Enable Office 365 Built-In MDM (Mobile Device Management)

Do you have company-owned mobile devices or employee-owned mobile devices that receive email? Of course you do; everyone does. Do you have a Mobile Device Management solution that you're paying lots for but only using a little of? Have you got, or are you looking at getting, Office 365? If the answer to any of these questions is yes, then you need to be aware of Mobile Device Management in Office 365, which Microsoft announced on March 30 on the Office Blog. In this post, I'm going to take you through enabling MDM management of a device, but first, why is MDM in Office 365 important?

Why is MDM in Office 365 important?

The Exchange ActiveSync (EAS) protocol has had some mobile device management-like capabilities for some time, but as mobile devices and their use have evolved, EAS hasn't been the go-to management solution beyond email. OS manufacturers have invested in Mobile Device Management protocols and deeply instrumented those in their operating systems, allowing MDM to apply policies far beyond email.

I'll give you a prime example of that evolution: the BYOD movement has led to people using their personal devices for work. It's not clear legally how much control over such a device an employer has, and it can vary dramatically even within one country. As a result, wiping everything on a personally owned device could be worrisome to an employer.

With EAS, it's only been possible to fully wipe a device. One of the capabilities that Office 365 built-in MDM brings is the ability to selectively wipe business data from the device. This is huge, because if remote wipe is your only need, Office 365's built-in MDM has you covered. More of you need to specify basic device policies (that still go beyond EAS) to control device capabilities, such as encryption, password requirements, app (age) restrictions and the like. A full list of the policies enabled through Office 365 MDM is on TechNet.

Conditional Access to Office 365 is also available through the built-in MDM. If you aren't familiar with the principle of Conditional Access yet, it asks a simple question: does the device meet the minimum bar for entry? You define the minimum bar. So you can set a policy that says a device must be managed by Office 365 (so you can wipe it, for example) before it's allowed access to critical information. Frankly, it's ground-breaking that this ability is in an MDM offering that costs nothing extra.

With all that in mind, what’s the answer to the question: Why is MDM in Office 365 important? The Answer: It gives you another option for management.

For some customers, it might be the only MDM they need. Indeed, I surveyed my Twitter followers and found out something interesting (I do this regularly; you should follow me to participate and be heard). 14% of respondents to one poll were paying for MDM (which is probably about $100 per user or $51 per device per month*); they could cut this from their expenditure immediately… that would probably make the boss happy!

How about if you still need MDM for some users that need capabilities beyond what’s built into Office 365 such as Mobile Application Management or Company Resource provisioning?

There are people or groups of devices that need capabilities beyond what’s available built into Office 365 MDM and that is fine. Just license them for Microsoft Intune and the on-ramp is simple. Users with a Microsoft Intune license are managed through Microsoft Intune, users without are managed through Office 365 MDM! With Microsoft Intune, you get capabilities such as being able to automatically provision company resources (certificates, VPN, WiFi) and being able to distribute and manage apps.

Ok, looks useful, let’s try this…

That's the why over with, and hopefully you want to start taking a look. Let's take a look through my Office 365 tenant and see what we need to do to get set up.

Enable Office 365 MDM

First, go to the Mobile Devices option in the Office 365 Admin portal and click Get Started to start the activation process; this will take some time to complete. If you're using a custom domain (such as contoso.com rather than .onmicrosoft.com) to set up Office 365 as a mobile device management authority, you will need to set up the correct DNS settings and exchange a certificate request from Office 365 for a certificate from Apple to work with the Apple Push Notification Network (APN) to support iOS. You'll need to add the following two DNS entries if you're using a custom domain:

Host name               Record type   Address                                     TTL
EnterpriseEnrollment    CNAME         EnterpriseEnrollment.manage.microsoft.com   3600
EnterpriseRegistration  CNAME         EnterpriseRegistration.windows.net          3600


REALLY neat feature: these are the same DNS entries you need to add if you're using Microsoft Intune for MDM, which is why moving some or all users from Office 365 MDM to Intune is possible, or, put another way, Office 365 and Microsoft Intune co-exist for MDM.
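Before clicking Get Started on a custom domain, it is worth confirming that both CNAMEs above actually resolve to the right targets. The following PowerShell check is an added example and not part of the original post; it assumes the DnsClient module (Resolve-DnsName, Windows 8 / Server 2012 or later) and uses contoso.com as a placeholder domain.

```powershell
# Added example (not from the original post): verify the two CNAME records that
# Office 365 MDM (and Intune) enrollment needs for a custom domain.
# Assumes Resolve-DnsName from the DnsClient module (Windows 8 / Server 2012+).
function Test-O365MdmDns {
    param(
        [Parameter(Mandatory)] [string] $Domain,   # e.g. 'contoso.com' (placeholder)
        [string] $Server                           # optional resolver to query, e.g. a public one
    )
    # Expected targets as listed in the post; compared case-insensitively.
    $expected = [ordered]@{
        'EnterpriseEnrollment'   = 'EnterpriseEnrollment.manage.microsoft.com'
        'EnterpriseRegistration' = 'EnterpriseRegistration.windows.net'
    }
    foreach ($label in $expected.Keys) {
        $fqdn   = "$label.$Domain"
        $params = @{ Name = $fqdn; Type = 'CNAME'; ErrorAction = 'SilentlyContinue' }
        if ($Server) { $params.Server = $Server }
        # Keep only CNAME answers; NXDOMAIN or a missing record yields nothing.
        $answer = Resolve-DnsName @params | Where-Object { $_.Type -eq 'CNAME' }
        $actual = $answer | Select-Object -First 1 -ExpandProperty NameHost
        if (-not $actual) { $status = 'Missing' }
        elseif ($actual.TrimEnd('.') -ieq $expected[$label]) { $status = 'OK' }
        else { $status = 'Wrong target' }
        [PSCustomObject]@{
            Record   = $fqdn
            Expected = $expected[$label]
            Actual   = $actual
            TTL      = if ($answer) { ($answer | Select-Object -First 1).TTL } else { $null }
            Status   = $status
        }
    }
}

# Usage: any row whose Status is not 'OK' needs fixing before MDM activation.
Test-O365MdmDns -Domain 'contoso.com' | Format-Table -AutoSize
```

Run it again after changing DNS; the TTL column shows how long a stale answer can still be cached by resolvers.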

Optionally, you can enable Multi-Factor Authentication (MFA), meaning that to enroll their device into Office 365 MDM management users need to give a second factor of authentication, such as receiving a phone call or text from the Azure MFA service. Configuring this only requires MFA for device registration; from that point forward, because the device is now trusted, the device itself acts as a second factor of authentication.

Create A Device Security Policy

Now that your Office 365 tenant is enabled for MDM, we need to enable some policies. So click the Manage device security policies and access rules link. You'll be taken to the Compliance Center, where you'll click the Manage device access settings link.

In Organization-wide settings for device access management, you can choose to allow devices that don't support MDM management to enroll, or choose to block them. If you choose block, then a device must be MDM capable to be able to add an Office 365 email profile. You might want to do this for your regular users but have some users that this rule doesn't apply to (such as your C-level people).

Finally, let's create our policy and target it at some users. Click the New icon (the plus sign), enter a policy name, and click Next. Make some policy settings: I like to set a password policy for testing purposes. The last section of the Device Security Policy determines what to do if a device is non-compliant; this is Conditional Access!

Conditional Access

Conditional Access, as previously stated, prevents a non-compliant device from accessing resources. If you select Block access and report violation, then if any of the above policy settings aren't set on the device (or the device has refused the setting), access to Office 365 Email, SharePoint and OneDrive for Business will be blocked from this device. If you select Allow access and report violation, then the violation will just be audited (which you can see in either case in the Compliance Center).

This is simply a cool feature: it means you can definitely stop email flow to a device that isn't enrolled, a device that's jailbroken or rooted, or a device that simply isn't encrypted.

In the case of email, all the user will get in their inbox, until they are compliant, is a single email telling them how to get compliant, and nothing more!

If the device Click Next to set the policy.

Something Extra Really Cool

One other thing. If you tick the box that says Require managing email profile, then what you're saying is that if the user added their own email profile, that is not good enough for them to access resources. The reason it's not good enough is that you DO NOT have the right to wipe a non-managed email profile on iOS or Android, and therefore you don't have control over your organization's email data.

Ticking Require managing email profile does something really cool, though. The user is prompted to remove the organizational email profile they added and, once that's done, Office 365 will provision the email profile to the user's device, making it managed!

And all that [Email Provisioning] takes is just one check box!

Finally, Deploy the Policy

The very last thing you'll do is deploy the policy. Just search for a security group that you want to deploy the policy to, select the group, and click Add and OK. Then you can go to a test device and try out the policy: add an organizational email account manually on the device and (if you selected the Block option for Conditional Access) you'll receive an email telling you to enroll your device by getting the Company Portal app from the store.

Perhaps you’d like to see this in action

Corporate Vice President, Enterprise Client and Mobility at Microsoft, Brad Anderson and I took a look at this on the latest episode of the Endpoint Zone with Brad Anderson which you can watch below:

This is cool, I want to try it out how do I do that?

Firstly, if you have Office 365, you should check to see if MDM is available in your Admin portal yet. If it is, you'll see it just like in the first step above. If it's not, it's coming: Office 365 MDM is rolling out now, but it'll take us a few more weeks to complete every Office 365 tenant (there are so many!).

If you don't yet have Office 365, you can get a free trial, although the functionality might not be available there yet; it should be before the trial expires.

Finally, if you want to know even more, you should check out the free Microsoft Intune Jumpstart on Microsoft Virtual Academy next week, which is part of our Enterprise Mobility Core Skills Jumpstart series. Since it's a series, you can sign up for them all and watch them live or binge on them as they become available on demand!

* Airwatch Green Management Suite-Cloud as of 3/1/2015.

The post Enable Office 365 Built-In MDM (Mobile Device Management) appeared first on Enterprise Devices + Infrastructure.