Forum Discussion

Deleted
Dec 19, 2017
Solved

Intune-Managed Devices Can Suddenly Connect to O365 Mail Outside Of Container. What Changed?

We're an E5/EMS org and use Intune Hybrid to manage our mobile devices.  MDM Authority is SCCM. A long time ago we disabled ActiveSync and forced users to go with the containerized Outlook Client w...
    Deleted
    Jan 04, 2018

    Just to follow up, I worked with the Intune Team on this, and the answer was that we had not disabled POP3/IMAP for every mailbox, and thus anyone could use it to connect their device to their mailbox. 

    This may be a huge oversight on my part, but IDK.  We long ago disabled ActiveX, but nowhere did I ever see that POP3/IMAP were also vulnerable holes.  

    The product team was pretty sheepish about this huge security gap in the product, saying that it's 'umm.... not very well-documented.'  I took that to mean that it's a known weakness in the product that they don't advertise.  

    Anyway, there are remediation steps for existing mailboxes via 'set-casmailbox -popenabled $false -imapenabled $false'  Easy enough to do for all of your MBX's.

    For NEW users/mailboxes, you have to either do it as part of your provisioning, or modify the setting in the 'casmailboxplan'.  

    I found info here: 

     https://blogs.technet.microsoft.com/praveenkumar/2017/06/09/how-to-diable-popimap-protocol-for-all-users-by-default-in-office-365/ 

    Thx
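As an added example (not from the thread or from Microsoft), the remediation the reply describes written out as an Exchange Online PowerShell script: audit which mailboxes still have POP3/IMAP enabled, turn both off, and fix the mailbox plan defaults so newly provisioned mailboxes inherit the change. It assumes an existing Exchange Online session (e.g. `Connect-ExchangeOnline` from the ExchangeOnlineManagement module) with a role allowed to change CAS mailbox settings.

```powershell
# Added example, not code from the thread. Assumes Connect-ExchangeOnline has already been run.

# 1. Audit: list every mailbox where POP3 or IMAP is still enabled.
#    Get-CASMailbox defaults to 1000 results, so force an unlimited result size.
$exposed = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object Identity, PopEnabled, ImapEnabled

Write-Host ("Mailboxes with POP3/IMAP enabled: {0}" -f @($exposed).Count)
$exposed | Format-Table -AutoSize

# 2. Remediate existing mailboxes (add -WhatIf to the Set-CASMailbox call for a dry run).
foreach ($m in $exposed) {
    Set-CASMailbox -Identity $m.Identity -PopEnabled $false -ImapEnabled $false
}

# 3. Change the defaults: mailboxes created later take their CAS settings from the
#    CAS mailbox plan, so disable POP3/IMAP on every plan in the tenant.
Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false

# 4. Verify: re-run the audit; the count should now be 0, and the plans should show $false.
$remaining = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled }
Write-Host ("Remaining mailboxes with POP3/IMAP enabled: {0}" -f @($remaining).Count)
Get-CASMailboxPlan | Select-Object DisplayName, PopEnabled, ImapEnabled | Format-Table -AutoSize
```

Step 3 only affects mailboxes created after the plan change, so keep the audit in step 1 as a recurring check (or in your provisioning script) rather than a one-off.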
