+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 19
Cloud Services Thread, Office 365 - Restricting Outlook? in Technical; Hi, I am investigating moving from Exchange to Office 365. One thing we want is to restrict it so only ...
  1. #1

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    15,971
    Thank Post
    886
    Thanked 1,715 Times in 1,481 Posts
    Blog Entries
    12
    Rep Power
    450

    Office 365 - Restricting Outlook?

    Hi,

    I am investigating moving from Exchange to Office 365. One thing we want is to restrict it so only schools computers can connect via outlook. We don't want schools data on peoples personal devices.

    Is it possible to set this somehow? Maybe restrict it so only connections from our IP are allowed?

    Thanks
    Last edited by FN-GM; 6th February 2014 at 07:52 PM.

  2. #2
    fairm010's Avatar
    Join Date
    Jun 2010
    Location
    C:/Windows/System32/
    Posts
    1,184
    Thank Post
    47
    Thanked 152 Times in 133 Posts
    Rep Power
    46
    How strange i was wondering the same thing too! I'm curious to see if this is possible.

  3. #3

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    15,971
    Thank Post
    886
    Thanked 1,715 Times in 1,481 Posts
    Blog Entries
    12
    Rep Power
    450
    If you do find something let me know

  4. #4
    fairm010's Avatar
    Join Date
    Jun 2010
    Location
    C:/Windows/System32/
    Posts
    1,184
    Thank Post
    47
    Thanked 152 Times in 133 Posts
    Rep Power
    46

  5. Thanks to fairm010 from:

    FN-GM (7th June 2014)

  6. #5
    Boredguy's Avatar
    Join Date
    Jun 2011
    Location
    Swindon
    Posts
    578
    Thank Post
    4
    Thanked 130 Times in 121 Posts
    Rep Power
    50
    That only works if you go down the full FS route and not just DirSync though.
    You could always set the autodiscover DNS setting only on your local DNS server and not on your main domain hosting DNS.

    It won't stop devices connecting altogether but will cause more of a headache.
    And it does not stop users accessing the e-mails via the OWA and mobile devices.

    Surely a better route is educating the staff only to use Outlook in school, or to configure cacheless mode on Outlook if they need it on workstations outside of the school environment so that there is nothing stored locally?

  7. Thanks to Boredguy from:

    FN-GM (7th June 2014)

  8. #6

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    15,971
    Thank Post
    886
    Thanked 1,715 Times in 1,481 Posts
    Blog Entries
    12
    Rep Power
    450
    It doesn't shown is how to do only outlook. Plus you seem to need ADFS.

  9. #7
    fairm010's Avatar
    Join Date
    Jun 2010
    Location
    C:/Windows/System32/
    Posts
    1,184
    Thank Post
    47
    Thanked 152 Times in 133 Posts
    Rep Power
    46
    Meh I knew it. I agree though, staff need to be educated not to use outlook on personal hardware.

  10. Thanks to fairm010 from:

    FN-GM (7th June 2014)

  11. #8

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    15,971
    Thank Post
    886
    Thanked 1,715 Times in 1,481 Posts
    Blog Entries
    12
    Rep Power
    450
    It won't stop devices connecting altogether but will cause more of a headache.
    And it does not stop users accessing the e-mails via the OWA and mobile devices.
    We want them to use OWA

    Surely a better route is educating the staff only to use Outlook in school, or to configure cacheless mode on Outlook if they need it on workstations outside of the school environment so that there is nothing stored locally?
    Education isn't good enough, if they do download the data and it gets in the wrong hands we are in trouble. They might not even intend to do it. We can't control external devices so can't turn it off for them. So its needs to be blocked.

    If you tell them not to do it, they will know they can do it.
    Last edited by FN-GM; 6th February 2014 at 08:35 PM.

  12. #9
    jbailey's Avatar
    Join Date
    Jan 2011
    Posts
    77
    Thank Post
    21
    Thanked 31 Times in 17 Posts
    Rep Power
    34
    "We can't control external devices so can't turn it off for them."

    This may help:

    Managing Exchange ActiveSync Devices: Exchange 2010 Help

    Exchange Active Sync can be used to enforce a passcode on mobile devices, has remote wipe “Nuke the entire site from orbit--it's the only way to be sure” capability and office 365 control panel can be used to recreate policies for different users\devices to enforce it.

    we allows staff and students access to OWA - as without it they used personal emails at home to communicate - and configure active sync policies to address safety concerns, not saying it will tick all your boxes but I think active Sync has allowed us to move forward without our plan for:

    Office 365 + OWA + SkyDrive Pro = blocking pen drives and PST creation on site for everyone, so a lot more secure than it was.

  13. Thanks to jbailey from:

    FN-GM (7th June 2014)

  14. #10
    Boredguy's Avatar
    Join Date
    Jun 2011
    Location
    Swindon
    Posts
    578
    Thank Post
    4
    Thanked 130 Times in 121 Posts
    Rep Power
    50
    Quote Originally Posted by FN-GM View Post
    We want them to use OWA

    Education isn't good enough, if they do download the data and it gets in the wrong hands we are in trouble. They might not even intend to do it. We can't control external devices so can't turn it off for them. So its needs to be blocked.

    If you tell them not to do it, they will know they can do it.
    Well you could put it into your Staff Agreement Policies that they only use Outlook on school devices. Education and policies should be sufficient unless you decide to switch to full ADFS as the whole purpose behind 365 is to make connectivity easier =/

  15. Thanks to Boredguy from:

    FN-GM (7th June 2014)

  16. #11

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    15,971
    Thank Post
    886
    Thanked 1,715 Times in 1,481 Posts
    Blog Entries
    12
    Rep Power
    450
    Quote Originally Posted by jbailey View Post
    "We can't control external devices so can't turn it off for them."

    This may help:

    Managing Exchange ActiveSync Devices: Exchange 2010 Help

    Exchange Active Sync can be used to enforce a passcode on mobile devices, has remote wipe “Nuke the entire site from orbit--it's the only way to be sure” capability and office 365 control panel can be used to recreate policies for different users\devices to enforce it.

    we allows staff and students access to OWA - as without it they used personal emails at home to communicate - and configure active sync policies to address safety concerns, not saying it will tick all your boxes but I think active Sync has allowed us to move forward without our plan for:

    Office 365 + OWA + SkyDrive Pro = blocking pen drives and PST creation on site for everyone, so a lot more secure than it was.
    Outlook doesn't use ActivSync, so we can't use that.

  17. #12
    jamesbmarshall's Avatar
    Join Date
    Feb 2010
    Location
    Reading, UK
    Posts
    528
    Thank Post
    26
    Thanked 231 Times in 161 Posts
    Rep Power
    86
    This is a huge topic that's not just technical.

    You can restrict connection protocols so that POP, IMAP etc. can't be used to connect to a mailbox - thereby limiting folks to ActiveSync. You can then set policies for connection (i.e. device must have a PIN, etc.) to ensure that devices accessing mailboxes are not unsecured. The connecting devices must enforce policies that support the ability to remote wipe the device if needs be (again this can all be set in policy).

    That means you can securely allow folks to connect to Exchange Online with the ability to wipe that data/device in an emergency.

    You can also go down the more complex route of ADFS and you can then really simply limit connection to inside the school network.

    The BIG question is: why not let staff/students access school mail on their device IF you can mandate a degree of security on that device?

  18. Thanks to jamesbmarshall from:

    FN-GM (7th June 2014)

  19. #13

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    15,971
    Thank Post
    886
    Thanked 1,715 Times in 1,481 Posts
    Blog Entries
    12
    Rep Power
    450
    Quote Originally Posted by jamesbmarshall View Post
    The BIG question is: why not let staff/students access school mail on their device IF you can mandate a degree of security on that device?
    School policy. We don't want data stored on devices that are not encypted. Outlook uses IMAP so it doesn't have the features to enforce the encyption.

  20. #14
    Boredguy's Avatar
    Join Date
    Jun 2011
    Location
    Swindon
    Posts
    578
    Thank Post
    4
    Thanked 130 Times in 121 Posts
    Rep Power
    50
    Strange, our Outlook clients are not using IMAP to connect to Office 365.

    Also you can disable protocols for users via Powershell
    http://support.microsoft.com/kb/2573225
    Last edited by Boredguy; 7th February 2014 at 12:07 PM.

  21. Thanks to Boredguy from:

    FN-GM (7th June 2014)

  22. #15
    jamesbmarshall's Avatar
    Join Date
    Feb 2010
    Location
    Reading, UK
    Posts
    528
    Thank Post
    26
    Thanked 231 Times in 161 Posts
    Rep Power
    86
    Quote Originally Posted by FN-GM View Post
    Outlook uses IMAP so it doesn't have the features to enforce the encyption.
    Only if that's how you set it up - 2007, 2010 and 2013 should all connect using ActiveSync or Outlook Anywhere. As I say, you can disable IMAP and POP and prevent anyone connecting that way.

  23. Thanks to jamesbmarshall from:

    FN-GM (7th June 2014)

SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. Greyed out Outlook, Calendar and People in Office 365
    By Mr_Jiminy in forum Cloud Services
    Replies: 5
    Last Post: 7th May 2013, 10:39 AM
  2. Replies: 1
    Last Post: 17th April 2013, 04:21 PM
  3. Office 365 alternate email for users
    By timbo343 in forum Cloud Services
    Replies: 4
    Last Post: 27th March 2013, 10:33 PM
  4. Office 365 federated users, locked out
    By mbedford in forum Cloud Services
    Replies: 5
    Last Post: 27th February 2013, 07:34 PM
  5. Replies: 31
    Last Post: 8th January 2013, 12:11 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •