Table of Contents
A Solution for Balancing Productivity with Protection
The Evolution of Office and the New Security Challenges
Three Steps to Making Office 365 Secure with AirWatch
Consider Device Type and Usage
Conclusion
WHITE PAPER / 2
Traditional access control mechanisms that are dependent
on network and perimeter security models are no longer
applicable for the mobile and web apps.
With users accessing the apps across desktop, web and
mobile platforms, IT admins need to deal with and support a
large number of Office 365 clients.
Unlike their desktop equivalents, mobile Office apps require
greater consideration for protecting company data on the
devices. For example, when the device is lost or stolen,
or when an employee leaves the organization, security is
compromised.
As an increasing number of users choose to bring their own
devices, it becomes paramount to maintain a clear separation
of personal and work data, and control over how and whether
company data is allowed to be shared across apps.
Finally, IT needs to deliver a unified experience across OS
platforms, apps and app types.
- Managing Office apps across personally owned, corporate-owned, corporate-shared mobile or cloud-domain joined
devices
- Managing Office apps on older on-premises desktop devices
that are connected to the domain or corporate network
- Managing all other app investments, including native
desktop and mobile, line of business (LOB) or internal, SaaS
or web apps
1. Corporate-owned devices
Scenario A: As a new employee at Acme, John gets equipped
with a smartphone and a laptop. When he boots up the
laptop powered by the Windows 10 operating system, he finds
it's already provisioned with Office 365 and set up for single
sign-on (SSO) access to all the corporate applications. And
since the laptop is enrolled under management, the device is
checked in real time against Acme's compliance policies.
When John tries to access Office 365 apps, he is automatically
signed in to the apps. He finds the same SSO experience is
extended to Office 365 web apps that he can launch (and that
are available alongside all other company web, SaaS, remote
and desktop apps) from within the VMware Workspace ONE
app catalog. This is because, on the back-end, the AirWatch
identity module has passed a certificate for this Windows 10
device that authenticates a user into its applications.
Scenario B: Acme enforces compliance policies that can
be set to automatically notify users and admins, and also
revoke access if users continue to remain non-compliant. The
automated escalations are carried out without requiring any
IT involvement. Moreover, the real-time compliance engine
can be used to report if a required app is missing on the user's
device. When missing, the compliance engine automatically
notifies John and his peers to make them aware of the
Office apps that are available to them. With this approach,
Acme is increasing company-wide adoption of its software
investments.
Scenario C: Later, while traveling, John loses his smartphone.
Fortunately, he can fire up the AirWatch self-service portal
for end users on his laptop and issue a remote wipe command.
As a result, the work account and apps are removed from
the device and the device is unenrolled and made safe from
unauthorized user access.
2. Personal/dual-persona devices
Scenario A: Acme has established a BYOD policy, and John,
who is comfortable with his own iPhone and a Windows 10
tablet, is more than happy to take advantage of it.
When John receives an email to review a spreadsheet
containing sensitive financial data that is saved on the
corporate SharePoint, he is able to quickly launch the
Excel mobile app for iOS and access the SharePoint Online
location from within the work app. For this file, John prefers
working on a larger screen, and he tries to save the file over
to his personal Dropbox folder that syncs with his home PC.
However, he's notified and blocked from adding the personal
content share to the work app. This is due to Acme's corporate
data loss prevention (DLP) policies that restrict employees from
sharing work data to unmanaged or personal locations.
Scenario B: On his Windows 10 tablet with Enterprise
Data Protection [2] policies, Word 2016 is defined as a work
application. When John saves a document using the Word
2016 app, the file is automatically encrypted to Acme's primary
domain. Subsequently, John cannot open the document using
an unmanaged app, such as Notepad, which wasn't defined
by admins as a work app. Additionally, John cannot open the
encrypted work document even if he unenrolls his personal
device.
Scenario C: Later, John leaves the company. Because
AirWatch has access to only company-owned information
on John's BYOD phone and tablet, only the enterprise
applications will be wiped from John's devices on his last day
at work.
[2] Enterprise Data Protection policies are currently in beta and made available by Microsoft to Windows TAP
and Insiders program members only.
3. Unmanaged devices
Scenario A: John also owns an iPhone that is currently not
managed under any device management policies. When
he goes to his native app store and downloads the VMware
Workspace ONE app, the app prompts John for his corporate
credentials once and asks him to set up a unique PIN that will
give him access to all the work apps from a unified location.
Upon recognizing John's corporate email address, John's
device is automatically routed to sign in via VMware
Identity Manager. With the Workspace ONE app, John gets
SSO and conditional access to all his work apps (native,
remote, SaaS) from one location without requiring the device
to be managed.
Scenario B: As Acme migrates its employees to the company's
new Office 365 email service, admins can flexibly set
Exchange ActiveSync policies. These policies co-exist, auto-remove and also let admins define enrollment windows where
unmanaged devices can still sign in to the Office 365 email
service. Upon setting up his email profile, John is automatically
prompted with an enrollment email providing all the necessary
instructions to enroll his device into management. If John
misses the designated window to complete his enrollment, the
conditional access policies can be defined to revoke access
to unenrolled devices, and thus cut John off from the email
service until he brings his device under management.
VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright 2016 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
Item No: 16-VMWA-3252_White_Paper_AirWatch_Office365
05/16