Conditional Exchange Access

Overview

A Conditional Exchange Access policy lets you monitor the devices that access your Exchange server. This is ideal for a BYOD environment because it ensures that corporate data is accessed only from an MDM-authorised device. It makes MDM the single point of control for device access: any access restriction set using this feature overrides the access settings configured in the Exchange Server itself. Conditional Exchange Access is supported for both Office 365 (Exchange Online) and Exchange On-Premises.
(This is not supported for MDM Cloud).

Configuring Conditional Exchange Access

  1. Configure Conditional Exchange Access (CEA) on the MDM Server by navigating to Device Mgmt -> Conditional Exchange Access.

  2. Provide your Exchange Admin credentials, or the credentials of an Exchange account that can execute the cmdlets listed at the end of this page, so that MDM can fetch the details of the users and devices accessing Exchange. These devices include both enrolled and unenrolled devices accessing the Exchange server. After the credentials are provided, MDM syncs with the Exchange Server daily to obtain details of new devices accessing it. Syncing can also be triggered manually.

  • The recommended Default Access level is Quarantine, so that a device that is neither exempted nor enrolled is held rather than allowed to sync.
  • Configure Exchange on managed devices by associating an Exchange ActiveSync policy (iOS, Android and Windows) before associating a Conditional Exchange Access policy to the device.
  • PowerShell 5 is the recommended version to have installed on the MDM server.
  • If you are using Exchange Server 2010, you need to enable Basic Authentication on the Exchange PowerShell virtual directory to configure Conditional Exchange Access (applicable only if using Exchange On-Premises). Basic Authentication sends the account credentials base64-encoded rather than encrypted, so expose that endpoint only over HTTPS.

Configuring Access policy

The following flowchart describes the general workflow after a Conditional Exchange Access policy is applied:

Flowchart describing Conditional Exchange Access workflow

  1. Conditional Exchange Access Policy can be applied only when Self Enrollment is enabled.

  2. Using the Access policy you can define the users that you want to monitor. If you wish to monitor all the users who are accessing your Exchange, select All users for the Apply policy on option. Else, if you want to monitor and manage only specific users select Specific users.

  3. You can also exclude specific users from monitoring, for example only the top-level employees in your organization, by clicking Exclude specific users.

  4. You can also set a Grace Period during which MDM does not restrict users from accessing Exchange. The user must enroll the device within the Grace Period; otherwise access is revoked when the Grace Period ends.
To customize the content of the mail Exchange sends to the user, go to https://<Exchange Server FQDN>/ecp (for example https://mdm-exchange/ecp). Click Edit and you will be redirected to Exchange ActiveSync Access Settings. Add the Self Enrollment URL to the content that is sent to users from the Exchange Server.
Once the restriction is applied, the device can no longer send or receive mail. However, mail that was already in the user's mailbox before the restriction was applied remains accessible.

How the Conditional Exchange Access policy works

Conditional Exchange Access works based on how you have defined the policy. The policy can be defined to monitor either all users or only specific users.

Restricting all users is ideal for ensuring that users can access the organization's data only from authorised devices. If you wish to get a better understanding of how the policy behaves, apply it only to specific users first, test it, and then apply it to all the users in your organization.

The policy can be defined to restrict access to the Exchange Server either immediately or after a Grace Period.

If the policy is defined to restrict devices immediately, all devices will be restricted irrespective of Personal Exemptions/Device Access rules specified in the Exchange Server. Users need to enroll with MDM through Self Enrollment to regain access to Exchange Server.

If the policy is defined with a Grace Period, devices are given a period of time to enroll. After the Grace Period, only devices enrolled with MDM can access Exchange.
The following table shows the Grace Period and access type for existing and new devices, based on the Default Access level configured in Exchange:

 Default Access   Existing devices                                    New devices
 level            Grace Period given           Access to mailbox      Grace Period given           Access to mailbox
                                               during Grace Period                                 during Grace Period
 Allow            As specified in the policy   Full Access            As specified in the policy   Full Access
 Block            As specified in the policy   Full Access            No Grace Period              Blocked by default
 Quarantine       As specified in the policy   Full Access            No Grace Period              Quarantined by default
NOTE: Devices allowed access to the Exchange Server through Personal Exemptions and/or Device Access rules have full access during the Grace Period, even when not enrolled with MDM. Devices denied access through Personal Exemptions and/or Device Access rules gain full access to the Exchange Server once they enroll with MDM. After the Grace Period, only devices enrolled with MDM can access the Exchange Server.
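The following is an added example, not ManageEngine's code and not the cmdlet list that MDM itself uses, showing how the two parts described above (the remote PowerShell connection from the configuration steps, and the Grace Period / Default Access level logic in this section) can be expressed with the Exchange Management Shell cmdlets that Exchange exposes for ActiveSync device access. The server FQDN, the list of enrolled DeviceIds and the 7-day grace period are hypothetical values constructed for the example.

```powershell
# Added example (not ManageEngine code). Hypothetical values: the Exchange
# FQDN, the enrolled-device list and the grace period. Run in Windows
# PowerShell 5.x with an account that holds the Exchange roles needed for
# Get-CASMailbox/Set-CASMailbox, Get-MobileDevice and
# Set-ActiveSyncOrganizationSettings.
param(
    [string]$ExchangeFqdn = 'mdm-exchange.example.com',
    [int]$GraceDays = 7,
    [switch]$Enforce            # without -Enforce the script only reports
)

# 1. Remote Exchange Management Shell session. Kerberos on the /PowerShell
#    virtual directory is the default. If an Exchange 2010 deployment forces
#    -Authentication Basic, use an https:// ConnectionUri so the credentials
#    are not sent in the clear.
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "http://$ExchangeFqdn/PowerShell/" -Authentication Kerberos
Import-PSSession $session -DisableNameChecking | Out-Null

# 2. Organisation-wide default for devices matched by no exemption and no
#    rule: Quarantine (the recommended level) rather than Allow.
if ($Enforce) { Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine }

# 3. Constructed sample of DeviceIds that the MDM server reports as enrolled.
$enrolledDeviceIds = @('ApplC39JL4D7DTF1', 'SEC1A2B3C4D5E6F7')
$graceCutoff = (Get-Date).AddDays(-$GraceDays)

# 4. Walk every mailbox with an ActiveSync partnership, enrolled or not.
#    Per-mailbox allowed/blocked lists are "personal exemptions": Exchange
#    evaluates them before device access rules and the default access level,
#    which is why writing them overrides both.
$report = foreach ($cas in Get-CASMailbox -ResultSize Unlimited `
                        -Filter 'HasActiveSyncDevicePartnership -eq $true') {
    foreach ($dev in Get-MobileDevice -Mailbox $cas.Identity) {
        $enrolled = $enrolledDeviceIds -contains $dev.DeviceId
        # A device that has never synced has no FirstSyncTime; treat it as
        # still inside the grace period instead of blocking it outright.
        $inGrace  = (-not $dev.FirstSyncTime) -or ($dev.FirstSyncTime -gt $graceCutoff)
        $action   = if ($enrolled) { 'Allow' } elseif ($inGrace) { 'Grace' } else { 'Block' }

        if ($Enforce -and $action -eq 'Allow') {
            if ($cas.ActiveSyncBlockedDeviceIDs -contains $dev.DeviceId) {
                Set-CASMailbox -Identity $cas.Identity -ActiveSyncBlockedDeviceIDs @{Remove = $dev.DeviceId}
            }
            if ($cas.ActiveSyncAllowedDeviceIDs -notcontains $dev.DeviceId) {
                Set-CASMailbox -Identity $cas.Identity -ActiveSyncAllowedDeviceIDs @{Add = $dev.DeviceId}
            }
        } elseif ($Enforce -and $action -eq 'Block') {
            if ($cas.ActiveSyncAllowedDeviceIDs -contains $dev.DeviceId) {
                Set-CASMailbox -Identity $cas.Identity -ActiveSyncAllowedDeviceIDs @{Remove = $dev.DeviceId}
            }
            if ($cas.ActiveSyncBlockedDeviceIDs -notcontains $dev.DeviceId) {
                Set-CASMailbox -Identity $cas.Identity -ActiveSyncBlockedDeviceIDs @{Add = $dev.DeviceId}
            }
        }

        [pscustomobject]@{
            Mailbox      = $cas.Alias
            DeviceId     = $dev.DeviceId
            DeviceType   = $dev.DeviceType
            FirstSync    = $dev.FirstSyncTime
            CurrentState = $dev.DeviceAccessState   # Allowed/Blocked/Quarantined/DeviceDiscovery
            Action       = $action
        }
    }
}

$report | Sort-Object Action, Mailbox | Format-Table -AutoSize
Remove-PSSession $session
```

Run it once without -Enforce to see which devices would be blocked at the end of the Grace Period, then with -Enforce to apply the exemptions. The "Grace" rows correspond to the "Full Access during Grace Period" column of the table above: their state is left as Exchange already has it, so a device that was quarantined by the default level stays quarantined until it enrolls. Rolling the policy back is the inverse operation, removing the DeviceId from the blocked list for each affected mailbox.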

Removing/Modifying the policy

If you modify or remove the policy with the rollback option enabled, devices that were blocked for users no longer covered by the policy are granted access to Exchange again. Otherwise, the access state of these devices remains restricted and you have to change it manually. You can still get details of new devices accessing the Exchange Server, but you cannot restrict users who are not monitored by the policy.

When the Exchange Server details are removed, all the changes implemented using the policy will not be reverted automatically. You can neither get details of new devices accessing Exchange Server nor restrict them.

List of cmdlets utilized by MDM

These are the PowerShell cmdlets required by MDM for Conditional Exchange Access (CEA):

To initiate a PowerShell session with the Exchange ActiveSync host from the MDM server

READ-only cmdlets which MDM uses to fetch data (mailbox and mobile device information) from the Exchange ActiveSync host

WRITE cmdlets which MDM uses to change device access state

Copyright © 2019, ZOHO Corp. All Rights Reserved.
ManageEngine