Office 365 MDM On the field experience

Introduction
Who are we and what is this session about?
- Consultancy team working on migrating to Office 365 with MDM for an Enterprise customer
- Key deliverables of the project are:
  - Migrate their e-mail to Exchange Online (tried and true, yay!)
  - Migrate their devices from ‘legacy’ MobileIron solution to Office 365 MDM (brand new feature, yay…but oh noes!)
- Aim to provide you:
  - An overview of what is Office 365 MDM
  - A run-through of how to set it up
  - Our (fresh!) lessons learned while deploying it to end users

What is Office 365 MDM
- MDM = Mobile Device Management?
- Have you used ActiveSync Policies before? It’s like that, but better
- Became Generally Available for all Commercial Office 365 Plans in April this year.
- “Free!!” as in “it’s included into the subscription you’re already paying for”
- Provides a “base” level of security enforcement and compliance controls:
  - Require enrolment to access corporate data (i.e. authorization)
  - Enforce PIN Lock / device encryption / jailbreak detection (i.e. access protection)
  - Selective or full device wipe (i.e. data loss prevention)
- Works across e-mail and office apps (OneDrive, Word, Excel etc.)

Office 365 MDM vs Intune
- Wait, what about Intune?
- Have you used Office 365 MDM before? It’s like that, but better
- An established device management solution that covers a wider platform base (i.e. desktops as well as mobile)
- “Not Free!” as in “…buy Intune…or EMS…or talk to your local friendly Microsoft Account manager”
- Provides a more thorough level of management, enforcement and compliance controls:
  - Configure WiFi and VPN management profiles
  - Provision and manage certificates and app deployments
  - Data containerisation including Mobile Application Management (MAM)

Sounds great, how do I turn it on?
- Check if you can see it in your Office 365 Portal Admin console.
- If not, add yourself into First Release under Service Settings → Updates

Well, This doesn’t look right
- Office 365 MDM cannot coexist with Intune
- If you have an existing Intune or EMS subscription, you may see the below. It means that the Intune portal has taken ‘authority’ within your tenancy.
- If you don’t want to use Intune (say, because it’s a trial subscription), raise a Service Request to have Microsoft Technical Support switch Authority back to Office 365 MDM

Setting up O365 MDM

Setting up O365 MDM
INSERT LIVE DEMO HERE
- Show the policy configuration
- Show the device managed

On the field lessons learned
- Supported features are different across platforms (Windows Phone, iOS, Android)
  - Prime example: Managed email profile only works on iOS
  - If you make a policy that ‘enforces’ this feature, then it will make Android devices non-compliant
- Office 365 MDM policies stack (we think?)
  - We created a base policy (blocks) and an email policy (allow and report)
  - Base policy enforces security functions such as PIN, device lock, jail break detection
  - Email policy pushes out managed email policy. Androids effectively ignore this, and iOS gets email profile
- But, I hear you ask, why don’t we just create two policies? One for Android and one for iOS?

On the field lessons learned
- MDM policies are deployed per user via Security Group Membership
  - Security Group only (can be cloud or synched) but no distribution groups or dynamic distribution groups.
  - Slight delay (~10 mins) for group memberships to be picked up
  - Per user policy deployment means that policies need to be device agnostic, as users can have an iOS phone and an Android tablet (or any combination of supported devices)
  - Also, if you are not a member of any groups, then you get no policy (i.e. no enforcement)
- Pain point: There is no “all users” group, which means that by default users don’t get MDM policies.
  - Our workaround is to use an ‘In Cloud’ group we populate with all synchronised users via a scheduled script
  - Current ticket open to see if there are any other alternatives (or potential feature request)

On the field lessons learned
Fresh new information (as of 3 hours ago)
- The Block functionality appears to be driven by whether the device supports the policies that you have defined rather than whether the policies are being applied
- As soon as you enrol, you will be asked to meet the policy – you can’t “not do it”. Or if you changed the policy, the device says “you have 60 mins to change your PIN before being locked out”
- Therefore, use the Block function very sparingly, particularly if you have BYOD scenarios – as the Allow function does everything you want it to do

On the field lessons learned
Fresh new information (as of 2 weeks later)
- We ended up removing the stacking policies as even though Microsoft Support says it supports it, we were seeing weird behaviour so removed it to avoid confusion
- We saw weird behaviour of the Group Membership not being recognised (and thus users not getting MDM policy). In the end we only added the user to the MDM group after we had licensed the user. Adding non-licensed users or adding them first then assigning a license seemed to make it ignore memberships in the group in an erratic way.
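
The "all users" group workaround and the license-before-membership ordering from the two slides above, as an added example that is not the presenters' script. It assumes the MSOnline PowerShell module with an existing Connect-MsolService session; the group name 'MDM-All-Users' and the -ReportOnly switch are hypothetical.

```powershell
# Added example, not the presenters' script. Assumes the MSOnline module and that
# Connect-MsolService has already been run. 'MDM-All-Users' is a hypothetical name.
param(
    [string]$GroupName = 'MDM-All-Users',
    [switch]$ReportOnly
)

# -SearchString is a prefix match, so filter on the exact display name afterwards.
$group = @(Get-MsolGroup -SearchString $GroupName |
    Where-Object { $_.DisplayName -eq $GroupName })
if ($group.Count -ne 1) {
    throw "Expected one group named '$GroupName', found $($group.Count)."
}
$groupId = $group[0].ObjectId

# Index current members by ObjectId so each user is checked once.
$isMember = @{}
Get-MsolGroupMember -GroupObjectId $groupId -All |
    ForEach-Object { $isMember[$_.ObjectId.ToString()] = $true }

$added = 0
$skippedUnlicensed = 0
foreach ($user in Get-MsolUser -All -Synchronized) {
    if ($isMember.ContainsKey($user.ObjectId.ToString())) { continue }

    # License first, group membership second: unlicensed users are left out
    # and picked up by a later scheduled run once they have a license.
    if (-not $user.IsLicensed) { $skippedUnlicensed++; continue }

    # Anyone reaching this point is licensed but currently gets no MDM policy.
    if ($ReportOnly) {
        Write-Output "No MDM policy: $($user.UserPrincipalName)"
    } else {
        Add-MsolGroupMember -GroupObjectId $groupId -GroupMemberType User `
            -GroupMemberObjectId $user.ObjectId
        $added++
    }
}
Write-Output "Added: $added; unlicensed, skipped: $skippedUnlicensed"
```

Running it with -ReportOnly lists the licensed, synchronised users who would otherwise sit outside every policy group, which is the "no policy, no enforcement" gap described above.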

On the field lessons learned
When migrating from an existing MDM solution (e.g. MobileIron)
- Ensure you first remove the existing MDM policy / Management profiles
  - If you can, do this on behalf of the user, e.g. in MobileIron we could ‘retire’ the profile remotely from the management console.
  - Otherwise users get a poor enrolment experience (lots of popups to go back and forth)
- Be prepared for users not being able to “re-enrol” the device themselves
  - Particularly as Androids and iOS devices across different versions behave ever so slightly differently, making creating 100% accurate step by step instructions impossible
  - After extensive documentation, we managed to get the incident rate to be about 5-10% which isn’t too bad, however the odd incident with mobile devices could end up each taking 20 mins because you have to walk them through how to use their device :)
- ProTip for Android – use TeamViewer QuickSupport if they are remote!

On the field lessons learned
- If using managed email profiles, instruct users to first get the Intune Company Portal and enrol
  - Otherwise if they try to create an email profile, they’ll get an “enrolment required” message, get directed to install Intune Company, then warned that they have to remove existing email profile, as it needs to be managed – which overall can be frustrating/confusing for users
- If the user changes their password, instruct them to sign into the Intune Company Portal first to put in new creds
  - We found the other apps just constantly prompt for creds and get stuck until you update the Intune app

On the field lessons learned
Troubleshooting Pro Tips
- Use the Exchange Online ‘mobile’ section to view ‘active sync’ quarantined devices. This lets you see more easily who is trying to sign in and is having device compliance issues
- If a user is having sign in issues with apps on an enrolled, compliant device, it’s probably because the app needs updating.
- Stale Records in MDM portal is a known issue
  - Currently stale records of non-clean unenrolled devices remain for 30 days.
  - Being looked at to allow individual removal of stale records

Overall Thoughts
- Great improvement over ActiveSync Policies
- Good ‘entry level’ MDM solution, provides businesses with at least some level of protection
- Generally the enrolment process is fairly seamless
- Selective Wipe works really well (for the supported platforms), a good message for users concerned about BYOD of personal devices
- Some maturity around administration still required, but it is still early days, and we expect improvements to come
- Would be nicer to see a more consistent support of functionality across platforms