IBM MaaS360

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

  • 1.  Removal of MaaS360-installed Outlook account without removing Outlook app on iPhone iOS 14.4

    Posted Fri February 12, 2021 10:14 AM
    Hi!

    A colleague came across this problem in InTune, and it seems it is the same in MaaS360:

    - iPhone is enrolled in MaaS360 using Device Enrollment
    - iOS Outlook app is added to MaaS360 and configured to install an Exchange account
    - Outlook is deployed to iPhone, and during install the Exchange account is configured
    - I enter my Exchange userid and password, and my mail is retrieved

    Case A): If Outlook is configured to not be un-installed during Remove Control/Selective Wipe:
    - Remove Control does NOT remove the Exchange account that was configured during install of Outlook. I can still access and read my mail

    Case B): If Outlook IS configured to be un-installed during Remove Control/Selective Wipe:
    - The Outlook app and the Exchange account are removed

    If you use the native iOS mail app instead of Outlook, the mail account can be removed while leaving the app behind!

    In a BYOD scenario this is what you want.

    Since the same thing is apparently seen using InTune, is this an Apple problem?

    This indicates it may in fact be an Apple problem, although not the same scenario (orphaned profile in this case):
    https://www.reddit.com/r/Intune/comments/jwp068/ios_remove_orphan_email_profile/

    Anybody else come across this?

    Regards,
    Arne



    ------------------------------
    Arne Halsteinslid
    ------------------------------


  • 2.  RE: Removal of MaaS360-installed Outlook account without removing Outlook app on iPhone iOS 14.4

    Posted Mon February 15, 2021 09:56 AM

    Hi Arne,

    This is more a limitation of the AppConfig behavior on iOS than iOS itself.  When we push settings via the policy, they live in the MDM profile on the device, so when the profile is removed, the settings are removed as well.  In app config scenarios, such as using Outlook, where there is no policy feature, but rather the settings are set in the app itself, when the MDM profile is removed there is no more sway over the app itself if it is left on the device, so the settings will remain.

    Since iOS currently doesn't have any methods for clearing individual app caches, this is going to have to be a consideration.  It's especially burdensome with the Outlook agent because it has embedded APIs that can bypass ActiveSync and other mail quarantine controls by design.  The only real workaround, that I am aware of, is to block the Outlook app signature for the individual users at the mail server level.



    ------------------------------
    Matt Shaver
    System Architect
    IBM
    mshaver@us.ibm.com
    ------------------------------



  • 3.  RE: Removal of MaaS360-installed Outlook account without removing Outlook app on iPhone iOS 14.4

    Posted Mon February 15, 2021 10:26 AM
    Thank you Matt for a quick response and detailed answer!

    My colleague, who has been working with InTune and Azure AD for quite some time, did some more research. He thinks it may be possible to address scenario A) using InTune App Protection Policies and user group memberships in Azure AD. I searched the MaaS360 documentation and discovered that InTune App Protection Policies can also be used in MaaS360 through integration with Azure AD.

    According to my colleague, removing the user from the Azure AD user group (or of course deactivating the user) will then clean up and remove the Exchange account on the iOS device. Does this sound right?

    Thanks and regards,
    Arne

    ------------------------------
    Arne Halsteinslid
    ------------------------------



  • 4.  RE: Removal of MaaS360-installed Outlook account without removing Outlook app on iPhone iOS 14.4

    Posted Mon February 15, 2021 10:39 AM

    Intune app protection can definitely help, but I think a more robust solution would be Azure Conditional Access.  This is still in beta (both on our side and Microsoft's), but it allows for tuning access to the MS services based on compliance policies in MaaS360.  It's a bit more of a handshake between our services than app protection, but the beta aspect may be a show stopper for some clients.

    As for the account deactivation, that should work, but I suggest verifying hands on before implementing that as a solution, just to be sure.



    ------------------------------
    Matt Shaver
    System Architect
    IBM
    mshaver@us.ibm.com
    ------------------------------



  • 5.  RE: Removal of MaaS360-installed Outlook account without removing Outlook app on iPhone iOS 14.4

    Posted Mon February 15, 2021 10:45 AM
    Thanks again Matt!

    Looking forward to the MaaS360 Features and Functionality review on March 16.

    ------------------------------
    Arne Halsteinslid
    ------------------------------