

Use Office 365 MDM to protect your tenant

When ActiveSync just isn't enough, learn how to enable and use Office 365 mobile device management with your devices.

Many organizations like the functionality of Exchange Online's built-in device management, but it lacks capabilities compared to third-party mobile device management options.

Microsoft offers its own full mobile device management (MDM) option through Intune, which allows users to manage email and other company-owned applications installed on devices. Some organizations don't need all of that functionality, but still seek better, more modern controls.

The ActiveSync protocol delivers push email to devices and works best when combined with Exchange's mobile device quarantine features and remote wipe, a set of controls to restrict which devices connect and remove data. Policies that were mostly defined in a pre-iPhone era and aimed at Windows Mobile 6 and below have been implemented in part by modern smartphone manufacturers, but usually only in a basic way -- for example, to enforce a PIN lock.

Office 365 MDM picks up where ActiveSync leaves off, but it doesn't provide the third-party app management ability of Intune. Unlike Intune, Office 365 MDM aims to manage only your Office 365 suite, and nothing else.

Office 365 MDM allows you to deploy and manage Office 365 apps and use advanced features to protect content in your tenant. It's a basic management option that doesn't provide the full functionality of Intune, but it offers a simple layer to secure access to Office 365-specific services. A more comprehensive option requires an advanced tool, but this free out-of-the-box functionality is more complete than using ActiveSync alone.

Configure Office 365 MDM in your tenant

Office 365 MDM is available in your tenant and doesn't require any special enablement, but it does require configuration.

Log into the Office 365 portal. Select Mobile Devices from the left-hand menu in the admin portal. There is an existing registered devices list and a Manage Settings link on the right-hand side (Figure 1).

Figure 1: Configure Office 365 MDM

After reaching the Manage Settings link, you'll need to add additional domain name system (DNS) configuration and request a certificate from Apple for iOS devices such as iPhones and iPads.

Add DNS configuration. For each domain, navigate to the Domains list and check Domain Settings (Figure 2). When the DNS Management page displays, select Mobile Device Management for Office 365 under the Domain Purpose (Figure 3).

Figure 2: Adding DNS configuration
Figure 3: Select MDM for Office 365

After selecting MDM for Office 365, two new DNS records will appear and should be entered into your public DNS (Figure 4).

Follow the same process for each custom domain in the tenant. The DNS CNAME record is the same for every domain, so these can be created en masse.

Figure 4: Two new DNS records appear
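Once the records are in your public DNS, it's worth confirming from outside the tenant that they resolve correctly before pointing devices at MDM. The following script is an added example, not from the article or from Microsoft: it checks, for each domain you pass in, that the two CNAME records Office 365 MDM relies on (the EnterpriseEnrollment and EnterpriseRegistration names that Microsoft documents for enrollment) exist and point at the expected targets. The domain list is a constructed sample.

```powershell
# Added example (not from the article): verify the two Office 365 MDM CNAME records
# on every custom domain. Record names and targets are the ones Microsoft documents
# for MDM enrollment; the default domain list below is a constructed sample.
param(
    [string[]]$Domains = @('contoso.com', 'fabrikam.com')
)

# Expected CNAME targets, keyed by the host label that must exist under each domain.
$expected = @{
    'enterpriseenrollment'   = 'enterpriseenrollment.manage.microsoft.com'
    'enterpriseregistration' = 'enterpriseregistration.windows.net'
}

foreach ($domain in $Domains) {
    foreach ($label in $expected.Keys) {
        $fqdn   = "$label.$domain"
        $actual = $null
        try {
            # -DnsOnly bypasses the local cache and hosts file so the answer reflects
            # what the public zone actually serves.
            $actual = Resolve-DnsName -Name $fqdn -Type CNAME -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'CNAME' } |
                Select-Object -First 1 -ExpandProperty NameHost
        } catch {
            # NXDOMAIN or timeout: the record is missing or has not propagated yet.
        }

        $status = if (-not $actual) { 'Missing' }
                  elseif ($actual.TrimEnd('.') -ieq $expected[$label]) { 'OK' }
                  else { 'Wrong target' }

        # One row per record so the output can be piped to Format-Table or Export-Csv.
        [pscustomobject]@{
            Domain   = $domain
            Record   = $fqdn
            Expected = $expected[$label]
            Actual   = $actual
            Status   = $status
        }
    }
}
```

Any row other than OK means enrollment on that domain will fail until the record is corrected, so run this for every custom domain you added in the previous step.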

The next step is the Apple certificate request, where you generate a certificate for push notifications on Apple devices. You can generate a certificate signing request with the Manage Settings link. The Install Apple Push Notification Certificate wizard pages will start. Choose Download your CSR file on the first page.

A link to the Apple Push Certificates portal will appear. Follow the link and sign in with an Apple ID. If you don't have an Apple ID, use one attached to a role-based mailbox or email address rather than an individual's ID -- that way you aren't obligated to renew it annually. After uploading the certificate request, you'll see a freshly signed Apple certificate. Complete the wizard on the Office 365 portal by uploading the certificate.

The end-user experience on the mobile device mirrors the end-user experience with Exchange Online's conditional access features because the underlying technology uses the same Intune back end.

Set up defaults for mobile access settings

If you're starting with a fresh tenant, you may want to disable all mobile device access -- unless a policy covers the devices -- or exclude some users and ramp up slowly. If you only allow mobile access via MDM, then you won't have any unmanaged devices. If you allow people to add devices before implementing MDM, then you'll need to reconfigure those devices.

In this example, we want to block all devices, unless the end user is a member of a specific group. We've created a group in Azure Active Directory (AD) called "ExcludedFromMDM." Choose Manage device security policies and access rules from the Office 365 MDM homepage to configure this group (Figure 5).

Figure 5: Configure Azure AD group

Next, you'll see a Device Management page in the compliance center. This page allows us to use the default settings and create specific policies. Select Manage Device Access Settings to define the default action for devices.

This displays settings for the whole organization. We added all excluded end users from our pilot to the "ExcludedFromMDM" group and then blocked unsupported devices, except for those whose users are contained in the group.

Save your changes and ensure that a default security model of enforcement is in place -- but exclude the group of end users this shouldn't affect.
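Before flipping the default to block, it helps to know which users already have devices synced through ActiveSync, because everyone outside the exclusion group will lose access until their device enrolls. The following pre-flight script is an added example, not from the article: it assumes an Exchange Online PowerShell session is already connected and takes the exclusion group's members as a list of UPNs (a constructed sample here; populate it from the "ExcludedFromMDM" group in Azure AD).

```powershell
# Added example (not from the article). Assumes Connect-ExchangeOnline has already
# been run. $ExcludedUsers is a constructed sample standing in for the UPNs of the
# "ExcludedFromMDM" group members exported from Azure AD.
param(
    [string[]]$ExcludedUsers = @('pilot.user1@contoso.com', 'pilot.user2@contoso.com'),
    [string]$ReportPath = '.\mdm-preflight.csv'
)

# Case-insensitive lookup of excluded UPNs.
$excluded = @{}
foreach ($upn in $ExcludedUsers) { $excluded[$upn.ToLower()] = $true }

# Walk every user mailbox and list the mobile devices already partnered with it.
$report = foreach ($mbx in Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited) {
    $upn = $mbx.UserPrincipalName
    foreach ($dev in Get-MobileDevice -Mailbox $upn) {
        [pscustomobject]@{
            User         = $upn
            Device       = $dev.FriendlyName
            DeviceType   = $dev.DeviceType
            DeviceOS     = $dev.DeviceOS
            AccessState  = $dev.DeviceAccessState
            AccessReason = $dev.DeviceAccessStateReason
            FirstSync    = $dev.FirstSyncTime
            # Anyone not in the exclusion group hits the new block default until the
            # device enrolls in MDM, so these users need to be warned before the change.
            Action       = $(if ($excluded[$upn.ToLower()]) { 'Excluded' } else { 'Needs enrollment' })
        }
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation

# Headline numbers: how many devices are exempt versus how many will be blocked.
$report | Group-Object Action | Select-Object Name, Count
```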

Create device profiles

The next step is to create device profiles for end users. A device profile is a group of settings that control what end users can and can't do on the device. Device profiles also set minimum standards the device must comply with before use with Office 365. These standards include: functionality, such as access to the app store or camera; security settings, such as ensuring a PIN is enforced or the device is encrypted; and reporting on whether the device has been tampered with -- if an end user has jailbroken the device.

Before creating a profile, choose a group of end users to which the profile will apply. We've created an "EnforcedMDM" group in Azure AD.

To create the first profile, choose the Add (+) button in the Mobile Device Management section of the compliance center. The wizard lets you restrict settings and set a default for end users in the policy's scope -- either to block or allow with a warning if they don't meet policy requirements (Figure 6).

Figure 6: New device security policy

Save the settings and the policy will take effect.

About the author:
Steve Goodman is an Exchange MVP and is the head of unified communications at the U.K.'s leading Office 365 partner. He has worked in the IT industry for 16 years and has worked extensively with Microsoft Exchange since version 5.5. Goodman is the author of a number of books about Exchange, regularly presents at conferences, co-hosts The UC Architects podcast and regularly blogs about Exchange Server, Office 365 and PowerShell at www.stevieg.org.
