Technology | Jan 16, 2017

Using Intune With Exchange On-Premises

Sean Nixon

Microsoft Intune is part of Microsoft’s rapidly developing Enterprise Mobility + Security (EMS) suite. It provides a solution for mobile device management (MDM) and mobile application management (MAM) that integrates well with other Microsoft technologies, particularly when also using Office 365.

But what happens when we have an environment that’s still largely on-premises and we want to be able to manage and selectively wipe email? I recently ran into this exact situation of trying to integrate Intune with Exchange on-premises for a client. The Intune On-Premises Exchange Connector enables Intune to communicate with the Exchange Server that hosts the mailboxes for the mobile devices. However, there are some definite limitations that come with the territory when trying to leverage the Intune features listed below with on-premises mailboxes.

Selective Wipe

Outlook: No support

Native app: Samsung KNOX and iOS

In order for selective wipe to be possible, the email profile must be managed by Intune. Otherwise, it can’t distinguish the work profile from a personal ActiveSync profile and, consequently, cannot remove it. Because Intune can currently only deploy managed profiles to the native app of iOS and Samsung KNOX (more details later), selective wipe is limited to those platforms.

Support for managed email profiles for other Android devices using Android for Work is in the works, which may change the picture here, but it’s not available for all tenants yet.

MAM Policy

Outlook: All platforms

Native app: No support

This one may be obvious to some of you, but there is no way for Intune to manage the native mail application on any device. If you want to take advantage of mobile application management policies to restrict copy/paste to non-managed apps, prevent saving locally, etc., those policies will only affect Outlook. This is the same when using Exchange Online, but it is still an important point to be aware of.

Conditional Access

Outlook: No support

Native app: All platforms

The ability to enforce conditional access on email is a powerful capability that is critical to a full implementation of Intune. It allows you to withhold access to corporate email until the device is enrolled in Intune. Without it, we are at the mercy of the device owner to enroll their device, and they have little incentive to do so. It is important to note, therefore, that conditional access for the Outlook app is currently unsupported when using on-premises Exchange. And by not supported, I mean Intune will block access entirely from Outlook. Maybe that is what you want, particularly if you want selective wipe, but it is definitely a limitation of Intune at the present time.

Email Profile Auto-Setup

Outlook: No support

Native app: Samsung KNOX and iOS

Intune is unable to push down an email profile for Outlook, which makes sense given that it is not a system app. Less intuitively, it also does not work for stock Android devices (Google and other non-Samsung devices). This issue should be resolved with the rollout of Android for Work support in the next few months. With it, Intune will be able to set up an email account in the “work” profile of the device and, in theory, be able to selectively wipe the cached email data from that profile upon un-enrollment from Intune.

Another limitation to be aware of is that Intune standalone only gives you the option of using UPN as the username for email profiles on iOS (and devices using Android for Work if your tenant supports it). For whatever reason, with Samsung devices it lets you use the sAMAccountName, aka user logon name, as well. This comes into play if you are using the latter for ActiveSync basic authentication. You will be unable to deploy a valid email profile for anything but Samsung devices unless you switch to use UPN for authentication with ActiveSync. Not something to be done lightly to be sure.

The Big Picture

So now where do we stand? Let’s look at these four capabilities again in this handy graphic:

[Graphic: Intune with Exchange on-premises, summarizing the four capabilities discussed above]

Capability                 Outlook         Native app
Selective Wipe             No support      Samsung KNOX and iOS
MAM Policy                 All platforms   No support
Conditional Access         No support      All platforms
Email Profile Auto-Setup   No support      Samsung KNOX and iOS

The bottom line? If you want to take advantage of selective wipe and conditional access, you will need to limit devices to the native email app at the cost of a little convenience and application management for email. If your or your client’s focus is managing data in applications, you will need to enforce the use of Outlook and potentially stick to using Intune MAM Without Enrollment.

A couple of final things to consider when using Intune with on-premises Exchange:

  1. UPNs need to match primary SMTP addresses.

The Exchange connector will not properly pick up users for conditional access if these two attributes do not match in Azure Active Directory. This is also important because users must log in to Intune (as well as all Office 365 applications) using their UPN. The DOMAIN\username style will not work. As long as UPNs match email addresses, the process is as intuitive as possible for end users.

  2. The Intune Exchange Connector syncs every two hours.

In other words, there are often delays between enabling conditional access for a user and the ActiveSync block taking effect. Likewise, there can be delays before a newly enrolled device regains access to email. I was not able to find any documentation regarding how to change the connector’s synchronization interval.
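The UPN check from consideration 1 is easy to script before an Intune rollout. The following Exchange Management Shell snippet is an added example and is not from the original post or from Microsoft; it assumes a shell session on the on-premises Exchange server where Get-Mailbox is available, and the function name Get-UpnSmtpMismatch is an assumption. It reports every user mailbox whose UserPrincipalName differs from its primary SMTP address (the users the Exchange connector would not pick up correctly), and, because the post also notes that sAMAccountName-based ActiveSync authentication only works with Samsung profiles, it includes the sAMAccountName so the scope of a UPN change can be assessed.

```powershell
# Added example (not from the original post): find on-premises mailboxes whose
# UserPrincipalName does not match their primary SMTP address. The Intune Exchange
# Connector will not pick such users up correctly for conditional access.
# Assumes an Exchange Management Shell session; Get-UpnSmtpMismatch is a hypothetical name.
function Get-UpnSmtpMismatch {
    param(
        # Optionally restrict the report to one OU; default is all user mailboxes.
        [string]$OrganizationalUnit = $null
    )

    $params = @{ ResultSize = 'Unlimited'; RecipientTypeDetails = 'UserMailbox' }
    if ($OrganizationalUnit) { $params['OrganizationalUnit'] = $OrganizationalUnit }

    Get-Mailbox @params | ForEach-Object {
        $upn  = $_.UserPrincipalName
        $smtp = $_.PrimarySmtpAddress.ToString()

        # -ne on strings is case-insensitive in PowerShell, which matches how
        # UPNs and SMTP addresses are compared in practice.
        if ($upn -ne $smtp) {
            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                UserPrincipalName  = $upn
                PrimarySmtpAddress = $smtp
                # True when only the domain suffix differs, the usual case after a
                # UPN suffix change; a false value means the local part differs too.
                LocalPartMatches   = ($upn.Split('@')[0] -eq $smtp.Split('@')[0])
            }
        }
    }
}

# Usage: review the mismatches on screen, or export them before changing any UPNs.
Get-UpnSmtpMismatch | Format-Table -AutoSize
# Get-UpnSmtpMismatch | Export-Csv -Path .\upn-smtp-mismatch.csv -NoTypeInformation
```

Run it against the full set of mailboxes first; if the LocalPartMatches column is true for most rows, the remediation is usually a UPN suffix change rather than per-user edits. Either way, the list should be cleared before conditional access is switched on, since the two-hour connector sync means a mismatch discovered afterwards takes time to show up as a blocked device.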

So there you have it. Hopefully this will be helpful to you in evaluating whether to implement Microsoft Intune in your environment. In the case of our client, they decided to hold off on their Intune rollout until they migrated to Exchange Online so they could take advantage of its full capabilities.

Is your business dealing with the mobile security problem? Are you already licensed for EMS but don’t know how best to implement it to meet your business needs? Do you just have questions about the options available for mobile security? Credera has helped businesses to implement a mobile security strategy including the implementation of EMS and would be happy to help. Contact us at sales@credera.com.