To begin with, there are two types of device management tools available in Office 365 – ‘ActiveSync Mobile Device Mailbox Policies’ and ‘Mobile Device Management in Office 365’. You can use either of these two methods for out-of-the-box device management. You can also subscribe to Microsoft Intune, which is a great EMM solution available at a premium. But let's keep this conversation focused on ActiveSync and M365 MDM only. We'
Exchange ActiveSync is the same technology that enables mobile phone users to access their email, calendar, contacts, and tasks, and to continue to access this information while they're working offline. ActiveSync policies work on Exchange-based services and are designed to protect EXO content on the mobile device. They give no control over other Office 365 content such as OneDrive for Business data, Skype for Business, or the Office mobile apps, which bring Word, Excel, OneNote and PowerPoint to the small screen. This is where O365 MDM comes into the picture: these additional apps are covered under O365 MDM.
What is MDM for Office 365
MDM for Office 365 is a ‘simplified’ version of Microsoft Intune that helps organizations secure and manage the mobile devices used by licensed Office 365 users. We can create MDM policies with settings that control access to the organization’s Office 365 email and documents from supported mobile devices and applications. If a device is ever lost or stolen, it can be remotely wiped, which removes any corporate and organizational information from it.
There are two flavours of device remote wipe. The first is Remote Wipe (full remote wipe), which resets the device to factory defaults, thereby removing ALL information from it, including the user’s contacts, pictures, etc. The second is Selective Wipe (only available with O365 MDM / Intune), which lets us remove just the corporate information while keeping the user’s personal data intact.
Why Office 365 MDM over ActiveSync policies?
- Block non-compliant devices
- Block jailbroken or otherwise illegally unlocked phones
- Device Compliance Reports
If you are ready to start piloting O365 MDM for a few users, there will be a few prerequisites:
Prerequisites:
✓ DNS records:
DNS records should be configured for MDM first. You must create two CNAME records in your public DNS zone to get started.
TYPE | Host Name | Points to | TTL
CNAME | enterpriseregistration.company_domain.com | enterpriseregistration.windows.net | 3600
CNAME | enterpriseenrollment.company_domain.com | enterpriseenrollment.manage.microsoft.com | 3600
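To confirm the DNS prerequisite before piloting, the following added example (not from the original post) compares CNAME records an admin has resolved against the two records in the table above. The `contoso.example` domain and the resolved records are constructed sample data.

```python
"""Check that the two CNAME records MDM for Office 365 needs exist and
point at the right targets. Added example, not from the original post;
the resolved records below are constructed so the script runs offline."""

# Expected CNAME targets, exactly as given in the post's DNS table.
EXPECTED_TARGETS = {
    "enterpriseregistration": "enterpriseregistration.windows.net",
    "enterpriseenrollment": "enterpriseenrollment.manage.microsoft.com",
}


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().rstrip(".").lower()


def expected_mdm_cnames(domain: str) -> dict:
    """Return {host_name: target} for the given verified domain."""
    d = normalize(domain)
    return {f"{label}.{d}": target for label, target in EXPECTED_TARGETS.items()}


def check_mdm_cnames(domain: str, resolved: dict) -> list:
    """Compare resolved CNAMEs ({name: target}) with the expected set.

    Returns human-readable findings; an empty list means the
    DNS prerequisite is satisfied for this domain."""
    have = {normalize(k): normalize(v) for k, v in resolved.items()}
    findings = []
    for name, target in expected_mdm_cnames(domain).items():
        if name not in have:
            findings.append(f"missing CNAME {name} -> {target}")
        elif have[name] != target:
            findings.append(f"wrong target for {name}: {have[name]} (expected {target})")
    return findings


# Constructed sample: the registration record is right (case and trailing
# dots differ but are harmless); the enrollment record points at the wrong host.
SAMPLE_RESOLVED = {
    "enterpriseregistration.contoso.example.": "EnterpriseRegistration.windows.net.",
    "enterpriseenrollment.contoso.example": "enterpriseenrollment.microsoft.com",
}

if __name__ == "__main__":
    for finding in check_mdm_cnames("contoso.example", SAMPLE_RESOLVED):
        print(finding)
```

In practice the `resolved` dictionary is filled from the output of `nslookup -type=CNAME` or `dig CNAME` against a public resolver, since the records must be visible outside the corporate network.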
✓ Security policy:
Every managed mobile device must be bound to a device security policy that defines the rules the device has to comply with. You could request a simple device policy that mimics the current ActiveSync policy, or choose something else. For example, we can help prevent data loss if a user loses their device by creating a policy that locks devices after 5 minutes of inactivity and wipes them after 3 sign-in failures. These policies can be changed according to requirements at any time.
✓ Security groups:
Every user whose device should be protected under a policy must be a member of a dedicated security group synchronized to Office 365.
e.g. Email: MDM@domain.com
Group Name: MDM* (any name)
Ready to pilot?
Once the domain's DNS records are updated and the security group is synced to Office 365, device security policies can be attached to the group. See the security policy options in Appendix A.
IMPORTANT:
∙ Just like ActiveSync policies, NOT ALL mobile platforms support all features of device security policies equally. You can find what’s covered per mobile OS here (see also Appendix B).
∙ The users you select as MDM security group members may lose access to services, and their devices will be forced into the device enrollment process. Access to data is restored once a device is enrolled. Explained here.
∙ Policies and access rules created in MDM for Office 365 override any Exchange ActiveSync mobile device mailbox policies and device access rules for those users. This means that after a device is enrolled in MDM for Office 365, any Exchange ActiveSync mobile device mailbox policy or device access rule applied to the device is ignored.
Appendix A
Device Security Policy Selection:
✓ Require a password
✓ Prevent simple passwords
✓ Require an alphanumeric password:
✓ Password must include at least [N] character sets
✓ Minimum password length:
✓ Number of sign-in failures before the device is wiped:
✓ Lock devices if they are inactive for this many minutes:
✓ Password expiration:
✓ Remember password history and prevent reuse:
✓ Store up to how many previous passwords:
✓ Require data encryption on devices:
✓ Prevent jailbroken or rooted devices from connecting
✓ Require managing email profile (required for selective wipe on iOS)
✓ If a device doesn't meet the requirements above, then...
    ✓ Allow access and report violation
    ✓ Block access and report violation
✓ Require encrypted backup
✓ Block cloud backup
✓ Block document synchronization
✓ Block photo synchronization
✓ Block screen capture
✓ Block video conferences on device
✓ Block sending diagnostic data from devices
✓ Block access to the application store
✓ Require a password when accessing the application store
✓ Block connection with removable storage
✓ Block Bluetooth connection
Appendix B
MDM Device Security Options in Office 365
Setting Name | Windows Phone 8.1+ | iOS 7.1+ | Android 4+
Require a password | ✔ | ✔ | ✔
Prevent simple password | ✔ | ✔ | ✖
Require an alphanumeric password | ✔ | ✔ | ✖
Minimum password length | ✔ | ✔ | ✔
Number of sign-in failures before device is wiped | ✔ | ✔ | ✔
Minutes of inactivity before device is locked | ✔ | ✔ | ✔
Password expiration (days) | ✔ | ✔ | ✔
Remember password history and prevent reuse | ✔ | ✔ | ✔
Require data encryption on devices | Encrypted by default | ✖ | ✔
Device cannot be jailbroken or rooted | ✖ | ✔ | ✔
Email profile is managed | ✖ | ✔ | ✖
Require encrypted backup | ✖ | ✔ | ✖
Block cloud backup | ✖ | ✔ | ✖
Block document synchronization | ✖ | ✔ | ✖
Block photo synchronization | ✖ | ✔ | ✖
Block screen capture | ✔ | ✔ | ✔ (Samsung Knox only)
Block sending diagnostic data from device | ✔ | ✔ | ✖
Block video conferences on device | ✖ | ✔ | ✖
Block access to application store | ✔ | ✔ | ✖
Require password when accessing application store | ✖ | ✔ | ✖
Block connection with removable storage | ✔ | ✖ | ✖
Block Bluetooth connection | ✔ | ✖ | ✖
CameraEnabled | ✔ | ✔ | ✔
RegionRatings | ✖ | ✔ | ✖
MoviesRatings | ✖ | ✔ | ✖
TVShowsRating | ✖ | ✔ | ✖
AppsRatings | ✖ | ✔ | ✖
AllowVoiceDialing | ✖ | ✔ | ✖
AllowVoiceAssistant | ✖ | ✔ | ✖
AllowAssistantWhileLocked | ✖ | ✔ | ✖
AllowPassbookWhileLocked | ✖ | ✔ | ✖
MaxPasswordGracePeriod | ✖ | ✔ | ✖
PasswordQuality | ✖ | ✖ | ✔
SystemSecurityTLS | ✖ | ✔ | ✖
WLANEnabled | ✔ | ✖ | ✖
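The "NOT ALL mobile platforms" caveat in the IMPORTANT section and the example policy under "Security policy" (lock after 5 idle minutes, wipe after 3 sign-in failures) can be checked against this matrix mechanically. The following added example (not from the original post) encodes a subset of Appendix B and reports, per platform, which settings of a proposed policy that platform cannot enforce; the support values and the sample policy are transcribed from this page.

```python
"""Gap analysis of a proposed MDM for Office 365 device security policy
against the per-platform support matrix in Appendix B. Added example, not
from the original post; SUPPORT transcribes a subset of Appendix B."""

PLATFORMS = ("Windows Phone 8.1+", "iOS 7.1+", "Android 4+")

# True = the platform enforces the setting, False = it does not (per Appendix B).
# Windows Phone is recorded as True for encryption because it is encrypted by
# default, so the requirement is met even without a setting to enforce it.
SUPPORT = {
    "Require a password":                                (True,  True,  True),
    "Prevent simple password":                           (True,  True,  False),
    "Require an alphanumeric password":                  (True,  True,  False),
    "Minimum password length":                           (True,  True,  True),
    "Number of sign-in failures before device is wiped": (True,  True,  True),
    "Minutes of inactivity before device is locked":     (True,  True,  True),
    "Require data encryption on devices":                (True,  False, True),
    "Device cannot be jailbroken or rooted":             (False, True,  True),
    "Email profile is managed":                          (False, True,  False),
    "Block screen capture":                              (True,  True,  True),  # Android: Knox only
}


def unenforced_settings(policy: dict) -> dict:
    """Map each platform to the settings in `policy` it cannot enforce.

    `policy` maps setting name -> value; False/None/0 means 'not configured'."""
    gaps = {p: [] for p in PLATFORMS}
    for setting, value in policy.items():
        if value in (False, None, 0):
            continue  # setting is switched off, nothing to enforce
        for platform, supported in zip(PLATFORMS, SUPPORT[setting]):
            if not supported:
                gaps[platform].append(setting)
    return gaps


def fully_enforceable_platforms(policy: dict) -> list:
    """Platforms on which every configured setting is actually enforced."""
    return [p for p, g in unenforced_settings(policy).items() if not g]


# The post's example policy plus the two compliance checks it recommends.
SAMPLE_POLICY = {
    "Require a password": True,
    "Minutes of inactivity before device is locked": 5,
    "Number of sign-in failures before device is wiped": 3,
    "Require data encryption on devices": True,
    "Device cannot be jailbroken or rooted": True,
}

if __name__ == "__main__":
    for platform, gaps in unenforced_settings(SAMPLE_POLICY).items():
        print(f"{platform}: {gaps or 'fully enforceable'}")
```

For the sample policy only Android comes out fully enforceable: Windows Phone cannot check for jailbreak/root and iOS has no encryption requirement in this matrix, so a "Block access and report violation" action would not be backed by those checks there.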