It wasn't that there was a security flaw in how the credentials and content was being stored. The Exchange password is encrypted with a unique AES-128 key on each device, as well as with another unique key on the cloud service. The encrypted password isn't stored on the device (which is what EAS clients that connect to Exchange usually do) and the device key isn't stored in the cloud; instead the key is used to decrypt the password in the cloud, all the connections are over TLS, and all the information cached in the cloud is also encrypted. Admins could also block the Outlook app using MDM products or ActiveSync device management policies and remote wipe devices.
But putting the focus on user experience rather than IT security wasn't what enterprise IT teams had come to expect from Microsoft. The app store approvals policies make it hard for Microsoft to guarantee when an app will come out for iOS, so the IT pros hadn't had any warning that a new Outlook app with a very different approach was about to show up.
Secure the device. Don't control the behavior.
They also weren't happy about the fact that the app didn't enforce PIN and password policies (that came in an update two weeks after launch). In June, Microsoft also added Active Directory Authentication Library (ADAL)-based authentication, multi-factor authentication, conditional access support so you can check devices that get mail aren't compromised, and Intune MDM support for stopping users pasting or copying to and from the Outlook app if they aren't transferring the data to another Intune-managed app but those are only for Office 365. If your users are on Office 365, the Outlook app now uses Oauth to have Office 365 handle their login rather than passing on their credentials itself; Exchange on your own server doesn't support that.
That adds up to a good set of security options that let you focus on the security of the device rather than on trying to control user behavior, but Microsoft didn't wait until they were ready to put the Outlook name on an app that users had been happily using for months under another name. Rather than only focusing on security improvements, the Outlook team kept on working on feature updates like improving the calendar and address book and letting users customize swipes. And most importantly, it didn't back away from the idea of using a cloud service to deliver a better user experience, even though not all its enterprise customers were comfortable with the idea of email going into even a secure cloud service.
The same kind of questions came up when Microsoft launched the Clutter service on Office 365, for automatically filtering out messages people are less likely to be interested in so they can focus on the email they actually might care about. That's now being made available to all Office 365 tenants (although there's an option to disable it) and it's provoking more discussion. Some administrators wanted to be able to turn the feature on and off for specific users; others wanted to be able to stop mail from the CEO being filed as clutter.
Sign up for Computerworld eNewsletters.