Microsoft Adds MDM Capabilities to Outlook for iOS and Android
- By Kurt Mackie
- June 19, 2015
Users of the Microsoft Outlook client for Android and iOS devices now have access to new mobile device management (MDM) and mobile application management (MAM) features.
The Outlook improvements, which Microsoft rolled out on Thursday, are part of Microsoft's broad mobile push. The company has been leveraging the container technologies of OS platforms, including Android, iOS and Windows, to add various management capabilities to its applications. These management capabilities come from an Intune software development kit (SDK), which gets built into the applications, according to past Microsoft descriptions. The management capabilities can vary, depending on what's permitted by the OS platform.
Now, though, Microsoft's Outlook clients have Android and iOS mobile management capabilities. Previously they didn't.
"Previously, Outlook did not support the MDM capabilities in Office 365 or MAM and CA [conditional access] with Intune," a Microsoft spokesperson clarified via e-mail. "The announcement today is that it now supports both."
Essentially, Microsoft is giving the all-clear signal. Organizations can start using its new mobile management capabilities for Outlook clients on both Android and iOS devices. The capabilities were announced in this Office blog post, as well as this Intune blog post.
Those organizations wanting to see MDM/MAM support for Windows 10 devices on July 29, when Windows 10 launches, will have to wait. The spokesperson stated via e-mail that "we will provide more information on this at a later date."
Microsoft has previously provided examples of its new MDM capabilities. They include things like "conditional access," device-level policy enforcements and a "selective wipe" capability.
With conditional access turned on, an Outlook client can only access company-managed e-mail if the device is managed by IT and in a healthy state. IT can also set device-level policies, such as restricting Outlook access to cases where the end user has a personal identification number (PIN) or the device hasn't been "jail-broken." Lastly, the selective wipe capability is Microsoft's term for the ability of IT departments to remotely delete the applications and data that are under management by an organization, while not touching personal apps and data.
In March, Microsoft announced that conditional access, device-level security and selective wipe MDM capabilities would all be available for no extra cost for certain Office 365 business, government and education subscribers. These MDM capabilities are available for both "native" Office apps as well as the Office Web apps that come with those Office 365 subscriptions.
MAM capabilities are a different story, though. Getting those capabilities won't be free and will require a subscription to the Microsoft Intune device management service. Alternatively, Microsoft sells its Enterprise Mobility Suite bundle, which includes an Intune subscription along with licensing rights for Azure Active Directory Premium and the Azure Rights Management Service.
Here's how the spokesperson described the distinction:
Built-in MDM for Office 365 are a core set of Intune features for customers that need the basics, available for any Office 365 customer as part of their subscription. If you are an Office 365 customer, you can do CA (conditional access), device management and selective wipe without an Intune subscription for supported devices. If you want deeper controls (advanced device management, MAM, PC management), customers can subscribe to Intune. This is true regardless of the platform (Windows, iOS, etc.).
Intune is a requirement for tapping the MAM capabilities that are built into Office 365 apps.
"The Intune MAM capabilities available to Office apps can only be managed by Intune," the spokesperson explained. "And while third-party vendors do not have the ability to directly manage the Office apps, they do have the ability to manage certain features in Office 365, such as Exchange ActiveSync."
One new MAM capability added to the Android and iOS Outlook apps today is a "multi-identity management" feature. It allows end users to use a single Outlook app on a device for both work and personal correspondence purposes. Microsoft is planning to build this multi-identity management capability into "additional Office mobile apps over the coming months," according to the Intune blog.
Organizations looking to use some of the application-level restrictions that were shown off at the recent Microsoft Build and Ignite conferences -- such as the ability to restrict copy-and-paste actions by end users from corporate-managed apps to personal apps on a single device -- will need to leverage Microsoft's MAM capabilities through Intune licensing. The new Outlook apps for Android and iOS now have those MAM copy-and-paste restriction capabilities, according to the Office blog.
Microsoft described four Outlook MAM capabilities for Android and iOS devices that are now available. First, organizations can set "data relocation" restrictions, which prevent the transfer and copying of corporate data into personal storage. Second, there's an ability to prevent users from taking screenshots of application content. A third capability is the ability to set application-access restrictions. Lastly, Outlook for Android and iOS devices can be set to encrypt corporate data.
Microsoft's MAM vs. MDM distinctions can be confusing to follow. For instance, the selective wipe feature is described as a free MDM feature, but it's also described by Microsoft as an Intune MAM feature that's now supported in the Outlook for Android and iOS apps.
Microsoft often talks about "managed apps" when describing its mobile management scenarios. It's a key phrase, and it means the apps that have Intune MAM capabilities built into them. Specifically, these apps include the Intune SDK code. For instance, organizations wanting a browser with MAM capabilities would use Microsoft's "Intune Managed Browser" app. So, in order to have MAM capabilities, organizations need to push out these managed apps to their end users.
Here's how the spokesperson described how to identify managed apps from regular apps: "[Managed] apps will appear on the list here, and also when the app is added to Intune, it will have the property, 'Supports App Policy,' as detected by Intune."
The current list of managed apps varies slightly between the Android and iOS platforms. However, both platforms support an Intune Managed Browser, along with Excel, OneDrive, Outlook, PowerPoint and Word managed apps.
If an organization wants to distribute these managed apps to end users, then they are going to need an Intune subscription. The spokesperson explained that "Intune is required for the MAM capabilities."