SOLVED

Outlook iOS - Circumventing App Protection Policies with Add-Ins

Copper Contributor

Outlook mobile for iOS now includes a feature that lets you install Add-Ins on the mobile client.  Although I see how this could be viewed as a great and conducive feature for the user, there is a significant problem it brings up - it circumvents the app protection policies applied to the Outlook app.

 

For example:  I have my corporate email added to the Outlook iOS app that is containerized with our app protection policies, I then add the Evernote add-in and sign in with my personal account information, I'm now able to save corporate emails to my personal evernote.  And as far as I can tell, I as an administrator have no visibility into this.

 

Is there a way to disable these add-ins from an administration standpoint that I might be missing?

 

 

8 Replies

Bad, very very bad.

 

Get a support call logged with Intune support ASAP.

best response confirmed by PiSHPoSH (Copper Contributor)
Solution

Ok, I have a work around for you.

 

If you go into Exchange Online then go to Permisions then User roles; you should see a default role assignment policy. Edit the policy and disable all of the app roles (see the screenshot).

ExchangeOnline_Role_Policy.png

After you save the policy Outlook Add-ins not added by and Admin are blocked in the mobile clients and OWA. The user experience varies between Android and iOS but I was unable to install add-ins in Outlook on either platform.

Outlook_Android_Blocked_Addin.jpgOutlook_iOS_Blocked_AddIn.png

 

Ticket was submitted upon discovery of this.  Thanks for the reply!

That did the trick.  After updating that Policy with the settings you recommended and assigning it to my mailbox, I'm no longer able to add those add-ins.  Really appreciate the help with this.

 

Now I just need to test if this will mess up add-ins on the Outlook desktop client where we want users to be able to run certain add-ins.

 

Thanks again!

The Outlook add-in settings are cross platform so the setting affect Outlook Web Access, Outlook Mobile and Outlook Desktop.

 

I would advise locking down the Outlook add-ins so that users cannot add their own add-ins, then selectively add the add-ins that you want to Office 365.

 

That way you get the best of both worlds, security and happy users.

 

FYI - You helped me because this little trick has just been added to my O365 and Intune cookbook.

@Andrew Matthews 

 

Any idea how to stop OneNote in this scenario?  We are seeing that O365 keeps enabling the "send to OneNote" option on Outlook desktop, which will let you use OneNote on a phone in a personal account, and transfer data from Intune/company MAM policy into personal OneNote.  My org is unsure if this is a Microsoft data leakage issue, or a configuration issue - currently escalating but nobody seems to know/understand.  

@PiSHPoSH did MS ever give you a solution to this? we are having the same issue with our users now.

 

@Andrew Matthews 

 

That's an excellent way to block add-ins. it would be really good if there is a way to allow only certain approved apps like onenote as add-ins OR hide this option from the apps (outlook) itself would be also good.

 

Alternatively, if there is a way to create role assignment policy and assign it to a specific group would be an option in my opinion. 

 

Overall, I am happy with this option for the time being.:smile:

1 best response

Accepted Solutions
best response confirmed by PiSHPoSH (Copper Contributor)
Solution

Ok, I have a work around for you.

 

If you go into Exchange Online then go to Permisions then User roles; you should see a default role assignment policy. Edit the policy and disable all of the app roles (see the screenshot).

ExchangeOnline_Role_Policy.png

After you save the policy Outlook Add-ins not added by and Admin are blocked in the mobile clients and OWA. The user experience varies between Android and iOS but I was unable to install add-ins in Outlook on either platform.

Outlook_Android_Blocked_Addin.jpgOutlook_iOS_Blocked_AddIn.png

 

View solution in original post