[Q] Security: Exchange + device administrator + Nine ... but now.. - Android Q&A, Help & Troubleshooting

Hi all,
I'm trying to figure out if it is possible to get around the new security requirements by our company regarding smartphone usage.
Previously, if we wanted to use exchange on our devices, I had three possibilities:
1. Add the exchange account to the default email client, accept all the security setting being pushed with the device administrator functionality
2. Add the exchange account to the default email client, and get around the security using Xposed
3. Add the exchange account to the Nine, and let it handle the security setting.
On my Nex5 however the second option vanished with Android 5. So I was using Nine for a while now without any problems.
Now the company is making new security requirements.
The problem is that they want us to install this app from vodafone:
https://play.google.com/store/apps/details?id=com.mobileiron.vodafone.MIClient
to handle all device security settings and device registration.
I don't mind having a device administrator managed by the company on the phone, I do however dislike using a PIN to unlock my device.
Anyone having any experience getting around this?

Related

[Q] Exchange 2010 wipes devices remotly

Hello
I have Galaxy S2 and synch with Exchange 2010. But i was checking on the device and under Location and security - Select device administrator, It has " Enable server-specified security Policies.
Which enables to wipe device remotly. Is there a way to stop that but keep synch.
I did a test and he not only wipes the email side but also wipes the entire device back to default.
Is there a way around this or not?
Thank You
Any update please
Sent from my GT-I9100 using XDA App
I believe the only way to change this is via a policy change at the Exchange Server end.
That said, I do remember seeing something on here about a utility that would bypass Exchange's policies.
Is there another client for the outlook so that the Exchange admin cannot wipe my device
Thank you
try using Enhanced Email, that's what i've been using since Exchange 2010 was implemented in my organisation.
NTOP said:
Hello
I have Galaxy S2 and synch with Exchange 2010. But i was checking on the device and under Location and security - Select device administrator, It has " Enable server-specified security Policies.
Which enables to wipe device remotly. Is there a way to stop that but keep synch.
I did a test and he not only wipes the email side but also wipes the entire device back to default.
Is there a way around this or not?
Thank You
Click to expand...
Click to collapse
This is a feature of Exchange just incase your device is lost the admin or you can remotely wipe all your secure information. Businesses of-course like this because they don't want their trade secrets in the back of some cab somewhere to be sold off to the highest bidder (imagine iPhone 4 but information instead of the physical device).
There are hacks out that removes the checks for security but the Server could then block those devices if they don't reply properly to requests for encryption and such.
There is however no need to try to circumvent this as you'd only ever use it in those cases, it's not like the admin is gonna just wipe your device one day because he is bored at work.
shotta35
I agree with you there if the device was given from the company but if the device is your personal and you are just synch email than i don't want the exchange admin wiping anything so that is my main reason for looking at another client
I think this is a feature of Exchange 2010
Thank You

[Q] Exchange/ActiveSync on Android Options?

I've been debating configuring my personal phone to access my employer's Exchange server; I would be checking it on occasion-- more of a convenience thing to know what's up before I head in for the day.
Using the default Android Mail client and choosing ActiveSync and doing the setup, I inevitably reach a screen with the following:
Activate security policies?
Exchange security policies
Your IT administrator requires that you activate these security policies in order to sync with your Exchange Server.
Activating this administrator will allow the application Mail to perform the following operations:
! Erase all data
Perform a factory reset, which deletes all of your data without any confirmation.
! Set password rules
Restrict the types of passwords that you are allowed to use.
! Monitor screen-unlock attempts
Monitor failed attempts to log into your device.
! Lock the screen
Control when your device locks, requiring that you re-enter your password.
! Device function limitation
Restrict some function on device like Wifi, Bluetooth, Camera etc.
Click to expand...
Click to collapse
Needless to say, this is highly unappealing for my personal phone-- way too much power for the Mail application.
So my questions-- what are my options?
-would a different Exchange connectivity application like Touchdown request those same permissions for access?
-would I be better off setting up ActiveSync on an alternate ROM and booting into that when I want to check work mail (not as frequently as some other users)?
-How far does that remote wipe control extend? Could they wipe the entire phone, including bootloader? Or is it just reference to internal storage? Could they wipe the external SD card?
-is there a way to revoke those permissions from the Mail application while retaining the ability to connect to the Exchange server?
try this:
http://forum.xda-developers.com/showpost.php?p=14577188
Thanks for that! I checked it out and unfortunately, HTC uses a different email program which is incompatible with rustamabd 's script. When there are daily driver AOSP ROMs avail for my phone, I'll try it out.

[Q] Exchange/ActiveSync on Android Permissions -- Options?

I asked this in XDA Android Q&A; posting to this Rezound Q&A as well in case there are any Rezound specific options that can be explored:
I've been debating configuring my personal phone to access my employer's Exchange server; I would be checking it on occasion-- more of a convenience thing to know what's up before I head in for the day.
Using the default Android Mail client and choosing ActiveSync and doing the setup, I inevitably reach a screen with the following:
Activate security policies?
Exchange security policies
Your IT administrator requires that you activate these security policies in order to sync with your Exchange Server.
Activating this administrator will allow the application Mail to perform the following operations:
! Erase all data
Perform a factory reset, which deletes all of your data without any confirmation.
! Set password rules
Restrict the types of passwords that you are allowed to use.
! Monitor screen-unlock attempts
Monitor failed attempts to log into your device.
! Lock the screen
Control when your device locks, requiring that you re-enter your password.
! Device function limitation
Restrict some function on device like Wifi, Bluetooth, Camera etc.
Click to expand...
Click to collapse
Needless to say, this is highly unappealing for my personal phone-- way too much power for the Mail application.
So my questions-- what are my options?
-would a different Exchange connectivity application like Touchdown request those same permissions for access?
-would I be better off setting up ActiveSync on an alternate ROM and booting into that when I want to check work mail (not as frequently as some other users)?
-How far does that remote wipe control extend? Could they wipe the entire phone, including bootloader? Or is it just reference to internal storage? Could they wipe the external SD card?
-is there a way to revoke those permissions from the Mail application while retaining the ability to connect to the Exchange server?
vprasad1 said:
Needless to say, this is highly unappealing for my personal phone-- way too much power for the Mail application.
Click to expand...
Click to collapse
It is designed to protect corp data. If you don't want your personal phone under that control, then don't connect it. That is the choice you have.
So my questions-- what are my options?
-would a different Exchange connectivity application like Touchdown request those same permissions for access?
Click to expand...
Click to collapse
Nope. The policy is from the Exchange servers policies.
-would I be better off setting up ActiveSync on an alternate ROM and booting into that when I want to check work mail (not as frequently as some other users)?
Click to expand...
Click to collapse
Not sure how you would do this.
-How far does that remote wipe control extend? Could they wipe the entire phone, including bootloader? Or is it just reference to internal storage? Could they wipe the external SD card?
Click to expand...
Click to collapse
When you connect, if they have issued the wipe command, it wipes. Distance is not relative. Wipe is wipe.
-is there a way to revoke those permissions from the Mail application while retaining the ability to connect to the Exchange server?
Click to expand...
Click to collapse
No. they could have a different policy setup for different groups of users and have you into that group, but you would have to ask the administrator though.
The exchange policies are part of the requirements of connecting to that exchange server. The policies can be changed by the administrator by putting you into another group, but I doubt they will do that. They are there to protect corp data.
There are other ways that policies can be setup, but that needs to be done again by the administrator.
These types of policies are becoming more and more common as companies realize their contacts, email and attachments are valuable and need to be protected. A lot of people use two phones, one for corp and one for personal, not mixing the two.
Remote wipe and all is a feature of activesync, not necessarily exchange. So, according to what I'm reading, you can find an email client that supports exchange but not eactivesync and get around the permissions.
I am also interested in how far the wipe can extend. It says reset to factory, which would leave your SD card intact.
gthing said:
Remote wipe and all is a feature of activesync, not necessarily exchange. So, according to what I'm reading, you can find an email client that supports exchange but not eactivesync and get around the permissions.
I am also interested in how far the wipe can extend. It says reset to factory, which would leave your SD card intact.
Click to expand...
Click to collapse
As far as I am aware, the Exchange server CAN initiate a full wipe, if your company is on Exchange 2010. The wipe command can be found in OWA settings. The only way you can get around the permissions is to login to OWA via your browser. The security settings are there for a reason, as mentioned above.
Microsoft works very hard with its partners to provide the best security possible. I do not think using Touchdown or another email client will allow you to circumvent security policies enforced by the Exchange server.
Sent from my Dell Streak 7 using Tapatalk 2
vprasad1 said:
So my questions-- what are my options?
-would a different Exchange connectivity application like Touchdown request those same permissions for access?
-would I be better off setting up ActiveSync on an alternate ROM and booting into that when I want to check work mail (not as frequently as some other users)?
-How far does that remote wipe control extend? Could they wipe the entire phone, including bootloader? Or is it just reference to internal storage? Could they wipe the external SD card?
-is there a way to revoke those permissions from the Mail application while retaining the ability to connect to the Exchange server?
Click to expand...
Click to collapse
I use TouchDown for my work e-mail, and while I have never had any administrators use remote wipe, I will let you know my experiences:
-There is an option in the settings screen for "Clean SD card on remote wipe." It's unchecked by default. I assume a remote wipe will only clear TouchDown related data, but am not 100% sure of it. At the very least this option implies that it won't normally wipe your SD card as well.
-TouchDown will ask for the same permissions. However, unlike the default mail application, which will force your whole phone to be pin locked, TouchDown will only force you to enter a pin when you open the application. This feature is nice if you don't want to always enter in a pin to unlock your phone but also want Exchange e-mail.
-As the policies are set on the ActiveSync server, there's no way to get around revoking the permissions.
If you search for it enough, you can probably find a modified mail app that doesn't require these security permissions. I know I've seen one that works with CleanRom and I use it on ICS Business Sense. No lockscreen pin required either and no device administrator.
http://forum.xda-developers.com/showthread.php?t=1456425
Sent from my ADR6425LVW using XDA
Just created the account to reply to this thread.
I am too looking for a solution to avoid giving my employer the access rights to wipe my phone, and I just wanted to comment that IMO, theorically it is not because this setting is on server side that it can't be avoided.
Android can give whatever permissions the server asks for then totally ignore the commands when they eventually come. That would probably require some coding to simulate executing the command without actually doing it, and it would definitely require root access to do this, but I do not see how that would be impossible on Android or on one of its mods.
Now obviously this is not something I'm going to waste time on. if it can't be done, my pro account will not be on my phone. That was me trying to do something for my employer, but if they don't want me to see my mails on weekends, I won't be fool enough to complain.
I'm in a similar situation. With ICS, at least it gave me the ability to only have to enter a PIN after 15 minutes or something when your phone is locked. Prior to that with GB, every screen unlock required the PIN.
I do use a modified Mail.apk, but in a sense, I'm contributing to the problem of my company not allowing android phones on their network, because there are just so many workarounds like this.
LBE Security Guard may be able to inhibit the permissions, though I wouldn't want to have to depend on that as a last line of defense right before my device is potentially WIPED!
There has to be some better solutions to control it on the client side...
My admins at work say they will not change the exchange policy.
They said it comes with Exchange Server 2010 as the default settings, but they won't change it. They have actually tested the remote wipe and it works instantly. They claim they can remote 'unwipe' it as well, but I gave an analogy about formatting drives (quick format vs. full format) that they couldn't answer.
I told them I'm concerned about anyone having that much power over personal "BYOD" phones, and the possibility of someone accidentally or maliciously wiping my device.
They said the policy will not be changed.
Does anyone know of other 3rd party mail OR calendar programs that will update my calendar without allowing these INSANE permissions? Thanks.
I've recently bought a new phone and found these ridiculous permissions when I went to sync with my work exchange.
There must be apps available or possible to develop because the email app on my old phone doesn't ask for these permissions. Unfortunately it isn't available to download, just the default app with that phone.
worldheroes said:
I've recently bought a new phone and found these ridiculous permissions when I went to sync with my work exchange.
There must be apps available or possible to develop because the email app on my old phone doesn't ask for these permissions. Unfortunately it isn't available to download, just the default app with that phone.
Click to expand...
Click to collapse
There are several mail programs in the Google Play store, if you search for 'exchange email'
I saw:
k-9 mail
touchdown
exchange exmail
maildroid
and so on...
k-9 had the best ratings and is open source so I tried it, but it couldn't connect to my exchange server. I got an error during setup:
'Setup could not finish, cannot connect to server. (ioexception)'
Please let me know if you have better luck with any exchange program!
The best choice for you is to install OWA from the play store (outlook web) and that will get you contacts, push mail and calendars without having to accept the exchange policies. All you have to do is point it to your companies webmail page and login.
I searched for OWA in the Play store but didn't find the one you mentioned. (see attachment) Is it a free app?
I have the first one by WWO. It gets the job done. 5 bucks well spent. I'm sure it can be side loaded if you'd like to test the functionality first.
Daistaar said:
I have the first one by WWO. It gets the job done. 5 bucks well spent. I'm sure it can be side loaded if you'd like to test the functionality first.
Click to expand...
Click to collapse
At the risk of asking a silly question - how would I get it to test it?
might want to try this:
http://forum.xda-developers.com/showthread.php?t=1965468
Thanks - the link to the ICS Email APK with Exchange Security removed was exactly what I needed!
I wish that app would be maintained with the current version and be put in the google play store!
If I activate the device administration can I undo it? Can I deactivate it and go back to life as usual?
quarksurfer said:
If I activate the device administration can I undo it? Can I deactivate it and go back to life as usual?
Click to expand...
Click to collapse
Yes, delete the account in question.

[Q] Synching with two exchange servers with security policy conflict

I have the following problem:
I have an SGS2 with the latest ICS release (rooted). I work with two companies supporting sync with the exchange server (2010) on a smartphone.
I can set up both exchange servers at the same time. The first day the both work, but on the second day one of the two (so far always the same) start giving me connection errors, and will no longer sync emails.
I am almost sure that the problem is that for security reasons, both want to have their security policy (admin privileges etc) enforced over my phone, and when they re-check daily they find that the policy is not as they want it.
Can anyone suggest a way to overcome this?
Thanks,
Geza
It could possibly be the Certificate of said company that's configured incorrectly.
Speak to the IT department to check this for you.
I've set the client to accept all certificates, furthermore it works on day 1, stops working on day 2.
Would the certificate problem still be a viable explanation?

[Q] Microsoft Exchange application to avoid device policy

My company recently updated their exchange server and when I attempt to add the account my phone tells me that some security settings will be changed to be in alignment with the exchange server policy. I'd rather not do that because I don't want my company administering the phone I bought myself.
My question is if any of the alternative Exchange applications (for example, Touchdown) would allow me to add the account without enforcing that device policy. My thought is that the application could implement it's own security (like a PIN, which is part of what is required for me to add this account) without affecting the rest of the device.
Sorry if this is the wrong place but I wasn't sure where else to post it.

Categories

Resources