Mobile Device Management in Exchange Online (Part 3)

If you would like to read the other parts in this article series please go to:

4: Enroll Users

After we have deployed a mobile device management policy, each licensed Office 365 user in the organization that the device policy applies to will receive an enrollment message the next time they sign into Office 365 from their mobile device. That could be when they try to login to the portal, to an Office app like Word or OneDrive, or create an email profile for example. They must complete the enrollment and activation steps before they can access Office 365 email and documents.

When users enroll their device in Mobile Device Management (MDM) for Office 365, they might be required to set up a password, together with allowing the option for the work organization to wipe the device. A device wipe can be performed, for example, to remove all data from the device if the password is entered incorrectly too many times or if usage terms are broken.

MDM for Office 365 works with most but not all mobile devices. The following are the supported ones at the time of writing this article:

  • iOS 7.1 or later;
  • Android 4 or later;
  • Windows 8.1 (phone or tablet).

iPad

Let us look at the example of a user that tries to configure their OneDrive on an iPad:

Image
Figure 1

When they try to login, the OneDrive app detects the account is an Office 365 account (and therefore it is OneDrive for Business), and takes the user to the Office 365 portal to complete the sign in process:

Image
Figure 2

Once the user types his username, he is asked to enroll the device (because of the policy we created earlier requiring devices to enroll in order to access Office 365 data):

Image
Figure 3

When the user clicks Enroll, he is asked to install the Microsoft Intune Company Portal app:

Image
Figure 4

By clicking on the iTunes store link, the user is taken to the Apple store to download the app:

Image
Figure 5

Once installed, the user opens the Company Portal app, types his credentials and clicks on Sign in:

Image
Figure 6

The app verifies the user credentials and tries to log the user into Intune. Once in, the user is taken through the process of enrolling the device. He clicks on Enroll:

Image
Figure 7

A webpage opens showing the device is being enrolled:

Image
Figure 8

The user is then taken to Settings where he needs to install a new (organization’s) Management Profile:

Image
Figure 9

The warning lets the user know what this management profile will allow administrators (MDM) to do on the device:

Image
Figure 10

The user clicks on Trust:

Image
Figure 11

And once the process is completed, the user clicks on Done:

Image
Figure 12

If the device’s password does not meet the requirements set by the security policy, the user is prompted to create a device passcode:

Image
Figure 13

The user is then taken back to the Company Portal app with a notification stating that the device has been enrolled successfully and that he can shortly access Office 365 data:

Image
Figure 14

By clicking on the device, we can see further details around the model, operating system and when the device was last checked for compliance:

Image
Figure 15

As we saw, the entire process is straightforward, not leaving much room for user error, and pretty much identical to when we enrolled a device in Intune in my last article series.

If we chose to manage iOS email profiles with a security profile (which is required so an admin can wipe a device, for example), the next step is to delete any work or school email accounts. MDM for Office 365 will recreate the email account for the user, and then MDM manages the account and a remote device wipe will work.

Android HTC

Let us now go through the same process but for an Android device. In this example, the user configured an email account when MDM was already being enforced. As such, once the user opens the mailbox, only one email from MDM is visible:

Image
Figure 16

This email explains why only this email is visible and exactly what the user needs to do in order to be able to access Office 365:

Image
Figure 17

When the user clicks on the Enroll your device link, he/she is taken to a webpage to start the enrollment process:

Image
Figure 18

From this webpage, a link guides the user to the Google Play store in order to download the Intune Company Portal app:

Image
Figure 19

Once the app is installed, the user needs to sign in to Office 365 with his/hers credentials:

Image
Figure 20

Step by step the user is guided through the process of enrolling the device:

Image
Figure 21

A detailed list of what MDM can do on the device is displayed that the user has to agree to:

Image
Figure 22

After clicking ACTIVATE a digital certificate needs to be installed for MDM to securely communicate with and manage the device:

Image
Figure 23

The enrollment process is finally complete:

Image
Figure 24

Through the company portal, the user can check the applications made available through the company app store (none in this case):

Image
Figure 25

As well as a list of the devices the user has already enrolled:

Image
Figure 26

Selecting a device will list additional information regarding the device itself:

Image
Figure 27

Now that the device has been enrolled and it is in compliance with the security policy we created, the user is given access to his entire mailbox:

Image
Figure 28

5: Manage Devices

Once we have one or more devices enrolled, they will show up in the MDM page:

Image
Figure 29

From here we can, for example, perform a full wipe or a selective wipe.

Image
Figure 30

If we select selective wipe, the following warning message is displayed:

Image
Figure 31

If we select full wipe instead, the following warning message is displayed:

Image
Figure 32

If we want to block unsupported devices from accessing Exchange email using Exchange ActiveSync we go to the Compliance Center, select Device management and then click on Manage organization-wide device access settings:

Image
Figure 33

In order to unblock noncompliant or unsupported device for a user or group of users, we have several options:

  • Remove the user or users from the security group the policy has been applied to (Office 365 admin center > Groups, and then select group name. Click Edit members);
  • Remove the security group the users are a member of from the device policy (Compliance Center > Device management, and then select the device policy name. Click Edit > Deployment);
  • Unblock all noncompliant devices for a device policy. Go to Compliance Center > Device management, and then select device policy name. Click Edit > Access requirements. Select Allow access and report violation).

We can also generate a report to see how many devices are and are not compliant. To do so, go to Office 365 admin center, click on Mobile Devices and then See device compliance report:

Image
Figure 34

We can filter the above report by operating system or by status:

Image
Figure 35

Conclusion

The built-in Mobile Device Management solution in Office 365 is a great addition to the Office 365 family as not every organization requires all the features that Intune provides, has the in-house expertise to deploy and manage it, or is able to justify its cost. MDM for Office 365 It is a “simplified version” of Intune that helps organizations secure and manage their mobile devices. We can create MDM policies with settings that can help control access to the organization’s Office 365 email and documents for supported mobile devices and apps. If a device ever gets lost or stolen, we can remotely wipe the device to remove sensitive organizational information.

If you would like to read the other parts in this article series please go to:

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top