Call us: (407) 567-0096
Open a ticket
Chat with us
USA flag German flag Spanish flag
BLOG Published on 2016/10/30 by Asitha De Silva in Tech-Tips

Microsoft Intune – Manage Office Apps with Security

Most of the large Office 365 environments tend to deploy Enterprise Mobility suite to manage their mobile devices. This is mainly because some office 365 plans contain the EMS licenses and some Office 365 deployments require EMS features such as AD premium. From this post I’m trying to explain how we use Microsoft Intune to facilitate Office 365 apps, security and management of devices.


Office apps are available for download in Google, Apple and windows stores. It’s free to use, but you need to sign in using a live account for applications like OneDrive. In Enterprise environment we cannot allow users to use their personal account for these apps, it will pose a security risk for the company data. Office 365 accounts such as E3 plan have all Office apps plus OneDrive for business. After user enroll their device to the Intune, we can push all the office apps and user will have to login to them using the corporate credentials of their Office 365 plan. So it will enable all the office apps plus corporate can protect data by applying policies to the apps. Office apps can be managed as Managed Apps.



Deploy Office Apps



  1. Login to the Intune Portal
  2. Go to the Apps Tab and click Add App, it will download application publish plugin
  3. For the android apps select External link


  4. For iOS select Manage iOS Apps


  5. Next you need to get the URL of the Office app paste it in the App URL

    - Office apps for android can be found on - https://play.google.com/store/apps
    - Office apps for iOS can be found on - https://itunes.apple.com
    - If you feel difficult to find the app from stores, google it and get the URL



  6. As an example following URL for OneDrive for Android and iOS
    - Android - https://play.google.com/store/apps/details?id=com.microsoft.office.onenote&hl=en
    - iOS - https://itunes.apple.com/us/app/microsoft-onedrive-file-photo/id477537958?mt=8




  7. In Next window provide the Information of the App, add the Application icon so it will display in the Phone. Featured app tick will show the App in the home window of the user’s company portal


  8. Upload the Application


  9. Next you have to publish the app, to do this select the App and click Manage Deployment.


  10. Select User group that you want to deploy the app and Click Add, Next


  11. In Deployment Action select Available Install and Next


  12. Next select the application management policy, I will discuss the creation of this in next topic.


  13. Click next to VPN, Mobile App Configurations and Finish. After few minutes application will be available in the Company portal. Select the Application and Install.

Secure Office Apps using Application Management Policy (Manage Apps)

Application Management policy is a configuration policy in Intune which can provide some sort of a management and control authority over the deployed applications. When considering Office 365 Apps following configurations are important to implement.


  • Restrict cut, copy, and paste with other applications.

    You can restrict coping and moving data from office apps to other apps, so you can copy Excel data to Word app or Outlook to send a mail but you cannot paste that data to other apps which are not managed by Intune. 

  • Require simple PIN Access

    Mobile phone is a personal device, but you cannot say that to your wife or your children’s. J, they might ask for the device to play a game or surf the internet. So the initial screen lock will not help in these moments because you have to unlock the device for their use.  So how we protect our Emails and Documents in these scenarios? Implementing PIN access on manage apps will require you to punch a simple numeric code on Opening Manage apps, such as OneDrive and Outlook. So the office apps are getting additional security from unauthorized use or miss use. 

  • Prevent Save As

    You can configure to restrict Save As on Office apps (Manage apps). So data from office apps such as email attachments cannot be saved in the local storage of the device. But you can save the data in the OneDrive because it’s configured as a Manage Apps. 

  • Block screen capture – Android Only 

    This is still an android only feature, which you can block getting screen shorts on manage apps. 

  • Also you can implement following configurations
    - Block managed apps from running on jailbroken or rooted
    - Encrypt app data
    - Prevent cloud backups










To configure the policies, follow these steps


  1. Login to the Intune portal, Policy tab – Configurations Policies
  2. Click Add
  3. For iOS , open software tab and select Mobile Application Management and Create policy
  4. For Android, open software tab and select Mobile Application Management and Create policy 


  5. Add the configurations to the policy. 





















Conditional Access for Office 365 Emails

Conditional access is an evolving feature in Intune which require a separate article to explain how it works. But here I’m addressing briefly on how to use Conditional Access to secure your Office 365 emails. Enabling conditional access for exchange online policy will enforce device should be compliant and enrolled to access the company emails. Following settings can be implemented for email access.


  • Only Enrolled devices can access Emails
    Device need to be enrolled first to access emails, if the device is wiped or user uninstalled the company portal (un-enrolled), then user need to enroll the device back to Intune to access the corporate emails.


  • Restrict OWA
    You can restrict OWA access to the corporate emails. So user have to go through the Outlook app deployed by Intune, this is a manage app and security controls are enforced to it.


  • Block Exchange ActiveSync apps use basic authentication.
    You can restrict third party apps and some default email clients of the device to access the corporate email account. This is important because when organization want to wipe the corporate data, email clients should support the wipe.



Before implementing Conditional access to Exchange online policy, you need to create a Compliance policy to all devices. And also you have to test it using a test user group. Create a test group and target that group first. Follow these steps to enable conditional access.


  1. Login to the Intune Portal, Policy – Exchange online policy 
  2. Tick Enable conditional access policy
  3. Select the platforms and OWA a settings you prefer
  4. In policy deployment select the test user group and save.
     

  5. Now all the users in the group which is accessing corporate emails without enrolling will receive an email asking to enroll their device to access emails.


Microsoft Intune is evolving day by day, new features, new configurations, new polices. By the time you are following this article technology might be updated. And this document is not. So google it if you came to any conflict. Hope this article is useful

Thanks


Asitha De Silva









Asitha De Silva

Consultant Cloud Solutions

Expert in architecting and implementing cloud-based infrastructure solutions.

Popular
Volume Activation Management Tool 3.1 – Implementing and Activating
By  Asitha De Silva  -   2015/12/13
Windows File Server 2016 | Map Network Drive for Users and Group Drive using GPO
By  Asitha De Silva  -   2017/12/28
Multiple Password Policies for Domain Users
By  Asitha De Silva  -   2019/11/16
Newsletter

To keep up with the news and updates related to our products, make sure to subscribe to our newsletter!

Copyright © 2025 Terminalworks. All Rights Reserved

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Cookie Policy. Privacy details