Microsoft offers two ways to handle mobile device management: MDM for Office 365 and Microsoft Intune.
The enterprise mobility industry has changed significantly in the past few years. Mobile device management (MDM) platforms such as MDM for Office 365 were once enough for most organizations. As devices such as iPads, wearables and IoT devices became prevalent in the enterprise, however, many organizations needed advanced management capabilities and a unified console. Unified endpoint management (UEM) products such as Intune entered the market and gave IT admins a way to manage a range of different devices from a single console.
MDM still has use cases today, however. MDM for Office 365 provides a limited feature set, but it is included in the price of many Office 365 subscriptions. This built-in tool offers organizations an integrated, inexpensive way to manage mobile devices. Microsoft Intune, on the other hand, provides a rich feature set and comes with additional costs.
MDM for Office 365 capabilities
MDM for Office 365 provides a lightweight version of MDM that does not include mobile application management (MAM). It gives organizations MDM policies and settings that control access to Office 365 data from supported mobile devices and apps. For stolen or lost devices, it offers the ability to remotely wipe the device to remove corporate data.
MDM for Office 365 provides support for the following platforms:
- iOS 10.0 or later
- Android 4.4 or later
- Windows 8.1 (limited to Exchange ActiveSync functionality)
- Windows 10 (requires the device to be Azure Active Directory joined)
Supported access control scenarios
MDM for Office 365 covers a few specific access scenarios in which the user is prompted to enroll their device. If an enrolled device does not comply with the policy, the user may be blocked from accessing Office 365 data, depending on how the policy is configured. The scenarios are:
- Access to Exchange by using the built-in mail app on iOS 10 or later
- Access to Exchange by using the built-in mail app on Android 4.4 or later
- Access to Office and OneDrive for Business by using the Outlook, OneDrive, Word, Excel or PowerPoint app on iOS 10 or later
- Access to Office and OneDrive for Business by using the Outlook, OneDrive, Word, Excel, PowerPoint or the Office Mobile (phones only) app on Android 4.4 or later
People who are using mobile browsers to access Office 365 data will not be prompted to enroll their devices and will not be blocked.
Supported policy settings
With MDM for Office 365, IT can enable certain settings as requirements to access Office 365 data. IT can use these settings in the supported access control scenarios to block users from accessing Office 365 data. These settings are divided into the following categories:
- Security - Require password settings
- Encryption - Require encryption settings
- Jailbroken - Require non-jailbroken devices
- Managed email profile - Require managed email profile
MDM for Office 365 also provides a limited set of policies that IT can use to configure settings on the user's device, such as policies to prevent data loss on the device, block access to public cloud storage, block screen captures and block access to the app store.
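The following script is an added example, not Microsoft's code and not part of the original article. It models the access-control decision described above (browser access is neither prompted nor blocked, unenrolled devices in a supported scenario are prompted to enroll, enrolled devices are checked against the password, encryption, jailbreak and managed-email-profile requirements, and a policy can block or merely report non-compliance) so that you can see how the individual requirements combine into one allow/enroll/block outcome. The record fields, the sample devices, the six-character password minimum and the `eas_mail` client name are constructed for the example; Windows 10 is left out because the article only states that it must be Azure AD joined, not how it is evaluated.

```python
"""Model of the MDM for Office 365 access-control decision (added example)."""
from dataclasses import dataclass


@dataclass
class Policy:
    # The four requirement categories from the article, plus the assumed
    # choice between blocking and report-only behaviour.
    require_password: bool = True
    min_password_length: int = 6          # assumed value for the example
    require_encryption: bool = True
    block_jailbroken: bool = True
    require_managed_email_profile: bool = True
    block_on_noncompliance: bool = True   # False = report only, do not block


@dataclass
class Device:
    # Constructed device-state record; field names are assumptions.
    platform: str            # "ios", "android" or "windows8.1"
    os_version: str          # e.g. "13.3"
    client: str              # "browser", "native_mail", "eas_mail", "outlook", ...
    enrolled: bool = False
    password_set: bool = False
    password_length: int = 0
    encrypted: bool = False
    jailbroken: bool = False
    managed_email_profile: bool = False


MIN_OS = {"ios": (10, 0), "android": (4, 4)}
OFFICE_APPS = {"outlook", "onedrive", "word", "excel", "powerpoint", "office_mobile"}


def _version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def in_scope(device: Device) -> bool:
    """True if this access attempt is one of the scenarios the article lists."""
    if device.client == "browser":          # browsers are never prompted or blocked
        return False
    if device.platform in MIN_OS:
        if _version_tuple(device.os_version) < MIN_OS[device.platform]:
            return False                    # unsupported OS version: not managed
        return device.client == "native_mail" or device.client in OFFICE_APPS
    if device.platform == "windows8.1":     # only Exchange ActiveSync is covered
        return device.client == "eas_mail"
    return False


def violations(device: Device, policy: Policy) -> list:
    """Names of the requirements the device fails; empty list means compliant."""
    failed = []
    if policy.require_password and (
        not device.password_set or device.password_length < policy.min_password_length
    ):
        failed.append("password")
    if policy.require_encryption and not device.encrypted:
        failed.append("encryption")
    if policy.block_jailbroken and device.jailbroken:
        failed.append("jailbroken")
    if policy.require_managed_email_profile and not device.managed_email_profile:
        failed.append("managed_email_profile")
    return failed


def decide(device: Device, policy: Policy) -> tuple:
    """Return (verdict, reasons) where verdict is "allow", "enroll" or "block"."""
    if not in_scope(device):
        return "allow", ["out of scope: not prompted and not blocked"]
    if not device.enrolled:
        return "enroll", ["device not enrolled"]
    failed = violations(device, policy)
    if failed and policy.block_on_noncompliance:
        return "block", failed
    return "allow", failed   # report-only: failures are recorded, access continues


# Constructed sample records, one per interesting branch of the decision.
SAMPLE_DEVICES = {
    "ios_browser": Device("ios", "13.3", "browser"),
    "ios_unenrolled_outlook": Device("ios", "13.3", "outlook"),
    "android_compliant": Device("android", "9", "native_mail", enrolled=True,
                                password_set=True, password_length=6, encrypted=True,
                                managed_email_profile=True),
    "ios_jailbroken": Device("ios", "12.4", "word", enrolled=True, password_set=True,
                             password_length=8, encrypted=True, jailbroken=True,
                             managed_email_profile=True),
    "android_old_os": Device("android", "4.3", "native_mail"),
    "win81_eas": Device("windows8.1", "6.3", "eas_mail", enrolled=True, password_set=True,
                        password_length=4, encrypted=True, managed_email_profile=True),
}

DEFAULT_POLICY = Policy()


def evaluate_all(devices=SAMPLE_DEVICES, policy=DEFAULT_POLICY) -> dict:
    """Evaluate every sample device and return {name: (verdict, reasons)}."""
    return {name: decide(device, policy) for name, device in devices.items()}


if __name__ == "__main__":
    for name, (verdict, reasons) in evaluate_all().items():
        print(f"{name:24} {verdict:7} {', '.join(reasons)}")
```

Running the script prints one line per sample device; switching `Policy(block_on_noncompliance=False)` turns the "block" verdicts into "allow" with the same reasons attached, which is the report-only configuration the article alludes to.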
Microsoft Intune capabilities
Microsoft Intune is a UEM platform that provides both MDM and MAM functionality. It comes at an additional cost, as it is not included in Office 365 subscriptions: an organization needs licenses that include the rights to use Intune, such as Microsoft Intune standalone, Enterprise Mobility + Security or the Microsoft 365 subscriptions.
Intune provides MDM and MAM policies and settings that control access to corporate data. This covers not just data in Office 365, but nearly all corporate data available from apps that are exposed via Azure Active Directory (AAD). For stolen or lost devices, Intune can remotely wipe the whole device or selectively wipe only the corporate data inside managed apps. It gives organizations a strong way to secure and manage mobile devices, apps and corporate data.
Microsoft Intune provides support for the following platforms:
- iOS and iPadOS 11.0 and later
- macOS 10.12 and later
- Android 5.0 and later, including Android Enterprise
- Windows 8.1, including Windows 8.1 RT
- Windows 10, including Windows 10 Teams, Windows 10 IoT and Windows Holographic for Business
Supported access scenarios
Microsoft Intune supports many scenarios. The main difference between MDM for Office 365 and Intune is that Intune is not limited to Office 365-related scenarios. For most organizations, the management boundary needs to extend to all apps and data that can be exposed via AAD and to all apps on the devices that use modern authentication. Intune integrates well within a Microsoft ecosystem, including Office 365.
Microsoft Intune can do more than control access to corporate apps and data. IT can use Intune to verify device compliance, deploy applications, push advanced configurations such as Wi-Fi profiles, certificates and VPN settings, collect inventory information and more. And that covers only the MDM scenarios. Intune also provides MAM scenarios, including the ability to restrict what managed apps can do with corporate data and to selectively wipe the corporate data from an app without touching the rest of the device.
Supported policy settings
Microsoft Intune provides so many policy settings that it is nearly impossible to list them all. It offers every policy setting available in MDM for Office 365 and many more. These settings are grouped by the access scenario they address: for example, policies that verify access requirements, policies that verify compliance, policies that configure device settings, policies that configure updates, and the ability to deploy, configure and manage apps.
MDM for Office 365 vs. Microsoft Intune
The following table provides an overview of the main capabilities of MDM for Office 365 vs Microsoft Intune.
It should be clear that Microsoft Intune is the most logical choice from a security and management perspective. That doesn't mean there is no use case for MDM for Office 365. For smaller organizations, or organizations that only use Office 365, it may be enough. It does rely on clear agreements with employees, however, as MDM for Office 365 only provides basic protection for access to Office 365 data.
MDM for Office 365 is a good starting point for any organization beginning to deploy MDM. To get real security and management capabilities, however, any organization that uses more than just Office 365 should eventually look at Microsoft Intune.
To support a migration path from MDM for Office 365 to Microsoft Intune, organizations can run both products alongside each other. Once a user is assigned a Microsoft Intune license, the enrollment process automatically prefers Intune enrollment over MDM for Office 365 enrollment.