Microsoft Adds Conditional Access to System Center 2012 R2 Configuration Manager for Exchange Online
Microsoft has added its "conditional access" mobile device management capability to its System Center 2012 R2 Configuration Manager product for organizations using the Exchange Online e-mail service.
Conditional access is feature of the Microsoft Intune mobile device management service that checks to see if the device is managed and compliant before permitting access to an organization's applications and data. While conditional access is an Intune capability, Microsoft recently explained that it plans to bring "100 percent" of its Intune capabilities to its System Center Configuration Manager PC management solution. That's enabled using Intune connector software, which permits Configuration Manager to be used as a "single pane of glass" for managing both PCs and mobile devices.
So far, Microsoft has announced various new Intune features. They now arrive on a monthly frequency. These Intune product updates have mostly been for the "standalone" Intune product, meaning that they don't yet work with Configuration Manager via Intune connector technology. Today, Microsoft announced an exception to that general trend. It's now possible to use System Center 2012 R2 Configuration Manager to enforce conditional access policies for mobile devices accessing Exchange Online.
Microsoft's announcement today is very specific about the new conditional access capability applying just to Exchange Online. The standalone version of Intune has broader capabilities. It's capable of enforcing conditional access for premises-based Exchange Server, as well as SharePoint Online and dedicated versions of Microsoft Office 365, according to Microsoft's TechNet documentation. It's possible that Configuration Manager will one day get those capabilities, too. However, Microsoft currently has a warning in its TechNet documentation not to use the Intune connector "if you intend to use conditional access for both Exchange Online and Exchange On-premises."
Organizations need to carry out a few setup steps to use Configuration Manager with the new conditional access capability. It gets enabled through an extension, called "Conditional Access," which will show up in the Configuration Manager console. IT pros need to enable it through the console before it will work, as Microsoft describes in this TechNet article.
The devices managed under Microsoft's conditional access scheme are required to use the Exchange ActiveSync client protocol. For Exchange Online, supported devices include those running Windows 8.1 and later operating systems, Windows Phone 8.1 and later OSes, iOS 6.0 and later OSes and Android 4.2 and later OSes.
The devices also need to be enrolled via "workplace join" (which is a Windows Server 2012 R2-associated technology for non-domain-controlled devices) to work with the conditional access feature. Microsoft's Azure Active Directory service is used to enable the workplace join operation.
Conditional access checks to see if a device is registered with Azure Active Directory and also if it's compliant with the policies set up for the device by IT pros, according to a blog post by Chris Green, a senior program manager at Microsoft. The compliance policy gets set up using the Intune console. It's also possible to set compliance policies using Configuration Manager via the "Assets and Compliance" interface, Green noted.
A typical compliance policy might only allow a device access to resources if it is password protected, encrypted and not jailbroken. However, the policies that can be set depend on the device's operating system. For instance, Android-based devices don't force the user to encrypt a device, according to Microsoft's documentation.
If a device fails a conditional access check, the system sends a message to the end user describing how the device can be brought into a compliant state. IT pros using Intune can see a list of the noncompliant devices ahead of time by running the Mobile Device Inventory Report in Intune. Green said that this reporting capability will arrive later for "hybrid" users of System Center Configuration Manager with the Intune connector, but it's not available with this current extension release.
Microsoft first added this conditional access feature in its December Intune update, according to Green. Microsoft's March Intune update also extended the conditional access capability to Microsoft's OneDrive for Business and SharePoint Online services. Microsoft's various conditional access components seem to be rolling out in a gradual fashion, though. For instance, Microsoft also announced this month that its Azure Active Directory service now supports conditional access for premises-installed apps, in addition to SaaS apps.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.