Use built-in MDM in Microsoft Office 365 to manage your devices
The sixth in a seven-part series on the effectiveness and efficiencies of a feature-rich, cloud-connected Windows 10 environment for small businesses
Previously in Building and growing your business with Windows 10 and the cloud…
In the first blog post of this series, we described how Windows 10 and Microsoft cloud services can provide you with powerful, scalable IT services without the need to configure, deploy, and maintain costly on-premises equipment. Next we established your organization’s online presence, reviewed single sign-on and user authentication, and added users to your domain—all without installing a single on-premises server. Then we set up your email service and had users download Office 365. We added online storage and collaboration services, and looked at how to help secure data and applications on your organization’s devices and in the cloud. In our last post, we upgraded users to Windows 10, and built and deployed provisioning packages to tailor their devices to your organization’s requirements.
We’re now at step 5 of the road map to a comprehensive cloud-based deployment for your small business.
About mobile device management
Security is a top priority for organizations of all sizes. Yet users demand consistent access to the applications and data they need from any location, on any device. This bring-your-own-device (BYOD) trend has introduced significant challenges for IT administrators who want to enable workforce mobility while ensuring that their organization’s resources are protected from unauthorized access.
Mobile device management (MDM) helps you monitor, secure, and manage your users’ mobile devices—including iPhones, iPads, Android devices, and Windows phones—from the cloud. MDM is a separate online service that is available to you as part of your Office 365 subscription.
When you activate and configure MDM for Office 365, you can:
- Enforce MDM enrollment for mobile devices.
- Set access controls for Office 365 email and documents.
- Define password and encryption requirements.
- Enforce a managed email profile (that the user cannot change).
- Apply additional policy settings for mobile devices that cover app usage, capabilities, and allowed device features.
- Lock mobile devices after failed sign-in attempts.
- Remotely wipe mobile devices.
Mobile device management is an essential service for effectively managing BYOD scenarios and safely commissioning and decommissioning permanent and contingent users and their devices in a largely self-service environment.
Set up MDM for Office 365
- Activate MDM in the Office 365 admin center under Mobile Management.
- Configure Apple Push Notification (APN) certificates for iOS devices.
- Set up Multi-Factor Authentication to further secure mobile sign-in with a password, specific device, or biometric input.
- Configure mobile device management policies (for lock and wipe, for example).
- Use the Office 365 admin center Mobile Management section to view device properties, and to block or wipe devices.
- View reports in the Office 365 Compliance Center to see the results of MDM policies and device enrollment.
After you have completed the MDM activation process and configured your MDM device policies, users with devices to which the policies apply receive MDM enrollment messages the next time they sign in to your domain.
Extend MDM with Microsoft Intune
Microsoft Intune, part of the Microsoft Enterprise Mobility Suite (EMS), is an optional subscription that gives you additional MDM capabilities, including support for PCs, tablets, and 2-in-1 devices across a range of platforms. Intune is a separate service, but you can manage Intune subscriptions and licenses from your Office 365 portal.
Intune adds enhanced manageability and data protection for Office mobile apps, helping prevent leakage of company data by restricting actions—such as copy, cut, paste, and save-as—between Intune-managed apps and personal apps. Work data is protected and available in your specified line-of-business apps, but users can access their personal apps without interrupting their work; they don’t need to switch environments or sign in multiple times.
An Intune subscription also includes Microsoft Endpoint Protection, which provides real-time protection against malware threats, keeps malware definitions up to date, and automatically scans users’ devices. You can also request alerts relating to detected security and malware threats, network connectivity issues, and storage space problems.
You can sign up for a trial period of Intune at no cost. To get started:
- Visit the Intune sign-up page.
- Subscribe using your organization’s Office 365 account.
- Add your users to Intune individually or in bulk.
- Create groups to simplify management of multiple users.
- Establish security and device configuration policies.
- Publish apps that you want to make available for users to install from your organization’s Office 365 portal.
Once you are up and running with Intune, you can direct your users to the guides and templates Microsoft offers to help them complete tasks and solve any issues they may have with the service.
Your domain is set up and you have configured users and devices in your online directory service. You set up email for your new online domain, and your users are enjoying single sign-on to their email and Office productivity applications. You’ve added file sharing and collaboration services, users’ devices are up to date, and you have customized Windows 10 to suit your organization’s requirements. Permanent and temporary workers can use their own devices at work, and you can monitor compliance with your mobile device policies.
Our final post will review your serverless IT deployment, and look at the ongoing task of maintaining your organization’s data security with tools that are built into Windows 10 and Office 365.
Visit the following sites to learn more about the Windows 10 and Microsoft Azure–based technologies and services that work together to provide a compelling solution for your cloud-connected devices and services.