White Papers
Abstract
Use Case - Customer wants to deploy an Office 365 App (e.g. Teams, Outlook, OneDrive) and use MaaS360 to manage application distribution and security.
The following provides a high-level solution and some relevant links.
Content
Microsoft 365 Use Case Guidance
Use Case - Customer wants to deploy a Microsoft 365 App (e.g. Teams, Outlook, OneDrive) and use MaaS360 to manage application distribution and security.
MaaS360 UEM can support your M365 app deployments by enabling the secure distribution, management and access control of all M365 apps and services. Read on to understand how to accomplish this.
The following provides a high-level solution and some relevant links.
- Deploy Applications – Get the app to the right users and use MDM controls to manage and secure the application data.
  - Use the MaaS360 Catalog to publish and distribute the app to the appropriate users, devices and groups. By using the MaaS360 Enterprise Catalog, the apps become "Managed" and flags can be added to dictate policy controls, such as removing the apps when MDM control is removed. See https://www.ibm.com/support/knowledgecenter/en/SS8H2S/com.ibm.mc.doc/pag_source/tasks/pag_apps_add_ios_enterprise.htm
  - On iOS, make sure that Allow Open from Managed to Unmanaged Apps and Allow Open from Unmanaged to Managed Apps are set to No if you have concerns about Data Loss Prevention.
  - If there is a concern about data security on Android, use the Android Enterprise Managed Profile capability and the Managed Google Play Store to deploy the apps to the Managed Profile only. See https://www.ibm.com/support/knowledgecenter/en/SS8H2S/com.ibm.mc.doc/pag_source/concepts/afw_managing_apps_for_afw.htm
- Control Access – Depending on the identity and conditional access solution being used, there are options for controlling access to the app and adding MFA to the login process.
  - AzureAD Conditional Access – Many customers choose to control access to Microsoft 365 services using AzureAD Conditional Access configurations. MaaS360 now integrates with the Microsoft Endpoint Manager Compliance Partner Integration (https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-partners) to sync MaaS360 device compliance data with AzureAD and allow MaaS360 device data to be used within the AzureAD Conditional Access Device Trust framework. When enabled, MaaS360 syncs Device Trust information (isEnrolled, isCompliant) to AzureAD. This allows the customer to include and enforce MaaS360-activated device information in Azure AD Conditional Access rules. In addition, MFA can be enabled in the AzureAD console and, optionally, an Azure AD Conditional Access rule requiring MFA can be applied. See https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-mfa
  - SAML Federation (Ping, Okta, IBM Security Verify) – MaaS360 can leverage IdP integration to ensure only trusted devices connect to your deployed SaaS apps, including all the M365 apps and services. For Microsoft 365 apps to be controlled, they must be configured to use the target IdP. This has likely already been done and is beyond the scope of this article. Once the target Microsoft 365 app is configured as an app in the IdP, Access Rules and MFA policy can be applied.
| Identity Provider | Access Rules | MFA |
| --- | --- | --- |
| Okta | Using the Okta/MaaS360 integration, device trust policies can be configured. See https://exchange.xforce.ibmcloud.com/hub/extension/1766bcfe43278fb5d32360f2f011eb0c | Use Okta MFA or other (e.g. Duo). |
| Ping | Ping can be configured for various user and application trust access rules. See Ping documentation. | Use Ping MFA or other. |
| IBM Cloud Identity | Use the native MaaS360/CI integration for Native App SSO and Conditional Access. See https://www.ibm.com/support/knowledgecenter/en/SS8H2S/com.ibm.mc.doc/concepts/mc_ci_overview.htm | Use IBM Verify or other MFA. |
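As an added example (not from this article or from IBM/Microsoft), the following Microsoft Graph PowerShell SDK script creates the kind of Azure AD Conditional Access rule described above: Microsoft 365 apps on iOS and Android are granted only to devices whose isCompliant flag (the signal MaaS360 syncs through the Compliance Partner integration) is true, and only after MFA. The policy display name and the excluded break-glass account id are assumed placeholders.

```powershell
# Added example, not the article's or IBM's own configuration.
# Requires the Microsoft.Graph PowerShell module and an account allowed to
# write Conditional Access policy.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$policy = @{
    # Assumed placeholder name
    displayName = "M365 mobile: require MaaS360-compliant device and MFA"
    # Report-only first so sign-in logs show the impact; set to "enabled"
    # once the MaaS360 compliance sync is confirmed to be populating devices.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            # Keep at least one emergency-access account out of the rule
            # (assumed placeholder object id).
            excludeUsers = @("<break-glass-account-object-id>")
        }
        # "Office365" is the built-in app group covering the M365 services
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # AND: the device must be marked compliant (the isCompliant value
        # synced from MaaS360) AND the user must complete MFA.
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

A device that MaaS360 has not enrolled or has marked non-compliant never satisfies compliantDevice, so it is blocked regardless of MFA.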
- Secure Data – Use MaaS360 and Microsoft 365 Application Protection technology to secure and contain application data, depending on risk tolerance.
  - Depending on the risk tolerance for users leaking sensitive data from Microsoft 365 applications, a combination of controls can be applied. For customers with a moderate risk tolerance, MaaS360 can apply various controls that provide a reasonable set of protections against most data loss scenarios (see the tables below).

If a high level of control is required because risk tolerance is lower, Microsoft technology is required to prevent users from using cut/copy/paste to and from non-sanctioned apps and from saving files to unauthorized cloud services. This technology is called "Intune App Protection". See https://docs.microsoft.com/en-us/intune/apps/app-protection-policy
These policies can be managed from the Endpoint Manager console or from MaaS360, which can create, manage and deploy these policies. See https://www.ibm.com/support/knowledgecenter/en/SS8H2S/com.ibm.mc.doc/pag_source/tasks/intune_app_policies_config.htm
The following tables list the desired DLP policies and how they might be applied on iOS and Android Enterprise devices.

DLP capabilities required to protect data in Microsoft applications on iOS managed devices.
Assumptions
- Devices are enrolled in MDM.
- Apps are distributed from the Enterprise App Store and are Managed iOS Apps.
- Allow Open from Managed to Unmanaged Apps and Allow Open from Unmanaged to Managed Apps are set to No.
| DLP Feature | MDM Settings | MaaS360 Persona Policy | Intune App Protection | Recommendation for Risk Averse DLP |
| --- | --- | --- | --- | --- |
| iCloud/iTunes backups | Managed apps are not backed up by default. | MaaS360 Persona Policy default. | Data Transfer Policy – Restrict Backups. | Use iOS MDM Policy. |
| Send data to other apps | Managed App Open-In | Persona Policy – allowlist Microsoft apps. | Data Transfer Policy – Allow Policy managed apps. | Use iOS and MaaS360 policies to limit data sharing. |
| Receive data from other apps | Managed App Open-In | Persona Policy – allowlist Microsoft apps. | Data Transfer Policy – All apps with incoming Org data. | Use iOS and MaaS360 policies to limit data sharing. |
| Save As to Cloud Services | NA – MDM cannot influence | Persona Policy – Restrict export of managed content and email attachments. | Data Transfer Policy – Save copies of Org data. | Use MaaS360 Persona Policies and Intune App Protection** (only if there is a concern related to Cloud Save Back). |
| Cut/Copy/Paste | NA – MDM cannot influence | Persona Policy – Restrict Clipboard Export. | Data Transfer Policy – Policy managed apps. | Use MaaS360 Persona Policies and Intune App Protection** (only if there is a concern related to Cut/Copy/Paste). |
| Encrypt | Device Level Encryption | On by default | Encrypt Org data | Use iOS Policy. |
| Contacts, Printing, Browser | NA | As needed | As needed | Settings do not influence interaction between MaaS360 and Microsoft apps. |

** The user may require an Intune license.
DLP capabilities required to protect data in Microsoft applications on Android Enterprise managed devices.
Assumptions
- Device is activated in Android Enterprise Profile Owner or COPE mode.
- Apps are distributed from the Enterprise App Store using the Managed Google Play Store.
- Android Enterprise settings configured to limit data sharing to only Managed Profile apps.
| DLP Feature | MDM Settings | MaaS360 | Intune | Recommendation for Risk Averse DLP |
| --- | --- | --- | --- | --- |
| Cloud backups | Allow Backup to Google set to off. | MaaS360 Persona Policy default. | Data Transfer Policy – Backup Org data to Android backup services. | Use AE Managed Profile to limit data sharing. |
| Send data to other apps | Managed Profile controls. | Persona Policy – allowlist Microsoft apps. | Data Transfer Policy – Allow Policy managed apps. | Use AE Managed Profile to limit data sharing. |
| Receive data from other apps | Managed Profile controls. | Persona Policy – allowlist Microsoft apps. | Data Transfer Policy – All apps with incoming Org data. | Use AE Managed Profile to limit data sharing. |
| Save As to Cloud Services | NA – Managed Profile cannot influence | Persona Policy – Restrict export of managed content and email attachments. | Data Transfer Policy – Save copies of Org data. | Use MaaS360 Persona Policies and Intune App Protection** (only if there is a concern related to Cloud Save Back). |
| Cut/Copy/Paste | Managed Profile controls. | Persona Policy – Restrict Clipboard Export. | Data Transfer Policy – Policy managed apps. | Use AE Managed Profile to limit data sharing. |
| Encrypt | Device Level Encryption | On by default | Encrypt Org data | Use AE Managed Profile to limit data sharing. |
| Contacts, Printing, Browser | Managed Profile controls. | As needed | As needed | Use AE Managed Profile to limit data sharing. |

** The user may require an Intune license.
Document Information
Modified date: 01 March 2021
UID: ibm16147735