cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Outlook iOS - Circumventing App Protection Policies with Add-Ins

PiSHPoSH
Copper Contributor

‎Dec 13 2018 11:31 AM

‎Dec 13 2018 11:31 AM

Outlook iOS - Circumventing App Protection Policies with Add-Ins

Outlook mobile for iOS now includes a feature that lets you install Add-Ins on the mobile client.  Although I see how this could be viewed as a great and conducive feature for the user, there is a significant problem it brings up - it circumvents the app protection policies applied to the Outlook app.

 

For example:  I have my corporate email added to the Outlook iOS app that is containerized with our app protection policies, I then add the Evernote add-in and sign in with my personal account information, I'm now able to save corporate emails to my personal evernote.  And as far as I can tell, I as an administrator have no visibility into this.

 

Is there a way to disable these add-ins from an administration standpoint that I might be missing?

 

 

5,782 Views
0 Likes
8 Replies
Reply
8 Replies
Andrew Matthews

‎Dec 13 2018 10:13 PM

‎Dec 13 2018 10:13 PM

Re: Outlook iOS - Circumventing App Protection Policies with Add-Ins

Bad, very very bad.

 

Get a support call logged with Intune support ASAP.

1 Like
Reply
best response confirmed by PiSHPoSH (Copper Contributor)
Andrew Matthews

‎Dec 14 2018 02:14 AM

‎Dec 14 2018 02:14 AM

Solution

Re: Outlook iOS - Circumventing App Protection Policies with Add-Ins

Ok, I have a work around for you.

 

If you go into Exchange Online then go to Permisions then User roles; you should see a default role assignment policy. Edit the policy and disable all of the app roles (see the screenshot).

ExchangeOnline_Role_Policy.png

After you save the policy Outlook Add-ins not added by and Admin are blocked in the mobile clients and OWA. The user experience varies between Android and iOS but I was unable to install add-ins in Outlook on either platform.

Outlook_Android_Blocked_Addin.jpgOutlook_iOS_Blocked_AddIn.png

 

3 Likes
Reply
PiSHPoSH

‎Dec 14 2018 11:53 AM

‎Dec 14 2018 11:53 AM

Re: Outlook iOS - Circumventing App Protection Policies with Add-Ins

Ticket was submitted upon discovery of this.  Thanks for the reply!

0 Likes
Reply
PiSHPoSH

‎Dec 14 2018 11:56 AM

‎Dec 14 2018 11:56 AM

Re: Outlook iOS - Circumventing App Protection Policies with Add-Ins

That did the trick.  After updating that Policy with the settings you recommended and assigning it to my mailbox, I'm no longer able to add those add-ins.  Really appreciate the help with this.

 

Now I just need to test if this will mess up add-ins on the Outlook desktop client where we want users to be able to run certain add-ins.

 

Thanks again!

0 Likes
Reply
Andrew Matthews

‎Dec 14 2018 12:02 PM

‎Dec 14 2018 12:02 PM

Re: Outlook iOS - Circumventing App Protection Policies with Add-Ins

The Outlook add-in settings are cross platform so the setting affect Outlook Web Access, Outlook Mobile and Outlook Desktop.

 

I would advise locking down the Outlook add-ins so that users cannot add their own add-ins, then selectively add the add-ins that you want to Office 365.

 

That way you get the best of both worlds, security and happy users.

 

FYI - You helped me because this little trick has just been added to my O365 and Intune cookbook.

0 Likes
Reply
bsauro

‎Nov 13 2019 07:09 AM

‎Nov 13 2019 07:09 AM

Re: Outlook iOS - Circumventing App Protection Policies with Add-Ins

@Andrew Matthews 

 

Any idea how to stop OneNote in this scenario?  We are seeing that O365 keeps enabling the "send to OneNote" option on Outlook desktop, which will let you use OneNote on a phone in a personal account, and transfer data from Intune/company MAM policy into personal OneNote.  My org is unsure if this is a Microsoft data leakage issue, or a configuration issue - currently escalating but nobody seems to know/understand.  

0 Likes
Reply
Harkamal1013

‎Nov 21 2019 07:15 AM

‎Nov 21 2019 07:15 AM

Re: Outlook iOS - Circumventing App Protection Policies with Add-Ins

@PiSHPoSH did MS ever give you a solution to this? we are having the same issue with our users now.

 

0 Likes
Reply
Sujith Suriya

‎May 13 2020 02:33 AM

‎May 13 2020 02:33 AM

Re: Outlook iOS - Circumventing App Protection Policies with Add-Ins

@Andrew Matthews 

 

That's an excellent way to block add-ins. it would be really good if there is a way to allow only certain approved apps like onenote as add-ins OR hide this option from the apps (outlook) itself would be also good.

 

Alternatively, if there is a way to create role assignment policy and assign it to a specific group would be an option in my opinion. 

 

Overall, I am happy with this option for the time being.:smile:

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by PiSHPoSH (Copper Contributor)
Andrew Matthews

‎Dec 14 2018 02:14 AM

‎Dec 14 2018 02:14 AM

Solution

Re: Outlook iOS - Circumventing App Protection Policies with Add-Ins

Ok, I have a work around for you.

 

If you go into Exchange Online then go to Permisions then User roles; you should see a default role assignment policy. Edit the policy and disable all of the app roles (see the screenshot).

ExchangeOnline_Role_Policy.png

After you save the policy Outlook Add-ins not added by and Admin are blocked in the mobile clients and OWA. The user experience varies between Android and iOS but I was unable to install add-ins in Outlook on either platform.

Outlook_Android_Blocked_Addin.jpgOutlook_iOS_Blocked_AddIn.png

 

View solution in original post

3 Likes
Reply