About a year ago I was scheduled to share an update with Satya and his direct reports about our progress on Enterprise Mobility Management. Satya had only been CEO for a couple of weeks – this was my first meeting with him since he took the job – and we were all in hardcore planning mode for the pending announcement of Office for iPad and the Enterprise Mobility Suite (EMS).
After months of carefully planning the EMS, I knew that we had a very differentiated, very powerful set of capabilities coming to market. With our investments in productivity, identity and management, and the deep technical integration that was underway amongst the engineering teams across the company, it was clear that we were delivering the most comprehensive set of capabilities for Enterprise Mobility Management (EMM).
It was also clear at this early stage that the capabilities we were building were very unique, and that the level of integration we had built into this solution would cost customers a fraction to acquire and use compared to the resources/time spent trying to cobble together point solutions from multiple vendors.
I was very excited about what I saw coming together. However, I also wanted to be self-critical and I wanted everyone working on it to challenge themselves to look at EMS and make sure it was as complete and comprehensive as it needed to be.
With this need for a comprehensive solution in mind, I spent hours in front of the white board in my office drawing and re-drawing the stack of capabilities that I felt were essential to deliver Enterprise Mobility Management across an organization’s devices – with the various layers of protection included and integrated. The rest of this post is what ended up on my white board when I was finished.
I think these points are a good thought exercise for any organization to consider as they define/refine their Enterprise Mobility strategy. This is my view of the EMM market and its associated players.
Protect Your PCs
Every organization has PC’s that need to be managed and secured, and doing this is a pretty well understood process (e.g. via System Center Configuration Manager). The traditional competitors in this space were companies/products like ZENWorks, LANDesk, Altiris, Marimba – names you don’t hear too often any longer because these organizations missed the move to mobility and are rapidly become obsolete.
Looking at it from the opposite perspective, and keeping in mind this stack, it’s clear that MDM vendors have weak capabilities in PC management.
Protect Your Mobile Devices (MDM)
Mobile Device Management (MDM) is fairly well understood – even though only a small portion of the world’s devices are managed with an MDM solution. MDM offers two primary categories of capabilities:
- Device configuration and lock down (e.g. power-on password, enable encryption, jailbreak detection, etc.).
- Device configuration (e.g. setup the device to participate in an organization’s infrastructure – certificate management, wireless setup, etc.).
It’s a fact that MDM is commoditizing rapidly today. Now, to be clear, commoditization does not mean there isn’t any value – it’s simply a matter of there not being any major differentiation amongst vendors. For example: On an iOS device there are a finite set of profiles that can be set and configured – and, since there is no extensibility, you either do them all or you don’t. As you evaluate your current and/or future EMM partner, take into account that MDM is not going to be the place where you will see significant differentiation across the vendors.
Protect Your Mobile Applications (MAM)
Mobile Application Management (MAM) is less understood than MDM, and, as a result, fewer organizations have deployed MAM at scale.
MAM encompasses capabilities such as containers, wrappers, SDKs, private/corporate stores, etc. In other words, this is the category of protection that delivers the ability to separate corporate apps and data from personal apps and data, and it enables IT to put security policies on the corporate assets. This is, pretty obviously, a key area for enabling secure mobile productivity – and this is an area where there is going to be a significant amount of churn and change over the next few years.
At the moment, every EMM vendor has built their own containers, but no one has been successful in building a rich ecosystem of apps around their containers. This is an area where the industry is really challenged; there are more than a dozen companies delivering containers on the market and every ISV delivering apps for the enterprise is challenged because they do not know which containers to support.
Adding to this difficulty are simple dollars and cents: It is really expensive to support multiple containers. Complicating this area even further is the reality that, over the next few years, the ability to separate corporate and personal content will ship as a native capability in Windows, iOS, and Android.
Looking ahead, Microsoft has already announced and demoed these capabilities coming in Windows 10.
There is huge, intrinsic value in MAM, but it is a space that is going to be tumultuous over the next few years. As I look at MAM, I wonder what the EMM vendors who have built so much of their sales pitch around MAM will do when these capabilities just become a standard part of the OS?
This will be another area that commoditizes.
Protect Your Mobile Productivity Apps (Office)
Easy question: What is the first app most organizations want to deliver and protect? E-mail.
To deliver secure/managed e-mail there’s a mandatory requirement for the e-mail app to be enlightened with the MAM capabilities on the device. Once that mail is delivered, in order for that e-mail app to be truly useful and valuable to end users, it has to have readers or editors for the common attachments that users will receive – that means editors for Word, Excel, PowerPoint, Acrobat as well as a managed browser in which web content can be accessed. These are not small requirements – but they are must-haves.
In my opinion, March 27, 2014 was the most significant event in calendar year 2014 for Enterprise Mobility Management. That was the day Microsoft announced Office for iPad and the Enterprise Mobility Suite (EMS). Office is at the center of most organization’s Enterprise mobility strategy across all their devices, and now the Office mobile apps are all being released “enlightened” with the Intune MAM capabilities. This means that today the Word, Excel, PowerPoint, and OneDrive for Business in the Apple and Android store are able to participate in the Intune MAM capabilities (and only the Intune MAM capabilities).
Adding to this is that the new Outlook apps that came from the Acompli acquisition are beautiful! There has already been millions of downloads of the apps, and I am so excited to get them released with the EMS integration for Conditional Access and MAM (data leakage protection) – coming soon!
Looking ahead, the other Office mobile apps are on the way. The alternative are the Office knock-offs created by EMM vendors to participate in their own containers. When organizations compare the full, rich Office mobile apps being managed by Intune to the Office look-alike apps the EMM vendors have built – there is a clear choice. See here for a side-by-side comparison.
This is where the EMM vendors have been busy working: Delivering MDM, MAM, and their own Office apps. In my conversations with customers using these products, I see a consistent street price of around $4/device/month for these capabilities, or, if you want a per-user price, it’s about $8-$9/user/month. In most cases, customers are going to want a per-user price since you do not want to put any artificial limits on the number of devices your users can use – and you certainly don’t want to spend your time counting devices.
Protect Your Files
The next layer of protection your EMM strategy needs is file protection. To do this correctly, the files need to be self-protecting and the access privileges around the file should travel with that file.
This concept is not as foreign as it may first appear: Most individuals have had experience sending a rights protected e-mail from Outlook (the function that allows you to limit things like the ability of a user to forward or print an attachment), and protecting your files is similar. File protection just takes the level of protection to the next level.
Microsoft is unique in its ability to provide this type of protection. With Azure RMS (one of the components of EMS), whenever a user goes to share a file he/she can identify the individuals who they intend to have receive the file, as well as what rights that recipient has (e.g. read, edit, share). Those access privileges are then embedded into the file itself and they travel with the file no matter where it goes. Thus, in the event that a document with sensitive information is sent to someone that should not have it, the data is kept secure because the file recognizes who has the rights to open it. If it identifies an unapproved recipient, it will permanently remain closed.
The Office apps on Windows are already RMS-enabled today. The Office mobile apps on iOS and Android are also being updated to be RMS aware, and you will be able to deliver this level of protection with files across all your apps soon. Adobe Acrobat also supports RMS. We currently ship an SDK that can be embedded into any app to enable this capability. Really cool stuff.
The EMM vendors cannot, do not, and (for the long-term foreseeable future) will not deliver this critical layer of protection. The other EMM vendors will certainly talk at great length about “content management” (akin to putting a perimeter around a file or set of files), but those fenced-in files are not self-protecting and, if a file makes it outside of that fence, it is not at all protected and the data is entirely exposed.
Another important component of protecting your files is a strong Enterprise File and Sync solution that enables your users to get access to their files on/from any device. OneDrive for Business in Office is a great (and widely available) solution for this.
Protecting Your Data in SaaS Apps
Employees in every company are using SaaS apps – whether or not the company knows about it. This is a scenario sometimes referred to as BYOC – bring your own cloud.
BYOC is what happens when end users start using consumer SaaS apps to do their work. It is very common. The good news is that most organizations are also embracing SaaS apps, and this means that those apps can be paired with user identities and, as a result, be better managed.
When you’re considering the move to SaaS apps, consider how your organization has used Active Directory for the last 15 years. In most organizations, Azure Active Directory (AAD) is the source of Enterprise identities for every employee, and AAD manages a significant portion of the access to corporate assets. This is the exact same set of capabilities you need in the cloud where these SaaS apps are being using.
The solution can be found in the EMS. A big part of the EMS is the ability to discover the SaaS apps already in use within your company and then bring them under management. With this management in place, you can deliver a great SSO experience for your end users, as well as automate the provisioning and de-provisioning of users across SaaS apps.
As of the writing of this blog, we have done the integration work to bring more than 2,400 SaaS apps under management with EMS. No other EMM vendor can do this today. The closest available functionality comes from a couple small organizations (Okta, Ping) delivering Identity-as-a-Service (IDaaS). Standalone services like these are not cheap – often in the range of $5/user/month.
Protecting Your Identities
The ongoing stream of cyber-attacks happening around the globe dramatically underscores the need for strong identity management that is capable of discovering these attacks and then enabling you to block and stop them. You can hear to more about this on a recent podcast.
Identity and Identity Management represent a section of the tech industry where there is (quite literally) no other organization other than Microsoft offering this kind of complete solution. Microsoft’s unique position is a result of the years of work we’ve done building and operating Active Directory and Azure Active Directory.
AAD is the source of every authentication for all the services we deliver for the enterprise, and any time a user goes to access a Microsoft service (e.g. Office 365 or Dynamics) there is data created around that authentication. AAD currently services up to 18B authentications a week. By using machine learning and combining this data with other data sets we have (like the malware data we get from more than 1 billion PCs every month, or the fraud attempts against our services we monitor constantly), we can help identify suspicious identity activities and bring them to your attention. Once you are alerted to the threat you can take action, i.e. disabling the accounts, changing the passwords, or challenging the users with a multi-factor authentication.
For more info about dealing proactively with threats, check out Enterprise Mobility for Every Business and Every Device, Hybrid Identity Management, What’s Next with Enterprise Mobility: Identity, Enterprise Mobility: AAD Sync, A People-centric Approach to Mobile Device Management, and check out this video.
These technical capabilities (as well as the massive amounts of data informing these functions) are unique to Microsoft.
Here is the stack we are delivering with EMS – and we are delivering it at a fraction of the price of any one of the standalone products/services from other vendors.
EMS delivers these multiple layers of protection integrating with Office and Office 365 (represented by the box with the lighter shade of blue) to deliver the absolute best end user experience while providing the necessary and appropriate protection.
The per-user license costs of the complete EMS is more akin to the per-device costs of an EMM solution. You’re getting a far more comprehensive solution at a fraction of the cost.
I have met with a number of organizations that have purchased and deployed multiple products from the companies listed in this graphic (each of them paying over $20/user/month total), and the additional costs each of them carry (in terms of time spent trying to integrate, time on support lines, and time lost due to inefficient workflows) are huge.
EMS is simply a better option; there are more capabilities for a lower price, the integration is done, and the solutions are all familiar.
For much more on the subject of data protection, check out an earlier post in this series: Protecting Data in a Mobile First, Cloud First World.
* * *
Next steps: Meet with your team and put this stack on the board. Be brutally honest about what your organization does/doesn’t need, and what you do/don’t like about how things are currently architected. Talk about the capabilities in each of these layers and consider them in terms of what you have in place today and what you’ll need tomorrow. Discuss the investment you’ve made, the investment you need to make, and what work you’ll need to do to build and deliver the things your end users need.
I’ve had the opportunity to have this conversation with a hundreds of large enterprises, and, in every case, EMS + O365 shines through as the most comprehensive solution for delivering what you need, doing it for less, and giving you more.