Everywhere you turn in our industry, there are big buzzwords you are constantly bombarded with, such as Cloud, Big Data and Mobile Device Management. With the power of smartphones and other devices, we are living in a mobile world, and your end users want their working life to be just as mobile as the rest of their lives.
This article will cover one feature from my experience in the field, which is aiding the adoption of Mobile Device Management (MDM). At PowerONPlatforms, we are getting more and more requests to help our customers implement an MDM solution. These customers either have no MDM solution in place or a solution which is either not delivering what their business requires, or not cost effective.
Whichever category you fall into, the main concern I hear from customers is how they will get users to adopt. I want to show how to make this concern a thing of the past with Microsoft Intune.
So how do you stop unmanaged devices from connecting, and make sure that end users are enrolled in management before being allowed access to Exchange ActiveSync? Well, the answer is simple. We can use Microsoft Intune Conditional Access.
For those who are not aware, Microsoft Intune can be used as a standalone cloud service or integrated with Configuration Manager. Both architecture designs support Conditional Access.
Conditional Access Overview
If you think about a traditional Mobile Device Management project, one of the biggest challenges will be getting users to adopt because they can’t see any benefit to what IT is trying to achieve. Most end users just want email on their phones, so as soon as they have left the office they can still be on top of emails.
However, this puts the company at risk because users start to connect to Exchange ActiveSync on their personal devices. These devices are not corporate managed so do not receive the policies that should be required to gain access to corporate data, which can cause great risk to your company as you have no way to stop them distributing company data.
This is where conditional access can work its magic. We can ensure end user devices are compliant with our company policies and enrolled within Microsoft Intune before they gain access.
This means that if a device is not compliant with your policy, or is not enrolled in MDM, access to Exchange will be revoked. When the user next opens their e-mail app they will receive an email notifying them that their device is not compliant with the corporate policies and that corporate data.
The email profile will then be removed from the device. The email the user received will contain a link with information on how to bring the device back into compliance so access to corporate emails can be attained.
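To make the enrol-then-comply gate concrete, here is a small model of the decision described above. It is an added illustration, not Intune's or Microsoft's code: the compliance settings (PIN, encryption, jailbreak check), the device records and the notification text are constructed assumptions, and the remediation URL is a placeholder. The minimum OS versions come from the supported mail-app list later in this article.

```python
"""Illustrative model of a conditional-access gate in front of Exchange ActiveSync.

Added example, not Intune's implementation. Policy settings and devices are
constructed here purely to show the decision flow: enrolled AND compliant ->
access; otherwise -> access revoked, mail profile removed, user notified.
"""
from dataclasses import dataclass, field

# Minimum OS versions for the built-in mail apps listed in the article.
MIN_OS = {"android": (4, 0), "ios": (7, 1), "windowsphone": (8, 1)}


@dataclass
class Device:
    user: str
    platform: str
    os_version: str
    enrolled: bool           # enrolled in Intune MDM?
    pin_set: bool = False    # the following are assumed compliance settings
    encrypted: bool = False
    jailbroken: bool = False


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)
    remove_mail_profile: bool = False
    notification: str = ""


def parse_version(text):
    """Turn '4.4.2' into (4, 4, 2) so versions compare correctly as tuples."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def evaluate(device, remediation_url):
    """Decide whether a device may sync mail, and what to tell the user if not."""
    reasons = []
    if not device.enrolled:
        # An unmanaged device reports no compliance state, so it fails outright.
        reasons.append("device is not enrolled in Intune")
    else:
        minimum = MIN_OS.get(device.platform.lower())
        if minimum is None:
            reasons.append(f"platform '{device.platform}' is not supported")
        elif parse_version(device.os_version) < minimum:
            wanted = ".".join(str(n) for n in minimum)
            reasons.append(f"OS version {device.os_version} is below {wanted}")
        if not device.pin_set:
            reasons.append("no device PIN configured")
        if not device.encrypted:
            reasons.append("device storage is not encrypted")
        if device.jailbroken:
            reasons.append("device is jailbroken or rooted")

    if not reasons:
        return Decision(allowed=True)

    # Revoke access, remove the email profile and send the remediation email.
    notification = (
        f"Hello {device.user}, your device is blocked from corporate email: "
        + "; ".join(reasons)
        + f". To regain access, follow the steps at {remediation_url}"
    )
    return Decision(False, reasons, True, notification)


if __name__ == "__main__":
    # Constructed sample devices (not real users or data).
    url = "https://intune.example.invalid/remediate"   # placeholder URL
    managed = Device("alice", "ios", "9.3", True, pin_set=True, encrypted=True)
    personal = Device("bob", "android", "4.4.2", enrolled=False)
    for dev in (managed, personal):
        d = evaluate(dev, url)
        print(dev.user, "->", "ALLOW" if d.allowed else "BLOCK", d.reasons)
```

Running it shows the managed iOS device syncing mail while the unenrolled Android device is blocked with a notification pointing at the remediation steps. The separate `reasons` list is what you would log for the helpdesk: when users start enrolling, the first question they ask is why their device was blocked.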
Conditional Access is not only for Exchange ActiveSync; you can secure and restrict access with policies to the following:
- Exchange On-premises and Online
- Microsoft Office 365 Dedicated
- SharePoint Online.
Use conditional access to manage access to Microsoft Exchange On-premises, Exchange Online, Exchange Online Dedicated, and SharePoint Online.
You can control access to Exchange Online and Exchange On-premises from the following mail apps:
- The built-in app for Android 4.0 and later, Samsung Knox 4.0 Standard and later
- The built-in app for iOS 7.1 and later
- The built-in app for Windows Phone 8.1 and later
- The mail application on Windows 8.1 and later
- The Microsoft Outlook app for Android and iOS (for Exchange Online only)
You can control access to SharePoint Online from the following apps for the listed platforms:
- Microsoft Office Mobile (Android)
- Microsoft OneDrive (Android and iOS)
- Microsoft Word (iOS)
- Microsoft Excel (iOS)
- Microsoft PowerPoint (iOS)
- Microsoft OneNote (iOS)
Office desktop applications can access Exchange Online and SharePoint Online on PCs running:
- Office desktop 2013 and later with modern authentication enabled.
- Windows 7.0 and later
The Bigger Picture
Of course, this is just one part of a much bigger story. Microsoft's mobility strategy has improved by leaps and bounds and is spearheaded by Microsoft Enterprise Mobility Suite (EMS), which I recommend reading more about. (The figure below shows the makeup of Microsoft EMS.)
Simple how-to documentation
When it comes time for your end users to start enrolling, it will be very important that your IT team has some simple documentation to educate them on how to enroll their devices. To give you an idea of how this looks, Microsoft's documentation team has created an end user guide: Microsoft Intune End-User Enrollment Guide
Microsoft has made conditional access extremely simple to implement while still focusing on security and UX.
As you can see, by setting conditional access on the most-used corporate resource, email, end users will have no choice but to enroll in Mobile Device Management to receive their email on that device.
If you currently own Intune and are not already using conditional access, I highly recommend looking into it.
Or if you have not yet implemented an MDM solution and are concerned about your workforce adopting this solution, I hope you can see how using conditional access will work as a catalyst to achieve your desired results.
Good luck with implementing conditional access! If you have any questions, email us at firstname.lastname@example.org.