Solving Office 365’s Multi-Identity Crisis on iOS


Rich Festante | May 7, 2018

Enterprises that choose Microsoft Office 365 as their preferred suite of productivity apps often face a two-fold security challenge: Not only do they have to secure the enterprise version of Office 365, they may also have to prevent an employee’s personal version of Office 365 from accessing business data on mobile devices enabled for work. Without the ability to separate the enterprise version and personal version of Office 365, corporate data may be at risk. For instance, a mobile employee could copy and paste attachments from the work version of Office 365 into the personal version if it’s not secured with the right tools.

Compounding this security challenge is the fact that many enterprise iOS users prefer to use a combination of native iOS applications and Office 365 apps for work. On devices with both personal and enterprise versions of Office 365, enterprises need to ensure that employees can’t use their personal Office 365 apps to access work attachments through native iOS apps.

MobileIron understands that this is a complex scenario for many IT organizations with multi-OS devices and multi-identity Office 365 apps. This post covers some real-world use cases for these security challenges and how MobileIron helps solve them.

Challenge: Prevent data transfer between managed and unmanaged apps

Clear separation of business and personal data on devices used for work is essential to ensuring enterprises can protect critical data and employee privacy. This requires the ability to prevent work applications from transferring data to and from unmanaged applications, such as a personal version of Office 365.

Solution: Apply MobileIron security controls for enterprise apps

MobileIron automatically manages any application deployed through Apple’s Volume Purchase Program (VPP) or through the MobileIron enterprise app store. This also includes native iOS apps such as email and the Safari web browser. For iOS native email, MobileIron deploys a managed Exchange profile with certificate-based authentication for a seamless and secure experience. MobileIron also allows admins to restrict Safari from opening documents that come from specific URLs.

It’s important to note that applications installed directly from the Apple App Store are not automatically managed by MobileIron, but admins can prompt the user to convert the previously unmanaged application to managed in order to protect business data.

Challenge: Secure multi-identity Office 365 apps with open-in controls

Microsoft Office 365 apps support a multi-identity option, which allows a user to sign in to multiple accounts within the same app. Although iOS supports open-in controls that ensure data stays in managed apps, iOS managed open-in can’t prevent data transfer between the identities of a multi-identity app. For example, open-in restrictions can’t prevent a user from saving an attachment from their work email account into a personal Office 365 account in OneDrive, as shown in this video.

Solution: Deploy iOS managed app configuration to Office 365 apps

In iOS 7, Apple introduced managed app configuration. This configuration allows an administrator to remotely configure and populate app settings for managed apps on managed devices. Managed app configurations follow a standardized format and do not require proprietary SDKs or app wrappers.

Microsoft Office apps support iOS managed app configurations such as “IntuneMAMUPN,” which allows the MobileIron administrator to set up the Office 365 work account in each Microsoft app. When Microsoft apps are deployed with IntuneMAMUPN, attachments opened from a managed app into Microsoft apps are treated as work documents. For example, an attachment opened from a managed iOS native email account into a Microsoft app can only be saved into the Office 365 work account specified by the managed app configuration. To learn more about deploying IntuneMAMUPN, see Microsoft’s documentation here.
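As an added illustration (not MobileIron’s or Microsoft’s code), the following script builds the managed app configuration plist that carries the IntuneMAMUPN key and audits one before it is pushed: the key must be present, the value must be a UPN in a corporate domain, and it must match the account in the managed Exchange profile, otherwise attachments opened into the Microsoft apps would be bound to the wrong identity. The corporate domain and the UPNs are constructed sample values.

```python
import plistlib

# Constructed sample value for this example; use the tenant's real UPN domains.
CORPORATE_UPN_DOMAINS = {"contoso.example"}


def build_office_app_config(upn: str) -> bytes:
    """Return an iOS managed app configuration (XML plist) that pins the
    Office 365 work identity of the Microsoft apps via the IntuneMAMUPN key."""
    if "@" not in upn:
        raise ValueError(f"not a UPN: {upn!r}")
    return plistlib.dumps({"IntuneMAMUPN": upn}, fmt=plistlib.FMT_XML)


def check_office_app_config(plist_bytes: bytes, expected_upn: str) -> list:
    """Audit a managed app config before deployment and return a list of
    findings (empty list means the config is acceptable).

    expected_upn is the account from the managed Exchange profile; if the
    two identities differ, a work attachment could land in another account."""
    findings = []
    try:
        cfg = plistlib.loads(plist_bytes)
    except plistlib.InvalidFileException:
        return ["config is not a valid plist"]
    upn = cfg.get("IntuneMAMUPN")
    if not isinstance(upn, str) or "@" not in upn:
        # Without the key the app has no work identity to bind attachments to.
        return ["IntuneMAMUPN missing: attachments would not be treated as work documents"]
    domain = upn.rsplit("@", 1)[1].lower()
    if domain not in CORPORATE_UPN_DOMAINS:
        findings.append(f"IntuneMAMUPN domain {domain!r} is not a corporate domain")
    if upn.lower() != expected_upn.lower():
        findings.append("IntuneMAMUPN does not match the managed Exchange account")
    return findings


if __name__ == "__main__":
    config = build_office_app_config("alice@contoso.example")
    print(config.decode())
    print(check_office_app_config(config, "alice@contoso.example"))
```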

Challenge: Apply supplemental controls for Office 365 apps

Although Microsoft leverages some managed app configurations in apps today, the company decided to build proprietary configuration controls that are specific to Office 365 apps. These proprietary supplemental controls, known as Intune app protection policies, offer an extra application security layer that iOS may not provide natively. These supplemental controls can be leveraged to satisfy enterprise security requirements such as:

- Restrict cut/copy/paste controls to managed apps
- Restrict “save as” to specified document repositories
- Require a PIN when opening Microsoft apps

Solution: Use MobileIron to apply Office 365 supplemental controls

MobileIron can manage Intune app protection policies through a single unified console, which greatly simplifies configuration and deployment. By adding Intune app protection policies to the long list of container solutions that we support, including Android enterprise, Samsung Knox, iOS, Windows Information Protection, and our own AppConnect solution, MobileIron continues to give customers the flexibility they need to meet business requirements.

About MobileIron
The leader in security and management for mobile apps, documents, and devices, MobileIron's mission is to enable organizations around the world to embrace mobility as their primary IT platform in order to transform their businesses and increase their competitiveness. More than 15,000 companies rely on MobileIron’s scalable architecture, rapid innovation, and best practices for their mobile initiatives. Global companies, including 8 of the top 10 automotive manufacturers, 7 of the top 10 pharmaceutical companies, 5 of the top 10 banks, 5 of the top 10 law firms, and 4 of the top 10 retailers, rely on MobileIron for their Mobile First initiatives.