Companies that use Microsoft 365 also get basic mobile device management (MDM) functions, which can be used for Android as well as iOS/iPadOS devices. In many cases, however, companies rely on the features of Microsoft Endpoint Manager/Intune instead.
Basic Mobility and Security enables basic management of smartphones and tablets that connect to Microsoft 365. The services for this are integrated directly into Microsoft 365.
For MDM to work in Microsoft 365 at all, check that the necessary entries exist in the DNS zone of the domain that is used in Microsoft 365. These are two CNAME records: the host "enterpriseregistration" must point to "enterpriseregistration.windows.net", and the host "enterpriseenrollment" must point to "enterpriseenrollment.manage.microsoft.com". If either record is missing or points elsewhere, device enrollment fails even though the rest of the tenant is configured correctly.
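The following PowerShell script is an added example (not part of the original article) that performs this DNS check from an admin workstation. It assumes only that the verified Microsoft 365 domain is passed in as $Domain; the two expected CNAME targets are the ones named above.

```powershell
# Added example: verify the two CNAME records that Basic Mobility and Security
# enrollment expects in the company's public DNS zone.
# $Domain is a placeholder for the verified Microsoft 365 domain, e.g. contoso.com.
param([Parameter(Mandatory)][string]$Domain)

$expected = @{
    "enterpriseenrollment.$Domain"   = "enterpriseenrollment.manage.microsoft.com"
    "enterpriseregistration.$Domain" = "enterpriseregistration.windows.net"
}

$allGood = $true
foreach ($name in $expected.Keys) {
    try {
        # -DnsOnly bypasses the hosts file and the local cache so the public zone is queried.
        $records = Resolve-DnsName -Name $name -Type CNAME -DnsOnly -ErrorAction Stop
    } catch {
        Write-Warning "$name : no CNAME record found ($($_.Exception.Message))"
        $allGood = $false
        continue
    }

    # Resolve-DnsName may return the CNAME plus the records of its target; keep the CNAME itself.
    $cname = $records | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if (-not $cname) {
        # A record exists but it is not a CNAME (e.g. someone created an A record by mistake).
        Write-Warning "$name : record exists but is not a CNAME (type $($records[0].Type))"
        $allGood = $false
        continue
    }

    $target = $cname.NameHost.TrimEnd('.')
    if ($target -ieq $expected[$name]) {
        Write-Host "$name -> $target  OK"
    } else {
        Write-Warning "$name -> $target  (expected $($expected[$name]))"
        $allGood = $false
    }
}

if (-not $allGood) { exit 1 }
```

Run it as `.\Check-M365MdmDns.ps1 -Domain contoso.com` (the file name is arbitrary). A non-zero exit code means at least one record needs to be created or corrected in the public DNS zone before devices can enroll.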
MDM management in Microsoft 365 is cloud-based; no on-premises installation is required. This also applies if Microsoft Endpoint Manager is used in parallel or as an alternative. Management can, however, be extended with Microsoft Endpoint Configuration Manager.
In most cases this is not necessary for smartphones and tablets, but only if Windows computers are also to be connected to the solution. Basic Mobility and Security in Microsoft 365 itself is based on Endpoint Manager technology (without Endpoint Configuration Manager).
Policies are the basis for implementing MDM with Microsoft 365
MDM functions in Microsoft 365 are implemented through policies that users must accept on their devices. When a user connects a mailbox on a smartphone or tablet to Microsoft 365, a message appears stating that an enrollment wizard must be completed before the connection is allowed. This wizard applies the settings that admins have defined in policies to Android, iOS and iPadOS. If users refuse to accept these policies, Microsoft 365 does not allow the connection to the mailbox.
Policies are set up in the Microsoft 365 Admin Center. Microsoft has deliberately kept the setup of Basic Mobility and Security in Microsoft 365 simple. Those who find the features insufficient should take a closer look at the paid options of Microsoft Endpoint Manager/Intune.
Functions of Basic Mobility and Security in Microsoft 365
Basic Mobility and Security in Microsoft 365 primarily supports basic security settings on the devices and enforces them automatically via policies. Even the connection of rooted or jailbroken devices can be blocked via policies. Distributing and configuring apps on the devices, for example OneDrive for Business or Outlook, is however a mobile application management feature of the paid Intune offering, not of Basic Mobility and Security.
In addition to the security settings, Basic Mobility and Security also includes reports and the remote wipe of corporate data on the devices. Both rely on the device being enrolled with Microsoft 365 through the device management policies. If such a policy is assigned to a user or group, Microsoft 365 enforces it on every device that user wants to connect. If the user refuses to apply it on an individual device, that device cannot be connected to Microsoft 365. For supported devices, the following security settings can be specified in MDM for Microsoft 365:
- Require a password
- Prevent simple passwords (not supported on Android devices)
- Require an alphanumeric password (not supported on Android devices)
- Minimum password length
- Number of failed sign-in attempts before the device is wiped
- Minutes of inactivity before the device is locked
- Password expiration (days)
- Track password history and prevent reuse
It is also possible to require encryption of all Microsoft 365 data on the connected devices, provided the device supports encryption. Microsoft lists all supported features, and the settings that apply to each platform, in its documentation.
Preparations for connecting Apple devices to MDM in Microsoft 365
To connect Apple devices to the MDM features of Microsoft 365, an Apple MDM push certificate is required. The control for this can be found under "Devices\Device Registration" via "Register Devices" at "Apple Registration". After the certificate signing request has been prepared there, the certificate is obtained from Apple at "https://identity.apple.com/pushcert" and then uploaded in the Microsoft 365 Admin Center or the Endpoint Manager Admin Center. Note that this certificate is valid for one year and must be renewed with the same Apple ID that created it; if it expires or is replaced by a certificate from a different Apple ID, enrolled Apple devices lose management and have to be enrolled again.
Create, manage and control device policies
The quickest way to reach the device policies is to open https://portal.office.com/adminportal/home#/MifoDevices directly. Microsoft is currently moving the Office 365 pages into Microsoft 365 Defender, so the links keep changing; thanks to internal redirects, however, calling the pages directly still gets you there quickly. This page lists the existing policies, lets you create new policies, and lets you edit existing ones.
A new policy is created with a wizard that covers all necessary settings. The wizard also lets you choose whether the settings are enforced immediately or only saved for now. A saved policy can be enabled later by opening the wizard again for that policy. Setting the option to "Yes" lets you select the users or groups to which the policy is assigned.