Back to the technical side of the house today.
In this post I want to talk about a lesser known gap within Intune App Protection Policies, also known as MAM.
When protecting the Outlook Mobile App there is a small hole that allows corporate data to escape the containerization policies. These are the 'Add-Ins' in the app. These loop in third party services into the Outlook App such as Trello, Wrike, Evernote, etc.
The issue is when you add these extensions you can log into them with a personal account. The App Protection Policies can not distinguish data going into this add-in. I suspect, because it is solely contained within the Outlook App itself, the policy views it as data just moving around internally into the app.
The work around for this is not great either, but its not terrible in my opinion. It really is something that should be disabled anyway for security sake. The fix itself is to remove the ability for end users to allow add-ins. The reason why this is not a 100% great fix is because this permission applies to not just Outlook App, but also OWA and Outlook desktop.
Once you disable these permissions the user will no longer be able to select add-ins and when they try they receive the message below.
Hopefully this can close a small hole some of you may have in your org today.
Have a good one!