Default MDM in Office 365 for the beginners


To begin with, there are two device management tools available out of the box in Office 365: ‘ActiveSync Mobile Device Mailbox Policies’ and ‘Mobile Device Management for Office 365’. You can use either of them for device management without buying anything extra. You can also subscribe to Microsoft Intune, a full EMM solution available at a premium, but let's keep this conversation focused on ActiveSync and Office 365 MDM only. We'

Exchange ActiveSync is the technology that lets mobile phone users access their email, calendar, contacts and tasks, and keep working with that information while they are offline. ActiveSync policies apply only to Exchange-based services and are designed to protect Exchange Online (EXO) content on the mobile device. They give no control over other Office 365 content such as OneDrive for Business data, Skype for Business, or the Office mobile apps that bring Word, Excel, OneNote and PowerPoint to the small screen. This is where Office 365 MDM comes into the picture: those additional apps are covered by Office 365 MDM.

What is MDM for Office 365

MDM for Office 365 is a ‘simplified’ version of Microsoft Intune that helps organisations secure and manage the mobile devices used by licensed Office 365 users. MDM policies can be created with settings that control access to the organisation’s Office 365 email and documents from supported mobile devices and applications. If a device is ever lost or stolen it can be wiped remotely, removing corporate and organisational information from it.

There are two flavours of remote wipe. The first is Remote Wipe (full remote wipe), which resets the device to factory defaults and removes ALL information from it, including the user’s contacts, pictures and so on. The second is Selective Wipe (only available with Office 365 MDM / Intune), which removes just the corporate information and keeps the user’s personal data intact.

Why Office 365 MDM over ActiveSync policies?
  • Block non-compliant devices
  • Block jailbroken or rooted (illegally unlocked) phones
  • Device compliance reports

If you are ready to start piloting O365 MDM for a few users, there will be a few prerequisites:

  DNS records:
DNS records should be configured for MDM first. You must create two CNAME records in your public DNS zone to get started. These are the records Microsoft documents for MDM for Office 365 device enrollment:
Host Name                                Points to
enterpriseenrollment.<your domain>       enterpriseenrollment.manage.microsoft.com
enterpriseregistration.<your domain>     enterpriseregistration.windows.net

  Security policy:
Every managed mobile device must be covered by a device security policy, which defines the rules the device has to comply with. You could start with a simple policy that mimics your current ActiveSync policy, or choose something stricter. For example, to limit data loss when a user loses a device, create a policy that locks devices after 5 minutes of inactivity and wipes them after 3 sign-in failures. These policies can be changed at any time as requirements change.

  Security groups:
Every user whose device should be protected by a policy needs to be a member of a discrete security group synchronised to Office 365.
e.g.
  Email:
  Group Name: MDM* (any name)

Ready to pilot?
Once the domain's DNS has been updated and the security group synced to Office 365, device security policies can be attached to the group. See the security policy options in Appendix A.

  • Just like ActiveSync policies, NOT ALL mobile platforms support every device security policy setting equally. See Appendix B for what is covered per mobile OS.
  • The users you add to the MDM security group may lose access to services, and their devices will be forced through the device enrollment process. Access to data is restored once the device is enrolled.
  • Policies and access rules created in MDM for Office 365 override any Exchange ActiveSync mobile device mailbox policies and device access rules for those users. In other words, once a device is enrolled in MDM for Office 365, any Exchange ActiveSync mailbox policy or device access rule applied to that device is ignored.
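The prerequisite checks above, as an added example that is not part of the original post: a PowerShell script that verifies the two CNAME records and confirms that the pilot security group exists as a security group and is synced from on-premises AD. It assumes the verified domain is contoso.com, the group is called MDM-Pilot, and the Microsoft.Graph.Groups module is installed (all three are assumptions); Resolve-DnsName is the Windows DnsClient cmdlet.

```powershell
# Added example, not from the original post. Verifies the two MDM prerequisites
# before pilot users are added to the group. Assumptions: contoso.com is the
# tenant's verified domain, MDM-Pilot is the synced pilot group, and the
# Microsoft.Graph.Groups module is installed (Install-Module Microsoft.Graph.Groups).

$Domain    = 'contoso.com'   # assumption: your verified Office 365 domain
$GroupName = 'MDM-Pilot'     # assumption: the pilot security group name

# 1. The two CNAME records Microsoft documents for MDM for Office 365 enrollment.
$ExpectedCnames = @{
    "enterpriseenrollment.$Domain"   = 'enterpriseenrollment.manage.microsoft.com'
    "enterpriseregistration.$Domain" = 'enterpriseregistration.windows.net'
}

$dnsOk = $true
foreach ($name in $ExpectedCnames.Keys) {
    $expected = $ExpectedCnames[$name]
    try {
        # Ask a public resolver so a stale local cache cannot hide a missing record.
        $record = Resolve-DnsName -Name $name -Type CNAME -Server 8.8.8.8 -ErrorAction Stop |
                  Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        if ($record -and $record.NameHost -eq $expected) {
            Write-Host "OK       $name -> $($record.NameHost)"
        } else {
            Write-Warning "WRONG    $name -> $($record.NameHost) (expected $expected)"
            $dnsOk = $false
        }
    } catch {
        Write-Warning "MISSING  $name (expected CNAME to $expected): $($_.Exception.Message)"
        $dnsOk = $false
    }
}

# 2. The pilot group must exist in Office 365 as a security group and, as the post
#    says, be synchronised from on-premises AD rather than created cloud-only.
Connect-MgGraph -Scopes 'Group.Read.All' | Out-Null
$group = Get-MgGroup -Filter "displayName eq '$GroupName'" `
                     -Property 'id,displayName,securityEnabled,onPremisesSyncEnabled'

$groupOk = $false
if (-not $group) {
    Write-Warning "Group '$GroupName' was not found in the tenant."
} elseif (-not $group.SecurityEnabled) {
    Write-Warning "Group '$GroupName' is not a security group."
} elseif (-not $group.OnPremisesSyncEnabled) {
    Write-Warning "Group '$GroupName' is cloud-only, not synchronised from on-premises AD."
} else {
    $members = @(Get-MgGroupMember -GroupId $group.Id -All)
    Write-Host "OK       group '$GroupName' is synced; $($members.Count) member(s) will be forced to enrol."
    $groupOk = $true
}

if ($dnsOk -and $groupOk) { 'Ready to attach a device security policy to the group.' }
else { 'Fix the warnings above before enrolling pilot users.' }
```

Run it from the machine you use for tenant administration before adding anyone to the group: the member count is a reminder that every account listed will be cut off from mail and documents until its device has enrolled, so keep the pilot group small.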

Appendix A

Device Security Policy Selection:
  Require a password
  Prevent simple passwords
  Require an alphanumeric password
  Password must include at least this many character sets:
  Minimum password length:
  Number of sign-in failures before the device is wiped:
  Lock devices if they are inactive for this many minutes:
  Password expiration:
  Remember password history and prevent reuse
  Store up to how many previous passwords:
  Require data encryption on devices
  Prevent jailbroken or rooted devices from connecting
  Require managing email profile (required for selective wipe on iOS)
  If a device doesn't meet the requirements above, then either:
    Allow access and report violation
    Block access and report violation
  Require encrypted backup
  Block cloud backup
  Block document synchronization
  Block photo synchronization
  Block screen capture
  Block video conferences on device
  Block sending diagnostic data from devices
  Block access to the application store
  Require a password when accessing the application store
  Block connection with removable storage
  Block Bluetooth connection
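The policy from the security policy section (lock after 5 idle minutes, wipe after 3 sign-in failures) and the "if a device doesn't meet the requirements" choice from Appendix A, as an added example that is not part of the original post and is not an MDM cmdlet: a small PowerShell model of how a device security policy is applied to a set of device reports. The policy keys, the Test-DeviceCompliance function and the three device reports are all constructed for illustration; it also shows the per-platform caveat from the post, treating "Block screen capture" as unsupported rather than violated on Android without Samsung Knox.

```powershell
# Added example, not from the original post or from Microsoft. A small model of how
# a device security policy is applied: each device report is checked against the
# policy, violations are collected, and the policy's "if a device doesn't meet the
# requirements" choice decides between allowing (with a report) and blocking.
# The policy keys, Test-DeviceCompliance and the device reports are all constructed
# for illustration; they are not MDM cmdlets or real telemetry.

function Test-DeviceCompliance {
    param(
        [Parameter(Mandatory)] [hashtable] $Policy,
        [Parameter(Mandatory)] [hashtable] $Device
    )
    $violations  = @()
    $unsupported = @()

    if ($Policy.RequirePassword) {
        if (-not $Device.PasswordSet) {
            $violations += 'Require a password'
        } elseif ($Device.PasswordLength -lt $Policy.MinimumPasswordLength) {
            $violations += "Minimum password length ($($Policy.MinimumPasswordLength))"
        }
    }
    # 0 means the device never locks; a timeout longer than the policy's also fails.
    if ($Device.InactivityLockMinutes -eq 0 -or $Device.InactivityLockMinutes -gt $Policy.LockAfterMinutes) {
        $violations += "Lock after $($Policy.LockAfterMinutes) minutes of inactivity"
    }
    if ($Policy.RequireEncryption -and -not $Device.Encrypted) {
        $violations += 'Require data encryption on devices'
    }
    if ($Policy.BlockJailbroken -and $Device.Jailbroken) {
        $violations += 'Prevent jailbroken or rooted devices from connecting'
    }
    # Caveat from the post: not every platform supports every setting. Appendix B
    # lists "Block screen capture" as Samsung Knox only on Android, so on other
    # Android devices the setting is reported as unsupported, not as a violation.
    if ($Policy.BlockScreenCapture) {
        if ($Device.Platform -eq 'Android' -and -not $Device.SamsungKnox) {
            $unsupported += 'Block screen capture (Samsung Knox only on Android)'
        } elseif ($Device.ScreenCaptureAllowed) {
            $violations += 'Block screen capture'
        }
    }

    if ($violations.Count -eq 0) { $action = 'Allow' }
    elseif ($Policy.OnNonCompliance -eq 'Block') { $action = 'Block access and report violation' }
    else { $action = 'Allow access and report violation' }

    [pscustomobject]@{
        Device      = $Device.Name
        Platform    = $Device.Platform
        Action      = $action
        Violations  = $violations
        Unsupported = $unsupported
    }
}

# The policy from the post's example: lock after 5 idle minutes, wipe after 3 failed sign-ins.
# WipeAfterFailures is pushed to the device at enrollment; there is nothing to evaluate for it here.
$PilotPolicy = @{
    RequirePassword       = $true
    MinimumPasswordLength = 6
    LockAfterMinutes      = 5
    WipeAfterFailures     = 3
    RequireEncryption     = $true
    BlockJailbroken       = $true
    BlockScreenCapture    = $true
    OnNonCompliance       = 'Block'    # use 'Report' for "Allow access and report violation"
}

# Constructed device reports (not real telemetry).
$Devices = @(
    @{ Name = 'iPhone-A'; Platform = 'iOS';     PasswordSet = $true;  PasswordLength = 6; InactivityLockMinutes = 2;  Encrypted = $true;  Jailbroken = $false; ScreenCaptureAllowed = $false }
    @{ Name = 'Pixel-B';  Platform = 'Android'; PasswordSet = $true;  PasswordLength = 4; InactivityLockMinutes = 15; Encrypted = $false; Jailbroken = $false; SamsungKnox = $false; ScreenCaptureAllowed = $true }
    @{ Name = 'Galaxy-C'; Platform = 'Android'; PasswordSet = $false; PasswordLength = 0; InactivityLockMinutes = 5;  Encrypted = $true;  Jailbroken = $true;  SamsungKnox = $true;  ScreenCaptureAllowed = $true }
)

$Devices | ForEach-Object { Test-DeviceCompliance -Policy $PilotPolicy -Device $_ } |
    Format-Table Device, Platform, Action,
                 @{ n = 'Violations';  e = { $_.Violations  -join '; ' } },
                 @{ n = 'Unsupported'; e = { $_.Unsupported -join '; ' } } -Wrap
```

With OnNonCompliance set to 'Block', iPhone-A is allowed, Pixel-B is blocked for a short password, a 15-minute lock timeout and no encryption (screen capture is listed as unsupported, not violated), and Galaxy-C is blocked for having no password, being rooted and allowing screen capture. Switching the policy to 'Report' keeps the same violation list but lets both Android devices through, which is the difference between the two Appendix A options and the reason to pilot in report mode first.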

Appendix B

MDM Device Security Options in Office 365

Supported platforms: Windows Phone 8.1+, iOS 7.1+, Android 4+ (support varies per setting, as noted)

Setting Name
  Require a password
  Prevent simple password
  Require an alphanumeric password
  Minimum password length
  Number of sign-in failures before device is wiped
  Minutes of inactivity before device is locked
  Password expiration (days)
  Remember password history and prevent reuse
  Require data encryption on devices (iOS: encrypted by default)
  Device cannot be jailbroken or rooted
  Email profile is managed
  Require encrypted backup
  Block cloud backup
  Block document synchronization
  Block photo synchronization
  Block screen capture (Android: Samsung Knox only)
  Block sending diagnostic data from device
  Block video conferences on device
  Block access to application store
  Require password when accessing application store
  Block connection with removable storage
  Block Bluetooth connection


I welcome you to write your comments here.