The Importance of Mobile Device Management & Sneak Peek Into Microsoft MDM

There’s a good chance you already have access to this basic mobile device security solution!

At Candoris, we talk a lot about security. With COVID-19 forcing teams into remote work on a wide range of devices, the security perimeter has changed drastically. If you’re a small business seeking ways to secure your team and your data and already own Microsoft 365 Business Standard (formerly Office 365 Business Premium) licenses, what you might not realize is that you already have access to a basic mobile device management security solution!

When most folks (myself included) think Microsoft mobility, we think of the Intune solution. Intune is Microsoft’s answer to securing endpoints that require mobility. Yet for smaller organizations that may not be ready to take the plunge into full mobility and cloud-managed endpoints but are looking for a solution to secure mobile phones, Microsoft has an answer with its Mobile Device Management (MDM) for Office 365.

MDM fulfills small business security concerns

Mobile Device Management for Office 365 is a very slimmed-down version of the Intune solution, designed for basic protection of company data on mobile devices. While the policy options are extremely basic compared to the full Intune solution, they may be enough for what your small business needs right now.

As mentioned previously, Mobile Device Management for Office 365 is included with the Microsoft 365 Business Standard (formerly Office 365 Business Premium) license. Any user assigned a license can enroll managed devices. You can even require employees to enroll their devices before they are able to gain access to critical services such as email. Once enrolled, the devices fall subject to your organization’s device security policy, where you can control settings such as passcode protection and prevent employees with “rooted” or “jailbroken” devices from potentially bringing unwanted vulnerabilities into your environment. Let’s take a look at an employee attempting to set up the native email app on their phone for the first time.

Sneak peek into installing MDM

Once the employee successfully authenticates to email, they are greeted with the following message letting them know that they will not be able to access email until they enroll their device.

Clicking the ‘Enroll Now’ button takes them to the app store, where they download and install the Intune Company Portal app.

Once logged into the Intune Company Portal, the user is guided through the enrollment process.

The employee is clearly shown what the organization can and cannot do to their personal device.

Once enrollment is complete, the employee’s device is checked for compliance against the organization policy. If the device does not meet the criteria (e.g., it does not have a passcode and a passcode is a requirement for your organization), then the device will prompt the user to correct the compliance issue.

Once compliant, the user can go back to completing the setup of the native mail app. Now that the device is enrolled, it will let the user complete the setup and access their email.

As previously mentioned, the device settings are very basic, but they cover many of the common security settings small business organizations are concerned about.

MDM facilitates easy removal of company data

One of the most important yet often-overlooked aspects of mobile device security is the ability to remove company data from a personal device in the event an employee leaves the company. Most IT folks will point to settings within Exchange ActiveSync for remote device wipe when asked how they would remove company data from a personal device. However, an ActiveSync remote device wipe will completely remove the former employee’s personal data as well as the company data. All text messages, apps, photos, etc. would be removed and the device would be reset to factory settings. While this model works for company-owned devices or lost/stolen devices, it would not be an acceptable solution for separated employees. Instead, enrolling the device in a solution such as Office 365 Mobile Device Management allows the organization to perform a more graceful “selective wipe” that removes only company data from the device, including email.

Determining your ideal solution

If you don’t currently have any mobile device security solution and/or your organization is looking for some of the simple controls mentioned in this article, Office 365 Mobile Device Management may be right for you. Yet if your organization is seeking a solution to publish applications to users, allow users single sign-on to applications, and protect organizational data from being copied or moved outside the published company applications, you should look to a more full-featured solution such as Microsoft Intune.

My team of end-user compute engineers is ready to help you determine the solution that best fits your needs and to assist you with deployment and configuration!

About the author

End-User Compute Architect

Mike assists Candoris customers with strategy and solution implementations related to end-user computing. His experience with productivity solutions such as Microsoft 365, and with device lifecycle management software like System Center Configuration Manager, enables him to help customers overcome the challenges of workforce transformation. Mike’s main areas of expertise are Microsoft technologies, VMware Workspace ONE, and Proofpoint Email Security. He has MCSA and MCSE certifications and holds a Computer Systems Specialist degree from YTI Career Institute.