How to only allow O365 email access with MDM profile installed
We're deploying MDM profiles to about 150 personal phones/tablets. We're trying to figure out the best way to block access to their O365 work emails unless they have the MDM profile installed. They currently only access their O365 accounts through their work machines and we're using Azure AD for their tenant.
Is there an (easy?) way to deploy something that would limit access on their personal phones unless they have the MDM profile installed?
Deploy the Duo Mobile client to all your devices as part of the profile. You'll need this anyway for MFA.
Then create a Duo device trust policy, saying that Office 365 can only be accessed from trusted devices, and mark all devices with the Duo Health agent (which is included in Duo Mobile) as trusted. For bonus points, you can also specify things like minimum OS version, browser versions, etc.
You can also use the same approach to limit access from corporate-owned Windows and Mac computers. On computers, you can also specify cool things like saying the computer must have the corporate antimalware solution installed before being able to access corporate resources.
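An added example, not code from the thread or from the answerer's Duo setup: since the tenant already lives in Azure AD, the same "only trusted devices may reach Office 365" rule can be expressed natively as an Azure AD Conditional Access policy that requires a compliant device on iOS and Android. It assumes the MDM reports device compliance into Azure AD (Intune does this natively; other MDMs need the partner compliance integration), that the Microsoft Graph PowerShell SDK is installed, and that `GROUP-OBJECT-ID` is replaced with the object id of a pilot group; the `Office365` application value and the `compliantDevice` grant control are the real Graph names.

```powershell
# Added example: Conditional Access policy that blocks Office 365 from
# iOS/Android devices unless the MDM has marked them compliant in Azure AD.
# Assumes the MDM feeds compliance to Azure AD (Intune natively; third-party
# MDMs via partner compliance) and the Microsoft Graph PowerShell SDK.
# Placeholder: GROUP-OBJECT-ID is the object id of your pilot user group.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Application.Read.All"

$params = @{
    displayName = "Require MDM-compliant device for Office 365 on mobile"
    # Report-only first: review the sign-in log "Report-only" tab, then set to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @("GROUP-OBJECT-ID") }
        applications   = @{ includeApplications = @("Office365") }   # built-in Office 365 app group
        platforms      = @{ includePlatforms = @("iOS", "android") }  # personal phones/tablets only
        clientAppTypes = @("all")                                     # browser, modern auth and EAS clients
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")   # device must be enrolled and compliant, else access is blocked
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $params
```

A phone without the MDM profile has no compliance state in Azure AD, so it fails the `compliantDevice` grant and is refused, which is the behaviour asked for in the question; leaving the policy in report-only mode for a few days first shows exactly which users would be cut off before enforcement.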
Do you know if I opted for a certificate-based solution if System Manager can auto deploy the certificate when they first install the MDM profile? I have it set up so that they log into Azure to install the MDM and it's auto enrolling their email account, but for ease of deployment it would be nice to have the certificate installed at the same time.