Enterprise Mobility and Security Blog


When organizations decide to start supporting mobility in earnest, the first app just about every organization wants to manage and secure is e-mail.

This is the critical app that empowers mobile end-users to work productively, and it is an essential area for IT to protect. Think of how much of business flows through e-mail today. E-mail is the primary method most of us use to communicate within our organizations and with our partners. There is an incredible amount of confidential and sensitive information that flows through e-mail every day.

Just about every Enterprise Mobility Management (EMM) vendor has built their own custom e-mail application – and, honestly, the feedback I hear when talking with customers using these solutions is very consistent: The user experience is not good.

We can do better.

In December, Microsoft acquired a company named Acompli. Acompli built the premier e-mail app on iOS and Android. The e-mail experience was incredible and the millions of individuals that had downloaded and used the app gave it rave reviews. In February, Microsoft released updated versions of the Acompli e-mail apps on iOS and Android – rebranded as Outlook.

Since that launch in February, the feedback has been extraordinary. There have been millions of downloads and countless articles written about the app.


The new Outlook really does present a rich and empowering experience for individuals.

Over the past 6 months, we have released Word, Excel, PowerPoint, OneDrive for Business, and OneNote for both iOS and Android. All of these applications are integrated with the Data Leakage Protection and Conditional Access capabilities of the Enterprise Mobility Suite (EMS). Your feedback here has been incredible. Your users love the richness and unmistakably Office experience on all their devices, and IT loves that they are able to deliver that rich experience while ensuring the corporate content is safe and secure.

One of the things that we have worked exhaustively to get right is the balance of delivering a rich and empowering experience for our users, while also delivering the security required to protect the corporate data and information that’s being accessed and used by end-users. Your feedback on the integrated EMS+O365 scenarios is that we have got that balance right.

Almost without exception your #1 request around the Office 365 and EMS integration has been to release an EMS-integrated Outlook so that Outlook can participate in the Data Leakage Protection (DLP) and Conditional Access capabilities of EMS. Another top request has been to deliver a “managed e-mail” solution with the rich capabilities and rich experience of Outlook. Last week at Ignite we demonstrated the managed Outlook app and announced it would be available during Q2.

When the Outlook apps are updated this quarter, they will integrate with the conditional access and mobile application management (MAM) capabilities of EMS. This will allow you to set policies to do things like:

  • Manage the sharing of data from Outlook via cut/copy/paste.
  • Manage where files can be saved to.
  • Designate that e-mail should only be sent to devices that are managed and compliant with IT policies.

The managed Outlook apps will deliver the best and most empowering experience for users while delivering the security and protection required by IT. The managed Outlook apps will set the bar against which to compare any managed e-mail solution – and you will find that the e-mail apps delivered by others in the market are woefully inadequate.

The ability to set DLP and Conditional Access policies for Outlook and all the Office mobile apps is a unique value to Intune, Azure Active Directory Premium, and EMS. This is just another reason why EMS is a must-have.

Here’s what it looks like in action:

Let’s take a look at a couple of the DLP scenarios:

To begin, a user copies text from a corporate e-mail.


When that user attempts to paste that content into a corporate-managed Word file, it works perfectly.


When the user tries to paste it into a personal app (Twitter, in this example), the paste option is not available – the data is being contained and protected.


To really see this in action, check out the post recapping my introduction of this new feature in my Ignite keynote.

One of the most interesting things we added to the Intune SDK that was used to build the managed Outlook was multi-identity support.

Multi-identity support enables a single app to be used in both your personal life and your corporate life. This type of functionality has been a common topic of discussion with customers using the managed Word, Excel, and PowerPoint apps. The Office apps are pretty universally used in users’ personal and work lives – and organizations needed a solution that enabled data leakage protection for the corporate data, but did not limit users from also using the Office apps in their personal life.

This is an area where the Office team has done a mountain of customer research and they have become really focused on a rich experience that is also simple. Their customer research showed that users did not want to install multiple versions of the Office mobile apps – but wanted a single app that understood the need to use these apps for personal and business use.

With this in mind, we built that capability into our Intune SDK. Now, a user can switch between personal and business use within the same app. When being used for business, all the data leakage protection and security settings defined by IT are in place and enforced. When in personal use, the apps are not managed. Intune/EMS is the solution to deliver this multi-user support – and this represents a unique set of capabilities in the market today.

It makes sense that Microsoft would innovate on this first – there are, after all, only a small handful of apps that are used in both personal and business life, and Office is the most common (others include the browser, Adobe Acrobat, and a small list of others).

In the case of e-mail, Intune/EMS can set policies on the corporate e-mail, while leaving e-mail in the personal inbox untouched. Let’s take a look at how this works:

Inside of Outlook, the user is able to toggle between inboxes. When in the business or corporate context, all the DLP rules are applied. In the personal context, IT is not involved at all – we believe that this elimination of IT’s connection to personal data is how it should be.


Conditional Access works because we have integrated the EMS and Office 365 backend services. When a device is brought under management, we create an object in Azure Active Directory for the device. Intune then writes into the object multiple times a day whether the device is in fact managed and whether it is compliant with the configuration policies that have been defined as required for accessing corporate content (PIN, encrypted, not jailbroken). Any time a request is made to the Exchange Online backend for e-mail, Exchange checks with the EMS components to see if Conditional Access is enabled and if the device requesting e-mail is compliant. If the device is compliant, e-mail flows to the device. If the device is not compliant, a single e-mail is sent to the device informing the user that the device does not meet the corporate requirement, with a link to instructions on how to bring it into compliance.
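The decision flow described above, modeled as an added example (not Microsoft's code and not part of the original post). The class names, the return strings, and the treatment of a device with no directory object as non-compliant are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class DeviceObject:
    """Constructed stand-in for the per-device directory object."""
    device_id: str
    managed: bool = False
    compliant: bool = False


@dataclass
class MailGate:
    """Mail backend check: consult device state before releasing mail."""
    conditional_access_enabled: bool
    directory: dict = field(default_factory=dict)
    notified: set = field(default_factory=set)

    def report_state(self, device_id, managed, compliant):
        # The management service overwrites the state on each check-in.
        self.directory[device_id] = DeviceObject(device_id, managed, compliant)
        if managed and compliant:
            # Assumption: once remediated, a later lapse notifies again.
            self.notified.discard(device_id)

    def handle_sync(self, device_id):
        """Return the outcome of one mail request from this device."""
        if not self.conditional_access_enabled:
            return "deliver_mail"
        dev = self.directory.get(device_id)
        # Assumption: an unknown device fails closed, like a non-compliant one.
        if dev is not None and dev.managed and dev.compliant:
            return "deliver_mail"
        if device_id in self.notified:
            return "blocked"  # the single notice was already sent
        self.notified.add(device_id)
        return "send_remediation_notice"


def demo():
    """Walk one constructed device through enrollment and a compliance lapse."""
    gate = MailGate(conditional_access_enabled=True)
    steps = [gate.handle_sync("phone-1"), gate.handle_sync("phone-1")]
    gate.report_state("phone-1", managed=True, compliant=True)
    steps.append(gate.handle_sync("phone-1"))
    gate.report_state("phone-1", managed=True, compliant=False)
    steps.append(gate.handle_sync("phone-1"))
    return steps
```

Because the gate reads whatever the last check-in wrote, the freshness of that write bounds how quickly a lapse in compliance cuts off mail.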

 

This is a deep and really exciting level of integration across O365+EMS. This level of cooperation happens around the globe and we actually track the performance and availability of O365+EMS working together globally to ensure the SLAs that we have committed to you. This deep level of integration and global perspective is not possible with other EMM vendors – and this is one of many reasons the Conditional Access and DLP capabilities are a unique value of Office 365+EMS.

And one more thing: We also announced last week that Skype for Business (formerly known as Lync) will be updated in Q3 with these DLP and Conditional Access capabilities.

Microsoft is the only organization delivering this kind of empowerment while providing a secure environment for your users’ content creation, content consumption, collaboration, and communication.