IBM Security MaaS360

  • 1.  BYOD phones - Apple, Android, Office365 and the Outlook app

    Posted Fri July 24, 2020 10:05 AM
    Hi All,
    We have been using MaaS360 on employees' personal mobile phones for a while now. Generally, once enrolled, MaaS will set a few basic policy requirements and provision company email in the device's default mail app.
    What we are looking at now is that many users prefer to use the Outlook app on their devices for company email.
    I am sure this has been discussed at length in the past, but I am curious what - if anything - MaaS360 users are doing to work with this scenario these days... since the Outlook app shows as its own device in Exchange Online / Office365... even if a device is enrolled there could be compliance rule issues, the Outlook app "device" getting blocked, etc.?

    Much appreciated,
    ~D

    ------------------------------
    David
    ------------------------------


  • 2.  RE: BYOD phones - Apple, Android, Office365 and the Outlook app

    Posted Mon July 27, 2020 05:50 AM
    Hi David

    Great question! As you might expect MaaS360 provides you with a number of solutions to this issue ensuring flexibility in your approach. 
    As you might expect also, our customers use any of the following options or a combination of them. I'll give you a few links to get started with our documentation and let us know if you need more. 

    1. Blacklist client for enrolled devices
    If you have devices that are enrolled into MaaS360 you have the ability to use Application Compliance settings in your device policy to blacklist Outlook or other mail apps and depending on the device, a greater or lesser level of control. For example, devices enrolled into Apple DEP or Android Enterprise will give you the confidence that users do not have options, while using Device Management settings in the device policy, ensuring that users need to know a numeric code before they can uninstall the MaaS360 profile, helps you to enforce the settings you have set in the device policy such as blacklisting. 
    https://www.ibm.com/support/knowledgecenter/SS8H2S/com.ibm.mc.doc/pag_source/concepts/mdm_policy_gde_security_policies.htm

    2. Cloud Extender
    The Exchange / Office365 and Traveler integration modules in Cloud Extender allow you to take control at a server or mail platform level. By using Auto-Quarantine or an equivalent function, you can block devices from syncing mail. Combining this with your Cloud Extender settings, you can specify which mail client should be used to access the mail account, so for example only MaaS360 Secure Mail and nothing else.
    https://www.ibm.com/support/knowledgecenter/SS8H2S/com.ibm.mc.doc/ce_source/references/ce_exchange_settings.htm
    https://www.ibm.com/support/knowledgecenter/SS8H2S/com.ibm.mc.doc/ce_source/references/ce_traveler_settings.htm

    3. Integration with Azure AD and Office365
    You can also use Microsoft's Intune App Protection settings to enable usage by specific apps; MaaS360 is able to integrate with this so you can tie the two systems in and configure which apps can access data and the authentication (user verification) mechanisms used.
    https://www.ibm.com/support/knowledgecenter/SS8H2S/com.ibm.mc.doc/pag_source/concepts/intune_app_policies_overview.htm

    In addition to this you may also have (mail) platform- or server-side controls to configure or block access to specific mail clients. You can see an example for this on the Microsoft side but I would encourage you to do further research on this if you need. 
    https://docs.microsoft.com/en-us/exchange/clients/outlook-on-the-web/mailbox-access?view=exchserver-2019

    I hope this helps!

    ------------------------------
    Eamonn O'Mahony
    Technical Account Manager
    IBM Ireland
    Dublin
    ------------------------------



  • 3.  RE: BYOD phones - Apple, Android, Office365 and the Outlook app

    Posted Mon July 27, 2020 12:54 PM

    Thanks for the reply Eamonn,

    We have just recently re-deployed Cloud Extender, and reading through the admin guides I think we still have some work to do there - which is fine (service accounts, RBAC, etc.)
    Most of what you shared seems to be based around prevention... but I am trying to think of ways to allow users to use the Outlook app on their personal mobile devices while still maintaining compliance and control with MaaS360.

    So, knowing that we can enroll devices in MaaS360 and provision the Outlook app from there, we can perform selective wipes to hide the app and corporate email data, or remove device control if an employee exits the company, thus removing the app and company email data.

    This is good - but is there a way to tell MaaS360 that - when it sees our O365 service via CE - the "devices" created by the use of the Outlook app are allowed as long as the device is enrolled. Is there a way to distinguish between an enrolled device that is using Outlook app vs a non-enrolled device that is using the Outlook app...?

    Also - the guidelines in the documentation - service accounts for device discovery and dedicated service accounts... The recommendation goes by number of mailboxes (increments of 500). Is this 500 total mailboxes in the O365 tenant? Or per 500 enrolled user mailboxes? For example, if there are 500 users with mailboxes and mobile devices, but the tenant has 1000 mailboxes total (including shared mailboxes, etc.)... do we go off the total number?

    Thanks,



    ------------------------------
    David
    ------------------------------



  • 4.  RE: BYOD phones - Apple, Android, Office365 and the Outlook app

    Posted Tue July 28, 2020 07:37 AM
    Edited by Eamonn O'Mahony Tue July 28, 2020 07:39 AM

    Hi David

    Reply to your points inline.

    We have just recently re-deployed Cloud Extender, and reading through the admin guides I think we still have some work to do there - which is fine (service accounts, RBAC, etc.)
    Understood - please review minimum requirements for CE server as per document below as some have changed.  
    https://www.ibm.com/support/knowledgecenter/SS8H2S/com.ibm.mc.doc/ce_source/references/ce_min_req.htm

    Most of what you shared seems to be based around prevention... but I am trying to think of ways to allow users to use the Outlook app on their personal mobile devices while still maintaining compliance and control with MaaS360.
    Configuration of Outlook in a way that facilitates user access can be done via Intune Mobile Application Management and Protection; see the documentation here for setup:
    https://www.ibm.com/support/knowledgecenter/SS8H2S/com.ibm.mc.doc/pag_source/concepts/intune_app_policies_overview.htm

    So, knowing that we can enroll devices in MaaS360 and provision the Outlook app from there, we can perform selective wipes to hide the app and corporate email data, or remove device control if an employee exits the company, thus removing the app and company email data.

    This is good - but is there a way to tell MaaS360 that - when it sees our O365 service via CE - the "devices" created by the use of the Outlook app are allowed as long as the device is enrolled. Is there a way to distinguish between an enrolled device that is using Outlook app vs a non-enrolled device that is using the Outlook app...?
    If you have the mail server / platform integration, ActiveSync records ('ActiveSync Managed') are visible in your Devices > Inventory list. If I remember correctly, the devices using Outlook have device names of 'Outlook MDM' followed by the serial number. The problem is that they cannot be auto-merged with enrolled devices, as the device information is different for Outlook / Exchange / O365 records than for enrolled devices. To see Exceptions (devices where the ActiveSync record and MDM/enrolled device have not merged), go to Devices > Exceptions.
    In addition, you could use filter criteria via Devices > Advanced Search, using filters such as ActiveSync Managed = Yes. If you want to search for Outlook you can either use Device name contains 'Outlook MDM' (see above; get a sample device to review the format), and for enrolled devices you can search for Outlook by using 'Software Installed' / App ID contains '(AppID for Outlook, just check it on an installed device)'.
    Remember that the Advanced Search feature also allows you to create device groups based on the filter criteria you have just used. 

    Also - the guidelines in the documentation - service accounts for device discovery and dedicated service accounts... The recommendation goes by number of mailboxes (increments of 500). Is this 500 total mailboxes in the O365 tenant? Or per 500 enrolled user mailboxes? For example, if there are 500 users with mailboxes and mobile devices, but the tenant has 1000 mailboxes total (including shared mailboxes, etc.)... do we go off the total number?
    I think you're referring to the 'Office 365 budgets' documentation which refers to the number of client 'listening' licences that you need to use in order to ensure acceptable performance in the O365 integration. If so please see the link below: 
    https://www.ibm.com/support/knowledgecenter/SS8H2S/com.ibm.mc.doc/ce_source/concepts/ce_exchange_adv_office_int.htm
    The number of mailboxes to consider is the number of mailboxes existing on the platform irrespective of whether the users connect to them or not ('theoretical maximum') and therefore the total number. As per the document you can increase the total number queried by each licence but this may effectively introduce delays and/or reduced performance. 

    Best



    ------------------------------
    Eamonn O'Mahony
    Technical Client Success Manager
    IBM
    Dublin
    ------------------------------
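The reconciliation Eamonn describes above (ActiveSync 'Outlook MDM' records on one side, enrolled devices with the Outlook app installed on the other) can be approximated offline from an inventory export. The following is an added example, not IBM's or MaaS360's own code: it correlates the two record types by username, since the page notes they cannot be auto-merged by device information. The CSV column names, the Outlook app ID and the sample rows are all constructed assumptions.

```python
# Added example (not MaaS360 code): flag Outlook ActiveSync records whose user
# has no MDM-enrolled device with the Outlook app installed. Correlation is by
# username, which is a heuristic; column names and app IDs are assumed.
import csv
import io

# Constructed sample inventory export: one row per MaaS360 inventory record.
SAMPLE_EXPORT = """\
username,device_name,activesync_managed,mdm_enrolled,installed_app_ids
alice@example.com,Outlook MDM ABC123,Yes,No,
alice@example.com,Alice iPhone,No,Yes,com.microsoft.Office.Outlook;com.apple.mobilemail
bob@example.com,Outlook MDM DEF456,Yes,No,
carol@example.com,Carol Pixel,No,Yes,com.microsoft.office.outlook
"""

# Assumed Outlook app identifier; compared case-insensitively.
OUTLOOK_APP_IDS = {"com.microsoft.office.outlook"}


def load_records(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def outlook_activesync_records(records):
    """ActiveSync-managed records whose device name marks the Outlook app."""
    return [r for r in records
            if r["activesync_managed"] == "Yes"
            and r["device_name"].startswith("Outlook MDM")]


def users_with_enrolled_outlook(records):
    """Usernames owning an MDM-enrolled device with Outlook installed."""
    users = set()
    for r in records:
        if r["mdm_enrolled"] != "Yes":
            continue
        apps = {a.strip().lower() for a in r["installed_app_ids"].split(";") if a.strip()}
        if apps & OUTLOOK_APP_IDS:
            users.add(r["username"].lower())
    return users


def classify_outlook_records(records):
    """Split Outlook ActiveSync records into (allowed, needs_review) device names."""
    covered = users_with_enrolled_outlook(records)
    allowed, review = [], []
    for r in outlook_activesync_records(records):
        target = allowed if r["username"].lower() in covered else review
        target.append(r["device_name"])
    return allowed, review


if __name__ == "__main__":
    ok, flagged = classify_outlook_records(load_records(SAMPLE_EXPORT))
    print("allowed:", ok)
    print("needs review:", flagged)
```

The "needs review" list corresponds to the Devices > Exceptions view in the post: Outlook records with no enrolled counterpart for the same user.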



  • 5.  RE: BYOD phones - Apple, Android, Office365 and the Outlook app

    Posted Thu August 12, 2021 03:13 PM
    David,

    I found this thread in my search and was wondering if you can provide some insight.

    We (City of Tacoma, WA) use MaaS as our MDM.  We are running into the same issue with Outlook Mobile as you described in your post.

    Did the suggestions made by IBM provide a suitable resolution?

    If you get this, any feedback is greatly appreciated.

    John Lasky


    ------------------------------
    John Lasky
    ------------------------------