First published on CloudBlogs on Nov, 03 2014
A few weeks ago I wrote about the importance (and, for many vendors, the difficulty) of protecting at the app layer (via MAM in Intune). The first app that every organization wants to protect is e-mail and I wrote about Secure E-mail – using both Outlook and the native e-mail app that ships on a device. What’s the next app that everyone wants to protect? The most common answer is the browser that is being used to access corporate data, websites, and the SaaS apps being used. When you think through the complete scenarios, you recognize that far more than just a browser is required; you need a set of apps that can all participate with the browser to deliver the experience the users expect. Apps like Microsoft Office editors/viewers, PDF viewers, image viewers, an AV player, etc. Just like in e-mail, many organizations will want to separate the corporate content being accessed through a browser from the personal content or website the user accesses. The easiest way to provide this for end-users is to actually give them two browser apps – the default one they are accustomed to using for personal use, and then a browser that is expressly used for accessing corporate sites and data. In this setup, IT is able to apply policies to the corporate browser without ever touching the personal browser. There is both a corporate and personal benefit here: IT is able to protect the corporate data being accessed while staying away from the personal browser so that the user’s device privacy remains intact. As noted in one of last week’s 2 big announcements , in the next few months the Intune Managed Browser and viewers will ship natively instrumented to be managed by Intune’s app management policies, and the Managed Browser will provide organizations with the ability to provide protection at the app layer for web content found in an intranet, on the internet, on SharePoint sites, or within SaaS applications. The Intune browser is built using the platform framework, and it uses the same rendering engine as Safari for iOS and Google Chrome for Android. The value of a Managed Browser is huge, so, before I dive into the differentiations we’ve built into ours, I want to highlight a few scenarios where a Managed Browser is indispensable:

Scenario 1:

• An employee is going through her work e-mails in the iOS Outlook app when she gets a mail from a colleague with a link to a SharePoint doc about a new feature in an upcoming release. When she clicks on the link it opens the Word Online document in her default Safari browser. The new features are really impressive, and she is really excited about them – so excited, in fact, that she decides to post some of the text on Facebook to show her friends. This is a huge potential data leakage problem.
• Solution: IT Professionals need to be able to set policy so that internal corporate links will always open in the Managed Browser and where copy and paste can be managed and limited to corporate applications.

Scenario 2:

• One of your employees has lost his device. He was browsing corporate sites and the browser cached the history, data, and cookies. There is a lot of sensitive data (and links to data) inside this device.
• Solution: The IT admin needs a way to remove the corporate browsing history and browser cache with the touch of a button.

Scenario 3:

• A school district wants students using school-issued iPads to only access a few pre-defined, pre-approved websites.
• Solution: IT admins need a way to quickly and easily create policies that allow browsing on only specifically defined URLs.

The Managed Browser that we have built offers the needed solution for each of these scenarios – and many more. The importance of this Managed Browser is going to continue to grow. What I generally see within organizations today are employee-facing apps predominately written as web apps that can be accessed from devices. An increasing amount of corporate content is going to flow through the browser – and users are going to demand an experience that keeps pace. With this Managed Browser functionality, IT admins can be really proactive about the security of this easily overlooked part of the infrastructure. For example, admins can define and enforce browsing policies from the Intune admin console that not only enable managed browsing but also limit that browsing to pre-approved websites. To prevent data leakage as a result of browser-based activities, IT admins can also set the Intune MAM policies which specify that any attachments or URLs in MAM-enlightened apps can only be opened using the Managed Browser or viewers. IT admins can also set the app management policies on the browser for restricting data leakage and enforcement of any corporate data access requirements. The Managed Browser is an integral part of our data protection story. The complete package of Office Mobile apps + browser + viewer apps is perhaps the most unique value we are offering. This empowers the end-to-end secure email and collaboration story. The Microsoft Office mobile apps (Outlook, OneDrive, Word, PowerPoint, etc.), along with the Managed Browser and the viewer apps, will provide the most productive and most secure experience for end users across all of the mobile OS platforms. The list of policies supported by the Managed Browser is pretty impressive:

• Allow/Block list of URLs
• Allow/Block Copy/Paste
• Allow/Block Screen Capture
• Allow/Block Print
• Prevent file backup to unauthorized locations
• Restrict sharing of data between applications, e.g. data can be shared only between Intune MAM enlightened application – thus, any app can be “wrapped” and “enlightened.”
• Require a PIN for launching the app, e.g. the administrator can specify the PIN complexity and caching duration
• Require authentication using corporate credentials before launching the app
• Require compliance to device policies for launching the app, e.g. if the device is jail broken, the application will not launch
• Enforce encryption of app data at rest
• Remote wipe of data(cookies, history, cache)

These policies are delivered as an integrated security solution, and this gives the IT teams a tremendous amount of power. I’m talking about integration , configuration , UI , UX , and control features that are simply not available from other vendors and which dramatically differentiate the solution we’ve brought to market. For example, the exhaustive work we’ve done to integrate management and productivity is really impressive. The MAM-enlightened Office apps seamlessly work with the MAM-enlightened Intune browser and viewer apps to prevent data leakage throughout the workflow. Configuration of policies is simple. The IT admin can configure both the MAM policies and browser URL allow/deny policies in one convenient workflow within the Intune admin console. The allow/deny URL policies can also be used to provide kiosk mode-like solution. This simple, powerful UI empowers the IT team to configure only one URL domain – just like they allow for kiosk mode. Because the MAM-enlightened Intune browser is so functional and it’s UX so polished, it can be used as a standalone browser when the native browser is blocked. The browser URLs specified by the IT admin in the allow/block list accepts wildcards and this gives IT Admins greater control at a granular level. Now they can specify at sub domains or folders levels.

Browser User Experience:

I think users will really appreciate the intuitive user experience on Intune Managed Browser. It is very similar to the native browsers that users are already comfortable using (common features like a navigation bar, navigation arrows, and refresh button). The tabbed browsing allows multiple websites to be open in the same window and, by adding, editing and deleting bookmarks, you can manage shortcuts to key webpages.

Example of iOS Intune Browser:

This is a MAM-enabled Word document with an http URL. To start, select and click on “Open.” The link opens in the Intune Managed Browser: Clicking on the bookmarks icon displays any key sites you want to list: Editing a bookmark is also simple: So is deleting a bookmark: It’s also simple to add or delete tabs: As noted earlier, the controls from the browser are very familiar: Blocking access to certain sites is also easy. If an IT admin has blocked a specific URL the user is trying to access, they’ll see this message: IT admins can also block copying from the browser to an un-managed app. In the image below, you can see that the user can copy from the browser but he cannot paste it to the unmanaged Notes app because “Paste” is disabled in the options: However, the user can paste it to a MAM enlightened Word app: The Intune Managed Browser is another example of our “One Microsoft” approach in action for a secure productivity solution. The three big takeaways here:

• Microsoft Intune provides the Mobile Application Management (MAM) for the apps.
• Microsoft Office and the Intune browser apps are natively enabled to accept the MAM policies and work seamlessly together.
• Azure AD provides the authentication and single-sign-on for all the MAM enlightened apps.

The combination of Intune, AAD, and Office makes the Intune Managed Browser a superior option to any other functionality available anywhere else.