
Exchange Access Rules and Mobile Device Security Policy in Windows Intune

Updated: December 17, 2012

Applies To: Windows Intune

Windows Intune provides comprehensive mobile device management capabilities. With Windows Intune, you can manage mobile devices directly or through Exchange ActiveSync. For information about Windows Intune direct management and Exchange ActiveSync management, see Windows Intune Capabilities for Directly Managed and Exchange ActiveSync-Managed Mobile Devices. There are two aspects to mobile device policy management in Windows Intune.

  • Exchange Access Rules for Mobile Devices: These rules apply only to mobile devices that are managed through Exchange ActiveSync, not to devices that are directly managed.

  • Mobile Device Security Policy: Mobile Device Security Policy settings may apply to mobile devices that are directly managed or managed by Exchange ActiveSync, or both, depending on the capabilities of the operating system that the device is running. For detailed information about individual Mobile Device Security Policy settings and applicable device operating systems, see the Windows Intune Mobile Device Security Policy Reference.

Note
If a device is managed by policy settings from both Windows Intune direct management and Exchange ActiveSync, the more secure policy settings are applied.

Exchange Access Rules for Mobile Devices

Exchange access rules for mobile devices determine the level of access to Exchange that is granted to mobile devices. The Default Rule determines the baseline access level that is granted to mobile devices that do not have a custom rule defined.

Exchange access rules are applied to a particular group of devices based on some properties of the device, such as family and model of the device.

Note
If the Exchange administrator has explicitly granted access to a particular device or explicitly blocked a particular device, this will supersede the Windows Intune Exchange access rules for mobile devices.

When a device is blocked or quarantined, you can specify a custom message that is sent to the user to explain why the device was blocked or quarantined and whom to contact. You can also specify a list of SMTP addresses for administrators who will receive an email notification when a mobile device has been quarantined.

Important
On the first sync of the Windows Intune Exchange Connector, the following information is imported to Windows Intune from Exchange:

  • Default access rule

  • Custom access rules

  • List of administrators who receive an email notification when a device is quarantined.

Access levels

The following table describes the access levels that can be configured.

Access level / Description

Allow all mobile devices to access Exchange, unless a custom rule states otherwise

In the allow access state, a mobile device can synchronize through Exchange ActiveSync and connect to the Exchange server to retrieve email and manipulate calendar information, contacts, tasks, and notes. This will continue as long as the device complies with the Windows Intune Mobile Device Security Policy that you have configured, unless the user or the specific mobile device has been blocked by the Exchange administrator.

Block all mobile devices from accessing Exchange, unless a custom rule states otherwise

A mobile device that is blocked because of a device access setting you configured will not be allowed to connect to the Exchange server and will receive HTTP 403 Forbidden errors. The user will receive an email message from the Exchange server telling them that the mobile device was blocked from accessing their mailbox. The user will not be able to read the email message on the blocked mobile device. Through the Set User Notification task, you can add customized text to this message to provide instructions for users whose devices are blocked.

Quarantine all mobile devices so I can decide later for each individual mobile device, unless a custom rule states otherwise

When a mobile device is quarantined, the mobile device is allowed to connect to the Exchange server. However, it is given only limited access to data. The user can add content to their own Calendar, Contacts, Tasks, and Notes folders, but the server will not allow the device to retrieve any content from the user's mailbox. The user will receive a single email message that tells them that the mobile device is quarantined. This message will be received by the device and will also be available in the user's mailbox. Through the Set User Notification task, you can add customized text to this message to provide instructions for users whose devices are quarantined.

Configuring Common Access Strategies

The following table lists some common access strategies.

Access Strategy / Description

Allow list

You can use an allow list to grant access to a list of known devices and restrict access for everything else. To do this, you must create custom rules so that the specific devices you want are allowed to access users' mailboxes. As soon as you create such a rule, you must set the default access rule to block or quarantine all other devices. To add a new device to the allow list, create a new custom rule.

Block list

You can use a block list to grant access to all devices by default, but block access for a set of devices that you do not want to have access to your organization. You create a block list by creating custom rules to block the devices that you do not want to synchronize with the organization's mailboxes. The default rule should be set to allow access to all devices that are not explicitly blocked by the existing rules. To add a new device or set of devices to the block list, create a new custom rule.

Mixed allow and block

In addition to creating allow and block lists, you can quarantine new mobile devices as they are introduced into the organization while you evaluate them. For example, if you have a block list for mobile devices that are not allowed within your organization, and an allow list for mobile devices that are allowed within the organization, you can set the default rule to quarantine. All other devices will automatically be quarantined, which lets you discover new devices as they are introduced to the organization and decide whether to add them to the allow list or the block list.

Important
When a new mobile device connects to the Exchange server, it will take a few hours before you can select the new device and family in an access rule.
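The three strategies above, and the precedence stated earlier in this topic (an explicit allow or block by the Exchange administrator supersedes the Windows Intune rules, a matching custom rule beats the Default Rule), can be modelled as a small decision routine. The following is an added example written for this page, not code from Windows Intune or Exchange; the device families, models and the device id are constructed sample values.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

class Access(Enum):
    ALLOW = "Allow"
    BLOCK = "Block"
    QUARANTINE = "Quarantine"

@dataclass(frozen=True)
class Device:
    family: str  # family and model as reported by the device over Exchange ActiveSync
    model: str

@dataclass(frozen=True)
class CustomRule:
    family: str
    model: Optional[str]  # None targets the whole family
    access: Access

    def matches(self, device: Device) -> bool:
        return device.family == self.family and self.model in (None, device.model)

@dataclass
class ExchangeAccessRules:
    default: Access                     # the Default Rule, applied when no custom rule matches
    custom: List[CustomRule]
    admin_overrides: Dict[str, Access]  # explicit per-device allow/block set by the Exchange admin

def decide(rules: ExchangeAccessRules, device_id: str, device: Device) -> Tuple[Access, str]:
    """Precedence from the page: explicit Exchange-admin decision > custom rule > Default Rule."""
    override = rules.admin_overrides.get(device_id)
    if override is not None:
        return override, "exchange-admin"
    for rule in rules.custom:
        if rule.matches(device):
            return rule.access, f"custom:{rule.family}/{rule.model or '*'}"
    return rules.default, "default"

def pending_review(rules: ExchangeAccessRules, inventory: Dict[str, Device]) -> List[str]:
    """New devices held by the default quarantine rule, awaiting an allow- or block-list decision."""
    return [dev_id for dev_id, dev in inventory.items()
            if decide(rules, dev_id, dev) == (Access.QUARANTINE, "default")]

# Constructed sample of the mixed strategy: one allow-listed family, one block-listed model, default quarantine.
MIXED_STRATEGY = ExchangeAccessRules(
    default=Access.QUARANTINE,
    custom=[CustomRule("iPhone", None, Access.ALLOW), CustomRule("Android", "LegacyTablet", Access.BLOCK)],
    admin_overrides={"DEV-0042": Access.BLOCK},  # placeholder id for a device explicitly blocked by the admin
)
```

Running pending_review over the current device inventory yields exactly the devices the mixed strategy is designed to surface: those held by the default quarantine rule and not yet covered by a custom rule or an administrator decision.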

Mobile Device Security Policy

You can create Mobile Device Security Policy policies to apply to user groups. A policy contains a variety of settings, including Password: Common, Password: Windows RT, Device Restrictions: Common, Device Restrictions: iOS, E-mail: Exchange ActiveSync, Encryption: Common, and Encryption: Exchange ActiveSync. For more information, see Windows Intune Mobile Device Security Policy Reference.

Important
If you are managing mobile devices by using Exchange ActiveSync, note that Windows Intune imports mobile devices from Exchange and links each one to a user in Windows Intune by matching the SMTP address configured for the user in Active Directory Domain Services (AD DS) to the primary SMTP address of the user's Exchange mailbox. This can only happen when the following steps have been successfully completed:

  • User accounts and security groups have been imported from your existing on-premises Active Directory Domain Services (AD DS) environment to the Windows Intune account portal through directory synchronization. For more information about directory synchronization, see Active Directory synchronization roadmap.

  • You have activated the synchronized users in the account portal and assigned them membership in the Windows Intune user group to provision them in Windows Intune. After provisioning is complete, users are displayed and can be managed in the Windows Intune administrator console. For more information about activating synchronized users, see the “Adding Users and Security Groups to Windows Intune” section in the Windows Intune Getting Started Guide.

  • You have installed the Windows Intune Exchange Connector and a successful synchronization between Exchange and Windows Intune has occurred. For more information about installing the Exchange Connector, see Connecting Windows Intune to Your Exchange Server.

    After the Exchange Connector has been installed, you should only manage users’ mobile device security policy settings by using the Windows Intune administrator console. Windows Intune will save mobile device security policy to the Exchange server and apply it to the appropriate mailbox. If you change the user’s mailbox policy settings by using Exchange management tools, unexpected behaviors might occur.

Windows Intune direct management of mobile devices does not require AD DS in your environment. If you do not have AD DS in your environment and you want to manage mobile devices directly, you can provision users in Windows Intune by manually adding the users to the Windows Intune account portal. For more information, see the “Adding Users and Security Groups to Windows Intune” section in the Windows Intune Getting Started Guide.

© 2014 Microsoft. All rights reserved.