Monday, June 22, 2015

Mobile Device Management for Office 365 - Part 3

In parts 1 and 2, I enabled the Mobile Device Management feature on Office 365. After that, I created a security policy in the Office 365 admin center to make sure a device is enrolled before it connects to Office 365. In this part, I walk through enrolling a mobile device and connecting it to the mail server on Office 365.

  • 1 mobile device without a PIN code (I selected iOS for testing)
After the MDM policy is enabled for the user, the user cannot connect to the mail server on Office 365 to download email until the device is enrolled. The user gets the following email when they try to connect without completing MDM enrollment.

However, the configuration will fail. :-) Please continue reading.

We need to tap "Enroll your device" to get the Microsoft Intune agent from the App Store.

Then launch the "Comp Portal" agent and enter the user name and password to sign in.

On the "Device Enrollment" page, tap "Enroll".

Once the device is enrolled, you can find its information on the Mobile Device Management for Office 365 page.

Then we continue by installing the Management Profile on the device, pressing "Install".

After enrollment, the device is required to set a passcode.

I pressed "Later" and then tried to access email. There is no email because the device is blocked.

The MDM profile forces the user to set a passcode within 60 minutes.

Go to "Comp Portal" and then tap the device to check compliance.

After a few minutes, I got the following message.

Because I checked "Require managing email profile (required for selective wipe on iOS)", I shouldn't have created an email profile myself. To fix this, I need to remove the existing Exchange email profile and the MDM profile and then re-enroll :-(. Android isn't affected by this.

If "Require managing email profile (required for selective wipe on iOS)" is checked, the steps are as follows.

1. Download "Microsoft Intune Company Portal" from the App Store.
2. Enroll the device.
3. Make sure the device is marked "This is the device you are currently using".

4. Tap Mail on the device. The email profile, "Office 365 email", is created automatically. A dialog box appears asking you to enter the password of this email account.

Remark: If "Cancel" is pressed, users can go to "Settings > Mail, Contacts, Calendars > Office 365 email > Accounts" to enter the password.

Now, the mobile device can connect to Office 365 to get emails.

Remark: "Require managing email profile (required for selective wipe on iOS)" pushes an email profile to the built-in iOS Mail app. At this time, it does not push an email profile to Outlook for iOS.
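The blocked state above is only visible on the device itself. As an added example (not from the original post), the following Exchange Online PowerShell lists a user's mobile devices with their access state and the reason, so an administrator can confirm from the server side whether a device is still blocked pending enrollment or a passcode. It assumes the ExchangeOnlineManagement module is installed and the account running it has Exchange admin rights; the tenant and mailbox names are hypothetical.

```powershell
# Added example, not part of the original post.
# Assumes: ExchangeOnlineManagement module installed, Exchange admin rights.
# The admin and user UPNs below are hypothetical placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

function Get-BlockedMobileDevices {
    param(
        [Parameter(Mandatory)] [string] $Mailbox
    )
    # DeviceAccessState is Allowed, Blocked, Quarantined or DeviceDiscovery;
    # DeviceAccessStateReason records which rule/policy produced that state.
    $Devices = Get-MobileDeviceStatistics -Mailbox $Mailbox

    $Devices |
        Select-Object DeviceFriendlyName, DeviceType, DeviceOS, DeviceId,
                      DeviceAccessState, DeviceAccessStateReason, LastSuccessSync |
        Format-Table -AutoSize

    # Return only the devices that are not currently allowed to sync,
    # so the help desk knows which ones still need enrollment or a passcode.
    $Devices | Where-Object { $_.DeviceAccessState -ne 'Allowed' }
}

$Blocked = Get-BlockedMobileDevices -Mailbox 'user1@contoso.onmicrosoft.com'

foreach ($d in $Blocked) {
    Write-Warning ("{0} ({1}) is {2}: {3}" -f $d.DeviceFriendlyName, $d.DeviceOS,
                   $d.DeviceAccessState, $d.DeviceAccessStateReason)
}

Disconnect-ExchangeOnline -Confirm:$false
```

A device that has never completed a sync because it was blocked will show an empty LastSuccessSync; once the Company Portal enrollment and passcode are done, re-run the function and the state should move to Allowed.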

Additional information:
Based on my testing, there is a limitation of Mobile Device Management on Office 365.

1. An administrator cannot control the number of devices enrolled per user.

I'll keep updating my MDM testing of Office 365.

More information:
Enroll your mobile device in Office 365

Other parts in this series
Mobile Device Management for Office 365 - Part 1
Mobile Device Management for Office 365 - Part 2
Mobile Device Management for Office 365 - Part 4

This posting is provided “AS IS” with no warranties, and confers no rights!


  1. An admin can control the max number of devices per user in Azure AD for the domain. It appears the default is 20, but it can be lowered. Options are 5, 10, 20, 50, 100, Unlimited.

    1. Log on to the Azure Portal as Administrator.
    2. On the left pane, select Active Directory.
    3. On the Directory tab, select your directory.
    4. Select the Configure tab.
    5. Scroll to the section called Devices.
    6. Select the maximum number of devices you want to authorize per user.
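The portal steps in the comment above can also be done from PowerShell, which is easier to audit and repeat. The following is an added example (not from the original post or the comment) using the MSOnline module, which exposes the same Azure AD device registration policy; the module has since been deprecated in favour of Microsoft Graph, but the cmdlets shown are the ones that manage this setting. It assumes the MSOnline module is installed and you sign in as a global administrator; the user UPN is hypothetical.

```powershell
# Added example, not part of the original post or the comment.
# Assumes: MSOnline module installed, global administrator account.
# The user UPN below is a hypothetical placeholder.
Connect-MsolService

# Show the current tenant-wide device registration policy,
# including MaximumDevicesPerUser (20 by default per the comment above).
Get-MsolDeviceRegistrationServicePolicy

# Lower the limit to 5 devices per user.
Set-MsolDeviceRegistrationServicePolicy -MaximumDevicesPerUser 5

# Read it back to confirm the change took effect.
(Get-MsolDeviceRegistrationServicePolicy).MaximumDevicesPerUser

# Before lowering a limit, check which users already exceed it.
# This lists one user's registered devices; loop over Get-MsolUser -All
# to do the same tenant-wide.
function Get-UserDeviceCount {
    param([Parameter(Mandatory)] [string] $Upn)
    $Devices = @(Get-MsolDevice -RegisteredOwnerUpn $Upn)
    $Devices |
        Select-Object DisplayName, DeviceOsType, DeviceOsVersion,
                      DeviceTrustType, ApproximateLastLogonTimestamp |
        Format-Table -AutoSize
    "{0} has {1} registered device(s)" -f $Upn, $Devices.Count
}

Get-UserDeviceCount -Upn 'user1@contoso.onmicrosoft.com'
```

Note that this limit applies to Azure AD device registration, which is what the Company Portal enrollment performs; it is separate from the Exchange ActiveSync device list shown in the Office 365 MDM page, so a user who already has more registered devices than the new limit will only be affected when they try to enroll another one.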