I'd be grateful if someone in the know would clue me in:
Stock Android, I believe since 2.0, has supported multiple Exchange sync accounts (at least for email sync, and probably contacts). Running the Android emulator on the desktop, I can configure as many accounts as I please.
However... I just took delivery of a Samsung Fascinate (Verizon) and as hard as I try, I can't make it configure a second account (it dumps me into the 'edit' UI for the first account when I ask to create a second one).
So I tried an HTC Incredible that we have here. Same behavior!
Yet, when I Google search 'samsung galaxy s multiple exchange accounts', I find a bunch of people claiming to be using multiple accounts.
What's up with this? Am I just not doing the setup correctly, or did Samsung remove this capability from the devices recently?
I also figured I could install the stock Android email app as a workaround, but that doesn't exactly seem to be a 'one-click' process. K-9 has no ActiveSync support, so that isn't useful.
Can't speak for anyone else, but I have yet to see any Android phone that supports multiple Exchange accounts out of the box. That's one of the reasons I bought Touchdown, as it supports multiple Exchange profiles. Of course, only one of them can be active at a time, but if I needed to have two accounts active simultaneously, I could use Touchdown for one, and the stock email app for the other. Oh, and just FYI, I didn't mean for this to become a Touchdown advertisement. ^^;
Sent from my SCH-I500 using XDA App
Actually, I have a Touchdown license so this is a good plan.
Presumably the situation is this: stock Android supports multiple accounts but none of the device vendor skins do, yet. Correct? (and it isn't possible to manifest the stock Android behavior side-by-side with the vendor skin).
I was just coming in here to ask this question. I would like a way to get multiple Exchange accounts too. Since it was supported in 2.0 on up I think we should be able to get this to work. Unless Samsung messed this up for us.
Hmm, I thought Sammy left the stock Android email app on the Fascinate, but it looks as though they modified it just enough to cripple it. :-(
Sent from my SCH-I500 using XDA App
There are actually good reasons NOT to do this. Corporate IT admins have massive problems with this, and because Google/Sammy/etc. are actually TRYING to work with corporate IT... you end up with this.
Outlook doesn't allow it either, nor does any other mail program which respects Activesync conventions.
It has to do with security... and compartmentalization.
The Droid X and the Droid supported 2nd Exchange accounts.
I'm sorry, but I disagree that this is a security issue. They are completely disparate accounts, and this functionality should be stock on all Android phones.
That said, the Samsung client is the worst of all of them, and Touchdown is the best option, IMHO.
Gurm said:
> There are actually good reasons NOT to do this. Corporate IT admins have massive problems with this, and because Google/Sammy/etc. are actually TRYING to work with corporate IT... you end up with this.
> Outlook doesn't allow it either, nor does any other mail program which respects Activesync conventions.
> It has to do with security... and compartmentalization.
Oh, really? That's interesting. I work on the helpdesk for an IT company that hosts Exchange servers (and much more) for dozens of clients, including numerous medical and financial institutions (i.e. security is a significant concern), and I have never heard about any such security issue. Please explain to me how being able to setup multiple Exchange accounts on a single device is such a huge security concern, and include links to references if possible, as I may want to present the information at our security meeting, which I'm actually attending tomorrow. No joke, that's my job, and I am on the security team.
Btw, Microsoft themselves eliminated the single Exchange account limitation with Outlook 2010. It's still not unlimited, but you can now have three Exchange accounts per Outlook profile. Oh, and did I mention that iOS 4 now also supports multiple Exchange accounts per device? So yeah, if you have any links to share about these alleged security nightmares, feel free to enlighten me.
Sent from my SCH-I500 using XDA App
8notime said:
> That said, the Samsung client is the worst of all of them, and Touchdown is the best option, IMHO.
While I tend to agree with you, I'd like to point out that I haven't seen any issues with actually reliably syncing with an Exchange server with the Fascinate, whereas the mail client on the original Droid was plagued with bugs, and while it improved later on, one of the more recent post-Froyo patches broke the ability to sync with Exchange 2010 (which has since been fixed).
Also, if I remember correctly, the helpdesk I work on got a bunch of calls from clients who bought the Droid X when it first came out, because it couldn't sync with Exchange 2003, which was a pretty serious bug. Motorola had apparently tested it thoroughly with Exchange 2007 and 2010, but never with 2003. It was so bad that they were giving away licenses for Touchdown for free to anyone that complained, until they were able to issue a patch for it.
Anyway, no mail client is perfect, and all have their pros and cons. Which stock one is better or worse depends on whether the features that don't work right matter to you or not. Me, I'll stick with Touchdown, which basically mops the floor with the stock mail clients, just in sheer volume of features alone.
Sent from my SCH-I500 using XDA App
iOS 4, Android 2.* and up and WP7 all support multiple Exchange accounts. Unfortunately Samsung messed this up for us.
I wonder if there is a way to pull the AOSP e-mail.apk and try that? Or if there would be another way around this.
Since someone got a little cranky I will elaborate on the security problem.
The issue is largely one of partition. Let me paint a scenario...
I am government contractor x. I provide you with exchange on your phone. Your phone very helpfully merges all your data together. That violates my policies. Additionally, your android device doesn't respect remote wipe, remote lock, or security policy for disclaimers, password complexity, etc.
But the biggest issue is that the exchange data isn't self-contained.
If the phone, client, or whatever provides partitioning of the data then multiple accounts becomes a possibility.
Essentially I as an exchange admin don't want some other company's mail cross pollinating with mine. And because my company is in Massachusetts, it's actually a violation of state law at this point to let our emails into someone else's system.
Outlook 2010 supports separate cache files, contact lists, and all other data... So it can do multiple accounts. The iphone doesn't, and neither does droid.
I love my Android phone, but I cannot let the end users have them, because we can't secure the data. Full stop.
Sent from my SCH-I500 using XDA App
And yes, iOS 4 and some iterations of Droid do allow this, but not in a way that is kosher with either Microsoft or your mail admins.
Sent from my SCH-I500 using XDA App
Hehe, I wasn't cranky. I just wanted some additional info to back up a rather vague, blanket statement about data security. I could go on to discuss security issues, but it looks like your concerns exist at a much higher level. If the Android platform as a whole is too insecure for you to allow, then whether or not a phone supports multiple Exchange accounts is irrelevant. That being the case, I won't draw this on much longer, as it's beginning to drift off topic.
Based on what you've listed as your security requirements, I believe Touchdown actually has a strong enough feature set to safely allow Android devices to work in your environment. It supports a healthy set of Exchange security policies, namely remote wipe, PIN/password policies, and complete data encryption (it even encrypts the data it stores on the SD card), and since it only allows one account per profile, and all data is contained within the application itself, and not mixed on the phone, the partition requirement is met. Plus, you can deploy a template that dictates desired config settings for the app, and locks them down to prevent users from changing them. Oh, and don't forget the added benefit of standardization, in that you would only have a single email app to support, regardless of which Android device end users have. The only real down side is the added cost, as it's extra software to buy. And for those wondering, no, I do NOT work for NitroDesk, the makers of Touchdown.
I apologize if I'm still failing to understand any of your points in all this. I do have an interest in security topics like this, and while I'm not completely ignorant, I'm by no means an expert either, not by a long shot. If you'd like to discuss this any further, feel free to PM me, so we don't get any further off topic in this thread. Thanks!
Gurm said:
> Essentially I as an exchange admin don't want some other company's mail cross pollinating with mine. And because my company is in Massachusetts, it's actually a violation of state law at this point to let our emails into someone else's system.
I have never in my life heard of this happening, nor is there any proof that it's technically possible. I get the whole concept of all data being on the same partition, but cross pollination? They are totally different accounts, with their own data stores.
If a company's security policy is this strict, they probably shouldn't have any phone connecting to their network, unless they have a device management tool in place that prohibits installation of any 3rd party apps unless they install them themselves. Oh and they should probably remove the camera too, if they're a government contractor with this much security in place.
I don't think the Fascinate was designed for a company like this.
Just to throw in my 2 cents. A division of the company I work for engineers nuclear plants and because of the strict government regulations only BlackBerries are permitted because other platforms are not secure enough.
Sent from my SCH-I500 using XDA App
8notime said:
> I have never in my life heard of this happening, nor is there any proof that it's technically possible. I get the whole concept of all data being on the same partition, but cross pollination? They are totally different accounts, with their own data stores.
Really? Your contact list isn't comprised of all the contacts from all the accounts? Do you keep strict track of which little yellow "new mail" envelope you've just pulled down? It can't happen? Think again.
> If a company's security policy is this strict, they probably shouldn't have any phone connecting to their network, unless they have a device management tool in place that prohibits installation of any 3rd party apps unless they install them themselves. Oh and they should probably remove the camera too, if they're a government contractor with this much security in place.
Yup. Guess why Blackberries are still the biggest corporate device? For exactly this reason. Why is there always a Blackberry variant with no camera? BINGO.
> I don't think the Fascinate was designed for a company like this.
No Droid or iPhone was.
Then why are we even having this conversation? We're talking about the Fascinate.
Also, we were talking about email, not contacts. Emails are stored in entirely different data stores. I don't have 1 giant inbox with emails from both accounts. They are totally separated.
8notime said:
> Then why are we even having this conversation? We're talking about the Fascinate.
> Also, we were talking about email, not contacts. Emails are stored in entirely different data stores. I don't have 1 giant inbox with emails from both accounts. They are totally separated.
Because Exchange isn't POP or IMAP. It's an entire comm system. It's not just mail, it's contacts and calendar and notes and public folders and a half dozen other things.
If you just want to sync the contents of two Exchange inboxes, sure there's no TECHNICAL reason you can't. But that's not how Exchange WORKS, typically. I'm sure you could write a client that does that, but as yet folks haven't.
You can go in and uncheck to sync the calendar and contacts, but new "events" will still arrive and have to be thrown out by the client. Essentially you would need to write MORE code to NOT have the entire system than you would to HAVE it.
I'm sorry but that isn't true. Like I said earlier, I was able to add more than one Exchange account - contacts, calendar, and email - on both my Droid and Droid X. One Exchange account for work, and the other a personal account through a hosted Exchange provider. There was no "cross pollination" between either account, and each had a completely separate inbox/data stores. So not only is it technically possible, the functionality is also available for use. Also, as a security professional, I think there are other real security concerns/vulnerabilities to focus on, than something that has never been proven to be one.
8notime said:
> I'm sorry but that isn't true. Like I said earlier, I was able to add more than one Exchange account - contacts, calendar, and email - on both my Droid and Droid X. One Exchange account for work, and the other a personal account through a hosted Exchange provider. There was no "cross pollination" between either account, and each had a completely separate inbox/data stores. So not only is it technically possible, the functionality is also available for use. Also, as a security professional, I think there are other real security concerns/vulnerabilities to focus on, than something that has never been proven to be one.
I understand that you have done it before. I've done it too on an iPhone. My point is that the capability to do so is not something that comes pre-cooked in an Exchange client. MS didn't do it until recently themselves. Given that a lot of the stuff in the Fascinate is pre-2.1 due to Samsung's pidgin kernel (really a 1.5 or 1.6 kernel hacked up for 2.1, from what I've read on here) I'm not at all surprised that functionality only recently available is missing.
Like I said - it takes more code to do it than not to do it... don't hold your breath for it from Samsung, although anything is possible in 2.2!
So I've tried a bunch of different email clients and they all experience the same issue when connecting to a corporate Exchange server. About once a day, at random times, they will crash and I have to force stop them and reopen the app to get it to receive Exchange push email updates.
Clients I have tried are: Improved Email, Enhanced Email, K-9 and the Moxie trial. I can't find any common link as to why they all end up non-responsive. At first I thought it happened when I lose signal (such as when I'm in the subway) but I haven't taken the subway the past few days and it still happens.
Is there something included with the Atrix that kills these processes after a certain amount of time?
I manage our corporate exchange servers (2003 and 2010) and have had really good success with the built in Corporate Sync app for the atrix.
Is there something you are syncing that it can't handle? The calendar and contacts work great. I haven't tried tasks as I don't use them.
Aside from that, make sure on task manager that the mail clients aren't set to auto kill.
Sent from my MB860 using XDA Premium App
I wish I could get email from our exchange server, but unfortunately my company isn't going to allow that until Android becomes more secure.
beatphreek said:
> I manage our corporate exchange servers (2003 and 2010) and have had really good success with the built in Corporate Sync app for the atrix.
> Is there something you are syncing that it can't handle? The calendar and contacts work great. I haven't tried tasks as I don't use them.
> Aside from that, make sure on task manager that the mail clients aren't set to auto kill.
> Sent from my MB860 using XDA Premium App
I didn't think I had Corporate Sync, but I just took a look now and it seems like I do. I didn't think about trying to set it up as a new "account" in the phone.
On the bright side, Enhanced Email hasn't crashed in a while. I think one of the other email apps' processes was killing it. I have uninstalled them all. If it crashes again, I will try the built in Corporate Sync.
Caelan, what doesn't your company like about Android? All the Exchange clients I've tried allow remote management which I know was a sticking point for a lot of companies when Android was newer. Though I'll admit I'm not really up on the security issues of Android... I'm kind of lucky because my company lets us bring any device onto the network, and we get to admin our own computers. The benefits of working at a tech company staffed completely with geeks
albinojoe said:
> Caelan, what doesn't your company like about Android? All the Exchange clients I've tried allow remote management which I know was a sticking point for a lot of companies when Android was newer. Though I'll admit I'm not really up on the security issues of Android... I'm kind of lucky because my company lets us bring any device onto the network, and we get to admin our own computers. The benefits of working at a tech company staffed completely with geeks
I am not sure exactly what it is that is a security problem, but I work for a big R&D company. All our laptops, thumb drives, etc. are encrypted, and we use RSA secure tokens to connect to our network externally when OOO. As an example, if you want email access on your iPhone, the company installs security software requiring a lengthy password to even get past the lock screen, and also remote wipe ability so they can wipe your iPhone if you lose it. We have a lot of proprietary R&D documentation which they do not want to lose.
Apparently there are some security holes which should be fixed with 2.3.4, and they may already be testing this at corporate IT.
We also have full admin rights to our laptops, but they are also very secure with full HDD encryption.
Android does meet all the security requirements that Microsoft has in place for Activesync licensing, it forces a passcode to unlock, it encrypts the exchange data, and it does remote wipe.
The only thing I can think would be that due to the ability to easily root the device there are programs that get around the lock screen requirements. They may have other reasons though.
I asked this in XDA Android Q&A; posting to this Rezound Q&A as well in case there are any Rezound specific options that can be explored:
I've been debating configuring my personal phone to access my employer's Exchange server; I would be checking it on occasion-- more of a convenience thing to know what's up before I head in for the day.
Using the default Android Mail client and choosing ActiveSync and doing the setup, I inevitably reach a screen with the following:
> Activate security policies?
> Exchange security policies
> Your IT administrator requires that you activate these security policies in order to sync with your Exchange Server.
> Activating this administrator will allow the application Mail to perform the following operations:
> ! Erase all data
> Perform a factory reset, which deletes all of your data without any confirmation.
> ! Set password rules
> Restrict the types of passwords that you are allowed to use.
> ! Monitor screen-unlock attempts
> Monitor failed attempts to log into your device.
> ! Lock the screen
> Control when your device locks, requiring that you re-enter your password.
> ! Device function limitation
> Restrict some function on device like Wifi, Bluetooth, Camera etc.
Needless to say, this is highly unappealing for my personal phone-- way too much power for the Mail application.
So my questions-- what are my options?
-would a different Exchange connectivity application like Touchdown request those same permissions for access?
-would I be better off setting up ActiveSync on an alternate ROM and booting into that when I want to check work mail (not as frequently as some other users)?
-How far does that remote wipe control extend? Could they wipe the entire phone, including bootloader? Or is it just reference to internal storage? Could they wipe the external SD card?
-is there a way to revoke those permissions from the Mail application while retaining the ability to connect to the Exchange server?
vprasad1 said:
> Needless to say, this is highly unappealing for my personal phone-- way too much power for the Mail application.
It is designed to protect corp data. If you don't want your personal phone under that control, then don't connect it. That is the choice you have.
> So my questions-- what are my options?
> -would a different Exchange connectivity application like Touchdown request those same permissions for access?
Nope. The policy is from the Exchange servers policies.
> -would I be better off setting up ActiveSync on an alternate ROM and booting into that when I want to check work mail (not as frequently as some other users)?
Not sure how you would do this.
> -How far does that remote wipe control extend? Could they wipe the entire phone, including bootloader? Or is it just reference to internal storage? Could they wipe the external SD card?
When you connect, if they have issued the wipe command, it wipes. Distance is not relative. Wipe is wipe.
> -is there a way to revoke those permissions from the Mail application while retaining the ability to connect to the Exchange server?
No. They could have a different policy set up for different groups of users and have you in that group, but you would have to ask the administrator though.
The exchange policies are part of the requirements of connecting to that exchange server. The policies can be changed by the administrator by putting you into another group, but I doubt they will do that. They are there to protect corp data.
There are other ways that policies can be setup, but that needs to be done again by the administrator.
These types of policies are becoming more and more common as companies realize their contacts, email and attachments are valuable and need to be protected. A lot of people use two phones, one for corp and one for personal, not mixing the two.
Remote wipe and all is a feature of ActiveSync, not necessarily Exchange. So, according to what I'm reading, you can find an email client that supports Exchange but not ActiveSync and get around the permissions.
I am also interested in how far the wipe can extend. It says reset to factory, which would leave your SD card intact.
gthing said:
> Remote wipe and all is a feature of ActiveSync, not necessarily Exchange. So, according to what I'm reading, you can find an email client that supports Exchange but not ActiveSync and get around the permissions.
> I am also interested in how far the wipe can extend. It says reset to factory, which would leave your SD card intact.
As far as I am aware, the Exchange server CAN initiate a full wipe, if your company is on Exchange 2010. The wipe command can be found in OWA settings. The only way you can get around the permissions is to login to OWA via your browser. The security settings are there for a reason, as mentioned above.
Microsoft works very hard with its partners to provide the best security possible. I do not think using Touchdown or another email client will allow you to circumvent security policies enforced by the Exchange server.
Sent from my Dell Streak 7 using Tapatalk 2
vprasad1 said:
> So my questions-- what are my options?
> -would a different Exchange connectivity application like Touchdown request those same permissions for access?
> -would I be better off setting up ActiveSync on an alternate ROM and booting into that when I want to check work mail (not as frequently as some other users)?
> -How far does that remote wipe control extend? Could they wipe the entire phone, including bootloader? Or is it just reference to internal storage? Could they wipe the external SD card?
> -is there a way to revoke those permissions from the Mail application while retaining the ability to connect to the Exchange server?
I use TouchDown for my work e-mail, and while I have never had any administrators use remote wipe, I will let you know my experiences:
-There is an option in the settings screen for "Clean SD card on remote wipe." It's unchecked by default. I assume a remote wipe will only clear TouchDown related data, but am not 100% sure of it. At the very least this option implies that it won't normally wipe your SD card as well.
-TouchDown will ask for the same permissions. However, unlike the default mail application, which will force your whole phone to be pin locked, TouchDown will only force you to enter a pin when you open the application. This feature is nice if you don't want to always enter in a pin to unlock your phone but also want Exchange e-mail.
-As the policies are set on the ActiveSync server, there's no way to get around revoking the permissions.
If you search for it enough, you can probably find a modified mail app that doesn't require these security permissions. I know I've seen one that works with CleanRom and I use it on ICS Business Sense. No lockscreen pin required either and no device administrator.
http://forum.xda-developers.com/showthread.php?t=1456425
Sent from my ADR6425LVW using XDA
Just created the account to reply to this thread.
I too am looking for a solution to avoid giving my employer the access rights to wipe my phone, and I just wanted to comment that IMO, theoretically it is not because this setting is on server side that it can't be avoided.
Android can give whatever permissions the server asks for then totally ignore the commands when they eventually come. That would probably require some coding to simulate executing the command without actually doing it, and it would definitely require root access to do this, but I do not see how that would be impossible on Android or on one of its mods.
Now obviously this is not something I'm going to waste time on. If it can't be done, my pro account will not be on my phone. That was me trying to do something for my employer, but if they don't want me to see my mails on weekends, I won't be fool enough to complain.
I'm in a similar situation. With ICS, at least it gave me the ability to only have to enter a PIN after 15 minutes or something when your phone is locked. Prior to that with GB, every screen unlock required the PIN.
I do use a modified Mail.apk, but in a sense, I'm contributing to the problem of my company not allowing android phones on their network, because there are just so many workarounds like this.
LBE Security Guard may be able to inhibit the permissions, though I wouldn't want to have to depend on that as a last line of defense right before my device is potentially WIPED!
There has to be some better solutions to control it on the client side...
My admins at work say they will not change the exchange policy.
They said it comes with Exchange Server 2010 as the default settings, but they won't change it. They have actually tested the remote wipe and it works instantly. They claim they can remote 'unwipe' it as well, but I gave an analogy about formatting drives (quick format vs. full format) that they couldn't answer.
I told them I'm concerned about anyone having that much power over personal "BYOD" phones, and the possibility of someone accidentally or maliciously wiping my device.
They said the policy will not be changed.
Does anyone know of other 3rd party mail OR calendar programs that will update my calendar without allowing these INSANE permissions? Thanks.
I've recently bought a new phone and found these ridiculous permissions when I went to sync with my work exchange.
There must be apps available or possible to develop because the email app on my old phone doesn't ask for these permissions. Unfortunately it isn't available to download, just the default app with that phone.
worldheroes said:
> I've recently bought a new phone and found these ridiculous permissions when I went to sync with my work exchange.
> There must be apps available or possible to develop because the email app on my old phone doesn't ask for these permissions. Unfortunately it isn't available to download, just the default app with that phone.
There are several mail programs in the Google Play store, if you search for 'exchange email'
I saw:
k-9 mail
touchdown
exchange exmail
maildroid
and so on...
k-9 had the best ratings and is open source so I tried it, but it couldn't connect to my exchange server. I got an error during setup:
'Setup could not finish, cannot connect to server. (ioexception)'
Please let me know if you have better luck with any exchange program!
The best choice for you is to install OWA from the Play store (Outlook Web) and that will get you contacts, push mail and calendars without having to accept the Exchange policies. All you have to do is point it to your company's webmail page and login.
I searched for OWA in the Play store but didn't find the one you mentioned. (see attachment) Is it a free app?
I have the first one by WWO. It gets the job done. 5 bucks well spent. I'm sure it can be side loaded if you'd like to test the functionality first.
Daistaar said:
> I have the first one by WWO. It gets the job done. 5 bucks well spent. I'm sure it can be side loaded if you'd like to test the functionality first.
At the risk of asking a silly question - how would I get it to test it?
might want to try this:
http://forum.xda-developers.com/showthread.php?t=1965468
Thanks - the link to the ICS Email APK with Exchange Security removed was exactly what I needed!
I wish that app would be maintained with the current version and be put in the google play store!
If I activate the device administration can I undo it? Can I deactivate it and go back to life as usual?
quarksurfer said:
> If I activate the device administration can I undo it? Can I deactivate it and go back to life as usual?
Yes, delete the account in question.