We've previously discussed the benefits of device management and how having full control over your corporate endpoints gives you much greater granularity when allowing people access to your data.
The most significant benefit of device management is being able to apply a blanket policy that prevents access to any data unless the user is connecting from a managed device.
However, what if you want to allow people access to data from an unmanaged or personal device, provided it can be done securely? Giving employees the option to use their own device can be cost effective and resource efficient, enabling them to access their email from any location whilst protecting the company data they may access.
Application Protection from Microsoft 365 allows you to apply policies that protect the application and corporate data, even on a personal device.
What is Application Protection?
Application Protection is a solution that allows you to specify how individuals can access company data from personal or corporate devices. You do this by specifying a list of managed apps. A managed app has app protection policies applied to it and can be managed by Microsoft 365. Using Application Protection, you can enforce rules that apply when a user attempts to access or move corporate data. You can also specify prohibited or monitored actions that take effect when a user is inside a managed app.
As a result, you have the option to promote a Bring Your Own Device (BYOD) policy, possibly negating the need to procure corporate mobile endpoints. Instead of managing devices, you are managing applications. A user can be allowed access to their corporate email on a personal device, providing it is done through a managed app such as Outlook. You can enforce multi-factor authentication and application PIN protection, and block the transfer of data out of the app. Corporate data and the app can even be removed from the device if it is reported lost or stolen.
None of this requires the device to be enrolled in device management; it is all done through Application Protection.
How does it work?
In order to use Application Protection, we need to create a list of managed apps. Using these apps will be mandatory in order to access company data from personal devices. Whilst all Microsoft apps support the managed app functionality, this is not the case for everything available in the iOS or Android stores. However, vendors such as Adobe, Citrix and ServiceNow also support this capability.
Apps that support being managed allow you to secure them with data protection settings and access requirements. Data protection policies include settings to encrypt the data, block the transfer of data out of the app, and disable copy and paste, screen capture and backup. These settings apply to anyone using the managed app to access your company data.
Access requirement settings dictate the requirements users must meet to access the app for work. This typically means requiring a PIN to launch the app and specifying inactivity timeouts. These policies can then be assigned to all users or limited to particular groups.
The last thing you'll want to do is create a conditional access policy that states only managed applications can be used to access corporate data. This results in any app that does not appear on the managed list being blocked from connecting to 365.
For instance, suppose a user has a personal device and uses Microsoft Outlook to access their personal mail account. Their device is PIN protected, but the app is not.
If they want to access corporate email on their device, they must read the BYOD policy, which states that this is allowed if using Outlook Mobile. Due to the conditional access policy in place, it is not possible for them to connect using their native mail app.
As such, the user would need to set up a new account in their Outlook app. After entering their corporate email address and password, they will be informed that their organisation uses Application Protection and that certain policies therefore apply when using this app for work purposes.
Once the user accepts the message, they will be prompted to set a PIN to access the app. This PIN will only be required for access to their corporate mail account in Outlook; the policy will not apply when accessing personal mail.
If a user switches from their personal account to their work account, a PIN is required to continue. Should they attempt to save an email to their device, the access requirements and data protection settings take effect and prohibit the action.
Should the user lose their device, they can contact their IT department who can search for their details within 365 and remove company data from the appropriate device. All other data and applications will remain untouched.
The above examples demonstrate the end user experience when working with managed apps. Separating corporate access from personal use means that someone can use one device for both purposes, only encountering restrictions when they use the app for business.
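To make the two halves of this concrete, here is an added example (not code from Microsoft or LIMA) that models the setup described under "How does it work?" and the Outlook walkthrough above in Python: a tenant with a managed app list, a data protection and access requirement policy, the conditional access decision that blocks an unmanaged app from connecting with a corporate account, and a managed app session that asks for the PIN when switching to the corporate account, blocks save/copy/screenshot/backup only for corporate data, re-requires the PIN after the inactivity timeout, and supports a selective wipe that leaves personal data in place. All setting names (`pin_required`, `blocked_actions` and so on) are this model's own assumptions, not Intune policy identifiers.

```python
"""Illustrative model of Microsoft 365 Application Protection on a personal
device. Added example for this post: not Microsoft or LIMA code, and the
setting names are this model's own, not Intune policy identifiers."""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional


class DataAction(Enum):
    """Actions a data protection policy can prohibit inside a managed app."""
    SAVE_TO_DEVICE = auto()
    COPY_PASTE = auto()
    SCREEN_CAPTURE = auto()
    BACKUP = auto()


@dataclass(frozen=True)
class AppProtectionPolicy:
    pin_required: bool = True                            # access requirement
    inactivity_timeout_minutes: int = 5                  # access requirement
    blocked_actions: frozenset = frozenset(DataAction)   # data protection


@dataclass(frozen=True)
class Tenant:
    managed_apps: frozenset           # apps the organisation lists as managed
    policy: AppProtectionPolicy
    require_managed_app: bool = True  # the conditional access grant control


def conditional_access(tenant, app, device_managed, corporate_account):
    """Decide whether an app may connect to the tenant; returns (allowed, reason)."""
    if not corporate_account:
        return True, "personal account: tenant controls do not apply"
    if device_managed:
        return True, "enrolled device: allowed by device management"
    if not tenant.require_managed_app or app in tenant.managed_apps:
        return True, "managed app: app protection policy applies"
    return False, "blocked by conditional access: app is not a managed app"


@dataclass
class ManagedAppSession:
    """One install of a managed app holding a personal and a corporate account."""
    tenant: Tenant
    app: str
    device_managed: bool = False
    active_account: str = "personal"
    corporate_pin: Optional[str] = None   # set when the corporate account is added
    pin_verified: bool = False
    corporate_data_present: bool = False
    personal_data_present: bool = True

    def add_corporate_account(self, pin):
        """Adding a work account: conditional access check, then set the app PIN."""
        allowed, reason = conditional_access(
            self.tenant, self.app, self.device_managed, corporate_account=True)
        if not allowed:
            raise PermissionError(reason)
        self.corporate_pin = pin if self.tenant.policy.pin_required else None
        self.corporate_data_present = True
        self.pin_verified = True
        self.active_account = "corporate"

    def switch_to(self, account, pin=None):
        """Switching to the corporate account needs the PIN unless recently verified."""
        if account == "corporate":
            if not self.corporate_data_present:
                return False
            if self.corporate_pin is not None and not self.pin_verified:
                if pin != self.corporate_pin:
                    return False
                self.pin_verified = True
        self.active_account = account
        return True

    def idle(self, minutes):
        """Inactivity timeout: the PIN must be re-entered afterwards."""
        if minutes >= self.tenant.policy.inactivity_timeout_minutes:
            self.pin_verified = False

    def try_action(self, action):
        """Data protection applies only while the corporate account is active."""
        if self.active_account != "corporate":
            return True, "personal account: no restrictions"
        if self.corporate_pin is not None and not self.pin_verified:
            return False, "PIN required before continuing"
        if action in self.tenant.policy.blocked_actions:
            return False, f"{action.name} blocked by data protection policy"
        return True, "allowed"

    def selective_wipe(self):
        """Lost device: remove only company data; personal data is untouched."""
        self.corporate_data_present = False
        self.corporate_pin = None
        self.pin_verified = False
        self.active_account = "personal"
```

The point the model makes is that every control hangs off the account context rather than the device: the same `try_action` call is unrestricted for the personal account and policed for the corporate one, and `selective_wipe` clears only the corporate state.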
Why do I need it?
Application Management is a key feature of Microsoft 365. It allows you to offer freedom of choice to your staff, without compromising on security. You can deliver a blend of device management and application management, allowing staff to choose the option that best suits them.
Not everyone wants a second device just for accessing their email. These people can take advantage of your BYOD policy with Application Protection. You are still in control of the data and the access requirements; you just don't manage the entire device.
Others would prefer a corporate owned device to have that true separation between work and personal. These individuals can opt for a company device and be governed by full device management.
The two solutions can co-exist, or you can opt for one over the other. Crucially, both methods will help you enforce access requirements to your data, as well as how individuals can interact with it.
Without one of these solutions, you can either block access to everything or allow access to everything. One results in a terrible user experience and the other guarantees a data breach.
How do I get it?
Application Management is available with Microsoft 365 Business Premium, E3 and E5. It is also available as a standalone service or as part of Enterprise Mobility and Security (EMS) E3 or E5.
It’s highly recommended to utilise this service as part of Microsoft 365 or EMS, in order to take full advantage of the capabilities highlighted in this blog.
If your business has fewer than 300 users, Microsoft 365 Business Premium is essential. It includes Endpoint Management, Identity Protection, Information Protection and the full suite of Office 365 capabilities.
If you have more than 300 users and are already using Office 365 E3, adding EMS E3 will let you take full advantage of endpoint management.
How can LIMA help?
LIMA is an expert in driving modern workplace transformation. We provide tools and resources that ensure employees can collaborate effectively and share information securely, no matter where they work.
As a Microsoft Gold Cloud Productivity Partner, we are perfectly placed to assist our customers with evaluating and integrating solutions from the entire Microsoft 365 stack.
LIMA’s Microsoft 365 modern desktop assessment has been purpose built to help you move to modern management. Through this service, you can expect to receive the following high-level outcomes:
Through this powerful toolset, your business can re-architect how devices are provisioned, how applications are deployed and how your employees access their data.
Speak to your Account Manager or email firstname.lastname@example.org to find out more about how LIMA can help mobilise your workforce with our Microsoft 365 Assessment Services.