Set up Mobile Device Management (MDM) in Office 365

    Posted in Microsoft Office 365 on Nov 06, 2019


    The built-in Mobile Device Management (MDM) for Office 365 helps you secure and manage your users' mobile devices such as iPhones, iPads, Android devices, and Windows phones. You can create and manage device security policies, remotely wipe a device, and view detailed device reports.

    Device management is part of the Security & Compliance Center so you'll need to go there to kick off MDM setup.

    To set up Mobile Device Management for Office 365 you'll need to:

    Activate the Mobile Device Management service

    Set up Mobile Device Management

    1. Configure domains for MDM
    2. Configure MDM devices
    3. Set up multi-factor authentication
    4. Manage device security policies

    Make sure users enroll their devices

    1. Activate the Mobile Device Management service

    Sign in to Office 365 with your global admin account.

    Click this link: Activate Mobile Device Management.

    Go to Device policies and select Manage organization-wide device access settings.

    It can take some time to activate Mobile Device Management for Office 365. When it finishes, you'll receive an email that explains the next steps to take.

    Set up Mobile Device Management

    When the service is ready, complete the following four steps to finish setup.

    Step 1: (Required) Configure domains for MDM

    If you don't have a custom domain associated with Office 365 or if you're not managing Windows devices, you can skip this section. Otherwise, you'll need to add DNS records for the domain at your DNS host. If you've added the records already, as part of setting up your domain with Office 365, you're all set. After you add the records, Office 365 users in your organization who sign in on their Windows device with an email address that uses your custom domain are redirected to enroll in MDM for Office 365.

    Need help setting up the records? Find your domain registrar in the list provided in Create DNS records at any DNS hosting provider for Office 365 and select the registrar name to go to step-by-step help for creating DNS records. Use those instructions to add the following two records:

    Host name                Record type   Address                                      TTL
    EnterpriseEnrollment     CNAME         EnterpriseEnrollment.manage.microsoft.com    3600
    EnterpriseRegistration   CNAME         EnterpriseRegistration.windows.net           3600

    After you add the two records, go back to the Security & Compliance Center and navigate to Device management > Manage settings to complete the next step.
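The EnterpriseEnrollment CNAME decides where Windows devices in your domain are sent to enroll, so a missing record, a record of the wrong type, or a typo in the target means enrollment silently goes nowhere or to the wrong host. The following script is an added example (not from the original article or from Microsoft) that parses a zone-file style record dump and checks both records against the targets in the table above. The domain `contoso.com` and the record lines in `SAMPLE_ZONE` are constructed sample data; `records_from_dig` is an optional live lookup that assumes the `dig` tool is installed and is not used by the sample run.

```python
"""Verify the two CNAME records MDM for Office 365 needs (added example, not
Microsoft's code). Input is a zone-file style record dump; output maps each
required host name to 'ok' or a description of the problem."""
import re
import subprocess
from typing import Dict, List, Tuple

# Targets taken from the article's DNS table (compared case-insensitively).
REQUIRED_CNAMES = {
    "enterpriseenrollment": "enterpriseenrollment.manage.microsoft.com",
    "enterpriseregistration": "enterpriseregistration.windows.net",
}

# Matches lines such as:  EnterpriseEnrollment.contoso.com. 3600 IN CNAME target.
# TTL and the IN class are optional so both zone exports and `dig` output parse.
ZONE_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?(?P<type>[A-Z]+)\s+(?P<data>\S+)$"
)

Record = Tuple[str, str, str]  # (owner name, record type, record data)


def parse_zone(text: str) -> List[Record]:
    """Return (name, type, data) triples, lower-cased and without trailing dots.
    Blank lines and ';' comments are skipped; lines that do not parse are ignored."""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = ZONE_LINE.match(line)
        if not m:
            continue
        records.append((m["name"].rstrip(".").lower(),
                        m["type"].upper(),
                        m["data"].rstrip(".").lower()))
    return records


def check_mdm_records(domain: str, records: List[Record]) -> Dict[str, str]:
    """Check each required host under `domain`; 'ok' or the reason it fails."""
    domain = domain.rstrip(".").lower()
    result: Dict[str, str] = {}
    for host, expected in REQUIRED_CNAMES.items():
        fqdn = f"{host}.{domain}"
        found = [(rtype, data) for name, rtype, data in records if name == fqdn]
        cnames = [data for rtype, data in found if rtype == "CNAME"]
        if not found:
            result[host] = "missing"
        elif not cnames:
            types = ", ".join(sorted({rtype for rtype, _ in found}))
            result[host] = f"wrong record type: {types} (expected CNAME)"
        elif len(cnames) > 1:
            # A name may carry only one CNAME; two means a stale record was left behind.
            result[host] = "multiple CNAME records"
        elif cnames[0] != expected:
            result[host] = f"wrong target: {cnames[0]} (expected {expected})"
        else:
            result[host] = "ok"
    return result


def records_from_dig(domain: str) -> List[Record]:
    """Optional live lookup (assumes `dig` is installed; needs network access)."""
    names = [f"{host}.{domain}" for host in REQUIRED_CNAMES]
    out = subprocess.run(["dig", "+noall", "+answer", *names],
                         capture_output=True, text=True, check=True).stdout
    return parse_zone(out)


# Constructed sample export: the second record was created as an A record by mistake.
SAMPLE_ZONE = """
; constructed sample export for contoso.com (not real data)
EnterpriseEnrollment.contoso.com.    3600 IN CNAME EnterpriseEnrollment.manage.microsoft.com.
EnterpriseRegistration.contoso.com.  3600 IN A     203.0.113.10
"""


def sample_check() -> Dict[str, str]:
    """Run the check over the constructed sample zone."""
    return check_mdm_records("contoso.com", parse_zone(SAMPLE_ZONE))


if __name__ == "__main__":
    for host, status in sample_check().items():
        print(f"{host}.contoso.com: {status}")
```

The check treats anything other than a single CNAME with the exact expected target as a failure, which is the conservative reading of the table: an A record or a second CNAME at the same name is a misconfiguration even if a browser happens to resolve it. Pass the output of `records_from_dig("yourdomain.example")` to `check_mdm_records` to test the records actually published at your DNS host.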

    Step 2: (Required) Configure an APNs Certificate for iOS devices

    To manage iOS devices like iPad and iPhones, you need to create an APNs certificate.

    1. Sign in to Office 365 with your global admin account.
    2. In your browser type: https://protection.office.com.
    3. Select Data loss prevention > Device management.

    Step 3: (Recommended) Set up multi-factor authentication

    If you don't see multi-factor authentication (MFA) under Recommended steps, you can skip this section. If this option is listed, we recommend you turn on MFA in the Azure AD portal to increase the security of the Mobile Device Management for Office 365 enrollment process. It is turned off by default.

    MFA helps secure the sign-in to Office 365 for mobile device enrollment by requiring a second form of authentication. Users are required to acknowledge a phone call, text message, or app notification on their mobile device after correctly entering their work account password. They can only enroll their device after this second form of authentication is completed. After users' devices are enrolled in Mobile Device Management for Office 365, users can access Office 365 resources with just their work account.

    Next to Set up multi-factor authentication, select Set up. To learn how to turn on MFA in the Azure AD portal, see Set up multi-factor authentication.

    After you set up MFA, go back to the Security & Compliance Center and navigate to Device management > Manage settings to complete the next step.

    Step 4: (Recommended) Manage device security policies

    The next step is to create and deploy device security policies to help protect your Office 365 organization's data. For example, you can help prevent data loss if a user loses their device by creating a policy to lock devices after 5 minutes of inactivity and have devices wiped after 3 sign-in failures.

    1. Sign in to Office 365 with your global admin account.
    2. Click this link: Activate Mobile Device Management.
    3. Go to Device policies and select Manage organization-wide device access settings.


    For step by step instructions on how to create a new policy, see Create and deploy device security policies.
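To see what the two example settings above actually mean for a device, here is an added example (not Microsoft's code and not the Security & Compliance Center's own schema) that evaluates a constructed device inventory against a policy of "lock after 5 minutes idle, wipe after 3 failed sign-ins". The `DevicePolicy` and `DeviceReport` fields and the devices in `SAMPLE_DEVICES` are a constructed model; the point it demonstrates is that a device which has the setting disabled or never reported it must count as non-compliant, not as unknown.

```python
"""Evaluate device reports against the article's example policy (added
example; the policy and report fields are a constructed model)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class DevicePolicy:
    max_inactivity_minutes: int = 5   # article's example: lock after 5 minutes idle
    max_failed_sign_ins: int = 3      # article's example: wipe after 3 failed sign-ins
    block_noncompliant: bool = True   # block access rather than only report


@dataclass(frozen=True)
class DeviceReport:
    device_id: str
    user: str
    enrolled: bool
    inactivity_lock_minutes: Optional[int]  # None = lock disabled or not reported
    wipe_after_failures: Optional[int]      # None or 0 = wipe on failures disabled


def violations(policy: DevicePolicy, dev: DeviceReport) -> List[str]:
    """List every way the device falls short of the policy (empty = compliant)."""
    if not dev.enrolled:
        return ["not enrolled"]  # nothing else can be verified on an unenrolled device
    found: List[str] = []
    if dev.inactivity_lock_minutes is None:
        found.append("inactivity lock disabled or not reported")
    elif dev.inactivity_lock_minutes > policy.max_inactivity_minutes:
        found.append(f"locks after {dev.inactivity_lock_minutes} min "
                     f"(policy: {policy.max_inactivity_minutes})")
    if not dev.wipe_after_failures:  # None or 0 both mean the wipe never triggers
        found.append("wipe on failed sign-ins disabled or not reported")
    elif dev.wipe_after_failures > policy.max_failed_sign_ins:
        found.append(f"wipes after {dev.wipe_after_failures} failures "
                     f"(policy: {policy.max_failed_sign_ins})")
    return found


def access_decision(policy: DevicePolicy, dev: DeviceReport) -> str:
    """'allow', 'block', or 'report' (non-compliant but policy is report-only)."""
    if not violations(policy, dev):
        return "allow"
    return "block" if policy.block_noncompliant else "report"


def noncompliant_users(policy: DevicePolicy, devices: List[DeviceReport]) -> List[str]:
    """Users with at least one non-compliant device, for the follow-up list."""
    return sorted({d.user for d in devices if violations(policy, d)})


POLICY = DevicePolicy()

# Constructed sample inventory (not real device data).
SAMPLE_DEVICES = [
    DeviceReport("dev-001", "alice@contoso.com", True, 5, 3),      # compliant
    DeviceReport("dev-002", "bob@contoso.com", True, 15, None),    # two violations
    DeviceReport("dev-003", "carol@contoso.com", False, None, None),  # never enrolled
    DeviceReport("dev-004", "alice@contoso.com", True, 2, 0),      # wipe disabled
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(dev.device_id, access_decision(POLICY, dev), violations(POLICY, dev))
    print("follow up with:", noncompliant_users(POLICY, SAMPLE_DEVICES))
```

Note that dev-004 locks quickly enough but has the wipe threshold set to 0, which some devices report when the feature is off; treating that as "no limit configured" rather than "fewer than 3 attempts" is what keeps the check from passing a device that would never wipe.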

    Make sure users enroll their devices

    After you've created and deployed a mobile device management policy, each licensed Office 365 user in your organization that the device policy applies to will receive an enrollment message the next time they sign into Office 365 from their mobile device. They must complete the enrollment and activation steps before they can access Office 365 email and documents. See Enroll your mobile device for work or school.

    Enroll your mobile device in Office 365

    Using your phone, tablet, and other mobile devices for work is a great way to stay informed and work on business projects while you’re away from the office. Before you can use Office 365 services with your device, you may need to first enroll it in Mobile Device Management for Office 365 (MDM) using Microsoft Intune Company Portal.

    Organizations choose MDM so that employees can use their mobile devices to securely access work email, calendars, and documents while the business secures important data and meets its compliance requirements. See Learn about MDM in Office 365 for more information about what information your organization has access to.

    Set up your mobile device with Intune and MDM for Office 365

    The Intune Company Portal enables a device to be managed by Office 365 and MDM.

    1. iPhone or iPad

    Tip: You won’t be able to send and receive email until you complete this step.

    Go to the Apple App Store, download and install Intune Company Portal.

    Follow these steps to configure and connect your iOS phone or tablet with the Company portal to Office 365.

    2. Android phone or tablet

    Tip: You won’t be able to send and receive email until you complete this step.

    Go to the Google Play store, download and install Intune Company Portal.

    Follow these steps to configure and connect your Android phone or tablet with the Company portal to Office 365.

    3. Windows 8.1 and Windows 10

    Go to the Microsoft Store, download and install Intune Company Portal.

    Follow these steps to configure and connect your Windows phone or PC with the Company portal to Office 365.

    After your device is enrolled in MDM for Office 365, you can start using Office apps on your device to work with email, calendar, contacts, and documents.
