Installing MDM Services

Mobile Device Management

Mobile Device Management (MDM) is an Office 365 service for securing and managing users’ mobile devices like iPhones, iPads, Androids, and Windows phones. Using MDM Office 365 administrators can

  • view an inventory of all enrolled devices that connect to an organization
  • create and manage device security policies
  • remotely wipe a device
  • view detailed device and management reports. Click open the steps below to activate and set up Mobile Device Management for Office 365.
1 - Activate MDM in Office 365

To manage mobile devices for Office 365 licensed users in your organization, you first need to activate the service in the Office 365 admin center.

Sign in to Office 365 with your work or school account.

Go to the Office 365 admin center.

Select Mobile Management.

Select “Let’s get started” to kick off the activation process

mdm get started page

It may take some time for the service to be provisioned. When it’s done, you’ll see the new Mobile Device Management for Office 365 page.

2 - Set up Mobile Device Management for Office 365

When the service is ready, complete the required steps to finish setup. You may need to click Manage settings on the Mobile Device Management for Office 365 page to see the following settings.

mdm confirmation

Configure an APNs Certificate for iOS devices

To manage iOS devices like iPad and iPhones, you need to create and install an APNs certificate in Office 365.

To do this,

1 – Next to Create an APNs Certificate for an iOS device, select Set up.

2 – Select Download your CSR file and save the Certificate signing request to a file location on your computer that you’ll remember.

mdm APNs certificate

3 – Select Next.

4 – Create an APN certificate.

  • Select Apple APNS Portal to open the Apple Push Certificates Portal.

mdm install apn 2

  • Sign in with an Apple ID.

IMPORTANT – Use a company Apple ID associated with an email account that will remain with your organization even if the user who manages the account leaves. Save this ID because you will need to use the same ID when it is time to renew the certificate.

  • Select Create a Certificate and accept the Terms of Use.
  • Browse to the Certificate signing request you downloaded to your computer from Office 365 and select Upload.
  • Download the APN certificate created by the Apple Push Certificate Portal to your computer.

TIP – if you are having trouble downloading the certificate, refresh your browser.

5 – Go back to Office 365 and select Next to get to the Upload APNS certificate page.

6 – Browse to the APN certificate you downloaded from the Apple Push Certificates Portal.

mdm upload APNS

7 – Select Finish.

Go back to Office 365 admin center > Mobile Management > Manage settings to complete setup.

Configure domains for MDM

If you do not have a custom domain associated with Office 365, you can skip this section. Otherwise, you’ll need to add DNS records for the domain at your DNS host. If you have added the records already, you are ready to proceed. After you add these records, Office 365 users in your organization who sign in with their mobile device with an email address that uses your custom domain can then be redirected to enroll in MDM for Office 365.

Find your domain registrar in the list provided in Create DNS records for Office 365 when you manage your DNS records and select the registrar name to go to step-by-step help for creating DNS records. Use those instructions to add the following two records:

mdm DNS records

After you add the two records, go back to Office 365 admin center > Mobile Device Management > Manage settings to complete setup.

Set up multi-factor authentication

If you don’t see multi-factor authentication (MFA) under Recommended steps you can skip this section. If this option is listed, we recommend you turn on MFA in the Azure AD portal to increase the security of the Mobile Device Management for Office 365 enrollment process. It is turned off by default.

MFA helps secure the sign in to Office 365 for mobile device enrollment by requiring a second form of authentication. Users are required to acknowledge a phone call, text message, or app notification on their mobile device after correctly entering their work account password. They can only enroll their device after this second form of authentication is completed. After users’ devices are enrolled in Mobile Device Management for Office 365, users can access Office 365 resources with just their work account.

Next to Set up multi-factor authentication, select Set up. To learn how to turn on MFA in the Azure AD portal, see Set up multi-factor authentication.

When you’re done, go back to Office 365 admin center > Mobile Management > Manage settings to complete setup.

Manage device security policies

Before you can start to manage mobile devices in your organization, you need to create a device security policy to enforce users to enroll their devices. This is covered in Step 3.

3 - Configure device security policies

Office 365 global administrators can create and deploy mobile device management policies to protect Office 365 organizational data. For example, to help prevent data loss if a user loses their device, you can create a policy to lock devices after 5 minutes of inactivity and have devices wiped after 3 sign-in failures.

In the Compliance Center, go to Devices to create device security policies and access rules.

mdm security policies

For step by step instructions on how to create a new policy, see Create and deploy mobile device management policies for Office 365.


  • When you create a new policy, you might want to set the policy to allow access and report policy violation where a user’s device isn’t compliant with the policy. This way you can see how many mobile devices would be impacted by the policy without blocking your organization’s access to Office 365.
  • Before deploying a new policy to everyone in your organization, we recommend you test it on the devices used by a small number of users.
  • Before deploying policies, let your organization know the potential impacts of enrolling a device in MDM for Office 365. Depending on how you set up the policies, non-compliant devices could be blocked access to Office 365 and data including installed applications, photos and personal information on an enrolled device could be deleted if the device is wiped. For more information, see Wipe a mobile device in Office 365.


4 - Enrolling users in MDM

After you’ve deployed a mobile device management policy, each licensed Office 365 user in your organization that the device policy applies to will receive an enrollment message the next time they sign into Office 365 from their mobile device. They must complete the enrollment and activation steps before they can access Office 365 email and documents. See Enroll your mobile device for work or school.

IMPORTANT If a user’s preferred language is not supported by the enrollment process, users may receive enrollment notification and steps on their mobile devices in another language. Not all languages supported in Office 365 are currently supported for the enrollment process on mobile devices.

Users with Android or iOS devices are required to install the Company Portal app as part of the enrollment process.

5 - Manage devices

Go to Office 365 admin center > Mobile Management to view device properties, access reports, and wipe devices.

mdm manage devices

Mobile device management for Office 365

mdm for office 365

Microsoft is expanding its built-in mobile device management (MDM) features built for Office 365.

Small businesses tend to adopt a BYOD (bring your own device) policy to mobile devices when granting email and in-house business information to its employees. However, as this article explains, giving employees wider access to business IT networks poses serious data protection and security risks.

The new tools enable network administrators to selectively restrict senstitive business information so that in the event of, for instance, a temporary loss emails and Word docs can be wiped from a mobile device while leaving an end user’s personal data and apps in place.

Large businesses use applications like Microsoft Intune to automate deployments and management of large mobile device fleets. Office 365 includes provisions for basic device management in its business and enterprise Office 365 services. In early 2015, these tools are being expanded to include:

  • configurable security policies on devices that connect to Office 365 to ensure that Office 365 business email and documents are synchronized only on phones and tablets that are managed by your company. For instance, whereas employees could potentially connect multiple devices including home PCs to services, Office 365 administrators can manage which devices a user can authenticate.
  • configurable security policies such as device level pin lock and jailbreak detection on devices to help prevent unauthorized users from accessing corporate email and data when a device is misplaced, lost or stolen.
  • remove Office 365 corporate data from authenticated devices when an employee leaves an organization, while leaving their personal data, photos and apps intact.

MDM for Office 365 is built directly into the productivity apps like Word, Excel, Outlook, etc., and mobile device policies can be managed with MDM within the Office 365 administration portal using the Office 365 user interface and wizard-based workflows. MDM generates ueful management reports detailing information about connected devices, including automated Wi-Fi, VPN and email profiles. Intune also provides bulk tools for pre-configuring large scale application delpoyment and can provide users with a self-service portal where they can enroll their own devices and install corporate apps.

Exchange mobile/tablet synch

Standalone Exchange licenses provide connectivity to users’ email accounts via mobile-enabled ActiveSync devices. Whereas Office 365 licenses provide up to 5 instances of Office 2013 apps, standalone Exchange does not provide Outlook for desktop or Office 2013 licenses for mobile devices. That is to say, while users can connect mobile phones, laptops, or tablets to their Exchange accounts via browsers or ActiveSync, Microsoft does not provide Office 2013 licenses for Outlook, Word, Excel, etc.

owa apple


Office 365 mobile/tablet support

As users distribute more content to multiple mobile devices, issues of data leakage, data privacy, and data protection become increasingly important. Microsoft Exchange can cope with connectivity to a maximum of 5 devices per user, so the number of devices exposing an organisation to liability under data protection laws extend far beyond the number of an organisation’s “on-premise” workstations.

In the event of a lost mobile phone, laptop, or tablet which contains your customers’ personal data by way of contact information, emails, and/or documents, it is not enough to ask a mbile phone supplier to stop a SIM card – many smartphones can continue to connect to cloud services wirelessly to access organizational information and contact information even after disconnection from telco services.

ComStat is an authorised Microsoft Clour Partner, and is additionally authorised as a qualified network administrator. This means our engineers have a thorough working knowledge of advanced Microsoft Exchange and Office 365 technologies to help organisations subscribing to our supported services to deal rapidly with “won’t happen to me” events like lost mobile phones so that policies can be established to configure devices by brand, model, or individual, invoke keypad security, and restrict or wipe organisational data in the event of loss, including overseas travel.

Exchange Email – mobile device management

From Sept 25th, ComStat is providing management services for users and organisations who need help managing business information on mobile devices like laptops, tablets, and mobile phones.

While users increasingly connect to organizational data using multiple devices, the pace for keeping up with the protection of sensitive business and personal information has fallen behind that curve. Losing a mobile phone is one thing. Loss or theft of a mobile phone which holds business data is a potentially serious issue, and one which can put entities in breach of data protection laws.

exchange mdm

ComStat’s mobile device management services enable us to manage an organisation’s mobile “fleet” in a number of ways:

1. Controlling access to services by equipment brand, or model, or user
2. Implementing selective or global PIN access to mobile devices
3. Temporary restrictions to services from mobile devices
4. Wiping all information associated with user accounts.

For instance, if Alex loses a mobile phone in Frankfurt, he can probably get the SIM stopped rapidly. However, without management tools of some kind in place, whoever has custody of the phone has potential access to everything on Alex’ desktop at work. On notofication of loss, ComStat engineers can invoke any of the techniques above to restrict or stop all services associated with Alex’ account instantly.

The issue of “mobile” data protection is important for another reason. Entities who give you or your organisation access to their personal data expect a duty of care requiring the “custodian” to use the data for the purposes it wa given and to protect it. In cases where mobile devices are lost, information which at law belongs to your customers and which falls into someone else’s hands may leave you or your organisation with reputational and potentially legal liability.

Please contact us for more information about data loss protection and mobile device management services.

Open chat
Scan the code
👋Scan the QR code or click open Chat to talk to us on WhatsApp.