• The Endpoint Zone, Episode 3: iPad, iPhone, and Android on Office!

    In this month’s installment of the tech industry’s official enterprise mobility talk show©, we review the HUGE announcements from last month. HUGE!

    This month The Endpoint Zone examines:

    • GA dates for Intune updates and Office mobile apps + the release date for the very popular Office for iPad apps.
    • Overview of the MDM integration of Intune directly into Office 365.
    • Overview of Office for Android (read my overview here).
    • Discussion with all-star IT guy Patrick Wirtz from The Walsh Group.

     

  • EMM Game Changing Announcement #3

    Three words: Office on Android

    Wow!!!

    Last week, after several weeks of hinting at some big “events,” we made two big announcements: The first one confirmed the General Availability (GA) dates for the upcoming Intune updates, as well as the updates for the Office for iPad apps. The second one announced that Office 365 will now have MDM natively instrumented by integrating a subset of Microsoft Intune.

    Today’s announcement is Game Changer #3: A beautiful, unmistakably Office experience on the Android Tablet. 

    You can watch my detailed discussion of this on today’s new episode of The Endpoint Zone.

    When Office is coming to Android has been one of the most common questions I’ve received from family, friends, and customers over the past few months. Everyone wants that incredible Office experience on all their devices – and now that’s possible.

    This news comes on the heels of our recent announcements about new Office apps for the iPhone, updates to the Office for iPad, and confirmation that new, touch-optimized Office apps for Windows 10 are in the works.

    There are currently more than 1B users of Microsoft Office around the world, and, with these recent announcements, those 1B (and constantly growing!) users can use Office across all their devices.

    Why is this Game Changing in Enterprise Mobility Management?

    Workers using Android tablets and iPhones have had to settle for poor experiences for far too long. The experiences they’ve been getting from other EMM vendors attempting to deliver Office capabilities have simply fallen short. Really short.

    No longer.

    With these recent announcements, organizations can now deliver the Office experience to all their users, across all their devices.

    Looking at the very near future, there is good reason to get really excited:

    • Office for iPad apps managed by Microsoft Intune and the Enterprise Mobility Suite are coming in the next few months.
    • The Office for iPhone apps will also be manageable by Intune when they are updated in 2015.
    • When the Office for Android apps are released in early 2015, they will also be enlightened to be manageable by Intune.

    This deep level of management offered for the Office mobile apps (e.g. the ability to control where files can be saved, as well as sharing data with the Office mobile apps in a managed environment) will require Intune as the MDM/MAM solution. The reason is simple and practical: The work we have done to integrate these apps with Azure Active Directory and Intune is massive and intensively thorough. I am really proud of the work the team has done to bring together this end-to-end solution.

    I am going to write about this deep integration over the next couple of months in a series focused on architecture.

    As you start to use these Office apps, I think you’ll appreciate the fact that we have done the technical integration, as well as the operations, customer service, and customer escalation. Bottom line: We have thought about and built this end-to-end, and we’re delivering an incredible integrated experience that is not replicable anywhere else.

    But enough talk – here is what the Office for Android Tablet apps look like!

    Word for Android Tablet (screenshot)

    Excel for Android Tablet (screenshot)

    PowerPoint for Android Tablet (screenshot)

  • Success with Enterprise Mobility: Managed Browser


    A few weeks ago I wrote about the importance (and, for many vendors, the difficulty) of protecting at the app layer (via MAM in Intune). The first app that every organization wants to protect is e-mail and I wrote about Secure E-mail – using both Outlook and the native e-mail app that ships on a device.

    What’s the next app that everyone wants to protect? The most common answer is the browser that is being used to access corporate data, websites, and the SaaS apps being used. When you think through the complete scenarios, you recognize that far more than just a browser is required; you need a set of apps that can all participate with the browser to deliver the experience the users expect. Apps like Microsoft Office editors/viewers, PDF viewers, image viewers, an AV player, etc.

    Just like in e-mail, many organizations will want to separate the corporate content being accessed through a browser from the personal content or website the user accesses. The easiest way to provide this for end-users is to actually give them two browser apps – the default one they are accustomed to using for personal use, and then a browser that is expressly used for accessing corporate sites and data. In this setup, IT is able to apply policies to the corporate browser without ever touching the personal browser.

    There is both a corporate and personal benefit here: IT is able to protect the corporate data being accessed while staying away from the personal browser so that the user’s device privacy remains intact.

    As noted in one of last week’s two big announcements, in the next few months the Intune Managed Browser and viewers will ship natively instrumented to be managed by Intune’s app management policies, and the Managed Browser will give organizations the ability to protect, at the app layer, web content found on an intranet, on the internet, on SharePoint sites, or within SaaS applications. The Intune browser is built on each platform’s framework, and it uses the same rendering engine as Safari on iOS and Google Chrome on Android.

    The value of a Managed Browser is huge, so, before I dive into the differentiations we’ve built into ours, I want to highlight a few scenarios where a Managed Browser is indispensable:

    Scenario 1:

    • An employee is going through her work e-mails in the iOS Outlook app when she gets a mail from a colleague with a link to a SharePoint doc about a new feature in an upcoming release. When she clicks on the link it opens the Word Online document in her default Safari browser. The new features are really impressive, and she is really excited about them – so excited, in fact, that she decides to post some of the text on Facebook to show her friends. This is a huge potential data leakage problem.
    • Solution: IT professionals need to be able to set policy so that internal corporate links always open in the Managed Browser, where copy and paste can be managed and limited to corporate applications.

    Scenario 2:

    • One of your employees has lost his device. He was browsing corporate sites and the browser cached the history, data, and cookies. There is a lot of sensitive data (and links to data) inside this device.
    • Solution: The IT admin needs a way to remove the corporate browsing history and browser cache with the touch of a button.

    Scenario 3:

    • A school district wants students using school-issued iPads to only access a few pre-defined, pre-approved websites.
    • Solution: IT admins need a way to quickly and easily create policies that allow browsing on only specifically defined URLs.

    The Managed Browser that we have built offers the needed solution for each of these scenarios – and many more. The importance of this Managed Browser is going to continue to grow. What I generally see within organizations today are employee-facing apps predominately written as web apps that can be accessed from devices. An increasing amount of corporate content is going to flow through the browser – and users are going to demand an experience that keeps pace.

    With this Managed Browser functionality, IT admins can be really proactive about the security of this easily overlooked part of the infrastructure. For example, admins can define and enforce browsing policies from the Intune admin console that not only enable managed browsing but also limit that browsing to pre-approved websites.

    To prevent data leakage as a result of browser-based activities, IT admins can also set the Intune MAM policies which specify that any attachments or URLs in MAM-enlightened apps can only be opened using the Managed Browser or viewers. IT admins can also set the app management policies on the browser for restricting data leakage and enforcement of any corporate data access requirements.

    The Managed Browser is an integral part of our data protection story. The complete package of Office Mobile apps + browser + viewer apps is perhaps the most unique value we are offering. This empowers the end-to-end secure email and collaboration story. The Microsoft Office mobile apps (Outlook, OneDrive, Word, PowerPoint, etc.), along with the Managed Browser and the viewer apps, will provide the most productive and most secure experience for end users across all of the mobile OS platforms.

    The list of policies supported by the Managed Browser is pretty impressive:

    • Allow/Block list of URLs
    • Allow/Block Copy/Paste
    • Allow/Block Screen Capture
    • Allow/Block Print
    • Prevent file backup to unauthorized locations
    • Restrict sharing of data between applications, e.g. data can be shared only between Intune MAM-enlightened applications (and any app can be “wrapped” and “enlightened”)
    • Require a PIN for launching the app, e.g. the administrator can specify the PIN complexity and caching duration
    • Require authentication using corporate credentials before launching the app
    • Require compliance with device policies for launching the app, e.g. if the device is jailbroken, the application will not launch
    • Enforce encryption of app data at rest
    • Remote wipe of data (cookies, history, cache)

    These policies are delivered as an integrated security solution, and this gives the IT teams a tremendous amount of power. I’m talking about integration, configuration, UI, UX, and control features that are simply not available from other vendors and which dramatically differentiate the solution we’ve brought to market.

    For example, the exhaustive work we’ve done to integrate management and productivity is really impressive. The MAM-enlightened Office apps seamlessly work with the MAM-enlightened Intune browser and viewer apps to prevent data leakage throughout the workflow.

    Configuration of policies is simple. The IT admin can configure both the MAM policies and browser URL allow/deny policies in one convenient workflow within the Intune admin console.

    The allow/deny URL policies can also be used to provide a kiosk-mode-like solution. This simple, powerful UI lets the IT team allow only one URL domain – just as they would for kiosk mode.

    Because the MAM-enlightened Intune browser is so functional and its UX so polished, it can be used as a standalone browser when the native browser is blocked.

    The URL entries an IT admin places in the allow/block list accept wildcards, which gives IT admins control at a granular level: they can now allow or block at the subdomain or folder level rather than only whole sites.
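    To make the allow/block semantics concrete, here is a small policy evaluator written for this page; it is an added example, not Intune’s own matching code, and its rules are assumptions: `*.` on a host matches subdomains only (the apex domain needs its own entry), a trailing `/*` matches a folder and everything beneath it, an entry with no path covers the whole site, block entries win over allow entries, an allow list that exists blocks everything it does not cover, and a URL with no parseable host is blocked (fail closed). The sample lists and URLs are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Sequence
from urllib.parse import urlsplit


@dataclass(frozen=True)
class UrlRule:
    scheme: str  # "http", "https", or "*" for either
    host: str    # exact host, or "*.contoso.com" for any subdomain (assumed semantics)
    path: str    # exact path, or a folder prefix ending in "/*" (assumed semantics)


def parse_rule(pattern: str) -> UrlRule:
    """Turn an admin-entered entry such as "https://*.contoso.com/hr/*" into a
    UrlRule. An entry with no path is assumed to cover the whole site."""
    if "://" in pattern:
        scheme, rest = pattern.split("://", 1)
    else:
        scheme, rest = "*", pattern
    host, _, path = rest.partition("/")
    return UrlRule(scheme.lower(), host.lower(), "/" + path if path else "/*")


def _host_matches(rule_host: str, host: str) -> bool:
    if rule_host.startswith("*."):
        suffix = rule_host[1:]  # ".contoso.com"
        # Subdomains only: "contoso.com" itself needs its own entry, and a
        # look-alike such as "contoso.com.evil.example" does not end in the suffix.
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == rule_host


def _path_matches(rule_path: str, path: str) -> bool:
    if rule_path.endswith("/*"):
        folder = rule_path[:-1]  # "/hr/"
        # "/hr/*" covers "/hr", "/hr/" and anything under it, but not "/hrx".
        return path == folder.rstrip("/") or path.startswith(folder)
    return path == rule_path


def matching_rule(url: str, rules: Sequence[UrlRule]) -> Optional[UrlRule]:
    """Return the first rule the URL matches, or None."""
    parts = urlsplit(url)
    # .hostname is lower-cased and strips userinfo and port, so
    # "https://intranet.contoso.com@evil.example/" is judged on "evil.example".
    host = parts.hostname
    if not parts.scheme or not host:
        return None
    path = parts.path or "/"
    for rule in rules:
        if (rule.scheme in ("*", parts.scheme)
                and _host_matches(rule.host, host)
                and _path_matches(rule.path, path)):
            return rule
    return None


def evaluate(url: str, allow: Sequence[str], block: Sequence[str]) -> str:
    """Decide "allow" or "block" for one navigation. Block entries win; if an
    allow list exists, anything it does not cover is blocked; an unparseable
    URL is blocked rather than let through."""
    allow_rules = [parse_rule(p) for p in allow]
    block_rules = [parse_rule(p) for p in block]
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return "block"
    if matching_rule(url, block_rules) is not None:
        return "block"
    if not allow_rules or matching_rule(url, allow_rules) is not None:
        return "allow"
    return "block"


# Constructed sample lists in the shape an admin might enter them.
ALLOW_LIST = ["https://contoso.com", "https://*.contoso.com/*", "http://intranet.contoso.com/hr/*"]
BLOCK_LIST = ["https://sandbox.contoso.com/*"]

if __name__ == "__main__":
    for url in ("https://sharepoint.contoso.com/sites/hr",
                "https://sandbox.contoso.com/test",
                "http://intranet.contoso.com/finance/",
                "https://intranet.contoso.com@evil.example/"):
        print(evaluate(url, ALLOW_LIST, BLOCK_LIST), url)
```

    The host check deliberately runs on the parsed hostname rather than on the raw string, so userinfo tricks and mixed case do not bypass the list, and a URL the parser cannot classify is blocked rather than allowed.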

    Browser User Experience:

    I think users will really appreciate the intuitive user experience on Intune Managed Browser. It is very similar to the native browsers that users are already comfortable using (common features like a navigation bar, navigation arrows, and refresh button). The tabbed browsing allows multiple websites to be open in the same window and, by adding, editing and deleting bookmarks, you can manage shortcuts to key webpages.

    Example of iOS Intune Browser:

    This is a MAM-enabled Word document with an http URL. To start, select and click on “Open.” (screenshot)

    The link opens in the Intune Managed Browser. (screenshot)

    Clicking on the bookmarks icon displays any key sites you want to list. (screenshot)

    Editing a bookmark is also simple. (screenshot)

    So is deleting a bookmark. (screenshot)

    It’s also simple to add or delete tabs. (screenshot)

    As noted earlier, the controls in the browser are very familiar. (screenshot)

    Blocking access to certain sites is also easy. If an IT admin has blocked a specific URL the user is trying to access, the user sees a blocked-page message. (screenshot)

    IT admins can also block copying from the browser to an unmanaged app. In the screenshots, the user can copy from the browser but cannot paste into the unmanaged Notes app because “Paste” is disabled in the options. (two screenshots)

    However, the user can paste into the MAM-enlightened Word app. (two screenshots)

    The Intune Managed Browser is another example of our “One Microsoft” approach in action for a secure productivity solution.

    The three big takeaways here:

    • Microsoft Intune provides the Mobile Application Management (MAM) for the apps.
    • Microsoft Office and the Intune browser apps are natively enabled to accept the MAM policies and work seamlessly together.
    • Azure AD provides the authentication and single-sign-on for all the MAM enlightened apps.

    The combination of Intune, AAD, and Office makes the Intune Managed Browser a superior option to any other functionality available anywhere else.

  • Success with Enterprise Mobility: Containing Corporate Data


    There was an interesting survey recently published by Ovum that looked at enterprise end users and their concerns about bringing their own devices into work (BYO). The research revealed that the number one concern of enterprise end users is “a lack of trust in employers and a lack of faith that individual privacy will be protected.”

    As an industry, we talk a great deal about containers and how container technology enables us to keep corporate data separate from personal data. Our conversations are really focused on corporate data and securing that corporate data. There are definitely two sides to this coin: Containers provide a level of protection for corporate data, but they also provide a level of protection for the end user. For example, consider your smartphone; chances are it is a very personalized device. In many ways, our phones become an extension of us – they contain personal content in e-mail, texts, photos, financial information – and we don’t want IT venturing into any of this. As we have been building our Mobile Application Management capabilities, we have defined scenarios that apply to protecting corporate information as well as protecting the user’s information.

    Now when we talk about MAM, a lot of the conversation is really about “containing” corporate apps and corporate data and keeping them separate from the personal apps and data. The very first app that every organization wants protected is, of course, corporate e-mail. Next on the list is corporate web content, and third is corporate files. These three things represent the first tier of apps that need to be protected, and the next tier is largely made up of internal line-of-business apps.

    In previous posts, I’ve talked about layered data protection, as well as a Secure E-mail workflow (which is often the on-ramp into document collaboration). In this post I’m going to dig into the document workflow and look at how the work we’ve done enables end users to be productive on the go while protecting corporate data.

    In organizations all over the world, the following user scenario occurs every day with lots of end-users:

    An information worker is using an Android device that has previously been enrolled for management and it is complying with the IT-defined MDM policies (e.g. setting a device PIN). This is the first layer of protection (the device).

    Next, the worker self-provisions a set of apps to his/her device – some are company specific (like an expense reporting app), and others are ISV apps being delivered from the various stores (like Word or OneDrive for Business).

    The worker now needs to create some content and post it to the company website, so he/she opens Word. Behind the scenes, without the end user even noticing, the configuration of the device is quickly compared with a set of IT policies (e.g. does it have a power-on password, is the device encrypted, has it been jailbroken). When the service (Intune) verifies that the device is compliant, the app is launched. This is a conditional access policy that is operating at the app layer.

    Because this device and profile are still compliant, the app launches and the authoring begins. Within that post the worker adds a couple of links to company videos and some images pulled from SharePoint via OneDrive for Business. When the author needs to test the links, a list of managed apps that can open that content pops up.

    Elsewhere in the post, there’s a need for data that currently sits in an Excel file. The worker can easily open that file on a device and copy charts into the post since Excel is also policy managed. Once the post is done and ready for review it is saved to OneDrive for Business within Word so all the necessary colleagues can review it – this is allowed by the MAM policy. This is the second layer of protection (the app).

    The post is further protected on the SharePoint site since the IT Pro configured the document library to automatically apply RMS to all Word documents. This is the third layer of protection (the file).

    Finally, the worker has authenticated with a corporate identity at each step, including authenticating to the SharePoint service through AAD in order to launch your company apps (with SSO, so the user experience is not impacted).

    This is the fourth layer of protection (the identity).

    Now let’s consider the new components of this scenario:

    • MAM data leakage policies
    • Policy manageable applications
    • Policy managed viewers
    • Conditional Access for document services
    • Integrated client and service solution

    MAM Data Leakage Policies

    As I discussed in my App & Data Protection post, Intune provides a set of MAM policies specifically targeted at data leakage. In the scenario above we saw a couple of these in action.

    Data Sharing Between Apps

    In that scenario, data sharing in all three applications (OneDrive for Business, Word, and Excel) was restricted to allow sharing only with other managed apps. As a result, the user saw only managed apps offered as viewers for the video link (a protocol) in the Word doc. Data sharing between apps can be controlled separately for data incoming to a managed app and for data outgoing from a managed app. The options are none (no sharing), policy managed (only other managed apps), and any (any app).

    Cut/Copy/Paste Between Apps

    In the scenario, cut/copy/paste in Excel was restricted to allow pasting only into other managed apps. Again, the options are none (no sharing), policy managed (only other managed apps), and any (any app).

    Saving Data from an App

    Some mobile applications support saving directly to the local file system or to services via SDKs integrated in the app. In the scenario, Word was allowed to save to OneDrive for Business. The Save As policy options are enabled (restricts Save As) and disabled (allows Save As).

    Other data leakage policies include:

    • Prevent local and remote file backup – enabled/disabled
    • Block screen capture – enabled/disabled
    • Encrypt data at rest – yes/no (with platform specific options)
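    The three data-leakage controls described above (sharing between apps, cut/copy/paste, and Save As) are easiest to reason about as a small decision table, so here is one written for this page. It is an added example, not the Intune App SDK or service logic, and the model is assumed: an unmanaged app carries no policy, a transfer is permitted only when the source’s outbound (or cut/copy/paste) setting and the target’s inbound setting both permit it, and an enabled Save As restriction limits saving to a constructed set of managed storage locations. App names and policies are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

SHARING_LEVELS = ("none", "policy_managed", "any")


@dataclass(frozen=True)
class MamPolicy:
    """Per-app data leakage settings (modelled after the options named in the post)."""
    inbound: str = "policy_managed"         # data arriving from another app
    outbound: str = "policy_managed"        # data leaving for another app
    cut_copy_paste: str = "policy_managed"  # clipboard transfers
    restrict_save_as: bool = True           # enabled = restrict Save As

    def __post_init__(self) -> None:
        for level in (self.inbound, self.outbound, self.cut_copy_paste):
            if level not in SHARING_LEVELS:
                raise ValueError(f"unknown sharing level {level!r}")


# Constructed sample: the MAM-enlightened apps from the scenario and their policy.
POLICIES: Dict[str, MamPolicy] = {
    "Word": MamPolicy(),
    "Excel": MamPolicy(),
    "OneDrive for Business": MamPolicy(),
}
# Constructed sample: destinations an enabled Save As restriction still permits (assumption).
MANAGED_STORAGE: Set[str] = {"OneDrive for Business", "SharePoint Online"}


def _permits(level: str, other_is_managed: bool) -> bool:
    """Evaluate one side of a transfer against the three-way setting."""
    if level == "none":
        return False
    if level == "policy_managed":
        return other_is_managed
    return True  # "any"


def can_transfer(source: str, target: str, policies: Dict[str, MamPolicy],
                 via: str = "share") -> bool:
    """True if data may move from source to target. via is "share" (open-in /
    share sheet) or "paste" (clipboard). Unmanaged apps impose no policy, so a
    transfer between two unmanaged apps is always the user's business."""
    src, dst = policies.get(source), policies.get(target)
    allowed = True
    if src is not None:
        level = src.cut_copy_paste if via == "paste" else src.outbound
        allowed = allowed and _permits(level, dst is not None)
    if dst is not None:
        level = dst.cut_copy_paste if via == "paste" else dst.inbound
        allowed = allowed and _permits(level, src is not None)
    return allowed


def available_viewers(source: str, candidates: List[str],
                      policies: Dict[str, MamPolicy]) -> List[str]:
    """The list the user sees when opening a link from a managed app."""
    return [app for app in candidates if can_transfer(source, app, policies)]


def can_save_as(app: str, destination: str, policies: Dict[str, MamPolicy],
                managed_storage: Set[str] = MANAGED_STORAGE) -> bool:
    """Save As is unrestricted for unmanaged apps or when the restriction is
    disabled; otherwise only managed storage destinations are permitted."""
    policy = policies.get(app)
    if policy is None or not policy.restrict_save_as:
        return True
    return destination in managed_storage


if __name__ == "__main__":
    print(available_viewers("Word", ["Managed Browser", "Safari", "Notes"],
                            {**POLICIES, "Managed Browser": MamPolicy()}))
    print(can_transfer("Excel", "Notes", POLICIES, via="paste"))
    print(can_save_as("Word", "Dropbox", POLICIES))
```

    Note that the target’s inbound setting is evaluated as well as the source’s outbound one: with the default policy, pasting from an unmanaged Notes app into Word is refused, which is the mirror image of the copy-out block shown in the Managed Browser screenshots.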

    Policy Manageable Applications

    I used all Microsoft apps in the above example to make a specific point. I want to point out that this kind of management can be added into any app on iOS and Android devices. We are releasing wrappers and an SDK that can be used to invite or enlighten any application to participate in the Intune MAM solution (containers).

    The bigger point I wanted to make is this: If you want this level of management/control over Outlook, Word, PowerPoint, Excel, Lync, OneNote, and OneDrive for Business, you will need to use the Intune MAM solution, as this level of management of the Office mobile apps is only possible through Intune and EMS. You can read more about this here.

    To support the MAM policy, applications need to be updated. As in the scenario above, app developers can incorporate an Intune App SDK so that apps posted in app stores can be managed by Intune. Another option for LOB apps, such as the expense app in the scenario, is the Intune App Wrapping Tool. This tool allows an IT Pro to take an existing company owned app package and add support for MAM policy via a simple command line tool that can be scripted or integrated into a company app packaging workflow.

    These two options provide flexibility to ensure policy can be applied both for commercial applications that are distributed and maintained via the app stores, and for internal LOB apps that are managed and packaged by IT.

    Policy Managed Viewers and Managed Browser

    Certain content is common across apps: images, videos, audio, and web links. To support policy-managed applications, Microsoft is releasing a small set of content viewers to enable the document collaboration workflow – specifically, a Managed Browser and platform-specific Viewers.

    Managed Browser

    This is a lightweight web viewer designed to support opening web content from managed applications. It supports the standard MAM policies in addition to browser-specific policies such as URL filtering. The Managed Browser ensures your users have a means to access protected content from managed apps. The browser is automatically launched, if required by policy, from any managed app.

    Viewers

    For Android, we also offer specific format viewers for PDF, Image, and AV. These viewers allow viewing the associated file formats in a protected way that is manageable by the standard MAM policies. For iOS, the format viewers are embedded in the Managed Browser.

    Conditional Access for document services

    As discussed previously, Conditional Access allows IT to protect access to service-based resources – i.e. making sure devices are healthy and compliant with IT policy before allowing access to data stored in that service. In the context of document collaboration, especially on mobile devices, data is often accessed from online services such as SharePoint Online or OneDrive. As noted in the scenario at the top of this post, if the device does not meet the device policies set by the IT Pro or if the app is not updated to authenticate to the services using Azure AD, access will be blocked. This further protects company data from an access perspective, and it complements the MAM policy controls for document collaboration.

    Integrated Client and Service Solutions

    Securing company data happens most effectively when each component within an end-to-end solution supports the applicable layers of data protection. In the scenario noted above, SharePoint Online and OneDrive for Business are great examples of this.

    SharePoint Online ensures that your workers are connecting from secure, compliant devices, and it supports Conditional Access. By supporting the Intune App SDK, OneDrive for Business provides a cross-platform solution to protect data via enforcement of MAM Policy.

    Across the application (OneDrive), the management components (the Intune App SDK and service), and the service (SharePoint Online), Azure Active Directory is used to simplify the sign-in process via a common authentication and identity model. This gives your workers a robust identity solution regardless of device or platform.

  • ITC Podcast: The Securest of the Containers

    In this episode, we look at a topic that has, in the past, been pretty tough for IT and ISVs to solve: securing corporate data throughout the workflow process.

    The solution is a secure container, but how to build one, how it should be used, and how to even define it has always been debated.

    Today's discussion will look at the work we've done with the Enterprise Mobility Suite to keep data secure no matter where it goes while also enabling device users to access the information they need. It's a tenuous balance, but I think Microsoft has developed the industry's best solution to this very difficult challenge.

    To read more on this topic, check out the Success with Enterprise Mobility Series, and the "Secure Collaboration" post in particular.