itpro_ca
In this video, you learn how to control user access
to email and other corporate resources
based on your company's device enrollment
and compliance policies
by using conditional access
in Microsoft Intune.
Let's see how conditional access works
from the user perspective.
The first thing they usually do
on their mobile devices
is set up their work email
like this.
They go to Settings,
tap Mail, Contacts, Calendars,
and then tap Add Account.
Next, users will usually check
to make sure their email is working.
But when conditional access is enabled in Intune,
users won't typically have immediate access to email.
Instead, they'll receive an email
informing them that their device
is temporarily blocked from accessing email
until they complete the Intune enrollment steps.
As you can see here, there's a link in the email
to enroll the device.
After following a few simple enrollment steps,
they'll have access to their work email.
Let's take a look at how this works behind the scenes.
Depending on the type of email application
that you use to access Exchange Online,
the path to establishing secured access to email
can be slightly different.
However, the key components are the same.
They are Azure Active Directory,
Office 365 and Exchange Online,
and Microsoft Intune.
Intune currently supports native email apps
and the Microsoft Outlook app
for iOS and Android.
Let's look at the flow for native email apps
and Exchange ActiveSync.
A device is authenticated
when it connects to Office 365 to sync mail.
As part of this authentication,
Office 365 confirms with Azure Active Directory
that the device is registered,
enrolled in Intune,
and compliant with the device compliance policy.
If the device is registered,
enrolled, and compliant,
email syncs and the user
receives access to their email.
If the device isn't registered,
users receive a message in their inbox
with instructions on how to enroll in Intune.
Azure Active Directory device registration
happens automatically during enrollment.
If the device isn't compliant,
users receive a message
that redirects them to the Intune web portal
where they can get more information
about the compliance problem
and how to resolve it.
Once the device is enrolled and compliant,
email syncs and users receive their email.
If you're using the Microsoft Outlook client,
device compliance is established
in much the same way.
However, for Outlook apps,
the flow between the components is slightly different.
When the Outlook app attempts to get email,
it's redirected to Azure Active Directory.
Azure AD issues a security token
if the device is enrolled and compliant.
The security token grants access
to Exchange Online.
Email synchronization is brokered
through the Outlook Cloud service
using an Exchange ActiveSync
service access token
on behalf of the user to complete
the authentication and deliver the email.
Now let's see how conditional access
is configured from the Intune admin console.
If you've enrolled users in Intune
before enabling conditional access policies,
run the mobile device inventory report
to see which devices will lose access
to email and other corporate resources
when conditional access is enabled.
This allows you to inform users
of noncompliant devices
before blocking their access to email.
The next step is to create
a compliance policy in Intune.
Compliance policies allow you to check
for specific settings on a device
and ensure that these settings are enabled
before the device gains access to email.
Settings such as requiring a password,
encrypting data, and detecting
whether the device is jailbroken
can be verified to make sure
that a device is compliant.
The next step is to enable conditional access
for specific services
such as Exchange Online,
Exchange On-Premises,
and SharePoint Online.
Let's go ahead and enable conditional access
for Exchange Online.
Next, you'll need to decide
which groups of users
to apply these policies to.
Let's choose the engineering group.
As soon as conditional access is enabled,
users in this group will lose access to their email
if their devices are not enrolled in Intune
or are not compliant.
You can also specify groups
that are exempted from conditional access policies.
Exempted users don't need to enroll
their devices with Intune
or be compliant in order to access corporate email.
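The steps above describe a decision: exempt groups bypass the check, targeted groups must be enrolled and compliant, unenrolled devices get the enrollment message, and noncompliant devices get the portal redirect. The following is an added example (not code from the video or from Microsoft Intune) that models that decision flow and the "inventory report" preview step in plain Python; every class, field and function name here is a hypothetical construct, and the device fleet is constructed sample data.

```python
"""Constructed model of the Intune conditional access decision flow described
in the video. Illustration only: none of these names are Intune's or Azure AD's
real API."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"                      # email syncs
    ENROLL_REQUIRED = "enroll_required"  # inbox message with an enrollment link
    NONCOMPLIANT = "noncompliant"        # redirect to the Intune web portal


@dataclass
class Device:
    name: str
    registered: bool    # registered with Azure AD (happens during enrollment)
    enrolled: bool      # enrolled in Intune
    has_password: bool
    encrypted: bool
    jailbroken: bool


@dataclass
class CompliancePolicy:
    """The three device settings the video names (hypothetical field names)."""
    require_password: bool = True
    require_encryption: bool = True
    block_jailbroken: bool = True

    def violations(self, device: Device) -> list[str]:
        problems = []
        if self.require_password and not device.has_password:
            problems.append("password not set")
        if self.require_encryption and not device.encrypted:
            problems.append("device not encrypted")
        if self.block_jailbroken and device.jailbroken:
            problems.append("device is jailbroken")
        return problems


@dataclass
class ConditionalAccessPolicy:
    service: str                     # e.g. "Exchange Online"
    targeted_groups: frozenset[str]  # users who must be enrolled and compliant
    exempt_groups: frozenset[str]    # users who bypass the check entirely
    compliance: CompliancePolicy = field(default_factory=CompliancePolicy)


def evaluate(policy: ConditionalAccessPolicy, user_groups, device: Device) -> tuple[Decision, str]:
    """Return the outcome the user would see, and why, in the order the video gives."""
    groups = set(user_groups)
    if groups & policy.exempt_groups:
        return Decision.ALLOW, "user is in an exempted group"
    if not groups & policy.targeted_groups:
        return Decision.ALLOW, "conditional access not applied to this user"
    if not (device.registered and device.enrolled):
        return Decision.ENROLL_REQUIRED, "device is not enrolled in Intune"
    problems = policy.compliance.violations(device)
    if problems:
        return Decision.NONCOMPLIANT, "; ".join(problems)
    return Decision.ALLOW, "device is enrolled and compliant"


def inventory_report(policy: ConditionalAccessPolicy, fleet):
    """Preview, like the video's inventory report step, which devices would lose
    access once the policy is switched on. fleet holds (user, groups, device)."""
    losing = []
    for user, groups, device in fleet:
        decision, reason = evaluate(policy, groups, device)
        if decision is not Decision.ALLOW:
            losing.append((user, device.name, decision, reason))
    return losing


# Constructed sample policy and fleet (not real tenant data).
POLICY = ConditionalAccessPolicy("Exchange Online",
                                 targeted_groups=frozenset({"engineering"}),
                                 exempt_groups=frozenset({"executives"}))
FLEET = [
    ("alice", {"engineering"}, Device("alice-iphone", True, True, True, True, False)),
    ("bob", {"engineering"}, Device("bob-android", False, False, True, True, False)),
    ("carol", {"engineering"}, Device("carol-iphone", True, True, False, True, True)),
    ("dave", {"engineering", "executives"}, Device("dave-iphone", False, False, False, False, False)),
    ("erin", {"sales"}, Device("erin-android", False, False, False, False, False)),
]

if __name__ == "__main__":
    for row in inventory_report(POLICY, FLEET):
        print(row)
```

Running the report before enabling the policy shows that only bob (unenrolled) and carol (no password, jailbroken) would be cut off; dave is exempt and erin is not in a targeted group, so neither is affected even though their devices are unmanaged.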
That's it.
Now you know how to enable users
to be productive
while protecting corporate data
at the same time
all by using conditional access
in Microsoft Intune.
You can further protect the content
in your mail system
by using managed app policies.