Conditional Access in Configuration Manager

 

Updated: June 20, 2016

Applies To: System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

System_CAPS_noteNote

The information in this topic applies to System Center 2012 Configuration Manager SP2 and System Center 2012 R2 Configuration Manager SP1.

If you are using the Conditional Access Extension for Microsoft Intune, the functionality of this extension is now included in the core product, and the extension is no longer displayed in the Extensions for Microsoft Intune node of the Configuration Manager console.

However, for System Center 2012 R2 Configuration Manager SP1, as of November 2, the following new functionality is provided by the Conditional Access Extension. The extension will be displayed in the Extensions for Microsoft Intune node of the Configuration Manager console.

  • Minimum OS compliance rule

  • Maximim OS compliance rule

Use conditional access in Configuration Manager to help secure email and other services on devices that are enrolled with Microsoft Intune, depending on conditions you specify.

System_CAPS_importantImportant

Conditional access for PCs and Windows 10 Mobile devices with apps using modern authentication is not currently available to all Intune customers. If you are already using these features, you do not need to take any action. You can continue to use them.

This does not apply to PCs or Windows 10 Mobile devices for conditional access to Exchange On-premises.

If you have not created conditional access policies for PCs or Windows 10 Mobile for apps using modern authentication, you will need to submit a request for access. You can find out more information about known issues as well as how to get access to this feature at the connect site.

A typical flow for conditional access might look as follows:

Advanced conditional access flow

Use conditional access to manage access to the following services:

  • Microsoft Exchange On-premises

  • Microsoft Exchange Online

  • Exchange Online Dedicated

  • SharePoint Online

  • Skype for Business Online

  • Dynamics CRM Online

You can control access to Exchange Online and Exchange On-premises from the built-in email client on the following platforms:

  • Android 4.0 and later, Samsung Knox Standard 4.0 and later

  • iOS 7.1 and later

  • Windows Phone 8.1 and later

  • Mail application on Windows 8.1 and later

You can control access to SharePoint Online from the following apps for the listed platforms:

  • Microsoft Office Mobile (Android)

  • Microsoft OneDrive (Android and iOS)

  • Microsoft Word (Android and iOS)

  • Microsoft Excel (Android and iOS)

  • Microsoft PowerPoint (Android and iOS)

  • Microsoft OneNote (Android and iOS)

Office desktop applications can access Exchange Online and SharePoint Online on PCs runing:

System_CAPS_noteNote

PCs should be domain joined or be complaint with the policies set in Intune.

You can control access to Skype for Business Online from the following apps for the listed platforms:

  • Skype app (Android and iOS)

To implement conditional access, you configure two policy types in Configuration Manager:

  • Compliance policies are optional policies you can deploy to user collections and evaluate settings like:

    • Passcode

    • Encryption

    • Whether the device is jailbroken or rooted

    • Whether email on the device is managed by a Configuration Manager or Intune policy

    If no compliance policy is deployed to a device, then any applicable conditional access policies will treat the device as compliant.

  • Conditional access policies are configured for a particular service, and define rules such as which Azure Active Directory security user groups or Configuration Manager user collections will be targeted, or exempt.

    You configure the On-Premises Exchange conditional access policy from the Configuration Manager console. However, when you configure an Exchange Online or SharePoint Online policy, this opens the Microsoft Intune admin console where you configure the policy.

    Unlike other Intune or Configuration Manager policies, you do not deploy conditional access policies. Instead, you configure these once, and they apply to all targeted users.

When devices do not meet the conditions you configure, the user is guided though the process of enrolling the device and fixing the issue that prevents the device from being compliant.

Before you start using conditional access, ensure that you have the correct requirements in place:

Policy type

Requirements

Exchange Online (using the shared multi-tenant environment)

Conditional access to Exchange Online supports devices that run:

  • Windows 8.1 and later (when enrolled with Intune)

  • Windows 7.0 or Windows 8.1 (when domain joined)

  • Windows Phone 8.1 and later

  • iOS 7.1 and later

  • Android 4.0 and later, Samsung Knox Standard 4.0 and later

Additionally:

  • Devices must be workplace joined, which registers the device with the Azure Active Directory Device Registration Service (AAD DRS).

    Domain joined PCs must be automatically registered with Azure Active Directory through group policy or MSI. The Conditional access for PCs section in this topic describes all the requirements for enabling conditional access for a PC.

    AAD DRS will be activated automatically for Intune and Office 365 customers. Customers who have already deployed the ADFS Device Registration Service will not see registered devices in their on-premises Active Directory.

  • You must use an Office 365 subscription that includes Exchange Online (such as E3) and users must be licensed for Exchange Online.

  • The optional Exchange Server connector is optional and connects Configuration Manager to Microsoft Exchange Online and helps you monitor device information through the Configuration Manager console (see How to Manage Mobile Devices by Using Configuration Manager and Exchange). You do not need to use the connector to use compliance policies or conditional access policies, but is required to run reports that help evaluate the impact of conditional access.

Exchange Online Dedicated

Conditional access to Exchange Online Dedicated supports devices that run:

  • Windows 8 and later (when enrolled with Intune)

  • Windows 7.0 or Windows 8.1 (when domain joined)

    Conditional access to domain joined PCs only to tenants in the new Exchange Online dedicated environment.

  • Windows Phone 8 and later

  • Any iOS device that uses an Exchange ActiveSync (EAS) email client

  • Android 4 and later.

  • For tenants in the legacy Exchange Online Dedicated environment:

    You must use the Exchange Server connector which connects Configuration Manager to Microsoft Exchange On-premises. This lets you manage mobile devices and enables conditional access (see How to Manage Mobile Devices by Using Configuration Manager and Exchange).

  • For tenants in the new Exchange Online Dedicated environment:

    The optional Exchange Server connector connects Configuration Manager to Microsoft Exchange Online and helps you manage device information (see How to Manage Mobile Devices by Using Configuration Manager and Exchange). You do not need to use the connector to use compliance policies or conditional access policies, but is required to run reports that help evaluate the impact of conditional access.

Exchange On-premises

Conditional access to Exchange On-premises supports:

  • Windows 8 and later (when enrolled with Intune)

  • Windows Phone 8 and later

  • Native email app on iOS

  • Native email app on Android 4 or later

  • Microsoft Outlook app on Android and iOS is not supported.

Additionally:

  • Your Exchange version must be Exchange 2010 or later. Exchange server Client Access Server (CAS) array is supported.

    System_CAPS_tipTip

    If your Exchange environment is in a CAS server configuration, then you must configure the on-premises Exchange connector to point to one of the CAS servers.

  • You must use the Exchange Server connector which connects Configuration Manager to Microsoft Exchange On-premises. This lets you manage mobile devices and enables conditional access (see How to Manage Mobile Devices by Using Configuration Manager and Exchange).

    • Make sure that you are using the latest version of the on-premises Exchange connector. The on-premises Exchange connector should be configured through the Configuration Manager console. For a detailed walkthrough, see How to Manage Mobile Devices by Using Configuration Manager and Exchange.

    • The connector must be configured only on the System Center Configuration Manager Primary Site.

    • This connector supports Exchange CAS environment. When configuring the connector, you must set it so it talk to the one of the Exchange CAS servers.

  • Exchange ActiveSync can be configured with certificate based authentication, or user credential entry

SharePoint Online

Conditional access to SharePoint Online supports devices that run:

  • Windows 8.1 and later (when enrolled with Intune)

  • Windows 7.0 or Windows 8.1 (when domain joined)

  • Windows Phone 8.1 and later

  • iOS 7.1 and later

  • Android 4.0 and later, Samsung Knox Standard 4.0 and later

Additionally:

  • Devices must be workplace joined, which registers the device with the Azure Active Directory Device Registration Service (AAD DRS).

    Domain joined PCs must be automatically registered with Azure Active Directory through group policy or MSI. The Conditional access for PCs section in this topic describes all the requirements for enabling conditional access for a PC.

    AAD DRS will be activated automatically for Intune and Office 365 customers. Customers who have already deployed the ADFS Device Registration Service will not see registered devices in their on-premises Active Directory.

  • A SharePoint Online subscription is required and users must be licensed for SharePoint Online.

Skype for Business Online

Conditional access to SharePoint Online supports devices that run:

  • iOS 7.1 and later

  • Android 4.0 and later

  • Samsung Knox Standard 4.0 or later

Additionally, you must enable modern authentication for Skype for Business Online. Fill this connect form to be enrolled in the modern authentication program. All your end-users must be using the Skype for Business Online. If you have a deployment with both Skype for Business Online and Skype for Business on-premises, conditional access policy will not be applied to end-users who are in the on-premises deployment.

Conditional access for PCs

You can setup conditional access for PCs that run Office desktop applications to access Exchange Online and SharePoint Online for PCs that meet the following requirements:

  • The PC must be running Windows 7.0 or Windows 8.1.

  • The PC must either be domain joined or compliant.

    In order to be compliant, the PC must be enrolled in Intune and comply with the policies.

    For domain joined PCs, you must set it up to automatically register the device with Azure Active Directory.

  • Office 365 modern authentication must be enabled, and have all the latest Office updates.

    Modern authentication brings Active Directory Authentication Library (ADAL) based sign-in to Office 2013 Windows clients and enables better security like multi-factor authentication, and certificate-based authentication.

  • Setup ADFS claims rules to block non-modern authentication protocols.

Show: