Windows Intune Getting Data Security Protections for Android and Apple Devices
Microsoft announced that new mobile device management improvements will be coming to its Windows Intune management solution, arriving sometime in the fourth quarter.
The Windows Intune management improvements center on two data protection schemes for devices. Those schemes include a new "container solution" and a new "app-wrapping tool," according to Microsoft's announcement on Monday. Those concepts weren't explained too well. However, container solutions carve out an encrypted zone on a device, while app wrapping is better known as the software security "sandboxing" technique that's used with apps vetted by an app store. At least that's the explanation offered by Apperian, a mobile app management platform builder founded by Apple executives. Microsoft may have a different view on the containers vs. wrappers distinction, though.
Microsoft had hinted before TechEd that it would debut a "native containers" technique to be added to Windows Intune and Microsoft Azure Active Directory. Containers allow policies to be set for business data vs. personal data on mobile devices. This week, Microsoft offered a little more clarification. Its device data protection scheme will be "built into the apps which people choose to use." And that built-in protection will be enabled by a "unique container solution," the announcement explained:
"To do this, we will deliver a unique container solution that is different from the traditional containers offered by other mobile device management solutions on the market. Our solution will provide a rich managed app environment which has the container functionality built directly into the apps people are familiar with -- Office mobile apps for iOS and Android, but also be flexible enough for administrators to define not only how each of these apps will interact with data, but also how they will interact with each other."
Microsoft updated Windows Intune last month. Along with adding Windows Phone 8.1 support in Windows Intune in that April update, Microsoft added support for Samsung's Knox standard, which is a security solution that adds "secure boot" protection for Android devices. The Knox standard appears to be an example of a container solution that Microsoft plans to improve upon with its next Windows Intune update release.
For the Windows Intune improvements coming in the fourth quarter, Microsoft plans to add a way for organizations to control access to corporate data via Microsoft Office and the Outlook Web App. Microsoft is targeting that app wrapper capability for the Android and iOS device platforms "shortly after the release of the Q4 update to Windows Intune," according to the announcement. The capability will also apply to so-called "line-of-business" apps:
"We will also deliver an app wrapping tool which will enable an organization to take their existing internal line of business app and wrap a management policy around it, then distribute it to their users via Intune. Policy can be defined from within the administrator’s console to enable or block such things as cut/copy/paste, define whether the app will allow its data to be opened in another app, or require encryption for a saved file. This tool will be able to wrap apps for both iOS and Android."
Brad Anderson, speaking during the Microsoft TechEd keynote on Monday, described the app wrapper capability as controlling things like copy-and-paste functions in applications. He said (Microsoft transcript) that the app wrapping capabilities were being built by Microsoft's Application Virtualization (App-V) team:
"What's App-V? It's a wrapper for Windows applications. The team that has built our wrappers is the App-V team, which I would debate is the most qualified organization in the world to build wrappers. This will all be available in the second half of this calendar year and this combination of Office, and of Intune as a component of the enterprise mobility suite, will give you far and away the best productivity and management solution for your users."
The copy-and-paste restrictions were demonstrated during the TechEd keynote on Monday by Julia White, general manager of Microsoft Office product management. She showed how pasting content extracted from an Excel attachment accessed via a managed Outlook Web App e-mail program on an iPad did not work when she tried to paste that content into an unmanaged consumer app on the same device.
Microsoft is planning a few other data protection enhancements as part of its mobile device management solutions. For instance, there will be a way to restrict access to Web links on a device so that they can only be accessed through a "protected browser." In addition, it will be possible for organizations to set data access restrictions on the use of "managed PDF, audio, and video views" on a device, according to Microsoft's announcement.
Windows Intune is also getting some Apple tools support. It will get support for Apple's Device Enrollment Program, which is used to perform the bulk enrollment of iOS devices. Microsoft also will be adding support for Apple Configurator, which is used to configure policies on iOS devices.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.