Solving Office 365’s Multi-Identity Crisis on iOS
Rich Festante | May 07, 2018
Enterprises that choose Microsoft Office 365 as their preferred suite of productivity apps often face a two-fold security challenge: Not only do they have to secure the enterprise version of Office 365, they may also have to prevent an employee’s personal version of Office 365 from accessing business data on mobile devices enabled for work. Without the ability to separate the enterprise version and personal version of Office 365, corporate data may be at risk. For instance, a mobile employee could copy and paste attachments from the work version of Office 365 into the personal version if it’s not secured with the right tools.
Compounding this security challenge is the fact that many enterprise iOS users prefer to use a combination of native iOS applications and Office 365 apps for work. On devices with both personal and enterprise versions of Office 365, enterprises need to ensure that employees can’t use their personal Office 365 apps to access work attachments through native iOS apps.
MobileIron understands that this is a complex scenario for many IT organizations with multi-OS devices and multi-identity Office 365 apps. This post covers some real-world use cases for these security challenges and how MobileIron helps solve them.
Challenge: Prevent data transfer between managed and unmanaged apps
Clear separation of business and personal data on devices used for work is essential to ensuring enterprises can protect critical data and employee privacy. This requires the ability to prevent work applications from transferring data to and from unmanaged applications, such as a personal version of Office 365.
Solution: Apply MobileIron security controls for enterprise apps
MobileIron automatically manages any application deployed through Apple’s Volume Purchase Program (VPP) or through the MobileIron enterprise app store. This also includes native iOS apps such as email and the Safari web browser. For iOS native email, MobileIron deploys a managed Exchange profile with certificate-based authentication for a seamless and secure experience. MobileIron also allows admins to restrict Safari from opening documents that come from specific URLs.
It’s important to note that applications installed directly from the Apple App Store are not automatically managed by MobileIron, but admins can prompt the user to convert the previously unmanaged application to managed in order to protect business data.
Challenge: Secure multi-identity Office 365 apps with open-in controls
Microsoft Office 365 apps support a multi-identity option, which allows a user to have multiple accounts within the same app. Although iOS supports open-in controls that ensures data stays in managed apps, iOS managed open-in can’t prevent data transfer between multi-identity apps. For example, open-in restrictions can’t prevent a user from saving an attachment from their work email account into a personal Office 365 account in OneDrive, as shown in this video.
Solution: Deploy iOS managed app configuration to Office 365 apps
In iOS 7, Apple introduced managed app configuration. This configuration allows an administrator to remotely configure and populate app settings for managed apps on managed devices. Managed app configurations follow a standardized format and do not require proprietary SDKs or app wrappers.
Microsoft Office apps support iOS managed app configurations such as “IntuneMAMUPN,” which allows the MobileIron administrator to set up the Office 365 work account in each Microsoft app. When Microsoft apps are deployed with IntuneMAMUPN, attachments opened from a managed app into Microsoft apps are treated as work documents. For example, an attachment opened from a managed iOS native email account into a Microsoft app can only be saved into the Office 365 work account specified by the managed app configuration. To learn more about deploying IntuneMAMUPN, see Microsoft’s documentation here.
Challenge: Apply supplemental controls for Office 365 apps
Although Microsoft leverages some managed app configurations in apps today, the company decided to build proprietary configuration controls that are specific to Office 365 apps. These proprietary supplemental controls, known as Intune app protection policies, offer an extra application security layer that iOS may not provide natively. These supplemental controls can be leveraged to satisfy enterprise security requirements such as:
- Restrict cut/copy/paste controls to managed apps
- Restrict “save as” to specified document repositories
- Require a PIN when opening Microsoft apps
Solution: Use MobileIron to apply Office 365 supplemental controls
MobileIron can manage Intune app protection policies through a single unified console, which greatly simplifies configuration and deployment. By adding Intune app protection policies to the long list of container solutions that we support, including Android enterprise, Samsung Knox, iOS, Windows Information Protection, and our own AppConnect solution, MobileIron continues to give customers the flexibility they need to meet business requirements.
To learn more about our iOS and Office 365 security capabilities, see our video here.