Better Together: VMware Workspace ONE & Office 365
Consider this: when it comes to securing enterprise applications, you might not have the whole story. You may have heard that an application-only security framework for Office 365 provides adequate protection. However, unless you secure the entire endpoint, applications face security risks. VMware Workspace ONE offers a better approach, blending flexible options and integration capabilities with comprehensive mobile endpoint security. Integrate Office 365 with Workspace ONE to enable Office 365 application controls without compromising security. Today’s post explores the pitfalls of taking an application-only security approach for Office 365, and recommends Workspace ONE & Office 365 with Intune MAM to address these shortcomings.
The Office 365 application suite holds the overwhelming share of the enterprise application market. Securing these applications is arguably a key consideration for most IT administrators regardless of vertical or organization size. Because Office 365 is a Microsoft product, its security configurations require the Intune MAM SDK, which is available with the Intune license.
One well-known way to get the Intune license is through Intune EMM. However, requiring Intune EMM to manage Office 365 doesn’t play well in today’s security market. It would be like saying “If you run Windows you can only use the Internet Explorer browser.” As a result, Microsoft opened up Office 365 management by creating a separate interface called Intune MAM.
What does Intune MAM Do?
Intune Mobile Application Management (MAM) is an Azure portal application. Use it to configure the Intune software development kit (SDK) integrated into Microsoft Office 365 apps like Word and Excel. It has an open API (the Graph API) so VMware’s Workspace ONE can manage the security and deployment of these Intune MAM settings. Intune MAM:
- Provides Office 365 application-level features
- Enables opting out of Intune EMM
- Allows Office 365 to coexist with any EMM product
- Enables the deployment of any application using Intune MAM SDK
Use the Intune MAM SDK to add control into applications without writing the security code yourself. Available application-level features include:
- Restricting the copying and pasting of corporate content into personal areas
- Requiring a passcode for application access
- Encrypting application data using a common framework with sharable data
- Allowing copying and pasting between select Intune SDK applications
Limitations of an Application-Only Security Framework
The application-level features provided by the Intune MAM SDK are helpful controls, but fall short as a comprehensive security solution. A security framework that applies security policies to key applications without securing mobile endpoints exposes itself to unnecessary risk.
Examples of risks include, but are not limited to:
- Being unable to prevent someone from moving the application and its data because you don’t have control of the device
- Being unable to protect the network traffic of the application from interception, for example by using a per-app VPN
- Being unable to protect the application from a rooted device, thus allowing a hacker to look at your data while it’s in memory
Better Together: Workspace ONE & Office 365
VMware Workspace ONE is an enterprise mobility management (EMM) solution that unifies identity management and mobile endpoint security into a single application catalog experience. It provides the comprehensive, yet flexible solution demanded by today’s mobile landscape.
Use Workspace ONE to address the limitations of an application-only security framework, without sacrificing Office 365 application security controls. It’s easier than you might think. Simply integrate Office 365 with Intune MAM into your Workspace ONE endpoint management framework.
The advantages of choosing an endpoint security framework with Workspace ONE include:
- Comprehensive device protection – secure the entire endpoint
- Robust application security – including, but not limited to, Office 365
- Simplified management – manage endpoints and applications in an easy-to-use, integrated console
Workspace ONE enables true conditional access, meaning devices gain access to resources based on contextual factors like location and organisational role. Establishing trust based on context is a win-win scenario for administrators and end-users.
For administrators, conditional access provides a level of granularity far superior to merely allowing or blocking device access based on MDM enrollment. For end users, conditional access from a recognised context reduces their access requirements, simplifying their workflow and enabling productivity.
Premium User Experience
Tiered access provides end users a seamless, award-winning experience that drives adoption. The end result is that IT can provide a consumer-simple experience without sacrificing security and control.
Ease of Deployment
Our architecture is easy to understand and easy to deploy. When securing environments, complexity is the enemy of security. Workspace ONE is consumer simple, enterprise secure, so getting started is easy.
Workspace ONE’s flexibility enables choice. Use this choice to secure as much or as little as your risk profile demands. Enablement-focused organisations benefit from implementing the adaptive management workflow, while security-focused organisations can elect to use advanced management capabilities.
Advanced Management Capabilities:
- Run Workspace ONE services in an on-premise deployment
- Use the VMware Tunnel application to provide transparent network access control for apps
- Implement VMware Tunnel Appliance with per-app VPN for full network transit control
- Select token-based enrollment to prevent unauthorised devices from accessing corporate resources
Better Together: VMware Workspace ONE & Office 365, by Leon Letto, originally appeared on the VMware EUC Blog.