
Office 365 Mobile Device Management (MDM)

The built-in Mobile Device Management (MDM) for Office 365 helps you secure and manage your users' mobile devices, such as iPhones, iPads, Android devices and Windows phones. It lets you create and manage device security policies, view detailed device reports, and remotely wipe data from a device.


To start the MDM setup you need to go to the Security & Compliance Center. Make sure that you do not use a delegated administrator account to manage Mobile Device Management for Office 365.



Steps to set up Mobile Device Management (MDM) for Office 365:

 1. MDM domain configuration

 2. APNs certificate configuration for iOS devices

 3. Multi-factor authentication set up

 4. Device security policies management

 5. User device enrollment

Sign in to Office 365 with your global admin account and activate the Mobile Device Management service.

Click this link: Activate Mobile Device Management.

It takes some time to activate MDM; once it finishes, you'll receive an email listing the further steps to take.

Set up Mobile Device Management

When the service is ready, complete the following steps to finish the setup. Go to the Device management page in the Security & Compliance Center and click Manage settings to reach the settings below.



Step 1: MDM domain configuration (Required)

You can skip this step if you don't have a custom domain associated with Office 365 or if you're not managing Windows devices. Otherwise, you have to add these records for the domain in your DNS host's control panel. If you already added the records when you set up the domain, nothing more is needed for this step.

 

Once the records are in DNS, users in your organization who sign in to Office 365 on their Windows devices with an email address on your custom domain are redirected to enroll in MDM.

 

Add the records given below in DNS (refer to your DNS host's instructions if you're unsure how to add records).

After these two records are added, go to the Security & Compliance Center and navigate to Device management > Manage settings to complete the next step.
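As an added example (not part of the original post), the following Python check can be run over a DNS zone export before finishing Step 1 to confirm that the two CNAME records are present, point at the right targets, and are not blocked by another record at the same name. The expected targets are the ones Microsoft documents for this step and are an assumption here, so confirm them against the Manage settings page in your own tenant.

```python
# Added example, not from the original post: check a DNS zone export for the two
# CNAME records MDM for Office 365 expects on a custom domain (Step 1). The
# expected targets are assumed to be the ones Microsoft documents for this step.
EXPECTED_CNAMES = {
    "enterpriseenrollment": "enterpriseenrollment.manage.microsoft.com",
    "enterpriseregistration": "enterpriseregistration.windows.net",
}

def _norm(name):
    # DNS names are case-insensitive; strip the trailing dot of absolute names
    return name.strip().lower().rstrip(".")

def parse_zone(text):
    # BIND-style lines "name [ttl] [IN] type value" -> (name, type, value)
    records = []
    for line in text.splitlines():
        parts = line.split(";", 1)[0].split()  # drop comments, split fields
        if not parts:
            continue
        name, rest = parts[0], parts[1:]
        if rest and rest[0].isdigit():        # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # optional class
            rest = rest[1:]
        if len(rest) >= 2:
            records.append((_norm(name), rest[0].upper(), _norm(" ".join(rest[1:]))))
    return records

def check_mdm_records(zone_text, domain):
    # Per expected host: "ok", "missing", "wrong-target", or "conflict"
    records, domain, result = parse_zone(zone_text), _norm(domain), {}
    for host, target in EXPECTED_CNAMES.items():
        at_name = [(t, v) for n, t, v in records if n == f"{host}.{domain}"]
        cnames = [v for t, v in at_name if t == "CNAME"]
        if any(t != "CNAME" for t, _ in at_name):
            result[host] = "conflict"   # a CNAME cannot share its name with other records
        elif not cnames:
            result[host] = "missing"
        elif target in cnames:
            result[host] = "ok"
        else:
            result[host] = "wrong-target"
    return result

# Constructed sample export for a fictional tenant domain (not a real zone)
SAMPLE_ZONE = """
EnterpriseEnrollment.contoso.example.   3600 IN CNAME EnterpriseEnrollment.manage.microsoft.com.
EnterpriseRegistration.contoso.example. 3600 IN A     192.0.2.10   ; blocks the needed CNAME
"""
```

Calling `check_mdm_records(SAMPLE_ZONE, "contoso.example")` reports the enrollment record as "ok" and the registration record as "conflict", because the existing A record at that name has to be removed before the CNAME can be added.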

 

Step 2: APNs Certificate Configuration for iOS devices

 

You need to create an APNs certificate to manage iOS devices. Follow the steps given in the Set up link on the Setup mobile device management page:

 1. Go to Device policies and select Configure an APNs Certificate for iOS devices.

 2. On the Apple Push Notification Certificate Settings page, select Next.

 3. Select Download your CSR file and save the certificate signing request (CSR) somewhere on your computer that you'll remember. Select Next.

 4. On the Create an APNs certificate page, select Apple APNS Portal to open the Apple Push Certificates Portal.

 5. Sign in with an Apple ID.

    Note: Use a company Apple ID associated with an email account that will remain with your organization even if the user who manages the account leaves. Save this ID, as you'll need it later for certificate renewal.

 6. Choose Create a Certificate and accept the Terms of Use.

 7. Browse to the CSR file you downloaded from Office 365 and click Upload.

 8. Download the APNs certificate created by the Apple Push Certificates Portal to your computer.

 9. Go back to Office 365 and choose Next to get to the Upload APNS certificate page.

 10. Browse to the APNs certificate and click Finish.

Once the APNs certificate is added, navigate to the Security & Compliance Center and then to Device management > Manage settings to complete the next step.

 

Step 3: Multi-factor authentication (MFA) Set up 

MFA is an extra layer of security that helps secure sign-in to Office 365 for mobile device enrollment.

If MFA is enabled, users must complete a second authentication step through a phone call, text message or app notification received on their mobile device. Only then can they access their Office 365 user accounts.

MFA is turned off by default; whether to enable it depends on your company policies and users. If you don't find MFA under Recommended steps, you can skip this. If you wish to use this feature, as the standard recommendations advise, turn it on through the Azure AD portal to increase security.

For multi-factor authentication, click Set up.

After setting up MFA, navigate back to the Security & Compliance Center and then to Device management > Manage settings to complete the next step.

 

Step 4: (Recommended) Manage device security policies

The security policies in Office 365 help protect your organization's data from unauthorized access and data loss incidents. For example, you can deactivate the account after 3 unsuccessful sign-in attempts, or wipe the data from a device.

To create a data loss prevention policy:

  1. Navigate to the Security & Compliance Center.

  2. Select Data loss prevention.

  3. Click Device management, then select Device actions.

  4. Under Device policies, create device security policies and access rules.

For complete steps and instructions to create a new policy, check Create and deploy device security policies.

Important Note:

Test each new policy with a few users and verify how it behaves before you deploy it across your organization.

Before you implement any policy, check whether the users' devices are compliant with the policies you are about to enroll them in, and take preventive measures for those that are not.



Step 5: User Device Enrollment

 

Every licensed Office 365 user in your organization receives an enrollment message after you create and deploy the MDM policies, and the device policies are applied from their next sign-in to Office 365 from their mobile device.

Every user must complete the enrollment and activation process before they can access Office 365 email, documents and other content.

Important: Not all languages supported in Office 365 are currently supported for the enrollment process on mobile devices, so users may receive the enrollment notification and steps on their mobile devices in another language.

Users with Android or iOS devices need to install the Company Portal app to enroll.



References: Microsoft Office 365 help portal



