MS Office 365 Security

[boulderuser]

Our company has MS Office 365. Many of us have set up email exchange with this service to access company email. Recently I learned that the company has the ability to remotely wipe my personal iPhone. This seems like a pretty big backdoor in my iPhone. Other than my companies access of the phone, are there other security concerns using this service?

Thanks

 

[Closingracer]

It's not really a backdoor since your stuff is saves on a Microsoft server not on your device

 

[mildocjr]

The only way they could remotely wipe your personal phone is if you let them manage it using MDM software, outside of that the only thing that it would do is just wipe the emails from the device and prevent it from reconnecting until a valid username and password were entered back into the device.

 

[dave006]

Sounds like your company has a BYOD program that allows you to access company resources from your personal iPhone. Do they have a published policy?

You should review any policy to insure that you fully understand your responsibilities while employed and what happens when you leave the company or lose your device.

A BYOD program allows users to set up and configure their own devices. To gain access to corporate resources, users can configure settings manually, install a configuration profile, or more commonly, enroll their devices with an MDM solution.

An advantage of using MDM to enroll personal devices is that it allows corporate resources and data to be managed in a way that is secure, yet also respectful of the user’s personal privacy, data, and apps. IT can enforce settings, monitor corporate compliance, and remove corporate data and apps, while leaving personal data and apps on each user’s device intact.

Dave

 

[boulderuser]

Thank you for the replies. We are a small group, who unfortunately use our personal phone for work. Some of our members have microsoft exchange setup for email. I do not currently have this set up on my phone. Our office manager and our president have told me that they have the ability to lock the phones and do a complete wipe of all data in case they are stolen or lost. If they are able to do this with the phone, I am concerned that this could be exploited. We currently do not have a policy in place. I know very little about security but MS has a history of exploitable problems with their software.

 

[dave006]

It really has very little to do with Microsoft and more to do with Apple in this case. MS Office 365 is just mail and other MS apps. The ability to lock a device and remotely erase a device are controlled by Apple Enterprise software or a third party MDM system. A full MDM system can control many key features of your iPhone. I will post a list if you are interested.

You really should ask a few questions, so that you are an informed employee.

Dave

 

[boulderuser]

Thank you, I am asking a lot of questions.

 

[C DM]

Our company has MS Office 365. Many of us have set up email exchange with this service to access company email. Recently I learned that the company has the ability to remotely wipe my personal iPhone. This seems like a pretty big backdoor in my iPhone. Other than my companies access of the phone, are there other security concerns using this service?

Thanks

Simply adding an Exchange account can affect some other things, like being required to have a passcode (sometimes even a longer one), or having to use shorter auto-lock options, etc.

 

[noanker]

Good for Enterprise is one such app that can allow controlled access to your company's Exchange server. From the Good Management Console you can then remotely wipe the app and any contacts associated with your company's Global Address List.

If anyone is ever offered the choice between using a company's app on your iPhone or being given a company-provided (and paid for) phone, choose the latter. I always believe in keeping personal and work a minimum of a universe apart.

 

[boulderuser]

I really appreciate the quick replies. We are a small group, I would not be surprised if we end up going the company phone route, I have never liked have both personal information and personal information on the same device.

 

[electronicsguy]

I really appreciate the quick replies. We are a small group, I would not be surprised if we end up going the company phone route, I have never liked have both personal information and personal information on the same device.

yup, that seems the best way to go.

 

[Rigby]

Our company has MS Office 365. Many of us have set up email exchange with this service to access company email. Recently I learned that the company has the ability to remotely wipe my personal iPhone. This seems like a pretty big backdoor in my iPhone.

This is not a backdoor. What you see are so-called Exchange policies that an Exchange server can communicate to the device via the EAS protocol. The policies are actually enforced by Apple's Mail client. Besides remote wiping, an Exchange server can also instruct the device to enforce a few other policies such as a minimum length of the device passcode.

Other than my companies access of the phone, are there other security concerns using this service

Exchange policies are not a security concern. They don't give your company or Microsoft access to any other data on your device. They are just a means to protect data that belongs to the company. If you don't like it, don't access corporate mail on your device.

Now, if the company requires you to install a proprietary app on your device, that's a different story ...

 

[dave006]

There is much more than just remote wiping and a few other policies such as a minimum length of the device passcode and as a means to protect data that belongs to the company. Here are a few other capabilities:

Enable / Disable - SMS Txt messaging / iMessaging
Enable / Disable - Camera
Enable / Disable - Bluetooth / IrDA, WiFi
Enable / Disable - Non-Exchange mail accounts
Enable / Disable - Web browser access
Remote Wipe - mentioned by OP
Remote Lock
Remote Passcode Change
Enable / Disable - Siri

There are many more that also don't "need" a proprietary company app to be installed.

You really need to know your company's policy covering use of Personal Devices that access company resources / data and what you privacy / security you give away by just trying to be a good productive employee.

Now, a good Mobile Device Management (MDM) system would allow the company to protect their data while also securing your privacy. Using a good MDM system they can only wipe their data from your device, leaving all of your data save and secure.

Dave

 

[C DM]

There is much more than just remote wiping and a few other policies such as a minimum length of the device passcode and as a means to protect data that belongs to the company. Here are a few other capabilities:

Enable / Disable - SMS Txt messaging / iMessaging
Enable / Disable - Camera
Enable / Disable - Bluetooth / IrDA, WiFi
Enable / Disable - Non-Exchange mail accounts
Enable / Disable - Web browser access
Remote Wipe - mentioned by OP
Remote Lock
Remote Passcode Change
Enable / Disable - Siri

There are many more that also don't "need" a proprietary company app to be installed.

You really need to know your company's policy covering use of Personal Devices that access company resources / data and what you privacy / security you give away by just trying to be a good productive employee.

Now, a good Mobile Device Management (MDM) system would allow the company to protect their data while also securing your privacy. Using a good MDM system they can only wipe their data from your device, leaving all of your data save and secure.

Dave

You are saying any/all of those things can be affected/changed simply by connecting to an Exchange account on the device (and nothing more)?

 

[Beelzbub]

These are features of the exchange server.

They are there to keep company data safe. I have the same features on my server at work. I would suggest using the Outlook App, it is free, then the company cannot wipe your phone as the data is only contained in the app. This is what I advise my users to do when they are using their personal phones.

Company phones are a different matter. They are setup like you normally would setup email, and the policy's on the server are sent to the phone.

Wiping of the phone allows admins to wipe the phone if it is lost or stolen, or the employee refuses to turn the device back in when they leave the company. I actually had that happen to me, an employee left, took the phone with them to a competitor and thought we would not notice. I sent the wipe command and got a reply back that it was successful and then called AT&T and had them suspend the number. Rumor had it this employee was giving a Best Buy employee an earful wanting them to pull the pictures off their SIM card a day later. I also had a high level person in the office lose their iPhone. So the wipe command was sent. That is why that command exists. And any good admin would have two factor authentication setup on the administrator account to prevent malicious access, I do.

There are other features like the ability to shut off the camera, Bluetooth and so on, even only allow certain wireless access points to be used. Again, these features are there to keep things safe. One office I worked in would not allow camera phones, so with this you can give someone an iPhone to use for their email and such and disable the camera. Might sound mean, but if the company has high level proprietary designs, they do not want someone snapping pictures of them. There are lots of things you can do, enforce password policy's and so on.

I would use the Outlook app like I mentioned earlier on. It is free and will work with Office 365, so will Word and Excel. You can also use your Touch ID with the Outlook app. So if you are letting your kid play with your phone, they cannot get into your email. An Admin cannot wipe your phone when you are using that or disable anything, Exchange policies do not apply when to the phone when using the Outlook app.

 

[dave006]

You are saying any/all of those things can be affected/changed simply by connecting to an Exchange account on the device (and nothing more)?

Yes. If you are using Exchange, ActiveSync ( mail, calendar, contacts ), it is that easy. It has taken Apple a while to implement the bulk of the Exchange protocol features but use caution and understand what the impact might be to you.

Dave

 

[Rigby]

There is much more than just remote wiping and a few other policies such as a minimum length of the device passcode and as a means to protect data that belongs to the company. Here are a few other capabilities:

Enable / Disable - SMS Txt messaging / iMessaging
Enable / Disable - Camera
Enable / Disable - Bluetooth / IrDA, WiFi
Enable / Disable - Non-Exchange mail accounts
Enable / Disable - Web browser access
Remote Wipe - mentioned by OP
Remote Lock
Remote Passcode Change
Enable / Disable - Siri

This list is not correct. For example, disabling texting/messaging or Bluetooth/Wifi via Activesync is not supported by iOS. Here's the actual list according to Apple:

Supported Exchange ActiveSync
security policies
• Remote wipe
• Enforce password on device
• Minimum password length
• Maximum failed password attempts
(before local wipe)
• Require both numbers and letters
• Inactivity time in minutes (1 to 60 minutes)

Additional Exchange ActiveSync policies
(for Exchange 2007 and 2010 only)
• Allow or prohibit simple password
• Password expiration
• Password history
• Policy refresh interval
• Minimum number of complex characters
in password
• Require manual syncing while roaming
• Allow camera
• Allow web browsing

Source: https://www.apple.com/cn/ipad/business/docs/iOS_6_EAS_Sep12.pdf

Now, a good Mobile Device Management (MDM) system would allow the company to protect their data while also securing your privacy. Using a good MDM system they can only wipe their data from your device, leaving all of your data save and secure.

MDM policies are far more powerful (and thus intrusive) than Activesync policies. I would never allow my employer to manage my personal phone using MDM.
[doublepost=1460775216][/doublepost]

These are features of the exchange server.

They are there to keep company data safe. I have the same features on my server at work. I would suggest using the Outlook App, it is free, then the company cannot wipe your phone as the data is only contained in the app. This is what I advise my users to do when they are using their personal phones.

I'd strongly advise to check with the IT department first. Many companies prohibit the use of this app because it exposes your access credentials and all emails to Microsoft.

 

[dave006]

This list is not correct. For example, disabling texting/messaging or Bluetooth/Wifi via Activesync is not supported by iOS. Here's the actual list according to Apple:....

Actually your list is obsolete. You referenced iOS 6 EAS information. You need to spend a little more time in your research and see the magic that has happened since your version. We are now as iOS 9 with ActiveSync V16. Keep researching and you will find the "correct" information.

Let me know if you need the latest list... look for the allowChat key - Value: Optional. When false, disables the use of the Messages app with supervised devices. Availability: Available in iOS 6.0 and later.

Dave

 

[Rigby]

Actually your list is obsolete. You referenced iOS 6 EAS information. You need to spend a little more time in your research and see the magic that has happened since your version. We are now as iOS 9 with ActiveSync V16. Keep researching and you will find the "correct" information.
Let me know if you need the latest list...

If you have a newer source, be so kind and share it with us.

 

[dave006]

Ok since you asked nicely here is an online reference from Apple so you don't have to worry about download security.

Linky: https://developer.apple.com/library...tionProfileRef/Introduction/Introduction.html

Dave

 

[Rigby]

Ok since you asked nicely here is an online reference from Apple so you don't have to worry about download security.

Linky: https://developer.apple.com/library...tionProfileRef/Introduction/Introduction.html

This page describes options in configuration profiles that can be installed e.g. using MDM or Apple Configurator. Nowhere does it list the Activesync polices supported by iOS.

 

[IHelpId10t5]

All posts so far have missed the important distinction between accepting the ActiveSync policy when using the built-in iOS Mail app and using the Microsoft Outlook app instead. Once an iOS user has added an Exchange account to the iOS native apps then remote policy an wipe is certainly possible.

However, if the user instead uses the Microsoft Outlook app instead, then the scope of the wipe is the app itself and not the iOS device. This is a very important difference to those users that are doing BYOD and value their own iPhone control and security over their employer's policy.

 

[Rigby]

All posts so far have missed the important distinction between accepting the ActiveSync policy when using the built-in iOS Mail app and using the Microsoft Outlook app instead.

This was actually mentioned above. But the Outlook app is a big security risk for enterprises. It stores your corporate mail password on Microsoft servers (oauth is not supported for corporate Exchange servers), and routes all your emails through Microsoft as well. This violates the security policies of many companies. Do not use this app for work email unless you have cleared it with your employer first. Many companies block the app in their Exchange servers anyway.

Of course this is less a concern if your employer uses Office 365 (as opposed to their own Exchange servers), since then the data is already in the Microsoft cloud anyway.

Besides, no administrator will just wipe your phone for fun. In reality this will only happen if you report the phone lost or stolen.