Intune: Protecting your data in the user’s device, not the device itself.

With the growing trend of employees bringing their own smartphones and tablets to work to access company email and other corporate data, IT faces the challenge of ensuring that this data is well protected. With Microsoft Intune, you can enroll the device into Mobile Device Management (MDM) to manage the complete device, but that might be too much overhead or too much complexity for your organization and its business needs. Microsoft Intune also has Mobile Application Management (MAM) capabilities that let you manage just the app and the corporate data inside it, while leaving the rest of the device untouched. This is known as "sandboxing" and provides a great experience not only for the end user but for IT as well. In this blog we'll explore how this works.

Note: I will not be discussing Intune MAM in depth. Please refer to the technical documentation for more information.

From my personal iOS device, I wish to access my company email. To do this, my company has instructed me to use the Outlook app, as it's the approved app, so I'll download it from the App Store:

I'll tap get started:


I'll type in my credentials:

Next, my company's sign-in page will be displayed and I will type in my password to finish the sign in process:

Upon signing in, I'm prompted that my organization is now protecting its data in this app and that I need to restart the app to continue.

When the app restarts, it looks like my company requires a passcode each time I open the app – so I'll create a new passcode now:

My mailbox will now be displayed:


If I wish to download an attachment and maybe save it locally, it looks like my company prevents me from doing that. Here I'll bring up the message for you to see:

Upon opening the attachment and tapping the share icon, there are no options to download it or open it with another app. My company wants its data to stay within the Outlook app:

Another example of how the app is locked down: it looks like I cannot copy and paste data out of the app and into another app. Here I'll try to copy data out of a sensitive email:

And then attempt to paste it into the Notes app. Notice the text that is pasted says "Your organization's data cannot be pasted here":


Now if I leave the company or get terminated, they can remotely remove any company data from the Outlook app. Here's an example: I went to launch the Outlook app and was presented with this error:

When I tap OK and relaunch Outlook, it looks like I have to sign in again and have no access to my mailbox:


Now let's step behind the scenes and into Intune to see how this capability is configured, starting with Intune Mobile Application Management. I'll begin by launching Intune Application Management in the Azure portal and selecting App Policy:

I'm going to click on the policy I created, then click Policy Settings. Here you can see the configuration I specified: I'm preventing iTunes and iCloud from backing up data in the app, not allowing data to transfer outbound or inbound to other apps, preventing Save As, requiring a passcode, etc.

Here's more of the policy:

As for user scope of the policy, I have it applied to a security group of MAM Users:

Clicking on Targeted Apps, it is only targeting the Outlook app (on iOS):

To remove just the company data from the app, I'm going to navigate to Wipe Requests and submit a new wipe request.

Note: If I had a personal email account in the Outlook app and my company email was also in the app, this wipe will ONLY remove the company email data. My personal email data will remain untouched.

Next I'll select the user and her device:

The wipe request will be sent to the device:
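As an added example (not code from this post, nor Microsoft's own tooling), here is the same iOS app protection policy expressed as a Microsoft Graph request body, with a small check that the settings actually keep org data inside the app. The beta endpoint path, the `targetApps` body shape, the `graph_post` helper and the policy display name are assumptions; the property names and the Outlook bundle ID are what I believe Graph uses.

```python
# Added example: build the iOS MAM policy from the post as a Graph request body.
import json
import urllib.request

# Assumption: MAM policy endpoints live under the beta Graph API.
GRAPH = "https://graph.microsoft.com/beta"
OUTLOOK_IOS_BUNDLE_ID = "com.microsoft.Office.Outlook"

def build_ios_policy(display_name="MAM - Outlook iOS"):
    """Mirror the portal settings from the post: no iTunes/iCloud backup, no data
    transfer to or from unmanaged apps, no Save As, passcode required."""
    return {
        "@odata.type": "#microsoft.graph.iosManagedAppProtection",
        "displayName": display_name,
        "dataBackupBlocked": True,
        "allowedInboundDataTransferSources": "managedApps",
        "allowedOutboundDataTransferDestinations": "managedApps",
        "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
        "saveAsBlocked": True,
        "pinRequired": True,
        "minimumPinLength": 4,
    }

def policy_gaps(policy):
    """Names of settings that would let org data leave the app; [] means contained."""
    gaps = []
    if not policy.get("dataBackupBlocked"):
        gaps.append("dataBackupBlocked")
    for key in ("allowedOutboundDataTransferDestinations",
                "allowedOutboundClipboardSharingLevel"):
        if policy.get(key, "allApps") == "allApps":  # unmanaged apps may receive data
            gaps.append(key)
    for key in ("saveAsBlocked", "pinRequired"):
        if not policy.get(key):
            gaps.append(key)
    return gaps

def target_apps_body(bundle_ids):
    """Body for POST .../iosManagedAppProtections/{id}/targetApps (assumed shape)."""
    return {"apps": [{"mobileAppIdentifier": {
        "@odata.type": "#microsoft.graph.iosMobileAppIdentifier", "bundleId": b}}
        for b in bundle_ids]}

def graph_post(token, path, body):
    """One authenticated POST to Graph (network call; not exercised by the test)."""
    req = urllib.request.Request(GRAPH + path, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Run `policy_gaps()` against a policy pulled back from Graph to spot a later edit that loosened clipboard or Save As controls.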


Conclusion: It's fairly easy to set up MAM for your end users. I encourage you to test this and see how it can enable new business outcomes for your organization. Enjoy!

Comments

  • Anonymous
    January 09, 2019
    It might be worth noting that the wipe command must be sent before the user's EMS license is removed & account disabled. Additionally - I believe you have to use the Graph API if you wish to automate it & tie it into an automated termination process - which we haven't done yet, but may be looking into.