MDM for Office 365 - better than EAS policies, but not quite full mobile device management

The March 30 announcement on the Office 365 blog that Microsoft is now making mobile device management (MDM) capabilities available within Office 365 has many attractive aspects for companies who are coping with the demands of BYOD, or Bring Your Own Device. On the surface, BYOD is great for both users and employers alike as it allows users to connect the mobile device of their choice to corporate resources while relieving companies of the need to qualify and provide suitable devices to users. But as we all know, BYOD has its dark side too, and unmanageable devices can wreak havoc on services and pose a huge security risk if sensitive corporate data ends up on devices. Microsoft's announcement has been coming for quite a while as it first surfaced at TechEd Europe in Barcelona last October. MDM is available to all of Microsoft's Office 365 "commercial" plans, which means everything except the Home or Personal plans sold to consumers.

Current industry trends show increasing demand for on-the-go access to information, so MDM for Office 365 is designed to manage access to Office 365 applications from a wide variety of devices, including Apple iPhones and iPads, Windows Phone, and Android devices. As implemented, MDM for Office 365 looks, smells, and behaves a lot like the existing Exchange ActiveSync (EAS) mobile device policies with the exception that MDM is intended to cover access to data from more than just Exchange mailboxes. To be fair to ActiveSync, the protocol was designed at a time when Bluetooth was a major connection method for mobile devices, many of which struggled to keep up with email. It's a testament to the foresight of the ActiveSync developers that the protocol has been stretched in so many ways to deal with so many circumstances, but it is showing signs of wear when faced with the challenges of today's mobile working environment.

The major functionality of MDM for Office 365 is divided into security policies, device management, and remote wipe. Policies are applied to devices to ensure that only devices which satisfy those policies can be used to access Office 365 applications. Device management works through the new Compliance Center to create and manage security policies, each of which is broken down into settings that control different aspects of device behavior. For example, in the policy settings shown in the screen shot, we can see that any device deemed to be "jailbroken" or "rooted" will be blocked from connecting.

The final piece of functionality is "selective wipe", meaning that MDM can remove Office 365 data, and only Office 365 data, from a device if required, such as when the device is lost or stolen. Any data deemed to be personal is left intact, which is better than the situation with an EAS wipe, which, depending on how the command is implemented in the EAS client, can end up removing everything from the device.

The Compliance Center is gradually showing up in Office 365 tenants who have First Release enabled. It will take some time before it and the new MDM capabilities are available throughout the service.

MDM for Office 365 is better than EAS policies but not as capable as Microsoft's full-blown Intune mobile device management suite. It's bundled into Office 365 to make sure that Microsoft has an answer to the very real customer need to protect and secure data that is downloaded to these devices, but the question of whether MDM is sufficient to meet the security needs of your organization is one that needs careful consideration. MDM for Office 365 is probably OK for small to medium companies, but Microsoft's own comparison with Intune reveals a number of areas where the larger enterprise might find the need to consider Intune or other alternatives. If required, Microsoft allows companies to sign up for a 30-day trial of Intune.

The bottom line is that MDM for Office 365 is a welcome advance on Exchange ActiveSync device management, but it offers entry-point mobile device management that might not meet your requirements.

Follow Tony @12Knocksinna
