Solving Office 365’s multi-identity crisis on Android

Enterprises that choose Microsoft Office 365 as their preferred suite of productivity apps often face a two-fold security challenge. Not only do they have to secure the enterprise version of Office 365, they may also have to prevent an employee’s personal version of Office 365 from accessing business data on mobile devices enabled for work. In my previous post, I explained how to securely enable multi-identity Office 365 apps on iOS. Now let’s look at how MobileIron secures Office 365 apps on Android.

Challenge: Prevent data transfer between managed and unmanaged apps

Clear separation of business and personal data on devices used for work is essential to ensuring enterprises can protect critical data and employee privacy. This requires the ability to prevent work applications from transferring data to personal applications, such as a personal version of Office 365.

Solution: Deploy Android enterprise

Built directly into Android 5.1 devices and above, Android enterprise has an extensive framework to support flexible, privacy focused, and secure deployment options for both employee-owned and company-owned devices. For devices that are used for both personal and work tasks, MobileIron can create a second encrypted work profile on the device. This limits sharing between the work profile and the device, including contacts and data, to ensure nothing can enter or leave the work profile without explicit consent. For more details on Android deployments, download our most recent white paper, “Android is ready for the enterprise.”

Challenge: Secure multi-identity Office 365 apps

When deploying apps with Android enterprise, any app managed by MobileIron will be configured in the work profile and marked with a work badge. If the app already exists in the personal profile, a second work copy of the same app will be created and badged. This allows an enterprise to clearly separate work and personal profiles while preserving the native device experience users expect.   

However, the challenge is that Microsoft Office 365 apps also support a multi-identity option, which allows a user to have multiple accounts within the same app. As a result, a misconfigured Android deployment may allow the user to add their personal Office 365 account into their Office 365 work app.

Solution: Deploy managed app configuration for Office 365 apps

Android enterprise has supported managed app configurations since Android Lollipop. This configuration allows an administrator to remotely configure and populate app settings for applications deployed into the work profile. Managed app configurations follow a standardized format, do not require proprietary SDKs or app wrappers, and are made available directly in the Google Play store.

Microsoft has recently published a new managed app configuration, called allowed accounts, for some of their apps. Since Android can support multiple profiles natively in the OS, enterprises need full control of accounts allowed in the work profile. The allowed accounts configuration enables an administrator to specify which account(s) can login to an app. This ensures that only specified accounts can sign in. This video offers a more detailed view of how allowed accounts work:




Note that allowed accounts is not currently available for all enterprise applications. Below is a list of Microsoft applications that we tested to check availability for allowed accounts. For apps that have No as a value, users are still able to sign in with their own accounts.


Microsoft App

Allowed Accounts App Config



Azure Information Protection














Power BI






Skype for Business






*App has the configuration, but did not prevent sign-ins

Challenge: Apply data loss prevention (DLP) controls for work apps

Many enterprises have clear requirements for limiting work data from being transferred to personal applications. Some of the most common requirements for enterprises include:

  • Restrict cut/copy/paste controls from work to personal apps.
  • Prevent screenshots in work apps.
  • Require a PIN when opening work apps.

Solution: Use Android’s built-in DLP controls

For Android devices 5.0 and above, admins can block users from taking screenshots with managed apps. For Android devices 6.0 and above, cross-profile data management is supported with Android enterprise. This means administrators can restrict users from pasting data and text from their work apps into their personal apps. Android 7.0 devices and above can also setup a configurable PIN when accessing work applications. The PIN can be more stringent than their device PIN. Most importantly, all of these capabilities are supported for any application, not just Microsoft, that is deployed in the Android work profile.

Challenge: Apply supplemental controls for Office 365 apps  

Although Microsoft leverages some managed app configurations and Android has many built-in security controls, Microsoft decided to build some additional proprietary configuration controls that are specific to Office 365 apps. These proprietary supplemental controls, known as Intune app protection policies, offer an extra application security layer for Android and iOS. The most common challenge is restricting “save as” to specified document repositories inside of Microsoft apps.

Solution: Use MobileIron to apply Office 365 supplemental controls  

MobileIron can manage Intune app protection policies through a single unified console, which greatly simplifies configuration and deployment. By adding Intune app protection policies to the long list of container solutions that we support, including Android enterprise, Samsung Knox, iOS, Windows Information Protection, and our own AppConnect solution, MobileIron continues to give customers the flexibility they need to meet business requirements.

*Special thanks to Christian Jucker from Novartis for pointing me to this new managed app configuration. We truly have some of the best customers in the industry that continue to embrace the future of modern work.