Microsoft Intune – Mobile Device Management Authority set to Office 365

Well, that is a mouthful of a title! Microsoft have now fully rolled out their Mobile Device Management features in Office 365, and I decided to kick the tires and find out more about what it could do. This involves enabling the MDM service from within Office 365.

A couple of weeks after this, I needed to do some testing with Microsoft Intune, the big brother of Office 365 MDM. I signed up for the 30 day trial and went through the process of ticking off the pre-requisites of the initial deployment. One of these steps is to set the Mobile Device Management Authority. This setting defines whether or not you will integrate your Intune subscription with System Center Configuration Manager. This is a decision which is very difficult to reverse once made, but for my purposes I wanted to configure Intune itself as the Mobile Device Management Authority and not integrate with SCCM.

However, I was not able to do this: when I visited Admin > Mobile Device Management, I was told that my MDM Authority was set to Office 365, and there was no option to change it. I ended up having to log a call with Intune support, who responded very quickly and reset the MDM Authority so that I could set it myself. It took around 5 days for the reset to be processed. Once it is complete you can set the MDM Authority to Intune or SCCM!

MDM Authority

I can see this catching out a lot of customers who are using the built-in Office 365 MDM and then decide to upgrade to Intune. Keep in mind that you will need to have your MDM Authority reset by logging a call with Intune support, and that this takes around 5 working days. It's also worth noting that before the reset, you need to retire all currently enrolled mobile devices from Office 365 MDM. This is best done by performing a selective wipe from the Mobile Devices tab of the Office 365 admin center, which removes the corporate data from each device while leaving personal data in place.
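Before logging the reset call it is worth confirming that no enrolled device has been missed. The PowerShell below is an added example and is not from the original post; it assumes the ExchangeOnlineManagement module is installed and that the account used holds an Exchange Online admin role. It works from the device partnerships Exchange Online holds, which is where a still-enrolled phone or tablet will normally show up, but it is not the admin center's own enrolment list, and the 30-day "still active" window is an assumed threshold.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module is installed and the account used holds an Exchange Online admin role.
Connect-ExchangeOnline

# 1. Inventory every mobile device partnership that Exchange Online still holds.
$devices = Get-MobileDevice -ResultSize Unlimited

$report = foreach ($d in $devices) {
    $stats = Get-MobileDeviceStatistics -Identity $d.Identity
    [pscustomobject]@{
        Identity    = $d.Identity
        User        = $d.UserDisplayName
        Type        = $d.DeviceType
        Model       = $d.DeviceModel
        AccessState = $d.DeviceAccessState     # Allowed, Blocked or Quarantined
        LastSync    = $stats.LastSuccessSync
        WipeSent    = $stats.DeviceWipeSentTime
        WipeAcked   = $stats.DeviceWipeAckTime
    }
}

# 2. A device that synced recently and has not acknowledged a wipe has not been
#    retired yet. The 30-day window is an assumed threshold; adjust to taste.
$cutoff  = (Get-Date).AddDays(-30)
$pending = @($report | Where-Object { $_.LastSync -gt $cutoff -and -not $_.WipeAcked })

$report | Sort-Object User |
    Format-Table User, Type, Model, AccessState, LastSync, WipeAcked -AutoSize
"{0} device(s) still active with no acknowledged wipe" -f $pending.Count

# 3. Optional: send the account-only wipe from PowerShell. This removes the mailbox
#    data only; it is Exchange's counterpart to the admin center selective wipe, not
#    a replacement for it, since the MDM profile itself is retired from the admin center.
#    -WhatIf only reports what would be sent; remove it to actually issue the wipe.
foreach ($p in $pending) {
    Clear-MobileDevice -Identity $p.Identity -AccountOnly -WhatIf
}
```

Run the inventory once, retire whatever it lists through the Mobile Devices tab (or the account-only wipe above), then run it again and only log the support call when the pending count is zero; the wipe is not acknowledged until the device next checks in, so a device that is switched off will stay on the list.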

I hope this helps some of you out there who are looking to move from the built-in Office 365 MDM to Microsoft inTune.

Built-in MDM for Office 365 is launched!

MDM Philosoraptor

Fantastic news, fellow nerds... one of my must-have features for 2015 has been launched! I am super excited about this one and I believe that it will give many new customers the peace of mind and confidence to start moving to Office 365 in earnest.

One of the great things about Office 365 is that you can get to your corporate data from anywhere, on any device. This is what users expect in today's modern world, and Office 365 lets us give our users the functionality they expect. However, the service's greatest benefit was also its greatest drawback: how can we make sure that data is secure if users can access it from anywhere? Before today, the answer was one of the following:

a. Use Microsoft Intune to restrict access to specific, enrolled devices. This came at additional cost and was a hard sell if a company had already committed to a different MDM provider.

b. Use AD FS and conditional access policies (claims rules on the federation server) to control access. This functionality was limited in scope and took away a lot of the portability benefits of Office 365.

c. Use the only control available to try to limit data leakage: Exchange ActiveSync quarantine. The problem with this is that it only applies to ActiveSync connections and cannot control OneDrive for Business use. It also lacks granularity with regard to device compliance.
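To make option c concrete, here is the ActiveSync quarantine configuration, weak default first, then the tightened setting. This is an added example and not code from the original post; it assumes an Exchange Online PowerShell session via the ExchangeOnlineManagement module and an Exchange admin role, and the admin address, user address and device ID are placeholders.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module and an Exchange Online admin role; addresses and IDs are placeholders.
Connect-ExchangeOnline

# Weak default: any device that can authenticate gets full ActiveSync access.
Get-ActiveSyncOrganizationSettings | Format-List DefaultAccessLevel, AdminMailRecipients

# Tighter setting: unknown devices are quarantined until an admin releases them,
# the admins are mailed about each new quarantine, and the user sees a message.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'mobile-admins@contoso.example' `
    -UserMailInsert 'Your device is waiting for IT approval before it can sync mail.'

# Device access rules act on the strings the device reports (see the DeviceType,
# DeviceModel and DeviceOS columns of Get-MobileDevice); matching is exact, which
# is the "lack of granularity" the post mentions: a rule cannot express compliance,
# only what the device claims to be.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString 'iPhone' -AccessLevel Allow
New-ActiveSyncDeviceAccessRule -Characteristic DeviceOS -QueryString 'Android 4.0.4' -AccessLevel Block

# Day to day: review what is waiting, then release a device for one user by its DeviceId.
Get-MobileDevice -ResultSize Unlimited |
    Where-Object DeviceAccessState -eq 'Quarantined' |
    Format-Table UserDisplayName, DeviceType, DeviceModel, DeviceOS, DeviceId -AutoSize

Set-CASMailbox -Identity 'alice@contoso.example' `
    -ActiveSyncAllowedDeviceIDs @{Add = 'ApplDX3HJQ2BCMLA'}   # placeholder device ID

# Caveat, and the post's point: none of this touches SharePoint Online or OneDrive
# for Business traffic, because those clients never pass through ActiveSync.
```

The per-user allow list in Set-CASMailbox overrides the organisation-wide rules, so it is the right place for one-off approvals; anything that should apply to a whole class of devices belongs in a device access rule instead.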

Yesterday, the Office team announced that built-in MDM will be rolled out to all Office 365 commercial plans over the next 4-6 weeks. I am on the First Release program and have not got the feature yet, but as soon as I do I will be playing around and reporting back!

The main features are as follows:

Conditional Access – this ensures that only managed, compliant devices can connect to your corporate data. This is the biggie: it lets us control which mobile devices can access data stored anywhere in Office 365, not just in Exchange Online.

Device Management – Jailbreak detection, PIN lock controls and rich reporting.

Selective Wipe – Remove corporate data from a managed device while leaving personal data in place.

For those wanting more advanced capabilities such as VPN/Wi-Fi profile management, PC management and mobile app management, Intune is still the go-to Microsoft product.

You can find out more about the MDM capabilities being rolled out to Office 365 customers at the official blog here:

Notes from Barcelona – Empowering and protecting your mobile users

After a day and a half of TechEd, my mind is filled with two words... Enterprise Mobility. And the more I hear, the more sense it makes. Gone are the days when a user had a single corporate device plugged into the wall with a LAN cable. These days a user typically has anywhere between 2 and 5 devices, most of them mobile, and that user fully expects to be able to access some kind of corporate data on those devices. The line between a device for work and another for play is blurred to the point of being invisible, and IT needs to adapt to be able to empower and protect users. The Enterprise Mobility Suite (EMS) isn't just a product suite but a concept, one which will increase both productivity and security for your users.

On any given day our users, in particular remote and mobile users, are logging into many different SaaS applications on many different devices, most of which are unmanaged. One new way for a company to get an idea of what SaaS apps are in use is to deploy the Cloud App Discovery tool from Microsoft. By deploying a lightweight agent to all, or a subset of, machines you can see which apps are in use, who is using them and how much data is being pushed through them. This helps you identify which apps are used most frequently, and will also show you whether these can be integrated with Azure Active Directory to provide secure single sign-on. Surprisingly, the average number of applications found is around 150! Integrating Azure Active Directory with these SaaS apps brings a new level of security to your IT environment by putting the authentication mechanism under your control: users no longer hold a separate password for each app, so there is far less credential sprawl to leak.

Enterprise Mobility covers many facets of securing mobile devices, mobile data and cloud services. Securing your SaaS apps is one, but what about your mobile devices? The lifespan of a mobile device is getting shorter all the time, and it is not feasible for IT to keep track of who owns what device. With Microsoft Intune and Azure RMS alongside Office 365, you can let your users enrol and manage their own devices whilst keeping your data safe and secure.

For example, in order to access corporate email on their phone or tablet, a user must enrol the device with Microsoft Intune. Once this is done, conditional access is configured so that corporate data can only be opened by approved applications. A Word document attached to a message in the OWA app cannot be saved anywhere other than OneDrive for Business, and cannot be edited by any app other than Word. This way, data leakage is reduced significantly. Policies for this take a few clicks to configure and require no user involvement. The concept here is to enable users by providing access to apps which assist productivity, such as collaborative document management in SharePoint and OneDrive for Business. However, this data also needs to be secured for legal and compliance reasons, and conditional access can address this.

This is just a taste of the features available in the Enterprise Mobility Suite. Integrating your SaaS applications with Azure AD, and enabling and securing your users' mobile and tablet devices using Intune, will significantly improve both the security and the productivity of your users. Add to this the Azure Rights Management Services and Self Service Password Reset features and you are a much more mobile and secure company. BYOD is a reality and it's time IT embraced it.