Why MDM for Office 365 may be obsolete, with updates to Exchange Active Sync

Back to Blog
22Aug2018

Why MDM for Office 365 may be obsolete, with updates to Exchange Active Sync

Disclaimer: This is not breaking news, what I am about to describe has been available for a while, but I just haven’t gotten around to blogging about it. Previously I wrote about MDM for Office 365, and I had to update that article since Microsoft keeps changing the interface and where things are located in the Security & Compliance center (it’s basically impossible as a blogger to keep up with changes in Office 365–screenshots are always potentially out of date). But anyway, the whole reason organizations may require users to register their mobile device with the organization, is because it gives them some level of visibility and control over the device.

Why use MDM?

But Exchange has always allowed this control as well, using Exchange Active Sync policies. So what is the difference between using MDM via the Security and Compliance Center, and just sticking with the Exchange active sync policies? Well, for one thing, the enrollment process for MDM was way harder than just applying an EAS policy–MDM involved downloading an app to assist you with the enrollment and setup of each and every device, and that was a big pain for some users (and for IT support). However, there was a carrot on the end of the stick…. you see, there are a few more controls available in MDM than we have in EAS. Truth be told, we cared about almost none of them (e.g. most organizations do not care to restrict their users’ access to things like the camera or Bluetooth for instance), but one very important capability was “Selective wipe” or the ability to pull back only the managed email profile, without wiping the device fully (which was the only control available in Exchange Active Sync).

But guess what? For most modern mobile devices, it is now possible to fully wipe the device, OR just wipe the account data–and all from Exchange Active Sync.

To start, be sure you have actually setup an EAS policy in Exchange Online. Navigate to the Exchange admin center, then mobile > mobile device mailbox policies. Edit the default policy (or create a new one if you prefer).

Now you can make your own selections, but I like to deselect the option to Allow mobile devices that don’t fully support these policies to synchronize. Why agree to support a device that is not modern enough to support simple Exchange Active Sync settings? Crazy. On the security page, I almost always require device encryption as well as the use of a passcode, and it is optional whether you require it to expire, etc. But these are basic protections which help prevent unauthorized access of a mobile device if it is lost or stolen.

Once you have a policy enabled, you can apply it to individual mailboxes (you can have multiple policies if you prefer, I usually just modify the default policy which is applied to everyone by default).

So I have added my iPhone using the regular Apple mail application. Since it is an up-to-date iPhone 6, it does indeed support this feature. If I browse to my mailbox account under recipients, I can find the mailbox features page and click on View Details under Mobile Devices. Notice that I have an option, with a little drop-down arrow, to select Account Only Remote Wipe Device (this is like selective wipe). The other, Wipe Data, is the classic “factory reset” option–and pisses people off real good (unless the device really was lost or stolen). But for standard terminations or departures, wiping a personal phone is a pretty nasty thing to have to do.

Don’t worry if you choose the wrong one, as it will tell you what you have selected, giving you a chance to confirm.

And so, now that we have the ability to do this with Exchange Active Sync, do we really want to go down the path of the MDM enrollment? After all, EAS just applies these policies automatically when you add an email account to the device–and most users don’t have too much trouble navigating that process. But with MDM, if you start by adding an email account, you must then proceed to enroll the device using a link to get the app, and you won’t actually get any email until the device is made compliant via the instructions provided in the app. If you try to explain this process to users in advance, and provide them with screenshots or whatever–it doesn’t matter. They always need more help than you think they will.

For what it does, I believe that all this hassle is not really worth it, given we have the ability to selective wipe right from Exchange Online. However, if you are looking toward a full Intune subscription, you will get a vast many more features and levers to pull, to customize the experience on your devices (including application policies, etc.) This is made a bit easier for you with the device management features built into Microsoft 365 subscriptions, too–so in that case you may still prefer a full MDM (which still requires device enrollment via the Intune app). But the “built-in” MDM with Office 365 looks much less attractive today than it did a couple of years ago. Again, just in my opinion.

Opinion, Technical , , , , , 7 Comments
Share:

Comments (7)

  • Chris Claessens Reply

    Thx Alex!

    August 23, 2018 at 2:07 am
  • Bryan Reply

    And it would be awesome… if Android supported it like iPhone does! Till then, we need to keep schluffing along with the stupid MDM

    February 1, 2019 at 10:25 am
    • Alex Reply

      True fact.

      February 1, 2019 at 10:34 am
  • Mike Reply

    What does one do if we don’t have the little dropdown ad only have the Full Wipe option? We use Office 365 so I’m assuming it’s the latest version.

    September 13, 2019 at 3:56 pm
    • Alex Reply

      Not all devices support the feature. iPhones do support it. Just block Android, Google is evil.

      September 13, 2019 at 10:17 pm
  • Mike Reply

    Follow up to my previous post so feel free to delete that one…
    Some of my users show an actual phone in the device list but most have entries that just say Outlook for iOS and Android. Does the “Outlook” option mean they are using the Outlook App and if it shows an actual phone that they’re using the native email?
    The only time I see the little dropdown arrow for selective wipe is if it shows an actual iPhone device. The ones that say Outlook do not give the dropdown.

    I saw something online that said the Outlook app runs in a container of sorts so “Wiping” that device really just wipes the Outlook container and leaves the rest of the phone alone. I’m just trying to find some information that lists all the possibilities and how they all actually work before I wipe someone’s phone I didn’t mean to.

    September 13, 2019 at 4:01 pm
    • Alex Reply

      That is true, the Outlook app is unique that way–you don’t wipe the device you wipe the app. This post is already dated in some ways, I usually just recommend MAM now as a baseline for everyone–Outlook app for all. It’s more secure and you should only need to support a single app anyway. Plus you get richer features like Shared calendars, Shared mailboxes, Groups, reading encrypted emails natively, the RSVP and calendar overlays, etc. are all just way better. iOS mail is okay because it supports at least some of the modern features, but not all of them. And Android mail apps are the worst (some now actually ship with Outlook, however). But Outlook app is going to be the gold standard for email on mobile.

      September 13, 2019 at 10:22 pm

Leave a Reply

Back to Blog

Related Posts

29Aug

2016 Essentials Integration: Microsoft Intune

Today we're going to enable the Microsoft Intune integration service from the Essentials Dashboard and discuss what it means a little bit. Intune is another cloud offering by Microsoft. It's purpose is to enable more robust Mobile Device Management. You can obtain an Intune subscription separately, which is what... read more
18Jul

A Reader’s input for your consideration: Blocking unsupported devices with Conditional access

Consider the following scenario (from a reader who wished to remain anonymous): Let's say you have implemented my recommended baseline policies for Conditional access, which require Windows & Mac computers to become managed/compliant with Intune, and iOS & Android devices to use approved client applications. In... read more
27Aug

How to configure Advanced Threat Protection (ATP) part 3: safe links

This will be our last post in this series on Advanced Threat Protection (ATP). We have previously covered anti-phishing policies and safe attachments. Now we will consider safe links. Safe links are basically just taking hyperlinks which exist in Exchange email messages or other content in... read more
09Nov

Migrate from Windows Server Essentials with Azure AD integration to Windows Server Standard and Azure AD Connect

I have a love-hate relationship with Windows Server Essentials. It's a great product with a lot of goodness baked in, but there are some real limits to it as well. On the one hand, Remote Web Access, Client PC backup, the Azure Recovery plugins, and... read more
27Oct

Step-by-Step: How to upgrade a Legacy Hybrid Exchange Server to 2016

One of the most common frustrations I hear from readers and clients alike is the requirement for keeping a hybrid Exchange server around, even well after all of your mailboxes have been moved to the cloud. Microsoft's official stance regarding hybrid is this: If you remove... read more
09May

Scripting with ISE: Adding New LUNs, part 1

In this series, we are getting familiar with Windows PowerShell ISE. My hope is that thru working in this application, more IT professionals will come to view PowerShell as a truly accessible (and indispensable) tool. Remember that the point of technology should include making your job... read more
13Oct

Top Mobility-Enabling Security Features in Office 365

At this point, even the staunchest conservatives among us have to admit that we live in a post-perimeter world. In recent years there have been even more developments and trends chipping away at our traditional conceptions of so-called perimeter-based security. Cloud and mobility means two things: Users... read more
19Jul

We never have to deploy folder redirection to a file server, ever again

OneDrive recently announced yet another amazing feature improvement: Known Folder Move. Think of this as folder redirection 2.0--if you have historically redirected things like Desktop and Documents libraries to a file server (which leads to other Offline Files considerations for mobile workers), then this is... read more
Unboxing Microsoft Defender for Business: Device-based Conditional Access
09Mar

Unboxing Microsoft Defender for Business, Part 4: Integration with MEM and Conditional Access

Welcome back to this series! Microsoft Defender for Business (MDB) is a huge product with lots of ground to cover. So far we have discussed the Simplified configuration process, Threat & Vulnerability Management, and Attack Surface Reduction Rules. Since we began our series an exciting thing... read more
14Oct

Why you shouldn’t disable external sharing (really)

Okay, so anyone who has ever done consulting with Microsoft / Office 365 before has probably heard this question: "Can we disable external sharing?"--Any customer at every Office 365 consulting engagement, ever. Bless their souls, these questions are usually coming from a good place, but to see... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me