Ignite 2015 – Skype4B Mobility Security Improvements

I’ll admit that the title is a bit misleading, because much of what existed (with regard to mobility) in Lync Server 2013 still exists in Skype for Business Server 2015.  Unfortunately there has not been a great leap forward in functionality… YET.  The “Yet” is there because there are HUGE improvements forthcoming in the Skype for Business mobile client release (and subsequent server release), which is expected sometime in Q3 CY 2015.  Looking forward to that release date, some of the information available through the Ignite conference about those future features is outlined below.
Mobile Device Management
Very limited MDM integration exists with Lync/S4B today.  Things like device posture checking, requiring encryption, or requiring PIN codes for security simply are not available or enforceable by either the server or the client.  This will be changing in S4B/S4B-Online, and the direction for the product will be to utilize the Microsoft Intune Service for all MDM functionality.  One of the big items that Intune will bring to the table is the concept of protected applications.  This was demo’d in the keynote, where you couldn’t copy/paste text from a work-managed application into a non-work-managed application.  Some may view this as quasi-DLP functionality, which it definitely is, but it is handled solely by Intune MDM policies.  Additionally, Microsoft will not be supporting or integrating any other MDM solution on the market into Skype for Business Server (or S4B Online).  Despite the “limitation” of only supporting Intune, the Intune service is hugely powerful and will continue to evolve and adapt.
If Intune is not utilized, Microsoft is adding two new mobility policy settings in an upcoming CU:
Require an application PIN for the S4B mobile client
Require device encryption
Those two policy features will be configurable via the Set-CsMobilityPolicy cmdlet after the S4B mobility client is released.
Data Loss Protection
The DLP story for Lync/S4B today is lacking, and third-party vendors have stepped up to try to fill the gap.  Lync Server 2013 and Lync 2013 clients today support IRM, in that they will not display via screen share a document that has been protected via IRM, but that is truly the limit of the DLP functionality.  Dynamic content inspection, compliance reporting, and real-time IM analysis simply are not available in the solution – things that Exchange Server has had via Hub Transport rules and continues to grow with each product release.  That being said, the unfortunate news from Ignite is that DLP won’t truly be integrated into S4B mobile, at least not yet.  Microsoft has added loads of DLP improvements into the Office 2016 stack and Office365 service which impact Exchange, SharePoint, and OneDrive, but the S4B client (and server) are sadly omitted.  The good news is that Microsoft is aware of this missing piece and is working with the product groups to add functionality into future releases.  Things like dynamic content inspection and compliance reporting will be coming in future releases of the product, but the full picture is not known yet.
Authentication Improvements
In Lync Server 2013, the only way to get MFA for mobile clients was to utilize a feature called Passive Authentication.  It solved the problem of getting “MFA”, but using the feature actually introduced more problems – one of those problems was severely restricting the capabilities of clients to integrate with Exchange Server.  Moving forward with S4B, Microsoft has announced that the Azure Active Directory Authentication Library (ADAL) will be the desired solution for all MFA and, in fact, all authentication, period.  ADAL brings several important investments to the table:  powerful MFA configurations for conditional access are possible, it integrates tightly with AD-FS and, most importantly, it will be supported across all server 2016 and client 2016 products.  No longer will you have one separate authentication piece for Lync/Skype and then another for the rest of the product portfolio.  If you are looking for a powerful authentication solution to handle not only Lync/S4B mobile, but all of your corporate applications, this is it.

Thoughts on “Ignite 2015 – Skype4B Mobility Security Improvements”

  1. Hi,
    Do you know if conversation history can be disabled just on the S4B mobile client?

  2. Trevor Miller

    No, you cannot disable Conversation History on the mobile client only. ConvoHistory is defined by a Client Policy that is granted to a user account and that policy roams across devices, so at this time there is no functionality to do what you are looking for. Additionally, disabling ConvoHistory will affect features such as AutoAccept and ServerSideConversation history functionality, so if you disable ConvoHistory you actually disable new features that were introduced in Skype4B. Microsoft is examining the ability in future releases to disable functionality on a per-device basis, but that will most likely not come until 2016 at the earliest (speculation only).


Trevor Miller
