Mobile Device Management options included with Microsoft 365
by Andrew Serene
October 2020
Office 365 includes mobile device management capabilities built right into your existing subscriptions. Combining those capabilities with well-defined policies can result in a resilient environment that can help protect your corporate data while safeguarding employee privacy with bring-your-own-device (BYOD). You can read more about the basic mobility and security functionality of Office 365 here, but you may determine that you do not want to subject staff to additional security measures on their personal devices. If that is the case, we recommend you implement an app-based approach to protecting company data on remote devices.
If keeping company data separated is important while allowing staff to use their personal devices as they prefer without the perception or fears of monitoring, we recommend implementing controls to prevent users from synchronizing their email with any app other than the official Microsoft Outlook app for iOS and Android.
Limiting user access to only the Microsoft provided applications will allow you to ensure company data is protected when synchronized to the user’s device. Forcing users to use the Microsoft Outlook app for iOS and Android to synchronize email, calendars, and contacts will provide the following benefits:
- Require the use of device passwords / pin codes to unlock the phone
- Specify how long the screen can be idle before locking the device
- Require encryption on the device
- Specify the number of incorrect password attempts before a device is wiped
- Require passwords / pin codes be changed after a specified number of days
- Provide “account only” remote wipe capabilities where only company Outlook Data (Email, Calendar, and Contacts) is wiped from the device.
To effectively take advantage of these features, we recommend the following steps be taken:
STEP 1 - Block POP3 and IMAP access to mailboxes.
- This will only allow applications that support Exchange ActiveSync to connect, so we can control the type of app that is used.
- This has the additional benefit of forcing modern authentication, so attackers cannot use the legacy protocols to bypass multifactor authentication.
- You can disable POP and IMAP per mailbox, but we recommend that you use the Set-CASMailboxPlan command to disable them for all users. That way new users will have them disabled as soon as their accounts are created.
- Run reports against your Microsoft 365 tenant ahead of time to confirm that nothing is currently using POP or IMAP.
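The report-then-disable sequence for STEP 1, as an added Exchange Online PowerShell example (not code from the article); it assumes the ExchangeOnlineManagement module is installed and that the account running it holds an Exchange administrator role.

```powershell
# Added example (not from the article): audit and then disable POP3/IMAP in Exchange Online.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in account is an Exchange admin.
Connect-ExchangeOnline

# 1. Report first: which existing mailboxes still have POP or IMAP enabled?
$legacy = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress, PopEnabled, ImapEnabled
$legacy | Export-Csv -Path .\pop-imap-enabled-mailboxes.csv -NoTypeInformation
"Mailboxes with POP/IMAP enabled: $($legacy.Count)"

# 2. Turn the protocols off in every mailbox plan, so mailboxes created from now on
#    start with POP/IMAP disabled (a plan change only governs new mailboxes).
Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false

# 3. Existing mailboxes keep their current setting, so disable them explicitly
#    once the report above shows nothing legitimate still depends on POP/IMAP.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false

# 4. Verify: this should now return nothing.
Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.PopEnabled -or $_.ImapEnabled }
```

"Enabled" is not the same as "in use": before step 3, also filter the Azure AD sign-in logs by client app (POP, IMAP) to catch any service or device that still authenticates over these protocols.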
STEP 2 – Create application consent policies to only allow trusted app access.
- This will prevent unapproved apps from connecting to Office 365. Go to Azure Active Directory > Enterprise applications > Consent and permissions > User consent settings, and set both User consent and Group owner consent to “Do not allow…” so that an administrator must approve an app first.
- This will block mobile apps such as the Gmail or iOS Mail apps, as well as apps that use Office 365 for authentication, such as ShareFile.
- This has the additional benefit of protecting your data from application-based attacks such as consent phishing, which has become a popular attack method as two-factor authentication becomes more prevalent.
- Any app that does need access can be approved (whitelisted) for all users in the company. We will write more on this in a future article, but approving an app is a matter of constructing a link like this from the Tenant and App IDs: https://login.microsoftonline.com/<TenantID>/oauth2/authorize?client_id=<AppID>&response_type=code&prompt=admin_consent
- We can also block specific devices and apps in the Exchange admin center under mobile > mobile device access. This may help us move existing users over to the Outlook app.
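The mobile device access controls mentioned in the last bullet, as an added Exchange Online PowerShell example (not code from the article). It assumes an existing Connect-ExchangeOnline session, that the Outlook app for iOS and Android reports the ActiveSync DeviceType "Outlook" (which step 1 lets you verify in your own tenant), and a placeholder admin address.

```powershell
# Added example (not from the article): PowerShell equivalents of Exchange admin center >
# mobile > mobile device access, so that only the Outlook app is allowed to synchronize.
# Assumes an Exchange Online session (Connect-ExchangeOnline) with Exchange admin rights.

# 1. See which device types are syncing today. Outlook for iOS and Android reports
#    DeviceType "Outlook"; native mail clients show up as e.g. "iPhone" or "Android".
Get-MobileDevice -ResultSize Unlimited |
    Group-Object DeviceType |
    Select-Object Name, Count |
    Sort-Object Count -Descending

# 2. Allow the Outlook app explicitly.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "Outlook" -AccessLevel Allow

# 3. Quarantine everything else (rather than Block) so admins can review stragglers and
#    nudge those users to the Outlook app; switch to Block once the migration is finished.
#    it-admins@example.com is a placeholder address.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "it-admins@example.com" `
    -UserMailInsert "Please install the Microsoft Outlook app to keep syncing company email."

# 4. Review the devices that were quarantined and who owns them.
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceAccessState
```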
In addition to the Microsoft Outlook app, we recommend limiting file access to the Microsoft OneDrive, SharePoint and Teams apps for Android and iOS, and preventing file synchronization with other operating systems. This allows you to:
- Prevent access from applications that cannot enforce device-based restrictions
- Prevent access from applications that don’t support modern authentication (two-factor)
- Log users out of apps within 1 hour of blocking sign-in to their Office 365 account or changing the password.
- Enforce device encryption when combined with the Microsoft Outlook app.
- Enforce device password / pin codes when combined with the Microsoft Outlook app.
- Rely on the OneDrive and SharePoint apps blocking access to data within one hour of revoking user access, rather than performing a selective data wipe on the device.
To effectively take advantage of these features, we recommend the following steps be taken:
- Limit OneDrive file synchronization only to PCs joined to the int.nga.org domain to prevent personal and non-corporate owned Windows devices from synchronizing a copy of files
- We recommend blocking OneDrive file synchronization on macOS as well. Mac users can still access OneDrive, but they will not be able to synchronize the files to their local computer.
- Disable access from apps that don’t use modern authentication (this will break access from Office 2010 and older).
- Block downloading files, copying files, and copying content within files in the mobile apps
- Block backing up app data
- Block opening OneDrive and SharePoint files in other apps
- Encrypt app data when device is locked
- Require Office 365 sign-in every 7 days
You can also take things a step further and apply company policies to the entire device by enabling the Basic Mobility and Security features in your Microsoft 365 tenant. These features are licensed as part of your existing subscription and do not require any additional licensing payments to Microsoft. If you choose to go this route, Android and iOS devices must install the Microsoft Intune Company Portal before being permitted to access email and company documents. This will allow you to enforce additional policies on the devices themselves. These additional policies include:
- Perform selective data wipes to remove all company data (Outlook, OneDrive, SharePoint, and Teams) from a device without wiping personal data.
- Require a password
- Prevent simple passwords
- Alphanumeric passwords
- Minimum and maximum lengths
- Minimum password length
- Password expirations
- Password history
- Number of failures before wiping or locking the device for a period of time
- Require device encryption
- Prevent jailbroken or rooted devices from connecting
- Require managing email profiles (selective wipe)
- Require encrypted backups
- Block cloud backups
- Block document and/or photo synchronization
- Block screen capture
- Block video conferencing
- Block sending of diagnostic data
- Block access to the application store
- Require password when accessing the application store
- Block connections with removable storage
- Block Bluetooth connections
- Block downloading of files for the OneDrive/SharePoint apps
- Block taking screenshots in the OneDrive/SharePoint apps (Android Only)
- Block copying files and the content within files from the OneDrive/SharePoint apps
- Block printing files in the OneDrive/SharePoint apps
- Block backing up app data from the OneDrive/SharePoint apps
- Require a passcode to access the OneDrive/SharePoint apps and how many bad password attempts before wiping data
- Block opening OneDrive and SharePoint files in other apps
- Encrypt app data when the device is locked
- Require periodic verification and how long to wipe data if an app has been offline (days)
While requiring the installation of the Microsoft Intune Company Portal does not give the company immediate access to a device or allow the company access to personal data, some users may have concerns about privacy and about installing another app on their personal device. In some cases, it may make sense to require the Intune Company Portal only for users with corporate-owned and provided devices, and to keep all other users on the app-based control mechanisms described above.
Additional References:
App-Based Control Mechanisms in Microsoft 365
Basic Mobile Security in Microsoft 365