Hi All,
New to GrapheneOS and Android; I emigrated to GOS and a Pixel 8 from an iPhone about 4 weeks ago to try and escape the tech broligarchy.

Sorry for asking a question, and thanks in advance for any help. I'm not very tech savvy but trying to learn. My question is about accessing work emails. I work for the NHS in the UK, which has fully signed up to the Office 365 app suite and the Microsoft enshittification that results. As advised here I have three profiles, and I have installed Outlook and delegated it to the Google profile. To get Outlook to work I've also had to install Microsoft Intune Company Portal and the SwiftKey keyboard. It does now work, but I'm worried that, having proudly got away from lots of the tracking apps, I've now installed these and they are going to undo all my good work. Am I right in understanding that, at the very worst, they could only access data from other apps in the profile they are installed in? Is there anything specific I can do to limit the scope of how much they compromise my phone? Or should I just give up on accessing work emails on the move?

I tried an alternative approach of opening Outlook 365 in a web browser, but Microsoft seem to have totally limited this now: neither Vanadium, Firefox nor Brave worked, and Edge demanded the same Company Portal app, so I don't think that is any better. I tried Thunderbird and FairEmail too, but both were denied permission to access my O365 account.

Any tips or thoughts or previous experience would be much appreciated.

Thanks in advance,

Donald

    I'm particularly concerned about this Microsoft Intune Company Portal, which according to Exodus demands 70+ permissions on the phone. I think GrapheneOS is probably denying some of these, but it still feels quite compromising.

      Thanks very much. For some reason my MS Outlook app is working fine now that I've installed Intune, without requiring the workarounds described there. My question is more about how much having Intune on my phone, with its numerous permissions and trackers, is compromising the whole endeavour.

        aethondon Since you work for the NHS I am not going to ask any details about your setup (and I suspect you won't be willing to share, and you shouldn't), so what I'd advise is to see if you can open email on mobile. If you can, great for you, because it's the least 'invasive' way for you to use mail, as Outlook is pure shit. But it's not so great for the security team, as I'd suspect this to be more 'managed' ;)

        Edit: and to keep it on topic, if you allowed it to gain device admin (I forgot the correct naming convention on Android) it can do a lot of stuff, but I don't think that is allowed on GOS (someone correct me please if I am wrong), so it would be just a regular app, but with a lot of usage telemetry. Nothing super worrying.

        aethondon Depending on how the Microsoft tenant is configured, Intune can do practically nothing, or give near full control of the device to the Intune administrators. The problem is that even if it does practically nothing now, that can be changed down the road.

        In our instance, Microsoft themselves cannot see our tenant data without very explicit consent so our users' data is really only viewable by the administrators.

        In your case, just keeping it in its own profile should be enough for the majority of threat models. Without privileged Google Play Services, it's already pretty neutered.

        I only have very limited experience with Intune (it wasn't great), and there might be one or two things that you might find desirable, but I don't think it would be a fundamental improvement.

        1. A third-party authenticator app (e.g. Aegis, YubiKey, or even Google Authenticator). The option to enrol an authenticator other than Microsoft's in your Microsoft account is in small text, but it is there. There are plenty of tutorials.
        2. You could use a different mail client. There are a few email clients that support OAuth2, for example, assuming it is allowed by policy. This could be time consuming and offers limited rewards. You might have instructions provided by the NHS if you are lucky.

        I wouldn't expect any of this to limit the type and quantity of data collected, but it might give you the option to better separate your work from your personal profile. I personally wouldn't trust Microsoft to make the distinction between my work and personal account; your opinion may be different. Storing some credentials on a YubiKey might make extracting them more difficult for an attacker. Not much malware survives a reboot, and GOS supports auto-reboot (Settings > Security and Privacy > Exploit protections). NFC only has a range of a few centimetres, and you can put a PIN on the YubiKey itself, so that any potential attacker bumping into your pocket will be greeted with a password prompt. There are alternatives to a YubiKey; Nitrokey is one of them.

        Again I am no security expert. It's best that you do your own research.

        Thanks so much everyone for this advice. I can't open email in any browser, even Edge, unless I have Intune installed. I haven't given it any permissions, because it actually hasn't asked for any, but I did have to install some stupid AI Microsoft keyboard to use the Outlook app. The lengths they will go to negate interoperability and keep us in their ecosystem under the guise of security are remarkable. It sounds from what you're saying that, given it's in a different profile (along with crappy banking apps), it's reasonably contained, but on principle I am wondering if I should just delete it all and use my old iPhone to access work email.

          aethondon One thing to keep in mind: the requirement to use the Intune app, Outlook app and Microsoft keyboard is entirely due to the Intune administrators at your employer. We don't require most of that. We only require the official Outlook app in order to apply some specific conditional access and data loss policies.

          What your employer is doing is very typical. They're very likely on a GCC tenant with Microsoft. This, coupled with Customer Lockbox means they're not reading your work data.

          In the enterprise environment, I actually do sort of trust Microsoft. Mostly because there's no great alternative. That being said, in the consumer world I wouldn't touch them with a 10 ft pole. They are among the worst.

            GrouchyGrape We don't require most of that. We only require the official outlook app

            Have you tested that what you require for CA policies is sufficient? I know this is kind of off-topic, so I'll keep it short, but what I learned with the MS approach is that requiring 'just' a specific 'client' is easily spoofable, and CA policies without a management engine like Intune to enforce 'compliance & management' are often easy to bypass. Just my 2c.

              0xsigsev you're totally right. Yes, I was able to bypass it in testing. However, for this specific use case the threat model is very low and we're not too concerned about it. We have much higher risk threats that we're in the process of mitigating.
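As an added illustration of the point 0xsigsev and GrouchyGrape are discussing (this is not code from anyone in the thread): the two Entra conditional access grant controls involved, expressed as Microsoft Graph policy bodies submitted with the Microsoft Graph PowerShell SDK. The first policy only requires an "approved client app", which is an identity the client itself presents at sign-in, and is the kind of control GrouchyGrape found bypassable in testing; the second requires a device that Intune has marked compliant, which is only asserted after enrolment through Company Portal. The policy names, the "All users" scope, the platform list and the use of report-only mode are my choices for the example; adjust them to the tenant.

```powershell
# Added example, not from this thread. Assumes the Microsoft.Graph.Identity.SignIns
# module and an admin session: Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
# Policy names, user scope and platforms below are placeholders chosen for the example.

# 1) Weak control: "require approved client app". The Outlook app identity is sent by
#    the client, so a client that presents that identity satisfies it without Intune.
$approvedAppOnly = @{
    displayName   = "Mobile mail - approved client app only (weak)"
    state         = "enabledForReportingButNotEnforced"   # report-only while testing
    conditions    = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("Office365") }   # the Office 365 app group
        platforms      = @{ includePlatforms = @("android", "iOS") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("approvedApplication")
    }
}

# 2) Stronger control: "require device to be marked as compliant". Compliance is a
#    claim Intune makes about the enrolled device, not a claim the mail client makes
#    about itself, so it cannot be satisfied by a client merely impersonating Outlook.
$compliantDeviceOnly = @{
    displayName   = "Mobile mail - compliant device required"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions    = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("android", "iOS") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("compliantDevice")
    }
}

# Create both in report-only mode, then compare the sign-in log "report-only" results
# before enforcing: the first will pass for any client that claims to be Outlook,
# the second only for devices Intune has actually marked compliant.
New-MgIdentityConditionalAccessPolicy -BodyParameter $approvedAppOnly
New-MgIdentityConditionalAccessPolicy -BodyParameter $compliantDeviceOnly
```

The second policy is what drives the requirement to install Company Portal that the original poster ran into: without enrolment there is no compliance state for Entra to check, so the grant fails regardless of which mail client is used.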

                GrouchyGrape we're not too concerned about it

                I wish I could say the same ;) But with the FOCI family, and the fact that email is connected to Graph, I block it as much as I can and allow only very specific use cases ;)