
🚀 Overview: Basic Mobility and Security in Microsoft 365
Basic Mobility and Security serves as a foundational Mobile Device Management (MDM) subset of Microsoft Intune, specifically tailored for organizations using Microsoft 365 Business Basic, Business Standard, and select Office 365 subscriptions. This integrated solution provides IT Administrators with a zero-cost mechanism to secure and manage mobile devices that access organizational data.
The primary objective of this service is twofold: protecting corporate assets (such as Exchange Online email, calendars, and OneDrive documents) and ensuring that devices connecting to the environment meet specific security compliance standards. While it offers robust MDM capabilities, it is important to distinguish it from Mobile Application Management (MAM). MDM grants the organization full control over the hardware—ideal for corporate-owned assets—whereas MAM is designed for Bring Your Own Device (BYOD) scenarios, where control is limited to specific applications rather than the entire device.
⚙️ Key Technical Details
Device Management Lifecycle
- Activation: Administrators must first trigger the Basic Mobility and Security service within the Microsoft 365 Admin Center to establish the organizational environment.
- Policy Creation: Admins define security baselines. These policies dictate required settings (like PIN complexity) and how the system should handle non-compliant hardware.
- Enrollment: Management begins only after a device is enrolled. Users typically perform this via the Company Portal app or during the initial setup of a supported productivity application.
- Active Management: Once enrolled, admins gain the ability to view detailed inventory reports, perform remote wipes of corporate data, and monitor compliance status.
🛡️ Supported Platforms & OS Requirements
The service supports a broad range of modern operating systems, though feature parity varies by platform:
- iOS/iPadOS: Comprehensive support for Apple mobile devices.
- Android: Includes support for standard Android and Samsung Knox. Note: Password management settings for Samsung Knox require Android version 9.0 or later.
- Windows 10/11: Supports both traditional x86/x64 PCs and Windows on ARM devices.
🛑 Policy Enforcement Logic
Administrators can implement two distinct types of access logic through the Microsoft Purview portal or via PowerShell:
- Allow Access Policies: If a user accesses data on an unenrolled device, they are automatically prompted to begin the enrollment process. This aligns with the New-DeviceConfigurationPolicy and New-DeviceConfigurationRule cmdlets.
- Block Access Policies: Access is denied immediately if the device is not managed. The user is not automatically prompted to enroll but must manually initiate enrollment to regain access. This aligns with the New-DeviceConditionalAccessPolicy and New-DeviceConditionalAccessRule cmdlets.
📱 Application Compatibility
The following applications support MDM enforcement across iOS, Android, and Windows:
- Productivity: Outlook, Word, Excel, PowerPoint.
- Storage & Collaboration: OneDrive, Microsoft 365 App.
- System Mail: The native “Mail” apps on mobile platforms. Note: Windows native mail apps require Microsoft Entra ID P1 or P2 licenses for enforcement; otherwise, Windows enrollment is not strictly forced for these specific apps.
⚠️ Important Exception: Basic Mobility and Security does not block access via mobile web browsers (OWA, SharePoint Online, etc.). Users can still access data through a browser without enrolling their device.
🔒 Security & Configuration Settings
Policies are divided into two categories:
- Access Requirements: User-facing settings that must be met to gain access. These include:
  - PasswordRequired: Mandating a device PIN.
  - PasswordMinimumLength: Setting the character count (default 4, range 4-14).
  - MaxPasswordAttemptsBeforeWipe: Triggering a local data wipe after repeated failures (range 4-11).
  - AllowJailbroken: Detecting and blocking compromised/rooted hardware.
  - PhoneMemoryEncrypted: Requiring storage encryption on Android/Samsung Knox.
- Configuration Settings: Transparent settings applied to the device without user intervention, such as:
  - AllowScreenshot: Preventing screen captures on iOS and Samsung Knox.
  - AllowiCloudBackup: Disabling cloud backups on supervised iOS devices.
  - AllowDiagnosticSubmission: Blocking the transmission of telemetry to vendors.
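To make the two policy types from the Policy Enforcement Logic section and the settings listed above concrete, here is an added example (not code from the article or from Microsoft's documentation) that creates a Block Access policy carrying the user-facing Access Requirements and a separate configuration policy carrying the transparent settings, via Security & Compliance PowerShell. It assumes the ExchangeOnlineManagement module is installed, and the group and policy names are placeholders.

```powershell
# Added example: Security & Compliance PowerShell session (ExchangeOnlineManagement module).
Connect-IPPSSession

$target = "MDM-Pilot-Users"   # placeholder: a real mail-enabled group in your tenant

# 1) Block Access policy: unmanaged devices are denied outright and must enroll manually.
#    The rule carries the Access Requirements the article lists (splatted so each
#    setting can be annotated; values are placeholders within the documented ranges).
$block = New-DeviceConditionalAccessPolicy -Name "BMS-Block-NonCompliant" -Enabled $true
$accessRequirements = @{
    Policy                        = $block.Identity
    TargetGroups                  = $target
    PasswordRequired              = $true   # device PIN mandatory
    PasswordMinimumLength         = 6       # documented range 4-14
    MaxPasswordAttemptsBeforeWipe = 8       # documented range 4-11; local wipe on failure
    AllowJailbroken               = $false  # $false blocks rooted/jailbroken hardware
    PhoneMemoryEncrypted          = $true   # storage encryption on Android/Samsung Knox
    RequireEmailProfile           = $true   # iOS: managed mail profile replaces manual ones
}
New-DeviceConditionalAccessRule @accessRequirements

# 2) Configuration policy: transparent settings pushed without user interaction.
$config = New-DeviceConfigurationPolicy -Name "BMS-Device-Config" -Enabled $true
$configSettings = @{
    Policy                    = $config.Identity
    TargetGroups              = $target
    AllowScreenshot           = $false  # iOS / Samsung Knox
    AllowiCloudBackup         = $false  # supervised iOS devices only
    AllowDiagnosticSubmission = $false  # no telemetry to vendors
}
New-DeviceConfigurationRule @configSettings

# 3) Review what will actually be enforced before widening TargetGroups beyond the pilot.
Get-DeviceConditionalAccessPolicy -Identity "BMS-Block-NonCompliant" | Format-List Name, Enabled
Get-DeviceConditionalAccessRule | Format-List Name, TargetGroups, PasswordRequired, AllowJailbroken
```

Remember that, as noted under Application Compatibility, neither policy blocks browser access (OWA, SharePoint Online), so a block policy alone does not close that path.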
📅 Impact
For IT Administrators
Admins gain centralized visibility into the mobile fleet. The most critical capability is the Selective Wipe, which allows for the removal of corporate data (emails, documents) without touching the user’s personal photos or apps. This is a vital security control for offboarding employees or handling lost devices. Furthermore, Basic Mobility and Security policies override legacy Exchange ActiveSync (EAS) mailbox policies (*-MobileDeviceMailboxPolicy), ensuring modern management takes precedence.
For End Users
Users experience a “Gatekeeper” effect. If their device does not meet the organization’s security bar (e.g., they don’t have a PIN set), they will be blocked from Outlook or OneDrive until they update their device settings. For iOS users, the system may require the removal of manually created email profiles (RequireEmailProfile) to allow the managed profile to be deployed, ensuring the organization can perform a selective wipe if necessary.
Read the full article on Microsoft.com
