Blocking the Outlook Mobile App for iOS and Android
In February 2015, Microsoft released the Outlook Mobile app for iOS and Android. Previously, with Acompli, the Outlook Mobile App came with a lot of security issues and some companies expressed concerns about it:
- http://windowsitpro.com/blog/do-ex-acompli-now-outlook-clients-really-compromise-security-or-everyone-overreacting
- http://windowsitpro.com/blog/worried-about-security-and-privacy-outlook-ios-and-android-heres-your-chance-debate-issues
- http://securityaffairs.co/wordpress/33059/hacking/ios-outlook-app-issues.html
- http://www.pcworld.com/article/2881632/eu-parliament-blocks-new-outlook-apps-over-privacy-concerns.html
Blocking the Outlook Mobile App with the Proxy service
If you are running Zimbra with the Proxy service, you can block the Outlook Mobile App by editing the Nginx templates as described below. These changes will survive a restart of the services, but not an upgrade.
As the zimbra user, you'll edit the following files.
su - zimbra
Edit the HTTP Nginx template:
vi /opt/zimbra/conf/nginx/templates/nginx.conf.web.http.default.template
Add the following if block right where the server block starts:
# HTTP Proxy Default Configuration
#
server
{
    if ($http_user_agent ~ (Outlook-iOS-Android) ) {
        return 403;
    }
[...]
Edit the HTTPS Nginx template:
vi /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
Add the following if block right where the server block starts:
# HTTPS Proxy Default Configuration
#
server
{
    if ($http_user_agent ~ (Outlook-iOS-Android) ) {
        return 403;
    }
[...]
Restart the Zimbra services to apply the changes [still as the zimbra user]:
zmcontrol restart
Log trace
In the nginx log /opt/zimbra/log/nginx.access.log we can see the access attempts from the Outlook Mobile App and the 403 [Forbidden] errors:
54.187.102.116:55301 - zimbra.io\x5Cadmin [11/Feb/2015:10:16:42 -0500] "POST /Microsoft-Server-ActiveSync?User=zimbra.io%5Cadmin&DeviceId=215CD17123FC80C2&DeviceType=Outlook&Cmd=Sync HTTP/1.1" 403 310 "-" "Outlook-iOS-Android/1.0" "-"
Note the IP address 54.187.102.116, which belongs to the Microsoft Outlook servers and not to our device's ISP.
We can also see that Mail.App can continue accessing the ZCS server with no issues:
23.23.23.23:51889 - zimbra.io\x5Cadmin [11/Feb/2015:10:17:29 -0500] "POST /Microsoft-Server-ActiveSync?User=admin&DeviceId=M92PFITKBD0S14XXXXXXXXXXXX&DeviceType=iPad&Cmd=Sync HTTP/1.1" 200 357 "-" "Apple-iPad2C5/1202.466" "127.0.1.1:8443"
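To confirm the rule is in effect, the access log can be audited for ActiveSync requests whose User-Agent matches the blocked pattern but were not answered with 403. The script below is an added example, not part of the original page or of Zimbra; the function name audit, the field layout (inferred from the two log lines above) and the third sample line are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Same pattern as the nginx rule; nginx "~" is a case-sensitive regex match.
BLOCKED_AGENT = re.compile(r"(Outlook-iOS-Android)")
# Field layout inferred from the two log lines quoted on this page (assumption).
LINE_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "(?P<agent>[^"]*)" "(?P<upstream>[^"]*)"'
)

def audit(lines):
    """Sort ActiveSync requests into blocked / leaked / allowed buckets."""
    result = {"blocked": [], "leaked": [], "allowed": [], "unparsed": 0}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            result["unparsed"] += 1
            continue
        url = urlsplit(m["target"])
        if url.path != "/Microsoft-Server-ActiveSync":
            continue
        device = parse_qs(url.query).get("DeviceId", ["?"])[0]
        entry = (m["time"], m["client"], device, m["agent"], int(m["status"]))
        if BLOCKED_AGENT.search(m["agent"]):
            # Anything other than 403 means the rule was not in effect for this request.
            key = "blocked" if m["status"] == "403" else "leaked"
        else:
            key = "allowed"
        result[key].append(entry)
    return result

# The first two lines are the ones quoted on this page; the third is constructed
# (documentation IP, made-up DeviceId) to show a request that slipped through.
SAMPLE = [
    r'54.187.102.116:55301 - zimbra.io\x5Cadmin [11/Feb/2015:10:16:42 -0500] "POST /Microsoft-Server-ActiveSync?User=zimbra.io%5Cadmin&DeviceId=215CD17123FC80C2&DeviceType=Outlook&Cmd=Sync HTTP/1.1" 403 310 "-" "Outlook-iOS-Android/1.0" "-"',
    r'23.23.23.23:51889 - zimbra.io\x5Cadmin [11/Feb/2015:10:17:29 -0500] "POST /Microsoft-Server-ActiveSync?User=admin&DeviceId=M92PFITKBD0S14XXXXXXXXXXXX&DeviceType=iPad&Cmd=Sync HTTP/1.1" 200 357 "-" "Apple-iPad2C5/1202.466" "127.0.1.1:8443"',
    r'192.0.2.10:40000 - zimbra.io\x5Cadmin [11/Feb/2015:10:20:00 -0500] "POST /Microsoft-Server-ActiveSync?User=admin&DeviceId=CONSTRUCTED0001&DeviceType=Outlook&Cmd=Sync HTTP/1.1" 200 357 "-" "Outlook-iOS-Android/1.0" "127.0.1.1:8443"',
]

if __name__ == "__main__":
    report = audit(SAMPLE)
    for key in ("blocked", "leaked", "allowed"):
        for entry in report[key]:
            print(key.upper(), *entry)
```

Because the template edits do not survive an upgrade, running this over /opt/zimbra/log/nginx.access.log after each upgrade shows whether the rule has to be re-applied: any entry under leaked means it does.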
Related Bugs/RFE's
- Allow for customizations of nginx regex patterns to block traffic (eg. from specific browsers or user agents)
- Implement Allow/Block/Quarantine list to control device access
- Network Deny / Access rules for activesync , blocking external connections
- RFE: ability to block the mobile sync based on Device Make or OS
- add ability to block sync from a device
Identified Support/Known Issues