Categories
Endpoint Manager Intune MAM Microsoft 365 security

Intune MAM Exemptions – Discovering URL Protocols

In Microsoft Intune you can create a secure container so that the data in your apps cannot leak outside of it. That is, you can restrict copy/paste to the supported apps only and restrict opening the data in a different app.

But sometimes you need to open the data in a different app and with the Intune Mobile Application Management (MAM) policy (also known as App Protection Policy, APP) in place you are restricted from doing so.

On Android adding the exception for apps is easy – it's part of the URL to the app in the Google Play Store. For example, to allow data to be sent to Google Maps you would look up the app URL (https://play.google.com/store/apps/details?id=com.google.android.apps.maps&hl=en&gl=us) and exempt the app in the Intune MAM policy by using the id value, so com.google.android.apps.maps in this case.

On iOS this is next to impossible. Microsoft in their article on this subject at iOS/iPadOS app protection policy settings – Microsoft Intune | Microsoft Docs and Data transfer policy exceptions for apps – Microsoft Intune | Microsoft Docs suggest this is done by contacting the app developer. I have had no success doing this, as often the app first line support has no idea what you are asking.

So here is how to get the URL Protocol, or more correctly speaking, the URL Scheme for the app. I think the first battle is in working out the correct terminology!

To get the information you need you have to have access to the .ipa file that is the app on the iOS device. I use iMazing for this and my steps here are for the PC, but a Mac version is also available. iMazing is available for purchase on a per device basis but works on a short trial basis, which might be enough time to do this for some of your obvious apps – buying a license to allow you to do this as new apps get used or older apps change their schemes is a good investment.

Once iMazing is installed you need to plug in your iPhone/iPad to your PC. Ensure the apps you need are installed on the device.

An iPhone Displayed in the iMazing App

In the middle-right column there is an option called Manage Apps. This lists the library of apps you have on the device and the option to download the app to your PC. I am going to work through the process of getting the URL Scheme for Cisco WebEx Meet, which is the app Microsoft have in their documentation as well. As you can see from my app library below, there appear to be two apps called “Webex Meet” – so let's see what is going on.

Viewing apps in iMazing

For each app you need to determine the URL Scheme/URL Protocol for, download the app by clicking the “cloud + down arrow” icon to the right of the app.

Downloading an app in iMazing

You will need to login to the Apple account ID used by the iOS device to complete this step.

Once I have downloaded the app the version number is displayed. I had previously downloaded Webex Meet 41.3.2 and the new download is version 41.3.3, so this is why I see multiple versions. The trashcan icon can be used to clean up your download folder. The arrow icon bottom right will also give you an option to update all the downloaded apps to their latest version if new versions are available.

Once you have downloaded the app you can export the .ipa file for the app. This is done via the same arrow button bottom right. It will export the .ipa file for the selected app to a folder of your choosing.

Exporting the .ipa file for the selected app

Choose the folder to export to and then open that folder in Windows Explorer

The downloaded .ipa files in Windows Explorer

You can see the exported Webex Meet 41.3.3.ipa file in this folder, and the previously downloaded, and renamed, file as well. This rename is the next step. The .ipa file is just a ZIP compressed file, so add .zip to the end of the file name and open the compressed file. Don’t extract the contents of the file, as we are only looking for a single file in all the contents.

Inside the compressed file, navigate into Payload > AppName.app and find info.plist. Copy this file only out of the compressed file.

Inside the compressed .ipa file looking for info.plist

Once you have the info.plist file outside of the compressed folder, open this file in Notepad.

info.plist in Notepad

Now search for the URL Scheme in this file. Search for CFBundleURLSchemes; unfortunately you may see more than one of these. We know from the Microsoft documentation that the URL Protocol for WebEx is wbx, and we see this value as a <string> under <array> under <dict> where <key> is CFBundleURLSchemes.

CFBundleURLSchemes in the info.plist file

The <string> value is the URL Scheme, and so for WebEx it is wbx. The value is found under Key=CFBundleURLName, Key=CFBundleURLSchemes, String=. At this point it is all down to testing on the device. So add the most likely string to the Intune MAM policy exceptions and wait for that to sync to the phone (browse to about:intunehelp in the Edge browser on the device) and click View Intune App Status.

Then select an app, for example Outlook, from the scroller at the top and scroll down to ProtocolExclusions near the bottom – once your new addition is listed here you can test to see if you can open the new app from a link in the source app:

For example, in the above I have the following URL Schemes added as well as some I am still testing:

  • zoomus = Zoom
  • gmeet = Google Meet
  • bjn (or bjn-intunemam or bjn-a2m) = BlueJeans
  • mobilepassplus = Mobile Pass+ from Thales
  • com.mimecast.mobile.saml = Mimecast
  • pdfe-callback (or pdfe2int1 or pdfefile) = PDF Expert

It is still a bit hit and miss once you have info.plist, but you have a list of values for the URL Protocol that you can test against now.
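The manual search through Info.plist described above can be automated. The following is an added example, not code from the original post or from iMazing or Microsoft: it reads Info.plist (XML or binary, so it also works where Notepad shows unreadable binary) straight out of an exported .ipa, which is just a ZIP archive, and lists every CFBundleURLSchemes value grouped by CFBundleURLName. The sample app, bundle identifiers and the in-memory .ipa are constructed for illustration.

```python
"""List iOS URL schemes (CFBundleURLSchemes) from an app's Info.plist or .ipa."""
import io
import plistlib
import zipfile


def url_schemes_from_plist(plist_bytes: bytes) -> dict[str, list[str]]:
    """Return {CFBundleURLName: [schemes...]} from raw Info.plist bytes.

    plistlib.loads accepts both XML and binary plists, so the exported file
    does not need converting first.
    """
    info = plistlib.loads(plist_bytes)
    result: dict[str, list[str]] = {}
    for idx, url_type in enumerate(info.get("CFBundleURLTypes", [])):
        # CFBundleURLName is optional in a URL type; fall back to a positional label.
        name = url_type.get("CFBundleURLName", f"urltype-{idx}")
        schemes = [s for s in url_type.get("CFBundleURLSchemes", []) if s]
        if schemes:
            result.setdefault(name, []).extend(schemes)
    return result


def url_schemes_from_ipa(ipa) -> dict[str, list[str]]:
    """Locate Payload/<AppName>.app/Info.plist in an .ipa (a ZIP) and parse it.

    `ipa` is a file path or a file-like object. Only the app's own Info.plist
    is read, not the ones inside embedded frameworks.
    """
    with zipfile.ZipFile(ipa) as zf:
        for member in zf.namelist():
            parts = member.split("/")
            if (len(parts) == 3 and parts[0] == "Payload"
                    and parts[1].endswith(".app") and parts[2] == "Info.plist"):
                return url_schemes_from_plist(zf.read(member))
    raise FileNotFoundError("No Payload/*.app/Info.plist found in archive")


def candidate_schemes(ipa) -> list[str]:
    """Flat, de-duplicated list of schemes to try as Intune MAM exemptions."""
    seen: list[str] = []
    for schemes in url_schemes_from_ipa(ipa).values():
        for scheme in schemes:
            if scheme not in seen:
                seen.append(scheme)
    return seen


# Constructed sample Info.plist (hypothetical app) with two URL types; the
# "wbx" scheme mirrors the Webex value the post finds by hand.
SAMPLE_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.sampleapp",
    "CFBundleURLTypes": [
        {"CFBundleURLName": "com.example.sampleapp.main",
         "CFBundleURLSchemes": ["wbx"]},
        {"CFBundleURLName": "com.example.sampleapp.callback",
         "CFBundleURLSchemes": ["wbx-callback", "wbx-intunemam"]},
    ],
})


def build_sample_ipa() -> io.BytesIO:
    """Build an in-memory .ipa containing the constructed Info.plist plus a
    framework Info.plist that must be ignored."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Payload/SampleApp.app/Info.plist", SAMPLE_INFO_PLIST)
        zf.writestr(
            "Payload/SampleApp.app/Frameworks/Lib.framework/Info.plist",
            plistlib.dumps({"CFBundleURLTypes": [
                {"CFBundleURLSchemes": ["should-not-appear"]}]}),
        )
    buf.seek(0)
    return buf


if __name__ == "__main__":
    import sys
    # Pass a real exported .ipa path as the first argument; otherwise use the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_ipa()
    for name, schemes in url_schemes_from_ipa(target).items():
        print(f"{name}: {', '.join(schemes)}")
```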

Categories
EOP error exchange exchange online Exchange Online Protection spam

550 5.1.8 Access denied, bad outbound sender AS(42003)

“Your message couldn’t be delivered because you weren’t recognized as a valid sender. The most common reason for this is that your email address is suspected of sending spam and it’s no longer allowed to send email. Contact your email admin for assistance.”

This is an error you get when your anti-spam “outbound” policy restricts the user from sending email. These settings are set in the “Recipient Limits” tab of the outbound policy as shown:

Outbound Anti-Spam Policy in Exchange Online Protection (low values)

In the above, the user is set to no more than 20 external emails a day. This will trigger the above error message on the 21st email and later!

The default settings, which would fix this error, are shown below – but you can set any settings you need, but obviously if the values are too low you will get the above error message.

Outbound Anti-Spam Policy in Exchange Online Protection (Default Settings)

The default policy for recipient limits is 500 external recipients per hour, and 1000 for both the internal hourly limit and the daily limit – with the action being to restrict the user. This means the user, if they hit the limits (which are now higher than the low example above), will be able to send emails again after the hour.

Categories
EOP exchange exchange online Exchange Online Protection Outlook owa security spam

[New] External Email Notification in Exchange Online

This is a new feature released in March 2021 that adds support in Outlook (Mac, OWA, Mobile) for the display of the external status of the sender – note at the time of writing it does not add this feature to Outlook for the PC. This should be used to replace the way this has been commonly done for years with the modification of the message body.

Modifying the message body has, in my opinion, two problems: the first is a permanent change to the message that was sent, which will appear in search results or the message preview, and the second is that the first breaks DKIM in some scenarios. DKIM is a digital signature added to the message headers by the sender's email system that attests to the integrity of the message body (and other headers such as the sender). Modifications to the message body break DKIM, and I have seen this where you have complex routing in place, for example a cloud email filtering service (Proofpoint, Mimecast, etc.) or on-premises before Exchange Online. When you modify the sender's message in (say) Mimecast, Mimecast has already checked that DKIM passes, but when the message then arrives at Exchange Online, Exchange Online Protection wants to do the same check, DKIM fails, and this can cause message integrity issues.

So, back to the issue at hand. If I can avoid tampering with the message at all this is better, but in the case of DKIM I should not tamper until the last point in the email chain (I digress though!).

The Exchange Online PowerShell cmdlet Set-ExternalInOutlook -Enabled $True will turn on a header in Outlook Mobile and OWA and the new Mac Outlook. In Outlook for Windows on the PC it will work in Office 365 build 2021 and later (Jan 2021 releases), which at the time of writing is “Current Channel” and soon to be “MonthlyEnterprise Channel”.

To turn this feature on run the above cmdlet in your tenant and wait 24-48 hours for the change to roll out. Try it in a test tenant first if you have one, but look below for detail images of what your users will see.

Connecting to Exchange Online PowerShell
Run Set-ExternalInOutlook to enable this setting

If you have a few different tenants and you would consider some of these “internal” then run Set-ExternalInOutlook -Enabled $true -AllowList otherdomain.com,diffdomain.com.

Setting some external domains to appear as internal
What The Feature Looks Like In Outlook Mobile
Categories
Azure Active Directory Azure AD AzureAD consent exchange exchange online Exchange Server Zoom

Azure AD Consent For Zoom App Not Applying

This is an issue where you have enabled Admin Approved Consent in Azure AD (as you should) and you require apps that have high data access rights to be approved. The Zoom add-in/desktop app falls into this category as it requires write access to your calendar and your contacts in Exchange Online.

But if you set up admin consent requests in Azure AD you may find this breaks – the user requests consent for calendar and contact access via the Zoom profile page (https://zoom.us/profile), chooses Office 365 and gets the following prompt.

End user consent form for Zoom application

The admin gets a request for approval email (as consent requested permissions are high [write calendar and write contacts]) and then once approved the user gets an email telling them so.

So the user goes back to the Zoom profile and tries again – and they get the same option as above. Though the admin has approved the app, it appears the user keeps asking for the admin to approve it.

The fix for this is in the Zoom admin Account Settings pages at https://zoom.us/account/setting and then scrolling down a long way to the “Calendar and Contacts” section (just search the page for 365 to find this bit).

Here you need to disable the option where users are asked to request consent. As in Azure AD you have set “admin grants consent”, you need to match this setting in the Zoom admin pages. This setting is as follows:

Zoom options on who requests consent and the O365 OAuth 2.0 option

Ensure the option highlighted matches your Azure AD consent settings – that means, as admin approval is recommended in Azure AD this setting in Zoom should be turned off (user does not request consent).

Other useful options you can set while you are here are to force the user to only consent for Office 365 (removing the Google and Exchange Server options). Obviously if you have users' mailboxes on either of these platforms as well as O365 you would not set the lock to the right as shown below:

Select your mail platform and lock consent options to that platform only

This hides this option from the user when they go to choose consent:

Which service to access in Zoom – this option can be locked to the only service you need

Once the platform is locked, the users experience removes the above page and shows the following in their Zoom profile:

Zoom profile and calendar access limited to a single platform

Then finally, you can enable the “Enforce OAuth 2.0 option” for Office 365, which is the last option in this section. This stops the user consenting via a legacy method that uses EWS and requires more permissions than necessary. By enabling this option you reduce the end user choices during calendar consent – that is, you choose to consent and it is done, rather than there being more steps than might be useful!

Here are my recommended settings for Zoom consent as described above:

My recommended settings
  1. Choose your service provider. If using Exchange Server and one of the other two cloud platforms, set Exchange Server as the default so that the EWS URL is provided to the user. Set the others as default and the EWS URL is blank in Zoom profile and the user needs to enter it.
  2. Lock this if using only one provider
  3. Turn this off and ensure you require Admin Consent (Microsoft default to this since the end of 2020)
  4. Set O365 consent to OAuth 2.0 to turn off the EWS option for Exchange Online. This setting does not affect your Exchange Server EWS URL mentioned above.

Categories
exchange exchange online iOS Outlook

iOS and Outlook Mobile and Duplicate Contacts

Off the back of a few conversations recently about having duplicate contacts on the iOS platform because of syncing via multiple different routes or devices, I decided to try to reproduce the issues and see what I could work out.

I looked on my test iPhone to see if I could see any duplicates and to try and resolve them – and given the conversations I was not surprised to find there were already a number of duplicates. So I have eight contacts and some of those were duplicates, some were missing on the device (only in iCloud) and some were different in Outlook Mobile from Contacts etc.

Here are some things I did to resolve these duplicates.

  1. I made the assumption that all my contacts were mastered in Exchange. So I was willing to delete everything on the phone as Exchange would put it back. I did find one contact in iCloud that was not on the phone and that was myself! So I did not delete that one.
  2. I have multiple test devices, two iPhones and one iPad. Each is signed in with the same Apple iCloud account, but each at any time could be synced to different tenants. This is probably a unique scenario to a consultant, but do ensure that each iOS device a user has under the same iCloud account is synced to the same tenant. Different tenants? Maybe try different iCloud accounts or be prepared for duplicates (see the last paragraph for more info on this).
  3. Outlook Mobile > Settings > for each Email Account > Save Contacts – Turn Off > Delete from my iPhone
  4. Device Settings > Contacts > Accounts > iCloud > iCloud (yes, twice) > turn off Contacts > Delete from my iPhone
  5. Settings > Contacts > Accounts > other accounts > repeat above to delete.
  6. Open Contacts app on phone – it should be empty. On my device it now says “No Contacts”.
  7. Login to iCloud
  8. View Contacts from iCloud Contacts
  9. Delete them all (or at least those in Exchange). You can select more than one here at a time. So it is easy to tidy up contacts from here whereas on the phone it is delete one by one!

Then it's time to restore the contacts to the phone.

  1. Open Outlook Mobile and Settings > for each Email Account > Save Contacts to On > Save to my iPhone
  2. Contacts app should list these (more will take longer, but they should start to sync shortly)
  3. Settings > Contacts > Accounts > iCloud > iCloud (yes, twice) > turn ON Contacts > Merge (there is nothing to merge if you deleted them all in #9 above)
  4. Your contacts now appear in iCloud (again, quite quickly but I guess this depends upon the number of them)
iCloud Contacts
iCloud Contacts – Duplicates Removed

If you have multiple iOS devices and you are signed into each of them with the same Outlook Mobile account AND you enable Save Contacts on more than one device, then you will get duplicates. You need to turn off Save Contacts on all but one device. This will remove the duplicates but it might take 24 hours for Microsoft to reconcile this duplicate state for you. I found this was instant though (but I only have a few intentional contacts and duplicates).

If you later try to enable Save Contacts on a second Outlook Mobile device you will be told that sync is already happening on a different device and that syncing from the current device will require contact deletion before sync starts. This happens to attempt to ensure there are no duplicates across multiple devices.

Outlook Mobile (iPad) and Save Contacts being turned back on again (second device)

If you have more than one email account in Outlook Mobile then ensure that iCloud is the default for Contact Sync in Settings > Contacts > Accounts to give the best experience.

If you have multiple tenants in use but a single iCloud account then you will see the correct contacts in the Outlook Mobile for each device, but the Contacts app will show all the contacts from all the tenants. If the same contact is created in multiple tenants then you will have a duplicate. The Outlook link in each contact will only work on the device that is logged into that source tenant.

Categories
AIP Microsoft 365 Office 365 sensitivity labels

Removing a Default Sensitivity Label

In Microsoft 365 Sensitivity Labels you can have a label policy that requires that all content is labelled. If you enable this and then later decide this is not for you, you can republish your label policy and disable the default label and the require label policies.

That is, your settings start like this:

Policy settings before change

And then you change the settings in the label policy and you end up with these settings, which are published to the end users upon you saving the changes to the policy:

Policy settings after the change

As you can see from the before/after screenshots, the label required by default on documents has gone from Confidential to None.

But I have found that sometimes this change does not take full effect! You can only see this if you look in PowerShell at this policy. The PowerShell module to use is the Exchange Online Management module (Install-Module ExchangeOnlineManagement if you don't have it already); then run Connect-IPPSSession to connect to the Microsoft 365 Protection Center. Once connected run Get-LabelPolicy and then (Get-LabelPolicy <name_of_your_policy>).Settings to return the settings.

If I get the settings as above before I remove the mandatory requirement for a label I see:

[requiredowngradejustification, true]
[mandatory, true]
[defaultlabelid, be5e9727-67cc-4056-a87b-1dbbf67b7b9b]

Where the DefaultLabelID matches the GUID for the default label (Get-Label GUID should return the label that is the default).

But, once I remove the mandatory label and the default label, the “mandatory” setting should change to false and the “defaultlabelid” should be removed.

If the defaultlabelid does not get removed and the users do not see the policy change pushed out, then it's time for PowerShell to the rescue.

Set-LabelPolicy <Name> -AdvancedSettings @{defaultlabelid=""}

The above cmdlet changes the named policy label to remove the defaultlabelid value. Once you have run this, (Get-LabelPolicy <name>).Settings should not show the requirement for a default label.

Categories
2016 2019 antivirus Defender Exchange Server

Unable To Update Defender Preferences

I was trying to add Microsoft Defender exceptions via PowerShell to a client's server (Windows Server 2016 if that matters) the other day and it was always failing – the error was:

PS> Add-MpPreference -ExclusionExtension .config
Add-MpPreference : Failed to modify preferences.
At line:1 char:1
+ Add-MpPreference -ExclusionExtension .config
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Add-MpPreference],
   CimException
    + FullyQualifiedErrorId : HRESULT 0x8007007e,Add-MpPreference

This was returning “Failed to modify preferences” on the Add-MpPreference cmdlet and the error code 0x80070073

To fix I needed to uninstall Windows Defender and reboot and then reinstall it.

This was the following cmdlets, with the reboot indicated between them:

Uninstall-WindowsFeature -Name Windows-Defender
#Reboot here
Install-WindowsFeature -Name Windows-Defender
Install-WindowsFeature -Name Windows-Defender-GUI
#Reboot here (again)

Once this was done I was able to add Defender exceptions. The addition of exceptions also failed when done via the Defender Settings application as well (it asks you to authenticate and fails). This also worked after the uninstall/reinstall:

Categories
Azure Active Directory AzureAD exchange exchange online EXO Microsoft 365 Uncategorized

Why Do Comments In Microsoft 365 Planner Disappear?

So first you need an Exchange Online mailbox for comments to work. Comments to the tasks of Plans are stored in the Microsoft 365 Group mailbox, and you need an Exchange Online mailbox to access the M365 Group mailbox.

Behind the scenes, or actually not that behind the scenes, the process for comments is as follows.

  1. Create task
  2. Add comment to task – this places a new message in the Microsoft 365 Group that underlies the Planner.
  3. You can add more comments – the underlying message in the group is modified – this is where the comments are stored.
  4. You can reply to the message in the Microsoft 365 Group, and this adds a new comment
  5. You can add a new comment to the message in the Microsoft 365 Group. This adds a new comment.
  6. You can reply to the message you are sent in your inbox when someone replies to your comment – this adds a comment
  7. You can click the Green box in the group thread or the link in the notification email and this opens up the planner task in a new browser window and then you can reply. This adds the reply to the message in the Microsoft 365 Group.

Whatever you do though, you must not delete the underlying message in the Microsoft 365 Group as this is where the comments are stored. If you delete the message all the comments disappear. The next comment you add after deleting the message creates a new message and this then stores the entire new thread of future comments – the old thread is gone and so are the old comments in Planner.

Replies to notifications based off the old thread are not added to the task. The old comments are still visible in the notification emails, just not in the Plan!

This might be hard to explain, so let's also try it in pictures:

  1. I have two tasks in the Element Plan (which means I have a Microsoft 365 Group/Team called Element). The Plan is called “Test For Comments” and the two tasks are “Task 1 For Adding Comments” and “Task Two”
  2. Inside Outlook I open the Groups > Element group
  3. I have three messages here – this is because I deleted the message that originally appeared for “Comments on task ‘Test 1 for Adding Comments’”. If all is correct though I should have ONE MESSAGE PER PLAN. I can now only reply to the working thread. If I reply to the thread belonging to a previous delete it will not update the comments.
  4. If I reply to “Task Two” it works – this thread was never deleted
  5. If I reply to one of the “Task 1…” threads it gets added to the plan
    Note – no #8 visible here, but #8 appears in the top message thread in the Outlook screenshot. Only if I reply to the other thread do I get a new comment.
  6. How did I end up with two threads? One was deleted in Outlook and then later I replied to the notification belonging to that conversation from my inbox. In the interim I had added a new comment in Planner and generated a new thread.

Let's intentionally break it!

  1. I have this in Planner:

    This contains replies numbered 4, 6, 7 and 9.
  2. In Outlook I delete the thread that shows #7
    1. Before
    2. Deletion warning – I cannot get this message back
    3. Item gone

  3. What does Planner look like

    Comments are gone! I deleted them and I confirmed the “permanently deleted” prompt. The data is lost.
  4. If I go into my Inbox and find a notification AND CLICK THE LINK in the notification, Planner opens and I can add a comment – a new message is created. I have edited the Plan directly in the browser

  5. If though I REPLY TO THE OLD EMAIL NOTIFICATION IN MY INBOX I get a reply to the old thread (which was deleted). As this old thread is NOT now the master for comments, any reply to this thread is out of date and though I can see the old comments here, if I reply to it the Plan will not be updated.

Comments with “From:” or “Sent:” will also fail – this is covered in the Planner support article at Comment on tasks in Microsoft Planner – Office 365

Other reasons, though more complex than the above, for comments disappearing in Plans are that the email carrying the comment is being routed to the wrong place. For example, if you have a mail flow rule for hybrid or an external system (for example cloud signature software) and the messages to the group are being routed outside of Exchange Online, then they will fail to deliver. You can check this in the Message Trace functionality to see if the messages are being routed outside of the service, and then you need to fix your mail flow rules.

Categories
android Apple ATP Defender email EOP exchange exchange online Exchange Online Protection EXO iOS iPhone Office 365 Advanced Threat Protection phish phishing spam

Exchange Online Warning On Receipt Of New Email Sender

Released recently to no fanfare at all, Microsoft now has a SafetyTip that appears if you receive email from a sender for the first time.

Most often phish emails will come from an address you have never received email from before, and sometimes this email will try to impersonate people you communicate with or who are internal to your organization. Warning for attempted spoofed domains or users is part of Microsoft Defender for Office 365 (previously known as Advanced Threat Protection for Office 365), and the functionality to warn based on a similar sender is also part of this product if you enable the “mailbox intelligence” option. But the option to warn for a new sender is available for all Exchange Online users without ATP licences.

The user sees the SafetyTip above the email body as shown below once this new feature is enabled:

New Sender Safety Tip

To turn on this option you set a custom message header in a transport rule, and then within 30 minutes or so every user under the scope of the rule is warned when they receive email from a new sender. This also includes senders that have not sent a lot of messages to you, as I see this Safety Tip appear on subsequent messages from the same sender. I am not sure yet when it stops appearing for slightly less new senders!

To enable this feature create the following transport rule, restricting the scope of the rule to some users only to start with and then when happy with the functionality changing the rule to apply to all users.

First Contact Safety Tip Transport Rule

Open Exchange Online Control Panel (at the time of writing this is in the old UX for this, so these screenshots represent the classic view – this will change at some point in the future) and select Mail Flow > Rules

Click the + icon > Modify Messages and fill in the name “Enable First Contact Safety Tip”

Select under Apply this rule if… The sender is located > Outside the organization

Select under Do the following… Set the message header to this value and click the first option for Enter text and copy and paste the following string X-MS-Exchange-EnableFirstContactSafetyTip

Click the second option for Enter text and enter any value you like. I have had reports that only “enable” works but that is not my experience and I had this working with the value AnythingYouLike!

I turn off the audit option and then save the rule as shown:

New Transport Rule for First Contact Safety Tip

To set the rule for a pilot program, click More options and then the newly displayed add condition button and then select that the rule should only apply if the recipient is and select a few names from your global address list.

Pilot Program for First Contact Safety Tip

Within 30 minutes, the next email from a new sender will display the new safety tip in Outlook, Outlook Web Access and Outlook Mobile.

Categories
exchange exchange online Microsoft 365 Office Office 365 Raspberry Pi

Microsoft 365 From A Raspberry Pi 400 Personal Computer

So my new computer arrived today: it's a keyboard and a few cables, and as my first computer was a ZX Spectrum when I was 14, this brings back a few memories.

New boxed Raspberry Pi 400 PC kit

But, is it usable today with services such as Microsoft 365? Lets see…

First, the actual computer is in the keyboard, but it's smaller than a standard PC-sized keyboard. Indeed, the manual that comes with it is almost as big as, and heavier than, the computer!

The manual, the Pi Keyboard (white) and a standard PC keyboard (black)

Plugging it in was easy, and once connected to the monitor and powered on it runs through a first use series of steps. With all that out of the way and the latest updates downloaded and installed the device rebooted and I logged in.

Cables everywhere. It supports WiFi as well so I could have avoided the purple Ethernet cable

Starting the web browser is easy – there is an icon top left and Chromium opens. Logging into Office 365 via https://office.com is as you would expect, though some of the fonts used are not present and so the login screen looks slightly wrong.

From Office homepage I clicked Teams icon and it presented me with the below – an offer to install the Teams Linux client and two choices, Linux DEB or Linux RPM.

Teams on Pi and an offer of two installers though neither of these work on an ARM processor

Neither of these works with ARM-based Raspberry Pi computers though, so you need to use the web application. Also from the Teams perspective, there is no built-in camera or microphone, but it did only cost £95 for the entire kit. A Bluetooth microphone might connect, but I don't have one to hand to test with. Any USB microphone would work, and a USB camera, with a microphone, can be enabled with a few commands run at the prompt.

Enabling video with the fswebcam installer

Chromium comes with the uBlock Origin extension enabled, which blocks some functionality in Teams such as notifications. I just turned off the EasyPrivacy list for the rest of my introductory testing and not a lot was blocked after that.

Outlook Web App, Word etc. all worked, though slightly slowly for my preference, but again – it's a sub £100 computer.

When using Office in Chromium it offers to add a link to the desktop – this adds the Office icon and then Office appears like an app, though it's only Chromium. This is a nice feature akin to Chromebooks.

Office icon on the desktop and Office open and not looking like it's really a browser

This functionality is not limited to Office, for example in Outlook Web App I can choose to “Install Outlook” from the three dots icon top right of the browser. This opens Outlook as a separate web app and adds an icon to the desktop like Office got when I opted to “pin” Office when prompted to do so in that web page.

Install Outlook menu item in Chromium when OWA is the open tab
Install App confirmation
Outlook – on the Raspberry Pi

So that will do for now – everything else I can do in the Raspberry Pi for Microsoft 365 is generally as I can do it in any of the web apps on any platform.

Categories
DNS EOP exchange exchange online Exchange Online Protection Exchange Server smtp

Enabling Better Mail Flow Security for Exchange Online

At Microsoft Ignite 2020, Microsoft announced support for MTA-STS, or Mail Transfer Agent Strict Transport Security, which is defined in RFC 8461. It lets you, the receiving domain owner, declare that mail to your domain must be delivered over TLS, to the MX hosts you name, with a certificate that validates for those hosts. Without it, whether to use TLS at all, and whether to carry on delivering when STARTTLS is missing or a certificate fails to validate, is entirely the sender’s decision.

You can publish your SMTP endpoint and offer the STARTTLS verb, but there is no requirement for the sender to use it unless the sender has configured their own side to only email you over TLS (for example the RequireTLS and TLSDomain settings on Exchange Server/Exchange Online connectors). MTA-STS allows you, the domain owner, to publish your TLS requirements so that every sender that supports the standard applies them. That is what closes the downgrade gap: an attacker in the path who strips STARTTLS or presents a bad certificate no longer gets plaintext or an unverified session from a compliant sender.

You publish your requirements by placing a policy file in the “.well-known” directory of a web site on a dedicated mta-sts subdomain. The policy has a version line (STSv1), a mode line (testing, enforce or none), one or more mx lines and a max_age line. In “testing” mode delivery goes ahead regardless of whether the MX and certificate checks pass, but a sender that supports TLSRPT reports any failures to you. In “enforce” mode a compliant sender refuses to deliver to an MX host that is not listed in the policy or whose certificate does not validate for that host, and queues or bounces the message instead. “None” means you have no active policy; use it when retiring MTA-STS rather than simply deleting the file and DNS record, because senders cache your policy and a sender holding a cached enforce policy keeps applying it (and keeps using it if it cannot fetch a fresh one) until max_age expires. The max_age value is the number of seconds the sender should cache the policy. For example:

version: STSv1
mode: testing
mx: mail.domain.com
mx: c7solutions-com.mail.protection.outlook.com
max_age: 86400

In the above example my policy is for testing and so I have set a short max_age value (one day); once you move to enforce, a value of weeks or more is typical, and 31557600 is the largest value you can set (a year and 1/4 of a day in seconds). The mx lines must cover every host in your domain’s MX records, and each one must match the name on the certificate that host presents. A wildcard line such as *.example.com matches exactly one label, so it covers mx1.example.com but not a.mx1.example.com.

The text file must be called mta-sts.txt and sit in the .well-known folder of the mta-sts subdomain, served over HTTPS with a certificate valid for that host name, for example https://mta-sts.c7solutions.com/.well-known/mta-sts.txt

Finally, the policy is published via DNS with the _mta-sts subdomain record:

_mta-sts.c7solutions.com  TXT  "v=STSv1; id=202009241541"

This DNS record must start with v=STSv1, and the id (up to 32 letters and digits) needs to change whenever the policy file changes, because senders compare it with the id they cached to decide whether to fetch the file again. I have just used a date-time string, but it could be anything that you change as the policy changes. The DNS record can also be a CNAME record instead of a TXT record when someone else hosts your email infrastructure, in which case it points to the provider’s _mta-sts record.
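The checks a sender performs on the policy file and the TXT record, as an added example for this post (not code from the original article): it parses the policy, enforces the version, mode, max_age and id rules from RFC 8461, and tests MX host names against the mx patterns, including the one-label wildcard. The policy text and TXT record are constructed copies of the post’s own example; in practice you would fetch https://mta-sts.<domain>/.well-known/mta-sts.txt over HTTPS and query the _mta-sts.<domain> TXT record over DNS, then feed the results to these functions.

```python
"""Validate an MTA-STS policy file and its _mta-sts TXT record (RFC 8461).

Added example for this post, not code from the original article. POLICY_TEXT
and TXT_RECORD are constructed copies of the post's example.
"""
import re

MAX_AGE_LIMIT = 31557600   # largest max_age RFC 8461 allows (seconds)

# Constructed input: the policy from the post, with CRLF line endings.
POLICY_TEXT = (
    "version: STSv1\r\n"
    "mode: testing\r\n"
    "mx: mail.domain.com\r\n"
    "mx: c7solutions-com.mail.protection.outlook.com\r\n"
    "max_age: 86400\r\n"
)

# Constructed input: the TXT record from the post.
TXT_RECORD = "v=STSv1; id=202009241541"


def parse_policy(text):
    """Parse the policy file; raise ValueError on anything a sender would reject."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError("malformed line: %r" % line)
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key in ("version", "mode", "max_age"):
            if key in policy:
                raise ValueError("duplicate field: %s" % key)
            policy[key] = value
        else:
            raise ValueError("unknown field: %s" % key)
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if not policy["mx"]:
        raise ValueError("at least one mx entry is required")
    try:
        policy["max_age"] = int(policy.get("max_age", ""))
    except ValueError:
        raise ValueError("max_age must be an integer number of seconds")
    if not 0 <= policy["max_age"] <= MAX_AGE_LIMIT:
        raise ValueError("max_age must be between 0 and %d" % MAX_AGE_LIMIT)
    return policy


def parse_txt_record(txt):
    """Parse '_mta-sts' TXT data; the id must be 1-32 alphanumeric characters."""
    fields = {}
    for item in txt.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError("malformed tag: %r" % item)
        key, value = (part.strip() for part in item.split("=", 1))
        fields[key] = value
    if fields.get("v") != "STSv1":
        raise ValueError("record must carry v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields


def mx_allowed(mx_host, policy):
    """True if mx_host matches one of the policy's mx patterns.

    A pattern is an exact hostname or a single leading '*.' wildcard that
    matches exactly one DNS label (RFC 8461 section 4.1).
    """
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]                       # e.g. ".example.com"
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


def uncovered_mx(dns_mx_hosts, policy):
    """MX hosts from DNS that the policy does not allow: in enforce mode a
    compliant sender would refuse to deliver to these."""
    return [h for h in dns_mx_hosts if not mx_allowed(h, policy)]


if __name__ == "__main__":
    policy = parse_policy(POLICY_TEXT)
    record = parse_txt_record(TXT_RECORD)
    print("mode=%s max_age=%d id=%s" % (policy["mode"], policy["max_age"], record["id"]))
    # Constructed DNS MX answer: one host the policy covers, one it does not.
    print("not covered:", uncovered_mx(
        ["c7solutions-com.mail.protection.outlook.com", "backup-mx.example.net"], policy))
```

Run uncovered_mx against the hosts your domain’s MX records actually return before switching to enforce; any host it lists is one that senders will stop delivering to.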

Testing mode was mentioned above, and that is covered in my second blog post today on this topic – Reporting on MTA-STS Failures

Categories
EOP exchange exchange online Exchange Online Protection Exchange Server

Reporting on MTA-STS Failures

This article is a follow-up to Enabling Better Mail Flow Security for Exchange Online, which discusses setting up MTA-STS; here we cover the reporting side, TLSRPT (RFC 8460).

To receive daily aggregate reports from each sending infrastructure on how its MTA-STS checks against your domain went, you just create a DNS record in the following format (rua can name a mailto: address, as here, or an https: endpoint):

_smtp._tls.c7solutions.com IN TXT "v=TLSRPTv1;rua=mailto:hostmaster@c7solutions.com"

It took about a week before I got some reports, and at this time they have only come, now daily, from Google. They come as a JSON file compressed in the GZip format, attached to the report email, and once expanded appear as follows:

{
 "organization-name":"Google Inc.",
 "date-range":
 {
  "start-datetime":"2020-10-08T00:00:00Z",
  "end-datetime":"2020-10-08T23:59:59Z"
 },
 "contact-info":"smtp-tls-reporting@google.com",
 "report-id":"2020-10-08T00:00:00Z_c7solutions.com",
 "policies":
 [
  {
   "policy":
   {
    "policy-type":"sts",
    "policy-string":
    [
     "version: STSv1\r",
     "mode: testing\r",
     "mx: mail.domain.com\r",
     "mx: c7solutions-com.mail.protection.outlook.com\r",
     "max_age: 86400"
    ],
    "policy-domain":"c7solutions.com"
   },
   "summary":
   {
    "total-successful-session-count":1,
    "total-failure-session-count":0
   }
  }
 ]
}

As we can see, nothing interesting: it worked for the one email I got into this domain from Gmail that day! On one result it’s not time to change the policy from “testing” to “enforce”, but it might be soon as I know it is working.
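Reading these reports by hand stops being practical once several senders report daily, so here is an added example (not code from the original article) that decompresses a report, totals the sessions per STS policy, itemises any failure-details entries, and applies a simple rule for when it is safe to move from testing to enforce. REPORT_OK is a constructed copy of the Google report above; REPORT_FAIL is invented so that the failure handling is exercised, with a sender IP from the 198.51.100.0/24 documentation range. The threshold in ready_to_enforce is an assumption of this example, not anything the RFC or the post prescribes.

```python
"""Summarise TLSRPT aggregate reports (RFC 8460) for an MTA-STS policy.

Added example for this post, not code from the original article. Both reports
are constructed: REPORT_OK mirrors the Google report in the post, REPORT_FAIL
is invented. Real reports arrive as gzip-compressed JSON attachments.
"""
import gzip
import json
from collections import Counter

REPORT_OK = {
    "organization-name": "Google Inc.",
    "date-range": {"start-datetime": "2020-10-08T00:00:00Z",
                   "end-datetime": "2020-10-08T23:59:59Z"},
    "contact-info": "smtp-tls-reporting@google.com",
    "report-id": "2020-10-08T00:00:00Z_c7solutions.com",
    "policies": [{
        "policy": {"policy-type": "sts",
                   "policy-string": ["version: STSv1\r", "mode: testing\r",
                                     "mx: mail.domain.com\r",
                                     "mx: c7solutions-com.mail.protection.outlook.com\r",
                                     "max_age: 86400"],
                   "policy-domain": "c7solutions.com"},
        "summary": {"total-successful-session-count": 1,
                    "total-failure-session-count": 0},
    }],
}

# Constructed: a later day on which one sender reached an MX whose certificate
# did not match the name in the policy.
REPORT_FAIL = {
    "organization-name": "Example Sender Ltd",
    "date-range": {"start-datetime": "2020-10-09T00:00:00Z",
                   "end-datetime": "2020-10-09T23:59:59Z"},
    "contact-info": "tlsrpt@example.net",
    "report-id": "2020-10-09T00:00:00Z_c7solutions.com",
    "policies": [{
        "policy": {"policy-type": "sts",
                   "policy-string": ["version: STSv1", "mode: testing",
                                     "mx: c7solutions-com.mail.protection.outlook.com",
                                     "max_age: 86400"],
                   "policy-domain": "c7solutions.com"},
        "summary": {"total-successful-session-count": 40,
                    "total-failure-session-count": 2},
        "failure-details": [{
            "result-type": "certificate-host-mismatch",
            "sending-mta-ip": "198.51.100.25",
            "receiving-mx-hostname": "mail.domain.com",
            "failed-session-count": 2,
        }],
    }],
}


def gzip_report(report):
    """Compress a report dict the way it is attached to the report mail."""
    return gzip.compress(json.dumps(report).encode("utf-8"))


def load_report(blob):
    """Decompress and parse one attachment."""
    return json.loads(gzip.decompress(blob).decode("utf-8"))


def policy_mode(policy_string):
    """Pull 'mode' out of the policy-string lines (note the trailing CR Google keeps)."""
    for line in policy_string:
        key, _, value = line.partition(":")
        if key.strip() == "mode":
            return value.strip()
    return None


def summarise(report):
    """Totals for the STS policy in one report, plus a Counter of failure types."""
    out = {"org": report["organization-name"], "domain": None, "mode": None,
           "ok": 0, "failed": 0, "failures": Counter()}
    for entry in report["policies"]:
        pol = entry["policy"]
        if pol["policy-type"] != "sts":    # reports may also cover DANE (tlsa) or no-policy-found
            continue
        out["domain"] = pol["policy-domain"]
        out["mode"] = policy_mode(pol["policy-string"])
        out["ok"] += entry["summary"]["total-successful-session-count"]
        out["failed"] += entry["summary"]["total-failure-session-count"]
        for fd in entry.get("failure-details", []):
            label = "%s %s -> %s" % (fd["result-type"], fd.get("sending-mta-ip", "?"),
                                     fd.get("receiving-mx-hostname", "?"))
            out["failures"][label] += fd.get("failed-session-count", 1)
    return out


def ready_to_enforce(summaries, min_sessions=50):
    """Assumed rule: flip to enforce only after min_sessions successes and no failures."""
    ok = sum(s["ok"] for s in summaries)
    failed = sum(s["failed"] for s in summaries)
    return failed == 0 and ok >= min_sessions


if __name__ == "__main__":
    summaries = [summarise(load_report(gzip_report(r))) for r in (REPORT_OK, REPORT_FAIL)]
    for s in summaries:
        print("%-18s ok=%-3d failed=%-3d mode=%s" % (s["org"], s["ok"], s["failed"], s["mode"]))
        for label, count in s["failures"].items():
            print("   ", count, "x", label)
    print("ready to enforce:", ready_to_enforce(summaries))
```

The failure label is the part worth reading: a certificate-host-mismatch against a host in your mx list means that host’s certificate does not carry the name the policy promises, and in enforce mode that sender would have queued the mail instead of delivering it.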

Categories
enhanced filtering EOP exchange exchange online Exchange Online Protection Exchange Server mimecast Office 365 spam

Enable EOP Enhanced Filtering for Mimecast Users

Blog post updated March 2020 to include more specific IP ranges for all Mimecast regions and to fix an issue where the email sender is also using the same Mimecast region as yourself and the risk of SPF failures.

Enhanced Filtering is a feature of Exchange Online Protection (EOP) that lets EOP skip back through the hops a message has passed through on your side of the route to work out the original sender, and then evaluate SPF, DMARC and sender reputation against that IP rather than against the last hop.

Take for example a message from SenderA.com to RecipientB.com where RecipientB.com uses Mimecast (or another cloud security provider). The MX record for RecipientB.com is Mimecast in this example. When EOP gets the message it will have gone from SenderA.com > Mimecast > RecipientB.com > EOP, or it will have gone SenderA.com > Mimecast > EOP if you are not sending via any other system such as an on-premises network.

A second example (added to the blog March 2020) is a message from SenderA.com to RecipientB.com where both SenderA.com and RecipientB.com use the same Mimecast (or other cloud security provider) region. The MX record for RecipientB.com is Mimecast in this example and outgoing email from SenderA.com leaves via Mimecast as well. When EOP gets the message it will have gone SenderA.com > Mimecast > Mimecast > RecipientB.com > EOP, or SenderA.com > Mimecast > Mimecast > EOP if you are not sending via any other system such as an on-premises network. The Mimecast double hop is because both the sender and the recipient use Mimecast.

EOP, without Enhanced Filtering, sees the source of the email as the previous hop: in the above examples the email appears to come from Mimecast or from the on-premises IP address. In the first case neither of these is an authorised sender for SenderA.com, so the message fails SPF if the sender’s record ends in -all (hard fail) and possibly DMARC if the sender publishes p=reject. Note that EOP does not, because of exactly this sort of routing complexity, reject hard fails or DMARC rejects outright; it treats them as spam instead.

When the sender also uses the same Mimecast region as yourself, SPF does not fail at EOP, but only because the sender’s SPF record lists the Mimecast IP addresses, and those are also the addresses EOP is receiving all of your email from.

So how do you tell EOP about your complex routing and the service sitting in front of it, and get EOP to allow for that routing? The fix is Enhanced Filtering: you add the public IPs of everything on your side of the mail flow route. This could include your on-premises network and, in this case, the cloud filter (Mimecast) that processes your email. You configure these IPs on the Inbound Connector, either with Set-InboundConnector as shown below or on the Enhanced Filtering page in the Office 365 Protection Center; both edit the same connector property. Two caveats: list only IPs that belong to you or to your own filtering service, because EOP trusts a skipped hop to report the upstream IP honestly, so a listed address that an attacker could send through would let them forge the source EOP authenticates; and if Mimecast is the only hop in front of EOP, the connector’s -EFSkipLastIP $true option (skip only the last hop) is enough, whereas with on-premises servers in the chain as well you need the explicit list.

This article assumes you have already created your inbound connector in Exchange Online for Mimecast as per the Mimecast documentation (paywall!). You need a connector in place to associate Enhanced Filtering with it.

For any source on your route prior to EOP you need the list of its public IPs. Listed here, correct at the time of writing, are the IPs for each Mimecast datacenter region in an easy-to-use PowerShell cmdlet that adds them to your Inbound Connector in EOP; pick the line for your region and use the correct name for your inbound connector.

Note that the IPs listed on these connectors are a subset of the IPs published by Mimecast. This list is ONLY the IPs that Mimecast delivers inbound messages to the customer from. Mimecast do not publish this subset (they publish the full inbound/outbound range as a single list in their docs). When you configure an inbound delivery route in Mimecast it will only deliver from the IPs below for your region. In the double-hop scenario above, where the sender uses Mimecast and you use Mimecast in the same region, skipping the full published range would make Enhanced Filtering walk past both your Mimecast subscription and the sender’s, ending at the sender’s own server, and that only passes SPF if the sender lists that server’s public IP (the one before Mimecast) in their SPF record. They probably won’t, as Mimecast says they do not need to (though I disagree: every IP that sends for my domain should be in my SPF record). Skipping only the four delivery IPs stops the walk at the sender’s Mimecast outbound IP, which their SPF record does cover.

Because Mimecast do not publish the list of IPs that they use for inbound delivery routes and instead publish their entire IP range (delivery outbound to MX and inbound delivery routes to customers) I recommend that you check that the four IPs listed below for your region are still correct. At the time of writing in March 2021 this list is correct, but not all these IPs are owned by Mimecast and they are changing those that they do not own to those that they do at some point. You can easily check the IPs by looking at 20 or so inbound messages to your email environment – they should all come from the below four addresses for your region. If this has changed, drop a comment below for everyone’s benefit. If you use these lists, drop a comment below so you get updated if we change the list based on other users investigations.

# Requires an Exchange Online PowerShell session (Connect-ExchangeOnline). Use the line for your Mimecast region only, with your own connector name.

Set-InboundConnector "Inbound from Mimecast USA" -EFSkipIPs 205.139.110.61/32,205.139.110.120/32,207.211.31.81/32,207.211.31.120/32

Set-InboundConnector "Inbound from Mimecast Europe" -EFSkipIPs 195.130.217.76/32,195.130.217.221/32,91.220.42.220/32,91.220.42.227/32

Set-InboundConnector "Inbound from Mimecast Germany" -EFSkipIPs 51.163.159.21/32,51.163.158.241/32,62.140.10.21/32,62.140.7.241/32

Set-InboundConnector "Inbound from Mimecast Australia" -EFSkipIPs 103.13.69.22/32,103.13.69.101/32,124.47.150.22/32,124.47.150.101/32

Set-InboundConnector "Inbound from Mimecast Africa" -EFSkipIPs 41.74.193.80/32,41.74.193.103/32,41.74.197.79/32,41.74.197.102/32

Set-InboundConnector "Inbound from Mimecast Offshore" -EFSkipIPs 213.167.75.27/32,213.167.75.25/32,213.167.81.27/32,213.167.81.25/32

The Enhanced Filtering for Connectors popout in the Office 365 Security and Compliance Center with one of the above ranges added to a connector called “Inbound from Mimecast”

In the above, get the name of the inbound connector correct and it adds the IPs for you. Note that passing a plain comma-separated list to -EFSkipIPs replaces whatever is already on the connector, so include every IP you want skipped (on-premises addresses too) in the one command, or use the @{Add="..."} syntax to append. It takes about an hour to take effect, but after this time inbound emails via Mimecast have the Mimecast hop skipped for SPF/DMARC checking in EOP and the actual source is used for the checks instead.

For organisations with complex routing this is something you need to implement.
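Two things from this post are worth scripting over a batch of captured message headers: the “look at 20 or so inbound messages” check that the hop delivering to EOP really is one of the four regional IPs, and a dry run of what Enhanced Filtering will resolve as the true sender once those IPs are skipped. The following is an added example for this post, not code from the original article and not EOP’s own implementation; it models the skip-list walk that produces the X-MS-Exchange-SkipListedInternetSender value. The Received headers are constructed (sender IPs from the 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 documentation ranges, invented Mimecast host names), given newest first as they appear in a message, and only the hops up to EOP’s edge are shown.

```python
"""Model EOP Enhanced Filtering's EFSkipIPs walk and check delivery-hop IPs.

Added example for this post, not code from the original article and not EOP's
implementation. MESSAGES is constructed; MIMECAST_EUROPE is the region list
from the post.
"""
import ipaddress
import re

MIMECAST_EUROPE = ["195.130.217.76/32", "195.130.217.221/32",
                   "91.220.42.220/32", "91.220.42.227/32"]

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed messages: each is the list of Received headers, newest first.
# The first IPv4 literal in a Received line is taken as the connecting IP.
MESSAGES = {
    # Plain case: SenderA > Mimecast > EOP
    "m1": [
        "Received: from eu-delivery.mimecast.example (195.130.217.221) by eop.example (10.0.0.1)",
        "Received: from mail.sendera.example (203.0.113.10) by eu-inbound.mimecast.example (10.0.0.2)",
    ],
    # Double hop: SenderA's Mimecast outbound > your Mimecast delivery > EOP.
    # 203.0.113.200 stands in for the sender's Mimecast outbound IP.
    "m2": [
        "Received: from eu-delivery.mimecast.example (91.220.42.220) by eop.example (10.0.0.1)",
        "Received: from eu-outbound.mimecast.example (203.0.113.200) by eu-inbound.mimecast.example (10.0.0.2)",
        "Received: from mail.sendera.example (198.51.100.7) by eu-outbound.mimecast.example (10.0.0.3)",
    ],
    # Something that reached EOP directly, bypassing the expected route.
    "m3": [
        "Received: from direct.sender.example (192.0.2.9) by eop.example (10.0.0.1)",
    ],
}


def hop_ips(received):
    """Connecting IP of every hop, newest first."""
    ips = []
    for line in received:
        m = IPV4.search(line)
        if m:
            ips.append(ipaddress.ip_address(m.group()))
    return ips


def in_skip_list(ip, skip_cidrs):
    return any(ip in ipaddress.ip_network(c, strict=False) for c in skip_cidrs)


def resolve_sender(received, skip_cidrs):
    """Walk from the hop nearest EOP backwards, skipping listed IPs.

    The first unlisted IP is what EOP evaluates SPF/DMARC against and reports
    in X-MS-Exchange-SkipListedInternetSender. None means every hop was listed.
    """
    for ip in hop_ips(received):
        if not in_skip_list(ip, skip_cidrs):
            return str(ip)
    return None


def unexpected_delivery_hops(messages, expected_cidrs):
    """The post's sanity check: the hop that handed each message to EOP should
    be one of the region's delivery IPs. Returns {message_id: ip} for the rest,
    which is either a route you forgot about or a changed Mimecast IP."""
    bad = {}
    for msg_id, received in messages.items():
        hops = hop_ips(received)
        if hops and not in_skip_list(hops[0], expected_cidrs):
            bad[msg_id] = str(hops[0])
    return bad


if __name__ == "__main__":
    for msg_id, received in MESSAGES.items():
        print(msg_id, "true sender with the four delivery IPs skipped:",
              resolve_sender(received, MIMECAST_EUROPE))
    # Skipping the sender's Mimecast outbound IP as well (as the full published
    # range would) walks past their filter to their own server, which their
    # SPF record probably does not list.
    print("m2 with the broader skip list:",
          resolve_sender(MESSAGES["m2"], MIMECAST_EUROPE + ["203.0.113.200/32"]))
    print("delivery hops outside the region list:",
          unexpected_delivery_hops(MESSAGES, MIMECAST_EUROPE))
```

Feed it the Received headers from real messages (newest first) and your intended EFSkipIPs list; a message whose resolved sender is None means every hop was on the list and EOP has nothing left to authenticate, which is the symptom of an over-broad list.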

Photo by Miguel Á. Padriñán from Pexels
Categories
attribution domain enhanced filtering EOP exchange exchange online Exchange Online Protection Exchange Server mimecast Office 365 smtp transport

Mail Flow To The Correct Exchange Online Connector

In a multi-forest Exchange Server/Exchange Online (single tenant) configuration, you are likely to have multiple inbound connectors to receive email from the different on-premises environments. There are scenarios where it is important to ensure that the correct connector is used for the inbound message rather than any of your connectors. Here is one such example.

With multiple inbound connectors you might be happy, and complete your testing successfully, if email from on-premises appears in the correct cloud mailbox. But what about when you use Enhanced Filtering? Here you need to add the intermediate IP addresses of all the hops a message can pass through to the specific connector, so that Exchange Online Protection can determine the real source IP address and then run its spam, SPF and other checks on the true sender IP, not on the hop before Exchange Online Protection (likely your on-premises server and not the actual source).

For example, lets send an email from SenderDomain.com to RecipientDomain.com, where RecipientDomain.com uses Mimecast, has Exchange Servers and has moved mailboxes to Exchange Online. The mail flow for this scenario is:

SenderDomainServer Public IP > MX (Mimecast) > Mimecast IPs > On-Premises IPs (internal) > Public IP for on-premises servers > EOP

From EOP’s viewpoint the email is received from the public IP of the on-premises servers and not from the actual sending IP address, so the message fails SPF because of the complex routing in front of EOP. This, out of interest, is the reason why EOP will not reject SPF failures even when DMARC p=reject is in place.

When the message arrives at EOP it needs to be attributed to the correct connector. If you have multiple Exchange Server orgs in separate on-premises environments you need to make sure the message is associated (attributed) with the correct Inbound Connector.

This message attribution is done by looking at all Inbound Connectors of type On-Premises in your tenant and, if there is more than one, comparing the TlsSenderCertificateName value on each connector with the certificate used to secure the inbound session, to find the connector that best matches.

So let’s take a look at the example above again. In the “Public IP for on-premises servers > EOP” hop the session will be protected with a certificate called (let’s say) “mail.recipientdomain.com”, and the Exchange Hybrid Wizard will have created the Inbound Connector for this mail flow with TlsSenderCertificateName set to *.recipientdomain.com. Other Inbound Connectors from other on-premises orgs will possibly have similar certificates (they should not have the same one) with similar subject names, and the Hybrid Wizard could have made more than one Inbound Connector with *.recipientdomain.com as the TlsSenderCertificateName value. If you have multiple Inbound Connectors of type On-Premises and more than one of them has TlsSenderCertificateName set to *.recipientdomain.com, the message can be attributed to the wrong connector.

If you have set the Enhanced Filtering IPs on the other connector, Enhanced Filtering will not work, because the message is not received by the connector you think it is.

So how do you fix this? You modify the Hybrid Wizard-created Inbound Connector’s TlsSenderCertificateName value to be the subject name of the certificate, so not *.recipientdomain.com but mail.recipientdomain.com, and you register mail.recipientdomain.com as a domain in Office 365. You need to do both. The reason the Hybrid Wizard sets TlsSenderCertificateName to *.recipientdomain.com is to save you adding domains to Office 365 that precisely match your certificate, but if you have multiple connectors this is the only way to guarantee message attribution to the correct connector.

Now you can add the IPs you want to skip with Enhanced Filtering to the specific connector; mail flow will use that connector and the IPs will be skipped. EOP will resolve the correct sender IP (SenderDomain’s public IP in the above example) even though the message has passed through Mimecast and on-premises servers. The message headers will now show:

X-MS-Exchange-SkipListedInternetSender ip=[Sender Server IP Address];domain=FQDN of sender

And not list Mimecast (or whomever you are using as a second cloud filter) or your on-premises IP addresses as the true sender.
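Before moving Enhanced Filtering IPs onto a connector it is worth checking the tenant’s On-Premises connectors for exactly the clash described above. The following is an added example for this post, not code from the original article and not Exchange Online’s own attribution logic; it models only the rule the post describes (connector type OnPremises, TlsSenderCertificateName compared with the certificate subject, a leading *. matching one label) and then applies the fix of giving each connector its exact certificate name. The connector list is constructed in the shape of Get-InboundConnector output, and the second org’s certificate name smtp.recipientdomain.com is invented.

```python
"""Audit On-Premises inbound connectors for ambiguous TlsSenderCertificateName
values, then apply the post's fix (exact certificate names).

Added example for this post, not Exchange Online's attribution code. CONNECTORS
is constructed in the shape of Get-InboundConnector output.
"""

# Constructed: two hybrid connectors from two on-premises orgs that the Hybrid
# Wizard left with the same wildcard, plus the partner connector for Mimecast.
CONNECTORS = [
    {"Name": "Inbound from Org1", "ConnectorType": "OnPremises",
     "TlsSenderCertificateName": "*.recipientdomain.com"},
    {"Name": "Inbound from Org2", "ConnectorType": "OnPremises",
     "TlsSenderCertificateName": "*.recipientdomain.com"},
    {"Name": "Inbound from Mimecast", "ConnectorType": "Partner",
     "TlsSenderCertificateName": None},
]


def name_matches(pattern, subject):
    """'*.example.com' matches exactly one label; anything else must match exactly."""
    pattern, subject = pattern.lower(), subject.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return subject.endswith(suffix) and "." not in subject[:-len(suffix)]
    return pattern == subject


def candidate_connectors(connectors, cert_subject):
    """On-Premises connectors whose TlsSenderCertificateName matches the
    certificate the sending server presented. More than one means the
    message can land on the wrong connector."""
    return [c["Name"] for c in connectors
            if c["ConnectorType"] == "OnPremises"
            and c["TlsSenderCertificateName"]
            and name_matches(c["TlsSenderCertificateName"], cert_subject)]


def ambiguous_patterns(connectors):
    """Patterns shared by more than one On-Premises connector."""
    seen = {}
    for c in connectors:
        if c["ConnectorType"] == "OnPremises" and c["TlsSenderCertificateName"]:
            seen.setdefault(c["TlsSenderCertificateName"].lower(), []).append(c["Name"])
    return {p: names for p, names in seen.items() if len(names) > 1}


def with_exact_names(connectors, exact_by_name):
    """The post's fix: replace each org's wildcard with the exact subject name
    of the certificate its servers present. The same names must also be added
    as domains in Office 365, which this function cannot do for you."""
    return [dict(c, TlsSenderCertificateName=exact_by_name.get(c["Name"], c["TlsSenderCertificateName"]))
            for c in connectors]


if __name__ == "__main__":
    print("ambiguous:", ambiguous_patterns(CONNECTORS))
    print("mail.recipientdomain.com ->", candidate_connectors(CONNECTORS, "mail.recipientdomain.com"))
    repaired = with_exact_names(CONNECTORS, {"Inbound from Org1": "mail.recipientdomain.com",
                                             "Inbound from Org2": "smtp.recipientdomain.com"})
    print("after fix ->", candidate_connectors(repaired, "mail.recipientdomain.com"))
```

Run ambiguous_patterns over the real connector list first; an empty result means every On-Premises connector already has a distinct certificate name and the Enhanced Filtering IPs can go on the connector you expect.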

Categories
android Apple AutoPilot Deployment Endpoint Manager Graph Intune iOS

What Is The Value of enrollmentProfileName

In Microsoft Endpoint Manager there are a few device registration scenarios that make use of a property called device.enrollmentProfileName. To find these devices later and apply other settings (apps, config, etc.) to them you need a dynamic device group based on this property. The problem is that the value of the property is not visible in PowerShell or in the Endpoint Manager portal.

This value is used by AutoPilot, Apple Business Manager devices (aka DEP) and Android Fully Managed device profiles.

So how can I see what a device’s value is so I can create a group to contain that device? I need to use the Graph Explorer.

In the Graph Explorer, using the Beta endpoint, I can get data for my device using the query https://graph.microsoft.com/beta/devices/{objectId}

This returns the beta endpoint’s data, which includes enrollmentProfileName. The version 1.0 endpoint does not return enrollmentProfileName in the response.

If you have never used the Graph Explorer before, here are the steps to get this info:

Open the Graph Explorer from https://developer.microsoft.com/en-us/graph/graph-explorer

Click Sign In button to the left, and once signed in, select Beta (highlighted) and paste in the query replacing /me with /devices/{objectID}

Graph Explorer to look for a device properties (beta endpoint)

You may not have permissions (consent) to view the data you need, so you might need to click the Modify Permissions tab (also highlighted above) to request consent; reading device objects needs a permission such as Device.Read.All or Directory.Read.All, and granting it may need administrator approval depending on your security settings in Azure AD.

Click Run Query button and view the results in the Response Preview section below:

Response to a Device query in the Graph

The value of enrollmentProfileName is the profile the device was enrolled under at the time of enrollment. It’s possible that the profile has been renamed or deleted since the device was enrolled, or that you have many profiles, so actually working out which profile a device is under can be tricky.

Also a top tip: don’t name all your profiles starting with “Test”. In the tenant where the above screenshots were taken we found DEP profiles called “Test…” and AutoPilot profiles called “Test…”, so creating dynamic device groups where device.enrollmentProfileName -contains “Test” was returning too many devices!
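The over-match in that tip is easy to see before the group exists if you evaluate the rule yourself against the device objects Graph returns. Here is an added example for this post (not code from the original article and not Microsoft’s rule engine) that parses a single-clause dynamic membership rule of the form (device.<property> <operator> "<value>") and lists which devices it would select. DEVICES is constructed in the shape of a /beta/devices response with only the properties the rule needs; the string comparisons are case-insensitive and a null property never matches, both of which are assumptions of this example rather than documented service behaviour.

```python
"""Evaluate an Azure AD dynamic device membership rule against Graph device objects.

Added example for this post, not code from the original article or Microsoft's
own engine. DEVICES is constructed. Single-clause rules only; case-insensitive
comparison and "null never matches" are assumptions of this example.
"""
import re

DEVICES = {"value": [
    {"id": "11111111-1111-1111-1111-111111111111", "displayName": "LAPTOP-01",
     "operatingSystem": "Windows", "enrollmentProfileName": "Test AutoPilot"},
    {"id": "22222222-2222-2222-2222-222222222222", "displayName": "LAPTOP-02",
     "operatingSystem": "Windows", "enrollmentProfileName": "Production AutoPilot"},
    {"id": "33333333-3333-3333-3333-333333333333", "displayName": "iPad-01",
     "operatingSystem": "iOS", "enrollmentProfileName": "Test DEP iPads"},
    {"id": "44444444-4444-4444-4444-444444444444", "displayName": "Phone-01",
     "operatingSystem": "Android", "enrollmentProfileName": None},
]}

# (device.<property> <operator> "<value>"), outer brackets optional
RULE = re.compile(r'^\s*\(?\s*device\.(\w+)\s+(-\w+)\s+"([^"]*)"\s*\)?\s*$')


def parse_rule(rule):
    m = RULE.match(rule)
    if not m:
        raise ValueError("unsupported rule: %r" % rule)
    prop, op, value = m.groups()
    return prop, op.lower(), value


def clause_matches(device, prop, op, value):
    actual = device.get(prop)
    if actual is None:                 # absent/null property: assumed never to match
        return False
    a, v = str(actual).lower(), value.lower()
    if op == "-eq":
        return a == v
    if op == "-ne":
        return a != v
    if op == "-contains":              # substring, which is how "Test" over-matches
        return v in a
    if op == "-notcontains":
        return v not in a
    if op == "-startswith":
        return a.startswith(v)
    if op == "-notstartswith":
        return not a.startswith(v)
    if op == "-match":                 # regular expression
        return re.search(value, str(actual), re.IGNORECASE) is not None
    if op == "-notmatch":
        return re.search(value, str(actual), re.IGNORECASE) is None
    raise ValueError("unsupported operator: %s" % op)


def members(rule, response):
    """displayName of every device in a Graph list response the rule selects."""
    prop, op, value = parse_rule(rule)
    return [d["displayName"] for d in response["value"] if clause_matches(d, prop, op, value)]


if __name__ == "__main__":
    for rule in ('(device.enrollmentProfileName -contains "Test")',
                 '(device.enrollmentProfileName -eq "Test AutoPilot")',
                 '(device.enrollmentProfileName -startsWith "Test DEP")'):
        print(rule, "->", members(rule, DEVICES))
```

Pull the real device list with GET https://graph.microsoft.com/beta/devices, drop the JSON in place of DEVICES, and compare the -contains result with the -eq or -startsWith result for the same profile; the difference is the set of devices that would be in the wrong group.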

Categories
mdatp security web windows 10

Free Web Content Filtering With Microsoft Defender ATP

Well, free as in you need an MDATP licence first, but as this used to be an add-on feature on top of MDATP at additional cost, it is now effectively free once you are licensed for MDATP. The feature enables your organisation to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic due to compliance regulations, bandwidth usage, or other concerns.

So how do you set it up from scratch?

Visit the MDATP admin portal at https://securitycenter.microsoft.com/ and click the cog icon to change to the settings view.

Under General, Advanced Features enable Preview Features (whilst this feature is in preview, once it stops being a preview feature this step is no longer required).

On the same list of Advanced Features toggle the option for Web Content Filtering to enable the feature and click Save Preferences.

Enabling Web Content Filtering in MDATP Settings

In the option where you enable Web Content Filtering click the link to create a web content filtering policy to take you to the settings for this feature.

This opens a second tab, but all it does is take you to the Web Content Filtering node of the Settings page! Click + Add Item to start adding content filtering categories.

First, give the policy a name and click Next. Then choose a category or parent category. For example you could select the parent category Adult Content which will turn on seven categories, or you could select just a category such as Nudity. The parent categories are, in addition to Adult Content, High Bandwidth (with peer to peer, and streaming media sites included), Legal Liability (with categories such as child abuse, hacking, and criminal activity included), Leisure (including chat, games, and social networking as categories) and the blanket Uncategorized.

Blocked Categories page in MDATP Web Content Filtering policy creation

Click Next and then enable for all devices in your admin scope (so if you are Global Admin, that’s all devices!) or pick one or more device groups.

Roll Out Web Content Filtering To A Device Group

You need to have made the device groups in advance of setting up the policy, and this is available from the Settings page as well. In the above screenshot I have selected the UK device group, which is an MDATP tag set by the registry on all our UK machines (the tag lives in HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging, in a REG_SZ value named Group). Create a pilot group tag and roll out this feature to a limited number of devices to test.

Click Next to get to the Summary page and then finish the policy creation.

Web Content Filtering Policies in MDATP

The policy you created and others if you have more than one are then shown.

There are no client agents to install for this feature to work; the MDATP sensor built into Windows 10 (version 1607 and later) does all the work. Websites in blocked categories are blocked in the browser with a warning. Blocks are performed by SmartScreen (Edge) and by Network Protection (Chrome and Firefox). Network Protection does not produce a message in the browser; it is a popup at the operating system level. The web content filter interrupts network traffic to the blocked sites, so Chrome and Firefox show a network-level error and the OS popup gives the reason. Edge integrates with the OS to show a proper error message (unless SmartScreen is disabled, in which case Network Protection will be the experience in Edge as well).

Edge SmartScreen Block

In addition to the browser “requirement” for a nice error message, you also need the latest updates for the Windows Defender signatures and platform (the monthly platform update is known as MoCAMP). An Advanced Hunting query on GitHub lets you check the versions across your MDATP estate.

All viewed categories, blocked or not blocked, are reported back to MDATP via the telemetry – so you can create reports on the visited site categories even without blocking users. These reports are available from the MDATP portal and Reports > Web Protection:

Web Protection Report in MDATP

The above screenshot shows that the only activity at the moment was Custom Indicators (see Blocking Apps With A Low Reputation), but as categories of web content are browsed they will appear on this report.

Web Categories As Shown On Day Web Content Filtering Was Turned On!

You can access the Report details for each card by selecting a table row or coloured bar from the chart in the card. The report details page for each card contains data about web content categories, website domains, and device groups.

If you create a Web Content Filtering Policy that has no blocked items in it, but apply this to all devices, you will get a report within a few days of the scope of all your users across all your devices (in MDATP that is) and the categories of URL they are visiting. Therefore, if you need to know what to block before you block it – create a policy that does not include any categories to block.