If you would like to read the other parts in this article series please go to:
- Mobile Device Management in Exchange Online (Part 1)
- Mobile Device Management in Exchange Online (Part 3)
3: Configure Security Policies
Before we start enrolling users’ devices, we need to create one or more Security Policies to enforce users to enroll their devices so we can manage them and protect our organizational data. For example, to help prevent data loss if a user loses their device, we can create a policy to lock devices after 5 minutes of inactivity and have devices wiped after 3 sign-in failures.
Please note that the policies and access rules we create in MDM override the Exchange ActiveSync mobile device mailbox policies and device access rules created in the Exchange Admin Center. After a device is enrolled in MDM, any Exchange ActiveSync mobile device mailbox policy or device access rule applied to the device is simply ignored.
If we create a policy to block access based on certain settings being enabled or not, users will be blocked from accessing Office 365 resources when using a supported app. The settings that can block users from accessing Office 365 resources are in the following categories:
- Security;
- Encryption;
- Jail broken;
- Managed email profile.
Let us say that my device is not compliant because it does not have a password. The following diagram shows what happens when my device is not compliant with a security setting in a mobile device management policy that applies to it. I can sign in to an app that supports access control with MDM (such as the email app) but I am blocked from accessing Office 365 in the app until my device complies with the security setting:
Figure 1
Before creating our first security policy, let us have a quick look at the settings we can use to help us secure and manage mobile devices.
Security settings
| Setting name | Windows Phone 8.1 | iOS 7.1+ | Android 4+ |
| Require a password | ✔ | ✔ | ✔ |
| Prevent simple password | ✔ | ✔ | ✖ |
| Require an alphanumeric password | ✔ | ✔ | ✖ |
| Minimum password length | ✔ | ✔ | ✔ |
| Number of sign-in failures before device is wiped | ✔ | ✔ | ✔ |
| Minutes of inactivity before device is locked | ✔ | ✔ | ✔ |
| Password expiration (days) | ✔ | ✔ | ✔ |
| Remember password history and prevent reuse | ✔ | ✔ | ✔ |
Encryption settings
| Setting name | Windows Phone 8.1 | iOS 7.1+ | Android 4+ |
| Require data encryption on devices | Windows Phone 8.1 is already encrypted and cannot be unencrypted | ✖ | ✔ |
Jail broken setting
| Setting name | Windows Phone 8.1 | iOS 7.1+ | Android 4+ |
| Device cannot be jail broken or rooted | ✖ | ✔ | ✔ |
Managed email profile option
This option can block users from accessing their Office 365 email if they are using a manually created email profile. Users on iOS devices must delete their manually created email profile before they can access their email. After they delete the profile, a new profile will be automatically created on the device.
| Setting name | Windows Phone 8.1 | iOS 7.1+ | Android 4+ |
| Email profile is managed | ✖ | ✔ | ✖ |
Cloud settings
| Setting name | Windows Phone 8.1 | iOS 7.1+ | Android 4+ |
| Require encrypted backup | ✖ | ✔ | ✖ |
| Block cloud backup | ✖ | ✔ | ✖ |
| Block document synchronization | ✖ | ✔ | ✖ |
| Block photo synchronization | ✖ | ✔ | ✖ |
System settings
| Setting name | Windows Phone 8.1 | iOS 7.1+ | Android 4+ |
| Block screen capture | ✔ | ✔ | ✔ (Samsung Knox only) |
| Block sending diagnostic data from device | ✔ | ✔ | ✖ |
Application settings
| Setting name | Windows Phone 8.1 | iOS 7.1+ | Android 4+ |
| Block video conferences on device | ✖ | ✔ | ✖ |
| Block access to application store | ✔ | ✔ | ✖ |
| Require password when accessing application store | ✖ | ✔ | ✖ |
Device capabilities settings
| Setting name | Windows Phone 8.1 | iOS 7.1+ | Android 4+ |
| Block connection with removable storage | ✔ | ✖ | ✖ |
| Block Bluetooth connection | ✔ | ✖ | ✖ |
Remote wipe
If a device is lost or stolen, we can remove organizational data and help prevent access to Office 365 resources by performing a wipe from Office 365 admin center >Mobile device management. As we will see later in this article series, we can perform a selective wipe to remove only organizational data or a full wipe to delete all information from a device and restore it to its factory settings.
Let us now start creating our new policy. When creating a new policy, we can set it to allow access and report policy violation where a user’s device is not compliant with the policy. This way we can see how many mobile devices would be impacted by the policy without actually blocking them.
- In Office 365, go to Compliance Center -> Device management:
Figure 2
- Select Add +;
- Enter a Name and Description for the new policy, and select Next:
Figure 3
- Select the requirements you want applied to mobile devices in the organization. Notice the last option to allow the device access to Office 365 and report the violation:
Figure 4
- Select any other configurations you want to apply to mobile devices, and select Next:
Figure 5
- Select Apply it to one or more security groups:
Figure 6
- Select Add ;
- Enter a security group name that has members who will test the policy before you deploy it to your organization. The list is empty until we type a security group name, or part of a name, and then click the search icon. Alternatively we can type * and then click the search icon to see a list of all the groups. Select the name, and select Add:
Figure 7
- Select Ok, and then Next.
- Review and confirm the details of the new device policy, and select Finish.
Figure 8
Back in the Mobile device management page, we can see the details of our new security policy including that it is still being created:
Figure 9
Once it is ready to be used, the Status changes to On:
Figure 10
To help further secure our information, we can block Exchange ActiveSync app access to Office 365 email for mobile devices that are not supported by MDM. To do this:
- In the Compliance Center, go to Device management;
- Select Manage organization-wide device access settings:
Figure 11
- Select Block:
Figure 12
- Select Save.
We can also exclude some users from conditional access checks on their mobile devices so they do not have any policies enforced for their supported mobile devices:
- In the Compliance Center, go to Device management;
- Select Manage organization-wide device access settings:
Figure 13
- Select Add to add the security group that contains users we want to be exclude from being blocked access to Office 365. When a user has been added to this list, they will be able to access Office 365 email when using an unsupported device;
- Enter the security group;
- Select the name, and select Add.
Figure 14
- Select Ok and then Save.
Each user that the policy applies to will have the policy pushed to their device the next time they sign in to Office 365 from their mobile device. If users have not had a policy applied to their mobile device before, then after we deploy the policy, they will get a notification on their device that includes the steps to enroll and activate MDM. Until they complete enrollment, access to email, OneDrive and other services will be restricted. After they complete enrollment using the Company Portal app (which we will see in the next article), they will be able to use the services and the policy will be applied to their device.
When we delete a policy or remove a user from a group to which the policy was deployed to, the policy settings, Office 365 email profile and cached emails may be removed from the user’s device:
| What’s removed | Windows Phone 8.1 | iOS 6+ | Android 4+ |
| Managed email profiles* | ✖ | ✔ | ✖ |
| Policy settings | ✔
Except for Block sending diagnostic data from device. |
✔ | ✖ |
*If the policy was deployed with the option require managing email profile selected (as we did above), then the managed email profile and cached emails in that profile will be deleted from the user’s device.
Each user that the removed policy applied to will have the policy removed from their device the next time their mobile device checks in with MDM. If we deploy a new policy that applies to these users’ devices, they will be prompted to re-enroll in MDM.
Conclusion
In this article we created our first security policy. In the next part we will start enrolling mobile devices.
If you would like to read the other parts in this article series please go to:
