The Office suite of applications is an essential set of tools for many businesses. With the growth of mobile devices in the workplace, it is also essential to secure these applications everywhere.
What users expect from devices and applications is constantly changing. In turn, IT organizations must adapt to user demands for access to business applications and workflows. Admins need to ensure teams are productive on mobile and desktop, wherever they are, while trying to keep all that data secure.
To secure corporate information on mobile devices, IT teams often use management platforms such as mobile device management (MDM) or unified endpoint management (UEM). However, end users are often reluctant to give up control of their devices. Many worry about the degree of control a company has over its devices. To ensure employees have the freedom they want on their devices while securing desktop apps and data, organizations can consider mobile application management (MAM) tools.
What is MAM?
MAM is typically a capability of an MDM or UEM product. Standalone products that provide only MAM functions exist, but they are often not sufficient for comprehensive mobility management, so organizations are moving toward MDM and UEM tools that include MAM.
IT uses MAM to secure apps and data on a device without having to enroll it in a device management platform. Microsoft Endpoint Manager provides MAM functionality, as do other UEMs such as VMware Workspace One. However, to specifically apply protection policies to Office apps, Microsoft’s Intune tool is required. Organizations using Office 365 can subscribe to Intune, which is part of Microsoft Endpoint Manager, for an additional fee.
MAM uses app protection policies to configure apps on both unenrolled and fully managed user devices. Organizations often use MAM for personal devices or BYOD, where users want to access corporate data without enrolling their device in the company’s device management platform. Users download the apps directly from the Apple App Store or Google Play Store and sign in to the app with their company credentials; the app protection policy then applies its security settings inside the app itself. MAM protection policies can include the following:
- block or allow data backup to iCloud (iOS only);
- block or allow the import of corporate data into other managed or unmanaged applications;
- restrict cutting, copying and pasting between other applications;
- block or allow third-party keyboards;
- enforce application encryption;
- configure PIN and credential requirements that users must meet to access managed apps;
- set device and app blocking; and
- set actions for conditions such as jailbroken devices, maximum PIN attempts, and offline grace periods.
Platforms such as Intune support the following MAM scenarios, and other MDMs that also support MAM will be similar:
- Fully enrolled, or corporate-owned, personally enabled (COPE). IT manages both the device level and the application level.
- Unmanaged (not enrolled in MDM) or BYOD. The IT department only manages the applications on the device.
- Managed by a third-party MDM. IT can apply Microsoft app protection policies while using a different MDM for comprehensive management and additional security configuration at the device level.
App protection policies require users to have an Azure Active Directory account and an appropriate Microsoft 365 license, which must include a Microsoft Enterprise Mobility and Security license. Additionally, app protection policies only work with Microsoft Office mobile apps or apps that have been integrated with the Intune SDK or wrapped with the Intune App Wrapping Tool. Microsoft maintains a publicly available list of apps that meet these requirements.
How to configure app protection policies for Office apps
To configure app protection policies in Microsoft Intune, IT admins can go to their Endpoint Management web console and select Apps > App protection policies > Create policy.
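The same policy can be created programmatically. The following is an added example, not code from the original article or from Microsoft: it builds the JSON body for an iOS app protection policy that mirrors the MAM controls listed above (iCloud backup, data transfer, clipboard, encryption, PIN requirements, offline grace period), audits a policy against a small baseline so a weak configuration is caught before it is deployed, and posts it to Microsoft Graph. It assumes the Microsoft Graph v1.0 `iosManagedAppProtection` resource and its property names, a bearer token obtained separately (the `ACCESS_TOKEN` value is a placeholder), and the Office bundle IDs noted in the comments.

```python
"""Build, audit and create an Intune iOS app protection (MAM) policy via Microsoft Graph."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
ACCESS_TOKEN = "<placeholder-bearer-token>"  # placeholder; obtain via an app registration


def build_ios_app_protection_policy(name: str) -> dict:
    """Return the request body for an iOS app protection policy (Graph v1.0 property names)."""
    return {
        "@odata.type": "#microsoft.graph.iosManagedAppProtection",
        "displayName": name,
        "description": "Baseline MAM policy for Office mobile apps",
        # Block backup of corporate app data to iCloud (iOS only).
        "dataBackupBlocked": True,
        # Corporate data may only flow to and from other policy-managed apps.
        "allowedOutboundDataTransferDestinations": "managedApps",
        "allowedInboundDataTransferSources": "managedApps",
        # Cut/copy/paste only between managed apps; paste-in from anywhere is allowed.
        "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
        "saveAsBlocked": True,
        "allowedDataStorageLocations": ["oneDriveForBusiness", "sharePoint"],
        # App-level encryption of corporate data.
        "appDataEncryptionType": "whenDeviceLocked",
        # PIN and credential requirements for opening a managed app.
        "pinRequired": True,
        "minimumPinLength": 6,
        "simplePinBlocked": True,
        "maximumPinRetries": 5,
        "disableAppPinIfDevicePinIsSet": False,
        # Offline grace period before access is re-checked, and before data is wiped.
        "periodOfflineBeforeAccessCheck": "PT12H",
        "periodOfflineBeforeWipeIsEnforced": "P90D",
        "deviceComplianceRequired": True,
        "managedBrowserToOpenLinksRequired": True,
        "managedBrowser": "microsoftEdge",
        "printBlocked": True,
        "contactSyncBlocked": True,
    }


# Minimum settings a policy must carry before it is considered deployable.
BASELINE = {
    "pinRequired": True,
    "dataBackupBlocked": True,
    "saveAsBlocked": True,
    "allowedOutboundDataTransferDestinations": "managedApps",
    "appDataEncryptionType": "whenDeviceLocked",
}


def audit_policy(policy: dict) -> list:
    """Return a list of findings; an empty list means the policy meets the baseline."""
    findings = []
    for key, expected in BASELINE.items():
        actual = policy.get(key)
        if actual != expected:
            findings.append(f"{key}: expected {expected!r}, got {actual!r}")
    if policy.get("allowedOutboundClipboardSharingLevel") == "allApps":
        findings.append("allowedOutboundClipboardSharingLevel: 'allApps' lets corporate data leave managed apps")
    if policy.get("pinRequired") and policy.get("minimumPinLength", 0) < 6:
        findings.append("minimumPinLength: shorter than 6 digits")
    return findings


def target_office_apps_body() -> dict:
    """Body for the targetApps action; bundle IDs are assumed values for Outlook and Word."""
    return {
        "apps": [
            {"mobileAppIdentifier": {"@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
                                     "bundleId": "com.microsoft.Office.Outlook"}},
            {"mobileAppIdentifier": {"@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
                                     "bundleId": "com.microsoft.Office.Word"}},
        ]
    }


def graph_post(path: str, body: dict, token: str = ACCESS_TOKEN) -> dict:
    """POST a JSON body to Graph (network call; not exercised offline)."""
    req = urllib.request.Request(
        f"{GRAPH}{path}",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")


def create_policy(name: str) -> dict:
    """Audit, create the policy, then target the Office apps to it."""
    policy = build_ios_app_protection_policy(name)
    findings = audit_policy(policy)
    if findings:
        raise ValueError("policy fails baseline: " + "; ".join(findings))
    created = graph_post("/deviceAppManagement/iosManagedAppProtections", policy)
    graph_post(f"/deviceAppManagement/iosManagedAppProtections/{created['id']}/targetApps",
               target_office_apps_body())
    return created


if __name__ == "__main__":
    print(json.dumps(build_ios_app_protection_policy("Office MAM baseline"), indent=2))
```

The audit runs before anything is sent, so a policy that was edited to allow clipboard sharing with all apps or to drop the PIN requirement is rejected locally rather than discovered later in the console.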
How to Clear Office Apps Data with Microsoft Intune
In addition to restricting data access in MAM-managed apps, admins can remotely wipe a device or selectively wipe app data. A remote wipe is useful if a device is lost or stolen, or if the end user leaves the company. Since mobile devices are smaller and easier to lose than other endpoints, the remote wipe option is particularly important. If a device ends up in the hands of a malicious actor, administrators must be able to erase all corporate data on it to prevent unauthorized access to sensitive information.
There are three different methods for wiping devices: full wipe, retire, or selective wipe. A full wipe removes all data and apps from the device and restores it to a factory reset state. This is the right method when administrators no longer need a device, need to reset and reassign a device to another role, or want to make sure the data on a missing device cannot be recovered. A retire, on the other hand, is a better option for a BYOD environment. This type of wipe leaves the user’s personal data in place while removing work data only from the managed apps, and removes the device from MDM management.
Users and administrators can issue commands remotely from MDM portals, such as the Intune Company Portal, to managed devices. This is ideal for self-service for users who want to take back control of their devices and experience.
To initiate a full wipe or retire in Intune, follow these steps:
- Log in to the Microsoft Endpoint Manager portal.
- Select Devices.
- Select the device you want to erase.
- At the top of the screen, select Wipe or Retire.
Administrators can also apply wipe and retire commands to multiple devices at once. This is often referred to as a bulk or group action. To apply a bulk device action, select Devices > All devices > Bulk device actions.
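The wipe and retire actions described above are also exposed as Microsoft Graph device actions, which is how a bulk action is scripted. The following is an added example, not code from the article or from Microsoft: it chooses retire for personally owned (BYOD) devices and a full wipe only for company-owned devices that are lost, stolen or being reassigned, builds the Graph request for each device in a constructed sample inventory, and sends it. It assumes the Graph v1.0 `managedDevices/{id}/wipe` and `managedDevices/{id}/retire` actions, the `managedDeviceOwnerType` field, and a placeholder bearer token.

```python
"""Plan and issue Intune wipe/retire actions for a set of devices via Microsoft Graph."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
ACCESS_TOKEN = "<placeholder-bearer-token>"  # placeholder; obtain via an app registration

# Constructed sample inventory; these are not real Intune device records.
DEVICES = [
    {"id": "11111111-1111-1111-1111-111111111111", "deviceName": "iPhone-Alice",
     "managedDeviceOwnerType": "personal"},
    {"id": "22222222-2222-2222-2222-222222222222", "deviceName": "iPad-FrontDesk",
     "managedDeviceOwnerType": "company"},
]

# Reasons for which a company-owned device should be fully reset.
FULL_WIPE_REASONS = {"lost", "stolen", "reassign", "decommission"}


def plan_action(device: dict, reason: str) -> str:
    """Return 'wipe' or 'retire' for one device.

    BYOD devices are always retired: corporate apps and policies are removed and the
    owner's personal data is left alone. Company-owned devices are wiped only for the
    reasons above; an ordinary offboarding gets a retire.
    """
    if device.get("managedDeviceOwnerType") != "company":
        return "retire"
    return "wipe" if reason in FULL_WIPE_REASONS else "retire"


def build_request(device: dict, action: str):
    """Return (url, body) for the Graph device action; retire takes no body."""
    if action not in ("wipe", "retire"):
        raise ValueError(f"unsupported action {action!r}")
    url = f"{GRAPH}/deviceManagement/managedDevices/{device['id']}/{action}"
    body = None
    if action == "wipe":
        # keepUserData=False is the factory-reset behaviour described above.
        body = {"keepEnrollmentData": False, "keepUserData": False}
    return url, body


def plan_bulk(devices: list, reason: str) -> dict:
    """Group device names by the action they will receive (a dry-run of a bulk action)."""
    plan = {"wipe": [], "retire": []}
    for d in devices:
        plan[plan_action(d, reason)].append(d["deviceName"])
    return plan


def send_action(url: str, body, token: str = ACCESS_TOKEN) -> int:
    """POST the action to Graph and return the HTTP status (network call; not run offline)."""
    data = json.dumps(body).encode() if body is not None else b""
    req = urllib.request.Request(
        url, data=data, method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


def execute_bulk(devices: list, reason: str) -> list:
    """Issue the planned action for every device and return (name, action, status) tuples."""
    results = []
    for d in devices:
        action = plan_action(d, reason)
        url, body = build_request(d, action)
        results.append((d["deviceName"], action, send_action(url, body)))
    return results


if __name__ == "__main__":
    print(json.dumps(plan_bulk(DEVICES, "lost"), indent=2))
```

Running the dry run first (`plan_bulk`) and reviewing which devices land in the `wipe` bucket is the check a practitioner wants before a bulk action, since a full wipe of a personal device cannot be undone.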
Selective wipe is another method well suited to BYOD. With this type of wipe, administrators remove corporate MDM policies and apps from the device while leaving personal apps and data untouched. To initiate a selective wipe for a device or user in Intune, follow these steps:
- Log in to the Microsoft Endpoint Manager portal.
- Select Apps in the left column.
- Scroll down to the “Other” section and select App selective wipe.
- Select the preferred type of wipe request (device-based or user-based).
- For a device-based selective wipe, select Wipe requests and follow the prompts to select the user and the data you want to erase. Then select Create wipe request.
- For a user-based selective wipe, select User-level wipe, which prompts you to select the user. Then select Create wipe request.
Self-service requests for users
End users can also wipe, retire, and check the status and compliance of their own devices through the MDM portal apps. For an end user to retire or wipe a device through self-service in Microsoft Intune, administrators can instruct the user to follow this process:
- Open the iOS or Android Intune Company Portal app.
- Select Devices at the bottom of the screen.
- Select the device you need to reset or remove.
- Select the ellipsis (…) icon.
- Depending on the action you want to perform, select one of the following options:
  - Remove device
  - Check status
  - Factory reset