Enterprise Mobility Suite / Exchange access

alexwhite19800 used Ask the Experts™

I am reading up on Enterprise Mobility Suite/ Intune, the MS Mobility offering, but am unable to work out how the mobile client accesses on-prem (or even cloud) Exchange mailboxes. Could someone point me in the direction of any documentation or tell me?

I'd also like to understand what apps are available with EMS. Can we also have Lync on mobile devices and file share access?

Finally, how much reliance does EMS have on Azure?
btan (Exec Consultant, Distinguished Expert 2018):

For a start, it will be good to know ActiveSync, which I assume you already know, serves a different focus compared to Intune. In fact, if you are already using ActiveSync Mailbox Policies to manage mobile devices and Exchange Server is adequately meeting all of your MDM needs, there is probably no reason to use Intune. However, if you are reconsidering MDM, then Windows Intune does contribute better in aspects like having health alerts for mobile devices, and it can be used to deliver applications too. Exchange relies on ActiveSync mailbox policies primarily to apply policy settings to secure and manage mobile devices.

So if Intune is still an option, the focus of the mobile device management found in Exchange is taken over by it, covering aspects such as:
- Enables user-installed software and installs line-of-business applications (automated app push)
- Ability to add and remove managed devices; these can be self-managed by the user
- Support for dynamic membership queries, allowing timely app deployment to specific target devices
- Integrated identity federation, like MS ADFS 2.0, allowing federation with on-premises AD, so it manages distributed assets without having to manage AD accounts for those assets
- Centralized user interfaces for PCs and mobile devices, with a portal for users to invoke self-service actions such as installing applications and downloading policies.

I suggest you check out this series of articles stepping through one use case with Intune supporting conditional access policies for on-premises Exchange Server. It includes a walk-through of the end-user experience once they have been blocked from email.

Catch also the on-demand webcasts that cover areas you may be interested in:
e.g. How do I make e-mail and Office secure on mobile devices?
e.g. Extend your existing Active Directory to the cloud

As for reliance on Azure, I would say it depends on the option you choose for management. We can configure and run Intune in two different ways:

Intune stand-alone. As a cloud-based solution, we can use any Silverlight-enabled web browser to manage Intune without any on-premises IT infrastructure (although we can have a DirSync/AADSync on-premises to synchronize user accounts into Azure Active Directory (AD) which Intune uses as we will later see);

Intune with System Center Configuration Manager. Intune can be integrated with System Center 2012 Configuration Manager (SCCM), allowing organizations to manage all of its devices through a single console, the Configuration Manager Admin Console, further extending both Intune’s and SCCM’s management capabilities.
But do note this before confirming the option to take:
As a warning, you should consider carefully whether you want to manage mobile devices using Intune only or SCCM with Intune integration. After you set the mobile device management authority to either of these options, it can only be changed again by raising a support case with Microsoft. As such, it is best if you make the right choice first time around.
See more details of the run-through configuration for both at http://www.msexchange.org/articles-tutorials/exchange-server-2013/mobility-client-access/intune-and-exchange-activesync-part1.html


alexwhite19800:

Hello, thanks for the detailed reply!

A quick question - so reading through, it looks like Intune provides the MDM / MAM functionality, not the connection back to Exchange. Does this mean that we have to publish ActiveSync externally so the devices can connect?

It's not a solution like Good, Citrix Worx and so on where the Exchange connection is via their own middleware servers?
btan (Exec Consultant, Distinguished Expert 2018):

It is more the Intune standalone option you are referring to. There is no real need to publish AS externally, as Intune comes with two connector types to achieve that "standalone" setup:
e.g. the Service to Service connector, which does not depend on on-premises infrastructure. See "Configure Microsoft Intune on-premises connector for on-premises or hosted Exchange" and note the below:
The Service to Service Connector supports only cloud-based Exchange and has no requirements for on-premises infrastructure.

However, to use this connector, the following must be true:

You have an Office 365 subscription that has an Exchange Server 2013 tenant. So long as the tenant is Exchange Server 2013, the connector supports Exchange Server 2010 in that same environment.
The user account that you use to install the On-Premises Connector must be a tenant administrator for Intune and be an administrator in the Exchange tenant with a license to use Exchange Server 2013.

e.g. the On-Premises connector, which uses the Azure AD Connect wizard.
Use the On-Premises Connector to synchronize data from Exchange Server:

If your instance of Exchange Server is on-premises, you must download, install, and Configure Microsoft Intune on-premises connector for on-premises or hosted Exchange on a computer in your infrastructure. This connector can also connect to Exchange in the cloud.
If your instance of Exchange Server is hosted in a cloud-based service, you can install and configure the On-Premises Connector, or you can Configure Intune service to service connector for hosted Exchange which does not require an on-premises server to host the connector.

Before you can use either connector to connect Intune to your Exchange Server, you must set up Active Directory synchronization so that your local users and security groups are synchronized with your instance of Azure AD.

Based on the above connectors, with Intune standalone also being Microsoft-based, I tend to see more depth in its interface with Azure or Exchange. Intune is also integrated with SCCM 2012 as the second deployment approach if standalone is not palatable, so it leverages SCCM's vantage point and rides on it.

For other MDM products, it is another MDM to manage and patch etc. on top of the MS patches - at least I do not differentiate them in terms of control, but more in the long-term effort of managing two vendors as compared to one. Pardon the brief sharing, as I should not go into depth since I am not into those MDM products.
