First published on TechNet on Oct 05, 2016
Updated: 8/20/21 - Post refresh.
By Joel Stevens - Microsoft Support Escalation Engineer | Microsoft Endpoint Manager - Intune
When setting up mobile device management (MDM) for your Microsoft 365 organization, you activate Basic Mobility and Security to manage access control, and create and apply a device security policy to groups of users. When targeted users sign in to Microsoft 365 from their mobile devices, they will be prompted to enroll their devices in Basic Mobility and Security using the Intune Company Portal. Their access to email, OneDrive, and other services is restricted until they complete enrollment. An example notification is below:
You can find more information on the enrollment process for mobile devices in Office 365 here.
After implementing Basic Mobility and Security in your environment, you might decide to stop enforcing access control. There are different strategies to consider to minimize the impact to your end-users.
Note: It is not currently possible to “turn off” Basic Mobility and Security. If you are switching to a third-party MDM provider, you can follow the steps in this article to remove access control, and there should not be any further impact. There is no need to contact Microsoft Support unless you plan to use System Center Configuration Manager to manage your mobile devices via Microsoft Intune.
If you want to temporarily unblock a noncompliant or unsupported device, you can manually override the quarantine rules.
Note: This action is only available in the Classic Exchange admin center.
Note: If Intune access control is still enforced, the device will be quarantined again in about four hours.
If you want to permanently exempt some or all users from access control, remove the applicable security group(s) from your device security policy. This immediately unblocks their access restrictions.
If you prefer to stop Intune enrollment requests for your entire organization, then you should delete all device security policies. Alternatively, you can edit the policy’s deployment settings to remove access control for specific security groups.
Note: Due to the way devices are granted access to email and other Microsoft 365 resources, it can take up to eight hours before access is restored after deleting the security policy. See the second option above for steps to lift the quarantine sooner.
See the following documentation for more information about Basic Mobility and Security:
Capabilities of Basic Mobility and Security
Set up Basic Mobility and Security
Basic Mobility and Security frequently asked questions (FAQ)
If you have any questions, reply to this post or reach out to @IntuneSuppTeam on Twitter.
Joel Stevens, Support Escalation Engineer
Microsoft Enterprise Cloud Group
Microsoft O365