Product | Windows Phone 8.1+ | iOS 10.0+ | Android 4.4+ |
---|---|---|---|
Exchange (Exchange ActiveSync includes built-in email and third-party apps, like TouchDown, that use Exchange ActiveSync Version 14.1 or later.) | Exchange | Mail | Email |
Office and OneDrive for Business | No supported apps | Outlook, OneDrive, Word, Excel, PowerPoint | On phones and tablets: Outlook, OneDrive, Word, Excel, PowerPoint. On phones only: Office Mobile |
Notes:
Support for iOS 10.0 and later versions includes iPhone and iPad devices.
Management of BlackBerry OS devices isn’t supported by Mobile Device Management for Office 365. Use BlackBerry Business Cloud Services (BBCS) from BlackBerry to manage BlackBerry OS devices. BlackBerry devices running Android OS are supported as standard Android devices.
Users won’t be prompted to enroll and won’t be blocked or reported for policy violation if they use the mobile browser to access Office 365 SharePoint sites, documents in Office Online, or email in Outlook Web App.
The following diagram shows what happens when a user with a new device signs in to an app that supports access control with MDM for Office 365. The user is blocked from accessing Office 365 resources in the app until they enroll their device.
Note: Policies and access rules created in MDM for Office 365 will override Exchange ActiveSync mobile device mailbox policies and device access rules created in the Exchange admin center. After a device is enrolled in MDM for Office 365, any Exchange ActiveSync mobile device mailbox policy or device access rule applied to the device will be ignored. To learn more about Exchange ActiveSync, see Exchange ActiveSync in Exchange Online.
Policy settings for mobile devices
If you create a policy to block access with certain settings turned on, users will be blocked from accessing Office 365 resources when using a supported app that is listed in Access control for Office 365 email and documents. The settings that can block users from accessing Office 365 resources are in these sections:
Security
Encryption
Jail broken
Managed email profile
For example, the following diagram shows what happens when a user with an enrolled device isn’t compliant with a security setting in a mobile device management policy that applies to their device. The user signs in to an app that supports access control with MDM for Office 365. They are blocked from accessing Office 365 resources in the app until their device complies with the security setting.
The following sections list the policy settings you can use to help secure and manage mobile devices that connect to your organization's Office 365 resources.
Security settings
Setting name | Windows Phone 8.1+ | iOS 7.1+ | Android 4+ | Samsung Knox |
---|---|---|---|---|
Require a password | ✔ | ✔ | ✔ | ✔ |
Prevent simple password | ✔ | ✔ | ✖ | ✖ |
Require an alphanumeric password | ✔ | ✔ | ✖ | ✖ |
Minimum password length | ✔ | ✔ | ✔ | ✔ |
Number of sign-in failures before device is wiped | ✔ | ✔ | ✔ | ✔ |
Minutes of inactivity before device is locked | ✔ | ✔ | ✔ | ✔ |
Password expiration (days) | ✔ | ✔ | ✔ | ✔ |
Remember password history and prevent reuse | ✔ | ✔ | ✔ | ✔ |
Encryption settings
Setting name | Windows Phone 8.1+ | iOS 7.1+ | Android 4+ | Samsung Knox |
---|---|---|---|---|
Require data encryption on devices | Windows Phone 8.1 is already encrypted and cannot be unencrypted | ✖ | ✔ | ✔* |
* With Samsung Knox, you can also require encryption on storage cards.
Jail broken setting
Setting name | Windows Phone 8.1+ | iOS 7.1+ | Android 4+ | Samsung Knox |
---|---|---|---|---|
Device cannot be jail broken or rooted | ✖ | ✔ | ✔ | ✔ |
Managed email profile option
The following option can block users from accessing their Office 365 email if they’re using a manually created email profile. Users on iOS devices must delete their manually created email profile before they can access their email. After they delete the profile, a new profile will be automatically created on the device. See Existing Company Email account was found for instructions on how end users can get compliant.
Setting name | Windows Phone 8.1+ | iOS 7.1+ | Android 4+ | Samsung Knox |
---|---|---|---|---|
Email profile is managed | ✖ | ✔ | ✖ | ✖ |
Cloud settings
Setting name | Windows Phone 8.1+ | iOS 7.1+ | Android 4+ | Samsung Knox |
---|---|---|---|---|
Require encrypted backup | ✖ | ✔ | ✖ | ✖ |
Block cloud backup | ✖ | ✔ | ✖ | ✖ |
Block document synchronization | ✖ | ✔ | ✖ | ✖ |
Block photo synchronization | ✖ | ✔ | ✖ | ✖ |
Allow Google backup | N/A | N/A | ✖ | ✔ |
Allow Google account auto sync | N/A | N/A | ✖ | ✔ |
System settings
Setting name | Windows Phone 8.1+ | iOS 7.1+ | Android 4+ | Samsung Knox |
---|---|---|---|---|
Block screen capture | ✔ | ✔ | ✖ | ✔ |
Block sending diagnostic data from device | ✔ | ✔ | ✖ | ✔ |
Application settings
Setting name | Windows Phone 8.1+ | iOS 7.1+ | Android 4+ | Samsung Knox |
---|---|---|---|---|
Block video conferences on device | ✖ | ✔ | ✖ | ✖ |
Block access to application store | ✔ | ✔ | ✖ | ✔ |
Require password when accessing application store | ✖ | ✔ | ✖ | ✖ |
Device capabilities settings
Setting name | Windows Phone 8.1+ | iOS 7.1+ | Android 4+ | Samsung Knox |
---|---|---|---|---|
Block connection with removable storage | ✔ | ✖ | ✖ | ✔ |
Block Bluetooth connection | ✔ | ✖ | ✖ | ✔ |
Additional settings
You can set the following additional policy settings by using PowerShell cmdlets. For more information, see Office 365 Security & Compliance Center cmdlets.
Setting name | Windows Phone 8.1+ | iOS 7.1+ | Android 4+ (including Samsung Knox) |
---|---|---|---|
CameraEnabled | ✔ | ✔ | ✔ |
RegionRatings | ✖ | ✔ | ✖ |
MoviesRatings | ✖ | ✔ | ✖ |
TVShowsRating | ✖ | ✔ | ✖ |
AppsRatings | ✖ | ✔ | ✖ |
AllowVoiceDialing | ✖ | ✔ | ✖ |
AllowVoiceAssistant | ✖ | ✔ | ✖ |
AllowAssistantWhileLocked | ✖ | ✔ | ✖ |
AllowPassbookWhileLocked | ✖ | ✔ | ✖ |
MaxPasswordGracePeriod | ✖ | ✔ | ✖ |
PasswordQuality | ✖ | ✖ | ✔ |
SystemSecurityTLS | ✖ | ✔ | ✖ |
WLANEnabled | ✔ | ✖ | ✖ |
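The support tables above mean that one policy is enforced differently on each platform. The following added example (not Microsoft code) transcribes a subset of those rows and reports, for a proposed policy, which settings are not enforced on each platform in a fleet and which settings come from sections that can block access. The function name `review_policy`, the sample policy and the fleet are constructed for illustration.

```python
# Added example: subset of the support matrix transcribed from this page's tables.
PLATFORMS = ("Windows Phone 8.1+", "iOS 7.1+", "Android 4+", "Samsung Knox")

# section -> {setting: flags in PLATFORMS order; "Y" = supported per the page}
MATRIX = {
    "Security": {
        "Require a password": "YYYY",
        "Prevent simple password": "YYNN",
        "Require an alphanumeric password": "YYNN",
        "Minimum password length": "YYYY",
    },
    # Windows Phone 8.1 is always encrypted per the page, so it counts as "Y".
    "Encryption": {"Require data encryption on devices": "YNYY"},
    "Jail broken": {"Device cannot be jail broken or rooted": "NYYY"},
    "Managed email profile": {"Email profile is managed": "NYNN"},
    "Cloud": {"Block cloud backup": "NYNN"},
    "System": {"Block screen capture": "YYNY"},
}

# Sections whose settings can block access to Office 365 resources (per the page).
BLOCKING_SECTIONS = {"Security", "Encryption", "Jail broken", "Managed email profile"}


def review_policy(settings, fleet):
    """Return (gaps, can_block) for a proposed policy.

    gaps: platform -> settings the matrix marks unsupported on that platform.
    can_block: settings from sections that can block access when enabled.
    Raises KeyError for an unknown setting, ValueError for an unknown platform.
    """
    lookup = {name: (section, flags)
              for section, rows in MATRIX.items()
              for name, flags in rows.items()}
    gaps = {platform: [] for platform in fleet}
    can_block = []
    for name in settings:
        section, flags = lookup[name]
        if section in BLOCKING_SECTIONS:
            can_block.append(name)
        for platform in fleet:
            if flags[PLATFORMS.index(platform)] != "Y":
                gaps[platform].append(name)
    return gaps, can_block


if __name__ == "__main__":
    # Constructed policy and fleet, for illustration only.
    policy = ["Prevent simple password", "Require data encryption on devices"]
    print(review_policy(policy, ("iOS 7.1+", "Android 4+")))
```

A non-empty gap list for a platform means the setting gives no protection on those devices, so the control has to come from somewhere else if it is required.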
Settings supported by Windows
You can manage Windows 8.1 and Windows 10 devices by enrolling them as mobile devices. After an applicable policy is deployed, users with Windows 8.1 and Windows 10 devices will be required to enroll in MDM for Office 365 the first time they use the built-in email app to access their Office 365 email (requires Azure AD premium subscription).
The following settings are supported for Windows 8.1 and Windows 10 devices that are enrolled as mobile devices. These settings won’t block users from accessing Office 365 resources.
Security settings
Require an alphanumeric password
Minimum password length
Number of sign-in failures before device is wiped
Minutes of inactivity before device is locked
Password expiration (days)
Remember password history and prevent reuse
System settings
Block sending diagnostic data from device
Additional settings
You can set the following additional policy settings by using PowerShell cmdlets:
AllowConvenienceLogon
UserAccountControlStatus
FirewallStatus
AutoUpdateStatus
AntiVirusStatus
AntiVirusSignatureStatus
SmartScreenEnabled
WorkFoldersSyncUrl
Remotely wipe a mobile device
If a device is lost or stolen, you can remove sensitive organizational data and help prevent access to your organization’s Office 365 resources by doing a wipe from Security & Compliance Center > Data loss prevention > Device management. You can do a selective wipe to remove only organizational data or a full wipe to delete all information from a device and restore it to its factory settings.
For more information, see Wipe a mobile device in Office 365.