Eric Kraus


Microsoft BYOD and Mobile Device Management

LOTS of recent announcements on Microsoft's mobile device management strategy are worthy of an aggregated post.

EMM Game-Changing Announcement #1


Intune-managed Office mobile apps that enable your workforce to securely access corporate information using the apps they know and love while preventing data leakage. This is achieved by managing/restricting actions such as copy/cut/paste/save-as and interaction/”open in” between apps in your managed app ecosystem.

Mobile Application Management for iOS and Android devices that enables you to keep corporate apps and content separate from users’ personal apps and data. This feature empowers IT to apply policy to the corporate content while staying clear of the user’s personal content. Microsoft is building containers for Windows devices that will be released as a part of Windows 10, and we have worked to drive consistent APIs across the containers being delivered across Windows, iOS, and Android devices.

App wrapping capabilities that help secure your existing line-of-business applications and integrate them into your managed app ecosystem without further development or code changes. Using the Intune wrapper your line-of-business applications will be able to participate in the same managed app ecosystem as the Office mobile apps and securely share content and data with those Office mobile apps. No wrapper from any other EMM vendor can do this.

Managed browser, PDF viewer, AV player, and Image viewer apps for Intune that allow users to securely view content on their devices within the managed app ecosystem.

Grant conditional access to corporate resources, including access to Exchange e-mail and OneDrive for Business documents. This access is based on device enrollment and compliance policies set by the administrator. This is also something that no other EMM solution can deliver.

Bulk enrollment of devices using Apple Configurator or a service account, simplifying administration and enabling policies and applications to be deployed at scale.


EMM Game-Changing Announcement #2


Device Settings Management

Exchange administrators can define configuration policies that are applied to Windows, iOS and Android devices and regularly review compliance reports for all the devices accessing corporate e-mail. There are more than 100 additional settings that can be configured over and above EAS.

  • Advanced passcode/pin settings
  • Device encryption
  • Jailbreak detection

Conditional Access to Office 365 Data

Exchange administrators can define and apply conditional access policies for access to Exchange Online and SharePoint Online. Corporate e-mail and file sync do not flow to the mobile device unless the requirements in the conditional access policy are met. If for any reason the device becomes non-compliant, e-mail and file sync are stopped until the device is compliant once again. This significantly increases the level of protection of corporate data on mobile devices.

Selective Wipe of Office 365 Data

If a mobile device is lost or stolen, or if an individual leaves the organization, IT professionals can wipe the Office 365 corporate data from devices while keeping any personal data intact.

Integrated Administration within Office 365

Exchange administrators can set policies directly from within the Office 365 administration portal via an easy-to-use interface with wizard-based setup. Office 365 administrators will see a rich device compliance dashboard that shows exactly which devices are being managed and the settings that have been applied, as well as which devices are and are not compliant.


Introducing built-in mobile device management for Office 365


These new MDM capabilities, set to roll out in the first quarter of 2015, will help you manage access to Office 365 data across a diverse range of phones and tablets, including iOS, Android and Windows Phone devices, so you can:

Help secure and manage corporate resources—Apply security policies on devices that connect to Office 365 to ensure that Office 365 corporate email and documents are synchronized only on phones and tablets that are managed by your company.

Apply mobile device settings—Set and manage security policies such as device level pin lock and jailbreak detection on devices to help prevent unauthorized users from accessing corporate email and data when a device is lost or stolen.

Perform a selective wipe of Office 365 data—Remove Office 365 corporate data from a device when an employee leaves your organization, while leaving their personal data, photos and apps intact.

Preserve Office 365 productivity experience—Unlike third-party MDM solutions that have replaced productivity apps with restrictive all-in-one apps for corporate email, calendars and documents, MDM for Office 365 is built directly into the productivity apps your employees know and love. You can set access policies to help secure company data while keeping employees productive.

Manage policies with ease—Administer mobile device policies directly from within the Office 365 administration portal, through an easy to use interface with wizard-based set up. View reports on which devices are connected to Office 365 and identify devices that have been blocked due to non-compliance.
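As an added illustration (not code from Microsoft or from this post), the following Python models the compliance gate that the two announcements above describe: a device posture report is checked against the passcode, encryption and jailbreak rules, Exchange and SharePoint sync are enabled only while the device is compliant, and a selective wipe removes only the corporate items. The policy values, class names and sample device contents are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    """Constructed policy covering the three settings listed above."""
    min_passcode_len: int = 6
    require_encryption: bool = True
    block_jailbroken: bool = True

@dataclass
class Posture:
    """One compliance report from a device (constructed sample shape)."""
    passcode_len: int
    encrypted: bool
    jailbroken: bool

@dataclass
class Device:
    device_id: str
    # item -> "corp" (Office 365 content) or "personal"; constructed sample data
    data: dict = field(default_factory=dict)
    access: dict = field(default_factory=lambda: {"exchange": False, "sharepoint": False})

def evaluate(policy: Policy, posture: Posture) -> list:
    """Return every violated rule; an empty list means the device is compliant."""
    reasons = []
    if posture.passcode_len < policy.min_passcode_len:
        reasons.append(f"passcode shorter than {policy.min_passcode_len}")
    if policy.require_encryption and not posture.encrypted:
        reasons.append("device not encrypted")
    if policy.block_jailbroken and posture.jailbroken:
        reasons.append("jailbreak detected")
    return reasons

def apply_conditional_access(device: Device, policy: Policy, posture: Posture) -> dict:
    """Re-run on every posture report: mail and file sync flow only while compliant,
    and a later non-compliant report switches them off until the device is fixed."""
    reasons = evaluate(policy, posture)
    compliant = not reasons
    device.access = {"exchange": compliant, "sharepoint": compliant}
    return {"compliant": compliant, "reasons": reasons, **device.access}

def selective_wipe(device: Device) -> list:
    """Lost device or departing employee: drop only corporate items and revoke
    access, leaving personal data untouched. Returns the removed item names."""
    removed = sorted(k for k, scope in device.data.items() if scope == "corp")
    for k in removed:
        del device.data[k]
    device.access = {"exchange": False, "sharepoint": False}
    return removed
```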

BYOD has nothing to do with devices

Ok, so maybe "nothing" is a bit of a stretch, but here is a different take on the traditional “how do we manage devices?” challenge.

Let’s start with a baseline understanding of what we do. A fairly neutral definition of IT is to provide organizations with access to information and tools that enable employees to make informed and timely decisions in the most efficient way possible, all at a justifiable cost. Fair enough? At the end of the day, employee productivity is about the creation and consumption of information and the decisions that surround it. In most cases, devices such as phones, tablets and PCs are just tools that give us the ability to create and interact with that information in order to make decisions for the better of the business. That information is built from data generated in emails, meeting notes, reports, etc. So, in summary, it should be fair to say that day-to-day business is all about data.

What’s the real problem?

Now to define the problem. How do you define a BYOD (“Bring Your Own Device”) effort? Is it an initiative to eliminate the cost of issuing employee devices? Is it allowing users to bring in any device from home with the premise that it is used for enhancing their productivity (making better/faster decisions)? Is it something ‘we have to do’ to appeal to a new generation of workforce? Or, is it simply, “all of the above” with a subtext, “how do we safely manage those devices?” Here lies the problem with any of those definitions: If the fundamental goal is to figure out how to manage all of today and tomorrow’s devices, it’s a losing proposition. Innovation is too great, and technology changes in a moment’s time. Besides, at the end of the day, how does that device ‘management’ help the business with access to their data?

Rarely in BYOD discussions do I spend a significant amount of time talking about data. Typically conversations are around MDM/MAM/phone/OS strategy, etc. Rather, I see a need to change the conversation to “Data Management Strategy”: a focus on securing the data first and then offering a tiered approach to device management based on the end-user experience desired (more on this later). In the end, a data-first strategy lowers the risk of accidental intellectual property loss in a manner that is device agnostic and leaves room to scale.

A lesson from the music industry 

Take, for example, digital rights managed (DRM) music. As a music lover, you want unlimited access to music. So you enter into a ‘contract’ with a company that licenses music (let’s say Xbox Music). In return for your monthly fee, a certificate is granted to you and the world of music is available to you. All of the music that you download can be played across multiple devices (tablets, phones, etc.) online or offline. The music file is what is managed, not the device, nor the album art, playlists, etc. Upon termination of the agreement, the certificate is removed from your device and access to play the music is revoked. The powerful benefit of this model is that Xbox Music knows very little about your machine, therefore ‘wiping’ the device of all music isn’t required…the files just become unusable.

Is it foolproof? Like any system, it’s not 100% foolproof. The system is not designed to be perfect, but rather to protect against easy ways to exploit it…mostly accidental loss and some intentional. Anyone seeking to be malicious will probably succeed.

Build an ‘experience matrix’

In the world of security, user experience is usually inversely proportional to protection. The more secure you want to make a system, the worse the experience gets for the user (think two-factor authentication). If organizations can protect their data first, managing devices becomes more of an experience discussion, and security is determined by the level of experience desired. Microsoft (internally) offers a rich BYOD experience. MSIT has accomplished this by enabling employees with tools to protect the data first. A clear policy and mandatory training ensure employees understand how to secure the data. Then, MSIT publishes a support/management matrix for a wide category of devices. The matrix includes what experiences are enabled and what level of management is required to obtain that experience.

Recommendations for a Data Management (BYOD) Strategy

  • Data classification. Protecting IP is important, but spending a million dollars over a year-long project to protect the holiday party catering menu is not efficient. One size doesn’t fit all.
  • Develop a matrix of experiences you want to offer with the devices you will support. This exercise is as much about deciding what you will and won’t support as it is about clearly documenting it so users can make sense of it.
  • Build change into the strategy. One thing is for certain: by the time you implement a strategy, it will have new requirements. Build the strategy with agility in mind and answer questions like:
    • What if iPads were no longer supported tomorrow?
    • What if WiFi is no longer free wherever you go?
    • Is the strategy flexible enough to support these and other situations?

Consumerization of IT at Microsoft

At Microsoft, we have been supporting “Consumerization of IT” long before it was a hot industry trend. Our internal IT department (MSIT) has always had a strategic goal of enabling the workforce and not inhibiting it. Employees are empowered to use devices that increase their productivity, including devices running Windows and even devices running non-Windows software.

However, Microsoft sees Consumerization of IT as more than just devices. Here are a few additional challenges MSIT frequently evaluates:

  • Devices (Phones, Tablets, Slates, Netbooks, etc.)
  • Identity (Corporate, Live, OpenID, etc.)
  • Social Media
    - Internal (OfficeTalk, //mysites, SharePoint, Lync, etc.)
    - External (Facebook, Twitter, Skype, blogs, etc.)
  • Cloud Services (SkyDrive, LiveMesh, Google+, Mozy, etc.)
  • Application and Media Marketplace (Zune, iTunes, Amazon)
  • Rich Media (YouTube, Hulu, Netflix, etc.)

With consumerization planning, organizations need to weigh Business Value against Risk Mitigation.


Business Value at Microsoft

Hardware – Microsoft has a three-tier model for classifying user hardware: MSIT standard, MSIT-supported consumer, and self-hosted consumer devices.

Support – The global helpdesk is tiered much like hardware is. Standard hardware has full support from MSIT, whereas supported consumer products are supported by an offsite third party.  Self-hosted devices have no MSIT support.

Mobile – Microsoft recognizes the EAS (Exchange ActiveSync) logo certification process in determining which devices should be allowed to connect.  Line-of-business applications are supported and identity is handled through an intranet portal.

External Sites – Microsoft supports social media and encourages employees to use sites appropriately through regular training and awareness.  Very few sites are blocked at Microsoft and employees are allowed to connect with other employees, partners and customers through these mediums while at work.

Rich Media – Microsoft does not block rich media as it has become an effective way of distributing information.

Productivity – Enabling an Anywhere, Anytime, Any Device mindset allows users to be productive in new ways.

Risk Mitigation by MSIT

Data – Blurring the line between business and personal data is risky.  Microsoft invested a great deal of time defining policies around data security (within IT and within the user population).

Procurement – Based on the tiered model of support, the Procurement department prepares hardware from the standard list as it would normally.  In the case of supported consumer devices, MSIT may work with third-parties to purchase these devices.  Self-hosted devices are purchased by the end user.

Provisioning – Microsoft manages both standard and supported devices under tools such as System Center – Configuration Manager. At this time, consumer devices are unmanaged and are the sole responsibility of the end user.

Software – Some applications are known to be problematic (e.g. peer-to-peer sharing software). Those software packages are among the few that are blocked from running on managed devices.

Management – Both standard and supported devices are domain joined and are granted CorpNet (intranet) access. Self-hosted devices are not managed by MSIT. However, limited connectivity to CorpNet is available for these devices.

Support – Because all standard MSIT devices include a TPM chip, those devices, along with supported consumer devices that also have a TPM chip, are allowed to configure DirectAccess. Consumer devices that do not meet these requirements must connect through Exchange ActiveSync.

Training – Microsoft has developed training modules on effective use of public social media tools.  Microsoft employees are also required to participate in regular training around disclosures and confidentiality.


As a Microsoft employee, I am able to choose the right device to do my job most effectively. As a user, there is little thought I need to invest when it comes to how I connect a device to do my job. The experience is seamless. More than ever, Microsoft is making investments in supporting multiple platforms and heterogeneous environments, and in enabling users with a world-class software experience.