Installing MDM Services

Mobile Device Management

Mobile Device Management (MDM) is an Office 365 service for securing and managing users’ mobile devices like iPhones, iPads, Androids, and Windows phones. Using MDM, Office 365 administrators can:

  • view an inventory of all enrolled devices that connect to an organization
  • create and manage device security policies
  • remotely wipe a device
  • view detailed device and management reports

Click open the steps below to activate and set up Mobile Device Management for Office 365.
1 - Activate MDM in Office 365

To manage mobile devices for Office 365 licensed users in your organization, you first need to activate the service in the Office 365 admin center.

Sign in to Office 365 with your work or school account.

Go to the Office 365 admin center.

Select Mobile Management.

Select “Let’s get started” to kick off the activation process.

mdm get started page

It may take some time for the service to be provisioned. When it’s done, you’ll see the new Mobile Device Management for Office 365 page.

2 - Set up Mobile Device Management for Office 365

When the service is ready, complete the required steps to finish setup. You may need to click Manage settings on the Mobile Device Management for Office 365 page to see the following settings.

mdm confirmation

Configure an APNs Certificate for iOS devices

To manage iOS devices like iPad and iPhones, you need to create and install an APNs certificate in Office 365.

To do this,

1 – Next to Create an APNs Certificate for an iOS device, select Set up.

2 – Select Download your CSR file and save the Certificate signing request to a file location on your computer that you’ll remember.

mdm APNs certificate

3 – Select Next.

4 – Create an APN certificate.

  • Select Apple APNS Portal to open the Apple Push Certificates Portal.

mdm install apn 2

  • Sign in with an Apple ID.

IMPORTANT – Use a company Apple ID associated with an email account that will remain with your organization even if the user who manages the account leaves. Save this ID because you will need to use the same ID when it is time to renew the certificate.

  • Select Create a Certificate and accept the Terms of Use.
  • Browse to the Certificate signing request you downloaded to your computer from Office 365 and select Upload.
  • Download the APN certificate created by the Apple Push Certificate Portal to your computer.

TIP – If you are having trouble downloading the certificate, refresh your browser.

5 – Go back to Office 365 and select Next to get to the Upload APNS certificate page.

6 – Browse to the APN certificate you downloaded from the Apple Push Certificates Portal.

mdm upload APNS

7 – Select Finish.

Go back to Office 365 admin center > Mobile Management > Manage settings to complete setup.

Configure domains for MDM

If you do not have a custom domain associated with Office 365, you can skip this section. Otherwise, you’ll need to add DNS records for the domain at your DNS host. If you have added the records already, you are ready to proceed. After you add these records, Office 365 users in your organization who sign in with their mobile device with an email address that uses your custom domain can then be redirected to enroll in MDM for Office 365.

Find your domain registrar in the list provided in Create DNS records for Office 365 when you manage your DNS records and select the registrar name to go to step-by-step help for creating DNS records. Use those instructions to add the following two records:

mdm DNS records

After you add the two records, go back to Office 365 admin center > Mobile Device Management > Manage settings to complete setup.

Set up multi-factor authentication

If you don’t see multi-factor authentication (MFA) under Recommended steps you can skip this section. If this option is listed, we recommend you turn on MFA in the Azure AD portal to increase the security of the Mobile Device Management for Office 365 enrollment process. It is turned off by default.

MFA helps secure the sign in to Office 365 for mobile device enrollment by requiring a second form of authentication. Users are required to acknowledge a phone call, text message, or app notification on their mobile device after correctly entering their work account password. They can only enroll their device after this second form of authentication is completed. After users’ devices are enrolled in Mobile Device Management for Office 365, users can access Office 365 resources with just their work account.

Next to Set up multi-factor authentication, select Set up. To learn how to turn on MFA in the Azure AD portal, see Set up multi-factor authentication.

When you’re done, go back to Office 365 admin center > Mobile Management > Manage settings to complete setup.

Manage device security policies

Before you can start to manage mobile devices in your organization, you need to create a device security policy that requires users to enroll their devices. This is covered in Step 3.

3 - Configure device security policies

Office 365 global administrators can create and deploy mobile device management policies to protect Office 365 organizational data. For example, to help prevent data loss if a user loses their device, you can create a policy to lock devices after 5 minutes of inactivity and have devices wiped after 3 sign-in failures.

In the Compliance Center, go to Devices to create device security policies and access rules.

mdm security policies

For step by step instructions on how to create a new policy, see Create and deploy mobile device management policies for Office 365.


  • When you create a new policy, you might want to set the policy to allow access and report policy violation where a user’s device isn’t compliant with the policy. This way you can see how many mobile devices would be impacted by the policy without blocking your organization’s access to Office 365.
  • Before deploying a new policy to everyone in your organization, we recommend you test it on the devices used by a small number of users.
  • Before deploying policies, let your organization know the potential impacts of enrolling a device in MDM for Office 365. Depending on how you set up the policies, non-compliant devices could be blocked from accessing Office 365, and data on an enrolled device, including installed applications, photos and personal information, could be deleted if the device is wiped. For more information, see Wipe a mobile device in Office 365.
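The policy described above (lock after 5 minutes of inactivity, wipe after 3 failed sign-ins) and the pilot-first rollout advice can also be driven from PowerShell. The following is an added example, not code from the original post or from Microsoft; it uses Exchange Online's mobile device mailbox policy cmdlets, which enforce the same thresholds on ActiveSync clients, rather than the Compliance Center policy the steps above describe. It assumes the ExchangeOnlineManagement module is installed and the account used holds an Exchange admin role; the admin address, policy name and pilot group name are hypothetical.

```powershell
# Added example (not from the original post): an Exchange Online mobile device
# mailbox policy carrying the thresholds above (lock after 5 minutes idle, wipe
# after 3 failed unlocks), rolled out to a pilot group first and then reported on.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role; the
# admin account, policy name and pilot group name are hypothetical.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$policyName = 'Corporate-Mobile-Baseline'   # hypothetical policy name
$pilotGroup = 'MDM-Pilot'                    # hypothetical distribution group

# Create the policy once; re-running the script only refreshes the report.
if (-not (Get-MobileDeviceMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    $settings = @{
        Name                         = $policyName
        PasswordEnabled              = $true      # device must have a PIN or passcode
        MinPasswordLength            = 6
        MaxInactivityTimeLock        = '00:05:00' # lock the device after 5 minutes idle
        MaxPasswordFailedAttempts    = 3          # device wipes itself after 3 failed unlocks
        AllowNonProvisionableDevices = $false     # refuse clients that cannot apply the policy
        IsDefault                    = $false     # pilot first; not yet the tenant default
    }
    New-MobileDeviceMailboxPolicy @settings | Out-Null
}

# Assign the policy to the pilot users only, not the whole organisation.
$pilotUsers = Get-DistributionGroupMember -Identity $pilotGroup |
    Select-Object -ExpandProperty PrimarySmtpAddress
foreach ($upn in $pilotUsers) {
    Set-CASMailbox -Identity $upn -ActiveSyncMailboxPolicy $policyName
}

# Report which pilot devices have applied the policy. A device whose status is
# anything other than 'AppliedInFull' has not met the policy yet, which shows
# the impact before the policy is pushed to everyone.
$report = foreach ($upn in $pilotUsers) {
    Get-MobileDeviceStatistics -Mailbox $upn |
        Select-Object @{ n = 'User'; e = { $upn } }, DeviceType, DeviceModel, DeviceOS,
                      DevicePolicyApplied, DevicePolicyApplicationStatus, LastSuccessSync
}
$report | Format-Table -AutoSize
$report | Where-Object { $_.DevicePolicyApplicationStatus -ne 'AppliedInFull' }
```

Keeping IsDefault at $false is what makes the pilot safe: the policy touches only the mailboxes it is explicitly assigned to, and the last line lists the devices that would be affected once it is made the default.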


4 - Enrolling users in MDM

After you’ve deployed a mobile device management policy, each licensed Office 365 user in your organization that the device policy applies to will receive an enrollment message the next time they sign into Office 365 from their mobile device. They must complete the enrollment and activation steps before they can access Office 365 email and documents. See Enroll your mobile device for work or school.

IMPORTANT – If a user’s preferred language is not supported by the enrollment process, users may receive the enrollment notification and steps on their mobile devices in another language. Not all languages supported in Office 365 are currently supported for the enrollment process on mobile devices.

Users with Android or iOS devices are required to install the Company Portal app as part of the enrollment process.

5 - Manage devices

Go to Office 365 admin center > Mobile Management to view device properties, access reports, and wipe devices.

mdm manage devices

Google’s mobile-friendly update affects web site owners

From 21st April Google searches will prioritize web sites that are optimised for mobile browsing. The effect will be to weight results against web site owners whose sites do not deliver “mobile friendly” content.

A mobile friendly web site, like the one below from our design studios, is one which renders its layout “on the fly” according to the dimensions of the device asking for content. This may include resizing images, changing column widths, and re-arranging layout so that information can be optimally displayed on tablets or mobile phones.


Until recently, web sites have been developed primarily for desktop and laptop display. This poses problems for users who want to view web sites on small screens, and Google thinks this matters. For instance, users might have trouble using page links that are designed for mouse clicks rather than index fingers. Also, without changing column widths to suit small screens, users may have to scroll across the screen several times on a tablet or mobile phone to read one line of text before scrolling back to the left margin for the next line.

A mobile friendly, or mobile-responsive site, is capable of re-ordering textual and graphical content to deliver a web page in the best format for the device that is calling for the content whether the device is a mobile phone, tablet, laptop, desktop, or even a large television screen.

Business decision makers still tend to rely on a desktop layout when deciding on a new web site. However, Google’s attitude is that “desktop” searches are rapidly losing pace to searches from other devices. Google’s findings are based on their own statistics. The proliferation of devices available to consumers means that modern web sites need to deliver alternate layouts to give users a good experience. The web site below, again from our design studios, shows that a fully mobile responsive web site is capable of re-positioning headers, navigation bars, and image sizes. In this case, the web site’s “sidebar” has also been repositioned in the mobile phone layout so that a user scrolling down the page finds the sidebar at the end of the page.


In this way, the choice of desktop layout that the decision maker opted for when choosing a web site is irrelevant to other devices. According to market analyst Comcast, the number of mobile devices using the Internet exceeded conventional desktop machines in 2014, and with smart-phone ownership in countries like the UK and USA already in the hands of 60% of the general public, search engines are responding to user trends which indicate an increasing reliance on portable and mobile devices.

As Google responds to increasing search requests from portable devices, it is weighting its results to take account of the format in which the information it finds is delivered.

Regardless of the techniques businesses use to improve their “relevance” to search engines, Google’s announcement means that web sites which are not optimized for mobile devices are being discounted.

Google makes changes to its algorithms twice a month on average. The search engine emphasizes search results that connect users with relevant content in an easily interpreted format. Google’s new attitude recognizes for the first time that web sites designed on the basis of desktop appearance alone no longer meet the needs of a market that is predominantly “mobile” based. Web site owners may argue that end users still rely on desktop machines for their web sites. Google says that this is just not the case any more, and its move to prioritize mobile friendly sites suggests that relying on desktop layouts alone is a moot point if consumers have found competing content that Google has positioned for delivery in a format specific to the device that ran the search in the first place.

Read Google’s announcement here.

Exchange mobile/tablet synch

Standalone Exchange licenses provide connectivity to users’ email accounts via mobile-enabled ActiveSync devices. Whereas Office 365 licenses provide up to 5 instances of Office 2013 apps, standalone Exchange does not provide Outlook for desktop or Office 2013 licenses for mobile devices. That is to say, while users can connect mobile phones, laptops, or tablets to their Exchange accounts via browsers or ActiveSync, Microsoft does not provide Office 2013 licenses for Outlook, Word, Excel, etc.

owa apple


Office 365 mobile/tablet support

As users distribute more content to multiple mobile devices, issues of data leakage, data privacy, and data protection become increasingly important. Microsoft Exchange can cope with connectivity to a maximum of 5 devices per user, so the number of devices exposing an organisation to liability under data protection laws extends far beyond the number of an organisation’s “on-premise” workstations.

In the event of a lost mobile phone, laptop, or tablet which contains your customers’ personal data by way of contact information, emails, and/or documents, it is not enough to ask a mobile phone supplier to stop a SIM card – many smartphones can continue to connect to cloud services wirelessly to access organizational information and contact information even after disconnection from telco services.

ComStat is an authorised Microsoft Cloud Partner, and is additionally authorised as a qualified network administrator. This means our engineers have a thorough working knowledge of advanced Microsoft Exchange and Office 365 technologies to help organisations subscribing to our supported services to deal rapidly with “won’t happen to me” events like lost mobile phones, so that policies can be established to configure devices by brand, model, or individual, invoke keypad security, and restrict or wipe organisational data in the event of loss, including during overseas travel.

Exchange Email – mobile device management

From Sept 25th, ComStat is providing management services for users and organisations who need help managing business information on mobile devices like laptops, tablets, and mobile phones.

While users increasingly connect to organizational data using multiple devices, the pace for keeping up with the protection of sensitive business and personal information has fallen behind that curve. Losing a mobile phone is one thing. Loss or theft of a mobile phone which holds business data is a potentially serious issue, and one which can put entities in breach of data protection laws.

exchange mdm

ComStat’s mobile device management services enable us to manage an organisation’s mobile “fleet” in a number of ways:

1. Controlling access to services by equipment brand, or model, or user
2. Implementing selective or global PIN access to mobile devices
3. Temporary restrictions to services from mobile devices
4. Wiping all information associated with user accounts.

For instance, if Alex loses a mobile phone in Frankfurt, he can probably get the SIM stopped rapidly. However, without management tools of some kind in place, whoever has custody of the phone has potential access to everything on Alex’ desktop at work. On notification of loss, ComStat engineers can invoke any of the techniques above to restrict or stop all services associated with Alex’ account instantly.
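The four controls listed above, and the lost-phone scenario, map onto Exchange Online mobile device cmdlets. The following is an added example, not ComStat’s own tooling or code from the original post; it assumes the ExchangeOnlineManagement module and an Exchange admin role, and the admin address, user mailbox, notification address and device model string are hypothetical. Note the ordering: a remote wipe is delivered to the handset on its next sync attempt, so the wipe is queued and acknowledged before the mailbox’s ActiveSync access is switched off.

```powershell
# Added example (not ComStat's own tooling): the controls listed above, expressed
# with Exchange Online mobile device cmdlets for a "lost phone" incident. Assumes
# the ExchangeOnlineManagement module and an Exchange admin role; the admin,
# user and notification addresses and the device model string are hypothetical.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$adminAlerts = 'mdm-admins@contoso.example'   # hypothetical notification mailbox

# 1. Control access by equipment model: quarantine an unapproved model tenant-wide so
#    an admin must approve it before it syncs. Match on the DeviceModel string that
#    Get-MobileDevice reports for that hardware (hypothetical value below).
New-ActiveSyncDeviceAccessRule -QueryString 'UnapprovedModel-123' `
    -Characteristic DeviceModel -AccessLevel Quarantine
Set-ActiveSyncOrganizationSettings -AdminMailRecipients $adminAlerts

# 2. PIN enforcement is a policy setting (PasswordEnabled / MinPasswordLength on a
#    mobile device mailbox policy) assigned per mailbox:
#    Set-CASMailbox -Identity <user> -ActiveSyncMailboxPolicy <policy>

# --- Lost-phone handling for one user ---
$user = 'alex@contoso.example'   # hypothetical

# Enumerate the devices that have synced this mailbox, most recent activity first.
$devices = @(Get-MobileDeviceStatistics -Mailbox $user |
    Sort-Object LastSuccessSync -Descending |
    Select-Object Identity, DeviceType, DeviceModel, DeviceOS, LastSuccessSync)
$devices | Format-Table -AutoSize
$lost = $devices[0]   # in practice, confirm which device with the user before wiping

# 4. Wipe organisation data only (-AccountOnly); drop the switch for a full device reset.
#    The command is delivered when the device next connects, so it must be queued
#    while the mailbox can still sync.
Clear-MobileDevice -Identity $lost.Identity -AccountOnly `
    -NotificationEmailAddresses $adminAlerts -Confirm:$false

# Track the wipe: RequestTime is set now, SentTime when the device connects,
# AckTime when the device confirms. Poll for up to 6 minutes.
$tries = 0
do {
    Start-Sleep -Seconds 30
    $status = Get-MobileDeviceStatistics -Identity $lost.Identity
    $tries++
} until ($status.DeviceWipeAckTime -or $tries -ge 12)
$status | Select-Object DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime

# 3. Temporary restriction: once the wipe is acknowledged (or the wait has expired and
#    the account password has been reset), stop every device from syncing the account
#    until a replacement phone is issued.
Set-CASMailbox -Identity $user -ActiveSyncEnabled $false

# When the replacement arrives, restore sync for the user:
# Set-CASMailbox -Identity $user -ActiveSyncEnabled $true
```

The -AccountOnly switch is the practical middle ground the text alludes to: it removes the organisation's mail, contacts and documents from the handset without touching the owner's photos or personal apps, which matters when the device turns out to be merely misplaced.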

The issue of “mobile” data protection is important for another reason. Entities who give you or your organisation access to their personal data expect a duty of care requiring the “custodian” to use the data for the purposes it was given and to protect it. In cases where mobile devices are lost, information which at law belongs to your customers and which falls into someone else’s hands may leave you or your organisation with reputational and potentially legal liability.

Please contact us for more information about data loss protection and mobile device management services.
