Office 365 is a strong solution for enterprises, and employees are moving onto the cloud faster through many types of devices, including desktops, tablets, pads and mobile phones. It is therefore very important to protect valuable enterprise information not only inside the organization but also outside it, when employees are allowed to work with company data on mobile devices and tablets. To make this possible, Microsoft introduced Mobile Device Management (MDM) capabilities and has rolled out MDM in all Office 365 commercial plans. These capabilities are now supported on Windows, iOS and Android phones to control information across apps such as Outlook, Word, Excel, PowerPoint and OneDrive.
MDM capabilities for Office 365
Built-in Mobile Device Management in Office 365 provides key benefits to control and secure an organization’s information. It also gives flexibility and guidance to choose the best solution per the organization’s needs.
Access. MDM lets you set options that determine whether a particular user can bring their Office 365 data from the cloud onto their mobile device. You can use this capability to configure settings for users who have MDM-compatible devices. The Access options let you set:
- Criteria for mobile devices connected to Office 365
- Device access policies such as pin lock
- Data encryption on devices
- Jailbreak detection
- Blocking non-compatible devices
Control. Use MDM options to control devices via a built-in management console with PowerShell or create group policies for devices.
Wipe. If a device is lost, or an employee's account is deleted within the organization, the Wipe feature deletes the data on the user's mobile device that is protected by MDM, without touching the user's own personal data.
Report. This feature provides reports on the following:
- Device compliance reports
- Mobile usage and trends in the organization
- API support (coming, not available yet)
Microsoft Intune. MDM for Office 365 makes a subset of Microsoft Intune features available (figure 1), which gives administrators more sophisticated control for aligning corporate data policies with a user's personal data on their devices. You can read a detailed TechNet article about Intune capabilities for MDM in Office 365 here. Microsoft Intune gives administrators the ability to restrict actions such as cut, copy, paste and "save as" into other applications, which keeps corporate data more secure.
Figure 1: Mobile Application Management with Microsoft Intune
How to configure MDM in Office 365
As a Global Administrator, you must complete the following tasks to configure Mobile Device Manager for Office 365:
- Activate MDM from the Office 365 Admin Center and then click the Get Started button to set up MDM, including required steps such as configuring the APNs (Apple Push Notification service) certificate used to manage iOS devices and the domain (DNS) settings.
Figure 2: Set up MDM for Office 365
- Create and deploy device security policies from the Compliance Center for specific security users or groups of users. A device policy provides a wide range of administrative options to manage security, such as device-level PIN lock and jailbreak detection, as well as the additional configuration options shown in figures 3 and 4; the policy is deployed to specific security groups of users.
Figure 3: Security policy options for mobile devices
Figure 4: Additional security policy options for mobile devices
Note: MDM policies always override the Exchange ActiveSync mailbox policy.
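The policy-creation step above can also be scripted. The following is an added example, not code from the original article or from Microsoft, that creates a device security policy and attaches a rule expressing the figure 3 and 4 options (PIN lock, minimum PIN length, lockout after repeated failures, inactivity timeout, device encryption, no jailbroken devices) and scopes it to one security group. The policy name and group name are placeholders, and the cmdlet parameter names are assumed from the Security & Compliance Center cmdlet reference; confirm them in your tenant with Get-Help New-DeviceConditionalAccessRule -Full before running it.

```powershell
# Added example (not from the original article): create and target an
# Office 365 MDM device security policy with the Security & Compliance
# Center cmdlets. Names in quotes are placeholders; parameter names are
# assumptions to be checked with Get-Help in your own tenant.

# Connect to Security & Compliance PowerShell (prompts for admin credentials).
Connect-IPPSSession

# Resolve the target security group; the rule is scoped to its GUID.
$group = Get-Group -Identity "MDM-Finance-Users"   # placeholder group name

# 1. Create the policy container that figure 3/4 settings hang off.
New-DeviceConditionalAccessPolicy -Name "Finance Mobile Policy" `
    -Comment "Baseline for finance team devices (added example)"

# 2. Attach a rule carrying the actual device requirements:
#    - PIN lock required, at least 6 characters
#    - device wipes itself after 10 failed PIN attempts
#    - device locks after 5 minutes of inactivity
#    - storage encryption required
#    - jailbroken / rooted devices are not allowed
New-DeviceConditionalAccessRule -Policy "Finance Mobile Policy" `
    -TargetGroups $group.Guid `
    -PasswordRequired $true `
    -PasswordMinimumLength 6 `
    -MaxPasswordAttemptsBeforeWipe 10 `
    -PasswordTimeout (New-TimeSpan -Minutes 5) `
    -PhoneMemoryEncrypted $true `
    -AllowJailbroken $false

# 3. Review what was created before it reaches enrolled devices.
Get-DeviceConditionalAccessPolicy -Identity "Finance Mobile Policy" | Format-List
Get-DeviceConditionalAccessRule | Format-List Name, TargetGroups
```

Because MDM policies override the Exchange ActiveSync mailbox policy (the note above), a PIN or encryption requirement set here wins over any weaker ActiveSync setting on the same mailbox, so this is the place to set the stricter value rather than relying on the ActiveSync policy.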
After an administrator has configured MDM for Office 365, users must enroll each device they want to use to access company resources with the company's Office 365 tenant. When a user signs into MDM from a compatible Office 365 mobile device, Office 365 checks whether the device is enrolled; if it is not, the user is prompted to enroll the device (figure 5).
- Enroll the device with the MDM-enabled Office 365 tenant.
Figure 5: Mobile device enrollment notification
Note: When a user first tries to access their corporate email, as configured by Office 365, from a mobile device, they receive an email with a specific set of instructions for enrolling the device. If you want to see the whole enrollment notification cycle, view this.
- Once the user completes the enrollment steps, and if the security policy configured via MDM in the Office 365 tenant requires a passcode, the user is notified to set the passcode (figure 6).
Figure 6: Passcode Requirement notification per the security policy configuration
For more information, please view this Microsoft support article about managing mobile devices in Office 365.
When users access Office 365 data from mobile devices, they are directed to sign into Azure Active Directory; in doing so, they send both their user credentials and their device credentials to Azure AD for validation. If the conditional access policies are satisfied, the client is granted a token to access Office 365.
As employees keep accessing business data through mobile devices, global administrators can use MDM for Office 365 to perform the following tasks:
- Wipe corporate data from a device (for more information click here)
- Block unsupported devices from accessing email over ActiveSync
- Check the list of blocked devices
- Unblock non-compliant devices for users or groups
- Generate reports to review compliant and non-compliant devices
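The device tasks listed above can be done from the admin portal, but they map directly onto Exchange Online cmdlets. The script below is an added example, not code from the original article or from Microsoft, that inventories a user's devices with their access state, blocks and then unblocks one device for that mailbox, lists every mailbox that has a per-user ActiveSync block, and finally performs the account-only wipe the Wipe section describes (corporate account data only, personal data left alone). The mailbox address and device ID are placeholders to replace with values from your own tenant.

```powershell
# Added example (not from the original article): day-to-day MDM device tasks
# with Exchange Online PowerShell. Mailbox and device ID are placeholders.

Connect-ExchangeOnline   # Exchange Online PowerShell module

$user = "alice@contoso.example"          # placeholder mailbox
$deviceId = "PLACEHOLDER_DEVICE_ID"      # placeholder, take it from step 1

# 1. Inventory the devices that have synced this mailbox, with their current
#    access state (Allowed / Blocked / Quarantined / DeviceDiscovery) and the
#    reason Exchange reports for that state (policy, rule, or per-user list).
Get-MobileDevice -Mailbox $user |
    Select-Object FriendlyName, DeviceType, DeviceOS, DeviceId,
                  DeviceAccessState, DeviceAccessStateReason

# 2. Block one device from ActiveSync for this mailbox only. Append to the
#    existing per-user block list instead of overwriting it.
$cas = Get-CASMailbox -Identity $user
$blocked = @($cas.ActiveSyncBlockedDeviceIDs) + $deviceId | Select-Object -Unique
Set-CASMailbox -Identity $user -ActiveSyncBlockedDeviceIDs $blocked

# 3. "Check the list of blocked devices": every mailbox that currently has a
#    per-user ActiveSync block, and which device IDs are on it.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncBlockedDeviceIDs.Count -gt 0 } |
    Select-Object Identity, ActiveSyncBlockedDeviceIDs

# 4. Unblock the same device. Re-read the mailbox first so the list is
#    current, then remove only this ID so other blocks stay in place.
$cas = Get-CASMailbox -Identity $user
$remaining = @($cas.ActiveSyncBlockedDeviceIDs) | Where-Object { $_ -ne $deviceId }
Set-CASMailbox -Identity $user -ActiveSyncBlockedDeviceIDs $remaining

# 5. Wipe only the Office 365 account data from a lost device, leaving the
#    user's personal data in place. Without -AccountOnly, Clear-MobileDevice
#    issues a full device wipe. The request is queued and applied the next
#    time the device syncs, so the timestamps below show its progress.
$device = Get-MobileDevice -Mailbox $user |
    Where-Object { $_.DeviceId -eq $deviceId } | Select-Object -First 1
if ($device) {
    Clear-MobileDevice -Identity $device.Identity -AccountOnly -Confirm:$false
    Get-MobileDeviceStatistics -Identity $device.Identity |
        Select-Object DeviceFriendlyName, LastSyncAttemptTime,
                      DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
} else {
    Write-Warning "No device with ID $deviceId is associated with $user"
}
```

Step 1 is worth running before any block or wipe: DeviceAccessStateReason tells you whether a device is already blocked by an organization-wide rule or by policy, in which case a per-user block in step 2 adds nothing, and a wipe issued against a device that never syncs again (the DeviceWipeAckTime stays empty) is a signal to fall back on Azure AD credential revocation rather than waiting for the device.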
Office 365 is all about productivity, and MDM helps organizations improve productivity by allowing employees to work on mobile devices outside the organization while protecting company data. MDM policies can also prevent copy and paste from managed applications into personal applications. Moreover, device policies let organizations apply different levels of control to different groups of users. For example, using MDM you can apply tighter controls to members of the finance team than to members of the sales team.
This simplified administrative process offered by MDM is a great change in Office 365 in terms of productivity and security. I believe that Microsoft will add more MDM-compatible apps beyond the Office apps in later releases.