
Security, Compliance, and Identity Blog

Success with Enterprise Mobility: Secure E-mail

Brad Anderson
Sep 08, 2018
First published on CloudBlogs on Sep, 12 2014
E-mail is one of the most critical applications for any organization. The amount of sensitive and confidential information that flows through e-mail is remarkable, and a company simply cannot operate at a high level without a mobile productivity strategy. Over the past few weeks I have been writing a lot about Mobile Device Management, Mobile Application Management, containers, Office, etc. In this post I will get really specific about the first app that every organization wants to enable for users on mobile devices: e-mail. Considering the volume of docs, data and files that flow through any given inbox, Secure E-mail is the first line of defense, and this is why it is the first app that every organization wants to both enable and protect. E-mail is (and has been) the “killer” app for Mobile Application Management (MAM).

To start, let’s consider a long view of the e-mail apps that I believe will be used in the enterprise over the long term. I believe the e-mail apps that are included in Windows, iOS, and Android (along with Outlook on all those platforms) will be the ones still in use in the long run. The e-mail apps in the OS keep getting better with each release, and the iOS 8 enhancements in e-mail and calendaring are a great example of this (check out my overview of Day Zero Intune support for iOS 8 here). Outlook is the standard in the enterprise for e-mail and calendaring, and, as the rich Outlook capabilities continue to be delivered on all the mobile platforms, it will remain one of the primary choices. So what does this mean if you are using an e-mail app from one of the EMM vendors (AirWatch, MobileIron, Good)? What I’m personally seeing across many industries is a shift among organizations to the inbox e-mail app and to Outlook.

If you really game this scenario out, the investments being made by Microsoft, Apple, and Google in the inbox e-mail apps (as well as the historical and current investments Microsoft is making in Outlook and all of the Office apps across Windows, iOS, and Android) are going to deliver a better and more feature-rich experience for your organization and for your users. My view is that if you are using one of the EMM vendors’ e-mail apps today, you will be migrating to the inbox app or to Outlook in the future. The work we’re doing to enable Secure E-mail is being done in both! Our job together is to ensure that corporate e-mail and all the attachments flowing through it are kept safe and secure, while delivering the end user the absolute best experience possible. In this blog I want to focus on both of these points.

Great Experience for the End-User

Most of your users have been using Outlook at work for years, and, in fact, are likely using Outlook on their PCs. As we continue to invest in Outlook across Windows, iOS, and Android, your users will continue to have (and expect) rich capabilities and a consistent experience across all their devices (I’ll talk a lot more about this in a future post). My team has prioritized the experience of our end users and is focused on delivering a simple, consistent, and rich experience across all the devices they love and use. Using Microsoft Office on all your devices, either with Outlook or the inbox e-mail application that comes with Windows, iOS, and Android, is going to deliver that premiere experience. This is what we’ll deliver this fall with Intune and Office.

When you think about e-mail, you really cannot think of just the e-mail app itself; you also need to think about the entire productivity solution that is needed. The strengths or weaknesses of that entire solution really come together in e-mail. For example, how many times during your workday do you open an attachment that has been sent to you? For me it’s at least 15 times a day. When you open the attachment you expect the document to open quickly, render properly, and be readily editable. To demonstrate just how good or bad the user experience can be, let’s look at the contrast between using Office and a 3rd-party Office editor. As noted in a previous post, included below is an end-to-end scenario for a typical end user, and I’ll point out a few things along the way. For demonstration purposes I’ll use an iPad for this walkthrough. Seen here is an iPad with the upcoming version of Office installed on it; the user deployed the applications from the Intune iPad Self Service Portal. To start the scenario the user goes into Outlook (in this case Mobile Outlook Web Access, or MOWA).

MOWA delivers a great experience with full caching, so it can run completely disconnected. Here you can see what MOWA looks like on an iPad; this functionality is already available today. With MOWA you have the capabilities you would expect from Outlook, and, as you can see, it has been optimized for the information architecture of an iPad while remaining distinctly Outlook. This gives the user that sought-after consistent experience across all their devices.

Here is where you’ll notice the first big difference. Have you ever opened an Office document on an iPad (or other device) and, once it finishes opening, the reader or editor that ships with that device and/or management solution presents an image like the one you see here? This situation is all too common. What you see in this image is the default iOS reader trying to render an Excel spreadsheet. It’s not exactly ideal when you’re in the middle of a meeting or trying to prepare for a discussion with your boss. The bad news is that results like this are very common with the editors and readers shipped by many of the MDM vendors. The good news is that when the iPad is running Excel, that same spreadsheet looks like this: there’s no other way to say it, it looks beautiful. Because this is “just Office,” the document is properly rendered and the user can start working immediately. Two differences have a big impact here. First, with Office + Intune, users will always have their Office documents rendered properly. Second, consistency: when a user who has been operating Excel on a PC for years opens Excel on an iPad, they’ll immediately notice that what they’re seeing is unmistakably Office. It has the look and feel of the Office they have been using (right down to the ribbon) while being optimized for touch.

One of the controls enabled in Office + Intune is the “Open In” capability of iOS. This lets IT express a policy that, whenever an Excel spreadsheet is opened, it should be opened “in” a specific app; in this case, always open Excel spreadsheets in Excel for iPad. The usability of Office + Intune also extends to the IT team. IT will be able to express policy regarding where users can save corporate documents from within Outlook, from the Office apps, and from any app that is wrapped with the app wrapper that will be released later this year as part of Intune. This allows IT to enforce a policy that corporate documents can only be saved to OneDrive for Business or SharePoint. IT is also well served by the fact that the Office apps will come policy-enabled so that IT can manage copy and paste of content between apps. A common use case is to allow copy and paste only between the applications participating in the corporate container. Office will come with these capabilities built in, and we will deliver a wrapper that IT can use to wrap any apps that need to participate in the same container as the Office apps.

For example, if I copy content from the spreadsheet and try to paste it into a personal app (one that is not wrapped), this is what happens. First, the user attempts to paste the corporate data from the spreadsheet into a personal e-mail. Notice that the Paste option is not presented: because the corporate data is being protected, it cannot be copied and pasted into non-corporate apps. However, if the user attempts to paste the content into a corporate e-mail (MOWA), the paste option is readily available and the user is off and running.

If you want to see what the future of mobile productivity looks like, skip ahead to 1:37:48 in the TechEd 2014 keynote below. Julia White’s demo of Office on iPad is simply amazing – and what you’ll see is something that cannot be replicated by any other MDM vendor.

Getting it Right for the IT Professionals

The mission my team focuses on is simple: “Empower organizations to enable their users to be productive on the devices they love, while helping keep the corporate assets secure.” I briefly touched on some of the things we are doing for end users and how we help make them productive on all the devices they love; now I want to look at the kinds of policies that IT professionals can apply to e-mail with Intune and the Enterprise Mobility Suite. Through Intune and the Enterprise Mobility Suite we deliver the ability to define and apply policy to devices as well as to apps. Here are 3 key things we’ve done to “encourage” users to stay compliant.

Compliance Policy

As an IT professional, you can define a set of rules that mobile devices must comply with in order to gain access to corporate resources. For example, you can specify rules that are mandatory requirements for any device connecting to corporate e-mail. Below are a couple of views of the Intune admin console showing a policy for enabling Secure E-mail access. In this example, the policy is that corporate e-mail will not flow to a device (Windows, iOS, or Android) unless three things are true: the device has been enrolled in Intune for management, the device is secured with a power-on password, and the device is encrypted and has not been jailbroken.

Conditional Access Policy

Once you have specified a compliance policy, you can specify the list of IT services (e.g. the Exchange Online ActiveSync (EAS) service, an on-premises Exchange EAS service, OneDrive for Business, etc.) whose access will be gated on the compliance state of the mobile device with respect to that policy. An administrator can target this policy to specific user groups and can also exempt certain users if needed. This is a useful marriage of user and device policies: the conditional access policy is assigned to users (AAD identities), and it is then applied to any device the user attempts to connect to corporate e-mail with.

Encourage End-User to Remain Compliant

The tradeoff between security and user productivity can be a big challenge for IT departments. All too often we have had to make either/or decisions: if we increase the protection and security on an application, we have to make the end-user experience more complex or clumsy. We have to get out of the “tyranny of or.” Microsoft has worked very hard to make it as simple as possible for an end user to securely access and work in e-mail while keeping company assets secure. This is what we did: if a device goes out of compliance for some reason, we make it simple for the user to understand this and then bring the device back into compliance. As part of conditional access, if the user’s device is out of compliance, the next time the user opens the corporate e-mail app there will be a single e-mail in their inbox. The e-mail notifies the user that their device is not compliant with the corporate security policies and that corporate data has been removed from that device. That e-mail then provides a link with information on how to bring the device back into compliance. The screenshot below shows the e-mail app when the user has provisioned an Office 365 mailbox but not yet enrolled the device with the management service (Intune). The user is clearly able to see what needs to be done. Since securing e-mail could impact user productivity on devices that are not compliant, we recommend that organizations gradually phase in conditional access policy so that end users have time to become compliant with
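The three steps above (a compliance policy, a conditional access policy targeted at user groups with exemptions, and the single remediation e-mail a non-compliant device receives) can be modelled end to end in a few dozen lines. The following is an added example written for this page, not Intune, Azure AD or Exchange code; the class names, the sample users, groups, device records and the portal URL are all constructed for illustration. One point the prose leaves implicit and the code makes explicit: an unenrolled device reports no state at all, so enrollment is a precondition for evaluating the other rules, not just one rule among them.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Access(Enum):
    ALLOW = "allow"            # mail syncs to the device
    QUARANTINE = "quarantine"  # mail is held; only the remediation notice is delivered


@dataclass(frozen=True)
class DeviceState:
    """Facts the management service reports about one device (constructed record)."""
    device_id: str
    platform: str        # "windows", "ios" or "android"
    enrolled: bool       # enrolled with the management service (Intune in the post)
    passcode_set: bool   # power-on password / PIN configured
    encrypted: bool      # storage encryption turned on
    jailbroken: bool     # jailbroken or rooted


@dataclass
class CompliancePolicy:
    """The three rules the post's example policy requires of a device."""
    require_passcode: bool = True
    require_encryption: bool = True
    block_jailbroken: bool = True

    def violations(self, dev: DeviceState) -> list[str]:
        # An unenrolled device reports nothing, so enrollment is a precondition:
        # none of the other facts can be trusted (or even known) without it.
        if not dev.enrolled:
            return ["device is not enrolled for management"]
        found: list[str] = []
        if self.require_passcode and not dev.passcode_set:
            found.append("no power-on password set")
        if self.require_encryption and not dev.encrypted:
            found.append("device storage is not encrypted")
        if self.block_jailbroken and dev.jailbroken:
            found.append("device is jailbroken or rooted")
        return found


@dataclass
class ConditionalAccessPolicy:
    """Gates one service (here, EAS mail sync) on device compliance.

    Assigned to user groups (AAD identities in the post) with per-user
    exemptions, then applied to whichever device the user connects with.
    """
    compliance: CompliancePolicy
    target_groups: frozenset[str]
    exempt_users: frozenset[str] = frozenset()

    def applies_to(self, user: str, groups: set[str]) -> bool:
        if user in self.exempt_users:
            return False
        return bool(groups & self.target_groups)

    def evaluate(self, user: str, groups: set[str], dev: DeviceState) -> tuple[Access, list[str]]:
        # Users outside the targeted groups keep the pre-policy behaviour; a
        # phased rollout is expressed by widening target_groups over time.
        if not self.applies_to(user, groups):
            return Access.ALLOW, []
        problems = self.compliance.violations(dev)
        return (Access.QUARANTINE, problems) if problems else (Access.ALLOW, [])


def remediation_mail(user: str, dev: DeviceState, problems: list[str], portal_url: str) -> str:
    """The single message a quarantined device sees instead of its inbox."""
    lines = [f"To: {user}",
             "Subject: Your device cannot access corporate e-mail",
             f"Device {dev.device_id} ({dev.platform}) does not meet the corporate security policy:"]
    lines += [f"  - {p}" for p in problems]
    lines.append(f"Fix the items above, then enrol or re-sync at {portal_url}.")
    return "\n".join(lines)


# Constructed sample data: not real users, groups, devices or URLs.
POLICY = ConditionalAccessPolicy(
    compliance=CompliancePolicy(),
    target_groups=frozenset({"Sales"}),               # pilot group for a phased rollout
    exempt_users=frozenset({"exec@contoso.example"}),
)
PORTAL = "https://portal.example/enrol"               # assumed self-service portal URL
SAMPLE_DEVICES = {
    "ipad-01":    DeviceState("ipad-01", "ios", True, True, True, False),
    "android-07": DeviceState("android-07", "android", True, False, True, False),
    "iphone-new": DeviceState("iphone-new", "ios", False, False, False, False),
}


def decide(user: str, groups: set[str], device_id: str) -> tuple[Access, str | None]:
    """Return the access decision and, when quarantined, the notice to send."""
    dev = SAMPLE_DEVICES[device_id]
    access, problems = POLICY.evaluate(user, groups, dev)
    if access is Access.QUARANTINE:
        return access, remediation_mail(user, dev, problems, PORTAL)
    return access, None


if __name__ == "__main__":
    for user, groups, dev_id in [("alice@contoso.example", {"Sales"}, "ipad-01"),
                                 ("alice@contoso.example", {"Sales"}, "android-07"),
                                 ("exec@contoso.example", {"Sales"}, "iphone-new"),
                                 ("bob@contoso.example", {"Engineering"}, "android-07")]:
        access, notice = decide(user, groups, dev_id)
        print(f"{user:<22} {dev_id:<11} -> {access.value}")
        if notice:
            print(notice)
```

Running it shows alice’s enrolled, encrypted, passcode-protected iPad allowed, her passcode-less Android device quarantined with a notice naming the missing control, the exempt executive allowed even on an unenrolled phone, and bob (not in the targeted group yet) untouched until the rollout widens to Engineering.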

One Microsoft

Secure access to e-mail is a great example of our “One Microsoft” approach in action. Delivering a superior Secure E-mail experience to both IT admins and end users has taken a broad, cross-company effort. The key components of this solution are:
  • Windows Intune: provides MDM management and the infrastructure to define and evaluate the compliance state of a mobile device.
  • Azure AD: provides authentication and conditional access to IT services based on the device state reported by Windows Intune.
  • Exchange 2013 and/or O365: provides the e-mail quarantine capability by validating that a user has a compliant device before letting e-mail sync to that device.
I believe the combination of Intune, AAD and O365, along with the e-mail rights management capability provided by Azure RMS, makes the Enterprise Mobility Suite approach to Secure E-mail a superior option to any other functionality available anywhere else.