What’s Coming Next with Windows Intune

As a cloud service, Windows Intune is updated on a regular basis, roughly every quarter. We’re currently rolling out an update to the Windows Intune service which adds support for Windows Phone 8.1 and Samsung KNOX Standard (formerly Samsung SAFE). In Q3, we will add support for Windows 8.1 Update settings specific to “family safety”, which are useful for education environments.

In Q4 of CY2014, we’ll be releasing major new functionality specifically focused on managed mobile productivity (managed applications and data protection) and IT enhancements, including bulk enrollment and support for Apple Configurator.

Managed Mobile Productivity

Microsoft has always believed in protecting data through defense in depth. When protecting a Windows PC, using the firewall, keeping the OS, applications, and anti-malware signatures up to date, not having users run as local administrators, and applying appropriate access controls to data all combine to give a better-protected PC and network environment.

Mobile devices present a more complex challenge: they are inconsistent in their management capabilities and are often not corporate-owned. They must therefore be managed less tightly than a corporate-owned PC can be. In addition, people typically use a wide variety of public applications and non-corporate-sanctioned cloud services to access and store corporate data, which can put your organization at risk.

Some vendors have addressed data protection and application management for mobile devices by replacing the productivity apps people are most familiar with by single, monolithic applications that combine email, document, and browsing capabilities all in one. These apps can be heavily managed, but they can give users a less-than-optimal experience. Such solutions may protect the data, but users ultimately find ways around the restrictive apps, turning to others which may not be as secure.

Microsoft’s approach is more natural: build manageability and data protection into the apps which people choose to use, and extend that capability so enterprises can apply it to their own apps. This way, people stay productive in the apps they are familiar with, while organizations maintain their compliance requirements.

To do this, we will deliver a unique container solution that is different from the traditional containers offered by other mobile device management solutions on the market. Our solution will provide a rich managed app environment in which the container functionality is built directly into the apps people are familiar with, the Office mobile apps for iOS and Android, while remaining flexible enough for administrators to define not only how each of these apps will interact with data, but also how they will interact with each other.

This managed productivity environment has several features: 

Conditional Access Policy

When a user enrolls their device into Windows Intune, an organization’s certificates, Wi-Fi, VPN, and email profiles can automatically be configured on the device.   This will enable users to quickly access internal corporate resources with the appropriate security configurations set, without having to call the help desk.  Access to email and corporate data stored in OneDrive for Business can be automatically restricted if a user tries to access those resources on a device which is not enrolled for management.  Access can automatically be restricted if the device is de-enrolled from Windows Intune or falls out of the compliance policy set by the administrator.  For example, if someone jailbreaks their previously-enrolled iPad, access to Exchange and OneDrive for Business can be revoked until the problem is corrected.

Managed Office Mobile Apps

We believe that the future of work is only possible if people are empowered to do their best work anywhere and on any device while businesses have the tools they need to responsibly manage security and compliance. For today’s employees, the mobile device, in particular, is their first and sometimes only connected device. This means businesses need to provide a rich and protected experience to access Office documents and emails without restricting users to a one size fits all application.

With Office and Outlook Web App (OWA) for mobile devices, users will soon be able to access corporate data from within Word, Excel, PowerPoint, OneDrive for Business, and OWA mobile in a protected manner, based on IT policy defined through Windows Intune. IT departments will be able to apply policies across the Office mobile apps to allow their users to create, view, edit, and share content only between managed applications. These managed Office applications will be available for iOS and Android phones shortly after the release of the Q4 update to Windows Intune.

We will also deliver an app wrapping tool which will enable an organization to take their existing internal line of business app and wrap a management policy around it, then distribute it to their users via Intune.   Policy can be defined from within the administrator’s console to enable or block such things as cut/copy/paste, define whether the app will allow its data to be opened in another app, or require encryption for a saved file.  This tool will be able to wrap apps for both iOS and Android.

Protected Data

We will also provide access to the Internet through a protected browser.  This will enable the administrator to require certain web links – for example, found in an email attachment – to be accessed only from the browser, which can be configured with the same data protection policies mentioned above.   Lastly, we are also working on managed PDF, audio, and video viewers which can be used within the same managed productivity environment on the device.

These managed apps and their data will also be able to be wiped from the device if the administrator or the device’s owner chooses to initiate a selective wipe on the device.

Example Scenario

Susan will be able to access her Exchange inbox only after she enrolls her device for management through Windows Intune. Once enrolled, her device is automatically configured with the certificates required to access internal resources, as well as her Exchange profile. Susan is able to use OWA for iPad to access her mail, and wants to save a Word attachment onto her device. It is automatically stored and encrypted within the OWA for iPad app, and she is also able to send it to her OneDrive for Business folders in the cloud. She will be unable to send the attachment to other cloud storage services which are not authorized by her company. She is able to easily open the attachment in Word, where she can modify its contents, as well as copy some product information into a PowerPoint slide. She will be unable to copy that information into another unmanaged app on her iPad, however.

When the administrator configures VPN profiles to be configured on mobile devices, he can also define which applications should automatically trigger the VPN, enabling Susan to seamlessly access other internal resources.   When she clicks on a link in her inbox to access an internal pricing guide, the link will open in the protected web browser, which allows her to view the data, but not cut and paste it into another application.
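The conditional access gate and the managed-app data-flow rules described above, modelled as a small policy evaluator that replays Susan’s scenario. This is an added illustration, not Intune’s own policy engine; the app names in the managed set come from the post, while the event shapes, policy fields and the unmanaged-app placeholders are assumptions.

```python
"""Toy model of conditional access plus managed-app data-flow policy.
Added illustration only; field names and event shapes are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Device:
    enrolled: bool = False
    jailbroken: bool = False  # out of compliance when True


@dataclass
class Policy:
    # Managed apps named in the post; any other app is treated as unmanaged.
    managed_apps: set = field(default_factory=lambda: {
        "OWA", "Word", "Excel", "PowerPoint", "OneDrive for Business", "Managed Browser"})
    # Only company-sanctioned storage may receive saved attachments.
    allowed_storage: set = field(default_factory=lambda: {"OneDrive for Business"})
    allow_paste_to_unmanaged: bool = False


def compliant(device):
    """Conditional access gate: only enrolled, compliant devices reach corporate data."""
    return device.enrolled and not device.jailbroken


def decide(policy, device, action, src, dst=""):
    """Return (allowed, reason) for one event from a managed app `src` towards `dst`.
    action is one of: access, save, open_in, paste, open_link."""
    if not compliant(device):
        # De-enrolled or jailbroken: access stays revoked until corrected.
        return False, "device not enrolled or out of compliance; access revoked"
    if src not in policy.managed_apps:
        return False, f"{src} is not a managed app"
    if action == "access":
        return True, "enrolled and compliant"
    if action == "save":
        # Attachments stay encrypted inside the app or go only to sanctioned storage.
        ok = dst == src or dst in policy.allowed_storage
        return ok, ("sanctioned storage" if ok else f"{dst} is not authorized storage")
    if action in ("open_in", "paste"):
        if dst in policy.managed_apps:
            return True, "managed-to-managed transfer"
        if action == "paste" and policy.allow_paste_to_unmanaged:
            return True, "policy permits paste to unmanaged apps"
        return False, f"{dst} is an unmanaged app"
    if action == "open_link":
        # Corporate links are forced into the protected browser, which shares the policy.
        return dst == "Managed Browser", "links open only in the protected browser"
    return False, f"unknown action {action}"
```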

These apps will be able to be automatically installed on devices without user intervention, ensuring that the right applications are being used by people to access corporate resources; likewise, they can be automatically uninstalled by the administrator when necessary.

Managed Corporate Devices

Not all mobile devices are personally owned and used by knowledge workers.   Many are corporate-owned and are for task-based usage; for example, claims, retail, or educational scenarios.   In these cases, the administrator would need to enroll these devices into Windows Intune and be able to set policy and install applications based on the device, not the user.

Intune will support the ability to bulk enroll iOS and Android devices, using a single Intune service account to enroll them instead of having a separate ID for each device, since these devices are not each associated with a user. For iOS, Intune will support Apple’s Device Enrollment Program to do this bulk enrollment.

Intune will also support the ability to configure iOS devices using the Apple Configurator tool, allowing more granular and enforced “lock down” policies through the iOS Supervisor mode.  This is especially useful in education scenarios where the student should not be able to un-enroll the device or when more stringent management is required.    Additional settings include the ability to allow or block a specific set of applications and URL addresses.

Stay Tuned

Enterprise mobility is a trend moving at a lightning-fast pace – we even kicked off a brand new Enterprise Mobility blog to drive a deeper conversation around the issues organizations face and how we can help.  Stop by and check it out! 

Windows Intune is on a rapid release cadence – providing new capabilities every few months – and we have a lot of exciting new capabilities currently under development.  If you’re not using Intune yet, sign up for a free 30-day trial today! 

Comments (13)

  1. steven C says:

    Hi Intune team, thanks for the update, looking good here!

    I have 2 parts that I am a little worried about,

    “bulk enroll iOS and Android devices, and use a single Intune service account “

    Does this mean we will not see this for Windows Phone and Windows RT? We have shunned iOS for the Microsoft platform and this feature would make managing non-user devices much easier. Please say this will be coming to your own platform soon?

    “Managed Apps”
    Will MS be providing the app executable (Appx, IPA etc.) so enterprise admins can pre-provision devices for end users (getting users to sign up for a MS ID is tedious work)?

    Please post back if possible!

  2. tony says:

    Sounds all very good, but what about us fools who bought into the Windows Phone platform and deployed them in the enterprise? We have an inferior version of Office which can’t be managed. We can’t bulk enrol and we don’t get to wrap LOB apps for management. What do I tell my boss? That we should now buy iPhones and Androids?

  3. Miha Pecnik says:

    WP 8 support is a must; the post was even tagged appropriately.

  4. ManageUsingIpad says:

    I can manage Azure using my iPad, but Windows Intune requires Silverlight. Please fix.

  5. Neil G says:

    Office 365 and Azure support two factor auth, but last I saw Intune does not. Is this still true for Windows Intune?

  6. Potential Customer says:

    Windows Intune needs to support server operating systems and remote access to machines on W8/W8.1.
    Mobile Device Management and Enterprise Mobility is all well and good but for the SMB / Home Office environment these are irrelevant.

  7. Eoin says:

    Please make the focus of the next development "endpoint security", and specifically Application Whitelisting.

    Take the Applocker elements from on-premise Group Policy and sync these to the Intune cloud through dirsync.

    Blocked Apps appear in the Intune console, and a standard notification emails an alert. In the Intune console, an Admin can approve blocked apps and at the same time write a new rule to the on-premise Applocker group policy. This extends Applocker out past the domain and gives admins the ability to lock down endpoints AND allow Apps remotely.

    Bonus points if the Admin can give the offline Intune client a one-time 24h code to allow an app to run, for example an internet connection dongle app – thus getting the client online.

  8. TechnologyPeople says:

    Please re-introduce Remote Assistance support. Without it, Intune is not a viable solution for mid-size companies.

  9. Mitch Denny says:

    Hi guys, what is going on with this product? There hasn’t been an update for quite some time on this blog and there are major missing features with the product:

    1. Silverlight as the admin UI.
    2. No support for publishing *.appx files to Windows Phone 8.1 devices (instead of *.xap packages).
    3. No support for app upgrade scenarios on devices (without this Windows Intune doesn’t really tick the most important items in terms of mobile device management; you have to be able to push updates without requiring the user to go back into the company portal, figure out what they should be downloading and then download it again, meaning different isolated storage etc.).

  10. James T says:

    "Mobile first, Cloud first" is all well and good but Intune cannot ignore that this service began as a PC management platform and it seems that this is being neglected.
    Remote assistance is the elephant in the room. We need it reinstated for Windows 8/8.1 machines and unattended access (while you’re at it, how about wake-on-LAN using another client machine on the same network – LogMeIn already does this).
    Silverlight for the browser was understandable 3 years ago when Intune launched, but a full rewrite in HTML5 would make the admin console faster and cross-platform compatible.
    Support for server operating systems with updates and anti-virus is a must. Most small businesses have an on-prem server, and no management solution is complete without monitoring the most crucial machine on the network.

  11. Antoine J says:

    Like Mitch Denny, I’m waiting for the ability to publish Windows Phone 8.1 appx to my phones…

  12. Dixon K says:

    Remote support of 8.1 please.

  13. anonymouscommenter says:

    Today’s Tip… Yesterday, I sent out a tip concerning NAP (Network Access Protection). A couple of readers