question

HarisBrkanic-8585 asked Crystal-MSFT commented

Intune ExchangeOnPrem HMA not work as expected

Our goal is to establish MDM using Intune with Exchange On-Premises and use only Outlook for Android and iOS as the mail client on mobile devices. The on-prem environment is Active Directory DFL/FFL Windows Server 2012 R2, Exchange Server 2016 CU21; the domain is synced with Azure AD Connect using password hash synchronization. All users have Microsoft 365 Business Premium licences. HMA is configured, Exchange Hybrid is established, and conditional access and app protection policies are configured.

When a user enrolls in Intune using the Company Portal, it works as expected. But when we want to block other, unmanaged devices, managed devices are also blocked. We tried to block unmanaged devices with these PS commands in Exchange On-Prem:
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block
New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString "Outlook for iOS and Android" -AccessLevel Allow

Need help to achieve the goal: block unmanaged devices, allow managed devices with Outlook for Android & iOS.

mem-intune-conditional-access
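An added diagnostic example (not part of the original thread) for the on-premises Exchange Management Shell: it lists the organization default, the device access rules, and for every mobile device the DeviceModel/DeviceType string it actually reports together with the reason Exchange chose its current access state, so a mismatch between the allow rule's QueryString and what the managed devices report becomes visible. The cmdlets and property names are real Exchange ones; the filtering and layout are assumptions of this example.

```powershell
# Added example: run in the Exchange Management Shell of the on-premises org.
# Shows why each device is Allowed/Blocked/Quarantined after the
# DefaultAccessLevel Block + DeviceModel allow rule described in the question.

# 1. Organization-wide default and the access rules currently defined.
Get-ActiveSyncOrganizationSettings | Format-List DefaultAccessLevel
Get-ActiveSyncDeviceAccessRule |
    Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize

# 2. Per-device state: exact DeviceType/DeviceModel strings as reported by the
#    client, the resulting access state and the reason (Global = org default,
#    DeviceRule = matched an access rule, Individual = per-mailbox allow/block).
Get-MobileDevice -ResultSize Unlimited |
    Select-Object UserDisplayName, DeviceType, DeviceModel,
                  DeviceAccessState, DeviceAccessStateReason,
                  DeviceAccessControlRule |
    Sort-Object DeviceAccessState |
    Format-Table -AutoSize

# 3. Devices that are blocked although they identify as Outlook. A non-empty
#    list with reason "Global" means the allow rule's QueryString did not match
#    the reported DeviceModel; compare the column above character for character.
Get-MobileDevice -ResultSize Unlimited |
    Where-Object {
        $_.DeviceAccessState -eq 'Blocked' -and $_.DeviceModel -like '*Outlook*'
    } |
    Format-Table UserDisplayName, DeviceType, DeviceModel,
                 DeviceAccessStateReason -AutoSize
```

Because the block is applied at the ActiveSync layer, rerun step 2 after each rule change; a device keeps its last evaluated state until it syncs again.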


1 Answer

Crystal-MSFT answered Crystal-MSFT commented

@HarisBrkanic-8585, from your description, it seems all the Outlook connections from both managed and unmanaged devices are blocked. Based on my research, the commands we run will block all existing connected devices from accessing their mailbox unless the devices are subject to device access rules or individual allow or block list entries. It seems the device access rule is not working. As I am not familiar with this, we suggest contacting Exchange support to see if our requirement can be accomplished with these commands:
https://docs.microsoft.com/en-us/answers/topics/office-exchange-hybrid-itpro.html

From the Intune side, there's no direct setting to block unmanaged devices, but in a conditional access policy we can configure blocking of non-compliant devices from accessing Exchange Online resources. We can set a compliance policy to define which enrolled devices are considered compliant and then configure a conditional access policy to require a compliant device when accessing Exchange Online. Here are some links for reference:
https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-compliant-device

Hope it can help.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



@HarisBrkanic-8585, hope things are going well. I am writing to see if there's anything else we can help with. If so, feel free to let us know.
