Office 365 – Mobile Devices Management is now available

It has been announced some time ago, Microsoft has now delivered a first release of the mobile devices management for Office 365.

You can now define complete access rules for mobile devices to access your Office 365 resources.

This feature is currently being roll out on Office 365 for all Office 365 commercial plans (Business, Enterprise, EDU and government).

If you are interested in cloud mobile devices management, the first thing is to choose between Intune and Office 365 MDM – see for the comparison https://technet.microsoft.com/library/dn957912.aspx

Enable and configure Office 365 MDM

Then, if you want to use the Office 365 MDM, you have to activate the service by going to the Mobile Devices menu from the Office 365 admin portal to activating it; please note it may take some time to complete the activation

Then you will have to complete the configuration by:

configuring the DNS records required – please note the interface may display your tenant has been already correctly configured for the DNS but this is a false positive state because you already have associated Internet domain. DNS entries required

CNAME enterpriseenrollment pointing to enterpriseenrollment.manage.microsoft.com
CNAME entepriseregistration pointing to enterpriseregistration.windows.net

Please note that the last entry may already exists and points to your ADFS end point or your Azure device registration as this entry is used for the Join Workspace feature.

create the APN’s certificate to allow you to manage Apple devices (iPhone / iPad)

Setup MDM Access Rules

Once this has been done, you can also additionally configure multi factor authentication requirements and setup the access rules.

Access rules are managed from the Compliance Center – which has been available since few days now.

NOTE this access rules are overriding the Exchange mobile devices access rule you may have already setup

To setup an access rule, just hit the + sign and follow the wizard

As part of the settings available you can:

request to setup a device password
require device encryption
block jail broker device

Then you have the choice to apply or not the rule after the creation – this may take few minutes to apply on devices

NOTE if you want to apply now the new access rule, you have to select existing security group and you have to search for the DL; the interface does not gather automatically existing DL for performance reasons

View devices list

From the Office 365 admin portal you can get compliance reports for registered devices

NOTE there is currently a defect as the user list returned contains sample Contoso data

From the Office 365 admin portal you can also have a quick look of these devices and perform a wipe operation – either FULL wipe which completely reset the device or a SELECTIVE wipe which removes ONLY your corporate data (OneDrive for Business, Mail…)