How to only allow O365 email access with MDM profile installed

CortrucentDerek
Conversationalist

Hey everyone!

We're deploying MDM profiles to about 150 personal phones/tablets. We're trying to figure out the best way to block access to their O365 work emails unless they have the MDM profile installed. They currently only access their O365 accounts through their work machines and we're using Azure AD for their tenant.

Is there an (easy?) way to deploy something that would limit access on their personal phones unless they have the MDM profile installed?

RaphaelL
Kind of a big deal

To my knowledge you have to do some kind of tenant restriction, which can be quite a challenge.

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions

PhilipDAth
Kind of a big deal

The easy way is also the most expensive.  I tend to use this approach for large corporates.

Use Cisco Duo for your MFA (you really should - it is so good!).  You need the "Beyond" plan.

https://duo.com/editions-and-pricing

Deploy the Duo Mobile client to all your devices as part of the profile.  You'll need this anyway for MFA.

Then create a Duo device trust policy, saying that Office 365 can only be accessed from trusted devices, and mark all devices with the Duo Health agent (which is included in Duo Mobile) as trusted.  For bonus points, you can also specify things like minimum OS version, browser versions, etc.

You can also use the same approach to limit access from corporate-owned Windows and Mac computers.  On computers, you can also specify cool things like saying the computer must have the corporate antimalware solution installed before being able to access corporate resources.

https://duo.com/docs/trusted-endpoints

CortrucentDerek
Conversationalist

Thanks for the replies!

Do you know, if I opted for a certificate-based solution, whether Systems Manager can auto-deploy the certificate when they first install the MDM profile? I have it set up so that they log into Azure to install the MDM and it auto-enrolls their email account, but for ease of deployment it would be nice to have the certificate installed at the same time.

-Derek

I think this will work. I'll test tomorrow. Thank you!
