Intune Conditional Access and Selective Wipe–Caveats Abound

A key piece of the enterprise mobility narrative centers around control of data, especially email.  There are a number of different scenarios out in the various environments, and it can be a little confusing as to how the pieces all fit together.  In this post, we’re addressing the scenario of a company that wants to enable BYOD for mobile devices to allow access to corporate email while ensuring they are able to remove the email from that device when the user leaves the company.  For the purposes of this discussion, we’ll focus just on iOS and Android devices.

Let’s start with email and selective wipe, or the ability to force removal of email from a mobile device when it is no longer authorized for corporate access.  Selective wipe is supported in two scenarios: an email profile set up in the native email application for the mobile OS platform, and Microsoft’s Outlook mobile application (available for free from the iTunes and Google Play app stores).

Caveat #1 – For selective wipe to work on the native email application, the email profile must be delivered/managed by Intune. If the email profile has already been set up in the native email application, it must be removed before the Email Profile policy can re-add it and enable support for selective wipe. There’s a way to force users to do this…we’ll look at that when we get to Conditional Access.

Caveat #2 – For Android devices, Email Profile policies only apply to the native Android email app. In the case of Android devices such as the Nexus which are managed directly by Google rather than a cellular carrier, the native email app is disabled in favor of the Gmail app.  Ergo, Email Profile policy…and in turn, selective wipe, is not supported for the native email application on those Android devices.

Caveat #3 – For Android devices, Email Profile policies only enable selective wipe on devices with the Samsung KNOX protocol; non-KNOX devices do not support selective wipe capabilities for the native email application.

Caveat #4 – The native email application does not support Mobile Application Management (MAM) policies, meaning corporate data can be copied/pasted between email and other applications.  The only supported method for MAM control with email is the Outlook mobile application.

Caveat #5 – Outlook mobile does not support Email Profile policies, so users must manually add their account. It’s not terribly difficult, but it’s still an extra step users must take that is not required when using the native email application.

Caveat #6 – Selective wipe is only supported for email hosted in Exchange hybrid or Office365. There is currently no support for selective wipe with Exchange On-Premise because it is seen as a personal email account.

| Phone Type | Exchange On Premise / Outlook App | Exchange On Premise / Native App | Office 365 / Outlook App | Office 365 / Native App |
|---|---|---|---|---|
| iOS Devices | No | Yes | Yes | Yes |
| KNOX Android Devices | No | Yes | Yes | Yes |
| Non-KNOX and Google Android Devices | No | No | Yes | No |

So we’ve narrowed our supported configurations for email with selective wipe down to the following: Exchange Online/Office 365 email users with iOS devices, Android devices with KNOX and the native email application or Outlook, or non-KNOX Android devices with just Outlook.

Now how do we ensure users only access email in the supported scenarios for selective wipe?  This is where Conditional Access comes in.  For Exchange Online/Office 365, the Conditional Access policy is set in the Intune Admin Portal even if you’ve integrated Intune with Configuration Manager. 

[Screenshot: Conditional Access policy settings for Exchange Online in the Intune Admin Portal]

By enabling Conditional Access, we’ve ensured that the device must be enrolled in Intune *and compliant with policy* before the user can access email on the device.  This obviously requires some planning and communication before it’s enabled, as there are likely already users who have an ActiveSync email profile set up on their device, and you don’t want to block their ability to access email before they have completed the steps required to meet the requirements.  It’s highly recommended you start with a small targeted group of users first before expanding it out to the rest of the environment.

To that end though, if you have a user who already has email set up in the native email application and you then enable Conditional Access, once the user enrolled the device their email access would be restored but would not be subject to Selective Wipe (see Caveat #1 above).  Even if you have created an Email Profile policy targeted to the device, it will not reconfigure or otherwise manage a pre-existing email profile.  You can instruct your users to delete the profile and let Intune re-add it…but you’re leaving your ability to securely remove email at the mercy of your user’s voluntary action (one which you cannot verify).  Fortunately, because compliance is an integrated part of Conditional Access we can leverage a special compliance policy setting requiring the corporate email profile to be managed by Intune.  If we create a Compliance Policy in ConfigMgr targeted for iOS devices, we can see this option as an additional rule to be added:

[Screenshot: ConfigMgr Compliance Policy for iOS showing the additional rule “Email profile must be managed by Intune”]

However, if we create a new Compliance Policy targeted only for Android…this option isn’t available.  If we are creating the policy in the Intune Admin Console, we’ll see why:

[Screenshot: Intune Admin Console compliance policy settings showing the email profile rule is listed as iOS only]

Which brings us to…

Caveat #7 – The Compliance Policy option “Email profile must be managed by Intune” is only applicable to the iOS platform.  There is no way to force the native Android email client to use an Intune-managed email profile.

So going back to our original scenario, where does that leave us?  Basically, iOS with Exchange Online is the only platform where you can ensure Selective Wipe with Conditional Access. The Android platform can at least ensure the device is enrolled, but you can’t ensure that Selective Wipe will work if they have email set up in the native email application (you’re at the mercy of requesting they delete the profile and let Intune configure it).  On the iOS platform, you still have the inability to apply MAM policies to email if the user favors the native email app.

Now…the good news is there ARE some options outside of Intune that can help mitigate these risks.

Option 1 – Exchange ActiveSync Policy.  The Exchange ActiveSync access settings can be set up to quarantine systems by default if they are not managed:

[Screenshot: Exchange ActiveSync access settings with the default access level for unmanaged devices set to Quarantine]

You can then set a Device Access Rule that only allows the Outlook Mobile app:

[Screenshot: Exchange ActiveSync Device Access Rule allowing only the Outlook mobile app]

With these settings in place, the default behavior is that only devices using the Outlook app will be able to access email, meaning the native email application is no longer in play.  The downside to this approach is that it’s an all-or-nothing setting, so you have to be ready to enable this across the organization.

Option 2 – Multi-Factor Authentication.  If you have implemented or will implement Multi-Factor Authentication (MFA), an important thing to note is that the requirement for Modern Auth excludes the native email applications from accessing email, as those apps are not compatible with that authentication method.  Modern Auth can be turned on for Exchange Online using PowerShell.  The downside here is that this affects more than just mobile devices. While you can set up MFA to not be required when on the network and to only prompt when external, any users accessing email on full Windows devices will need to be on Office 2013 or Office 2016.
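Both options above, as an added Exchange Online PowerShell example that is not from the original post. It assumes an existing Exchange Online PowerShell session, that Outlook for iOS/Android identifies itself to ActiveSync with the DeviceModel value shown, and the admin mailbox address is a placeholder.

```powershell
# Added example (not the post's own code). Assumes an existing Exchange Online
# PowerShell session with the ActiveSync and organization cmdlets available.

# 0. Measure impact first: the quarantine default is all-or-nothing, so see
#    which client types your users are on before flipping it.
Get-MobileDevice -ResultSize Unlimited |
    Group-Object DeviceType |
    Sort-Object Count -Descending |
    Select-Object Name, Count

# 1. Option 1 - Exchange ActiveSync access settings.
#    Quarantine any device not matched by an Allow rule, notify admins
#    (placeholder address), and tell the user what to do instead.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "mobile-admins@contoso.example" `
    -UserMailInsert "Your device is quarantined; please use the Outlook mobile app."

#    Device Access Rule that allows only Outlook for iOS and Android.
#    The DeviceModel string is the value the app reports to ActiveSync.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel `
    -QueryString "Outlook for iOS and Android" -AccessLevel Allow

#    Verify: default level is Quarantine and the only Allow rule is Outlook's.
Get-ActiveSyncOrganizationSettings | Select-Object DefaultAccessLevel
Get-ActiveSyncDeviceAccessRule |
    Select-Object Name, Characteristic, QueryString, AccessLevel

# 2. Option 2 - Modern Authentication. Enable OAuth for Exchange Online so MFA
#    can be enforced for clients that support it; per the post, the native mail
#    apps that cannot do Modern Auth then fail to meet the MFA requirement.
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
Get-OrganizationConfig | Select-Object OAuth2ClientProfileEnabled
```

Run step 0 and the two Get-* verification lines before and after the change so you can tell exactly which users landed in quarantine.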

None of the information above is hidden; it’s all available in the TechNet documentation, but it’s not all presented in one place. Generalized questions like “can Intune selectively wipe email” and “can Intune prevent corporate data from moving outside its influence” don’t necessarily have yes or no answers…it depends on your specific details.  While Microsoft is ultimately at the mercy of device and mobile OS manufacturers in many cases, hopefully these gaps can be closed soon to present a comprehensive solution that covers a wider scope of scenarios.

Some References:

https://technet.microsoft.com/en-us/library/mt131417.aspx

https://docs.microsoft.com/en-us/intune/deploy-use/use-remote-wipe-to-help-protect-data-using-microsoft-intune
