Showing posts with label MAM. Show all posts

Thursday, August 20, 2020

App Protection Policies and Outlook Add-Ins

Hello Everyone!

Back to the technical side of the house today.

In this post I want to talk about a lesser-known gap within Intune App Protection Policies, also known as MAM.

When protecting the Outlook Mobile App there is a small hole that allows corporate data to escape the containerization policies: the 'Add-Ins' in the app. These bring third-party services such as Trello, Wrike, Evernote, etc. into the Outlook App.


The issue is that when you add these extensions, you can log into them with a personal account. The App Protection Policies cannot distinguish data going into this add-in. I suspect that, because it is solely contained within the Outlook App itself, the policy views it as data just moving around internally within the app.

The workaround for this is not great either, but it's not terrible in my opinion. It really is something that should be disabled anyway for security's sake. The fix itself is to remove the ability for end users to allow add-ins. The reason this is not a 100% great fix is that this permission applies not just to the Outlook App, but also to OWA and Outlook desktop.


Once you disable these permissions, the user will no longer be able to select add-ins, and when they try they receive the message below.



Hopefully this can close a small hole some of you may have in your org today.

Have a good one!

Edit 3/26/2021: I have received this from a Microsoft contact I have:

The good news is this has got into the roadmap now, we will soon provide a way through MAM app config to control this so that add-ins can be disabled only on the mobile app. ETA for this is H2CY21


Tuesday, April 2, 2019

Intune App Protection Policies and iOS Exemptions

Disclaimer: While the below information should be true, it can still be hit or miss getting this to work!

Hello Everyone!

No amount of searching has been very helpful for me personally when trying to find iOS application identifier URLs. 

A URL identifier is a unique name that each iOS application must have. Using this name, an existing application on an iOS device can call upon that app to perform actions, such as opening a file.

To my knowledge there is no list out there for such identifiers. What I would like to do is start that list here in this post: A Mobile Attempt: List Of Possible iOS Identifiers

Edit 5/2021: If something is not on that list, you can try the simple method below or follow the more in-depth method here: https://c7solutions.com/2021/04/intune-mam-exemptions-discovering-url-protocols

My only methods for finding out this URL identifier are to either ask the developer or to take a guess and test it inside of Safari. If you open Safari and type the following into the address bar

guessedappname:// 

You should get a result of either app not found, or something that asks if you would like to allow an app to open the webpage. For an example using Salesforce (salesforce1://) see screen shots below.

BAD GUESS


CORRECT GUESS

Without further ado, here is the very short list of ones I have used in the past. If you know any additional ones, leave a comment below and let's get them added to the list.


  • Salesforce - salesforce1
  • Go To Meeting - gotomeeting
  • AutoCAD DWG Viewer and Editor - autocad
  • Webex - wbx
  • Zoom Cloud Meetings - zoomus
  • Slack - slack
  • Apple Maps - maps
  • Google Maps - googlemaps
  • Docusign - Docusignit

The items on this list were generated by myself and the community. I have not verified the accuracy of most of them. I am asking for the community's help in either adding to the list or for a more foolproof way of finding out the application's URL identifier.

Thanks everyone!
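
As an added example (not from the original post and not an Intune tool): when you have an app's .ipa file, for instance for an in-house app, the URL schemes it registers can be read from the `CFBundleURLTypes` / `CFBundleURLSchemes` keys of its Info.plist instead of being guessed in Safari. The sample app, its bundle ID and its schemes are constructed for illustration, and the function names are hypothetical.

```python
import io
import plistlib
import re
import zipfile

# RFC 3986 scheme syntax: a letter, then letters, digits, "+", "-" or "."
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*$")
# Top-level Info.plist of the app bundle inside an .ipa archive
APP_PLIST_RE = re.compile(r"^Payload/[^/]+\.app/Info\.plist$")

def schemes_from_plist(plist_bytes):
    """Return (usable, rejected) URL schemes declared in an Info.plist."""
    info = plistlib.loads(plist_bytes)  # handles XML and binary plists
    usable, rejected = [], []
    for url_type in info.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            if not SCHEME_RE.match(scheme):
                rejected.append(scheme)   # declared, but not a valid scheme
            elif scheme not in usable:
                usable.append(scheme)     # de-duplicate across URL types
    return usable, rejected

def schemes_from_ipa(ipa_file):
    """Read the app's Info.plist out of an .ipa (a zip) and list its schemes."""
    with zipfile.ZipFile(ipa_file) as ipa:
        names = [n for n in ipa.namelist() if APP_PLIST_RE.match(n)]
        if len(names) != 1:
            raise ValueError("expected exactly one Payload/<App>.app/Info.plist")
        return schemes_from_plist(ipa.read(names[0]))

def build_sample_ipa():
    """Constructed sample: a minimal in-memory .ipa for a made-up app."""
    info = {"CFBundleIdentifier": "com.example.viewer", "CFBundleURLTypes": [
        {"CFBundleURLSchemes": ["exampleviewer", "exampleviewer-share"]},
        {"CFBundleURLSchemes": ["exampleviewer", "bad scheme"]}]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as ipa:
        ipa.writestr("Payload/Example.app/Info.plist",
                     plistlib.dumps(info, fmt=plistlib.FMT_BINARY))
        # Extension bundles carry their own Info.plist; it must be ignored
        ipa.writestr("Payload/Example.app/PlugIns/Share.appex/Info.plist",
                     plistlib.dumps({"CFBundleIdentifier": "com.example.viewer.share"}))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    usable, rejected = schemes_from_ipa(build_sample_ipa())
    print("exemption candidates:", usable, "| invalid:", rejected)
```

Each usable scheme is still worth confirming on a test device before it goes into the policy's exemption list.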