First published on CloudBlogs on Nov 03, 2014
A few weeks ago I wrote about the importance (and, for many vendors, the difficulty) of protecting at the app layer (via MAM in Intune). The first app that every organization wants to protect is e-mail and I wrote about Secure E-mail – using both Outlook and the native e-mail app that ships on a device.
What’s the next app that everyone wants to protect? The most common answer is the browser that is being used to access corporate data, websites, and the SaaS apps being used. When you think through the complete scenarios, you recognize that far more than just a browser is required; you need a set of apps that can all participate with the browser to deliver the experience the users expect. Apps like Microsoft Office editors/viewers, PDF viewers, image viewers, an AV player, etc.
Just like in e-mail, many organizations will want to separate the corporate content being accessed through a browser from the personal content or website the user accesses. The easiest way to provide this for end-users is to actually give them two browser apps – the default one they are accustomed to using for personal use, and then a browser that is expressly used for accessing corporate sites and data. In this setup, IT is able to apply policies to the corporate browser without ever touching the personal browser. There is both a corporate and personal benefit here: IT is able to protect the corporate data being accessed while staying away from the personal browser so that the user’s device privacy remains intact.
As noted in one of last week’s 2 big announcements, in the next few months the Intune Managed Browser and viewers will ship natively instrumented to be managed by Intune’s app management policies, and the Managed Browser will provide organizations with the ability to provide protection at the app layer for web content found in an intranet, on the internet, on SharePoint sites, or within SaaS applications.
The Intune browser is built using the platform framework, and it uses the same rendering engine as Safari for iOS and Google Chrome for Android. The value of a Managed Browser is huge, so, before I dive into the differentiations we’ve built into ours, I want to highlight a few scenarios where a Managed Browser is indispensable:
Scenario 1:
- An employee is going through her work e-mails in the iOS Outlook app when she gets a mail from a colleague with a link to a SharePoint doc about a new feature in an upcoming release. When she clicks on the link it opens the Word Online document in her default Safari browser. The new features are really impressive, and she is really excited about them – so excited, in fact, that she decides to post some of the text on Facebook to show her friends. This is a huge potential data leakage problem.
- Solution: IT Professionals need to be able to set policy so that internal corporate links will always open in the Managed Browser and where copy and paste can be managed and limited to corporate applications.
Scenario 2:
- One of your employees has lost his device. He was browsing corporate sites and the browser cached the history, data, and cookies. There is a lot of sensitive data (and links to data) inside this device.
- Solution: The IT admin needs a way to remove the corporate browsing history and browser cache with the touch of a button.
Scenario 3:
- A school district wants students using school-issued iPads to only access a few pre-defined, pre-approved websites.
- Solution: IT admins need a way to quickly and easily create policies that allow browsing on only specifically defined URLs.
- Allow/Block list of URLs
- Allow/Block Copy/Paste
- Allow/Block Screen Capture
- Allow/Block Print
- Prevent file backup to unauthorized locations
- Restrict sharing of data between applications, e.g. data can be shared only between Intune MAM enlightened applications – thus, any app can be “wrapped” and “enlightened.”
- Require a PIN for launching the app, e.g. the administrator can specify the PIN complexity and caching duration
- Require authentication using corporate credentials before launching the app
- Require compliance to device policies for launching the app, e.g. if the device is jailbroken, the application will not launch
- Enforce encryption of app data at rest
- Remote wipe of data (cookies, history, cache)
Browser User Experience:
I think users will really appreciate the intuitive user experience on Intune Managed Browser. It is very similar to the native browsers that users are already comfortable using (common features like a navigation bar, navigation arrows, and refresh button). The tabbed browsing allows multiple websites to be open in the same window and, by adding, editing and deleting bookmarks, you can manage shortcuts to key webpages.
Example of iOS Intune Browser:
This is a MAM-enabled Word document with an http URL. To start, select and click on “Open.”
The link opens in the Intune Managed Browser:
Clicking on the bookmarks icon displays any key sites you want to list:
Editing a bookmark is also simple:
So is deleting a bookmark:
It’s also simple to add or delete tabs:
As noted earlier, the controls from the browser are very familiar:
Blocking access to certain sites is also easy. If an IT admin has blocked a specific URL the user is trying to access, they’ll see this message:
IT admins can also block copying from the browser to an un-managed app. In the image below, you can see that the user can copy from the browser but he cannot paste it to the unmanaged Notes app because “Paste” is disabled in the options:
However, the user can paste it to a MAM enlightened Word app:
The Intune Managed Browser is another example of our “One Microsoft” approach in action for a secure productivity solution. The three big takeaways here:
- Microsoft Intune provides the Mobile Application Management (MAM) for the apps.
- Microsoft Office and the Intune browser apps are natively enabled to accept the MAM policies and work seamlessly together.
- Azure AD provides the authentication and single-sign-on for all the MAM enlightened apps.
Published Sep 08, 2018
Version 1.0
Brad Anderson
Security, Compliance, and Identity Blog