Exchange Access Rules and Mobile Device Security Policy
Updated: December 17, 2012
Applies To: Windows Intune December 2012 Release
Windows Intune provides comprehensive mobile device management capabilities. With Windows Intune, you can manage mobile devices directly or through Exchange ActiveSync. For information about Windows Intune direct management and Exchange ActiveSync management, see Windows Intune Capabilities for Directly Managed and Exchange ActiveSync-Managed Mobile Devices. There are two aspects to mobile device policy management in Windows Intune.
- Exchange Access Rules for Mobile Devices: These rules apply only to mobile devices that are managed through Exchange ActiveSync, not to devices that are directly managed.
- Mobile Device Security Policy: Mobile Device Security Policy settings may apply to mobile devices that are directly managed, managed by Exchange ActiveSync, or both, depending on the capabilities of the operating system that the device is running. For detailed information about individual Mobile Device Security Policy settings and applicable device operating systems, see the Mobile Device Security Policy Reference.
| Note |
|---|
| If a device is managed by policy settings from both Windows Intune direct management and Exchange ActiveSync, the more secure policy settings are applied. |
Exchange Access Rules for Mobile Devices
Exchange access rules for mobile devices determine the level of access to Exchange that is granted to mobile devices. The Default Rule determines the baseline access level that is granted to mobile devices that do not have a custom rule defined.
Custom Exchange access rules are applied to a particular group of devices based on properties of the device, such as its family and model.
| Note |
|---|
| If the Exchange administrator has explicitly granted access to a particular device or explicitly blocked a particular device, that setting supersedes the Windows Intune Exchange access rules for mobile devices. |
When a device is blocked or quarantined, you can specify a custom message that is sent to the user to explain why the device was blocked or quarantined and whom to contact. You can also specify a list of SMTP addresses for administrators who will receive an email notification whenever a mobile device is quarantined.
| Important |
|---|
| On the first sync of the Windows Intune Exchange Connector, the following information is imported to Windows Intune from Exchange. |
Access levels
The following table describes the access levels that can be configured.
| Access level | Description |
|---|---|
| Allow all mobile devices to access Exchange, unless a custom rule states otherwise | In the allow access state, a mobile device can synchronize through Exchange ActiveSync and connect to the Exchange server to retrieve email and manipulate calendar information, contacts, tasks, and notes. This continues as long as the device complies with the Windows Intune Mobile Device Security Policy that you have configured, unless the user or the specific mobile device has been blocked by the Exchange administrator. |
| Block all mobile devices from accessing Exchange, unless a custom rule states otherwise | A mobile device that is blocked because of a device access setting you configured is not allowed to connect to the Exchange server and receives HTTP 403 Forbidden errors. The user receives an email message from the Exchange server telling them that the mobile device was blocked from accessing their mailbox. The user cannot read that email message on the blocked mobile device. You can add customized text to this message to provide instructions for users whose devices are blocked, through the Set User Notification task. |
| Quarantine all mobile devices so I can decide later for each individual mobile device, unless a custom rule states otherwise | When a mobile device is quarantined, it is allowed to connect to the Exchange server, but it is given only limited access to data. The user can add content to their own Calendar, Contacts, Tasks, and Notes folders, but the server does not allow the device to retrieve any content from the user's mailbox. The user receives a single email message that tells them that the mobile device is quarantined. This message is received by the device and is also available in the user's mailbox. You can add customized text to this message to provide instructions for users whose devices are quarantined, through the Set User Notification task. |
Configuring Common Access Strategies
The following table lists some common access strategies.
| Access Strategy | Description |
|---|---|
| Allow list | You can use an allow list to grant access to a set of known devices and restrict access for everything else. To do this, create custom rules that allow the specific devices you want to access users' mailboxes. As soon as you create such a rule, set the default access rule to block or quarantine all other devices. To add a new device to the allow list, create a new custom rule. |
| Block list | You can use a block list to grant access to all devices by default, but block access for a set of devices that you do not want to connect to your organization's mailboxes. You create a block list by creating custom rules that block the devices you do not want to synchronize with the organization's mailboxes. The default rule should be set to allow access to all devices that are not explicitly blocked by the existing rules. To add a new device or set of devices to the block list, create a new custom rule. |
| Mixed allow and block | In addition to creating allow and block lists, you can quarantine new mobile devices as they are introduced into the organization while you evaluate them. For example, if you have a block list for mobile devices that are not allowed within your organization and an allow list for mobile devices that are allowed, you can set the default rule to quarantine. All other devices are then quarantined automatically, which lets you discover new devices as they are introduced to the organization and decide whether to add them to the allow list or the block list. |
| Important |
|---|
| When a new mobile device connects to the Exchange server, it takes a few hours before you can select the new device and its family in an access rule. |
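The three strategies above, as an added example that is not part of the Windows Intune documentation: the same allow list, block list and quarantine default expressed directly as Exchange ActiveSync device access rules in the Exchange Management Shell (Exchange 2010 SP1 or later), which is the Exchange-side mechanism that the Windows Intune Exchange Connector configures. It also shows the per-device override by the Exchange administrator that the Note earlier in this section says supersedes the Intune rules. The device types, OS string, addresses, mailbox and device ID below are placeholders, and this page does not describe how rules created directly in Exchange interact with the ones the connector manages, so treat this as the Exchange-side view only.

```powershell
# Added example, not from the Windows Intune documentation. Run in the Exchange
# Management Shell with rights to manage Exchange ActiveSync organization settings.
# All device strings, addresses, the mailbox and the device ID are placeholders.

# 1. "Mixed allow and block": the default rule quarantines every device that no
#    custom rule matches. UserMailInsert is the custom text sent to the user
#    (the page's "why and whom to contact"); AdminMailRecipients is the list of
#    administrator SMTP addresses notified on each quarantine.
Set-ActiveSyncOrganizationSettings `
    -DefaultAccessLevel Quarantine `
    -UserMailInsert "Your device is awaiting approval by IT. Contact helpdesk@contoso.com." `
    -AdminMailRecipients "easadmins@contoso.com"

# 2. Allow list: custom rules that admit known device families. Characteristic is
#    one of DeviceType, DeviceModel, DeviceOS or UserAgent; QueryString must match
#    the value the device reports exactly (no wildcards). "iPhone" and "iPad" are
#    the DeviceType strings Apple clients report; the rest are placeholders.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "iPhone" -AccessLevel Allow
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "iPad"   -AccessLevel Allow

# 3. Block list: a custom rule for a platform you have decided not to admit at all.
#    The DeviceOS string is a placeholder; use the value shown by Get-ActiveSyncDevice.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceOS -QueryString "Android 2.3.4" -AccessLevel Block

# 4. Per-device override by the Exchange administrator. This is evaluated before
#    the custom rules and the default rule, so it supersedes both, exactly as the
#    Note above describes. DeviceId comes from the quarantine listing in step 5.
Set-CASMailbox -Identity "alice@contoso.com" -ActiveSyncAllowedDeviceIDs @{Add = "ApplF17K1ABC123"}
# Or explicitly block one device for one mailbox:
# Set-CASMailbox -Identity "alice@contoso.com" -ActiveSyncBlockedDeviceIDs @{Add = "ApplF17K1ABC123"}

# 5. Review: the rules in force, and the devices sitting in quarantine that you
#    still have to assign to the allow list, the block list, or a per-mailbox override.
Get-ActiveSyncDeviceAccessRule |
    Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize
Get-ActiveSyncDevice |
    Where-Object { $_.DeviceAccessState -eq "Quarantined" } |
    Format-Table UserDisplayName, DeviceType, DeviceModel, DeviceOS, DeviceId, DeviceAccessStateReason -AutoSize
```

Two caveats worth keeping in mind when you rely on rules like these: the DeviceType, DeviceModel, DeviceOS, UserAgent and DeviceId values are all reported by the client itself in the ActiveSync request, so a device access rule is an inventory and hygiene control, not authentication of the device; and because QueryString is an exact match, a new OS build or model string falls through to the default rule, which is why the quarantine default in the mixed strategy is the safer choice over an allow default.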
Mobile Device Security Policy
You can create Mobile Device Security Policy policies and apply them to user groups. A policy contains a variety of settings, including Password: Common, Password: Windows RT, Device Restrictions: Common, Device Restrictions: iOS, E-mail: Exchange ActiveSync, Encryption: Common, and Encryption: Exchange ActiveSync. For more information, see Mobile Device Security Policy Reference.
| Important |
|---|
| If you are managing mobile devices by using Exchange ActiveSync, note that Windows Intune imports and links mobile devices from Exchange to a user in Windows Intune by matching the user's SMTP address configured in Active Directory Domain Services (AD DS) to the user's Exchange mailbox primary SMTP address. This can only happen when the following steps have been successfully completed: |
Windows Intune direct management of mobile devices does not require AD DS in your environment. If you do not have AD DS in your environment and you want to manage mobile devices directly, you can provision users in Windows Intune by manually adding the users to the Windows Intune account portal. For more information, see the “Adding Users and Security Groups to Windows Intune” section in the Windows Intune Getting Started Guide.
