I am new to System Manager and I am trying to figure out (ultimately) if I can do the following on Android and iOS mobile devices:
1. Set up mobile devices so that email will only ActiveSync to Exchange if MDM is running and the device is compliant to policy.
2. To get to #1, how do I force MDM to always be running on a mobile device?
I have Exchange set to quarantine new ActiveSync devices until approval but I need to stop the sync if the device falls out of compliance. With the Department of Defense upcoming CMMC requirements I need to establish tighter security on all mobile device connections.
Any assistance in the above is greatly appreciated.
Is the policy to which users must be compliant defined in the Meraki Security Policies or are you using another solution? If it is defined within Meraki you can setup your exchange ActiveSync payload to only sync to client devices which are compliant with a particular security policy using tags. This is described here.
The downside to this is that a user will have to re-enter their password / re-authenticate using OAuth every time their device becomes compliant again, as it will remove the ActiveSync account completely from the device. This is probably okay if you don't expect devices to become non-compliant very often, but if it's a weekly thing it will definitely annoy users (maybe they'll start keeping their devices compliant!).
Unfortunately a more streamlined solution would be to use Microsoft Conditional Access policies to block ActiveSync connections when devices are not compliant with Intune MDM policies, as described here. Of course this assumes your organisation has Office 365 with Intune. This would also mean abandoning Meraki EMM, which is unideal.
A further solution (and perhaps the best if you can get it to work) would be to use Mobile Device Mailbox policies in the Exchange Admin Center (Office 365 or on-premises). This would let you apply policies only to ActiveSync connections, which would auto-deny them on the server side if certain conditions are not met. This seems more efficient than manual quarantine each time. The only policy available in the GUI is a password policy, but there are more if you connect through PowerShell. This is described here. It seems to be what you're already doing in the question.
However, for this last solution the documentation is sparse and for me it's been hit-and-miss on iOS. I think Android still supports it but I'm not sure. I am pretty sure Microsoft is planning to abandon this in favour of its Intune App Protection Policies / Conditional Access policies, which they can use to extract even more money out of people.
Have you considered using a third-party application for email which can be managed separately? Or using the Outlook for iOS / Android app with Intune?
For point 2)
Meraki MDM is active as long as the device is connected and the profile is installed. If the profile is removed, the accounts get removed too. If your security policy needs constant location feedback, you can make sure that in the security policy the Systems Manager app is set as mandatory and location services must be enabled. That means if users remove the Systems Manager app but not the profile, they also lose access to their Exchange account because their device violates the security policy.
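To make the PowerShell side of the Exchange mobile device mailbox policy option concrete, here is an added example for Exchange Online; it is not code from the reply's author or from the Meraki or Microsoft documentation. The mailbox address, policy name and device ID are placeholders, and it assumes the ExchangeOnlineManagement module with a session already opened via Connect-ExchangeOnline.

```powershell
# Added example, not from the thread. Assumes Connect-ExchangeOnline has already
# been run. Mailbox, policy name and device ID below are placeholders.

# 1. Quarantine any ActiveSync device the organisation has not seen before and
#    notify an admin mailbox (the manual-approval setup the question describes).
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'mdm-admins@example.com' `
    -UserMailInsert 'Your device is awaiting approval by IT.'

# 2. Create a mobile device mailbox policy. Only the password settings are
#    exposed in the GUI; encryption and non-provisionable handling are
#    PowerShell-only. AllowNonProvisionableDevices $false denies, server-side,
#    any client that cannot enforce the policy at all.
New-MobileDeviceMailboxPolicy -Name 'CMMC-Mobile' `
    -PasswordEnabled $true -AlphanumericPasswordRequired $true `
    -AllowSimplePassword $false -MinPasswordLength 8 `
    -MaxPasswordFailedAttempts 10 -MaxInactivityTimeLock 00:05:00 `
    -RequireDeviceEncryption $true -AllowNonProvisionableDevices $false

# 3. Assign the policy to a mailbox (loop over a group for bulk assignment).
Set-CASMailbox -Identity 'jdoe@example.com' -ActiveSyncMailboxPolicy 'CMMC-Mobile'

# 4. Audit: show, per device, whether the policy was actually applied and when
#    it last synced. PartiallyApplied or NotApplied is the compliance gap the
#    question is about, so this is what to check before approving a device.
Get-MobileDeviceStatistics -Mailbox 'jdoe@example.com' |
    Select-Object DeviceType, DeviceOS, DeviceId, DeviceAccessState,
                  DevicePolicyApplied, DevicePolicyApplicationStatus, LastSuccessSync |
    Format-Table -AutoSize

# 5. Block one device that has fallen out of compliance without disabling
#    ActiveSync for the user's other devices. DeviceId comes from step 4.
Set-CASMailbox -Identity 'jdoe@example.com' `
    -ActiveSyncBlockedDeviceIDs @{Add = 'PLACEHOLDER-DEVICE-ID'}
```

Step 5 is per-device and reversible (use `@{Remove = ...}`), whereas `Set-CASMailbox -ActiveSyncEnabled $false` would cut off every device on the mailbox.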