MS Office 365 Security

Discussion in 'iPhone' started by boulderuser, Apr 14, 2016.

  1. boulderuser macrumors newbie

    Joined:
    Apr 14, 2016
    #1
    Our company has MS Office 365. Many of us have set up email exchange with this service to access company email. Recently I learned that the company has the ability to remotely wipe my personal iPhone. This seems like a pretty big backdoor in my iPhone. Other than my companies access of the phone, are there other security concerns using this service?

    Thanks
     
  2. Closingracer macrumors 68000

    Joined:
    Jul 13, 2010
    #2
    It's not really a backdoor since your stuff is saves on a Microsoft server not on your device
     
  3. mildocjr macrumors 65816

    #3
    The only way they could remotely wipe your personal phone is if you let them manage it using MDM software, outside of that the only thing that it would do is just wipe the emails from the device and prevent it from reconnecting until a valid username and password were entered back into the device.
     
  4. dave006 macrumors 68020

    Joined:
    Jul 3, 2008
    #4
    Sounds like your company has a BYOD program that allows you to access company resources from your personal iPhone. Do they have a published policy?

    You should review any policy to insure that you fully understand your responsibilities while employed and what happens when you leave the company or lose your device.

    A BYOD program allows users to set up and configure their own devices. To gain access to corporate resources, users can configure settings manually, install a configuration profile, or more commonly, enroll their devices with an MDM solution.

    An advantage of using MDM to enroll personal devices is that it allows corporate resources and data to be managed in a way that is secure, yet also respectful of the user’s personal privacy, data, and apps. IT can enforce settings, monitor corporate compliance, and remove corporate data and apps, while leaving personal data and apps on each user’s device intact.

    Dave
     
  5. boulderuser thread starter macrumors newbie

    Joined:
    Apr 14, 2016
    #5
    Thank you for the replies. We are a small group, who unfortunately use our personal phone for work. Some of our members have microsoft exchange setup for email. I do not currently have this set up on my phone. Our office manager and our president have told me that they have the ability to lock the phones and do a complete wipe of all data in case they are stolen or lost. If they are able to do this with the phone, I am concerned that this could be exploited. We currently do not have a policy in place. I know very little about security but MS has a history of exploitable problems with their software.
     
  6. dave006 macrumors 68020

    Joined:
    Jul 3, 2008
    #6
    It really has very little to do with Microsoft and more to do with Apple in this case. MS Office 365 is just mail and other MS apps. The ability to lock a device and remotely erase a device are controlled by Apple Enterprise software or a third party MDM system. A full MDM system can control many key features of your iPhone. I will post a list if you are interested.

    You really should ask a few questions, so that you are an informed employee.

    Dave
     
  7. boulderuser thread starter macrumors newbie

    Joined:
    Apr 14, 2016
  8. C DM macrumors Westmere

    Joined:
    Oct 17, 2011
    #8
    Simply adding an Exchange account can affect some other things, like being required to have a passcode (sometimes even a longer one), or having to use shorter auto-lock options, etc.
     
  9. noanker macrumors member

    noanker

    Joined:
    Sep 30, 2015
    #9
    Good for Enterprise is one such app that can allow controlled access to your company's Exchange server. From the Good Management Console you can then remotely wipe the app and any contacts associated with your company's Global Address List.

    If anyone is ever offered the choice between using a company's app on your iPhone or being given a company-provided (and paid for) phone, choose the latter. I always believe in keeping personal and work a minimum of a universe apart.
     
  10. boulderuser thread starter macrumors newbie

    Joined:
    Apr 14, 2016
    #10
    I really appreciate the quick replies. We are a small group, I would not be surprised if we end up going the company phone route, I have never liked have both personal information and personal information on the same device.
     
  11. electronicsguy macrumors 6502a

    electronicsguy

    Joined:
    Oct 12, 2015
    Location:
    Pune, India
    #11
    yup, that seems the best way to go.
     
  12. Rigby macrumors 601

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #12
    This is not a backdoor. What you see are so-called Exchange policies that an Exchange server can communicate to the device via the EAS protocol. The policies are actually enforced by Apple's Mail client. Besides remote wiping, an Exchange server can also instruct the device to enforce a few other policies such as a minimum length of the device passcode.
    Exchange policies are not a security concern. They don't give your company or Microsoft access to any other data on your device. They are just a means to protect data that belongs to the company. If you don't like it, don't access corporate mail on your device.

    Now, if the company requires you to install a proprietary app on your device, that's a different story ...
     
  13. dave006 macrumors 68020

    Joined:
    Jul 3, 2008
    #13
    There is much more than just remote wiping and a few other policies such as a minimum length of the device passcode and as a means to protect data that belongs to the company. Here are a few other capabilities:

    Enable / Disable - SMS Txt messaging / iMessaging
    Enable / Disable - Camera
    Enable / Disable - Bluetooth / IrDA, WiFi
    Enable / Disable - Non-Exchange mail accounts
    Enable / Disable - Web browser access
    Remote Wipe - mentioned by OP
    Remote Lock
    Remote Passcode Change
    Enable / Disable - Siri

    There are many more that also don't "need" a proprietary company app to be installed.

    You really need to know your company's policy covering use of Personal Devices that access company resources / data and what you privacy / security you give away by just trying to be a good productive employee.

    Now, a good Mobile Device Management (MDM) system would allow the company to protect their data while also securing your privacy. Using a good MDM system they can only wipe their data from your device, leaving all of your data save and secure.

    Dave
     
  14. C DM macrumors Westmere

    Joined:
    Oct 17, 2011
    #14
    You are saying any/all of those things can be affected/changed simply by connecting to an Exchange account on the device (and nothing more)?
     
  15. Beelzbub macrumors regular

    Joined:
    Feb 6, 2012
    #15
    These are features of the exchange server.

    They are there to keep company data safe. I have the same features on my server at work. I would suggest using the Outlook App, it is free, then the company cannot wipe your phone as the data is only contained in the app. This is what I advise my users to do when they are using their personal phones.

    Company phones are a different matter. They are setup like you normally would setup email, and the policy's on the server are sent to the phone.

    Wiping of the phone allows admins to wipe the phone if it is lost or stolen, or the employee refuses to turn the device back in when they leave the company. I actually had that happen to me, an employee left, took the phone with them to a competitor and thought we would not notice. I sent the wipe command and got a reply back that it was successful and then called AT&T and had them suspend the number. Rumor had it this employee was giving a Best Buy employee an earful wanting them to pull the pictures off their SIM card a day later. I also had a high level person in the office lose their iPhone. So the wipe command was sent. That is why that command exists. And any good admin would have two factor authentication setup on the administrator account to prevent malicious access, I do.

    There are other features like the ability to shut off the camera, Bluetooth and so on, even only allow certain wireless access points to be used. Again, these features are there to keep things safe. One office I worked in would not allow camera phones, so with this you can give someone an iPhone to use for their email and such and disable the camera. Might sound mean, but if the company has high level proprietary designs, they do not want someone snapping pictures of them. There are lots of things you can do, enforce password policy's and so on.

    I would use the Outlook app like I mentioned earlier on. It is free and will work with Office 365, so will Word and Excel. You can also use your Touch ID with the Outlook app. So if you are letting your kid play with your phone, they cannot get into your email. An Admin cannot wipe your phone when you are using that or disable anything, Exchange policies do not apply when to the phone when using the Outlook app.
     
  16. dave006 macrumors 68020

    Joined:
    Jul 3, 2008
    #16
    Yes. If you are using Exchange, ActiveSync ( mail, calendar, contacts ), it is that easy. It has taken Apple a while to implement the bulk of the Exchange protocol features but use caution and understand what the impact might be to you.

    Dave
     
  17. Rigby macrumors 601

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #17
    This list is not correct. For example, disabling texting/messaging or Bluetooth/Wifi via Activesync is not supported by iOS. Here's the actual list according to Apple:

    Supported Exchange ActiveSync
    security policies
    • Remote wipe
    • Enforce password on device
    • Minimum password length
    • Maximum failed password attempts
    (before local wipe)
    • Require both numbers and letters
    • Inactivity time in minutes (1 to 60 minutes)

    Additional Exchange ActiveSync policies
    (for Exchange 2007 and 2010 only)
    • Allow or prohibit simple password
    • Password expiration
    • Password history
    • Policy refresh interval
    • Minimum number of complex characters
    in password
    • Require manual syncing while roaming
    • Allow camera
    • Allow web browsing

    Source: https://www.apple.com/cn/ipad/business/docs/iOS_6_EAS_Sep12.pdf
    MDM policies are far more powerful (and thus intrusive) than Activesync policies. I would never allow my employer to manage my personal phone using MDM.
    --- Post Merged, Apr 15, 2016 ---
    I'd strongly advise to check with the IT department first. Many companies prohibit the use of this app because it exposes your access credentials and all emails to Microsoft.
     
  18. dave006 macrumors 68020

    Joined:
    Jul 3, 2008
    #18
    Actually your list is obsolete. You referenced iOS 6 EAS information. You need to spend a little more time in your research and see the magic that has happened since your version. We are now as iOS 9 with ActiveSync V16. Keep researching and you will find the "correct" information. :rolleyes::eek::D

    Let me know if you need the latest list... look for the allowChat key - Value: Optional. When false, disables the use of the Messages app with supervised devices. Availability: Available in iOS 6.0 and later.

    Dave
     
  19. Rigby macrumors 601

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #19
    If you have a newer source, be so kind and share it with us.
     
  20. dave006 macrumors 68020

    Joined:
    Jul 3, 2008
    #20
  21. Rigby macrumors 601

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #21
  22. IHelpId10t5 macrumors 6502

    Joined:
    Nov 28, 2014
    #22
    All posts so far have missed the important distinction between accepting the ActiveSync policy when using the built-in iOS Mail app and using the Microsoft Outlook app instead. Once an iOS user has added an Exchange account to the iOS native apps then remote policy an wipe is certainly possible.

    However, if the user instead uses the Microsoft Outlook app instead, then the scope of the wipe is the app itself and not the iOS device. This is a very important difference to those users that are doing BYOD and value their own iPhone control and security over their employer's policy.
     
  23. Rigby macrumors 601

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #23
    This was actually mentioned above. But the Outlook app is a big security risk for enterprises. It stores your corporate mail password on Microsoft servers (oauth is not supported for corporate Exchange servers), and routes all your emails through Microsoft as well. This violates the security policies of many companies. Do not use this app for work email unless you have cleared it with your employer first. Many companies block the app in their Exchange servers anyway.

    Of course this is less a concern if your employer uses Office 365 (as opposed to their own Exchange servers), since then the data is already in the Microsoft cloud anyway.

    Besides, no administrator will just wipe your phone for fun. In reality this will only happen if you report the phone lost or stolen.
     

Share This Page