• Home
  • Blog
  • Technical
  • Leveraging Conditional Access to enforce either MDM or MAM–user’s choice

Leveraging Conditional Access to enforce either MDM or MAM–user’s choice

Back to Blog
29Nov2018

Leveraging Conditional Access to enforce either MDM or MAM–user’s choice

In some circumstances, you might want users to have their choice:

  1. Use the native mail apps and have their mobile devices managed via Intune MDM, OR,
  2. Use a managed application such as Outlook on their own personal devices, and opt out of full device management.

The catch is, they must go down one or the other path to gain access to resources. So as an admin, you know that their device will either show up in your inventory and be properly managed, or, that the user will be protected using the MAM policies from your Microsoft 365 subscription. Win-win.

Previously, I described this scenario in another post, as an alternative to straight up requiring managed apps at all times. I promised to show another option that gives us a bit more flexibility between MAM and MDM, so here it is.

I will ask you to configure three policies:

  1. Require either MDM or MAM for access to Office 365 Exchange Online and SharePoint Online via mobile devices
  2. Require MDM or MAM for access to Exchange Online via an EAS client
  3. Block legacy client applications from Exchange Online

Policy # 1: Require either MDM or MAM for mobile access to Office 365 Exchange Online and SharePoint Online

From the Azure AD portal, go to Conditional Access and create a new policy. Name it something descriptive like require MAM or MDM for Exchange Online and SharePoint Online. Choose All users, or scope it to a subset of users.  I usually exclude at least one admin account in there, as previously described in other examples. Select two Cloud apps specifically: Office 365 Exchange Online and Office 365 SharePoint Online–these apps are the ones worth protecting, with online locations for storing company data. (Note: With Teams there really is only one client to choose from, and all the shared Team files are stored in SharePoint anyway.)

For Conditions, under Device platforms you need to select at least Android and iOS (this policy is scoped to mobile devices).

The second condition is Client apps, choose Mobile apps and desktop clients, and under that, Modern authentication clients only.

Now, here is where the magic takes place. Go to Access controls, choose Grant access, and select both Require device to be marked as compliant, AND Require approved client app, BUT, be sure to pick Require one of the selected controls. This is where you get two possible paths–meeting either will grant access.

The effect of choosing the other option here, to require all controls, would mean that devices would be required to become both MDM and MAM managed. Some orgs may want to do this, but our goal here is to provide options for BYOD scenarios, not to create strict policies for corporate-owned devices.

Policy #2: Require MDM or MAM for access to Exchange Online via an EAS client

For some odd technical reason (for which I still haven’t found a super great explanation), Microsoft does not support configuring a Conditional access policy for Exchange ActiveSync alongside of other applications or conditions, so you need to configure this separately to be “officially supported.” It looks like this:

Name a new policy something like Conditional access for EAS. Again I would apply this as liberally as possible across the user base, but we should only select Office 365 Exchange Online in this case under Cloud apps, to be supported as a policy scoped specifically to EAS clients.

Then under Conditions > Client apps (which is the only supported condition in this case), pick Mobile apps and desktop clients, as well as Exchange ActiveSync clients.

And last: the Access controls will be the same as we saw above, so just replicate that same selection again.

Policy #3: Block legacy client applications from Exchange Online

Last, you may want to take one further step to block access to older legacy applications. For instance IMAP clients, etc. Only implement this policy if you have removed all legacy applications from your environment, and are using newer, Office 365 subscription-based desktop and mobile apps.

Name the policy something like Block legacy client apps from Exchange Online. Again we only need to select Office 365 Exchange Online under Cloud apps. Under Conditions > Client apps, choose Mobile apps and desktop clients, and Other clients underneath that.

Access controls will be different this time: just choose Block access.

Save selections and Create the final policy.

Test it out!

Now, when a user goes to add an email profile to the native mail app on their phone, for example, they will be required to register their mobile device, and run through the process to become enrolled for MDM. See the screenshot below as an example.

Otherwise, a user could choose to add the Outlook app to their device, and thereby they would be granted access without the requirement to enroll for MDM. This is perfectly acceptable, as long as you have already configured your MAM policies. Either way, users will be protected either via MDM or MAM, depending upon which application experience they prefer.

Technical , , , , , 0 Comments
Share:

Leave a Reply

Back to Blog

Related Posts

Turn your MFA up to 11
09Dec

But have you turned multifactor authentication ALL the way on?

Do you remember just a short time ago, Microsoft would claim that switching on Multi-factor Authentication (MFA) prevents 99.9% of identity-based attacks? Well, the times they are a-changin. I do not know what they would report today for a percentage of attacks which are thwarted... read more
27Apr

How to enable 2-factor or multi-factor authentication (2FA or MFA)

Enabling a second factor for authentication is an important (and often very easy) thing to do.  Usually this can be accomplished in just a few clicks for most websites and cloud services. It is highly recommended that you take the time to do this, especially for... read more
17Aug

Showdown: Office 365 E3 vs. Microsoft 365 Business

Recently I wrote a few articles on the various subscriptions out there, and how confusing everything is getting as the 365 universe expands and morphs. Since that time, I have also been playing more and more with the Microsoft 365 Business subscription (as opposed to... read more
18Jul

Reader question: How do I setup iOS devices after disabling app permissions consent for my users?

I continue to get great feedback and questions from our readership lately. Keep it up! I love to field these questions and use them to improve my literature. This person (who is also an MVP) also wished to remain anonymous, and had a couple of... read more
29Aug

2016 Essentials Integration: Microsoft Intune

Today we're going to enable the Microsoft Intune integration service from the Essentials Dashboard and discuss what it means a little bit. Intune is another cloud offering by Microsoft. It's purpose is to enable more robust Mobile Device Management. You can obtain an Intune subscription separately, which is what... read more
20Jun

A framework for implementing device-based Conditional access with Microsoft Intune

I recently shared a set of scripts to help make deployment of Intune a bit quicker. Today I just want to cover a framework which can be used for deploying device-based conditional access in conjunction with your baseline policy set. The main crux of the... read more
07Apr

Extend Your On-premises Network with Azure Virtual Network

One of my favorite use cases for Azure Virtual Networks and Azure Virtual Machines is to create a secondary (DR) site for a fraction of what it would cost to build your own co-location. With one of the smaller-sized basic or even standard tier VM's to act as... read more
11Oct

Understanding the Anti-Spoofing technology in Exchange Online

In the Spring of 2018, Microsoft released some new anti-spoofing features into their Advanced Threat Protection product, which is also bundled into Microsoft & Office 365 E5 plans, as well as Microsoft 365 Business. Anti-spoofing leverages machine learning and other intelligent software to determine whether... read more
24Mar

What is Advanced Threat Analytics?

Advanced Threat Analytics (ATA) is a security product from Microsoft that is included with the Enterprise Mobility Suite (EMS) subscription.  Unlike most of the other EMS components that tend to be a bit more cloud-centric, ATA is an on-premises-based security solution that helps identify Advanced Persistent Threats (APT's) and insider... read more
15Aug

Find out why Windows Server 2016 Essentials Experience still matters

Upcoming Windows Server Essentials Experience Series For many months now, I have been playing around with the Windows Server 2016 Technical Previews, especially the Essentials Experience role. You might ask: Why? Does the Windows Server Essentials product matter anymore, now that we have Office 365 and have moved well past the... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me