Learn how to configure Intune to deploy the Outlook and Word apps on mobile devices with a MAM policy that protects corporate data.
Now that we've put some policies in place to configure our devices, we're going to move on to how to configure mobile applications. Specifically, we're going to look at configuring mobile applications to support mobile application management. And the Microsoft Office apps are really good examples of this. What we'll do is go ahead and deploy a mobile application. Then we'll apply some policies to it to control what users can do with the data in that application. To begin, we'll go to Mobile apps, and then we'll go to Apps. I've already configured Excel and Word here, but we'll go ahead and add Microsoft Outlook as well.
The app type we want again depends on the platform. You'll have to create entries multiple times if you want to deploy Outlook for iOS and Outlook for Android; they're two separate applications. We'll go with iOS, and then we can search their app store for Outlook. We'll pick Microsoft Outlook. We can configure any properties that we want about the application, like how it appears in the application gallery on the device, whether or not it's a featured application, so it's easy to pick, and any of these other settings.
Since this app's in the app store, it pre-configures all this for us. But if you're deploying a line-of-business application, perhaps one that you developed in-house, you would need to fill all these settings in yourself. Once we add that, it'll be available in the list of applications. Again, we need to assign the application so that some people actually get it. We'll go ahead and assign this to the All Users group. And notice it asks what type of assignment we want.
There are a couple of extra choices here. We have available and required. Available means it'll be available when the user goes into the Intune application gallery, and they can select it to install it. Whereas required means it'll be automatically installed on the device when the user checks in or when they enroll their device. Let's say we want everyone to have Outlook. So we'll go ahead and make this required. As for the VPN option, if you had an application that needed to connect to a VPN, a virtual private network, to access data, you could push a VPN profile that goes with the application, and then the app will know that it needs to start that VPN before it can function.
Now that we've deployed the application, the other thing we're going to want to do is apply mobile application management to this application, so we can control what users can do with the data. To do that, we'll create what's called an app protection policy. We'll give this a name. We'll call this iOS app protection. We'll select what apps this applies to. We're going to apply this to all the Office apps that we're deploying, Word, Excel, and Outlook.
The list you get to choose from here contains the applications that support mobile application management. Microsoft has prefilled the list for you. Then we'll set the settings that this enforces. What you get to do with mobile application management is decide where users can take the data and what they can do with it. To put this another way, let's say you received an email in Outlook. We want to make sure that, because that has corporate information, you can only take it to another managed application. So you can copy and paste that information to Word or Excel, for example, but you couldn't save it to your personal Google Drive or copy and paste it into the iOS Notes app, because then it would no longer be in the realm of corporate control.
But likewise, if you also have your personal email account configured in the Outlook app, we want to let you do whatever you want with that. And the apps are smart enough to know whether data originates on the corporate side of the app or the personal side of the app. So what we're going to do here is, when it says allow app to transfer data to other apps, we're only going to let it go to other policy managed apps. But we'll let you paste in from any app. Allow app to receive data from all other apps. We'll also prevent save as, which prevents people from saving this to someplace else.
Cut, copy, and paste, we really only want to allow this to let people paste to other managed apps, but they can paste data in from non-managed apps. We'll encrypt the data when the device is locked. And we won't require a PIN for access here, because we're already requiring a PIN on the mobile device to unlock the device itself. If you were only managing the applications and not the device, you might want to require a PIN to access a managed application, since you have no idea if someone's used a PIN to access the device itself.
You could also require people to log in again to access the application. But, again, we're not going to need that. We will make sure, though, that the app can't be run on a device that's been jailbroken. You can also require minimum versions of the app or iOS, in case your policies require that. We'll go ahead and save this, and then we'll create this policy, and this will apply to those managed applications like Outlook, Word, and Excel, that we've deployed. When we go to enroll this device, Outlook will be automatically installed, and we could of course install Word as well from the gallery, and then we'll be able to see how these protections are enforced.
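
As an added example (not part of the course and not Microsoft's code), this Python script audits an exported app protection policy against the settings chosen in the walkthrough above, including the caveat that an app PIN matters when the device itself is not managed. The property names are assumed to match the Microsoft Graph `iosManagedAppProtection` resource, and the sample policy is constructed.

```python
import json

# Baseline from the walkthrough. Property names are assumed to follow the
# Microsoft Graph iosManagedAppProtection resource; the page shows only the portal.
BASELINE = {
    "allowedOutboundDataTransferDestinations": "managedApps",  # send only to policy-managed apps
    "allowedInboundDataTransferSources": "allApps",            # receive from any app
    "saveAsBlocked": True,                                     # prevent Save As
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
    "appDataEncryptionType": "whenDeviceLocked",               # encrypt when device is locked
    "deviceComplianceRequired": True,                          # assumed mapping: block jailbroken devices
}

# Constructed sample export with two deliberate gaps (outbound transfer, Save As).
SAMPLE_POLICY = json.loads("""
{
  "@odata.type": "#microsoft.graph.iosManagedAppProtection",
  "displayName": "iOS app protection",
  "allowedOutboundDataTransferDestinations": "allApps",
  "allowedInboundDataTransferSources": "allApps",
  "saveAsBlocked": false,
  "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
  "appDataEncryptionType": "whenDeviceLocked",
  "deviceComplianceRequired": true,
  "pinRequired": false
}
""")

def audit(policy, device_pin_enforced):
    """Return a list of findings where the policy departs from the baseline."""
    findings = []
    for key, want in BASELINE.items():
        got = policy.get(key)
        if got != want:
            findings.append(f"{key}: expected {want!r}, found {got!r}")
    # The walkthrough skips the app PIN only because the device requires one.
    # When only the apps are managed, nothing guarantees a device PIN exists.
    if not device_pin_enforced and not policy.get("pinRequired", False):
        findings.append("pinRequired: app PIN needed when the device PIN is not enforced")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY, device_pin_enforced=False):
        print("FINDING", finding)
```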
- Authentication options with Azure AD
- Configuring Azure AD Connect for sync and authentication
- Securing remote access with the Azure Application Proxy
- Managing apps and devices with Intune
- Building and deploying a basic Intune policy for iOS or Android
- Protecting data beyond the firewall with Azure Information Protection (AIP)
- Configuring AIP classification labels and protection
- Integrating Exchange and SharePoint with AIP
- Managing risk with Advanced Threat Analytics
- Connecting Office 365 to cloud app security