Offline access is one of the premier new features offered by Outlook Web App (OWA) in Exchange 2013 and Exchange Online. I have had the need to use OWA offline many times and think it is a very usable client, especially over low-speed or flaky Wi-Fi connections. Of course, Outlook’s adoption of MAPI over HTTP is an effort to improve that client’s ability to cope with the same kind of connections. It remains to be seen how this really works out in practice, but first signs are promising.
When I first wrote about OWA offline in December 2012, I described how different browsers implement the databases used to cache mailbox data and how this information needed to be protected because it could be exposed by an attacker who managed to gain access to a PC, especially when the PC is connected to an entire office network, according to Advance Systems INC. BitLocker, which can be enabled on a PC even if the system is not equipped with a Trusted Platform Module (TPM) chip, provides a certain level of protection, but it’s still true that someone who gains access to a logged-in PC will be able to access the data. Then again, the same is true for Outlook.
User awareness is therefore an important part of deploying OWA offline. As is the case for all software, there’s no point in letting people use a new feature if it creates a security risk.
In any case, unless you disable the option to use OWA offline, users will be able to turn on the feature themselves by clicking “Offline options” in the drop-down menu to the right of the screen. The process of setting up offline access is very straightforward and the only thing that might cause a user any concern is the request to allow the browser to use some extra storage. I don’t think the words used really explain the need. For example, IE11 asked if Office365.com could use additional storage. I understood the request, but would the average user? Chrome, on the other hand, saw no need to request any storage.
Once enabled, OWA will download data from mailbox folders. Up to 150 most recent items are cached for folders accessed in the last week (this EHLO post explains what data is downloaded), so the amount on disk differs according to user behavior. Each browser has its own implementation of how data is stored on disk and I was curious whether this made a difference, so I compared how much data was downloaded from my Office 365 mailbox by IE11 and Chrome (version 43). The results were interesting.
On the surface, IE uses an ESE database – like Exchange, but it is very different because it supports the HTML5 standard. The database (Internet.edb) occupied 22,592 KB. Chrome stores its data in a WebSQL database splendidly named “9” and took just 36,696 KB. This information was extracted at the same time when the mailbox was as static as I would make it (a Sunday afternoon) after enabling offline access for both browsers and leaving them to download the data.
Your mileage might vary and the storage requirements of Safari (for Mac) or Firefox (for Mac or Windows) might also differ as I did not test these platforms (this page describes the current OWA support status for different browsers). The point is that OWA allows each browser to use its own storage in its own way and hides the difference from users.
You can stop individuals or groups of users accessing OWA offline mode. The easiest method is to create a new OWA mailbox policy (using EAC) that doesn’t allow offline access and then apply the policy to whatever mailboxes you want to restrict. Alternatively, you can disable offline access for an OWA mailbox policy by running the EMS Set-OWAMailboxPolicy cmdlet (the same settings work for both Exchange 2013 and Exchange Online in Office 365). For instance:
Set-OWAMailboxPolicy –Identity “Default OWA Mailbox Policy” –AllowOfflineOn NoComputers
Once an OWA mailbox policy is amended to prevent offline access, you can apply it through EAC or by using the Set-CASMailbox cmdlet. For example:
Set-CASMailbox –Identity TRedmond –OWAMailboxPolicy ‘Restricted’
Note that if someone else logs onto a different account with a browser that is configured for offline access, offline access is disabled to ensure that the person who has just connected is unable to access the data in the offline cache.
OWA offline access is a useful feature. Make sure that you use it in a safe manner and it is even better.
Follow Tony @12Knocksinna