Showing posts with label Enterprise Mobility Management. Show all posts

Friday, August 14, 2015

Understanding Configuration Policies on Microsoft Intune

In Microsoft Intune, there are two types of configuration policies for managing mobile devices. The first type is the Common Mobile Device Settings policy, which also includes Windows PC settings. This kind of policy is based on Exchange ActiveSync, and it can manage the following groups of configuration settings across all platforms (iOS, Android, Windows Phone and Windows PC):
  • Security
  • Encryption
  • System
  • Email
  • Applications


The second type is the platform-specific policy, one each for iOS, Android, Windows Phone and Windows PC. This kind of policy is applied only to its own platform. For example, an iOS Configuration Policy is applied to iOS devices only; other platforms such as Android and Windows Phone won't receive the settings from an iOS Configuration Policy, even if it is deployed to all user groups or to the all-mobile-devices group.




To manage a multi-platform environment on Microsoft Intune, consider creating a specific configuration policy for each platform.


This posting is provided “AS IS” with no warranties, and confers no rights!

Saturday, August 8, 2015

My view of compliance policy on Microsoft Intune

A compliance policy is a set of basic rules and settings for users' enrolled devices. A compliance policy can be applied to all of a user's devices, such as iOS, Android, Windows Phone and so on. In Microsoft Intune, the compliance policy checks the following on devices:
  • Password
  • Encryption
  • Jailbreak
  • Email Profile

Microsoft has defined what happens to non-compliant devices. For example, if an iOS device doesn't meet the PIN or password requirement, the compliance policy prompts the user to set a PIN or password within 60 minutes; if none has been set when the 60 minutes are up, the user is forced to configure one. For the other scenarios, Microsoft publishes a table of the actions applied to non-compliant devices.


Compared with other Enterprise Mobility Management products, the compliance policy settings of Microsoft Intune lack flexibility. There is no option for administrators to control the OS version of enrolled devices. For security reasons, administrators would like to apply such a setting in the compliance policy to filter OS versions for their companies.

Even when a device is non-compliant, for example with no PIN or password configured, the user can still download applications through the Company Portal. It seems that the compliance policies of Microsoft Intune aren't flexible and mature enough.

I hope Microsoft will add more flexible settings to the compliance policy of Microsoft Intune, like other EMM products have.

This posting is provided “AS IS” with no warranties, and confers no rights!

Friday, June 19, 2015

Add a user to a custom user group on AirWatch Portal.

There is no option under a custom user group to add a user to the group on the AirWatch Portal.




How do we add a user to a custom user group?
Select the user account and then click "Accounts > List View > Management > Add to user group" to add the user to a custom user group.


Then select the custom group to which you want to add the user.


As a result, the user is added to the custom user group on the AirWatch Portal.


This posting is provided “AS IS” with no warranties, and confers no rights!

Friday, June 5, 2015

Configure AirWatch Mobile Email Management to connect to Office 365

Recently, I needed to test Mobile Email Management (MEM) of AirWatch connecting to Office 365 email. I'd like to make some notes for myself and share them with everyone. If you are using AirWatch as your Enterprise Mobility Management solution, you might be interested.

Why do we use Mobile Email Management?
We already have ActiveSync to connect to our Exchange servers or Office 365, with some security policies.

Normally, Enterprise Mobility Management software providers offer an email client that works with their platform. This kind of email client can provide enhanced security features such as email encryption, data loss prevention and so on to protect email on mobile devices.

Goals
Configure an email profile on AirWatch for iOS devices with AirWatch Inbox, so that they can connect to their email accounts on Office 365.

To configure MEM, we need to do the following tasks on Office 365 and in the AirWatch console.
1. Create a service account for AirWatch to connect to your Office 365 tenant.
2. Create an email profile for mobile devices on AirWatch.
3. Configure Mobile Email Management on AirWatch.

Task 1
1. Log in to your Office 365 as an administrator.
2. Go to Office 365 admin center > Users > Active Users.



3. Click the + button to create a new user.
4. On "Create new user account" page, under "Display name" and "User name", enter a name for this service account.
5. Click "Type password" and then enter a password for this service account.
6. Un-check "Make this person change their password the next time they sign in".



7. Click "Create".

By default, Office 365 assigns a license to the user when we create it. The service account doesn't need an Office 365 license (it only needs Exchange admin rights, not a mailbox), so we're going to remove the license from it.



8. Select the service account and then click "Edit" next to "Assigned license".



9. On the "Assign License" page, un-check the Office 365 license and then click "Save".



10. Go to the "Exchange admin center" and click "permissions".



11. Click the + button to add a new admin role group.
12. On the "new role group" page, add "Mail Recipients", "Organization Client Access" and "Recipient Policies" under "Roles". Only these three roles are needed for MEM; don't put the service account in a broad group such as Organization Management.
13. Add the service account as a member.



14. Click "Save".
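The same service account and role group can be created from PowerShell instead of the admin center, which makes the least-privilege setup repeatable and lets you check exactly which Exchange roles the account ended up with. The block below is an added example, not from the original post or from AirWatch; it assumes the MSOnline module is installed, that you sign in as a Global Admin, and that the names `svc-airwatch-mem@contoso.onmicrosoft.com` and `AirWatch MEM` are placeholders for your own.

```powershell
# Added example (not from the original post): create the AirWatch service account and
# the scoped Exchange admin role group with PowerShell.
# Assumptions: MSOnline module installed, Global Admin credentials, placeholder names.

Import-Module MSOnline
Connect-MsolService   # prompts for a Global Admin credential

$upn = 'svc-airwatch-mem@contoso.onmicrosoft.com'   # placeholder

# Generate a random 16-character password (the Azure AD limit at the time) with a CSPRNG.
# Store it in your secrets vault once; it is what you paste into AirWatch later.
$bytes = New-Object byte[] 12
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = [Convert]::ToBase64String($bytes)

# No -LicenseAssignment: the account only needs Exchange RBAC rights, not a mailbox.
# -ForceChangePassword $false matches un-checking "Make this person change their password".
New-MsolUser -UserPrincipalName $upn -DisplayName 'AirWatch MEM service account' `
    -Password $password -ForceChangePassword $false -PasswordNeverExpires $true | Out-Null

# Connect to Exchange Online remote PowerShell (the endpoint AirWatch will also use).
$adminCred = Get-Credential -Message 'Exchange Online admin'
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $adminCred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking | Out-Null

# Role group with only the three roles the post lists, and the service account as member.
New-RoleGroup -Name 'AirWatch MEM' `
    -Roles 'Mail Recipients', 'Organization Client Access', 'Recipient Policies' `
    -Members $upn | Out-Null

# Check: list the management roles the service account actually holds.
Get-ManagementRoleAssignment -RoleAssignee 'AirWatch MEM' |
    Select-Object Role, RoleAssigneeName

Remove-PSSession $session
```

The final `Get-ManagementRoleAssignment` call is the check worth keeping: if anything beyond the three roles appears there, the account has more rights than MEM needs.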

Task 2
1. Log in to your AirWatch console as an administrator.
2. Navigate to "Devices > Profiles > List View".



3. Click "Add".
4. Select a platform for deploying email profile. In my test case, I selected Apple iOS.



5. On "General" page, enter a name for the profile.
6. Next to "Assigned Smart Groups", select a smart group from your environment. In my environment, I selected the smart group for iOS devices.



7. In the left pane, select "Exchange ActiveSync" and then click "Configure".
8. On "Exchange ActiveSync" page, next to "Mail Client", select "AirWatch Inbox".
9. Next to "Exchange ActiveSync Host", enter "outlook.office365.com" to connect to mail servers on Office 365.
10. Next to "Login Information", you need to know your corporate email address naming convention; AirWatch provides many lookup options for configuring it.



In my test environment, I configured the following patterns.



There are also some restriction settings available to control AirWatch Inbox.



In my test case, I didn't change any of the default settings.

11. Click "Save and Publish" to deploy the profile to managed devices.

Task 3
1. Still in the AirWatch console, go to "Settings".
2. On the "Settings" page, navigate to "Email > Configuration".



3. Click "Configure".
4. On the "Mail Platform" page, select the following and then click "Next".

Email Server Type: Microsoft Exchange
Microsoft Exchange Version: Exchange 2010 / 2013 / Office365
Deployment Type: Exchange PowerShell



5. On the "MEM Deployment" page, enter the following and then click "Next".

Friendly Name: O365_MEM
PowerShell URL: https://outlook.office365.com/PowerShell
Authentication Type: Basic
Admin Username: <Service account>@<your domain name>
Admin Password: <The password of the service account>

Note that with Basic authentication the service account's password is sent on every request, so the PowerShell URL must be HTTPS, and the credential stored here is what grants AirWatch its Exchange admin rights; treat it like any other admin secret.



Additional info: I tested that we can also use https://outlook.office365.com/powershell-liveid/powershell to connect to Office 365. 

AirWatch uses a WinHTTP connection to connect to Office 365.

We can click "Test Connection" to verify the connection between AirWatch and your Office 365 tenant.

6. On the "MEM Profile Deployment" page, click "Add" and then select the following:

Platform: iOS
Mail Client: AirWatch Inbox
Action: Use Existing Profile
Profile: iOS MEM Profile



7. Click "Next".
8. On the "Summary" page, click "Save".



In this test, I don't have an AD forest. In a production environment, you can click "Advanced" and then check "Sync with entire forest in AD" to sync settings with Active Directory.



9. Navigate to "Email > Compliance Policies".



The settings on this page control which devices can receive email, so configure them carefully. If not all of your company's devices are enrolled in Mobile Device Management but they still download email through ActiveSync, you need to be aware of the "Allow unmanaged devices" setting.



By default, both managed and unmanaged devices are allowed. If you change it to managed devices only, ActiveSync users on unmanaged devices can no longer download email. This is the conditional access control that AirWatch provides for email on Office 365.

After configuration, click "Run Compliance" to apply the settings.
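Because the "Exchange PowerShell" deployment type means AirWatch acts on Exchange Online through the same remote PowerShell endpoint an admin would use, you can open the same kind of Basic-auth session with the service account itself, both to confirm the account works outside AirWatch and to see the ActiveSync access decisions Exchange Online currently holds for a mailbox after "Run Compliance". This is an added example, not code from the original post or from AirWatch; it assumes the service account and role group from Task 1 exist, and `alice@contoso.com` is a placeholder mailbox. How AirWatch itself writes these states is not described on this page; the cmdlets below only read them.

```powershell
# Added example (not from the original post or from AirWatch): verify the service account
# and read the ActiveSync access state Exchange Online holds for one mailbox.
# Assumptions: Task 1 service account/role group exist; alice@contoso.com is a placeholder.

$svcCred = Get-Credential -Message 'AirWatch MEM service account'
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $svcCred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking | Out-Null

# 1. Tenant-wide default for devices without an explicit rule (Allow, Block or Quarantine).
Get-ActiveSyncOrganizationSettings | Select-Object DefaultAccessLevel

# 2. Per-mailbox allow/block lists, keyed by the EAS DeviceId.
Get-CASMailbox -Identity 'alice@contoso.com' |
    Select-Object ActiveSyncEnabled, ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs

# 3. Every device that has synced this mailbox and the access decision Exchange made for it.
Get-MobileDevice -Mailbox 'alice@contoso.com' |
    Select-Object DeviceId, DeviceType, DeviceOS, DeviceAccessState, DeviceAccessStateReason

Remove-PSSession $session
```

If one of these cmdlets is missing from the imported session, the service account lacks the role that exposes it, which is the same failure "Test Connection" would surface later. After switching the compliance policy to managed devices only and running compliance, an unmanaged device should show up in step 3 with a `DeviceAccessState` of Blocked rather than Allowed.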



Now, enrolled devices can use AirWatch Inbox to check email.

References:
Connect to Exchange Online using remote PowerShell

Use PowerShell to Manage Exchange Online in Office 365

Managing and Protecting Mobile Email with AirWatch

This posting is provided “AS IS” with no warranties, and confers no rights!