referring to my old Blogpost, where I described the Integration of the Conditional Access in System Center 2012 Configuration Manager for Exchange Online (Link) and because there was an Update with the Intune Extension to support the On-Premise Exchange Server aswell, I decided to create a new blogpost about this.
The Supported Exchange Versions are currently 2010 and 2013, be sure suing one of them with a current Update Rollup (afaik for 2013 UR6 is required).
And you can use the conditional Access to restrict the EAS connection on the following Devices:
•Windows 8 and later (when enrolled with Intune)
•Windows Phone 8 and later
•Any iOS device that uses an Exchange ActiveSync (EAS) email client
•Android 4 and later.
The first step is to set up the Exchange Connector within your SCCM 2012 Administration Workspace. Follow this TechNet Article to configure the Exchange Connector:
How to Manage Mobile Devices by Using Configuration Manager and Exchange
When this is done, you should create a User Collection, which is used later to Target the conditional access profile to this collection, you can already add the users you want to restrict. If needed, do the same for an exclusion collection, because you can exclude users from restrictions, even they are within the restrict Collection.
The next screen of the wizards asks for the Exempted collections, if your configuration needs this, you can add it here. The last screen of the wizards shows you the message template that is sent to the user, when his Device is not compliant to the Policy:
This message is sent to a user, when EAS has recognized, that the device is not compliant. Make sure that you have configured the new “Conditional Access Email Notification Account” option on the Exchange Connector properties, this enables SCCM to send the Email:
But it can take up to 3 hours, that the Device is blocked, that means if a user sets up an Exchange ActiveSync profile, it might take from 1-3 hours for the device to be blocked (if it is not managed by Intune). Or otherwise if a user un-enrolls a Device from Intune it might take from 1-3 hours for the device to be blocked. But on the other hand, if a user then enrolls the device with Intune (again), email access will be unblocked within 2 minutes. (from Technet).
See also this link for a very detailed description: