Any Build/Cooked ROM work with Exchange 2007? - Mogul, XV6800 ROM Development

Hey Everyone -
I hate the sprint stock ROM but it is the only one that will work with Exchange 2007.
Is there any cool cooked ROM/Build that works with Exchange 2007?
Thank you

DCD 3.2.6 syncs with my exchange 2007

All of DCD's
I have used all of DCD's roms and Scott Rosler Reloaded roms with exchange 07 no issues with any of them...

owa works fine for me

I am an Exchange Administrator and I have never had a problem with new WinMo builds syncing with my Exchange 2k7 clusters. Going forward, I anticipate WinMo to drop support for Exchange 2k3 syncing. It's just not as neat, tidy, secure, fast, etc as Exchange 2k7. But that thought is very far fetched, just my thoughts.
Anyway, I have run every Titan ROM put out through XDA and never had an issue with Exchange 2k7. Of course, I use nothing but secure activesync and have full "Autodiscovery" setup with the proper exchange certificates on all the domains, matching the domain names properly, etc. So that could be part of everyone's issue with Autodiscovery not working or the certificates not matching the domains they were issued for, etc.

djbeames said:
> I am an Exchange Administrator and I have never had a problem with new WinMo builds syncing with my Exchange 2k7 clusters. Going forward, I anticipate WinMo to drop support for Exchange 2k3 syncing. It's just not as neat, tidy, secure, fast, etc as Exchange 2k7. But that thought is very far fetched, just my thoughts.
> Anyway, I have run every Titan ROM put out through XDA and never had an issue with Exchange 2k7. Of course, I use nothing but secure activesync and have full "Autodiscovery" setup with the proper exchange certificates on all the domains, matching the domain names properly, etc. So that could be part of everyone's issue with Autodiscovery not working or the certificates not matching the domains they were issued for, etc.
I can second everything djbeames said.

Precisely accurate. I too administer 2k7, and agree that the autodiscovery component is key.

djbeames said:
> I am an Exchange Administrator and I have never had a problem with new WinMo builds syncing with my Exchange 2k7 clusters. Going forward, I anticipate WinMo to drop support for Exchange 2k3 syncing. It's just not as neat, tidy, secure, fast, etc as Exchange 2k7. But that thought is very far fetched, just my thoughts.
> Anyway, I have run every Titan ROM put out through XDA and never had an issue with Exchange 2k7. Of course, I use nothing but secure activesync and have full "Autodiscovery" setup with the proper exchange certificates on all the domains, matching the domain names properly, etc. So that could be part of everyone's issue with Autodiscovery not working or the certificates not matching the domains they were issued for, etc.
Two questions:
1. Do you have the setting "Allow Non-provisionable" devices checked?
2. Do you have the "remote wipe" capability enabled?
It works when they allow non-provisionable devices. Our Exchange admin tested it with me. But when he unchecks then it stops working.
Something to do with the newer ROMs not setup to allow provisioning.
And I have tried full automatic, manual and any other way you think of to test.
Thanks guys!

arifiano said:
> Two questions:
> 1. Do you have the setting "Allow Non-provisionable" devices checked?
> 2. Do you have the "remote wipe" capability enabled?
> It works when they allow non-provisionable devices. Our Exchange admin tested it with me. But when he unchecks then it stops working.
> Something to do with the newer ROMs not setup to allow provisioning.
> And I have tried full automatic, manual and any other way you think of to test.
> Thanks guys!
I don't think it has anything to do with that. What "non-provisionable devices" refers to is: A device is considered "non-provisionable" if it cannot apply ALL security policies set by Exchange 2k7. In Exchange 2k7 SP1 Enterprise, there are a TON of settings that are NOT supported by WM 6.1, or even 6.5 (at this time). So if you are wanting to use Exchange 2k7 with ANY device at this time and provision over half the settings, you will HAVE to enable non-provisionable devices.
Here is a link to a matrix of what versions of WM support what:
http://blogs.msdn.com/jasonlan/archive/2007/12/04/exchange-activesync-policies-summary.aspx
And a technet article directly referring to what "is compatible" and what "isn't":
http://technet.microsoft.com/en-us/library/bb232162.aspx
Now. To answer your questions:
1) Yes, I have non-provisionable enabled. You have to.
2) Remote wipe is enabled on all devices. It's an integral part of Exchange 2007. I, on my personal OWN activesync profile, do not require a password. This makes it much easier for me to unlock my phone.. however, I can still do a Remote Wipe. Everyone can.
So to sum it up, you, or your exchange admin (I forgot who you said it was), have created an ActiveSync Profile with some of the settings enabled that current windows mobile (including latest 6.5 builds) do not support yet. You will have to uncheck those options, OR, simply allow non-provisionable devices. ActiveSync will still apply the policies it can, but will just skip the ones it can't apply.
Understand?
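
An Exchange-side view of the choice described in the post above, as an added example that is not part of the thread: rather than allowing non-provisionable devices for everyone, an administrator can audit which policies are strict and bind a pilot mailbox to a policy limited to basic password settings. The policy name `WM-Baseline` and the mailbox `jdoe` are hypothetical, and whether a given device enforces every setting in that policy is an assumption to check against the compatibility matrix linked above.

```powershell
# Added example for the Exchange Management Shell (Exchange 2007 SP1 or later).
# "WM-Baseline" and "jdoe" are hypothetical placeholders, not values from the thread.

# 1. List every ActiveSync policy and whether it rejects devices that
#    cannot enforce all of its settings.
Get-ActiveSyncMailboxPolicy |
    Select-Object Name, AllowNonProvisionableDevices, DevicePasswordEnabled,
                  AlphanumericDevicePasswordRequired, MinDevicePasswordLength,
                  MaxInactivityTimeDeviceLock |
    Format-Table -AutoSize

# 2. Find the mailboxes bound to a strict policy, i.e. the users whose
#    devices are refused when any single setting is unsupported.
$strict = Get-ActiveSyncMailboxPolicy |
    Where-Object { $_.AllowNonProvisionableDevices -eq $false } |
    ForEach-Object { $_.Name }

Get-CASMailbox -ResultSize Unlimited |
    Where-Object {
        $_.ActiveSyncEnabled -and
        $_.ActiveSyncMailboxPolicy -and
        ($strict -contains $_.ActiveSyncMailboxPolicy.Name)
    } |
    Select-Object Name, ActiveSyncMailboxPolicy

# 3. Create a policy that still refuses non-provisionable devices but only
#    sets password and lock options (assumed to be enforceable by the
#    target devices; verify before rollout).
New-ActiveSyncMailboxPolicy -Name "WM-Baseline" `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true `
    -MinDevicePasswordLength 4 `
    -MaxInactivityTimeDeviceLock "00:15:00"

# 4. Bind one pilot mailbox to it.
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "WM-Baseline"

# 5. After the device's next sync, confirm which policy it acknowledged.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Select-Object DeviceType, DeviceUserAgent, DevicePolicyApplied,
                  LastPolicyUpdateTime, LastSuccessSync
```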

djbeames said:
> I don't think it has anything to do with that. What "non-provisionable devices" refers to is: A device is considered "non-provisionable" if it cannot apply ALL security policies set by Exchange 2k7. In Exchange 2k7 SP1 Enterprise, there are a TON of settings that are NOT supported by WM 6.1, or even 6.5 (at this time). So if you are wanting to use Exchange 2k7 with ANY device at this time and provision over half the settings, you will HAVE to enable non-provisionable devices.
> Here is a link to a matrix of what versions of WM support what:
> http://blogs.msdn.com/jasonlan/archive/2007/12/04/exchange-activesync-policies-summary.aspx
> And a technet article directly referring to what "is compatible" and what "isn't":
> http://technet.microsoft.com/en-us/library/bb232162.aspx
> Now. To answer your questions:
> 1) Yes, I have non-provisionable enabled. You have to.
> 2) Remote wipe is enabled on all devices. It's an integral part of Exchange 2007. I, on my personal OWN activesync profile, do not require a password. This makes it much easier for me to unlock my phone.. however, I can still do a Remote Wipe. Everyone can.
> So to sum it up, you, or your exchange admin (I forgot who you said it was), have created an ActiveSync Profile with some of the settings enabled that current windows mobile (including latest 6.5 builds) do not support yet. You will have to uncheck those options, OR, simply allow non-provisionable devices. ActiveSync will still apply the policies it can, but will just skip the ones it can't apply.
> Understand?
Yes I completely understand now. It makes complete sense. I talked to our Exchange Admin via email and he said it was corporate policy to not allow non-provisionable devices. We are an 80,000 employee company and according to him, I was the only one having the problem. So they won't change the policy just for me.
But it still makes no sense as to why my stock Sprint ROM works fine with exchange 2007. And the cooked ROMs don't. I think it has to be some sort of a registry fix on the Windows Mobile side that allows it to become provisionable. So even though Exchange 2007 has tighter security settings, it does work fine with the sprint stock WM 6.1 ROM.

Related

[Q] Multiple Exchange Sync Accounts?

I'd be grateful if someone in the know would clue me in:
Stock Android, I believe since 2.0, has supported multiple Exchange sync accounts (at least for email sync, and probably contacts). Running the Android emulator on the desktop, I can configure as many accounts as I please.
However... I just took delivery of a Samsung Fascinate (Verizon) and as hard as I try, I can't make it configure a second account (it dumps me into the 'edit' UI for the first account when I ask to create a second one).
So I tried an HTC Incredible that we have here. Same behavior !
Yet, when I Google search 'samsung galaxy s multiple exchange accounts', I find a bunch of people claiming to be using multiple accounts.
What's up with this? Am I just not doing the setup correctly, or did Samsung remove this capability from the devices recently ?
I also figured I could install the stock Android email app as a workaround, but that doesn't exactly seem to be a 'one-click' process. K-9 has no ActiveSync support, so that isn't useful.
Can't speak for anyone else, but I have yet to see any Android phone that supports multiple Exchange accounts out of the box. That's one of the reasons I bought Touchdown, as it supports multiple Exchange profiles. Of course, only one of them can be active at a time, but if I needed to have two accounts active simultaneously, I could use Touchdown for one, and the stock email app for the other. Oh, and just FYI, I didn't mean for this to become a Touchdown advertisement. ^^;
Sent from my SCH-I500 using XDA App
Actually, I have a Touchdown license so this is a good plan.
Presumably the situation is this : stock Android supports multiple accounts but none of the device vendor skins do, yet. Correct ? (and it isn't possible to manifest the stock Android behavior side-by-side with the vendor skin).
I was just coming in here to ask this question. I would like a way to get multiple exchange accounts too. Since it was supported in 2.0 on up I think we should be able to get this to work. Unless Samsung messed this up for us.
Hmm, I thought Sammy left the stock Android email app on the Fascinate, but it looks as though they modified it just enough to cripple it. :-(
Sent from my SCH-I500 using XDA App
There are actually good reasons NOT to do this. Corporate IT admins have massive problems with this, and because Google/Sammy/etc. are actually TRYING to work with corporate IT... you end up with this.
Outlook doesn't allow it either, nor does any other mail program which respects Activesync conventions.
It has to do with security... and compartmentalization.
The Droid X and the Droid supported 2nd Exchange accounts.
I'm sorry, but I disagree that this is a security issue. They are completely disparate accounts, and this functionality should be stock on all Android phones.
That said, the Samsung client is the worst of all of them, and Touchdown is the best option, IMHO.
Gurm said:
> There are actually good reasons NOT to do this. Corporate IT admins have massive problems with this, and because Google/Sammy/etc. are actually TRYING to work with corporate IT... you end up with this.
> Outlook doesn't allow it either, nor does any other mail program which respects Activesync conventions.
> It has to do with security... and compartmentalization.
Oh, really? That's interesting. I work on the helpdesk for an IT company that hosts Exchange servers (and much more) for dozens of clients, including numerous medical and financial institutions (i.e. security is a significant concern), and I have never heard about any such security issue. Please explain to me how being able to setup multiple Exchange accounts on a single device is such a huge security concern, and include links to references if possible, as I may want to present the information at our security meeting, which I'm actually attending tomorrow. No joke, that's my job, and I am on the security team.
Btw, Microsoft themselves eliminated the single Exchange account limitation with Outlook 2010. It's still not unlimited, but you can now have three Exchange accounts per Outlook profile. Oh, and did I mention that iOS 4 now also supports multiple Exchange accounts per device? So yeah, if you have any links to share about these alleged security nightmares, feel free to enlighten me.
Sent from my SCH-I500 using XDA App
8notime said:
> That said, the Samsung client is the worst of all of them, and Touchdown is the best option, IMHO.
While I tend to agree with you, I'd like to point out that I haven't seen any issues with actually reliably syncing with an Exchange server with the Fascinate, whereas the mail client on the original Droid was plagued with bugs, and while it improved later on, one of the more recent post-Froyo patches broke the ability to sync with Exchange 2010 (which has since been fixed).
Also, if I remember correctly, the helpdesk I work on got a bunch of calls from clients who bought the Droid X when it first came out, because it couldn't sync with Exchange 2003, which was a pretty serious bug. Motorola had apparently tested it thoroughly with Exchange 2007 and 2010, but never with 2003. It was so bad that they were giving away licenses for Touchdown for free to anyone that complained, until they were able to issue a patch for it.
Anyway, no mail client is perfect, and all have their pros and cons. Which stock one is better or worse depends on whether the features that don't work right matter to you or not. Me, I'll stick with Touchdown, which basically mops the floor with the stock mail clients, just in sheer volume of features alone.
Sent from my SCH-I500 using XDA App
IOS 4, android 2.* and up and WP7 all support multiple exchange accounts. Unfortunately Samsung messed this up for us.
I wonder if there is a way to pull the AOSP e-mail.apk and try that? Or if there would be another way around this.
Since someone got a little cranky I will elaborate on the security problem.
The issue is largely one of partition. Let me paint a scenario...
I am government contractor x. I provide you with exchange on your phone. Your phone very helpfully merges all your data together. That violates my policies. Additionally, your android device doesn't respect remote wipe, remote lock, or security policy for disclaimers, password complexity, etc.
But the biggest issue is that the exchange data isn't self-contained.
If the phone, client, or whatever provides partitioning of the data then multiple accounts becomes a possibility.
Essentially I as an exchange admin don't want some other company's mail cross pollinating with mine. And because my company is in Massachusetts, it's actually a violation of state law at this point to let our emails into someone else's system.
Outlook 2010 supports separate cache files, contact lists, and all other data... So it can do multiple accounts. The iphone doesn't, and neither does droid.
I love my android phone, but I cannot let the end users have them, because we can't secure the data. Full stop.
Sent from my SCH-I500 using XDA App
And yes, ios 4 and some iterations of droid do allow this, but not in a way that is kosher with either microsoft or your mail admins.
Sent from my SCH-I500 using XDA App
Hehe, I wasn't cranky. I just wanted some additional info to back up a rather vague, blanket statement about data security. I could go on to discuss security issues, but it looks like your concerns exist at a much higher level. If the Android platform as a whole is too insecure for you to allow, then whether or not a phone supports multiple Exchange accounts is irrelevant. That being the case, I won't draw this on much longer, as it's beginning to drift off topic.
Based on what you've listed as your security requirements, I believe Touchdown actually has a strong enough feature set to safely allow Android devices to work in your environment. It supports a healthy set of Exchange security policies, namely remote wipe, PIN/password policies, and complete data encryption (it even encrypts the data it stores on the SD card), and since it only allows one account per profile, and all data is contained within the application itself, and not mixed on the phone, the partition requirement is met. Plus, you can deploy a template that dictates desired config settings for the app, and locks them down to prevent users from changing them. Oh, and don't forget the added benefit of standardization, in that you would only have a single email app to support, regardless of which Android device end users have. The only real down side is the added cost, as it's extra software to buy. And for those wondering, no, I do NOT work for NitroDesk, the makers of Touchdown.
I apologize if I'm still failing to understand any of your points in all this. I do have an interest in security topics like this, and while I'm not completely ignorant, I'm by no means an expert either, not by a long shot. If you'd like to discuss this any further, feel free to PM me, so we don't get any further off topic in this thread. Thanks!
Gurm said:
> Essentially I as an exchange admin don't want some other company's mail cross pollinating with mine. And because my company is in Massachusetts, it's actually a violation of state law at this point to let our emails into someone else's system.
I have never in my life heard of this happening, nor is there any proof that it's technically possible. I get the whole concept of all data being on the same partition, but cross pollination? They are totally different accounts, with their own data stores.
If a company's security policy is this strict, they probably shouldn't have any phone connecting to their network, unless they have a device management tool in place that prohibits installation of any 3rd party apps unless they install them themselves. Oh and they should probably remove the camera too, if they're a government contractor with this much security in place.
I don't think the Fascinate was designed for a company like this.
Just to throw in my 2 cents. A division of the company I work for engineers nuclear plants and because of the strict government regulations only blackberries are permitted because other platforms are not secure enough.
Sent from my SCH-I500 using XDA App
8notime said:
> I have never in my life heard of this happening, nor is there any proof that it's technically possible. I get the whole concept of all data being on the same partition, but cross pollination? They are totally different accounts, with their own data stores.
Really? Your contact list isn't comprised of all the contacts from all the accounts? Do you keep strict track of which little yellow "new mail" envelope you've just pulled down? It can't happen? Think again.
> If a company's security policy is this strict, they probably shouldn't have any phone connecting to their network, unless they have a device management tool in place that prohibits installation of any 3rd party apps unless they install them themselves. Oh and they should probably remove the camera too, if they're a government contractor with this much security in place.
Yup. Guess why Blackberries are still the biggest corporate device? For exactly this reason. Why is there always a Blackberry variant with no camera? BINGO.
> I don't think the Fascinate was designed for a company like this.
No Droid or iPhone was.
Then why are we even having this conversation? We're talking about the Fascinate.
Also, we were talking about email, not contacts. Emails are stored in entirely different data stores. I don't have 1 giant inbox with emails from both accounts. They are totally separated.
8notime said:
> Then why are we even having this conversation? We're talking about the Fascinate.
> Also, we were talking about email, not contacts. Emails are stored in entirely different data stores. I don't have 1 giant inbox with emails from both accounts. They are totally separated.
Because Exchange isn't POP or IMAP. It's an entire comm system. It's not just mail, it's contacts and calendar and notes and public folders and a half dozen other things.
If you just want to sync the contents of two Exchange inboxes, sure there's no TECHNICAL reason you can't. But that's not how Exchange WORKS, typically. I'm sure you could write a client that does that, but as yet folks haven't.
You can go in and uncheck to sync the calendar and contacts, but new "events" will still arrive and have to be thrown out by the client. Essentially you would need to write MORE code to NOT have the entire system than you would to HAVE it.
I'm sorry but that isn't true. Like I said earlier, I was able to add more than one Exchange account - contacts, calendar, and email - on both my Droid and Droid X. One Exchange account for work, and the other a personal account through a hosted Exchange provider. There was no "cross pollination" between either account, and each had a completely separate inbox/data stores. So not only is it technically possible, the functionality is also available for use. Also, as a security professional, I think there are other real security concerns/vulnerabilities to focus on, than something that has never been proven to be one.
8notime said:
> I'm sorry but that isn't true. Like I said earlier, I was able to add more than one Exchange account - contacts, calendar, and email - on both my Droid and Droid X. One Exchange account for work, and the other a personal account through a hosted Exchange provider. There was no "cross pollination" between either account, and each had a completely separate inbox/data stores. So not only is it technically possible, the functionality is also available for use. Also, as a security professional, I think there are other real security concerns/vulnerabilities to focus on, than something that has never been proven to be one.
I understand that you have done it before. I've done it too on an iPhone. My point is that the capability to do so is not something that comes pre-cooked in an Exchange client. MS didn't do it until recently themselves. Given that a lot of the stuff in the Fascinate is pre-2.1 due to Samsung's pidgin kernel (really a 1.5 or 1.6 kernel hacked up for 2.1, from what I've read on here) I'm not at all surprised that functionality only recently available is missing.
Like I said - it takes more code to do it than not to do it... don't hold your breath for it from Samsung, although anything is possible in 2.2!

[Q] Help with Exchange email

Hey guys-
I had been using TouchDown Exchange to access my work email. When I first got android I asked my IT department if they could set it up for me but they replied that they "don't support Android, and because there are so many different android phones, they probably wouldn't ever support". Anyways, I found I could use the web-exchange server (http://xxx.xxxxxxxx.com/exchange/) as my domain on the android app and it would end up sync'ing my email to my phone.
I guess they eventually found out I was doing this somehow and they blocked it. They do support the iPhone, though, and through a coworker I was able to get the server and domain that they use.
Is there any way I can trick the server into thinking I'm using an iPhone so it will allow me to connect and sync? I tried using the "ActiveSync Device String" and setting it to "iPhone" before connecting to the server, but that didn't work. I don't know much about exchange servers if you couldn't tell, but is there a way they can authorize only certain users to connect? Could I potentially borrow my girlfriend's iPhone, have them set it up on her device, and then once I get the login permissions, switch the info over to my fascinate?
Sorry to any IT administrators out there, I bet this post will annoy you haha. I just want to have email on my phone because I hate walking into work in the morning and getting blindsided by an email that was sent to me at 2am.
Thanks in advance for your help guys.
Our IT department also has a "no android" policy but I figured out that if I left the Domain blank and used the Webmail url as the Exchange server address everything would sync perfectly. I started out using Touchdown but dropped it for the stock email client.
They specifically denied your phone from syncing via ActiveSync? Even with Touchdown, which more fully supports the ActiveSync protocol than even the iPhone? Sounds like your IT guys are morons. I can fully understand not wanting to support Android phones because of all the variances. I know, because I work for an ASP hosting company that does just that. But really, if they won't support Touchdown, they're just shooting themselves in the foot, because that app will work the same no matter what Android phone it's installed on, meaning you will have a standardized mail platform for Android that supports any and all necessary security features, including full encryption of the local mail database and any data it stores on the SD card.
I don't know if you'll get anywhere with it, but I would recommend showing them the feature list for Touchdown, including the security features, and ask them to support that one app. If you make the case that they only need to support one app for any Android phone, they should be willing to work with you on that.
Besides, every serious corporate user should be using Touchdown anyway. The stock mail client, no matter what Android phone you have, is lacking some of the most basic features, is buggy, and is essentially useless. And if data encryption is required, you're out of luck with the stock clients. Exchange syncing is really an afterthought by Google, and until they make enterprise features and data security a primary focus, things won't get any better.
Sent from XDA Premium on my Super Clean Fascinate
Oh, and btw, I'm not an expert on the matter, but I know that mobile device syncing can be disabled on a per-user basis. What I'm not sure about is if it can actually allow only certain devices to connect or not.
Sent from XDA Premium on my Super Clean Fascinate
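
On the question raised in the post above of whether access can be limited per user or per device, an added example (not part of the thread) of the Exchange Management Shell settings involved, assuming Exchange 2007 SP1 or later. The mailbox `jdoe` and the device ID are constructed placeholders.

```powershell
# Added example for the Exchange Management Shell; "jdoe" and the device ID
# below are constructed placeholders, not values from the thread.

# Per-user switch: turn ActiveSync off for one mailbox.
Set-CASMailbox -Identity "jdoe" -ActiveSyncEnabled $false

# Review the device partnerships a mailbox currently has, including the
# identifiers each client reported when it connected.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Select-Object DeviceID, DeviceType, DeviceUserAgent, LastSuccessSync

# Per-device restriction: re-enable ActiveSync but accept only the listed
# device ID for this mailbox.
Set-CASMailbox -Identity "jdoe" `
    -ActiveSyncEnabled $true `
    -ActiveSyncAllowedDeviceIDs "CONSTRUCTEDDEVICEID0001"

# Audit: mailboxes that can sync from any device because no allow list is set.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and $_.ActiveSyncAllowedDeviceIDs.Count -eq 0 } |
    Select-Object Name, ActiveSyncMailboxPolicy
```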

Did anyone get Exchange emails working yet? [CM 7.1.0]

SGH-i777 running CM 7.1.0 on Android 2.3.7. Carrier is obviously AT&T.
I can't for the life of me figure out how to add my Exchange account to the stock e-mail program. I've tried:
* Countless variations of server, domain, and username settings. I've followed this guide **can't post link** and several other guides. I do have access to my company's server information, and while I'm not sure which server is actually being used, I've tried them *all*, several times, and gotten nowhere. With a WiFI connection (no firewall) and just 3G data, signed in or signed out of Outlook Anywhere. No luck, just "Unable to open connection to server".
* K-9 connected to my account, but I was unable to see any e-mails - none would load, even when I had it force check. So I uninstalled it (would rather use the stock app anyway).
Is this a problem with my signal? I read that someone got help from their carrier - they made a custom APN, but that was in another country so I'm a bit skeptical. Can't call Samsung (it's Sunday) and their website offers no help. It's possible my IT doesn't allow phones to read mail, but that's highly unlikely - we've got lots of employees in the field, so this seems like common sense.
I did a lot of digging and this might be an old issue, but it gets pretty technical and I'm obviously a n00b.
What am I missing here???? PLEASE fill me in - I've put hours into this!!
It's quite possible that your IT group who manages your Exchange environment isn't allowing non-approved devices to connect. Typically these are security-certificate based and/or mandatory VPN requirements. I would suggest asking your Exchange administrator in your IT department about this policy.
Under Domain/username, did you try putting the "\" in front of your username? To configure mine I did this and had to use the host name as the Exchange server. Some things to try anyway if you haven't already.
Also ran into issues setting up under a public wifi at work, had to use the ATT network to make it connect for some reason.
I have my work exchange account set up.
Are you making sure to connect to the external exchange server (sometimes different from internal)?
Have you asked your administrator for exchange login details (my IT dept sent out a company-wide email once with those details)?
You might have to type the server name in manually if it doesn't auto-detect (the case with my work email).
Now, my work isn't as strict, but as the previous poster said; your exchange server might not allow unauthorized devices to connect. In which case you'll have to contact your IT dept.
They may have simply blocked all android devices (until recently didn't support hardware encryption, and spoofed exchange permissions). If that's true, educate them.
The server name may be a link rather than a server name. Ours is mibile.XXXXX.com for example.
probably related to your company's settings. I run my own exchange server and got it sync'd fine with the current cyanogen nightly
I had problems with the stock email and our ms exchange server. I could set it up, but after a while it stopped syncing and I could never really get it back to work. I switched to Touchdown, and after a little trial and error with setup, it's working fine for me. There is a trial version for 30 days or so that you could give a shot. Happy to give you some pointers.
AtlanM87 said:
> I had problems with the stock email and our ms exchange server. I could set it up, but after a while it stopped syncing and I could never really get it back to work. I switched to Touchdown, and after a little trial and error with setup, it's working fine for me. There is a trial version for 30 days or so that you could give a shot. Happy to give you some pointers.
+1 for touchdown. I've been using it for about a year. It's far superior to any exchange solution that Google offers. I only wish it would populate Google calendar as it does the Google contacts. The UI is getting dated as well. I wish they would come out with a cosmetic update or theme capability.
Sent from my SGH-I777 using xda premium

[Q] Exchange/ActiveSync on Android Permissions -- Options?

I asked this in XDA Android Q&A; posting to this Rezound Q&A as well in case there are any Rezound specific options that can be explored:
I've been debating configuring my personal phone to access my employer's Exchange server; I would be checking it on occasion-- more of a convenience thing to know what's up before I head in for the day.
Using the default Android Mail client and choosing ActiveSync and doing the setup, I inevitably reach a screen with the following:
> Activate security policies?
> Exchange security policies
> Your IT administrator requires that you activate these security policies in order to sync with your Exchange Server.
> Activating this administrator will allow the application Mail to perform the following operations:
> ! Erase all data
> Perform a factory reset, which deletes all of your data without any confirmation.
> ! Set password rules
> Restrict the types of passwords that you are allowed to use.
> ! Monitor screen-unlock attempts
> Monitor failed attempts to log into your device.
> ! Lock the screen
> Control when your device locks, requiring that you re-enter your password.
> ! Device function limitation
> Restrict some function on device like Wifi, Bluetooth, Camera etc.
Needless to say, this is highly unappealing for my personal phone-- way too much power for the Mail application.
So my questions-- what are my options?
-would a different Exchange connectivity application like Touchdown request those same permissions for access?
-would I be better off setting up ActiveSync on an alternate ROM and booting into that when I want to check work mail (not as frequently as some other users)?
-How far does that remote wipe control extend? Could they wipe the entire phone, including bootloader? Or is it just reference to internal storage? Could they wipe the external SD card?
-is there a way to revoke those permissions from the Mail application while retaining the ability to connect to the Exchange server?
vprasad1 said:
Needless to say, this is highly unappealing for my personal phone-- way too much power for the Mail application.
It is designed to protect corp data. If you don't want your personal phone under that control, then don't connect it. That is the choice you have.
So my questions-- what are my options?
-would a different Exchange connectivity application like Touchdown request those same permissions for access?
Nope. The policy is from the Exchange server's policies.
-would I be better off setting up ActiveSync on an alternate ROM and booting into that when I want to check work mail (not as frequently as some other users)?
Not sure how you would do this.
-How far does that remote wipe control extend? Could they wipe the entire phone, including bootloader? Or is it just reference to internal storage? Could they wipe the external SD card?
When you connect, if they have issued the wipe command, it wipes. Distance is not relative. Wipe is wipe.
-is there a way to revoke those permissions from the Mail application while retaining the ability to connect to the Exchange server?
No. They could have a different policy set up for different groups of users and have you in that group, but you would have to ask the administrator though.
The exchange policies are part of the requirements of connecting to that exchange server. The policies can be changed by the administrator by putting you into another group, but I doubt they will do that. They are there to protect corp data.
There are other ways that policies can be set up, but that needs to be done again by the administrator.
These types of policies are becoming more and more common as companies realize their contacts, email and attachments are valuable and need to be protected. A lot of people use two phones, one for corp and one for personal, not mixing the two.
Remote wipe and all is a feature of activesync, not necessarily exchange. So, according to what I'm reading, you can find an email client that supports exchange but not activesync and get around the permissions.
I am also interested in how far the wipe can extend. It says reset to factory, which would leave your SD card intact.
gthing said:
Remote wipe and all is a feature of activesync, not necessarily exchange. So, according to what I'm reading, you can find an email client that supports exchange but not activesync and get around the permissions.
I am also interested in how far the wipe can extend. It says reset to factory, which would leave your SD card intact.
As far as I am aware, the Exchange server CAN initiate a full wipe, if your company is on Exchange 2010. The wipe command can be found in OWA settings. The only way you can get around the permissions is to log in to OWA via your browser. The security settings are there for a reason, as mentioned above.
Microsoft works very hard with its partners to provide the best security possible. I do not think using Touchdown or another email client will allow you to circumvent security policies enforced by the Exchange server.
Sent from my Dell Streak 7 using Tapatalk 2
vprasad1 said:
So my questions-- what are my options?
-would a different Exchange connectivity application like Touchdown request those same permissions for access?
-would I be better off setting up ActiveSync on an alternate ROM and booting into that when I want to check work mail (not as frequently as some other users)?
-How far does that remote wipe control extend? Could they wipe the entire phone, including bootloader? Or is it just reference to internal storage? Could they wipe the external SD card?
-is there a way to revoke those permissions from the Mail application while retaining the ability to connect to the Exchange server?
I use TouchDown for my work e-mail, and while I have never had any administrators use remote wipe, I will let you know my experiences:
-There is an option in the settings screen for "Clean SD card on remote wipe." It's unchecked by default. I assume a remote wipe will only clear TouchDown related data, but am not 100% sure of it. At the very least this option implies that it won't normally wipe your SD card as well.
-TouchDown will ask for the same permissions. However, unlike the default mail application, which will force your whole phone to be pin locked, TouchDown will only force you to enter a pin when you open the application. This feature is nice if you don't want to always enter in a pin to unlock your phone but also want Exchange e-mail.
-As the policies are set on the ActiveSync server, there's no way to get around revoking the permissions.
If you search for it enough, you can probably find a modified mail app that doesn't require these security permissions. I know I've seen one that works with CleanRom and I use it on ICS Business Sense. No lockscreen pin required either and no device administrator.
http://forum.xda-developers.com/showthread.php?t=1456425
Sent from my ADR6425LVW using XDA
Just created the account to reply to this thread.
I too am looking for a solution to avoid giving my employer the access rights to wipe my phone, and I just wanted to comment that IMO, theoretically it is not because this setting is on server side that it can't be avoided.
Android can give whatever permissions the server asks for then totally ignore the commands when they eventually come. That would probably require some coding to simulate executing the command without actually doing it, and it would definitely require root access to do this, but I do not see how that would be impossible on Android or on one of its mods.
Now obviously this is not something I'm going to waste time on. If it can't be done, my pro account will not be on my phone. That was me trying to do something for my employer, but if they don't want me to see my mails on weekends, I won't be fool enough to complain.
I'm in a similar situation. With ICS, at least it gave me the ability to only have to enter a PIN after 15 minutes or something when your phone is locked. Prior to that with GB, every screen unlock required the PIN.
I do use a modified Mail.apk, but in a sense, I'm contributing to the problem of my company not allowing android phones on their network, because there are just so many workarounds like this.
LBE Security Guard may be able to inhibit the permissions, though I wouldn't want to have to depend on that as a last line of defense right before my device is potentially WIPED!
There has to be some better solutions to control it on the client side...
My admins at work say they will not change the exchange policy.
They said it comes with Exchange Server 2010 as the default settings, but they won't change it. They have actually tested the remote wipe and it works instantly. They claim they can remote 'unwipe' it as well, but I gave an analogy about formatting drives (quick format vs. full format) that they couldn't answer.
I told them I'm concerned about anyone having that much power over personal "BYOD" phones, and the possibility of someone accidentally or maliciously wiping my device.
They said the policy will not be changed.
Does anyone know of other 3rd party mail OR calendar programs that will update my calendar without allowing these INSANE permissions? Thanks.
I've recently bought a new phone and found these ridiculous permissions when I went to sync with my work exchange.
There must be apps available or possible to develop because the email app on my old phone doesn't ask for these permissions. Unfortunately it isn't available to download, just the default app with that phone.
worldheroes said:
I've recently bought a new phone and found these ridiculous permissions when I went to sync with my work exchange.
There must be apps available or possible to develop because the email app on my old phone doesn't ask for these permissions. Unfortunately it isn't available to download, just the default app with that phone.
There are several mail programs in the Google Play store, if you search for 'exchange email'.
I saw:
k-9 mail
touchdown
exchange exmail
maildroid
and so on...
k-9 had the best ratings and is open source so I tried it, but it couldn't connect to my exchange server. I got an error during setup:
'Setup could not finish, cannot connect to server. (ioexception)'
Please let me know if you have better luck with any exchange program!
The best choice for you is to install OWA from the play store (outlook web) and that will get you contacts, push mail and calendars without having to accept the exchange policies. All you have to do is point it to your company's webmail page and log in.
I searched for OWA in the Play store but didn't find the one you mentioned. (see attachment) Is it a free app?
I have the first one by WWO. It gets the job done. 5 bucks well spent. I'm sure it can be side loaded if you'd like to test the functionality first.
Daistaar said:
I have the first one by WWO. It gets the job done. 5 bucks well spent. I'm sure it can be side loaded if you'd like to test the functionality first.
At the risk of asking a silly question - how would I get it to test it?
Might want to try this:
http://forum.xda-developers.com/showthread.php?t=1965468
Thanks - the link to the ICS Email APK with Exchange Security removed was exactly what I needed!
I wish that app would be maintained with the current version and be put in the google play store!
If I activate the device administration can I undo it? Can I deactivate it and go back to life as usual?
quarksurfer said:
If I activate the device administration can I undo it? Can I deactivate it and go back to life as usual?
Yes, delete the account in question.

[Q] Synching with two exchange servers with security policy conflict

I have the following problem:
I have an SGS2 with the latest ICS release (rooted). I work with two companies supporting sync with the exchange server (2010) on a smartphone.
I can set up both exchange servers at the same time. The first day they both work, but on the second day one of the two (so far always the same) starts giving me connection errors, and will no longer sync emails.
I am almost sure that the problem is that for security reasons, both want to have their security policy (admin privileges etc) enforced over my phone, and when they re-check daily they find that the policy is not as they want it.
Can anyone suggest a way to overcome this?
Thanks,
Geza
It could possibly be the Certificate of said company that's configured incorrectly.
Speak to the IT department to check this for you.
I've set the client to accept all certificates, furthermore it works on day 1, stops working on day 2.
Would the certificate problem still be a viable explanation?
