• Home
  • Blog
  • Technical
  • Showdown: Exchange Active Sync vs. Office 365 MDM vs. Intune (MDM and MAM)

Showdown: Exchange Active Sync vs. Office 365 MDM vs. Intune (MDM and MAM)

Back to Blog
15Nov2018

Showdown: Exchange Active Sync vs. Office 365 MDM vs. Intune (MDM and MAM)

The Microsoft 365 platform offers customers not one, not two, but three distinct Mobile Device Management solutions (well, technically four, as we’ll see). In my experience, most small business customers will be fine with nothing more than a well configured Exchange Active Sync policy, requiring basics like a pass code, device encryption, and the ability to remote wipe. But it is good to evaluate all of your options, in case your own requirements call for more. Note: there are also a plethora of third-party solutions out there, but in this article I’m just going to compare the ones available within the native Microsoft 365 universe.

Solution #1 : Exchange Active Sync (EAS)

As I mentioned, the original solution is EAS, and what does it have to recommend it? Simplicity. Here is what you can do, with a basic EAS policy:

  • Refuse access to devices that do not support the policies
  • Require device encryption
  • Require a pass code (non-simple, alphanumeric, etc.)
  • Require the pass code to expire
  • Lock the screen after a certain number of minutes
  • Wipe the device after a certain number of pass code attempts have failed
  • Wipe the device (or Account data) remotely

Most orgs are happy with the above options alone. But also know that there are several other items you can control, available via PowerShell. It is furthermore possible to have new devices auto-quarantined by default, meaning that administrators would get a notification, and then choose to approve or block the device in Exchange Online.

And the best part: from an end-user perspective, nothing special is really required, other than adding a mail profile to the device, or using their favorite supported mail app. Enrolling the device in MDM or Intune is a totally different story.

Solution #2: MDM for Office 365

This feature is included with Business and Enterprise plans for Office 365, and it can be a good option for requiring a tiny bit more device-based security without a large investment in additional subscriptions or third party products. Basically these policies can do everything that an EAS policy can do, plus:

  • prevent jail-broken/rooted devices from connecting
  • require managed email profile (this means that enrollment in MDM will install the email profile in the phone’s native mail app)
  • block access to the app store
  • block cloud backup, document &/or photo sync, screen capture, Bluetooth devices, etc.
  • Require enrollment for access to apps other than just email (e.g. the OneDrive app)

The drawbacks to this solution are many in my opinion, but mainly you should know that the device enrollment process totally sucks. Users have to get the Intune app, and proceed to step through more than a dozen screens, selecting “Continue” and “Enroll” and “Install” and “Accept” and on and on, until FINALLY they get their email profile… and then you learn that it can only deploy to the built-in native email app, such as iOS’s mail app (boooouurrnnss). Last, understand that this solution requires an Apple Push Notification Service (APNS) certificate, which needs to be renewed annually–so yet another piece to manage. If you’re doing this you might as well do the full-blown Intune, in my opinion.

Support for Office 365 MDM is available on iOS 7.1 or later, as well as Android 4 or later.

Solution #3: Microsoft Intune MDM

Intune is available as a standalone product, but is more frequently purchased as part of a bundle, like the Enterprise Mobility + Security E3 or E5 plan, or Microsoft 365 Business or Enterprise plans. Intune actually has two different mobility management solutions built-in: Mobile Device Management (MDM), and Mobile Application Management (MAM).

MDM, or device-based management, is often leveraged when you have corporate-owned and managed devices. Intune’s MDM can do everything included in EAS and Office 365 MDM, plus you get a lot of additional powers over the device. For example:

  • Push Wi-Fi and VPN profiles to the device
  • Push business applications to devices
  • Manage updates to devices
  • Use corporate PKI and certificates

I normally only see larger sized enterprises entertaining these types of options, or generally situations where corporate-owned devices are being strictly controlled and “made the same” for various groups of users. That is to say, you can configure different profiles and device rules for different kinds of users in different roles / locations.

Plus, Intune has the capability to manage Windows 10 and Mac OS computers, in addition to mobile devices. Very large companies that use System Center Config Manager (SCCM) can hook into Intune, as well, to extend their management capabilities.

Unfortunately, the same painful enrollment process is required for the Intune MDM (it is in fact accomplished via the same mechanism: the Intune app available via the app store).

Solution #4: Microsoft Intune MAM (BYOD)

Mobile Application Management (MAM) is another advanced feature of Intune, which allows for BYOD scenarios. MAM can actually be paired along with MDM in larger corporate environments, to support either use case: device-based and/or application-based mobility management. But in the small to mid-sized business, almost all users are “BYOD”–using their own devices to access corporate email and other digital resources. So it makes sense to evaluate the MAM options here.

First and foremost, the good news: end-users have no enrollment process to speak of; instead they just get a one-time prompt that their application settings are being managed (and they have to restart the app). Therefore, MAM is a very attractive alternative to MDM, with many of the same benefits, although the execution looks a little bit different.

Fig. 1: MDM and MAM address same concerns but differently

As mentioned above, MDM is great when you need to exercise an extreme level of control over a device. But generally speaking, when users bring their own personal device to the table, they don’t want to be bothered or blocked from doing “other stuff”–therefore, many of the controls provided via MDM are moot. These workers are going to have personal data and apps, as well as corporate ones. Who wants to block their users from syncing personal photos to iCloud, for instance?!

Enter MAM. When choosing to manage mobility at the application level, we are most often pairing Intune up with Azure Active Directory Premium, so that we can enable Conditional Access–for example: we can create a Conditional Access policy that forces users to access their corporate data only through the Microsoft apps such as Outlook, OneDrive, Word, OneNote, etc. And, we can also challenge them for MFA.  The extra controls are necessary so that we can raise our confidence level in those mobile connections being made to our environment, and protect the data at the application level, rather than the device level.

This means that the device does not need to be enrolled at all, and the application will do the job of protecting the corporate data, effectively isolating it from the personal stuff on the device. This includes blocking users from saving to the device or even copy/pasting out of Microsoft apps and into “personal” ones such as the native mail app, Evernote, DropBox, etc. A pretty effective solution over all, and again, minimally invasive to users.

Conclusions

It is true, I am heavily biased toward simplicity. And, since I support primarily smaller sized businesses, I tend to favor solutions that I think are better suited to that market segment. In my opinion, the built-in features of Exchange Online cover 95% of use cases in the small business. For Nazi-level security, I would skip all the way to EMS/Intune, rather than use the “included” MDM of Office 365. But, for the money, and for the fact that most every business I know and support has personal “BYOD” scenarios at play–I would lean toward MAM rather than MDM in those cases. But again, that’s just my opinion–take it or leave it, and just consider these things when forming your own mobility strategy.

Fig. 2: Summary comparing features

In some upcoming posts I will show you how to turn on MAM, with Conditional Access policies assisting from Azure AD Premium. Note that this is even easier with Microsoft 365 subscriptions, since you can use simplified wizards to setup these policies from the admin center, without messing around in the Intune portal.

Technical , , , , , , , , 0 Comments
Share:

Leave a Reply

Back to Blog

Related Posts

09Feb

The realities and limitations of managing personal (BYOD) devices in Microsoft 365 and Endpoint Manager

These days, I am willing to bet that I get asked about BYOD endpoints over corporate endpoints 10 to 1. Personal devices (even personal Windows devices) are creeping into the workplace more and more, especially with so many working from home. And this does present... read more
07Sep

Tutorial: How-to Setup Azure Site Recovery using Windows Server Essentials, Part 2: Configuration

Windows Server Essentials (or the Essentials Experience role) can be leveraged to quickly provision a full Disaster Recovery site in the cloud, and replicate Virtual Machines from your on-premises Hyper-V server(s) to Azure. The built-in integrations that make this possible are Azure Virtual Network and... read more
03Oct

Windows Information Protection done right, part 2: typical set up steps

Last time we talked about a couple of key concepts including enlightened and non-enlightened apps, and how Windows Information Protection (WIP) treats corporate data differently than personal. In short, a non-enlightened app and all of its data will be treated by WIP as personal (by... read more
09Apr

The encryption button fiasco

I have done quite a few posts recently on the new Office Message Encryption (OME) features in Office 365 Exchange Online. This past winter, Microsoft released version 2 of OME, which had some improvements over version 1, but came with some downsides/trade-offs also. Oftentimes, the downsides... read more
26May

Migration path from SBS to Office 365 & Windows Server 2016

So many small businesses adopted Microsoft's Windows Small Business Server (SBS) product--now that the product has been discontinued, these organizations tend to need a little more guidance regarding the migration path forward from SBS 2003, 2008 or 2011. Do I still need an On-premises Windows Server? With the option to... read more
Fast and Free Incident Response Tools in Microsoft 365
09Jul

Fast and Free Incident Response Tools in Microsoft 365

As part of the SquareOne Summer Security Series, our group recently explored the topic of Incident Response in Microsoft 365. This was a very well-received course, and I felt a blog post was in order to cover off on some of the important content from... read more
01Oct

Should I stick with Microsoft 365 Business or move up to Enterprise?

Microsoft 365 is best described as a "bundle of bundles"--these new SKU's go beyond Office 365, and include advanced security products as well as device management and even your Windows licensing.  I have been writing a lot about the Microsoft 365 Business SKU, since it... read more
16Jul

How to bundle even more security into your Office 365 subscription

In a previous post, I covered some of the most common SKU's that are frequently purchased by small businesses, who are migrating to the Office 365 platform. In a nutshell, by FAR the most common of those are Office 365 Business Premium and Office 365... read more
22Jun

How to securely deploy Remote Desktop Services (RDS) with the Gateway Role

Remote Desktop can be deployed in any number of different ways, and not all of them are created equally when it comes to security. In the Enterprise, we'd most likely see RDS deployed using a "DMZ" or "Demilitarized Zone," which is a special type of... read more
17Sep

Enable the Archive Mailbox and modify the default retention policy (for cloud-only and hybrid users)

In any subscription that includes Exchange Online Archiving, such as Office 365 E3 or Microsoft 365 Business (as well as any subscription to which the Archiving add-on is applied), it is possible to enable an unlimited storage container for those hoarders out there, known as... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me