Time by Ping uses the supported MAPI API interface on Microsoft Outlook to access email and calendar information for timekeeping. Under normal operations and the default security settings in Outlook and Windows 10, the user will not see any warning messages from Time by Ping using the MAPI API for access. However if the AV software on the machine is not functioning correctly or out of date, or if the administrator has changed the default security setting in windows to always prompt, the user will see a dialog similar to the screenshot below.
Resolving this depends on whether your timekeeper is using Windows Desktop OS (Windows 10) or Windows Server OS (Server 2016, 2019).
Windows 10 Resolution steps
- Determine the settings for Outlook allowing programmatic access to email information in outlook. This can be done by navigating Outlook -> File -> Options -> Trust Center -> Trust Center Settings - > Programmatic access
Once you open the Programmatic Access Security page, check the settings. If the setting is set to always warn, this is the issue. Please change the setting back to “Warn me about…” which is the default and recommended setting. To change this setting back you have to close outlook and run as administrator or have the domain admin change the setting in group policy.
If the setting is set to “Warn Me…” check the Antivirus status section below. If it is invalid, this is the problem. To address the problem please ensure valid antivirus is enabled, up to date, and functional on the machine.
If the problem still intermittently occurs, the problem is likely that the AV software is reporting to windows that it is enabled and disabled in short periods when Time by Ping attempts to access outlook through the API. You can see this in the windows security center event logs. Check the windows event viewer for error logs with the AV software. To do this run “Event Viewer” and check the WindowsLogs/Application section, and sort the events by Source looking for SecurityCenter events that have Errors from the AV Product.
See the MS Support article Program is trying to send an e-mail message on your behalf - Outlook for more information.
Windows Server OS
When Time By Ping is installed on Windows Server session-based virtualization (RDP/Terminal Services), users receive an outlook warning that the mailbox is being programmatically accessed. This is being caused by an outlook security feature that is not supported on Windows Server 2016 and the outlook security setting must be modified.
This feature works as expected with no user prompts in full VDI based environments as well as laptops and desktops. In these environments, the OS is Windows 10 and the Outlook security feature works as intended and is supported. The issue occurs when using session-based virtualization, which is described in the MS doc Welcome to Remote Desktop Services in Windows Server 2016.
The session based virtual environments run on Windows Server 2016/2019 and the issue occurs since Windows Server 2016/2019 does not support Windows Security center. See the MS Support articles Outlook Trust Center shows antivirus status as unavailable - Outlook and Program is trying to send an e-mail message on your behalf - Outlook.
This Outlook security feature was added around 2010 to prevent machines without AV running from having mass spreading worms programmatically accessing the address book and propagating to all the addresses. This feature checks if AV is on the system, then allows programmatic access, but this is not possible to do in Windows Server 2016 and above since the security center feature is not present on that OS.
Why this change will not lower the security posture of your servers
It will be safe to change this security setting without decreasing your security posture environment for the following reasons.
- The feature only checks if an AV product is on and active when outlook is programmatically accessed.
- There are already multiple protections to ensure any Windows 2016/2019 server has security on and active. See Now available: Windows Server 2016 Security Guide! - Windows Server Blog.
- Individual users in the sessions can not disable AV software, only a server admin can.
- If security is not active, the server is already in a large beach of security policy and has high elevated risk that must be immediately remediated.
First, update your registry to have Outlook use the security policy from GPO settings. In HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\Outlook\Security, set the AdminSecurityMode key to type DWORD and value 3. See Outlook Security Mode for more details.
Second, update your GPO policies for the affected timekeepers as follows. Set the following policies under Microsoft Outlook 2016/Security/Security Form Settings/Programmatic Security to “Enabled” and “Automatically Approve”:
- Configure Outlook object model prompt when accessing an address book
- Configure Outlook object model prompt When accessing the Formula property of a UserProperty object
- Configure Outlook object model prompt when executing Save As
- Configure Outlook object model prompt when reading address information
- Configure Outlook object model prompt when responding to meeting and task requests
- Configure Simple MAPI message opening prompt
- Configure Simple MAPI name resolution prompt
To updating policies & verify changes, in the timekeeper’s Windows account, open cmd and run gpupdate.Print policies using gpresult -h report.html, open report.html, and navigate to Settings → Policies → Administrative Templates → Microsoft Outlook 2016/Security/Security Form Settings/Programmatic Security. The report for Microsoft Outlook 2016/Security/Security Form Settings/Programmatic Security should appear as follows.