Blocking the Outlook Mobile App for iOS and Android: Difference between revisions
No edit summary |
mNo edit summary |
||
(11 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
{{ | {{BC|Community Sandbox}} | ||
__FORCETOC__ | |||
<div class="col-md-12 ibox-content"> | |||
=Blocking the Outlook Mobile App for iOS and Android= | |||
{{KB|{{Unsupported}}|{{ZCS 8.8}}|{{ZCS 8.7}}|{{ZCS 8.6}}|}} | |||
In February 2015, Microsoft released the Outlook Mobile app for iOS and Android. Previously, with Acompli, the Outlook Mobile App came with a lot of security issues and some companies expressed concerns about it: | |||
In February 2015, Microsoft | |||
* [http://windowsitpro.com/blog/do-ex-acompli-now-outlook-clients-really-compromise-security-or-everyone-overreacting http://windowsitpro.com/blog/do-ex-acompli-now-outlook-clients-really-compromise-security-or-everyone-overreacting] | * [http://windowsitpro.com/blog/do-ex-acompli-now-outlook-clients-really-compromise-security-or-everyone-overreacting http://windowsitpro.com/blog/do-ex-acompli-now-outlook-clients-really-compromise-security-or-everyone-overreacting] | ||
* [http://windowsitpro.com/blog/worried-about-security-and-privacy-outlook-ios-and-android-heres-your-chance-debate-issues http://windowsitpro.com/blog/worried-about-security-and-privacy-outlook-ios-and-android-heres-your-chance-debate-issues] | * [http://windowsitpro.com/blog/worried-about-security-and-privacy-outlook-ios-and-android-heres-your-chance-debate-issues http://windowsitpro.com/blog/worried-about-security-and-privacy-outlook-ios-and-android-heres-your-chance-debate-issues] | ||
* [http://securityaffairs.co/wordpress/33059/hacking/ios-outlook-app-issues.html http://securityaffairs.co/wordpress/33059/hacking/ios-outlook-app-issues.html] | * [http://securityaffairs.co/wordpress/33059/hacking/ios-outlook-app-issues.html http://securityaffairs.co/wordpress/33059/hacking/ios-outlook-app-issues.html] | ||
* [http://www.pcworld.com/article/2881632/eu-parliament-blocks-new-outlook-apps-over-privacy-concerns. | * [http://www.pcworld.com/article/2881632/eu-parliament-blocks-new-outlook-apps-over-privacy-concerns.html http://www.pcworld.com/article/2881632/eu-parliament-blocks-new-outlook-apps-over-privacy-concerns.html] | ||
==Blocking the Outlook Mobile App with the Proxy service== | ==Blocking the Outlook Mobile App with the Proxy service== | ||
If | If you are running Zimbra with the Proxy service, you can block the Outlook Mobile App editing the next commands '''(these changes will survive a restart of the services, but not an upgrade)''' | ||
As the zimbra user, you'll edit the following files. | As the zimbra user, you'll edit the following files. | ||
Line 27: | Line 29: | ||
server | server | ||
{ | { | ||
if ($http_user_agent ~ (Outlook-iOS-Android) ) { | |||
return 403; | return 403; | ||
} | |||
[...] | |||
Edit the HTTPS Nginx template: | Edit the HTTPS Nginx template: | ||
vi /opt/zimbra/conf/nginx/templates/nginx.conf.web. | vi /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template | ||
And add the next content when the server starts: | And add the next content when the server starts: | ||
Line 40: | Line 43: | ||
server | server | ||
{ | { | ||
if ($http_user_agent ~ (Outlook-iOS-Android) ) { | |||
return 403; | return 403; | ||
} | |||
[...] | |||
Restart the Zimbra services to apply the changes [still as the zimbra user]: | Restart the Zimbra services to apply the changes [still as the zimbra user]: | ||
Line 49: | Line 53: | ||
==Log trace== | ==Log trace== | ||
In the nginx log '''/opt/zimbra/log/nginx.access.log''' we can see the access attempts with Outlook Mobile App and the 403 errors [Forbidden] : | |||
54.187.102.116:55301 - zimbra.io\x5Cadmin [11/Feb/2015:10:16:42 -0500] | |||
"POST /Microsoft-Server-ActiveSync?User=zimbra.io%5Cadmin&DeviceId=215CD17123FC80C2&DeviceType=Outlook&Cmd=Sync | |||
HTTP/1.1" 403 310 "-" "Outlook-iOS-Android/1.0" "-" | |||
Note the reference to the IP address of 54.187.102.116, which is the Microsoft Outlook servers, and not from our device ISP provider. | |||
We can also see that Mail.App can continue accession the ZCS server with no issues: | |||
23.23.23.23:51889 - zimbra.io\x5Cadmin [11/Feb/2015:10:17:29 -0500] | |||
"POST /Microsoft-Server-ActiveSync?User=admin&DeviceId=M92PFITKBD0S14XXXXXXXXXXXX&DeviceType=iPad&Cmd=Sync | |||
HTTP/1.1" 200 357 "-" "Apple-iPad2C5/1202.466" "127.0.1.1:8443" | |||
==Related Bugs/RFE's== | |||
* Allow for customizations of nginx regex patterns to block traffic (eg. from specific browsers or user agents) | |||
** https://bugzilla.zimbra.com/show_bug.cgi?id=87471 | |||
* Implement Allow/Block/Quarantine list to control device access | |||
** https://bugzilla.zimbra.com/show_bug.cgi?id=89688 | |||
* Network Deny / Access rules for activesync , blocking external connections | |||
** https://bugzilla.zimbra.com/show_bug.cgi?id=89196 | |||
* RFE: ability to block the mobile sync based on Device Make or OS | |||
** https://bugzilla.zimbra.com/show_bug.cgi?id=71586 | |||
* add ability to block sync from a device | |||
** https://bugzilla.zimbra.com/show_bug.cgi?id=61282 | |||
==Identified Support/Known Issues== | ==Identified Support/Known Issues== | ||
{{Article Footer|Zimbra Collaboration Suite 8. | {{Article Footer|Zimbra Collaboration Suite 8.8, 8.7, 8.6|02/11/2015}} |
Latest revision as of 09:03, 14 September 2017
Blocking the Outlook Mobile App for iOS and Android
In February 2015, Microsoft released the Outlook Mobile app for iOS and Android. Previously, with Acompli, the Outlook Mobile App came with a lot of security issues and some companies expressed concerns about it:
- http://windowsitpro.com/blog/do-ex-acompli-now-outlook-clients-really-compromise-security-or-everyone-overreacting
- http://windowsitpro.com/blog/worried-about-security-and-privacy-outlook-ios-and-android-heres-your-chance-debate-issues
- http://securityaffairs.co/wordpress/33059/hacking/ios-outlook-app-issues.html
- http://www.pcworld.com/article/2881632/eu-parliament-blocks-new-outlook-apps-over-privacy-concerns.html
Blocking the Outlook Mobile App with the Proxy service
If you are running Zimbra with the Proxy service, you can block the Outlook Mobile App editing the next commands (these changes will survive a restart of the services, but not an upgrade)
As the zimbra user, you'll edit the following files.
su - zimbra
Edit the HTTP Nginx template:
vi /opt/zimbra/conf/nginx/templates/nginx.conf.web.http.default.template
And add the next content when the server starts:
# HTTP Proxy Default Configuration # server { if ($http_user_agent ~ (Outlook-iOS-Android) ) { return 403; } [...]
Edit the HTTPS Nginx template:
vi /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
And add the next content when the server starts:
# HTTPS Proxy Default Configuration # server { if ($http_user_agent ~ (Outlook-iOS-Android) ) { return 403; } [...]
Restart the Zimbra services to apply the changes [still as the zimbra user]:
zmcontrol restart
Log trace
In the nginx log /opt/zimbra/log/nginx.access.log we can see the access attempts with Outlook Mobile App and the 403 errors [Forbidden] :
54.187.102.116:55301 - zimbra.io\x5Cadmin [11/Feb/2015:10:16:42 -0500] "POST /Microsoft-Server-ActiveSync?User=zimbra.io%5Cadmin&DeviceId=215CD17123FC80C2&DeviceType=Outlook&Cmd=Sync HTTP/1.1" 403 310 "-" "Outlook-iOS-Android/1.0" "-"
Note the reference to the IP address of 54.187.102.116, which is the Microsoft Outlook servers, and not from our device ISP provider.
We can also see that Mail.App can continue accession the ZCS server with no issues:
23.23.23.23:51889 - zimbra.io\x5Cadmin [11/Feb/2015:10:17:29 -0500] "POST /Microsoft-Server-ActiveSync?User=admin&DeviceId=M92PFITKBD0S14XXXXXXXXXXXX&DeviceType=iPad&Cmd=Sync HTTP/1.1" 200 357 "-" "Apple-iPad2C5/1202.466" "127.0.1.1:8443"
Related Bugs/RFE's
- Allow for customizations of nginx regex patterns to block traffic (eg. from specific browsers or user agents)
- Implement Allow/Block/Quarantine list to control device access
- Network Deny / Access rules for activesync , blocking external connections
- RFE: ability to block the mobile sync based on Device Make or OS
- add ability to block sync from a device
Identified Support/Known Issues