After yesterday's TechEd announcements, here’s all you need to know about Microsoft’s EMM plans.

Yesterday at TechEd Europe Microsoft unveiled more of its plans for Intune, the Enterprise Mobility Suite, and Office 365. There’s a lot to like—especially with regards to mobile app management and the Office mobile apps—but naturally to get the greatest benefits out of it, companies will have to be dedicated to doing everything the Microsoft way.

There are still a few more announcements pending in the coming weeks and months, but now is a good time to take stock of Microsoft’s EMM efforts. I had a chance to talk to Brad Anderson yesterday to get more details. (His blog posts are here and here.)

How Intune stacks up

Intune and the Enterprise Mobility Suite are looking pretty good now. Whereas a year ago Intune was barely on the radar in the EMM space, it is now (or soon will be, as more features roll out in the coming months).

  • It does full MDM for iOS, Android, and Windows Phone.
  • It’s integrated with SCCM.
  • It will soon have managed browser, PDF viewer, AV player, and image viewer apps.
  • App wrapping is coming out soon.
  • Users will be able to access corporate resources from the Company Portal Apps, including internal web apps, cloud apps, remote desktops, and native mobile apps.
  • The full Enterprise Mobility Suite, with Intune, Azure Active Directory, and Azure Rights Management Server will enable an impressive set of integrated capabilities, including identity management, single sign on, and conditional access policies.

The key difference

The major differentiator for Intune is that it will be able to manage and integrate with the Office mobile apps. This is obviously super attractive for companies that want to have “real” Office apps instead of third-party document viewers and editors. Intune will be able to wipe corporate data from the apps and control document sharing and cut/copy/paste.

This should be attractive for ISVs, too. As I’ve mentioned frequently, one of the issues with app-level MAM is that there are several competing ecosystems from different EMM vendors. This can be challenging for ISVs that try to accommodate all the different ecosystems, and it can be limiting for customers, too.

It’s true that Microsoft is creating yet another one of these ecosystems, but this one will be “the one with the real Office apps,” making it more attractive for customers and ISVs alike.

Pending components

We’re still waiting for all the Office apps to come out on Android, but according to Brad, that should be coming soon.

The other thing that Intune still needs is a new mobile email app, as the current ones are woefully out of date. No replacement has been announced, but it’s pretty easy to read between the lines and assume that one is coming.

Office 365 + MDM

Also announced at TechEd Europe was that Office 365 will include MDM, via an embedded subset of Intune capabilities. Administrators will be able to set conditional access policies for Office 365 as well as selectively wipe corporate data. (There’s a fuller explanation of what is and isn’t included in Brad’s blog post.) The more advanced Office app management features will require Intune, but naturally there’s an upgrade path.

(On a related note it turns out that Office 365 is not needed to manage the Office mobile apps—the advanced controls will be available for companies that use on-premises Office 2013, too.)


All of the integrated capabilities of the Enterprise Mobility Suite are quite impressive, but customers do have to be ready to use the cloud. Microsoft puts a lot of effort into making that as painless as possible, though.

One caveat is that in order to manage Office apps on iOS devices, the devices must be enrolled in MDM. I think this could be a detriment and should be removed, as there are many scenarios where companies do not want to manage users’ devices.

But overall, Microsoft is clearly on the verge of being a top EMM vendor. There are a lot of companies that are used to buying a lot of Microsoft’s products, and they’ll be in good shape.

Join the conversation


So really, this is Microsoft kind of being a *** here because they're not allowing other EMM products to manage Office and/or to wrap Office iOS apps? (And in that case, why does Microsoft allow Intune to manage third party apps? They expect other ISVs to do what they won't?)

Other than that though this seems pretty great. O365 looks to be pretty powerful with managed open in and wipe and the ability to manage other apps, and obviously everyone loves that it's *real* Office.


"All problems in computer science can be solved by another level of indirection, except of course for the problem of too many indirections." - David Wheeler

If Intune becomes the only way to manage Microsoft Apps/Services, we risk seeing the rise of managers of managers.

Completely concur with Jack that enrolling in MDM as a 'ticket to ride' for Office iOS App Management won't last long as users will refuse and IT departments won't risk the backlash.


It seems that this move towards a proprietary MAM framework for Office apps is fighting the trend towards OS-enabled MAM, or native containerization.

We can see this with Android Lollipop, which integrates elements of the Knox container and evolves Android's multi-user framework. This OS-enabled MAM for Android will likely get more powerful as the Divide team's expertise in dual-persona influences Android enterprise evolution going forward.

Similarly, iOS has been adding OS-enabled MAM capabilities beginning with iOS 7. These capabilities include managed apps, app-level VPN, managed open in, among others. Of course, there are still many challenges with this approach, which is why proprietary container frameworks are used quite heavily. Over the long term, however, I would expect Apple will continue to add OS-enabled MAM capabilities and that these additions will chip away at the value provided by proprietary MAM frameworks. Just look at Apple's website content and you'll see phrases such as "corporate data protected, without the container".

Lastly, Microsoft announced with Windows 10 that Windows Phone MDM APIs can be used to manage Win 10 laptops and desktops. Just as Apple and Google are doing with iOS and Android, I would expect the Windows team to also add OS-enabled MAM capabilities over time, at which point this Office MAM approach would be somewhat at odds with Microsoft's OS strategy.

So, in the long-term, if you believe that the OS vendors (including Microsoft) will be adding OS-enabled MAM / native containerization, what management and security benefits will a proprietary Office MAM framework provide?

This leads us to considering the value in the short-term. In the short-term, since Microsoft will require MDM on iOS, what value is there to their proprietary MAM capabilities? If you still have to manage the whole device and so can leverage iOS-enabled MAM & MDM capabilities, how useful is it to have Microsoft's MAM capabilities? Copy/paste control at the expense of vendor lock-in? Maybe it's a better story on Android where full device management is not required? @Jack -- A comparative analysis of the different options might be helpful to understand what the short-term benefits of this approach might be.


@Naveed, isn’t that the eternal debate in MAM right now? :)

For the time being I’m sticking by my assertion that there will almost always be a need for both OS-based MAM and app-based MAM, which each have their inherent advantages and disadvantages.

The interesting thing will be to watch as they both mature to a point where the disadvantages aren’t so pronounced.

With iOS device-based MAM, that would require more flexible options as I outlined recently in TL;DR version: it needs to allow connections to multiple MDM servers and a more clear way of limiting MDM server rights to make it more acceptable for BYOD. Of course for Android, we still have to wait and see how Work APIs can get productized.

For App-level MAM, I could see a few things happening:

—More enterprise-oriented apps will have appropriate management features built in, independent of any particular MAM vendors’ platforms. This could result in them being silos, though. (And of course OS-level MAM could still be used as an additional layer to provide a lingua franca for secure communication between apps on the device.)

—OS-level MAM standards could emerge. (It’s been a while since this came up, but I’m still passionate about it!)

—The EMM market could settle down so that a top 2 or 3 MAM ecosystems emerge, so there’s no more “ISV MAM ecosystem fatigue.”

Also, as more ways to “get in between apps and the device” emerge, issues will be eased, too. I’m thinking of MobileSpaces on Android, as well as Bluebox on iOS and Android. (I’ll have an article on them on Tuesday. Exciting stuff!)

In the short term, like I said I’m still a little puzzled why Microsoft would have the MDM-limitation for Office app management. I still think the best strategy for right now is for any vendor to give equal support to managed and unmanaged device scenarios. (It’s been really interesting watching marketing messages change over the last few years—first when more MDM vendors started doing app-level MAM, then when iOS 7 came out, and now again with Lollipop. :)


@Jack -- Totally agree that there will always be a need for both OS-based MAM and 3rd-party delivered MAM. The OS vendors will evolve their native containerization capabilities, but there will continue to be management & security gaps, for which 3rd-party container complements will be necessary.

I am betting that the best EUC vendors will be those that can deliver flexible infrastructures that enable enterprises to use proprietary and OS-enabled container frameworks on both PC and mobile platforms, depending on their use cases.


This move by Microsoft underlines why enterprises can't trust them in mobile and should look elsewhere.