Work Folders for iOS: November update – advanced features on mobile devices
Published Apr 10 2019 04:04 AM 459 Views
First published on TECHNET on Nov 16, 2015

Earlier this year, in January and April, we released the Work Folders app for Apple® iPad and iPhone.
Since its release, a lot of work has been done to integrate Work Folders with the larger ecosystem to help enhance enterprise control and protection of corporate owned data inside the Work Folders app.

With the recent iOS app refresh, we are now releasing Work Folders integration with a series of products that enables enterprises to have more granular control over their data.

  • RMS
    Work Folders is now integrated with the Rights Management Service (RMS) which encrypts and protects individual files, no matter where they travel. Our integration is centered around the newer
    .p-file format for RMS protected files. This way an enterprise can ensure that any highly sensitive information cannot easily be accessed by an unauthorized person.
    A current limitation is that natively encrypted office files (non .p-files) cannot be viewed in the Work Folders app for this release.

    The Work Folders app supports RMS deployed on-prem or the use of the Azure RMS online service.
    Using RMS with Work Folders provides an organization with the utmost level of file security on devices. Files are always encrypted while in the Work Folders application and the user must be authorized by a token-based authentication in order to view a file. This feature combination is ideal for organizations where file security is essential and the integration in the Work Folders app provides a streamlined user experience.


  • Microsoft Intune
    Work Folders is now integrated with Microsoft Intune, a mobile device management service (MDM).
    Using Intune and Work Folders together improves an organization’s capabilities to accomplish the following :

    • Prevent a file from leaving the Work Folders app
      Using Windows Intune, you can now set a policy that prevents the Work Folders user to “open-in” a file into another application, thus making a copy of the file and handing over control over the file to the other app.

      Why is it important to limit open-in?
      Work Folders keeps your files safe. The files are encrypted at all times independent of the device’s encryption settings. When a user opens the file in another app, however, Work Folders is forced to hand the file over to the next application, stripped of the Work Folders encryption layer (other file encryption, such as RMS, remains intact).

      The receiving application may or may not be controlled by your organization as it can be any application on the device that has registered to handle the file type.
      Preventing open-in for the Work Folders app prevents the file from leaving the controlled Work Folders environment altogether.

      Outside of Work Folders, Intune offers a policy to disable open-in for the entire device and not just the Work Folders app. This policy is less useful on devices that are shared between personal use and work use as users are less likely to tolerate the absence of the widely used iOS feature for their personal use. The Work Folders collaboration with Intune gives you a precision instrument to affect only corporate data.

    • Enforce universal PIN
      Work Folders protects access to the app through an App-PIN, at all times.
      Once the device is under Intune management and there is a universal App-PIN configured by Intune, Work Folders will respect the superior PIN and substitute the Work Folders app-PIN for the universal one. That enables the user to have a single PIN across all managed apps. This PIN policy is managed by the organization and provides a common restore experience.

    • Perform targeted Remote wipe
      When using an MDM such as Intune, an organization has the ability to remotely wipe an entire device. As devices are often used for both personal and business, it has long since become a blocker for users to get their device under management when an organization can wipe the entire device.
      A more precise solution is needed. With Work Folders and Intune, you now have a precision instrument to remotely wipe just the Work Folders encrypted files from the Work Folders app, leaving the rest of the device intact.
      A user has to properly re-authenticate to use Work Folders again as they would on any device where Work Folders is setup for the first time.

      We will soon release a blog post explaining how to configure Work Folders to use ADFS as its authentication solution and link to this post from here.

Registered Devices only
When using Work Folders with an ADFS authentication solution, the Work Folders app can be configured to only authenticate a user on a device that is registered with your organization. Device registration is typically done through an MDM, such as Microsoft Intune. The requirement for this feature is ADFS configured on a Windows Server 2016, Technical Preview 4 or later.
Version history
Last update:
‎Apr 10 2019 04:04 AM
Updated by: