Why MDM for Office 365 may be obsolete, with updates to Exchange Active Sync
Alex Fields
Disclaimer: This is not breaking news; what I am about to describe has been available for a while, but I just haven’t gotten around to blogging about it. Previously I wrote about MDM for Office 365, and I had to update that article since Microsoft keeps changing the interface and where things are located in the Security & Compliance Center (it’s basically impossible as a blogger to keep up with changes in Office 365; screenshots are always potentially out of date). But anyway, the whole reason organizations may require users to register their mobile devices with the organization is that it gives them some level of visibility and control over the device.
Why use MDM?
But Exchange has always allowed this control as well, using Exchange Active Sync (EAS) policies. So what is the difference between using MDM via the Security & Compliance Center and just sticking with the Exchange Active Sync policies? Well, for one thing, the enrollment process for MDM was way harder than just applying an EAS policy: MDM involved downloading an app to assist you with the enrollment and setup of each and every device, and that was a big pain for some users (and for IT support). However, there was a carrot on the end of the stick... you see, there are a few more controls available in MDM than we have in EAS. Truth be told, we cared about almost none of them (most organizations do not care to restrict their users’ access to things like the camera or Bluetooth, for instance), but one very important capability was “Selective wipe”, or the ability to pull back only the managed email profile without wiping the device fully (a full wipe being the only control available in Exchange Active Sync at the time).
But guess what? For most modern mobile devices, it is now possible to fully wipe the device OR just wipe the account data, and all from Exchange Active Sync.
To start, be sure you have actually set up an EAS policy in Exchange Online. Navigate to the Exchange admin center, then mobile > mobile device mailbox policies. Edit the default policy (or create a new one if you prefer).
Now you can make your own selections, but I like to deselect the option “Allow mobile devices that don’t fully support these policies to synchronize”. Why agree to support a device that is not modern enough to support simple Exchange Active Sync settings? Crazy. On the Security page, I almost always require device encryption as well as the use of a passcode; whether you require the passcode to expire, etc. is optional. But these are basic protections which help prevent unauthorized access to a mobile device if it is lost or stolen.
Once you have a policy enabled, you can apply it to individual mailboxes (you can have multiple policies if you prefer; I usually just modify the default policy, which is applied to everyone by default).
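The same policy settings described above can be applied from Exchange Online PowerShell, which is handy when you want the configuration to be repeatable and auditable rather than clicked through the admin center. This is an added example and not code from the original post; it assumes the ExchangeOnlineManagement module is installed, that you hold an Exchange admin role, and that admin@contoso.com, alice@contoso.com and the “Execs” policy name are placeholders.

```powershell
# Added example (not from the original post): configure the Default mobile device
# mailbox policy in Exchange Online PowerShell to match the settings discussed above,
# optionally create a stricter policy for a subset of users, and verify the result.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.
# admin@contoso.com, alice@contoso.com and "Execs" are placeholders.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Record the current settings of the default policy before changing anything.
Get-MobileDeviceMailboxPolicy -Identity Default |
    Format-List Name, IsDefault, AllowNonProvisionableDevices, PasswordEnabled,
                RequireDeviceEncryption, PasswordExpiration

# Harden the default policy:
#  - AllowNonProvisionableDevices $false is the PowerShell equivalent of clearing the
#    "Allow mobile devices that don't fully support these policies to synchronize" box,
#    so devices that cannot enforce the policy are refused instead of silently exempted
#  - require a passcode and device encryption (the two settings from the Security page)
# The inactivity lock, failed-attempt limit and simple-passcode ban are my own
# stricter-than-default choices, shown for illustration.
Set-MobileDeviceMailboxPolicy -Identity Default `
    -AllowNonProvisionableDevices $false `
    -PasswordEnabled $true `
    -AllowSimplePassword $false `
    -MinPasswordLength 6 `
    -MaxInactivityTimeLock 00:05:00 `
    -MaxPasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true

# Optional: a separate, stricter policy (alphanumeric passcode, 90-day expiration)
# assigned per mailbox, while everyone else keeps the hardened Default policy.
New-MobileDeviceMailboxPolicy -Name "Execs" `
    -AllowNonProvisionableDevices $false `
    -PasswordEnabled $true `
    -AlphanumericPasswordRequired $true `
    -MinPasswordLength 8 `
    -PasswordExpiration 90.00:00:00 `
    -RequireDeviceEncryption $true
Set-CASMailbox -Identity alice@contoso.com -ActiveSyncMailboxPolicy "Execs"

# Verify which policy a mailbox resolves to. ActiveSyncMailboxPolicyIsDefaulted tells
# you whether the mailbox simply inherits the default policy or has one assigned.
Get-CASMailbox -Identity alice@contoso.com |
    Format-List ActiveSyncEnabled, ActiveSyncMailboxPolicy, ActiveSyncMailboxPolicyIsDefaulted
```

Running the Get-MobileDeviceMailboxPolicy step first and keeping its output gives you a record of what changed, and re-running it after the Set- call is a quick way to confirm the policy actually took effect before users start complaining about a new passcode prompt.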
So I have added my iPhone using the regular Apple Mail application. Since it is an up-to-date iPhone 6, it does indeed support this feature. If I browse to my mailbox account under recipients, I can find the mailbox features page and click on View Details under Mobile Devices. Notice that I have an option, with a little drop-down arrow, to select Account Only Remote Wipe Device (this is like selective wipe). The other, Wipe Data, is the classic “factory reset” option, and pisses people off real good (unless the device really was lost or stolen). But for standard terminations or departures, wiping a personal phone is a pretty nasty thing to have to do.
Don’t worry if you choose the wrong one, as it will tell you what you have selected, giving you a chance to confirm.
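The two wipe options shown in the admin center map onto a single cmdlet in Exchange Online PowerShell, with the account-only variant selected by a switch. The following is an added example, not code from the original post; it assumes an existing Exchange Online PowerShell session with an Exchange admin role, and alice@contoso.com, itsupport@contoso.com and the device identity are placeholders.

```powershell
# Added example (not from the original post): enumerate a user's Exchange ActiveSync
# devices, check their sync state, and issue an account-only remote wipe (removing only
# the synced mailbox data) rather than a full factory reset.
# Assumes Connect-ExchangeOnline has already been run with an Exchange admin role.
# alice@contoso.com, itsupport@contoso.com and $DeviceId are placeholders.

$Mailbox = "alice@contoso.com"

# 1. List the devices partnered with the mailbox. Identity is what Clear-MobileDevice
#    needs; FriendlyName and DeviceModel help you pick the right handset.
Get-MobileDevice -Mailbox $Mailbox |
    Format-Table FriendlyName, DeviceType, DeviceModel, DeviceOS, FirstSyncTime, Identity -AutoSize

# 2. Check sync state before acting. A wipe is only delivered when the device next
#    syncs, so a device that last synced months ago may never receive it.
Get-MobileDeviceStatistics -Mailbox $Mailbox |
    Format-Table DeviceFriendlyName, Status, LastSuccessSync, DeviceAccessState -AutoSize

$DeviceId = "<Identity value copied from step 1>"   # placeholder

# 3a. Account-only wipe: the PowerShell form of "Account Only Remote Wipe Device".
#     Only the Exchange account and its synced data are removed; photos, apps and
#     personal accounts stay. The cmdlet prompts for confirmation unless you pass
#     -Confirm:$false, which mirrors the confirmation step in the admin center.
Clear-MobileDevice -Identity $DeviceId -AccountOnly -NotificationEmailAddresses "itsupport@contoso.com"

# 3b. Full wipe ("Wipe Data"): the same cmdlet WITHOUT -AccountOnly. This is a factory
#     reset of the handset, so reserve it for devices that really are lost or stolen.
# Clear-MobileDevice -Identity $DeviceId -NotificationEmailAddresses "itsupport@contoso.com"

# 4. Track delivery. The wipe-related timestamps (request, sent, acknowledged) show
#    whether the device has picked the command up yet; until it has, -Cancel withdraws it.
Get-MobileDeviceStatistics -Identity $DeviceId | Select-Object DeviceFriendlyName, Status, *Wipe*
# Clear-MobileDevice -Identity $DeviceId -Cancel
```

Step 2 is the check that saves you later: if LastSuccessSync is stale, the account-only wipe will sit pending, and the mailbox should also be secured on the server side (password reset, session revocation) rather than relying on the device ever coming back online.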
And so, now that we have the ability to do this with Exchange Active Sync, do we really want to go down the path of MDM enrollment? After all, EAS just applies these policies automatically when you add an email account to the device, and most users don’t have too much trouble navigating that process. But with MDM, if you start by adding an email account, you must then proceed to enroll the device using a link to get the app, and you won’t actually get any email until the device is made compliant via the instructions provided in the app. If you try to explain this process to users in advance, and provide them with screenshots or whatever, it doesn’t matter. They always need more help than you think they will.
For what it does, I believe all this hassle is not really worth it, given that we have the ability to selectively wipe right from Exchange Online. However, if you are looking toward a full Intune subscription, you will get vastly more features and levers to pull to customize the experience on your devices (including application policies, etc.). This is made a bit easier for you with the device management features built into Microsoft 365 subscriptions, too, so in that case you may still prefer a full MDM (which still requires device enrollment via the Intune app). But the “built-in” MDM with Office 365 looks much less attractive today than it did a couple of years ago. Again, just in my opinion.