[Q] Exchange Security Policy & encryption & password lock - Galaxy Note GT-N7000 General

Hi,
I configured our Exchange server for corporate push mail on my Galaxy Note with March 2012 firmware. There's an "optional encryption" requirement in the policy, where the Exchange server asks for encryption if the device supports it.
Since Galaxy Note supports encryption, it enabled the encryption and asked me for a password.
Now, each time the screen locks, I have to enter a complicated password (consisting of characters, digits & a special character!) to unlock it! The phone became very unusable!
I understood from the post of "Eviip" in the page below that this is actually a requirement from Samsung's side when you enable encryption, since my Exchange policy definitely does not require this. All other colleagues with Androids that can't do encryption, or who are using iPhones, can just type a 4-digit PIN code and use their phones.
http://www.google.com/support/forum/p/Google+Mobile/thread?tid=6355566b726a0932&hl=en
Is there anything I can do for this, except buying a 3rd party mail application?

Weird, because as far as I understand it GB doesn't support device encryption, only ICS does...
What ROM are you running?
Also, did the exchange policy configure the encryption or did you do it? Because as I understand it the exchange policies don't demand device encryption, just mail stream encryption (but I'll look into that further) and that is pretty innocuous stuff...
Sent from my GT-N7000 using Tapatalk

I see the same behaviour (gNote running 2.3.6 XXLA6; ActiveSync / Exchange Server 2007 SP2). With ActiveSync policy pushed through to device, I have to use strong password to unlock, even though the policy only calls for 4-digit PIN.
I'm using TouchDown mail client as a workaround (at least for the next 30 days) but hoping the ICS update due out "soon" will fix the "problem".
Is there any feedback avenue to Samsung regarding this "feature"?

thomas_d_j said:
I see the same behaviour (gNote running 2.3.6 XXLA6; ActiveSync / Exchange Server 2007 SP2). With ActiveSync policy pushed through to device, I have to use strong password to unlock, even though the policy only calls for 4-digit PIN.
I'm using TouchDown mail client as a workaround (at least for the next 30 days) but hoping the ICS update due out "soon" will fix the "problem".
Is there any feedback avenue to Samsung regarding this "feature"?
TouchDown is no option for me, because it supports 2 different Exchange accounts at a time only with "profiles", which is unusable for me!
Regarding your problem: I know for sure that there were some hacks for this (a modified apk which doesn't incorporate the lock requirements). The downside is: with every ROM upgrade you would have to redo this hack, as the mentioned apk may change in the system itself to a newer version...

Yeah, same for me.
I've updated to 4.0.3 ICS, but now I want to use no password or PIN to unlock the screen. Does that mean I can't use my Exchange policy? (My GN doesn't have any private data to secure.)
So can you show me? Thanks!

I finally gave up with this and used the patch that I found in the forums (for rooted phones). It works pretty well!
http://forum.xda-developers.com/showthread.php?t=1117452

Needed Development - Security Policies on Exchange Servers

At my work, to access OWA I need a passcode (RSA, which is a pain in the ass if your connection is cut), and due to the security policy of my work, I can't access the Exchange e-mail account on the Android (it is on an Exchange Server 2003 SP1, with a forced password policy that prompts for the password after every minute without use and wipes everything when the password is wrong too many times).
iPhones and WM-based devices are activated normally through the same server address to the Exchange mobile service (with the security policy enforced), but (I think) due to the unlock pattern tech, where there's no password and security sucks, I just can't configure it.
Even the Radius server blocks my nt account after a few attempts.
On the other e-mail with the Exchange server 2007 SP1, no policy, it works great..
I love android and I don't really like the idea of coming back to a WM or trying a iPhone or maybe a Blackberry since we have a BES too..
On the WM devices I installed a program that removes the annoying constant requests for the password without removing the certification stamp that I'm following the policy...
Somebody came up with something like this for android?
Is something it can be worked around on future developments?
Any idea on working around on my issue?
Simply install something like Touchdown....
In any case.. this is not really a development question.

Exchange security policy

I've read a few threads after searching on Android and Exchange but can't really find what I'm after.
I need to enforce a security policy if users want to sync their Exchange account. There's a few people in the office who want Android devices (we provide them with a device) but until there's something which enforces something along the lines of a PIN after 20 mins à la WinMo then we can't do it.
Anyone have any ideas if it's coming or if there's an app to do it? I've tried Touchdown but just seems the same as the Hero Exchange app to me.
I've not tried Touchdown, but they say they support PIN enforcement.
http://www.nitrodesk.com/dk_touchdownFeatures.aspx
Regards,
Dave
Yes, Touchdown and Roadsync both support the PIN function (they ignore it somehow, as Android doesn't have a PIN function!),
although I do believe that it is technically possible to exclude individual accounts from the policy on the server (although not exactly the best idea in terms of security).
Alternatively, just do what we did at work and say 'No, you cannot have an Android Phone for your Work Phone'.
Since the ROM update on the HTC Hero, I have been able to access my work email (a massive, highly secured company who generally know what they are doing) and I know for a fact that they enforce this kind of security arrangement on mobiles that want to connect. However, Android has somehow got around this, there is no remote enforcement, and I can use my phone for these emails via PUSH. (I use the gesture lock as a password.) You could get them to sign an agreement that they will apply this kind of thing to their phone manually. I don't know if there is an app for remote wipe.
Your company isn't allowing you in through some backdoor or anything... depending on their version of Exchange they are simply allowing you to use ActiveSync through Exchange.
What we all really need is an Android client to take advantage of Exchange 2007's Exchange Web Services protocol; ActiveSync is old technology and limited.
O.P. - You can limit users on a single user basis, if you're running windows active directory. Need a little more info on what you are trying to accomplish. If you're allowing them to use their mail client setup they are saving a password that is not clear text and is hashed... you can install a remote wipe on the phone and if they lose it, simply wipe it and forget it.

Unlock Code Changed (BSB Tweaks Prob)

Okay, my HD2 yesterday forgot my unlock passcode, I have not installed any version of sype, and running 1.66 WWE stock Rom. My Exchange Server security policies forces a passcode.
What i have found (tested) is that an option in BsB Tweaks is causing the problem.
The option that is causing this (or at least for me) is 'Owner Information - show or hide owner in settings'
When enabled, with the show notes, your Owner information and notes are displayed when you wake the phone (before slide to unlock) I wanted this option because it gives you a slightly better chance of recovering your phone if it gets lost.
It works well initially, then for some reason it fails to show; restart the phone and BANG, your passcode won't work!! I have experimented with this and it happens every time.
Thought I'd let you all know my findings, and hopefully this bug can be ironed out.
regards
Paul
I've tested it some more today, and I'm pretty sure that it is the Owner info. Going to leave it off now, but would definitely want this feature fixed. As I said before, it does give me a slightly better chance of getting it back if it gets lost!
Have you tried using the Recovery Password from the Outlook Web Access for your exchange server?
It's not the Exchange password that gets forgotten, it's the unlock code for the phone!!! You just can't unlock the phone, hard reset is the only option!!
It's a known problem for some people that install sype! Same thing, your passcode just will not work.
Paul Boy said:
My Exchange Server security policies forces a passcode.
Microsoft said:
You can use the EMC, the Shell, or Microsoft Office Outlook Web App to recover a device password.
You can require a device password through Microsoft Exchange ActiveSync policies. A user can configure a device password even if your Exchange ActiveSync policies don't require one. If users forget their password, you can obtain a recovery password using the EMC or the Shell. The recovery password unlocks the device and lets the user create a new password. Users can also recover their device passwords by using Outlook Web App.
Is what I think you are looking for.

[Q] Corporate email on Gingerbread

Actually, this is a question to all Gingerbread ROM developers.
While using Froyo I was able to use corporate Exchange email and calendar without any security limitations, but after I tried almost all Gingerbread ROMs, every one forces me to set a phone unlock password and threatens to give the server admins the ability to wipe my phone remotely... How can I bypass that? Just to have the same Exchange features without that security stuff?
tonyio said:
Actually, this is a question to all Gingerbread ROM developers.
While using Froyo I was able to use corporate Exchange email and calendar without any security limitations, but after I tried almost all Gingerbread ROMs, every one forces me to set a phone unlock password and threatens to give the server admins the ability to wipe my phone remotely... How can I bypass that? Just to have the same Exchange features without that security stuff?
If you revert back to Froyo, does it not require PIN security? Is there any chance that your company now requires this?
I have both a G2 on CM 6.1.1 and an HD2 on Gingerbread. However, my company does require PIN security. Now what bugs me is my Droid X did require a PIN every time I put the phone into "Sleep" mode.
This is something that your company's Exchange Server admins have enforced. I know mine is that way.
I went back to Froyo and it DOES NOT require me to set any PIN or password, it just works as before.
Is there any way to port the email application from Froyo to Gingerbread?
There is an excellent app on the Market which I have used for this purpose as my company block access from my phone. This bypasses, and even though I only have owa it acts as though I have active sync.
I have not posted the name as whilst it is free on trial for 30 days , it is then a paid app ( and it's not cheap!)
Pm me if you want more information
I know what you are talking about, but I'd like not to share any passwords with a 3rd party app.
I rolled back to Froyo.
I paid attention that the corporate BlackBerry does not require any passwords, just simply unlocking the keyboard.
tonyio said:
I paid attention that the corporate BlackBerry does not require any passwords, just simply unlocking the keyboard.
Blackberrys (*spit*) are different, they rely on a BES server which interfaces between the phones and the exchange server.
They can be set to require a password, and can be set so that if you get the password wrong enough times it wipes the device.

[Q] Exchange wants a "Security update"?

I've had my Acer for about two weeks, and have had some trouble with connecting to my Exchange server at work. Actually, with every setup (Stock 3.1, HoneyVillain, Toobinay), I can set up my account and start using e-mail. Then, after a couple of days, I get a notification "Security update required" in the notification area, and a similar message across the top of the screen in the e-mail client. After this, the account sync stops. Touching the messages does nothing (does not launch a setup screen or anything like that). Deleting and re-configuring the account has worked temporarily, but stop shortly thereafter.
Is there a known work around for this problem?
I read in one (semi-related) thread that Acer required encryption, but if that was the case, then why would the account sync for a while and then stop working?
Is this build-related? I thought I saw someone mention some fixes in the latest builds (...41), but this didn't work for the time that I was on Stock 3.1 (I don't recall the build number, but was there an update in the last two weeks?)
Would a HC3.2 ROM fix this issue?
Conversely, is there a separate client that anyone could work in managing the security for that e-mail (i.e. K9 or Touchdown) that also works well in tablet form factor?
Just as an update. Tried a 3.2 ROM (Minimal) without a change in the behavior. Then tried providing a password for encryption under security settings and activating ability to store encrypted credentials. This seems to have worked, but other measures have appeared to work. Keep my fingers crossed.
It's funny, IIRC, other devices of mine have automatically set that part up when connecting to my account.
I can't connect to my Exchange account either. Mine at work is Exchange 2010.
first you have to set a pin, then you have to encrypt your tablet, this is obviously something included since 1.39 in 3.01.
this may take up to an hour approximately.
then you should be able to connect.
by default, exchange 2007 and 2010 require device pins. You have to set one unless the exchange admin configures the server to allow insecure mobile devices in the exchange server configuration. I haven't come across a requirement for encrypting a mobile device yet, but it is likely a similar setting.
I usually turn off the pin requirement as it is rather annoying and does not always go over well with management types that want quick access to their phones. Fortunately that trend is changing with newer security threats and high profile phone losses/thefts.
I'm surprised you were able to connect at all. The native email client and touchdown both respect the pin requirements and won't allow you to finish configuring the account until the requirement is met.
With what I have done, I find that I can connect and use the exchange functions, but I continue to get the same message every now and then. Strangely enough, tapping on the message is now effective in re-enabling sync with my company's exchange server.
I have not yet done the whole device encryption as a possible solution. Does anyone know the kind of performance effects (if any) there are with encryption of the device?
Sent from my A500 Xoom using XDA Premium App
Now requesting security update again and is not syncing e-mail.
I encrypted device this morning without any benefit to the sync process.
On a related note, do I have to factory data wipe to remove encryption before making any other changes to my ROM (update current ROM or change to another)?
Figured out my primary issue. The administrators set a requirement for an alpha passcode that Android doesn't pick up, so my numeric passcode was creating a problem. Unfortunately, the system couldn't tell me it was a problem.
Still wondering what to do with my encryption now.
Sent from my Nexus S 4G using XDA Premium App
first of all, encryption does not slow down the ICONIA, because it decrypts data only during power up process, after the data is decrypted.
I am connecting to an exchange server 2007, and everything works fine once the encryption process is done. Otherwise no way to connect to the exchange server with or without ssl.
That's why I found it strange that you can connect without encryption, because it is part of ANDROID 3.01 1.39 and upwards 3.14 and 3.2. This is not specific to ACER in my mind.
So what ROM are you using?
zoubidou said:
first of all, encryption does not slow down the ICONIA, because it decrypts data only during power up process, after the data is decrypted.
I am connecting to an exchange server 2007, and everything works fine once the encryption process is done. Otherwise no way to connect to the exchange server with or without ssl.
That's why I found it strange that you can connect without encryption, because it is part of ANDROID 3.01 1.39 and upwards 3.14 and 3.2. This is not specific to ACER in my mind.
So what ROM are you using?
I'm using Minimal 3.2(.1), but was able to obtain the (limited) connectivity even with Stock, Taboonay, HV prior to encrypting.
I'm considering going back to stock and see what happens with different settings.
My clue to the passcode part was that I also have an iPad, which works fine to connect to the Exchange server (with an alpha passcode). I just tried switching it to a numeric passcode and could no longer connect. iOS was worse than Android as far as reasons, though; it just sat there trying to connect without any kind of error message.
There must have been something they changed recently in the security protocols for my company's Exchange, because the problem even happened on my phone, and I've been using a numeric passcode on that for some time. Trouble was, our IT helpdesk had no idea if anything was changed, so they were no help in identifying the issue.
Which Exchange server version are you running? 2003, 2007 or 2010?
I can give you a hint on 2007 which possibly also works with 2010.
You open Exchange management, go into organisation configuration, client access, create a new profile, go into "password", remove password required, and in "general" activate "authorize dumb peripherals".
Make this new profile the default profile, then try again.
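An added example, not part of any post in this thread: a PowerShell check an Exchange administrator could run to see which ActiveSync mailbox policies carry the settings discussed here (password not required, non-provisionable devices allowed, alphanumeric password that PIN-only devices cannot satisfy). The property names are those returned by `Get-ActiveSyncMailboxPolicy` in the Exchange 2007/2010 Management Shell; `Test-EasPolicy`, the thresholds and the two sample policies are assumptions constructed for illustration.

```powershell
# Added example. Test-EasPolicy is a hypothetical helper name; the thresholds
# (minimum length 4, any finite lock timeout) are assumptions, not Exchange defaults.
function Test-EasPolicy {
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)] $Policy)
    process {
        $findings = @()
        if ($Policy.AllowNonProvisionableDevices) {
            $findings += 'devices that cannot enforce the policy may still sync'
        }
        if (-not $Policy.DevicePasswordEnabled) {
            $findings += 'no device password required'
        } else {
            if ($Policy.AllowSimpleDevicePassword) {
                $findings += 'simple passwords such as 1111 or 1234 accepted'
            }
            if ([int]$Policy.MinDevicePasswordLength -lt 4) {
                $findings += 'minimum password length below 4'
            }
            if ("$($Policy.MaxInactivityTimeDeviceLock)" -eq 'Unlimited') {
                $findings += 'no inactivity lock timeout'
            }
            if ("$($Policy.MaxDevicePasswordFailedAttempts)" -eq 'Unlimited') {
                $findings += 'unlimited unlock attempts, no wipe after failures'
            }
            if ($Policy.AlphanumericDevicePasswordRequired) {
                # Not a weakness: a numeric PIN cannot satisfy this policy, and the
                # device may report that only as a vague "security update" prompt.
                $findings += 'note: alphanumeric password required, PIN-only devices will not comply'
            }
        }
        if (-not $Policy.RequireDeviceEncryption) {
            $findings += 'device encryption not required'
        }
        New-Object PSObject -Property @{
            Name = $Policy.Name; IsDefault = $Policy.IsDefaultPolicy; Findings = $findings
        }
    }
}

# Constructed sample policies so the check runs without an Exchange server.
$samples = @(
    (New-Object PSObject -Property @{
        Name = 'Relaxed (constructed)'; IsDefaultPolicy = $true
        AllowNonProvisionableDevices = $true; DevicePasswordEnabled = $false
        RequireDeviceEncryption = $false }),
    (New-Object PSObject -Property @{
        Name = 'Alpha passcode (constructed)'; IsDefaultPolicy = $false
        AllowNonProvisionableDevices = $false; DevicePasswordEnabled = $true
        AllowSimpleDevicePassword = $false; MinDevicePasswordLength = 6
        AlphanumericDevicePasswordRequired = $true
        MaxInactivityTimeDeviceLock = '00:20:00'
        MaxDevicePasswordFailedAttempts = 8; RequireDeviceEncryption = $true })
)

$samples | Test-EasPolicy | ForEach-Object {
    '{0} (default={1}): {2}' -f $_.Name, $_.IsDefault, ($_.Findings -join '; ')
}

# Against a live organisation, from the Exchange Management Shell:
#   Get-ActiveSyncMailboxPolicy | Test-EasPolicy
```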
Right now, everything *seems* to be working (crosses fingers). I've even gone back to rooted stock with custom kernel, kept tablet encryption and all other security settings (alpha passcode, secure credentials, etc.).
I think I'll take the advice in your sig -- and not fix it
Thanks.
A further update.
Continues to work, but I still get the update required message on and off. At least I've determined an easy way to reset it in the accounts section. I think the tablet and/or server are somehow forgetting each other.
Sent from my A500 using XDA Premium App
First of all, encryption does not hinder anything; as long as you use a stock-compliant kernel like richardtip it works very well, including OC.
Updating or changing ROM does not require any changes as long as they are compliant with stock, and you don't have to factory reset.
mevensen said:
A further update.
Continues to work, but I still get the update required message on and off. At least I've determined an easy way to reset it in the accounts section. I think the tablet and/or server are somehow forgetting each other.
Sent from my A500 using XDA Premium App
Spoke too soon, now the security update message won't go away. I don't think I'll go back to 3.2 until the Acer update in a couple of weeks. Meanwhile, trying Moxier Mail application.
Sent from my A500 using XDA Premium App
I would only use stock 3.1 or stock-compliant custom ROMs with or without richardtrip's kernel, because obviously when it does a first-time installation it calculates an offset (possibly where the keys are stored) and this offset is never in the same place. It seems that this is proper to ACER; XOOM is doing things a different way, and hence does not work on an Acer machine. The ACER 3.2 should be available at the end of this month (after the 25th), so why not wait 10 days.