
Office 365 MDM On the field experience


1 Office 365 MDM On the field experience

2 Introduction: Who are we and what is this session about?
- Consultancy team working on migrating an enterprise customer to Office 365 with MDM
- Key deliverables of the project are:
  - Migrate their email to Exchange Online (tried and true, yay!)
  - Migrate their devices from the 'legacy' MobileIron solution to Office 365 MDM (brand new feature, yay... but oh noes!)
- This session aims to provide:
  - An overview of what Office 365 MDM is
  - A run-through of how to set it up
  - Our (fresh!) lessons learned while deploying it to end users

3 What is Office 365 MDM? MDM = Mobile Device Management
- Have you used ActiveSync policies before? It's like that, but better
- Became generally available for all commercial Office 365 plans in April this year
- "Free!!" as in "it's included in the subscription you're already paying for"
- Provides a "base" level of security enforcement and compliance controls:
  - Require enrolment to access corporate data (i.e. authorisation)
  - Enforce PIN lock / device encryption / jailbreak detection (i.e. access protection)
  - Selective or full device wipe (i.e. data loss prevention)
- Works across email and Office apps (OneDrive, Word, Excel etc.)

4 Office 365 MDM vs Intune: Wait, what about Intune?
- Have you used Office 365 MDM before? It's like that, but better
- An established device management solution that covers a wider platform base (i.e. desktops as well as mobile)
- "Not free!" as in "...buy Intune... or EMS... or talk to your local friendly Microsoft account manager"
- Provides a more thorough level of management, enforcement and compliance controls:
  - Configure Wi-Fi and VPN management profiles
  - Provision and manage certificates and app deployments
  - Data containerisation, including Mobile Application Management (MAM)

5 Sounds great, how do I turn it on?
- Check whether you can see it in your Office 365 admin portal
- If not, add yourself to First Release under Service Settings > Updates

6 Well, this doesn't look right
- Office 365 MDM cannot coexist with Intune: only one of them can hold MDM authority for a tenant
- If you have an existing Intune or EMS subscription, you may see the message below. It means that the Intune portal has taken 'authority' within your tenancy
- If you don't want to use Intune (say, because it's a trial subscription), raise a Service Request to have Microsoft Technical Support switch authority back to Office 365 MDM

7 Setting up O365 MDM

8 Setting up O365 MDM

9 Setting up O365 MDM

10 Setting up O365 MDM (live demo)
- Show the policy configuration
- Show the devices managed

11 On the field lessons learned
- Supported features differ across platforms (Windows Phone, iOS, Android)
  - Prime example: the managed email profile only works on iOS
  - If you make a policy that 'enforces' this feature, it will make Android devices non-compliant
- Office 365 MDM policies stack (we think?)
  - We created a base policy (block) and an email policy (allow and report)
  - The base policy enforces security functions such as PIN, device lock and jailbreak detection; the email policy pushes out the managed email profile. Androids effectively ignore this, and iOS gets the profile
- But, I hear you ask, why don't we just create two policies, one for Android and one for iOS?

12 On the field lessons learned
- MDM policies are deployed per user via security group membership
  - Security groups only (cloud or synchronised), but no distribution groups or dynamic distribution groups
  - Slight delay (~10 mins) for group memberships to be picked up
- Per-user policy deployment means that policies need to be device agnostic, as users can have an iOS phone and an Android tablet (or any combination of supported devices)
- Also, if you are not a member of any group, you get no policy (i.e. no enforcement)
- Pain point: there is no "all users" group, which means that by default users don't get MDM policies
  - Our workaround is to use an 'In Cloud' security group that we populate with all synchronised users via a scheduled script
  - Current ticket open to see if there are any other alternatives (or a potential feature request)
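The "all users" workaround above, as an added example (this is not the presenters' script). It keeps a cloud-only security group in step with every licensed, directory-synchronised user, and it also removes members who have lost their licence or stopped being synchronised, which the slides do not spell out. It assumes the MSOnline module (current at the time of this talk, since deprecated in favour of Microsoft Graph PowerShell), a pre-existing cloud security group called `MDM-AllUsers` (a hypothetical name), and that the script runs from a scheduled task with an admin credential. Unlicensed users are deliberately left out of scope, matching the later lesson that users should only be added after they are licensed.

```powershell
<#
  Added example (not the presenters' script): keep a cloud-only security
  group in sync with every licensed, directory-synchronised user so that
  the group can carry the "all users" Office 365 MDM policy.

  Assumptions (not from the original slides):
  - MSOnline module (Connect-MsolService), current at the time of the talk
    and since deprecated in favour of Microsoft Graph PowerShell.
  - A cloud security group named 'MDM-AllUsers' already exists.
  - The script runs under a scheduled task with an admin credential.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string] $GroupName = 'MDM-AllUsers'   # hypothetical group name
)

Import-Module MSOnline
Connect-MsolService   # prompts interactively; pass -Credential when scheduled

# Resolve the target group and insist that it is a security group:
# MDM policies can only be targeted at security groups, not distribution groups.
$group = Get-MsolGroup -SearchString $GroupName |
    Where-Object { $_.DisplayName -eq $GroupName }
if (-not $group) { throw "Group '$GroupName' not found" }
if ($group.GroupType -ne 'Security') {
    throw "Group '$GroupName' is a $($group.GroupType) group; MDM needs a security group"
}

# Desired membership: synchronised users (LastDirSyncTime is only set for
# users that came from the on-premises directory) that are already licensed
# and not sign-in blocked. Unlicensed users are deliberately left out:
# adding a user before licensing them made policy assignment unreliable.
$desired = @{}
Get-MsolUser -All |
    Where-Object { $_.IsLicensed -and $null -ne $_.LastDirSyncTime -and -not $_.BlockCredential } |
    ForEach-Object { $desired[$_.ObjectId.ToString()] = $_ }

# Current membership of the group (users only; nested groups are ignored).
$current = @{}
Get-MsolGroupMember -GroupObjectId $group.ObjectId -All |
    Where-Object { $_.GroupMemberType -eq 'User' } |
    ForEach-Object { $current[$_.ObjectId.ToString()] = $_ }

# Add users that should be in the group but are not yet.
foreach ($id in $desired.Keys) {
    if ($current.ContainsKey($id)) { continue }
    $user = $desired[$id]
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, "Add to $GroupName")) {
        Add-MsolGroupMember -GroupObjectId $group.ObjectId `
            -GroupMemberType User -GroupMemberObjectId $user.ObjectId
    }
}

# Remove members that are no longer licensed or no longer synchronised, so a
# leaver whose licence has been reclaimed also drops out of the MDM scope.
foreach ($id in $current.Keys) {
    if ($desired.ContainsKey($id)) { continue }
    $member = $current[$id]
    if ($PSCmdlet.ShouldProcess($member.EmailAddress, "Remove from $GroupName")) {
        Remove-MsolGroupMember -GroupObjectId $group.ObjectId `
            -GroupMemberType User -GroupMemberObjectId $member.ObjectId
    }
}

Write-Verbose ("{0}: {1} desired, {2} current" -f $GroupName, $desired.Count, $current.Count)
```

Run it once with `-WhatIf` to see the adds and removes it would make before letting the scheduled task run it for real; because membership changes take around ten minutes to be picked up by MDM, schedule it more often than that only if you are happy with the extra directory load.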

13 On the field lessons learned
- Fresh new information (as of 3 hours ago)
- The Block functionality appears to be driven by whether the device supports the policies you have defined, rather than whether the policies are being applied
- As soon as you enrol, you will be asked to meet the policy; you can't "not do it". Or, if you changed the policy, the device says "you have 60 mins to change your PIN before being locked out"
- Therefore, use the Block function very sparingly, particularly if you have BYOD scenarios, as the Allow function does everything you want it to do

14 On the field lessons learned
- Fresh new information (as of 2 weeks later)
- We ended up removing the stacking policies: even though Microsoft Support says it is supported, we were seeing weird behaviour, so we removed it to avoid confusion
- We saw weird behaviour where group membership was not being recognised (and thus users not getting the MDM policy). In the end we only added the user to the MDM group after we had licensed the user. Adding non-licensed users, or adding them first and then assigning a licence, seemed to make it ignore group memberships in an erratic way

15 On the field lessons learned
- When migrating from an existing MDM solution (e.g. MobileIron):
  - Ensure you first remove the existing MDM policy / management profiles
  - If you can, do this on behalf of the user, e.g. in MobileIron we could 'retire' the profile remotely from the management console. Otherwise users get a poor enrolment experience (lots of pop-ups to go back and forth)
- Be prepared for users not being able to "re-enrol" the device themselves
  - Particularly as Android and iOS devices across different versions behave ever so slightly differently, making 100% accurate step-by-step instructions impossible
  - After extensive documentation, we managed to get the incident rate down to about 5-10%, which isn't too bad; however, the odd incident with mobile devices can end up taking 20 mins each because you have to walk the user through how to use their device
  - ProTip for Android: use TeamViewer QuickSupport if they are remote!

16 On the field lessons learned
- If using managed email profiles, instruct users to first get the Intune Company Portal app and enrol
  - Otherwise, if they try to create an email profile, they'll get an "enrolment required" message, get directed to install the Intune Company Portal, then be warned that they have to remove the existing profile as it needs to be managed, which overall can be frustrating/confusing for users
- If the user changes their password, instruct them to sign into the Intune Company Portal first to enter the new credentials
  - We found the other apps just constantly prompt for credentials and get stuck until you update the Intune app

17 On the field lessons learned: Troubleshooting pro tips
- Use the Exchange Online 'mobile' section to view 'ActiveSync' quarantined devices. This makes it easier to see who is trying to sign in and having device compliance issues
- If a user is having sign-in issues with apps on an enrolled, compliant device, it's probably because the app needs updating
- Stale records in the MDM portal are a known issue
  - Currently, stale records of devices that were not cleanly unenrolled remain for 30 days
  - Being looked at to allow individual removal of stale records
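The quarantined-device view above, pulled from Exchange Online PowerShell rather than the admin portal, as an added example (not from the original slides). It lists the ActiveSync devices Exchange Online is holding in quarantine together with the user, platform, the reason code and the last sync attempt, so a helpdesk can spot who is failing device compliance without clicking through the portal. It assumes the Exchange Online PowerShell module (`Connect-ExchangeOnline`) and a session holding the mobile device management role; the function name and the `-RecentDays` filter are my additions.

```powershell
<#
  Added example (not from the original slides): list the ActiveSync devices
  that Exchange Online has quarantined, with the user, platform and last
  sync attempt, so the helpdesk can see who is failing device compliance.

  Assumption: the Exchange Online PowerShell module (Connect-ExchangeOnline)
  is installed and the session has the mobile device management roles.
#>
function Get-QuarantinedMobileDeviceReport {
    [CmdletBinding()]
    param(
        # Only report devices whose last sync attempt is newer than this many
        # days; older quarantined records are usually stale leftovers.
        [int] $RecentDays = 7
    )

    $cutoff = (Get-Date).AddDays(-$RecentDays)

    # DeviceAccessState is the same state shown under the Exchange admin
    # centre's 'mobile' section; 'Quarantined' devices are held pending a
    # decision, so their owners will see sync or sign-in failures.
    Get-MobileDevice -ResultSize Unlimited |
        Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
        ForEach-Object {
            $device = $_
            # Statistics carry the sync timestamps that the device object lacks.
            $stats = Get-MobileDeviceStatistics -Identity $device.Identity
            if ($stats.LastSyncAttemptTime -and $stats.LastSyncAttemptTime -lt $cutoff) {
                return   # skip devices that have not tried to sync recently
            }
            [pscustomobject]@{
                User              = $device.UserDisplayName
                DeviceType        = $device.DeviceType
                Model             = $device.DeviceModel
                OS                = $device.DeviceOS
                AccessStateReason = $device.DeviceAccessStateReason
                LastSyncAttempt   = $stats.LastSyncAttemptTime
                LastSuccessSync   = $stats.LastSuccessSync
                DeviceId          = $device.DeviceId
            }
        } |
        Sort-Object User
}

Connect-ExchangeOnline
Get-QuarantinedMobileDeviceReport -RecentDays 7 | Format-Table -AutoSize
```

`DeviceAccessStateReason` tells you which rule put the device in quarantine (a global setting, an individual rule, a device rule or a policy), which is the quickest way to separate a device that genuinely fails the MDM policy from one caught by an unrelated ActiveSync access rule.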

18 Overall thoughts: Great improvement over ActiveSync policies
- Good 'entry level' MDM solution; provides businesses with at least some level of protection
- Generally the enrolment process is fairly seamless
- Selective wipe works really well (for the supported platforms), a good message for users concerned about BYOD of personal devices
- Some maturity around administration still required, but it is still early days and we expect improvements to come
- Would be nicer to see more consistent support of functionality across platforms

