Mobile Device Management Suggestions

[Graham Carter]

The company I work for have in the last month, migrated their on-premise email to 365 email services.Relatively small company with just over 100 employees.

For desktop and laptops, we have an internal domain, which is used for device authentication and vpn.Every 90 days our AD policy requires users to reset their password.

 

For pc and laptop users, both local and remote, because their kit has been added to our domain, the password change isn't too much of a problem.

However for mobile users, on android and iOS devices, using a mix of outlook app and built in email app, changing password becomes quite a manual fair, especially since some have multiple mobile devices (iPad, iPhone etc)

 

The password change date causes frequent account lockouts because the 365 domain controller also replicates with our internal domain controller, and when users for example change their password on their desktop pc, account locks quickly happened when they haven't manually changed their mobile device password!

 

Would products like Microsoft Intune MDM be the logical solution for the above? What kind of pricing would we be looking at if so?

One caveat is that we dont currently have the option / service to allow users to reset their password via the web / 365

[Guest]

On 7/18/2022 at 11:44 PM, Graham Carter said:

Would products like Microsoft Intune MDM be the logical solution for the above? What kind of pricing would we be looking at if so?

 

MDM, whether that be Microsoft Endpoint Manage (Intune) or a 3rd party tool won't resolve the issue as it's caused by identity & policy, all of which supersedes any control an MDM solution would apply.

 

The only two options you have are

• Enable password writeback & self service password reset for Azure AD
  • Enable Azure Active Directory password writeback - Microsoft Entra | Microsoft Docs
  • Enable Azure Active Directory self-service password reset - Microsoft Entra | Microsoft Docs

AND/OR

• Change your AD password policy to not expire passwords. The concept of 90 day expiries is quite antiquated, I'd suggest yearly if not completely disabled. 
  • NIST no longer recommends passwords regularly be changed for no reason: NIST Special Publication 800-63B