Microsoft recently announced the release of Outlook for iOS and a preview of Outlook for Android. The new Outlook app brings together the core tools you need to get things done (email, calendar, contacts and files) on even the smallest screen. While the app is very good and works well for most of us, enterprise administrators are less happy with it. It has generated a lot of discussion about security, specifically the way the application and its back-end infrastructure handle user credentials.
Paul Cunningham, an Exchange Server MVP, lists the following issues with the new Outlook app:
- Microsoft is storing your credentials (in the case of Gmail I believe OAuth is used instead). How are they stored? This has not been communicated at this stage. However, I trust Microsoft to securely store my data including my credentials, and so do thousands of organizations around the world (take DirSync with Password Sync as an example).
- Corporate policies are being violated. Providing your user credentials to a third party is a breach of many IT usage policies, and the app doesn’t make clear to end users that this is occurring. In fact the typical end user would have no idea that this is happening.
- Data is stored in the USA. For organizations with data sovereignty or regulatory issues with off-shore data storage this will be a problem.
Another issue is around file security. As one commentator points out:
The app has built-in connectors to OneDrive, Dropbox and Google Drive. That means a user can set up his personal account within the app and share all mail attachments using those services, or use files from those services within his company mail account. That’s a data security nightmare.
As we all know, Microsoft simply renamed the Acompli app and released it as the new Outlook app for iOS and Android. The Outlook team has already announced that it will add user-focused features that help us get even more done while on the go, and that it will also expand the capabilities that matter to IT, such as mobile device management. Currently, Outlook seems to be focused more on end users and the core user experience. I’m sure Microsoft will make it enterprise IT friendly in the near future.
Microsoft’s response describes the service architecture as follows:
“We provide a service that indexes and accelerates delivery of your email to your device. That means that our service retrieves your incoming and outgoing email messages and securely pushes them to the app on your device. Similarly, the service retrieves the calendar data and address book contacts associated with your email account and securely pushes those to the app on your device. Those messages, calendar events, and contacts, along with their associated metadata, may be temporarily stored and indexed securely both in our servers and locally on the app on your device. If your emails have attachments and you request to open them in our app, the service retrieves them from the mail server, securely stores them temporarily on our servers, and delivers them to the app.”
“If you decide to sign up to use the service, you will need to create an account. That requires that you provide the email address(es) that you want to access with our service. Some email accounts (ones that use Microsoft Exchange, for example) also require that you provide your email login credentials, including your username, password, server URL, and server domain. Other accounts (Google Gmail accounts, for example) use the OAuth authorization mechanism which does not require us to access or store your password.”
If the current architecture of the Outlook app doesn’t meet your corporate security policy, you can use Exchange ActiveSync allow/block/quarantine (ABQ) rules to block the app. The Outlook app is identified in the Exchange ActiveSync management screens with the device family ‘outlook-iOS-Android/1.0’.
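A worked example of that blocking procedure, added here and not taken from the original post or from Microsoft. It is meant for the Exchange Management Shell (Exchange 2013 or later) or a remote PowerShell session to Exchange Online. It first lists what the app actually reports to Exchange ActiveSync for each user, then creates an ABQ rule against that value. Matching the identifier as the UserAgent characteristic is an assumption (the post calls it the device family, but ABQ rules can only match DeviceType, DeviceModel, DeviceOS or UserAgent), as is the admin mailbox address, so check the output of the first step and adjust the characteristic before creating the rule.

```powershell
# Added example, not from the original post. Assumes the Exchange Management Shell
# on Exchange 2013/2016 or a remote PowerShell session to Exchange Online.

# 1. Find out exactly what the Outlook app reports. ABQ rules are an exact match on
#    the chosen characteristic, so verify the string rather than trusting a blog post.
#    (On Exchange 2010 use Get-ActiveSyncDevice instead of Get-MobileDevice.)
$outlookDevices = Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceUserAgent -like 'outlook*' -or $_.DeviceModel -like 'outlook*' }

$outlookDevices |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceOS, DeviceUserAgent, DeviceAccessState |
    Format-Table -AutoSize

# 2. Create the rule. QueryString is the identifier quoted in the post; matching it as
#    UserAgent is an assumption - switch to DeviceModel or DeviceType if step 1 shows
#    the string there instead. Quarantine (rather than Block) notifies the user and
#    lets an admin review the device before access is cut off.
$queryString    = 'outlook-iOS-Android/1.0'
$characteristic = 'UserAgent'   # assumption; one of DeviceType, DeviceModel, DeviceOS, UserAgent

if (-not (Get-ActiveSyncDeviceAccessRule | Where-Object { $_.QueryString -eq $queryString })) {
    New-ActiveSyncDeviceAccessRule -QueryString $queryString `
                                   -Characteristic $characteristic `
                                   -AccessLevel Quarantine
}

# 3. Make sure quarantine notices actually reach someone; otherwise quarantined
#    devices sit unnoticed until a user complains. The address is a placeholder.
Set-ActiveSyncOrganizationSettings -AdminMailRecipients 'eas-admins@example.com' `
                                   -UserMailInsert 'The Outlook app is not approved for company mail; contact IT.'

# 4. Verify. Existing partnerships are re-evaluated on their next sync, so re-run this
#    after a few minutes and expect DeviceAccessState = Quarantined and
#    DeviceAccessStateReason = DeviceRule for the Outlook devices.
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceUserAgent -eq $queryString } |
    Select-Object UserDisplayName, DeviceAccessState, DeviceAccessStateReason
```

One caveat: the identifier quoted in the post carries a version number, so a rule on the user-agent string stops matching at the app's next release. If step 1 shows a stable DeviceType or DeviceModel value for the app, prefer a rule on that characteristic, and re-check the device list after each app update either way.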
You can read Microsoft’s response here.
Read more about this issue here.