Microsoft Extends Some Mobile Device Management Capabilities to Commercial Office 365 Plans
Microsoft announced today that it is adding three mobile device management capabilities to certain Office 365 subscription plans at no extra cost.
The three capabilities include "conditional access," "selective wipe" and certain device-level security compliance qualifications that IT pros can set, such as requiring devices to have "pin lock and jailbreak detection" to gain access to apps. Subscribers to most Office 365 Business, Enterprise, Government and Education plans will get these capabilities as early as today, but Microsoft is gradually rolling them out to subscribers worldwide. The new security and management protections are expected to arrive to all qualified subscribers over the next four to six weeks, according to Microsoft's announcement.
While there's no charge for the new security capabilities, the company's announcement noted that other "advanced" management capabilities are optional. Getting access to those optional capabilities entails having a Microsoft Intune mobile device management subscription or Enterprise Mobility Suite licensing. The new free capabilities are enabled by Intune, as well as by Microsoft Azure Active Directory services, so Microsoft essentially has just carved out some of those capabilities and offered them at no cost to its Office 365 subscribers.
It's hard to tell from Microsoft's documentation which Office apps have the new free mobile device management capabilities. Office 365 subscribers get the traditional Excel, Outlook, PowerPoint and Word apps in a full suite that Microsoft calls "Office ProPlus." In addition, most Office 365 subscriptions (except for the Business Essentials plan) also include "online" Web-enabled Office apps accessed through a browser, as well as mobile Office apps. Possibly, the new free mobile device management capabilities only apply to the Office Web apps. It doesn't seem that the mobile apps get these new protections unless an organization also has an Intune subscription or Enterprise Mobility Suite licensing. Here's how a Microsoft spokesperson explained it:
If a customer wishes to manage all their company apps (including O365, Salesforce, Box, etc. etc.) -- you can simply step up to the full Microsoft EMS/Intune subscription -- they manage all apps, including Office mobile apps across different device types.
A Microsoft TechNet article shows that the new free "built-in" mobile device management capabilities in Office 365 subscriptions extend to iOS, Android and Windows Phone devices. For Windows devices, an Intune subscription is needed, according to the first table in that article. Consequently, it would seem that an Intune subscription would be required to get these management capabilities for a Windows tablet device.
Windows 10, still at the preview stage, isn't part of the current supported devices list for the new Office 365 mobile device management capabilities. The list just shows support for "Windows Phone 8.1, iOS 6 or later versions, Android 4 or later versions, Windows 8.1 and Windows 8.1 RT."
The new conditional access capability that's now part of Office 365 subscriptions is Microsoft's concept for the ability of IT pros to set certain conditions for devices before end users can access e-mail and Office documents. It's designed to protect access to Excel, PowerPoint and Word documents, as well as "other business applications," according to Microsoft's announcement. Organizations likely will need Intune for those other business applications, though, it seems.
Selective wipe is a security measure for lost or stolen devices. IT pros can use the Office 365 Admin Center to delete all information from a device or just the organizational data.
The device-level protections in Office 365 subscriptions let IT pros set conditions for user access. Users might be required to have a password of a certain complexity or length, for instance. The compliance specifications that can be set will vary depending on the device's operating system platform. For instance, IT pros can't force Android 4 (or greater) devices to prevent the use of simple passwords as a compliance criterion, nor can they compel Windows Phone 8.1 devices to not be jail broken, an according to Microsoft's TechNet description.
Some of Microsoft's Office 365 protection schemes are based on its Rights Management Service technology, but that's likely an extra cost for organizations managing mobile devices. Microsoft has frequently demonstrated an Office 365 capability that prevents copy-and-paste actions by end users, as demonstrated by Julia White, general manager of Microsoft Office product management, at Microsoft's TechEd event last year. However, that capability, which apparently taps the Azure Rights Management Service, will require having Enterprise Mobility Suite licensing in place. Microsoft has also described this technology as being built into Windows 10 through the use of container technology.
In a nutshell, it appears that the new free Office 365 mobile device management capabilities likely just apply to the use of Office Web apps. Specific mobile management capabilities will vary per the OS platform deployed. In other words, it's a complicated picture, and that complexity could help Microsoft sell its Enterprise Mobility Suite licensing or Intune subscriptions for organizations going down the mobility device management road.
Update: In addition to Microsoft's newly available mobile device management capabilities applying to Office Web apps, they also apply to so-called "native apps" for Office, a Microsoft spokesperson claimed via e-mail on Tuesday. Those native apps were built to run on top of a particular OS, for instance, rather than to be run in a browser. Microsoft currently has such native Office apps built for iOS devices and Android tablets, as well as the full Office suite built for Windows. The documentation that Microsoft released yesterday about the new mobile device management capabilities, though, do not indicate the specifics about either Web app or native app support. Organizations likely will have to talk with their Microsoft partner, or consult the next Products Use Rights document for Online Services, to get a more definitive answer.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.