Extend WIP to protect Outlook mailbox data
In this Gitlab thread it has been confirmed that at this point in time Windows Information Protection does not protect Outlook OST and PST files for remote wipe or encryption by default.
This means if Outlook is used in Cached Exchange Mode (the default), any mailbox data downloaded by Outlook will not be removed as part of a remote device wipe, nor will it be protected by WIP encryption by default.
This should be highlighted as a major limitation in WIP until it is no longer the case.
Oktay Sari commented
Can confirm, have the same issue. I have a WIP policy configured for devices without enrollment (WIP-WE) and WIP protection mode is set to Block. When performing selective wipe on BYOD (Azure AD registered), the ost file remains on the device. Normally this is not an issue but since the file is not WIP protected to start with, this can be a security risk.
When I export the Inbox to a PST it is WIP protected no matter where I save the PST file so that is a good thing.
I also noticed that all files in AppData\Local\Microsoft\Outlook\Offline Address Books\ (.oab files) are WIP protected upon creation, so that's also good. (File ownership is set to tenant/domain)
When selective wipe is completed, the .oab files and .pst file show "revoked" as "File Ownership". This is good and I have no access to these files until I add my work account again.
Would be great if .ost and .nst files are WIP protected upon creation, just like the .oab files.
I guess it's going to be best practice to only allow OWA and perhaps even in limited mode until we can protect Offline Outlook Data Files on BYOD with WIP-WE. I'm not concerned for company owned devices since I can force device compliance with Bitlocker and do a full wipe/factory reset when needed.
One last thing: I copied the OST file from a BYOD (Azure AD registered/WIP-WE policy applied) to another device and tried to open it using various ost viewers and ost2pst converters but I was not able to read or convert anything. In ost viewers I can see the mailbox structure and e-mails but everything is scrambled. Encryption?? Some of the ost viewers even gave an error message saying the file was encrypted or corrupted.
Yes, I also copied another ost file from yet another test device where I have no WIP protection and simply configured a test e-mail account in Outlook. This ost file I can open in my ost viewers and convert it to pst without any issues. I can read emails and everything else. So this final test worked as expected.
Hope this helps
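The comment above checks protection state by hand (Explorer's "File Ownership" column, copying the file to another machine). An added audit script, not from the thread or from Microsoft, that does the same check in bulk for the file types named in the thread (.ost, .nst, .pst, .oab): it enumerates the Outlook data folder the comment references and reports which files carry the NTFS Encrypted attribute that WIP's EFS-based protection sets. Assumptions: the data files live under `$env:LOCALAPPDATA\Microsoft\Outlook` (the default, overridable with `-OutlookRoot`), and a WIP-protected file shows the Encrypted attribute. The attribute alone does not prove enterprise ownership (a user-keyed EFS file shows it too), so a file flagged as encrypted should still be confirmed against the "File Ownership" column where it matters; a file flagged UNPROTECTED is definitely outside WIP.

```powershell
# Added audit script (not from the thread): report whether each Outlook data file
# carries the NTFS Encrypted attribute that WIP/EFS protection sets.
# ASSUMPTION: Outlook data files live under $env:LOCALAPPDATA\Microsoft\Outlook,
# the folder named in the thread; override with -OutlookRoot if your profile differs.
param(
    [string]$OutlookRoot = (Join-Path $env:LOCALAPPDATA 'Microsoft\Outlook')
)

# File types discussed in the thread: cached mailbox (.ost/.nst), export (.pst),
# Offline Address Book (.oab).
$extensions = '.ost', '.nst', '.pst', '.oab'

function Get-OutlookDataFileProtection {
    param([string]$Root)

    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Warning "Outlook data folder not found: $Root"
        return
    }

    # Recurse so the "Offline Address Books" subfolder is covered as well.
    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            # The Encrypted attribute is set for EFS-encrypted files; WIP uses EFS,
            # so an unprotected cached mailbox file will lack it.
            $encrypted = ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
            [PSCustomObject]@{
                Path      = $_.FullName
                Extension = $_.Extension.ToLower()
                SizeMB    = [math]::Round($_.Length / 1MB, 1)
                Encrypted = $encrypted
                Status    = if ($encrypted) { 'EFS/WIP encrypted' } else { 'UNPROTECTED' }
            }
        }
}

$report = Get-OutlookDataFileProtection -Root $OutlookRoot
$report | Sort-Object Encrypted, Path | Format-Table -AutoSize

# Unprotected cached mailbox data (.ost/.nst) is exactly what a selective wipe
# leaves readable on a BYOD device, so call it out separately.
$exposed = @($report | Where-Object { -not $_.Encrypted -and $_.Extension -in '.ost', '.nst' })
if ($exposed.Count -gt 0) {
    Write-Warning ("{0} cached mailbox file(s) are not WIP/EFS protected:" -f $exposed.Count)
    $exposed | ForEach-Object { Write-Warning "  $($_.Path)" }
} else {
    Write-Host 'All cached mailbox files carry the Encrypted attribute.'
}
```

Run it in the context of the user whose profile holds the Outlook data (no elevation needed to read attributes), once before and once after a selective wipe, and diff the two reports: on a WIP-WE device the .oab and exported .pst entries should show as encrypted both times, while an .ost that reports UNPROTECTED before the wipe is the data the thread is warning will survive it.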