News

Microsoft Rolling Out Security Enhancements for Outlook, Intune and OneDrive for Business

• By Kurt Mackie
• 05/20/2015

Microsoft expects to release a new "managed Outlook app" sometime this quarter that will enable enhanced data security protections for organizations.

This managed Outlook app will let organizations set controls on the conditions when data can be copied and pasted (described as a "data leakage protection" scheme by Microsoft). It can also control where files can be saved. The app also will let organizations set "conditional access" terms, such as only allowing e-mails to be sent by devices that comply with IT policies.

Microsoft typically uses this "managed app" nomenclature in reference to its Enterprise Mobility Suite bundle, which is a requirement for these data security protections. Microsoft has also talked about a "managed browser" in that context, too. The Enterprise Mobility Suite, announced last year, provides the licensing rights to use Windows Azure Active Directory Premium, Windows Intune and Windows Azure Rights Management Services.

Managed Outlook App
The new managed Outlook app is capable of distinguishing between personal uses and business uses on a device to prevent data leakage through copying and pasting. That's enabled via a "multi-identity support" API that was built for the Microsoft Intune mobile device management service, explained Brad Anderson, corporate vice president for Enterprise Client and Mobility at Microsoft, in Microsoft's announcement. Because of this API, the managed Outlook app "can switch between personal and business use within the same app."

This conditional access feature depends on the capabilities of the Enterprise Mobility Suite. Anderson explained how it works:

The way Conditional Access works is we have integrated the EMS and Office 365 backend services. When a device is brought under management, we create an object in Azure Active Directory for the device. Intune then writes into the object multiple times a day that the device is in fact managed and if the device is compliant with the configuration policies that have been defined as required for accessing corporate content (PIN, encrypted, not jail broken). Any time a request is made to the Exchange online backend for e-mail, Exchange checks with the EMS components to see if Conditional Access is enabled and if the device requesting e-mail is compliant.

If the device is noncompliant, the user gets an automatic e-mail response with a link that describes how to address the issue.

Microsoft also plans to issue an update to its Skype for Business client that will have similar conditional access and data leakage prevention capabilities. The new Skype for Business client is expected to appear in the third quarter of this year, according to Anderson.

Microsoft announced earlier this year that it plans to make some of these protections available for free to certain Office 365 subscribers using Office apps and Office Web apps. For instance, those apps will have conditional access protection capabilities. Other protections, though, would require a purchase of Enterprise Mobility Suite licensing.

Intune Updates
The Intune mobile device management solution now gets monthly updates. Microsoft's next update has already started rolling out and will include a new App Wrapping Tool for Android solution. Organizations can use this tool to add security to their business apps. The May Intune update also lets organizations specify help-desk permissions for IT personnel. A fuller list of the May Intune improvements can be found in this blog post.

The May Intune updates are just for the "standalone" version of Intune. While it's possible to link System Center Configuration Manager to Intune through a connector solution, the new Intune improvements this month don't yet apply to that sort of arrangement. Microsoft lists the joint Intune-Configuration Manager capabilities at this TechNet page.

Microsoft plans to host a Webinar on securing Office 365 mobile apps with Microsoft Intune on May 26 at 10:00 Pacific Time. It'll have a live Q&A period. An overview of Intune mobile device management also is described in this Ignite talk.

Outlook Web App and OneDrive
In other Outlook news, Microsoft announced this week that it's possible to now use the Outlook Web App to save e-mail attachments directly to the OneDrive for Business storage service. It will save these e-mail attachments to a OneDrive for Business folder called "Email attachments."

This improvement also helps in cases when users try to send e-mails with large file attachments. They get prompted to save the attachment to OneDrive for Business first when the attachment is over 25MB, which is the default maximum message size. Microsoft recently announced the ability of IT pros to increase Office 365 message sizes to 150MB.

Currently, the Outlook Web App can save files to OneDrive for Business that are 200MB maximum, but Microsoft plans to increase that limit to 2GB "over the next 4-8 weeks."

Also announced this week is the addition of "data loss prevention" protections in cases where end users sync files to OneDrive for Business. Organizations can use this capability to permit the syncing of files only when the PC is deemed to be domain joined or managed. The feature today works only with PCs that can be managed via Active Directory Group Policy.

For future OneDrive for Business capabilities, as announced during Ignite, see this blog post. The future improvements, such as removing the 20,000 file limit and 10GB file uploads with sync, are scheduled for release toward the end of this year. Microsoft also is promising a "selective sync" capability, as well as the ability to merge the consumer OneDrive with the OneDrive for Business sync client.