Conditional Access for PCs – Part III: Exchange Online

Keep in mind that modern authentication is disabled by default on Exchange Online. To enable it, please follow this guidance. Two weeks ago I started this series of blog posts about conditional access for PCs, beginning with the requirements for conditional access for PCs. Last week I built on those requirements by adding the SharePoint Online Policy and the Compliance Policy, and I finished by showing the end-user experience. This week, in the third part of this blog series, I’ll build on those requirements by adding the Exchange Online Policy and, again, the Compliance Policy. After those configurations are in place, I’ll finish this third part of the series with the end-user experience. Note: This post shows a few …

Conditional Access for PCs – Part II: SharePoint Online

Last week I started this series of blog posts about conditional access for PCs, beginning with the requirements for conditional access for PCs. This week, in the second part of this blog series, I’ll build on those requirements by adding the SharePoint Online Policy and the Compliance Policy. After those configurations are in place, I’ll finish this second part of the series with the end-user experience. Note: This post shows a few configurations that are identical to those I mention in the third part of this blog series. This allows one to configure the SharePoint Online Policy without going through the configuration of the Exchange Online Policy. Configuration The configuration of conditional access for PCs contains two actions. The first action is to configure …

Conditional Access for PCs – Part I: Requirements

Another new capability added to Microsoft Intune during the August 2015 update is conditional access for PCs that run Office desktop applications to access Exchange Online and SharePoint Online. This nice capability enables us to require that PCs be either domain joined or compliant. In order to be compliant, the PCs must be enrolled in Microsoft Intune and must comply with the policies. This capability has more requirements and requires more configuration than most other Microsoft Intune standalone or Microsoft Intune hybrid capabilities. That’s why I decided to make this another blog series. This blog series will contain three parts: Requirements – This part will list all the requirements and the required configurations to start with the different conditional access …

Multi-identity in the managed Outlook app – Part 2

This blog post will show the behavior of multi-identity in the Microsoft Outlook app, as described in my posts about multi-identity in the managed Outlook app – part 1 and the Microsoft Intune Managed Browser. I’ve made four small movies that will show the behavior of the Microsoft Outlook app. A general note about these movies is that they’ll start to blink and act all funny at the moments that a managed app is opened, or when a PIN is required. Part I – Install and configure the Microsoft Outlook app In this first part I’ll show how the Microsoft Outlook app behaves during the installation and initial configuration. During this movie I’ll go through the following actions: Open the Company Portal …

The Microsoft Intune Managed Browser

Before I start with the second part of my blog post about multi-identity in the managed Outlook app, I thought it would be wise to make a side-step to the Microsoft Intune Managed Browser first. The main reason for that is that the Microsoft Intune Managed Browser can also have a managed browser policy configured. That policy can have a direct impact on the end-user experience when opening links from the Outlook app. The good thing, for this blog post, is that the Microsoft Intune Managed Browser doesn’t use multiple identities. It’s either managed, or not. This blog post will describe the behavior of the Microsoft Intune Managed Browser. During the second part of my post about multi-identity in the managed Outlook app, this …

Multi-identity in the managed Outlook app – Part 1

This blog post can be seen as a follow-up to a previous post about the email profile behavior after retiring a mobile device. In that post I showed the behavior of email profiles in the native mail app and the Outlook app after retiring the mobile device. In this post I’ll dive deeper into the Outlook app. More specifically, the behavior of the managed Outlook app and multi-identities. To be complete, I’ll divide this blog post into two parts. This first part will describe the assumptions, the configuration and the behavior, and the second part will show the behavior in a real example. Assumptions For this blog post I’ve made four important assumptions about the environment used that might impact the test results. When …

Important note about KB3081699

Good news! Microsoft has just released KB3081699 to fix the issue that Windows Phone Apps cannot be deployed or added to Allowed Apps or Blocked Apps lists via ConfigMgr. This hotfix applies to ConfigMgr 2012 R2 SP1 and ConfigMgr SP2. However, it’s important to note that, even though this hotfix was released after CU1, the current version of this hotfix should be installed before CU1. Update August 7, 2015: As expected, this update is now available in two flavors. In the hotfix request form it’s now possible to select one of the following: pre-CU1: ConfigMgr_2012_SP2_R2SP1_CU0_QFE_KB3081699_ENU; post-CU1: ConfigMgr_2012_SP2_R2SP1_CU1_QFE_KB3081699_ENU

Whitelist the Microsoft Intune Company Portal app for Windows Phone

This time a short blog post about the Microsoft Intune Company Portal app for Windows Phone. More specifically, about whitelisting the Microsoft Intune Company Portal app for Windows Phone. When whitelists, also known as Allowed Apps lists, are used, for allowing access to applications on a Windows Phone, even the Microsoft Intune Company Portal app has to be added to that list. In that case the Windows Phone Store variant can simply be added, based on the link in the Windows Phone Store, but the Download Center variant is a bit more challenging. In this post I’ll provide the required information to find the app product ID for the Microsoft Intune Company Portal app for Windows Phone. As the app might be updated in the …

Email profile behavior after retiring a mobile device

This blog post will be a follow-up on my blog post of last week about the three layers of protection with conditional access for Exchange email. In that post I tried to stress the importance of protecting, and being in control of, company email. In this blog post I will go through different scenarios to show the behavior of company email after retiring a mobile device from Microsoft Intune. I will show the results of these scenarios for both the native email app and the Outlook app. Scenarios Before I start with the different scenarios it’s important to mention that, after a mobile device is successfully retired from Microsoft Intune, the user will be able to configure company email on their mobile device. This is …

The three layers of protection with conditional access for Exchange email

In this blog post I would like to write a little about, what I like to call, the three layers of protection with conditional access for Exchange email. No, I don’t mean that a device has to be 1) enrolled in Microsoft Intune, 2) workplace joined and 3) compliant with any Microsoft Intune compliance policies. What I do mean is related to company data, in this case company email, and the protection of it on mobile devices. That means three different layers of protection for Exchange email on mobile devices. From basic protection to almost complete protection. The first layer of protection The first, basic, layer of protection is simply using an Exchange Online Policy, or an Exchange On-premises Policy. These policies make it possible …
