
Mobile Device Management for Office 365
David J. Rosenthal
CEO, Atidan
May 4, 2015
Ignite Conference, Chicago, IL

Agenda
- Trends around mobility and BYOD
- MDM for Office 365 overview
- Demo: admin setup & end user experience

Exchange ActiveSync                    | OWA for Devices
Devices supporting EAS                 | iOS and Android apps
Enforce device password                | Enforce app password
Wipe entire device                     | Wipe just the app
Entire org or individuals (no groups)  | Entire org or individuals (no groups)
Other apps: no controls

Devices: Enable your users
Apps: Unify your environment
Data: Protect your data

Helping organizations enable their users to be productive on the devices they love
while helping ensure corporate assets are secure

Device lifecycle (actors: User, IT)

Enroll
- Provide a self-service Company Portal for users to enroll devices
- Deliver custom terms and conditions at enrollment
- Bulk enroll devices using Apple Configurator or service account
- Restrict access to Exchange email if a device is not enrolled

Provision
- Deploy certificates, email, VPN, and WiFi profiles
- Deploy security policy
- Install mandatory apps
- Deploy app restriction policies
- Deploy data protection policies

Manage and Protect
- Restrict access to corporate resources if policies are violated (e.g., jailbroken device)
- Protect corporate data by restricting actions such as copy/cut/paste/save outside of the managed app ecosystem
- Report on device and app compliance

Retire
- Revoke access to corporate resources
- Perform selective wipe
- Audit lost and stolen devices

- Inventory mobile devices that access corporate applications
- Remote factory reset (full device wipe)
- Mobile device configuration settings (PIN length, PIN required, lock time, etc.)
- Self-service password reset (Office 365 cloud-only users)
- Reporting on devices that do not meet IT policy
- Group-based policies and reporting (ability to use groups for targeted device configuration)
- Root cert and jailbreak detection
- Remove Office 365 app data from mobile devices while leaving personal data and apps intact (selective wipe)
- Prevent access to corporate email and documents based upon device enrollment and compliance policies
- Self-service Company Portal for users to enroll their own devices and install corporate apps
- Deploy certificates, VPN profiles (including app-specific profiles), and Wi-Fi profiles
- Prevent cut/copy/paste/save-as of data from corporate apps to personal apps (mobile application management)
- Secure content viewing via Managed Browser, PDF Viewer, Image Viewer, and AV Player apps for Intune
- Remote device lock via self-service Company Portal and via admin console
- PC management (e.g. inventory, antimalware, patch, policies, etc.)
- OS deployment (via System Center ConfigMgr)
- PC software management
- Single management console for PCs and mobile devices (through integration with System Center ConfigMgr)

User-centric approach

Diagram labels: Conditional Access, Device Management, Selective Wipe, LoB app; each marked as either Built-In or Microsoft Intune.

Before mobile devices can access Office 365 data, they must be enrolled and healthy.

1. A user downloads the public OneDrive app on a personal iPad.
2. The user is shown a page that directs them to enroll the iPad.
3. The user steps through the enrollment process.
4. The OneDrive app is now MDM enabled.
5. The user is able to access their OneDrive data.

Device Policies
- Control what mobile devices can connect to Office 365 data
- Set device configuration policies such as PIN lock
- Enforce data encryption on devices

Admin Controls
- Built-in management in the Office 365 Admin Center and PowerShell
- Configure device policies by groups
- Product-level granular control

Device Reporting
- Device compliance reports
- Mobile usage and trends in your organization
- API support

The IT admin can wipe Office 365 data from the user's device. When they trigger the wipe,
all of the data cached or stored by the apps is deleted, while all of the user's personal
content remains intact.

1. An employee uses Office 365 apps and data on a mobile device. The employee leaves the company.
2. The IT admin logs into the Office 365 Admin Center to perform a selective wipe.
3. The Office 365 data is removed from the Office applications, leaving personal information intact.

* Native email clients that use ActiveSync will support Conditional Access and Selective Wipe
** Office on Windows Phone (combined app)

Configure Microsoft Intune with Office 365

http://portal.office.com
http://aka.ms/TryIntune

Quarantine notification (screenshot):

Action required to access your organization's email

This email was automatically generated by Microsoft Exchange.
You are receiving this message because your IT department requires that you enroll
your device in order to access Exchange email. This helps to protect corporate
information in your organization. Follow the steps listed on this site to enroll your
device, verify compliance, and activate your email.
Please contact your IT department with any questions or problems.

portal.manage.microsoft.com/?portalAction=EmailQuarantine

Managed-app prompt (screenshot):

Pasting content not allowed
This content is managed by Contoso. The destination is not. Pasting this content is
not allowed by your administrator.

Device enrollment email (screenshot):

From: Contoso IT
Subject: Device Not Enrolled
Thu 1/16, 11:18
To: Contoso Employees

To access emails and other company resources, your device needs to be enrolled
with Contoso. To enroll your device follow the instructions below:
Step 1: Enroll your Device
Step 2: Once you've enrolled your device, click here to activate

Redirecting to device enrollment...

Activating (https://activate.aad/contoso/)

Activation Successful!
Your access to emails and other company resources has been granted.


Diagram: Users on their devices, Microsoft Intune, Azure AD, Office 365, IT Admin.
Labels: "Enroll device, evaluate & enforce compliance with device management policies" (Intune);
"Report device compliance" (Intune to Azure AD).

Conditional access control - Exchange ActiveSync (EAS)

Diagram components: EAS Client, EAS Server, Intune, Azure AD, Azure AD DRS.
Azure AD device object: device id, isManaged, MDMStatus, EASIDs.

Step 1: Enroll device (Workplace Join + management)
Step 2: Register EAS client (Register EAS email client)
Step 3: Get email (EAS ID, username, password)

Other labelled flows in the diagram:
- Set device management/compliance status (Intune)
- Create EASID to device ID binding (Azure AD DRS)
- Lookup device compliance state (EAS Server against Azure AD)
- Push device into quarantine
- Quarantine email (to the EAS client)
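The device-policy slide, the selective-wipe walkthrough and the EAS conditional-access diagram above describe one decision: a mail client's EAS ID is mapped to an Azure AD device object, the device's managed/compliance state is looked up, and a non-enrolled or non-compliant device is pushed into quarantine while a departing user's corporate data is removed selectively. The following is an added Python simulation of that logic, written for this page; it is not code from the deck, from Microsoft or from Atidan. The field names (is_managed, mdm_status, eas_ids) are spelled after the diagram's device object; the `Directory` class, `DeviceReport`, the policy thresholds, the sample device records and EAS IDs are all constructed for illustration and do not reflect any real Office 365 or Intune API.

```python
from dataclasses import dataclass, field


@dataclass
class DevicePolicy:
    """Device configuration policy (constructed thresholds; the deck lists PIN
    length, PIN required, encryption and jailbreak detection as examples)."""
    pin_required: bool = True
    pin_min_length: int = 6
    require_encryption: bool = True
    allow_jailbroken: bool = False


@dataclass
class DeviceReport:
    """Health facts a device reports at enrollment or check-in (constructed)."""
    pin_set: bool
    pin_length: int
    encrypted: bool
    jailbroken: bool


@dataclass
class DeviceObject:
    """Azure AD device object as labelled in the diagram: device id, isManaged,
    MDMStatus, EASIDs. Status strings are constructed values."""
    device_id: str
    is_managed: bool = False
    mdm_status: str = "unknown"        # "compliant" / "noncompliant" / "unknown"
    eas_ids: set = field(default_factory=set)


def evaluate_compliance(report: DeviceReport, policy: DevicePolicy) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    if policy.pin_required and not report.pin_set:
        violations.append("pin-not-set")
    elif policy.pin_required and report.pin_length < policy.pin_min_length:
        violations.append("pin-too-short")
    if policy.require_encryption and not report.encrypted:
        violations.append("not-encrypted")
    if report.jailbroken and not policy.allow_jailbroken:
        violations.append("jailbroken")
    return violations


class Directory:
    """Stand-in for Azure AD plus DRS: device objects and the EASID -> device id binding."""

    def __init__(self, policy: DevicePolicy):
        self.policy = policy
        self.devices = {}        # device_id -> DeviceObject
        self.eas_binding = {}    # eas_id -> device_id

    def enroll(self, device_id: str, report: DeviceReport) -> DeviceObject:
        """Step 1 (Workplace Join + management): the MDM service marks the device
        managed and records its compliance status on the device object."""
        dev = self.devices.setdefault(device_id, DeviceObject(device_id))
        dev.is_managed = True
        compliant = not evaluate_compliance(report, self.policy)
        dev.mdm_status = "compliant" if compliant else "noncompliant"
        return dev

    def register_eas_client(self, device_id: str, eas_id: str) -> None:
        """Step 2: bind the mail client's EAS ID to the enrolled device."""
        dev = self.devices.setdefault(device_id, DeviceObject(device_id))
        dev.eas_ids.add(eas_id)
        self.eas_binding[eas_id] = device_id

    def lookup_by_eas_id(self, eas_id: str):
        device_id = self.eas_binding.get(eas_id)
        return self.devices.get(device_id) if device_id else None


def eas_access_decision(directory: Directory, eas_id: str) -> str:
    """EAS server logic on a 'get email' request (step 3): look up the device's
    compliance state by EAS ID and either allow it or push it into quarantine
    (a quarantined client gets the enrollment email instead of mail)."""
    dev = directory.lookup_by_eas_id(eas_id)
    if dev is None or not dev.is_managed:
        return "quarantine:not-enrolled"
    if dev.mdm_status != "compliant":
        return "quarantine:noncompliant"
    return "allow"


def selective_wipe(app_data: dict, corporate_domain: str) -> dict:
    """Selective wipe: drop data cached by the apps for corporate accounts and
    keep personal accounts' data. app_data maps app name -> {account: payload}."""
    suffix = "@" + corporate_domain.lower()
    return {app: {acct: data for acct, data in accounts.items()
                  if not acct.lower().endswith(suffix)}
            for app, accounts in app_data.items()}


def run_demo() -> dict:
    """Constructed scenario: one healthy iPad, one jailbroken phone, one unknown client."""
    d = Directory(DevicePolicy())
    d.enroll("ipad-good", DeviceReport(pin_set=True, pin_length=6, encrypted=True, jailbroken=False))
    d.register_eas_client("ipad-good", "EAS-0001")
    d.enroll("phone-rooted", DeviceReport(pin_set=True, pin_length=8, encrypted=True, jailbroken=True))
    d.register_eas_client("phone-rooted", "EAS-0002")
    results = {eas: eas_access_decision(d, eas) for eas in ("EAS-0001", "EAS-0002", "EAS-9999")}
    # Departing employee: wipe only the corporate account's cached data (constructed sample).
    results["wipe"] = selective_wipe(
        {"OneDrive": {"james@contoso.com": "q1-report.xlsx", "james@example.net": "photos"}},
        "contoso.com")
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

The point to take from the decision function is the order of checks: an EAS ID with no device binding is treated the same as an unmanaged device, so a client that was never registered cannot skip the compliance lookup, and compliance is re-read from the directory on every request rather than cached on the mail server.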

office365@atidan.com

2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on
the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Diagram labels: Personal; Corporate; Managed Browser & Viewer Apps.

Manage all of your corporate apps and data with Intune's mobile device and application management solution

Complete mobile application management
- Securely access corporate information using Office mobile apps, while preventing company data loss by restricting actions such as copy/cut/paste/save in your managed app ecosystem
- Extend these capabilities to existing line-of-business apps using the Intune app wrapper
- Enable secure viewing of content using the Managed Browser, PDF Viewer, AV Player, and Image Viewer apps

Mobile device management
- Deploy certificates, WiFi, VPN, and email profiles automatically once a device is enrolled for management
- Enable bulk enrollment of task-worker devices to set policies and deploy applications on a large scale
- Provide a self-service Company Portal for users to enroll their own devices and install corporate apps

PC management
- Provide lightweight, agentless management from the cloud
- Connect Intune to System Center 2012 R2 Configuration Manager to manage all of your devices including PCs, Macs, Unix/Linux servers, and mobile devices from a single management console
- Provide real-time protection against malware threats on managed computers
- Collect information about hardware configurations and software installed on managed computers
- Deploy software based upon policies set by the administrator
