Removing Access Control from Mobile Device Management for Office 365


Author: Joel Stevens | Microsoft Support Escalation Engineer

When you activate the Mobile Device Management (MDM) for Office 365 service, you are prompted to create a Device Management Security Policy. The mobile devices of the users you target with this policy are quarantined, and each user is sent an email asking them to enroll using the Intune Company Portal application before the quarantine is lifted. An example is below:

[Image: example enrollment email]

Note: More information on the enrollment process for mobile devices in Office 365 can be found here.

After implementing this in your environment, if you no longer desire to use Office 365 MDM Access Control, here are some things you can do to minimize the impact to your end-users:

– If removing Access Control for only a limited amount of time, you can manually override the quarantine rules by completing the following steps:

  1. Navigate to the Exchange Admin Center at https://outlook.office365.com/ecp.
  2. Click Mobile.
  3. Under the heading “Quarantined Devices”, select the affected device and click Allow. Note that if Access Control provided by Intune is still enforced, the device will be quarantined again in about 4 hours.

– If you want to remove Access Control permanently for some or all users, you can override Access Control via a Security Group. This also lifts the quarantine immediately.

  1. Navigate to the Security and Compliance Center at https://protection.office.com.
  2. Click Device Security Policies.
  3. Click “Manage organization wide device access settings” or navigate directly to https://protection.office.com/Ucc/Device/DeviceTenantPolicy.aspx
  4. Under the heading “Are there any security groups you want to exclude from access control?”, click the plus symbol + and add in the desired users based on Security Groups:

[Image: security groups excluded from access control]

– If you prefer to stop Intune enrollment requests for your entire organization, then you should delete all Device Security policies:

  1. Navigate to the Security and Compliance Center at https://protection.office.com.
  2. Click Device Security Policies.
  3. Delete any existing policies or change the deployment settings to remove Access Control. Note that due to the way devices are granted access to email and other Office 365 resources, it can take up to 8 hours before access is restored after deleting the Security Policy. See the second option above for steps to lift the quarantine sooner.

More Information

See the following article for a description of Office 365 MDM Access Control powered by Microsoft Intune: https://technet.microsoft.com/en-US/library/ms.o365.cc.devicepolicysupporteddevice.aspx.

Please be aware that it is not currently possible to “turn off” Office 365 MDM. If you are switching to a third-party MDM provider, you can follow the steps in this article to remove Access Control and there should not be any further impact. There is no need to contact Microsoft Support unless you plan to use System Center Configuration Manager to manage your mobile devices via Microsoft Intune.

Joel Stevens, Support Escalation Engineer
Microsoft Enterprise Cloud Group
