Microsoft To Give Office 365 an MDM Boost with Intune
- By Kurt Mackie
- March 04, 2015
Microsoft this week talked up its layered security approach to enterprise mobility, which will eventually include embedding Intune's mobile device management (MDM) capabilities into its Office 365 products.
The information comes from Microsoft's "Success with Enterprise Mobility" Web broadcast on Tuesday. The prerecorded talk, which included a "live" Q&A portion, featured Brad Anderson, corporate vice president for Enterprise Mobility, along with Alex Simons, director of program management for Active Directory.
The combination of Office 365 services and Microsoft's Enterprise Mobility Suite products will provide four layers of protection -- app, device, file and identity -- to mobile communications, according to the talk. All other software vendors are offering just two layers of protection, Anderson contended.
Intune into Office 365
Anderson spoke about an evolution of Exchange ActiveSync -- an early Microsoft method of protecting mobile applications -- that's now happening inside Microsoft's Office products. He said that an identity management system should be "conscious" of the app. To that end, Microsoft is embedding Intune's MDM capabilities into Office 365 products, which will happen sometime this calendar year.
Microsoft is enabling such protections for Office 365 apps on other platforms besides Windows. The company has built containers for Android and iOS, as well as SDKs and wrappers, that will let organizations take their apps or apps built by independent software vendors (ISVs) and have them "participate in the same containers that Office participates in," Anderson said.
ISVs can build an app for Office that plugs into a corporate access strategy built around the device state and the identity state, Simons explained. Microsoft has built a conditional access policy engine that decides whether a user may reach a cloud service based on the state of the device, he added. It checks the state of the device and then reports back to Azure Active Directory.
Simons added that Microsoft uses a container technology associated with its Office apps. For an end user using Word, the container will check to see if the device is in a "good health state." If so, it will let the Word program launch.
Anderson added that for these sorts of protections to work, organizations will need the Office 365 and Enterprise Mobility Suite combination.
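The device-state and identity-state gating that Simons describes, as an added illustration rather than Microsoft's code: the dataclass names, the policy fields and the `evaluate_access` function are my own assumptions about how such an engine could be modelled, and every check that fails is reported so the decision can be logged back to the directory.

```python
from dataclasses import dataclass

# Constructed model of the conditional-access flow described in the talk:
# the device reports its state, the identity layer is consulted, and the
# policy engine decides whether a managed app may open a cloud service.

@dataclass
class DeviceState:
    enrolled: bool            # managed by the MDM (Intune in the talk)
    compliant: bool           # passes the device health/compliance policy
    jailbroken: bool = False  # a rooted/jailbroken device is never "healthy"

@dataclass
class IdentityState:
    user: str
    authenticated: bool       # proven by the directory (Azure AD in the talk)
    mfa_completed: bool = False

@dataclass
class AppPolicy:
    app: str
    require_enrolled: bool = True
    require_compliant: bool = True
    require_mfa: bool = False
    require_container: bool = True  # app must run inside the managed container

def evaluate_access(policy, identity, device, in_container):
    """Return (granted, reasons); reasons lists every failed check, not just the first."""
    reasons = []
    # Identity layer: authentication first, then step-up if the app demands it.
    if not identity.authenticated:
        reasons.append("identity: user %s not authenticated" % identity.user)
    elif policy.require_mfa and not identity.mfa_completed:
        reasons.append("identity: MFA required for %s but not completed" % policy.app)
    # Device layer: health state as reported to the directory.
    if device.jailbroken:
        reasons.append("device: jailbroken device fails health check")
    if policy.require_enrolled and not device.enrolled:
        reasons.append("device: not enrolled in MDM")
    if policy.require_compliant and not device.compliant:
        reasons.append("device: compliance policy not met")
    # App layer: only requests from the managed container may proceed.
    if policy.require_container and not in_container:
        reasons.append("app: request did not originate from the managed container")
    return (not reasons, reasons)

if __name__ == "__main__":
    # Constructed sample: healthy enrolled device, authenticated user, Word in container.
    ok, why = evaluate_access(AppPolicy("Word"), IdentityState("alice", True),
                              DeviceState(enrolled=True, compliant=True), True)
    print("Word launch allowed:", ok, why)
```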
Microsoft also has a "self-protecting" file approach with its Azure Rights Management Service (RMS), which is part of the Enterprise Mobility Suite, along with Intune. Essentially, a policy gets written to an Office file, which is encrypted. Simons explained that Microsoft uses its Active Directory system to first prove the identity of a person using a mobile device and then uses its RMS service to unlock the data. He said that this system works "across company boundaries" to protect against information disclosure. Because the RMS service works across other platforms, the kind of mobile device used to access the data isn't a concern, he added.
Microsoft contends that its container technologies will allow personal apps and data on a mobile device to be distinguished from corporate apps and data. IT pros can selectively wipe the corporate apps and data remotely, if wanted, while leaving the personal items, according to this concept. The team was asked about how this approach might appear to end users -- that is, would they be able to distinguish corporate from personal apps? Anderson said that Microsoft is making this easier for end users with Windows 10. For instance, Microsoft is building something called a "managed browser."
"In Windows 10, there actually is the capability that will be built into the data leakage protection capabilities that actually enables an application to have two profiles on it: a personal profile and a corporate profile," Anderson explained. "What we see most organizations doing today is essentially having separate apps for corporate from their personal. The classic example here is the browser. So you've got a browser on an iOS device and people use Safari, and what we have done is we've also released a managed browser. That managed browser is a part of a mobile access management system, so it's part of a container. All of your corporate access can flow to that managed browser. It's going to allow you to also contain all of the URLs, all of the data that comes out, and have that be participants in the containers, along with the other Office applications and any other applications you want to bring into the container."
Another question concerned the status of Microsoft's Intune managed browser app for Apple iOS. Anderson indicated it's being held back on Apple's end from getting released in the Apple Store.
"I'm not sure why Apple is having a hard time approving this," Anderson said. "We're not quite sure what the holdup is."
One question was about support for integrating the Azure RemoteApp with the Enterprise Mobility Suite. Anderson said that Microsoft is doing that, adding that "we will do the integration so you can manage all of the Azure RemoteApp applications from within Intune."
The team was asked whether it wasn't true that Google offers the same thing (Google announced its Android for Work MDM program last week, for instance). Anderson flatly said, "No."
Dave Howell, a group program manager for authentication and authorization on the Active Directory team, who joined the Q&A session, added that Google isn't doing the same thing as Microsoft with SaaS application management. In addition, Microsoft is pushing its security value proposition by enabling multifactor authentication with Office 365 services.
Anderson added that Microsoft is able to leverage its telemetry data from a billion PCs through Windows Update and has broader data access than Google. He said that Google is "expressly in the cloud." Microsoft can extend its security protections to organizations with private datacenters, which is "very different from Amazon and Google."
Earlier, Anderson had downplayed competing MDM products compared with Intune, based on Microsoft's ability to harvest consumer and enterprise telemetry data from its 200-plus services. He said that AirWatch, MobileIron and Good Technology mobile management systems lacked such capability, adding that it's "very unique to Microsoft, and maybe Google."
While this talk was the last one in this six-part series, Microsoft announced today that it plans to host more enterprise mobility webinars in the coming months. The next one starts on March 10.