
VMware AirWatch + Microsoft Office 365: Enabling More Secure Collaboration

WHITE PAPER

Table of Contents
A Solution for Balancing Productivity with Protection
The Evolution of Office and the New Security Challenges
Three Steps to Making Office 365 Secure with AirWatch
Consider Device Type and Usage
Conclusion


A Solution for Balancing Productivity with Protection


As a cloud-based business services suite, Microsoft Office 365 provides organizations with access to web, mobile and desktop
versions of traditional Office software tools (Microsoft Word, Excel, PowerPoint), cloud storage space for enterprise file sharing
(via OneDrive for Business), and hosted services for communication and social (Microsoft Exchange, SharePoint, Skype for
Business). By making these services available across desktop, mobile and web platforms, Microsoft is experiencing increased
adoption from consumers and businesses alike, and also expanding the possibilities for anytime-anywhere collaboration.
The cloud service has been well received across large enterprises, with more than 70 percent of Fortune 500 companies having
licensed Office 365.[1] The service is also appealing to small and medium businesses that want to avoid the cost and complexity
of maintaining on-premises IT infrastructure.

What's whetting the appetite?


With Office 365, enterprises are reaping the rewards of the efficiency of cloud-based services and the freedom to focus
on their business. For example, many organizations are realizing that managing their Exchange Server on-premises does not
provide any significant benefit over hosting it in the cloud. By migrating to the cloud service, they can replace much of their
capital expense on infrastructure and software licenses with a more predictable subscription model. Their IT staff
can then be repurposed to execute more strategic tasks rather than performing run-of-the-mill maintenance operations.
Users can also take advantage of Microsoft's native mobile apps, which further expands the potential for remote and traveling
worker use cases within an organization. Further, with a subscription model, users are assured they always have access to the
latest application versions, which also include new features and security fixes, as soon as they are released.
Yet for all its promise of anytime-anywhere collaboration, Office 365 poses a meaningful security challenge for the IT
organization. If you're opening up access to business apps from the Internet, how do you keep the data within the apps and
on corporate repositories secure and off limits to unauthorized users and non-compliant devices? How do you protect data if
a device is lost or stolen? How do you make it possible for users to sign in automatically, and securely, using their corporate
identity?
In this white paper we'll explore how you can address these questions with VMware AirWatch and enable the secure use of
Office 365 across corporate-owned devices, personal devices, or unmanaged devices.

[1] Microsoft, Office 365 Adoption Stats from Microsoft, June 2015.



The Evolution of Office and the New Security Challenges

For traditional on-premises services such as Exchange, SharePoint or Active Directory, users previously had to get
through a firewall. Security was maintained by split-level network access control (NAC), or by implementing secured
DMZ network zones. Subsequently, access to these back-end repositories was granted through an email gateway.

With the advent of Office in the cloud, and the expectations for anytime-anywhere access, network security has become
more complicated.

• Traditional access control mechanisms that depend on network and perimeter security models no longer apply to
mobile and web apps.
• With users accessing the apps across desktop, web and mobile platforms, IT admins need to support a large number of
Office 365 clients.
• Unlike their desktop equivalents, mobile Office apps require greater consideration for protecting company data on the
devices. For example, when a device is lost or stolen, or when an employee leaves the organization, the company data
on that device is exposed unless it can be removed remotely.
• As an increasing number of users choose to bring their own devices, it becomes paramount to maintain a clear separation
of personal and work data, and control over how and whether company data is allowed to be shared across apps.
• Finally, IT needs to deliver a unified experience across OS platforms, apps and app types:
  - Managing Office apps across personally owned, corporate-owned, corporate-shared mobile or cloud-domain joined
devices
  - Managing Office apps on older on-premises desktop devices that are connected to the domain or corporate network
  - Managing all other app investments, including native desktop and mobile, line of business (LOB) or internal, SaaS
or web apps

Three Steps to Making Office 365 Secure with AirWatch

If your organization is considering Office 365, how can you best take advantage of its potential for anytime-anywhere
collaboration while also maintaining secure access to, and storage of, corporate data? By supporting Office 365 with
AirWatch, you can address security concerns in three steps.

1. Enable users with self-service access to applications and convenient single sign-on.
• Support syncing of your existing on-premises directory services to ensure access to Office 365 is restricted to
licensed users only.
• Push Office 365 apps and email configurations automatically, or deploy on demand.
• Set up users for single sign-on (SSO) access to the Office apps alongside all other enterprise app investments.
• Support integration with existing or best-of-breed identity solutions that your organization may already be using.

2. Ensure access is restricted to authorized users and compliant devices by implementing conditional access policies.
• Restrict access to Office 365 applications and services based on whether or not the device meets the required level
of management and company-defined compliance criteria, such as device type, OS version, network location, etc.
• Provide flexibility to require different claims rules (certificates, domain membership, VPN-based) for
authentication based on the device platform (mobile, desktop or web) and the app requesting access.

3. Protect company data on the device, in use and in transit, by deploying containerization and data protection
policies. Whether it's a web app or a native app, the AirWatch device management and compliance policy engine helps
you control which apps can access your data and how data is shared.
• Leverage native platform controls to containerize apps, encrypt devices, set data loss prevention policies (open in,
cut/copy/paste, etc.), and restrict access to company data from untrusted apps.
• Enable IT administrators as well as end users to selectively wipe all work data and apps from lost or stolen devices.
• Protect data in transit with TLS/SSL encryption and per-app VPN for security-sensitive deployments.


Consider Device Type and Usage


Each of the security measures we just discussed will vary in significance with the type of device you are protecting and
how those devices are being used. To explain what we mean, let's examine some use cases for each of the three principal
types of devices: corporate-owned, personal (or shared) and unmanaged.

1. Corporate-owned devices
Scenario A: As a new employee at Acme, John gets equipped with a smartphone and a laptop. When he boots up the
laptop, which runs Windows 10, he finds it is already provisioned with Office 365 and set up for single sign-on (SSO)
access to all the corporate applications. And since the laptop is enrolled under management, the device is checked in
real time against Acme's compliance policies.
When John tries to access Office 365 apps, he is automatically signed in. He finds the same SSO experience extends to
the Office 365 web apps, which he can launch, alongside all other company web, SaaS, remote and desktop apps, from
within the VMware Workspace ONE app catalog. This works because, on the back end, the AirWatch identity module has
issued a certificate to this managed Windows 10 device, and that certificate is what authenticates the user to the
applications.
Scenario B: Acme enforces compliance policies that can be set to automatically notify users and admins, and to revoke
access if users continue to remain non-compliant. The automated escalations are carried out without requiring any IT
involvement. Moreover, the real-time compliance engine can be used to report when a required app is missing from a
user's device. When one is missing, the compliance engine automatically notifies John and his peers to make them aware
of the Office apps that are available to them. With this approach, Acme increases company-wide adoption of its
software investments.
Scenario C: Later, while traveling, John loses his smartphone. Fortunately, he can open the AirWatch self-service
portal for end users on his laptop and issue a remote wipe command for the work data. As a result, the work account and
apps are removed from the device, the device is unenrolled, and the company data on it is no longer exposed to whoever
holds the phone.

In the corporate-owned scenario, John's experience is rooted in the following AirWatch capabilities.
• Install applications and push them automatically for an out-of-the-box provisioning experience.
• Provide SSO access and a unified app catalog for all work apps.
• Enforce conditional access policies on all work apps, including Office 365 applications.
• Encrypt data at rest and in transit.
• Wipe devices and de-provision accounts to protect sensitive information in case devices are lost or stolen, or if
users leave the company.

2. Personal/dual-persona devices
Scenario A: Acme has established a BYOD policy, and John, who is comfortable with his own iPhone and a Windows 10
tablet, is more than happy to take advantage of it.
When John receives an email asking him to review a spreadsheet containing sensitive financial data that is saved on
the corporate SharePoint, he is able to quickly launch the Excel mobile app for iOS and access the SharePoint Online
location from within the work app. For this file, John prefers working on a larger screen, and he tries to save the
file to his personal Dropbox folder that syncs with his home PC. However, he's notified and blocked from adding the
personal content share to the work app. This is due to Acme's corporate data loss prevention (DLP) policies, which
prevent employees from sharing work data to unmanaged or personal locations.
Scenario B: On his Windows 10 tablet with Enterprise Data Protection[2] policies, Word 2016 is defined as a work
application. When John saves a document using the Word 2016 app, the file is automatically encrypted to Acme's primary
domain. Subsequently, John cannot open the document using an unmanaged app, such as Notepad, which wasn't defined by
admins as a work app. Additionally, John cannot open the encrypted work document even if he unenrolls his personal
device.
Scenario C: Later, John leaves the company. Because AirWatch has access only to company-owned information on John's
BYOD phone and tablet, only the enterprise applications and data will be wiped from John's devices on his last day at
work.

[2] Enterprise Data Protection policies are currently in beta and available from Microsoft to Windows TAP and Insiders
program members only.


In the use cases for personal devices, John is operating within the following security parameters.
• Differentiate between corporate and personal data by taking action only on corporate data, preventing copy and
paste between personal and corporate apps, containerizing apps and encrypting data by leveraging native platform
controls.
• Allow users to access and install all work apps on demand from a unified app catalog.
• Allow users to flexibly choose the level of control they desire, based on the apps and resources to which they
need access, with adaptive management.
• Separate work and personal data based on native platform DLP capabilities.
• Federate identity to VMware Identity Manager, so users are authenticated and device compliance is validated before
allowing access to web apps.
• Apply different claims rules for authentication based on the device platform and app requesting access.

3. Unmanaged devices
Scenario A: John also owns an iPhone that is currently not managed under any device management policies. When he goes
to his native app store and downloads the VMware Workspace ONE app, the app prompts John for his corporate credentials
once and asks him to set up a unique PIN that will give him access to all the work apps from a unified location. Upon
recognizing John's corporate email address, the app automatically routes John's sign-in to VMware Identity Manager.
With the Workspace ONE app, John gets SSO and conditional access to all his work apps (native, remote, SaaS) from one
location without requiring the device to be managed.
Scenario B: As Acme migrates its employees to the company's new Office 365 email service, admins can flexibly set
Exchange ActiveSync policies. These policies co-exist with existing ones, auto-remove, and let admins define enrollment
windows during which unmanaged devices can still sign in to the Office 365 email service. Upon setting up his email
profile, John is automatically sent an enrollment email providing all the necessary instructions to enroll his device
into management. If John misses the designated window to complete his enrollment, the conditional access policies can
be defined to revoke access for unenrolled devices, and thus cut John off from the email service until he brings his
device under management.

Scenario C: John travels on a business trip and tries logging in to the Office 365 web apps using a shared PC in a
hotel lobby. Because the terminal is considered an unrecognized and unmanaged device, John finds that he is unable to
sign in to Office web apps or install work apps, due to the conditional access measures set by his company.
John's access to services, as described above, is based on the following security measures for unmanaged devices.
• Provide conditional access controls and equip IT administrators to prevent unauthorized access to corporate data
and resources.
• Maintain multiple email deployments as organizations migrate to Office 365 email services and new users transition
into management; and cut users off from service if their devices remain unmanaged beyond the transition window.
• With conditional access policies, ensure that non-compliant and unmanaged devices are restricted from installing
apps and setting up email.
• Prevent users from signing in to Office web apps and services from unmanaged devices and thereby bypassing the
security measures set by the company.
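To make the decision logic behind step 2 of the three steps (conditional access on device posture) and John's scenarios concrete, here is an added example of a hypothetical conditional-access evaluator. It is not AirWatch, Workspace ONE or Office 365 code; the posture fields, app names, minimum OS versions and the 14-day enrollment window are assumptions chosen to model the scenarios on this page. It reproduces the escalation split the paper describes: a missing required app only notifies, an out-of-date OS or missing encryption revokes access, an unenrolled device gets mail only inside the enrollment window, and an unrecognized browser session is always blocked.

```python
"""Hypothetical conditional-access evaluator.

Added example for this page: it is not AirWatch, Workspace ONE or Office 365
code, and every field name, app name and threshold is an assumption chosen to
model the decisions the paper describes.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Tuple

ALLOW, BLOCK, ENROLL_REQUIRED = "allow", "block", "enroll_required"


@dataclass(frozen=True)
class DevicePosture:
    platform: str                 # "ios", "android", "windows10", or "web" (browser on an unknown host)
    enrolled: bool                # under MDM management
    encrypted: bool               # device encryption reported as enabled
    os_version: Tuple[int, ...]   # compared as a tuple, so (9, 3, 1) < (9, 10)
    first_seen: datetime          # first contact with the mail/identity service
    installed_apps: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class AccessPolicy:
    min_os: Dict[str, Tuple[int, ...]]   # platform -> minimum OS version
    required_apps: FrozenSet[str]        # missing app -> notify only (paper's scenario B)
    enrollment_grace: timedelta          # how long an unenrolled device may still use mail
    web_requires_managed: bool = True    # hotel-lobby PC case


def compliance_findings(posture: DevicePosture, policy: AccessPolicy) -> List[Tuple[str, str]]:
    """Mimic the compliance engine's escalation levels.

    'revoke' findings deny access; 'notify' findings only message the user and admin.
    """
    findings: List[Tuple[str, str]] = []
    minimum = policy.min_os.get(posture.platform)
    if minimum is not None and posture.os_version < minimum:
        findings.append(("revoke", f"OS {posture.os_version} below minimum {minimum}"))
    if not posture.encrypted:
        findings.append(("revoke", "device encryption not enabled"))
    for app in sorted(policy.required_apps - posture.installed_apps):
        findings.append(("notify", f"required app missing: {app}"))
    return findings


def evaluate(posture: DevicePosture, app: str, policy: AccessPolicy, now: datetime) -> Tuple[str, str]:
    """Decide whether `app` may be opened from this device. Returns (decision, reason)."""
    # An unrecognized browser session never gets in when the policy demands management.
    if posture.platform == "web" and not posture.enrolled and policy.web_requires_managed:
        return BLOCK, "unrecognized, unmanaged browser session"
    if not posture.enrolled:
        # During a mail migration, unenrolled devices keep mail access only inside the window.
        if app == "exchange-online" and now - posture.first_seen <= policy.enrollment_grace:
            return ENROLL_REQUIRED, "inside enrollment window; send enrollment instructions"
        return BLOCK, "device not enrolled"
    findings = compliance_findings(posture, policy)
    revokes = [msg for level, msg in findings if level == "revoke"]
    if revokes:
        return BLOCK, "; ".join(revokes)
    notices = [msg for level, msg in findings if level == "notify"]
    reason = "managed and compliant"
    if notices:
        reason += " (notify: " + "; ".join(notices) + ")"
    return ALLOW, reason


# Constructed sample postures modelling John's devices; not real telemetry.
NOW = datetime(2016, 5, 16, 9, 0, tzinfo=timezone.utc)
POLICY = AccessPolicy(
    min_os={"ios": (9, 3), "android": (6, 0), "windows10": (10, 0)},
    required_apps=frozenset({"Word", "Excel", "Outlook"}),
    enrollment_grace=timedelta(days=14),
)
OFFICE = frozenset({"Word", "Excel", "Outlook"})
CORP_LAPTOP = DevicePosture("windows10", True, True, (10, 0), NOW - timedelta(days=30), OFFICE)
CORP_LAPTOP_NO_EXCEL = DevicePosture("windows10", True, True, (10, 0), NOW - timedelta(days=30),
                                     frozenset({"Word", "Outlook"}))
BYOD_IPHONE_OLD_OS = DevicePosture("ios", True, True, (9, 0), NOW - timedelta(days=3), OFFICE)
NEW_UNMANAGED_PHONE = DevicePosture("android", False, False, (6, 0), NOW - timedelta(days=2))
STALE_UNMANAGED_PHONE = DevicePosture("android", False, False, (6, 0), NOW - timedelta(days=20))
HOTEL_PC = DevicePosture("web", False, False, (0,), NOW)

if __name__ == "__main__":
    for name, dev in [("corp laptop", CORP_LAPTOP), ("corp laptop, Excel missing", CORP_LAPTOP_NO_EXCEL),
                      ("BYOD iPhone, old iOS", BYOD_IPHONE_OLD_OS), ("new unmanaged phone", NEW_UNMANAGED_PHONE),
                      ("stale unmanaged phone", STALE_UNMANAGED_PHONE), ("hotel PC browser", HOTEL_PC)]:
        print(f"{name:28s} mail -> {evaluate(dev, 'exchange-online', POLICY, NOW)}")
```

The two-level finding list is the point worth copying: keeping "notify" and "revoke" findings separate is what lets a missing app trigger an adoption nudge while a missing disk encryption setting cuts access, and the grace window applies only to the mail service, so the migration path cannot be used to reach SharePoint or other services from an unenrolled device.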

METROBANK: STRIKING A BALANCE BETWEEN COLLABORATION AND SECURITY
From its beginnings in 2010, England's MetroBank has grown rapidly, adding 27 stores by 2015 with plans to open 200
by 2020. As part of its business model, MetroBank is also intent on being an innovator in IT, seeking high standards of
communication and collaboration among its staff. And the Microsoft Office 365 suite plays a key role in achieving that
objective.
But as a financial institution, MetroBank is uniquely sensitive to data protection. And with Office 365, the bank
faced several security challenges, including lack of endpoint access control, especially for BYOD users; the need to
monitor the actions of users and administrators across apps such as Exchange, Yammer, and SharePoint; and detecting
malicious behavior and use of stolen credentials.
Using AirWatch through third-party vendor Imperva Skyfence, MetroBank established secure access for Office 365. With
AirWatch, MetroBank gained visibility and control over all its endpoint access, the ability to monitor actions of users
and administrators across Office 365 applications, and the ability to react to and remediate security threats in real
time.

Conclusion: Where Do I Start?

If you're among the growing number of organizations poised to embrace cloud-based business services such as Office
365, AirWatch can guide you through the three stages of adoption.
Phase 1: Kick off the process by scheduling a discovery session with an account manager. We can assess how your IT
environment is set up today and provide direction for how you can migrate to the cloud.
Phase 2: Once you've evaluated your IT environment, you're ready to set up Office 365 Mobile Email Management (MEM)
and establish your migration workflow. AirWatch supports co-existence of multiple email deployments to enable phased
migration of your users to Office 365 services.
Phase 3: It's time for rollout. We can help you conduct end-to-end testing of the implementation, provide continued
enterprise support and get all devices on-boarded. AirWatch also issues automated notifications, triggers escalation
actions and supports organizations with BYO and privacy campaigns to help you encourage adoption.
With AirWatch, you can enable user self-service activation and secure single sign-on access to Office apps,
conditional access so that only authorized users and devices can reach Office apps, containerization and encryption of
data on the device, and remote wipe of enterprise apps and data. These capabilities can be implemented across platforms
and extended beyond the Office 365 apps to all of your app investments: internal, native and SaaS apps.

EACH OS IS DIFFERENT
Regardless of the operating system of the devices you need to manage, AirWatch enforces containerization of Office 365
apps to prevent data loss across all platforms.
Apple iOS
Only trusted work apps get permission to access work resources; personal apps don't. And with AirWatch, you can enact
policies such as password requirements, encryption, prevention of saving to personal data shares, and remote wiping of
devices.
Android
Work apps sit in a container, allowing clear separation of work and personal apps; for example, a user can have both a
Chrome work app and a Chrome personal app. AirWatch can also disable screen capture, require a device password and
encryption, and enable remote wipe.
Windows 10
Prevent sharing of Office 365 data between work and personal apps by requiring a device PIN, enabling device and
file-level encryption, or preventing functions like copy, paste, and drag-and-drop.
Learn More
For more information on how to secure Office 365, download
the white paper AirWatch Support for Office 365.

Join Us Online

Blog: blogs.air-watch.com/category/airwatch-emm-solutions
Twitter: www.twitter.com/airwatch
Facebook: www.facebook.com/airwatch

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright 2016 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
Item No: 16-VMWA-3252_White_Paper_AirWatch_Office365
05/16
