Intune: If you want email on your phone, you have to follow the rules!

Maintaining governance over where company data is stored and how it is used is a core priority for many IT professionals. In this mobile-first world, with each user on average having 3+ devices, each with company data on them, ensuring that data is well protected can be a challenge. Giving users a choice of what device they want to use and how they want to use it to do their job can be empowering – but we must protect the data that lives on those devices. This means ensuring that only compliant/approved devices (and compliant/approved apps) can access that data. If that data were compromised (leaked, lost, stolen, etc.), it could be devastating to an organization and place individual employees at risk.

A classic example is when an employee has a smartphone and would like to receive their company email on it. If they go to configure the built-in mail app with their email, how can you require the device to be enrolled in an MDM so it is protected, and require that they use an approved email app? Well, Microsoft Intune and Azure Active Directory Conditional Access to the rescue! In this blog, you and I will take a journey through how to set up and configure this exact scenario and then test it to see what the end-user experience looks like.

Note:
I’m not going to cover Microsoft Intune or Azure AD Conditional Access in full technical detail. Please refer to the product documentation (links above) for more information.

Let’s start by understanding Conditional Access. At a high level, it allows me (IT) to provide you (the end user) with access to corporate resources based on a set of conditions: if you meet those conditions, I’ll let you in. If you don’t meet them, or meet only one or two, I will have additional steps for you to take before I unlock the front door and invite you in for dinner. You can best think of Conditional Access as an “If/Then” statement. For example, if you are coming from a device that is unmanaged (and using an unapproved application), then allow access but require you to enroll the device in MDM (i.e. make it managed) and download the approved application for accessing email. Here’s a good graphical representation of how to think about this at a high level (as you can see, this can be very powerful!):
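To make the “If/Then” reading concrete, here is a small evaluator that models the policy this post builds (Exchange Online, all platforms, require compliant device AND approved client app) and runs the three sign-ins the post walks through: an unmanaged device using the native mail app, the enrolled device using Outlook, and the enrolled device going back to the native mail app. This is an added example, not Microsoft’s code or the author’s; the `SignIn`, `Policy`, `evaluate` and `walkthrough` names and the sample user are constructed for illustration, and the model covers only the two controls used in the post, not the full set of signals real Conditional Access evaluates.

```python
"""Toy Conditional Access evaluator for the "If/Then" logic described above.

Added example, not Microsoft code. It models only the controls used in this
post (compliant device, approved client app) and the "require all" operator.
"""
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    GRANT = "grant"                  # all conditions met: let the user in
    REMEDIATE = "remediate"          # withheld until the user enrolls / switches app
    NOT_IN_SCOPE = "not_in_scope"    # policy does not apply to this sign-in


@dataclass(frozen=True)
class SignIn:
    """What the identity provider sees at sign-in time (constructed sample data)."""
    user: str
    cloud_app: str          # resource being accessed, e.g. "Exchange Online"
    platform: str           # "iOS", "Android", "Windows", ...
    client_app: str         # the app making the request, e.g. "iOS Mail" or "Outlook"
    device_compliant: bool  # compliance state reported by Intune; False when unmanaged


@dataclass(frozen=True)
class Policy:
    """One Conditional Access policy: who/what it applies to and what it requires."""
    cloud_apps: frozenset
    platforms: frozenset            # {"all"} or specific platform names
    require_compliant_device: bool
    require_approved_app: bool
    require_all_controls: bool      # True = AND (the radio button in the post), False = OR
    approved_apps: frozenset        # apps that count as "approved client apps"
    enabled: bool = True


def evaluate(policy: Policy, signin: SignIn):
    """Return (Outcome, list of remediation steps the user must complete)."""
    # "If" part: does the policy apply to this sign-in at all?
    if not policy.enabled or signin.cloud_app not in policy.cloud_apps:
        return Outcome.NOT_IN_SCOPE, []
    if "all" not in policy.platforms and signin.platform not in policy.platforms:
        return Outcome.NOT_IN_SCOPE, []

    # "Then" part: evaluate each selected grant control.
    checks = []
    if policy.require_compliant_device:
        checks.append(("enroll the device in MDM and bring it into compliance",
                       signin.device_compliant))
    if policy.require_approved_app:
        checks.append(("use an approved client app (e.g. Outlook)",
                       signin.client_app in policy.approved_apps))
    if not checks:
        return Outcome.GRANT, []

    passed = [ok for _, ok in checks]
    satisfied = all(passed) if policy.require_all_controls else any(passed)
    if satisfied:
        return Outcome.GRANT, []
    return Outcome.REMEDIATE, [step for step, ok in checks if not ok]


# The policy built in this post: all users, Exchange Online, all platforms,
# compliant device AND approved app.
EXCHANGE_POLICY = Policy(
    cloud_apps=frozenset({"Exchange Online"}),
    platforms=frozenset({"all"}),
    require_compliant_device=True,
    require_approved_app=True,
    require_all_controls=True,
    approved_apps=frozenset({"Outlook"}),
)


def walkthrough():
    """The three sign-ins from the post, in order; returns their outcomes."""
    unmanaged_native = SignIn("alice", "Exchange Online", "iOS", "iOS Mail", False)
    enrolled_outlook = SignIn("alice", "Exchange Online", "iOS", "Outlook", True)
    enrolled_native = SignIn("alice", "Exchange Online", "iOS", "iOS Mail", True)
    return {
        "unmanaged + native mail": evaluate(EXCHANGE_POLICY, unmanaged_native),
        "enrolled + Outlook": evaluate(EXCHANGE_POLICY, enrolled_outlook),
        "enrolled + native mail": evaluate(EXCHANGE_POLICY, enrolled_native),
    }


if __name__ == "__main__":
    for name, (outcome, steps) in walkthrough().items():
        print(f"{name}: {outcome.value}", *steps, sep="\n    ")
```

Running it shows why the operator matters: with `require_all_controls=True`, an enrolled device in the native mail app still fails (one control passes, one fails), which is exactly the “caught red-handed” case at the end of the post; flipping the operator to OR would let that sign-in through.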


Now that we have an understanding of Conditional Access, let’s configure it for this scenario. I’m going to create a new Conditional Access policy in Azure Active Directory from within the Azure portal:


Next I will scope it to all users:


Next, for Cloud Apps I will choose Office 365 Exchange Online:

Next, for Conditions I will choose device platforms and select all platforms:

For Grant I will choose grant access and check the boxes for require device to be marked as compliant and require approved client app. I’ll also select the radio button so that all of the selected controls are required. (For more information about which apps count as approved client apps, see this article.)


Next I’ll enable the policy and click create:

I now need to configure the device compliance for Intune. I’m going to navigate to Device Compliance in the Intune blade:

I’m going to create a new policy that is targeted at just iOS:

IMPORTANT: If there are other platforms you need to accommodate, you’ll need to create a new policy for each platform type (i.e. Windows, Mac, Android, etc.).


For fun, block jailbroken devices under device health:

And for more fun, require a passcode under system security:

Now that the compliance policy has been created, I am going to assign it to all users:
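The same configuration can be created without clicking through the portal, which is useful when you want it in source control or need to repeat it across tenants. The following added example (not the author’s or Microsoft’s code) builds the two objects from the steps above, the Conditional Access policy (all users, Exchange Online, all platforms, compliant device AND approved app) and the iOS compliance policy (block jailbroken devices, require a passcode), and pushes them through the Microsoft Graph REST API, then assigns the compliance policy to all users. It assumes a Graph access token in the `GRAPH_TOKEN` environment variable, obtained out of band with the `Policy.ReadWrite.ConditionalAccess` and `DeviceManagementConfiguration.ReadWrite.All` permissions; the `EXCHANGE_ONLINE_APP_ID` constant is the well-known Exchange Online service principal appId and should be confirmed in your tenant; the `excluded_users` parameter and the GUID passed to it are a constructed placeholder.

```python
"""Push the Conditional Access policy and the iOS compliance policy from this
post through the Microsoft Graph REST API instead of the portal.

Added example, not the author's or Microsoft's code. Assumes a Graph access
token (GRAPH_TOKEN env var) obtained out of band with the permissions named
in the lead-in.
"""
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Well-known appId of the "Office 365 Exchange Online" service principal;
# confirm it against your tenant's service principals before relying on it.
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"


def conditional_access_policy(excluded_users=(), state="enabled"):
    """All users -> Exchange Online -> all platforms -> grant: compliant device AND approved app.

    excluded_users: object IDs of emergency-access accounts kept out of scope
    (placeholder values in the caller). "All users" with no exclusions can lock
    administrators out if Intune or the approved app misbehaves.
    """
    return {
        "displayName": "Exchange Online: require compliant device and approved app",
        "state": state,  # "enabledForReportingButNotEnforced" = report-only pilot
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(excluded_users)},
            "applications": {"includeApplications": [EXCHANGE_ONLINE_APP_ID]},
            "platforms": {"includePlatforms": ["all"]},
            "clientAppTypes": ["all"],  # keeps the native (ActiveSync) mail client in scope
        },
        "grantControls": {
            "operator": "AND",  # the "require all the selected controls" radio button
            "builtInControls": ["compliantDevice", "approvedApplication"],
        },
    }


def ios_compliance_policy():
    """iOS only: block jailbroken devices, require a passcode."""
    return {
        "@odata.type": "#microsoft.graph.iosCompliancePolicy",
        "displayName": "iOS: block jailbroken, require passcode",
        "securityBlockJailbrokenDevices": True,
        "passcodeRequired": True,
        # Creation fails without at least one scheduled action; this is the
        # "mark device noncompliant immediately" action the portal adds silently.
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",
            "scheduledActionConfigurations": [{
                "actionType": "block", "gracePeriodHours": 0,
                "notificationTemplateId": "", "notificationMessageCCList": [],
            }],
        }],
    }


def all_users_assignment():
    """Assign the compliance policy to all licensed users, as in the post."""
    return {"assignments": [{"target": {
        "@odata.type": "#microsoft.graph.allLicensedUsersAssignmentTarget"}}]}


def graph_post(token, path, body):
    """POST a JSON body to Graph and return the parsed response (empty dict on no body)."""
    req = urllib.request.Request(
        GRAPH + path, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def deploy(token, excluded_users=()):
    """Create both policies and assign the compliance policy; returns their IDs."""
    ca = graph_post(token, "/identity/conditionalAccess/policies",
                    conditional_access_policy(excluded_users))
    comp = graph_post(token, "/deviceManagement/deviceCompliancePolicies",
                      ios_compliance_policy())
    graph_post(token, f"/deviceManagement/deviceCompliancePolicies/{comp['id']}/assign",
               all_users_assignment())
    return ca["id"], comp["id"]


if __name__ == "__main__":
    ids = deploy(os.environ["GRAPH_TOKEN"],
                 excluded_users=["00000000-0000-0000-0000-000000000000"])  # placeholder
    print("created conditional access policy %s and compliance policy %s" % ids)
```

Two practical points the portal walkthrough does not show: create the policy with `state="enabledForReportingButNotEnforced"` first and read the sign-in logs before switching to `enabled`, and keep at least one emergency-access account in `excludeUsers`, because a broken compliance evaluation would otherwise block every mailbox in the tenant, including the administrators who need to fix it.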

Okay, let’s take a look at what the user experience is like for this scenario.


Let’s launch the native mail app on an iPad (iOS device):


Tap Exchange:


Sign in with my corporate credentials:


Tap sign in:



When my company’s login page appears to finish the sign in process, enter my password:

What do we have here? Looks like Conditional Access kicked in! My device is not managed! But it does give me an option to Enroll!


IMPORTANT: To see the enrollment process, reference my other blog article Intune: MDM Enrollment Experience (complete device management)

Once the device is enrolled, my policy also pulls down the Outlook app (well, the user is prompted to install it). When I launch the Outlook app…


Tap get started, and there’s my email profile!

NOTE: No additional configuration is required for the email profile to be displayed automatically.

And there’s my email!

Now what if I go back to the native mail app and try to use it? Well, following the same process as above, where I type in my credentials and try to sign in again to the native mail app – Conditional Access will catch me red-handed and block me from using it:

Conclusion: As you can see, this is a very powerful feature and introduces automation into your device security strategy. Enjoy!

Intune: MDM Enrollment Experience (complete device management) (OLD)

Microsoft Intune, part of Enterprise Mobility + Security (EMS), is an Azure-based service that enables IT to manage devices at scale (iOS, Android, macOS, Windows) and customize them, just like you would with an enterprise Windows PC. This provides a wealth of capability for IT to ensure devices are secure and protect the intellectual property on them, while remaining easy and efficient to use and not creating a burden on the end user. Let’s take a look at how to enroll a device into Intune MDM from the end-user’s perspective.

Note: Refer to the technical documentation for more information on how to configure Intune for MDM enrollment.

With my personal (or corporate owned) iPad I’m going to download the Company Portal app from the App Store:

Once downloaded, I’m going to launch the Company Portal app. Upon launching I will be prompted to sign-in:

Microsoft will recognize my credentials as Azure Active Directory credentials and will take me to my company’s sign-in page (still inside the app):

Once I click Sign-in, Company Portal will load:

Once signed in, there will be instructions prompting me that I need to get my device managed in order to access my corporate applications and data. I’m going to tap Begin.

Next, I’ll be made aware of what information on the device my IT department will have visibility to, and what they won’t. For me this is an important screen and step for users to develop trust with IT and the process. I’m going to tap Continue:

Next, I’ll be made aware of the next few steps: first I’ll be redirected to Settings, where I’ll be prompted to install the Management Profile, and then redirected back to the Company Portal. I’m going to tap Next:

I’m going to tap Allow for the redirect to Settings:

Upon redirect to Settings, I’m going to tap Install:

Tap Install again:

I will be warned about how my IT Department will have visibility to the data on my iPad. Tap Install again:

Next, I will tap Trust, indicating I trust the source of this management profile (Microsoft) to enroll my iPad into remote management:

Once the process finishes, I’ll tap Done:


Upon tapping done, I’ll be redirected back to Company Portal:

It looks like enrollment is complete! I’ll tap Done:

Upon exiting the app, as part of my company’s policy, the Microsoft Outlook app will be installed. I need to tap Install to give my consent:

In addition, my company’s policy requires that I set a passcode on my iPad:

Next, I’m going to launch Outlook so I can access my email:

Notice my email profile is already configured! I’m going to tap Add Account:

And I’ll be taken directly to my mailbox:

I’m curious though, what are the other policies my company is applying to my device? Let’s launch settings and take a look. Clicking on General and then Management Profiles I can see the various certificates being applied:

If I go back and tap Apps I can see the required apps my company is pushing and requiring me to install:

If I go back and tap Restrictions I can see the restrictions my company places on what I can do on my iPad. It looks like they block iCloud backups, block the camera, and require a passcode:

Conclusion: As you can see, the end-user experience for enrolling the device into Intune MDM is straightforward and easy. From here, depending upon how my IT administrator configured policies, I can have VPN/Wi-Fi profiles pushed down, printers configured and a vast amount of other configurations and customizations done to the device. Pretty cool!
