Microsoft recently acquired the mobile application Acompli, and has rebranded its iOS and Android apps as “Microsoft Outlook”. This is a concern for staff and faculty at UBC who choose to use the application, because it is not compliant with the Freedom of Information and Protection of Privacy Act (FIPPA) and UBC information security policies and standards.
On February 03, 2015, UBC IT will begin to block the application so that FASmail users will no longer be able to access the Outlook app on iOS or Android phones.
Why is the Outlook app being blocked?
There are four main privacy and security concerns that caused UBC IT to make the decision to block the Outlook app:
- The app stores a copy of the user’s credentials on servers outside of Canada
- Message content is stored on servers located outside of Canada (FIPPA violation)
- After an account is deleted, Microsoft’s servers continue to attempt to retrieve email
- The app does not enforce ActiveSync security policies (e.g. device passcode requirements, ability to wipe remotely, etc.)
The use of this app by employees handling personal information violates UBC Information Security Standards #2, #3, #5 & #7:
- Password and Passphrase Protection
- Transmission and Sharing of UBC Electronic Information
- Encryption Requirements
- Securing Computing and Mobile Storage Devices/Media
In addition, this app violates University Counsel’s requirements for “Privacy of Email Systems” available here.
What will happen if I try to access the Outlook app?
After it is blocked, if you try to access your FASmail account through the Microsoft Outlook App you will not be able to sign in and you will receive an email notice that the connection from Microsoft Outlook for iOS or Android has been blocked due to security policies.
The automated message will look like this:
Subject: Your cell phone has been denied access to the server via Exchange ActiveSync because of server policies.
As a precaution, you are advised to update your CWL password to ensure your account remains safe. Information about your cell phone: Blocked application: Outlook for iOS and Android Device type: Outlook Device ID: ################ Device OS: Outlook for iOS and Android 1.0 Device user agent: Outlook-iOS-Android/1.0 Device IMEI: Exchange ActiveSync version: 14.1 Device access state: Blocked Device access state reason: DeviceRule
I was already using the Outlook app before it was blocked, what should I do now?
At this time, we recommend that you remove the Microsoft Outlook app immediately (it may have been installed to your mobile device as part of an Office 365 subscription if you use an Android device.) Because your CWL information will still be stored by Microsoft, please change your CWL password as soon as possible.
What can I use instead of the Outlook app?
Using the native email application on your mobile device is a safer alternative to the Outlook app. We are currently reviewing other email applications to determine if there are any other privacy or security concerns.
Will other email apps be blocked?
UBC IT will be reviewing the privacy policies of some of the more popular email apps on mobile devices to ensure that they abide by UBC’s privacy and security standards. This may result in similar blocks of these apps to the FASmail email service. Information and service bulletins will be added to the UBC IT website if any additional apps are added to the block list.
Where can I go to find out more information?
For updated information on the Microsoft Outlook App block, and any future apps that get blocked, please visit the FASmail service catalogue page.