Mobile Device Management (MDM) is a technology designed to manage operating systems installed on portable devices such as mobile phones and tablets. Android, iOS, Windows 10, and other mobile operating systems support built-in MDM. MDM is a lot like Group Policy for Windows, although it has less granular settings. MDM is designed for mobile systems that are not permanently connected to a corporate intranet.
Instead of contacting a domain controller, devices managed by MDM connect to a cloud service provider. Microsoft Intune, VMWare AirWatch, and Citrix XenMobile are all popular MDM solutions. Windows Autopilot, Microsoft’s native cloud deployment service for Windows 10, also relies on MDM for some of its functionality.
For more information on how MDM works in Windows 10, see "Understand how MDM policies are applied in Windows 10" on Petri. Also read my two-part series on Windows Autopilot here:
How to manually embed devices on Windows Autopilot – Part 1
How to Manually Integrate Devices with Windows Autopilot – Part 2
Mobile device management is limited for subscriptions without Microsoft Intune
MDM is built into mobile operating systems and into Windows 10, which is often installed on tablets and other portable form factors. But without an MDM service to manage the MDM client built into the operating system, there is no way to leverage it as a management solution. This is where products like Microsoft Intune come in.
To complicate matters, Microsoft offers a subset of Intune functionality through Basic Mobility & Security, which comes with all Microsoft 365 and Office 365 licenses except Microsoft Intune, Enterprise Mobility & Security E3, and Enterprise Mobility & Security E5. These three licenses get full access to Microsoft Intune.
Microsoft provides a table of all the plans on offer and whether they come with Basic Mobility & Security, Microsoft Intune, or both here.
Basic Mobility & Security vs Microsoft Intune
There are many limitations with Basic Mobility & Security. For a full comparison of the differences between the two products, see Microsoft's website. For example, Basic Mobility & Security cannot be used with Windows Autopilot to enroll large numbers of company-owned devices. The ability to configure email, Wi-Fi, and VPN profiles is also missing.
Remote actions are limited to remove, erase, and delete. Azure Active Directory (AD) Conditional Access policies based on device compliance are limited to controlling access to Exchange Online, SharePoint Online, and Outlook services, and they are not supported on Windows 10. If you want to support Android Enterprise, macOS, and iPadOS, you'll also need a Microsoft Intune license.
You can use Basic Mobility & Security and Microsoft Intune in the same organization. For example, set up Basic Mobility & Security first for devices that don't need Intune. Then add Intune licenses for the devices that require the more advanced features it provides.
Choosing between Basic Mobility & Security and Microsoft Intune
Basic Mobility & Security may be sufficient for many organizations, or for some of your organization's devices. You need to assess its capabilities and decide which devices require Microsoft Intune to provide full management and security functionality. Azure AD Conditional Access, which allows organizations to control where and how users access corporate resources, is a complete non-starter on Windows 10 devices without Microsoft Intune.