A couple of weeks ago I had a customer who was already using the lightweight MDM solution in Office 365, which is built on Microsoft Intune. The lightweight MDM is part of many Office 365 subscriptions and lets you control more settings than, for instance, Exchange ActiveSync Access Policies; for example, you can also check whether a device is rooted or jailbroken (see the figures for the full list of features).


Security settings in Office 365 MDM

Security settings in Office 365 MDM

You can use (full) Microsoft Intune MDM and Office 365 MDM side by side; based on license assignment you can separate the two. If you assign an EMS or Intune license to a user, that user's device will be managed via Microsoft Intune, otherwise via Office 365 MDM, provided of course that it is configured that way.

After some issues with the compliance state of the devices (devices were marked as not compliant because of a lack of a compliance policy) I wanted to know how the device compliance settings and other configurations in Microsoft Intune impact the devices that are managed via Office 365 MDM.

Compliance state of Office MDM managed devices

While I was trying to reproduce the customer's issue, it did not occur again and seemed to be fixed. When an Office 365 MDM managed device is enrolled in Microsoft Intune, the Intune compliance policy is not evaluated, which is perfectly okay: compliance is calculated based on the policies that are configured in Office 365 MDM.

Default compliance policy is not evaluated

In the list of devices in Microsoft Intune the device is marked as Compliant.

Device is marked as compliant

One thing to keep in mind is that the compliance status validity period setting also applies to devices that are managed through the lightweight MDM in Office 365.

If a device is not evaluated for compliance for some time, for instance because it is offline, it is automatically marked as not compliant.

Device is marked as not compliant

The user will need to go online so that the device can be evaluated again.

End-user information in Company Portal (left) and mail client (right)
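As an added example (not code from the original post): a small audit over sample device records in the shape of Microsoft Graph managedDevices output that flags Office 365 MDM devices whose last check-in is older than the compliance status validity period, since those will be marked not compliant on the next evaluation. The Graph field names are real; the sample records, the 30-day period and the managementAgent value used to identify Office 365 MDM devices are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records in the shape of Microsoft Graph
# /deviceManagement/managedDevices output; names and timestamps are made up.
SAMPLE_DEVICES = [
    {"deviceName": "O365-PHONE-01", "managementAgent": "microsoft365ManagedMdm",
     "complianceState": "compliant", "lastSyncDateTime": "2024-05-01T08:00:00Z"},
    {"deviceName": "O365-PHONE-02", "managementAgent": "microsoft365ManagedMdm",
     "complianceState": "compliant", "lastSyncDateTime": "2024-03-20T12:30:00Z"},
    {"deviceName": "INTUNE-TAB-01", "managementAgent": "mdm",
     "complianceState": "compliant", "lastSyncDateTime": "2024-03-01T09:15:00Z"},
    {"deviceName": "O365-PHONE-03", "managementAgent": "microsoft365ManagedMdm",
     "complianceState": "noncompliant", "lastSyncDateTime": None},
]

# Assumed tenant setting: the Intune "compliance status validity period" in days.
VALIDITY_DAYS = 30
# Assumed managementAgent value reported for Office 365 MDM enrolments.
O365_MDM_AGENT = "microsoft365ManagedMdm"


def parse_graph_time(value):
    """Parse a Graph ISO-8601 UTC timestamp; None if the device never synced."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_devices(devices, now, validity_days=VALIDITY_DAYS, only_o365=True):
    """Return (deviceName, days_since_sync) for devices whose last check-in is
    older than the validity period. These flip to not compliant on the next
    evaluation even though their Office 365 MDM policies did not change."""
    limit = timedelta(days=validity_days)
    result = []
    for d in devices:
        if only_o365 and d.get("managementAgent") != O365_MDM_AGENT:
            continue
        last = parse_graph_time(d.get("lastSyncDateTime"))
        if last is None:
            result.append((d["deviceName"], None))  # never checked in: always stale
            continue
        age = now - last
        if age > limit:
            result.append((d["deviceName"], age.days))
    return result


if __name__ == "__main__":
    now = datetime(2024, 5, 2, tzinfo=timezone.utc)
    for name, days in stale_devices(SAMPLE_DEVICES, now):
        print(f"{name}: {'never synced' if days is None else f'{days} days'}")
```

Run it against a real export by replacing SAMPLE_DEVICES with the records returned by Graph and VALIDITY_DAYS with the value set in your tenant.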

Device restrictions

The lightweight MDM solution in Office 365 makes use of the device restrictions configured in the Microsoft Intune console, but it only uses the default rule to verify whether a platform or OS version is allowed and supported. In the case of the customer we had configured the default device restrictions rule to only support Android Enterprise (Android for Work). This rule also forced the users enabled for the lightweight version of Intune to enable Android for Work, which was not the case earlier, so it looks like something has changed in the service.

Default device restrictions are used

So when you create a separate device restriction rule to allow legacy Android MDM for the group of users that need lightweight MDM, that rule is not used to allow legacy Android MDM instead of Android for Work. Only when Android is enabled in the default rule can devices be enrolled for lightweight MDM.

Till next time!