Limiting sensitive data in notifications
Published Nov 15 2019 03:00 AM 26.6K Views
Microsoft

IMPORTANT: Support for blocking sensitive data in notifications with Outlook for iOS has been delayed due to a dependency on notification encryption. To ensure the best customer experience, we are pausing the rollout of notification encryption for O365 tenants, which is required to support blocking sensitive data in notifications for Outlook for iOS. We expect to have notification encryption enabled for tenants by the end of May 2020. Limiting sensitive data in notifications is now available for commercial tenants using Outlook for iOS as of May 20, 2020.

Mobile app notifications are critical in alerting users of new content or reminding them to act. Users interact with these notifications via the lock screen and in the operating system’s notification center. Notifications often include detailed information, which can be sensitive in nature. This information, unfortunately, can inadvertently be leaked to casual observers.

As you can imagine, the notifications that enterprise users act on the most are messaging and calendaring notifications. Outlook for iOS and Android has designed its notifications to let users triage email and to alert them to upcoming meetings, including Time to Leave suggestions. Mail notifications include the sender's address, the subject of the message, and a short preview of the message body. Calendar reminders include the subject, location, and start time of the meeting.

Recognizing that these notifications may include sensitive data, in December Intune will roll out support for limiting sensitive data in notifications, and Outlook for iOS and Android is the first app (on both platforms) to take advantage of this new functionality!

This functionality is being delivered as a new App Protection Policy (APP) setting, Org Data Notifications. Because it is an APP setting, it applies on all of the user's devices (phones, tablets, and wearables) for the apps that support the setting. When Org Data Notifications is set to Block Org Data, this is how mail and calendar notifications from Outlook for iOS and Android will appear:

[Image: Limited Notifications.png]

In addition, Outlook for iOS and Android is introducing a new data protection App Configuration Policy (ACP) setting that provides additional flexibility for calendar notifications: you can block sensitive information in mail notifications while allowing it in calendar notifications. After all, your users might just need to know where they are going and when they should leave, at a glance. When Calendar Notifications is set to Allowed, the notifications will appear as follows:

[Image: Cal Notification Exposed.png]

The following table outlines the notification experience in Outlook for iOS and Android based on the combination of the APP and ACP settings:

APP setting value | ACP Calendar setting value | Outlook notification behavior
Allow (default) | Not Configured (default) | Default client behavior where sensitive data is exposed in mail and calendar notifications
Block | Not Configured | Sensitive data is exposed in mail and calendar notifications, as Outlook ignores the Block setting
Block Org Data | Not Configured | Sensitive data is not available in mail or calendar notifications
Block Org Data | Allowed | Sensitive data is not available in mail notifications; calendar notifications expose sensitive data
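To make the combination table above checkable against exported policy data, here is an added Python example that is not part of the original post or the Intune product. It assumes policy records shaped like the Microsoft Graph managedAppProtection resource (notificationRestriction values allow, block, blockOrganizationalData) and models the ACP calendar value as a plain string, since the article names the setting but not its configuration key; the sample records are constructed.

```python
# Added example (not from the original post): derive Outlook's notification
# exposure from the APP/ACP combination table and audit policy records for
# combinations that still expose mail data.
# Assumptions: records follow the Graph managedAppProtection shape, whose
# notificationRestriction enum is "allow", "block" or "blockOrganizationalData";
# the ACP calendar value is modelled as "notConfigured" / "allowed" because
# the article names the setting but not its key.
from dataclasses import dataclass

# Graph enum value -> wording used in the article's table
APP_VALUE = {
    "allow": "Allow",
    "block": "Block",
    "blockOrganizationalData": "Block Org Data",
}


@dataclass(frozen=True)
class Exposure:
    mail_exposed: bool
    calendar_exposed: bool
    note: str


def notification_exposure(app_setting, acp_calendar="notConfigured"):
    """Return what Outlook for iOS/Android exposes for one APP/ACP combination."""
    app = APP_VALUE.get(app_setting)
    if app is None:
        raise ValueError(f"unknown notificationRestriction value: {app_setting!r}")
    if app == "Allow":
        return Exposure(True, True, "default client behaviour")
    if app == "Block":
        # Outlook ignores plain "Block", so data is still exposed: the easiest
        # misconfiguration to make when the intent was to limit notifications.
        return Exposure(True, True, "'Block' is ignored by Outlook; use 'Block Org Data'")
    if acp_calendar == "allowed":  # Block Org Data + calendar allowed via ACP
        return Exposure(False, True, "mail limited; calendar allowed via ACP")
    return Exposure(False, False, "mail and calendar limited")


def audit(policies, acp_calendar_by_policy=None):
    """List policies whose effective behaviour still exposes mail data."""
    acp_calendar_by_policy = acp_calendar_by_policy or {}
    findings = []
    for policy in policies:
        name = policy["displayName"]
        acp = acp_calendar_by_policy.get(name, "notConfigured")
        exposure = notification_exposure(policy["notificationRestriction"], acp)
        if exposure.mail_exposed:
            findings.append(f"{name}: mail data exposed ({exposure.note})")
    return findings


# Constructed sample records, not real tenant data
SAMPLE_POLICIES = [
    {"displayName": "iOS-Outlook-Default", "notificationRestriction": "allow"},
    {"displayName": "iOS-Outlook-Block", "notificationRestriction": "block"},
    {"displayName": "Android-Outlook-OrgData",
     "notificationRestriction": "blockOrganizationalData"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICIES, {"Android-Outlook-OrgData": "allowed"}):
        print(finding)
```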

As a result of these improvements, Outlook for iOS and Android is removing support for several data protection app configuration keys that were previously used to manage notifications on the iOS platform:

  • microsoft.outlook.Mail.NotificationsEnabled
  • microsoft.outlook.Mail.NotificationsEnabled.UserChangeAllowed
  • microsoft.outlook.Calendar.NotificationsEnabled
  • microsoft.outlook.Calendar.NotificationsEnabled.UserChangeAllowed

These keys will be removed starting the week of December 16th, 2019.

We hope you will enable this new APP setting in your deployments once it releases in December. If you have any questions, please let us know.

Ross Smith IV
Principal Program Manager
Customer Experience Engineering

36 Comments
Steel Contributor

When I first saw this tweet, I thought you meant the notifications might be obscured based on the sensitivity label setting. The rest of this is very cool, and I can't wait to see it delivered. Do you think you will ever expand this feature to block company data if certain sensitivity labels are used, versus all mail notifications being on/off as a global setting?

This reminds me of the scenario you guys talked about at Ignite, with a VP getting an important email with sensitive information in the title showing up as a notification... Perhaps those marked with particular labels like Confidential could be obfuscated, while other lower labels wouldn't? (If configured as such by the org, as an option, similar to obfuscating mail but allowing calendar data in the notifications.)

I'm not sure how complicated that would be to roll out in the future, just a thought I had when I read the first part of your post. :) Thanks again for bringing so many great features to Outlook mobile via Intune APP and ACP!!!

Your gold standard session from Ignite was the best session of the week in my opinion, and I've been sharing it with tons of people! https://aka.ms/OMGSignite if y'all haven't seen it, totally worth the watch (I've already rewatched it a couple of times as well).

Microsoft
@Chris Smith - Right now there are no plans to tie sensitivity labeling with limiting what's returned in a notification, but that's an interesting scenario. Thanks for the feedback! And I'm glad you liked the session!!
Silver Contributor

You talk about Android and only show iOS screens above. Currently on my personal phone and personal IMAP account in Outlook (no work data at all) I see this and I don't like it:

[Image: Screenshot_20191109-211200.png]

I don't have an older screenshot, but Outlook used to show just a blue icon and a time a week ago (like Keep and other apps). It seems that Outlook already received this support, and by this you are breaking Android's design structure, introducing this superfluous message that I don't need. I already block sensitive data on the lock screen with the system-wide setting. I've commented about this on the Outlook blog https://techcommunity.microsoft.com/t5/Outlook-Blog/Outlook-mobile-makes-the-grade-A-gold-standard-f... and tried to contact in-app support.

I also wonder what will happen if the system setting is set to block and APP/ACP is set to Allow. I hope you are not going to somehow overrule the system setting and push sensitive data to lock screens. Not sure if this is possible. But seeing this new message in the Outlook notification, who knows. If the org thinks it is OK to show sensitive data on lock screens, the user should still be able to decide to hide it.

Microsoft

@wroot - Hi, this was a recent bug fix because we found we were not consistent in how notifications were displayed with respect to the OS setting. This change ensures that when the OS restricts notification content on the lock screen, we display an appropriate response and use the correct APIs. For example, the Samsung mail app states "Content hidden" when the OS setting is enabled. This change does not have anything to do with limiting sensitive notifications via App Protection Policies (APP). APP cannot override the OS control, either. We're implementing the APP controls because our enterprise customers cannot be assured that the OS control is enabled. So, in your example, if the APP is set to allow, and the user has enabled the OS setting, then the content is hidden per the OS control.

Silver Contributor

Very strange. No other app is doing this, and certainly no Google app does that, as you can see with Keep in my screenshot. And this is on a Pixel, which should be as standard as it can be. Samsung... they don't show it either on the lock screen. My work S9 just shows a blue email or event icon, no text, nothing. It's a pity the design is broken with this change.

Silver Contributor

Btw, is this guidance for A9 or A10? I suppose general public can't get a hold of this guidance or is there a link to share?

Microsoft

@wroot - Outlook made the decision to post "Content hidden", but we're using Android APIs to determine that the OS setting is in use - https://developer.android.com/reference/androidx/core/app/NotificationCompat.Builder#setPublicVersio...).

And like I said, Samsung Mail exposes "Content hidden", so there are other apps out there that do this.

Silver Contributor

Not that I agree that Samsung could set an example on how Android should behave... But it doesn't show "Content hidden" anywhere on a Samsung S9 with Android 9 and their "One UI". Not with Outlook, nor with their Email app. I can't seem to find the same privacy setting for the lock screen on Samsung, so I can't block showing Outlook email/event titles in the notification drawer on a locked screen. In Samsung's email app I have enabled blocking private content on the lock screen and it still shows the title and no "Content hidden" :) Granted, not on the lock screen itself, but in the notification drawer; I haven't seen One UI show any content other than just icons on the lock screen itself. That's why I don't like Samsung as an example. It's bizarre and flawed. And their Email app should be purged with fire :D

[Images: Screenshot_20191118-201500_One UI Home.png, Screenshot_20191118-204107.png, Screenshot_20191118-210131_One UI Home.png]

Silver Contributor

You said you have decided to show "Content hidden" in Outlook. I might agree that this is useful if a user is not hiding content with a system-wide setting and the APP is blocking such for Outlook. So Outlook will stand out from other apps. But when the user is already blocking content for all apps, maybe it is not necessary to show that message? Maybe it is not necessary to show it for personal accounts that are not controlled via APP? Maybe there could even be a setting for a user to suppress this. This is just so ugly and takes so much space and provides no useful information for me.

Microsoft

Hey @wroot , the bottom line is if you configure the OS to limit notification data when the device is locked, Outlook will respect that OS setting and not expose the data per the OS requirement; there's no per-account configuration here as the OS controls the behavior. In this scenario, Outlook displays "Content hidden". As your concern is with what Outlook displays in this particular scenario, and is not related to the APP setting and the associated Outlook experience this article discusses (and hasn't released yet), we can probably move this to a private chat.

Copper Contributor

How would this work with the MFA app for Intune non-managed Android devices when receiving the approve/deny prompt on the lock screen?

I was able to approve the sign-in request using my Android OnePlus 6T simply by accepting the MFA sign-on prompt on the lock screen itself using the MS Authenticator application, as shown in the image.

Is there a way to protect this further without managing the entire Android device?

Would this update address such an issue?

[Image: MFA Prompt]

Microsoft

@Agvan_Rodrigues this App Protection Policy (APP) won't affect the Microsoft Authenticator app as the Authenticator app doesn't support APP (kind of a catch-22 - you need to be able to authenticate first in order to get an APP applied, but if that were applied to APP you could get into a situation where you can't authenticate because you cannot get an APP). The only way to restrict that is through the OS notification controls to limit sensitive data.

Copper Contributor

Hey @Ross Smith IV

Do you know if this was implemented in December? I see the option there and my iPhone notifies me there's been a change to the policy, but it doesn't actually block notifications. I've tried both Block Data and Block Org Data but neither seems to work.

Thanks!

Brass Contributor

Hi @Ross Smith IV

The Block Org Data does not work on iOS devices with the latest Outlook client. We have a ticket opened with MSFT support and they are able to recreate the issue. I believe it was now passed to the product team. Ticket 17971755.

At the same time, old controls no longer work. Can you please look into this as this is a major security incident for us.

Regards

Copper Contributor

Hey @Ross Smith IV - was just wondering if there was an update on this? We are still not able to block notifications despite this being live for a month.

Thanks!

Microsoft

Hey, sorry for the delay in reply. Getting back from vacation.

There is an issue with Outlook for iOS and blocking sensitive data in notifications. Blocking sensitive notifications is dependent on notification encryption for remote notification delivery, which hasn't been enabled for iOS. A Message Center post was published yesterday on this issue; see MC200112.

Ross

Copper Contributor

Thanks! Missed reading that post yesterday but will watch for any updates on it through next month.

Brass Contributor

Thanks for the update @Ross Smith IV. Do you have an ETA for the fix? The old controls no longer work, leaving the private information exposed. Due to the nature of the emails received (legal firm), the risk of exposing information is very high. We had to postpone the migration to ExO until this is resolved. Is there anything we can do in the meantime? Would it be possible to enable the old APIs?

Brass Contributor

I don't like the implementation at all. The content of the notification should be revealed after authenticating via Face ID or Touch ID, and that is not the case: the content stays hidden and the end user has to open the app to see what the notification is all about.

There is no way to control this behavior, not even on supervised devices, as you cannot configure the "Preview" function.

[Image: clipboard_image_0.png]

Microsoft

@AlphaSeb Thanks for the feedback. This is by design. The goal of this feature is to help minimize unwanted data leaks. Notifications can reveal a substantial amount of information even when the device is unlocked (while the actual app is protected by an app PIN).

Brass Contributor

@Ross Smith IV Thanks for your reply. I think this should only be blocked for people protecting the app with an extra PIN, or in MAM scenarios where you don't have control on the OS level.

It would help if we could configure this setting: "Settings>Notifications>Show Preview" on iOS. This way, it would be way more flexible. People that want to block all notifications (like in MAM scenarios) can use the APP to block Org Data completely, and users in supervised MDM scenarios could configure the "Show Preview" directly in iOS.
Microsoft

@AlphaSeb - The feature discussed in this article is only available via App Protection Policies (MAM) and as such is configurable (e.g., you could create an APP policy that only blocks org data for notifications on devices that are not enrolled and that are using an APP PIN).

The OS notification controls cannot be managed via App Protection Policies.

For enrolled devices, Apple does provide a number of notification controls per-app, however, the "Show Preview" setting is not one of the controllable settings - https://developer.apple.com/documentation/devicemanagement/notifications/notificationsettingsitem

Brass Contributor

@Ross Smith IV Okay, it's Apple not providing the necessary control for enrolled devices. So we are forced to use the APP Setting, as we can't prevent users from configuring "Show Preview" to "Always", which would expose org data onto the lock screen.

Silver Contributor

"The feature discussed in this article is only available via App Protection Policies (MAM)" - how come I get it on my personal IMAP account on my personal phone without any MDM/Intune? Why is it enabled by default if you don't use MAM?

Microsoft

@wroot - we discussed this above. You've enabled a setting on your Android device that Outlook is respecting.

Copper Contributor

ACP and APP don't work for our customer. Does somebody know if Microsoft is busy with this issue at the moment, or has it already been fixed?

APP:

Outlook App > Block Org Data > Enabled to Block

ACP:

<dict>
<key>com.microsoft.outlook.Mail.NotificationsEnabled</key>
<string>{{false}}</string>
<key>com.microsoft.outlook.Mail.NotificationsEnabled.UserChangeAllowed</key>
<string>{{false}}</string>
<key>com.microsoft.outlook.Calendar.NotificationsEnabled</key>
<string>{{false}}</string>
<key>com.microsoft.outlook.Calendar.NotificationsEnabled.UserChangeAllowed</key>
<string>{{false}}</string>
</dict>

Microsoft

Hi @Ross Smith IV,

May I know if the "org data notifications" feature would also apply to other O365 apps like Teams in the May 2020 rollout? If not, what apps are supported by this feature besides Outlook?

Microsoft

@VickyJiang - Outlook is the only app that supports this APP setting today. Other apps, like Teams, are investigating support.

Microsoft

@Ross Smith IV  Thanks for your reply! So would Teams support this feature in the future? Do we have a timeline for Teams?

Microsoft

@VickyJiang I can't provide any timelines at this time.

Copper Contributor

@Ross Smith IV, this is a poor design. You have removed a capability from customers and forced a direction you feel is necessary for everyone. What happened to allowing the customer to decide how they want to protect their data? Microsoft is not the authority on this matter - that sits with the customer - the owner of the data.
 
This just applied to one of my customer's tenants as we are in the middle of a migration to Office 365 and the customer is not enjoying it at all. I am formally requesting that we have the ability to view the 'sensitive' data after device authentication (Face ID). If I unlock my device and I accept that unlock as authorisation to view the data, then I should be able to view the data on the lock screen, to glance if there are any critical emails that require my immediate attention.
 
This change has turned the notification screen into an ocean of 'You have a new message' notifications, which are now completely pointless. You have removed functionality from customers' mobile devices. Roll this back or give us the ability to control how we access our data from the lock screen; otherwise we will simply disable it completely, and your efforts to 'secure' customer data will have completely backfired.
 
This is unacceptable and a really poor customer experience.
 
-Stefano

Microsoft

@StefanoBelluomini - limiting sensitive data in notifications is a setting within an Intune App Protection Policy. First, App Protection Policies are not enabled or assigned to users by default. Second, the setting within the App Protection Policy "Org Data Notifications" is set to Allow by default; this means that all the data is exposed in the notification and not limited in any way. What this means is that an admin within the tenant has to intentionally control how notifications are handled. This means that the control is in hands of the customer, the owner of the data.

 

There are settings within the mobile device operating system that can also come into play that limits what data is exposed on the lock screen. Outlook has no control over those settings and Outlook respects what the OS notification controls dictate. The APP setting discussed above cannot override the OS control, either.

Copper Contributor

@Ross Smith IV This is a very useful and welcome feature, however it doesn't seem to apply to notifications from Shared Mailboxes - these appear on the lock screen as if the setting were 'Allow'.

Microsoft

@Frazzled - I cannot reproduce this with either iOS or Android prod store versions with shared or delegate mailboxes. Not knowing whether we're referring to shared mailboxes in the same manner, I'll refer you to this - https://techcommunity.microsoft.com/t5/intune-customer-success/app-protection-policies-and-shared-de.... If you have things setup correctly, then I recommend opening a support case.

Brass Contributor

@Ross Smith IV

"The goal of this feature is to help minimize unwanted data leaks. Notifications can reveal a substantial amount of information even when the device is unlocked (while the actual app is protected by an app PIN)."

So when the app PIN is not set, will it behave differently?

Microsoft

@Dimitry Izotov This setting is not related to the APP app PIN. The notifications are limited regardless of the app/device state.

Last update: Dec 19 2023 01:19 PM