Mobile Device Management (MDM) is a technology for managing the operating systems installed on portable devices such as mobile phones and tablets. Android, iOS, Windows 10, and other mobile operating systems have MDM support built in. MDM is a bit like Group Policy for Windows, although its settings are less granular. It is designed for mobile systems that are not permanently connected to a corporate intranet.
Instead of contacting a domain controller, devices managed by MDM connect to a cloud service provider. Microsoft Intune, VMware AirWatch, and Citrix XenMobile are all popular MDM solutions. Windows Autopilot, Microsoft’s cloud-native deployment service for Windows 10, also relies on MDM for some of its functionality.
For more information on how MDM works in Windows 10, check out Understanding How MDM Policies are Applied in Windows 10 on Petri. Also, read my two-part series on Windows Autopilot here:
MDM is built into mobile operating systems and into Windows 10, which is often installed on tablets and other portable form factors. But without an MDM service to manage the MDM client built into the operating system, there’s no way to use it as a management solution. That’s where products like Microsoft Intune come into play.
To confuse matters, Microsoft offers a subset of Intune’s capabilities via Basic Mobility & Security, which is included with all Microsoft 365 and Office 365 licenses except Microsoft Intune, Enterprise Mobility & Security E3, and Enterprise Mobility & Security E5. Those three licenses get full access to Microsoft Intune.
Microsoft provides a table of all the plans it offers and whether they come with Basic Mobility & Security, Microsoft Intune, or both here.
Basic Mobility & Security has many limitations. For a full comparison of the two products, see Microsoft’s website. For example, Basic Mobility & Security cannot be used with Windows Autopilot to enroll large numbers of corporate-owned devices, and the ability to configure email, Wi-Fi, and VPN profiles is missing.
Remote actions are limited to retire, wipe, and delete. Azure Active Directory (AD) Conditional Access policies based on device compliance are limited to controlling access to Exchange Online, SharePoint Online, and Outlook services, and are not supported on Windows 10. If you want support for Android Enterprise, macOS, or iPadOS, you’ll also need a Microsoft Intune license.
You can use Basic Mobility & Security and Microsoft Intune in the same organization. For example, set up Basic Mobility & Security first for devices that don’t need Intune. Then add Intune licenses for devices that require the more advanced capabilities that it provides.
Basic Mobility & Security may well be enough for many organizations, or for some of the devices in your organization. You should evaluate its capabilities and decide which devices require Microsoft Intune for complete management features and security. In particular, Azure AD Conditional Access, which lets organizations control from where and how users access corporate resources, cannot be used at all on Windows 10 devices without Microsoft Intune.