Outlook for iOS and Android & Exchange's Allow/Block/Quarantine List

On January 29th, Microsoft released Outlook for iOS and Android.

This release has caused somewhat of a stir due to some reported security issues with the app, which existed before its rebranding from “Accompli”.

I’ll be honest, I found a number of the posts on this app somewhat alarmist, but a post with the somewhat alarmist title “Warning – Microsofts Outlook app for iOS breaks your company security” raised a point that caused me some concern.

This point was: “Shared Exchange ActiveSync ID and device type”

This post will explain the reason for the concern, my findings, and how to block “Outlook for iOS and Android” via Exchange's Allow/Block/Quarantine List.

Exchange's Allow/Block/Quarantine List

Since Exchange 2010 (and into O365), Exchange has supported an Allow/Block/Quarantine list (READ: ABQ). This lets you choose which devices may connect to your Exchange: by default you can block all devices and then allow them manually.

We automate this process via PowerShell commands which are triggered when a device is enrolled in our MDM (Airwatch) & our MDM advises that the device is compliant. That for us means:

  • The device is enrolled on our MDM,
  • The device is not jailbroken or rooted
  • The device has a device passcode enforced.

Once a device passes the above, our MDM will run a command like the below on all of our Exchange endpoints to allow the device:

If a device becomes non-compliant, is unenrolled or a user account is disabled in AD the following is run to block the device:
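The allow and block commands referred to above are not reproduced on this page. The following is an added example, not the author's MDM integration, of how those two operations map onto the Set-CASMailbox cmdlet; it assumes an Exchange Management Shell (or remote PowerShell) session, and the mailbox and device ID values are placeholders.

```powershell
# Added example (not the author's script): apply the MDM compliance verdict to a
# user's ABQ lists. The lists are the mailbox's ActiveSyncAllowedDeviceIDs /
# ActiveSyncBlockedDeviceIDs properties (the msExchMobile*DeviceIDs AD attributes).
function Set-AbqDeviceState {
    param(
        [Parameter(Mandatory)][string]$Mailbox,    # alias/UPN the device was enrolled as
        [Parameter(Mandatory)][string]$DeviceId,   # EAS DeviceID reported by the MDM
        [Parameter(Mandatory)][bool]$Compliant     # enrolled + not jailbroken + passcode set
    )
    $cas = Get-CASMailbox -Identity $Mailbox

    # Work on copies of the current lists with this ID removed from both, so the
    # device ends up in exactly one list whatever state it was in before.
    $allowed = @($cas.ActiveSyncAllowedDeviceIDs | Where-Object { $_ -ne $DeviceId })
    $blocked = @($cas.ActiveSyncBlockedDeviceIDs | Where-Object { $_ -ne $DeviceId })
    if ($Compliant) { $allowed += $DeviceId } else { $blocked += $DeviceId }

    # A list that has become empty must be written as $null to clear the attribute.
    Set-CASMailbox -Identity $Mailbox `
        -ActiveSyncAllowedDeviceIDs $(if ($allowed.Count -gt 0) { $allowed } else { $null }) `
        -ActiveSyncBlockedDeviceIDs $(if ($blocked.Count -gt 0) { $blocked } else { $null })
}

# As the MDM "device compliant" hook would call it (placeholder values):
Set-AbqDeviceState -Mailbox 'jdoe' -DeviceId 'PLACEHOLDER-DEVICEID' -Compliant $true
# As the "unenrolled / non-compliant / account disabled" hook would call it:
# Set-AbqDeviceState -Mailbox 'jdoe' -DeviceId 'PLACEHOLDER-DEVICEID' -Compliant $false
```

The device IDs are stored on the AD user object, so one write covers every server in an on-premises organisation; running the command against each endpoint matters where separate directories (for example on-premises plus Office 365) each hold mailboxes.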

What I really like about the ABQ is that it’s user specific, so a device that is allowed for a user in your environment is not then allowed for all. If another user wishes to access their email on the device, they need to enrol the device as themselves. This then blocks the device on the user it was enrolled under before.

For an example of this, look at the AD attributes msExchMobileAllowedDeviceIDs & msExchMobileBlockedDeviceIDs on a user account with an ABQ. Below is an example showing my account with the multitude of allowed & blocked devices.

Quarantined Devices

If someone enters our Exchange details on an ActiveSync client that is not enrolled into our MDM, the device is automatically put onto the quarantine list, and on the device they will receive an email like the below:

If you log in to your Exchange Control Panel (READ: ECP) and navigate to “Phone”, you should see a list of any quarantined devices.

You can manually allow devices in ECP to grant access. The end result is the same as the allow PowerShell command given above: the device is now allowed for the user that requested access to their email.

The Device ID

The Device ID is the value that is written to the user's msExchMobileAllowedDeviceIDs and msExchMobileBlockedDeviceIDs AD attributes, and is what Exchange uses to identify devices. As such, this ID should be different for every client that connects to your Exchange via ActiveSync.

On iOS it is, and below is an example of that from the quarantine email shown above:

Below are the quarantine emails from a 5c (left) & 6Plus (right) connected to the same Exchange account:

Both devices are running “Outlook for iOS” & both have returned the same Device ID.

Ideally, as 2 devices are quarantined, we should see 2 devices in the ECP’s quarantined devices list. However, as mentioned before, Exchange uses the Device ID with the ABQ to reference the device, and as such the device is only shown once:

Allowing that device will allow both to connect via ActiveSync even if one of them was not enrolled onto our MDM & found to be compliant.

Blocking “Outlook for iOS and Android”

Blocking “Outlook for iOS and Android” can be achieved by adding a Device Access Rule via ECP (search for Device Access Rule), or, if you have an MDM that supports Exchange ABQ PowerShell, that method should work. Lastly, manually allowing devices may also be an option.
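As an added example (not from the original post), the following PowerShell first surfaces the symptom described above, one Device ID shared by partnerships that report different device models, and then creates the Device Access Rule that blocks that client type. It assumes Get-MobileDevice (Exchange 2013 and Office 365; Get-ActiveSyncDevice exposes the same properties on Exchange 2010) and New-ActiveSyncDeviceAccessRule; the DeviceType value is a placeholder to be taken from your own quarantine email or Get-MobileDevice output.

```powershell
# Added example: detect DeviceIDs that are not unique per handset, then block
# the offending client type organisation-wide with a Device Access Rule.
function Find-SharedDeviceIds {
    # Each EAS partnership is per mailbox, so a handset re-enrolled by another
    # user also appears twice; only IDs whose reported models disagree are flagged.
    Get-MobileDevice -ResultSize Unlimited |
        Group-Object -Property DeviceId |
        ForEach-Object {
            $models = @($_.Group | Select-Object -ExpandProperty DeviceModel | Sort-Object -Unique)
            if ($models.Count -gt 1) {
                [pscustomobject]@{
                    DeviceId   = $_.Name
                    DeviceType = (@($_.Group | Select-Object -ExpandProperty DeviceType | Sort-Object -Unique) -join ', ')
                    Models     = ($models -join ', ')
                    Users      = (@($_.Group | Select-Object -ExpandProperty UserDisplayName | Sort-Object -Unique) -join ', ')
                }
            }
        }
}

function Block-DeviceTypeOrgWide {
    # $DeviceType is the string the client reports (see the quarantine email).
    param([Parameter(Mandatory)][string]$DeviceType)
    $rule = Get-ActiveSyncDeviceAccessRule |
        Where-Object { $_.Characteristic -eq 'DeviceType' -and $_.QueryString -eq $DeviceType }
    if ($rule) { return $rule }   # idempotent: do not create a duplicate rule
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString $DeviceType -AccessLevel Block
}

# Report the colliding partnerships, then block the type they report.
Find-SharedDeviceIds | Format-Table -AutoSize
Block-DeviceTypeOrgWide -DeviceType 'PLACEHOLDER-DEVICETYPE'
```

A per-mailbox allow entry takes precedence over a Device Access Rule, so any DeviceId that Find-SharedDeviceIds reports and that already sits in a user's ActiveSyncAllowedDeviceIDs must also be removed there for the block to take effect.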

More Information

The following is on Exchange's Allow/Block/Quarantine list and how it works with Exchange: http://blogs.technet.com/b/exchange/archive/2010/11/15/3411539.aspx
As mentioned, we can trigger this via PowerShell commands and more. Details are here: http://technet.microsoft.com/en-us/library/aa998933(v=exchg.141).aspx

JSS & ABQ

GaToRAID & myself are working on an Events API plugin for the JSS that will run the PowerShell commands on enrolment or unenrolment. Details will be coming for that when we have them.

3 thoughts on “Outlook for iOS and Android & Exchange's Allow/Block/Quarantine List”

  1. Great article and thanks for sharing.
    Just a question: do you know if more than one MDM could use the ABQ feature at the same time?
    Thanks again

  2. Juan

    Amazing, you already wrote my task for today. You saved me time, and answered our doubts about how to control and prevent our users with devices with the MDM (Airwatch) agent from still using other non-corp devices or BYO devices over normal ActiveSync.
