
MDM License requirements.


Dear Community,

I have been tasked with researching MDM deployment and enrollment.

Our current situation:

We currently have a hybrid environment synchronizing with AAD but have O365 for our mail exchange.

We only have Office 365 Business Essentials licenses and we would like to deploy MDM.

Where we want to go:

We would like to manage what applications can be used to synchronize company mail, for example Company Portal. I would preferably like this to be enforced so the native mail applications are not able to be configured to synchronize mail. That said, if users don't enroll using the Company Portal app, configuring their email address is not possible. I would like to remotely wipe at least mail access and content from the administration portal. If remotely wiping a device is also possible, it's a plus.

I don't know if this is feature based or license based. I know that the Company Portal application is related to Intune, but upon logging in to the Azure AD portal I see that I need a premium subscription to use Intune. But is this also necessary to deploy specific policies and enforce what I would like to achieve?

I created

I will kindly wait for feedback and replies.

2 Replies
Solution

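@cbraafhart Hi, there are various options; the first to check out is the following:

Leveraging Mobile Device Management for Office 365 (https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/secure-outlook-for-ios-and-android#leveraging-mobile-device-management-for-office-365)

Note the limitations mentioned; however, this is available with the Office 365 Business Essentials license at no extra cost:

"Because this is a device management solution, there is no native capability to control which apps can be used even after a device is enrolled. If you want to limit access to Outlook for iOS and Android, you will need to obtain Azure Active Directory Premium licenses and leverage the conditional access policies."

Microsoft 365 Business (at extra expense) would be the best option, which includes Microsoft Intune and Azure AD Premium (which can also be bought separately as an add-on). This opens up much more control:

Block all email apps except Outlook for iOS and Android using conditional access (https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/secure-outlook-for-ios-and-android#block-all-email-apps-except-outlook-for-ios-and-android-using-conditional-access)

You can also use Intune app protection policies for additional security, including for personal devices that aren't enrolled:

Protect corporate data in Outlook for iOS and Android using Intune app protection policies (https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/secure-outlook-for-ios-and-android#protect-corporate-data-in-outlook-for-ios-and-android-using-intune-app-protection-policies)

Selective app-based wipe is also available as outlined here (https://docs.microsoft.com/en-us/intune/apps/apps-selective-wipe).

This can similarly be applied not only to email but also to SharePoint, OneDrive, Teams etc. If you are new to Conditional Access, this is a good place to start (https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview)!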

@CianAllner

I have read the supplied links. What I would like to achieve is not possible with just Mobile Device Management for Office 365. It will give me the opportunity to set policies and secure wipe the phones, but I can't control which app they use to synchronise their email. I have to set up a test pilot and try to configure MDM for O365 using specific policies to achieve the minimum I would like to achieve. But your information was very helpful. But for now I know enough.