On The Topic Of Enforcing Cell Phone PINs...
May 15, 2017
They say you don’t know what you got until it’s gone. I say “They” because after 5 minutes on Google I still wasn’t sure who the original source was, and I began to realize it’s not super important to the point of this post.
We’re here to talk about requiring your users to have a PIN on their phone’s lock screen. Adding a PIN to your phone is not going to be the silver bullet to making sure sensitive content is safe, but it’s about as good of a start as you’ll find. Requiring that all mobile devices that connect to your Office 365 tenant have a lock screen PIN will help ensure that your users’ emails stay secure.
Fair warning before enforcing PINs: it’s been my experience that most users fall into two categories. The first is users who already have a PIN on their phone and won’t even care that you’re now requiring one. The second is users who will flip their lid and begin thinking you are the original author of Mein Kampf. I say this not to discourage what I’m about to show you but rather to prime you for the fallout.
To begin enforcing PINs for mobile devices you’ll first want to sign in to the Exchange Control Panel. Swing on down to the mobile tab on the left and move to the mobile device mailbox policies heading to view the default policy that Office 365 uses. After highlighting the default policy, click the pencil to open the settings dialog.
On the first tab you see, you will want to uncheck the box highlighted below, as doing so ensures only devices that can support the required security settings are allowed to sync content.
Moving on to the security tab, you’ll uncover a wealth of options. Just how far beyond a basic PIN requirement you want to go is completely up to you. The settings shown below represent what suffices for 99% of the Office 365 tenants in my experience. They’re also a good balance between securing your tenant and not alienating your users. These settings will ensure your users have at least a 4-digit numeric PIN stronger than 1111, a phone that auto-locks after 60 seconds of sitting on a bar stool, and if a thief or drunk user fails to enter the password 5 times in a row, then the device will wipe.
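
The same settings can be audited and applied from Exchange Online PowerShell. This is an added example, not part of the original post: the mapping from the dialog settings described above to `Set-MobileDeviceMailboxPolicy` parameters is an assumption, and `$PinBaseline` and `Compare-PinPolicy` are hypothetical names.

```powershell
# Baseline built from the settings described in the post (mapping is an assumption).
$PinBaseline = @{
    AllowNonProvisionableDevices = $false      # first tab: box unchecked
    PasswordEnabled              = $true       # require a PIN at all
    AllowSimplePassword          = $false      # reject PINs such as 1111
    AlphanumericPasswordRequired = $false      # a numeric PIN is enough
    MinPasswordLength            = 4
    MaxInactivityTimeLock        = '00:01:00'  # auto-lock after 60 seconds
    MaxPasswordFailedAttempts    = 5           # wipe after 5 failed attempts
}

function Compare-PinPolicy {
    # Emits one object per setting that differs from the expected baseline.
    param(
        [Parameter(Mandatory)] $Policy,
        [hashtable] $Expected = $PinBaseline
    )
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        # Compare as strings: remote sessions return values such as 'Unlimited'.
        $actual = "$($Policy.$name)"
        $wanted = "$($Expected[$name])"
        if ($actual -ne $wanted) {
            [pscustomobject]@{ Setting = $name; Actual = $actual; Wanted = $wanted }
        }
    }
}

# Constructed sample standing in for a policy object, so the check runs offline.
$sample = [pscustomobject]@{
    Name = 'Default'; AllowNonProvisionableDevices = $true; PasswordEnabled = $false
    AllowSimplePassword = $true; AlphanumericPasswordRequired = $false
    MinPasswordLength = $null; MaxInactivityTimeLock = 'Unlimited'
    MaxPasswordFailedAttempts = 'Unlimited'
}
Compare-PinPolicy -Policy $sample | Format-Table -AutoSize

# With a connected Exchange Online session: audit the default policy, then preview the change.
if (Get-Command Get-MobileDeviceMailboxPolicy -ErrorAction SilentlyContinue) {
    $default = Get-MobileDeviceMailboxPolicy | Where-Object IsDefault
    Compare-PinPolicy -Policy $default | Format-Table -AutoSize
    Set-MobileDeviceMailboxPolicy -Identity $default.Identity @PinBaseline -WhatIf
}
```

Drop `-WhatIf` once the preview matches what you intend to enforce, and rerun `Compare-PinPolicy` afterwards to confirm nothing is left outside the baseline.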