Capabilities of built-in Mobile Device Management for Office 365

Mobile Device Management for Office 365 can help you secure and manage mobile devices such as iPhones, iPads, Android devices, and Windows Phones used by licensed Office 365 users in your organization. You can create mobile device management policies whose settings control access to your organization's Office 365 email and documents from supported mobile devices and apps. If a device is lost or stolen, you can remotely wipe it to remove sensitive organizational information.

In this article:

·  Supported devices

·  Access control for Office 365 email and documents

·  Policy settings for mobile devices

·  Remotely wipe a mobile device

Supported devices

You can use MDM for Office 365 to secure and manage the following types of devices.

·  Windows Phone 8.1

·  iOS 7.1 or later versions

·  Android 4 or later versions

·  Windows 8.1*

·  Windows 8.1 RT*

* Access control for Windows 8.1 and Windows 8.1 RT devices is limited to Exchange ActiveSync.

Access control for Office 365 email and documents

The apps listed in the following table prompt users to enroll in MDM for Office 365 when a new mobile device management policy applies to the user's device and the device hasn't been enrolled before. If an enrolled device doesn't comply with a policy, then, depending on how you set the policy up, the user is either blocked from accessing Office 365 resources in these apps, or is allowed access while Office 365 reports the policy violation.

Service / Windows Phone 8.1 / iOS 7.1+ / Android 4+
Exchange (Exchange ActiveSync includes native email and third-party apps, like TouchDown, that use Exchange ActiveSync.) / Exchange ActiveSync: Exchange Mail / Exchange ActiveSync: Mail / Exchange ActiveSync: Email
Office and OneDrive for Business / No supported apps / Outlook, OneDrive, Word, Excel, PowerPoint / On phones and tablets: Outlook, OneDrive, Word, Excel, PowerPoint; on phones only: Office Mobile

Apps supported to control access to Office 365

The following diagram shows what happens when a user with a new device signs in to an app that supports access control with MDM for Office 365. The user is blocked from accessing Office 365 resources in the app until they enroll their device.

Policy settings for mobile devices

If you create a policy that blocks access and turn on certain settings, users are blocked from accessing Office 365 resources when they use a supported app listed in Access control for Office 365 email and documents. The settings that can block users from accessing Office 365 resources are in these sections:

·  Security

·  Encryption

·  Jail broken

·  Managed email profile

For example, the following diagram shows what happens when a user with an enrolled device isn’t compliant with a security setting in a mobile device management policy that applies to their device. The user signs in to an app that supports access control with MDM for Office 365. They are blocked from accessing Office 365 resources in the app until their device complies with the security setting.


The following sections list the policy settings you can use to help secure and manage mobile devices that connect to your organization's Office 365 resources.

Security settings

Setting name / Windows Phone 8.1 / iOS 7.1+ / Android 4+
Require a password / ✔ / ✔ / ✔
Prevent simple password / ✔ / ✔ / ✖
Require an alphanumeric password / ✔ / ✔ / ✖
Minimum password length / ✔ / ✔ / ✔
Number of sign-in failures before device is wiped / ✔ / ✔ / ✔
Minutes of inactivity before device is locked / ✔ / ✔ / ✔
Password expiration (days) / ✔ / ✔ / ✔
Remember password history and prevent reuse / ✔ / ✔ / ✔

Encryption settings

Setting name / Windows Phone 8.1 / iOS 7.1+ / Android 4+
Require data encryption on devices / Windows Phone 8.1 is already encrypted and cannot be unencrypted / ✖ / ✔

Jail broken setting

Setting name / Windows Phone 8.1 / iOS 7.1+ / Android 4+
Device cannot be jail broken or rooted / ✖ / ✔ / ✔

Managed email profile option

The following option can block users from accessing their Office 365 email if they are using a manually created email profile. Users on iOS devices must delete the manually created email profile before they can access their email; after they delete it, a new managed profile is created on the device automatically.

Setting name / Windows Phone 8.1 / iOS 7.1+ / Android 4+
Email profile is managed / ✖ / ✔ / ✖

Cloud settings

Setting name / Windows Phone 8.1 / iOS 7.1+ / Android 4+
Require encrypted backup / ✖ / ✔ / ✖
Block cloud backup / ✖ / ✔ / ✖
Block document synchronization / ✖ / ✔ / ✖
Block photo synchronization / ✖ / ✔ / ✖

System settings

Setting name / Windows Phone 8.1 / iOS 7.1+ / Android 4+
Block screen capture / ✔ / ✔ / ✔ (Samsung Knox only)
Block sending diagnostic data from device / ✔ / ✔ / ✖

Application settings

Setting name / Windows Phone 8.1 / iOS 7.1+ / Android 4+
Block video conferences on device / ✖ / ✔ / ✖
Block access to application store / ✔ / ✔ / ✖
Require password when accessing application store / ✖ / ✔ / ✖

Device capabilities settings

Setting name / Windows Phone 8.1 / iOS 7.1+ / Android 4+
Block connection with removable storage / ✔ / ✖ / ✖
Block Bluetooth connection / ✔ / ✖ / ✖

Additional settings

You can set the following additional policy settings by using PowerShell cmdlets. For more information, see Get-DevicePolicy.

Setting name / Windows Phone 8.1 / iOS 7.1+ / Android 4+
CameraEnabled / ✔ / ✔ / ✔
RegionRatings / ✖ / ✔ / ✖
MoviesRatings / ✖ / ✔ / ✖
TVShowsRating / ✖ / ✔ / ✖
AppsRatings / ✖ / ✔ / ✖
AllowVoiceDialing / ✖ / ✔ / ✖
AllowVoiceAssistant / ✖ / ✔ / ✖
AllowAssistantWhileLocked / ✖ / ✔ / ✖
AllowPassbookWhileLocked / ✖ / ✔ / ✖
MaxPasswordGracePeriod / ✖ / ✔ / ✖
PasswordQuality / ✖ / ✖ / ✔
SystemSecurityTLS / ✖ / ✔ / ✖
WLANEnabled / ✔ / ✖ / ✖

Settings supported by Windows 8.1 and Windows 8.1 RT

You can manage Windows 8.1 devices by enrolling them as mobile devices. After an applicable policy is deployed, users with Windows 8.1 RT devices will be required to enroll in MDM for Office 365 the first time they use the native email app to access their Office 365 email.

The following settings are supported for Windows 8.1 devices that are enrolled as mobile devices. These settings won't block users from accessing Office 365 resources.

Security settings

·  Require an alphanumeric password

·  Minimum password length

·  Number of sign-in failures before device is wiped

·  Minutes of inactivity before device is locked

·  Password expiration (days)

·  Remember password history and prevent reuse

System settings

·  Block sending diagnostic data from device

Additional settings

You can set the following additional policy settings by using PowerShell cmdlets:

·  AllowConvenienceLogon

·  UserAccountControlStatus

·  FirewallStatus

·  AutoUpdateStatus

·  AntiVirusStatus

·  AntiVirusSignatureStatus

·  SmartScreenEnabled

·  WorkFoldersSyncUrl
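Both "Additional settings" lists above (the mobile settings such as CameraEnabled and SystemSecurityTLS, and the Windows 8.1 settings such as AllowConvenienceLogon and SmartScreenEnabled) are exposed only through PowerShell, so a practitioner usually wants a script that audits a policy against an agreed baseline and corrects only what has drifted. The following is an added example, not code from the original article or from Microsoft's documentation. It assumes that Connect-IPPSSession opens a Security & Compliance PowerShell session, that Get-DeviceConfigurationRule returns the rule carrying a policy's settings as properties with the names listed above, and that Set-DeviceConfigurationRule accepts those names as parameters together with -Identity; the policy name, the admin account, and the baseline values are hypothetical.

```powershell
# Added example (not from the original article). Assumed cmdlets:
# Connect-IPPSSession, Get-DeviceConfigurationRule, Set-DeviceConfigurationRule.
# Hypothetical: the admin UPN, the policy name, and the baseline values.
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

# Baseline for the PowerShell-only settings. Platforms are taken from the
# support tables above, so a drift report says where a setting is enforced.
# The Windows 8.1 entries are report-only: the page states those settings
# never block access to Office 365 resources.
$baseline = @(
    @{ Name = 'CameraEnabled';             Value = $false; Platforms = 'Windows Phone 8.1, iOS, Android' },
    @{ Name = 'AllowAssistantWhileLocked'; Value = $false; Platforms = 'iOS' },
    @{ Name = 'AllowPassbookWhileLocked';  Value = $false; Platforms = 'iOS' },
    @{ Name = 'SystemSecurityTLS';         Value = $true;  Platforms = 'iOS' },
    @{ Name = 'WLANEnabled';               Value = $true;  Platforms = 'Windows Phone 8.1' },
    @{ Name = 'AllowConvenienceLogon';     Value = $false; Platforms = 'Windows 8.1 (report only)' },
    @{ Name = 'SmartScreenEnabled';        Value = $true;  Platforms = 'Windows 8.1 (report only)' }
)

# Locate the configuration rule that belongs to the policy (hypothetical name).
# Rule names begin with the policy name, so match on the prefix.
$policyName = 'Contoso Mobile Baseline'
$rule = Get-DeviceConfigurationRule |
    Where-Object { $_.Name -like "$policyName*" } |
    Select-Object -First 1
if (-not $rule) { throw "No device configuration rule found for policy '$policyName'" }

# Audit: list every setting whose current value differs from the baseline.
$drift = foreach ($setting in $baseline) {
    $current = $rule.($setting.Name)
    if ($current -ne $setting.Value) {
        [pscustomobject]@{
            Setting    = $setting.Name
            Current    = $current
            Desired    = $setting.Value
            EnforcedOn = $setting.Platforms
        }
    }
}

if (-not $drift) {
    Write-Host "Policy '$policyName' matches the baseline."
    return
}
$drift | Format-Table -AutoSize

# Remediate: apply only the drifted settings, in a single call, via splatting.
$params = @{ Identity = $rule.Identity }
foreach ($d in $drift) { $params[$d.Setting] = $d.Desired }
Set-DeviceConfigurationRule @params
Write-Host "Updated $($drift.Count) setting(s) on '$($rule.Name)'."
```

Run the audit first without the remediation block to see what would change; because a non-compliant enrolled device is blocked from Office 365 resources until it meets the policy (see Policy settings for mobile devices), tightening a blocking setting in bulk can lock users out until their devices are updated.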

Remotely wipe a mobile device

If a device is lost or stolen, you can remove sensitive organizational data and help prevent access to your organization's Office 365 resources by doing a wipe from the Office 365 admin center under Mobile management. You can do a selective wipe to remove only organizational data, or a full wipe to delete all information from the device and restore it to its factory settings. Go to Office 365 admin center > Mobile Devices, select the device name, and then select Full wipe to delete all information or Selective wipe to delete only organizational information on the device. Because a full wipe also destroys the user's personal data, a selective wipe is the appropriate first choice for a personally owned device that is still in the user's hands.

Syed Sabhi Zaidi (MCT) Microsoft MicrotechX