Create and deploy device security policies



You can use Mobile Device Management for Office 365 to create security policies that help protect your organization’s information on Office 365 from unauthorized access. You can apply policies to any mobile device in your organization where the user of the device has an applicable Office 365 license and has enrolled the device in MDM for Office 365.

In this topic

Before you begin

  • To create and deploy mobile device management policies in Office 365, you need to be an Office 365 global admin. See Permissions in Office 365 Security & Compliance admin center.

  • Before you can create a mobile device policy, you must activate and set up MDM for Office 365. See Overview of Mobile Device Management for Office 365.

  • Learn about the devices, mobile device apps, and security settings that MDM for Office 365 supports. See Capabilities of Mobile Device Management for Office 365.

  • Create security groups that include Office 365 users that you want to deploy policies to and for users that you might want to exclude from being blocked access to Office 365. We recommend that before you deploy a new policy to your organization, you test the policy by deploying it to a small number of users. You can create and use a security group that includes just yourself or a small number Office 365 users that can test the policy for you. To learn more about security groups, see Create, edit, or delete a security group.

  • Before you deploy policies, let your organization know the potential impacts of enrolling a device in MDM for Office 365. Depending on how you set up the policies, noncompliant devices can be blocked from accessing Office 365 and data, including installed applications, photos, and personal information on an enrolled device, can be deleted.

Note: Policies and access rules created in MDM for Office 365 will override Exchange ActiveSync mobile device mailbox policies and device access rules created in the Exchange admin center. After a device is enrolled in MDM for Office 365, any Exchange ActiveSync mobile device mailbox policy or device access rule applied to the device will be ignored. To learn more about Exchange ActiveSync, see Exchange ActiveSync in Exchange Online.

Step 1: Create security policy and deploy to a test group

  1. In Office 365, go to Security & Compliance Center > Security policies> Device security policies.

  2. Select Add Add icon .

  3. Enter a Name and Description for the new policy, and select Next.

  4. Select the requirements you want applied to mobile devices in your organization.

  5. Choose to allow the device access to Office 365 and report the violation, or block the device and report the violation. Then select Next.

    Select whether to block access or allow access but report violation.
  6. Select any other configurations you want to apply to mobile devices, and select Next.

  7. Select Apply it to one or more security groups.

  8. Select Add Add icon .

  9. Enter a security group name that has members who will test the policy before you deploy it to your organization. The list is empty until you type a security group name, or part of a name, and then click the search icon. Or type * and then click the search icon to see a list of all the groups.

    Type security group name and search.
  10. Select the name, and select Add.

  11. Select Ok, and then Next.

  12. Review and confirm the details of the new device policy, and select Finish.

Each user that the policy applies to will have the policy pushed to their device the next time they sign in to Office 365 from their mobile device. If users haven't had a policy applied to their mobile device before, then after you deploy the policy, they’ll get a notification on their device that includes the steps to enroll and activate MDM for Office 365. Until they complete enrollment, access to email, OneDrive, and other services will be restricted. After they complete enrollment using the Intune Company Portal app, they'll be able to use the services and the policy will be applied to their device.

Step 2: Verify policy works as expected

After you’ve created a security policy, you should check that the policy works as you expect before you deploy it to your organization.

  1. In Office 365, go to Security & Compliance Center > Reports > Device compliance report.

  2. Check the status of user devices that have the policy applied. You can filter or sort by Status to view Compliant devices or devices with Reported violations or Blocked access to Office 365.

  3. Select a device to see what policies are applied to it.

  4. If you need to change a policy, do the following:

    1. Select Security policies > Device security policies.

    2. Select the policy and click Edit Edit icon .

    3. Make your changes to the policy, and then select Save.

When you’re comfortable with the results of the device compliant report after testing your policy, you’re ready to deploy it to your organization.

Step 3: Deploy policy to your organization

After you’ve created a mobile device policy and verified that it works as expected, deploy it to your organization.

  1. In Office 365, go to Security & Compliance Center > Security policies> Device security policies.

  2. Select the policy you want to deploy, and select Edit Edit icon .

  3. Select the Deployment tab.

  4. Select Apply it to one or more security groups.

  5. Select Add Add icon to deploy the policy more broadly to your organization.

  6. Enter a security group name.

  7. Select the name, and select Add.

  8. Select Ok and then Save.

Each user that the policy applies to will have the policy pushed to their device the next time they sign in to Office 365 from their mobile device. If users haven't had a policy applied to their mobile device, they’ll get a notification on their device with steps to enroll and activate it for MDM for Office 365. After they’ve completed the enrollment, the policy will be applied to their device.

Step 4: Block Exchange ActiveSync email access for unsupported devices

To help secure your organization’s information, you should block Exchange ActiveSync app access to Office 365 email for mobile devices that are not supported by MDM for Office 365. To do this:

  1. In the Security & Compliance Center, go to Devices.

  2. Select Manage device access settings.

    Go to Compliance Center > Devices and click the Manage device access settings link.
  3. Select Block.

    Block unsupported devices.
  4. Select Save.

To learn what devices MDM for Office 365 supports, see Capabilities of Mobile Device Management for Office 365.

Step 5: Choose security groups to be excluded from conditional access checks

If you want to exclude some people from conditional access checks on their mobile devices and you've created one or more security groups for those people, add the security groups here. The people in these groups will not have any policies enforced for their supported mobile devices.

  1. Go to Security & Compliance Center> Security policies> Device security policies.

  2. Select Manage organization-wide device access settings.

    Go to Compliance Center > Devices and click the Manage device access settings link.
  3. Select Add Add icon to add the security group that has users that you’d like to exclude from being blocked access to Office 365. When a user has been added to this list, they’ll be able to access Office 365 email when using an unsupported device.

    Note: Any members of the security group you add will also be excluded from being blocked access to Office 365 when using a noncompliant device.

    Block unsupported devices.
  4. Enter the security group.

  5. Select the name, and select Add.

  6. Select Ok and then Save.

What is the impact of security policies on different device types?

When you apply a policy to user devices, the impact on each device varies somewhat between different device types. See the following table for examples of the impact of policies on different devices.

Security Policy

Windows Phone 8.1+

Android 4+

Samsung Knox

IOS 6+

Notes

Require encrypted backup

IOS encrypted backup required.

Block cloud backup

Block Google backup on Android (grayed out), cloud backup on iOS.

Block document synchronization

iOS: Block documents in the cloud.

Block photo synchronization

iOS (native): Block Photo Stream.

Block screen capture

X

Blocked when attempted.

Block video conference

FaceTime blocked on iOS, not Skype or others.

Block sending diagnostic data

X

Block sending Google crash report on Android.

Block access to app store

X

App store icon missing on Android home page, disabled on Windows, missing on iOS.

Require password for app store

iOS: Password required for iTunes purchases.

Block connection to removable storage

X

NA

Android: SD card will be grayed out in settings, Windows notifies user, apps installed there are not available

Block Bluetooth connection

***

***

***We can't disable BlueTooth as a setting on Android. Instead, we disable all the transactions that require BlueTooth: Advanced Audio Distribution, Audio/Video Remote Control, hands-free devices, headset, Phone Book Access, and Serial Port. A small toast message appears at the bottom of the page when any of these are used.

What happens when you delete a policy or remove a user from the policy?

When you delete a policy or remove a user from a group to which the policy was deployed to, the policy settings, Office 365 email profile and cached emails may be removed from the user's device. See the following table to see what is removed for the different device types:

What's removed

Windows Phone 8.1+

iOS 6+

Android 4+ (including Samsung Knox)

Managed email profiles*

Policy settings


Except for Block sending diagnostic data from device.

Note: *If the policy was deployed with the option Email profile is managed selected, then the managed email profile and cached emails in that profile will be deleted from the user's device.

Each user that the removed policy applied to will have the policy removed from their device the next time their mobile device checks in with MDM for Office 365 . If you deploy a new policy that applies to these users' devices, they'll be prompted to re-enroll in MDM for Office 365.

You can also wipe a device, either completely, or selectively wipe organizational information from the device.

See Also

Overview of Mobile Device Management for Office 365

Capabilities of Mobile Device Management for Office 365

Share Facebook Facebook Twitter Twitter Email Email

Was this information helpful?

Great! Any other feedback?

How can we improve it?

Thank you for your feedback!

×