At the end of 2014, Microsoft bought Acompli, creators of a popular email app that it quickly rebranded as Outlook. The familiar name doubtless drew in more users, but it also gave IT teams a set of expectations about the security and management options a product called Outlook would have.
Given that Acompli's slogan was “Loved by users, and trusted by IT” – and that it was the way they were working with enterprise IT departments that caught Microsoft's attention in the first place – it seemed a perfect example of the “dual use” strategy CEO Satya Nadella often talks about: Instead of two separate versions of every tool – one friendly and easy to use, the other carefully secured and limiting what you can do – develop an application that’s both powerful and intuitive to users, then let the IT team have enough controls to keep information safe without locking things down so much that people don't want to use it.
But which side of that precarious balance matters most? After decades of giving admins the controls to lock down features, the Outlook app was a clear demonstration that Microsoft was prepared to prioritize the user experience.
Building value, not chaos
That was a shift in priority Jared Spataro, the general manager of Office 365, had warned of at the SharePoint 2014 conference, to explain why anyone could create a group in Yammer. “Our philosophy is we will optimize for the user experience first, to prove value to an end user, and then build IT controls.”
Spataro even shared the old Microsoft in-joke that the company used to build the switch to turn a feature off before it built the feature, and he insisted it’s not doing that now. He said they’re “not trying to create chaos. It's just if we don't deliver value to end users, no matter how much you like it as an IT pro – even if you love it, we have to have people in the business feel like ‘I want this thing; it helps me get my work done’.”
Exchange administrators were surprised to discover that the Outlook app was caching Exchange credentials and a month of email messages, contact details, calendar appointments and possibly attachments in the cloud (originally on AWS servers, and although Microsoft promised to shift that to Azure and Office 365 with regional data centres during 2015, it also indicated that the cloud structure was a strategic part of the Outlook architecture they plan to continue). It needs that information to deliver push notifications for new messages, and for features like easy unsubscribe and the “focused inbox” that highlights messages.
It wasn’t that there was a security flaw in how the credentials and content were being stored. The Exchange password is encrypted with a unique AES-128 key on each device, as well as with another unique key on the cloud service. The encrypted password isn’t stored on the device (which is what EAS clients that connect to Exchange usually do) and the device key isn’t stored in the cloud; instead the key is used to decrypt the password in the cloud, all the connections are over TLS, and all the information cached in the cloud is also encrypted. Admins could also block the Outlook app using MDM products or ActiveSync device management policies and remote wipe devices.
But putting the focus on user experience rather than IT security wasn't what enterprise IT teams had come to expect from Microsoft. The app store approval policies make it hard for Microsoft to guarantee when an app will come out for iOS, so the IT pros hadn’t had any warning that a new Outlook app with a very different approach was about to show up.
Secure the device. Don’t control the behavior.
They also weren’t happy about the fact that the app didn’t enforce PIN and password policies (that came in an update two weeks after launch). In June, Microsoft also added Active Directory Authentication Library (ADAL)-based authentication, multi-factor authentication, conditional access support so you can check that devices that get mail aren’t compromised, and Intune MDM support for stopping users pasting or copying to and from the Outlook app if they aren’t transferring the data to another Intune-managed app – but those are only for Office 365. If your users are on Office 365, the Outlook app now uses OAuth to have Office 365 handle their login rather than passing on their credentials itself; Exchange on your own server doesn’t support that.
That adds up to a good set of security options that let you focus on the security of the device rather than on trying to control user behavior, but Microsoft didn’t wait until they were ready to put the Outlook name on an app that users had been happily using for months under another name. Rather than only focusing on security improvements, the Outlook team kept on working on feature updates like improving the calendar and address book and letting users customize swipes. And most importantly, it didn’t back away from the idea of using a cloud service to deliver a better user experience, even though not all its enterprise customers were comfortable with the idea of email going into even a secure cloud service.
The same kind of questions came up when Microsoft launched the Clutter service on Office 365, for automatically filtering out messages people are less likely to be interested in so they can focus on the email they actually might care about. That’s now being made available to all Office 365 tenants (although there’s an option to disable it) and it’s provoking more discussion. Some administrators wanted to be able to turn the feature on and off for specific users; others wanted to be able to stop mail from the CEO being filed as clutter.
Microsoft backed down and admins can now mark specific senders and messages so that they stay in the inbox, even if they’re the kind of message users ignore or delete. Ironically, the feature is used by Clutter itself, to show you a daily list of all the email messages that it’s decided you didn’t want to see, that you have to delete by hand. (Microsoft tells us the alert is meant to arrive weekly but an unfixed bug is sending it out every day.)
The Clutter bypass rules are good if you have a legal requirement to prove that you delivered a message, not so good if you use them to prevent people controlling their own email experience. Email – even business mail – is very personal, and employees are so used to choosing where, when and how they read their messages that trying to take back control of their inbox is only going to drive them to other mail services…to email alternatives like Slack (or, if you’re lucky, your own enterprise social network).
With even Microsoft firmly committed to prioritising user experience – something it has to do to compete with Apple and Google – CIOs need to evaluate what would create too much uneasiness for them and what’s just discomfort at switching to securing information rather than devices, and make sure that they have a policy that will deal with the next big-name app that raises these kinds of questions.
It’s also time to look at whether IT is going to be the route through which users are going to learn about every new feature on every service that they use. The Office 365 roadmap and other tools will give IT a general heads-up about what’s coming, but with mobile apps and cloud services, users are used to getting new options regularly. Having your IT team curating what features users get and when, and holding some features back until they’re tested and understood, may just drive your users into the warm embrace of shadow IT.