Set up Basic Mobility and Security

The built-in Basic Mobility and Security for Microsoft 365 helps you secure and manage users' mobile devices such as iPhones, iPads, Androids, and Windows phones. You can create and manage device security policies, remotely wipe a device, and view detailed device reports.

Have questions? For a FAQ to help address common questions, see Basic Mobility and Security Frequently asked questions (FAQs). Be aware that you cannot use a delegated administrator account to manage Basic Mobility and Security. For more info, see Partners: Offer delegated administration.

Activate the Basic Mobility and Security service

  1. Sign in to Microsoft 365 with your global admin account.

  2. Go to Activate Basic Mobility and Security.

    It can take some time to activate Basic Mobility and Security. When it finishes, select Manage devices on the page. You'll also receive an email that explains the next steps to take if you don't see the Manage devices page.

Set up Mobile Device Management

When the service is ready, complete the following steps to finish setup.

Step 1: (Required) Configure domains for Basic Mobility and Security

If you don't have a custom domain associated with Microsoft 365 or if you're not managing Windows devices, you can skip this section. Otherwise, you'll need to add DNS records for the domain at your DNS host. If you've added the records already, as part of setting up your domain with Microsoft 365, you're all set. After you add the records, Microsoft 365 users in your organization who sign in on their Windows device with an email address that uses your custom domain are redirected to enroll in Basic Mobility and Security.

Need help with setting up the records? In the list provided in Add DNS records to connect your domain, find your domain registrar and select its name to go to step-by-step help for creating DNS records. Use the following details to create the two CNAME records:

Type   Host name                                   Points to                                    TTL
CNAME  EnterpriseEnrollment.company_domain.com     EnterpriseEnrollment-s.manage.microsoft.us   1 hour
CNAME  EnterpriseRegistration.company_domain.com   EnterpriseRegistration.windows.net           1 hour

After you add the two CNAME records, go back to the Security & Compliance Center and go to Data loss prevention > Device management to complete the next step.
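Before telling Windows users to sign in, it is worth confirming that both CNAME records actually resolve to the targets in the table above, since a typo in either host silently breaks enrollment redirection. The script below is an added example, not part of this article; it parses dig-style answer lines (a constructed sample is embedded, with one record deliberately mistyped) and compares them with the expected records for a custom domain. The `query_live` helper is an assumption that the `dig` tool is installed and that network access is available.

```python
import subprocess

# Expected CNAME targets, taken from the table in this article.
# The enrollment target shown on this page is the .us endpoint; change it
# if the table for your cloud environment lists a different host.
REQUIRED_CNAMES = {
    "EnterpriseEnrollment": "EnterpriseEnrollment-s.manage.microsoft.us",
    "EnterpriseRegistration": "EnterpriseRegistration.windows.net",
}


def expected_records(domain):
    """Return {host: target} for the two CNAMEs a custom domain needs."""
    return {f"{host}.{domain}".lower(): target.lower()
            for host, target in REQUIRED_CNAMES.items()}


def parse_zone_lines(text):
    """Parse answer lines of the form 'name TTL IN CNAME target' into a dict.

    Trailing dots are stripped and names lower-cased so that comparison is
    independent of how the resolver prints them.
    """
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2].upper() == "IN" and parts[3].upper() == "CNAME":
            records[parts[0].rstrip(".").lower()] = parts[4].rstrip(".").lower()
    return records


def check_enrollment_cnames(domain, records):
    """Return a list of problems; an empty list means both records are correct."""
    problems = []
    for host, target in expected_records(domain).items():
        actual = records.get(host)
        if actual is None:
            problems.append(f"missing CNAME for {host}")
        elif actual != target:
            problems.append(f"{host} points to {actual}, expected {target}")
    return problems


def query_live(domain):
    """Query both hosts with dig (assumes dig is installed and network access)."""
    out = ""
    for host in expected_records(domain):
        out += subprocess.run(["dig", "+noall", "+answer", "CNAME", host],
                              capture_output=True, text=True, check=False).stdout
    return parse_zone_lines(out)


# Constructed sample output: the registration record points to the wrong zone.
SAMPLE_OUTPUT = """\
enterpriseenrollment.contoso.com. 3600 IN CNAME enterpriseenrollment-s.manage.microsoft.us.
enterpriseregistration.contoso.com. 3600 IN CNAME enterpriseregistration.windows.com.
"""

if __name__ == "__main__":
    for problem in check_enrollment_cnames("contoso.com", parse_zone_lines(SAMPLE_OUTPUT)):
        print(problem)
```

To check a real domain, replace the sample with `check_enrollment_cnames("yourdomain.com", query_live("yourdomain.com"))`.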

Step 2: (Required) Configure an APNs Certificate for iOS devices

To manage iOS devices like iPad and iPhones, you need to create an APNs certificate.

  1. Sign in to Microsoft 365 with your global admin account.

  2. Go to the Microsoft 365 admin center, and choose APNs Certificate for iOS.

  3. On the Apple Push Notification Certificate Settings page, choose Next.

  4. Select Download your CSR file and save the Certificate signing request to somewhere on your computer that you'll remember. Select Next.

  5. On the Create an APNs certificate page:

    • Select Apple APNS Portal to open the Apple Push Certificates Portal.

    • Sign in with an Apple ID.

      Important

      Use a company Apple ID associated with an email account that will remain with your organization even if the user who manages the account leaves. Save this ID because you'll need to use the same ID when it's time to renew the certificate.

    • Select Create a Certificate and accept the Terms of Use.

    • Browse to the Certificate signing request you downloaded to your computer from Microsoft 365 and select Upload.

    • Download the APN certificate created by the Apple Push Certificate Portal to your computer.

      Tip

      If you're having trouble downloading the certificate, refresh your browser.

  6. Go back to Microsoft 365 and select Next.

  7. Browse to the APN certificate you downloaded from the Apple Push Certificates Portal.

  8. Select Finish.

Make sure users enroll their devices

After you've created and deployed a mobile device management policy, each licensed Microsoft 365 user in your organization to whom the device policy applies receives an enrollment message the next time they sign in to Microsoft 365 from their mobile device. They must complete the enrollment and activation steps before they can access Microsoft 365 email and documents. For more info, see Enroll your mobile device using Basic Mobility and Security.

Important

If a user's preferred language isn't supported by the enrollment process, they might receive the enrollment notification and steps on their mobile device in another language. Not all languages supported in Microsoft 365 are currently supported for the enrollment process on mobile devices.

Users with Android or iOS devices are required to install the Company Portal app as part of the enrollment process.

Capabilities of Basic Mobility and Security (article)
Create device security policies in Basic Mobility and Security (article)