In my last post, we examined Workplace Join. In this post, we’ll take a look at another mobile-management feature of Windows 8.1 and Windows Server 2012 R2: Work Folders.
Besides expecting to work anywhere on any device, users today also expect to be able to work on multiple devices and to have their work saved and synchronized locally across these devices.
For example, a CEO begins her week at the office using her domain-joined PC to write a document. The main copy of this document resides on a network share, but she also needs it synchronized on her other devices—when she flies to Asia for business the next day, she expects to be able to review and edit the same file locally on her personal tablet during the flight. And when she returns to the office the following week, she will want to see all the updates she made during her business trip automatically synchronized with the copy on her network share.
Traditionally, users have used cloud-based storage solutions, like Dropbox or SkyDrive, to do this. (And before those options were available, they sent the documents to themselves via email.) This works okay for most users, but it can be a nightmare for IT departments. Not only might sensitive information be floating around in the wild, but IT can’t protect it with things like rights management, nor can it hope to stay in compliance with document retention for such files.
Sync data across devices with your corporate file share
Work Folders is a new optional component of the File Server role in Windows Server 2012 R2 that efficiently answers the need for more secure synchronization of personal or work documents across multiple devices. With Work Folders, a personal user folder stored on a company file server is synchronized to a specific location on other external devices. For now, Work Folders are supported only on Windows 8.1 and Windows 8.1 RT devices, but Microsoft has stated plans to support other Windows clients, Apple iPad devices, and Android devices in the future.
Work Folders rely on special shares, called Sync Shares, which you can set up on file servers. When you set up a Sync Share, you establish a device policy in which you can enforce any or all of three security mechanisms:
- Limit access to registered devices: This option requires devices syncing to the Work Folder to have Workplace Join in place, which in turn opens up the possibility for conditional access to the Work Folder.
- Apply encryption: This option requires that the files synchronized to a device be encrypted through Encrypting File System (EFS) on that device. The key used for encryption in this case is associated with the enterprise domain. When Work Folders are used with mobile-management software, access to the data can be revoked by wiping the key, which prevents the encrypted data associated with the domain from being decrypted if the device is lost or stolen.
- Require password and screen lock: This option requires the user to log back on to the device after it is left idle.
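An audit of the encryption and lock settings described above, as an added example that is not part of the original post: it lists every Sync Share on a file server with the settings it leaves off and, with -Remediate, turns both on. It assumes the SyncShare PowerShell module that is installed with the Work Folders role service on Windows Server 2012 R2; the function name Test-SyncSharePolicy is hypothetical, and the registered-device requirement is outside what the script checks.

```powershell
# Added example: audit Work Folders Sync Shares for the encryption and
# password/screen-lock device policy settings.
# Test-SyncSharePolicy is a hypothetical helper name, not a built-in cmdlet.
Import-Module SyncShare -ErrorAction Stop

function Test-SyncSharePolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # When set, enable both settings on every share that lacks one.
        [switch]$Remediate
    )

    foreach ($share in Get-SyncShare) {
        # Collect the device policy settings this share does not enforce.
        $gaps = @()
        if (-not $share.RequireEncryption)       { $gaps += 'RequireEncryption' }
        if (-not $share.RequirePasswordAutoLock) { $gaps += 'RequirePasswordAutoLock' }

        $fixed = $false
        if ($gaps.Count -gt 0 -and $Remediate -and
            $PSCmdlet.ShouldProcess($share.Name, 'Require encryption and password auto lock')) {
            Set-SyncShare -Name $share.Name `
                          -RequireEncryption $true `
                          -RequirePasswordAutoLock $true
            $fixed = $true
        }

        # One row per share: what was missing when audited, and whether it was fixed.
        [pscustomobject]@{
            SyncShare   = $share.Name
            Path        = $share.Path
            Compliant   = ($gaps.Count -eq 0)
            MissingWhenAudited = ($gaps -join ', ')
            Remediated  = $fixed
        }
    }
}

# Report only:
Test-SyncSharePolicy | Format-Table -AutoSize

# Preview the changes a remediation run would make, without applying them:
Test-SyncSharePolicy -Remediate -WhatIf | Out-Null
```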
Maintain control of data even on mobile devices
In addition to the security features that are enforceable when you create the Sync Share, you can also apply to the share all of the same management and security policies that you can apply to other folders in Windows Server 2012.
For example, you can use File Server Resource Manager to apply quotas, assign file classification attributes to be used with conditional access, or apply Rights Management Services protection to ensure that the files remain encrypted even if they are copied and removed from the device. And because the files are synchronized on corporate file shares, all of your data retention tools work on them as well.
For more information on mobile-friendly features in Windows 8.1 and Windows Server 2012 R2, check out our white paper Windows Device Management Goes Mobile on Intel.com. And stay tuned for my next post, where I will look at the feature that makes things like Work Folders possible: Web Application Proxy.