Enterprise Mobility and Security Blog

~ Dilip Radhakrishnan | Principal PM Manager

We are incredibly excited to announce significant new capabilities in the upcoming Microsoft Intune service update that will be rolled out globally over the next few weeks. New features and enhancements that will be made available as part of this service update include:

  • Managing Office mobile apps without MDM: Microsoft Intune Mobile Application Management (MAM) without requiring the device to be enrolled for management. In short “Intune MAM without enrollment”. This is particularly useful for BYO scenarios where end users don’t want to or can’t enroll their devices for IT management. This capability is also useful in cases where a device is already enrolled in another MDM solution. As part of this month’s service update, Microsoft Word, Excel, PowerPoint, and OneDrive will support Intune MAM without enrollment. Support for Outlook is coming soon. This new capability is an addition to the existing Intune MAM capabilities that require enrollment into Intune mobile device management (MDM).
  • Managing additional Microsoft apps: Intune MAM support for additional Microsoft apps, including Power BI and the Remote Desktop client, will be available in the next few weeks. Support for the Skype for Business and Dynamics CRM apps is coming soon.
  • Managing 3rd party apps: Major companies like Box and Adobe have announced iOS and Android apps with native support for Intune mobile application management (MAM). SAP Fiori mobile apps customized and built by SAP’s customers using the SAP Fiori mobile service will also support the management and data protection capabilities delivered by Microsoft Intune. Additionally, Acronis, Foxit, and Citrix have integrated support for Intune MAM into their mobile apps.
  • Mac OS X support: You can now enroll and manage Mac OS X devices using Intune’s MDM capabilities. This includes simple web-based enrollment, the ability to deploy resource access profiles like Wi-Fi and VPN profiles, device-level configuration policy, and reporting. Stay tuned for a detailed blog post on this topic next week.
  • Windows 10 enhancements: Microsoft recently announced the first major update to Windows 10. This Intune service update supports new compliance and configuration policy rules for Windows 10 devices.
  • Self-service device PIN reset: Employees can now reset the PIN of their managed devices directly from the Intune Web Portal (portal.manage.microsoft.com) without calling the help desk.
  • Co-existence with MDM for Office 365: You can now activate and use both MDM for Office 365 and Intune concurrently on your tenant, and set the management authority for each user to either Intune or MDM for Office 365 to dictate which service manages their mobile devices. A user’s management authority is determined by the license assigned to that user: if the user is assigned an EMS or Intune license, Intune manages the user’s devices and apps; if the user is assigned an Office 365 license only (without an EMS or Intune license), MDM for Office 365 manages the user’s devices. Stay tuned for a detailed blog post on this topic in the coming weeks.

You can view the full list of features being released to Intune standalone (cloud only) by visiting the what’s new in Intune page in the TechNet library. Additionally, you can view the list of features being released to System Center Configuration Manager integrated with Intune (hybrid) by visiting the what’s new for MDM in Configuration Manager page in the TechNet library.

In the rest of this blog post, I will provide a drill down into the enhanced MAM features that we are introducing in this release.

Video: https://www.youtube.com/watch?v=4YPIGdAj8hc

New scenarios enabled with Intune MAM capabilities

Typically, the most common model for securing and managing mobile devices (either corporate-owned or personally-owned) is to require the device to enroll into an MDM solution. After enrollment, IT policies are applied to the device and apps, and then end users are allowed to access corporate data from those devices. With the new Intune MAM without enrollment feature, there is now a choice for our customers.

  • Lightweight BYOD management: You can choose to leverage Intune MAM to protect corporate data from Office 365 (email, documents, etc.) by managing just the application and data – not by managing the entire device through MDM. This is a great use case for managing BYOD devices where the user just wants to check corporate email or view SharePoint Online documents, and doesn’t need any advanced IT management services like VPN or Wi-Fi access. Even though the device is not enrolled in MDM, Intune still protects the applications and data through the following types of MAM policy settings:
    • Require PIN/fingerprint/corp credentials on application launch
    • Block access if the app is running on a jailbroken device
    • Encryption of data at rest
    • Prevent corporate data leaking to an unmanaged app or account (block copy/paste, data sharing between apps, screenshots etc.)
    • Prevent corporate data from being saved to an unmanaged location (e.g., personal OneDrive or Dropbox locations)
    • Selectively wipe corporate data
  • End user control on BYOD: Your employees can now choose to access corporate data without giving up control of their personal devices through MDM enrollment. They can use their familiar Office productivity apps like Outlook and OneDrive to access Office 365 corporate data without risking intrusion into their privacy, and they are protected from accidental loss of personal data due to a device wipe triggered by their enterprise MDM administrator.
  • B2B scenario: Today, across all OS platforms, a mobile device can be enrolled into only one MDM solution. Thus, if a contractor, partner, or vendor is already enrolled in their own organization’s MDM solution, they cannot also be enrolled in your company’s MDM solution to access and collaborate on data during the course of a business partnership. In this scenario, Intune MAM helps IT enable secure access to corporate Office 365 data for partners, contractors, and vendors without managing their devices.
  • Intune coexistence/migration scenario: And last but not least, if you already have an MDM solution in place, Intune MAM can help you manage and secure Office applications and Office 365 data without needing to un-enroll employee devices and re-enroll them in Intune MDM.

The new Intune MAM features are not a replacement for MDM solutions. The MDM protocol is required for comprehensive device management scenarios like VPN, Wi-Fi, certificate management, application deployment, and configuring device level security settings. Typically for corporate-owned devices, you are likely to require full MDM enrollment to give IT control of the device. As you can see from the diagram above, Intune gives you flexibility to either manage the device through its MDM features or just manage applications and data through its MAM feature. In both cases you can be assured of the best in class protection and control over corporate data.

Simplified end user experience

Despite wide adoption of MDM solutions, we often hear from our customers that they have struggled to balance IT’s desire to protect enterprise data on personal devices against employees’ concerns about personal data security and privacy, and against the poor end user experience enforced by OS MDM features when employees need to access corporate data. We have come across several instances where the number of end user devices accessing Exchange ActiveSync drops once an MDM enrollment requirement is in place. While this can be interpreted as more security for the enterprise, it also means you have made your users less productive.

For employees, Intune MAM has made the whole process of accessing Office 365 corporate data entirely seamless. Let us do a quick walkthrough of an end user experience when a user just wants to access corporate data through the Microsoft OneDrive iOS app that he or she downloaded from the Apple App Store.

Employees use their Office 365 credentials to log into Office mobile apps, and they can take advantage of the familiar Office experience—for both work and personal use.

Step #1 – On launching the app, users are prompted to ‘Sign in’ with their corporate credentials if they want to access corporate data.

Step #2 – Users enter their corporate credentials. Optionally, if you have enforced multi-factor authentication (MFA), users might be prompted at this point for a second level of authentication.

Step #3 – On successful login, Intune MAM security policies are automatically applied. Users will be prompted to restart the OneDrive app (a one-time step that we are working hard to remove in the upcoming releases to make it even more seamless for the end user).


That’s it. When the users restart the app, they have access to all of their corporate data while you as an IT administrator have complete control over the documents and other corporate data that are being accessed from this app.


Isn’t this so simple and awesome? There are no nagging prompts for the end user to accept complex terms and conditions, no multiple prompts for enrollment, certificates, etc. The user is accessing corporate data and is automatically subject to the security policies for that data.

Next Generation IT Pro Experience

One of the major pain points that IT administrators have often complained about is the sheer number of IT administration tools that they have to use day to day. This is very challenging for a number of reasons, including the inconsistencies in concepts and information architecture models across those tools, and the lack of consistent enterprise features such as role-based access control, the ability to run on any device, and the ability to customize and automate IT tasks.

At Microsoft, we have made significant investments in addressing the above challenges. The new Microsoft Azure portal (currently in preview) is our next generation IT Pro console that provides you with a single, unified console to build, manage, and monitor everything from simple web apps to large Office 365 and SaaS app deployments. We are pleased to announce that Intune’s MAM features are now available in this Azure portal. This is the first step in a series of Intune service updates through which, over a period of time, all of Intune’s MDM and MAM features will be made available in this new admin console. The benefit for you as an IT administrator is that you can do all your directory management tasks, like user and security group management and configuring security controls like MFA, in the same console where you do your mobile device and app management. No longer are you navigating between administration consoles or relearning concepts. The new Azure portal provides role-based access control, complete customization of the portal/dashboard to suit your business needs, and complete automation of any IT admin task that can be accomplished through the user interface.


Let me now do a quick walkthrough of how simple and easy it is to deploy Intune MAM features in your enterprise in just a few clicks.

Step #1 – Navigate to the Azure portal (https://portal.azure.com) and pin the Intune Mobile application management blade to your start page.


Step #2 – Create an Intune MAM policy. Provide a policy name and select the applications for which you want to enforce this policy. Example: Excel, OneDrive, Word, etc.


Step #3 – Specify the data protection settings that you want to enforce for those mobile applications. You can choose the default recommended settings or customize them to meet your security requirements.


Step #4 – Target and deploy this policy to desired user groups.


That’s it! You’re done. With this simple IT workflow, you have successfully created an Intune MAM policy and deployed it to users. At this point, every user who logs into the targeted apps will be subject to the Intune MAM policies, and your corporate data is protected. As you can see, there was NO infrastructure that you needed to deploy.

Conclusion

Intune’s enhanced MAM features described in this blog post are truly game changing innovations in the enterprise mobility space. As mentioned earlier in this post, MAM is not a replacement for MDM but an excellent complementary choice alongside MDM for specific scenarios: BYOD, partner/vendor management, and protecting Office mobile apps. Your end users will love their onboarding experience while you can be assured of the security of your Office 365 corporate data. We look forward to you trying this feature out, along with all of the other new features in our November release, as soon as the release is available globally to everyone over the next few weeks.

Additional resources:

Note: To see the specific timeframe for when your tenant will be updated, please visit the Microsoft Intune status page. You can identify the Service Instance that your Intune subscription is running on by opening your Intune administration console, clicking on the Admin tab, and then selecting View Service Status. Your Service Instance will be displayed at the top of this page.