Set up Basic Mobility and Security


The built-in Basic Mobility and Security for Microsoft 365 helps you secure and manage users' mobile devices such as iPhones, iPads, Androids, and Windows phones. You can create and manage device security policies, remotely wipe a device, and view detailed device reports.

Have questions? For a FAQ to help address common questions, see Basic Mobility and Security Frequently asked questions (FAQs). Be aware that you cannot use a delegated administrator account to manage Basic Mobility and Security. For more info, see Partners: Offer delegated administration.

Activate the Basic Mobility and Security service

  1. Sign in to Microsoft 365 with your global admin account.

  2. Go to Activate Basic Mobility and Security.

  3. Select Enable feature.

    It can take some time to activate Basic Mobility and Security. If the feature is already activated, the Enable feature option will not appear.

Set up Mobile Device Management

When the service is ready, complete the following steps to finish setup.

Step 1: (Required) Configure domains for Basic Mobility and Security

If you don't have a custom domain associated with Microsoft 365 or if you're not managing Windows devices, you can skip this section. Otherwise, you'll need to add DNS records for the domain at your DNS host. If you've added the records already, as part of setting up your domain with Microsoft 365, you're all set. After you add the records, Microsoft 365 users in your organization who sign in on their Windows device with an email address that uses your custom domain are redirected to enroll in Basic Mobility and Security.

Need help with setting up the records? In the list provided in Add DNS records to connect your domain, find your domain registrar and select its name for step-by-step help with creating DNS records. Use the following details to create the CNAME records:

Type    Host name                                   Points to                                     TTL
CNAME   EnterpriseEnrollment.company_domain.com     EnterpriseEnrollment-s.manage.microsoft.us    1 hour
CNAME   EnterpriseRegistration.company_domain.com   EnterpriseRegistration.windows.net            1 hour

After you add the two CNAME records, go back to the Security & Compliance Center and go to Data loss prevention > Device management to complete the next step.
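As an added example (not part of the original article), a small Python check that confirms the two CNAME records above resolve to the targets the article lists, so a misconfigured record is caught before users are redirected to enroll. The domain contoso.com and the zone answers in the main block are constructed sample data; the default live lookup assumes the dig tool is installed.

```python
"""Verify the CNAME records Basic Mobility and Security needs for Windows enrollment."""
import subprocess
from typing import Callable, Dict, Optional

# Required host names and the targets they must point to, taken from the article's table.
EXPECTED_CNAMES = {
    "EnterpriseEnrollment": "EnterpriseEnrollment-s.manage.microsoft.us",
    "EnterpriseRegistration": "EnterpriseRegistration.windows.net",
}


def expected_records(domain: str) -> Dict[str, str]:
    """Map each required host name under `domain` to its expected CNAME target."""
    return {f"{host}.{domain}": target for host, target in EXPECTED_CNAMES.items()}


def normalize(name: Optional[str]) -> Optional[str]:
    """DNS names are case-insensitive and tools print a trailing dot; fold both away."""
    return name.strip().rstrip(".").lower() if name and name.strip() else None


def dig_cname(name: str) -> Optional[str]:
    """Default lookup against live DNS using dig (assumed installed); None if no CNAME exists."""
    proc = subprocess.run(["dig", "+short", "CNAME", name],
                          capture_output=True, text=True, check=False)
    lines = [ln for ln in proc.stdout.splitlines() if ln.strip()]
    return lines[0] if lines else None


def verify_records(domain: str,
                   lookup: Callable[[str], Optional[str]] = dig_cname) -> Dict[str, str]:
    """Return a status per required host name: 'ok', 'missing', or 'wrong target: <actual>'."""
    results: Dict[str, str] = {}
    for name, target in expected_records(domain).items():
        actual = normalize(lookup(name))
        if actual is None:
            results[name] = "missing"          # record not published at all
        elif actual == target.lower():
            results[name] = "ok"
        else:
            results[name] = f"wrong target: {actual}"  # published, but points elsewhere
    return results


if __name__ == "__main__":
    # Constructed zone answers: one correct record, one pointing at a placeholder host.
    sample_zone = {
        "enterpriseenrollment.contoso.com": "EnterpriseEnrollment-s.manage.microsoft.us.",
        "enterpriseregistration.contoso.com": "mdm.example.net.",
    }
    for host, status in verify_records("contoso.com", lambda n: sample_zone.get(n.lower())).items():
        print(f"{host}: {status}")
```

Run without arguments to see the constructed sample; call verify_records("yourdomain.com") from a shell with dig available to check a real zone.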

Step 2: (Required) Configure an APNs Certificate for iOS devices

To manage iOS devices like iPad and iPhones, you need to create an Apple Push Notification service (APNs) certificate.

  1. Sign in to Microsoft Azure with your global admin account.

  2. Go to Configure MDM Push Certificate.

  3. Select I agree to authorize Microsoft to communicate with Apple.

  4. Select Download your CSR and save the certificate signing request to a location on your computer that you'll remember.

  5. Select Create your MDM push certificate to open the Apple Push Certificates Portal.

    a. Sign in with an Apple ID.

    Important

    Use a company Apple ID associated with an email account that will remain with your organization even if the user who manages the account leaves. Save this ID because you'll need to use the same ID when it's time to renew the certificate.

    b. Select Create a Certificate and accept the Terms of Use.

    c. Browse to the certificate signing request that you downloaded to your computer from Microsoft 365 and then select Upload.

    d. Download the APNs certificate created by the Apple Push Certificate Portal to your computer.

    Tip

    If you're having trouble downloading the certificate, refresh your browser.

  6. Go back to Microsoft Azure and browse to the APNs certificate that you downloaded from the Apple Push Certificates Portal.

  7. Select Upload.

Make sure users enroll their devices

After you've created and deployed a mobile device management policy, each licensed Microsoft 365 user in your organization to whom the device policy applies receives an enrollment message the next time they sign in to Microsoft 365 from their mobile device. They must complete the enrollment and activation steps before they can access Microsoft 365 email and documents. For more info, see Enroll your mobile device using Basic Mobility and Security.

Important

If a user's preferred language isn't supported by the enrollment process, the user might receive the enrollment notification and steps on their mobile device in another language. Not all languages supported in Microsoft 365 are currently supported for the enrollment process on mobile devices.

Users with Android or iOS devices are required to install the Company Portal app as part of the enrollment process.

Capabilities of Basic Mobility and Security (article)
Create device security policies in Basic Mobility and Security (article)