
Friday, August 14, 2015

Understanding Configuration Policies on Microsoft Intune

In Microsoft Intune, there are 2 types of configuration policy for managing mobile devices. The first type is the Common Mobile Device Settings policy, which also includes PC settings. This kind of policy is based on Exchange ActiveSync and can manage the following configuration settings for mobile devices on all platforms, such as iOS, Android, Windows Phone and Windows PC.
  • Security
  • Encryption
  • System
  • Email
  • Applications


The second type is the platform-specific policy for iOS, Android, Windows Phone or Windows PC. This kind of policy is applied only to its own platform. For example, an iOS Configuration Policy is applied to iOS devices only; Android and Windows Phone devices won't receive settings from an iOS Configuration Policy even if it is deployed to all user groups or to the All Mobile Devices group.




To manage a multi-platform environment with Microsoft Intune, consider creating a specific configuration policy for each platform.


This posting is provided “AS IS” with no warranties, and confers no rights!

Saturday, August 8, 2015

My view of compliance policy on Microsoft Intune

A compliance policy is a set of basic rules and settings for users' enrolled devices. A compliance policy can be applied to all of a user's devices, such as iOS, Android, Windows Phone and so on. In Microsoft Intune, the compliance policy checks the following on devices.
  • Password
  • Encryption
  • Jailbreak
  • Email Profile

Microsoft has defined what happens to non-compliant devices. For example, when a device doesn't meet the PIN or password requirement, the compliance policy gives the device (iOS in this case) 60 minutes to set a PIN or password. If no PIN or password has been set within 60 minutes, the user is forced to configure one after that. For other scenarios, Microsoft has published a table of the actions applied to non-compliant devices.


Compared with other Enterprise Mobility Management products, the compliance policy settings of Microsoft Intune lack flexibility. There is no option for administrators to control the OS version of enrolled devices. For security reasons, administrators would like a compliance policy setting that filters OS versions for their companies.

Even when a device is non-compliant, for example because no PIN or password is configured, the user can still download applications through the Company Portal. It seems that the compliance policies of Microsoft Intune aren't flexible and mature enough.

I hope Microsoft will add more flexible settings to the compliance policy of Microsoft Intune, like other EMM products.


Friday, July 24, 2015

Migrate Office 365 Mobile Device Management to Microsoft Intune problem

I enabled Mobile Device Management on Office 365 for my lab domain. Now, I'd like to change it to Microsoft Intune for testing. However, I cannot move it from Office 365 to Microsoft Intune because there is no option to do this on either side. In Microsoft Intune, it shows "Set to Office 365".



On Office 365, it shows the current MDM configuration.


Eventually, I submitted a service request on Office 365 to report this status and asked them to change the status in Microsoft Intune.



If you plan to manage devices with Microsoft Intune, all devices need to re-enroll after switching to Microsoft Intune.

Make sure you know which solution your customers need before deploying Mobile Device Management on Office 365 or Microsoft Intune.

More information:
Manage mobile devices with Microsoft Intune


Wednesday, July 1, 2015

Renew Apple Push Notification Service (APNs) certificate on MDM of Office 365

The Apple Push Notification Service (APNs) certificate is used by every Mobile Device Management platform to manage Apple devices. It expires every year. When the APNs certificate has expired, administrators cannot manage enrolled mobile devices in the MDM portal.

To renew the APNs certificate, the steps are similar to requesting a new APNs certificate. In this blog post, I'm going to renew my not-yet-expired APNs certificate on MDM for Office 365.

1. In the Office 365 admin center, log in as Global Administrator.
2. In the left pane, select the "Mobile Devices" tab.
3. Next to "Settings", click "Manage settings".


4. In the "Set up mobile device management" window, next to "Configure an APNs Certificate for iOS devices", click "Set up".


5. On the "download certificate signing request" page, click "Download your CSR file" to download and save the file.


6. On the "create an apns certificate" page, click "Apple APNs Portal".


Then, log in to the Apple Push Certificates Portal.

7. Click "Renew" on the "Certificates for Third-Party Servers" page.


8. On the "Renew Push Certificate" page, click "Browse" to select the CSR file downloaded from the Office 365 web page.


9. Click "Upload".
10. Click "Download" on the "Certificates for Third-Party Servers" page to save the .pem file.


11. Back on the "upload apns certificate" page, click "Browse" to upload the .pem file.


12. Click "Finish".


As a result, the APNs certificate has been renewed on MDM for Office 365.


Thursday, June 25, 2015

Improvement suggestion for Mobile Device Management on Office 365

Microsoft intends Mobile Device Management (MDM) for Office 365 to replace ActiveSync and provide more security options in Office 365 for administrators and users. It's a good start. How can Microsoft improve MDM for Office 365? Microsoft could consider adding the following features.

1. Apply "Sync Device" in the Office 365 admin center
Users can press the sync button in the Comp Portal app to synchronize information back to Office 365. What about the server side? There is no button on the web page to request a sync from mobile devices. Microsoft should consider adding this function to MDM for Office 365.

2. Apply "Clear device passcode" in the Office 365 admin center
Sometimes users forget the passcode on their mobile devices. For enrolled mobile devices, Microsoft should consider adding "Clear device passcode" to the web page so that administrators can unlock the device passcode for users. However, a mobile device without a passcode isn't compliant. This is temporary: after the passcode is cleared, users have to enter a new passcode immediately to fulfil the compliance requirement.

3. Apply "Remote Lock Device" in the Office 365 admin center
The remote lock feature is provided by iCloud or a Google account. Would Microsoft consider adding this feature to MDM for managed devices? :-)

4. Check applied MDM policies in the Office 365 admin center
As mentioned, we can apply more than 1 policy to a device, even though it's not a good practice. I hope Microsoft adds a web page to check which MDM policy is assigned to a mobile device.

I think there is still room for improvement of MDM on Office 365. Please give Microsoft some feedback to improve it.


Wednesday, June 24, 2015

Mobile Device Management for Office 365 - Part 4

In this part, I'm going to talk about the security policy of Mobile Device Management for Office 365. There aren't many security policy and device restriction options in MDM for Office 365.



Microsoft has listed which security policies and device restrictions can be applied to iOS, Android and Windows Phone.

Supported security policy on mobile devices

Supported mobile device restrictions


As you can see, many security policies and device restrictions can be applied to iOS devices only. These tables help us understand which security settings and restrictions are applied.

Remark: Some additional settings are configured through PowerShell on Office 365.


Can we apply 2 or more security policies or device restrictions to mobile devices?
Yes, one device can receive 2 or more policies.

Which settings will be applied to mobile devices?
If there is no conflict, all settings are applied to the mobile device.

If the same setting is configured with different values, the most restrictive value is applied to the mobile device.

Example 1:
The first policy is configured with "Minimum password length is 4".


Another policy configures the same setting to 5.


Both policies are applied to the same user group. Then users have to enter a 5-digit passcode.

Example 2:
The first policy is configured with "Minimum password length is 4".

Another policy is configured with "Require an alphanumeric password".


Eventually, users are required to enter a new password with 1 special character.
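As an added example (not code from the original post), the following Python models the "most restrictive setting wins" rule from Examples 1 and 2 and checks a device passcode against the merged result. The setting names and the merge rules (largest numeric minimum, OR of boolean requirements) are assumptions modelled on the two examples, not Office 365's own implementation.

```python
from typing import Dict, List, Optional

# Constructed sample policies modelled on Examples 1 and 2 of the post.
POLICY_LEN4 = {"name": "MDM Policy", "min_length": 4}
POLICY_LEN5 = {"name": "Stricter Policy", "min_length": 5}
POLICY_ALNUM = {"name": "Alnum Policy", "require_alphanumeric": True}

# Merge rule (assumption): numeric minimums take the largest configured value,
# boolean requirements are OR-ed, so the most restrictive setting wins and the
# order in which the policies are listed makes no difference.
NUMERIC_MAX = ("min_length",)
BOOL_ANY = ("require_alphanumeric", "require_password")


def effective_policy(policies: List[Dict]) -> Dict:
    """Merge every policy assigned to one device into the settings it will enforce."""
    merged: Dict = {}
    for pol in policies:
        for key in NUMERIC_MAX:
            if key in pol:
                merged[key] = max(merged.get(key, pol[key]), pol[key])
        for key in BOOL_ANY:
            if key in pol:
                merged[key] = bool(merged.get(key, False) or pol[key])
    return merged


def check_passcode(passcode: Optional[str], policy: Dict) -> List[str]:
    """Return the requirements the device passcode fails (empty list = compliant)."""
    failures: List[str] = []
    if not passcode:
        # Any configured passcode setting implies that a passcode must exist.
        return ["no passcode set"] if policy else []
    if len(passcode) < policy.get("min_length", 0):
        failures.append(f"shorter than {policy['min_length']} characters")
    if policy.get("require_alphanumeric"):
        # Alphanumeric here means a mix of letters and non-letters (assumption).
        if passcode.isdigit() or passcode.isalpha():
            failures.append("not alphanumeric (needs letters and non-letters)")
    return failures


if __name__ == "__main__":
    combined = effective_policy([POLICY_LEN4, POLICY_LEN5, POLICY_ALNUM])
    print(combined)                            # {'min_length': 5, 'require_alphanumeric': True}
    print(check_passcode("1234", combined))    # fails both the length and alphanumeric rules
    print(check_passcode("ab12cd", combined))  # []
```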


If an applied policy is removed from Office 365, what happens on the mobile device?
If the setting relates to the email profile on the mobile device, the email profile is deleted from the mobile device automatically.

If the setting is password related, there is no pop-up asking users to change the password. Users need to change the passcode manually.

Remark: While the policy is updating, the console displays "Turning on", but the policy hasn't been applied to mobile devices yet.


I hope this makes it easy for you to understand the policies of MDM for Office 365.

Other parts in this series
Mobile Device Management for Office 365 - Part 1
Mobile Device Management for Office 365 - Part 2
Mobile Device Management for Office 365 - Part 3


Monday, June 22, 2015

Mobile Device Management for Office 365 - Part 3

In parts 1 and 2, I enabled the Mobile Device Management feature on Office 365. After that, I created a security policy in the Office 365 admin center to make sure the device is enrolled before it connects to Office 365. In this part, I'm going to walk through mobile device enrollment and connecting to the mail server on Office 365.

Prerequisites
  • 1 mobile device without a PIN code (I selected iOS for testing)
After enabling the MDM policy for the user, the user cannot connect to the mail server on Office 365 to download email until the device is enrolled. The user gets the following email when they bypass MDM enrollment.


However, the configuration will fail. :-) Please continue reading.

We need to click "Enroll your device" to get the Microsoft Intune agent from the App Store.


Then, launch the "Comp Portal" agent and enter the user name and password to sign in.


On "Device Enrollment" page, click "Enroll".


Once the device is being enrolled, you can find the device information on the Mobile Device Management for Office 365 page.


Then, we continue by installing the Management Profile on the device, pressing "Install".


After enrollment, the device is required to set a passcode.


I pressed "Later" and then tried to access email. There is no email because the device is blocked.


The MDM profile forces the user to set a passcode after 60 minutes.


Go to "Comp Portal" and then tap the device to check compliance.



After a few minutes, I got the following message.


Because I checked "Require managing email profile (required for selective wipe on iOS)", I shouldn't have created an email profile myself. To solve this issue, I need to remove the current Exchange email profile, remove the MDM profile and then re-enroll :-(. Android isn't affected.

If "Require managing email profile (required for selective wipe on iOS)" is checked, we do the following steps.

1. Download "Microsoft Intune Company Portal" from the App Store.
2. Enroll the device.
3. Make sure the device is marked "This is the device you are currently using".



4. Open Mail on the device. The email profile, Office 365 email, is created automatically. A dialog box appears for you to enter the password of this email account.



Remark: If the "Cancel" button is pressed, users can go to "Settings > Mail, Contacts, Calendars > Office 365 email > Accounts" to enter the password.



Now, the mobile device can connect to Office 365 to get emails.

Remark: "Require managing email profile (required for selective wipe on iOS)" applies an email profile for the built-in iOS Mail application. At this moment, it doesn't apply an email profile to Outlook for iOS.

Additional information:
Based on my testing, there is a limitation of Mobile Device Management for Office 365.

1. Administrators cannot control the number of devices enrolled per user.

I'll keep updating the MDM testing of Office 365.

More information:
Enroll your mobile device in Office 365

Other parts in this series
Mobile Device Management for Office 365 - Part 1
Mobile Device Management for Office 365 - Part 2
Mobile Device Management for Office 365 - Part 4


Sunday, June 21, 2015

Mobile Device Management for Office 365 - Part 2

In part 1, Mobile Device Management was enabled on the Office 365 account. The APNs certificate was added to this Office 365 account and the required CNAME records were added to the domain. In this part, I'm going to configure security policies for Mobile Device Management on Office 365.

Previously, we used Exchange ActiveSync to connect to Exchange Servers to sync email on mobile devices, and Exchange ActiveSync applied the security policies to the mobile devices connected to the Exchange Server. A few months ago, Microsoft announced Mobile Device Management for Office 365. It enhances the protection of connections to Office 365. Using Mobile Device Management, we can check whether mobile devices are jailbroken. If so, the device cannot connect to Office 365 to get any email content. This reduces leakage of company data.

1. In the Office 365 admin center, log in as Global Administrator.
2. Click "Mobile Devices".
3. On the "Mobile Device Management for Office 365" page, click "Manage device security policies and access rules".


4. On the "Mobile device management" page, click the "+" button.



5. On the "New device security policy" page, under "Name", enter "MDM Policy" and then click "Next".



6. On the "What requirements do you want to have on devices" page, you can find some new security settings provided by Office 365.



Remark: In an Exchange ActiveSync mailbox policy, we can configure password-related settings for mobile devices.

Microsoft added the features above to check device encryption and jailbreak status and to control connections to Office 365. These are common MDM features.

Eventually, I configured the following security options for testing on this page.



7. Click "Next".
8. On the "What else do you want to configure" page, there are the following options to control the devices.



9. I left the default settings and then clicked "Next".

Remark: Based on the security policies above, Microsoft doesn't define any platform-specific policies or restrictions.

10. On the "Do you want to apply this policy now" page, select "No" and then click "Next".



11. On the "Review and confirm the details" page, click "Finish".



Now, we can add a new group to the MDM policy for testing.

In this part, I configured the MDM security policy for mobile devices. In the coming parts, I'll report the test results for iOS and Android devices.

Other parts in this series
Mobile Device Management for Office 365 - Part 1
Mobile Device Management for Office 365 - Part 3
Mobile Device Management for Office 365 - Part 4
