Enterprise Mobility and Security Blog


If Enterprise Mobility is important to your organization, this post includes some calendar-worthy dates.

Over the last couple of weeks I’ve been hinting at some big announcements – a number of big “events,” to be specific. After all that buildup, today is the day to put a few of these cards on the table.

Announcement #1: Confirming Our Dates!

Back in May, at TechEd North America, we shared some details about the Microsoft Intune and Office mobile apps roadmaps. Today, I’m happy to confirm the timing of some of these announcements, as well as some new Intune updates.

Today we are confirming the release of the Office for iPad Apps that will be natively instrumented to be managed by Intune.

Because Intune has been built as a true cloud service, we are able to continuously update the features to deliver new capabilities and scenarios. In the next few months we will update Intune with deep integration across Office 2013 (on-premises Office) as well as deep integration with Office 365.

In my view, this is the most significant set of Intune updates we have ever released. Here is a summary of what is coming:

  • Intune-managed Office mobile apps that enable your workforce to securely access corporate information using the apps they know and love while preventing data leakage. This is achieved by managing/restricting actions such as copy/cut/paste/save-as and interaction/“open in” between apps in your managed app ecosystem.
  • Mobile Application Management for iOS and Android devices that enables you to keep corporate apps and content separate from users’ personal apps and data. This feature empowers IT to apply policy to the corporate content while staying clear of the user’s personal content. Microsoft is building containers for Windows devices that will be released as a part of Windows 10, and we have worked to drive consistent APIs across the containers being delivered across Windows, iOS, and Android devices. The data protection coming in Windows 10 will enable automatic encryption of corporate apps, data, e-mail, website content and other sensitive information as it arrives on the device from corporate network locations.
  • App wrapping capabilities that help secure your existing line-of-business applications and integrate them into your managed app ecosystem without further development or code changes. Using the Intune wrapper your line-of-business applications will be able to participate in the same managed app ecosystem as the Office mobile apps and securely share content and data with those Office mobile apps. No wrapper from any other EMM vendor can do this.
  • Managed browser, PDF viewer, AV player, and Image viewer apps for Intune that allow users to securely view content on their devices within the managed app ecosystem.
  • Grant conditional access to corporate resources, including access to Exchange e-mail and OneDrive for Business documents. This access is based on device enrollment and compliance policies set by the administrator. This is also something that no other EMM solution can deliver.
  • Bulk enrollment of devices using Apple Configurator or a service account, simplifying administration and enabling policies and applications to be deployed at scale (you can read more about this here).

Unparalleled Agility with Our Cloud Architecture

Because Intune is purely a cloud service, our rapid cadence of updates to our capabilities means that you are always operating the most refined product possible. A couple of years ago we were faced with a decision about whether or not to simply host ConfigMgr from the cloud or spend the additional time to engineer a true cloud service to deliver Enterprise Mobility. Looking back, I believe we made the right choice: Create Microsoft Intune as a cloud service and then integrate it with SCCM.

Every single day we see the positive impact of that decision – Intune delivers a level of agility, flexibility, and scale that you simply cannot get from an on-premises product.

While we were studying the question of whether to transform SCCM or build Intune, we had a really impactful learning experience that set the tone for everything we did next. A lot of you may remember that several years ago we launched a Desktop Management Service (it was actually called DMS) and, with its launch, Microsoft assumed responsibility for managing the PCs of three different organizations (with each of those orgs having about 6,000 PCs). This effort was run from my engineering team, and we approached this responsibility as an opportunity to learn every possible challenge associated with managing PCs, as well as to identify ways to better quantify the associated costs and complexities of PC management.

We learned a LOT!

One of the biggest things we learned was the importance of “code velocity.” Code velocity is one of the key elements we measure in our engineering teams here at Microsoft – it is a measure of the time that elapses between when a software engineer checks in code until the time that code appears in the live service. With a true cloud service you can have a code velocity that can be measured in hours instead of weeks or months. That is the kind of velocity we aspire to have here at Microsoft, and it’s what you should demand from your Enterprise Mobility Management partners.

One really important thing to point out: As you look around the industry you’ll notice that each of these competitors is essentially hosting their on-prem products and then calling it a service. I know first-hand the challenges associated with doing this, and I know all too well that they will never have the kind of agility you need.

Over the next few months I’ll be writing regularly for a new series focusing on the architecture of what we have built with Intune and the integrated scenarios across AAD, Office 365 and Intune. The series is called “Architecture Matters.” And it really, really does matter.


Why Are These Announcements Game Changers?

A quick question: What is the most commonly used application in business? That one’s easy: Microsoft Office.

Office has long been a foundational part of many organizations, and we see that continuing. The seriousness of our vision for the future of Office (for enterprises and across all devices) has been most recently demonstrated by the release of Office for iPad. Our vision here is pretty clear: We will offer the most comprehensive and rich solution for enabling users to be productive on the devices they love while helping secure corporate assets.

The integrated solution that we are delivering brings together identity, productivity, and management in a way never before seen in the industry. End-users have that beautiful, unmistakably Office experience across all their devices. Access to the corporate applications they need is managed and audited via Azure Active Directory. Intune delivers the ability to apply policy and protect the corporate data being created and viewed in the Office mobile apps. And, of course, we’ve already done all the deep technical integration work.

This integrated solution will also help drive some much needed consistency in the market. Today there are at least 10 different container solutions from various vendors. The Enterprise Mobility Management market is super young and no solution has achieved a significant market share. But consider how many mobile devices are being used to access corporate assets around the globe today. For the sake of argument, let’s say the number is 500m (which I think is pretty likely to be low). To date there have been maybe 20m licenses purchased across all the EMM vendors, and about 50% of those are deployed. This is, indeed, a very, very young market.

At the moment, each of the primary EMM vendors has built its own container solution, but none of these containers has been successful in building a rich partner ecosystem around that container. Customers and ISVs around the globe are voicing their frustration around this complexity, and the ISVs (Microsoft included) simply cannot afford to do the integration work necessary to support so many different containers. The frustration is understandable – customers have been unable to get their internal and ISV-delivered applications all participating together in a common mobile application management solution.

We have a solution in mind: Our integrated solution around identity, productivity and management will help drive convergence across the industry. For all the obvious reasons, every ISV we’ve spoken to wants to participate in the same mobile application management solution as the Office mobile apps so that corporate content can be securely shared across their apps and the Office mobile apps. ISVs see the same thing we do: A way to bring some rationalization and consistency to the industry and deliver a more integrated and more complete solution for customers.

One final note here on why this is a set of game changing announcements:

Over the past year I have personally been able to speak with 100s of customers about their Enterprise Mobility needs. And what I’ve heard more times than I can count is this: “I just wish we could deliver the richness of Outlook and Office for our users across all their devices.” I’ve been very proud to respond to this feedback with the news that Microsoft is now delivering the richness (both capabilities and experience) of Office to the devices users want to use – and that this is all managed and secure.

If you’re using an EMM solution from another organization (AirWatch, MobileIron, Good Technology, etc.), I really encourage you to step back and ask yourself if you want to continue to use the homespun e-mail app and associated editors from those vendors, or if your long-term strategy is going to include the countless benefits of using Microsoft Office. Most organizations around the world want the ability to use Office across various platforms – we are delivering a secure and well managed way to do exactly that!