Using the G Suite MDM to manage MS devices.

This process sets up a simple BYOD management policy for Microsoft Devices.This information builds on the instructions given for the Android platform an earlier post. The objective is the same in both cases -  to apply a security policy if the user accesses data using an organisational account.

This post should be read alongside the Android post which outlines the general approach and details some important deployment considerations.

This topic can be a bit confusing because of the terminology that's employed.

Unlike Android, Google does not download a Device Configuration app to the device.  Management is provided through Active Sync, an builtin application that synchronizes information with a range of handheld devices and desktop computers.

The first point of confusion is the fact that the service that pushes data to Active Sync clients is called Google Sync. The second is that Google Sync not only works with Windows Phones, mobiles and tablets but also iOS and BlackBerry 10 devices, so although Google Sync is primarily targeted at Windows devices it can also be applied to other platforms.

Note: iOS has its own management platform and this should be used in preference to Google Sync

So with all that cleared up how can you use Google Sync to manage Windows BYOD mobile devices.

Compared with other management clients Google Sync has a fairly limited feature set and although it can deliver a security profile it can’t transfer a wireless configuration. This means that you can use it to control synchronised mail and calendar data for organisational accounts but not as a gateway to the wireless network. In this case you are reduced to a manual configuration which once applied cannot be removed remotely because its not part of the profile.

However all is not lost.

Because of the limitations of Active Sync the workflow for on-boarding Windows devices is slightly different. First the users use the local mail client to set up an Active Sync session with the organisation account following the instructions here.  This can be done on mobile LTE connection or home broadband WiFi.

The most common mistake at this stage is to not select the Advanced option which allows you to point the mail client at Google (

The console settings for Device Management -> Setup -> Mobile Management should be set as shown above.

As each user registers the device will appear marked as type Google Sync under Device Management -> Device Approvals

At this point administrator can use the approvals process to manually install the wireless profile. 

Until the device is approved the user will be unable to synchronize mail and calendar data to the device. To prevent the user setting up a mail client using other protocols such as POP3 and IMAP4 these can be turned off part of a general security policy.

If the device is subsequently blocked access to synced data is revoked (left).

Once approved the administrator has rights to remote wipe the device removing all the organisations synced data.

The process does not prevent the user using a local browser to access mail and data but to work offline the user must enroll the device through Google Sync.

Other functions include the ability to require a security PIN in a similar manner to the Android client but there are no controls over peripherals such as the camera.

The inventory information is also fairly limited but gives some useful information such as user details and last sync time.

These policies are listed below with a suitable setting for BYOD. Only licence free options are listed.

Device Management →  Password Settings.

Password SettingsRequire users to set a passwordOFF

      Device password strength.
      Minimum password length.
      Number of invalid passwords allowed before the device is wiped.
      Number of recently expired passwords that are blocked.
      Number of days before a device password expires.
      Number of idle minutes before a device automatically locks.

Device Management → Advanced Settings → Google Sync

IP WhitelistControls a list of IP addresses where user can access Google SyncON

Sync while roamingControls if sync can occur while roaming.

No comments:

Post a Comment