Back when BlackBerry was the mobile phone of choice, you would insert BlackBerry Enterprise Service (BES) servers into your environment to get a ton of mobile device management (MDM) settings for strong control over your mobile environment. When the iPhone took off, other providers came out with MDM servers for iOS and Android that did what BES does for BlackBerry -- again at the cost of having to implement a mobile management infrastructure on top of your existing communications and security infrastructure.
If you didn't invest in an MDM infrastructure, all you could rely on were a handful of Exchange ActiveSync (EAS) policy settings (such as for passwords) that you could use via Exchange 2007. Although the EAS policies evolved in later Exchange versions, and are also available for use by third-party tools, EAS's capabilities never came close to a full-blown MDM server's capabilities.
In the last year or so, Microsoft has been promising to increase the mobile security controls, not only for devices but also for apps and content, within the Exchange server environment you already have.
What Microsoft has done, though, is not expand EAS's policies to better handle mobile security and management but instead promote its own MDM server, Intune, by making it part of the cloud-based Office 365 offering.
To tempt IT organizations to consolidate all their management servers to a Microsoft environment, the company has added a few Microsoft-only controls to Office 365, in what it calls Mobile Device Management for Office 365. You can manage them via the Office 365 admin portal or via Microsoft's Intune MDM product, but not through other MDM servers or via EAS policies.
In the Office 365 cloud admin tool, IT can require users to accept the MDM for Office 365 policy profile, which then controls access to the Office 365 apps themselves on Windows Phone 8.1, iOS 6 and later, and Android 4 and later.
Controls include requiring a PIN to access the Office 365 apps, disabling access to corporate Office documents, blocking access by jailbroken devices, and allowing email access only if the account was provisioned to the mobile device by IT (rather than set up by the user).
Not all policies are available for all platforms; MDM for Office 365 has the richest set of controls for iOS devices, while both Android and Windows Phone support different subsets. Among the policies available only for iOS are requiring encrypted backup, blocking document synchronization, blocking voice controls, blocking use of Passbook, and blocking use of Lync video conferences.
MDM for Office 365 also offers most of the policies that EAS does, such as password restrictions and device wipe. If the MDM for Office 365 policies conflict with your Exchange EAS settings, the MDM for Office 365 settings win out.
The MDM for Office 365 capabilities are part of your enterprise Office 365 subscription. Of course, you can get more by buying and implementing Intune as your MDM tool.
I've long wished that EAS policies could do more than they do, so I welcome the extra policies available for Office 365 enterprise subscribers. Even if you have a different provider's MDM server, I think you'll appreciate these Office 365 MDM additions.