Capabilities of Basic Mobility and Security

Basic Mobility and Security can help you secure and manage mobile devices like iPhones, iPads, Androids, and Windows Phones used by licensed Microsoft 365 users in your organization. You can create mobile device management policies with settings that can help control access to your organization’s Microsoft 365 email and documents for supported mobile devices and apps. If a device is lost or stolen, you can remotely wipe the device to remove sensitive organizational information.

In this article

Supported devices

You can use Basic Mobility and Security to secure and manage the following types of devices.

  • iOS 11.0 or later versions

  • Android 5.0 or later versions***

  • Windows 8.1*

  • Windows 8.1 RT*

  • Windows 10**

  • Windows 10 Mobile**

* Access control for Windows 8.1 RT devices is limited to Exchange ActiveSync.

** Access control for Windows 10 requires a subscription that includes Azure AD Premium and the device needs to be joined to Azure Active Directory.

*** After June 2020, Android versions above 9 will not be able to manage password settings except on Samsung Knox devices.  

Note: Devices that are already enrolled with lower OS versions will continue to function although the capabilities may change without notice.

If people in your organization use mobile devices that aren't supported by Basic Mobility and Security, you might want to block Exchange ActiveSync app access to Microsoft 365 email for those devices, to help make your organization's data more secure. Steps for blocking Exchange ActiveSync: See Manage device access settings.

Access control for Microsoft 365 email and documents

The supported apps for the different types of mobile devices in the following table will prompt users to enroll in Basic Mobility and Security where there is a new mobile device management policy that applies to a user’s device and the user hasn’t previously enrolled the device. If a user’s device doesn’t comply with a policy, depending on how you set the policy up, a user might be blocked from accessing Microsoft 365 resources in these apps, or they might have access but Microsoft 365 will report a policy violation.

iOS 10.0+

Android 5.0 or later version

Exchange

Exchange ActiveSync includes built-in email and third-party apps, like TouchDown, that use Exchange ActiveSync Version 14.1 or later.

iPhone Mail mobile icon

Mail

Android email icon

Email

Office and OneDrive for Business

Outlook

OneDrive

Word

Excel

PowerPoint

On phones and tablets:

Outlook

OneDrive

Word

Excel

PowerPoint

On phones only:

Office Mobile

Notes: 

  • Support for iOS 10.0 and later versions includes iPhone and iPad devices.

  • Management of BlackBerry OS devices isn’t supported by Mobile Device Management for Microsoft 365. Use BlackBerry Business Cloud Services (BBCS) from BlackBerry to manage BlackBerry OS devices. Blackberry devices running Android OS are supported as standard Android devices

  • Users won’t be prompted to enroll and won’t be blocked or reported for policy violation if they use the mobile browser to access Microsoft 365 SharePoint sites, documents in Office Online, or email in Outlook Web App.

The following diagram shows what happens when a user with a new device signs in to an app that supports access control with Basic Mobility and Security. The user is blocked from accessing Microsoft 365 resources in the app until they enroll their device.

Shows enrollment process for new device.

Note: Policies and access rules created in MDM for Microsoft 365 Business Standard will override Exchange ActiveSync mobile device mailbox policies and device access rules created in the Exchange admin center. After a device is enrolled in MDM for Microsoft 365 Business Standard, any Exchange ActiveSync mobile device mailbox policy or device access rule applied to the device will be ignored. To learn more about Exchange ActiveSync, see Exchange ActiveSync in Exchange Online.

Policy settings for mobile devices

If you create a policy to block access with certain settings turned on, users will be blocked from accessing Microsoft 365 resources when using a supported app that is listed in Access control for Microsoft 365 email and documents. The settings that can block users from accessing Microsoft 365 resources are in these sections:

  • Security

  • Encryption

  • Jail broken

  • Managed email profile

For example, the following diagram shows what happens when a user with an enrolled device isn’t compliant with a security setting in a mobile device management policy that applies to their device. The user signs in to an app that supports access control with Basic Mobility and Security. They are blocked from accessing Microsoft 365 resources in the app until their device complies with the security setting.

Shows user is blocked when device isn't compliant.


The following sections list the policy settings you can use to help secure and manage mobile devices that connect to your organization's Microsoft 365 resources.

Security settings

Setting name

iOS 7.1+

Android 5+

Samsung Knox

Require a password

Prevent simple password

Require an alphanumeric password

Minimum password length

Number of sign-in failures before device is wiped

Minutes of inactivity before device is locked

Password expiration (days)

Remember password history and prevent reuse

Encryption settings

Setting name

iOS 7.1+

Android 5+

Samsung Knox

Require data encryption on devices

✔*

* With Samsung Knox, you can also require encryption on storage cards.

Jail broken setting

Setting name

iOS 7.1+

Android 5+

Samsung Knox

Device cannot be jail broken or rooted

Managed email profile option

The following option can block users from accessing their Microsoft 365 email if they’re using a manually created email profile. Users on iOS devices must delete their manually created email profile before they can access their email. After they delete the profile, a new profile will be automatically created on the device. See Existing Company Email account was found for instructions on how end users can get compliant.

Setting name

iOS 7.1+

Android 5+

Samsung Knox

Email profile is managed

Cloud settings

Setting name

iOS 7.1+

Android 5+

Samsung Knox

Require encrypted backup

Block cloud backup

Block document synchronization

Block photo synchronization

Allow Google backup

N/A

Allow Google account auto sync

N/A

System settings

Setting name

iOS 7.1+

Android 5+

Samsung Knox

Block screen capture

Block sending diagnostic data from device

Application settings

Setting name

iOS 7.1+

Android 5+

Samsung Knox

Block video conferences on device

Block access to application store

Require password when accessing application store

Device capabilities settings

Setting name

iOS 7.1+

Android 5+

Samsung Knox

Block connection with removable storage

Block Bluetooth connection

Additional settings

You can set the following additional policy settings by using PowerShell cmdlets. For more information, see Microsoft 365 Security & Compliance Center cmdlets.

Setting name

iOS 7.1+

Android 5+

CameraEnabled

RegionRatings

MoviesRatings

TVShowsRating

AppsRatings

AllowVoiceDialing

AllowVoiceAssistant

AllowAssistantWhileLocked

AllowPassbookWhileLocked

MaxPasswordGracePeriod

PasswordQuality

SystemSecurityTLS

WLANEnabled

Settings supported by Windows

You can manage Windows 10 devices by enrolling them as mobile devices. After an applicable policy is deployed, users with Windows 10 devices will be required to enroll in Basic Mobility and Security the first time they use the built-in email app to access their Microsoft 365 email (requires Azure AD premium subscription).

The following settings are supported for Windows 10 devices that are enrolled as mobile devices. These setting won’t block users from accessing Microsoft 365 resources.

Security settings

  • Require an alphanumeric password

  • Minimum password length

  • Number of sign-in failures before device is wiped

  • Minutes of inactivity before device is locked

  • Password expiration (days)

  • Remember password history and prevent reuse

    Note: The following settings regulating passwords only control local Windows accounts. Windows accounts provided through join a domain or Azure Active Directory aren't affected by these settings.

System settings

Block sending diagnostic data from device

Additional settings

You can set the following additional policy settings by using PowerShell cmdlets:

  • AllowConvenienceLogon

  • UserAccountControlStatus

  • FirewallStatus

  • AutoUpdateStatus

  • AntiVirusStatus

  • AntiVirusSignatureStatus

  • SmartScreenEnabled

  • WorkFoldersSyncUrl

Remotely wipe a mobile device

If a device is lost or stolen, you can remove sensitive organizational data and help prevent access to your organization’s Microsoft 365 resources by doing a wipe from Security & Complieance center>Data loss prevention>Device management. You can do a selective wipe to remove only organizational data or a full wipe to delete all information from a device and restore it to its factory settings.

For more information, see Wipe a mobile device in Microsoft 365.

See Also

Overview of Mobile Device Management for Microsoft 365

Create and deploy device security policies

Stay a step ahead with Microsoft 365

Need more help?

Expand your Office skills
Explore training
Get new features first
Join Office Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×