Mobile Device Management Activation
Start course

In this course, I will take you through the features provided by Microsoft 365 that allow you to monitor, protect, and manage devices across an organization. 

Learning Objectives

  • The differences and benefits of both the Configuration Manager and Microsoft Intune
  • What co-management is and what benefits it provides
  • The capabilities and differences between the MDM solutions provided within Microsoft 365, which are Basic Mobility and Security and Microsoft Intune
  • How other Microsoft tools integrate with MDM solutions to provide better security for organizations

Intended Audience

  • Users looking to learn about Managing Devices with Microsoft 365


  • Have a basic understanding of Microsoft 365

Before managing devices with either solution, you need to first activate your organization's MDM service. This can be done by utilizing an activation link and following the steps to activate the service. This link can be found below the course. Once you follow the steps and the service has been activated, an email will be sent with steps on configuring your MDM. The first two steps are optional depending on your environment, however they include configuring your domain. If you don't already have a domain, then this step can be skipped. 

If you do have a domain, then you need to provide DNS records. Next, you need to configure an Apple Push Notification Service certificate. Again, this step is optional depending on if your environment utilizes iOS devices as this is required in order to enroll those devices in either MDM solution, but we'll talk about that in a moment. The next step would be setting up multi-factor authentication. This is the first required step when enrolling devices if the first two steps were irrelevant to your environment. The next step is setting up device security policies.

This is where you create policies to protect organization data and they can be changed or added onto later. And finally, you need to validate the enrollment of the devices. Once deployed, users will receive a notification the next time they sign into Microsoft 365 on a qualified device. They will then be led through activation before they can access company data. If the device is an android or iOS device, they'll need to install the company portal to enroll the device. Once those steps are completed, you are ready to manage devices with Basic Mobility and Security functionality. However, if organizations want to manage devices using Intune, there is one more step they must complete. That step is configuring the MDM Authority to one of three options. Intune MDM Authority, Configuration Manager MDM Authority, and None. Intune MDM Authority is exactly what it sounds like. Intune will be the sole authority when managing corporate devices. Configuration Manager MDM Authority is a bit different in that it is a hybrid MDM.

This option should be chosen when the organization utilize the Configuration Manager for on-premises devices. It integrates Intune functionality into the Configuration Manager, splitting the workload between the two. And finally None which simply means that no MDM has been selected and thus Intune cannot be used. Generally, when an organization has Microsoft Intune access, it is suggested that you utilize Intune MDM Authority to minimize the spread of resources. Once you have your MDM configured and your MDM Authority set to Intune, you're ready to start customizing your MDM. Since Intune integrates with Azure AD, it can be used as the identity management tool to validate user permissions and access. You can add users and groups connected with Azure AD that can be used to assign applications, settings, and other company resources.

Intune also adds additional configuration options to manage devices such as device profiles for preconfigured device settings, company apps that can be assigned and automatically installed, application security policies which protect apps based on settings you decide, and customization of a company portal for enrollment and app installations. The good news about Intune is that it streamlines a lot of processes that were previously more in-depth with features like auto-enrollment utilizing Azure AD. Since Microsoft Intune can integrate with Azure AD, you can configure auto-enrollment of devices that log in with their Azure AD credentials. If an organization doesn't utilize Azure AD, they can utilize the Windows 10 built-in auto-discover feature to enroll devices in their MDM.

However, whenever an organization wants to manage an iOS device, they need to obtain something called an Apple Push Notification Service certificate. This is specific to Apple products, and once set up, allows device enrollment using a company portal app or one of Apple's bulk enrollment methods being the device enrollment program, Apple School Manager, or the Apple configurator. The Apple Push Service certificate is exactly that; a certificate that is valid for one year and must be renewed as needed. 

Before enrolling Apple devices, an organization must go through the steps to add the APNS certificate to the Microsoft Endpoint Manager, and these steps include: Granting Microsoft permission to send user and device information to Apple, download the Intune certificate signing request required to create an Apple MDM push certificate, create an Apple MDM push certificate, enter the Apple ID used to create your Apple MDM push certificate, and browse to your Apple MDM push certificate to upload. Once those settings are complete, you're ready to manage Apple devices with your MDM.


About the Author
Learning Paths

Lee has spent most of his professional career learning as much as he could about PC hardware and software while working as a PC technician with Microsoft. Once covid hit, he moved into a customer training role with the goal to get as many people prepared for remote work as possible using Microsoft 365. Being both Microsoft 365 certified and a self-proclaimed Microsoft Teams expert, Lee continues to expand his knowledge by working through the wide range of Microsoft certifications.