Enterprise Mobility and Security Blog



There was an interesting survey recently published by Ovum that looked at enterprise end users and their concerns about bringing their own devices into work (BYO). The research revealed that the number one concern of enterprise end users is “a lack of trust in employers and a lack of faith that individual privacy will be protected.”

As an industry, we talk a great deal about containers and how container technology enables us to keep corporate data separate from personal data. Our conversations are really focused on corporate data and securing that corporate data. There are definitely two sides to this coin: containers provide a level of protection for corporate data, but they also provide a level of protection for the end-user. For example, consider your smart phone; chances are it is a very personalized device. In many ways, our phones become an extension of us – they contain personal content in e-mail, texts, photos, financial information – and we don’t want IT venturing into any of this. As we have been building our Mobile Application Management (MAM) capabilities, we have defined scenarios that apply to protecting corporate information as well as protecting the user’s information.

Now when we talk about MAM, a lot of the conversation is really about “containing” corporate apps and corporate data and keeping them separate from personal apps and data. The very first app that every organization wants protected is, of course, corporate e-mail. Next on the list is corporate web content, and third is corporate files. These three things represent the first tier of apps that need to be protected; the next tier is largely made up of internal line-of-business (LOB) apps.

In previous posts, I’ve talked about layered data protection, as well as a Secure E-mail workflow (which is often the on-ramp into document collaboration). In this post I’m going to dig into the document workflow and look at how the work we’ve done enables end-users to be productive on the go while protecting corporate data.

In organizations all over the world, the following scenario plays out every day for lots of end-users:

An information worker is using an Android device that has previously been enrolled for management and is complying with the IT-defined MDM policies (e.g. setting a device PIN). This is the first layer of protection (the device).

Next, the worker self-provisions a set of apps to his/her device – some are company specific (like an expense reporting app), and others are ISV apps being delivered from the various stores (like Word or OneDrive for Business).

The worker now needs to create some content and post it to the company website, so he/she opens Word. Behind the scenes, without the end-user even noticing, the configuration of the device is quickly compared with a set of IT policies (e.g. does it have a power-on password, is the device encrypted, has it been jailbroken). When the service (Intune) verifies that the device is compliant, the app is launched. This is a conditional access policy operating at the app layer.

Because this device and profile are still compliant, the app launches and the authoring begins. Within that post the worker adds a couple of links to company videos and some images pulled from SharePoint via OneDrive for Business. When the author needs to test the links, a list of managed apps that can open that content pops up.

Elsewhere in the post, there’s a need for data that currently sits in an Excel file. The worker can easily open that file on the device and copy charts into the post, since Excel is also policy managed. Once the post is done and ready for review, it is saved to OneDrive for Business from within Word so that all the necessary colleagues can review and edit it – this is allowed by the MAM policy. This is the second layer of protection (the app).

The post is further protected on the SharePoint site, since the IT Pro configured the document library to automatically apply RMS to all Word documents. This is the third layer of protection (the file).

Finally, the worker has authenticated with a corporate identity at each step, including authenticating to the SharePoint service through Azure Active Directory (AAD) to launch the company apps (with SSO, so the user experience is not impacted). This is the fourth layer of protection (the identity).

Now let’s consider the new components of this scenario:

  • MAM data leakage policies
  • Policy manageable applications
  • Policy managed viewers
  • Conditional Access for document services
  • Integrated client and service solution

MAM Data Leakage Policies

As I discussed in my App & Data Protection post, Intune provides a set of MAM policies specifically targeted at data leakage. In the scenario above we saw a couple of these in action.

Data Sharing Between Apps

In that scenario, data sharing in all three applications (OneDrive for Business, Word and Excel) was restricted to only allow sharing with other managed apps. As a result, the user only saw managed apps as available viewers for the video link (a protocol handler) in the Word doc. Sharing can be controlled separately for data coming into a managed app and for data going out of it. The options for each direction are none (no sharing), policy managed (only other managed apps) and any (any app).

Cut/Copy/Paste Between Apps

In the scenario, cut/copy/paste (C/C/P) in Excel was restricted to only allow pasting into other managed apps. Again, the options are none (no sharing), policy managed (only other managed apps) and any (any app).

Saving Data from an App

Some mobile applications support saving directly to the local file system or to cloud services via SDKs integrated in the app. In the scenario, Word was allowed to save to OneDrive for Business. The Save As control is expressed as a restriction: enabled restricts Save As, disabled allows it.

Other data leakage policies include:

  • Prevent local and remote file backup – enabled/disabled
  • Block screen capture – enabled/disabled
  • Encrypt data at rest – yes/no (with platform specific options)
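To make the interplay of these controls concrete, here is an added Python model (not Intune's own code) of how the sharing, clipboard and Save As settings above compose. The three values (none / policy managed / any), the separate incoming and outgoing controls and the Save As restriction are the ones described in this section; the rule that both the sender's outgoing setting and the receiver's incoming setting must permit a transfer, the per-app content types, and the sample apps (Word, Excel, OneDrive for Business, Managed Browser beside three unmanaged personal apps) are assumptions for illustration.

```python
"""Policy-managed data sharing between apps: an added model, not Intune's code.

The three settings (none / policy managed / any), the separate incoming and
outgoing controls, the cut/copy/paste control and the Save As restriction are
the ones described in the post.  The rule that BOTH the sender's outgoing
setting and the receiver's incoming setting must permit a transfer, the
per-app content types, and the sample apps are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

NONE, POLICY_MANAGED, ANY = "none", "policy_managed", "any"


@dataclass(frozen=True)
class AppPolicy:
    managed: bool                     # app carries the Intune App SDK or was wrapped
    handles: FrozenSet[str]           # content types the app registers to open (assumed)
    outgoing: str = ANY               # data this app may send to other apps
    incoming: str = ANY               # data this app may receive from other apps
    paste_out: str = ANY              # cut/copy from this app
    paste_in: str = ANY               # paste into this app
    restrict_save_as: bool = False    # "enabled" restricts Save As
    save_targets: FrozenSet[str] = frozenset()   # locations still allowed when restricted


def _permits(setting: str, peer: AppPolicy) -> bool:
    """Does a none/policy_managed/any setting allow an exchange with `peer`?"""
    if setting == ANY:
        return True
    if setting == POLICY_MANAGED:
        return peer.managed
    return False                      # NONE


def can_share(apps: Dict[str, AppPolicy], src: str, dst: str) -> bool:
    """Both ends must agree: src's outgoing setting and dst's incoming setting."""
    return _permits(apps[src].outgoing, apps[dst]) and _permits(apps[dst].incoming, apps[src])


def viewers_for(apps: Dict[str, AppPolicy], src: str, content_type: str) -> List[str]:
    """The 'open with' list a user sees when `src` hands off `content_type`."""
    return sorted(name for name, p in apps.items()
                  if name != src and content_type in p.handles and can_share(apps, src, name))


def can_paste(apps: Dict[str, AppPolicy], src: str, dst: str) -> bool:
    """Clipboard follows the same two-sided rule as sharing."""
    return _permits(apps[src].paste_out, apps[dst]) and _permits(apps[dst].paste_in, apps[src])


def can_save_as(apps: Dict[str, AppPolicy], app: str, target: str) -> bool:
    """Save As is open unless the restriction is enabled; then only listed targets pass."""
    p = apps[app]
    return (not p.restrict_save_as) or target in p.save_targets


# Constructed sample environment (not from the post): the managed Office apps and
# the Managed Browser lock every control to policy_managed; personal apps are unmanaged.
LOCKED = dict(outgoing=POLICY_MANAGED, incoming=POLICY_MANAGED,
              paste_out=POLICY_MANAGED, paste_in=POLICY_MANAGED)
APPS: Dict[str, AppPolicy] = {
    "Word": AppPolicy(True, frozenset({"docx"}), restrict_save_as=True,
                      save_targets=frozenset({"OneDrive for Business"}), **LOCKED),
    "Excel": AppPolicy(True, frozenset({"xlsx"}), **LOCKED),
    "OneDrive for Business": AppPolicy(True, frozenset({"docx", "xlsx", "image"}), **LOCKED),
    "Managed Browser": AppPolicy(True, frozenset({"http"}), **LOCKED),
    "Chrome": AppPolicy(False, frozenset({"http"})),
    "Gallery": AppPolicy(False, frozenset({"image"})),
    "Notes": AppPolicy(False, frozenset({"text"})),
}

if __name__ == "__main__":
    print(viewers_for(APPS, "Word", "http"))      # ['Managed Browser'], Chrome is filtered out
    print(can_paste(APPS, "Excel", "Word"), can_paste(APPS, "Excel", "Notes"))   # True False
    print(can_save_as(APPS, "Word", "OneDrive for Business"),
          can_save_as(APPS, "Word", "Local storage"))                             # True False
```

The point worth noticing is the two-sided check: a managed app set to policy managed refuses data from an unmanaged app even though the unmanaged app's own (absent) policy would happily send it, so personal apps can neither read from nor write into the container.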

Policy Manageable Applications

I used all Microsoft apps in the above example to make a specific point, but this kind of management can be added to any app on iOS and Android devices. We are releasing wrappers and an SDK that can be used to enlighten any application to participate in the Intune MAM solution (containers).

The bigger point I wanted to make is this: if you want this level of management/control over Outlook, Word, PowerPoint, Excel, Lync, OneNote, and OneDrive for Business, you will need to use the Intune MAM solution, as this level of management of the Office mobile apps is only possible through Intune and EMS. You can read more about this here.

To support MAM policy, applications need to be updated. As in the scenario above, app developers can incorporate the Intune App SDK so that apps posted in the app stores can be managed by Intune. Another option for LOB apps, such as the expense app in the scenario, is the Intune App Wrapping Tool. This tool allows an IT Pro to take an existing company-owned app package and add support for MAM policy via a simple command-line tool that can be scripted or integrated into a company app packaging workflow.

These two options provide flexibility to ensure policy can be applied both for commercial applications that are distributed and maintained via the app stores, and for internal LOB apps that are managed and packaged by IT.

Policy Managed Viewers and Managed Browser

Certain content is common across apps: images, videos, audio content, and web links. To support policy managed applications, Microsoft is releasing a small set of content viewers to enable the document collaboration workflow – specifically, a Managed Browser and platform-specific viewers.

Managed Browser

This is a lightweight web viewer designed to support opening web content from managed applications. It supports the standard MAM policies in addition to browser-specific policies such as URL filtering. The Managed Browser ensures your users have a means to access protected content from managed apps. The browser is automatically launched, if required by policy, from any managed app.
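URL filtering is the browser-specific policy most likely to be mis-implemented, so here is an added Python example (not the Managed Browser's code) of an allow/block list evaluator for it. The wildcard syntax (`*` as the only wildcard, a pattern without a scheme matching any scheme, a pattern without a path matching the whole site), the precedence (block list first, then the allow list if one is configured, non-http(s) schemes always blocked) and the sample policy for contoso.com are assumptions for illustration. The example matches against a canonical scheme://host/path built from the parsed URL rather than the raw string, which is what defeats the userinfo and path-lookalike tricks in the sample.

```python
"""Managed-browser style URL allow/block lists: an added example, not Intune's code.

Assumed pattern syntax: '*' is the only wildcard; 'https://*.contoso.com/hr/*' or
just '*.contoso.com' (any scheme, whole site).  Assumed precedence: the block
list is checked first; then, if an allow list exists, the URL must match it;
schemes other than http/https are always blocked.
"""
import posixpath
import re
from dataclasses import dataclass, field
from typing import List, Pattern
from urllib.parse import urlsplit


def _wild(segment: str, charclass: str) -> str:
    """Escape a pattern segment; each '*' becomes a wildcard confined to charclass."""
    return f"{charclass}*".join(re.escape(part) for part in segment.split("*"))


def compile_pattern(pattern: str) -> Pattern[str]:
    """Compile one list entry.  A '*' in the host part cannot cross '/', so a path
    such as /x.contoso.com/ on another host never satisfies a host pattern."""
    p = pattern.strip().lower()
    if "://" not in p:               # no scheme given: match any scheme
        p = "*://" + p
    scheme, rest = p.split("://", 1)
    host, _, path = rest.partition("/")
    path = path or "*"               # no path given: match the whole site
    regex = ("^" + _wild(scheme, "[a-z]") + "://" + _wild(host, "[^/]")
             + "/" + _wild(path, ".") + "$")
    return re.compile(regex)


def canonical(url: str) -> str:
    """scheme://host/path with userinfo, port, query and fragment dropped, case
    folded and dot-segments resolved, so matching never runs over the raw string."""
    u = urlsplit(url.strip())
    host = (u.hostname or "").rstrip(".")        # .hostname strips userinfo/port, lowercases
    path = posixpath.normpath(u.path or "/")     # /public/../admin -> /admin
    return f"{u.scheme.lower()}://{host}{path}"


@dataclass
class BrowserPolicy:
    allowed: List[str] = field(default_factory=list)   # empty list = no allow-list restriction
    blocked: List[str] = field(default_factory=list)   # checked first and always wins

    def decide(self, url: str) -> str:
        """Return 'allow' or 'block' for one navigation."""
        c = canonical(url)
        if not c.startswith(("http://", "https://")):   # file:, javascript:, data: ...
            return "block"
        if any(compile_pattern(p).match(c) for p in self.blocked):
            return "block"
        if self.allowed and not any(compile_pattern(p).match(c) for p in self.allowed):
            return "block"
        return "allow"


# Constructed sample policy (not from the post): the whole contoso.com estate plus one
# partner share, with the admin area carved out.
POLICY = BrowserPolicy(
    allowed=["*.contoso.com", "https://partner.example.net/shared/*"],
    blocked=["https://*.contoso.com/admin/*"],
)

if __name__ == "__main__":
    for u in ["https://sharepoint.contoso.com/sites/hr/",
              "https://www.contoso.com/public/../admin/users",
              "https://www.contoso.com@evil.com/x",
              "https://evil.com/x.contoso.com/"]:
        print(POLICY.decide(u), u)
```

Two of the sample URLs would pass a naive substring check on the raw string ("www.contoso.com" appears in both) and one would pass a host-only check before dot-segment resolution; the canonical form is what makes the policy hold.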


For Android, we also offer specific format viewers for PDF, Image, and AV. These viewers allow viewing the associated file formats in a protected way that is manageable by the standard MAM policies. For iOS, the format viewers are embedded in the Managed Browser.

Conditional Access for document services

As discussed previously, Conditional Access allows IT to protect access to service-based resources – i.e. making sure devices are healthy and compliant with IT policy before allowing access to data stored in that service. In the context of document collaboration, especially on mobile devices, data is often accessed from online services such as SharePoint Online or OneDrive. As noted in the scenario at the top of this post, if the device does not meet the device policies set by the IT Pro, or if the app has not been updated to authenticate to the services using Azure AD, access will be blocked. This further protects company data from an access perspective, and it complements the MAM policy controls for document collaboration.

Integrated Client and Service Solutions

Securing company data happens most effectively when each component within an end-to-end solution supports the applicable layers of data protection. In the scenario noted above, SharePoint Online and OneDrive for Business are great examples of this.

SharePoint Online ensures that your workers are connecting from secure, compliant devices, and it supports Conditional Access. By supporting the Intune App SDK, OneDrive for Business provides a cross-platform solution to protect data via enforcement of MAM Policy.

Across the application (OneDrive), the management components (the Intune App SDK and service) and the service (SharePoint Online), Azure Active Directory is used to simplify the sign-in process via a common authentication and identity model. This ensures your workers a robust identity solution regardless of device or platform.