Before you can use the Office 365 Mobile Device Management features you will first need to activate it in your Office 365 tenant.

Office 365 MDM leverages Microsoft Intune back end services. If your organization already uses Intune and you activate Office 365 MDM it will effectively remove the Intune configuration. A call to Microsoft Support is then necessary to switch the “Management Authority” back to Intune or to allow co-existence of both Office 365 and Intune. If your Intune is already configured as the “Management Authority” you will be prevented from activating Office 365 MDM and will therefore avoid this problem, and can call Microsoft Support to enable co-existence of Intune and Office 365 MDM in your organization.

Log in to the Office 365 admin center with your tenant administrator credentials. Select Mobile Devices in the left pane and then click the Get Started button.


There will be a short delay while MDM is activated for your tenant. The message suggests waiting a few hours, but I’ve generally seen it complete within a few minutes.


When MDM activation has completed you should see a red warning icon to let you know that some more settings need to be configured.


Click the Manage Settings link to see a report of the MDM setup steps that you need to complete. The required steps are:

  • Configure domains for MDM
  • Configure an APNs  (Apple Push Notifications) certificate for iOS devices


If you have previously turned off DNS checking for the domain name in your Office 365 tenant then you may see a green tick for “Configure domains for MDM” even though you have not configured the domain for MDM. I recommend checking your domain configuration even if you see a green tick for that item.

Configuring Domains for Office 365 Mobile Device Management

To configure your domain navigate to the Domains section of the Office 365 admin portal, select your domain name, and click the Domain settings link.


Click the link to Change domain purpose.


Check the box to enable Mobile Device Management for Office 365, then click Next.


Some additional DNS records, “enterpriseregistration” and “enterpriseenrollment” will be presented for you to add to the public DNS zone for your domain name.


If the new records won’t immediately validate you can still proceed with other MDM setup tasks and check the DNS records again later.

Configure an APNs Certificate for iOS Devices

In the list of required steps for Office 365 MDM setup click the Set up link for configuring an APNs certificate for iOS devices.


Your web browser will be redirected to a page where you can download the certificate signing request (CSR) for provisioning the new APNs certificate. Download the file to a safe location on your computer and click Next.


Next you need to sign in to the Apple APNS Portal to request the certificate. An Apple ID is required for this task. It is strongly recommended that you do not use an Apple ID that is owned by an individual, rather you should create a new one that is associated with an email address in the company. If you don’t already have a company Apple ID take a few minutes now to create one on the Apple website, then return to continue the setup tasks.


After logging in to the Apple APNS Portal click the Create a Certificate button.


After accepting the license agreement click the Browse button and select the CSR that you downloaded from the Office 365 admin portal earlier, then click the Upload button.

The upload returns a JSON formatted file to your web browser. You can save the file if you like, but this is not the certificate file you need.

You will receive a notification to the email address for your Apple ID when the certificate has been created. If your web browser is stuck on the “Uploading…” page simply refresh it to see your available certificates in the portal. Click the Download button to download your new certificate as a PEM file.


Return to the web browser tab or window for Office 365 where you are configuring the APNs certificate, and click Next to continue to the page to upload your new certificate. Click the Browse button and select your PEM file to upload.


The certificate install takes several minutes to complete. If your web browser appears to hang or time out on the upload you can log back in again, start the process of configuring the APNS certificate, and just skip through to the last step to upload the certificate you already have instead of requesting another new one.


If everything is in order you should see a green tick for the Mobile Device Management settings and you can start creating MDM policies for Office 365.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for


  1. Newton

    Does office 365 MDM need the Exchange server 2010 ActiveSync interface to work with regard connecting mobile devices to the exchange server?

Leave a Reply