Microsoft has shipped an update for Outlook for iOS and Android that includes support for device PIN policies. The new version number with this feature for both iOS and Android versions is 1.0.4.
Lack of support for PIN policies was one of the major criticisms of Outlook for iOS and Android when it first shipped. Basically the application would successfully connect to Exchange or Office 365 if the mobile device policies required a PIN, even when the device itself had no PIN. In effect it was ignoring the mobile device policies set by the organization. This caused some organizations to decide that blocking the app was the the safest approach.
I tested the new version of the app on both iOS and Android and confirmed that the PIN requirements are now enforced.
On iOS if the mobile device has the PIN removed the Outlook app blocks the user from accessing any of the email accounts in the app until the non-compliant account is deleted from the app.
This actually means that the user can’t access any email account in the app, even normal consumer accounts like Outlook.com, as long as the non-compliant account is still configured. A little disruptive to the end user perhaps, but it certainly achieves the desired outcome from a corporate security perspective.
For Android the behaviour is a little different, with the user prevented from removing the PIN code from the device (or at least this is how my Nexus 7 tablet behaved).
Unfortunately this isn’t a clear win for Microsoft or customers. There are some caveats here that you need to be aware of.
When Outlook for iOS and Android connects to your Exchange or Office 365 services it does not connect directly. Instead it connects to some servers that Microsoft operates, and those servers connect to your network to retrieve the user’s emails. This acts as a kind of proxy and allows the application to remain light-weight, be developed and optimized faster, and do intelligent processing of your emails.
However what this also means is that no matter how many devices you are using Outlook for iOS and Android on, you only see one device association for your mailbox.
In the example above an Android device and two iOS devices are connected to a mailbox, but the mailbox only shows a single device association.
PS C:\> Get-MobileDevice | where devicetype -eq "Outlook" | select Device* DeviceId : AB5F6EFCDA6E681E DeviceImei : DeviceMobileOperator : DeviceOS : Outlook for iOS and Android 1.0 DeviceOSLanguage : DeviceTelephoneNumber : DeviceType : Outlook DeviceUserAgent : Outlook-iOS-Android/1.0 DeviceModel : Outlook for iOS and Android DeviceAccessState : Allowed DeviceAccessStateReason : Global DeviceAccessControlRule :
There is no distinction between different devices, nor is there any distinction between different versions of the application. I can still connect a non-compliant version of the application to my mailbox and it will work. Only the devices with the new version will enforce the PIN requirement.
This puts organizations who want to allow the new version of the application in a tricky situation, because removing their device access rule will allow the non-compliant versions to connect again. There is a slightly cumbersome middle ground, where a quarantine rule is used until the IT team is able to confirm that the end user is on the newer version of the app before allowing the device to connect. That process wouldn’t scale very well though.
I’m sure Microsoft has plans to resolve this in a future update, perhaps by updating the user agent or some other characteristic of the app to allow the specific versions to be blocked/allowed with device access rules. But at least we’re seeing the rapid development and updates that were promised when the app was first launched.