Summit 7 Team Blogs

Office 365 Mobile Device Management Strategy for Compliance

With many contractors addressing DFARS 7012 and NIST 800-171 compliance while trying to embrace bring-your-own-device (BYOD) in the workplace, owners and CEOs need a way to ensure that their company's data is protected.

Mobile Device Management (MDM) within Office 365 and Intune provides these companies several security policies for mobile devices accessing their data, even if the company provides a company phone. The following session from Summit 7's Ben Curry at SPTechCon 2018 summarizes some of the current features for Office 365 and Office 365 GCC High.

SPTechCon - Managing Office 365 Data on Mobile Devices - Part 1


SPTechCon - Managing Office 365 Data on Mobile Devices - Part 2


I have spent some time researching the policies that are available within Office 365 MDM. Many sites list the available policies, but none really explain what each policy does or enforces. Therefore, I have created the table below, which lists the available policies within MDM, as well as a short description and the supported devices. Please note, the "Additional PowerShell Policies" require the use of the Get-DevicePolicy PowerShell cmdlets.

 

Type of Policy Setting Name Description

iOS 8.0+

Android 4+

Security Settings Require a password Require users to set a password on the device.

Security Settings Prevent simple password Disable users from using simple numeric passwords. A simple numeric password is defined as any PIN or password in which the offset between each character is uniform (e.g. 1111 or 1234).

X

Security Settings Require an alphanumeric password Require users to set a password using alphanumeric characters.

X

Security Settings Minimum password length Sets the minimum length a password must be.

Security Settings Number of sign-in failures before device is wiped Sets the number of incorrect password attempts to accept before the device wipes its data.

Security Settings Minutes of inactivity before device is locked Sets how long a device can be inactive before the device becomes locked.

Security Settings Password expiration (days) Sets how long before a password expires and the user must create a new one.

Security Settings Remember password history and prevent reuse Prevents users from reusing their previous password(s).

Encryption Settings Require data encryption on devices Requires the device data to be encrypted.

Jail broken Settings Device cannot be jail broken or rooted Require that the device is not jail broken or rooted. This is always enabled.

X

Managed Email Profile Settings Email profile is managed Prevents users from accessing their Office 365 email if they are using a manually created email profile.

X

Cloud Settings Require encrypted backup Requires the phone to perform an encrypted backup.

X

Cloud Settings Block cloud backup Prevents users from backing up data to a cloud service.

X

Cloud Settings Block document synchronization Prevents users from syncing documents.

X

Cloud Settings Block photo synchronization Prevents users from syncing photos.

X

System Settings Block screen capture Prevents users from taking screen captures (screenshots) on the device.

(Samsung Knox only)
System Settings Block sending diagnostic data from device Prevents the device from sending diagnostic data.

X

Application Settings Block video conferences on device Prevents users from performing video conferences on the device.

X

Application Settings Block access to application store Prevents users from accessing the device's application store.

X

Application Settings Require password when accessing application store Requires a password/pin in order to access the application store.

X

Device Capability Settings Block connection with removable storage Prevents the use of removable storage on the device.

X

X

Device Capability Settings Block Bluetooth connection Prevents the use of Bluetooth on the device.

X

X

Additional PowerShell Policies CameraEnabled Prevents users from using the camera on the device.

Additional PowerShell Policies RegionRatings Sets the region (or country) to use for the ratings on the device.

X

Additional PowerShell Policies MoviesRatings Sets the maximum age rating of movies that will be permitted for download.

X

Additional PowerShell Policies TVShowsRating Sets the maximum age rating of TV shows that will be permitted for download.

X

Additional PowerShell Policies AppsRatings Sets the maximum age rating of apps that will be permitted for download.

X

Additional PowerShell Policies AllowVoiceDialing Prevents the use of voice dialing on the device.

X

Additional PowerShell Policies AllowVoiceAssistant Prevents the use of Voice Assistant on the device.

X

Additional PowerShell Policies AllowAssistantWhileLocked Prevents the use of Voice Assistant while the device is locked.

X

Additional PowerShell Policies MaxPasswordGracePeriod Sets the amount of time after a device was locked that a device can be unlocked without requiring the password.

X

Additional PowerShell Policies PasswordQuality Sets the password requirements for Android devices (such as alphanumeric).

X

Additional PowerShell Policies SystemSecurityTLS Prevents the device from connecting with untrusted TLS certificates.

X

Additional PowerShell Policies WLANEnabled Prevents the use of Wi-Fi on the device.

X

X
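
The following Python example is added here and is not part of the original post or of Office 365. It applies the table's definition of a simple password (uniform offset between characters) together with the "Require a password", "Require an alphanumeric password" and "Minimum password length" rows to a few candidate passwords. The policy keys, their values and the sample passwords are constructed, and reading "alphanumeric" as at least one letter plus one digit is an assumption.

```python
# Added example: evaluates candidate device passwords against four
# "Security Settings" rows from the table. Policy keys and values are
# constructed for illustration; they are not Office 365 parameter names.
POLICY = {
    "require_password": True,
    "prevent_simple_password": True,
    "require_alphanumeric": True,
    "min_length": 4,
}


def is_simple(secret: str) -> bool:
    """Table's definition: the offset between each character is uniform."""
    if len(secret) < 2:
        return True  # a single character has no variation at all
    offsets = {ord(b) - ord(a) for a, b in zip(secret, secret[1:])}
    return len(offsets) == 1  # 1111 -> {0}, 1234 -> {1}, 97531 -> {-2}


def violations(secret: str, policy: dict) -> list:
    """Return the names of the policy settings that `secret` fails."""
    if not secret:
        return ["require_password"] if policy["require_password"] else []
    failed = []
    if len(secret) < policy["min_length"]:
        failed.append("min_length")
    if policy["prevent_simple_password"] and is_simple(secret):
        failed.append("prevent_simple_password")
    # Assumption: "alphanumeric" means at least one letter and one digit.
    has_letter = any(c.isalpha() for c in secret)
    has_digit = any(c.isdigit() for c in secret)
    if policy["require_alphanumeric"] and not (has_letter and has_digit):
        failed.append("require_alphanumeric")
    return failed


# Constructed sample inputs.
SAMPLES = ["", "1111", "123456", "97531", "121212", "a1", "blue42sky"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), violations(s, POLICY) or "ok")
```

An alternating PIN such as 121212 does not have a uniform offset, so under the definition as worded it is not "simple"; here it is rejected only because the alphanumeric requirement is also enabled.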

 

I hope this table better clarifies the policies and what they do. Below I have listed some useful links for additional information about Office 365 MDM.

 

About Michael Wilke