My Experts Live session and content

November has been a crazy month for me so far. Frequent visitors of my blog might have noticed a complete silence over the last couple of weeks. Well, it’s time to break that silence again! This month started with my first MVP Summit and I have to say that it would be awesome to be there again next year!

After that I had the great opportunity to present at Experts Live 2015. I had a session about conditional access and mobile application management. This post contains the slide deck of that session and the movies of the demos. The sessions were not recorded, but as I always create movies of my demos as a backup scenario, I thought let’s post those movies instead.

Slide deck

Let’s start with the slide deck of my session. The PDF of my slide deck will be made available on the site of Experts Live and is available for download on my own site by clicking on the picture of my slide deck here on the side. This will start a direct download.

Demos

Let’s continue with the bigger part of this post, the movies of my demos. These movies were created as a backup scenario, in case there was a problem with the Internet connection. Even for those who attended my session, these movies will include new information. During my session I could only show the Microsoft Intune hybrid configurations, due to time considerations. These movies also include the Microsoft Intune standalone configurations.

Demo – Conditional access on Exchange Online and SharePoint Online

During this demo I’ll walk through the end-user experience for conditional access. This gives a clear overview of what conditional access is and what it means for the end-user. During this demo I’ll go through the following actions, on a Dutch iPad:

  • Go to Settings > General and show the missing Management Profile;
  • Go to Settings > Mail and add <user>@petervanderwoude.nl;
  • Open the native mail app and show the conditional access email;
  • Open the Microsoft Outlook app and show the enrollment message for <user>@petervanderwoude.nl;
  • Open the Microsoft Intune Company Portal app and walk through the steps to enroll the device;
  • During the enrollment, resolve the issue with the mail profile that was configured in Settings > Mail;
  • Open the native mail app and show the access to <user>@petervanderwoude.nl;
  • Open the Microsoft Outlook app and show the access to <user>@petervanderwoude.nl.

Demo – Configuring conditional access on Exchange Online and SharePoint Online

During this demo I’ll walk through the settings that are available for configuring compliance policies and conditional access on Exchange Online and SharePoint Online for Microsoft Intune standalone and hybrid. This demo is split into four parts: one for conditional access on Exchange Online, one for conditional access on SharePoint Online, one for compliance policies in Microsoft Intune hybrid and one for compliance policies in Microsoft Intune standalone. During the first part I’ll go through the following actions:

  • Open the Configuration Manager console and navigate to Assets and Compliance;
  • Navigate to Compliance Settings > Conditional Access > Exchange Online;
  • Select Configure conditional access policy in the Intune console;
  • Select Enable conditional access policy for Exchange Online;
  • Walk through the settings for apps using modern authentication;
  • Walk through the settings for apps using basic authentication;
  • Walk through the targeted and exempted groups;
  • (Additional) Show the Service to Service Connector.

During the second part I’ll go through the following actions:

  • Open the Configuration Manager console and navigate to Assets and Compliance;
  • Navigate to Compliance Settings > Conditional Access > SharePoint Online;
  • Select Configure conditional access policy in the Intune console;
  • Select Enable conditional access policy for SharePoint Online;
  • Walk through the settings for apps using modern authentication;
  • Walk through the targeted and exempted groups.

During the third part I’ll go through the following actions:

  • Open the Configuration Manager console and navigate to Assets and Compliance;
  • Navigate to Compliance Settings > Compliance Policies;
  • Select Create Compliance Policy;
  • Walk through the available Rules and the impact of the selected Platform;
  • Walk through the Deployment Settings.

During the fourth part I’ll go through the following actions:

  • Open the Microsoft Intune console and navigate to POLICY > Configuration Policies;
  • Select Add…;
  • Walk through the available policy settings;
  • Walk through the Deployment options.

Demo – Mobile application management

During this demo I’ll walk through the end-user experience for mobile application management. This gives a clear overview of what can be achieved with mobile application management and what the experience will be for the end-user. This demo is split into two parts: one for starting to manage an app and one for the managed app experience. During the first part of this demo I’ll go through the following actions, on a Dutch iPad:

  • Go to Settings > General and show the missing apps in the Management Profile;
  • Open the Microsoft Intune Company Portal app;
  • Install, configure and allow management of the Microsoft Outlook app;
  • Go to Settings > General and show the Microsoft Outlook app in the Management Profile.

During the second part of this demo I’ll go through the following actions, on an English iPad:

  • Open the Microsoft Outlook app;
  • Walk through the behavior of blocked and allowed URLs from company email;
  • Walk through the behavior of copying and pasting content from company email;
  • Walk through the behavior of attachments in company email.

Demo – Configuring mobile application management

During this demo I’ll walk through the settings that are available for configuring mobile application management for Microsoft Intune standalone and hybrid. This demo is split into two parts: one for Microsoft Intune hybrid and one for Microsoft Intune standalone. During the first part I’ll go through the following actions:

  • Open the Configuration Manager console and navigate to Software Library;
  • Navigate to Application Management > Application Management Policies;
  • Select Create Application Management Policy;
  • Walk through the Policy Types and their impact on the Policy Settings;
  • Walk through the Deployment options.

During the second part I’ll go through the following actions:

  • Open the Microsoft Intune console and navigate to POLICY > Configuration Policies;
  • Select Add…;
  • Select Software > Mobile Application Management (iOS 7.1 and later);
  • Select Create a Custom Policy;
  • Walk through the available policy settings;
  • Walk through the Deployment options.

Demo – Retire mobile device

The last demo showed the impact of retiring a mobile device. This is the only demo that I didn’t record, simply because I made it up at the last moment and I didn’t decide until the end of the session how I was going to retire the mobile device. Depending on the available time I would pick between the Configuration Manager console, PowerShell, or the iPad.

The three layers of protection with conditional access for Exchange email

In this blog post I would like to write a little about what I like to call the three layers of protection with conditional access for Exchange email. No, I don’t mean that a device has to be 1) enrolled in Microsoft Intune, 2) workplace joined and 3) compliant with any Microsoft Intune compliance policies. What I do mean is related to company data, in this case company email, and its protection on mobile devices: three different layers of protection for Exchange email on mobile devices, from basic protection to almost complete protection.

The first layer of protection

The first, basic, layer of protection is simply using an Exchange Online Policy or an Exchange On-premises Policy. These policies make it possible to protect Exchange email by blocking access to Exchange via ActiveSync. They do not, of course, block connections via OWA.

By enabling these policies, a mobile device of a user that’s in a Targeted Group and not in an Exempted Group will be blocked from ActiveSync when it’s not enrolled in Microsoft Intune and/or not compliant with the targeted Microsoft Intune compliance policies. When no compliance policy is targeted, the device is automatically evaluated as compliant. Access for unsupported and exempted platforms can also be blocked through these policies.

I like to call this the first layer of protection, as it provides very basic protection to the Exchange email on the mobile device by simply making sure that the mobile device is enrolled in Microsoft Intune. That enrollment makes sure that the connected mobile devices are known to the IT organization.

The second layer of protection

The second layer of protection adds a few requirements by using a Conditional Access Policy. A Conditional Access Policy can be used to add requirements for the mobile devices that want to connect to Exchange email via ActiveSync.

These policies can be used to specify additional requirements for the password and encryption of the mobile device. Besides that, it’s possible to block jailbroken iOS devices and rooted Android devices.

I like to call this the second layer of protection, as it adds another form of protection to the Exchange email on the mobile device by requiring additional configuration of the mobile device itself.

The third layer of protection

The third layer of protection adds another, very important, requirement by using a Conditional Access Policy in combination with an Email Profile.

This is basically nothing more than an additional setting in the Conditional Access Policy, but it adds a lot. It requires that the mobile device (currently only iOS) can only connect to Exchange email via ActiveSync when it’s using a specific Email Profile that’s configured via Microsoft Intune.

I like to call this the third layer of protection, as it adds almost complete protection to the company email that’s available on the mobile device. As the mobile device can only connect via an Email Profile configured via Microsoft Intune, the company email is also removed when the device is removed from Microsoft Intune.
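
To make the evaluation order of the three layers explicit, here is a small model of the decision an ActiveSync connection goes through, as described in the sections above. This is an added illustration and not Intune or Configuration Manager code: the class names, attribute names, group names and the order of the checks are assumptions chosen to mirror the behaviour the text describes (exempted group wins over targeted group, no targeted compliance policy means compliant, the Email Profile requirement only applies to iOS).

```python
"""Toy evaluator for the three layers of protection for Exchange email.

Added example, not Intune/ConfigMgr code: every name below is an assumption
chosen to mirror the post. OWA is out of scope, as it is for the policies.
"""
from dataclasses import dataclass


@dataclass
class Device:
    user_groups: frozenset              # groups the device's user is in
    platform: str                       # e.g. "iOS", "Android", "Windows Phone"
    enrolled: bool = False              # enrolled in Microsoft Intune
    compliance_results: tuple = ()      # one result per targeted compliance policy
    jailbroken_or_rooted: bool = False
    password_set: bool = True
    encrypted: bool = True
    intune_email_profile: bool = False  # mail profile configured via Intune (iOS)


@dataclass
class ExchangePolicy:
    """Layer 1: Exchange Online / Exchange On-premises Policy (ActiveSync only)."""
    targeted_groups: frozenset
    exempted_groups: frozenset = frozenset()
    supported_platforms: frozenset = frozenset({"iOS", "Android", "Windows Phone"})
    block_unsupported_platforms: bool = True


@dataclass
class ConditionalAccessPolicy:
    """Layer 2 device requirements, plus the layer 3 Email Profile requirement."""
    block_jailbroken_or_rooted: bool = True
    require_password: bool = True
    require_encryption: bool = True
    require_intune_email_profile: bool = False  # layer 3, evaluated for iOS only


def evaluate_activesync(device, exchange, ca=None):
    """Return (allowed, reason) for an ActiveSync connection attempt.

    Scope is decided first: a user in an exempted group is never evaluated and
    a user outside every targeted group is not covered. The layers are then
    applied in order and the first failing check blocks the connection.
    """
    if device.user_groups & exchange.exempted_groups:
        return True, "user exempted"
    if not device.user_groups & exchange.targeted_groups:
        return True, "user not targeted"

    if (device.platform not in exchange.supported_platforms
            and exchange.block_unsupported_platforms):
        return False, f"unsupported platform {device.platform}"

    # Layer 1: enrolled and compliant. With no compliance policy targeted
    # (empty results) the device is evaluated as compliant: all(()) is True.
    if not device.enrolled:
        return False, "device not enrolled in Intune"
    if not all(device.compliance_results):
        return False, "device not compliant with a targeted compliance policy"

    if ca is None:
        return True, "layer 1 satisfied"

    # Layer 2: additional device requirements from the Conditional Access Policy.
    if ca.block_jailbroken_or_rooted and device.jailbroken_or_rooted:
        return False, "jailbroken/rooted device"
    if ca.require_password and not device.password_set:
        return False, "no device password"
    if ca.require_encryption and not device.encrypted:
        return False, "device not encrypted"

    # Layer 3: the mail profile itself must come from Intune (iOS only), so
    # removing the device from Intune also removes the company email.
    if (ca.require_intune_email_profile and device.platform == "iOS"
            and not device.intune_email_profile):
        return False, "mail profile not configured via Intune"

    return True, "all layers satisfied"


if __name__ == "__main__":
    # Constructed sample policies and devices (group names are made up).
    exchange = ExchangePolicy(targeted_groups=frozenset({"Sales"}),
                              exempted_groups=frozenset({"Execs"}))
    ca = ConditionalAccessPolicy(require_intune_email_profile=True)
    for label, dev in [
        ("not enrolled", Device(frozenset({"Sales"}), "iOS")),
        ("enrolled, native mail", Device(frozenset({"Sales"}), "iOS", enrolled=True)),
        ("enrolled, Intune profile", Device(frozenset({"Sales"}), "iOS", enrolled=True,
                                            intune_email_profile=True)),
        ("exempted user", Device(frozenset({"Sales", "Execs"}), "iOS")),
    ]:
        print(f"{label:26} -> {evaluate_activesync(dev, exchange, ca)}")
```

Running the script prints one line per constructed device; the interesting row is the enrolled iOS device with a native mail profile, which passes layers 1 and 2 but is still blocked by layer 3 until its mail account comes from an Intune Email Profile.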

Conclusion

These three layers of protection together make a very powerful combination for protecting company email. The third layer in particular ensures that the company email made available on the device is removed again.

A good thing to know is that the (managed) Microsoft Outlook app can also still connect to Exchange email via ActiveSync, as long as the mobile device is enrolled and compliant. More about this in my next blog post.

Note: Even though this post only shows Microsoft Intune standalone screenshots, the same is applicable to Microsoft Intune hybrid.

More information

For a lot more information about conditional access and compliance policies, please refer to the following links.