Enterprise Mobility + Security


Today marks the three-year anniversary of two big moments in Enterprise Mobility:  On this date in 2014 we announced Microsoft Office on the iPad and the Enterprise Mobility Suite (EMS).

This announcement was made at the very first public event for our newly appointed CEO, Satya Nadella. If you missed the news that day – the recap is here.

I have always thought it was interesting (and not a little bit significant) that our new CEO used his first public appearance to make these announcements; it really highlights the importance of both Office 365 and EMS to Microsoft and our customers.

The following three years have been amazing.  The Office mobile apps are now being used on tens of millions of devices (with Outlook being the most highly rated e-mail app on iOS and Android), and EMS has grown to over 41,000 enterprise customers.

With the benefit of hindsight, and maybe a little nostalgia, I wanted to give everyone a look behind the curtain at the discussions we were having and the key decisions we were making in 2012 and 2013 as we planned and built EMS and created the integrated scenarios with Office 365.

This long and careful process brought together leaders from across Microsoft.  Together we studied and projected what we anticipated would be the key trends and the needs of the IT community (and the organizations those IT teams supported). These strategy sessions were fascinating; they featured expertise in management, identity, security, productivity, collaboration, and more.

Here are some of the key things we identified, and decisions we made, beginning 5 years ago:

Managed Mobile Productivity

As we planned out the core scenarios for mobility in the Enterprise, we were fortunate to have a front row seat to the incredible interest that was building around Office 365.  We also knew a deeply held secret at the time:  The exhaustive engineering project aimed at bringing the Office apps to iOS and Android was already well underway.  Building that software had initially met with some internal resistance, but, after the release of the iPad in 2010, we began to radically rethink what mobile computing looked like.  We also recognized that more and more business would be conducted on mobile devices (with Office playing a huge role here), and that the first/primary use case that organizations wanted was to enable corporate e-mail on mobile devices.

At the outset, there were a couple significant challenges that required elegant solutions.

First, we needed to ensure the solution we built was both “loved by users and trusted by IT.”  Second, because the Office mobile apps get used in both business and personal settings, we needed the ability to apply data loss prevention policy to corporate content while staying out of any personal content and data.  In other words, we needed to be able to protect corporate documents and protect personal privacy. Third, we knew from our own experience that many users would not want to have IT “taking over” their personal devices – and this issue needed a solution.

As we built EMS in 2012/2013, the other EMM solutions in market may have been loved by IT, but they were certainly not loved by users.  These solutions had no concept of multi-user capabilities on iOS and Android, and the only way to apply policy to corporate apps and data was to fully manage the entire device.  This was bad news all around.

To avoid these same serious flaws, we had to get extremely bold with our innovations in each of these areas (and many others, too).  The result is what’s currently available today – something that we believe is the premier solution for managed mobile productivity.  The combination of Office 365 + EMS + Windows 10 enables what we call the Secure Productive Enterprise.

When I stop and look at how much progress was made so quickly, I am grateful we had so many perspectives and so much experience involved in the planning phase.

Identity Driven Security

While we were planning EMS, we had a firm understanding that compromised identities were the primary attack vector for the attacks we repeatedly saw devastating companies.  We were fortunate to have Active Directory – the authoritative source of corporate identities – right in our backyard, and we were able to combine the astronomically large pool of learnings from running AD with what we’d learned from operating so many of the world’s largest consumer services (Outlook.com, Messenger.com, Xbox Live, etc.).  In other words, we had a ton of real-world experience when it came to something as foundationally important as protecting identities.

Another big boost to this planning/building process was that in mid/late 2012 we were just beginning to hit our stride with Azure and the rich services that Azure could offer around machine learning, data analytics, and Artificial Intelligence.  We could see that the shift to the cloud was not only accelerating but that corporate identity – the cloud corporate identity – would become increasingly important (even fundamentally essential) in the mobile-first, cloud-first world.  We could see that the traditional perimeter-based security model that had been relied upon for decades would not be effective in a world of cloud services. The world needed to add a new security model – and that model had to be based on identity.

By working with the Azure engineering organization, we were able to take all of that capacity/expertise/knowledge and build upon it to start innovating methods to identify suspicious patterns that indicate compromised identities in the massive amount of data/telemetry that comes back to Microsoft every second.

This process drew together a unique mix of experience and perspectives from across identity and cloud computing, combined with the massive amount of data Microsoft has available to use on behalf of our customers.  The culmination of this is what you’ve heard me talk about often:  Identity-driven security.

Never before in my 25+ year career have I enjoyed something more than being a part of the genesis of this identity-based security model.  This deep level of protection could not have been built anywhere else in the industry – and it is awesome to see the incredible things Microsoft can do (and the combined effort we can summon) to make our customers more secure.

Delivered as Cloud Services

One of the most significant (and, looking back, one of the most profound) decisions we made while planning EMS was that these solutions would be delivered as cloud services.  While these solutions would certainly connect with and extend our on-prem solutions (like Active Directory and ConfigMgr), the cloud would be required.  This type of architecture was nearly unthinkable at the time – and it still doesn’t exist anywhere else.

This idea wasn’t completely out of left field, however – by 2012 we could see the beginnings of a move from on-premises Office to Office 365.  We were also just beginning to see the move to the public cloud for compute and storage.  By sharing ideas and learning from the Office and Azure teams’ experiences, it became very clear that the move to cloud was real and set to accelerate industry wide.  Our big takeaway during this period was that increased usage of the cloud would require services like Office 365 and EMS to be far more agile to keep up with the rate of change and the expected timetable of new capabilities.  Finding a way to develop this agility took a lot of innovation and partnership with the Office team.

If EMS was going to thrive, it had to be a cloud service.  But keep in mind that in late 2012 and early 2013 there were no customers asking for this.  This was a carefully calculated risk on our part; we had confidence that this architecture would enable the kind of performance and functionality our customers would soon need.  So we made a big bet.

The rest is history.

This story is one I’ve repeated quite a few times when meeting with senior IT leaders from around the world.  The two most common questions I get are:

  • What has the leadership at Microsoft done to change the company so dramatically over the past three years?
  • How are the EMS teams able to innovate so quickly?

The answer to both questions is no mystery.  I say the same thing every time:  The cultural changes Satya has driven have been the biggest factor, but architecture has also played a huge role.  The cloud services architecture enables the teams supporting these products to innovate and update their services constantly.  The telemetry that comes back from these services enables us to learn what is working and what isn’t within hours – allowing us to improve the products even more.

I remember, in the really early days of Intune, customers would ask if we delivered the Intune capabilities on-premises. Since we didn’t (and wouldn’t) have an on-premises solution, many customers decided they had to go another direction.  I’ll be honest, there were times in 2012 where I was nervous if we had made the right decision with our architecture.  But, whenever we looked at other solutions, we just could not get comfortable with their client-server architecture.  The client-server setup could never give us the scale and agility that we knew would be needed for what was coming over the next decade.  Sooner or later, every other vendor is going to have to start the long process of rewriting their solutions as cloud services.

It has been an amazing experience to go back and talk with those same customers who evaluated the early version of Intune and hear their stories about migrating to Intune from another EMM product and subsequently reaping the rewards of a cloud-based service.

Comprehensive Capabilities

When we defined (and then later announced) EMS, the idea of bringing together identity, security, and management into a single, integrated solution was new.  At the time, these were solutions that were thought of as separate and unique categories addressed by solitary, standalone products.  For the first 18 months after we released EMS, one of our largest challenges was helping organizations step back and take a broader view of Enterprise Mobility – rather than the traditional way of viewing them as siloed capabilities.

When EMS launched, most organizations had a wide variety of different solutions deployed – one vendor would be used for device management, another for identity management, yet another (if not more) for security, another still for enterprise file sync, etc.  Each of the MDM providers had also expanded to MAM and had built their own apps for things like e-mail and document editing.  Not only was this too many consoles to keep track of, but each solution was operating separately and sometimes at odds with others.  It did not take an overwhelming amount of explaining to show some of the more sophisticated organizations the value of an integrated solution.  The work of making disparate solutions interoperate (often poorly) had been a full-time job – now that same full-time job could focus on supporting the security and productivity of the business.

The reality is that there are integrations that must be engineered into these products from the ground up – they aren’t things you can bolt on afterward.  When I look at the work we have done to build EMS capabilities like data loss prevention, conditional access, and information protection into the Office apps and Office 365 services – it is amazing to consider how much painstaking engineering work and coordination went into getting the scenarios to work consistently and seamlessly.

The definition of “best-of-breed” has changed significantly in the industry now that organizations are more aware of the full spectrum of needs requiring integrated Enterprise Mobility solutions.

Loved by Users, trusted by IT

I cannot tell you the number of times I’ve sat with leaders of major companies and gotten the same response when I ask how they like the work experience they have on their org’s mobile devices.  The most common feedback:  a lot of head shaking, a long sigh, and “it ain’t good, man.”

When we were planning EMS 5 years ago, the feedback from these customer meetings made one thing really clear:  IT was not proud of the solution that was being delivered.  Even though that solution might have met the security needs of IT, it did not deliver the rich, empowering and simple experience their users wanted.

From the beginning, we have sought to deliver on the needs of both end-users and IT.  Meeting these needs and expectations is really hard.  One thing that we have learned is that you have to design and build for both these priorities.  This is another area where the mix of perspectives that we brought together during the planning stages of EMS had incredible impact on the overall direction and focus we took once we began to build.  The management, security and identity teams brought a deep understanding of the needs of IT Professionals and organizations, and the Office team brought a deep understanding of the needs of end-users.  Both perspectives were critical for the overall solution – and both perspectives have impacted the end-results of EMS and Office 365.


Happy birthday, EMS!  I can’t wait to see what you look like at 4.