Policy Settings Using Basic Mobility and Security – Hybrid Data and Servers

(Microsoft 365)

In Microsoft 365, the Basic Mobility and Security service offers a built-in MDM solution that provides the core device management features.

The Basic Mobility and Security service is hosted by the Intune service and contains a subset of Intune services. Even though it has some of the features used by Intune, according to Microsoft, it’s not an “Intune-lite” solution.

You can use Basic Mobility and Security to manage many types of mobile devices. Each person must have an applicable Microsoft 365 license, and their device must be enrolled in Basic Mobility and Security. Once the devices are enrolled, you can manage, block access to, and even wipe the devices.

When you create policies or profiles, they can only be deployed by assigning them to groups of users. You can’t directly assign a policy to a specific user or to an individual device. The user will receive an enrollment message on their device, and once they have completed the enrollment, their device will be constrained by the policies that you set. Then, using the MDM management tool, you can monitor the policy deployment.

Using Basic Mobility and Security, you can manage these mobile device settings:

Organizationwide Device Access Settings
You can specify whether you want to allow or deny access to Exchange mail for devices that are not supported by Basic Mobility and Security and which groups should be excluded from access control.

Device Security Policies
You can use these policies to protect devices from unauthorized access. These policies include password settings, encryption settings, managing email profile settings, and settings that control the use of device features, such as Bluetooth and videoconferencing.

Many MDM solutions help protect organizational data by making sure that users and devices meet specific requirements. These are known as compliance policies and act as the rules and settings that users and devices must meet in order to be compliant. When you pair them with Conditional Access requirements, you can deny users and devices that do not meet your rules. You can use some of these policies to help affect the entire Microsoft 365 experience:

Compliance
Microsoft uses the default compliance rules that are built into Configuration Manager for mobile devices, but also offers configuration items (CIs) and built-in compliance rules whose values are based on Microsoft’s digital security requirements. Microsoft has created a configuration baseline for those CIs and targeted the configuration baseline to mobile devices.

Messaging
The default policies for Exchange align policy settings between Exchange ActiveSync (EAS) and MDM.

Security
The default policies enforce Microsoft corporate compliance settings on mobile devices, such as password policy and encryption settings.
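The pairing of compliance policies with Conditional Access described above, as an added example that is not from this chapter: a Microsoft Graph PowerShell SDK script that creates a Conditional Access policy requiring a compliant device, scoped to a pilot group and created in report-only state so sign-in logs can be reviewed before anyone is blocked. It assumes the Microsoft.Graph module is installed and uses a placeholder group ID.

```powershell
# Added example (not from the chapter): report-only Conditional Access policy
# that grants access only from devices marked compliant by the MDM.
# Assumptions: Microsoft.Graph module installed; $PilotGroupId is a placeholder.
Import-Module Microsoft.Graph.Identity.SignIns

# Scope the first run to a pilot group rather than all users (placeholder GUID).
$PilotGroupId = '00000000-0000-0000-0000-000000000000'

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$policy = @{
    displayName = 'Require compliant device (pilot, report-only)'
    # Report-only evaluates and logs the result without enforcing it, so the
    # sign-in logs show who would have been denied before the policy goes live.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($PilotGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Once the report-only sign-in results look right, the same policy is switched to enforcement by updating its state to 'enabled' with Update-MgIdentityConditionalAccessPolicy.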

Policy Settings Using Microsoft Intune

Microsoft Intune is a cloud-based service that focuses on MDM and MAM. With Intune, you can control how your mobile devices are used. It also allows you to configure specific policies that control applications using MAM.

Intune allows you to control how mobile devices are used, whether the device is corporate-owned or personal. On personal devices, Intune can help ensure that corporate data is protected, and it can also isolate the corporate data from personal data. Intune allows you to manage multiple devices per person, regardless of the different platforms that run on the different devices. In Intune, users will see a dialog box that tells them about the policies. They can then select to allow or cancel device enrollment.

You can manage the same settings in Microsoft Intune as in Basic Mobility and Security as well as other settings:

■ Application deployment, configuration policies, and protection policies

■ Conditional Access

■ Device compliance policies

■ Device configuration policies

■ Device enrollment and restrictions

■ Software updates, which include Windows 10/11 update rings and update policies for iOS

While Basic Mobility and Security is part of the Microsoft 365 plans, Microsoft Intune is a stand-alone product included with certain Microsoft 365 plans. Table 14.1 identifies which plans provide the MDM solution.

TABLE 14.1 Microsoft 365 plans

Plan                                 Basic Mobility and Security   Microsoft Intune
Microsoft 365 Apps                   Yes                           No
Microsoft 365 Business Basic         Yes                           No
Microsoft 365 Business Standard      Yes                           No
Office 365 E1                        Yes                           No
Office 365 E3                        Yes                           No
Office 365 E5                        Yes                           No
Microsoft 365 Business Premium       Yes                           Yes
Microsoft 365 Firstline 3            Yes                           Yes
Microsoft 365 Enterprise E3          Yes                           Yes
Microsoft 365 Enterprise E5          Yes                           Yes
Microsoft 365 Education A1           Yes                           Yes
Microsoft 365 Education A3           Yes                           Yes
Microsoft 365 Education A5           Yes                           Yes
Microsoft Intune                     No                            Yes
Enterprise Mobility & Security E3    No                            Yes
Enterprise Mobility & Security E5    No                            Yes

Understanding AutoPilot

Windows Autopilot is a set of programs that helps simplify and streamline bulk deployment, setup, and configuration of devices. Autopilot allows you to truly have a zero-touch installation of the Windows client operating system. You can use Autopilot to reset, repurpose, and recover devices, reducing the time spent on deploying, managing, and retiring devices.

Autopilot allows you to:

■ Auto-enroll devices into MDM services.

■ Automatically join devices to Azure AD or Active Directory (via Hybrid Azure AD Join).

■ Create and auto-assign devices to configuration groups based on a device’s profile.

■ Customize out-of-box experience (OOBE) content specific to your organization.

You can use Autopilot to set up and preconfigure new Windows devices for your organization, right out of the box, without having to build an image or infrastructure to manage. Users go through the process by themselves, without making any decisions and without the need to involve an IT administrator.

With Autopilot Reset, existing devices can be quickly prepared for a new user. The Reset capability can also be used if a device needs to be fixed in order to bring the device back to a working state.

You can provide new devices to your end users without the need to build, maintain, and apply custom operating system images to the devices by using Microsoft Intune and Autopilot. Once deployed, Windows devices can be managed by tools such as Microsoft Intune, Windows Update for Business, Configuration Manager, and other similar tools.

Autopilot allows you to get a list of device IDs from a manufacturer. You enter the device IDs into your Azure environment. You assign a device profile to that machine and that’s it.

Once the user logs on to the Internet, the machine automatically recognizes that it is part of your organization and the installation is completed without any IT intervention.
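The registration step above (collecting device IDs and entering them into your tenant) as an added example that is not from this chapter: a PowerShell script, run elevated on a Windows device, that reads the serial number and Autopilot hardware hash from WMI and writes them in the CSV layout the Intune Autopilot device import accepts. The output path and Group Tag value are assumed placeholders.

```powershell
# Added example (not from the chapter): export this device's Autopilot identity
# as an import CSV. Assumptions: run elevated on Windows 10/11; $OutputFile and
# $GroupTag are placeholders you would replace.
$OutputFile = "$env:TEMP\AutopilotDevice.csv"
$GroupTag   = 'Finance-Laptops'   # optional column, used to auto-assign a profile

$session = New-CimSession

# The serial number is the "device ID" a manufacturer would normally supply.
$serial = (Get-CimInstance -CimSession $session -ClassName Win32_BIOS).SerialNumber

# The hardware hash is exposed through the MDM bridge WMI provider.
$devDetail = Get-CimInstance -CimSession $session `
    -Namespace 'root/cimv2/mdm/dmmap' -ClassName 'MDM_DevDetail_Ext01' `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
if (-not $devDetail) {
    Remove-CimSession $session
    throw 'Hardware hash unavailable; run this elevated on a Windows 10/11 device.'
}
$hash = $devDetail.DeviceHardwareData
Remove-CimSession $session

# Windows Product ID is optional and left blank; the hash identifies the device.
$row = [PSCustomObject]@{
    'Device Serial Number' = $serial
    'Windows Product ID'   = ''
    'Hardware Hash'        = $hash
    'Group Tag'            = $GroupTag
}

# Intune expects a plain ASCII CSV without quoted fields, so strip the quotes
# that ConvertTo-Csv adds before writing the file.
$row | ConvertTo-Csv -NoTypeInformation |
    ForEach-Object { $_ -replace '"', '' } |
    Out-File -FilePath $OutputFile -Encoding ASCII

# Sanity check before upload: a real hash is a long base64 string (several KB).
[PSCustomObject]@{
    Serial     = $serial
    HashLength = $hash.Length
    File       = $OutputFile
}
```

The resulting file is what you upload under Devices > Enroll devices > Windows Autopilot devices in the Intune admin center; after the import, the device profile is assigned to the group the Group Tag maps to.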
