Microsoft has released the Outlook for iOS and Android app, which is intended to replace the OWA for Devices mobile client on Apple iOS and Google Android smartphones and tablets.
The Outlook for iOS and Android app is essentially another ActiveSync client for connecting mobile devices to Exchange and Office 365. It also supports other mail services like Outlook.com.
For some organizations there are a number of security and compliance concerns with the way the new Outlook for iOS and Android app functions that will mean those organizations will want to block or quarantine the app from connecting to their Exchange or Office 365 mailboxes until it can be further evaluated.
You can read more about the new app and some of the technical concerns people have with it here:
In the meantime, here's how to block or quarantine Outlook for iOS and Android app. First let's look at how it appears as a mobile device association in Exchange.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
[PS] C:>Get-MobileDevice -Mailbox alex.heyne | fl FriendlName,Device*,Client*,Is* FriendlyName : Outlook for iOS and Android DeviceId : 94B42B2A37D109AE DeviceImei : DeviceMobileOperator : DeviceOS : Outlook for iOS and Android 1.0 DeviceOSLanguage : DeviceTelephoneNumber : DeviceType : Outlook DeviceUserAgent : Outlook-iOS-Android/1.0 DeviceModel : Outlook for iOS and Android DeviceAccessState : Allowed DeviceAccessStateReason : Global DeviceAccessControlRule : ClientVersion : 14.1 ClientType : EAS IsManaged : False IsCompliant : False IsDisabled : False |
For Exchange Server 2010 use Get-ActiveSyncDevice instead of Get-MobileDevice.
ActiveSync device access rules can be based on a few different device criteria. From the information above it looks like the DeviceModel will be the simplest approach here, as others such as UserAgent may change with later versions of the Outlook for iOS and Android app.
To block the Outlook for iOS and Android app in Office 365, Exchange Server 2010 or 2013 with a device access rule:
|
1 |
[PS] C:>New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString "Outlook for iOS and Android" -AccessLevel Block |
To quarantine instead:
|
1 |
[PS] C:>New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString "Outlook for iOS and Android" -AccessLevel Quarantine |
Devices should now appear as blocked or quarantined with the reason of “DeviceRule”.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
[PS] C:>Get-MobileDevice -Mailbox alex.heyne | fl FriendlName,Device*,Client*,Is* DeviceId : 94B42B2A37D109AE DeviceImei : DeviceMobileOperator : DeviceOS : Outlook for iOS and Android 1.0 DeviceOSLanguage : DeviceTelephoneNumber : DeviceType : Outlook DeviceUserAgent : Outlook-iOS-Android/1.0 DeviceModel : Outlook for iOS and Android DeviceAccessState : Blocked DeviceAccessStateReason : DeviceRule DeviceAccessControlRule : Outlook for iOS and Android (DeviceModel) ClientVersion : 14.1 ClientType : EAS IsManaged : False IsCompliant : False IsDisabled : False |
Additional info: Outlook for iOS/Android Still Able to Connect After Disabling ActiveSync
Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.
Thanks for getting this out there. I bet a lot of enterprise customers will be scrambling to block due the caching of email and passwords to the cloud. Not particularly happy with how MS handled this acquisition.
Giving customers the choice to allow or block the app (which we have) is the most important thing. Microsoft is already committed to making the app more enterprise-friendly and I expect we’ll see a lot of updates over the next 12 months to get us there.
Dear paul,
if i want to go back to after blocking “Outlook for iOS and Android App”. should i have to delete these new created rule form EMS, if yes can u please provide me command
Thz
Use Remove-ActiveSyncDeviceAccessRule or do it via the Exchange Admin Center/Console.
Hi Paul, I posted a comment on your other article, https://practical365.com/creating-activesync-device-access-rules-exchange-server-2010/#comment-154032 about this same thing, then came accross this article as this is what I am looking for.
I created the rule, but the devices or application is not getting blocked. I do have another mail application, Touchdown, on the same device, not sure if that is the issue. We do use Mass360 as well to enforce policy’s to devices, maybe that is the issue.
any thoughts?
You’ll need to show me the output of this command:
Get-MobileDevice -Mailbox yourmailboxname | fl FriendlName,Device*,Client*,Is*
And then show me exactly what command you ran to create the device access rule.
Hi Paul, below is the output. At first I used powershell to create the rules, then i deleted those and used to gui to create it. I put the output of that at the end of this comment as well. Also, I just did an IISReset on all of our CAS servers, and it still looks like it didn’t help. Thanks in advance for all your help!
[PS] C:SCRIPTS>Get-ActiveSyncDeviceStatistics -Mailbox bolukrsw | fl FriendlName,Device*,Client*,Is*
DeviceType : Outlook
DeviceID : C62DDA89E034BB93
DeviceUserAgent : Outlook-iOS-Android/1.0
DeviceWipeSentTime :
DeviceWipeRequestTime :
DeviceWipeAckTime :
DeviceModel : Outlook for iOS and Android
DeviceImei :
DeviceFriendlyName : Outlook for iOS and Android
DeviceOS : Outlook for iOS and Android 1.0
DeviceOSLanguage :
DevicePhoneNumber :
DeviceEnableOutboundSMS : False
DeviceMobileOperator :
DeviceAccessState : Allowed
DeviceAccessStateReason : Individual
DeviceAccessControlRule :
DevicePolicyApplied : WindowsPhoneNoPassword
DevicePolicyApplicationStatus : AppliedInFull
DeviceActiveSyncVersion : 14.1
IsRemoteWipeSupported : True
DeviceType : Toggle
DeviceID : d36a7cc005f99e9d7124337829c55fc5
DeviceUserAgent : Toggle/3.0
DeviceWipeSentTime :
DeviceWipeRequestTime :
DeviceWipeAckTime :
DeviceModel : SM-T800
DeviceImei :
DeviceFriendlyName : SM-T800
DeviceOS : Android 4.4.2
DeviceOSLanguage :
DevicePhoneNumber :
DeviceEnableOutboundSMS : False
DeviceMobileOperator :
DeviceAccessState : Allowed
DeviceAccessStateReason : Individual
DeviceAccessControlRule :
DevicePolicyApplied : WindowsPhoneNoPassword
DevicePolicyApplicationStatus : AppliedInFull
DeviceActiveSyncVersion : 14.1
IsRemoteWipeSupported : True
DeviceType : Touchdown
DeviceID : 3939303030343437363831383835
DeviceUserAgent : TouchDown(MSRPC)/8.4.00086/
DeviceWipeSentTime :
DeviceWipeRequestTime :
DeviceWipeAckTime :
DeviceModel : SM-G900P
DeviceImei : 99000447681885
DeviceFriendlyName : Android_ynhh_bolukrsw
DeviceOS : Android 4.4.4
DeviceOSLanguage : English
DevicePhoneNumber : ******0820
DeviceEnableOutboundSMS : False
DeviceMobileOperator :
DeviceAccessState : Allowed
DeviceAccessStateReason : Individual
DeviceAccessControlRule :
DevicePolicyApplied : WindowsPhoneNoPassword
DevicePolicyApplicationStatus : AppliedInFull
DeviceActiveSyncVersion : 14.1
IsRemoteWipeSupported : True
[PS] C:SCRIPTS>Get-ActiveSyncDeviceAccessRule
RunspaceId : f30cf520-9f0e-441f-974d-4ac0d6895665
QueryString : Outlook for iOS and Android
Characteristic : DeviceModel
AccessLevel : Block
Name : Outlook for iOS and Android (DeviceModel)
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
DistinguishedName : CN=Outlook for iOS and Android (DeviceModel),CN=Mobile Mailbox Settings,CN=xxxxxxxCN=Microsoft Exchange,CN=Services,CN=Configuration,DC=YNHHSC,DC=ORG
Identity : Outlook for iOS and Android (DeviceModel)
Guid : 3bab0fa7-8659-4280-9d35-99c78c126745
ObjectCategory : xxxxxxx/Configuration/Schema/ms-Exch-Device-Access-Rule
ObjectClass : {top, msExchDeviceAccessRule}
WhenChanged : 2/2/2015 4:45:01 PM
WhenCreated : 2/2/2015 4:44:09 PM
WhenChangedUTC : 2/2/2015 9:45:01 PM
WhenCreatedUTC : 2/2/2015 9:44:09 PM
OrganizationId :
OriginatingServer : xxxxx
IsValid : True
DeviceAccessState : Allowed
DeviceAccessStateReason : Individual
That means the device has been allowed as a personal exemption for your mailbox.
Run this:
Get-CASMailbox yourmailboxname | fl
You’ll see an ActiveSyncAlloweDeviceIDs attribute. There will be one or more device IDs in there. You need to remove the one for Outlook for iOS and Android.
Once it is removed as a personal exemption it will be caught be the device access rule instead.
You can learn more about that here:
https://practical365.com/existing-activesync-device-associations-when-changing-organization-default-access-level/
If you want to learn more about how ActiveSync works please consider this ebook:
https://practical365.com/ebooks/the-beginners-guide-to-exchange-server-2010-activesync/
Thank you Paul! You’ve been a great help.
One last question, if I only have the default organization setting, is the indiviual access state coming from Mass360?
Not all MDMs operate the same way and I haven’t worked with Mass360 so I couldn’t say either way.
Paul, in your example you had a specific client used in the get-mobile…statement. is there way to see if anyone in the store has enabled this without knowing a specific user? I use 2010 exchange.
David, I don’t have any results to verify but try the following:
Get-ActiveSyncDevice | where-object {$_.DeviceModel -like ‘*Outlook for iOS and Android*’}
or
Get-ActiveSyncDevice | where-object {$_.DeviceAccessStateReason -like ‘*DeviceRule*’}
Use Get-EASDeviceReport.ps1
https://practical365.com/powershell-script-activesync-device-report/
Paul,
i am a little confused about the output of this report when using the -age 30. I was thinking that would setup for seeing all done in the last thirty days. apparently its for any sync’s beyond 30 days??
In one instance, i see under lastsyncattempttime and lastsuccesssync it shows a return value of april 2014 . i know this person gets their email on the phone currently and has all along.
In the case of my phone (have three listings for different phones associated with my name)the last one has me way back to 12/8/2013. (that might have been when i got my current phone)
What does that LSAT and LSS fields really tell us? What are they really recording?? is this recording the last time they interacted with the sync process or the last time they “registered” with the system?? is there a way to see ongoing sync’s so we can see who is communicating currently?
thanks
dave
The -Age parameter specifies “Devices that have not synced in more than X days”. So it is a way to only report on old/stale devices that haven’t recently synced.
Hi Paul !
Great info ! We are on exchange 2007 and outlook for IOS violates our policies – can you advise options for exchange 2007 ?
We use Isa as a reverse proxy as an option too ?
Look at using ISA to block the user agent or some other identifier such as the source IPs. I couldn’t tell any specifics though, haven’t touched ISA in a long time.
Hi Paul
We need to block this on exchange 2007 but the cmdlet above doesnt seem to work, could you advise?
The error i get is :
[PS] C:Windowssystem32>New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString “Outlook for iOS and Android” -AccessLevel Block
The term ‘New-ActiveSyncDeviceAccessRule’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify th
the path is correct and try again.
At line:1 char:31
+ New-ActiveSyncDeviceAccessRule <<<< -Characteristic DeviceModel -QueryString "Outlook for iOS and Android" -AccessLevel Block
+ CategoryInfo : ObjectNotFound: (New-ActiveSyncDeviceAccessRule:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Many thanks, great article
Exchange 2007 doesn’t have that feature. You’ll need to look at other ways to block it, such as blocking the user agent in IIS or on your reverse proxy.
We have a mixed 2007 & 2013 environment. Will blocking it on the 2013 CAS servers also effectively block it for the 2007 mailboxes. That is, I assume the EAS rule is applied to the CAS piece.
Not sure, but I would assume so. Only way to know for sure is to test it.
Thanks a lot Paul, we just blocked it on Exchange 2010.
We would like to monitor the users using it despite being blocked, so as to be able to inform them that they should delete their account in the cloud and change their password.
Will your Get-EASDeviceReport.ps1 still be able to track those users or should we only quarantine instead of blocking it, to be able to see who is attempting to use it?
Rosario
Why not try it yourself and see the results first hand? You’ve put the block rule in place, grab a test device and install the app and try to connect.
YES! I scheduled your Script to run every night and I can see new users having made an attempt. SyncAge displays NEVER and LastSyncAttemptTime and LastSuccessSync are empty.
GREAT, that is what we need.
I modified the if clause in your script to filter out only the new iOS-Android users/devices and inverted to show SyncAge LESS than the given 30 days to get only users/devices who connected in the last few days, like this:
if ($EASDevice.DeviceModel -like ‘*Outlook for iOS and Android*’ -and ($syncAge -le $Age -or $syncAge -eq “Never”))
Of course you could omit the whole syncAge part if you are only intrested in tracking the iOS-Android users that started only recently as the app was released.
Yours, Rosario
Hy Paul,
We have a multitenant Exchange 2010 environment (Multitenancy by ABP’s). Can I apply an ActiveSyncDeviceAccessRule to (all users of) only one customer?
All users of this customer have one common value in a custom attribute (ABP is applied by that value) and are in a common Security and Distribution Group.
No.
By default we quarentine all devices and only allow the ones we want, so in a way we are ok on that front.
We have a very strict password Policy, so having credentials on a 3rd party server is a big issue with us. I can see that a number of users have tried to connect using Outlook for IOS, so my question is, given that they have tried to connect but were quarentined, does it mean that the passwords are still stored in the cloud?
I may have to force a password change on them.
Thanks
Possibly. If it is a concern then force a password reset. Frankly that would be what I would do, if my org policies were explicitly against it.
In other words, as was just described to me by our messaging architects – this does nothing to solve the problem of _registering_ the app and providing it the creds required to manage mail, it only blocks access once the app tries to sync.
So, my enterprise users that have unfortunately already installed Outlook and started using it have already exposed their creds to a third party server. Further, absent a fully configured and deployed MAM solution that can prevent mobile application installation, I also cannot prevent additional users from installing and configuring the app.
It looks like I’d better get that email security bulletin and out the door. How ironic that some of our users will be reading it from the app it warns them not to use!
Thanks for the timely post and information, Paul.
What about using the “Blocked Application” option under the ActiveSync properties using the Exchange GUI?
Wouldn’t it better to block just the APP instead the device itself. Blocking devices may create issues for IT in case the CEO has decided to test this app in the middle of the night.
If this option works, what should be the Application name to use?
Thanks,
Chris
I’m not sure that option even works actually.
How do you setup the opposite policy? How do you allow access to Exchange from the Outlook app only? I don’t want connections from any other mail apps except from the Outlook app. Please do not rail against this question. I just want to know how to do this. Thanks.
Set an org level policy to block or quarantine (quarantine is probably going to be better for you) then set either approve devices on a case by case basis or set a device access rule to allow the specific devices/apps you want.
https://practical365.com/preventing-new-activesync-device-types-from-connecting-to-exchange-server-2010/
do you know if you run the script to block “Outlook for iOS and Android”, will the user be able to still use the native email client to connect? (native being iOS)
I would test this on my own, but i don’t want to upgrade to iOS8, :(.
I can tell you running the script to block “Outlook for iOS and Android”. I can still use the native email client. But i want to know if a device gets blocked for attempting to use Outlook APP, can the same device then connect via EAS using the native client?
you have to have iOS8 to install the Outlook App. Thx
Blocking the Outlook app doesn’t block the native mail app on the same device.
Can this be accomplished in Exchange 2007?
Thanks,
Pari
Exchange 2007 doesn’t have the same capabilities as 2010/2013/O365. You’ll need to look at blocking it with IIS rules or at your reverse proxy.
How to block users from using “mail+ for outlook” app to access their mailbox? since its using OWA, firewall rule will help ?
Paul, we only allow a certain group of people to use ActiveSync, Is ActiveSync required in order for Outlook for iOS to work? I want to make sure this is not going to let just anyone connect to Exchange on their phones without approval.
Thank You.
Yes, Outlook for iOS uses ActiveSync.
What about blocking Gmail app from Android 5.0 and up and new Inbox app?
how to do the above in ECP? there is no query string to be modified.
Why not just use PowerShell? Fast and easy.
Hi Paul,
On the same mobile device, suppose that we have setuped 3 email client apps connecting to Exchange server, such as: Native email app, Outlook-iOS app, Touchdown app
By using cmdlets as your post above, is it possible to quarantine and block: Native email app and Outlook-iOS app, but only allow Touchdown app on the device to access exchange server? Could you help me some quickly guideline for that case?
Any help will highly appriciated!
Many Thanks
I think you could have a look at my if-clause in my post here. The filtering is done on a string basis, so, knowing the string with which the eMail-Client-App will connect to the Exchange server should be enough to quarantine or block it. Unless Exchange can only see the mobile device and not the eMail-App’s signature.
Hi Paul,
Is it possible to create restriction based on device GUID?
For example: Have a list of company distributed devices (GUID’s) allowed and all other devices quarantined.
Thanks,
Marinko
Hi Paul,
I got to know this article from one of post in MobileIron community and I read all article related to Blocking Active sync on 2010 and these are very simple and interesting.
Hope you can help me out this.
We have Exchange 2010 and integrated with MobileIron MDM. We have following setup:
1) using Native Client & Email+ app on Android devices to fetch Mail, Contact, Calendar etc.
2) Using only Native Client on iOS device to fetch Mail, Contact, Calendar etc.
We want to Allow Only Native Client & Email+ app on Android devices and Native Client on iOS devices and Block else (It can be any apps) since on Play Stores and App Stores there are number of apps that can access exchange data and we can’t find all these app and block them.
I know there are some other ways to achieve this and we implemented those as well but couldn’t fully block Active sync.
Any help will be highly appreciated.
Thanks,
Manoj
If you’re using MobileIron you should be controlling it all through MobileIron.
Any way to make an exception for 1 or 2 users? I need to let some security people to install it and connect for testing, but I don’t want to open it for everyone to make this happen.
How to customize the email send to user when the block policy is enabled.
You can only customize the quarantine message, not the block message.
Paul, nice article. Any experience with blocking Windows 8 and 10 default mail app. It seems to connect via ActiveSync. That is a definite hole if only allowing external access through OWA with TFA and passcode protected ActiveSync devices.
Yes, you can block them.
Is this still the case for the outlook apps provided for IOS and ANDROID?
Which part?
HI Paul,
how can we restrict IOS and android native email client or only outlook, kindly share the command for Exchange server 2013 and we need to allow only for certain user.
Hi Paul,
How can you restrict OWA access for a whole domain? We are currently controlling ActiveSync access with Quarantine, but if someone download the OWA app, they can get around our quarantine restrictions and automatically access email.
We are using Office 365.
You can disable the app per-mailbox. Look at Set-CASMailbox and the OWAforDevicesEnabled property.
So if I want to disable OWA for android and iOS mobile devices on say, Exchange 2016, it would essentially be the same process?
New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString “Outlook for iOS and Android” -AccessLevel Block
Yes.
This link suggests that the New-ActiveSyncDeviceaccessRule method won’t work, but suggests a “Set-CASMailbox -OWAforDevicesEnabled” method:
(removed)
That article was from 2013 and refers to a completely different app.
Hello Paul,
The New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString command “Outlook for iOS and Android” -AccessLevel Block no longer works with Office 365.
Error message :
New-ActiveSyncDeviceAccessRule: The term “New-ActiveSyncDeviceAccessRule” is not recognized as a cmdlet name,
That cmdlet works fine for me. Do you have PowerShell connected to Exchange Online?
Hello,
I redid the test is it works, Thanks
You can set exemptions for specific user:
1. Select Manage My Organization and then click on Users & Groups;
2. Search the user for whom you want to create the exemption for, and then select Details;
3. Under Phone & Voice Features, select Exchange ActiveSync and then select Edit;
4. Under Mobile Devices, select the device that you want to exempt and then click either Allow;
5. Click Save to create the exemption.