Monday, September 5, 2016

Office 365 MDM or Microsoft Intune?

I have been asked several times what MDM capabilities are available in Office 365, and what additional capabilities you get with Intune.

In this quick article I will explore the differences.

What is Office 365 MDM?
In Office 365 there are several native MDM capabilities.

First there is Exchange ActiveSync (EAS), which is part of Exchange Online. With EAS you:
  • Have the ability to manage an inventory of mobile devices that are connected to Exchange Online.
  • Have the ability to remotely wipe email from a device.
  • Have the ability to enforce mobile device configuration settings, such as PIN requirements, PIN lengths, etc.
Second, with E1 you also get Office 365 MDM. With this you:
  • Can prevent access to both email and documents based on device enrollment and compliance policies.
  • Can protect against rooted and jailbroken devices.
  • Have reporting on devices that do not meet IT policy.
  • Have selective wipe capability that allows you to wipe Office 365 data without impacting personal data.
Behind the scenes, Office 365 MDM leverages Microsoft Intune to help deliver these solutions.
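To make the three EAS capabilities above concrete, here is an added example (it is not from the original post and not Microsoft's own sample) that drives them from the ExchangeOnlineManagement PowerShell module: list the device inventory, create and assign a mailbox policy that actually enforces a PIN, and wipe only the Exchange account data from one device. It assumes the module is installed and the signed-in account has Exchange administrator rights; the policy name "Corp-Baseline" and the mailbox "alice@contoso.com" are constructed sample values.

```powershell
# Added example, not part of the original post. Assumes the ExchangeOnlineManagement
# module is installed and the caller holds an Exchange admin role.
# "Corp-Baseline" and "alice@contoso.com" are constructed sample values.
Connect-ExchangeOnline

# 1. Inventory: every device syncing with Exchange Online, with its access state and
#    last successful sync. Devices that have not synced for a long time are the ones
#    to review (lost, retired, or no longer owned by the user).
Get-MobileDevice | Get-MobileDeviceStatistics |
    Select-Object DeviceType, DeviceOS, DeviceModel, DeviceAccessState, LastSuccessSync |
    Sort-Object LastSuccessSync

# 2. Configuration enforcement. A policy with PasswordEnabled $false enforces nothing
#    on the device; this baseline requires a PIN of at least 6 characters, locks after
#    5 minutes of inactivity, wipes after 10 failed attempts, requires device
#    encryption, and refuses devices that cannot apply the policy at all.
New-MobileDeviceMailboxPolicy -Name "Corp-Baseline" `
    -PasswordEnabled $true `
    -MinPasswordLength 6 `
    -MaxInactivityTimeLock "00:05:00" `
    -MaxPasswordFailedAttempts 10 `
    -DeviceEncryptionEnabled $true `
    -AllowNonProvisionableDevices $false

# Assign the policy to one mailbox (or use Set-MobileDeviceMailboxPolicy -IsDefault $true
# on the policy to make it the tenant default).
Set-CASMailbox -Identity "alice@contoso.com" -ActiveSyncMailboxPolicy "Corp-Baseline"

# 3. Remote wipe of the Exchange data only. -AccountOnly removes the mailbox account
#    and its data from the device and leaves personal data alone; without it the
#    device receives a full factory-reset wipe. Here the first device listed for the
#    mailbox is used; in practice pick the Identity from the inventory in step 1.
$device = Get-MobileDevice -Mailbox "alice@contoso.com" | Select-Object -First 1
if ($device) {
    Clear-MobileDevice -Identity $device.Identity -AccountOnly -Confirm:$false
}
```

The wipe is a pending command: it takes effect the next time the device syncs, so checking the inventory afterwards (the same `Get-MobileDeviceStatistics` call shows the wipe request status) is the way to confirm it completed.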

What is Intune?
Microsoft Intune is Microsoft's cloud mobile and PC management platform. Sometimes customers will want to add this to help them manage devices and applications beyond what Office 365 natively provides. With Intune you:
  • Have the ability to manage traditional PCs and Macs, not just mobile devices. Plus, you can manage Linux and UNIX servers.
  • Have a full Mobile Device Management (MDM) platform available to you to protect enterprise assets beyond Office 365.
  • Have the ability to create profiles for certificates, VPN, email profiles and Wi-Fi settings.
  • Have the ability to enroll and manage corporate-owned devices.
  • Can deploy and protect customer-built line-of-business apps using Mobile Application Management.
  • Can protect access to corporate data in Office mobile apps and custom line-of-business apps by using Mobile Application Management to restrict actions such as copy, cut, paste and save-as to applications managed by Intune.
  • Can enable more secure web browsing.
As you can see, Intune gives you access to a much more comprehensive solution.

Why do you need both? 
It all depends on your approach. Microsoft Office 365 has the ability to integrate with many third-party MDM providers, so customers do have the power of choice. Intune does provide unique capabilities for Mobile Application Management (MAM) to protect data on mobile devices without compromising the end user experience. However, the big value sell of Intune is the expanded set of solutions to manage PCs and Macs.

What are these new plans?
Intune is bundled into EMS.  EMS used to stand for Microsoft Enterprise Mobility Suite.  Now, EMS stands for Enterprise Mobility + Security.

Plus, the new EMS suite has taken a very similar plan structure to Office 365. For instance:
  • EMS E3 includes Azure AD Premium P1, Intune, Azure Information Protection Premium P1 (Azure Rights Management (RMS)), and Advanced Threat Analytics.
  • EMS E5 includes Azure AD Premium P2, Azure Information Protection Premium P2 (intelligent classification) and Cloud App Security.
As you can see, Intune lands in the EMS E3 bundle, or you can purchase it à la carte. See references below.

References:
Exchange ActiveSync
Overview of Mobile Device Management (MDM) for Office 365
Controlling Access to Office 365 and Protecting Content on Devices
Capabilities of built-in Mobile Device Management for Office 365
Choose between MDM for Office 365 and Microsoft Intune
Create and deploy device security policies
Enroll your mobile device in Office 365
Introducing Enterprise Mobility + Security
