The updates Microsoft has made to its Intune PC and device management service this week are partly catching up to other MDM systems with features like containers for apps and files, a managed browser and bulk enrollment for iOS devices. But they also add unique options for managing Office apps on iOS and Android.
Intune now lets you set conditional access to Exchange Online and Office 365 (a feature that was already available to customers with Exchange 2013 on-site). "Before you let email or files flow onto a device, you can go check if it's managed by Intune and if it's compliant," senior director of product marketing Andrew Conway explained. "You can set up the compliance policy: you can require a 4-digit PIN, you can require a device that's not jail-broken or rooted."
If you have images, videos or PDF files you want to restrict, Intune now includes managed viewers for those on Android. If you want to make sure users keep work and personal browsing separate, you can set corporate websites and Web apps to open only in the new managed browser for iOS and Android, even if they're following a link sent to them in email.
But the most important new feature is the ability to manage the Office apps. "Unlike some of the other vendors in the industry where they have a very mobile device or settings-centric solution that really just encompasses device management and the BYOD trend, we're looking at this in a much more encompassing way. It's centered on empowering people to get their work down," said Conway. "It's about enabling to people to be productive. Managing the Office apps is our showpiece feature. No one else is able to do that."
With Office already available on iPad and in preview on Android, Intune lets you restrict cut, copy and paste in Word, PowerPoint and Excel so users can't copy information onto websites or into personal email, make sure that documents from corporate locations like OneDrive for business open in the Office apps rather than other views, and only allow documents to be saved in corporate locations, not on the device or in cloud services.
"Office remains the gold standard for productivity," claimed Conway. "You can't be asking your users to use a specific email app and different editors, different viewers. They don't want to be running home-spun email applications; they frankly don't want an email application from IT. They're either going to use the native experience on the device or they want Office. And when it comes to manipulating Word, Excel, PowerPoint files on the device, it's the same thing - they want to use Office."
This is similar to the MDM features Microsoft recently added to Office 365, which are actually powered by Intune and also give administrators the option to lock down the Office apps on devices. But with Intune you can set up conditional access for other apps and use the new containers to secure apps and files. "We are offering app wrapping with support for iOS and Android," Conway said. Companies can deploy line-of-business apps with Intune, which can be used to control what users can open, save and whether they can cut, copy or paste, Conway said.
You can also combine that with the device settings already in Intune and the new integration with the Apple Configurator. "You can do a lockdown on an iOS device using supervisor mode," Conway said. "You can set policy to turn an iPad into a kiosk that only runs one app; you can't rotate the screen, you can't change the volume. It literally just has the app on it."
One thing Intune doesn't have at this stage is management for Windows 10-specific security features, including the per-file encrypted containers for business documents. Microsoft has promised that Intune will be able to manage those features, but they aren't in the current technical preview. A preview version of System Center Configuration Manager to support Windows 10 and Windows Server vNext will be available in the first half of 2015 and that's a likely timescale for Intune support as well.