Office mobile app management evens the EMM playing field
With so many mobile users reliant on Office 365 to get work done, it was high time Microsoft and EMM vendors made app management and security easier for IT.
Office 365 shops have more options than ever to manage their mobile apps.
Most of the top mobile app management (MAM) providers now support the Microsoft Graph API, which enables their products to manage Office 365 apps -- but only among organizations that also own Microsoft Intune licenses. The latest addition to this market is BlackBerry's Enterprise Bridge app, which also provides a container where IT can apply MAM policies to Office apps. Organizations likely won't switch out their existing MAM software to get this Office mobile app management feature, however.
"I don't anticipate that control of the Office apps is going to be a differentiator for any EMM platform," said Andrew Garver, research director at Gartner. "It's going to be a box to check."
Options for Office 365 MAM
Microsoft's Graph API allows third-party EMM products to apply policies from Intune directly to Office 365 mobile apps through the third party's console. VMware, Citrix, BlackBerry and MobileIron have all added support for the Office mobile app management API, which became generally available in February.
"There is no question that this capability is required," said Eric Klein, director of mobile software at VDC Research. "There are too many people using Microsoft Office. This is really about the ability to protect your data in your Office 365 mobile apps at rest and in motion ... and distribute your apps securely."
More than 64% of respondents in the TechTarget 2018 IT Priorities survey said they will deploy productivity apps such as Office 365 or Google G Suite this year.
The new BlackBerry Enterprise Bridge also allows users to access Office 365 apps on Apple iOS or Google Android devices through BlackBerry apps such as Work -- which live in Dynamics, BlackBerry's secure container for business applications. When building Bridge, BlackBerry used both the Intune and Dynamics SDKs to improve interoperability, said Frank Cotter, senior vice president of product management at BlackBerry.
Using a third-party EMM platform for Office mobile app management, IT can enforce encryption, block apps, wipe data, restrict interactions with other apps and more.
For users, integration with their organization's EMM makes it easier to perform workflows that involve Office and other business apps. With Bridge, for instance, a user can tap an email attachment in BlackBerry Work, which opens a list of options in the Bridge app, and the user can choose to open the file in the native Microsoft Word app. There, the user can view, edit, save and email the file back to someone from Work, all while Bridge protects the file on the back end.
"The user experience at the end of the day is really what's driving these advancements," Klein said. "It used to be cumbersome to do this kind of workflow."
Users must sign into both Dynamics and Intune, which allows Bridge to enforce identity authentication across the entire workflow. BlackBerry has filed patents for this identity capability, so the company cannot share more details about how it works at this point, Cotter said.
"BlackBerry typically has been the strongest when it comes to containerization," said Willem Bagchus, a messaging and collaboration specialist at United Bank, an Intune and Office 365 shop based in Parkersburg, W.Va. "This is a way of porting the same idea into a sandbox, if you will. With BlackBerry's reputation in the enterprise, it's probably very high quality."
Like the other EMM products, Bridge uses the Graph API to set policies, but its integration between the Intune container and the Dynamics container for added security is unique.
"That's what to watch for -- how well integrated these things are," Klein said. "IT constantly has to be on the lookout for tools that can complement the EMM they have."
Microsoft Intune hits lower notes
Microsoft's Intune license requirement for Graph API support means Intune will continue to be a mainstay. Microsoft provides Intune licenses along with some of its other products, so many organizations already have them but may not actually use the software.
"By exposing Intune through the Graph API and still requiring Intune, Microsoft is securing their place in the enterprise and letting other platforms still build on top of it," Garver said.
The requirement for Office mobile app management also allows Microsoft to boost its license counts, while acknowledging that IT departments have existing investments in EMM that they want to keep, Klein said.
"They've probably come to the recognition that that's not going to be a viable option to replace an incumbent," he said.
Other EMM vendors provide more advanced capabilities than Intune, so for enterprise customers that need highly scalable management options and a wide variety of security policies, Intune might not be the top choice.
"If you're just looking for basic MDM and MAM, you will very likely be able to do what you need to do with Intune," Garver said.
United Bank was using VMware AirWatch for EMM but recently switched to Intune because of licensing renewal problems with VMware and because Intune provided good enough MAM, Bagchus said. The company now does Office mobile app management with Intune to support employees that use their mobile devices for email and Word document revisions. The per-app VPN feature also allows IT to provide secure access to the bank's web apps.
Still, the Intune console has presented some usability challenges because it recently switched from a Silverlight model to an interface based on Azure Active Directory and HTML5, Bagchus said.
"It needs improvement," he said. "But Microsoft is very proactive about working with customers."