Now that you've read through the architecture guidance for protecting company email and documents, you are ready to proceed with deploying a solution.
For Intune to directly manage mobile devices, users need to enroll devices into Intune.
Follow these steps to deploy the Exchange Online with Intune solution:
Step 1: Create compliance policies and deploy to users.
Compliance policies define the rules and settings that a device must comply with in order to be considered compliant by conditional access polices. Follow the steps at Create a compliance policy in Microsoft Intune to create and deploy compliance policies.
If you want the ability to remove all corporate email from an iOS device after it is no longer part of your company, you must create and deploy an email profile and then set the compliance policy that specifies that email profiles are managed by Intune. You must deploy the email profile to the same set of users that you target with this compliance policy.
If you specify this compliance policy, a user who has already set up their email account must manually remove it and then Intune will add it back in through the registration process described in End-user experience of conditional access.
If you have not deployed a compliance policy and then enable an Exchange conditional access policy, all targeted devices will be allowed access.
Step 2: Evaluate the effect of the conditional access policy.
If you have configured a connection between Intune and Exchange by using the Microsoft Intune service to service connector, you can use the Mobile Device Inventory Reports to identify EAS mail clients that will be blocked from accessing Exchange after you configure the conditional access policy.
Follow the instructions at Evaluate the effect of the conditional access policy to identify those users who will be impacted by conditional access policy.
Step 3: Configure user groups for the conditional access policy.
You target conditional access policies to different groups of users depending on the policy types. These groups contain the users that will be targeted, or exempt from the policy. When a user is targeted by a policy, each device they use must be compliant in order to access email.
For more information, see Configure user groups for the conditional access policy.
Step 4: Configure conditional access policy.
The following flow is used by conditional access policies for Exchange Online to evaluate whether to allow or block devices.
Follow the information provided under Configure the conditional access policy to set up your conditional access policy.
Monitor the compliance and conditional access policies
To view devices that are blocked from Exchange:
On the Intune dashboard, click the Blocked Devices from Exchange tile to show the number of blocked devices and links to more information.
Where to go from here
After you have deployed a solution for protecting corporate email and email data on mobile devices, you can learn more about the end-user experience of conditional access. This will help prepare you for issues that might arise when end users enroll their specific devices.