Conditional Exchange Access


Conditional Exchange Access (CEA) Policy lets you monitor the devices accessing your Exchange server. This is ideal for a BYOD environment as it ensures that corporate data is accessed only from an MDM authorized device. It makes MDM the single point of control for monitoring devices, as any access restriction set up using this feature overrides the access specifications provided in the Exchange server. Mobile Device Manager Plus also supports Exchange Server 2019.

Points to be Noted

Platform                | Native e-mail app | Gmail app | Outlook/third-party app
Samsung 8.0 and above   |                   |           |
Below 8.0               |                   |           |

If the account used for setting up Conditional Exchange Access has multi-factor authentication enabled, you need to provide an app-specific password instead of your usual password when initiating the Exchange server sync with MDM. You can learn more about app-specific passwords here.

This feature is available in Professional, Free, and Trial editions of MDM.

Pre-requisites for enabling Conditional Exchange Access on Exchange Online

To enable CEA on Exchange Online, Microsoft recommends that organizations upgrade to the latest Exchange Online PowerShell V2 module (EXO V2 module). It contains a new set of cmdlets that simplify bulk import of data from Exchange Online.

Follow any of the steps given below to upgrade to the EXO V2 module:

NOTE: If you have already configured CEA for Exchange Online and are facing issues syncing with Exchange Online, we recommend updating to the EXO V2 module to resolve them.

Configuring Conditional Exchange Access

We have made your job simpler!

Learn how to set up Conditional Exchange Access in under 3 minutes through this demo video.

  • The recommended Default Access level is Quarantine.
  • It is recommended to configure Exchange on managed devices by associating an Exchange ActiveSync policy (iOS, Android and Windows) before associating a Conditional Exchange Access policy with the device.
  • PowerShell 5 is the recommended version to install on the machine where the MDM server is running. You can download it from here.
  • If you are using Exchange Server 2010, you need to enable Basic Authentication to configure Conditional Exchange Access, as explained here (applicable only if Exchange On-Premises is being used).

Configuring Access policy

The following flowchart describes the general workflow after a Conditional Exchange Access policy is applied:

[Flowchart: Conditional Exchange Access workflow]

To customize the content of the Exchange mail, go to https://<Exchange Server FQDN>/ecp (for example https://mdm-exchange/ecp). Click Edit and you will be redirected to Exchange ActiveSync Access Settings. Add the Self Enrollment URL to the content that the Exchange server sends to users.

Once the restriction is applied, the devices cannot send or receive mail. However, mail that was already in the users' mailboxes before the restriction was applied remains accessible.

How the Conditional Exchange Access policy works

Conditional Exchange Access works based on how you have defined the policy. The policy can be defined to monitor:

Restricting all users is ideal for ensuring that users can access the organization's data only from authorized devices. If you want a better understanding of how the policy works, you can test it by applying it only to specific users first, and then applying it to all the users in your organization.

The policy can be defined to restrict access to the Exchange server:

  • If the policy is defined to restrict access immediately, all devices are denied access irrespective of the Personal Exemptions/Device Access rules specified in the Exchange server. Users need to enroll with MDM through Self Enrollment to regain access to the Exchange server.
  • If the policy is defined with a Grace Period, devices are given that period of time to enroll. After the Grace Period, only devices enrolled with MDM can access Exchange.

The following table shows the Grace Period and access type for existing and new devices, based on the Default Access level.

Default Access level | Existing devices: Grace Period given | Existing devices: access to mailbox during Grace Period | New devices: Grace Period given | New devices: access to mailbox during Grace Period
Allow                | As specified in the policy           | Full Access                                              | As specified in the policy      | Full Access
Block                | As specified in the policy           | Full Access                                              | No Grace Period                 | Blocked by default
Quarantine           | As specified in the policy           | Full Access                                              | No Grace Period                 | Quarantined by default

If the configured Conditional Exchange Access policy does not allow access to Exchange even though the devices are enrolled, click the Enrollment tab on the MDM web console and select the column chooser on the right. Select the parameter EAS Identifier and add it to the view. Then verify that the EAS identifier of the enrolled device (the one not granted access to Exchange) is the same in the Enrollment view and the Conditional Exchange Access view. If they do not match, Exchange was not configured on the device through MDM, which is one of the pre-requisites for Conditional Exchange Access.

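To check the same thing from the Exchange side, the following added example (not part of Mobile Device Manager Plus or its cmdlet list) uses the standard Exchange cmdlets Get-MobileDevice and Get-ActiveSyncOrganizationSettings to list a mailbox's ActiveSync partnerships with their DeviceId, the value that the MDM console shows as EAS Identifier. It assumes an Exchange Management Shell or Exchange Online PowerShell session is already open; $Mailbox and $MdmEasId are placeholder values.

```powershell
# Added example, not product code. Assumes an open Exchange/EXO PowerShell session.
$Mailbox  = 'user@example.com'                      # placeholder: affected user's SMTP address
$MdmEasId = 'PLACEHOLDER-EAS-ID-FROM-MDM-CONSOLE'   # placeholder: EAS Identifier from the Enrollment view

# Confirm the org-wide default for unknown devices; Quarantine is the level recommended above.
$orgSettings = Get-ActiveSyncOrganizationSettings
"Default access level for new devices: $($orgSettings.DefaultAccessLevel)"

# One object per ActiveSync partnership. DeviceId is the identifier the device presents to
# Exchange; DeviceAccessState shows whether Exchange currently allows, blocks or quarantines it.
$devices = Get-MobileDevice -Mailbox $Mailbox |
    Select-Object DeviceId, DeviceType, DeviceModel, DeviceAccessState, DeviceAccessStateReason

$devices | Format-Table -AutoSize

# A partnership whose DeviceId equals the MDM EAS Identifier means the mail account on that
# device was set up through MDM; no match means it was configured outside MDM.
$match = $devices | Where-Object { $_.DeviceId -eq $MdmEasId }
if ($match) {
    "EAS id $MdmEasId found for $Mailbox; Exchange access state: $($match.DeviceAccessState) ($($match.DeviceAccessStateReason))"
} else {
    "No ActiveSync partnership with EAS id $MdmEasId for $Mailbox; Exchange was likely not configured on the device through MDM."
}
```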
NOTE: Devices allowed access to the Exchange server through Personal Exemptions and/or Device Access rules have full access to the Exchange server during the Grace Period, even when not enrolled with MDM. Devices denied access to the Exchange server through Personal Exemptions and/or Device Access rules gain full access to the Exchange server once they enroll with MDM. After the Grace Period, only devices enrolled with MDM can access the Exchange server.

Removing/Modifying the policy

If you modify or remove the policy with the rollback option enabled, the blocked devices of the unselected users are granted access to Exchange. Otherwise, the access state of these devices remains restricted and you have to change it manually. You can still get details of new devices accessing the Exchange server, but you cannot restrict users who are not monitored by the policy.

When the Exchange server details are removed, the changes implemented using the policy are not reverted automatically. You can neither get details of new devices accessing the Exchange server nor restrict them.

List of cmdlets used by MDM

These are the cmdlets required by MDM for Conditional Exchange Access.

To initiate a PowerShell session with the Exchange ActiveSync host from the MDM server:

READ-only cmdlets that MDM uses to fetch data (mailbox and mobile device information) from the Exchange ActiveSync host:

WRITE-only cmdlets:

See Also: Device Enrollment, App Management, Profile Management, Asset Management, Security Management, Reports
Copyright © 2020, ZOHO Corp. All Rights Reserved.