
Set up Basic Mobility and Security to secure and manage your users' mobile devices by performing actions such as remotely wiping a device.

Set up Basic Mobility and Security

Check out all of our small business content on Small business help & learning.

The built-in Basic Mobility and Security for Microsoft 365 helps you secure and manage users' mobile devices such as iPhones, iPads, Androids, and Windows phones. You can create and manage device security policies, remotely wipe a device, and view detailed device reports.

Have questions? For a FAQ to help address common questions, see Basic Mobility and Security Frequently asked questions (FAQs). Be aware that you cannot use a delegated administrator account to manage Basic Mobility and Security. For more info, see Partners: Offer delegated administration.

Activate the Basic Mobility and Security service

  1. Sign in to Microsoft 365 with a Directory writers admin account.
  2. Go to Activate Basic Mobility and Security.
  3. Select Enable feature. It can take some time to activate Basic Mobility and Security. If the feature is already activated, the Enable feature option will not appear.

Set up Mobile Device Management

When the service is ready, complete the following steps to finish setup.

Step 1: (Required) Configure domains for Basic Mobility and Security

If you don't have a custom domain associated with Microsoft 365 or if you're not managing Windows devices, you can skip this section. Otherwise, you'll need to add DNS records for the domain at your DNS host. If you've added the records already, as part of setting up your domain with Microsoft 365, you're all set. After you add the records, Microsoft 365 users in your organization who sign in on their Windows device with an email address that uses your custom domain are redirected to enroll in Basic Mobility and Security.

Need help with setting up the records? Find your domain registrar and select the registrar name to go to step-by-step help for creating DNS records in the list provided in Add DNS records to connect your domain. Use the following details to create CNAME records:

| Type | Host name | Points to | TTL |
|---|---|---|---|
| CNAME | EnterpriseEnrollment.company_domain.com | EnterpriseEnrollment-s.manage.microsoft.us | 1 hour |
| CNAME | EnterpriseRegistration.company_domain.com | EnterpriseRegistration.windows.net | 1 hour |

After you add the two CNAME records, go back to the Security & Compliance Center and go to Data loss prevention > Device management to complete the next step.
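An added example, not part of the original article: a Python check that compares captured DNS answers (lines in the `name TTL IN CNAME target` form that `dig +noall +answer` prints) against the two targets in the table above, so a missing or misdirected enrollment record is caught before devices are pointed at it. The domain `contoso.example` and the sample answers are constructed for illustration.

```python
# Added example: verify the two enrollment CNAME records from captured DNS answers.
# Expected targets are the values in the table above; everything else is constructed.
EXPECTED = {
    "enterpriseenrollment": "enterpriseenrollment-s.manage.microsoft.us",
    "enterpriseregistration": "enterpriseregistration.windows.net",
}

def _norm(name):
    """DNS names are case-insensitive; dig prints them with a trailing dot."""
    return name.strip().rstrip(".").lower()

def parse_answers(text):
    """Parse 'name TTL IN CNAME target' lines into {owner: [targets]}."""
    found = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0]  # drop zone-file style comments
        parts = line.split()
        if len(parts) == 5 and parts[2].upper() == "IN" and parts[3].upper() == "CNAME":
            found.setdefault(_norm(parts[0]), []).append(_norm(parts[4]))
    return found

def check_enrollment_cnames(domain, answers_text):
    """Return {owner: status}: 'ok', 'missing', or 'mismatch -> <target seen>'."""
    found = parse_answers(answers_text)
    report = {}
    for label, want in EXPECTED.items():
        owner = f"{label}.{_norm(domain)}"
        targets = found.get(owner, [])
        if not targets:
            report[owner] = "missing"
        elif targets == [want]:
            report[owner] = "ok"
        else:
            report[owner] = "mismatch -> " + ", ".join(targets)
    return report

# Constructed sample answers for the hypothetical domain contoso.example:
# the first record is correct, the second points at an unexpected host.
SAMPLE = """\
EnterpriseEnrollment.contoso.example. 3600 IN CNAME EnterpriseEnrollment-s.manage.microsoft.us.
EnterpriseRegistration.contoso.example. 3600 IN CNAME enterpriseregistration.contoso-old.example.
"""

if __name__ == "__main__":
    for owner, status in check_enrollment_cnames("contoso.example", SAMPLE).items():
        print(f"{owner}: {status}")
```
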

Step 2: (Required) Configure an APNs Certificate for iOS devices

To manage iOS devices like iPads and iPhones, you need to create an Apple Push Notification service (APNs) certificate.

  1. Sign in to Microsoft Azure with a Directory writers admin account.
  2. Go to Configure MDM Push Certificate.
  3. Select I agree to authorize Microsoft to communicate with Apple.
  4. Select Download your CSR and save the certificate signing request to a location on your computer that you'll remember.
  5. Select Create your MDM push certificate to open the Apple Push Certificates Portal.
    1. Sign in with an Apple ID.

    [!IMPORTANT] Use a company Apple ID associated with an email account that will remain with your organization even if the user who manages the account leaves. Save this ID because you'll need to use the same ID when it's time to renew the certificate.

    [!TIP] If you're having trouble downloading the certificate, refresh your browser.

Make sure users enroll their devices

After you've created and deployed a mobile device management policy, each licensed Microsoft 365 user in your organization that the device policy applies to receives an enrollment message the next time they sign in to Microsoft 365 from their mobile device. They must complete the enrollment and activation steps before they can access Microsoft 365 email and documents. For more info, see Enroll your mobile device using Basic Mobility and Security.

If a user's preferred language isn't supported by the enrollment process, the user might receive the enrollment notification and steps on their mobile device in another language. Not all languages supported in Microsoft 365 are currently supported for the enrollment process on mobile devices.

Users with Android or iOS devices are required to install the Company Portal app as part of the enrollment process.