39

Just tried to set up my student email address with the default email client on my Android device. The email servers used by the university are outlook.office365.com (incoming) and smtp.office365.com (outgoing). So I set it up like I always do with a new account, but at the very end I was presented with an alarming ultimatum:

[screenshot]

Unusual. But okay, sure.

[screenshot]

Slightly concerning, but it's probably nothing.

[screenshot]

???

I'm not usually one to freak out about smartphone app permissions, but this is different. This is directly from a Microsoft server. This is crazy. I just want to check my email. Why does that require me to surrender these remote administration capabilities to Microsoft? What is going on? Is it normal? Is it safe? Is it ridiculous; or is it nothing?

schroeder
voices
  • 1
    I faced the same issue today. I was confused as to why an email application asks for such permissions. I won't use this; I'd rather use browser-based email. – retromuz Nov 02 '18 at 21:31

4 Answers

12

Thankfully, you don't surrender remote admin capabilities to Microsoft. However, you do surrender them to the e-mail system's administrator or some other IT admin there.

Generally this kind of security is done at a corporate level. Corporations are as a whole concerned about loss of their intellectual property or privileged information (such as customer financial data or medical records). As such, when they manage phones, they have to be able to remotely wipe a phone in the event of theft or loss to protect their reputation, their intellectual property, and their customers' privacy.

Is it safe? Generally, although there are cases of admins getting something wrong and wiping the wrong phone. Thankfully Android allows you to sync your data up to Google, so you generally don't lose anything, including purchases made through the application store.

I'm not a big fan of doing this for a university setting where you are a student. You shouldn't have access to privileged or confidential data. However, given the sex scandals that seem to crop up regularly, I suppose that they need to be able to wipe a phone where video of an assault is being distributed or stored. For a university employee, OTOH, it makes perfect sense to me.

This is an enrollment in a Mobile Device Management solution as part of viewing email on the device. Technically it's not being managed by the email servers.

schroeder
baldPrussian
  • 7
    Forcing ActiveSync (that's what this function is called) on students' accounts on University-provided emails is not appropriate. It's perfectly normal for University or corporate staff so that minimum device standards can be maintained in order to protect the business. But students should not be forced to hand over that level of control over their normally personal device. In the EU, GDPR has a lot to say about this level of access, too. – schroeder Sep 10 '18 at 09:14
  • 6
    *"Thankfully, you don't surrender remote admin capabilities to Microsoft. However, you do surrender them to the e-mail system's administrator or some other IT admin there."* I feel like that's worse. – voices Feb 05 '19 at 12:35
8

I have seen several universities doing it this way:

  • You can access your mailbox either using the Exchange protocol or using IMAP + SMTP.

  • If you try to use the Exchange protocol with Android devices, you will get the remote access silliness that you described.

  • However, if you use IMAP + SMTP, you can avoid this issue.

(Yes, this doesn't make much sense. Yes, IT people are aware of it, this is a "feature", and using IMAP + SMTP on mobile phones is not forbidden.)

So if your university has a similar configuration, just read your email using IMAP + SMTP. In practice, it may be easier to set up everything this way if you use a mail client that doesn't know anything about Exchange.

Jukka Suomela
  • 4
    Exchange protocol allows for remote admin options, but this is normally optional. If it is enforced but IMAP+SMTP is allowed, this is nothing but a blatant mis-configuration. It is like putting a strong lock on the front door of a house, and leaving the back door wide open. – Serge Ballesta Aug 08 '18 at 06:39
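
An added example, not part of any answer or comment above: the gap described in this answer and its comment (a device policy enforced over ActiveSync while IMAP stays open) is something an administrator can audit. The sketch assumes mailbox and policy settings were exported to CSV using the property names shown by Exchange's Get-CASMailbox and Get-MobileDeviceMailboxPolicy; the CSV layout and all sample rows are constructed.

```python
import csv
import io

# Constructed sample exports (not from the page). Column names follow the
# Exchange cmdlet properties; the CSV layout itself is an assumption.
MAILBOXES_CSV = """Name,ActiveSyncEnabled,ImapEnabled,PopEnabled,ActiveSyncMailboxPolicy
student1,True,True,False,StudentPolicy
student2,True,False,False,StudentPolicy
staff1,True,False,True,StaffPolicy
guest1,True,True,True,OpenPolicy
kiosk1,False,True,False,StaffPolicy
"""
POLICIES_CSV = """Name,PasswordEnabled,AllowNonProvisionableDevices
StudentPolicy,True,False
StaffPolicy,True,False
OpenPolicy,False,True
"""

def load(text):
    """Parse a CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))

def _flag(value):
    """CSV exports render booleans as the strings True/False."""
    return value.strip().lower() == "true"

def enforcing_policies(policy_rows):
    """Policies that demand a device lock and refuse devices that cannot apply it."""
    return {p["Name"] for p in policy_rows
            if _flag(p["PasswordEnabled"])
            and not _flag(p["AllowNonProvisionableDevices"])}

def find_bypasses(mailbox_rows, policy_rows):
    """Mailboxes under an enforcing ActiveSync policy that are also reachable
    over IMAP or POP, where no device policy can be applied."""
    strict = enforcing_policies(policy_rows)
    findings = []
    for m in mailbox_rows:
        if not _flag(m["ActiveSyncEnabled"]) or m["ActiveSyncMailboxPolicy"] not in strict:
            continue  # the device policy is not actually in force for this mailbox
        legacy = [label for col, label in (("ImapEnabled", "IMAP"), ("PopEnabled", "POP"))
                  if _flag(m[col])]
        if legacy:
            findings.append((m["Name"], m["ActiveSyncMailboxPolicy"], legacy))
    return findings

if __name__ == "__main__":
    for name, policy, protocols in find_bypasses(load(MAILBOXES_CSV), load(POLICIES_CSV)):
        print(f"{name}: {policy} enforced over ActiveSync, but open via {', '.join(protocols)}")
```
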
1

I have this issue too. I've read the text multiple times, and the way I interpret it is that the Gmail app is requesting all those permissions from the OS. The Gmail app doesn't tell how much of those permissions the Exchange server in question is actually allowed to use.

Unlike you, I have this issue when connecting to my private @hotmail.com account. I'm thinking this is some new default setting for all Microsoft e-mail servers. How much of those permissions are actually delegated to the domain owner (your university in your case, Microsoft themselves in my case) remains unclear, because Microsoft isn't clear about this.

My work e-mail on my work phone is also set up through Office 365/Outlook/Exchange. I've noticed that it disables certain insecure ways of unlocking the phone. It forces me to use either a PIN or password. I'm not allowed to use a pattern or no lock at all.

In case of my employer, I understand this. They don't want potential classified information to leak. However, for student e-mails and private e-mails, this is ridiculous. Searching the internet indicates that there isn't really a solution, unless you're willing to change to IMAP (which sucks, imo).

Microsoft has to step in and fix this nonsense.

RdJNL
  • Microsoft can’t fix this - it is disabled by default for Office 365 tenants - this has been enabled consciously by the University and they are the only ones who can fix it. – HomoTechsual Apr 05 '19 at 07:06
  • 1
    It's also enabled for their own hotmail.com/outlook.com accounts though. And they have full control over that. – RdJNL Apr 05 '19 at 12:33
  • I just started having this problem with the "Exchange" account to my private Hotmail on my personal Android 7.1.1 device just yesterday. Super-confusing. – Tanz87 Nov 09 '19 at 12:51
0

Set up the remote access using IMAP instead of Exchange, first selecting the option to set up the connection "manually" on your Android. Often your IT will provide the procedure for setting up the email on a computer (e.g. for Windows). Just enter the same settings (for incoming IMAP and outgoing servers) and it should work. It did for me.

gabie
  • IMAP is an option if only email is to be synced. It doesn't support syncing calendar and address book. – Tanz87 Nov 09 '19 at 13:09