In this post I want to talk about some of the Intune on-premise Exchange Connector gotchas and how the communication flow works.
What is the Exchange Connector?
The Intune Exchange Connector is a piece of software that you download from the Intune portal and install on your Exchange server. Specifically the CAS role if you still have seperated roles. Installation instructions can be found here.
https://docs.microsoft.com/en-us/intune/exchange-service-connector-configure
Please note that the section on the 'Service to Service' connector should be ignored. That feature is being deprecated and was honestly never needed in the first place.
I dont want to go over installation, the Microsoft document does a decent job of that and its fairly self explanatory. I do want to touch on the communication flow. It looks something like this,
For iOS, and Knox devices there are 2 routes. Either you install the company portal first, or you try to add an EAS account first. We will go over the adding an EAS account scenario.
1. End user adds thier EAS account to their mobile device
2. After some time the Intune connector will sync the EAS record up to Intune
3. If the EAS record gets synced up and there is no corresponding MDM record the Intune Connector will set the device from allowed to blocked
4. The end user will recieve an email asking them to enroll into Intune
5. The end user enrolls the device into Intune and creates an MDM record
6. The EAS record and MDM record merge to become a EAS/MDM record in the Intune console
7. The connector will do another sync and check that the record is merged. If so it will remove the device from blocked back to allow
Where this process gets tricky though is for non-Samsung Androids. For some reason, and this may change with Android Enterprise, when a regular Android device enrolls into Intune it does not report its Active-Sync ID. They way we get around this is by using the link in the email notification we receive on the device that says we've been blocked. This link contains our EAS ID and will communicate that to the Intune Service. Without this link our EAS record will never merge with the MDM record when enrolled.
This also makes it tricky to use any type of non native email client as these clients create their own EAS record but can never create an MDM record to match to. The MDM record is always owned by the device not by the email clients on it, if that makes sense. Long story short you have to use the native mail clients when doing this or you have to create an exception for certain platforms.
I will say it again, non-Samsung Android devices have to enroll via the email notification!!! Just going to the app store and getting the company portal app will not work. Enrolling using the app before you receive the email notification will not work.
Here is where the gotchas come in to play. There are two main ones that I want to cover.
When setting up the connector it asks you to enter a notification account. You need to enable that and MAKE SURE THAT ACCOUNT HAS A MAILBOX!
Without a mailbox the end user will never receive the email asking them to enroll with the link that contains their EAS ID.
Second gotcha is that this service relies heavily on the Autodiscover service. Very heavily. If your Autodiscover is not healthy then this process will fail. One specific example of this when working through this in my lab was that I did not have an internal DNS record for Autodiscover.rollerlabs.com. This is because internal Outlook clients do not use the DNS record to find AutoD, they use the internal URI that is set within Exchange. I never had a need for an actual internal DNS record before.
The connector was reliant upon that to find the Exchange server, even though you specify in the connector what your server name is, it will still look at AutoD.
Once I added the internal AutoD record I was able to receive the enroll now email.
This is just an image pulled out of a search but it lets you see the format of the expected email. Please note that the activate/enroll email with link that contains your EAS ID is not the same as the email generated by the exchange server that tells you your device has been blocked. The activate link will come from the Notification account.
Hope this is helpful to someone out there. Is anyone still using Exchange on premise anymore? Hello? Bueller?
No comments:
Post a Comment