Meraki

Community

How to only allow O365 email access with MDM profile installed

CortrucentDerek
Conversationalist
‎Jul 26 2022 8:45 AM
‎Jul 26 2022 8:45 AM

How to only allow O365 email access with MDM profile installed

Hey everyone!

 

We're deploying MDM profiles to about 150 personal phones/tablets. We're trying to figure out the best way to block access to their O365 work emails unless they have the MDM profile installed. They currently only access their O365 accounts through their work machines and we're using Azure AD for their tenant.

 

Is there a (easy?)way to deploy something that would limit access on their personal phones unless they have the MDM profile installed?

Labels:
0 Kudos
5 Replies 5
RaphaelL
Kind of a big deal
Kind of a big deal
‎Jul 26 2022 10:22 AM
‎Jul 26 2022 10:22 AM

To my knowledge you have to do some kind of tennant restriction which can be quite a challenge. 

 

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions

PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 26 2022 11:27 AM
‎Jul 26 2022 11:27 AM

The easy way is also the most expensive.  I tend to use this approach for large corporates.

 

Use Cisco Duo for your MFA (you really should - it is so good!).  You need the "Beyond" plan.

https://duo.com/editions-and-pricing 

Deploy the Duo Mobile client to all your devices as part of the profile.  You'll need this anyway for MFA.

 

Then create a Duo device trust policy, saying that Office 365 can only be accessed from trusted devices, and mark all devices with the Duo Health agent (which is included in Duo Mobile) as trusted.  For bonus points, you can also specify things like minimum OS version, browser versions, etc.

You can also use the same approach to limit access from corporate-owned Windows and Mac computers.  On computers, you can also specify cool things like saying the computer must have the corporate antimalware solution installed before being able to access corporate resources.

https://duo.com/docs/trusted-endpoints 

 

CortrucentDerek
Conversationalist
‎Jul 28 2022 12:35 PM
‎Jul 28 2022 12:35 PM

Thanks for the replies!

 

Do you know if I opted for a certificate-based solution if System Manager can auto deploy the certificate when they first install the MDM profile? I have it set up so that they log into Azure to install the MDM and it's auto enrolling their email account, but for ease of deployment it would be nice to have the certificate installed at the same time.

 

-Derek

0 Kudos
In response to CortrucentDerek
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 28 2022 1:08 PM
‎Jul 28 2022 1:08 PM

https://documentation.meraki.com/SM/Profiles_and_Settings/Certificates_Payload_(Pushing_Certificates... 

In response to PhilipDAth
CortrucentDerek
Conversationalist
‎Jul 28 2022 1:21 PM
‎Jul 28 2022 1:21 PM

I think this will work. I'll test tomorrow. Thank you!

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.