Migrating to Office 365 from Microsoft Exchange Step By Step – Stage 6 Configuring Intune

Now that we have configured the Exchange 2016 Office 365 hybrid setup and are able to successfully migrate mailboxes, we need a way for users to securely access their Office 365 mail and other services from their mobile devices.  To do this we need to set up and configure Microsoft Intune.

We were actually migrating users from VMware’s AirWatch to Microsoft Intune.  Before we could migrate them we had to do the steps below to get Intune working correctly.  All of the settings below can be customised according to your own setup; I have just laid out a basic framework that will get Intune up and running and keep it secure.

Conditional Access

In order for mobile users to be able to use Intune and connect to Office 365, we first had to make some amendments to the Conditional Access policy.  I changed the platform scope of the original policy, which only allows access to MyCompany IP addresses, from All platforms to Windows and macOS machines. This was so that I could set a different access policy for mobile devices.




I then created a new access policy called Grant Mobile Access and changed the condition so that only Android, iOS and Windows Phone devices could connect.

Under Access controls we set the policy to grant access if the device is marked as compliant.
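
With the platforms split across two policies as described above, a platform named in neither policy is not evaluated by either of them. The check below is an added example, not part of the original post: it reads policies in the JSON shape Microsoft Graph returns for Conditional Access and lists the platforms that no enforced policy targets. The sample data and the first policy's display name are constructed for illustration.

```python
# Added example: audit which device platforms Conditional Access policies cover.
# Platform values are those of Graph's conditionalAccessDevicePlatform type.
KNOWN_PLATFORMS = ["android", "iOS", "windows", "windowsPhone", "macOS", "linux"]

# Constructed sample; only the fields this check reads are included.
SAMPLE_POLICIES = [
    {
        "displayName": "MyCompany IP addresses only",  # hypothetical name
        "state": "enabled",
        "conditions": {"platforms": {"includePlatforms": ["windows", "macOS"],
                                     "excludePlatforms": []}},
    },
    {
        "displayName": "Grant Mobile Access",
        "state": "enabled",
        "conditions": {"platforms": {
            "includePlatforms": ["android", "iOS", "windowsPhone"],
            "excludePlatforms": []}},
    },
]

def platforms_in_scope(policy):
    """Return the set of known platforms a policy applies to."""
    cond = (policy.get("conditions") or {}).get("platforms")
    if not cond:  # no platform condition: the policy applies to every platform
        return set(KNOWN_PLATFORMS)
    included = set(cond.get("includePlatforms") or [])
    if "all" in included:
        included = set(KNOWN_PLATFORMS)
    excluded = set(cond.get("excludePlatforms") or [])
    return (included & set(KNOWN_PLATFORMS)) - excluded

def platform_coverage(policies):
    """Map each platform to the names of enforced policies that target it."""
    coverage = {p: [] for p in KNOWN_PLATFORMS}
    for policy in policies:
        if policy.get("state") != "enabled":  # report-only/disabled do not enforce
            continue
        for platform in platforms_in_scope(policy):
            coverage[platform].append(policy["displayName"])
    return coverage

def uncovered_platforms(policies):
    """List platforms that no enforced policy targets, in KNOWN_PLATFORMS order."""
    return [p for p, names in platform_coverage(policies).items() if not names]

if __name__ == "__main__":
    for platform, names in platform_coverage(SAMPLE_POLICIES).items():
        print(f"{platform:13} {', '.join(names) or 'NO POLICY APPLIES'}")
```
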

Compliance Policy

To create a compliance policy for your devices, open the Intune portal, go to Device Compliance – Policies and click Create Policy:




Give the policy a name and a description.

Configure as follows:





Configure System Security as follows:

Actions for noncompliance

 

We leave the Assignments set to All Users.

To check device compliance, open Intune > Device Compliance > Device Compliance.




Managing Applications

To add an app, go to Intune > Client apps > Apps > Add.

To add Outlook, change the app store to UK and search the App Store for Outlook.

Configure Outlook as follows:

Click Assignments and set the requirement type to Required; the app will then be installed automatically.

App protection policies

Open Intune and go to Client apps > App protection policies.

Click Add a policy and give it a name; leave target to all app types.




Select Assignments and choose which groups you want to include.  You can set up AD groups on your on-premises AD servers and sync them to Azure for this.

Select the apps that you want to target with the policy:

Configure the policy settings as below:



