Since the release of the Outlook for iOS and Android app, and my tutorial on how to block or quarantine the app using ActiveSync device access rules, a lot of people have asked me for a direct recommendation on what they should do about it.
I’d love to give a single answer, but really it depends on a few factors. So instead I will walk you through a short decision-making process that will hopefully clear things up for you.
Firstly, let me just say that I am using the app myself. I have it connected to my Office 365 mailbox and I am likely to continue using it and watching how Microsoft is able to improve some of the user experiences and features.
I happily use the app because I’ve considered the following factors and decided the application is safe and secure for me to use.
Data Storage in US-based Cloud Servers
Outlook for iOS and Android acts as a proxy for your email account, storing mailbox data in a cloud service that Microsoft runs.
If you have a concern with this model for your organization, such as a data sovereignty or regulatory issue, then you should block/quarantine the app.
Credential Storage in the Cloud
Similar to the data storage point, Microsoft’s servers store an encrypted version of your user credentials so that they can connect to your Exchange/Office 365 mailbox and retrieve data. The encryption key is unique to your device and is stored on your device. Read more about that here.
If that credential disclosure by your users is prohibited by your IT usage policies, or you otherwise object to the storage of encrypted credentials, then you should block/quarantine the app.
ActiveSync Policy Compliance
Outlook for iOS and Android does not support PIN codes or in-app data encryption, yet it reports itself to Exchange/Office 365 as compliant with those requirements, in effect bypassing any such requirement that you have set in your policies.
If your organization has PIN/encryption requirements for mobile devices, and you aren’t able to trust your users to maintain a suitable PIN or enable encryption on their device, then you should block/quarantine the app.
Note – the default ActiveSync policy for Exchange 2013 and Office 365 does not require a PIN or encryption. Some customers may be unaware of this and not realise that the software configuration does not match their written policies. I recommend reviewing your ActiveSync policies to verify that they match what you think they should be.
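The review the note recommends, as an added example rather than code from the original article: the Exchange Management Shell commands below list every mobile device mailbox policy with its PIN and encryption settings and flag any that do not match what the written policy requires. The cmdlet and property names are the Exchange 2013/Office 365 ones (on Exchange 2010 the equivalent cmdlet is Get-ActiveSyncMailboxPolicy); the `$required` table is an assumption standing in for your own written policy.

```powershell
# Added example: compare Exchange 2013 / Office 365 mobile device mailbox policies
# against a written policy that requires a device PIN and device encryption.
# Run from the Exchange Management Shell or a remote PowerShell session to Exchange Online.

# What the written policy says must be enforced (assumed values; adjust to your own policy)
$required = @{
    PasswordEnabled         = $true   # a PIN/password must be set on the device
    RequireDeviceEncryption = $true   # device storage must be encrypted
}

# Every policy in the organization, with the settings that matter for this check
$policies = Get-MobileDeviceMailboxPolicy | Select-Object Name, IsDefault,
    PasswordEnabled, AlphanumericPasswordRequired, MinPasswordLength,
    MaxInactivityTimeLock, RequireDeviceEncryption

# Show the configured values side by side for the reviewer
$policies | Format-Table -AutoSize

# Warn about any policy whose configuration does not match the written policy.
# The default policy is the one applied to mailboxes with no explicit assignment,
# so a mismatch there is the case the note above describes.
foreach ($policy in $policies) {
    foreach ($setting in $required.Keys) {
        if ($policy.$setting -ne $required[$setting]) {
            $label = if ($policy.IsDefault) { "$($policy.Name) (default)" } else { $policy.Name }
            Write-Warning ("Policy '{0}' has {1} = {2}; written policy requires {3}" -f `
                $label, $setting, $policy.$setting, $required[$setting])
        }
    }
}
```

A clean run produces the table and no warnings; a warning naming the default policy is the mismatch the note describes, and is fixed with Set-MobileDeviceMailboxPolicy on that policy.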
Update – Microsoft has shipped an update to the app that adds compliance with PIN code enforcement policies set by administrators.
ActiveSync Remote Wipe
Although Outlook for iOS and Android supports remote wipe, and does so in a “selective” manner (i.e., only application data is wiped, not the entire device), it does not report remote wipe results back to your Exchange/Office 365 service. Therefore, you’ll never know whether a remote wipe of a lost device was successful.
This is also a risk with other remote wipe scenarios, which are often thwarted by things like airplane mode being enabled on the device, SIM cards being disabled, or passwords being changed.
If you are not satisfied that this remote wipe behaviour meets your IT security expectations then you should block/quarantine the app.
Integration with Other Services
The app has integration with additional services such as Dropbox, Box, iCloud, Google, OneDrive, and Yahoo! If your organization sees this as a risk, such as a data leakage or theft risk, then you should block/quarantine the app.
What if Users Still Try to Use the App?
Unless you have a mobile device management system deployed to the devices connecting to your Exchange/Office 365 system, there’s really nothing you can do to prevent users from trying to use Outlook for iOS and Android. Even if you’re blocking or quarantining the app, a user who tries it has still handed their credentials to the app, so they are likely being stored by Microsoft, at least for a short time.
If that is a concern for your organization I recommend reviewing the ActiveSync device associations for mailboxes. You can do this quite easily using my Get-EASDeviceReport.ps1 script.
What Would I Do?
As I wrote earlier I do use the app myself and I’m happy to do so. I have no data sovereignty concerns, am satisfied that credentials are being securely stored, and I have a PIN and encryption enabled on my device.
However, if I was working for an organization that had one of the above reasons to block/quarantine the app then my response would be:
- Configure an ActiveSync device access rule to quarantine the app (refer to this article for exact steps).
- Periodically review mobile device associations using Get-EASDeviceReport.ps1.
- When a user is found to have attempted to use the app, force a password reset on the user’s account and contact them to request they remove the app from their devices.
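The three steps above as one Exchange Management Shell script, added here as an example and not taken from the original article or from the Get-EASDeviceReport.ps1 script it refers to. It assumes the Exchange 2013/Office 365 cmdlets, that the app identifies itself to ActiveSync with a DeviceType of `Outlook` (verify this against your own Get-MobileDevice output before relying on the rule), an administrator mailbox address that is a constructed placeholder, and the MSOnline module for the Office 365 password reset; the `$enforce` switch is an assumption so the script can be run as a report first.

```powershell
# Added example: quarantine the Outlook app, review who has tried to use it,
# and respond. Cmdlets are the Exchange 2013 / Office 365 ones.

$outlookDeviceType = 'Outlook'   # assumed DeviceType string the app reports; verify in your environment
$enforce = $false                # $true to force password resets; $false only reports

# Step 1: quarantine (not block) devices that identify as the Outlook app, so that
# attempts are held for review rather than silently rejected. Create the rule only once.
$existing = Get-ActiveSyncDeviceAccessRule |
    Where-Object { $_.Characteristic -eq 'DeviceType' -and $_.QueryString -eq $outlookDeviceType }
if (-not $existing) {
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString $outlookDeviceType -AccessLevel Quarantine
}

# Quarantine notices go to an administrator mailbox (constructed placeholder address)
Set-ActiveSyncOrganizationSettings -AdminMailRecipients 'easadmin@example.com'

# Step 2: periodic review. Walk every user mailbox and collect the device partnerships
# that belong to the Outlook app, whatever their current access state.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$report = foreach ($mbx in $mailboxes) {
    Get-MobileDeviceStatistics -Mailbox $mbx.Identity |
        Where-Object { $_.DeviceType -eq $outlookDeviceType } |
        ForEach-Object {
            [PSCustomObject]@{
                User            = $mbx.UserPrincipalName
                DeviceModel     = $_.DeviceModel
                DeviceOS        = $_.DeviceOS
                Status          = $_.Status
                LastSuccessSync = $_.LastSuccessSync
            }
        }
}

# Review output: one line per Outlook partnership, newest sync first
$report | Sort-Object LastSuccessSync -Descending | Format-Table -AutoSize

# Step 3: for each affected user, force a password reset and record who to contact.
# Because the app stored the user's credentials in Microsoft's cloud, a reset ensures
# the stored copy can no longer be used even if the user is slow to remove the app.
foreach ($user in ($report | Select-Object -ExpandProperty User -Unique)) {
    if ($enforce) {
        # Office 365 (MSOnline module): generate a new password and require a change at next sign-in.
        # On-premises AD, use Set-ADAccountPassword -Reset followed by Set-ADUser -ChangePasswordAtLogon $true.
        Set-MsolUserPassword -UserPrincipalName $user -ForceChangePassword $true | Out-Null
        Write-Output "Password reset forced for $user; contact them to remove the app from their devices"
    } else {
        Write-Output "Would reset password for $user (run with `$enforce = `$true to enforce)"
    }
}
```

Run it with `$enforce = $false` first so the report can be checked against the quarantine notices; the mailbox-by-mailbox loop is slow in a large organization, which is why a scheduled run rather than an interactive one suits the "periodically review" step.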
I hope that helps you with your decision-making.