Microsoft offers two mobile device management methods: MDM for Office 365 and Microsoft Intune.
The enterprise mobility industry has changed significantly in the past few years. Mobile device management (MDM) platforms such as MDM for Office 365 were once enough for most organizations. As iPads, wearables and IoT devices became prevalent in the enterprise, many organizations needed advanced management capabilities and a unified console. Unified endpoint management (UEM) products such as Intune entered the market, allowing IT admins to manage a range of different devices under a single console.
MDM for Office 365 provides a limited feature set, but it is included in the price of many Office 365 subscriptions. This built-in tool offers organizations an integrated, inexpensive way to manage mobile devices. Microsoft Intune, on the other hand, provides a rich feature set and comes with additional costs.
MDM for Office 365 capabilities
MDM for Office 365 provides a lightweight version of MDM that does not include mobile application management (MAM). It provides organizations with MDM policies and settings that will help to control access to Office 365 data for supported mobile devices and apps. For stolen or lost devices, it offers the ability to remotely wipe the device to remove corporate data.
MDM for Office 365 provides support for the following platforms:
- iOS 14.0 or later.
- Android 8.0 or later.
- Windows 10 or 11 -- this requires the device to be Azure Active Directory joined.
Supported access control scenarios
MDM for Office 365 provides a few scenarios that will prompt users to enroll their devices. When the user's device doesn't comply with the policy, the user might be blocked from accessing Office 365 data, depending on the policy configuration.
The scenarios are the following:
- Access to Exchange by using the built-in mail app on iOS 14 or later.
- Access to Exchange by using the built-in mail app on Android 8 or later.
- Access to Office and OneDrive for Business by using the Outlook, OneDrive, Word, Excel or PowerPoint app on iOS 14 or later.
- Access to Office and OneDrive for Business by using the Outlook, OneDrive, Word, Excel, PowerPoint or the Office Mobile app on Android 8 or later.
People using mobile browsers to access Office 365 data will not be prompted to enroll their devices and will not be blocked.
Supported policy settings
With MDM for Office 365, IT can enable certain settings as requirements to access Office 365 data. IT can use these settings in the supported access control scenarios to block users from accessing Office 365 data. These settings are divided into the following categories:
- Security, which requires password settings.
- Encryption, which requires encryption settings.
- Jailbroken, which requires non-jailbroken devices.
- Managed email profile, which requires a managed email profile.
MDM for Office 365 also provides a limited set of policies that IT can use to configure user device settings, such as policies to prevent data loss on devices, access public clouds, make screen captures and access the store.
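To make the access control scenarios and the four requirement categories above concrete, here is an added Python illustration (not Microsoft code, and not how the service is implemented internally) of the decision MDM for Office 365 makes for one access attempt: browser access is never prompted, supported apps on iOS 14+ and Android 8+ must enroll, and an enrolled device is then checked against the password, encryption, jailbreak and managed email profile requirements, with the policy deciding whether a violation blocks access or is only reported. The app names, policy flags and sample devices are constructed for the example.

```python
"""Toy evaluator for the MDM for Office 365 access-control scenarios.

Added illustration, not Microsoft code; the app identifiers, policy flags
and sample devices below are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Platforms and minimum OS versions that MDM for Office 365 can gate.
MIN_OS = {"ios": (14, 0, 0), "android": (8, 0, 0)}

# Apps whose access to Exchange / Office / OneDrive triggers an enrollment prompt.
# Browsers are deliberately absent: browser access is never prompted or blocked.
GATED_APPS = {
    "ios": {"mail", "outlook", "onedrive", "word", "excel", "powerpoint"},
    "android": {"mail", "outlook", "onedrive", "word", "excel", "powerpoint", "office"},
}


@dataclass
class Policy:
    """The four requirement categories plus the block-or-report choice."""
    require_password: bool = True
    require_encryption: bool = True
    block_jailbroken: bool = True
    require_managed_email_profile: bool = False
    block_on_violation: bool = True  # False: allow access but report the violation


@dataclass
class Device:
    platform: str          # "ios", "android", "windows", ...
    os_version: str        # e.g. "15.2"
    app: str               # "outlook", "browser", ...
    enrolled: bool = False
    has_password: bool = False
    encrypted: bool = False
    jailbroken: bool = False
    managed_email_profile: bool = False


def parse_version(text: str) -> Tuple[int, ...]:
    """'14' or '14.0.1' -> (14, 0, 0) / (14, 0, 1): numeric, zero-padded comparison."""
    parts = [int(part) for part in text.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def in_scope(device: Device) -> bool:
    """True only for the platform / OS version / app combinations that can be enforced."""
    minimum = MIN_OS.get(device.platform)
    if minimum is None or parse_version(device.os_version) < minimum:
        return False
    return device.app in GATED_APPS[device.platform]


def compliance_failures(device: Device, policy: Policy) -> List[str]:
    """Names of the required settings the device does not satisfy."""
    failures = []
    if policy.require_password and not device.has_password:
        failures.append("password")
    if policy.require_encryption and not device.encrypted:
        failures.append("encryption")
    if policy.block_jailbroken and device.jailbroken:
        failures.append("jailbroken")
    if policy.require_managed_email_profile and not device.managed_email_profile:
        failures.append("managed_email_profile")
    return failures


def evaluate(device: Device, policy: Policy) -> Tuple[str, List[str]]:
    """Decision for one access attempt: not_in_scope, enroll, block, report or allow."""
    if not in_scope(device):
        return "not_in_scope", []
    if not device.enrolled:
        return "enroll", []
    failures = compliance_failures(device, policy)
    if not failures:
        return "allow", []
    return ("block" if policy.block_on_violation else "report"), failures


if __name__ == "__main__":
    policy = Policy()
    samples = [  # constructed sample devices
        Device("ios", "15.2", "browser"),
        Device("ios", "15.2", "outlook"),
        Device("android", "7.1", "mail", enrolled=True),
        Device("android", "12.0", "office", enrolled=True, has_password=True,
               encrypted=True, jailbroken=True),
        Device("ios", "16.0", "word", enrolled=True, has_password=True, encrypted=True),
    ]
    for d in samples:
        print(d.platform, d.os_version, d.app, "->", evaluate(d, policy))
```

The version parser pads to three components on purpose: a bare "14" compared as a Python tuple against (14, 0) would otherwise sort as older than the minimum and wrongly drop the device out of scope.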
Microsoft Intune capabilities
Microsoft Intune is a UEM platform that provides MDM and MAM functionality and comes with additional costs, as it's not part of the different Office 365 subscriptions. It requires an organization to have licenses that include the rights to use Microsoft Intune. These licenses include Microsoft Intune standalone, the Enterprise Mobility + Security and Microsoft 365 subscriptions.
Microsoft Intune helps organizations provide MDM and MAM policies and settings that will help control access to corporate data. This includes data in Office 365 and nearly all corporate data available from apps exposed via Azure Active Directory (AAD). For stolen or lost devices, Intune provides the ability to remotely wipe the device or app to remove corporate data. It also allows organizations to secure and manage mobile devices, apps and corporate data.
Microsoft Intune provides support for the following platforms:
- iOS and iPadOS 14.0 and later.
- macOS 11.0 and later.
- Windows 10, including Windows 10 Teams, Windows 10 IoT and Windows Holographic for Business.
Supported access scenarios
Microsoft Intune supports many scenarios. The main difference between MDM for Office 365 and Intune is that Intune is not limited to Office 365-related scenarios. For most organizations, the management boundaries must expand to include all apps and data that can be exposed via AAD and all apps on devices that can use modern authentication. Intune integrates well within a Microsoft ecosystem, including Office 365.
Microsoft Intune can do more than control access to corporate apps and data. IT can use Intune to verify compliance of devices; deploy applications; assign advanced configurations, including Wi-Fi configuration; push certificates and VPN configurations; provide inventory information; and more. And that's only mentioning MDM scenarios. It also provides MAM scenarios, including limiting access to corporate apps and data and performing a selective wipe of only the app.
Supported policy settings
Microsoft Intune provides many policy settings and listing all the possibilities is nearly impossible. It provides the policy settings available with MDM for Office 365 and many more. These policy settings are categorized to provide the functionality to address the supported access scenarios -- for example, policies to verify access requirements; verify compliance; configure settings; configure updates; and the ability to deploy, configure and manage apps.
MDM for Office 365 vs. Microsoft Intune
The following table provides an overview of the main capabilities of MDM for Office 365 versus Microsoft Intune.
It should be clear that Microsoft Intune is the most logical choice from a security and management perspective. That doesn't mean there is no use case for MDM for Office 365. It could be enough for smaller organizations or organizations that only use Office 365. However, that requires strong agreements with the employees, as MDM for Office 365 only provides basic security for accessing Office 365 data.
MDM for Office 365 is a good starting point for any organization deploying MDM. To provide real security and management capabilities, however, any organization should eventually consider using Microsoft Intune when using more than just Office 365.
Organizations can run both products alongside each other to support a migration path from MDM for Office 365 to Microsoft Intune. When a user gets a Microsoft Intune license, the enrollment process will automatically prefer the Microsoft Intune enrollment over the MDM for Office 365 enrollment.