Thursday, August 20, 2020

App Protection Policies and Outlook Add-Ins

Hello Everyone!

Back to the technical side of the house today.

In this post I want to talk about a lesser known gap within Intune App Protection Policies, also known as MAM. 

When protecting the Outlook Mobile App there is a small hole that allows corporate data to escape the containerization policies. These are the 'Add-Ins' in the app. These loop in third party services into the Outlook App such as Trello, Wrike, Evernote, etc.


The issue is when you add these extensions you can log into them with a personal account. The App Protection Policies can not distinguish data going into this add-in. I suspect, because it is solely contained within the Outlook App itself, the policy views it as data just moving around internally into the app.

The work around for this is not great either, but its not terrible in my opinion. It really is something that should be disabled anyway for security sake. The fix itself is to remove the ability for end users to allow add-ins. The reason why this is not a 100% great fix is because this permission applies to not just Outlook App, but also OWA and Outlook desktop. 


Once you disable these permissions the user will no longer be able to select add-ins and when they try they receive the message below. 



Hopefully this can close a small hole some of you may have in your org today.

Have a good one!

Edit 3/26/2021 I have received this from a Microsoft contact I have

The good news is this has got into the roadmap now , we will soon provide a way through MAM app config to control this so that add ins can be disabled only on the mobile app. ETA for this is H2CY21 


No comments:

Post a Comment