Jailbreaking (iOS) or rooting (Android) phones has been around for quite a while. People do this because they want the freedom to do anything on their device. However, they are basically turning off the phone’s security and opening it up to malware, viruses and other security problems. Some people who do this know the risk, but others, who just want that hot game with unlimited moves or a paid app they can download for “free,” do not realize the risk they are taking. The bundled apps you can download from places other than the official app stores often carry extra code that can steal data, and data is pretty valuable today. For Microsoft 365 security admins dealing with work-from-home employees using their own devices, this can have a devastating effect on the organization.
Unlocked — and unsafe
Imagine connecting an unlocked device like this to your laptop or desktop. Malware on the phone now has a path to infect your machine and steal data or, if it is really bad, deploy ransomware.
Users with these kinds of devices have started complaining that they can no longer access Outlook on their mobile device because the application keeps crashing, and that none of the Microsoft 365 Office applications work for the same reason. The forums list applications that can be used to bypass this and let you access your email or work information. This should make any Microsoft 365 admin in charge of security very nervous.
As for the employee, the same phone that you use for company email and documents is also used to access your banking application. Can you see where I am going with this? Security nightmare. How many people send passwords or other sensitive information over email without encrypting it? If your rooted or jailbroken phone is hacked, the attacker has access to everything. They have the password to your email and can use it to log in to Microsoft 365, change your password or forward those documents to themselves. Some malware is quite bad, especially on Android. Some of it can steal a one-time password (OTP) sent to your phone, so there goes your banking security out the window as well.
Using Microsoft 365 for better security
Back to Microsoft 365. In Microsoft 365, you can create an app management policy that denies access to work files on jailbroken and rooted devices. It might not be what people want to read, but the organization should have this in place. Be aware that to apply this policy, you need to be on Microsoft 365 Business Premium.
The first thing to do is to log in to the Microsoft 365 admin center.
On the left-hand side, select Devices and then Policies, and lastly, click Add.
You now need to enter a name for this policy, and after that, you can select one of the following:
- Application Management for Android
- Application Management for iOS
If you want to see all options you can select, you can expand “Protect work files when devices are lost or stolen” and “Manage how users access Office files on mobile devices.”
Under the second option, you can enable the slider for “Deny access to work files on jailbroken or rooted devices” as shown below:
If this is the only option you want to enable, you can click on Done to save your policy, and you can assign it to devices.
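The same “deny work files on jailbroken or rooted devices” policy can be created and audited through Microsoft Graph instead of clicking through the admin center. The script below is an added example, not part of the original article or Microsoft’s own tooling; it assumes the Microsoft.Graph PowerShell SDK is installed and treats the Graph property `deviceComplianceRequired` as the jailbroken/rooted conditional-launch block (an assumption to confirm against current Graph documentation before relying on it).

```powershell
# Added example: create the jailbroken/rooted block as an app protection policy via
# Microsoft Graph, target it at Outlook, and audit existing policies for the setting.
# Assumption: deviceComplianceRequired is the "Jailbroken/rooted devices: Block access" setting.
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'

$graph = 'https://graph.microsoft.com/v1.0/deviceAppManagement'

# Per-platform Graph collection, OData type and the Outlook app identifier to scope the policy to.
$platforms = @{
    iOS     = @{ Collection = 'iosManagedAppProtections'
                 Type       = '#microsoft.graph.iosManagedAppProtection'
                 App        = @{ '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'
                                 bundleId = 'com.microsoft.Office.Outlook' } }
    Android = @{ Collection = 'androidManagedAppProtections'
                 Type       = '#microsoft.graph.androidManagedAppProtection'
                 App        = @{ '@odata.type' = '#microsoft.graph.androidMobileAppIdentifier'
                                 packageId = 'com.microsoft.office.outlook' } }
}

function New-RootedDeviceBlockPolicy {
    param([ValidateSet('iOS', 'Android')][string]$Platform, [string]$Name)
    $p = $platforms[$Platform]

    # Create the policy with the rooted/jailbroken block switched on (assumed property, see above).
    $body = @{ '@odata.type' = $p.Type; displayName = $Name; deviceComplianceRequired = $true }
    $policy = Invoke-MgGraphRequest -Method POST -Uri "$graph/$($p.Collection)" `
        -Body ($body | ConvertTo-Json) -ContentType 'application/json'

    # Scope it to Outlook so the app refuses to open work data on a rooted device.
    $target = @{ apps = @(@{ mobileAppIdentifier = $p.App }) } | ConvertTo-Json -Depth 5
    Invoke-MgGraphRequest -Method POST -Uri "$graph/$($p.Collection)/$($policy.id)/targetApps" `
        -Body $target -ContentType 'application/json'
    return $policy
}

function Get-PoliciesMissingRootedBlock {
    # Defender's check: report every app protection policy that does not block rooted devices.
    foreach ($p in $platforms.GetEnumerator()) {
        $page = Invoke-MgGraphRequest -Method GET -Uri "$graph/$($p.Value.Collection)"
        foreach ($policy in $page.value) {
            if (-not $policy.deviceComplianceRequired) {
                [pscustomobject]@{ Platform = $p.Key; Name = $policy.displayName; Id = $policy.id }
            }
        }
    }
}

New-RootedDeviceBlockPolicy -Platform iOS     -Name 'Block rooted - iOS'
New-RootedDeviceBlockPolicy -Platform Android -Name 'Block rooted - Android'
Get-PoliciesMissingRootedBlock | Format-Table
```

Run the audit function on its own in a tenant that already has policies to see which ones still let rooted or jailbroken devices open work files.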
If the above is not enough, you can go a step further and block Outlook for iOS and Android using conditional access policies. If you are wondering why you cannot access your company email on Outlook or launch any of the applications in the Microsoft 365 Office suite, it is probably because the device security policy has been enabled.
On Office 365, you can also look at Basic Mobility and Security. This allows you to secure and manage mobile devices for users in your organization. There is a setting here that prevents a device from being jailbroken or rooted, and it applies to the following:
- iOS 7.1 and higher
- Android 5 and higher
- Samsung Knox
Below is a sample of the jailbroken setting:
If you want to set up mobile device management (MDM) and all these policies, you need to perform the following tasks:
- Activate Basic Mobility and Security. (To do this, you need to navigate to protection.office.com.)
- Configure your domains for MDM.
- Configure an APNs certificate for iOS devices.
- Set up multifactor authentication. (Recommended by Microsoft.)
- Manage device security policies.
The above is out of scope for this article, but as you can see, these policies let you prevent data theft or network compromise that starts from a device with its security turned off. If you want to know more, you can head over to this Microsoft site regarding all the options listed above.
On a final note, ensure that you keep your device (or, if you are in charge of Microsoft 365 security for your organization, the devices used by your employees) up to date with the latest builds, and ensure that your applications are up to date as well. Running older software on phones is a security problem because of all the security holes fixed in newer builds.
Get mobile apps only from the official app stores
Installing Office applications from the official app stores, the Google Play Store for Android and the App Store for iOS, ensures that you download a clean version of the application rather than a sideloaded copy from an untrustworthy website, where you have no way of knowing whether malware or ransomware is embedded in the download.