Thanks very much. For some reason my MS Outlook app is working fine now I've installed Intune, not requiring the workarounds described there. My question is more regarding how much having Intune on my phone, with its numerous permissions and trackers, is compromising the whole endeavour.

    aethondon Since you work for the NHS I am not going to ask any details about your setup (and I suspect you won't be willing to share, and you shouldn't), so what I'd advise is to see if you can open email on mobile. If you can, great for you, because it's the least 'invasive' way for you to use mail, as Outlook is pure shit. But it's not so great for the security team, as I'd suspect this to be more 'managed' ;)

    Edit: and to keep it on topic, if you allowed it to gain device admin (forgot the correct naming convention on Android) it can do a lot of stuff, but I don't think it is allowed on GOS (someone correct me please if I am wrong), so it would be just a regular app, but with a lot of usage telemetry. Nothing super worrying.

    aethondon depending on how the Microsoft tenant is configured, Intune can do practically nothing, or give near full control of the device to the Intune administrators. Problem is, even if it does practically nothing now, that can be changed down the road.

    In our instance, Microsoft themselves cannot see our tenant data without very explicit consent so our users' data is really only viewable by the administrators.

    In your case, just keeping it in its own profile should be enough for the majority of threat models. Without privileged Google Play Services, it's already pretty neutered.

    I only have very limited experience with Intune (it wasn't great), and there might be one or two things that you might find desirable, but I don't think it would be a fundamental improvement.

    1. A third-party authenticator app (e.g. Aegis, YubiKey, or even Google Authenticator). The option to enroll an authenticator other than Microsoft's in your Microsoft account is in small text, but it is there. There are plenty of tutorials.
    2. You could use a different mail client. There are a few email clients that support OAuth2, for example, assuming it is allowed by policy. This could be time consuming and offers limited rewards. You might have instructions provided by the NHS if you are lucky.

    I wouldn't expect any of this to limit the type and quantity of data collected, but this might give you the option to better separate your work from your personal profile. I personally wouldn't trust Microsoft to make the distinction between my work and personal account; your opinion may be different. Storing some credentials on a YubiKey might make extracting them more difficult for an attacker. Not much malware survives a reboot, and GOS supports auto-reboot (Settings > Security and Privacy > Exploit protections). NFC only has a range of a few centimetres, and you can put a PIN on the YubiKey itself, so that any potential attacker bumping into your pocket will be greeted with a password prompt. There are alternatives to a YubiKey; Nitrokey is one of them.

    Again I am no security expert. It's best that you do your own research.

    Thanks so much everyone for this advice. I can't open email in any browser, even Edge, unless I have Intune installed. I haven't given it any permissions, because it actually hasn't asked for any, but I did have to install some stupid AI Microsoft keyboard to use the Outlook app. The lengths they will go to negate interoperability and keep us in their ecosystem under the guise of security are remarkable. It sounds from what you're saying that having it in a different profile (along with crappy banking apps) means it's reasonably contained, but on principle I am wondering if I should just delete it all and use my old iPhone to access work email.

      aethondon one thing to keep in mind: the requirement to use the Intune app, Outlook app, and Microsoft keyboard is entirely due to the Intune administrators of your employer. We don't require most of that. We only require the official Outlook app in order to apply some specific conditional access and data loss policies.

      What your employer is doing is very typical. They're very likely on a GCC tenant with Microsoft. This, coupled with Customer Lockbox means they're not reading your work data.

      In the enterprise environment, I actually do sort of trust Microsoft. Mostly because there's no great alternative. That being said, in the consumer world I wouldn't touch them with a 10 ft pole. They are among the worst.

        GrouchyGrape We don't require most of that. We only require the official Outlook app

        Have you tested that what you require for CA policies is sufficient? I know this is kind of off-topic, so I'll keep it short, but what I learned with the MS approach is that requiring 'just' a specific 'client' is easily spoofable, and CA policies without a management engine like Intune to enforce 'compliance & management' are often easy to bypass. Just my 2c.

          0xsigsev you're totally right. Yes, I was able to bypass it in testing. However, for this specific use case the threat model is very low and we're not too concerned about it. We have much higher risk threats that we're in the process of mitigating.

            GrouchyGrape we're not too concerned about it

            I wish I could say the same ;) But with the FOCI family, and the fact that email is connected to Graph, I block it as much as I can and allow only very specific use cases ;)