Office 365 Mobile Device Management: What Is It, and Why Should You Care - Paul Robichaux

Office 365 Mobile Device Management: What Is It, and Why Should You Care
Paul Robichaux, Summit 7 Systems, [email protected]

Upload: summit-7-systems

Post on 16-Apr-2017


TRANSCRIPT

Page 1: Office 365 Mobile Device Management: What Is It, and Why Should You Care - Paul Robichaux

Office 365 Mobile Device Management: What Is It, and Why Should You Care

Paul Robichaux
Summit 7 Systems, [email protected]

Page 2

Introduction

Page 3

The rise of BYOD

• Mobile devices have become ubiquitous
  – Blame BlackBerry and Steve Jobs

• Work time has expanded
  – “You can work anywhere, anytime” has become “you must”

• Employers are stingy
  – If you can get employees to provide their own devices and data plans…

Page 4

The dark side of BYOD

• Your data, their device
  – Can’t guarantee physical or data integrity
  – Theft, loss, damage are all threats
  – Security policies viewed with suspicion and hostility

• Version, device, and application support
• End-to-end troubleshooting

Page 5

BYOD coping strategies*

• Denial
  – Don’t allow any user-provided devices

• Bargaining
  – Allow user-provided devices subject to terms of use (ToU)

• Acceptance
  – Perhaps better described as “resignation”

*Anger and depression are also options

Page 6

Common MDM tools

• Restrict which devices are allowed to sync
• Restrict which users are allowed to sync
• Restrict what users can sync
• Store all synced content in a separate container

Page 7

The MDM lifecycle

1. Enrollment places a device under management
2. Configuration applies settings / policies
3. Secure enforces settings
4. Manage
5. Monitor

Image courtesy Microsoft; https://technet.microsoft.com/en-us/library/mt143184.aspx

Page 8

Exchange ActiveSync

• EAS is both a transport protocol and an MDM protocol
• Designed years ago, it has many limitations
  – Doesn’t address many capabilities customers ask for: app policies, jailbreak protection, etc.
  – Rate of change is low due to installed base
• But it’s also ubiquitous and cheap
  – Great 80% solution

Page 9

Exchange ActiveSync

Pros
• Cheap
• Widely available
• Fully integrated with Exchange
• Equivalent on-prem/online feature sets

Cons
• Limited feature set
• Not every device supports the full protocol
• No integrity protection
• No containerization
• Only supports Exchange
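As an added example (not from the deck), here is what the first three of the “common MDM tools” listed earlier look like when expressed with the Exchange ActiveSync cmdlets in Exchange Online: which devices may sync, which users may sync, and what a device must satisfy before it syncs. The fourth tool, a separate container, is exactly what EAS cannot do, as the Cons list says. The contoso.com addresses, the policy name and the device ID are placeholders; an existing Exchange Online PowerShell session is assumed.

```powershell
# Added example, not part of the original deck. Assumes Connect-ExchangeOnline
# has already been run; all names, addresses and IDs below are placeholders.

# 1. Restrict which devices are allowed to sync.
#    Unknown devices land in quarantine instead of syncing, an admin is notified,
#    and the user sees a short explanation in the placeholder mailbox message.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'mdm-admins@contoso.com' `
    -UserMailInsert 'Your device is awaiting approval by IT.'

#    A device access rule blocks by an exact characteristic match; this one blocks
#    devices reporting the placeholder DeviceOS string 'Android 4.4.2'.
New-ActiveSyncDeviceAccessRule -QueryString 'Android 4.4.2' `
    -Characteristic DeviceOS -AccessLevel Block

# 2. Restrict which users are allowed to sync.
#    Turn ActiveSync off for one mailbox, and pin another mailbox to a single
#    known device ID (every other device for that user is refused).
Set-CASMailbox -Identity 'contractor@contoso.com' -ActiveSyncEnabled $false
Set-CASMailbox -Identity 'ceo@contoso.com' -ActiveSyncAllowedDeviceIDs 'ApplABCDEF1234567'

# 3. Restrict what users can sync: a mailbox policy that demands a PIN, device
#    encryption, an inactivity lock and a wipe after 10 failed unlock attempts.
#    Devices that cannot report compliance (non-provisionable) are refused.
New-MobileDeviceMailboxPolicy -Name 'Corp-Baseline' `
    -PasswordEnabled $true -MinPasswordLength 6 -AlphanumericPasswordRequired $false `
    -RequireDeviceEncryption $true -MaxPasswordFailedAttempts 10 `
    -MaxInactivityTimeLock '00:05:00' -AllowNonProvisionableDevices $false
Set-CASMailbox -Identity 'staff@contoso.com' -ActiveSyncMailboxPolicy 'Corp-Baseline'

# Check the effect: every partnership that is not currently allowed, with the reason.
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -ne 'Allowed' } |
    Select-Object UserDisplayName, DeviceType, DeviceOS, DeviceAccessState, DeviceAccessStateReason
```

Note what the last query shows and the policy does not: EAS can refuse or quarantine a device and can demand a PIN and encryption, but it has no way to verify the device’s claims (no integrity protection) and no way to keep corporate data apart from personal data on the same device.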

Page 10

MDM Pieces and Parts

Page 11

Surpassing EAS

• Competing MDM solutions have taken significant market share
• Microsoft’s previous effort was SCMDM
• Second attempt was Intune
• O365 MDM is a subset of Intune

Page 12

What is Intune?

• Microsoft says… “Intune is a cloud-based service that lets you manage mobile devices, PCs, and apps so your users can be productive while you protect your company's information.”

Page 13

What is Intune?

• Part of Enterprise Mobility Suite (EMS)
• Can manage PCs and mobile devices
• Offers mobile app management (MAM)
• We won’t talk about it further in this session

Page 14

What is Office 365 MDM?

• Subset of Intune
  – Doesn’t manage PCs
  – Doesn’t integrate with SCCM
  – Managed using O365 admin center

• Cloud-only
• Provides three main functions
  – Conditional access
  – Device management
  – Selective wipe

Page 15

Conditional access

• Blocks access to Office 365 resources unless policy conditions are met
  – Mail through EAS
  – Mail through Outlook
  – OneDrive
  – Documents through Office apps

Page 16

Device management

• Enforces security policies you specify
• Devices that don’t meet policy may not be allowed to connect
• Policies vary between device families
  – E.g. “force encrypted cloud backup” only works on iOS

Page 17

Selective wipe

• EAS wipe erases the entire device
  – Users don’t like this

• O365 MDM wipe allows you to choose:
  – Wipe the whole device, EAS-style
  – Wipe only data that came from O365
  – Wipe the device after multiple wrong password attempts

Page 18

What “selective” means

• The Company Portal app is removed
• Data synced into Outlook is removed
• Data synced into OneDrive for Business is removed
• Policy settings are no longer enforced
• Managed email profiles are removed
• The device is removed from the list of managed devices
• Everything else stays

Page 19

Configuring O365 MDM

Page 20

Setting up O365 MDM

• Remember the lifecycle diagram?
• Turns out there are 2 extra steps

Image courtesy Microsoft; https://technet.microsoft.com/en-us/library/mt143184.aspx

Page 21

Step 0: Audit devices

• Audit your devices!
• Admins are always surprised by the audit results
  – Ancient devices
  – Departed employees

• Best way: use Paul Cunningham’s Get-EASDeviceReport.ps1: http://bit.ly/1zEbJG5
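As an added example (not Paul Cunningham’s script and not part of the deck), here is a minimal audit of the same kind, written against the standard Exchange Online cmdlets. It walks every user mailbox, lists each ActiveSync partnership, and flags the two things the slide says admins are always surprised by: devices that have not synced in a long time, and devices belonging to accounts that are already disabled. An existing Exchange Online PowerShell session is assumed; the 90-day threshold and the output path are assumptions you should adjust.

```powershell
# Added example, not part of the original deck or of Get-EASDeviceReport.ps1.
# Assumes Connect-ExchangeOnline has already been run. The staleness threshold
# and CSV path are assumptions.
param(
    [int]$StaleDays = 90,
    [string]$CsvPath = '.\eas-device-audit.csv'
)

$cutoff = (Get-Date).AddDays(-$StaleDays)
$report = New-Object 'System.Collections.Generic.List[object]'

# Only user mailboxes are interesting here; shared and resource mailboxes rarely sync.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

foreach ($mbx in $mailboxes) {
    # AccountDisabled lives on the Get-User object, not on the mailbox object,
    # so one extra lookup per mailbox tells us whether the owner has left.
    $user  = Get-User -Identity $mbx.Identity
    $stats = Get-MobileDeviceStatistics -Mailbox $mbx.Identity -ErrorAction SilentlyContinue

    foreach ($dev in $stats) {
        $lastSync = $dev.LastSuccessSync
        $report.Add([pscustomobject]@{
            User            = $mbx.UserPrincipalName
            AccountDisabled = $user.AccountDisabled
            DeviceType      = $dev.DeviceType
            DeviceModel     = $dev.DeviceModel
            DeviceOS        = $dev.DeviceOS
            DeviceId        = $dev.DeviceID
            AccessState     = $dev.DeviceAccessState
            LastSuccessSync = $lastSync
            # A partnership that never synced, or last synced before the cutoff, is stale.
            Stale           = (-not $lastSync) -or ($lastSync -lt $cutoff)
        })
    }
}

# Keep the full inventory for the record...
$report | Export-Csv -Path $CsvPath -NoTypeInformation

# ...and show only the partnerships that need a decision: stale devices and
# devices still paired to disabled (departed) accounts.
$report | Where-Object { $_.Stale -or $_.AccountDisabled } |
    Sort-Object AccountDisabled, LastSuccessSync |
    Format-Table User, AccountDisabled, DeviceType, DeviceOS, LastSuccessSync, AccessState -AutoSize
```

Run it before enabling MDM: the partnerships it lists are the ones that will be silently blocked (or should be removed with Remove-MobileDevice) once policies start applying, so deal with them while they are still just a report.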

Page 22

Step 0, part 2: Config tenant

• Before you can enroll devices you must configure the tenant in Office 365
  1. Enable MDM in the Mobile Devices tab
  2. Configure DNS
  3. Configure APNS

Page 23

Enabling feature in tenant

• Go to “Mobile Devices” tab on left nav bar in Office 365 admin portal

• Follow instructions

Page 24

Creating DNS records

• You may already have done this
• Two required CNAME records
  – Enterpriseregistration: used to register/re-register devices
    • Also used by Workplace Join
  – Enterpriseenrollment: used to enroll brand-new devices
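A quick check for the two records, as an added example that is not part of the deck. It resolves both CNAMEs for a domain and compares them with the targets Microsoft’s Office 365 MDM setup instructions list for these records; treat those targets as an assumption and confirm them against the DNS values the admin center shows for your own tenant. Resolve-DnsName comes from the DnsClient module on Windows; contoso.com is a placeholder.

```powershell
# Added example, not part of the original deck. The expected CNAME targets are
# the ones Microsoft's setup instructions list for Office 365 MDM; verify them
# against your tenant's admin center. Requires the DnsClient module (Windows).
function Test-MdmDnsRecords {
    param(
        [Parameter(Mandatory)][string]$Domain,   # e.g. 'contoso.com' (placeholder)
        [string]$DnsServer                       # optional: ask an external resolver
    )

    $expected = @{
        "enterpriseregistration.$Domain" = 'enterpriseregistration.windows.net'
        "enterpriseenrollment.$Domain"   = 'enterpriseenrollment.manage.microsoft.com'
    }

    foreach ($name in $expected.Keys) {
        $query = @{ Name = $name; Type = 'CNAME'; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $query.Server = $DnsServer }

        # Resolve-DnsName may return A records alongside the CNAME; keep only the CNAME.
        $answer = Resolve-DnsName @query | Where-Object { $_.QueryType -eq 'CNAME' }
        $actual = if ($answer) { ([string]$answer[0].NameHost).TrimEnd('.') } else { $null }

        [pscustomobject]@{
            Record   = $name
            Expected = $expected[$name]
            Actual   = $actual
            Ok       = [bool]($actual -and ($actual -ieq $expected[$name]))
        }
    }
}

# Check against an external resolver so a split-horizon internal zone cannot hide a missing public record.
Test-MdmDnsRecords -Domain 'contoso.com' -DnsServer '8.8.8.8' | Format-Table -AutoSize
```

Querying a public resolver matters: enrollment happens from the device over the Internet, so a record that only exists in your internal DNS does not help.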

Page 25

APNS enrollment

• An Apple Push Notification Service certificate is needed if you have iOS devices
• You download a certificate signing request from Office 365, have it signed in Apple’s Push Certificates Portal, then upload the certificate Apple issues back into Office 365

Page 26

The enrollment process

Image courtesy Microsoft; “Windows 8.1 Enterprise Device Management Protocol.pdf”

Page 27

Configuring security policies

• You manage policies through the Compliance Center
  – Show of hands: who’s been to that page?

Page 28

Policies and groups

• You assign policies to security groups
  – So create the groups first

• Single org-wide exclusion group
• Policies apply to users, not devices
  – Joe has two iOS devices and a Lumia 950…
  – This is different from EAS

Page 29

What do policies do?

• Depends on device OS
  – Not every device OS supports every setting
  – E.g. “Block access to application store” works on Windows Phone and iOS, not Android

• Depends on your policy setting
  – You can allow non-compliant devices or not

• See http://summit7systems.com/office-365-mobile-device-management-policies/

Page 30

Policy application

• Devices must download policy
  – No download, no policy
  – Devices that report that they don’t have a policy are blocked

• Up to 6-hour window when you apply a policy to existing users
  – Newly created users get the policy immediately when they’re added to the target group

Page 31

DEMO: MDM security policies

Page 32

Enrolling devices

• Automatic enrollment happens when you add a user to a group that has a policy assigned
• Manual enrollment may require the user to install an app
  – iOS: install Company Portal app
  – Android: install Company Portal app
  – WP8.x: built-in
  – Win10: built-in

Page 33

Setting up O365 MDM

• When you add a user to a group that has a policy assigned, that user’s devices will be enrolled
• User must opt in

Image courtesy of MVP Paul Cunningham since I stupidly forgot to bring an iOS device

Page 34

Auto-enrollment

• After user accepts opt-in prompt, they must download and install Company Portal app for their OS
  – Fairly simple process that still may confuse non-technical users

Page 35

New enrollment experience

• MS is rolling out a “new” end user experience
• Users who are blocked by policy get an email with a link to get the Company Portal app

Page 36

Manage and monitor

• Office 365 admin center shows you enrolled devices and their states
• Compliance Center device compliance reports
• Third-party reporting tools (e.g. Cogmotive)

Page 37

DEMO: MDM management and reporting

Page 38

The big picture

Page 39

What should I use?

• O365 MDM replaces EAS
  – Any existing EAS policy will be overwritten when you enroll the device

• Intune replaces O365 MDM
  – Much broader feature set
  – Aggressive bundle pricing through EMS

• Several third-party solutions
  – Installed base and feature set drive this decision

Page 40

EAS

• EAS is cheap, cheerful, compatible
  – Very wide range of supported devices
  – Basic policy management only
  – You’re probably already using it
  – Don’t expect much future investment
  – The split may be coming…

Page 41

Office 365 MDM

• Included in most SKUs
• Good functionality
• Can easily be expanded to Intune

Page 42

Intune

• Tons of functionality
  – More complex to deploy and manage