Last week an announcement was made: the native mail app in Apple's iOS has zero-day vulnerabilities that are deemed critical. No patch is available at this time.
More information about the vulnerability can be found here.
For you as an IT admin, this means that you probably have work to do. The main questions you may be facing from management or your security officer are:
- How many people use the native mail app in our organization?
- Can you block access to people using the native mail app?
I'll answer these two questions in this blog post, for the on-premises environment and for Office 365.
How many people use the native iOS mail app?
To gain insight into the current usage of the native mail app, we use Windows PowerShell.
Note:
Although official support for Exchange Server 2010 ends in October 2020, I'm also adding the commands for Exchange Server 2010 to this blog post. Organizations are (unfortunately) still using it.
To execute the commands, you need to be connected through the Exchange Management Shell. This applies to all versions of Exchange. The minimum permissions needed are Recipient Administrator.
Query Microsoft Exchange Server 2010
For Microsoft Exchange Server 2010, we need the Get-ActiveSyncDevice and Get-ActiveSyncDeviceStatistics Windows PowerShell cmdlets.
Use the below lines of Windows PowerShell to query Microsoft Exchange Server 2010 for usage of the native iOS mail app:
$AlliOSDevices = Get-ActiveSyncDevice -Filter {(DeviceOs -like "iOS*") -and (ClientType -eq "EAS")}
$QueryResults = $AlliOSDevices | ForEach-Object { Get-ActiveSyncDeviceStatistics -Identity $_.Identity } | Sort-Object -Descending -Property LastSuccessSync
$QueryResults | Export-Csv C:\temp\iOSDevicesResult.csv -Delimiter "," -NoTypeInformation
$QueryResults | Out-GridView
Note: the warning shown in the example output is caused by the fact that on Microsoft Exchange Server 2013 and higher a different cmdlet is recommended. See Query Microsoft Exchange Server 2013 or Later for more information.
The results are now available in the C:\temp folder on the server. Load the results in Microsoft Excel; the device with the most recent successful synchronization is shown on top.
Query Microsoft Exchange Server 2013, or later, and Microsoft Exchange Online
For Microsoft Exchange Server 2013, newer versions of Microsoft Exchange Server and Microsoft Exchange Online (part of Microsoft Office 365 and Microsoft 365), we need the Get-MobileDevice and Get-MobileDeviceStatistics Windows PowerShell cmdlets.
Use the below lines of Windows PowerShell to query Microsoft Exchange Server 2013 and later, and Microsoft Exchange Online, for usage of the native iOS mail app:
$AlliOSDevices = Get-MobileDevice -Filter {(DeviceOs -like "iOS*") -and (ClientType -eq "EAS")}
$QueryResults = $AlliOSDevices | ForEach-Object { Get-MobileDeviceStatistics -Identity $_.Identity } | Sort-Object -Descending -Property LastSuccessSync
$QueryResults | Export-Csv C:\temp\iOSDevicesResult.csv -Delimiter "," -NoTypeInformation
$QueryResults | Out-GridView
The results are now available in the C:\temp folder on the server. Load the results in Microsoft Excel; the device with the most recent successful synchronization is shown on top.
How to block the iOS native mail app
Using the previous scripts, we know who is using the native iOS mail app. The service desk and/or security officer can communicate directly with these employees. Their message should be that use of the native mail app is (about to be) disabled. The employees should configure the Microsoft Outlook app for iOS to regain access to e-mail on their mobile devices.
Block Access
To create the block rules for iPad and iPhone, we use Windows PowerShell with an active management connection to the Microsoft Exchange Server environment. We recommend being logged in as Organization Administrator of the Exchange Server environment.
In Exchange Online you'll need to have the Exchange Administrator role. The Windows PowerShell cmdlet that we are going to use is New-ActiveSyncDeviceAccessRule.
To block access for iPads and iPhones, use the following lines of Windows PowerShell:
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "iPhone" -AccessLevel Block
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "iPad" -AccessLevel Block
Remove block rule
To roll back or remove the rules, use the following lines of Windows PowerShell from the Exchange Management connection. The Windows PowerShell cmdlet we use is Remove-ActiveSyncDeviceAccessRule.
Remove-ActiveSyncDeviceAccessRule "iPhone (DeviceType)" -confirm:$false
Remove-ActiveSyncDeviceAccessRule "iPad (DeviceType)" -confirm:$false
Is it working?
After applying the policy, it is recommended practice to review the mobile devices. A device that was manually allowed in the past will continue to work after the block rules are activated.
To gain insight into the block status and the excluded devices, we use the same Windows PowerShell cmdlets as before, this time with an additional Where filter: we filter out the devices whose DeviceAccessStateReason has the value Global. These devices will be blocked automatically. Below I show the example for Microsoft Exchange Server 2010 and for Microsoft Exchange Server 2013 and later.
Is it working on Microsoft Exchange Server 2010?
Use the following lines of Windows PowerShell to figure out if the block rule is working on Microsoft Exchange Server 2010:
$AlliOSDevices = Get-ActiveSyncDevice -Filter {(DeviceOs -like "iOS*") -and (ClientType -eq "EAS")}
$QueryResults = $AlliOSDevices | ForEach-Object { Get-ActiveSyncDeviceStatistics -Identity $_.Identity } | Where-Object { $_.DeviceAccessStateReason -ne "Global" } | Sort-Object -Descending -Property LastSuccessSync
$QueryResults | Export-Csv C:\temp\iOSDevicesBlockedAllowed.csv -Delimiter "," -NoTypeInformation
$QueryResults | Out-GridView
Is it working on Microsoft Exchange Server 2013, or later, and Microsoft Exchange Online?
Use the following lines of Windows PowerShell to figure out if the block rule is working on Microsoft Exchange Server 2013, newer versions of Microsoft Exchange Server and Microsoft Exchange Online (part of Microsoft Office 365 and Microsoft 365):
$AlliOSDevices = Get-MobileDevice -Filter {(DeviceOs -like "iOS*") -and (ClientType -eq "EAS")}
$QueryResults = $AlliOSDevices | ForEach-Object { Get-MobileDeviceStatistics -Identity $_.Identity } | Where-Object { $_.DeviceAccessStateReason -ne "Global" } | Sort-Object -Descending -Property LastSuccessSync
$QueryResults | Export-Csv C:\temp\iOSDevicesBlockedAllowed.csv -Delimiter "," -NoTypeInformation
$QueryResults | Out-GridView
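The following script is an added example, not part of the original post: it combines the usage query and the block-status check above into one report that works on Exchange Server 2010, 2013 and later, and Exchange Online by picking whichever cmdlet family is available. It assumes an existing Exchange Management Shell or Exchange Online session; the function name, the 30-day staleness threshold and the output path are my own choices.

```powershell
# Added example: one report answering "who uses the native iOS mail app" and
# "did the block rules reach everyone". Assumes an Exchange management session is open.
function Get-NativeIosMailReport {
    param(
        [int]$StaleAfterDays = 30,                          # devices silent this long are probably retired
        [string]$CsvPath = "C:\temp\iOSDevicesReport.csv"
    )

    # Exchange 2013+ and Exchange Online expose Get-MobileDevice*; Exchange 2010 only has Get-ActiveSyncDevice*.
    if (Get-Command Get-MobileDevice -ErrorAction SilentlyContinue) {
        $getDevice = 'Get-MobileDevice';     $getStats = 'Get-MobileDeviceStatistics'
    } else {
        $getDevice = 'Get-ActiveSyncDevice'; $getStats = 'Get-ActiveSyncDeviceStatistics'
    }

    # Same filter as the post: iOS devices speaking plain Exchange ActiveSync, i.e. the native Mail app.
    $devices = & $getDevice -ResultSize Unlimited -Filter {(DeviceOs -like "iOS*") -and (ClientType -eq "EAS")}
    $cutoff  = (Get-Date).AddDays(-$StaleAfterDays)

    $report = foreach ($d in $devices) {
        $s = & $getStats -Identity $d.Identity
        [pscustomobject]@{
            User                    = $d.UserDisplayName
            DeviceType              = $s.DeviceType
            DeviceOS                = $s.DeviceOS
            LastSuccessSync         = $s.LastSuccessSync
            Stale                   = ($null -eq $s.LastSuccessSync) -or ($s.LastSuccessSync -lt $cutoff)
            DeviceAccessState       = $s.DeviceAccessState         # Allowed / Blocked / Quarantined
            DeviceAccessStateReason = $s.DeviceAccessStateReason   # Global, DeviceRule, Individual, ...
            # A per-mailbox allow (Set-CASMailbox -ActiveSyncAllowedDeviceIDs) is reported as
            # "Individual" and is not overridden by New-ActiveSyncDeviceAccessRule, so flag it.
            IndividualException     = ($s.DeviceAccessStateReason -eq 'Individual')
        }
    }

    $report | Sort-Object LastSuccessSync -Descending |
        Export-Csv $CsvPath -Delimiter "," -NoTypeInformation

    # Headline numbers for management: people rather than devices, and what the rules did not cover.
    [pscustomobject]@{
        UsersWithNativeMail  = ($report | Where-Object { -not $_.Stale } | Select-Object -Unique User).Count
        ActiveDevices        = ($report | Where-Object { -not $_.Stale }).Count
        StillAllowed         = ($report | Where-Object { $_.DeviceAccessState -eq 'Allowed' }).Count
        IndividualExceptions = ($report | Where-Object { $_.IndividualException }).Count
    }
}

Get-NativeIosMailReport -StaleAfterDays 30
```

Run it once before creating the block rules to get the user count, and again afterwards: StillAllowed should drop to the number of IndividualExceptions, which are the devices to review by hand.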
Concluding
Don't panic when you get difficult questions from management and/or the security officer. The answer is yes, thanks to Windows PowerShell.
We can see who is using the native app and we can block access. With a few lines of Windows PowerShell we gain insight and take control.
I hope that the above information helps you regain security until the zero-day in the iOS native mail app is fixed.