Microsoft recently began rolling out the Office 365 MDM service. This is a subset of the Intune service; click here for an overview of the differences. Read more about MDM for Office 365 here, including the various SKUs that have MDM included.

This blog post will walk you through setting up MDM for Office 365.

First things first: you need to enable the service, and to do this you must be a Global Admin. In the Office 365 Admin Center, if MDM has been enabled in your tenant, you should find the Mobile Devices menu item on the left-hand side between External Sharing and Service Settings (not quite sure why it is not in the Service Settings area). Click on Mobile Devices and select Get Started.

(Testing note: I tried to set this up with the default company.onmicrosoft.com domain and never got it to work; switching to a vanity domain worked perfectly.)

Let the service get set up; as you can see above, this can take a few hours. I recommend letting it sit for at least one hour before moving forward.

Eventually you should be redirected automatically to the screen above. The first step is to select the Manage Settings link on the right.

The first thing to do is configure the domains for MDM. This consists of setting up DNS records to make MDM discovery and management easier for your end users.

As you can see above, two DNS CNAME entries are needed for each domain you want to use with MDM.
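Before moving on, it is worth confirming that the records actually resolve from the public internet, since device enrollment will fail silently if they are missing or point at the wrong target. The following is an added example, not code from the original post: a PowerShell check using Resolve-DnsName (Windows DnsClient module) for the two CNAMEs Microsoft documents for MDM for Office 365; the domain name is a placeholder you supply.

```powershell
# Added example (not from the original post): verify the two CNAME records that
# MDM for Office 365 expects for a vanity domain. Assumes Resolve-DnsName from
# the Windows DnsClient module is available; $Domain is a placeholder you pass in.
param(
    [Parameter(Mandatory = $true)]
    [string]$Domain   # e.g. contoso.com (placeholder)
)

# Expected host -> target pairs for MDM for Office 365 enrollment and registration.
$expected = [ordered]@{
    "EnterpriseEnrollment.$Domain"   = 'EnterpriseEnrollment.manage.microsoft.com'
    "EnterpriseRegistration.$Domain" = 'EnterpriseRegistration.windows.net'
}

$allGood = $true
foreach ($name in $expected.Keys) {
    $target = $expected[$name]
    try {
        # -DnsOnly bypasses the local hosts file and cache so we see what public resolvers see.
        $records = Resolve-DnsName -Name $name -Type CNAME -DnsOnly -ErrorAction Stop
    } catch {
        Write-Warning "MISSING  $name (no CNAME record found: $($_.Exception.Message))"
        $allGood = $false
        continue
    }

    # CNAME answers expose the canonical name in the NameHost property.
    $actual = ($records | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1).NameHost
    if ($actual -and ($actual.TrimEnd('.') -eq $target)) {
        Write-Host "OK       $name -> $actual"
    } else {
        Write-Warning "WRONG    $name -> '$actual' (expected $target)"
        $allGood = $false
    }
}

if ($allGood) {
    Write-Host "Both MDM CNAME records are in place for $Domain."
} else {
    Write-Host "Fix the records above and allow time for DNS propagation before enrolling devices."
    exit 1
}
```

Run it as `.\Check-MdmDns.ps1 -Domain contoso.com` after adding the records; a non-zero exit code means at least one record is missing or mis-targeted.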

You can also set up an APNs certificate for iOS devices. As I do not have any iOS devices, I am skipping this step.

Set up one or more security groups in Office 365 containing the users you want to deploy policies to, and possibly groups you want to exclude from policies: https://support.office.com/en-us/article/Create-edit-or-delete-a-security-group-55c96b32-e086-4c9e-948b-a018b44510cb?ui=en-US&rs=en-US&ad=US

Next up is to configure device security policies and access rules; select the highlighted link above.

Notice that you are now in the new Compliance Center. Select the Manage device access settings link to set up how you want to control devices.

I decided to block all unsupported devices; as you can see, you can add groups or users to bypass the access control policies. Click Save.

Back in the Device Management area, click on the + sign to create a new policy.

Give the policy a name and a description, then click Next.

Configure the device requirements and then click Next. Pay attention to the last two options. Selecting Allow access means the device must meet these requirements to gain access; if it does not meet them after initial enrollment, it will not have access. You can also set the policy to block and prevent instead.

There are additional settings for the device you can configure; click Next.

Select whether to apply this policy now or save it for later; if applying it, you must select at least one security group. Click Next.

Review and click Finish.

Wait until the Policy Status equals On (when first creating it you will probably see Turning On…).

After a device has been added (see my follow-up blog post on this) you can go to the Mobile Devices area to see a list of managed devices.

This is pretty straightforward and provides some great MDM functionality at no additional cost. I will be following up shortly with a blog post on what the end user experiences when adding an email profile to their phone.