
How to Block or Quarantine the Outlook for iOS and Android App in Exchange Server and Office 365

Microsoft has released the Outlook for iOS and Android app, which is intended to replace the OWA for Devices mobile client on Apple iOS and Google Android smartphones and tablets.

The Outlook for iOS and Android app is essentially another ActiveSync client for connecting mobile devices to Exchange and Office 365. It also supports other mail services like Outlook.com.

For some organizations there are security and compliance concerns with the way the new Outlook for iOS and Android app functions, which means those organizations will want to block or quarantine the app from connecting to their Exchange or Office 365 mailboxes until it can be further evaluated.

You can read more about the new app and some of the technical concerns people have with it here:

In the meantime, here’s how to block or quarantine the Outlook for iOS and Android app. First let’s look at how it appears as a mobile device association in Exchange.

For Exchange Server 2010 use Get-ActiveSyncDevice instead of Get-MobileDevice.

ActiveSync device access rules can be based on a few different device criteria. From the information above it looks like the DeviceModel will be the simplest approach here, as others such as UserAgent may change with later versions of the Outlook for iOS and Android app.

To block the Outlook for iOS and Android app in Office 365, Exchange Server 2010 or 2013 with a device access rule:

To quarantine instead:

Devices should now appear as blocked or quarantined with the reason of “DeviceRule”.
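The procedure above, worked through end to end as an added example (this is not the article's own script): it confirms the DeviceModel string the app presents, creates a Block or Quarantine rule only if one does not already exist, and then verifies the result. It assumes an Exchange Management Shell or Office 365 remote PowerShell session; the mailbox name is a placeholder, and on Exchange Server 2010 Get-MobileDevice is replaced with Get-ActiveSyncDevice as the article notes.

```powershell
# Added example, not the article's code. Assumes Exchange 2010 SP1+/2013 or Office 365
# remote PowerShell. $Mailbox is a placeholder; on Exchange 2010 swap
# Get-MobileDevice for Get-ActiveSyncDevice.
param(
    [string]$Mailbox = 'user@example.com',                       # placeholder mailbox
    [ValidateSet('Block', 'Quarantine')][string]$Mode = 'Quarantine'
)

# DeviceModel string the app presents (as shown in the article's device output).
$appModel = 'Outlook for iOS and Android'

# 1. Confirm how the app identifies itself before writing a rule. UserAgent and DeviceOS
#    carry a version number and may change between app releases; DeviceModel does not.
Get-MobileDevice -Mailbox $Mailbox |
    Select-Object FriendlyName, DeviceType, DeviceModel, DeviceUserAgent,
                  DeviceAccessState, DeviceAccessStateReason

# 2. Create the device access rule once; a second rule with the same query string is an error.
$existing = Get-ActiveSyncDeviceAccessRule |
    Where-Object { $_.Characteristic -eq 'DeviceModel' -and $_.QueryString -eq $appModel }

if ($existing) {
    Write-Host "Rule already exists: $($existing.Name) (AccessLevel $($existing.AccessLevel))"
}
else {
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel `
                                   -QueryString $appModel `
                                   -AccessLevel $Mode
}

# 3. Verify. A device is re-evaluated on its next connection attempt, after which its
#    DeviceAccessState shows Blocked or Quarantined with DeviceAccessStateReason = DeviceRule.
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceModel -like "*$appModel*" } |
    Select-Object UserDisplayName, DeviceModel, DeviceAccessState,
                  DeviceAccessStateReason, DeviceAccessControlRule |
    Sort-Object UserDisplayName
```

Quarantine rather than Block is the safer first step when the goal is evaluation: quarantined devices still show up in the device list with their state and reason, so you can see who is attempting to use the app while it stays unable to sync. Note that a device access rule is applied after the user has authenticated, so it does not stop the app being set up with a user's credentials; it only stops the resulting sync.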

Additional info: Outlook for iOS/Android Still Able to Connect After Disabling ActiveSync

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.

63 comments

  1. Tim says:

    Thanks for getting this out there. I bet a lot of enterprise customers will be scrambling to block due the caching of email and passwords to the cloud. Not particularly happy with how MS handled this acquisition.

    • Giving customers the choice to allow or block the app (which we have) is the most important thing. Microsoft is already committed to making the app more enterprise-friendly and I expect we’ll see a lot of updates over the next 12 months to get us there.

  2. Sahin Boluk says:

    Hi Paul, I posted a comment on your other article, http://practical365.com/creating-activesync-device-access-rules-exchange-server-2010/#comment-154032 about this same thing, then came across this article as this is what I am looking for.

    I created the rule, but the devices or application is not getting blocked. I do have another mail application, Touchdown, on the same device, not sure if that is the issue. We do use Mass360 as well to enforce policies on devices, maybe that is the issue.

    Any thoughts?

    • You’ll need to show me the output of this command:

      Get-MobileDevice -Mailbox yourmailboxname | fl FriendlyName,Device*,Client*,Is*

      And then show me exactly what command you ran to create the device access rule.

  3. Sahin Boluk says:

    Hi Paul, below is the output. At first I used PowerShell to create the rules, then I deleted those and used the GUI to create it. I put the output of that at the end of this comment as well. Also, I just did an IISReset on all of our CAS servers, and it still looks like it didn’t help. Thanks in advance for all your help!

    [PS] C:\SCRIPTS>Get-ActiveSyncDeviceStatistics -Mailbox bolukrsw | fl FriendlName,Device*,Client*,Is*

    DeviceType : Outlook
    DeviceID : C62DDA89E034BB93
    DeviceUserAgent : Outlook-iOS-Android/1.0
    DeviceWipeSentTime :
    DeviceWipeRequestTime :
    DeviceWipeAckTime :
    DeviceModel : Outlook for iOS and Android
    DeviceImei :
    DeviceFriendlyName : Outlook for iOS and Android
    DeviceOS : Outlook for iOS and Android 1.0
    DeviceOSLanguage :
    DevicePhoneNumber :
    DeviceEnableOutboundSMS : False
    DeviceMobileOperator :
    DeviceAccessState : Allowed
    DeviceAccessStateReason : Individual
    DeviceAccessControlRule :
    DevicePolicyApplied : WindowsPhoneNoPassword
    DevicePolicyApplicationStatus : AppliedInFull
    DeviceActiveSyncVersion : 14.1
    IsRemoteWipeSupported : True

    DeviceType : Toggle
    DeviceID : d36a7cc005f99e9d7124337829c55fc5
    DeviceUserAgent : Toggle/3.0
    DeviceWipeSentTime :
    DeviceWipeRequestTime :
    DeviceWipeAckTime :
    DeviceModel : SM-T800
    DeviceImei :
    DeviceFriendlyName : SM-T800
    DeviceOS : Android 4.4.2
    DeviceOSLanguage :
    DevicePhoneNumber :
    DeviceEnableOutboundSMS : False
    DeviceMobileOperator :
    DeviceAccessState : Allowed
    DeviceAccessStateReason : Individual
    DeviceAccessControlRule :
    DevicePolicyApplied : WindowsPhoneNoPassword
    DevicePolicyApplicationStatus : AppliedInFull
    DeviceActiveSyncVersion : 14.1
    IsRemoteWipeSupported : True

    DeviceType : Touchdown
    DeviceID : 3939303030343437363831383835
    DeviceUserAgent : TouchDown(MSRPC)/8.4.00086/
    DeviceWipeSentTime :
    DeviceWipeRequestTime :
    DeviceWipeAckTime :
    DeviceModel : SM-G900P
    DeviceImei : 99000447681885
    DeviceFriendlyName : Android_ynhh_bolukrsw
    DeviceOS : Android 4.4.4
    DeviceOSLanguage : English
    DevicePhoneNumber : ******0820
    DeviceEnableOutboundSMS : False
    DeviceMobileOperator :
    DeviceAccessState : Allowed
    DeviceAccessStateReason : Individual
    DeviceAccessControlRule :
    DevicePolicyApplied : WindowsPhoneNoPassword
    DevicePolicyApplicationStatus : AppliedInFull
    DeviceActiveSyncVersion : 14.1
    IsRemoteWipeSupported : True

    [PS] C:\SCRIPTS>Get-ActiveSyncDeviceAccessRule

    RunspaceId : f30cf520-9f0e-441f-974d-4ac0d6895665
    QueryString : Outlook for iOS and Android
    Characteristic : DeviceModel
    AccessLevel : Block
    Name : Outlook for iOS and Android (DeviceModel)
    AdminDisplayName :
    ExchangeVersion : 0.10 (14.0.100.0)
    DistinguishedName : CN=Outlook for iOS and Android (DeviceModel),CN=Mobile Mailbox Settings,CN=xxxxxxxCN=Microsoft Exchange,CN=Services,CN=Configuration,DC=YNHHSC,DC=ORG
    Identity : Outlook for iOS and Android (DeviceModel)
    Guid : 3bab0fa7-8659-4280-9d35-99c78c126745
    ObjectCategory : xxxxxxx/Configuration/Schema/ms-Exch-Device-Access-Rule
    ObjectClass : {top, msExchDeviceAccessRule}
    WhenChanged : 2/2/2015 4:45:01 PM
    WhenCreated : 2/2/2015 4:44:09 PM
    WhenChangedUTC : 2/2/2015 9:45:01 PM
    WhenCreatedUTC : 2/2/2015 9:44:09 PM
    OrganizationId :
    OriginatingServer : xxxxx
    IsValid : True

  4. Sahin Boluk says:

    One last question, if I only have the default organization setting, is the individual access state coming from Mass360?

  5. David Knudson says:

    Paul, in your example you had a specific client used in the Get-Mobile… statement. Is there a way to see if anyone in the store has enabled this without knowing a specific user? I use Exchange 2010.

    • Ian says:

      David, I don’t have any results to verify but try the following:
      Get-ActiveSyncDevice | Where-Object {$_.DeviceModel -like '*Outlook for iOS and Android*'}
      or
      Get-ActiveSyncDevice | Where-Object {$_.DeviceAccessStateReason -like '*DeviceRule*'}

      • David Knudson says:

        Paul,
        I am a little confused about the output of this report when using -Age 30. I was thinking that would set it up for seeing all syncs done in the last thirty days. Apparently it's for any syncs beyond 30 days??

        In one instance, I see under LastSyncAttemptTime and LastSuccessSync it shows a return value of April 2014. I know this person gets their email on the phone currently and has all along.

        In the case of my phone (I have three listings for different phones associated with my name) the last one has me way back to 12/8/2013. (That might have been when I got my current phone.)

        What do the LSAT and LSS fields really tell us? What are they really recording?? Is this recording the last time they interacted with the sync process or the last time they “registered” with the system?? Is there a way to see ongoing syncs so we can see who is communicating currently?

        thanks
        dave

  6. David says:

    Hi Paul !

    Great info! We are on Exchange 2007 and Outlook for iOS violates our policies – can you advise options for Exchange 2007?

    We use ISA as a reverse proxy, is that an option too?

  7. Ste Mc says:

    Hi Paul

    We need to block this on Exchange 2007 but the cmdlet above doesn't seem to work, could you advise?

    The error I get is:

    [PS] C:\Windows\system32>New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString "Outlook for iOS and Android" -AccessLevel Block
    The term 'New-ActiveSyncDeviceAccessRule' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:1 char:31
    + New-ActiveSyncDeviceAccessRule <<<< -Characteristic DeviceModel -QueryString "Outlook for iOS and Android" -AccessLevel Block
    + CategoryInfo : ObjectNotFound: (New-ActiveSyncDeviceAccessRule:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    Many thanks, great article

  8. Rosario Carcò says:

    Thanks a lot Paul, we just blocked it on Exchange 2010.

    We would like to monitor the users using it despite being blocked, so as to be able to inform them that they should delete their account in the cloud and change their password.

    Will your Get-EASDeviceReport.ps1 still be able to track those users or should we only quarantine instead of blocking it, to be able to see who is attempting to use it?

    Rosario

      • Rosario Carcò says:

        YES! I scheduled your Script to run every night and I can see new users having made an attempt. SyncAge displays NEVER and LastSyncAttemptTime and LastSuccessSync are empty.

        GREAT, that is what we need.

        I modified the if clause in your script to filter out only the new iOS-Android users/devices and inverted to show SyncAge LESS than the given 30 days to get only users/devices who connected in the last few days, like this:

        if ($EASDevice.DeviceModel -like '*Outlook for iOS and Android*' -and ($syncAge -le $Age -or $syncAge -eq "Never"))

        Of course you could omit the whole syncAge part if you are only interested in tracking the iOS-Android users that started only recently as the app was released.

        Yours, Rosario
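The monitoring that Rosario and David describe above, written out as a complete stand-alone report (an added example; it is neither the article's Get-EASDeviceReport.ps1 nor Rosario's modified copy of it). It lists every device association whose DeviceModel matches the app, together with its access state and a SyncAge that reads "Never" when there has been no successful sync, so that users who attempted to use the app even after the rule was in place are still visible. The $Age cutoff, the CSV path and the "Never" convention are assumptions; on Exchange 2010 the two Get-MobileDevice* cmdlets become Get-ActiveSyncDevice and Get-ActiveSyncDeviceStatistics.

```powershell
# Added example, not the article's or Rosario's script. Assumes Exchange 2013/Office 365
# cmdlets; on Exchange 2010 use Get-ActiveSyncDevice / Get-ActiveSyncDeviceStatistics.
param(
    [int]$Age = 30,                                   # assumed cutoff in days
    [string]$CsvPath = '.\OutlookAppDevices.csv'      # placeholder output path
)

$appModel = 'Outlook for iOS and Android'
$now      = Get-Date

# Every association for the app, regardless of which mailbox it belongs to.
$devices = Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceModel -like "*$appModel*" }

$report = foreach ($device in $devices) {
    # Statistics carry the two sync timestamps David asks about:
    # LastSyncAttemptTime = last time the client tried to sync,
    # LastSuccessSync     = last time a sync completed.
    $stats = Get-MobileDeviceStatistics -Identity $device.Identity

    # Convention borrowed from Rosario's filter: "Never" when no sync has ever succeeded,
    # otherwise whole days since the last successful sync.
    $syncAge = if ($stats.LastSuccessSync) {
        [int]($now - $stats.LastSuccessSync).Days
    } else {
        'Never'
    }

    # Keep recent connections and devices that never got a successful sync (i.e. the
    # ones a Block or Quarantine rule stopped).
    if ($syncAge -eq 'Never' -or $syncAge -le $Age) {
        [PSCustomObject]@{
            User                    = $device.UserDisplayName
            DeviceModel             = $device.DeviceModel
            UserAgent               = $device.DeviceUserAgent
            AccessState             = $device.DeviceAccessState
            AccessStateReason       = $device.DeviceAccessStateReason
            FirstSyncTime           = $device.FirstSyncTime
            LastSyncAttemptTime     = $stats.LastSyncAttemptTime
            LastSuccessSync         = $stats.LastSuccessSync
            SyncAge                 = $syncAge
        }
    }
}

$report | Sort-Object User | Format-Table -AutoSize
$report | Export-Csv -Path $CsvPath -NoTypeInformation
```

Run nightly, as Rosario does, the CSV gives you the list of users to contact. A device that appears with AccessState Blocked or Quarantined and SyncAge "Never" has still gone through authentication to get that far, which is why the follow-up in the comments is to have those users remove the account from the app and change their password rather than just to rely on the rule.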

  9. Arjen says:

    Hi Paul,

    We have a multitenant Exchange 2010 environment (Multitenancy by ABP’s). Can I apply an ActiveSyncDeviceAccessRule to (all users of) only one customer?

  10. Marc says:

    By default we quarantine all devices and only allow the ones we want, so in a way we are OK on that front.
    We have a very strict password policy, so having credentials on a 3rd party server is a big issue with us. I can see that a number of users have tried to connect using Outlook for iOS, so my question is, given that they have tried to connect but were quarantined, does it mean that the passwords are still stored in the cloud?
    I may have to force a password change on them.

    Thanks

      • Joey Peloquin says:

        In other words, as was just described to me by our messaging architects – this does nothing to solve the problem of _registering_ the app and providing it the creds required to manage mail, it only blocks access once the app tries to sync.

        So, my enterprise users that have unfortunately already installed Outlook and started using it have already exposed their creds to a third party server. Further, absent a fully configured and deployed MAM solution that can prevent mobile application installation, I also cannot prevent additional users from installing and configuring the app.

        It looks like I’d better get that email security bulletin out the door. How ironic that some of our users will be reading it from the app it warns them not to use!

        Thanks for the timely post and information, Paul.

  11. Chris says:

    What about using the “Blocked Application” option under the ActiveSync properties in the Exchange GUI?
    Wouldn’t it be better to block just the app instead of the device itself? Blocking devices may create issues for IT in case the CEO has decided to test this app in the middle of the night.
    If this option works, what should be the application name to use?

    Thanks,
    Chris

  12. John says:

    How do you setup the opposite policy? How do you allow access to Exchange from the Outlook app only? I don’t want connections from any other mail apps except from the Outlook app. Please do not rail against this question. I just want to know how to do this. Thanks.

  13. tonydiesel says:

    Do you know if you run the script to block “Outlook for iOS and Android”, will the user be able to still use the native email client to connect? (native being iOS)

    I would test this on my own, but I don’t want to upgrade to iOS 8, :(.

    I can tell you that running the script to block “Outlook for iOS and Android”, I can still use the native email client. But I want to know if a device gets blocked for attempting to use the Outlook app, can the same device then connect via EAS using the native client?

    You have to have iOS 8 to install the Outlook app. Thx

  14. John says:

    How do you block users from using the “mail+ for outlook” app to access their mailbox? Since it’s using OWA, will a firewall rule help?

  15. Oscar says:

    Paul, we only allow a certain group of people to use ActiveSync. Is ActiveSync required in order for Outlook for iOS to work? I want to make sure this is not going to let just anyone connect to Exchange on their phones without approval.

    Thank You.

  16. Hoa Nguyen says:

    Hi Paul,
    On the same mobile device, suppose that we have set up 3 email client apps connecting to the Exchange server, such as: native email app, Outlook-iOS app, Touchdown app.
    By using the cmdlets in your post above, is it possible to quarantine and block the native email app and Outlook-iOS app, but only allow the Touchdown app on the device to access the Exchange server? Could you give me a quick guideline for that case?
    Any help will be highly appreciated!

    Many Thanks

    • Rosario says:

      I think you could have a look at my if-clause in my post here. The filtering is done on a string basis, so, knowing the string with which the eMail-Client-App will connect to the Exchange server should be enough to quarantine or block it. Unless Exchange can only see the mobile device and not the eMail-App’s signature.

  17. Marinko says:

    Hi Paul,

    Is it possible to create restriction based on device GUID?

    For example: Have a list of company distributed devices (GUID’s) allowed and all other devices quarantined.

    Thanks,
    Marinko

  18. Manoj Kumar says:

    Hi Paul,

    I got to know this article from one of the posts in the MobileIron community and I read all the articles related to blocking ActiveSync on 2010 and these are very simple and interesting.

    Hope you can help me out with this.

    We have Exchange 2010 and integrated with MobileIron MDM. We have following setup:
    1) using Native Client & Email+ app on Android devices to fetch Mail, Contact, Calendar etc.
    2) Using only Native Client on iOS device to fetch Mail, Contact, Calendar etc.

    We want to allow only the native client & Email+ app on Android devices and the native client on iOS devices and block everything else (it can be any app), since on the Play Store and App Store there are a number of apps that can access Exchange data and we can’t find all these apps and block them.

    I know there are some other ways to achieve this and we implemented those as well but couldn’t fully block ActiveSync.

    Any help will be highly appreciated.

    Thanks,
    Manoj

  19. Megan Sheppard says:

    Any way to make an exception for 1 or 2 users? I need to let some security people install it and connect for testing, but I don’t want to open it for everyone to make this happen.

  20. Fidel Quintela says:

    Paul, nice article. Any experience with blocking the Windows 8 and 10 default mail app? It seems to connect via ActiveSync. That is a definite hole if only allowing external access through OWA with TFA and passcode-protected ActiveSync devices.

  21. Brent Braun says:

    Hi Paul,

    How can you restrict OWA access for a whole domain? We are currently controlling ActiveSync access with Quarantine, but if someone downloads the OWA app, they can get around our quarantine restrictions and automatically access email.

  22. bonesleon says:

    So if I want to disable OWA for android and iOS mobile devices on say, Exchange 2016, it would essentially be the same process?

    New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString "Outlook for iOS and Android" -AccessLevel Block
