Sunday, 3 August 2025

Protect Exchange Online email on managed iOS devices with Microsoft Intune

  1. Prerequisites
  2. Sign in to Intune
  3. Create an email device profile
  4. Create the iOS device compliance policy
  5. Create the Conditional Access policy
  6. Try it out

This tutorial shows how to restrict Exchange access to only Intune-managed iOS devices that are using an approved email application.

  • Create an Intune iOS device compliance policy to set the conditions that a device must meet to be considered compliant.
  • Create a Microsoft Entra Conditional Access policy that requires iOS devices to enroll in Intune, comply with Intune policies, and use the approved Outlook mobile app to access Exchange Online email.

Step 1: Create an email device profile for iOS/iPadOS

Create an iOS/iPadOS email profile

  1. Sign in to the Microsoft Intune admin center.
  2. Go to Devices > Manage devices > Configuration > Create > New policy.
  3. Enter the following properties:

    • Platform: Select iOS/iPadOS.
    • Profile type: Select Templates > Email.

  4. Select Create.
  5. In Basics, enter the following properties:

    • Name: Enter a descriptive name for the new profile. For this example, enter iOS require work email.
    • Description: Enter Require iOS/iPadOS devices to use work email.

  6. Select Next.
  7. In Configuration settings, enter the following settings. For the other settings, use the default values.

    • Email server: For this evaluation step, enter outlook.office365.com. This setting specifies the Exchange location (URL) of the email server that the iOS/iPadOS mail app uses to connect to email.
    • Account name: Enter Company Email.
    • Username attribute from Microsoft Entra ID: This is the Microsoft Entra ID attribute from which Intune dynamically generates the username for this profile. For this evaluation step, we use the User Principal Name as the username for the profile, like prasad@imech544.onmicrosoft.com.
    • Email address attribute from Microsoft Entra ID: This setting is the email address from Microsoft Entra ID that signs in to Exchange. For this evaluation step, select User Principal Name.

  8. Select Next.
  9. In Scope tags (optional), select Next. In this example, we don't use scope tags.
  10. In Assignments, use the drop-down for Assign to and select All users and all devices. Then, select Next.
  11. In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned.

Step 2: Create the iOS device compliance policy

First, create an Intune device compliance policy to define the requirements for a device to be considered compliant. Since these policies are platform-specific, you need a separate one for each operating system. In this tutorial, we'll make one for iOS.

  1. Sign in to the Microsoft Intune admin center.
  2. Select Devices > Compliance.
  3. On the Policies tab, choose Create policy.
  4. On the Create a policy page, for Platform select iOS/iPadOS. Select Create to continue.
  5. On the Basics tab, enter the following properties:
    • Name: Enter a descriptive name for the new profile. For this example, enter iOS compliance policy test.
    • Description: Optional - Enter iOS compliance policy test.

Select Next to continue.

  6. On the Compliance settings tab:

    • Expand Email, and then set Unable to set up email on the device to Require.
    • Expand Device Health, and set Jailbroken devices to Block.
    • Expand System Security, and configure the following settings:
      • Require a password to unlock mobile devices: Require
      • Simple passwords: Block
      • Minimum password length: 4
      • Required password type: Alphanumeric
      • Maximum minutes after screen lock before password is required: Immediately
      • Password expiration (days): 41
      • Number of previous passwords to prevent reuse: 5
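
The same compliance settings expressed as a Microsoft Graph payload, as an added example that is not part of the original post; it assumes Connect-MgGraph has already been run with the DeviceManagementConfiguration.ReadWrite.All scope and that the iosCompliancePolicy property names below map to the portal labels as commented.

```powershell
# Added example (not the author's script): Step 2 as a Graph iosCompliancePolicy.
# Assumes an existing Connect-MgGraph session with DeviceManagementConfiguration.ReadWrite.All.
$compliance = @{
    "@odata.type"                         = "#microsoft.graph.iosCompliancePolicy"
    displayName                           = "iOS compliance policy test"
    description                           = "iOS compliance policy test"
    # Email: "Unable to set up email on the device" = Require
    managedEmailProfileRequired           = $true
    # Device Health: "Jailbroken devices" = Block
    securityBlockJailbrokenDevices        = $true
    # System Security: the passcode settings from the walkthrough
    passcodeRequired                      = $true
    passcodeBlockSimple                   = $true
    passcodeMinimumLength                 = 4
    passcodeRequiredType                  = "alphanumeric"
    passcodeMinutesOfInactivityBeforeLock = 0        # "Immediately"
    passcodeExpirationDays                = 41
    passcodePreviousPasscodeBlockCount    = 5
    # Graph rejects a compliance policy that has no action for noncompliance.
    # "block" with a zero-hour grace period is what makes the Conditional Access
    # "Require device to be marked as compliant" control bite straight away.
    scheduledActionsForRule = @(
        @{
            ruleName                      = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0 }
            )
        }
    )
}

$policy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliance

# The walkthrough does not cover assignment: a compliance policy evaluates
# nobody until it is assigned (Devices > Compliance > policy > Assignments).
"Created compliance policy '$($policy.DisplayName)' with Id $($policy.Id)"
```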

Step 3: Create the Conditional Access policy

Next, use the Microsoft Intune admin center to create a Conditional Access policy. You integrate Conditional Access with Intune to help control the devices and apps that can connect to your organization's email and resources.

The Conditional Access policy will:

  • Require devices that run any platform to enroll in Intune and to comply with your Intune compliance policy before those devices can be used to access Exchange Online.
  • Require that devices use the Outlook app for email access.

Conditional Access policies are configurable in either the Microsoft Entra admin center or the Microsoft Intune admin center. Since we're already in the admin center, we can create the policy here.

  1. Sign in to the Microsoft Intune admin center.
  2. Select Endpoint security > Conditional Access > Create new policy.
  3. For Name, enter Test policy for Microsoft 365 email.
  4. Under Assignments, for Users, select 0 users and groups selected. On the Include tab, select All users. The value for Users updates to All users.
  5. Also under Assignments, select Target resources. For Select what this policy applies to drop-down, select Cloud apps.

Next, because we want to protect Microsoft 365 Exchange Online email, select that app by following these steps:

    a. On the Include tab, choose Select apps.
    b. For the Select category, select None to open the Select pane with its applications list.
    c. From the applications list, select the checkbox for Office 365 Exchange Online, and then choose Select.

  6. Also under Assignments, select Conditions > Device platforms to open the Device platforms pane.

    a. Set Configure to Yes.
    b. On the Include tab, select Any device, and then select Done.

  7. Once again, under Assignments, select Conditions > Client apps.

    a. Set Configure to Yes.
    b. For this tutorial, select Mobile apps and desktop clients, part of Modern authentication clients (which refers to apps like Outlook for iOS and Outlook for Android). Clear all other check boxes.
    c. Select Done, and then select Done again.

  8. Under Access controls, select Grant.

    a. On the Grant pane, select Grant access.
    b. Select Require device to be marked as compliant.
    c. Select Require approved client app.
    d. Under For multiple controls, select Require all the selected controls. This setting ensures that both requirements you selected are enforced when a device tries to access email.
    e. Choose Select.

  10. Select Create to save your changes. The policy is assigned.
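
The same Conditional Access policy created through Microsoft Graph PowerShell, as an added example that is not part of the original post; it assumes the Microsoft.Graph module is installed, that the signed-in admin can write Conditional Access policies, and it deliberately starts the policy in report-only mode rather than enforced.

```powershell
# Added example (not the author's script): Step 3 via New-MgIdentityConditionalAccessPolicy.
# Assumes the Microsoft.Graph module and an admin allowed to manage Conditional Access.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$caPolicy = @{
    displayName   = "Test policy for Microsoft 365 email"
    # Start in report-only and review the sign-in logs first; a mistake in an
    # enforced policy that targets All users locks every mailbox user out at once.
    # Switch to "enabled" once the report-only results look right.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        # Step 4: All users. In production add your emergency-access account to
        # excludeUsers so the policy can never lock out the last admin.
        users          = @{ includeUsers = @("All") }
        # Step 5: Office 365 Exchange Online, by its well-known application Id
        applications   = @{ includeApplications = @("00000002-0000-0ff1-ce00-000000000000") }
        # Step 6: "Any device" (use @("iOS") to scope to iOS only, as the recap suggests)
        platforms      = @{ includePlatforms = @("all") }
        # Step 7: Mobile apps and desktop clients (modern authentication clients)
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    # Step 8: grant access only when the device is compliant AND the app is approved
    grantControls = @{
        operator        = "AND"
        builtInControls = @("compliantDevice", "approvedApplication")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy
"Created Conditional Access policy '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"
```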

Try it out

With the policies you've created, any iOS device that attempts to sign in to Microsoft 365 email must enroll in Intune and use the Outlook mobile app for iOS/iPadOS. To test this scenario on an iOS device, try signing in to Exchange Online using credentials for a user in your test tenant. You're prompted to enroll the device and install the Outlook mobile app.

  1. To test on an iPhone, go to Settings > Passwords & Accounts > Add Account > Exchange.
  2. Enter the email address for a user in your test tenant, and then press Next.
  3. Press Sign In.
  4. Enter the test user's password, and press Sign in.
  5. A message appears that says your device must be managed to access the resource, along with an option to enroll.

Here's a deployment script and setup guide to protect Exchange Online email on managed iOS devices using Microsoft Intune, focused on MDM enrollment with an email profile and Conditional Access.

Script to Create Email Profile:
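
The script this heading announces is not on the page; the following is an added example (not the author's script) that creates the Step 1 email profile and its Step 10 assignment with Microsoft Graph PowerShell, and prints the Id that the group-assignment script further down expects as <ProfileId>. It assumes the Microsoft.Graph module is installed, that the signed-in admin may manage Intune device configurations, and that usernameSource and emailAddressSource are the Graph properties behind the two "attribute from Microsoft Entra ID" settings.

```powershell
# Added example, not the author's script: creates the Step 1 email profile and
# assigns it to all users and all devices (Step 10) with Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module is installed and the signed-in admin may
# manage Intune device configurations.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

# Same values as the portal walkthrough. usernameSource / emailAddressSource are
# my mapping of "Username attribute" / "Email address attribute from Entra ID".
$emailProfile = @{
    "@odata.type"        = "#microsoft.graph.iosEasEmailProfileConfiguration"
    displayName          = "iOS require work email"
    description          = "Require iOS/iPadOS devices to use work email"
    hostName             = "outlook.office365.com"   # Email server
    accountName          = "Company Email"
    usernameSource       = "userPrincipalName"
    emailAddressSource   = "userPrincipalName"
    authenticationMethod = "usernameAndPassword"
    requireSsl           = $true                     # portal default, made explicit
}
$created = New-MgDeviceManagementDeviceConfiguration -BodyParameter $emailProfile

# Step 10: "All users and all devices" is two separate assignment targets in Graph.
$targets = @(
    "#microsoft.graph.allLicensedUsersAssignmentTarget",
    "#microsoft.graph.allDevicesAssignmentTarget"
)
foreach ($targetType in $targets) {
    $assignment = @{
        "@odata.type" = "#microsoft.graph.deviceConfigurationAssignment"
        target        = @{ "@odata.type" = $targetType }
    }
    New-MgDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $created.Id -BodyParameter $assignment | Out-Null
}

# This Id is the <ProfileId> placeholder in the group-assignment script below.
"Created email profile '$($created.DisplayName)' with Id $($created.Id)"
```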

🔹 2. Create Device Compliance Policy (Portal)

Go to Intune Portal > Devices > iOS/iPadOS > Compliance policies
Click Create Policy with rules like:

  • Require PIN
  • Block Jailbroken devices
  • Require encryption

🔹 3. Create Conditional Access Policy (Azure Portal)

If automating Conditional Access using PowerShell:

# The legacy AzureAD module is deprecated; Conditional Access is managed
# through Microsoft Graph PowerShell instead.
Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# This is simplified; a real CA deployment is done via the Graph API
# (New-MgIdentityConditionalAccessPolicy) or the portal.
# Microsoft recommends manual CA policy creation via GUI for complex conditions.

📍 Recommended: Use the Microsoft Entra Portal:

  • Users: Target user group
  • Cloud app: Exchange Online
  • Conditions: Platform = iOS
  • Access Control: Require compliant device


Assign Profile to Group:

# Requires an existing Graph session that can write device configurations
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

# Assign the email profile to a device group
$assignment = @{
    "@odata.type" = "#microsoft.graph.deviceConfigurationAssignment"
    target = @{
        "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
        groupId = "<Azure AD Group ID here>"
    }
}

# <ProfileId> is the Id of the email profile created in Step 1
New-MgDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId "<ProfileId>" -BodyParameter $assignment