Part I: MobileIron and Microsoft Intune
Ojas Rege | May 02, 2018
Mobility is a Tier 1 service that requires Tier 1 security and reliability. If mobile goes down, your CEO knows right away. MobileIron is a best-in-class security and enablement platform for modern work. We establish a zone of trust around endpoints and clouds so everyone can work easily and effectively from anywhere. MobileIron integrates with Microsoft Intune App Protection to set additional security controls for Microsoft Office 365 apps. Intune is a complement, but not a security substitute, for MobileIron.
This three-part blog is my perspective on how MobileIron and Microsoft are better together, including our integration with Microsoft Intune. My opinions are based on publicly available and third-party data, customer and partner feedback, and ongoing analysis of Microsoft’s actions. Part I of this blog discusses how MobileIron and Microsoft Intune App Protection work together to secure Office 365 apps. Part II discusses the advantages of MobileIron over Intune as a unified endpoint management (UEM) solution. Part III describes the role of MobileIron and Microsoft in a broader enterprise strategy.
Most MobileIron customers are also Microsoft customers. Our mission is to be the secure foundation for modern work. That includes enabling our customers to quickly and securely deploy Office 365, as well as all the non-Microsoft services they use, across Apple, Google, and Microsoft operating systems.
What is Microsoft Intune?
Microsoft Intune has two main functions:
- Policy control for Office 365 apps
- Modern management for endpoints
Intune is sold by Microsoft as part of the Enterprise Mobility + Security and/or Microsoft 365 bundles. It can be bought standalone as well, though I usually see it sold as part of one of the bundles. The MobileIron integration described in this part of the blog still requires the customer to have an Intune license, either standalone or as part of a bundle.
How does policy control work for Office 365 mobile apps?
Intune has an SDK that an application developer integrates into a client app on Android or iOS. The SDK adds a set of security controls (Intune App Protection Policies) to the app, such as limiting where the app can save its data or restricting copy/paste. Because the SDK enforces these controls from inside the app, they apply only to apps that have integrated it. This creates a Microsoft “container” on the device, which can itself sit inside other containers. A “container” is simply a set of controls that protect data in the apps inside it and prevent that data from leaking to apps outside it. Not every vendor likes to use the word “container” for this concept, but it is a good visualization of how such policies work.
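To make the “container” concrete, here is an added example (my illustration, not code from MobileIron or Microsoft) in Python. It builds an iOS App Protection policy body in the shape Microsoft Graph accepts for `iosManagedAppProtection`, then audits it for settings that would let Office data leak to unmanaged apps, or that would let the policy run without an enrolled, compliant device. The property names follow the Graph resource; the display names, bundle IDs, PIN threshold and the rule set are assumptions chosen for illustration.

```python
"""Audit Intune App Protection (MAM) policy bodies, as exposed through Microsoft Graph,
for settings that let Office data leak out of the Microsoft container.

Added example, not MobileIron or Microsoft code. Property names are those of the
Microsoft Graph iosManagedAppProtection resource; the sample policies, bundle IDs
and thresholds are constructed for illustration.
"""
from __future__ import annotations

import json

MIN_PIN_LENGTH = 6  # assumed organisational baseline, not a Graph default

# Assumed bundle IDs of two Office apps the policy would target.
OFFICE_IOS_BUNDLES = ["com.microsoft.Office.Outlook", "com.microsoft.Office.Word"]

# Data-transfer and clipboard values that keep data inside managed apps.
SAFE_TRANSFER = {"managedApps", "none"}
SAFE_CLIPBOARD = {"managedApps", "managedAppsWithPasteIn", "blocked"}


def ios_app_protection_policy(display_name: str, hardened: bool = True) -> dict:
    """Request body for POST /deviceAppManagement/iosManagedAppProtections.

    hardened=False reproduces the kind of permissive policy the audit should flag.
    """
    def pick(safe, weak):
        return safe if hardened else weak

    return {
        "@odata.type": "#microsoft.graph.iosManagedAppProtection",
        "displayName": display_name,
        # Where app data may go: only other managed apps, or anywhere.
        "allowedOutboundDataTransferDestinations": pick("managedApps", "allApps"),
        "allowedInboundDataTransferSources": pick("managedApps", "allApps"),
        # Copy out only to managed apps (paste in from anywhere), or fully open.
        "allowedOutboundClipboardSharingLevel": pick("managedAppsWithPasteIn", "allApps"),
        "saveAsBlocked": pick(True, False),
        "dataBackupBlocked": pick(True, False),
        "pinRequired": True,
        "pinCharacterSet": "numeric",
        "minimumPinLength": pick(MIN_PIN_LENGTH, 4),
        # True ties the app policy to an enrolled, compliant device (layered model);
        # False is the "MAM-only" mode discussed later in the post.
        "deviceComplianceRequired": pick(True, False),
    }


def target_apps_body(bundle_ids: list[str]) -> dict:
    """Body for POST .../iosManagedAppProtections/{id}/targetApps, attaching the apps."""
    return {
        "apps": [
            {"mobileAppIdentifier": {
                "@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
                "bundleId": bundle_id}}
            for bundle_id in bundle_ids
        ]
    }


def audit_app_protection_policy(policy: dict) -> list[str]:
    """Return human-readable findings; an empty list means no weak settings found."""
    findings: list[str] = []
    get = policy.get

    if get("allowedOutboundDataTransferDestinations") not in SAFE_TRANSFER:
        findings.append("outbound data transfer allowed to unmanaged apps")
    if get("allowedInboundDataTransferSources") not in SAFE_TRANSFER:
        findings.append("inbound data transfer allowed from unmanaged apps")
    if get("allowedOutboundClipboardSharingLevel") not in SAFE_CLIPBOARD:
        findings.append("clipboard contents can be pasted into unmanaged apps")
    if not get("saveAsBlocked", False):
        findings.append("Save As to personal locations is not blocked")
    if not get("dataBackupBlocked", False):
        findings.append("app data may be backed up outside the container")
    if not get("pinRequired", False):
        findings.append("no app PIN required")
    elif get("minimumPinLength", 0) < MIN_PIN_LENGTH:
        findings.append(f"app PIN shorter than {MIN_PIN_LENGTH} characters")
    if not get("deviceComplianceRequired", False):
        findings.append("MAM-only: no device enrollment or compliance required")
    return findings


if __name__ == "__main__":
    for name, hardened in (("Office-weak", False), ("Office-hardened", True)):
        body = ios_app_protection_policy(name, hardened)
        print(name, audit_app_protection_policy(body) or "OK")
    print(json.dumps(target_apps_body(OFFICE_IOS_BUNDLES), indent=2))
```

Running the audit against exported policy JSON is a useful check before trusting a container: the two transfer settings and the clipboard level are the ones that most often silently undo the containment the paragraph above describes, and `deviceComplianceRequired` is what stops the policy from being satisfied on an unenrolled device.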
What apps are supported by these policies?
There are currently 20+ Microsoft mobile apps supported. There are a handful of third-party, non-Microsoft apps supported as well. Third-party developers must integrate the Intune SDK to leverage these controls, and most developers are moving away from vendor-specific SDKs toward native app security controls in Android and iOS. As a result, though these policies could be used with non-Microsoft apps, the primary use case in MobileIron customers will be for Microsoft’s own mobile apps.
How does the MobileIron integration work?
You can now set these policies through the MobileIron console. In the past, they could only be set through the Intune console. MobileIron already supports several other containers, such as native Android enterprise, native iOS, proprietary MobileIron (AppConnect), and proprietary Samsung (Knox Workspace). “Microsoft Intune App Protection” is another proprietary container we now support. After the administrator sets the app policies in MobileIron, those policy settings are communicated from MobileIron, through Microsoft Graph, to the Intune service in Azure, which then configures the Microsoft apps on the device.
How do I secure Office 365 with MobileIron?
Here are the steps you would take to secure Office 365:
1. Enroll the Android or iOS device in MobileIron so that you can enforce encryption, protect data on the device, and provision business services for the end user.
2. Deploy Office apps as managed apps through MobileIron so that they exist in the native work container on the device. This also lets you delete those apps, and their data, from the device.
3. Set native security controls through MobileIron to prevent managed apps from sharing data with personal apps. This prevents unintended data loss.
4. Set Intune App Protection policies through MobileIron for an additional layer of security control for the Office apps.
5. Use MobileIron Access to block untrusted devices and apps from accessing Office 365 cloud services.
6. Use MobileIron Threat Defense to detect and remediate ongoing attacks and vulnerabilities for apps, devices, and networks.
See the “Securing Office 365 with MobileIron” white paper here for more details.
Are Office 365 apps secure without the Intune policies?
Yes. MobileIron can secure Office 365 apps without the Intune policies. Only step 4 above requires these policies. However, these policies add additional security functionality that I expect to be useful for many of our customers.
Why do I need MobileIron to set the Intune policies? Can I just use the Intune console directly?
It’s easier for the administrator to have a unified console (MobileIron) through which to manage all mobile policies.
Can I use the policies in a “MAM-only” mode without enrolling the device?
You can, but you will put your data at risk. “MAM-only” refers to only protecting data at the application level (“mobile application management”). In this case, that means only protecting the Microsoft container. But the Microsoft container can’t protect the thousands of non-Microsoft apps, like Salesforce1, that companies deploy. And standalone containers can be vulnerable to device and network exploits. We always recommend a layered security model in which you first enroll the device in MobileIron so that you can enforce OS-level protections like native encryption, passwords, native app containment, and app deletion. You then layer on additional app protections through MobileIron, as described above.
Can I use MobileIron AppConnect to secure Office 365 apps?
No. The Office 365 apps don’t use the MobileIron AppConnect SDK or wrapper.
Why did Microsoft build proprietary APIs for Office apps instead of using native standards like AppConfig?
I believe it is to maintain control. Strategically, Microsoft wants the full control plane for Office apps to be in Azure, and the native standards from Apple and Google don’t require Azure. AppConfig (www.appconfig.org) is an industry-wide community of EMM/UEM vendors and application developers that promotes the native app security frameworks of Apple and Google as a better long-term alternative to vendor-specific SDKs. Because Microsoft is the only major UEM or application provider that is not a member of the community, I expect most app controls Microsoft builds in the future will continue to be exposed through proprietary APIs instead of as native app configurations. That being said, there are some controls in Office apps today, such as securing multi-identity access, that can be set through native methods.
Is MobileIron committed to working with Microsoft?
MobileIron is highly committed to working closely with Microsoft to make Microsoft services incredibly successful for our mutual customers. I believe that opening up the Intune App Protection policies through Microsoft Graph indicates an expanding focus on partnership within Microsoft as well.
Please read Part II of this series, “Choosing between MobileIron and Microsoft Intune for UEM.”
Any information concerning products and services other than MobileIron’s comes from public and third-party sources. Although we believe it to be accurate, we have not independently verified it and we cannot guarantee its accuracy.