I've been debating configuring my personal phone to access my employer's Exchange server; I would be checking it on occasion-- more of a convenience thing to know what's up before I head in for the day.
Using the default Android Mail client and choosing ActiveSync and doing the setup, I inevitably reach a screen with the following:
Activate security policies?
Exchange security policies
Your IT administrator requires that you activate these security policies in order to sync with your Exchange Server.
Activating this administrator will allow the application Mail to perform the following operations:
! Erase all data
Perform a factory reset, which deletes all of your data without any confirmation.
! Set password rules
Restrict the types of passwords that you are allowed to use.
! Monitor screen-unlock attempts
Monitor failed attempts to log into your device.
! Lock the screen
Control when your device locks, requiring that you re-enter your password.
! Device function limitation
Restrict some function on device like Wifi, Bluetooth, Camera etc.
Click to expand...
Click to collapse
Needless to say, this is highly unappealing for my personal phone-- way too much power for the Mail application.
So my questions-- what are my options?
-would a different Exchange connectivity application like Touchdown request those same permissions for access?
-would I be better off setting up ActiveSync on an alternate ROM and booting into that when I want to check work mail (not as frequently as some other users)?
-How far does that remote wipe control extend? Could they wipe the entire phone, including bootloader? Or is it just reference to internal storage? Could they wipe the external SD card?
-is there a way to revoke those permissions from the Mail application while retaining the ability to connect to the Exchange server?
try this:
http://forum.xda-developers.com/showpost.php?p=14577188
Thanks for that! I checked it out and unfortunately, HTC uses a different email program which is incompatible with rustamabd 's script. When there are daily driver AOSP ROMs avail for my phone, I'll try it out.
My company recently updated their exchange server and when I attempt to add the account my phone tells me that some security settings will be changed to be in alignment with the exchange server policy. I'd rather not do that because I don't want my company administering the phone I bought myself.
My question is if any of the alternative Exchange applications (for example, Touchdown) would allow me to add the account without enforcing that device policy. My thought is that the application could implement it's own security (like a PIN, which is part of what is required for me to add this account) without affecting the rest of the device.
Sorry if this is the wrong place but I wasn't sure where else to post it.
Hey everyone, this thread is both to let everyone know of a possible issue in Android M and to poll the community to see if this issue is isolated or if we will all be seeing it. First a bit of background on how the security policies work in Exchange ActiveSync as I understand it:
- When you assign an Exchange policy for ActiveSync devices you can basically tell it to require a password or not, encryption, etc. From there the OS of the device determines what that means. For example in Android if you are set to require a password it disables Pattern, Swipe and Face Unlock as choices for securing your phone. It assigns each a security level something like: Swipe = Not secure, Pattern = Weak security, Face Unlock = Medium Security (those are just examples.... I'm not saying thats what they are actually are) and the OS decides what level of security is acceptable when the password requirement is set. It also disables features like Smart Lock for trusted locations/bluetooth devices
As one of the admins of my own network I long ago set my policy to NOT require a password but I still do configure and use a PIN to secure my phone. The reason I set my device to not require a password was solely for the Smart Lock feature.
So the other day I flashed a 6.0 ROM on my Nexus 4 (no factory images available obviously). So I joined my phone to my Exchange server before I had setup any security and shockingly it said that it required I have a PIN. I double-checked my policy on the server and I am most definitely set to not require a password still. So now even with that policy set I am not able to use my phone without a PIN and am not able to use the Smart Lock feature and my fear is that this will also include not being able to unlock my phone with the fingerprint sensor (ouch!)
I'm sure many of you are thinking exactly what I did and that it was an issue with the ROM since it was a port. So with that in mind I setup my Exchange account on my freshly factory imaged Nexus 9 tablet and the exact same issue happens with it.
So either Google jacked up the security settings when connecting an Exchange account or there is a bug that causes the requirement of a PIN even if your policy is set not to.
Anyone else running Android 6.0 connected to an Exchange server that previously did not require a password and now does? One of the things I was most looking forward to was being able to secure my phone using my fingerprint instead of a PIN so this is a big bummer for me
If I am not mistaken, requiring a PIN is the policy of android pay, which comes default with Marshmallow, and is also a device manager. This makes sense, because Google wouldn't want someone draining your bank account in addition to stealing your phone.
rajendra82 said:
If I am not mistaken, requiring a PIN is the policy of android pay, which comes default with Marshmallow. This makes sense, because you wouldn't want someone draining your bank account in addition to stealing your phone.
Click to expand...
Click to collapse
If I dont join my Exchange server I can set any type of security I want so its not related to that
Wow, that's pretty upsetting. I too run my own Exchange Server. I always use PIN but I like the Smart Lock feature. And of course I had expected to use the fingerprint sensor. I wonder if rooting and using a combination of Tasker and the Secure Settings plug-in would allow you to get around it.
I currently have an HTC M8 and 6.0 is supposed to be out for it before the end of the month. I guess I'll load that and see how it works.
My Nexus 6 had been on M since the previews. I have a pin and I use smartlock with my moto 360. It's mostly unlocked and exchange works fine. My servers are set to require passwords and everyone at work has iphones with finger print and they work with that also.
Sent from my Nexus 6 using XDA Free mobile app
SymbioticGenius said:
My Nexus 6 had been on M since the previews. I have a pin and I use smartlock with my moto 360. It's mostly unlocked and exchange works fine. My servers are set to require passwords and everyone at work has iphones with finger print and they work with that also.
Sent from my Nexus 6 using XDA Free mobile app
Click to expand...
Click to collapse
What version of Exchange? We are running the latest 2013. My Smart Lock menu is completely greyed out and says "Disabled by administrator"
I am using Exchange 2013 and have no issues with my Nexus 5x. I am using smartlock with my Huawei Watch, location, and facelock. Maybe I'm confused about the issue here.
hollowlog said:
I am using Exchange 2013 and have no issues with my Nexus 5x. I am using smartlock with my Huawei Watch, location, and facelock. Maybe I'm confused about the issue here.
Click to expand...
Click to collapse
Nope you are understanding. I flashed 6.0 then activated my phone on my Exchange server and now it says my Smart Lock is disabled by administrator despite my policy not even requiring a password.... very odd
I use mobimail through the OWA instead of going through the Exchange Server Active Sync
I am using Nine as my exchange email client, that allows me to set a Pin on the email itself instead of needing it on the phone. Our company requires a PIN or a Password for mobile usage.
I'm using touchdown and a hosted exchange, no phone pin, nexus 5, Android 6.0 and no issues
I have used Nine before. It's not bad. Touchdown (the last time I used it) was complete garbage.
Anyone using the Gmail app that can still use smart lock in M?
I use touchdown so it's independent of my OS therefore i can set it only on the app.
WoodroweBones said:
I have used Nine before. It's not bad. Touchdown (the last time I used it) was complete garbage.
Anyone using the Gmail app that can still use smart lock in M?
Click to expand...
Click to collapse
I must admit it's got worse since symantec bought it..... but i paid for it when it was cheap and it still works so may as well make use of it.
can you post the exchange server-side security settings here? i wouldn't be surprised if google did something to "up" the security of their exchange apk. also - testing with a third party app would be a valid test as well. remove all exchange accounts from your device, confirm your basic security is re-enabled and then try an app (like nine). if the app requires security configuration, it's server-based.
640k said:
can you post the exchange server-side security settings here? i wouldn't be surprised if google did something to "up" the security of their exchange apk. also - testing with a third party app would be a valid test as well. remove all exchange accounts from your device, confirm your basic security is re-enabled and then try an app (like nine). if the app requires security configuration, it's server-based.
Click to expand...
Click to collapse
Attached
Just an update to this....
I went ahead and removed my Exchange account and immediately was able to access those other features that were previously greyed out. I then installed Nine and setup my account there and it allows me to use it without any security at all. Very odd
EDIT: Wow... Nine has improved! I might go this route anyway. I also like having my work account in a separate app as there has been a few times when I've sent a work email from my gmail account
Ok and not only does Nine have a Dark theme but it has a "True Black" option which I'm guessing was made specifically for AMOLED.... too good not to use!
kumarshah said:
I am using Nine as my exchange email client, that allows me to set a Pin on the email itself instead of needing it on the phone. Our company requires a PIN or a Password for mobile usage.
Click to expand...
Click to collapse
I use Nine as well, love it.
My company requires a pin or password, but I'm also able to use a pattern, which is much better than a pin or password for ease of use. Your fingerprint scanner on the new Nexus will be an option in addition to pin or password. No worries, it will all work.
WoodroweBones said:
Ok and not only does Nine have a Dark theme but it has a "True Black" option which I'm guessing was made specifically for AMOLED.... too good not to use!
Click to expand...
Click to collapse
also - you can change the notification icon from their little circle thingy to something that actually looks like a mail icon.
640k said:
also - you can change the notification icon from their little circle thingy to something that actually looks like a mail icon.
Click to expand...
Click to collapse
Very nice! It also does per folder notification which is just about the only reason I rooted my phone previously....
So far I've always seen that the security in the android phones is (OR) PATRON or FINGERPRINT or IRIS or PASSWORD or FACIAL RECOGNITION, something that in my view is not the most advisable given that we have demaciada personal information in the devices mobile.
I would like to know if there is a way to change this by another security algorithm that rewards the (AND) FACIAL RECOGNITION if this level happens then IRIS after overcoming this FINGERPRINT surpassing this PASSWORD, that would be the global idea of my doubt.
The idea would be to have more than one authentication factor in our devices as we do in our email accounts that we have the password and as a second factor of authentication we have a code by SMS or another.
I liked someone to help me know if this is possible.
Thank you.
To be honest. Mobile security is a myth and unless you are the president of the US or Putin then your data is not the focus of the theft to begin with.
Bio metrics are not secure as law enforcement can force you to unlock those, as can any thief. A password is about as secure as most people can get. There is better security. But that is not for 99.9% of people.
Hello everyone,
I am looking forward on using the Face-Unlock feature to not have to manually write all my different 27 digit password for banking, keepass,...
How ever, I really wonder how all this works and how this is still secure. For example "KeePass":
- I have a Keepass database with a master password for the database
- No one except me knows what password and it isn't saved or written down anywhere else
- Currently I enter the password, KeePass will test if it is the correct input for decryption, and if so, it will decrypt.
This is the point where I would want to use Face-Unlock in the feature.
So does my KeePass database then have two password (1x master password and 1x my facial scan)?
Or will I will to tell "Android" my master password for all my apps and it will store it somewhere in Android and simply "pass it on" to KeePass if the Face-Unlock is verfied?
I am asking because I do not want any app or system or whatever to save my master password as this might cause security risks that no one can really evalute.
Also I wouldn't want to add a second unlocking feature to my KeePass databe (the facial scan). Because it might be less secure than my master password and there for weaken the encryption of my database?
Thanks in advance!