By Murali Krishna Hosabettu Kamalesha | Sr. PM, Tyler Castaldo | PM & Owen Yen | Sr. PM
Updated 11/28 - Based on your feedback, we're going to postpone this change while we develop a friendlier end user experience. We will continue to keep this blog post updated on this topic and will also post a targeted communication with updated screenshots in the Office Message Center if action or changes are required.
Updated 10/17 to include a section for customers using Mobile Device Management for O365. Updated 10/19 to add new screenshot for O365 customers. Updated 11/1 to include new section on users exempt from CA. Updated 11/7 with additional information on new report. Updated 11/14 with end user screenshots, reporting, and updated timeline.
We’re introducing some security enhancements, based on your feedback, in the Intune service in November. Depending on how your compliance policies are configured, you may need to take action to avoid loss of email access for your end users. Read along!
If you have used compliance policies with Conditional Access (CA) in Intune, you may have noticed that devices without a compliance policy assigned to them are considered compliant and end users are allowed access to email. Starting the last week in November 2017 and into the first week in December, we'll introduce a change so that devices with no compliance policy assigned to them will be treated as “not compliant”. These devices will be blocked by CA and end users associated with them will lose access to email.
How should I prepare for this change?
We’ve launched a new report in Intune on Azure, called “Devices without compliance policy”. This report will help you identify all the devices in your environment that do not have a compliance policy assigned. Please review your compliance policy deployments and ensure that all your devices have at least one compliance policy assigned to them by mid-to-late November.
Here’s a screenshot of what the report looks like. If the count of devices in your report is non-zero, then you have devices in your environment without a compliance policy; those devices will be marked as not compliant towards the end of November. Click on the report, review the list of devices and users, and assign a compliance policy where necessary. See Get started with Intune device compliance policies and follow the links for directions on assigning policies to the different platforms.
The report has gone live with the October service release, which finished rolling out in early November. We’ve reviewed the deployment schedule and plan to make the changes on the schedule below. NOTE - To find out which scale unit you are on, log in to the Intune on Azure console and select the Help and Support blade. Your scale unit is shown in the top part of the blade under Tenant Location.
11/2-11/27 – Preproduction validation
11/28 – Start with Scale Unit North America 06
11/28 – 11/30 – Provided there are no alerts from North America 06, expand the change to Asia Pacific 03 and North America 05.
The rest of the scale units will then be updated as the service moves to the December service release. These updates are scheduled to be completed by mid-December, but exact dates do shift, so sharing them now would be premature.
How will I know if an end-user is impacted?
Here's a screenshot of what the end user will see. Please note, this is a screenshot from testing, taken of a real device; the white line in the image is a reflection of the overhead lights.
How do I assign a compliance policy to “All Users”?
In November, to make things easier, we’ll add a new feature to the Intune on Azure Portal that allows you to assign compliance policies to “All Users”.
What if I only care about enrollment and don't need compliance?
To allow access for enrolled devices without any additional security checks, create a blank compliance policy with no settings configured and assign it to your users.
What if I have users exempted from CA that aren’t targeted by a compliance policy?
If you have users in your environment that are exempt from CA requirements, their devices will still be reported as not compliant if they’re not targeted by at least one compliance policy. However, this will not impact their access to company resources such as email.
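To make the access outcome of this change concrete, here is a small model of the decision described in this post: a device's compliance state is evaluated against its assigned policies, devices with no policy flip from compliant to not compliant, and Conditional Access then grants or denies email based on that state unless the user is exempt from CA. This is an added illustration written for this page, not Intune code or Microsoft's evaluation engine; the policy settings, device inventory and exemption list are constructed sample data, and the `unassigned_is_compliant` flag simply stands for "before" versus "after" the change.

```python
"""Model of the compliance + Conditional Access decision described in the post.
Added illustration, not Intune code: policies, devices and the CA-exempt user
list below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CompliancePolicy:
    name: str
    # Deliberately minimal settings. A policy with none configured is the
    # "blank" policy the post recommends for enrollment-only scenarios.
    require_passcode: bool = False
    min_os_version: Optional[tuple] = None


@dataclass
class Device:
    name: str
    user: str
    has_passcode: bool
    os_version: tuple
    policies: list = field(default_factory=list)


def policy_satisfied(policy, device):
    """A device satisfies a policy when every configured setting is met.
    A blank policy has nothing to check and is therefore always satisfied."""
    if policy.require_passcode and not device.has_passcode:
        return False
    if policy.min_os_version and device.os_version < policy.min_os_version:
        return False
    return True


def compliance_state(device, unassigned_is_compliant):
    """Returns 'compliant' or 'notCompliant'. The flag models the change:
    before it, a device with no policy assigned is compliant (fail open);
    after it, the same device is notCompliant (fail closed)."""
    if not device.policies:
        return "compliant" if unassigned_is_compliant else "notCompliant"
    if all(policy_satisfied(p, device) for p in device.policies):
        return "compliant"
    return "notCompliant"


def email_allowed(device, ca_exempt_users, unassigned_is_compliant):
    """CA grants access only to compliant devices; users exempt from CA keep
    access regardless of the reported compliance state (11/1 update)."""
    if device.user in ca_exempt_users:
        return True
    return compliance_state(device, unassigned_is_compliant) == "compliant"


def impact_report(devices, ca_exempt_users):
    """Names of devices that have email today but lose it after the change."""
    return sorted(
        d.name for d in devices
        if email_allowed(d, ca_exempt_users, True)
        and not email_allowed(d, ca_exempt_users, False)
    )


# Constructed sample fleet (not real tenant data)
BLANK = CompliancePolicy("Enrollment only")
STRICT = CompliancePolicy("Baseline", require_passcode=True, min_os_version=(10, 3))
SAMPLE_DEVICES = [
    Device("ios-alice", "alice", True, (11, 0), [STRICT]),   # meets Baseline
    Device("ios-bob", "bob", False, (11, 0), [STRICT]),      # fails passcode check
    Device("android-carol", "carol", True, (7, 0), []),      # no policy assigned
    Device("ios-dave", "dave", True, (10, 0), [BLANK]),      # blank policy assigned
    Device("ios-erin", "erin", False, (9, 0), []),           # no policy, CA-exempt user
]
CA_EXEMPT = {"erin"}

if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        print(d.name, compliance_state(d, True), "->", compliance_state(d, False))
    print("will lose email:", impact_report(SAMPLE_DEVICES, CA_EXEMPT))
```

Running it shows the three cases the post calls out: android-carol is the only device that loses email, ios-dave keeps access because its blank policy always evaluates as compliant, and ios-erin is reported as not compliant after the change yet keeps access because the user is exempt from CA.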
What if I am a Configuration Manager customer using hybrid mobile device management (MDM)?
If you’re using a hybrid MDM configuration, this change applies to you, too. Towards the end of November, devices not covered by compliance policy will be marked “not compliant,” and if you have CA configured, these devices will lose access to company resources such as email. You’ll need to prepare for that by first determining which users’ devices are impacted. To do this in hybrid, you can run the following SQL query in your Configuration Manager database. Note that this query does not make any changes, but only returns information about the impacted devices.
```sql
-- Lists MDM-managed devices whose primary user is not a member of any collection
-- that has a compliance policy assigned. Read-only: it only selects data.
SELECT UMR.UniqueUserName AS UserName,
       CDR.Name AS DeviceName,
       CDR.DeviceOS,
       CDR.SiteCode,
       CDR.LastActiveTime,
       CDR.ManagementAuthority,
       CDR.SMSID,
       CDR.SerialNumber,
       CDR.IMEI
FROM vSMS_CombinedDeviceResources CDR
     -- LEFT JOIN so devices with no user relationship are still returned (UserName is NULL)
     LEFT JOIN v_UserMachineRelationship UMR ON CDR.MachineID = UMR.MachineResourceID
WHERE CDR.ClientType = 3          -- hybrid MDM mobile devices only
  AND CDR.ArchitectureKey = 5
  AND CDR.MachineID NOT IN
      (SELECT DISTINCT MachineResourceID
       FROM v_UserMachineRelationship
       WHERE UniqueUserName IN
             (SELECT DISTINCT SMSID
              FROM vCollectionMembers
              WHERE CollectionID IN
                    (SELECT DISTINCT TargetCollectionID
                     FROM vCI_CIAssignments
                     WHERE AssignmentType = 8)))   -- compliance policy assignments
```
You can also create a custom report using this query. See the instructions here. Once you’ve identified the impacted users and devices, you should ensure that they are targeted with a compliance policy.
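If you want to see what the query above returns before running it against production, the following dry run loads the query, exactly as given in the post (whitespace aside), into an in-memory SQLite database that mimics only the columns of the four Configuration Manager views the query reads. This is an added example, not Microsoft or Configuration Manager code; the table shapes and every row are constructed to exercise the edge cases that matter: a user whose collection has a compliance policy, a user whose collection has some other assignment type, a device with no user relationship at all, and a non-MDM device that should be filtered out.

```python
"""Dry run of the post's Configuration Manager query against an in-memory
SQLite mock of the views it reads. Added example, not Microsoft code; the
schema and rows are constructed and model only the columns the query uses."""
import sqlite3

# Query text from the post, unchanged apart from whitespace
IMPACTED_DEVICES_SQL = """
SELECT UMR.UniqueUserName AS UserName, CDR.Name AS DeviceName, CDR.DeviceOS,
       CDR.SiteCode, CDR.LastActiveTime, CDR.ManagementAuthority, CDR.SMSID,
       CDR.SerialNumber, CDR.IMEI
FROM vSMS_CombinedDeviceResources CDR
LEFT JOIN v_UserMachineRelationship UMR ON CDR.MachineID = UMR.MachineResourceID
WHERE CDR.ClientType = 3 AND CDR.ArchitectureKey = 5 AND CDR.MachineID NOT IN
  (SELECT DISTINCT MachineResourceID FROM v_UserMachineRelationship
   WHERE UniqueUserName IN
     (SELECT DISTINCT SMSID FROM vCollectionMembers
      WHERE CollectionID IN
        (SELECT DISTINCT TargetCollectionID FROM vCI_CIAssignments
         WHERE AssignmentType = 8)))
"""

# Minimal stand-ins for the real views: only the columns the query touches
SCHEMA = """
CREATE TABLE vSMS_CombinedDeviceResources (MachineID INTEGER, Name TEXT, DeviceOS TEXT,
  SiteCode TEXT, LastActiveTime TEXT, ManagementAuthority INTEGER, SMSID TEXT,
  SerialNumber TEXT, IMEI TEXT, ClientType INTEGER, ArchitectureKey INTEGER);
CREATE TABLE v_UserMachineRelationship (MachineResourceID INTEGER, UniqueUserName TEXT);
CREATE TABLE vCollectionMembers (CollectionID TEXT, SMSID TEXT);
CREATE TABLE vCI_CIAssignments (TargetCollectionID TEXT, AssignmentType INTEGER);
"""

# Constructed sample data. ClientType 3 / ArchitectureKey 5 and AssignmentType 8
# are the filter values taken from the post's query; collection IDs, names and
# serials are made up.
SAMPLE_ROWS = {
    "vSMS_CombinedDeviceResources": [
        (1, "ios-alice", "iOS 11.0", "PS1", "2017-11-01", 2, "GUID:1", "SN1", None, 3, 5),
        (2, "android-bob", "Android 7.0", "PS1", "2017-11-02", 2, "GUID:2", "SN2", "3560", 3, 5),
        (3, "orphan-tablet", "iOS 10.3", "PS1", "2017-10-20", 2, "GUID:3", "SN3", None, 3, 5),
        (4, "win10-desk", "Windows 10", "PS1", "2017-11-03", 1, "GUID:4", "SN4", None, 1, 0),
    ],
    "v_UserMachineRelationship": [
        (1, "CONTOSO\\alice"),
        (2, "CONTOSO\\bob"),
        # MachineID 3 deliberately has no user relationship row
    ],
    "vCollectionMembers": [
        ("PS100010", "CONTOSO\\alice"),   # collection that has a compliance policy
        ("PS100011", "CONTOSO\\bob"),     # collection with a different assignment type
    ],
    "vCI_CIAssignments": [
        ("PS100010", 8),   # compliance policy assignment
        ("PS100011", 1),   # some other CI assignment type, not a compliance policy
    ],
}


def find_impacted_devices(rows=SAMPLE_ROWS):
    """Loads the mock views and returns (UserName, DeviceName) pairs the
    post's query reports as not covered by a compliance policy."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    for table, data in rows.items():
        placeholders = ",".join("?" * len(data[0]))
        con.executemany(f"INSERT INTO {table} VALUES ({placeholders})", data)
    result = con.execute(IMPACTED_DEVICES_SQL).fetchall()
    con.close()
    # Sort by device name: UserName can be NULL for devices with no user
    return sorted(((r[0], r[1]) for r in result), key=lambda r: r[1])


if __name__ == "__main__":
    for user, device in find_impacted_devices():
        print(f"{device:15} user={user}")
```

The run returns android-bob (his collection has an assignment, but not a compliance policy) and orphan-tablet with a NULL user (the LEFT JOIN keeps devices that have no user relationship, which is exactly why they show up as uncovered), while ios-alice and the Windows desktop are excluded. One general SQL caveat worth remembering when adapting the query: `NOT IN` against a subquery that can yield a NULL value returns no rows at all, so if you add columns that may be NULL to the inner select, switch to `NOT EXISTS`.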
What if I am an Office 365 customer using Mobile Device Management for Office 365?
If you are using Mobile Device Management for Office 365, this change applies to you, too. Towards the end of November, devices that previously have been targeted with a policy to “Allow access even if the device does not meet the requirements of the policy” (see screenshot) will be marked “not compliant”, and if you have CA configured, these devices will lose access to company resources such as email and SharePoint.
You’ll need to prepare for this by first determining which users’ devices are impacted. To do this you need to identify all users that currently have policies (as described above) targeted. Once you have these users identified, you can mitigate the impact of this change in one of two ways.
- You can change your existing device policies in Mobile Device Management for Office 365 by replacing each existing policy with a new one, leaving all the settings the same with the exception of changing the above to “Block access and report violation”. OR
- You can simply create a blank policy and target the policy to all existing users who have a policy targeted, and make sure the policy is set to “Block access and report violation”.
By doing either of the above, you can ensure that your existing devices that are currently targeted with policies can remain in “compliant” state and continue to access your corporate assets in Exchange Online and SharePoint Online.