SOLVED

Outlook iOS - Circumventing App Protection Policies with Add-Ins

PiSHPoSH
New Contributor

Outlook mobile for iOS now includes a feature that lets you install Add-Ins on the mobile client.  Although I see how this could be viewed as a great and conducive feature for the user, there is a significant problem it brings up - it circumvents the app protection policies applied to the Outlook app.

 

For example:  I have my corporate email added to the Outlook iOS app that is containerized with our app protection policies, I then add the Evernote add-in and sign in with my personal account information, I'm now able to save corporate emails to my personal Evernote.  And as far as I can tell, I as an administrator have no visibility into this.

 

Is there a way to disable these add-ins from an administration standpoint that I might be missing?

 

 

7 Replies

Bad, very very bad.

 

Get a support call logged with Intune support ASAP.

Solution

Ok, I have a work around for you.

 

If you go into Exchange Online then go to Permissions then User roles; you should see a default role assignment policy. Edit the policy and disable all of the app roles (see the screenshot).

[Screenshot: ExchangeOnline_Role_Policy.png]

After you save the policy, Outlook add-ins not added by an Admin are blocked in the mobile clients and OWA. The user experience varies between Android and iOS but I was unable to install add-ins in Outlook on either platform.

[Screenshot: Outlook_Android_Blocked_Addin.jpg]
[Screenshot: Outlook_iOS_Blocked_AddIn.png]

 

Ticket was submitted upon discovery of this.  Thanks for the reply!

That did the trick.  After updating that Policy with the settings you recommended and assigning it to my mailbox, I'm no longer able to add those add-ins.  Really appreciate the help with this.

 

Now I just need to test if this will mess up add-ins on the Outlook desktop client where we want users to be able to run certain add-ins.

 

Thanks again!

The Outlook add-in settings are cross platform, so the settings affect Outlook Web Access, Outlook Mobile and Outlook Desktop.

 

I would advise locking down the Outlook add-ins so that users cannot add their own add-ins, then selectively add the add-ins that you want to Office 365.

 

That way you get the best of both worlds, security and happy users.

 

FYI - You helped me because this little trick has just been added to my O365 and Intune cookbook.
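Scripted form of the two fixes in this thread (the accepted answer's role assignment policy change, and the advice above to deploy approved add-ins centrally instead), plus an audit of what users have already installed. This is an added example, not code from the thread or from Microsoft; it assumes the ExchangeOnlineManagement module, the default policy and role names Exchange Online ships with, and a placeholder manifest URL for the approved add-in.

```powershell
# Added example (not from the thread). Requires the ExchangeOnlineManagement
# module and an Exchange admin account. The policy and role names are Exchange
# Online defaults; $approvedManifestUrl is a placeholder you must replace.
Connect-ExchangeOnline

$policy   = 'Default Role Assignment Policy'
# The three end-user "app" roles that allow self-service add-in installation
# (the checkboxes disabled in the accepted answer's screenshot).
$appRoles = @('My Custom Apps', 'My Marketplace Apps', 'My ReadWriteMailbox Apps')

# 1. Audit: which app roles does the default policy currently grant?
foreach ($role in $appRoles) {
    Get-ManagementRoleAssignment -Role $role -RoleAssignee $policy -ErrorAction SilentlyContinue |
        Select-Object Name, Role, Enabled
}

# 2. Fix: remove those assignments so users can no longer add add-ins
#    themselves. The change is cross-platform (OWA, mobile and desktop).
foreach ($role in $appRoles) {
    Get-ManagementRoleAssignment -Role $role -RoleAssignee $policy -ErrorAction SilentlyContinue |
        ForEach-Object { Remove-ManagementRoleAssignment -Identity $_.Name -Confirm:$false }
}

# 3. Verify: none of the app roles should remain on the policy.
$remaining = foreach ($role in $appRoles) {
    Get-ManagementRoleAssignment -Role $role -RoleAssignee $policy -ErrorAction SilentlyContinue
}
if ($remaining) { Write-Warning "App roles still assigned: $(($remaining.Role | ForEach-Object { "$_" }) -join ', ')" }
else            { Write-Host "No self-service app roles remain on '$policy'." }

# 4. Visibility: the policy change does not uninstall add-ins users already
#    added. List per-mailbox add-ins that are not organization-deployed so they
#    can be reviewed (and removed with Remove-App if unwanted).
$orgAppIds = @(Get-App -OrganizationApp | Select-Object -ExpandProperty AppId)
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
    $upn = $_.UserPrincipalName
    Get-App -Mailbox $upn -ErrorAction SilentlyContinue |
        Where-Object { $orgAppIds -notcontains $_.AppId } |
        Select-Object @{ n = 'Mailbox'; e = { $upn } }, DisplayName, ProviderName, Enabled
}

# 5. Allow-list: deploy the add-ins you do want as organization apps, so users
#    keep them without being able to add their own. Placeholder URL, replace it.
$approvedManifestUrl = 'https://PLACEHOLDER.example/approved-addin/manifest.xml'
New-App -OrganizationApp -Url $approvedManifestUrl -ProvidedTo Everyone -DefaultStateForUser Enabled
```

Run steps 1 and 4 first in read-only form to see the current exposure before removing anything; step 4 is where the "no visibility" gap from the original question gets closed.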

@Andrew Matthews 

 

Any idea how to stop OneNote in this scenario?  We are seeing that O365 keeps enabling the "send to OneNote" option on Outlook desktop, which will let you use OneNote on a phone in a personal account, and transfer data from Intune/company MAM policy into personal OneNote.  My org is unsure if this is a Microsoft data leakage issue, or a configuration issue - currently escalating but nobody seems to know/understand.  

@PiSHPoSH did MS ever give you a solution to this? We are having the same issue with our users now.

 
