The recent discussions provoked by Microsoft’s decision to release a rebranded version of the Acompli client acquired in late 2014 as the Outlook for iOS and Outlook for Android apps were interesting in many ways. I’m sure that Javier Soltero and his ex-Acompli colleagues received a taste of what it means to be responsible for a Microsoft client that serves such a large installed base of enterprise customers. It’s a tad different from being a startup selling a client via the Apple app store.
The major issues raised can be categorized into functionality, security, manageability, and customer communications, all of which were fully exercised during a “YamJam” on February 4. The briefing document released by Microsoft after that event is reproduced below. It's an update of what they released beforehand and might provide an answer that you need.
It is fair to say that many people like the way the new Outlook apps work, including the tight connection between inbox and calendar and the approach taken to speed processing of a large number of Inbox messages. But they want more, specifically the features that make users more productive when they use an app for work rather than personal email. Access to corporate directories and contacts is important. Rights management support is needed to protect confidential messages in the same elegant manner as implemented in Mobile Outlook on Windows Phone. Support for OneDrive for Business rather than OneDrive (personal) and Dropbox is preferred, and we won’t even go near public folder access...
As is the norm in these matters, security generated the most heat. Microsoft attempted to get ahead of the game by publishing a document detailing how the Outlook apps work (reproduced below). A lot of focus was given to the way that the Acompli developers had chosen to use Amazon Web Services to store data fetched from user mailboxes and transform it into the focused Inbox that became Acompli’s signature feature. Two problems exist. First, using AWS is an appropriate tactic for a startup because the storage is cheap and available, but it doesn’t come under the kind of security guarantees extended by Microsoft for its cloud services (as described in the Office 365 Trust Center). Microsoft is well aware that the data has to move off AWS to Azure and be locked down to gain customer trust. The second issue is for non-U.S. customers, who want their data held in datacenters located outside the U.S. It’s another reasonable and must-have ask, especially for global companies.
Device control via Exchange ActiveSync policies is only the start; it’s obviously desirable that the Outlook apps should also be controllable via Microsoft Intune and third-party mobile device management (MDM) frameworks such as VMware’s AirWatch or MobileIron EMM. The signs are that the Outlook development team understands that management is a high-priority item because large enterprises are unlikely to deploy the clients if they can’t be managed.
Customers were surprised by Microsoft’s announcement that the Outlook apps were available from the Apple app store and Google Play. So were many Microsoft employees, as Technical Account Managers (TAMs) and other customer-facing personnel scrambled to explain matters to customers and pour oil on troubled waters. It’s natural that competitive pressures mean that product announcements need to be restricted before they are unveiled to the public, but it seems that in this case a better job could have been done to prepare for customer questions as administrators woke up to the fact that users could download and use the apps without any hindrance. BYOD policies are such fun at times.
On the upside, the apps have received high ratings from users. The user interface looks good and works well. The new development group is making all the right signs to show that they understand that they have a lot of work to do to transform the Outlook apps from being an interesting beta release to an industry-leading email client that’s suitable for both personal and corporate deployments. Microsoft promises that development will happen at a rapid cadence with updates expected “every few weeks”. If all goes to plan, customers will see real improvements very soon. We can but wait.
In the meantime, the older Outlook Web App for iOS client remains available for customers who need the kind of enterprise functionality and control that is missing from the new Outlook apps. Once the new apps are upgraded with equivalent capabilities, the OWA client will be removed.
The net result is that the Outlook apps should be viewed as beta software until Microsoft has had a chance to execute its plans to upgrade security, manageability, and functionality. Go ahead and deploy if you see value in the current iteration of Outlook, just as Walt Mossberg did when he reviewed the Outlook apps. If not, go ahead and block the app and be happy, just as many large organizations (including the European Parliament) have done.
We are 12 weeks from the Ignite show. Perhaps we’ll see four updates between now and then. It should be interesting to see what the Outlook team can do, now that they realize just what enterprise customers expect.
Follow Tony @12Knocksinna
Updated version (slightly edited for space) of the Outlook for iOS and Android document released by Microsoft.
Architecture of the app
You want a fast and feature rich email experience on your phone. We built Outlook to provide this with a rich native app as the front end, powered by a secure and scalable cloud service on the backend.
Outlook's cloud service (ed: currently running on Amazon Web Services) allows us to build great experiences for you. Our focused inbox feature’s intelligence is controlled in this cloud. This cloud allows us to provide 1-click unsubscribe features from mailing lists, improve search speed and effectiveness and enable you to forward and send large files without first downloading them to your phone. This app front end and cloud backend will enable us to provide even more capability to you going forward.
Outlook is designed to make it easy to access your email, calendar, people & files across all your accounts, including personal ones. We want to provide this to end users, while still enabling IT to control the accounts they own. Having a cloud-backed service makes it easy for us to expand support for new services and capabilities that enhance your Outlook experience. It also allows us to move faster to improve performance and stability: we can keep our application light on local code and rely on the cloud for the heavy lifting.
Passwords and security
Outlook uses OAuth for the accounts that support it (Outlook.com, OneDrive, Dropbox, Box, Gmail). For those not familiar, this provides us a way to access those cloud services without ever touching your password. For accounts that don’t support OAuth (Exchange ActiveSync, Yahoo, iCloud), we handle this differently.
When a user logs into Exchange and Office 365, we encrypt their password with a unique key that is specific to that user’s device and stored securely on it. The encrypted password is then passed along to Outlook’s cloud service and used to connect the accounts. The device must check in with the cloud service periodically in order to maintain continuous delivery of new messages and updates from Exchange or Office 365. If there is a period of prolonged device inactivity, Outlook’s cloud service will flush the password and lose access until the next device sync.
This architecture means that in order to gain access to your password, you would have to have access to both our cloud service and physical access to the unlocked device. This applies to both us as well as anyone who would attempt to gain access from the outside.
As we continue to innovate on both our app and our service we will leverage alternative mechanisms such as OAuth as soon as they are available.
As mentioned above, we store a subset of email, calendar information and files in a cloud service to facilitate fast, secure delivery down to the device. Because the app is based on Microsoft's recent acquisition of Acompli, today that cloud service runs on Amazon Web Services. We are making great progress in moving to Azure and integrating with the full Office 365 cloud fabric. We plan to have that move completed later this year, which will enable it to be covered by the Office 365 Trust Center.
The information in Outlook cloud service is currently stored in the United States. As we move from our current platform to Azure, we will align to the principles of the Office 365 Trust Center with a regionalized data center strategy. In Office 365 a customer’s country or region, which the customer’s administrator inputs during the initial setup of the services, determines the primary storage location for that customer’s data.
ActiveSync policies and mobile device management
Outlook for iOS & Android has partial support for Exchange ActiveSync policies today. The Remote Wipe command is supported, which removes corporate email data from any devices the user has connected to the service. This is a selective wipe, not a device wipe: corporate email, calendar, contacts and files are removed, but a user’s personal email accounts and information stay intact. It will also remove any data stored in Outlook’s cloud components.
Other Exchange ActiveSync policies are in development and will be available on Outlook soon. These are at the top of the Outlook priority list:
- PIN lock – enforce PIN at the device or application level
- Maximum failed password attempts – wipe device or app after a set number of failed password attempts
- Activity time-out – if the user has not loaded the app in a pre-determined period of time, the app will prompt the user for a PIN.
We will also be adding mobile device management integration, including support for Intune and the built-in mobile device management features of Office 365 we announced last year.
Blocking the app
Each organization has different policies regarding security and device management. If the current version of Outlook doesn’t meet your needs, you can block the app using Exchange ActiveSync device management policies. The Outlook app is identified in Exchange ActiveSync management screens with the Device Family 'outlook-iOS-Android/1.0'. See Controlling Device Access in TechNet for specific steps.
Office 365 and Exchange Server 2013 customers can continue using the OWA for iPhone/iPad/Android apps – these apps are rich in enterprise features and we are leaving them in market while we work on adding similar capabilities to Outlook.
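The "Blocking the app" section of the Microsoft document above names the identifier the app presents to Exchange ActiveSync but not the commands. What follows is an added example, not part of the Microsoft document or of Tony's article, showing how an administrator would first confirm what the app reports and then block it with an ActiveSync device access rule from the Exchange Management Shell or a remote PowerShell session to Exchange Online. One assumption is flagged in the code: the document calls 'outlook-iOS-Android/1.0' the Device Family, but New-ActiveSyncDeviceAccessRule has no characteristic of that name, so the example matches it as the user-agent string and checks the partnered devices before creating the rule.

```powershell
# Added example (not from the Microsoft document or the article): identify and
# block Outlook for iOS and Android with an Exchange ActiveSync device access rule.
#
# Assumption: the identifier the document cites, 'outlook-iOS-Android/1.0', is
# what the app sends in the ActiveSync user-agent, which is the UserAgent
# characteristic of an access rule. Step 1 verifies that before anything is
# blocked, because a rule built on the wrong characteristic silently matches nothing.

# 1. Inspect what the devices already partnered with mailboxes actually report.
#    DeviceType, DeviceModel and DeviceUserAgent are the strings the access-rule
#    characteristics are matched against.
$outlookDevices = Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceUserAgent -like 'Outlook-iOS-Android*' -or $_.DeviceType -eq 'Outlook' }

$outlookDevices |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceUserAgent, DeviceAccessState |
    Format-Table -AutoSize

# 2. Create the block rule. Matching on UserAgent is the assumption above; if
#    step 1 shows the identifier in DeviceType instead, use
#    -Characteristic DeviceType -QueryString 'Outlook'.
New-ActiveSyncDeviceAccessRule -Characteristic UserAgent `
    -QueryString 'Outlook-iOS-Android/1.0' `
    -AccessLevel Block

# 3. Confirm the rule exists and re-check access state. A partnership that was
#    already allowed is re-evaluated on its next sync, so DeviceAccessState only
#    changes to Blocked after the device reconnects.
Get-ActiveSyncDeviceAccessRule |
    Where-Object { $_.QueryString -like 'Outlook*' } |
    Format-List Name, Characteristic, QueryString, AccessLevel

Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceUserAgent -like 'Outlook-iOS-Android*' } |
    Select-Object UserDisplayName, DeviceAccessState, DeviceAccessStateReason |
    Format-Table -AutoSize

# 4. Optional: the document says Remote Wipe removes the corporate data the app
#    cached in its cloud service. Blocking stops future syncs but does not clear
#    data already fetched, so wipe the devices found in step 1 as well:
# $outlookDevices | ForEach-Object { Clear-MobileDevice -Identity $_.Identity -Confirm:$false }
```

Two caveats when relying on this. Device access rules sit below per-user exemptions in the Allow/Block/Quarantine evaluation order, so a mailbox whose ActiveSyncAllowedDeviceIDs already lists the phone will keep syncing regardless of the rule; check Get-CASMailbox for such entries. And because the app talks to Exchange through its own cloud service, the block stops new data reaching that service, but only the wipe in step 4 removes what the service already holds.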