Using Intune With Exchange On-Premises | Credera (2024)


Microsoft Intune is part of Microsoft’s rapidly developing Enterprise Mobility + Security (EMS) suite. It provides a solution for mobile device management (MDM) and mobile application management (MAM) that integrates well with other Microsoft technologies, particularly when also using Office 365.

But what happens when we have an environment that’s still largely on-premises and we want to be able to manage and selectively wipe email? I recently ran into this exact situation of trying to integrate Intune with Exchange on-premises for a client. The Intune On-Premises Exchange Connector enables Intune to communicate with the Exchange Server that hosts the mailboxes for the mobile devices. However, there are some definite limitations that come with the territory when trying to leverage the Intune features listed below with on-premises mailboxes.

Selective Wipe

Outlook: No support

Native app: Samsung KNOX and iOS

In order for selective wipe to be possible, the email profile must be managed by Intune. Otherwise, it can’t distinguish the work profile from a personal ActiveSync profile and, consequently, cannot remove it. Because Intune can currently only deploy managed profiles to the native app of iOS and Samsung KNOX (more details later), selective wipe is limited to those platforms.

Support for managed email profiles for other Android devices using Android for Work is in the works, which may change the picture here, but it’s not available for all tenants yet.

MAM Policy

Outlook: All platforms

Native app: No support

This one may be obvious to some of you, but there is no way for Intune to manage the native mail application on any device. If you want to take advantage of mobile application management policies to restrict copy/paste to non-managed apps, prevent saving locally, etc., those policies will only affect Outlook. This is the same when using Exchange Online, but it is still an important point to be aware of.

Conditional Access

Outlook: No support

Native app: All platforms

The ability to enforce conditional access on email is a powerful capability that is critical to a full implementation of Intune. It allows you to withhold access to corporate email until the device is enrolled in Intune. Without it, we are at the mercy of the device owner to enroll their device, and they have little incentive to do so. It is important to note, therefore, that conditional access for the Outlook app is currently unsupported when using on-premises Exchange. And by not supported, I mean Intune will block access entirely from Outlook. Maybe that is what you want, particularly if you want selective wipe, but it is definitely a limitation of Intune at the present time.

Email Profile Auto-Setup

Outlook: No support

Native app: Samsung KNOX and iOS

Intune is unable to push down an email profile for Outlook, which makes sense if you think that it’s not a system app. Less intuitively, it also does not work for stock Android devices (Google and other non-Samsung devices). This issue should be resolved with the rollout of Android for Work support in the next few months. With it, Intune will be able to set up an email account in the “work” profile of the device and, in theory, be able to selectively wipe the cached email data from that profile upon un-enrollment from Intune.

Another limitation to be aware of is that Intune standalone only gives you the option of using UPN as the username for email profiles on iOS (and devices using Android for Work if your tenant supports it). For whatever reason, with Samsung devices it lets you use the sAMAccountName, aka user logon name, as well. This comes into play if you are using the latter for ActiveSync basic authentication. You will be unable to deploy a valid email profile for anything but Samsung devices unless you switch to use UPN for authentication with ActiveSync. Not something to be done lightly to be sure.

The Big Picture

So now where do we stand? Let’s look at these four capabilities again in this handy graphic:

[Graphic: summary of Outlook vs. native app support for the four capabilities discussed above]

Capability                 Outlook         Native app
Selective Wipe             No support      Samsung KNOX and iOS
MAM Policy                 All platforms   No support
Conditional Access         No support      All platforms
Email Profile Auto-Setup   No support      Samsung KNOX and iOS

The bottom line? If you want to take advantage of selective wipe and conditional access, you will need to limit devices to the native email app at the cost of a little convenience and application management for email. If your or your client’s focus is managing data in applications, you will need to enforce the use of Outlook and potentially stick to using Intune MAM Without Enrollment.

A couple final things to consider when using Intune with On-Premises Exchange:

1. UPNs need to match primary SMTP addresses.

The Exchange connector will not properly pick up users for conditional access if these two attributes do not match in Azure Active Directory. This is also important because users must log in to Intune (as well as all Office 365 applications) using their UPN. The DOMAIN\username style will not work. As long as UPNs match email addresses, it makes the process as intuitive as possible for end users.

2. The Intune Exchange Connector syncs every two hours.

In other words, there are often delays between enabling conditional access for a user and the ActiveSync block taking effect. Likewise, there can be delays for a newly enrolled device to regain access to email. I was not able to find any documentation regarding how to change the connector’s synchronization interval.
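Before rolling out the connector, it is worth auditing the directory for the two identity mismatches discussed above: UPNs that differ from the primary SMTP address (item 1), and logon names (sAMAccountName) that differ from the UPN prefix, which matters because an iOS email profile can only use the UPN for ActiveSync authentication. The script below is an added example, not part of the original post or of any Microsoft tooling. It assumes the ActiveDirectory RSAT module is installed and that the account running it can read user objects; the OU search base and output path are placeholders.

```powershell
# Added example (not from the Credera post): audit AD users for the identity
# mismatches that break Intune conditional access and iOS email profiles.
# Assumes the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$SearchBase = 'OU=Users,DC=example,DC=com'   # placeholder, change to your domain

# Pull only the attributes we need. proxyAddresses holds every SMTP address;
# the primary is the entry with an upper-case "SMTP:" prefix (secondaries use "smtp:").
$users = Get-ADUser -Filter 'mail -like "*"' -SearchBase $SearchBase `
    -Properties userPrincipalName, sAMAccountName, proxyAddresses, mail

$report = foreach ($u in $users) {
    # -cmatch is case-sensitive, so this picks exactly the primary address
    $primary = ($u.proxyAddresses | Where-Object { $_ -cmatch '^SMTP:' } |
                Select-Object -First 1) -replace '^SMTP:', ''
    if (-not $primary) { $primary = $u.mail }   # fall back to mail if proxyAddresses is empty

    $upn       = $u.userPrincipalName
    $upnPrefix = if ($upn) { $upn.Split('@')[0] } else { $null }

    [pscustomobject]@{
        SamAccountName      = $u.sAMAccountName
        UPN                 = $upn
        PrimarySmtp         = $primary
        # Item 1: the Exchange connector needs UPN == primary SMTP (addresses are case-insensitive)
        UpnMatchesSmtp      = ($upn -and $primary -and ($upn -ieq $primary))
        # Email profiles on iOS can only use the UPN; users whose logon name differs
        # from the UPN prefix would have to change how they authenticate to ActiveSync
        UpnPrefixMatchesSam = ($upnPrefix -ieq $u.sAMAccountName)
    }
}

# Report only the users that would be a problem for Intune, and export them for follow-up
$problems = $report | Where-Object { -not $_.UpnMatchesSmtp -or -not $_.UpnPrefixMatchesSam }
$problems | Format-Table -AutoSize
$problems | Export-Csv -Path .\intune-identity-audit.csv -NoTypeInformation   # placeholder path
```

Run it from a machine with the RSAT tools against a test OU first; the CSV gives you the list of accounts to fix (or to exclude from the pilot) before enabling conditional access, since the connector will otherwise silently skip them.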

So there you have it. Hopefully this will be helpful to you in evaluating whether to implement Microsoft Intune in your environment. In the case of our client, they decided to hold off on their Intune rollout until they migrated to Exchange Online so they could take advantage of its full capabilities.

Is your business dealing with the mobile security problem? Are you already licensed for EMS but don’t know how best to implement it to meet your business needs? Do you just have questions about the options available for mobile security? Credera has helped businesses to implement a mobile security strategy including the implementation of EMS and would be happy to help. Contact us at sales@credera.com.
