Security Manager for Microsoft® Outlook® .NET, VCL, and ActiveX Editions
1
Add-in Express™ www.add-in-express.com
Outlook Security Manager
Security Manager for Microsoft® Outlook ®
Security Manager for Microsoft® Outlook ®
Revised on 3-Nov-14
Copyright © Add-in Express Ltd. and MAPILab Ltd. All rights reserved. Add-in Express, ADX Extensions, ADX Toolbar Controls, Afalina, Afalinasoft and Afalina Software are trademarks or registered trademarks of Add-in Express Ltd. in the United States and/or other countries. Microsoft, Outlook and the Office logo are trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Borland and the Delphi logo are trademarks or registered trademarks of Borland Corporation in the United States and/or other countries.
THIS SOFTWARE IS PROVIDED "AS IS" AND ADD-IN EXPRESS LTD. MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, ADD-IN EXPRESS LTD. MAKES NO REPRESENTATIONS OR WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF THE LICENSED SOFTWARE, DATABASE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.
2
Add-in Express™ www.add-in-express.com
Outlook Security Manager
Contents
Contents Introduction ..........................................................................................4 Terminology ................................................................................................................................................................ 4 What is Outlook Security Manager .............................................................................................................................. 4 Compatibility................................................................................................................................................................ 4 System Requirements ................................................................................................................................................. 5 Examples .................................................................................................................................................................... 5 Technical Support ....................................................................................................................................................... 5
The .NET Edition .................................................................................6 Example #1 – Outlook Add-ins .................................................................................................................................... 7 Example #2 – Automate Outlook................................................................................................................................. 9 Deployment ............................................................................................................................................................... 10 Per-user Registration .............................................................................................................................................. 11 Attention! ................................................................................................................................................................ 12 The SecurityManager Class ...................................................................................................................................... 12 DisableCDOWarnings ............................................................................................................................................. 12 DisableOOMWarnings ............................................................................................................................................ 12 DisableSMAPIWarnings ......................................................................................................................................... 13 Check ..................................................................................................................................................................... 13 ConnectTo .............................................................................................................................................................. 14 Disconnect .............................................................................................................................................................. 15
The VCL Edition ................................................................................16 Example #1 – Outlook Add-ins .................................................................................................................................. 16 Example #2 – Automate Outlook............................................................................................................................... 18 Deployment ............................................................................................................................................................... 20 Attention! ................................................................................................................................................................ 21 The TOlSecurityManager Class ................................................................................................................................ 21 DisableCDOWarnings ............................................................................................................................................. 21 DisableOOMWarnings ............................................................................................................................................ 21 DisableSMAPIWarnings ......................................................................................................................................... 22 Check ..................................................................................................................................................................... 22 ConnectTo .............................................................................................................................................................. 23 Disconnect .............................................................................................................................................................. 23
The ActiveX Edition ...........................................................................24 Example #1 – Outlook Add-ins .................................................................................................................................. 24 Example #2 – Automate Outlook............................................................................................................................... 26 Deployment ............................................................................................................................................................... 28 Attention! ................................................................................................................................................................ 28 The OutlookSecurityManager Object ........................................................................................................................ 29 DisableCDOWarnings ............................................................................................................................................. 29 DisableOOMWarnings ............................................................................................................................................ 29 DisableSMAPIWarnings ......................................................................................................................................... 29 Check ..................................................................................................................................................................... 29 ConnectTo .............................................................................................................................................................. 30 Disconnect .............................................................................................................................................................. 30
3
Add-in Express™ www.add-in-express.com
Outlook Security Manager
Introduction
Introduction
Terminology Protected Outlook objects - Outlook objects (COM interfaces), their properties or methods that being called fire security warnings. Protected CDO objects - CDO objects (interfaces), their properties or methods that being called fire security warnings. Protected Simple MAPI calls - Simple MAPI functions that being called fire security warnings. Outlook Security - the Outlook mechanisms that prevent a developer from using Outlook objects, CDO objects or Simple MAPI functions programmatically. Microsoft started this feature with Outlook E-mail Security Update for Outlook 2000. You can find the complete description of interoperability issues with Outlook Security at http://support.microsoft.com/?kbid=264128.
What is Outlook Security Manager Outlook Security Manager is an in-process COM object that allows a developer to avoid Outlook Security when they use protected objects from the Outlook Object Model, protected CDO objects or protected Simple MAPI functions. Outlook Security Manager makes possible to avoid Outlook Security using just three properties that disable security warnings for Outlook Object Model (OOM), Collaboration Data Objects (CDO) and Simple MAPI. Outlook Security Manager is delivered in three editions, .NET, VCL and ActiveX.
Compatibility Outlook Security Manager for .NET, VCL and ActiveX platforms directly supports C#, Managed C++, Visual Basic .NET, J#, Delphi 7 – XE7, Visual Basic 6, C++ MFC/ATL, VBA, VBScript etc. Outlook Security Manager is compatible with Outlook 2000 with E-mail Security Patch and higher.
4
Add-in Express™ www.add-in-express.com
Outlook Security Manager
Introduction
System Requirements The .NET edition: Visual Studio 2005, 2008, 2010, 2012, 2013 Outlook 2000, 2002, 2003, 2007, 2010 (32-bit and 64-bit), 2013 (32-bit and 64-bit)
The VCL edition: Delphi 7, 2005, 2006, 2007, 2009, 2010, XE, XE2, XE3, XE4, XE5, XE6, XE7 Outlook 2000, 2002, 2003, 2007, 2010 (32-bit and 64-bit), 2013 (32-bit and 64-bit)
The ActiveX edition Any development tool supporting using ActiveX components. Outlook 2000, 2002, 2003, 2007, 2010 (32-bit and 64-bit), 2013 (32-bit and 64-bit)
Examples Several examples are downloadable at http://www.add-in-express.com/downloads/osm.php.
Technical Support Please email any questions or comments to support@add-in-express.com. But first, please check Add-in Express Web-site and Add-in Express Forums where you will find the latest news, FAQ, as well as the tips and tricks section.
5
Add-in Express™ www.add-in-express.com
Outlook Security Manager
The .NET Edition
The .NET Edition
The examples described below are developed in C# but you can use Outlook Security Manager in all .NET compatible programming languages. To add a reference to Outlook Security Manager to your project, just use the Add Reference dialog box and select the “Outlook Security Manager .NET” assembly.
6
Add-in Express™ www.add-in-express.com
Outlook Security Manager
The .NET Edition
To create an instance of Outlook Security Manager you can use the following code: private AddinExpress.Outlook.SecurityManager SecurityManager; this.SecurityManager = new AddinExpress.Outlook.SecurityManager();
Example #1 – Outlook Add-ins The first example is an Outlook COM add-in based on Add-in Express for Microsoft Office and .net (http://www.add-in-express.com/add-in-net/); accordingly, to run the sample, you must have Add-in Express
installed.
You
can
download
the
example
at
http://www.add-in-
express.com/downloads/osm.php. Please note that all the examples use Outlook 2000 interop assembly. Microsoft claims that COM add-ins can be trusted and this completely solves the security problem. Aha! We have tried this many times; but trusted add-ins work in Outlook 2003-2013 only. However, even in these Outlook versions you may get security warnings when accessing the CurrentUser property in the Outlook + Exchange environment (if specified by the Exchange administrator).
This add-in adds a new command bar with three buttons to the Explorer window. The first button is a switcher that disables or enables Outlook Security, the second button shows Outlook contacts, and the third one shows the details of a selected message. When Outlook Security is enabled (by default), you get a security message when clicking the contact or details buttons. If you disable Outlook Security, the alert message doesn’t appear.
7
Add-in Express™ www.add-in-express.com
Outlook Security Manager
The .NET Edition
How this works. Open the add-in solution in Visual Studio IDE and then open the add-in module. You can find the SecurityManager component, an instance of the SecurityManager class. In the DoEnumContacts and DoGetInfo methods of the add-in module you can see the following lines:
if (btnOnOff.State == AddinExpress.MSO.ADXMsoButtonState.adxMsoButtonDown) SecurityManager.DisableOOMWarnings = true; try { …some actions with protected Outlook objects… } finally { if (btnOnOff.State == AddinExpress.MSO.ADXMsoButtonState.adxMsoButtonDown) SecurityManager.DisableOOMWarnings = false; }
The first “if” sentence disables Outlook Security if the security button is down. The “finally” section enables Outlook Security. Between these lines, you write code that uses protected Outlook objects. That’s all. Just remember that the DisableOOMWarnings property of the SecurityManager class disables Outlook Security when you use protected objects from Outlook Object Model (OOM) and if you set this property to True. Also remember that you must turn on Outlook Security inside the “finally” section. You should be aware that Outlook Security Manager may potentially open a door for unsafe content. To avoid this you must enable Outlook security in a protected finalization code after each elementary call of the protected objects as shown in the example above. Now you know how to disable Outlook Security when you use protected Outlook objects. But you can also disable Outlook Security when you use protected CDO objects or protected Simple MAPI functions. Just use other properties of SecurityManager, namely DisableCDOWarnings and DisableSMAPIWarnings. We will not comment on the whole code of this add-in and give you an opportunity to examine it yourself.
8
Add-in Express™ www.add-in-express.com
Outlook Security Manager
The .NET Edition
Example #2 – Automate Outlook You can find this example at http://www.add-in-express.com/downloads/osm.php. It shows how to use Outlook Security Manager from an application that automates Outlook. With this application you can send messages using Outlook as a “mail engine”. In this project there is one form mimicking the Outlook Mail window with an Outlook Security check box.
If you check this check box, you disable Outlook Security and this application can send a message. Otherwise, it will not be able to send it and you will get a warning like this:
As well as in Example #1 – Outlook Add-ins above, protected Outlook objects are used here. To disable Outlook Security, we use the DisableOOMWarnings property. But there is one peculiarity
9
Add-in Express™ www.add-in-express.com
Outlook Security Manager
The .NET Edition
here. To use Outlook Security Manager inside an application interacting with Outlook you should connect it to Outlook.Application used by this application. To do this you can use the ConnectTo method of the SecurityManager class. For example (you can find this code in the form): if (chkOnOff.Checked) { SecurityManager.ConnectTo(outlookApp); SecurityManager.DisableOOMWarnings = true; } try { …some actions with protected Outlook objects… } finally { SecurityManager.DisableOOMWarnings = false; }
Thus, if you want to disable Outlook security use Outlook Security Manager and remember to call the ConnectTo method before disabling Outlook Security. We remind you once again. Please always turn on Outlook Security inside the “finally” section. You should be aware that Outlook Security Manager may potentially open a door for unsafe content. To avoid this you must enable Outlook security in a protected finalization code after each elementary call of the protected objects as shown in the example above.
Deployment To deploy your software that uses Outlook Security Manager, include the secman.dll and secman64.dll files into your setup package and, depending on the Outlook version installed on the target PC, register one of them as a COM object. You need to register secman64.dll only for 64bit Outlook 2010-2013. You can find the Outlook 2010-2013 bitness by checking the Bitness value in the registry key below; if the value is "x64", register secman64.dll, otherwise, register secman.dll. The registry key to check is: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\{14 or 15}.0\Outlook
10
Add-in Express™ www.add-in-express.com
Outlook Security Manager
The .NET Edition
To register secman.dll (secman64.dll), you can use the regsvr32 utility or special options of your installer (vsdrfCOMSelfReg for example). In addition, your setup package must include SecurityManager.2005.dll that must be located in the application install folder. Note that administrative permissions are required to register secman.dll or secman64.dll. Note that for a standalone application (not an Outlook add-in!), the bitness of the application must be the same as that of Outlook, not the bitness of the operating system. That is, your application must be 32-bit if used for Outlook 2000-2007 and Outlook 2010-2013 32-bit; it must be 64-bit if used for Outlook 2010-2013 64-bit. In terms of Visual Studio, you must never use AnyCPU as the platform for which you build the application; the platform must be x86 for Outlook 2000-2007 and Outlook 2010-2013 32-bit and x64 for Outlook 2010-2013 64-bit. You set a correct platform in the Configuration Manager dialog, see menu Build | Configuration Manager. Pay attention, please, that you should place secman.dll (secman64.dll) as a shared DLL into the shared folder of Windows, Common Files \ Outlook Security Manager. Do not unregister secman.dll (secman64.dll) if it existed before installing your product. You can find the complete information about deploying shared files on the MSDN website: Windows 2000 Application Specifications: Component Sharing You can find the redistributable versions of secman.dll and secman64.dll files in the Redistributable subfolder of the Outlook Security Manager folder.
Per-user Registration Note that you can deploy your .NET solution that uses the Security Manager using ClickOnce. You don't need to do anything special; just deploy your solution. There's a problem however: if two solutions install the Security Manager in this way, then uninstalling one of them will break the other one. To bypass this problem use RegFree COM which is available for Windows XP and higher. Please have a look at the following samples on our blog: Outlook Security Manager deployment: Reg Free COM & ClickOnce for Outlook 64bit, part 5
11
Add-in Express™ www.add-in-express.com
Outlook Security Manager
The .NET Edition
Attention! You should understand that Outlook Security Manager may potentially open a door for unsafe content. To avoid this you must enable Outlook security in a finalization code after each elementary call of the protected objects as shown in the examples above.
The SecurityManager Class The SecurityManager class is a wrapper over Outlook Security Manager COM object. Its properties allow a developer to disable / enable Outlook security warnings for Outlook objects interoperability, CDO and Simple MAPI calls. Namespace: AddInExpress.Outlook
DisableCDOWarnings Disables / enables security warnings when using protected CDO objects. [Visual Basic] Public Property DisableCDOWarnings As Boolean [C#] public bool DisableCDOWarnings {get; set;} [C++] public: __property bool get_DisableCDOWarnings () __property void set_DisableCDOWarnings ( bool )
Set this property to True to disable Outlook security warnings when you call protected CDO objects.
DisableOOMWarnings Disables / enables the security warnings when using protected Outlook objects. [Visual Basic] Public Property DisableOOMWarnings As Boolean [C#] public bool DisableOOMWarnings {get; set;}
12
Add-in Express™ www.add-in-express.com
Outlook Security Manager
The .NET Edition
[C++] public: __property bool get_DisableOOMWarnings () __property void set_DisableOOMWarnings ( bool )
Set this property to True to disable Outlook security warnings when you call protected Outlook objects.
DisableSMAPIWarnings Disables / enables the security warnings when using Simple MAPI functions. [Visual Basic] Public Property DisableSMAPIWarnings As Boolean [C#] public bool DisableSMAPIWarnings {get; set;} [C++] public: __property bool get_DisableSMAPIWarnings () __property void set_DisableSAMPIWarnings ( bool )
Set this property to True to disable Outlook security warnings when you call Simple MAPI functions.
Check Checks the possibility of disabling Outlook security warnings. [Visual Basic] Public Function Check(ByVal kind As OutlookSecurity.osmWarningKind) _ As OutlookSecurity.osmResult Public Enum osmResult As Integer Public Enum osmWarningKind As Integer [C#] public OutlookSecurity.osmResult Check ( OutlookSecurity.osmWarningKind kind ) public sealed enum osmResult : System.Enum public sealed enum osmWarningKind : System.Enum
13
Add-in Express™ www.add-in-express.com
Outlook Security Manager
The .NET Edition
[C++] public OutlookSecurity::osmResult Check ( OutlookSecurity::osmWarningKind kind ) public __value enum osmResult public __value enum osmWarningKind
Determines the possibility of disabling security warnings for the security kind specified by the AKind parameter. The kind parameter can be: osmObjectModel – the possibility will be determined for protected Outlook objects. osmCDO - the possibility will be determined for protected CDO objects. osmSimpleMAPI - the possibility will be determined for protected Simple MAPI function.
The Check function returns one of the following values: osmOK – Outlook Security can be disabled. osmDLLNotLoaded – Outlook Security cannot be disabled because Outlook Security Manager is not registered. osmSecurityGuardNotFound – Outlook Security cannot be disabled. osmUnknownOlVersion – Outlook Security cannot be disabled because Outlook Security Manager cannot determine the Outlook version. osmCDONotFound - Outlook Security cannot be disabled because CDO is not installed.
ConnectTo Connects to an existing Outlook.Application object. [Visual Basic] Public Sub ConnectTo(ByVal outlookApp As Object) [C#] public void ConnectTo (System.Object outlookApp) [C++] public void ConnectTo (System::Object outlookApp)
Call this method if and only if both of the following conditions are met:
14
Add-in Express™ www.add-in-express.com
Outlook Security Manager
The .NET Edition
If your code uses the Outlook Object Model
If your code runs in a process other than Outlook
That call must be performed before the first use of the DisableOOMWarnings property.
Disconnect Disconnects from the previously connected Outlook Application Object. [Visual Basic] Public Sub Disconnect(ByVal outlookApp As Object) [C#] public void Disconnect (System.Object outlookApp) [C++] public void Disconnect (System::Object outlookApp)
15
Add-in Express™ www.add-in-express.com
Outlook Security Manager
The VCL Edition
The VCL Edition
The examples described below are developed in Borland Delphi 7. Please note that to add a reference to Outlook Security Manager into your project, just place the TOlSecurityManager component from the Add-in Express tab on the Component Palette to your form or another container:
Or you can use the uses clause and the Create constructor: Uses OutlookSecMan; … SecurityManager := TOlSecurityManager.Create(nil);
Example #1 – Outlook Add-ins The first example is an Outlook COM add-in based on Add-in Express for Microsoft Office and VCL (http://www.add-in-express.com/add-in-delphi/). You can find the example at http://www.add-inexpress.com/downloads/osm.php.
16
Add-in Express™ www.add-in-express.com
Outlook Security Manager
The VCL Edition
Microsoft claims that COM add-ins can be trusted and this completely solves the security problem. Aha! We have tried this many times; but trusted add-ins work in Outlook 2003-2013 only. However, even in these Outlook versions you may get security warnings when accessing the CurrentUser property in the Outlook + Exchange environment (if specified by the Exchange administrator). This add-in adds a new command bar with three buttons to the Explorer window. The first button is a switcher that disables or enables Outlook Security, the second button shows Outlook contacts, and the third one shows the details of a selected message. When Outlook Security is enabled (by default), you get a security message when clicking the contact or details buttons. If you disable Outlook Security the alert message doesn’t appear.
And here's how this works. Open the add-in project in the Delphi IDE and then open the add-in module. You can find the SecurityManager component, an instance of the TOlSecurityManager class. In the DoEnumContacts and DoGetInfo methods of the add-in module, you can see the following lines:
17
Add-in Express™ www.add-in-express.com
Outlook Security Manager
The VCL Edition
if CmdBar.Controls[0].AsButton.State = adxMsoButtonDown then SecurityManager.DisableOOMWarnings := True; try …some actions with protected Outlook objects… finally if CmdBar.Controls[0].AsButton.State = adxMsoButtonDown then SecurityManager.DisableOOMWarnings := False; end;
The first “if” sentence disables Outlook Security if the security button is down. The “finally” section enables Outlook Security. Between these lines there is a code that uses protected Outlook objects. That’s all. Just remember that the DisableOOMWarnings property of the TOlSecurityManager class disables Outlook Security when you use protected objects from the Outlook Object Model (OOM) and if you set this property to True. Also remember that you must turn on Outlook Security inside the “finally” section. You should be aware that Outlook Security Manager may potentially open a door for unsafe content. To avoid this you must enable Outlook security in a protected finalization code after each elementary call of the protected objects as shown in the example above. This is how you disable Outlook Security when using protected Outlook objects. But you can disable Outlook Security when you use protected CDO objects or protected Simple MAPI functions. Just
use
other
properties
of
TOlSecurityManager,
namely
DisableCDOWarnings
and
DisableSMAPIWarnings. We will not comment the whole code of this add-in and give you an opportunity to examine it yourself.
Example #2 – Automate Outlook You can find this example at http://www.add-in-express.com/downloads/osm.php. This example shows how to use Outlook Security Manager from applications that automate Outlook. With this application you can send messages using Outlook as a “mail engine”.
18
Add-in Express™ www.add-in-express.com
Outlook Security Manager
The VCL Edition
In this project, there is one form that mimics the Outlook Mail window with an Outlook Security toggle button.
If you click this toggle button, you disable Outlook Security and this application can send a message. Otherwise, it will not be able to send it and will fire this warning:
As well as in Example #1 – Outlook Add-ins above, protected Outlook objects are used here. To disable Outlook Security we use the DisableOOMWarnings property. But there is one peculiarity here. To use Outlook Security Manager inside an application interacting with Outlook, you should connect it to Outlook.Application used by this application. To do this, you can use the ConnectTo method of the TOlSecurityManager class. For example (you can find this code in the form): var
19
Add-in Express™ www.add-in-express.com
Outlook Security Manager
The VCL Edition
Outlook: Outlook2000.TOutlookApplication; begin Outlook := TOutlookApplication.Create(nil); SecurityManager.ConnectTo(Outlook.Application); SecurityManager.DisableOOMWarnings = True;; try …some actions with protected Outlook objects… finally SecurityManager.DisableOOMWarnings := False; Outlook.Free; end;
Thus, if you want to disable Outlook security use Outlook Security Manager and remember to call the ConnectTo method before disabling Outlook Security. We remind you once again. Please always turn on Outlook Security inside the “finally” section. You should be aware that Outlook Security Manager may potentially open a door for unsafe content. To avoid this, you must enable Outlook security in a finalization code after each elementary call of the protected objects as shown in the example above.
Deployment To deploy your software that uses Outlook Security Manager, include the secman.dll and secman64.dll files into your setup package and, depending on the Outlook version installed on the target PC, register one of them as a COM object. You need to register secman64.dll only for 64bit Outlook 2010-2013. You can find the Outlook 2010-2013 bitness by checking the Bitness value in the registry key below; if the value is "x64", register secman64.dll, otherwise, register secman.dll. The registry key to check is: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\{14 or 15}.0\Outlook To register secman.dll (secman64.dll), you can use the regsvr32 utility or options of your installer. Note that administrative permissions are required to register these files. Pay attention, please, that you should place secman.dll (secman64.dll) as a shared DLL into the shared folder of Windows, Common Files \ Outlook Security Manager. Do not unregister secman.dll (secman64.dll) if it existed before installing your product. You can find the complete information
20
Add-in Express™ www.add-in-express.com
Outlook Security Manager
The VCL Edition
about deploying shared files on the MSDN website: Windows 2000 Application Specifications: Component Sharing You can find the redistributable versions of secman.dll and secman64.dll files in the Redistributable subfolder of the Outlook Security Manager folder.
Attention! You should understand that Outlook Security Manager may potentially open a door for unsafe content. To avoid this you must enable Outlook security in a finalization code after each elementary call of the protected objects as shown in the examples above.
The TOlSecurityManager Class The TOlSecurityManager class is a wrapper over the Outlook Security Manager COM object. Its properties allow a developer to disable / enable Outlook security warnings for Outlook objects interoperability, CDO and Simple MAPI calls.
DisableCDOWarnings Disables / enables security warnings when using protected CDO objects. public property DisableCDOWarnings: boolean default False;
Set this property to True to disable Outlook security warnings when you call protected CDO objects.
DisableOOMWarnings Disables / enables security warnings when using protected Outlook objects. public property DisableOOMWarnings: boolean default False;
Set this property to True to disable Outlook security warnings when you call protected Outlook objects.
21
Add-in Express™ www.add-in-express.com
Outlook Security Manager
The VCL Edition
DisableSMAPIWarnings Disables / enables the security warnings when using Simple MAPI functions. public property DisableSMAPIWarnings: boolean default False;
Set this property to True to disable Outlook security warnings when you call Simple MAPI functions.
Check Checks the possibility of disabling Outlook security warnings. public function Check(const AKind: TosmWarningKind): TosmResult; type TosmWarningKind = (osmObjectModel, osmCDO, osmSimpleMAPI); TosmResult = (osmOK, osmDLLNotLoaded, osmSecurityGuardNotFound, osmUnknownOlVersion, osmCDONotFound);
Determines the possibility of disabling security warnings for the security kind specified by the AKind parameter. The AKind parameter can be: osmObjectModel – the possibility will be determined for protected Outlook objects. osmCDO - the possibility will be determined for protected CDO objects. osmSimpleMAPI - the possibility will be determined for protected Simple MAPI function.
The Check function returns one of the following values: osmOK – Outlook Security can be disabled. osmDLLNotLoaded – Outlook Security cannot be disabled because Outlook Security Manager is not registered. osmSecurityGuardNotFound – Outlook Security cannot be disabled. osmUnknownOlVersion – Outlook Security cannot be disabled because Outlook Security Manager cannot determine the Outlook version. osmCDONotFound - Outlook Security cannot be disabled because CDO is not installed.
22
Add-in Express™ www.add-in-express.com
Outlook Security Manager
The VCL Edition
ConnectTo Connects to an existing Outlook.Application object. public procedure ConnectTo(OutlookApp: OleVariant);
Call this method if and only if both of the following conditions are met:
If your code uses the Outlook Object Model
If your code runs in a process other than Outlook
That call must be performed before the first use of the DisableOOMWarnings property.
Disconnect Disconnects from the previously connected Outlook Application Object. public procedure Disconnect(OutlookApp: OleVariant);
23
Add-in Express™ www.add-in-express.com
Outlook Security Manager
The ActiveX Edition
The ActiveX Edition
The examples described below are developed in Visual Basic 6 (VBA). You can use the following code to create an instance of Outlook Security Manager: Dim SecurityManager As Object Set SecurityManager = CreateObject("AddInExpress.OutlookSecurityManager")
Example #1 – Outlook Add-ins The first example is an Outlook COM add-in developed in Visual Basic 6 (VBA) and based on the standard add-in approach. You can find it at http://www.add-in-express.com/downloads/osm.php. Microsoft claims that COM add-ins can be trusted and this completely solves the security problem. Aha! We have tried this many times; but trusted add-ins work in Outlook 2003-2013 only. However, even in these Outlook versions you may get security warnings when accessing the CurrentUser property in the Outlook + Exchange environment (if specified by the Exchange administrator). This add-in adds a new command bar with three buttons to the Explorer window. The first button is a switcher that disables or enables Outlook Security, the second button shows Outlook contacts, and the third one shows the details of a selected message. When Outlook Security is enabled (by default) you get a security message when clicking the contact or details buttons. If you disable Outlook Security the alert message doesn’t appear.
24
Add-in Express™ www.add-in-express.com
Outlook Security Manager
The ActiveX Edition
Here's how this works. Open the add-in project in the VB IDE (VBA IDE) and then open the Connect
module.
You
can
find
the
SecurityManager
variable,
an
instance
of
the
AddInExpress.OutlookSecurityManager COM object. In the Click event handlers, you can see the following lines: SecurityManager.DisableOOMWarnings = True On Error Goto Finally …some actions with protected Outlook objects… Finally: SecurityManager.DisableOOMWarnings = False
The first “if” sentence disables Outlook Security if the security button is down. The “finally” section enables Outlook Security. Between these lines there is a code that uses protected Outlook objects. That’s all. Just remember that the DisableOOMWarnings property of the OutlookSecurityManager object disables Outlook Security when you use protected objects from the Outlook Object Model (OOM) and if you set this property to True. Also remember that you must turn on Outlook Security inside the “finally” section. You should be aware that Outlook Security Manager may potentially open a door for unsafe content. To avoid this you must enable Outlook security in a finalization code after each elementary call of the protected objects as we showed in the example above. This is how you disable Outlook Security when using protected Outlook objects. But you can disable Outlook Security when you use protected CDO objects or protected Simple MAPI functions.
25
Add-in Express™ www.add-in-express.com
Outlook Security Manager
The ActiveX Edition
Just use other properties of OutlookSecurityManager, namely DisableCDOWarnings and DisableSMAPIWarnings. We will not comment the whole code of this add-in and give you an opportunity to examine it yourself.
Example #2 – Automate Outlook You can find the second example at http://www.add-in-express.com/downloads/osm.php. This example shows how to use Outlook Security Manager from applications that automate Outlook. With this application you can send messages using Outlook as a “mail engine”. In this project there is one form, a small copy of the Outlook Mail window, with an Outlook Security switcher.
If you check the OFF radio button, you disable Outlook Security and this application can send a message. Otherwise, it will not be able to send it and will fire this warning:
26
Add-in Express™ www.add-in-express.com
Outlook Security Manager
The ActiveX Edition
As well as in Example #1 – Outlook Add-ins above, protected Outlook objects are used here. To disable Outlook Security we use the DisableOOMWarnings property. But there is one specificity here. To use Outlook Security Manager inside an application interacting with Outlook, you should connect it to Outlook.Application used by this application. To do this, you can use the ConnectTo method of the OutlookSecurityManager object. For example (you can find this code in the form): Dim Outlook As Object Set Outlook = CreateObject(“Outlook.Application”) SecurityManager.ConnectTo Outlook SecurityManager.DisableOOMWarnings = True On Error Goto Finally …some actions with protected Outlook objects… Finally: SecurityManager.DisableOOMWarnings = False Set Outlook = Nothing
Thus, if you want to disable Outlook security, use Outlook Security Manager and remember to call the ConnectTo method before disabling Outlook Security. We remind you once again. Please always turn on Outlook Security inside the “finally” section. You should be aware that Outlook Security Manager may potentially open a door for unsafe content. To avoid this, you must enable Outlook security in a finalization code after each elementary call of the protected objects as shown in the example above.
27
Add-in Express™ www.add-in-express.com
Outlook Security Manager
The ActiveX Edition
Deployment To deploy your software that uses Outlook Security Manager, include the secman.dll and osmax.ocx as well as secman64.dll and osmax64.ocx files into your setup package and, depending on the Outlook version installed on the target PC, register one of the pairs as COM objects. You need to register osmax64.ocx and secman64.dll only for 64bit Outlook 2010-2013. You can find the Outlook 2010-2013 bitness by checking the Bitness value in the registry key below; if the value is "x64", register secman64.dll and osmax64.ocx, otherwise, register secman.dll and osmax.ocx. The registry key to check is: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\{14 or 15}.0\Outlook To register, you can use the regsvr32 utility or special options of your installer; administrative privileges are required. Note that for a standalone application (not an Outlook add-in!), the bitness of the application must be the same as that of Outlook, not the bitness of the operating system. That is, the application must be 32-bit if used for Outlook 2000-2007 and Outlook 2010-2013 32-bit; it must be 64-bit if used for Outlook 2010-2013 64-bit. Please pay attention that you should place secman.dll, secman64.dll, osmax.ocx, and osmax64.ocx as shared DLLs into the shared folder of Windows, Common Files \ Outlook Security Manager. Please do not unregister them if they existed before installing your product. You can find the complete information about deploying shared files on the MSDN website: Windows 2000 Application Specifications: Component Sharing You can find the redistributable versions of secman.dll, secman64.dll, osmax.ocx and osmax64.ocx in the Redistributable subfolder of the Outlook Security Manager folder.
Attention! You should understand that Outlook Security Manager may potentially open a door for unsafe content. To avoid this, you must enable Outlook security in a finalization code after each elementary call of the protected objects as shown in the examples above.
28
Add-in Express™ www.add-in-express.com
Outlook Security Manager
The ActiveX Edition
The OutlookSecurityManager Object The OutlookSecurityManager class is a wrapper over the Outlook Security Manager COM object. Its properties allow a developer to disable / enable Outlook security warnings for Outlook objects interoperability, CDO and Simple MAPI calls.
DisableCDOWarnings Disables / enables security warnings when using protected CDO objects. public property DisableCDOWarnings As Boolean
Set this property to True to disable Outlook security warnings when you call protected CDO objects.
DisableOOMWarnings Disables / enables the security warnings when using protected Outlook objects. public property DisableOOMWarnings As Boolean
Set this property to True to disable Outlook security warnings when you call protected Outlook objects.
DisableSMAPIWarnings Disables / enables the security warnings when using Simple MAPI functions. public property DisableSMAPIWarnings As Boolean
Set this property to True to disable Outlook security warnings when you call Simple MAPI functions.
Check Checks the possibility of disabling Outlook security warnings. public function Check(AKind As Integer) As Integer
29
Add-in Express™ www.add-in-express.com
Outlook Security Manager
The ActiveX Edition
Determines the possibility of disabling security warnings for the security kind specified by the AKind parameter. The AKind parameter can be: osmObjectModel – the possibility will be determined for protected Outlook objects. osmCDO - the possibility will be determined for protected CDO objects. osmSimpleMAPI - the possibility will be determined for protected Simple MAPI function.
The Check function returns one of the following values: osmOK – Outlook Security can be disabled. osmDLLNotLoaded – Outlook Security cannot be disabled because Outlook Security Manager is not registered. osmSecurityGuardNotFound – Outlook Security cannot be disabled. osmUnknownOlVersion – Outlook Security cannot be disabled because Outlook Security Manager cannot determine the Outlook version. osmCDONotFound - Outlook Security cannot be disabled because CDO is not installed.
ConnectTo Connects to an existing Outlook.Application object. public sub ConnectTo(OutlookApp As Object)
Call this method if and only if both of the following conditions are met:
If your code uses the Outlook Object Model
If your code runs in a process other than Outlook
That call must be performed before the first use of the DisableOOMWarnings property.
Disconnect Disconnects from the previously connected Outlook Application Object. public sub Disconnect(OutlookApp As Object)
30
Add-in Express™ www.add-in-express.com