• EMM Game-Changing Announcement #2

    As you likely noticed, over the last couple weeks I’ve been hinting at some big “events” and earlier today I discussed the first one: Confirmation of the General Availability (GA) dates for the upcoming Intune updates as well as the updates for the Office for iPad apps that will enable secure, managed mobile productivity. Check the link above where I go through all the reasons that this genuinely changes the game for the EMM industry.

    Now, let’s look at the 2nd one:

    Event #2: MDM is a Part of Office 365!

    Office 365 will be updated in Q1 2015 to include mobile device management (MDM) capabilities by integrating a subset of Microsoft Intune MDM capabilities directly into Office 365. This means that going forward Office 365 will include built-in MDM capabilities to help organizations manage iOS, Android, and Windows Phone devices that connect to Office 365.

    The license for the MDM capabilities is included in the Office 365 license, and the Intune MDM capabilities will be deeply integrated into the Office 365 administrative console. This is a HUGE value for customers. Let me explain why:

    The Most Broadly Used MDM Solution Just Got Better

    Let’s start with a question from today’s previous post: What application is managing more mobile devices than any other? Easy: Exchange.

    Years ago, the Exchange team was one of the first groups in the industry to recognize and understand the need to manage and secure mobile devices. The scenario in question was simple: Users wanted to get corporate e-mail on their mobile devices, and IT needed a way to do that while ensuring that data was secure and protected. In response to this scenario, Exchange Active Sync (EAS) was born.

    Today, Exchange via EAS is (by a very wide margin) the most commonly used MDM solution in the world. It is estimated that EAS is currently managing 100s of millions of devices around the globe. With today’s announcement, the MDM capabilities of Exchange delivered through Office 365 are significantly richer. These new MDM capabilities in Office 365 will enable organizations to deliver e-mail (Exchange) and file sync (OneDrive for Business) to users across all the devices they want to use – and this will be done with the confidence that the sensitive and confidential data accessed through these devices is secure.

    A subset of Intune MDM capabilities will be seamlessly integrated into the Office 365 administrative console. As Office 365 administrators go to the console in Q1 they will see an “MDM” set of capabilities light up right next to where the current EAS capabilities are configured. All the administration is done through the Office 365 console and then Office 365 communicates with the Intune service through a secure and integrated Web service API to effect the changes. It’s just that simple. Here is a screen shot I took earlier today of the actual pre-production service. Notice how integrated the MDM capabilities being delivered by Intune are in the Office 365 experience.

    [Image: Cap1.2]

    We have also built monitors for the end-to-end scenarios across Office 365, AAD, and Intune – all of these are working together to deliver this secure, managed, mobile productivity. We have integrated the operations, servicing, and escalation processes across AAD, Intune, and Office 365 to provide an integrated end-to-end experience for you – if/when you need to call for support.

    What MDM Scenarios are Enabled in Office 365?

    With the new MDM capabilities for Office 365 there are now more than 100 additional configurations and settings that O365 admins can use across Windows, iOS, and Android devices which were not available with EAS.

    The way the industry should think about this is pretty straightforward: The MDM capabilities of Intune represent the evolution of EAS, and this is where everyone using EAS should upgrade to for more feature-rich MDM capabilities.

    Amongst all these great new MDM capabilities, there are a couple big features included in Office 365 that early users have already identified as key reasons to upgrade from EAS:

    [Image: Chart1]

    Here is a capture (again taken yesterday from the pre-production O365 service) of some of the MDM settings that can be configured from within the Office 365 console.

    [Image: Cap2]

    Is there a Simple Upgrade to the Full Intune/EMS?

    Absolutely!

    The MDM capabilities being delivered through Office 365 are a great start for organizations embracing Enterprise Mobility Management. This is a very simple way to get started and put additional layers of protection around corporate e-mail and corporate files being accessed on mobile devices. This is perhaps the fastest way to get started and add additional protection.

    For the 100s of millions of devices being managed through EAS, this is a huge step-up in functionality. As these capabilities are delivered in Q1 to customers already using Office 365, you will have a pretty straightforward process to upgrade from EAS to the MDM functionalities. For customers that are looking to move to Office 365 (just about every customer I meet with is in the process of considering this move), you will have a rich subset of the MDM solution waiting there for you.

    Just last week I was in meetings with the CIOs of 3 big organizations and, just to gauge their reaction, I gave each of them a heads up about this announcement as well as the next announcement we will be making (stay tuned). The level of interest that was expressed was incredible and, for the next hour, the conversation revolved around the deep integration we have done across AAD, Intune, and Office 365. All three of these CIOs had deployed other EMM solutions, and, by the end of our conversation, all 3 were saying the same thing: “I can clearly see why I will want to use the integrated solution from Microsoft.”

    With that in mind, we started planning the migration from their “existing EMM solution” to the combination of Office 365 and the Enterprise Mobility Suite (EMS).

    Getting specific, the following is a chart that demonstrates at a high level the Intune capabilities that are not included inside of O365. We believe many organizations will want the full Intune capabilities – especially around managing and securing Office mobile apps, selective wipe for all corporate content, and integrated PC management. The key here is you have a simple place to start with the MDM capabilities included in O365 and a clear/simple upgrade path to the full Intune/EMS solution.

    [Image: Chart2]

    Why is this Announcement a Game Changer?

    We talk a lot in the industry about the “infrastructure” that is used to deploy, secure, and protect company assets. All of the work we do as an industry is ultimately targeted at protecting the apps and the data that is getting created, accessed, and used. It’s all about the apps! When looking at Enterprise Mobility Management (EMM), it’s no big secret what app everyone wants to protect first. E-mail!

    With today’s announcement, the first app every organization wants to secure and protect now comes with MDM capabilities natively built into it. These MDM capabilities can be applied to Outlook running on mobile devices, as well as the in-box e-mail applications (e.g. the in-box e-mail app that ships on iOS devices). As organizations start their EMM journey, most begin with applying settings (MDM) to devices and then proceed to managing applications (starting with e-mail). Now all of that can be done natively from Office 365.

    We expect that there will be 10s of millions of devices under management via the new MDM capabilities included in Office 365. One of the big benefits (which may not come to mind immediately) you get from that kind of volume has to do with the benefits of massive scale. Intune will become the most commonly used MDM/EMM solution on the market, and, as that usage scales, we will constantly be learning from that volume of usage. These learnings will allow us to constantly improve the scenarios that are enabled and the capabilities of the service as we monitor our telemetry and react daily to that data and feedback from around the world.

    Pretty incredible, right?

  • EMM Game-Changing Announcement #1

    If Enterprise Mobility is important to your organization, this post includes some calendar-worthy dates.

    Over the last couple weeks I’ve been hinting at some big announcements – a number of big “events,” to be specific. After all that build up, today is the day to put a few of these cards on the table.

    Announcement #1: Confirming Our Dates!

    Back in May, at TechEd North America, we shared some details about the Microsoft Intune and Office mobile apps roadmaps. Today, I’m happy to confirm the timing of some of these announcements, as well as some new Intune updates.

    Today we are confirming the release of the Office for iPad Apps that will be natively instrumented to be managed by Intune.

    Because Intune has been built as a true cloud service, we are able to continuously update the features to deliver new capabilities and scenarios. In the next few months we will update Intune with deep integration across Office 2013 (on-premises Office) as well as deep integration with Office 365.

    In my view, this is the most significant set of Intune updates we have ever released. Here is a summary of what is coming:

    • Intune-managed Office mobile apps that enable your workforce to securely access corporate information using the apps they know and love while preventing data leakage. This is achieved by managing/restricting actions such as copy/cut/paste/save-as and interaction/"open in" between apps in your managed app ecosystem.
    • Mobile Application Management for iOS and Android devices that enables you to keep corporate apps and content separate from users’ personal apps and data. This feature empowers IT to apply policy to the corporate content while staying clear of the user’s personal content. Microsoft is building containers for Windows devices that will be released as a part of Windows 10, and we have worked to drive consistent APIs across the containers being delivered across Windows, iOS, and Android devices. The data protection coming in Windows 10 will enable automatic encryption of corporate apps, data, e-mail, website content and other sensitive information as it arrives on the device from corporate network locations.
    • App wrapping capabilities that help secure your existing line-of-business applications and integrate them into your managed app ecosystem without further development or code changes. Using the Intune wrapper your line-of-business applications will be able to participate in the same managed app ecosystem as the Office mobile apps and securely share content and data with those Office mobile apps. No wrapper from any other EMM vendor can do this.
    • Managed browser, PDF viewer, AV player, and Image viewer apps for Intune that allow users to securely view content on their devices within the managed app ecosystem.
    • Grant conditional access to corporate resources, including access to Exchange e-mail and OneDrive for Business documents. This access is based on device enrollment and compliance policies set by the administrator. This is also something that no other EMM solution can deliver.
    • Bulk enrollment of devices using Apple Configurator or a service account, simplifying administration and enabling policies and applications to be deployed at a scale (you can read more about this here).

    Unparalleled Agility with Our Cloud Architecture

    Because Intune is purely a cloud service, our rapid cadence of updates to our capabilities means that you are always operating the most refined product possible. A couple of years ago we were faced with a decision about whether or not to simply host ConfigMgr from the cloud or spend the additional time to engineer a true cloud service to deliver Enterprise Mobility. Looking back, I believe we made the right choice: Create Microsoft Intune as a cloud service and then integrate it with SCCM.

    Every single day we see the positive impact of that decision – Intune delivers a level of agility, flexibility, and scale that you simply cannot get from an on-premises product.

    While we were studying the question of whether to transform SCCM or build Intune, we had a really impactful learning experience that set the tone for everything we did next. A lot of you may remember that several years ago we launched a Desktop Management Service (it was actually called DMS) and, with its launch, Microsoft assumed responsibility for managing the PCs of three different organizations (with each of those orgs having about 6,000 PCs). This effort was run from my engineering team, and we approached this responsibility as an opportunity to learn every possible challenge associated with managing PCs, as well as to identify ways to better quantify the associated costs and complexities of PC management.

    We learned a LOT!

    One of the biggest things we learned was the importance of “code velocity.” Code velocity is one of the key elements we measure in our engineering teams here at Microsoft – it is a measure of the time that elapses between when a software engineer checks in code until the time that code appears in the live service. With a true cloud service you can have a code velocity that can be measured in hours instead of weeks or months. That is the kind of velocity we aspire to have here at Microsoft, and it’s what you should demand from your Enterprise Mobility Management partners.

    One really important thing to point out: As you look around the industry you’ll notice that each of these competitors is essentially hosting their on-prem products and then calling it a service. I know first-hand the challenges associated with doing this, and I know all too well that they will never have the kind of agility you need.

    Over the next few months I’ll be writing regularly for a new series focusing on the architecture of what we have built with Intune and the integrated scenarios across AAD, Office 365 and Intune. The series is called “Architecture Matters.” And it really, really does matter.

    Why Are These Announcements Game Changers?

    A quick question: What is the most commonly used application in business? That one’s easy: Microsoft Office.

    Office has long been a foundational part of many organizations, and we see that continuing. The seriousness of our vision for the future of Office (for enterprises and across all devices) has been most recently demonstrated by the release of Office for iPad. Our vision here is pretty clear: We will offer the most comprehensive and rich solution for enabling users to be productive on the devices they love while helping secure corporate assets.

    The integrated solution that we are delivering brings together identity, productivity, and management in a way never before seen in the industry. End-users have that beautiful, unmistakably Office experience across all their devices. Access to the corporate applications they need is managed and audited via Azure Active Directory. Intune delivers the ability to apply policy and protect the corporate data being created and viewed in the Office mobile apps. And, of course, we’ve already done all the deep technical integration work.

    This integrated solution will also help drive some much needed consistency in the market. Today there are at least 10 different container solutions from various vendors. The Enterprise Mobility Management market is super young and no solution has achieved a significant market share. But consider how many mobile devices are being used to access corporate assets around the globe today. For the sake of argument, let’s say the number is 500m (which I think is pretty likely to be low). To-date there have been maybe 20m licenses purchased across all the EMM vendors, and about 50% of those are deployed. This is, indeed, a very, very young market.

    At the moment, each of the primary EMM vendors has built their own container solution, but none of these containers have been successful in building a rich partner ecosystem around that container. Customers and ISVs around the globe are voicing their frustration around this complexity, and the ISVs (Microsoft included) simply cannot afford to do the integration work necessary to support so many different containers. The frustration is understandable – customers have been unable to get their internal and ISV-delivered applications all participating together in a common mobile application management solution.

    We have a solution in mind: Our integrated solution around identity, productivity and management will help drive convergence across the industry. For all the obvious reasons, every ISV we’ve spoken to wants to participate in the same mobile application management solution as the Office mobile apps so that corporate content can be securely shared across their apps and the Office mobile apps. ISVs see the same thing we do: A way to bring some rationalization and consistency to the industry and deliver a more integrated and more complete solution for customers.

    One final note here on why this is a set of game changing announcements:

    Over the past year I have personally been able to speak with 100s of customers about their Enterprise Mobility needs. And what I’ve heard more times than I can count is this: “I just wish we could deliver the richness of Outlook and Office for our users across all their devices.” I’ve been very proud to respond to this feedback with the news that Microsoft is now delivering the richness (both capabilities and experience) of Office to the devices users want to use – and that this is all managed and secure.

    If you’re using an EMM solution from another organization (AirWatch, MobileIron, Good Technology, etc.), I really encourage you to step back and ask yourself if you want to continue to use the homespun e-mail app and associated editors from those vendors, or if your long-term strategy is going to include the countless benefits of using Microsoft Office. Most organizations around the world want the ability to use Office across various platforms – we are delivering a secure and well managed way to do exactly that!

  • Big Announcements on the Way!

    Quick update to the Enterprise Mobility community: 

    Over the next couple weeks I’m going to be blogging about some major announcements that will be game-changing in the Enterprise Mobility Management industry.  These announcements are going to raise the expectations enterprises have about what EMM should do for them.

    I’ll cover each of the announcements right here and discuss in detail what each one means, its benefits, and how to get started.

    The first announcement is just a few days away...

  • We Really, REALLY Want You to Use the Services You Purchase

    What’s better than purchasing the Enterprise Mobility Suite (EMS)? Purchasing EMS and getting professional services included from a partner of your choice to help you start using the service as quickly as possible!

    That kind of deal is exactly what we are offering right now! Who knows, we may even throw in some Ginsu knives in the future!

    Every week here at Microsoft HQ we spend a lot of time reviewing the list of customers that have purchased subscriptions to our services (like Microsoft Intune) but have not yet started to use the service offering. The reason for these weekly reviews is simple and really important: As engineers, one of the things we love the most is seeing the things we create being used. To see the adoption rates of our products, we use these meetings to wallow in the minute details of the usage telemetry of our services. Usage is the real indicator of the value and utility of what you have built – so we spend a lot of time reviewing it and finding ways to help people get the most out of the solutions they already own.

    [Quick tangent: If you are a software engineer looking to work on what will very soon be the most commonly used Enterprise Mobility Management Platform, contact me – we are doing lots of hiring!]

    To help enable usage, we’ve developed an incredible program that I think everyone will really like: Starting now, we are offering deployment funding so you can hire experts to help you get up and running with your software as quickly as possible.

    You read that correctly: We’ll provide time with your trusted partner to help get you deployed on Microsoft Intune, Azure RMS, and Azure Active Directory Premium as quickly as possible.

    These professional services will help you start using the services you’ve already purchased. This program has been in place for 3 months and (predictably) we’re seeing huge uptake in this program. Since this program started in July we’ve seen nearly 50% of all the EMS purchases make a request – and we’ve filled every single one.

    As great as this sounds, I know there’s one big question: “How much help are you talking about?”

    For customers that purchase more than 1,000 EMS seats, you’ll get $10,000 worth of professional services to help deploy one of the services, and that number doubles to $20,000 if you decide to deploy 2 or more of the services. If your organization is under 1,000 seats there are also funding options available.

    Making the request is simple: Contact your local Account team before December 31st, 2014 and ask them how to get help with your EMS deployment, and to find out about any restrictions or terms.

    To help with as many implementations as possible, we recently brought in a collection of key partners from around the world to train them on EMS. The demand for these trained resources is high, so I recommend completing your EMS purchase and scheduling your time ASAP!!!

  • Podcast Thursday: How Machine Learning Makes You More Secure

    In this episode of the ITC Podcast, I look at the topic of cloud-based Machine Learning and the big things it can do to set your mobile strategy apart right now.  I’m joined again by Alex Simons, and this topic really builds upon our discussion last week about cloud-based data protection with Azure RMS.

    To read more about this topic, check out my post New Levels of Security via Machine Learning, and also visit the Machine Learning Blog.