As a cloud service, Windows Intune is updated on a regular basis, roughly every quarter. We’re currently rolling out an update to the Windows Intune service which provides support for Windows Phone 8.1 and Samsung KNOX Standard (formerly Samsung SAFE). In Q3, we will add support for Windows 8.1 Update settings specific to “family safety” which are useful for education environments.
In Q4 of CY2014, we’ll be releasing major new functionality specifically focused on managed mobile productivity (managed applications and data protection) and IT enhancements, including bulk enrollment and support for Apple Configurator.
Managed Mobile Productivity
Microsoft has always believed in protecting data through defense in depth. When protecting a Windows PC, using the firewall, keeping the OS, applications, and anti-malware signatures up to date, not having users run as local administrators, and using appropriate access controls to data all combine to produce a better-protected PC and network environment.
Mobile devices present a more complex challenge, as these devices can be inconsistent in their management capabilities and are often not corporate-owned. They must therefore be managed less heavily than a corporate-owned PC might be; also, people typically use a wide variety of public applications and non-corporate-sanctioned cloud services to access and store corporate data – which can put your organization at risk.
Some vendors have addressed data protection and application management for mobile devices by replacing the productivity apps that people are most familiar with by single, monolithic applications which have email, document, and browsing capabilities all in one; these apps can be heavily managed, but can provide users with a less-than-optimal experience. These solutions may protect the data, but users ultimately find ways around the restrictive apps by using others which may not be as secure.
Microsoft’s approach is more natural – build manageability and data protection into the apps which people choose to use, and extend that capability for enterprises to use with their own apps. This way, people stay productive in the apps they are familiar with, while organizations maintain their compliance requirements.
To do this, we will deliver a unique container solution that is different from the traditional containers offered by other mobile device management solutions on the market. Our solution will provide a rich managed app environment which has the container functionality built directly into the apps people are familiar with (Office mobile apps for iOS and Android), and will also be flexible enough for administrators to define not only how each of these apps will interact with data, but also how they will interact with each other.
This managed productivity environment has several features:
Conditional Access Policy
When a user enrolls their device into Windows Intune, an organization’s certificates, Wi-Fi, VPN, and email profiles can automatically be configured on the device. This will enable users to quickly access internal corporate resources with the appropriate security configurations set, without having to call the help desk. Access to email and corporate data stored in OneDrive for Business can be automatically restricted if a user tries to access those resources on a device which is not enrolled for management. Access can automatically be restricted if the device is de-enrolled from Windows Intune or falls out of the compliance policy set by the administrator. For example, if someone jailbreaks their previously-enrolled iPad, access to Exchange and OneDrive for Business can be revoked until the problem is corrected.
Managed Office Mobile Apps
We believe that the future of work is only possible if people are empowered to do their best work anywhere and on any device while businesses have the tools they need to responsibly manage security and compliance. For today’s employees, the mobile device, in particular, is their first and sometimes only connected device. This means businesses need to provide a rich and protected experience to access Office documents and emails without restricting users to a one-size-fits-all application.
With Office and Outlook Web App (OWA) for mobile devices, users will soon be able to access corporate data from within Word, Excel, PowerPoint, OneDrive for Business, and OWA mobile in a protected manner based on IT policy defined through Windows Intune. IT departments will be able to apply policies across Office mobile apps to allow their users to create, view, edit, and share content only between managed applications. These managed Office applications will be available for iOS and Android phones shortly after the release of the Q4 update to Windows Intune.
We will also deliver an app wrapping tool which will enable an organization to take its existing internal line-of-business app and wrap a management policy around it, then distribute it to its users via Intune. Policy can be defined from within the administrator’s console to enable or block such things as cut/copy/paste, define whether the app will allow its data to be opened in another app, or require encryption for a saved file. This tool will be able to wrap apps for both iOS and Android.
We will also provide access to the Internet through a protected browser. This will enable the administrator to require certain web links – for example, those found in an email attachment – to be accessed only from that browser, which can be configured with the same data protection policies mentioned above. Lastly, we are also working on managed PDF, audio, and video viewers which can be used within the same managed productivity environment on the device.
These managed apps and their data will also be able to be wiped from the device if the administrator or the device’s owner chooses to initiate a selective wipe on the device.
Susan will be able to access her Exchange inbox only after she enrolls her device for management through Windows Intune. Once enrolled, her device is automatically configured with the certificates required to access internal resources, as well as her Exchange profile. Susan is able to use OWA for iPad to access her mail, and wants to save a Word attachment onto her device. It’s automatically stored and encrypted within the OWA for iPad app, and she is also able to send it to her OneDrive for Business folders in the cloud. She will be unable to send the attachment to other cloud storage services which are not authorized by her company. She is able to easily open the attachment in Word, where she is able to modify its contents, as well as copy some product information into a PowerPoint slide. She will be unable to copy that information into another unmanaged app on her iPad, however.
When the administrator sets up VPN profiles to be configured on mobile devices, he can also define which applications should automatically trigger the VPN, enabling Susan to seamlessly access other internal resources. When she clicks on a link in her inbox to access an internal pricing guide, the link will open in the protected web browser, which allows her to view the data, but not cut and paste it into another application.
These apps will be able to be automatically installed on devices without user intervention, ensuring that the right applications are being used by people to access corporate resources; likewise, they can be automatically uninstalled by the administrator when necessary.
Managed Corporate Devices
Not all mobile devices are personally owned and used by knowledge workers. Many are corporate-owned and are for task-based usage; for example, claims, retail, or educational scenarios. In these cases, the administrator would need to enroll these devices into Windows Intune and be able to set policy and install applications based on the device, not the user.
Intune will support the ability to bulk enroll iOS and Android devices, and to use a single Intune service account to enroll the devices instead of having separate IDs for each device, since the devices are not each associated with a user. For iOS, Intune will support Apple’s Device Enrollment Program to do this bulk enrollment.
Intune will also support the ability to configure iOS devices using the Apple Configurator tool, allowing more granular and enforced “lock down” policies through the iOS Supervisor mode. This is especially useful in education scenarios where the student should not be able to un-enroll the device or when more stringent management is required. Additional settings include the ability to allow or block a specific set of applications and URL addresses.
Enterprise mobility is a trend moving at a lightning-fast pace – we even kicked off a brand new Enterprise Mobility blog to drive a deeper conversation around the issues organizations face and how we can help. Stop by and check it out!
Windows Intune is on a rapid release cadence – providing new capabilities every few months – and we have a lot of exciting new capabilities currently under development. If you’re not using Intune yet, sign up for a free 30-day trial today!