Clarifying Mobile Application Management and the Associated Data Loss Prevention Capabilities
Published Sep 08 2018 08:15 AM
First published on CloudBlogs on Feb 19, 2016
One of the most common questions I hear from customers has to do with the different definitions of Mobile Application Management (MAM) and, specifically, the Data Loss Prevention (DLP) capabilities that MAM can deliver. As the market matures, and as these capabilities mature, I think now is a very good time to explain the different approaches to MAM and DLP.

Right now, the Enterprise Mobility Management (EMM) market is experiencing a period of significant turbulence – some of the early entrants are struggling to survive, and the market is beginning to consolidate. As this happens, it’s very important to understand the ins-and-outs of the different capabilities from various vendors, because this is one of the most important areas of any Enterprise Mobility strategy.

Here at Microsoft, when we make decisions about what we’ll build, we start with questions that focus on, "How do we deliver the best possible experience to end-users?" Our vision for Enterprise Mobility is straightforward:
“Empower users to be productive on the devices and apps they love and achieve more, while helping protect the company data and assets.”
It’s important to us that our vision starts with the end-user.  We recognize that users want and deserve that iconic experience on their mobile devices – and this is what enables them to achieve more.  We’ve worked very hard to strike a balance that both empowers end-users and protects company data.

What is Managed App Config?

Apple has done some great work in iOS to encourage application developers to build in management APIs that any MDM provider can integrate with to manage settings on their apps. This is a best practice that a number of ISVs have adopted, and it’s something that all the MDM providers support. It is up to the developers to determine what they want to expose for management – and, as a result, the settings vary significantly across the ISVs.

All of the MDM providers currently support these capabilities, and, as more apps are delivered that have App Config management built into them, we (the MDM providers) all expose those settings in our Admin consoles for the IT Professional to configure. Because we all support these capabilities, what each MDM provider delivers is consistent – without differentiation. This is a baseline capability customers should demand. But App Config is only a subset of what is needed.

App Config is Not Enough

There are a couple of significant limitations with App Config that you need to be aware of (and that you need to plan for) if you want to deliver the iconic work environment for your users and protect your company’s data.

First of all, there are a handful of apps that users regularly use in their personal life as well as in their business life. This list is small, but these apps are the most important set of apps used in most organizations. These are apps like Adobe Acrobat, the Office mobile apps, and the browser. On a regular basis an employee will use Excel at work tracking a budget or sales, and then, at night, use Excel to track their little league soccer team or PTA budget. With this variety of uses in mind, we had to figure out a way to help guide the user to protect the company data when corporate docs are open, but stay out of those docs when the user has a personal document open. In other words: The apps have to be multi-user aware (more on this here, here, and here). When an app is managed via App Config, it becomes a corporate app and should not be used in the user's personal life – it is not multi-user aware. This approach secures corporate data, but at the expense of user empowerment. In our customer research, this has been deemed unacceptable by both organizations and users.

Second, when a developer instruments their app to have the clipboard managed through App Config, each app has its own clipboard. What this means is that the users of these apps can no longer share data across apps via cut/copy/paste. For example: If we instrumented Word, Excel, PowerPoint, Outlook, etc. to be managed through App Config with the clipboard controls enabled, users could no longer cut/copy/paste across the Office mobile apps. Once again, this limitation on functionality is considered unacceptable by our organizations and end users. This is another important example of protecting company data at the expense of user empowerment.

Third, we are increasingly hearing from customers that, in BYO scenarios, they want to focus their efforts on managing and securing their corporate apps and data without taking over a user's device. Think of this as MAM without device enrollment or, said another way, MAM without MDM. We released these capabilities in EMS in November, and, as of this week, all the Office mobile apps (with the exception of Yammer) can run in a MAM only or MAM/MDM environment. This is a huge win for EMS users: We know that users get (justifiably) uneasy when IT takes over their personal devices, and we know that there are privacy concerns that organizations are beginning to grapple with in the BYO scenario. This is the solution. Considering that App Config requires the device be MDM managed, I believe most organizations will find themselves using a combination of MDM/MAM-managed and MAM-managed devices going forward. Currently App Config does not enable this. This is, again, an important example of protecting company data at the expense of user empowerment, experience, and privacy.

Delivering User Empowerment and Data Protection

With the Enterprise Mobility Suite and Office 365, we deliver both User Empowerment and Data Protection – and we deliver this iconic work experience for users. We fully support App Config with EMS so that any app in the App Config ecosystem is automatically supported. This is the case for all the EMM providers.

On top of this baseline, we then add the capabilities that App Config does not have – functionality that brings all the user empowerment, in addition to data protection. We do this through the EMS/Intune MAM SDK that is embedded into the mobile apps. This SDK has been embedded into Word, Excel, PowerPoint, Outlook, Skype for Business, OneNote, OneDrive for Business, Remote Desktop, PowerBI, Dynamics, Box, SAP, Adobe Acrobat, and some of the Citrix apps like Sharefile. To these apps we’ve added multi-user, the ability to share data across the apps, and the ability to manage these apps without having to take over the user's device. We've also expanded the app ecosystem that App Config supports to all of these apps. You can read more about the work we’ve done with these supported apps here:

It’s All About the Apps

When making decisions about the solutions and partners you'll choose to enable Enterprise Mobility for your organization, it's important that you really dig into the details and look at the solutions from the perspectives of data protection and user empowerment.

One piece of advice: As you're defining your Enterprise Mobility strategy, list out the apps that your users will be using. As you list these apps, you'll find that there are tiers of apps. There will be a top tier of apps that are the most important – those that will be the most used and most likely to contain sensitive and confidential information. Once you have this tiered list of apps, look at the EMM providers and ask who can manage those apps in a way that is both empowering and secure. This is where you will find that Microsoft with EMS has, by far, the largest ecosystem of apps that can be deeply managed. EMS manages the apps that really matter.

When I’m meeting with customers I often ask them, “What % of the documents used inside your organization are Microsoft Office?” The response ranges from 70% to 99%. When you are looking at MAM solutions, what really matters are the apps in the ecosystem. It really is all about the Apps!!!

And, speaking of apps, with EMS we have also now integrated with more than 2,600 SaaS apps to bring them under management. With these 2,600+ SaaS apps your users get a fantastic SSO experience, as well as automated user provisioning for a number of them. All the core SaaS apps your organization is already using are in this list, e.g. Workday, SalesForce, Box, etc.

Partnering with Microsoft for your EMM strategy provides you with the baseline ecosystem that App Config enables – and then your capabilities are amplified with the Office mobile apps and the growing list of partners that are embedding the Intune SDK. This is the ecosystem that you want. This is the ecosystem that both empowers users and protects company data.

