How to prevent users automatically enrolling their mobile devices in MDM for O365

I am using MDM for Office 365 and need some advice on how to automatically prevent users from enrolling their mobile devices for email and where ActiveSync comes into play in all of this.

I do not have Azure premium.

Q.

Does MDM require the use of ActiveSync?

I have noticed that even if I turn off ActiveSync against a user mailbox, the user is still able to receive mobile email, so long as he/she meets the requirements of the default Mobile device mailbox policy (e.g. 4-digit passcode, etc.).

Typically the user will have an iPhone and the native mail client or the Outlook app.

Q.

There seem to be two locations to create a Mobile Device Policy:

Admin Centers > Exchange > Mobile > Mobile device mailbox policies

Admin Centers > Security & Compliance > Data Loss Prevention > Device security policies

Why are there two places for this? Is the first method used when just ActiveSync (without the Company Portal app) is used, and the second when MDM (with the Company Portal app) is used?

Q.

Which of the above policies takes precedence?

Q.

For:-

Admin Centers > Security & Compliance > Data Loss Prevention > Device security policies

There is a Deployment option to associate the policy with a security group.

  • Does the group need to be mail enabled to work?
  • What happens if the user does not belong to the group the policy is being deployed against?

Q.

How can I by default prevent users from receiving email if turning off ActiveSync fails to stop them?

I have managed to quarantine the device initially though.

(Attached screenshot: Exchange ActiveSync access settings.jpg)

Any comments or advice would be welcome.
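The following is an added example, not part of the original post and not Microsoft's own documentation. It shows how an Exchange Online administrator could audit the situation the post describes from PowerShell: the organisation-wide ActiveSync default access level (the "Exchange ActiveSync access settings" behind the quarantine the poster achieved), the per-mailbox ActiveSync switch and assigned mobile device mailbox policy, and the device partnerships that actually exist for each mailbox, including which client type each partnership uses. The user principal names and the admin notification address are placeholders, and the script assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example: audit and tighten Exchange ActiveSync device access in Exchange Online.
# Assumes the ExchangeOnlineManagement module; all addresses below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder

# 1. Organisation-wide default for devices that no access rule or per-user setting covers.
#    'Quarantine' holds a new device until an admin allows or blocks it; the other
#    permitted values are 'Allow' and 'Block'.
$org = Get-ActiveSyncOrganizationSettings
"Current default access level: $($org.DefaultAccessLevel)"
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'mdm-admins@contoso.example'               # placeholder

# 2. Per-mailbox view: is the ActiveSync protocol enabled for the mailbox, which mobile
#    device mailbox policy applies, and which devices have partnered with it.
#    Get-MobileDevice reports each partnership's ClientType (e.g. EAS vs the Outlook app)
#    and its current DeviceAccessState (Allowed, Blocked, Quarantined, ...).
$report = foreach ($cas in Get-CASMailbox -ResultSize Unlimited) {
    $devices = Get-MobileDevice -Mailbox $cas.Identity -ErrorAction SilentlyContinue
    foreach ($d in $devices) {
        [pscustomobject]@{
            Mailbox           = $cas.PrimarySmtpAddress
            ActiveSyncEnabled = $cas.ActiveSyncEnabled
            MailboxPolicy     = $cas.ActiveSyncMailboxPolicy
            DeviceId          = $d.DeviceId
            DeviceType        = $d.DeviceType
            ClientType        = $d.ClientType
            AccessState       = $d.DeviceAccessState
            AccessReason      = $d.DeviceAccessStateReason
        }
    }
}
$report | Sort-Object Mailbox | Format-Table -AutoSize

# 3. The case the post describes: mailboxes with ActiveSync disabled that still have an
#    allowed device partnership. The ClientType column shows which sync client is involved,
#    which is the first thing to check before deciding which control actually governs it.
$report | Where-Object { -not $_.ActiveSyncEnabled -and $_.AccessState -eq 'Allowed' }

# 4. Disable the ActiveSync protocol for one mailbox (placeholder UPN). This is the
#    per-user switch; it does not change the organisation default set in step 1.
Set-CASMailbox -Identity 'user@contoso.example' -ActiveSyncEnabled $false

Disconnect-ExchangeOnline -Confirm:$false
```

Run the audit (steps 2 and 3) before changing anything: the report makes it visible which of the two layers, the protocol switch on the mailbox or the organisation-wide access level, a given device is actually subject to, which is the question the post is really asking.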