This release has caused somewhat of a stir due to some reported security issues with the app, issues which existed before its rebranding from “Acompli”.
I’ll be honest, I found a number of the posts on this app to be somewhat alarmist, but one post, with the equally alarmist title: Warning – Microsofts Outlook app for iOS breaks your company security, raised a point that did concern me.
That point was: “Shared Exchange ActiveSync ID and device type”.
This post will explain why this is a concern, my findings, & how to block “Outlook for iOS and Android” via Exchange’s Allow/Block/Quarantine List.
Exchange’s Allow/Block/Quarantine List
Since Exchange 2010 (& into O365), Exchange has supported an Allow/Block/Quarantine list (READ: ABQ). This lets you choose which devices may connect to your Exchange via ActiveSync: you can block (or quarantine) all devices by default & manually allow the ones you trust.
We automate this process via PowerShell commands which are triggered when a device is enrolled in our MDM (AirWatch) & our MDM advises that the device is compliant. For us, compliant means:
- The device is enrolled on our MDM,
- The device is not jailbroken or rooted
- The device has a device passcode enforced.
Once a device passes the above, our MDM will run a command like the below on all of our Exchange endpoints to allow the device:
If a device becomes non-compliant, is unenrolled or a user account is disabled in AD the following is run to block the device:
What I really like about the ABQ is that it’s user specific, so a device that is allowed for one user in your environment is not then allowed for all. If another user wishes to access their email on the same device, they need to enrol the device as themselves. This then blocks the device for the user it was enrolled under before.
For an example of this, look at the AD attributes msExchMobileAllowedDeviceIDs & msExchMobileBlockedDeviceIDs on a user account that has been through the ABQ. Below is an example showing my account with the multitude of allowed & blocked devices.
If someone enters our Exchange details on an ActiveSync client that is not enrolled in our MDM, the device is automatically placed on the quarantine list, & on the device they will receive an email like the below:
If you log in to your Exchange Control Panel (READ: ECP) & navigate to “Phone”, you should see a list of any quarantined devices.
You can manually allow devices in ECP to grant access. The end result is the same as the allow PowerShell command given above: the device is now allowed for the user that requested access to their email.
The Device ID is the value that is written to the user’s msExchMobileAllowedDeviceIDs & msExchMobileBlockedDeviceIDs AD attributes & is what Exchange uses to identify devices. As such, this ID should be different for every client that connects to your Exchange via ActiveSync.
Via iOS it is, & below is an example of that from the quarantine email shown above:
Below are the quarantine emails from a 5c (left) & 6Plus (right) connected to the same Exchange account:
Both devices are running “Outlook for iOS” & both have returned the same Device ID.
Ideally, as 2 devices are quarantined, we should see 2 devices in the ECP’s quarantined devices list. However, as mentioned before, Exchange uses the Device ID with the ABQ to reference the device, & as such the device is only shown once:
Allowing that device will allow both to connect via ActiveSync, even if one of them was never enrolled in our MDM & found to be compliant.
Blocking “Outlook for iOS and Android”
Blocking “Outlook for iOS and Android” can be achieved by adding a Device Access Rule via ECP (search for Device Access Rule), or, if you have an MDM that supports Exchange ABQ PowerShell, that method should work too. Lastly, manually allowing devices may also be an option.
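The snippet below is an added example, not the original post’s or AirWatch’s own script: it shows the per-user allow/block that our MDM triggers (described earlier), a read-back of the user’s devices to see which DeviceType & Device ID each client reports, & the Device Access Rule that blocks the Outlook app tenant-wide. It assumes an Exchange Management Shell or remote PowerShell session with the CASMailbox & MobileDevice cmdlets available; the DeviceType value “Outlook” for the app is an assumption taken from Microsoft’s documentation, so confirm it against the DeviceType column of your own quarantine list first.

```powershell
# Added example (not from the original post). Assumes an Exchange / O365 PowerShell session.

function Set-AbqDeviceState {
    # Allow or block one Device ID for one mailbox, mirroring what the MDM runs on
    # enrolment (compliant) or on unenrolment / non-compliance (not compliant).
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $DeviceId,
        [Parameter(Mandatory)] [bool]   $Compliant
    )
    if ($Compliant) {
        # Caveat from the post: if two clients share this Device ID, allowing it
        # allows both of them for this user, enrolled or not.
        Set-CASMailbox -Identity $UserPrincipalName `
            -ActiveSyncAllowedDeviceIDs @{Add = $DeviceId} `
            -ActiveSyncBlockedDeviceIDs @{Remove = $DeviceId}
    } else {
        Set-CASMailbox -Identity $UserPrincipalName `
            -ActiveSyncAllowedDeviceIDs @{Remove = $DeviceId} `
            -ActiveSyncBlockedDeviceIDs @{Add = $DeviceId}
    }
    # Read back the attributes so the caller can verify what Exchange now holds.
    Get-CASMailbox -Identity $UserPrincipalName |
        Select-Object ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs
}

function Get-AbqDeviceReport {
    # List every ActiveSync partnership for a mailbox with the identity each client
    # reports; duplicate DeviceId values across rows are the behaviour the post describes.
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    Get-MobileDevice -Mailbox $UserPrincipalName |
        Select-Object DeviceId, DeviceType, DeviceModel, DeviceAccessState |
        Sort-Object DeviceId
}

# Tenant-wide rule: block any client whose DeviceType is "Outlook" (assumed value,
# check it in ECP > Phone > Quarantined devices before creating the rule).
function Block-OutlookAppByDeviceType {
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType `
        -QueryString "Outlook" -AccessLevel Block
}

# Constructed usage (placeholder user & Device ID, not real values):
Set-AbqDeviceState -UserPrincipalName "user@example.com" -DeviceId "EXAMPLEDEVICEID01" -Compliant $true
Get-AbqDeviceReport -UserPrincipalName "user@example.com"
```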
JSS & ABQ