Mobile Device Management with Microsoft 365

The ongoing evolution of mobile devices and computers and the changing ways organisations use that technology present both opportunities and challenges. It is now commonplace for mobile devices to be used both within the organisation’s premises and externally. This creates a need for organisations to ensure that these devices are managed and secure. While this can be achieved by setting up, managing and updating devices on an individual basis, it is often useful to use a mobile device management system (MDM), particularly if you have more than 10 – 15 devices.
There is a range of MDM systems on the market today, e.g. Meraki, JAMF, JumpCloud and VMware Workspace ONE; however, in this article I will focus on the MDM solutions offered by Microsoft.
Microsoft offers two MDM solutions: Basic Mobility and Security, which is included with Microsoft 365; and Microsoft Intune, which, depending on your specific Microsoft 365 licence, requires the purchase of an additional licence. More information on which MDM solution is included in specific Microsoft 365 subscriptions can be found on this Microsoft page.
It is important to note that you can’t start using Basic Mobility and Security if you’re already using Microsoft Intune. However, you can start using Basic Mobility and Security and then add the additional capabilities of Microsoft Intune.
Please visit this Microsoft page for a comparison of Basic Mobility and Security and Microsoft Intune.
Basic Mobility and Security for Microsoft 365
For the remainder of this article, I will focus on Microsoft’s Basic Mobility and Security included with Microsoft 365. Basic Mobility and Security enables you to manage and secure mobile devices that are connected to your Microsoft 365 organisation. It allows you to set access rules, device security policies, and to wipe mobile devices if they’re lost or stolen.
Basic Mobility and Security supports many mobile devices, including Android, iPhone and iPad. However, each person associated with a device must have an applicable Microsoft 365 licence, and their device must be enrolled in Basic Mobility and Security.
Setting up Basic Mobility and Security
To set up Basic Mobility and Security you will need to log in to your Microsoft 365 account as a global administrator.
Go to Activate Basic Mobility and Security.
Note: Microsoft is continuously rolling out changes, so if the link above does not work, try: https://admin.microsoft.com/adminportal/home#/MifoDevices
It can take some time to activate Basic Mobility and Security. When it finishes, you should receive an email that explains the next steps to take. If the service has already been activated, you will see a link to “Manage Devices” rather than the activation steps.
Once the service is ready, the following steps need to be completed:
Configure your domain/s for Basic Mobility and Security.
To do this you will need to add DNS records at your DNS host. If you are using a custom domain, the chances are that you have already done this during your initial Microsoft 365 set-up. This step, while recommended, is only required if you intend to manage Windows devices.
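As an added example (not part of the article), the following script checks whether a domain already carries the two CNAME records that Microsoft documents for device-management enrolment: enterpriseenrollment pointing at enterpriseenrollment.manage.microsoft.com and enterpriseregistration pointing at enterpriseregistration.windows.net. Those names and targets come from Microsoft's DNS guidance rather than from the article, and the zone-file text is constructed sample data so the check runs offline; in practice you would feed it the output of your DNS host's export or of a CNAME lookup.

```python
"""Verify the CNAME records Microsoft 365 device management expects for a domain.

Added example, not from the article. EXPECTED_CNAMES holds the record names and
targets from Microsoft's MDM DNS documentation (an assumption, not stated in the
article); SAMPLE_ZONE is constructed data so the script runs without network access.
"""

# Host label under the organisation's domain -> expected CNAME target.
EXPECTED_CNAMES = {
    "enterpriseenrollment": "enterpriseenrollment.manage.microsoft.com",
    "enterpriseregistration": "enterpriseregistration.windows.net",
}


def _norm(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot; compare them canonically."""
    return name.strip().rstrip(".").lower()


def parse_cnames(zone_text: str) -> dict:
    """Extract CNAME records from zone-file style lines.

    Accepts the usual ``owner [ttl] [IN] CNAME target`` layout, drops ';' comments
    and blank lines, skips non-CNAME records, and returns {owner: target}.
    """
    cnames = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        upper = [f.upper() for f in fields]
        if "CNAME" not in upper:
            continue  # A, MX, TXT, ... are irrelevant here
        idx = upper.index("CNAME")
        if idx == 0 or idx + 1 >= len(fields):
            continue  # malformed: no owner or no target
        cnames[_norm(fields[0])] = _norm(fields[idx + 1])
    return cnames


def check_mdm_dns(domain: str, cnames: dict) -> list:
    """Return human-readable findings; an empty list means both records are correct."""
    findings = []
    domain = _norm(domain)
    for label, expected in EXPECTED_CNAMES.items():
        owner = f"{label}.{domain}"
        actual = cnames.get(owner)
        if actual is None:
            findings.append(f"MISSING  {owner} -> should be CNAME {expected}")
        elif actual != expected:
            findings.append(f"WRONG    {owner} -> {actual} (expected {expected})")
    return findings


# Constructed sample zone fragment. The mixed case and trailing dots are deliberate:
# they exercise the normalisation and should not produce findings.
SAMPLE_ZONE = """
; constructed example zone fragment for contoso.example
enterpriseenrollment.contoso.example.   3600 IN CNAME enterpriseenrollment.manage.microsoft.com.
EnterpriseRegistration.contoso.example. 3600 IN CNAME enterpriseregistration.windows.net.
autodiscover.contoso.example.           3600 IN CNAME autodiscover.outlook.com.
"""


if __name__ == "__main__":
    findings = check_mdm_dns("contoso.example", parse_cnames(SAMPLE_ZONE))
    if not findings:
        print("OK: both MDM CNAME records present for contoso.example")
    for finding in findings:
        print(finding)
```

Run it against your own zone export before enrolling devices; a MISSING or WRONG line tells you exactly which record to add or correct at your DNS host.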
Note: some Microsoft documents say to “go back to the Security & Compliance Center and go to Data loss prevention > Device management to complete the next step.” The Security & Compliance Center has been migrated to Microsoft Purview and can be found under Settings > Device onboarding.
Configure an APNs Certificate for iOS devices
- To manage iPads and iPhones, you need to create an Apple Push Notification service (APNs) certificate. For this you will need to be signed in to Microsoft 365 as a global administrator.
- Navigate to the Microsoft 365 admin center, and choose APNs Certificate for iOS. (note: this page can be slow to load and appear blank at first.)
- On the Apple Push Notification Certificate Settings page, check the “I agree” box and select “Next”.
- Download your CSR file and save the certificate signing request, making sure to note where the file is saved on your computer. Select “Next”.
- On the Create an APNs certificate page:
- Select Apple APNS Portal to open the Apple Push Certificates Portal. This opens in a new tab.
- Sign in with an Apple ID.
Important: Use an Apple ID associated with an email account that will remain with your organisation even if the user who manages the account leaves. Save this ID because you’ll need to use the same ID when it’s time to renew the certificate.
- Select “Create a Certificate”.
- Read and check the “I have read and agree to these terms and conditions.” checkbox, and accept the Terms of Use.
- Select “Choose file” to browse to the certificate signing request you downloaded from Microsoft 365 earlier, and select “Upload”.
- Download the APN certificate you created in the Apple Push Certificate Portal to your computer.
Tip: If you’re having trouble downloading the certificate, refresh your browser, or try uploading the certificate signing request again.
- Go back to Microsoft 365 and select “Next”.
- Enter your Apple ID.
- Browse to the APN certificate you downloaded from the Apple Push Certificates Portal and upload it.
- Select “Finish”.
Set up multi-factor authentication
Multi-factor authentication (MFA) helps secure sign-in to Microsoft 365 for mobile device enrolment by requiring a second form of authentication. Users are required to acknowledge a phone call, text message or app notification on their mobile device after correctly entering their work account password. They can enrol their device only after this second form of authentication is completed. If MFA is not already enabled, it can be enabled in the Azure AD portal.
After user devices are enrolled in Basic Mobility and Security, users can access Microsoft 365 resources with only their work account.
Manage device security policies
It is good practice to create and deploy device security policies to help protect your organisation’s Microsoft 365 data, for example policies that lock a device after five minutes of inactivity and wipe the device after three sign-in failures.
To create device security policies:
- Sign in to Microsoft 365 as a global administrator.
- In the Microsoft 365 admin center, go to the Mobile Device Management page.
- Select the “Device policies” link.
- Create and deploy device security policies appropriate for your organisation. Additional information can be found in this Microsoft article on creating device security policies in Basic Mobility and Security.
Important tips
When creating a new policy, it can be useful to first set the policy to allow access and report the policy violation where a user’s device isn’t compliant. This lets you see how many mobile devices are affected by the policy without blocking access to Microsoft 365.
It is also advisable to test a new policy on the devices used by a small number of users before you deploy to everyone in your organisation.
Before enrolling a device in Basic Mobility and Security and creating and implementing policies, it is strongly advisable to consider the potential impacts. One possible consequence is that non-compliant devices may also hold installed apps, photos and other personal information which could be deleted if the device is wiped. Please see this Microsoft article about wiping a mobile device in Basic Mobility and Security.
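To make the staged rollout described in the tips above concrete, here is an added example (my own illustration, not Microsoft's policy engine or code from the article) that models a device policy with the two settings the article mentions, lock after five minutes of inactivity and wipe after three sign-in failures, plus an encryption requirement, and evaluates it against a constructed device inventory. Running the same policy first in "report" mode and then in "block" mode shows how many devices would be affected before anyone is locked out. The device records, the policy fields and the "report"/"block" mode names are all assumptions made for the example.

```python
"""Dry-run impact analysis for a device security policy (added example).

Not Microsoft's implementation: a simplified model of how a Basic Mobility and
Security style policy behaves in 'report' versus 'block' enforcement, run over a
constructed fleet so the numbers can be inspected before a real rollout.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DevicePolicy:
    max_inactivity_minutes: int = 5      # screen must lock within this many idle minutes
    max_signin_failures: int = 3         # device must wipe after this many failed sign-ins
    require_encryption: bool = True      # storage encryption mandatory
    enforcement: str = "report"          # "report": allow and log; "block": deny access


@dataclass
class Device:
    owner: str
    platform: str
    inactivity_lock_minutes: Optional[int]   # None = no auto-lock configured
    signin_failure_wipe: Optional[int]       # None = no wipe threshold configured
    encrypted: bool


def evaluate(policy: DevicePolicy, device: Device) -> List[str]:
    """Return the policy violations for one device; an empty list means compliant."""
    violations = []
    if device.inactivity_lock_minutes is None or device.inactivity_lock_minutes > policy.max_inactivity_minutes:
        violations.append(f"inactivity lock not within {policy.max_inactivity_minutes} minutes")
    if device.signin_failure_wipe is None or device.signin_failure_wipe > policy.max_signin_failures:
        violations.append(f"wipe threshold not within {policy.max_signin_failures} sign-in failures")
    if policy.require_encryption and not device.encrypted:
        violations.append("device storage not encrypted")
    return violations


def access_decision(policy: DevicePolicy, device: Device) -> str:
    """Compliant devices are allowed; non-compliant ones are only reported in report mode, blocked otherwise."""
    if not evaluate(policy, device):
        return "allow"
    return "report" if policy.enforcement == "report" else "block"


def impact_summary(policy: DevicePolicy, devices: List[Device]) -> Dict:
    """Aggregate what the policy would do to the fleet: how many fail, how many would be blocked, and why."""
    details = {d.owner: evaluate(policy, d) for d in devices}
    non_compliant = {owner: v for owner, v in details.items() if v}
    blocked = sum(1 for d in devices if access_decision(policy, d) == "block")
    return {
        "total": len(devices),
        "non_compliant": len(non_compliant),
        "blocked": blocked,
        "details": non_compliant,
    }


# Constructed sample fleet: two compliant devices, two that fall short in different ways.
FLEET = [
    Device("alice", "iOS", inactivity_lock_minutes=2, signin_failure_wipe=3, encrypted=True),
    Device("bob", "Android", inactivity_lock_minutes=15, signin_failure_wipe=None, encrypted=True),
    Device("carol", "iOS", inactivity_lock_minutes=None, signin_failure_wipe=3, encrypted=False),
    Device("dave", "Android", inactivity_lock_minutes=5, signin_failure_wipe=3, encrypted=True),
]

REPORT_POLICY = DevicePolicy()                               # stage 1: allow access, report violations
BLOCK_POLICY = replace(REPORT_POLICY, enforcement="block")   # stage 2: same rules, now enforced


if __name__ == "__main__":
    for label, policy in (("report", REPORT_POLICY), ("block", BLOCK_POLICY)):
        summary = impact_summary(policy, FLEET)
        print(f"[{label}] {summary['non_compliant']}/{summary['total']} non-compliant, {summary['blocked']} blocked")
        for owner, violations in summary["details"].items():
            print(f"  {owner}: {'; '.join(violations)}")
```

The report-mode pass gives the count the article suggests looking at first; only when the non-compliant list has been worked through with those users (or with the pilot group the tips recommend) should the same policy be switched to block mode.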
Enrolling devices
After everything has been set up and you have created and deployed a mobile device management policy, each licensed Microsoft 365 user in your organisation to whom the device policy applies receives an enrolment message the next time they sign in to Microsoft 365 from their mobile device. They must complete the enrolment and activation steps before they can access Microsoft 365 email and documents.
Note: Users with Android or iOS devices will need to install the Company Portal app as part of the enrolment process.
For more information please see this Microsoft article about enrolling your mobile device using Basic Mobility and Security.
Microsoft 365 Support Survey
The Karten Network, in association with TechAbility, intends to offer free support for Microsoft 365 (previously called Office 365) to Karten Network member organisations. To help us plan for this, we kindly request that, if you have not already done so, you complete this very short online survey: https://survey.karten-network.org.uk
Lastly, I am always interested to hear about how you are using mobile and other smart technology too. If you would like to have a particular topic covered in the next newsletter, please let me know. I am also available at any time to offer support and help where I can.
Martin Pistorius
Karten Network Technology Advisor
Article meta data
- Featured in the Karten Spring 2023 Newsletter
