Back in January, we learned that the Microsoft Graph API is coming to Intune. This means that there’s a clear path to integrate Intune with third-party management software. Specifically, it also means that other EMM vendors can achieve their long-desired goal of directly managing the Office mobile apps.
Of course, we’re talking about Microsoft licensing, a newer EMM offering, and a competitive market, so there’s a lot to unpack. To date, industry buzz about the Graph API for Intune has actually been quieter than I would have expected, but there will surely be more as vendors decide how to use it and start talking about their plans. In the meantime, let’s take a look at what the Graph API for Intune is all about and what its effects could be.
Office mobile apps and MAM options
We rejoiced in 2014 when Office finally arrived on the iPad, and soon after when document editing and creation became free for consumers. Under the new leadership of Satya, Microsoft was finally putting Office ahead trying to protect Windows from iPad competition.
Soon enough, customers that were turned on to EMM wanted to apply mobile app management policies to Office app (e.g., deploy the client apps, configure data sources, prevent data leakage, and other MAM stuff), so Microsoft built MAM capabilities into the Office apps, using Intune. Now you can use Intune for a whole range of MAM tasks, without the need MDM enrollment. Enabling Office apps with the Intune MAM SDK has always been a good strategy—it instantly gave the Intune ecosystem a boost. (If you need to get up to speed on all the different flavors of MAM, check out this guide.)
One thing that Microsoft hasn’t done, however, is let any other EMM vendors add their MAM SDKs or do app wrapping to the Office apps. Customers without Intune can still turn to MDM to control these apps, though, since iOS and Android have lots of MAM features built in. But there's another catch here, as the Office apps don’t support some the optional configuration controls present in iOS and in Android. You can use MDM to turn off some forms of data sharing, depending on the device, but to make sure everything is air-tight you’ll probably also have to use MDM to configure a per-app VPN and block features like consumer file sharing at the network level.
If you’ve licensed the Office apps properly, you have one other option. (Remember, you’re supposed to have an Office 365 subscription if you’re using them for business, though I’m willing to bet that there are a lot of corporate users that are using them without a license because there’s no enforcement mechanism built into the apps, other than some decreased functionality.) Anyway, most Office 365 business subscriptions come with some free MDM features. It’s pretty basic, though—you can ensure that devices are enrolled before users are allowed to connect to Office 365 content, but you don’t get the ability to lock everything down like you do with Intune.
Aside from these three management options, ever since the Office apps came out, third-party EMMs and customers have wanted a way to manage the apps directly.
Enter the Graph API
This is where the Microsoft Graph API comes in. The original focus was on extending Office 365 and Azure AD, but the API is now expanding to include Intune functionality. Intune support went into preview in December, but it didn’t get much attention until Ojas Rege at MobileIron tweeted about it in January.
The Microsoft Graph API is supposed to be the way in for all functionality, and in fact it is what the new Azure-based console for Intune uses. This also lets Microsoft do things like create custom Intune consoles for products like Intune for Education.
The API is open for other parties to use, so we can connect the dots: Other EMMs can use it as middleware to manage the Office apps, and thus the goal of third-party management can now be realized, in a way.
I spoke to Ojas Rege when all this first came up back in January, and he commented that MobileIron would think of the Intune Graph API just like any other mobile container technology (e.g., iOS managed apps, Android enterprise, Samsung Knox), and plan to offer support. In addition, Citrix has confirmed that this is how they’re integrating XenMobile and Intune.
Naturally, this opens up plenty of other angles, including for all sorts of managed service providers to use. (Though I should point out that other EMMs have been supported integrations like this for years.)
Licensing, market effects, and future demands
In order to use the Graph API for Intune, all the end users have to be covered under a regular Intune license. Intune is easy to get as a part of broader enterprise agreements, which customers will be considering as they move to Office 365 and Azure AD.
The effect on the market? If you need to have Intune to manage Office apps, and it’s easy to get and comes integrated with everything else you’re buying from Microsoft, why not use Intune for all your EMM purposes? This is the Microsoft strategy we’ve seen many times before. Some EMM vendors will compete directly, some will compete by offering features Intune doesn’t have (since the classic Microsoft strategy is to concentrate on the core 80% of features, not everything), others will embrace and extend Intune (running one vendor’s MAM on top of another vendor’s MDM is common), and some won’t be able to compete.
It’s great that Microsoft created the Graph API for Intune, and third-party vendors will find good ways to capitalize on it. But it’s also not hard to imagine that there will be a call for more flexible licensing. Should you have to buy the full Intune stack just to manage the Office apps? This is the old “is it a feature or is it a separate product” conversation again.
Currently, Microsoft makes it clear that Intune licensing is the same whether you’re using the admin console or the API. But what if they made a separate license for just MAM and/or the API, or created some sort of service provider license? Customers and partners would appreciate the flexibility; and it could be a strategic move for Microsoft, as it could help the Intune SDK and MAM stack turn into a de facto standard. Another way Microsoft could add flexibility is by adding support for MDM-managed configurations in the Office apps. And remember, IT departments do have an alternative: just use device-native controls for app management. Android’s built-in MAM has come a long way, and iOS’s has been pretty good for a while now (though it could be more BYOD-friendly).
While things could change, it’s probably too early to say which other aspects of Intune and Office management Microsoft will move around to improve their strategy. (What’s the most valuable part of EUC to hold onto? What should they free up to boost the network effect?) Furthermore, this is only one corner of the broader EUC market, so we have to consider the big picture of productivity suites and identity management in general.
What would you like to do with the Graph API for Intune? And what do you want to see Microsoft do with the API, Intune, MAM, and Office?