Blocking the Outlook Mobile App for iOS and Android: Difference between revisions

mNo edit summary
 
(15 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{Article Infobox|{{admin}}|{{ZCS 8.6}}||{{ZCS 8.5}}|||}}
{{BC|Community Sandbox}}
__FORCETOC__
<div class="col-md-12 ibox-content">
=Blocking the Outlook Mobile App for iOS and Android=
{{KB|{{Unsupported}}|{{ZCS 8.8}}|{{ZCS 8.7}}|{{ZCS 8.6}}|}}


= Blocking the Outlook Mobile App for iOS and Android =
In February 2015, Microsoft released the Outlook Mobile app for iOS and Android. Previously, with Acompli, the Outlook Mobile App came with a lot of security issues and some companies expressed concerns about it:
In February 2015, Microsoft release the Outlook Mobile app for iOS and Android. Previously Acompli, the Outlook Mobile App came with a lot of security issues and companies around the World are concerned about it:
* [http://windowsitpro.com/blog/do-ex-acompli-now-outlook-clients-really-compromise-security-or-everyone-overreacting http://windowsitpro.com/blog/do-ex-acompli-now-outlook-clients-really-compromise-security-or-everyone-overreacting]
* [http://windowsitpro.com/blog/do-ex-acompli-now-outlook-clients-really-compromise-security-or-everyone-overreacting http://windowsitpro.com/blog/do-ex-acompli-now-outlook-clients-really-compromise-security-or-everyone-overreacting]
* [http://windowsitpro.com/blog/worried-about-security-and-privacy-outlook-ios-and-android-heres-your-chance-debate-issues http://windowsitpro.com/blog/worried-about-security-and-privacy-outlook-ios-and-android-heres-your-chance-debate-issues]
* [http://windowsitpro.com/blog/worried-about-security-and-privacy-outlook-ios-and-android-heres-your-chance-debate-issues http://windowsitpro.com/blog/worried-about-security-and-privacy-outlook-ios-and-android-heres-your-chance-debate-issues]
* [http://securityaffairs.co/wordpress/33059/hacking/ios-outlook-app-issues.html http://securityaffairs.co/wordpress/33059/hacking/ios-outlook-app-issues.html]
* [http://securityaffairs.co/wordpress/33059/hacking/ios-outlook-app-issues.html http://securityaffairs.co/wordpress/33059/hacking/ios-outlook-app-issues.html]
* [http://www.pcworld.com/article/2881632/eu-parliament-blocks-new-outlook-apps-over-privacy-concerns.htmlhttp://www.pcworld.com/article/2881632/eu-parliament-blocks-new-outlook-apps-over-privacy-concerns.html]
* [http://www.pcworld.com/article/2881632/eu-parliament-blocks-new-outlook-apps-over-privacy-concerns.html http://www.pcworld.com/article/2881632/eu-parliament-blocks-new-outlook-apps-over-privacy-concerns.html]


==Blocking the Outlook Mobile App with the Proxy service==
==Blocking the Outlook Mobile App with the Proxy service==
If we are running Zimbra with the Proxy service, we can block the Outlook Mobile App editing the next commands '''(this changes will survive a restart of the services, but not an upgrade)'''
 
If you are running Zimbra with the Proxy service, you can block the Outlook Mobile App editing the next commands '''(these changes will survive a restart of the services, but not an upgrade)'''
 
As the zimbra user, you'll edit the following files.
 
su - zimbra


Edit the HTTP Nginx template:
Edit the HTTP Nginx template:
     vi /opt/zimbra/conf/nginx/templates/nginx.conf.web.http.default.template
     vi /opt/zimbra/conf/nginx/templates/nginx.conf.web.http.default.template


And add the next content when the server starts:
And add the next content when the server starts:
     # HTTP Proxy Default Configuration
     # HTTP Proxy Default Configuration
     #
     #
     server
     server
     {
     {
         '''if ($http_user_agent ~ (Outlook-iOS-Android) ) {
         if ($http_user_agent ~ (Outlook-iOS-Android) ) {
         return 403;'''
         return 403;
     }
        }
     [...]
Edit the HTTPS Nginx template:
Edit the HTTPS Nginx template:
     vi /opt/zimbra/conf/nginx/templates/nginx.conf.web.http.default.template
 
     vi /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template


And add the next content when the server starts:
And add the next content when the server starts:
     # HTTPS Proxy Default Configuration
     # HTTPS Proxy Default Configuration
     #
     #
     server
     server
     {
     {
         '''if ($http_user_agent ~ (Outlook-iOS-Android) ) {
         if ($http_user_agent ~ (Outlook-iOS-Android) ) {
         return 403;'''
         return 403;
     }
        }
     [...]
 
Restart the Zimbra services to apply the changes [still as the zimbra user]:


Like user zimbra, restart Zimbra services to apply the changes:
     zmcontrol restart
     zmcontrol restart


==Log trace==
In the nginx log '''/opt/zimbra/log/nginx.access.log''' we can see the access attempts with Outlook Mobile App and the 403 errors [Forbidden] :
    54.187.102.116:55301 - zimbra.io\x5Cadmin [11/Feb/2015:10:16:42 -0500] 
  "POST /Microsoft-Server-ActiveSync?User=zimbra.io%5Cadmin&DeviceId=215CD17123FC80C2&DeviceType=Outlook&Cmd=Sync
  HTTP/1.1" 403 310 "-" "Outlook-iOS-Android/1.0" "-"


==Testing the changes==
Note the reference to the IP address of 54.187.102.116, which is the Microsoft Outlook servers, and not from our device ISP provider.
Once the Zimbra server is up, we can go to our devices and open the Mail.app in iOS and send to us a email, we will see it.
If we open the Outlook Mobile App, we will not sync Mail, Contacts, or Calendar, anymore.


==Log trace==
We can also see that Mail.App can continue accession the ZCS server with no issues:
In the Logs we can see the attempts of access since the Outlook Mobile App and the 403 error like this:
 
    54.187.102.116:55301 - zimbra.io\x5Cadmin [11/Feb/2015:10:16:42 -0500]  "POST /Microsoft-Server-ActiveSync?User=zimbra.io%5Cadmin&DeviceId=215CD17123FC80C2&DeviceType=Outlook&Cmd=Sync HTTP/1.1" 403 310 "-" "Outlook-iOS-Android/1.0" "-"
  23.23.23.23:51889 - zimbra.io\x5Cadmin [11/Feb/2015:10:17:29 -0500]   
  "POST /Microsoft-Server-ActiveSync?User=admin&DeviceId=M92PFITKBD0S14XXXXXXXXXXXX&DeviceType=iPad&Cmd=Sync  
  HTTP/1.1" 200 357 "-" "Apple-iPad2C5/1202.466" "127.0.1.1:8443"


AS we can see, the IP 54.187.102.116, is from the Outlook servers, and not from our device ISP provider.
==Related Bugs/RFE's==


And see the Log from the Mail.app accesing without problem:
* Allow for customizations of nginx regex patterns to block traffic (eg. from specific browsers or user agents)
    23.23.23.23:51889 - zimbra.io\x5Cadmin [11/Feb/2015:10:17:29 -0500]  "POST /Microsoft-Server-ActiveSync?User=admin&DeviceId=M92PFITKBD0S14XXXXXXXXXXXX&DeviceType=iPad&Cmd=Sync HTTP/1.1" 200 357 "-" "Apple-iPad2C5/1202.466" "127.0.1.1:8443"
** https://bugzilla.zimbra.com/show_bug.cgi?id=87471
* Implement Allow/Block/Quarantine list to control device access
** https://bugzilla.zimbra.com/show_bug.cgi?id=89688
* Network Deny / Access rules for activesync , blocking external connections
** https://bugzilla.zimbra.com/show_bug.cgi?id=89196
* RFE: ability to block the mobile sync based on Device Make or OS
** https://bugzilla.zimbra.com/show_bug.cgi?id=71586
* add ability to block sync from a device
** https://bugzilla.zimbra.com/show_bug.cgi?id=61282


==Identified Support/Known Issues==
==Identified Support/Known Issues==




{{Article Footer|Zimbra Collaboration Suite 8.6, 8.5|11/02/2014}}
{{Article Footer|Zimbra Collaboration Suite 8.8, 8.7, 8.6|02/11/2015}}

Latest revision as of 09:03, 14 September 2017

Blocking the Outlook Mobile App for iOS and Android

   KB 21518        Last updated on 2017-09-14  




0.00
(0 votes)

In February 2015, Microsoft released the Outlook Mobile app for iOS and Android. Previously, with Acompli, the Outlook Mobile App came with a lot of security issues and some companies expressed concerns about it:

Blocking the Outlook Mobile App with the Proxy service

If you are running Zimbra with the Proxy service, you can block the Outlook Mobile App editing the next commands (these changes will survive a restart of the services, but not an upgrade)

As the zimbra user, you'll edit the following files.

su - zimbra

Edit the HTTP Nginx template:

   vi /opt/zimbra/conf/nginx/templates/nginx.conf.web.http.default.template

And add the next content when the server starts:

   # HTTP Proxy Default Configuration
   #
   server
   {
       if ($http_user_agent ~ (Outlook-iOS-Android) ) {
       return 403;
       }
   [...]

Edit the HTTPS Nginx template:

   vi /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template

And add the next content when the server starts:

   # HTTPS Proxy Default Configuration
   #
   server
   {
       if ($http_user_agent ~ (Outlook-iOS-Android) ) {
       return 403;
       }
   [...]

Restart the Zimbra services to apply the changes [still as the zimbra user]:

   zmcontrol restart

Log trace

In the nginx log /opt/zimbra/log/nginx.access.log we can see the access attempts with Outlook Mobile App and the 403 errors [Forbidden] :

   54.187.102.116:55301 - zimbra.io\x5Cadmin [11/Feb/2015:10:16:42 -0500]  
  "POST /Microsoft-Server-ActiveSync?User=zimbra.io%5Cadmin&DeviceId=215CD17123FC80C2&DeviceType=Outlook&Cmd=Sync 
  HTTP/1.1" 403 310 "-" "Outlook-iOS-Android/1.0" "-"

Note the reference to the IP address of 54.187.102.116, which is the Microsoft Outlook servers, and not from our device ISP provider.

We can also see that Mail.App can continue accession the ZCS server with no issues:

  23.23.23.23:51889 - zimbra.io\x5Cadmin [11/Feb/2015:10:17:29 -0500]  
 "POST /Microsoft-Server-ActiveSync?User=admin&DeviceId=M92PFITKBD0S14XXXXXXXXXXXX&DeviceType=iPad&Cmd=Sync 
 HTTP/1.1" 200 357 "-" "Apple-iPad2C5/1202.466" "127.0.1.1:8443"

Related Bugs/RFE's

Identified Support/Known Issues

Verified Against: Zimbra Collaboration Suite 8.8, 8.7, 8.6 Date Created: 02/11/2015
Article ID: https://wiki.zimbra.com/index.php?title=Blocking_the_Outlook_Mobile_App_for_iOS_and_Android Date Modified: 2017-09-14



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »


Jump to: navigation, search