Mobile Device Management in Exchange Online (Part 1)

In this article series we will explore the new built-in Mobile Device Management solution in Office 365, with a focus on Exchange Online.

If you would like to read the other parts in this article series please go to:



You may have heard of, or worked with, Intune and Exchange ActiveSync. Intune is constantly evolving and is, without a doubt, a very capable Mobile Device Management (MDM) solution. However, not every organization needs all the features Intune provides, has the in-house expertise to deploy and manage it, or can justify its cost.

To address these concerns, Microsoft has introduced built-in MDM for Office 365. Like Intune, it helps organizations secure and manage their users' mobile devices (iPhones, iPads, Android devices and Windows Phones) by providing the following capabilities:
  • Device management. We can set and manage security policies such as encryption, a device-level PIN lock or jailbreak detection, amongst many others, to help prevent unauthorized users from accessing corporate email and data on a device that is lost or stolen;
  • Conditional Access. We can create security policies for devices that connect to Office 365 so that email and documents can only be accessed from devices that are managed by our company and are compliant. Behind the scenes, this MDM solution relies on Intune and Azure Active Directory to deliver this capability;
  • Selective wipe. We can remove Office 365 data from an employee’s device while leaving their personal data intact.


What can built-in MDM for Office 365 do?

As already mentioned, MDM for Office 365 is a “simplified version” of Intune that helps organizations secure and manage the mobile devices used by licensed Office 365 users. We can create MDM policies with settings that control access to the organization’s Office 365 email and documents from supported mobile devices and apps. If a device is ever lost or stolen, we can remotely wipe it to remove sensitive organizational information.

We can use this MDM solution to secure and manage the following devices:
  • Windows Phone 8.1;
  • iOS 7.1 or later;
  • Android 4 or later;
  • Windows 8.1 and Windows 8.1 RT (access control for these devices is limited to Exchange ActiveSync).
BlackBerry devices are not supported; organizations should use BlackBerry Business Cloud Services (BBCS) from BlackBerry instead.

OK, but what exactly can we do? As we will see throughout this article series (more specifically in the Configure Security Policies topic in the next article), we can use MDM to:
  • Wipe a device;
  • Block unsupported devices from accessing email using Exchange ActiveSync;
  • Configure device policies such as password requirements and security settings;
  • View the list of blocked devices;
  • View which policies have been applied to a device;
  • Unblock noncompliant or unsupported devices for a user or group of users;
  • Generate a detailed report of devices that are not compliant.
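As an added example (not part of the original article), the following Exchange Online PowerShell shows the device data behind "View the list of blocked devices" and "Wipe a device": it lists every Exchange ActiveSync device partnership with its access state and last successful sync, flags anything blocked, quarantined or stale, and queues a remote wipe behind -WhatIf/-Confirm so nothing destructive happens by accident. It assumes the ExchangeOnlineManagement module, a signed-in account allowed to run Get-MobileDevice and Clear-MobileDevice (for example an Exchange administrator), and the placeholder tenant contoso.com. Clear-MobileDevice -AccountOnly is ActiveSync's account-only wipe; it has the same intent as the MDM portal's selective wipe but is a different mechanism.

```powershell
# Added example, not from the original article. Exchange Online PowerShell view of the
# ActiveSync device partnerships that MDM access control acts on.
# Assumes: ExchangeOnlineManagement module installed; the signed-in account can run
# Get-MobileDevice / Clear-MobileDevice (for example an Exchange administrator);
# contoso.com is a placeholder tenant.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

function Get-MobileDeviceReport {
    param(
        # Devices with no successful sync in this many days are flagged as stale.
        [int]$StaleDays = 30
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    # Get-MobileDevice returns every device partnership in the tenant with its current
    # access state; Get-MobileDeviceStatistics adds sync times and pending wipe requests.
    foreach ($device in Get-MobileDevice -ResultSize Unlimited) {
        $stats = Get-MobileDeviceStatistics -Identity $device.Identity
        if ($device.DeviceAccessState -ne 'Allowed') {
            $flag = 'NotAllowed'          # Blocked, Quarantined or DeviceDiscovery
        } elseif (-not $stats.LastSuccessSync -or $stats.LastSuccessSync -lt $cutoff) {
            $flag = 'Stale'
        } else {
            $flag = ''
        }
        [pscustomobject]@{
            User          = $device.UserDisplayName
            DeviceType    = $device.DeviceType
            DeviceOS      = $device.DeviceOS
            DeviceId      = $device.DeviceId
            AccessState   = $device.DeviceAccessState        # Allowed / Blocked / Quarantined
            AccessReason  = $device.DeviceAccessStateReason  # e.g. Global, Individual, DeviceRule, Policy
            LastSync      = $stats.LastSuccessSync
            WipeRequested = $stats.DeviceWipeRequestTime
            Flag          = $flag
            Identity      = $device.Identity                 # needed for Clear-MobileDevice
        }
    }
}

function Invoke-MobileDeviceWipe {
    # ConfirmImpact High: the wipe prompts unless -Confirm:$false is given; -WhatIf only previews.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string]$Identity,   # device Identity from Get-MobileDeviceReport
        [switch]$AccountOnly,                         # wipe only the Exchange account data, not the whole device
        [string[]]$NotificationEmailAddresses         # who is mailed when the device acknowledges the wipe
    )
    if ($PSCmdlet.ShouldProcess($Identity, "Remote wipe (AccountOnly=$AccountOnly)")) {
        $params = @{ Identity = $Identity; Confirm = $false }
        if ($AccountOnly) { $params['AccountOnly'] = $true }
        if ($NotificationEmailAddresses) { $params['NotificationEmailAddresses'] = $NotificationEmailAddresses }
        Clear-MobileDevice @params
        # The wipe is only queued here; it runs the next time the device syncs, so check the
        # Sent/Ack timestamps later to confirm it actually happened.
        Get-MobileDeviceStatistics -Identity $Identity |
            Select-Object DeviceId, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
    }
}

# Usage: show only the devices that need attention, then preview a wipe without doing it.
$report = Get-MobileDeviceReport -StaleDays 30
$report | Where-Object Flag | Format-Table User, DeviceType, DeviceOS, AccessState, AccessReason, LastSync, Flag -AutoSize
# Invoke-MobileDeviceWipe -Identity $report[0].Identity -AccountOnly -WhatIf
```

Run the report first and keep the Identity column: that is the value Clear-MobileDevice needs, and the DeviceAccessStateReason tells you whether a block came from a global rule, an individual setting or a policy before you decide to unblock or wipe.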

Important: users will not be prompted to enroll, and will not be blocked or reported for policy violations, if they use the mobile browser to access Office 365 SharePoint sites, documents in Office Online, or email in Outlook on the web. MDM access control applies only to the supported apps listed below; browser access is outside its scope.

Although this article series focuses on Exchange Online, I mentioned briefly that MDM can also protect documents in Office 365. The supported apps listed in the following table prompt users to enroll in MDM when a new mobile device management policy applies to the user’s device and the device has not previously been enrolled. If a device does not comply with a policy then, depending on how we set the policy up, the user is either blocked from accessing Office 365 resources in these apps, or allowed access while Office 365 reports a policy violation.

Exchange ActiveSync (includes native email and third-party apps, like TouchDown, that use Exchange ActiveSync):
  • Windows Phone 8.1: Exchange ActiveSync, Exchange Mail
  • iOS 7.1+: Exchange ActiveSync, Mail
  • Android 4+: Exchange ActiveSync

Office and OneDrive for Business:
  • Windows Phone 8.1: No supported apps
  • iOS 7.1+: Outlook, OneDrive, Word, Excel, PowerPoint
  • Android 4+ (phones and tablets): Outlook, OneDrive, Word, Excel, PowerPoint; on phones only: Office Mobile
Table 1

The following diagram, taken from TechNet, demonstrates the process that happens behind the scenes when a user with a new device signs in to an app that supports access control with MDM. Until the user enrolls the device, he/she is blocked from accessing Office 365 resources in the app.

 Figure 1

In the next sections of this article series we will be looking at how to:
  1. Activate MDM;
  2. Set up MDM;
  3. Configure Security Policies;
  4. Enroll Users;
  5. Manage Devices.
So let’s get started!


1: Activate MDM

To manage mobile devices in Office 365, we first need to activate the service in the Office 365 admin center:
  1. Sign in to Office 365;
  2. Go to the admin center;
  3. Click on Get started to start the activation process:
 Figure 2

It might take a few minutes for the service to be provisioned. When it completes, we see the new MDM page:
 Figure 3

If you still see the red text shown above, give it a few more minutes, refresh the page and it should disappear.


2: Set up MDM

When the service is ready, complete the required steps to finish setup. You may need to click Manage settings on the Mobile Device Management for Office 365 page:
 Figure 4

Before we can use MDM to manage iOS devices, we need an Apple Push Notification service (APNs) certificate. This certificate lets MDM manage iOS devices and establishes an authenticated, encrypted connection between Apple's push service and the mobile device management authority (our MDM service in this case).
To do this:
  1. In the Set up mobile device management page, click Set up next to Configure an APNs Certificate for iOS devices:
 Figure 5
  2. Select Download your CSR file:
 Figure 6
  3. Save the certificate signing request (CSR) to a location on your computer:
 Figure 7
  4. Select Next;
  5. Select Apple APNS Portal to open the Apple Push Certificates Portal:
 Figure 8
  6. In the Apple Push Certificates Portal, sign in with your company Apple ID to create the APNs certificate. The same Apple ID must be used to renew the certificate in future:
 Figure 9

Note: Use a company Apple ID associated with an email account that will remain with your organization even if the person who manages the account leaves. If access to that Apple ID is lost, the certificate cannot be renewed, and a replacement certificate requires every iOS device to re-enroll.
  7. Once logged in, click Create a Certificate:
 Figure 10
  8. Accept the terms and conditions and click Accept;
  9. Upload the CSR created earlier using the Browse... button and click Upload:
 Figure 11
  10. Download the APNs certificate and save the file locally. This APNs certificate (.pem) file establishes the trust relationship between the Apple Push Notification server and the MDM authority. Note that it is only valid for one year, so it has to be renewed manually every year, before it expires:
 Figure 12
  11. Go back to Office 365 and select Next to get to the Upload APNs certificate page;
  12. Browse to the APNs certificate you downloaded from the Apple Push Certificates Portal:
 Figure 13
  13. Select Finish:
 Figure 14

Once this has been completed successfully you will see a green mark at the top right-hand side of the page:
 Figure 15

Another step we have to complete is to make sure our DNS is correctly configured for MDM. In the admin portal, go to DOMAINS:
 Figure 16

Select the domain you want to configure and click on Domain settings. From here, we need to select the Mobile Device Management for Office 365 service:
 Figure 17

In the list of DNS records we need to create, notice the two new ones for MDM:
 Figure 18
These two CNAME records redirect users who sign in on a mobile device with an email address in a custom domain to the MDM enrollment service:

TYPE    Host Name    Points to    TTL
CNAME                             3600
CNAME                             3600
Table 2

Create these two records in your DNS and then click Okay, I’ve added the records. If they were configured correctly, we get the following message:

 Figure 19
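The two setup steps above (the APNs certificate and the DNS records) are easy to get subtly wrong: the certificate silently expires after a year, and a CNAME that points to the wrong target or only resolves from inside the corporate network will stop enrollment for outside users. The following PowerShell is an added example, not part of the original article or the portal: Get-ApnsCertificateStatus reads the .pem downloaded from the Apple Push Certificates Portal and reports how long it remains valid, and Test-MdmDnsRecord checks that each expected CNAME is published and points where the portal said it should. The domain, record names, targets, resolver address and file path in the usage lines are placeholders; take the real values from the portal's DNS record list (Figure 18) and from your download location.

```powershell
# Added example, not from the original article: post-setup checks for the APNs certificate
# and the MDM CNAME records. Requires Windows PowerShell with the DnsClient module
# (Resolve-DnsName). All names, targets, paths and the resolver below are placeholders.

function Get-ApnsCertificateStatus {
    param(
        [Parameter(Mandatory)] [string]$Path,   # the .pem file saved from the Apple portal
        [int]$WarnDays = 30                     # start warning this many days before expiry
    )
    # X509Certificate2 loads Base64/PEM-encoded certificates as well as DER.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    if ($daysLeft -lt 0)             { $status = 'Expired: renew, or re-enroll iOS devices if a new certificate is issued' }
    elseif ($daysLeft -le $WarnDays) { $status = "Renew within $daysLeft days, using the same Apple ID" }
    else                             { $status = 'OK' }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        Status     = $status
    }
}

function Test-MdmDnsRecord {
    param(
        [Parameter(Mandatory)] [string]$Domain,        # the custom domain selected under DOMAINS
        [Parameter(Mandatory)] [hashtable[]]$Expected, # @{ Host = '...'; Target = '...' } per record, copied from the portal
        [string]$Server                                # optional external resolver, to bypass internal DNS caches
    )
    foreach ($rec in $Expected) {
        $fqdn  = "$($rec.Host).$Domain"
        $query = @{ Name = $fqdn; Type = 'CNAME'; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
        if ($Server) { $query['Server'] = $Server }
        # The answer also carries the target's A/AAAA records; keep only the CNAME for our name.
        $cname  = Resolve-DnsName @query |
                  Where-Object { $_.Type -eq 'CNAME' -and $_.Name -eq $fqdn } |
                  Select-Object -First 1
        $actual = if ($cname) { $cname.NameHost } else { $null }
        if (-not $actual)                                           { $status = 'Missing' }
        elseif ($actual.TrimEnd('.') -ieq $rec.Target.TrimEnd('.')) { $status = 'OK' }
        else                                                        { $status = 'Mismatch' }
        [pscustomobject]@{ Record = $fqdn; Expected = $rec.Target; Actual = $actual; Status = $status }
    }
}

# Usage (placeholder values; substitute the portal's host names/targets and your file path).
Get-ApnsCertificateStatus -Path 'C:\MDM\apns-certificate.pem' | Format-List
Test-MdmDnsRecord -Domain 'contoso.com' -Server '1.1.1.1' -Expected @(
    @{ Host = 'mdm-record-1'; Target = 'mdm-target-1.example.net' },
    @{ Host = 'mdm-record-2'; Target = 'mdm-target-2.example.net' }
) | Format-Table -AutoSize
```

Querying an external resolver with -Server is deliberate: a record that answers correctly from the internal DNS but is missing from the public zone will look fine from your desk and still fail for a user enrolling over a mobile carrier. Scheduling Get-ApnsCertificateStatus to run monthly gives you the renewal reminder the portal does not send.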

Back on the Set up mobile device management page, one of the recommended steps is to Set up multi-factor authentication. This option secures the Office 365 sign-in used for mobile device enrollment by requiring a second form of authentication: after correctly entering their work account password, users must acknowledge a phone call, text message or app notification on their mobile device, and can only enroll the device once this second factor is completed. After a device is enrolled in MDM, users can access Office 365 resources with just their work account.



In the first part of this article series we presented the new built-in MDM solution in Office 365, what it can be used for, and started configuring it. In the next part we will create our first security policy.
