Why Organizations Should NEVER Allow Their Employees to Use Their Default Mobile Phone Mail App

This conversation comes up regularly for me, as employees of our customers want to use the default Mail app on their phone (i.e., Apple's iPhone Mail app or the Gmail app on Android) to connect to their corporate Office 365 email. I always tell business executives: you do NOT want to use these native phone apps!

Organizations should REQUIRE their employees to ONLY use the Microsoft Outlook App for their mobile phones, and here's why...

  • When a user uses the native Mail apps on their phones, all corporate emails, contacts, and calendar content synchronizes with the Mail app
  • When the user launches some other app (like Uber, Facebook, WhatsApp, SnapChat), the app asks for permission to access the user's contacts and calendar appointments (similar to the graphic shown below)
  • Users simply tap CONTINUE to give the mobile app / social media company full permission to UPLOAD your company global address list (including ALL employee names, email addresses, mobile phone numbers, titles, etc., whatever you have in your Global Address List) from the user's phone up to the 3rd party vendor
  • If you've ever wondered how you end up on mailing lists, how Internet sites know your company's org chart, or how your personal mobile number is searchable in LinkedIn, Facebook, or the like when YOU have never openly given out that info, it's because your entire company directory has been repeatedly sucked into these social media sites, or ANY mobile app site (overseas gaming vendor sites, black market sites, etc.), whenever ANY of your employees downloaded some random app and tapped to approve that app to access their contacts!

Here's how the Microsoft Outlook mobile app differs:

  • When your user connects to Office 365 using the Microsoft Outlook mobile app, ALL emails, contacts, and calendar appointments remain INSIDE the Outlook app
  • The user will NOT have your company address book, phone numbers, etc. replicated into the normal "contacts" on their phone, so when they tap to allow other mobile apps access to their contacts, your business address book will not be compromised
  • Additionally, when users open email attachments within the Microsoft Outlook mobile app, the files are stored in the FILES of the Outlook mobile app; they do NOT end up in the mobile phone's generic "files" folder
  • When an employee leaves the organization, you can WIPE the Microsoft Outlook App and that'll wipe the user's corporate emails, contacts, calendar appointments, and any files/attachments the user had saved from Outlook.
  • You don't have to manage/wipe the entire phone when your users use the Microsoft Outlook mobile app, which greatly simplifies endpoint management and enterprise content security

The biggest complaints from users when you force them to use the Microsoft Outlook mobile app instead of allowing them to use the native mail/contact app on their phone:

  • When they're in another app like Lyft or WeChat and want to pop a notice out to someone else in their "contacts list", your corporate address book users will NOT be visible to these other apps, so the employee who wants to let a business associate know when their Lyft driver will arrive will have to manually type in the recipient's contact info.
  • When an employee makes an OpenTable lunch reservation and the app wants to add the reservation to the user's calendar, the OpenTable app does NOT have access to the user's Office 365 / corporate calendar, and thus the appointment cannot be automatically added to the user's business calendar

The Security Reality:

  • The niceties of app integration are hindered when 3rd party apps can't easily read and access a user's calendar and contacts. However, consider the alternative: do you really want the calendar information of ALL of your current and future appointments available to OpenTable, Slack, Google, Facebook, etc.?
  • Do you want the Chinese company WeChat to have your entire company global address book with all email addresses, mobile phone numbers, etc. uploaded just because one of your employees uses WeChat?
  • Regulations like the European Union's General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) restrict the sharing of private information of employees, and a user's name, email address, and mobile phone number clearly fall under Personally Identifiable Information (PII). When an organization openly "allows" employees to download other employees' PII and make it available to 3rd party apps, this falls into an area of regulatory compliance violation.

What Organizations Should Do:

  • As much as all employee information is already "out in the wild" with prior employee use of their default mail apps, the organization HAS to do due diligence by minimizing any future distribution of information, especially in the case of current regulatory compliance laws
  • The organization needs to set a policy that ONLY allows access to Office 365 emails / contacts / calendars via the Microsoft Outlook mobile app. Any other access (like using the native iPhone or Android mail apps) should be blocked
  • The organization should implement a mobile device management solution (even a "light touch" of basic application policies for personal (BYOD) devices) against ALL mobile phones and endpoint devices to ONLY allow access to your Office 365 email/contacts/calendars via the Microsoft Outlook mobile app
  • The easiest way to manage endpoints is using Microsoft's Intune and Microsoft's Application Management (MAM) technologies. 3-5 years ago, in the era when endpoint management meant primarily patch/updates and device management, 3rd party tools like AirWatch, Mobile Iron, etc. were considered "better." However, in this day and age, when it comes to addressing application and security policies of this type, Microsoft's tools not only do the basic patch and update management, they also make it WAY easier to implement these types of policies than other products available.
  • The organization needs to educate users on why it is important that the organization shifts from the native mail app to the Microsoft Outlook mobile app because, as noted above, there is "ease of use" functionality that the user will no longer be able to use, and they will complain. The key is to make sure users know that anyone who uses the native Mail apps is making ALL employee names, email addresses, titles, mobile phone numbers, etc. OPENLY available to any/all mobile apps that ANY user in the organization downloads and allows access to "contacts". It's a VERY ugly thing. Again, the cat is already out of the bag, but that's not an excuse to continue to allow the abuse of sharing personal information to foreign entities, social media, 3rd party marketing firms, etc.
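
One way to carry out the "block anything other than Outlook mobile" step above, shown as an added example that is not from the original article: it uses Exchange Online PowerShell device access rules rather than the Intune/MAM tooling the article recommends. The sample inventory rows, the `$Live` switch and the `Get-NonOutlookDevice` helper are constructed for illustration; the live branch assumes the ExchangeOnlineManagement module and an existing `Connect-ExchangeOnline` session.

```powershell
# Added example: audit which mobile clients would be cut off, then enforce
# "Outlook mobile only" with Exchange ActiveSync device access rules.

# DeviceModel value that Outlook mobile reports to Exchange Online.
$OutlookModel = 'Outlook for iOS and Android'

function Get-NonOutlookDevice {
    # Hypothetical helper: returns every device partnership that is NOT Outlook mobile,
    # i.e. native or third-party mail clients that sync contacts to the phone.
    param([Parameter(Mandatory)][object[]]$Devices)
    $Devices | Where-Object { $_.DeviceModel -ne $OutlookModel } |
        Select-Object UserDisplayName, DeviceModel, DeviceOS
}

# Constructed sample rows shaped like Get-MobileDevice output (not real data).
$sample = @(
    [pscustomobject]@{ UserDisplayName = 'A. Example'; DeviceModel = 'iPhone14C2';  DeviceOS = 'iOS 17.4' }
    [pscustomobject]@{ UserDisplayName = 'B. Example'; DeviceModel = $OutlookModel; DeviceOS = 'iOS 17.4' }
    [pscustomobject]@{ UserDisplayName = 'C. Example'; DeviceModel = 'SM-G991B';    DeviceOS = 'Android 14' }
)

# Audit mode by default; set to $true only after Connect-ExchangeOnline.
$Live = $false
$inventory = if ($Live) { Get-MobileDevice -ResultSize Unlimited } else { $sample }

# Report who is still on a native mail app so they can be moved to Outlook first.
$affected = @(Get-NonOutlookDevice -Devices $inventory)
$affected | Format-Table -AutoSize | Out-String
'{0} of {1} device partnerships are not Outlook mobile' -f $affected.Count, @($inventory).Count

if ($Live) {
    # Explicitly allow Outlook mobile, then make Block the default for all other clients.
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString $OutlookModel -AccessLevel Allow
    Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block
}
```

Run it in audit mode first and contact the listed users before switching `$Live` on, since the default-block setting applies to every ActiveSync client not covered by an allow rule.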

It's a new era of security, compliance, and information privacy that supersedes the "convenience" of users simply tapping their apps to do all the "nice things" that the apps do, when those niceties end up having personal information shared in ways one might have never thought of in the past, and now violate privacy protection laws and regulations.

Barry Smith

IT Strategy | IT Project Management | IT Staffing

3y

Mike Downie and Parker Booth

Eva D.

Information Security Specialist (ISC)2 CC |GPEN | GCIH | GSEC | GFACT | AWS-CCP

3y

Great article and very insightful!

Ove Bristrand

My mission is to make it possible for organizations and their employees to free up time, this is possible by digitizing and automating the business.

3y

The reminder of using this as advice for all users of Office 365.

Shauna M. Whidden, JD

Director, Department of Philanthropic Planning | Office of the President | SRF

3y

Great article Rand. Thank you!

Dan Scarfe

CEO @ XRAI Glass | LinkedIn Top Voice AI/AR

3y

Great article Rand Morimoto so so true
