Simply put, Conditional Access is EMS flexing its might. Surprisingly often, regular users of ConfigMgr overlook how much they can use Conditional Access (CA) and take advantage of the simple, cloud-attached benefits. CA is a perpetual-motion machine which ensures that corporate resources are only accessed by trusted users on trusted devices using trusted apps. It has been built from scratch in the cloud and, whether you're managing devices with Intune or extending your ConfigMgr deployment with Co-Management, it works the same way.

With Co-Management, Intune evaluates every device in your network to determine how trustworthy it is – and it does this in two key ways:

1. Intune ensures a device or app is managed and securely configured according to however you choose to set your organization's compliance policies (e.g., make sure all devices have encryption enabled and are not jailbroken). This is a pre-security breach, configuration-based evaluation. For Co-Managed devices, ConfigMgr also does configuration-based evaluation, such as required updates or apps compliance – and Intune combines this evaluation with its own assessment.

2. Intune detects active security incidents on a device thanks to the intelligent security of Windows Defender Advanced Threat Protection and other mobile threat defense providers. These partners perform ongoing behavioral analysis on devices to detect active incidents and pass this information to Intune for real-time compliance evaluation. This is a post-security breach, incident-based evaluation.

You can listen to Brad Anderson discuss CA in depth (with live demos!) in this section of his keynote at Ignite 2018.