Enterprise Mobility and Security Blog


Earlier this year we released the Mobile Device Management (MDM) for Office 365 service for managing your users’ mobile devices and protecting your corporate assets.  We are happy to announce that you will now be able to use both the Microsoft Intune and MDM for Office 365 solutions concurrently on your tenant. This capability is being released in the November updates for Intune that are currently rolling out globally and then also being turned on through Office 365 so that you will be able to:

  • Switch your MDM solution between MDM for Office 365 and Microsoft Intune MDM without having to contact support or go through any reset procedures, and/or
  • Customize your MDM solutions to meet your requirements by using the MDM for Office 365 to manage one group of users and devices while using Microsoft Intune to manage another group of users and devices

Activating both MDM for Office 365 and Microsoft Intune on the same tenant

To take advantage of this new capability, the first thing you need to do is to activate both MDM for Office 365 and Microsoft Intune MDM on your tenant.  Previously you were not able to do that (once you activated one of the services, you were then blocked from being able to activate the other service).  You can activate both services in either order:

  • Option A: first activate your MDM for Office 365 service by going to the Office 365 Admin Center and, from the Mobile Management tab, clicking “Let’s get started”. Then activate your Microsoft Intune MDM service by going to the Intune Admin Console and, from the Admin > Mobile Device Management tab, clicking “Add Intune as a mobile device management authority”.
  • Option B: first activate your Microsoft Intune MDM service by going to the Intune Admin Console and, from the Admin > Mobile Device Management tab, clicking “Set Mobile Device Management Authority”. Then activate your MDM for Office 365 service by going to the Office 365 Admin Center and, from the Mobile Management tab, clicking “Let’s get started”.

Who is managed by What?

Once you have activated both MDM for Office 365 and Microsoft Intune MDM, the question that will most likely come to mind is: “how do I know which of my users and devices are managed by which service?”  The answer is that the “management authority” of a device is set on a “per user” basis (based on the user that the device is associated with), and it is determined based on the user’s assigned license.  The logic is based on the following algorithm:

  • If a user only has an Office 365 license, and does not have an Intune license, then her devices are managed by MDM for Office 365
  • If a user has an Intune license (regardless of whether an Office 365 license is there or not), then her devices are managed by Microsoft Intune

To manage a user’s license assignment, simply go to the Office 365 Admin Center, and from the Users > Active Users tab, select a user and change her assigned license accordingly.

Switching users and devices between services

Based on the algorithm described above, if you want to “switch” a user and her devices from one service to another, you no longer have to un-enroll the device, change your tenant MDM authority, and then re-enroll the device.  Instead, you can now simply change the user’s license based on which service you would like to use to manage her devices.  After the license change, the devices will remain enrolled, but when the device checks in with the service (either at the scheduled time or after a manually initiated sync), the settings from the new MDM service will be sent down to the device and overwrite the existing settings that were configured by the previous MDM service.

Switching an entire organization between services

In addition to switching an individual’s management authority, another common scenario is one in which you simply want to switch ALL of your users and devices from MDM for Office 365 to Microsoft Intune, or vice versa.  Again, previously this would have required you to have all your users un-enroll their devices, then call Microsoft support to have your tenant’s MDM Authority reset, and then have your users re-enroll their devices.  Now, you can simply change the licensing of ALL of your users from one service to the other, and shortly after that all of your devices will be managed by the new MDM service, without having to un-enroll and re-enroll any devices.  However, please keep in mind that after the licensing switch, the next time the devices connect with the service the settings/policies from the NEW service will OVERWRITE the existing settings/policies from the previous service, so it is very important to make sure that you have configured your management settings in the new service prior to doing the switch.

With great power comes great responsibility …

The ability to use both MDM for Office 365 and Microsoft Intune together on the same tenant at the same time provides you with a lot of flexibility to use this combination of MDM services as you see fit for your organization.  However, along with this newfound flexibility and capability comes some potential complexities that you should be aware of.  Here are several of the key areas that you should consider:

  • Common tenant-level settings: some settings are set at the tenant level and shared by both MDM services, and you must be careful not to set them multiple times from different sources with different information, which can result in “overwrites” that can be disastrous.  For example, the Apple Push Notification Service (APNs) certificate is set at the tenant level and, once set, is used by both MDM for Office 365 and Microsoft Intune.  Therefore, if you have activated both services, you should always (and only) manage (set, renew, etc.) this certificate from one source to prevent overwriting.  To help you avoid such conflicts, for tenants that have both services activated we have removed your ability to manage APNs certificates from the Office 365 Admin Center, so you will have to do this from the Intune Admin Console instead.
  • Switching results in overwrite: one of the benefits of the new capability is that when devices are switched from one MDM authority to another, there is no longer any need to un-enroll and re-enroll the devices.  However, please keep in mind that the switch will not “selectively wipe” the settings/policies from the previous MDM service; it simply “overwrites” them with the settings from the new MDM service.  So, if there is a mismatch between the settings from the old and new service, the devices could end up in an inconsistent state.  Therefore, be sure to plan and check your settings between the services prior to doing the switch.
  • Conditional Access: both MDM for Office 365 and Microsoft Intune provide Conditional Access capabilities to help you ensure that your corporate assets (Exchange Online and SharePoint Online) can only be accessed from devices that are in compliance with your compliance policies.  However, there are significant differences in how Conditional Access is implemented for MDM for Office 365 as compared to Microsoft Intune.  For example, in MDM for Office 365, as soon as you deploy a policy to a Security Group, it also turns on Conditional Access for BOTH Exchange Online and SharePoint Online (you cannot separate them) for the devices associated with users in that Security Group.  In comparison, for Microsoft Intune you can specifically target (or exempt) Security Groups from being controlled by Conditional Access, and you can separately configure Conditional Access for Exchange Online and SharePoint Online.
  • Keep things separate: since the MDM authority is set at the user level, whereas settings and policies are deployed at the Security Group level, things can get quite confusing if a Security Group contains some users who are managed by MDM for Office 365 and some other users who are managed by Microsoft Intune, and policies are then targeted to this Security Group from one or both MDM services.  Things can get quite complicated in a hurry and become difficult to track and manage.  So, if you are going to be using both services concurrently for different groups of users, be sure to keep the users grouped in such a manner that you can easily determine and implement how they are to be managed.
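The per-user authority rule from “Who is managed by What?” and the “Keep things separate” caveat above, as an added example that is not part of the original post: a small Python audit that resolves each user’s MDM authority from license assignment and flags any Security Group whose members fall under different authorities. The license names, user principal names and group names are constructed placeholders, not real Office 365 SKU identifiers or directory data.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Placeholder license names (constructed for this example, not real Office 365 SKU ids).
INTUNE_LICENSE = "INTUNE"
OFFICE_LICENSE = "OFFICE_365"


@dataclass
class User:
    upn: str
    licenses: List[str] = field(default_factory=list)


def mdm_authority(user: User) -> str:
    """Apply the post's rule: an Intune license wins whether or not Office 365 is
    also assigned; Office 365 alone means MDM for Office 365; neither means
    the user's devices are managed by no service at all."""
    if INTUNE_LICENSE in user.licenses:
        return "Intune"
    if OFFICE_LICENSE in user.licenses:
        return "MDM for Office 365"
    return "unmanaged"


def mixed_authority_groups(groups: Dict[str, List[User]]) -> Dict[str, Dict[str, List[str]]]:
    """Return the Security Groups whose members resolve to more than one authority,
    mapped to {authority: [upn, ...]} so the admin can see who must be regrouped
    before policies are targeted at the group from either service."""
    findings: Dict[str, Dict[str, List[str]]] = {}
    for name, members in groups.items():
        by_authority: Dict[str, List[str]] = {}
        for member in members:
            by_authority.setdefault(mdm_authority(member), []).append(member.upn)
        if len(by_authority) > 1:
            findings[name] = by_authority
    return findings


# Constructed directory snapshot: four users and three Security Groups.
ALICE = User("alice@contoso.example", [OFFICE_LICENSE])
BOB = User("bob@contoso.example", [OFFICE_LICENSE, INTUNE_LICENSE])
CAROL = User("carol@contoso.example", [INTUNE_LICENSE])
DAVE = User("dave@contoso.example", [])

SAMPLE_GROUPS = {
    "SG-Intune-Pilot": [BOB, CAROL],  # all Intune: safe to target from Intune
    "SG-Mobile-All": [ALICE, BOB],    # mixed: one user per service, flag it
    "SG-Contractors": [DAVE],         # unlicensed: neither service reaches them
}

if __name__ == "__main__":
    for group, split in mixed_authority_groups(SAMPLE_GROUPS).items():
        print(f"{group}: mixed MDM authority {split}")
```

A group of only unlicensed users is not flagged as mixed, but its members are not reached by either service, which the "unmanaged" authority makes visible in the result.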

Give it a Try!

Try out this new capability to use both MDM for Office 365 and Microsoft Intune concurrently on your tenant, and provide feedback directly to the engineering team at our Intune feedback site – tell us what additional management capabilities you would like to see added to the MDM for Office 365 and Microsoft Intune service.

Owen Yen, Program Manager

Microsoft Intune Team