How-to Configure MDM for Office 365

Back to Blog

How-to Configure MDM for Office 365

This article updated 8/22/18 with new screenshots, since they moved some items around.

Today we’re going to take a deep dive with the Mobile Device Management (MDM) features available through Office 365, powered by Microsoft’s Intune cloud service.

Note: This is not the same as enabling a full Microsoft Intune subscription. Think of an Office 365 MDM solution as a “lite” offering of the Intune service. For many SMB organizations, the Office 365 feature set may be all they ever need. You will have to judge for yourself based on your own business requirements.

Begin by logging into the Office 365 Administrative Portal.  Before we go create a policy, let’s setup a security group in Groups. Add a new group, and choose the type Security. Give it a name that describes the purpose–MDM Policy users, or Apply the MDM policy, etc.

I usually just add all users, but you can actually have multiple MDM policies with different users in each group, if you so choose.


Now we can proceed to the Security & Compliance Center, find Device Management from the left menu.


First thing: set up your Apple Push Notification Certificate by clicking APNS Certificate for iOS…


It’s a pretty straightforward process that starts with downloading a certificate signing request (CSR), takes you to Apple’s sign-in page where you upload that CSR file, and ends with you downloading the APN certificate from Apple’s Website, and then uploading it into your Office 365 portal. Download the CSR file.

If you do not yet have one, you might need to create an Apple ID with an account that is associated with your domain name, in order to get the APNS certificate from their Apple Push Certificates portal.

Once you upload the CSR to Apple and accept their terms, you will be able to download the certificate. Save it somewhere safe.

Finally upload it to Microsoft, specifying your Apple ID, which you used to get the certificate.

Back on this page, click Device policies.

+ Create a policy.  You will start by giving it a name. Although you could have multiple and apply them to different groups, etc., as I said before, I usually just create a global one for the entire organization (but your own needs may differ).

Make your selections; there are two pages of options, and this first one is more important. I usually require a non-simple password and enable auto lock–it is up to your organization whether you require other restrictions. Below is an example of something more stringent, requiring expiration of the password, etc. Again, make your own selections. But I do recommend using the managed email profile, since it allows you to perform “selective wipe”–removing only organization data, while leaving the device intact (does not perform full reset of the device).

There is an additional page with more options, such as Require encrypted backup, and others. Most small organizations have no interest in controlling these items on personal mobile phones, tablets, etc.

You can either enable the policy, or just save it without turning it on–it is also necessary to specify that group to which the policy will apply. Next.

Review your settings and Create this policy.

Back on this screen, one more link to follow: Manage organization-wide device access settings.

Here you can choose to Allow or Block devices that are not compliant with the MDM policy. This could be annoying for some people, but really–why use an incompatible device or app? Why support it?

When you are done with all of this, your users will need to go enroll their devices, which is a whole other story.

The main feature leveraged in MDM is probably Selective wipe –invaluable for those situations where you need to remove the corporate data of a departed employee’s personal device, without causing an upsetting situation–by wiping ALL of the data, and affecting a full factory reset on the device.

Now interestingly, these days it is also possible to enable a selective wipe in Exchange Active Sync, as well–so it may no longer be necessary to implement the 365 MDM in order to achieve your desired configuration (not all older versions of Android/iOS support this EAS policy, but as we continue moving forward, this will become less and less of a “thing”).

And that about concludes the tour of MDM configuration and settings included with your Office 365 subscription!


Comment (1)

  • Michele Reply

    hello Alex
    I’m trying to implement the MDM solution and your article was really helpful.
    I have only one question and I’m sure that you have the right answer :)

    If I remove the company portal from a device, all the office 365 applications (email, onedreive, etc) still work.

    Is there a way to prevent the removal of the company portal app or block the application in case the app has been removed?
    thanks in advance

    July 2, 2019 at 5:45 am

Leave a Reply

Back to Blog

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.