On January 29, Microsoft launched their Outlook for iOS and Android apps. These apps have generated a great deal of visibility and positive buzz in the marketplace, particularly for ease of use, but there are concerns the apps could pose enterprise security and policy risks.
While the Outlook for iOS and Android apps are branded as Microsoft products, they were originally developed by the startup Acompli, which Microsoft acquired in December 2014. At their core, the apps are email clients that handle authentication and connection to Microsoft Exchange and Office 365. The apps store email and calendar data, as well as some files, in a US-based cloud service running on Amazon Web Services.
Cloud services, server locations and device policy limitations compromise enterprise security.
The main security concerns raised by these apps include:
- Email traffic first travels through a third-party cloud (Amazon Web Services) operated by Acompli / Microsoft before entering your email infrastructure.
- Because the traffic flows through a server your organization does not control, this may violate United States and/or European privacy laws and expose your organization to the inherent security risks of storing data outside the corporate environment.
- The apps allow access to email, calendar, contacts and file attachments across personal and corporate apps. This leads to the potential for corporate data to commingle with personal data.
- Exchange ActiveSync policies are only partially supported. The Outlook for iOS and Android apps currently have no capability to force a device PIN code, wipe a device or require encryption to be enabled.
- From the back end, if the app is installed on multiple devices belonging to or issued to a single user, the devices do not present unique Device IDs. There is therefore no way to determine whether the app has been installed on personal devices in addition to corporate-owned devices.
End user perception could already be driving shadow adoption of Outlook for iOS and Android.
A combination of factors makes it difficult to prevent Outlook for iOS and Android from making its way into your organization. Customer reaction to the apps’ user experience is overwhelmingly positive, driving widespread adoption – even among enterprise users, some of whom knowingly violate organizational policy in favor of the convenience these apps provide. Efforts to counter the apps’ proliferation in your organization can also be stymied by the fact that even the latest Mobile Device Management (MDM) APIs for iOS do not let organizations restrict users from installing specific apps.
While prevention is difficult, it’s not impossible; but given the growing popularity of Outlook for iOS and Android, if you need to keep these apps out of your organization it will be critical to act now.
Use these tactical measures to keep your risk low.
We recommend a combination of communication and technology measures to prevent Outlook for iOS and Android from putting your organization at risk and control any exposure you may already face:
- Review your Policy: Review employee-facing IT policy to ensure policy items regarding apps and app security are adequately reflected. If not, you may need to update the policy.
- Communicate to all end users: Reiterate corporate mobility policies with all employees, especially policies restricting how users may connect to corporate resources, and why those restrictions are in place. Remember, some end users may feel these apps are significantly easier to use than your organization’s approved methods of accessing resources, and ease of use is a difficult objection to counter. But if employees understand the reasoning why the app cannot be used in your organization’s environment, there is likely to be less dissatisfaction and a reduction in “shadow” apps in use.
- Use MDM to restrict connections: If this functionality is supported, leverage your existing Mobile Device Management platform to only allow devices already approved and registered on the platform to access corporate email, and block connections to any devices not already approved and enrolled with the MDM platform. This way, corporate email won’t synchronize to unregistered devices – no matter how the synchronization is being initiated.
- Use MDM to detect the app: Use MDM tools to identify users who have installed the app, communicate that the app is not approved for use (and why), and instruct them to remove it immediately. Set a time frame suggesting urgency (48 hours, for example) for the end user to remove the app, before their MDM registration will be revoked.
- Quarantine or Block the app in Exchange: An additional recommendation from other experts is to block or quarantine the Outlook for iOS and Android app on your Exchange server using Exchange ActiveSync device access rules. This can be particularly useful if you do not have an MDM product with blocking capabilities. More information can be found at Exchange Server Pro.
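The following Exchange Management Shell script is an added example of the quarantine-or-block measure above; it is not code from the original post or from Exchange Server Pro. It assumes the app identifies itself over ActiveSync with a DeviceType beginning with "Outlook" (verify this with the inventory step before relying on it), and that mobility-team@example.com is a placeholder notification address. It first lists existing partnerships (including DeviceId, so the shared-ID problem described earlier is visible), then adds an organization-wide access rule, then removes the existing partnerships so the rule takes effect on the next sync.

```powershell
# Added example, not from the original post. Run in the Exchange Management
# Shell (Exchange 2013 or later) or a remote PowerShell session to Exchange Online.
# ASSUMPTION: the app reports a DeviceType of "Outlook"; confirm with step 1 and
# adjust the -QueryString value if your environment shows a different string.

# 1. Inventory: every ActiveSync partnership that looks like the Outlook app,
#    with the mailbox it is attached to. Note that several installations for one
#    user may show the same DeviceId, which is why device-level policy is weak.
$suspect = Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceType -like 'Outlook*' -or $_.DeviceUserAgent -like 'Outlook*' }

$suspect |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceUserAgent, DeviceId, FirstSyncTime |
    Sort-Object UserDisplayName |
    Format-Table -AutoSize

# 2. Organization-wide rule: quarantine every device reporting that DeviceType.
#    Use -AccessLevel Block instead if you want to deny access outright rather
#    than review quarantined devices first. Skip creation if the rule already exists.
$existing = Get-ActiveSyncDeviceAccessRule |
    Where-Object { $_.Characteristic -eq 'DeviceType' -and $_.QueryString -eq 'Outlook' }
if (-not $existing) {
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString 'Outlook' -AccessLevel Quarantine
}

# 3. Notify the mobility team on each quarantine and tell the end user why
#    (placeholder address; -UserMailInsert text is appended to the user notice).
Set-ActiveSyncOrganizationSettings -AdminMailRecipients 'mobility-team@example.com' `
    -UserMailInsert 'Outlook for iOS/Android is not an approved client. See the corporate mobility policy.'

# 4. Existing partnerships keep syncing until re-evaluated; remove them so the
#    new rule applies at the next connection attempt and the device is quarantined.
foreach ($d in $suspect) {
    Remove-MobileDevice -Identity $d.Identity -Confirm:$false
}
```

Review the quarantine list with Get-MobileDevice (filtering on DeviceAccessState) before switching the rule to Block, so that any devices matched by an overly broad DeviceType string are caught first.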
Need help with the heavy lifting?
Wireless Analytics has been helping enterprise organizations tackle their mobility challenges since 2003. Whether it's managing security policies or managing wireless expenses, our mission is to make mobility easy.