The Microsoft Word, Excel, PowerPoint and OneDrive apps are hugely popular on iOS and are natively instrumented for management only with Microsoft Intune. On Android, OneDrive, Office Mobile, and many other apps are also natively instrumented only for Intune. In this post, you’ll learn about Mobile Application Management in Microsoft Intune, including containers, encryption, policies, and app deployment. Dive in!
Enterprise Mobility Management (EMM) is a rapidly evolving technology. Every few weeks the operating systems we manage add new features, new apps are released and our users do something new. One of the technology subsets of EMM that’s arisen is the Mobile Application Management (MAM): essentially application deployment, lifecycle, policy, and removal technologies. Every EMM platform has them. Of course, the one I’m most interested in is Microsoft Intune (itself the MDM and MAM subset of Enterprise Mobility Suite) which interacts at the Mobile Device Management (MDM) layer.
MAM lets you have granular control of applications and provides a container that isolates corporate data and apps from personal ones on the device.
Most EMM products have their own apps that can live within these containers to perform “good enough” functions that users commonly need. The trouble is that “good enough” and “choice” don’t sit well together. Why should your spreadsheet application be “good enough” when your users can go get Microsoft Excel from the app store? Why use a document app when you can use Microsoft Word? The list goes on.
The Microsoft Word, Excel, PowerPoint apps top the charts on iOS, Android, and Windows. It is clear people love them.
Why do organizations need to use MAM? That’s clear too. We need to protect our company resources; our intellectual property, our customer information and our personnel information. Where’s the intersection of these two stories? Microsoft Word, Excel, PowerPoint, OneNote and OneDrive come with mobile application management built in and managed through Microsoft Intune!
SDK Managed Apps
Microsoft Word, Excel, PowerPoint, OneNote iOS apps and OneDrive iOS and Android apps have the Microsoft SDK built into them, meaning that they know how to interpret configuration payloads from Microsoft Intune. The Office team took the SDK and implemented it right into the Office code. As a matter of fact, they are only natively instrumenting for Microsoft Intune.
SDK managed apps live in an encrypted container on iOS using the inbuilt iOS encryption engine, which is FIPS 140-2 certified. On Android, SDK managed apps implement their own encryption algorithm. Any corporate data is protected inside the container.
SDK managed apps also can “policy managed”, meaning that they know how to interpret a payload that Microsoft Intune sends to the device. This allows IT to control many aspects of the apps’ behaviors. For example, by setting an Intune Managed Application Policy, it’s possible to redirect any web browsing to a Secure Browser. IT can also enable policy managed apps to need a PIN or authentication of corporate credentials before allowing the user into the app, increasing the container security. Other neat features include encrypting data when saving files to external storage, such as SD cards.
A mobile application management policy spans apps, meaning that the policy becomes the “link” between, for example, Word, Excel and OneDrive. All the data is secured by the policy and the apps are managed by the policy.
When a developer integrates the Microsoft Intune SDK into an app they can later publish the app to the store. Microsoft is working with partners to do this right now.
One of the biggest concerns with enterprise mobility is the “un-enrollment” scenario, or what happens when a user no longer requires access to corporate information. Since SDK managed apps are generally published to a public store there is always the possibility that they will also have interacted with personal data which the user might want to keep private (although there is a policy to disable this if IT want). In the case of an SDK managed app, when the device is “un-enrolled” the app data is wiped out, but the app remains.
In the future, it will also be possible to use the SDK for a Line of Business (LoB) app, but another route, App Wrapping, might be more suitable.
Although I’m focusing this post on managing Office apps on iOS and Android they probably won’t exist alone. Many organizations are developing custom LoB apps for iOS, and they want to be able to secure them too. Budgets for LoB apps, however, remain tight in most organizations and so redeveloping an existing app to incorporate the SDK might not always be good. Enter the app wrapper.
Today, wrapping is available for iOS and it requires the wrapping be done from a Mac; not a problem, since you need a Mac to develop for iOS. There are some requirements around wrapping:
- Apps must be developed and signed by your company or an independent software vendor (ISV). You cannot use this tool to process apps from the Apple Store
- The app must be written for iOS 7.0 or later
- Apps must be in the Position Independent Executable (PIE) format. For more information about the PIE format, see your Apple developer documentation
- The app must have the extension .app, or .ipa format
- The app must be a 32-bit app (64-bit apps are not supported)
- When you use the app wrapping tool to process apps that need to use an Internet site, you must make sure that the URL is to the ‘ExternalHosts’ array in the applications preference (.plist) file. Some mobile device development frameworks (such as PhoneGap), restrict the URLs that can be accessed from the app unless they are added to this array
The wrapped app are managed with the same mobile application management policies as SDK managed apps. This means that they form part of the container and that the same policy requirements are apparent.
There is a third type of app that Microsoft Intune cares about: Managed Apps. These are apps in the iOS store that include specific iOS functionality such as implementing managed open in. To cut to the chase, these applications can be set as Required Installations, meaning that they are installed automatically. Additionally, using a mobile device policy for iOS in Microsoft Intune, you can control the behavior of even these apps, allowing or preventing those apps sharing data with unmanaged apps.
For completeness, unmanaged apps are those apps available from the app store that do not implement wrapping or the Microsoft Intune SDK and are not managed by Microsoft Intune using MDM application management policy. AKA they’re just another app.
Managing Word, Excel, PowerPoint and OneDrive. Step-By-Step.
We’re going to start by assuming that you have Microsoft Intune (and an Office 365 subscription for the Office apps). If you don’t you can go start a Microsoft Intune trial.
Step 1: Add the iOS App
Let’s start by adding PowerPoint as a managed app in Microsoft Intune. In the Intune console select the Software workspace and then Managed Software. Next click Add Software to start the process. A ClickOnce installer will download that you need to run. Upon doing so you’ll be asked to sign in with a Microsoft Intune administrator account.
Once you’re signed into the Microsoft Intune Software Publisher, select Add software and click Next. Because Microsoft PowerPoint is in the iOS App store, let’s select Managed iOS App from the App Store and then specify the URL to the app in the App Store. Personally I usually find this by opening a browser and just searching for the app. The URL will be something like: https://itunes.apple.com/us/app/microsoft-powerpoint/id586449534?mt=8 . Click Next to move on.
Now we need to set some information about the app. Remember, your users will see this in your Company Portal app. I usually also use the Snipping Tool to grab the app icon from the App Store web page. When you’ve provided your info, click Next and select which device type (iPad, iPhone or both) you want to target. We’ll select iPad. Click Next again, read the summary and click Upload. Since all you are uploading is your app icon it will complete very quickly!
Back in the Microsoft Intune management portal, click Detected Software and then back to Managed Software to refresh the list and confirm that PowerPoint is listed. Highlight PowerPoint and click View Properties at the top of the Managed Software list. Notice that the Supports App Policy detail is marked Yes; this indicates it’s a wrapped or SDK managed app.
Step 2: Create the Mobile Application Management Policy
We now need to create a policy to manage the app. Click the Policy workspace and navigate to Configuration Policies. To create a new mobile application management policy click Add… Next on the Create a New Policy screen, select the Software drop down and then select Mobile Application Management Policy (iOS 7 and later). Then select Create a Policy with the Recommended Settings and click Create Policy.
Now select your new policy which, at this point, is called Mobile Application Management Policy (iOS 7 and later) create and click Edit… You now have the opportunity to rename the policy and change any of the default settings that created by this template. By default this Mobile Application Management policy will:
- Open any web pages requested by the app in the secure browser (if present, which you need to deploy)
- Prevent containerized data being backed up to iCloud
- Allow data to be transferred to other apps managed by the policy
- Allow the policy managed apps to receive data from any other apps, even unmanaged
- Prevent the Save As dialog in the app, to prevent the user saving the data elsewhere
- Allow the policy managed apps to receive data from the clipboard
- Require a PIN to use the app and if the user gets it wrong more than 5 times reset the app
- Not require corporate credentials to use the app
- Require that the device meets corporate policy* and recheck compliance every 30 minutes and cache compliance offline for 720 minutes
- Encrypt data when the user locks the device or it locks itself
*this is a Conditional Access Policy and will make sure that the device is not jailbroken and has a long, complex enough password for your organization. This policy can be set in the Compliance Policies node.
Step 3: Assign the MAM policy and deploy the app
The next step is to associate the policy to the app and deploy the app. Go back to the Software workspace, select Managed Software and PowerPoint then click Manage Deployment… Now select the users that need the app. You can select All Users, a group, or a device group. All Users is good in a lab, then click Add and Next.
For Deployment Action, there’s a couple of options. Required Install will automatically install the app when the user enrolls their device or when policy is next refreshed for devices already enrolled. Available Install will place the app into the Company Portal application for the user to manually select. In this case, choose Required Install and click Next.
Now choose the App Management Policy that we created earlier and click Next. Next is choosing a VPN profile. Selecting a VPN profile, if you have one, will tunnel all the app’s traffic through the VPN connection, useful if your app is on-premises. In our case, Office 365 is not on-prem so we can just click Finish.
PowerPoint will now be deployed to users’ iPads upon enrollment or policy refresh and will be protected by the mobile application management policy.
So that PowerPoint has something to talk to, repeat this process to add Microsoft Word, Excel and OneDrive. You don’t need to create a new mobile application management policy though, so just repeat step 1 and step 2 above.
Take a look at the video below to see the outcome of what we just built, which of course you can try on any iOS devices you’ve enrolled:
Add PowerPoint for Android Tablets
Adding Android apps is very similar to iOS but with a few differences. First let’s add OneDrive for Android.
Step 1: Add the Android App
In the Intune console select the Software workspace and then Managed Software. Next click Add Software to start the process, a ClickOnce installer will download that you need to run. Upon doing so you’ll be asked to sign in with a Microsoft Intune administrator account again.
Once you’re signed into the Microsoft Intune Software Publisher, select Add software and click Next. Because Microsoft OneDrive is in the Google Play store, let’s select External Link and then specify the URL to the app in the Google Play Store. Again I usually find this by opening a browser and just searching for the app. The URL will be something like: https://play.google.com/store/apps/details?id=com.microsoft.skydrive . Click Next to move on.
Enter the publisher details, and again, snip the icon from the Google Play store. Click Next and then Upload. Finally, click Close.
Step 2: Create the Mobile Application Management Policy
We now need to create a policy to manage the app. MAM policies are specific to each platform, iOS and Android. Click the Policy workspace and navigate to Configuration Policies. To create a new mobile application management policy click Add… Next, on the Create a New Policy screen select the Software drop down and then select Mobile Application Management Policy (Android 4 and later). Then select Create a Policy with the Recommended Settings and click Create Policy.
Select the new policy called Mobile Application Management Policy (Android 4 and later) create <today’s date> and click Edit… You can again change any of the template settings which in this case are:
- Open web content in the managed browser; again you’ll need to deploy this for Android just like any other policy managed app
- Android backups are prevented
- The policy managed app can transfer data to any other app managed by the policy
- The policy managed app can receive data from any other app, including unmanaged apps
- Save As is stopped
- Cut, Copy and Paste into the app is allowed from any app but blocked to apps not managed by the policy
- PIN is required with 5 attempts
- Corporate credentials aren’t required
- Device compliance with conditional access policy is required, with rechecks after 30 minutes and offline caching of 720 minutes
- App data is encrypted
- Screen capture is blocked
Save any changes by clicking Save Policy.
Step 3: Assign the MAM policy and deploy the app
The next step is to associate the policy to the app and then deploy it. Go back to the Software workspace, select Managed Software and OneDrive then click Manage Deployment… Now select the users that need the app. You can select All Users, or a user group; All Users is good in a lab. Then click Add and Next.
For Deployment Action, Android only gives us one option; Available Install, which places the app into the Company Portal for the user to select. Select Available Install and click Next.
Now, choose the App Management Policy created earlier and click Next. Android doesn’t allow us to give a per-app VPN so just click Finish.
Other managed apps are in the Google Play store:
- Intune Managed Browser – a web browser that lets you manage the actions that users can do, including the sites they can visit and how links to content within the browser are opened
- Intune PDF Viewer – Lets users view PDF files from Intune managed apps
- Intune AV Player – Lets users’ access audio and video content from Intune managed apps
- Intune Image Viewer – Lets users view images from Intune managed apps
- Microsoft Office Mobile
Today, not as many Office apps for Android are manageable as on the iOS platform. Android, while a great platform, isn’t as natively manageable as iOS at this stage (although Lollipop should change this, but isn’t widely available at time of writing).
Where can I learn more?
We’ll be covering more on MAM in the upcoming Microsoft Intune episode of the Enterprise Mobility Core Skills Jumpstart series. Also, take a look at this course on Microsoft Virtual Academy on Samsung KNOX management with Microsoft Intune, this free virtual Lab on TechNet and the following places in the Microsoft TechNet library: