
I'm an IT consultant and one of my clients is a large enterprise. They use Office 365 and have always required phones to be enrolled (giving their IT department full access) in order for email etc. to be accessible. However, I used to be able to circumvent this by accessing my Office 365 emails through IMAP. This stopped working a few days ago, though. The error message alternates between "outlook.office365.com is not responding" and "incorrect username/password" - probably because multi-factor authentication (MFA) has been activated and this presumably doesn't work with IMAP?

When I called their IT department, they told me that I would need to enroll my phone. But I'm not sure if that's a standard answer or if it's really no longer possible to use IMAP (due to MFA). He assured me that they don't have access to any data on my phone and that there is no other way to access my company email.

I have two questions now:

  1. Is it possible to use IMAP with Office 365 on an iPhone with MFA turned on?
  2. How can I see what data their IT department can access on my phone?

Co-workers of mine have either not set up email on their phones or bought separate phones because of privacy concerns. I really need these emails on my phone though and I really don't see myself juggling two phones.

I only have this one phone, so I use it for all my personal stuff as well as other clients. I don't want this client to have access to my personal photos, browser history, installed apps etc. I also certainly don't want them to have access to my location. Maybe I could enroll my phone to get email set up and then remove the certificate?

  • 1
    You use your "personal" phone for the work related stuff of your clients? Well...apart from "don't do this!": if their IT don't want you to have _their_ mails by bypassing them using IMAP or whatever, you won't have access to these mails if they don't want you to. Maybe try something like Outlook Web Access? But for real, buy a cheap phone if they won't provision one and use it for this. – Lenniey Jul 04 '19 at 15:33
  • According to my research, IMAP doesn't support MFA. Also as joeqwerty said it is likely that they've disabled IMAP access to mailboxes to prevent access via IMAP. – joyceshen Jul 05 '19 at 03:17
  • @Lenniey I don't use it for work. I have a client-issued laptop for that. It's just handy to be able to read work email on my phone, I don't see the problem with that? I don't work with classified information. I used to work for larger consulting companies a couple years ago (as an employee), and at least in Scandinavia, it's very normal that consultants only have one phone for both personal stuff and work, which the employer pays for. Of course government clients etc. may impose stricter rules, but that usually means that the only way to access email is through a client-issued computer. – TravelingFox Jul 05 '19 at 07:20
  • But you are not an employee of the company, but a consultant. I'd assume you have other clients' data on this phone, too? – Lenniey Jul 05 '19 at 07:23
  • @Lenniey I still do some work for other clients, yes. That's mostly through a former employer who I now work for as a subcontractor. I still have access to that Exchange email account from my phone, yes. With MFA enabled. That's it, just email. So when a client emails me "please look at this bug," I can reply from my phone. Where's the security issue? – TravelingFox Jul 05 '19 at 07:30

1 Answer


They use Office 365 and have always required phones to be enrolled (giving their IT department full access) in order for email etc. to be accessible. However, I used to be able to circumvent this by accessing my Office 365 emails through IMAP.

You clearly don't respect your clients or value their business or the business relationship you have with them. If you did, you'd respect and abide by their policies and requirements.

You have a responsibility and a duty to your clients as an independent consultant to respect and abide by their policies and requirements. As a fellow consultant I'm appalled that you'd think that circumventing their controls is an acceptable thing to do.

What would happen if there was a breach as a result of your circumvention? What would your liability be? Hopefully, you've got appropriate Professional and General Liability insurance.

That being said, AFAIK it isn't possible to use MFA with IMAP and I suspect that they've disabled IMAP access to mailboxes to prevent access via IMAP. I see three options for you:

  1. Don't get email for this mailbox on your phone.

  2. Access your mailbox via your phone's browser via OWA.

  3. Enroll your device. For more info on what that gives them access to, read the link below.

https://support.office.com/en-us/article/manage-devices-enrolled-in-mobile-device-management-in-office-365-28dd276b-beeb-4c5b-8b22-7551186127fe

joeqwerty
  • Sorry, maybe "circumvent" wasn't the right word. English isn't my first language. I was assuming that the reason they were enrolling devices was that it would make it easier for the IT department to troubleshoot connection issues, not because of security. Of course I don't want to break any rules. OWA would be fine, but is there a way to be notified of new emails? Thanks for the link. So the only thing they can do is find out if my phone is compliant with their security policy and wipe it? No list of installed apps, no location, no browser history? – TravelingFox Jul 05 '19 at 07:23
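The answer suspects the tenant's admins have disabled IMAP on the mailboxes. As an added example (not code from the answer or from Microsoft), this is the report-then-disable script an Exchange Online admin would run to make that state explicit and auditable; it assumes the ExchangeOnlineManagement PowerShell module and an account with Exchange admin rights:

```powershell
# Added example, not from the original post: list Exchange Online mailboxes that
# still accept IMAP/POP (legacy protocols that cannot enforce MFA by themselves),
# and optionally switch those protocols off. Assumes ExchangeOnlineManagement is
# installed and the signed-in account has Exchange admin rights.
param(
    [switch]$Disable   # report-only unless -Disable is passed
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in; the admin's own MFA prompt appears here

# Per-mailbox client-access flags. -ResultSize Unlimited avoids the default 1000 cap.
$legacyEnabled = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled }

# Report first so the change can be reviewed before it is applied.
$report = foreach ($mbx in $legacyEnabled) {
    [pscustomobject]@{
        Mailbox     = $mbx.PrimarySmtpAddress
        ImapEnabled = $mbx.ImapEnabled
        PopEnabled  = $mbx.PopEnabled
    }
}
$report | Format-Table -AutoSize
Write-Host "$($legacyEnabled.Count) mailbox(es) still allow IMAP or POP."

if ($Disable) {
    foreach ($mbx in $legacyEnabled) {
        # Only IMAP/POP are turned off; ActiveSync (enrolled phones) and OWA
        # (the browser option in the answer) are left as they are.
        Set-CASMailbox -Identity $mbx.Identity -ImapEnabled $false -PopEnabled $false
        Write-Host "Disabled IMAP/POP for $($mbx.PrimarySmtpAddress)"
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it without -Disable first and keep the report; the same Get-CASMailbox output is what an admin would cite when telling a user that IMAP is off by policy rather than broken.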