Recently we had a case where another tech company was unable to set up MDM properly for one of its clients. After reviewing the documentation and what they had done so far, it was clear they had skipped a couple of steps in the initial setup, and those missing steps were causing the problem. Here are the proper initial setup steps:
Activate Mobile Device Management in Office 365
1. Sign in to Office 365 as an administrative user
2. Click on the Admin pane
3. Click on Mobile Management on the list to the left hand side
4. Click on the “Get Started” button
5. Wait a while (anywhere from 5 minutes to 2 hours) for the setup to complete
Configure Initial Domain DNS Settings
1. Back in the Mobile Management section, look for the red x circle and click on “Manage settings”
2. To configure the custom DNS records needed for automatic device enrollment, click on “Set up” next to “Configure domains for MDM”
3. Click on the primary domain used for Autodiscover, etc. then click on “Domain settings”
4. Under “Domain purpose” click on “Change domain purpose”
5. Put a check next to “Mobile Device Management for Office 365” then click on “Next”
6. Take note of the following CNAME records (host name, points to, TTL):
enterpriseregistration → enterpriseregistration.windows.net (TTL 3600)
enterpriseenrollment → enterpriseenrollment.manage.microsoft.com (TTL 3600)
7. Enter these into the customer's DNS zone along with any other records listed on that page that weren't entered previously.
8. Return to this page to confirm that the DNS settings have changed properly.
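Before going back to the portal to confirm step 8, it helps to check the customer's zone yourself. The script below is an added example (not from the original post, and not a Microsoft tool); it assumes a BIND-style zone export and uses the constructed domain contoso.example as sample input, deliberately containing a one-character typo in the enrollment target.

```python
"""Check that a domain's DNS carries the two CNAME records Office 365 MDM
needs for automatic enrollment. Added example; contoso.example is constructed."""

# Records as listed on the "Configure domains for MDM" page.
REQUIRED_CNAMES = {
    "enterpriseregistration": "enterpriseregistration.windows.net",
    "enterpriseenrollment": "enterpriseenrollment.manage.microsoft.com",
}


def parse_zone(zone_text):
    """Parse BIND-style lines ('name [ttl] [IN] TYPE target') into
    {owner_name: (rtype, target)}; comments and blank lines are skipped."""
    records = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if not line:
            continue
        parts = line.split()
        # Drop the optional TTL and class fields so TYPE and target remain.
        rest = [p for p in parts[1:] if not p.isdigit() and p.upper() != "IN"]
        if len(rest) < 2:
            continue
        owner = parts[0].lower().rstrip(".")
        records[owner] = (rest[0].upper(), rest[1].lower().rstrip("."))
    return records


def check_mdm_dns(domain, zone_text):
    """Return a list of problems; an empty list means the MDM CNAMEs are correct.
    Accepts both relative ('enterpriseenrollment') and absolute owner names."""
    records = parse_zone(zone_text)
    problems = []
    for host, expected in REQUIRED_CNAMES.items():
        fqdn = f"{host}.{domain}".lower()
        entry = records.get(fqdn) or records.get(host)
        if entry is None:
            problems.append(f"{fqdn}: missing")
        elif entry[0] != "CNAME":
            problems.append(f"{fqdn}: found {entry[0]} record, expected CNAME")
        elif entry[1] != expected:
            problems.append(f"{fqdn}: points to {entry[1]}, expected {expected}")
    return problems


# Constructed sample zone export: registration is right, enrollment has a typo.
SAMPLE_ZONE = """
; contoso.example zone (constructed sample)
autodiscover.contoso.example.   3600 IN CNAME autodiscover.outlook.com.
enterpriseregistration          3600 IN CNAME enterpriseregistration.windows.net.
enterpriseenrollment.contoso.example. 3600 IN CNAME enterpriseenrollment.manage.microsoft.net.
"""

if __name__ == "__main__":
    for line in check_mdm_dns("contoso.example", SAMPLE_ZONE) or ["MDM CNAMEs OK"]:
        print(line)
```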
Configure Apple Push Notification (APN) Certificate
1. Back in the Mobile Management section, look for the red x circle and click on “Manage settings”
2. Click on “Set up” next to “Configure an APNs Certificate for iOS devices” to request the needed certificate to manage Apple devices.
3. Click on “Download your CSR file” to save the file locally then click “Next”
4. Click on “Apple APNS Portal” to open the Apple Push Certificates Portal
5. Sign in with a valid (hopefully domain associated) Apple ID
6. Click on the “Create a Certificate” button
7. Agree to the Terms of Use
8. Upload the Certificate Signing Request (CSR) that was saved locally earlier
9. Download the new Mobile Device Management certificate and save it locally
10. Go back to the “Install Apple Push Notification Certificate” page and click “Next”
11. Upload the new Mobile Device Management certificate from Apple that was saved locally
Configure Basic Mobile Device Management Policy
1. Create a Security Group in Active Directory that will be used to apply the MDM policy, then run DirSync manually so the group appears in Office 365.
2. Back in the Mobile Management section, click on “Manage device security policies and access rules”
3. Click on the + to add a new policy
4. Give the policy a name and click “Next”
5. On the pop-up page leave the defaults and check next to “Require managing email profile (required for selective wipe on iOS)”
6. Also select “Block access and report violation” to keep users off the network until they comply with the new policy then click “Next”
7. The following page offers additional options that add security but are not required; when done, click “Next”
8. Change the selection to “Yes” and choose the Security Group in Active Directory that will be used for MDM enforcement, then click “Next”
9. Click on “Finish” to begin enforcing this new policy
The next time a user opens an associated Office app on a supported device, they will be prompted to start the enrollment process. Enrollment runs a compliance check, which usually requires the user to delete their existing Exchange ActiveSync profile before continuing.
Special thanks to the guys at ExchangeServerPro.com for their blog entry with the basics. Also a thanks to the Microsoft Office Blog Team for their detailed look at MDM policy setup.
If your company is using Office 365 or has a Bring Your Own Device (BYOD) policy that needs mobile device management, then contact us for assistance.