Office 365 Client Lockdown with EMS

June 27, 2017
Editorial Staff

When moving applications and services to the cloud, there are always many questions about the security of data. Do I still own my data? Who has access to it? Is it being sold? Where is it stored? These are just a few of the questions businesses ask themselves when considering moving their information to the cloud. Often overlooked, however, is how moving to the cloud improves the accessibility and availability of company data, and the risk that comes with it. Let me give you a common example:

As many businesses have found out, Office 365 provides excellent value. The most common Enterprise SKU we see being adopted around the world is Office 365 E3, which includes Exchange Online, OneDrive for Business, and Office 365 ProPlus (among others). Office 365 ProPlus is often seen as a great value-add for employees, who can install Office on up to five machines. However, this creates a problem: with users able to install Office on up to five machines and connect to Exchange Online, their data can be accessed and downloaded on non-sanctioned machines. One concern we hear time and again is that Outlook, by default, will download 12 months of cached mail data to the machine. Twelve months of cached data left on the personal devices of end users is a frightening prospect for any IT and security department.

Luckily, help is at hand with the Enterprise Mobility Suite (EMS), which includes several great products that protect your data by intelligently managing your users' identities wherever they are, rather than attempting to lock users out at the perimeter. Perimeter lockdown typically does not work in today's mobile world.

With Azure Active Directory (AD) Premium, conditional access rules can be applied to the user's identity, granting access to resources only when certain criteria are met: for example, signing in from a managed device, signing in from specific locations, or satisfying Multi-Factor Authentication (MFA).

Conditional Access Policy
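To make the rules just described concrete, here is an added example (it is not from the original post or from SoftwareONE) that builds a Conditional Access policy through the Microsoft Graph PowerShell SDK: Office 365 may only be reached from a managed device unless the sign-in comes from a named location the tenant has marked as trusted. The two group object IDs are placeholders; the cmdlet, scopes and policy schema are those of the Microsoft.Graph module, and the policy is created in report-only mode so it can be validated against real sign-ins before being enforced.

```powershell
# Added example, not part of the original post. Creates an Azure AD Conditional
# Access policy via the Microsoft Graph PowerShell SDK: Office 365 may only be
# reached from a managed device unless the sign-in comes from a trusted named
# location. Group IDs are placeholders; requires the Microsoft.Graph module.
param(
    # Object ID of the Azure AD group holding the users in scope (placeholder).
    [string]$TargetGroupId     = '00000000-0000-0000-0000-000000000001',
    # Object ID of the emergency-access ("break-glass") group to exclude (placeholder).
    [string]$BreakGlassGroupId = '00000000-0000-0000-0000-000000000002',
    # Without -Apply the policy body is only printed for review.
    [switch]$Apply
)

function New-ManagedDeviceOnlyPolicyBody {
    param([string]$IncludeGroupId, [string]$ExcludeGroupId)

    # The body follows the Graph conditionalAccessPolicy schema.
    @{
        displayName = 'Office 365: require managed device outside trusted locations'
        # Report-only: the policy is evaluated and recorded in the sign-in logs but
        # never blocks, so its impact can be checked before switching to 'enabled'.
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users = @{
                includeGroups = @($IncludeGroupId)
                # Never let a device or MFA outage lock out the break-glass accounts.
                excludeGroups = @($ExcludeGroupId)
            }
            # 'Office365' is the built-in application group covering Exchange
            # Online, SharePoint/OneDrive and the other Office 365 services.
            applications   = @{ includeApplications = @('Office365') }
            # Everywhere except named locations the tenant has marked as trusted
            # (typically the corporate egress IP ranges).
            locations      = @{
                includeLocations = @('All')
                excludeLocations = @('AllTrusted')
            }
            clientAppTypes = @('all')
        }
        grantControls = @{
            # OR: an Intune-compliant device or a hybrid Azure AD joined device
            # satisfies the control. A personal PC with Outlook installed from the
            # ProPlus entitlement is neither, so its sign-in is denied once enforced.
            operator        = 'OR'
            builtInControls = @('compliantDevice', 'domainJoinedDevice')
        }
    }
}

$body = New-ManagedDeviceOnlyPolicyBody -IncludeGroupId $TargetGroupId -ExcludeGroupId $BreakGlassGroupId
$body | ConvertTo-Json -Depth 5

if ($Apply) {
    Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}
```

Note that the MFA requirement mentioned in the text is deliberately not added to this grant control: with the `OR` operator, `mfa` alongside `compliantDevice` would let an unmanaged personal machine through as soon as the user completed MFA, which defeats the point of keeping cached mail off unsanctioned devices. Require MFA in a separate policy, and review the report-only results in the Azure AD sign-in logs before changing `state` to `enabled`.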

This is further enhanced with Microsoft Intune, which extends conditional access to mobile devices and applies policy to those devices to protect the organization from wider security breaches. Mobile Device Management (MDM) through Intune can enforce PIN security and device encryption, and prevent access from potentially compromised (jailbroken) devices. Granular control of the mobile Microsoft Office apps through Mobile Application Management (MAM) can prevent data leakage by disabling copy and paste and the export of documents to third-party services. And before you ask – yes, this includes the notoriously sandboxed iOS too.

Mobile Application Policy
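To show what the Mobile Application Management controls above look like as an actual policy, here is an added example (not from the original post) that creates an Intune app protection policy for the iOS Office apps via the Microsoft Graph `deviceAppManagement` endpoint and then targets Outlook, Word, Excel, PowerPoint and OneDrive. It assumes the Microsoft.Graph PowerShell module; the display name, the offline-access timings and the choice of apps are my own, and the body is only printed unless `-Apply` is passed.

```powershell
# Added example, not part of the original post. Creates an Intune app protection
# (MAM) policy for the iOS Office apps that closes the data-leakage paths the
# text mentions: copy/paste into unmanaged apps, "Save As"/export to third-party
# services, and backup of app data. Assumes the Microsoft.Graph PowerShell module.
param(
    # Without -Apply the policy body is only printed for review.
    [switch]$Apply
)

# iOS bundle identifiers of the Office apps to protect (Microsoft's published IDs).
$OfficeBundleIds = @(
    'com.microsoft.Office.Outlook',
    'com.microsoft.Office.Word',
    'com.microsoft.Office.Excel',
    'com.microsoft.Office.Powerpoint',
    'com.microsoft.skydrive'          # OneDrive
)

function New-OfficeAppProtectionBody {
    # Body follows the Graph iosManagedAppProtection schema; the timings and
    # display name are my own choices.
    @{
        '@odata.type' = '#microsoft.graph.iosManagedAppProtection'
        displayName   = 'Office apps (iOS): prevent corporate data leakage'
        # An app-level PIN and corporate credentials gate access to org data.
        pinRequired                       = $true
        organizationalCredentialsRequired = $true
        # Copy/paste out of Office apps only into other policy-managed apps.
        allowedOutboundClipboardSharingLevel    = 'managedApps'
        # Open-in / share: documents may only be sent to other managed apps.
        allowedOutboundDataTransferDestinations = 'managedApps'
        # No "Save As" to personal storage, no iCloud/iTunes backup of app data.
        saveAsBlocked     = $true
        dataBackupBlocked = $true
        # Re-validate access after 12 h offline; wipe org data after 30 days offline.
        periodOfflineBeforeAccessCheck    = 'PT12H'
        periodOfflineBeforeWipeIsEnforced = 'P30D'
    }
}

function New-TargetAppsBody {
    param([string[]]$BundleIds)
    # Payload for the policy's targetApps action: one managedMobileApp per bundle ID.
    @{
        apps = @($BundleIds | ForEach-Object {
            @{
                '@odata.type'       = '#microsoft.graph.managedMobileApp'
                mobileAppIdentifier = @{
                    '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'
                    bundleId      = $_
                }
            }
        })
    }
}

$policy = New-OfficeAppProtectionBody
$policy | ConvertTo-Json -Depth 5

if ($Apply) {
    Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'
    $base    = 'https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections'
    $created = Invoke-MgGraphRequest -Method POST -Uri $base -Body $policy
    # A policy protects nothing until apps are targeted; assign the Office apps.
    Invoke-MgGraphRequest -Method POST -Uri "$base/$($created.id)/targetApps" `
        -Body (New-TargetAppsBody -BundleIds $OfficeBundleIds)
    # Scoping the policy to user groups is a separate step (the policy's assignments).
}
```

The policy applies inside the Office apps themselves, which is why it works on iOS without device enrollment: the app enforces the PIN, clipboard and open-in restrictions regardless of who owns the phone. Pair it with the MDM compliance settings described above (PIN, encryption, jailbreak detection) where devices are corporate-owned, and check the Intune app protection status report after rollout to confirm the apps are actually receiving the policy.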

Of course, this is just scratching the surface of the power available in the EMS suite. If you are a business interested in learning more about Office 365 or EMS please contact us at SoftwareONE. We would love to hear from you.
