Microsoft Intune+mobile Office apps = Greatness!

Microsoft Office: Word, PowerPoint, Outlook, Excel, OneNote, OneDrive, etc, who doesn’t know these applications? Most of you know the apps from a corporate point of view and I think it is safe to say the Office suite of products is the corporate standard. As we know, there is another world besides the laptop/desktop/Windows based one: the mobile devices world. And besides desktop/laptop vs mobile, we also have a corporate vs private world. To make it even more exciting, the mixture of all worlds is happening all around us.

Wouldn’t it be great to use the same productivity apps you are used to use among all these different devices? What maybe isn’t known to many people is the fact Microsoft has developed many apps for IOS and Android. You can use the complete Office suite on your mobile devices. Find the Microsoft apps on iTunes here. So, if you want to have the same experience on your mobile devices, or even on your Apple Macs as on your corporate device, you can. The Office Suite is developed for all platforms.

Great, users can have the same experience, on Windows, Mac and mobile devices. But when these mobile devices are used professionally, IT would like to manage at least the productivity apps. It is great you can access and consume corporate data by using the Office apps, but you would like to secure the data as well.

To do this security, other MDM/MAM (Mobile Device Management/Mobile Application Management) vendors have created their own productivity apps. Their own email clients and data clients which previews Microsoft Word, Excel and PowerPoint documents. Those apps are not what end users know and like. Also, it isn’t the core business of these MDM/MAM vendors to develop Office/productivity tools.

With Microsoft Intune, it is possible to let users use what they know and like and secure the Office apps in multiple ways:

  1. Traditionally, you can enrol your device in Intune and manage the device and the Office apps: MDM-MAM,
  2. It also is possible to use the apps and secure them without enrolment: MAM Only
  3. If you currently are using another MDM tool, you still can use #2 by using Intune for the MAM part.

Bullit 1 is pretty clear: you enrol the device and policies are being pushed regarding the device and apps, by using Intune. With #2 and #3, the application policies are being pushed after users sign in, within the office apps on IOS and Android, with their accounts in Microsoft Azure/Intune.




So, what can be configured using MDM-MAM or MAM only?

  1. You can allow/deny copy/past from the Office apps to other native apps,
  2. You could allow copy/paste from native apps to the Office apps,
  3. You can set a PIN on all apps for another level of security,
  4. You can specify that links need to open in the Managed Browser,
  5. You can prohibit “save as”, to prevent users to save a corporate document on another, unmanaged location.

With Intune and the Microsoft productivity apps, users use familiar apps for productivity, and which are built for that purpose and IT can secure access to and from these apps, and secure corporate data. Check out this Microsoft blog for more details and screen shots. Also, check out this website to see more apps that can be managed by Intune.

“The Dark Side of BYO”; Spot on! Solutions please!

Today I have been reading an interesting article about Bring Your Own Device. I loved the title; The Dark Side of BYOD and it covered Privacy, Personal Data Loss and Device seizure. Do read it for the complete story. It is spot on!!

The article covered what could happen to your personal device, like a phone or tablet when you also use it for work related activities. Companies will enforce ActiveSync policies like use of a password, remote wipe and lock. What happens when a relative doesn’t know the password and used the wrong password 3 times? Your phone could get wiped because of company policies. Your company data is sensitive so I do understand the policy. Most likely company data can be restored but what about your personal data like music and pictures?

Also, think about privacy. What when an investigation is going on at your company and they require your device? What about your personal data, bookmarks, music (legal/illegal), pictures of your family and also data around location tracking? Do you really want your company to know/see all that?

So, how do you handle “the dark side”? I have to say, this is keeping me busy. Is there a perfect way of handling BYOD and can you use this for all different devices? Perfect might not be the right word. User freedom/usability and security/privacy are competing and how strictly do you want to separate the personal and corporate side?

Let’s start with mobile devices; phones and tablets. I wrote and article about VMware Horizon Mobile a while ago. Still in beta but I do believe this is the solution for mobile devices. VMware Horizon Mobile is basically putting a corporate virtual Android phone on someone’s private Android phone.  IT only controls the vPhone and can only monitor what’s happening on there. Also, wiping the vPhone is the only wiping they can do. Privacy shouldn’t be an issue as well. Personal data and corporate data are separated and it should be possible to have separate billing of voice and data. Even without separate billing of voice and data, privacy should be covered in my opinion. The company being able to find out where you have been isn’t that big of a deal to me.

VMware Horizon Mobile is about Android but what about iPhones? I don’t have a answer on that. Maybe Horizon Mobile will become available for IOS as well. Maybe companies can provide specific, more intelligent applications, which they can manage individually instead of just wiping the complete phone. But then again, what about privacy? Just accept that part?

Another challenge are BYO-laptops. What solutions are there today to separate personal and corporate identity and secure privacy?

Of course, email is most likely accessible with an application and you can generate data when you want locally. You probably won’t have the remote wiping issue because I can’t see my company wiping my MacBook. But, it isn’t secure and also privacy can be an issue.  IT can’t set policies on my personal device. Also, there are applications, which for example don’t run on Mac OSX.

VMware Fusion and Workstation could be used. Everything will be separated perfectly but is that the way to go? I have to say, from a user perspective it works, at least for me. I have a MacBook Pro, which I use personally. I ran VMware Fusion and on Fusion I have my corporate vDesktop. The only downside it, that I use Windows as my corporate VM. It isn’t about Windows specifically but I can’t use the OS I’d prefer when I want complete separation. From a company perspective I can imagine this isn’t what they want. Companies give employees an amount of money for them to buy a personal device and on top of that companies need to develop, roll out and maintain vDesktops to remote devices. I can see a win for companies but is it significant enough?

What solutions are there when you leave Tier 2 solutions like Workstation and Fusion out of the picture? Yes, of course, VDI!! Complete separation, secure and privacy secure. But also in this case, Windows might not be the OS users want to use. Also, connectivity might be an issue. Offline desktop/Local Mode isn’t available for Mac devices.

Anything else, that might help? Well, Horizon App Manager might be the solution for BYO-laptops.  “Might be” because in-depth details are still unknown or not publically available. Also not all planned features are currently in Horizon App Manager. Horizon App Manager is a central user portal with strong identity management, which has different techniques to bring applications to end points. VDI might be a technique but also, ThinApp, XenApp, Terminal Service etc. On top of that policies can be set; which application will be available, when, on which devices, from which location. Integrate Octopus for data and this could be a secure solution for BYO.

It’s interesting to see, in my opinion that the security/privacy and data loss risk with BYO-mobile devices, currently is high for the user and not for the company but this is vice versa when you talk about BYO-laptops. Today, secure BYO is difficult to realize on mobile devices and laptops. It’s either, take that risk of wait for a complete solution.  I will try to be careful, separate as much as possible and use Cloud services as much as possible. Now it is time to stop thinking about it and wait patiently. Now, that’s a challenge.


User Virtualization in the Post PC-era?

Today I ran into an article which had an interesting quote;

 Persona Management isn’t mature enough yet, and VMware knows it, Dunkin’s Brennan said. The company probably added it just to “check the box”, but he speculated that VMware would get profile management up to speed by making an acquisition

We can have a discussion about the the first part in another article but especially the acquisition part caught my attention.

So, will VMware acquire another company to speed up its profile management? I think that is an interesting question. A different question but related to the first 1 could be; how important will User Virtualization be in, let’s say, 5 years? Yet another question; will you still need User Virtualization in 5 years?

First, let’s take 1 step back for a minute; Once upon a time, there were Windows PC’s and in Windows NT the profiling scheme was introduced. Then there were roaming profiles, mandatory profiles, default user profiles and Group Policies; all mechanisms to control the user, control and save their settings like printers/wallpaper, their permissions to shares and folders, what they are or aren’t allowed to do like accessing Control Panel. Also, store profiles centrally and users will have the same look and feel from any Windows PC. Separate the user from the Operating System.

Third party vendors like RTO, Appsense, RES and LiquidWare got into this space as well to fill gaps and add new features, moving on where standard Microsoft profiles and GPO’s stopped.

But, all the tools have 1 thing in common; Windows. That’s not a bad thing but it isn’t the only platform anymore to run applications. IOS/Android phones/tablets and Macs are out there in the enterprise, even privately owned ones. The world is changing and I believe it is the Post PC-era already.

Management will change. It has to change. Applications and data will be delivered to different devices in different ways; you access ThinApp apps via VMware View from your private Android Tab 1 moment. Next, you access a SaaS app on your corporate iPhone.

Instead of managing most things on a Windows level/device level, you have to take that management up a couple of levels. To me, that’s the user level. It will become more important who is allowed to access which application/data from what device and place. The underlying Operating System and device will become less important. Horizon App Manager will be that Universal Broker where you set those user based rules.

Don’t get me wrong, I believe Windows will be around for a long time as a platform to execute specific applications. But will that platform be considered to be big enough for VMware to invest in a Windows profile management tool? Again, interesting questions.

Fling; VMware Zimbra for Android

VMware Zimbra for Android (VZA) has been around for a while but it’s not known that well.  It is an email client for Android devices which supports Zimbra backends. At this moment the VZA is a “fling”; a client to test drive, officially not supported.

I have been using the VZA for a while now and I can say it’s a decent client. I find it easy to install and use. It gives me my work email, calendar, tasks and Briefcase. I have my corporate email and files available in 1 app. On top of that, I run the VZA on my Samsung Galaxy SII  and Galaxy Tab 10.1.

The VZA runs on Android 2.1 and above and the current version is 1.28. The app does require an ActiveSync enabled email client on your Android device (on most devices that’s the case). Also, because the VZA is available outside the Android Marketplace, you will need to enable your device to install applications from “unknown sources”.

You can download the client on More information is available on that site like comments and a video.

If your email environment is Zimbra and you have an Android device, go ahead, download the app and test it.