Microsoft Adds Conditional Access to System Center 2012 R2 Configuration Manager for Exchange Online

Microsoft has added its "conditional access" mobile device management capability to its System Center 2012 R2 Configuration Manager product for organizations using the Exchange Online e-mail service.

Conditional access is a feature of the Microsoft Intune mobile device management service that checks whether a device is managed and compliant before permitting access to an organization's applications and data. While conditional access is an Intune capability, Microsoft recently explained that it plans to bring "100 percent" of its Intune capabilities to its System Center Configuration Manager PC management solution. That's enabled using Intune connector software, which permits Configuration Manager to be used as a "single pane of glass" for managing both PCs and mobile devices.

So far, Microsoft has announced various new Intune features, which now arrive monthly. These Intune product updates have mostly been for the "standalone" Intune product, meaning that they don't yet work with Configuration Manager via Intune connector technology. Today, Microsoft announced an exception to that general trend. It's now possible to use System Center 2012 R2 Configuration Manager to enforce conditional access policies for mobile devices accessing Exchange Online.

Microsoft's announcement today is very specific about the new conditional access capability applying just to Exchange Online. The standalone version of Intune has broader capabilities. It's capable of enforcing conditional access for premises-based Exchange Server, as well as SharePoint Online and dedicated versions of Microsoft Office 365, according to Microsoft's TechNet documentation. It's possible that Configuration Manager will one day get those capabilities, too. However, Microsoft currently has a warning in its TechNet documentation not to use the Intune connector "if you intend to use conditional access for both Exchange Online and Exchange On-premises."

Organizations need to carry out a few setup steps to use Configuration Manager with the new conditional access capability. It gets enabled through an extension, called "Conditional Access," which will show up in the Configuration Manager console. IT pros need to enable it through the console before it will work, as Microsoft describes in this TechNet article.

The devices managed under Microsoft's conditional access scheme are required to use the Exchange ActiveSync client protocol. For Exchange Online, supported devices include those running Windows 8.1 and later operating systems, Windows Phone 8.1 and later OSes, iOS 6.0 and later OSes and Android 4.2 and later OSes.

The devices also need to be enrolled via "workplace join" (which is a Windows Server 2012 R2-associated technology for non-domain-controlled devices) to work with the conditional access feature. Microsoft's Azure Active Directory service is used to enable the workplace join operation.

Conditional access checks to see if a device is registered with Azure Active Directory and also if it's compliant with the policies set up for the device by IT pros, according to a blog post by Chris Green, a senior program manager at Microsoft. The compliance policy gets set up using the Intune console. It's also possible to set compliance policies using Configuration Manager via the "Assets and Compliance" interface, Green noted.

A typical compliance policy might only allow a device access to resources if it is password protected, encrypted and not jailbroken. However, the policies that can be set depend on the device's operating system. For instance, Android-based devices don't force the user to encrypt a device, according to Microsoft's documentation.

If a device fails a conditional access check, the system sends a message to the end user describing how the device can be brought into a compliant state. IT pros using Intune can see a list of the noncompliant devices ahead of time by running the Mobile Device Inventory Report in Intune. Green said that this reporting capability will arrive later for "hybrid" users of System Center Configuration Manager with the Intune connector, but it's not available with this current extension release.
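The checks described above (supported platform, Azure Active Directory registration, the password/encryption/jailbreak compliance policy with its Android exception, and the remediation message sent when a device fails) modeled as a small evaluator; this is an added example, not Microsoft's code, and the Device fields, the SUPPORTED table and the sample inventory are assumptions built from the figures in the article.

```python
from dataclasses import dataclass

# Minimum OS versions the article lists for Exchange Online conditional access.
SUPPORTED = {"Windows": (8, 1), "WindowsPhone": (8, 1), "iOS": (6, 0), "Android": (4, 2)}

@dataclass
class Device:
    name: str
    os: str            # one of the SUPPORTED keys
    version: tuple     # e.g. (8, 1); assumed field layout, not an Intune schema
    registered: bool   # workplace-joined / registered in Azure Active Directory
    has_password: bool
    encrypted: bool
    jailbroken: bool

def evaluate(device):
    """Return (compliant, remediation_steps); the steps are the end-user message."""
    steps = []
    minimum = SUPPORTED.get(device.os)
    if minimum is None or device.version < minimum:
        ver = ".".join(map(str, device.version))
        steps.append(f"{device.os} {ver} is not a supported platform for conditional access.")
    if not device.registered:
        steps.append("Register the device with Azure Active Directory (workplace join).")
    if not device.has_password:
        steps.append("Set a device password.")
    # Encryption is not enforced on Android, as the article notes for that platform.
    if not device.encrypted and device.os != "Android":
        steps.append("Enable device encryption.")
    if device.jailbroken:
        steps.append("Jailbroken or rooted devices are blocked; restore a supported build.")
    return (not steps, steps)

def noncompliant_report(inventory):
    """Ahead-of-time view of blocked devices: name -> remediation steps."""
    report = {}
    for device in inventory:
        compliant, steps = evaluate(device)
        if not compliant:
            report[device.name] = steps
    return report

# Constructed sample inventory (not real device data).
INVENTORY = [
    Device("ipad-01", "iOS", (8, 1), True, True, True, False),
    Device("android-02", "Android", (4, 4), True, True, False, False),  # unencrypted, allowed on Android
    Device("android-03", "Android", (4, 1), True, False, False, True),  # too old, no password, rooted
    Device("surface-04", "Windows", (8, 1), False, True, True, False),  # not workplace-joined
]
```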

Microsoft first added this conditional access feature in its December Intune update, according to Green. Microsoft's March Intune update also extended the conditional access capability to Microsoft's OneDrive for Business and SharePoint Online services. Microsoft's various conditional access components seem to be rolling out in a gradual fashion, though. For instance, Microsoft also announced this month that its Azure Active Directory service now supports conditional access for premises-installed apps, in addition to SaaS apps.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
