Blog Post

Security, Compliance, and Identity Blog
4 MIN READ

Integrating Windows 10 Identity Innovations with EMS & SCCM

Brad Anderson's avatar
Brad Anderson
Iron Contributor
Sep 08, 2018
First published on CloudBlogs on May 22, 2015
Yesterday, Alex Simons had a great post that’s part of a series he’s doing on the innovations and enhancements in Identity (both Active Directory and Azure Active Directory) for Windows 10. In this post I’ll outline the work we are doing in the Enterprise Mobility Suite (EMS), as well as System Center Configuration Manager (SCCM) to integrate the identity innovations in Windows 10 – and how this work extends many of those identity innovations to iOS and Android. Alex’s latest post covered the multi-user capabilities of Windows 10, and, with these innovations, you can have a single Windows 10 login session that both a personal (Microsoft Account - MSA) and corporate (AD or AAD) account can be associated with. There has been a lot of work done in Windows 10 to make Windows 10 multi-user enabled. This work is industry-leading in terms of making the OS be multi-user aware within the same login session. Alex’s blog shows how you can easily add an MSA to an existing corporate device as well as add an AAD account to a personal device. This concept of enabling multiple users on a device (and, specifically, multiple user identities within the same login session) is something we have heard that you want on all your devices. This request has come up most often from customers that have been using the Office mobile apps on iOS and Android. One of the unique capabilities of the combined O365/EMS and Office 2013/EMS is the ability to apply data leakage protection (DLP) policies to the Office apps. EMS enables the DLP polices to be set such as where users can save documents, how cut/copy/paste work, as well as the open-in functionality on iOS. No other EMM solution can set these DLP polices . The question that has most often come up has been: “Hey, my users use the Office applications in both their personal and corporate lives. I need the DLP polices to protect the corporate data, but I would also like to enable users to use the Office mobile apps on these devices for their personal use where the DLP policies would not be applied.

Here is what we are doing to make the apps that need to be used in both personal and corporate lives multi-user aware:

There are a handful of apps that people want to use in both personal and business contexts. The browser is certainly one, and the Office mobile apps (Word, Excel, Powerpoint, and Outlook) also top the list. We have made huge investments in the EMS/Intune MAM capabilities to enable “multi-identity” usage in a single app. During the day, you may be using Excel to create, edit, or view corporate content such as sales forecasts or costs. The company wants to protect sensitive data like this and it wants to apply policies about where the user can save this corporate content to (as well as wanting to prevent this data from being copied and pasted into a personal app). At home, this same individual may be using Excel to create, edit, or view details about the budget for the PTA, or for a little league team they are coaching. In this case, the DLP policies should not apply and, in fact, IT should not even be aware of how the app is being used in the individual’s personal life. Here are some screen shots of the multi-user capabilities of EMS/Intune in the upcoming Outlook apps . To begin, a user copies text from a corporate e-mail: When that user attempts to paste that content into a corporate-managed Word file, it works perfectly. When the user tries to paste it into a personal app (Twitter, in this example), the paste option is not available – the data is being contained and protected: Inside of Outlook, the user is able to toggle between inboxes. When in the business or corporate context, all the DLP rules are applied. In the personal context, IT is not involved at all – we believe that this elimination of IT’s connection to personal data is how it should be. Later this quarter, you will see the EMS/Intune MAM “multi-identity” capabilities first released on iOS and Android in the Microsoft Outlook app. As the Outlook app is updated in the iOS and Android stores, it will be multi-user aware and it will enable these DLP capabilities while in the “corporate” context – while enabling IT to stay clear of anything in the personal context. I think the approach the EMS and Office teams came up with here (where it is a single app that understands the multi-user, multi-identity needs of apps like the Office apps) was a clever and great way to deliver this. Over the next few months, you will see these capabilities integrated with all the Office mobile apps as they are updated. Later this year, you’ll see the multi-user and DLP capabilities that are being delivered as a native part of Windows 10. With Windows 10, because the MDM capability is built directly into the platform, device enrollment into Microsoft Intune is a natural extension of the way that you associate your corporate identity with your devices. Microsoft Intune provides great support for all of the new capabilities of Windows 10 that your IT department needs to keep your devices up to date, keep you productive, and keep corporate assets always protected. Over the next few weeks, we’ll have additional posts detailing our multi-identity support, including the experience for Microsoft Outlook. We’re excited to release “multi-identity” to further improve both your ability to protect corporate data and to empower your end users.  Keep your feedback coming – we love hearing what you need and your experiences with our MAM solution!
Published Sep 08, 2018
Version 1.0
No CommentsBe the first to comment