Microsoft updates its mobile-device management timeline, game plan

Eight months after launching its Enterprise Mobility Suite, how close is Microsoft to enabling users to manage not just devices, but also the apps and data on those devices?
Written by Mary Jo Foley, Senior Contributing Editor

Bring your own device (BYOD) is passe, according to Microsoft execs. What matters more these days is BYO apps and services.


Unsurprisingly, that shift works in Microsoft's favor, given its small mobile-device market share. Even if Microsoft doesn't manage to somehow storm the world with Lumia phones, Surface tablets and other third-party-made Windows phones and tablets, all is not lost.

Microsoft is positioning itself to be relevant by being able to manage mobile devices of all kinds, including iOS, Android and Windows devices. Though many of us didn't really think this through back in March when Microsoft simultaneously launched Office for iPad and the company's Enterprise Mobility Suite (EMS), EMS was as important -- if not more so -- to Microsoft's grand plan for mobile relevance.

EMS has three parts: Azure Active Directory Premium, Azure Rights Management services and Intune (the mobile-device management service that until recently was known as Windows Intune.) Currently, EMS is only available as a bundle to large enterprise users with volume plans, though Microsoft execs are hinting that requirement may be relaxed some time relatively soon.

Microsoft has been touting for the past few months that EMS will enable users to protect their devices, identity, apps and data across devices. Now that it's eight months after the launch of EMS, where is Microsoft, in terms of being able to do this?

Each of the three EMS components provides different pieces of this scenario, as the Microsoft-provided slide embedded above in this post makes clear.

Azure Active Directory is what handles tasks like multifactor authentication, self-service password reset and single sign-on. Intune provides the mobile-device settings and application management, plus the conditional access and selective wipe capabilities. And Azure Rights Management is what provides the information protection and bring-your-own-key functionality.

Azure Active Directory Premium and Intune have been getting regular major updates, which are being pushed to customers automatically, said Andrew Conway, Senior Director of Product Marketing for Windows Server and System Center. Via Windows Azure Active Directory Premium, users have the option to do single sign-on to more than 2,400 software-as-a-service apps.

On November 6, Microsoft execs provided an update as to what users should expect next, in terms of the ability to manage the new versions of Office for iPad, iPhone and Android. Office for iPad apps will be able to be managed by Intune and EMS in the first quarter of 2015, as will the new Office for iPhone apps. Both sets of apps will require updates in order for this to occur. Office for Android apps, which are due out will be "enlightened to be manageable by Intune," which means they will be manageable at that point using Intune, a Microsoft spokesperson confirmed.

Update (November 10): Microsoft has modified the timing in its blog post. Instead of commiting to the management of Office for iPad apps in Q1 2015, Microsoft officials are now saying that will happen "in the next few months."

There will be more Intune updates coming over the next several months, as Microsoft officials have previously said. IT will be able to set policies around users's Office apps, and after that, an app-wrapping tool is on tap. App wrapping will allow the creation of management policies around existing internal line-of-business applications that can be distributed via Intune.

Following those waves, Microsoft will provide the promised conditional access to corporate resources and then simplified bulk device management, Conway said.

At Tech Ed Europe last week, Microsoft officials also announced they are building a subset of Intune's mobile-device-management features into the company's Office 365 for business plans. That functionality should be rolling out starting in the first quarter of 2015. The MDM subset in Office 365 includes the aforementioned conditional access, IT policy enforcement (around passcode/PIN, data encryption and jailbreak detection) and selective wipe.

Editorial standards