Chapter 16

Managing Mobile Applications

IN THIS CHAPTER

  • Tasting the different flavors of mobile application management
  • Advancing your MAM skills in Microsoft Intune
  • Seeing how end users experience the MAM policies

What do teen idol Justin Bieber, Japanese astronaut Aki Hoshide, and someone you know have in common? Hint: One regularly takes his shirt off when he does it, the other uses a robotic arm to do it, and another one uses an app to perfect it.

I think the last description there probably gave the answer away, but in case you didn’t guess it, all three above have taken selfies! The selfie has become such a global phenomenon that it has spawned an entire industry of selfie cameras, selfie sticks, and selfie apps that ensure your friend’s doe-eyed stare and messy hair make her look like she just woke up. And then there’s the totally amazing selfie taken by Aki Hoshide that gives you a glimpse of the sun, the Earth, and the infiniteness of outer space from the reflection of the astronaut’s spacesuit. It’s published by NASA at this link: https://apod.nasa.gov/apod/ap120918.html.

It may surprise you, but as someone managing a small business IT environment, a lot about selfies affects your work. Imagine telling someone whose smartphone has hundreds of selfies that have not yet been synced to online storage that you have to wipe the device — including the selfies — because you think the device is compromised. Or imagine telling your users that they must enroll their device for management and, when they do, they can no longer use their smartphone’s camera app. You could end up dealing with a mutiny or worse — a workplace where no one trusts you.

You don’t want to find yourself in any of those scenarios, so in this chapter, I show you how to win your users over by implementing mobile application management (MAM) policies with or without mobile device management (MDM). I review the out-of-the-box protection policies automatically enabled when you go through the setup configuration wizard in Chapter 5, and then dive deeper into configuring policies in the Device Management portal. The chapter concludes with a walkthrough of how an end user would experience MAM.

Laying the Groundwork for MAM

It always worries me when I see my adult son assembling furniture without reading the manual. I have this image of a bookshelf he put together coming apart suddenly because he put one screw in the wrong place. Fortunately, I’m quite handy, so when something he’s assembled breaks, I can figure out how to fix it.

As an IT admin, you may not have the same luxury as my son has. If you don’t configure your MAM policies right and articulate how they work, you’ll end up with unhappy end users who have no clue how to fix the mess you created.

Not all MAMs are created equal. A basic understanding of the technology and the different flavors of MAM that you can implement in Microsoft 365 Business is an ideal first step in figuring out which MAM is right for your organization.

Understanding app protection policies

In Chapter 15, I walk you through the process of configuring device compliance policies, so you can manage non-compliant devices enrolled in your organization’s MDM. The idea is that you set the rules your users should abide by; if they don’t, there are consequences.

In mobile application management (MAM), you still must configure policies, but the policies are set at the app level and are appropriately called app protection policies. When these policies are implemented, they serve as guardrails to protect end users — and ultimately the company — from data leakage and exposure to breaches.

When end users perform non-compliant actions on the app, the policies will simply not allow the action to happen. For example, suppose you have an app policy that prohibits a user from saving a work document in a cloud storage other than OneDrive for Business. If a user attempts to save a document in Dropbox, the app protection policy will not save the document in Dropbox and the mobile device will display a warning notification, as shown in Figure 16-1.


FIGURE 16-1: MAM policy prohibiting users from saving files in personal locations.

App protection policies are driven by the identity of the end user, not the device. As such, you can protect company data in managed apps without needing a user to enroll devices into MDM. The policies do not affect the end user’s personal data because the policy is applied only to company data.

To illustrate the differences and similarities of MAM and MDM, consider the following scenario. Sarah, the millennial social media manager, has an Android smartphone she uses to access company data and resources. She takes the phone with her wherever she goes so she can work anytime, anywhere. Sarah’s Android phone is enrolled in MDM, giving the IT admin the ability to push the latest apps to Sarah’s phone without touching the device. On top of MDM, the IT admin also applied MAM policies on Sarah’s smartphone so that she won’t accidentally cut and paste company data into her personal Twitter account.

At home, Sarah has an old iPad she uses to watch Netflix. When she gets bored watching a movie, she scans through work emails. For this device, the Outlook app running on the iPad is managed through MAM. The iPad does not need to be enrolled in MDM because Sarah doesn’t regularly use it for work (and besides, the operating system running on the device is too old to be supported by MDM).

Different ways to do MAM

In Microsoft 365 Business, you’re not stuck with just one way of implementing MAM. You can configure app protection policies that can be applied for different scenarios as follows:

  • MAM for devices owned by the company and enrolled in MDM using Microsoft Intune
  • MAM for devices owned by the company and enrolled in MDM using a third-party solution
  • MAM for devices owned by the employee and enrolled in MDM using Microsoft Intune
  • MAM for devices owned by the employee and not enrolled in MDM using Microsoft Intune

In this chapter, we focus only on the scenarios configured in Microsoft Intune, which is included in the Microsoft 365 Business license.

Remember that MAM has no dependency on MDM. You can protect apps on a mobile device even if that device isn’t managed. However, implementing MAM on top of MDM has its advantages. As illustrated in Sarah’s first scenario in the preceding section, the app protection policies on Sarah’s enrolled device give the added protection of preventing her from cutting and pasting content from managed company apps into her personal apps.

Reviewing the Default App Policies

The few mouse clicks you take when you go through the Setup wizard in Chapter 5 to set up Microsoft 365 Business create a few app protection policies in your tenant. Although those policies are created without you even thinking about it, the underlying configuration in Microsoft Intune for those policies is involved. That’s the gift Microsoft 365 Business gives you. The solution has given valuable time back to the IT admin by taking the guesswork out of configuring the basic policy settings applicable to SMBs.

Application policy for Windows 10

A Microsoft 365 Business license entitles a user to upgrade a Windows 10 Pro device to Windows 10 Business as part of the setup process when connecting the device to Azure Active Directory.

Separately, in setting up the Microsoft 365 tenant, a few device and app policies are created during the Setup wizard process. These policies are captured in Microsoft Intune.

Between Azure Active Directory, which manages the user’s identity, and Microsoft Intune, which manages the policies, you end up with a robust set of out-of-the-box policies. Two of those policies are application policies targeted for Windows 10 devices, as shown in the last two policies in Figure 16-2.


FIGURE 16-2: Policies created during Setup wizard process.

Although the last two application policies look similar, one is designed for personal devices and the other is designed for company-owned devices. The former will protect company data on personal devices that are not managed in Microsoft Intune. The latter protects data on company-owned devices that are managed in Microsoft Intune.

Both policies have the same settings. In the following steps, you look at the policy for company-owned devices:

  1. Navigate to https://admin.microsoft.com and log in with global admin credentials.
  2. From the left navigation, under Devices, select Policies.

    The Device policies page appears.

  3. Click the second Application Policy for Windows 10 entry.

    The Edit policy pane is displayed, as shown in Figure 16-3.


FIGURE 16-3: Application policy for Windows 10 settings.

In the Edit Policy pane, note that Restrict Copying of Company Data is set to On. You also see a list of apps in which files created by using the apps are protected.

The technology that distinguishes between personal data and company data on Windows devices is called Windows Information Protection (WIP). With this technology, an IT admin can safely wipe company data from devices without touching an end user’s personal data.

Application policy for iOS

The out-of-the-box application policy for iOS in Microsoft 365 Admin Center is an easy way for an IT admin to get started implementing application policies for iOS devices. With this policy, end users do not need to enroll their devices for management. For some employees, this approach gives them a higher degree of confidence that they still control their devices and the personal data on the devices, such as their selfies.

You can view the application policy for iOS in Microsoft 365 Admin Center. In the left menu, under the Devices Group, click Policies to display the screen shown in Figure 16-4.


FIGURE 16-4: Accessing the application policy for iOS.

Clicking Application Management for iOS opens the Edit policy pane, which displays the settings that you can change to suit your needs. In Figure 16-5, for Groups Applied To, I edited the group from All Users to MDM Pilot Group because I want to test the policy first before I roll it out to all the users.


FIGURE 16-5: Editing the application policy for iOS.

Let’s test this policy on an iPhone 7 to see what the end user experiences:

  1. From the Edit policy pane (refer to Figure 16-5), click Edit next to Office Documents Access Control.
  2. Click Manage How Users Access Office Files on Mobile Devices to expand the policy and view the settings.
  3. Ensure that the Don’t Allow Users to Copy Content from Office Apps into Personal Apps toggle is set to On, and then click the Cancel button to retain the setting.

    If the toggle switch is set to Off, set it to On and then click the Save button to save your settings.

  4. Back in the Edit policy pane, click the Close button to return to the Device Policies page.

Let’s say I downloaded the Outlook app from the App Store to an iPhone 7. I then set up my company email in Outlook following the setup instructions when I run the app. After my work email is configured in Outlook, I see an email that seems interesting, and I want to cut and paste the contents of that email into my Notes app. I start selecting the text in the email, as shown in Figure 16-6, left. I tap the Copy button.


FIGURE 16-6: Copying a block of text from an email in the Outlook mobile app.

I then run the Notes app on my iPhone and compose a new note. I tap inside the new note and the Paste menu appears, as shown in Figure 16-6, center.

When I tap the Paste button, the app protection policy is applied, and instead of the copied text, I see a message saying “Your organization data cannot be pasted here,” as shown in Figure 16-6, right.

An application policy for Android is also preconfigured in the Device Policies page of Microsoft 365 Admin Center. The settings are the same as the application policies for iOS. I encourage you to explore the settings and test the functionalities to find the configuration that meets your organization’s needs.
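The two refusals shown in this section (the blocked Save As to Dropbox in Figure 16-1 and the blocked paste into Notes in Figure 16-6) are both outcomes of one app protection policy. As an added example that is not part of the book, the following Python expresses such an iOS policy as the Microsoft Graph managedAppProtection payload and evaluates those two actions against it; the Graph property names and enum values are Microsoft’s, while the bundle IDs, endpoint constant and evaluation helpers are assumptions for illustration.

```python
# Added example (not from the book). Graph property names and enum values are
# Microsoft's managedAppProtection schema; everything else is assumed.

# Assumed Graph beta endpoint the payload would be POSTed to (needs a token
# with DeviceManagementApps.ReadWrite.All); no request is made here.
GRAPH_IOS_MAM_URL = "https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections"

# Bundle IDs assumed for illustration; these are the "managed" apps.
MANAGED_BUNDLE_IDS = ["com.microsoft.Office.Excel", "com.microsoft.Office.Outlook"]


def build_ios_policy() -> dict:
    """Policy equivalent to the 'Don't allow users to copy content from Office
    apps into personal apps' toggle plus Save As limited to OneDrive for Business."""
    return {
        "@odata.type": "#microsoft.graph.iosManagedAppProtection",
        "displayName": "Application Management for iOS",
        # Company data may leave a managed app only for another managed app.
        "allowedOutboundDataTransferDestinations": "managedApps",
        "allowedOutboundClipboardSharingLevel": "managedApps",
        # Block Save As except to the listed services.
        "saveAsBlocked": True,
        "allowedDataStorageLocations": ["oneDriveForBusiness"],
        "apps": [
            {"mobileAppIdentifier": {
                "@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
                "bundleId": bundle_id}}
            for bundle_id in MANAGED_BUNDLE_IDS
        ],
    }


def managed_bundle_ids(policy: dict) -> set:
    return {a["mobileAppIdentifier"]["bundleId"] for a in policy["apps"]}


def paste_allowed(policy: dict, source_bundle: str, dest_bundle: str) -> bool:
    """Outbound clipboard check: may text copied in source_bundle be pasted into
    dest_bundle? Only company data (copied from a managed app) is governed."""
    managed = managed_bundle_ids(policy)
    if source_bundle not in managed:
        return True  # personal data: MAM does not intervene
    level = policy["allowedOutboundClipboardSharingLevel"]
    if level == "allApps":
        return True
    if level == "blocked":
        return False
    return dest_bundle in managed  # "managedApps" / "managedAppsWithPasteIn"


def save_as_allowed(policy: dict, location: str) -> bool:
    """Save As check: a location passes only if it is an allowed storage service."""
    return (not policy["saveAsBlocked"]) or location in policy["allowedDataStorageLocations"]
```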

Going Beyond the Basics

In Chapter 15, you went through the process of configuring MDM policies and walked through enrolling an iPhone 7 through the Company Portal app. Picking up from where you left off at the end of that chapter, you’ll add the Microsoft Excel app to the Company Portal app.

Adding an app to the Company Portal app

After you finish with the following steps, the Excel app will be available as a managed app. Managed apps are easy for end users to install, and IT admins can manage the app from Intune or Microsoft Admin Center.

To add the Excel app to the Company Portal app, follow these steps:

  1. Navigate to https://devicemanagement.microsoft.com and log in with your global admin credentials.
  2. In the left menu, click Client Apps.
  3. In the Client Apps blade, under the Manage group, click Apps (see Figure 16-7).

    Note that I have already added a few apps in the Company Portal app.

  4. Click the + Add button in the top navigation.
  5. In the Add App blade, click the box under App Type, and select iOS.
  6. Below Search the App Store, click Select App.
  7. In the Search the App Store blade’s search box, enter Excel and press Enter.
  8. In the search results, click the Microsoft Excel icon (see Figure 16-8), and then click the Select button at the bottom.
  9. Back in the Add App blade, click the Add button at the bottom.

    The system saves the changes and closes the Add App blade.

  10. In the Microsoft Excel blade that appears, under the Manage group, click Assignments, and then click the Add Group button on the right.
  11. In the Add Group blade, under Assignment Type, click Select Assignment Type, and then select Available with or without Enrollment.
  12. Click Included Groups.
  13. In the Assign blade that appears, select Yes next to Make This App Available to All Users, Regardless of Whether Their Devices Are Enrolled in Intune.
  14. Under Selected groups, click Select Groups to Include, select the appropriate group from the Select Groups blade, and then click the Select button.
  15. Back in the Assign blade, click the OK button.
  16. Back in the Add Group blade, click the OK button.
  17. Back in the Microsoft Excel — Assignments blade, click the Save button.

    The system saves the changes.

  18. Click Close (X) to go back to the Client Apps blade.

    Microsoft Excel appears in the list of apps that will be pushed to the Company Portal app for all iOS devices.


FIGURE 16-7: Displaying the Client Apps blade.


FIGURE 16-8: Adding the Excel app.

Downloading the Excel app from the Company Portal app

Now that the Excel app has been configured to be available in the Company Portal app for iOS devices, I’ll walk you through the end user’s experience when accessing the Excel app:

  1. From the same iOS device enrolled in MDM in Chapter 15, the user navigates to the Company Portal app.

    In the Home screen, the user sees the newly added Excel app, as shown in Figure 16-9, left.

  2. The user taps the Excel app icon, and then taps the Install button in the next screen.

    The user’s smartphone communicates with Intune, and Intune sends a notification to the phone about the app installation process and prompts the user to tap the Install button, as shown in Figure 16-9, right.

  3. The user taps the Install button.

    The Company Portal app starts downloading the Excel app to the user’s device.

  4. After the app has finished downloading, the user simply taps the Excel icon on the screen.

    The app runs without prompting the user to enter credentials.


FIGURE 16-9: The Excel app has been added to the Company Portal app.

From this point on, the same application policies you tested in the preceding section will apply to Excel data.
