Netskope Global Technical Success (GTS)
Prevent Personal Gmail Account Integration in Microsoft Outlook native application
Netskope Cloud Version - 120
Objective
Restrict end-users from adding personal Google Gmail accounts to the Microsoft Outlook native application
Prerequisite
Netskope SWG license is required
Context
This document provides step-by-step instructions for disabling the ability of end-users to add personal Google Gmail accounts to their Microsoft Outlook native applications.
Do You Know?
- The Microsoft Outlook native application uses certificate pinning.
- What is certificate pinning? Certificate pinning is a security technique that strengthens the protection of network communications by ensuring an application only trusts a specific SSL/TLS certificate, or a specific set of certificates, rather than any certificate chaining to a trusted root.
- Because the Microsoft Outlook native application employs certificate pinning, Netskope cannot perform SSL decryption on traffic generated by Microsoft Outlook.
- Without SSL decryption, the following controls cannot be applied in real time:
- Netskope Data Loss Prevention (DLP)
- Netskope Threat Prevention
- Netskope Real-time Policy Controls for Post, Upload, Download and other activities
- By default, traffic from the Microsoft Outlook native application is included in the Netskope Client steering exception.
Details
- Launch the Microsoft Outlook native application, then follow the steps shown in the images below.
Lab environment operating system: macOS
Image 1
Image 2
Image 3
- Reference images 1, 2 and 3 above are taken from the Microsoft Outlook native application. After the step shown in image 3, the Microsoft Outlook native application redirects the sign-in to the system browser at the URL below (the login_hint value is masked):
https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?scope=profile%20email%20https%3A%2F%2Fmail.google.com%2F%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.file%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuser.emails.read%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuser.birthday.read&redirect_uri=https%3A%2F%2Folmoauth.outlook.com%2Fapi%2Fgoogleoauthredir%2Fcom.microsoft.office.outlook%3A%2Fmac%2Fgoogle%2Foauth2redirect&client_id=445112211283-sk04feuogpcjd3dq8eshrdnr4bpm1sfk.apps.googleusercontent.com&login_hint=xxxxxxxxxxxxsingh%40gmail.com&state=264A9C75-3294-4414-A80F-54ACAD2FE471&response_type=code&access_type=offline&prompt=consent&code_challenge=a7Hz1mbdv0IKTCegZsruNH8ALyaHxcmuQ9et0BJwVNY&code_challenge_method=S256&enable_granular_consent=true&service=lso&o2v=2&ddm=0&flowName=GeneralOAuthFlow
Image 4
- The ‘accounts.google.com’ domain is responsible for Google suite user authentication.
- Traffic from the Microsoft Outlook native application is bypassed by the Netskope Client (steering exception), while the browser-based traffic to accounts.google.com continues to route through the Netskope Client, so the browser hop is where a policy can be enforced.
Reference - Netskope Client Logs
2024/10/21 19:50:57.958787 stAgentNE p70938 t21799 info bypassAppMgr.cpp:1472 BypassAppMgr bypassing flow to exception host: mobile.events.data.microsoft.com, process: microsoft outlook, Dest IP: 20.189.173.12, Dest Port: 443
2024/10/21 09:05:06.905974 stAgentNE p41745 t10527 info tunnel.cpp:972 nsTunnel TLS 7sessId 501] Tunneling flow from addr: 1.0.0.1:49636, process: google chrome helper to host: accounts.google.com, addr: 74.125.68.84:443 to nsProxy
Configuration
- Create a custom URL category
Path: Netskope Tenant UI >>> Policies >>> Profile >>> URL Lists
Path: Netskope Tenant UI >>> Policies >>> Profile >>> Custom Categories
- Real-time protection policy
Path: Netskope Tenant UI >>> Policies >>> Real-time Protection >>> New Policy
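To make the steering behaviour above concrete, here is an added example (not part of this article and not Netskope code) that classifies Netskope Client log lines as bypassed or tunneled, shows which of them a Real-time Protection block on the custom accounts.google.com category can act on, and parses the browser-side OAuth URL to confirm it is Outlook for Mac linking a consumer gmail.com account. The log lines are the article's own excerpt; the OAuth URL is constructed in the same shape with placeholder client_id and state values; the regexes and function names are assumptions of this example.

```python
import re
from urllib.parse import urlparse, parse_qs
# Netskope Client log lines from this article's excerpt (the sessId bracket restored).
SAMPLE_LOGS = [
    "2024/10/21 19:50:57.958787 stAgentNE p70938 t21799 info bypassAppMgr.cpp:1472 BypassAppMgr bypassing "
    "flow to exception host: mobile.events.data.microsoft.com, process: microsoft outlook, Dest IP: 20.189.173.12, Dest Port: 443",
    "2024/10/21 09:05:06.905974 stAgentNE p41745 t10527 info tunnel.cpp:972 nsTunnel TLS [sessId 501] Tunneling flow "
    "from addr: 1.0.0.1:49636, process: google chrome helper to host: accounts.google.com, addr: 74.125.68.84:443 to nsProxy",
]
# Constructed authorization URL shaped like the one captured above; client_id and state are placeholders.
SAMPLE_OAUTH_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?scope=profile%20email%20https%3A%2F%2Fmail.google.com%2F"
    "&redirect_uri=https%3A%2F%2Folmoauth.outlook.com%2Fapi%2Fgoogleoauthredir%2Fcom.microsoft.office.outlook%3A%2Fmac%2Fgoogle%2Foauth2redirect"
    "&client_id=CLIENT_ID_PLACEHOLDER&login_hint=someone%40gmail.com&state=STATE_PLACEHOLDER&response_type=code"
)
CUSTOM_URL_CATEGORY = {"accounts.google.com"}  # the custom URL category this article has you create
BYPASS_RE = re.compile(r"bypassing flow to exception host: (?P<host>[^,]+), process: (?P<proc>[^,]+)")
TUNNEL_RE = re.compile(r"Tunneling flow from .*?process: (?P<proc>.+?) to host: (?P<host>[^,]+),.* to nsProxy$")

def classify_flow(line):
    """Return (disposition, process, host); 'bypassed' flows never reach the Netskope proxy."""
    if m := BYPASS_RE.search(line):
        return "bypassed", m["proc"], m["host"]
    if m := TUNNEL_RE.search(line):
        return "tunneled", m["proc"], m["host"]
    return "other", None, None

def policy_outcome(line):
    """What a Real-time Protection block policy on CUSTOM_URL_CATEGORY can do with this flow."""
    disposition, _process, host = classify_flow(line)
    if disposition != "tunneled":
        return "not-inspectable"  # steering exception for the certificate-pinned app: no policy applies
    return "block" if host in CUSTOM_URL_CATEGORY else "allow"

def inspect_oauth_url(url):
    """Pull the fields showing which app and which account are being linked (parse_qs %-decodes them)."""
    u = urlparse(url)
    q = parse_qs(u.query)
    hint = q.get("login_hint", [""])[0]
    return {
        "auth_host": u.hostname,
        "redirect_host": urlparse(q.get("redirect_uri", [""])[0]).hostname,
        "hint_domain": hint.rsplit("@", 1)[1].lower() if "@" in hint else "",
        "scopes": q.get("scope", [""])[0].split(),
    }

def is_outlook_personal_gmail_link(url):
    """True when the browser-side OAuth hop is Outlook for Mac linking a consumer gmail.com account."""
    info = inspect_oauth_url(url)
    return (info["auth_host"], info["redirect_host"], info["hint_domain"]) == (
        "accounts.google.com", "olmoauth.outlook.com", "gmail.com")
```

The redirect_uri host and login_hint domain give a more precise signal than the bare accounts.google.com domain, which is also used for corporate Google sign-ins; check whether your real-time policy needs that distinction before blocking the whole category.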
Verification
After the step shown in image 3, the Microsoft Outlook native application redirects the sign-in to the browser, and the result is shown below.
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.