Thursday, June 25, 2015

Improvement suggestion for Mobile Device Management on Office 365

Microsoft intends Mobile Device Management (MDM) on Office 365 to replace ActiveSync policies and give administrators and users more security options on Office 365. It's a good start. How can Microsoft improve MDM on Office 365? Here are some features Microsoft could consider adding.

1. Apply "Sync Device" on Office 365 admin center
Users can press the sync button in the Comp Portal app to synchronize device information back to Office 365. What about the server side? There is no button on the web page to request a sync from mobile devices. Microsoft should consider adding this function to MDM on Office 365.

2. Apply "Clear device passcode" on Office 365 admin center
Sometimes users forget the passcode on their mobile devices. For enrolled mobile devices, Microsoft should consider adding "Clear device passcode" to the web page so administrators can unlock a device passcode for users. However, a mobile device without a passcode isn't compliant. That state should be temporary: after the passcode is cleared, users have to enter a new passcode immediately to meet the compliance requirement.

3. Apply "Remote Lock Device" on Office 365 admin center
A remote lock feature is provided by iCloud or a Google account. Would Microsoft consider adding this feature to MDM for managed devices? :-)

4. Check applied MDM policies on Office 365 admin center
As mentioned, more than one policy can be applied to a device, even though it's not good practice. I hope Microsoft adds a web page to check which MDM policies are assigned to a mobile device.

I think there is still room for improvement in MDM on Office 365. Please give Microsoft feedback to improve it.

This posting is provided “AS IS” with no warranties, and confers no rights!

Wednesday, June 24, 2015

Mobile Device Management for Office 365 - Part 4

In this part, I'm going to talk about the security policies of Mobile Device Management on Office 365. There aren't many security policy and device restriction options in MDM on Office 365.



Microsoft has listed which security policies and device restrictions can be applied to iOS, Android and Windows Phone.

Supported security policy on mobile devices

Supported mobile device restrictions


As you can see, many security policies and device restrictions can be applied to iOS devices only. These tables help us understand which security settings and restrictions are applied.

Remark: There are some additional settings which are configured via PowerShell on Office 365.


Can we apply 2 or more security policies or device restrictions to a mobile device?
Yes, two or more policies can be applied to one device.

Which settings will be applied to mobile devices?
If there is no conflict, all settings are applied to the mobile devices.

If the same setting is configured with different values, the most restrictive value is applied to the mobile devices.

Example 1:
The first policy is configured with "Minimum password length is 4".


Another policy configures the same setting to 5.


Both policies are applied to the same user group. As a result, users have to enter a 5-digit passcode.

Example 2:
The first policy is configured with "Minimum password length is 4".

Another policy is configured with "Require an alphanumeric password".


Eventually, users are required to enter a new password with 1 special character.
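The most-restrictive rule from the two examples above, modelled as an added example (not code from the original post; the setting names and the merge rules are my assumptions, not the service's own API):

```python
# Added example, not part of the original post: a small model of how MDM on
# Office 365 combines several security policies assigned to one device, as the
# two examples above describe. The setting names and the merge rules are
# assumptions chosen for illustration, not the service's own API.

# For each setting, the rule that keeps the more restrictive of two values:
# minimums take the larger value, "require" flags are ORed, and limits such as
# minutes of inactivity before lock take the smaller value.
MOST_RESTRICTIVE = {
    "min_password_length": max,
    "require_alphanumeric": lambda a, b: a or b,
    "require_encryption": lambda a, b: a or b,
    "block_jailbroken": lambda a, b: a or b,
    "inactivity_lock_minutes": min,
    "failed_attempts_before_wipe": min,
}

def merge_policies(policies):
    """Return the effective settings for a device that has all `policies` applied.

    A setting present in only one policy is applied as-is (no conflict); a
    setting present in several policies is resolved with its MOST_RESTRICTIVE rule.
    """
    effective = {}
    for policy in policies:
        for name, value in policy.items():
            if name not in MOST_RESTRICTIVE:
                raise ValueError(f"unknown setting: {name}")
            if name in effective:
                effective[name] = MOST_RESTRICTIVE[name](effective[name], value)
            else:
                effective[name] = value
    return effective

def passcode_complies(passcode, effective):
    """Check a passcode against the merged policy. Assumption: "alphanumeric"
    means the passcode may not consist of digits only."""
    if len(passcode) < effective.get("min_password_length", 0):
        return False
    if effective.get("require_alphanumeric", False) and passcode.isdigit():
        return False
    return True

# Example 1 from the post: minimum length 4 and 5 on the same user group -> 5 wins.
EXAMPLE_1 = merge_policies([{"min_password_length": 4}, {"min_password_length": 5}])
# Example 2 from the post: minimum length 4 plus "require alphanumeric" -> both apply.
EXAMPLE_2 = merge_policies([{"min_password_length": 4}, {"require_alphanumeric": True}])
```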


If an applied policy is removed on Office 365, what happens on the mobile devices?
If the setting is related to the email profile on the mobile devices, the email profile is deleted automatically from the devices.

If the setting is password related, the device doesn't pop up a request for users to change the password. Users need to set a new passcode manually.

Remark: While the policy is updating, it displays "Turning on" in the console, but it hasn't been applied to the mobile devices yet.


I hope this makes the policies of MDM on Office 365 easy to understand.

Other parts in this series
Mobile Device Management for Office 365 - Part 1
Mobile Device Management for Office 365 - Part 2
Mobile Device Management for Office 365 - Part 3


Monday, June 22, 2015

Mobile Device Management for Office 365 - Part 3

In parts 1 and 2, I enabled the Mobile Device Management feature on Office 365. After that, I created a security policy in the Office 365 admin center to make sure the device is enrolled before connecting to Office 365. In this part, I'm going to walk through mobile device enrollment and connecting to the mail server on Office 365.

Prerequisites
  • 1 mobile device without a PIN code (I selected iOS for testing)
After the MDM policy is enabled for the user, the user cannot connect to the mail server on Office 365 to download email until the device is enrolled. The user gets the following email when they bypass MDM enrollment.


However, the configuration will fail. :-) Please continue reading.

We need to click "Enroll your device" to get the Microsoft Intune agent from the App Store.


Then, launch the "Comp Portal" agent and enter the user name and password to sign in.


On "Device Enrollment" page, click "Enroll".


While the device is being enrolled, you can find the device information on the Mobile Device Management for Office 365 page.


Then, we continue installing the Management Profile on the device by pressing "Install".


After enrollment, the device is required to set a passcode.


I pressed "Later" and then tried to access the email. There is no email because the device is blocked.


The MDM profile forces the user to set a passcode after 60 minutes.


Go to "Comp Portal" and click the device to check compliance.



After a few minutes, I got the following message.


Because I checked "Require managing email profile (required for selective wipe on iOS)", I shouldn't have created an email profile myself. To solve this issue, I need to remove the current Exchange email profile, remove the MDM profile and then re-enroll :-(. Android isn't affected.

If "Require managing email profile (required for selective wipe on iOS)" is checked, we do the following steps.

1. Download "Microsoft Intune Company Portal" from App Store.
2. Enroll the device.
3. Make sure the device is "This is the device you are currently using".



4. Open Mail on the device. The email profile, Office 365 email, is created automatically. A dialog box appears for you to enter the password of this email account.



Remark: If the "Cancel" button is pressed, users can go to "Settings > Mail, Contacts, Calendars > Office 365 email > Accounts" to enter the password.



Now, the mobile device can connect to Office 365 to get emails.

Remark: "Require managing email profile (required for selective wipe on iOS)" applies an email profile to the built-in iOS Mail application. At this moment, it doesn't apply an email profile to Outlook for iOS.

Additional information:
Based on my testing, there is a limitation of Mobile Device Management on Office 365.

1. Administrators cannot control the number of devices enrolled per user.

I'll keep updating the MDM testing on Office 365.

More information:
Enroll your mobile device in Office 365

Other parts in this series
Mobile Device Management for Office 365 - Part 1
Mobile Device Management for Office 365 - Part 2
Mobile Device Management for Office 365 - Part 4


Sunday, June 21, 2015

Mobile Device Management for Office 365 - Part 2

In part 1, Mobile Device Management was enabled on the Office 365 account, the APNs certificate was added to this Office 365 account, and the required CNAME records were added to the domain. In this part, I'm going to configure security policies for Mobile Device Management on Office 365.

With the previous Exchange connection, we used Exchange ActiveSync to connect to the Exchange Servers and sync email to mobile devices. Exchange ActiveSync then applied the security policies to the mobile devices connected to the Exchange Server. A few months ago, Microsoft announced Mobile Device Management for Office 365. It enhances the protection of connections to Office 365. Using Mobile Device Management, we can check whether mobile devices are jailbroken. If so, the device cannot connect to Office 365 to get any email content. This reduces the risk of leaking company data.

1. On Office 365 admin center, log in as Global Administrator.
2. Click "Mobile Devices".
3. On "Mobile Device Management for Office 365" page, click "Manage device security policies and access rules".


4. On "Mobile device management" page, click "+" button.



5. On "New device security policy" page, under "Name", enter "MDM Policy" and then click "Next".



6. On the "What requirements do you want to have on devices" page, you can find some new security settings provided by Office 365.



Remark: In the Exchange ActiveSync mailbox policy, we can configure password-related settings for mobile devices.

Microsoft added the above features to check device encryption and jailbreak status and to control connections to Office 365. These are common MDM features.

Eventually, I configured the following security options for testing on this page.



7. Click "Next".
8. On the "What else do you want to configure" page, there are the following options to control the devices.



9. I leave the default settings and then click "Next".

Remark: Based on the above security policies, Microsoft doesn't define specific policies or restrictions for different platforms.

10. On "Do you want to apply this policy now" page, select "No" and then click "Next".



11. On "Review and confirm the details" page, click "Finish".



Now, we can add an existing group or create a new group for the MDM policy for testing.

In this part, I configured the MDM security policy for mobile devices. In coming parts, I'll post the test results for iOS and Android devices.

Other parts in this series
Mobile Device Management for Office 365 - Part 1
Mobile Device Management for Office 365 - Part 3
Mobile Device Management for Office 365 - Part 4


Friday, June 19, 2015

Mobile Device Management for Office 365 - Part 1

Microsoft provides a built-in Mobile Device Management (MDM) feature for Office 365 commercial subscriptions, including Business, Enterprise, EDU and Government plans, at no additional cost. MDM on Office 365 supports managing the following types of devices:

  • Windows Phone 8.1
  • iOS 7.1 or later versions
  • Android 4 or later versions
  • Windows 8.1
  • Windows 8.1 RT

MDM on Office 365 is powered by Microsoft Intune and Microsoft Azure Active Directory. In coming parts, I'm going to use MDM on Office 365 to enroll an Apple device and an Android device. After that, I'll try applying settings and an email profile to the devices.

In this part, I'm going to enable MDM on Office 365.

1. In the Office 365 admin center, log in as Global Administrator. You can find "Mobile Devices" there.



2. Click "Get started". Then you will see the message "We're setting things up for you. This may take a few hours, so check back again shortly".



3. On "Mobile Device Management for Office 365", click "Manage settings" to configure your environment.



4. On "Set up mobile device management" page, click "Set up" for "Configure domains for MDM".



The page will jump to the "Manage domains" web page.

5. Click "Completed setup" to add the "msoid", "EnterpriseEnrollment" and "EnterpriseRegistration" CNAME records on your DNS server.




How you add them depends on which hosting provider you are using. Please follow the instructions from Office 365 to complete this setting.
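An added pre-flight check for the three CNAME records above, not part of the original post: it parses a constructed zone fragment for a placeholder domain, and the expected CNAME targets are assumptions based on Microsoft's setup instructions at the time, so verify them against your own "Manage domains" page.

```python
# Added example, not part of the original post: pre-flight check that the three
# CNAME records "Completed setup" asks for exist in a zone, parsed from zone-file
# style lines ("owner [TTL] [IN] TYPE RDATA"). The expected targets are assumptions
# taken from Microsoft's setup instructions at the time; verify against your page.
REQUIRED_CNAMES = {
    "msoid": "clientconfig.microsoftonline-p.net.",
    "enterpriseenrollment": "enterpriseenrollment.manage.microsoft.com.",
    "enterpriseregistration": "enterpriseregistration.windows.net.",
}

# Constructed sample zone for a placeholder domain; one of the three records is missing.
SAMPLE_ZONE = """\
$ORIGIN contoso.example.
@                      IN  A      192.0.2.10   ; placeholder web host
msoid                  IN  CNAME  clientconfig.microsoftonline-p.net.
enterpriseenrollment   3600 IN CNAME enterpriseenrollment.manage.microsoft.com.
"""

def parse_zone(zone_text):
    """Map each owner name (lower-cased) to its (type, rdata); comments, blank
    lines and $-directives are skipped, TTL and class are optional."""
    records = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        parts = line.split()
        # Drop an optional numeric TTL and the IN class between owner and type.
        fields = [p for p in parts[1:] if not p.isdigit() and p.upper() != "IN"]
        if len(fields) < 2:
            continue
        rdata = fields[1].lower()
        if not rdata.endswith("."):
            rdata += "."
        records[parts[0].lower()] = (fields[0].upper(), rdata)
    return records

def check_mdm_cnames(zone_text, domain):
    """Return a list of problems; an empty list means all three CNAMEs are correct."""
    records = parse_zone(zone_text)
    problems = []
    for label, target in REQUIRED_CNAMES.items():
        # Accept either a relative owner ("msoid") or the fully qualified form.
        rec = records.get(label) or records.get(f"{label}.{domain.lower()}.")
        if rec is None:
            problems.append(f"missing {label}")
        elif rec[0] != "CNAME":
            problems.append(f"{label} is {rec[0]}, expected CNAME")
        elif rec[1] != target:
            problems.append(f"{label} points to {rec[1]}, expected {target}")
    return problems
```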

6. Back on the "Set up mobile device management" page, click "Set up" for "Configure an APNs Certificate for iOS devices".


An APNs certificate is required to manage Apple devices.

7. On "download certificate signing request" page, click "Download your CSR file" and then save the file to your local disk.



8. Click "Next".
9. On "create an apns certificate" page, click "Apple APNS Portal".



Before creating the APNs certificate, make sure you have an Apple ID for the company. Don't use a user's personal Apple ID for APNs certificate registration.

10. Log in with your company's Apple ID to create an APNs certificate.



11. On "upload apns certificate" page, upload the APNs certificate.



12. Click "Finish".

In this part, I enabled Mobile Device Management (MDM) feature on Office 365.



In next part, I'm going to configure the settings of MDM on Office 365.

Other parts in this series
Mobile Device Management for Office 365 - Part 2
Mobile Device Management for Office 365 - Part 3
Mobile Device Management for Office 365 - Part 4

More information
Capabilities of built-in Mobile Device Management for Office 365


Add a user to a custom user group on AirWatch Portal.

There is no option under custom user group to add a user into the group on AirWatch Portal.




How do we add a user into the custom user group?
Check the user account and then click "Accounts > List View > Management > Add to user group" to add a user to a custom user group.


Then, select the custom group you want to add the user to.


As a result, the user is added to the custom user group on AirWatch Portal.

