The Office suite of applications is an essential set of tools for many businesses. With the growth of mobile devices in the workplace, it is also essential to secure these applications everywhere.
What users expect from devices and applications is constantly changing. In turn, IT organizations must adapt to user requests for access to work applications and workflows. Administrators need to ensure that teams are productive on both mobile and desktop, wherever they are, while trying to secure all that data.
To secure business information on mobile devices, IT teams often use management platforms such as mobile device management (MDM) or unified endpoint management (UEM). However, end users are often hesitant to give up control of their devices, and many worry about how much control a company has over them. To give employees the freedom they want on their devices while still protecting Office applications and data, organizations should consider mobile application management (MAM) tools.
What is MAM?
MAM is typically a capability of an MDM or UEM product. Standalone products that provide MAM features also exist, but these are often not sufficient for complete mobility management, so organizations lean toward full MDM and UEM tools.
IT uses MAM to secure the applications and data on a device without having to enroll it with a device management platform. Microsoft Endpoint Manager offers MAM capabilities, as do other UEMs such as VMware Workspace ONE. However, to apply specific protection policies to Office apps, Microsoft's Intune tool is required. Organizations using Office 365 can subscribe to Intune, which is part of Microsoft Endpoint Manager, at an additional cost.
MAM uses app protection policies to configure applications for both unenrolled and fully managed user devices. Organizations often use MAM for personal or BYOD devices, where users want to access corporate data without having to enroll in their company’s device management platform. Users can download applications directly from the Apple App Store or Google Play Store and authenticate in the application with their company credentials. The applications will embed specific in-app security configurations. MAM protection policies may include the following:
- block or allow data backup to iCloud (iOS only);
- block or allow the import of company data into other managed or unmanaged applications;
- restrict cutting, copying and pasting between other applications;
- block or allow third-party keyboards;
- enforce application encryption;
- configure pin and credential requirements that users must meet to access managed apps;
- set device- and app-level block actions; and
- set actions for conditions such as jailbroken devices, maximum PIN attempts, and offline grace periods.
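The settings in the list above are what an app protection policy actually carries. The script below is an added example, not code from the article or from Microsoft: it lints a policy exported in the Microsoft Graph JSON shape against those settings and produces a hardened copy. The property names follow the Graph `iosManagedAppProtection` resource as documented; the sample policy values and the numeric thresholds (PIN retries, offline periods) are constructed for the example and stand in for whatever an organization decides on.

```python
"""Lint an Intune app protection policy (Microsoft Graph JSON shape) for weak
settings and build a hardened copy.

Added example. Property names follow the Graph iosManagedAppProtection resource;
the sample policy below and the thresholds in CHECKS are constructed values."""
import copy
import json
import re

# Constructed sample: a permissive draft policy for Office apps on BYOD iOS devices.
PERMISSIVE_POLICY = json.loads("""
{
  "@odata.type": "#microsoft.graph.iosManagedAppProtection",
  "displayName": "Office apps - BYOD (draft)",
  "dataBackupBlocked": false,
  "allowedOutboundDataTransferDestinations": "allApps",
  "allowedInboundDataTransferSources": "allApps",
  "allowedOutboundClipboardSharingLevel": "allApps",
  "thirdPartyKeyboardsBlocked": false,
  "appDataEncryptionType": "useDeviceSettings",
  "pinRequired": false,
  "maximumPinRetries": 10,
  "periodOfflineBeforeAccessCheck": "PT168H",
  "periodOfflineBeforeWipeIsEnforced": "P90D",
  "deviceComplianceRequired": false
}
""")

_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")


def iso_duration_hours(value):
    """Convert an ISO 8601 duration such as 'P90D', 'PT12H' or 'P1DT12H' to hours."""
    match = _DURATION.match(value)
    if not match:
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes = (int(x) if x else 0 for x in match.groups())
    return days * 24 + hours + minutes / 60


# (property, predicate that is True when the value is acceptable, recommended value,
#  risk when weak). The thresholds (5 retries, 24 h, 30 days) are assumed values.
CHECKS = [
    ("dataBackupBlocked", lambda v: v is True, True,
     "corporate data can be copied into iCloud backups"),
    ("allowedOutboundDataTransferDestinations", lambda v: v in ("managedApps", "none"),
     "managedApps", "data can be sent to unmanaged apps"),
    ("allowedInboundDataTransferSources", lambda v: v in ("managedApps", "none"),
     "managedApps", "unmanaged apps can push data into Office apps"),
    ("allowedOutboundClipboardSharingLevel",
     lambda v: v in ("managedApps", "managedAppsWithPasteIn", "blocked"),
     "managedAppsWithPasteIn", "cut/copy/paste leaks data to personal apps"),
    ("thirdPartyKeyboardsBlocked", lambda v: v is True, True,
     "third-party keyboards can capture typed corporate content"),
    ("appDataEncryptionType", lambda v: v != "useDeviceSettings", "whenDeviceLocked",
     "app data encryption depends on device settings instead of being enforced"),
    ("pinRequired", lambda v: v is True, True,
     "no app PIN is required to open managed apps"),
    ("maximumPinRetries", lambda v: isinstance(v, int) and v <= 5, 5,
     "too many PIN attempts before the configured action fires"),
    ("periodOfflineBeforeAccessCheck", lambda v: iso_duration_hours(v) <= 24, "PT12H",
     "offline grace period before credentials are re-checked is too long"),
    ("periodOfflineBeforeWipeIsEnforced", lambda v: iso_duration_hours(v) <= 30 * 24, "P30D",
     "a device that stays offline keeps corporate data too long before a wipe"),
    ("deviceComplianceRequired", lambda v: v is True, True,
     "jailbroken/rooted or non-compliant devices are not blocked (assumed mapping)"),
]


def evaluate_policy(policy):
    """Return one finding per weak or missing setting; an empty list means the policy passes."""
    findings = []
    for prop, acceptable, recommended, risk in CHECKS:
        if prop not in policy:
            findings.append({"property": prop, "current": None,
                             "recommended": recommended, "risk": risk + " (setting missing)"})
            continue
        try:
            ok = acceptable(policy[prop])
        except (TypeError, ValueError):
            ok = False  # unparsable value is treated as weak, never as a pass
        if not ok:
            findings.append({"property": prop, "current": policy[prop],
                             "recommended": recommended, "risk": risk})
    return findings


def harden_policy(policy):
    """Return a copy of the policy with every checked setting at its recommended value."""
    hardened = copy.deepcopy(policy)
    for prop, _acceptable, recommended, _risk in CHECKS:
        hardened[prop] = recommended
    return hardened


if __name__ == "__main__":
    for f in evaluate_policy(PERMISSIVE_POLICY):
        print(f"{f['property']}: {f['current']!r} -> {f['recommended']!r}  ({f['risk']})")
    print(json.dumps(harden_policy(PERMISSIVE_POLICY), indent=2))
```

Run against the constructed draft, every check fails; the hardened copy is the same policy with the data-transfer, clipboard, backup, keyboard, encryption, PIN and offline-period settings at the values the check expects. The ISO 8601 parsing matters because Graph stores the offline periods as durations, not minutes, and a policy with a malformed duration is reported as weak rather than silently passing.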
Platforms such as Intune support the following MAM scenarios, and other MDMs that support MAM are similar:
- Fully enrolled, or corporate-owned, personally enabled (COPE). IT manages both at the device level and at the application level.
- Not managed by MDM, or BYOD. IT manages only the applications on the device.
- Managed by a third-party MDM. IT can apply Microsoft app protection policies while using a different MDM for full control and additional device-level security configurations.
App protection policies require users to have an Azure Active Directory account and the appropriate Microsoft 365 licenses, which must include a Microsoft Enterprise Mobility + Security license. In addition, app protection policies only work with Microsoft Office mobile applications or with applications that are integrated with the Intune SDK or packaged by the Intune App Wrapping Tool. Microsoft maintains a list of applications that meet these requirements and are available for public use.
Set app protection policies for Office apps
To set app protection policies in Microsoft Intune, IT administrators can navigate to their Endpoint Management web console and select Apps > App protection policies > Create policy.
Clear data from Office applications with Microsoft Intune
In addition to restricting data access in MAM-managed applications, administrators can also remotely wipe a device or selectively wipe application data. A remote wipe is useful if a device is ever lost or stolen, or if the end user leaves the company. Because mobile devices are smaller and easier to lose than other endpoints, the remote wipe option is particularly important. If a device falls into the hands of a malicious actor, administrators must remove all corporate data from it to prevent unauthorized access to sensitive information.
There are three different ways to wipe devices: full wipe, retire, or selective wipe. A full wipe removes all data and applications from the device and returns it to factory settings. This is the right method when administrators can no longer use a device, need to reset a device and reuse it for another purpose, or want to ensure no data is left on a missing device. Retire, on the other hand, is a better option for a BYOD environment. This type of wipe leaves the user's personal data in place, removes only corporate data from certain applications, and removes the device from MDM management.
Both users and administrators can issue remote commands from MDM portals, such as the Intune Company Portal, to managed devices. This is ideal for self-service for users who want to take back control of their devices and experience.
To initiate a full wipe or retirement in Intune, do the following:
- Sign in to the Microsoft Endpoint Manager portal.
- Select Devices.
- Select the device you want to wipe.
- At the top of the screen, select Wipe or Retire.
Admins can also apply wipe and retire commands to multiple devices at once. This is often referred to as bulk or group actions. To apply a bulk device action, select Devices > All Devices > Bulk Device Actions.
Selective wipe is another method well suited to BYOD. This type of wipe allows administrators to remove MDM policies and managed applications from the device, leaving personal applications and data intact. Follow these steps to initiate a selective wipe for devices or users in Intune:
- Sign in to the Microsoft Endpoint Manager portal.
- Select Apps in the left column.
- Scroll down to the 'Other' section and select App selective wipe.
- Select the desired wipe request type (device-based or user-based).
- For a device-based selective wipe, select Wipe requests and follow the prompts to select the user and the data you want to remove. Then select Create wipe request.
- For a user-based selective wipe, select User-level wipe, which prompts you to select the user. Then select Create wipe request.
User Self-Service Requests
End users can also wipe, remove, and check the health and compliance of their own devices through the MDM portal applications. If an end user needs to remove or factory reset a device through Microsoft Intune self-service, administrators can direct the user to follow this process:
- Open the iOS or Android Intune Company Portal app.
- Select Devices at the bottom of the screen.
- Select the device you want to reset or remove.
- Select the ellipsis (...) icon.
- Select one of the following options, depending on the action you want to perform:
  - Remove device
  - Check status
  - Factory reset