The Garage Series: Managing iOS, Android, and Windows devices with identity-based access and Office 365

In this week’s show, Jeremy Chapman and Mark Kashman follow last month’s Extreme Office 365 Mobility and Off-Road Rally Challenge episode to tell the IT pro story about managing user access and devices ranging from Android and iOS to Windows and Windows Phone. They discuss user-centric data access (access that follows the authenticated user rather than the device) and catch up with long-time Exchange ActiveSync (EAS) engineer Greg Baribault on the evolution of EAS, Allow/Block/Quarantine (ABQ) and the OWA for Devices apps. They also show the EAS controls in action, demonstrating device wipe versus selective wipe, and take an early peek at the upcoming Office 365 Admin app.

So if you caught our show on October 6th, where Guy Gilbert and I rounded up the Office 365 experiences on a broad range of devices – spanning Android, iOS and Windows – and you are an IT admin, you may have been thinking, “this sounds great and all, but how do I manage this?” Today’s show is part two in our series on Office 365 and mobile devices, and we take a deeper look at how the flow of data to mobile devices is managed.

As Mark and I explain on the show, it is really all about user access and how permissions are set for viewing or editing files. In simple terms, if I can prove I am Jeremy Chapman and the right permissions have been applied to the documents I have access to, it shouldn’t matter which device I use to open the file. In that sense, some degree of trust is placed in the authenticated user rather than relying solely on device policies, which also means the strength of that authentication carries more of the weight. This is critical when you have any form of Bring Your Own Device (BYOD) enabled, because policy management of user-owned tablets and phones is limited by design: these are consumer-class devices with limited settings management compared with, for example, a domain-joined Windows PC.

A few years ago, IT would often provision and hand out mobile devices, and users would frequently carry both a personal and a company-provided device; some organizations still do this. Now many companies let users connect their own devices – iOS, Android, Windows Phone and other platforms – to the data and services they need to get work done. If those services are published through authenticated web services, then management is really about assigning permissions to users and groups for data and services. The device – whether it’s a phone, a tablet or even a browser on a home PC or Mac – is just an endpoint for viewing and accessing data, and in every case the user has to authenticate first. You are essentially placing sufficient hurdles in front of the information; you might call them proactive controls. These controls can be enforced at the service level, as with Office 365, or at the network-access level, using Virtual Private Networks (VPNs) to reach data hosted on premises. The advantage of Office 365 over VPN access to on-premises data is that you keep the same file and access controls based on assigned user privileges, while the data can be reached in more ways and from more device types.

Establishing rules for external sharing of site contents in SharePoint Online

So then the question is, “what happens if data stored on a device falls into the wrong hands?” We covered Rights Management Services (RMS) at length in our last show as a way to protect access at the file level even if a file leaks outside the organization. Beyond that, there is a mix of proactive and reactive controls: proactive ones limit which devices can connect and control how much data lands on the device and how it is stored, and reactive ones wipe a device if it is lost or stolen. These controls are the essence of Exchange ActiveSync (EAS), and we brought in Greg Baribault, a Microsoft engineer who has been on the journey from the initial scoping of the early iterations of EAS, through opening up the protocol for other platforms to tie into Exchange and the creation of Allow/Block/Quarantine, to what amount to Microsoft-built EAS clients – OWA for iPhone and OWA for iPad. He also talks about how remote wipe is becoming increasingly targeted, removing only the information populated by Exchange email (selective wipe) rather than the entire device (device wipe).
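The ABQ logic and the two kinds of wipe described above, as an added Exchange Online PowerShell example that is not from the show or from Microsoft’s documentation. It assumes an already-connected Exchange Online PowerShell session (for example via Connect-ExchangeOnline) held by an account with the Organization Management role; contoso.com, the mailboxes, the notification address, the device ID and the device selections are placeholders you would replace with values from your own tenant.

```powershell
# Added example, not from the show: Exchange Online PowerShell for the EAS controls
# discussed above. Assumes an already-connected Exchange Online PowerShell session
# (e.g. Connect-ExchangeOnline) held by an Organization Management account.
# contoso.com, the mailboxes, the DeviceId and the device selections are placeholders.

# ---- Proactive control 1: Allow/Block/Quarantine (ABQ) ----
# Evaluation order for a connecting device: the user's personal exemptions on the
# mailbox (ActiveSyncAllowedDeviceIDs / ActiveSyncBlockedDeviceIDs) win first, then
# organization-wide device access rules, then the organization default access level.

# Organization default: unknown devices are quarantined (no mail sync) and admins are told.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'eas-admins@contoso.com' `
    -UserMailInsert 'Your device is waiting for IT approval before it can sync mail.'

# Device access rule: let a known device family through without per-device approval.
# Characteristic can be DeviceType, DeviceModel, DeviceOS or UserAgent; QueryString must
# match that property exactly as the device reports it (check Get-MobileDevice output).
New-ActiveSyncDeviceAccessRule -QueryString 'iPad' -Characteristic DeviceType -AccessLevel Allow

# Review what is sitting in quarantine, then approve one device for one user.
Get-MobileDevice -ResultSize Unlimited -Filter "DeviceAccessState -eq 'Quarantined'" |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceOS, DeviceId

# 'ApplDLXH1234ABCD' is a placeholder DeviceId taken from the listing above.
Set-CASMailbox -Identity 'jeremy@contoso.com' -ActiveSyncAllowedDeviceIDs @{Add = 'ApplDLXH1234ABCD'}

# ---- Proactive control 2: mobile device mailbox policy ----
# Governs how data is kept on the device and how much of it lands there.
$policy = @{
    Identity                     = 'Default'
    PasswordEnabled              = $true
    MinPasswordLength            = 6
    MaxInactivityTimeLock        = '00:15:00'   # lock after 15 minutes idle
    MaxPasswordFailedAttempts    = 10           # device wipes itself after 10 bad unlock attempts
    RequireDeviceEncryption      = $true
    AllowNonProvisionableDevices = $false       # devices that cannot enforce the policy are refused
    MaxEmailAgeFilter            = 'OneWeek'    # cap how much mail is cached on the device
    MaxAttachmentSize            = 5MB
}
Set-MobileDeviceMailboxPolicy @policy

# ---- Reactive control: wipe ----
# List the user's devices with last sync and any pending wipe so you pick the right one.
Get-MobileDeviceStatistics -Mailbox 'jeremy@contoso.com' |
    Select-Object DeviceFriendlyName, DeviceType, DeviceModel, DeviceAccessState,
        LastSuccessSync, DeviceWipeRequestTime, DeviceWipeAckTime

# Selective wipe: remove only the Exchange account data and leave the personal device intact.
# Assumes the client honors account-only wipe (not every EAS client does). The wipe is queued
# and carried out at the device's next sync, so confirm completion via DeviceWipeAckTime.
Get-MobileDevice -Mailbox 'jeremy@contoso.com' |
    Where-Object { $_.DeviceType -eq 'iPad' } |
    Clear-MobileDevice -AccountOnly -NotificationEmailAddresses 'jeremy@contoso.com' -Confirm:$false

# Device wipe: factory-reset the entire device. Reserve this for corporate-owned or
# genuinely lost devices; on a BYOD phone it destroys the user's personal data too.
Get-MobileDevice -Mailbox 'jeremy@contoso.com' |
    Where-Object { $_.DeviceType -eq 'Android' } |
    Clear-MobileDevice -NotificationEmailAddresses 'eas-admins@contoso.com' -Confirm:$false

# If the phone turns up before it has synced, a queued wipe can still be withdrawn:
# Clear-MobileDevice -Identity <device identity from Get-MobileDevice> -Cancel
```

The order matters in practice: a device that never passes ABQ never receives mail, so nothing needs wiping later; the mailbox policy bounds what a wipe has to remove; and the wipe only executes when the device next checks in, which is why the DeviceWipeAckTime check is the real confirmation rather than the command returning.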

Allow/Block/Quarantine controls in Exchange admin center

Of course we wouldn’t go to this much effort telling the story without showing these tools in action, so we navigate the administration controls in SharePoint and Exchange Online, then show EAS controls, Allow/Block/Quarantine logic and demonstrate a full device wipe experience with an Android phone versus selective wipe with a device running OWA for iPad. In addition to all of this, we show a preview of the forthcoming Office 365 Admin app, which will allow you as an Office 365 administrator to monitor the status of Office 365 services directly from your phone. You’ll have to check out the video to see how everything worked out.

Office 365 Admin app for Windows Phone

Next week we’ll bring on Michael Tejedor from the SQL team for a deep dive on the new features of Power BI and in true Garage Series fashion we’ll demonstrate everything set to the backdrop of a bar – to see once and for all if Business Intelligence and alcohol can mix. See you then.

Thanks for reading,


More resources

SharePoint: Control user access with permissions

Set up Information Rights Management (IRM) in SharePoint admin center 

Office 365 Technology Blog: OWA for iPhone and OWA for iPad

TechNet: Exchange ActiveSync in Exchange Online

TechNet: Mobile Device Mailbox Policies in Exchange Online

Garage Series Video Channel

SharePoint Blog

Garage Series Season 1 Blog Archive

Follow @OfficeGarage on Twitter

About the Garage Series hosts

By day, Jeremy Chapman works at Microsoft, responsible for optimizing the future of Office client and service delivery as the senior deployment lead. Jeremy’s background in application compatibility, building deployment automation tools and infrastructure reference architectures has been fundamental to the prioritization of new Office enterprise features such as the latest Click-to-Run install. By night, he is a car modding fanatic and serial linguist. Mark Kashman is a Senior Product Manager on the SharePoint team focusing primarily on SharePoint Online & SharePoint Mobility. He lives in the Redmond, WA area and enjoys kayaking, biking, hiking, ballet/soccer/science club/swimming (all the Dad duties), and quiet-bird-chirping moments for reading books on his #WP8 Kindle app when not playing that darned addictive Bejeweled LIVE+. Follow Mark on Twitter @Mkashman.