Lost Features - No more KNOX container... what the hell Samsung? - Verizon Galaxy S 5 Q&A, Help & Troubleshooting

So after upgrading to the S5 today, I've noticed there seems to be no way to enable KNOX Personal containers on the device like I could on my S4.
Believe it or not, KNOX containers are awesome for accessing corporate resources on your personal device (e.g. exchange account for email and calendar synchronization), when accessing those resources makes you subject to domain policies, including giving IT the ability to remote wipe the device. Separate home screen, separate data storage for email/files/etc, are all things I depend on on a daily basis.
When using a KNOX container, a corporate remote wipe will just blow away the container contents, rather than erasing my entire phone. Losing this feature is almost a dealbreaker for me as it means I can no longer effectively use my personal phone for work. (The antithesis of the very BYOD Samsung is trying to promote with KNOX.)
I may be the odd man out for being one of the few people on these forums that actually has a use for KNOX, but I depend on it for my daily workflow, especially when I'm away from my desk. Thanks Samsung.

[GUIDE] Using KeePass and Dropbox to manage passwords

I had a situation where a friend's PASSWORD (singular) was hacked. He lost control of his email accounts, facebook, and several other things (luckily not his bank accounts). I wanted to share with you all, in case it is helpful for someone out there, how I manage my passwords in a secure way.
I use KeePass and Dropbox to manage my passwords.
I chose to do it this way because 1) It's free 2) I get multi-platform support 3) I control the encryption without having any other outside company holding the 'key' to my encryption [I'm not that paranoid, but it is an additional benefit worth noting].
I have a KeePass database (my 'password vault' as I call it) with a very strong password. I then have that database file on Dropbox (and in fact, I have the entire KeePass application in Dropbox as well as a Portable app so I can have my configuration settings, etc. synced as well.) This covers syncing my passwords in a secure and encrypted way to my PCs.
Then, I use KeePassDroid on my Android devices. I use DropSync (which acts like the 2-way syncing of the desktop Dropbox app) to sync the 'password vault' to my device. Whenever I update a password and save the password database, it then gets synced to my other PCs and my Android devices. The database is there but encrypted so I just have to enter my strong password each time I need one and then I get access to all of my passwords. On some of my devices that I don't use as regularly for things where I'll need passwords, I just use the Dropbox app to open the password database on an as-needed basis.
One of the nice features of KeePass, which I'm pretty sure some of the others have as well, is the ability to generate a random password for me. I can specify how 'complex' I want it to be, etc and it makes it for me. This way I don't ever have to remember my password and it makes it nearly impossible to guess what the password actually is.
You can also accomplish basically the same setup using Google Drive or Copy.com.
There are other companies out there, like LastPass, mSecure, etc, which offer great products as well (some of which cost money though). This is simply the route I chose to go. Like I said - a little more complex to get set up, but I'm very happy with the setup now that I've done the initial legwork.
The point of all of this is though - KEEP YOURSELF SAFE! Have STRONG passwords and NEVER, NEVER, NEVER use the SAME password for multiple things!
I use the same setup and it works perfectly. Using keys, OAuth and KeePass where possible/appropriate sure simplifies and secures daily life.
A bit in the wrong forum (it doesn't really have anything to do with this device) though.
Can use keepass2android and skip the dropsync step.
kodochax said:
Can use keepass2android and skip the dropsync step.
Exactly. This is what I've been using for a long time, works perfectly and has built-in Dropbox support.
Stopped reading after the first Dropbox... Nice gift for the US government!
Astagar said:
Stopped reading after the first Dropbox... Nice gift for the US government!
1. I think they will find you out anyway, using Android, iPhone or any hardware. 2. It's pretty well encrypted; just use a good key.
Good guide. I wish guides like these weren't buried in device-specific forums though. This is a general technique that any user can use and deserves more visibility.

Company wants to wipe my phone

I currently have an assignment at a company that takes security seriously, and rightfully so. One of the disadvantages is that, to access the Exchange server to sync my calendar & read my mail, I need to give them the rights to wipe my phone from a distance and such niceties.
I was wondering if something like MultiROM could be helpful in this case? Set up one ROM for limited use that they can wipe if necessary, and another ROM for real use. The question now is: is the data partition shared? If yes and they wipe my data, then I still lose everything.
What would you advise? I'm currently doing a "manual sync" but that's no fun & very error prone.
If you want to pay for it; use Nine mail application.
You can set a full device wipe or just application wipe.
So if your company decides to wipe it, only the mail gets wiped.
What kind of wipe? If you mean a factory reset or something like that, then yes. I mean a factory reset wipes just its own partition and won't touch the other partitions (I'm sorry for my bad English. I hope you got what I mean), so obviously you should sync your info between all ROMs yourself before the wipe.
But if you mean a kind of wipe from recovery, or a flash from a Windows PC or something like that, don't count on MultiROM or anything else!
Sent from my Nexus 6P using Tapatalk
Personally, if a company would remote wipe my phone if it gets lost or stolen because it contains company related info in it, I don't see the problem of letting them do so. I would even thank them for having my personal info wiped along with it. If I have issues with the company's terms regarding wiping data on MY phone (maybe like remote wiping without letting me know beforehand, even when my phone is not lost), I would use a secondary phone as a work phone.
The company should provide a work ? for you to use.
stankyou said:
I would use a secondary phone as a work phone.
I just realised the Samsung Galaxy S2 with its broken screen that my Nexus 6p will replace, will be perfect for this. No SIM card, just sync everything over Wi-Fi, done. Thanks for the creative thinking, all!
dratsablive said:
The company should provide a work for you to use.
I agree. If they want permission, they should provide the device.
Generally, companies that want your phone wiped any second are against rooting, unlocked bootloaders and custom roms. The best thing to do is to ask them about it first, so that you won't end up getting fired or sued.
Bluemail
PeterJP said:
I currently have an assignment at a company that takes security seriously, and rightfully so. One of the disadvantages is that, to access the Exchange server to sync my calendar & read my mail, I need to give them the rights to wipe my phone from a distance and such niceties.
I was wondering if something like MultiROM could be helpful in this case? Set up one ROM for limited use that they can wipe if necessary, and another ROM for real use. The question now is: is the data partition shared? If yes and they wipe my data, then I still lose everything.
What would you advise? I'm currently doing a "manual sync" but that's no fun & very error prone.
Ok, so to do this they need to install an MDM agent (Mobile Iron, AirWatch, etc.), a piece of software/application which is granted device administrator rights on your phone. These agents usually manage the security certificates and all the other things needed to authenticate the device with their systems and create a secure connection. If they configured their environment correctly, devices without this agent shouldn't be allowed to connect, which essentially makes the agent required. This is good as only secured and managed devices can connect.
However, as this is a personally owned device, you're allowing them a metric crap ton of access to your personal phone. As a device administrator, the agent can be used to:
* Browse / view / edit files on your phone
* View messages sent or received
* Use GPS to determine the device's location, or even map where the device goes 24/7.
* Change the lock code / pin for the device.
* Lock the device at will.
* Detect rooted devices and disallow service.
* All kinds of other Big Brother-ish type of things.
Your company should have some kind of mobile device policy. Ask to view it. This policy should define acceptable use of mobile devices for employees, and it should also define the acceptable use of the MDM solution for IT staff and management. It should define specifically what steps they will take if the device is lost/stolen, if you get terminated, or any other circumstance where they would want to wipe the device. If they don't have a mobile device policy, or if it does not clearly define these things, demand they provide you with a mobile device and do not grant them permission to use your personal devices. Why? If they don't have their **** together enough to have a policy protecting both them and you, it's just not worth giving them access to your phone.
Furthermore - They should have the ability to perform 2 types of wipes. An enterprise wipe, and a device wipe. The enterprise wipe will remove email, corporate data, corporate applications pushed through the MDM, and finally the MDM agent itself. It shouldn't remove any personal files or wipe the OS. It is often the practice to do an enterprise wipe for personally owned devices in a BYOD environment, but you should check.
So, is all of this MDM stuff bad? No. Your business has a right to protect their systems, networks, and information. MDMs allow them to do this. That being said, if they are making it a job requirement for you to access email 24/7 (or even for just a limited window of time which is outside of your normal shift hours) then the burden of providing you with the appropriate means of doing so rests with them as well. This often means they have to provide you with a mobile phone. If accessing email outside of your working hours is NOT a requirement - then don't! For goodness sake, take a break from the job man!
So... it is often better to carry 2 phones than to put a corporate MDM on your personal device. That's my opinion.
I know this didn't specifically address the OP, but I've had a fair bit of experience with this (both good and bad) and thought I'd chime in. I hope it helped.
how about the reverse, what can a person do to prevent them from wiping your phone?
Elnrik said:
So... it is often better to carry 2 phones than to put a corporate MDM on your personal device. That's my opinion.
Nice write-up!! I totally agree with you, 2 phones is the way to go.
https://play.google.com/store/apps/details?id=com.cloudmagic.mail
Access your exchange email without changing security settings on your phone.
ycats said:
how about the reverse, what can a person do to prevent them from wiping your phone?
Once their agent is installed and made a device administrator... Nothing.
Ergo - to prevent it, don't install the MDM agent.
---------- Post added at 07:00 AM ---------- Previous post was at 06:46 AM ----------
mikexda said:
Nice write-up!! I totally agree with you, 2 phones is the way to go.
Thanks.
I've had some companies tell me "hey, we will pay for your service" and what they wanted was to transfer my line into their business account. Great, I don't have to pay the bill anymore, but I just lost control over when I upgrade (or am eligible for upgrades, as business accounts are still largely based on 2 year contracts), what device I can upgrade to, what plan I get, etc. And here is the scary part of that scenario... Legally the phone number is theirs from that point on. They don't have to release it back to me if either one of us terminates employment. Damn slippery slope, that.
So, unless they are going to cut you a check for your service every month, and you are ensured to retain ownership of the account, best to avoid that altogether.
In fact, any company high on BYOD is doing it wrong IMO. It sounds good, but it can be a nightmare.
Do you actually have to have work email on your phone?
Firms usually offer a corporate device, you can have your email on that, should be a cheap month to month contract.
my personal android phone has 9 email for receiving work email..........MDM agent isn't installed. I believe my coworkers who have iphones do have that installed.
Interesting discussion. Let me first point out that I am not an employee there. I'm an external contractor. So they won't provide me with a phone.
Second, their company policy is to provide iPhones for employees who need it. Not Android. There's a short FAQ with details on how to connect to their Exchange server, but that's when my phone pops up that the server wants access to wipe the phone. I haven't written down the details of the message, though. It could be just the Exchange part, which would be ok. Last thing I want is another party to have any form of control over my personal phone after my assignment ends.
Bluemail looks cool, I'll try it out. I'm curious to see how it reacts to the demands of the Exchange server. In any case, I still have my old phone which will do to stay in the loop when off-site and access my calendar. I might want to have an app that actually copies the calendar to a Google calendar, but I'll look for that when I get my new Nexus 6P & start setting up my Galaxy Sii for the plain purpose of accessing that wretched Exchange server.
ycats said:
my personal android phone has 9 email for receiving work email..........MDM agent isn't installed. I believe my coworkers who have iphones do have that installed.
Depends on your workplace. Some are more relaxed about it. Personally I avoid it and use a dedicated device.
---------- Post added at 04:49 PM ---------- Previous post was at 04:46 PM ----------
PeterJP said:
Interesting discussion. Let me first point out that I am not an employee there. I'm an external contractor. So they won't provide me with a phone.
Second, their company policy is to provide iPhones for employees who need it. Not Android. to a Google calendar, but I'll look for that when I get my new Nexus 6P & start setting up my Galaxy Sii for the plain purpose of accessing that wretched Exchange server.
I know a firm who does exactly that, iphones. If it were me I'd avoid it and get out your s2. But that's me. Are you rooted? How does the MDM play with root? If reported would that provoke a wipe? Surely that can be blocked.
What about the exchange hack? Would that be of any use?
Touchdown in the store.
tech_head said:
Touchdown in the store.
Was just about to say it has its own secure app container so wiping only wipes company info. Used it for years.

How to "lockdown" a phone for users.

Hi, I'm new to XDA. I'm an Android developer, but this is a bit outside my wheelhouse. My company is providing no-cost phones to low-income disadvantaged families for health care and health monitoring purposes in conjunction with a local hospital and local health departments. We developed the app in conjunction with local health departments, and we are procuring the devices (LG G2 (VS980)) from a wholesaler of refurb phones. We would like to "lock down" the device to prevent abuse and eliminate company liability. The devices remain company property and will (hopefully) be recovered and re-used for other patients when a patient leaves the program. These devices are solely for the purposes of the program and general purpose smartphone functions are only permitted when not affecting the data/voice/sms service plan. (i.e. Calculator)
While I am capable of using Google, I keep finding information about parental locks. I am looking for information specific to:
1. Restricted dialing to a few numbers that we specify (We might have to provide a custom dialer, 911 service ok)
2. In-bound only SMS, No outbound SMS AT ALL (We might have to provide a one-way only SMS app, replacing the default - How to remove the default app?)
3. No ability to install other apps, no google play
4. Auto-update of our app with no google play account needed
5. Restricted web browsing to servers we list (i.e. only patient web portal)
Many thanks in advance.

Corporate AirWatch On Multiple User Accounts on Android

I feel confident my employer sniffs end user traffic and is in our personal lives a lot more than I want. We have a BYOD device policy, but I have to have AirWatch on to get corporate email, contacts, and calendar. I gotta give a little to get a little. I don't feel comfortable with the "unknown" that our IT department isn't educated enough to elaborate on. So... I'm here to speak to some wizards who can run circles around my IT department.
I am using a Nexus 6P so I can take advantage of Guest Mode (give my phone to my toddler, he can't damage anything); I have a personal account where I jump to when I want to do personal things. I have a corporate profile, where I have AirWatch configured where I only use the user space for work related surfing, and etc. I own this phone and the phone number.
Being that AirWatch is installed on my device, how private is the user space when I'm using my phone with a profile where AirWatch is not configured; e.g., my personal profile?
I would like to know what situations to be aware of before I start making irrational decisions about my employment. Information is power and I'm seeking such. How much can they see on profiles?
I appreciate serious conversations about this. Thank you.

Will installing Outlook in Secure Folder prevent IT admin from remote wiping my S8?

I'm currently using my private Note Edge also for work. I'm using Outlook from within KNOX and am under the (possibly false) impression that my company's IT admin won't be able to wipe my entire phone, only the KNOX container. This is obviously a very unlikely scenario, but still one that concerns me enough to use KNOX.
In a couple of weeks my employer will give me an S8, which lacks KNOX. The question is -
will I be able to achieve the same protection against remote wipe if I insist that IT will install Outlook within Secure Folder?
No. Remote wipe wipes everything on the device, especially the secure folder, as in almost all cases that is the most sensitive information on the device which would be the most damaging if attackers got ahold of it.
That's disappointing. Not much of a sandbox if applications can reach outside from within it...
OH! I apologize, I misunderstood your question!
I thought you were asking if data inside secure folder was safe from erasure by factory reset, which the answer is most definitely no. But you have Outlook installed inside the container, and want to know if your device can be factory reset through the Outlook connection via the secure container, correct?
I suppose that would depend on what access you gave Outlook to communicate with the rest of your phone. For example, without administrative access, even a natively installed app can't factory reset. I don't know much about Outlook or exchange, but do you have the exchange account added as an account on your device, or is it just setup inside Outlook?
Yes, I'm talking about Exchange configuration of Outlook installed in Secure Folder. Specifically the screen linked below*. I don't think when I did it in KNOX there were any additional steps required outside the container, but I haven't used Secure Folder yet so don't know how similar it is.
* http://kb.mit.edu/confluence/pages/viewpage.action?pageId=152588344
Edit: should have read original question more carefully.
No idea what will happen, sorry. But ultimately it's their phone.
The question you should be asking is why they'd choose to deliberately disable the only bit of the phone that makes it genuinely valuable for an employer with confidential data stored on it.
Taking a step back, why are you trying to prevent the remote-wipe by the IT folks? Is it that you think they may go rogue? If not, the reason to initiate a remote wipe would be if your device is tagged as lost, etc, right? You did state that they are providing you the new S8, so it is really their phone isn't it? In many companies, if you try to circumvent IT policies, it can be accounted as wilful misconduct and termination of your employment. Is losing your job and paychecks that you get from it worth the risk?
My two cents:
1. Let them do their part the way they want to. If you are allowed and also using the phone for personal use, then have backup mechanisms to backup your "personal" photos, etc (aka in-home wifi sync with MyPhoneExplorer, automatic backups to Samsung Cloud, camera upload to OneDrive, etc.). Make sure any backup/cloud syncs of your personal data are allowed by IT policies, and is only limited to your own personal files (aka excludes company Outlook/Exchange data).
2. See if they have instructions or if they would be OK with using a non-native containerized Exchange client. With those apps, a remote-wipe is received by the containerized app and only wipes the app's encrypted datastore. TouchDown used to be the one to use years ago, but I have heard they got acquired by Norton, it has been put to rest by the new owner. However I suspect there are other apps that may have filled the gap.
It's actually not specific only to remote wipe, but to the extensive permissions my employer has over my phone (see the link I posted below). Even if they provided the phone, I expect them to have control only on what's related to my work, which is basically only work email.
It's similar situation to a company provided car. I wouldn't want my company to install a tracking device and have visibility into where I am at with the car at any time of the day.
In any case, thanks for the notes about backup. I definitely should do more to make sure my files and data are not gone if my phone gets stolen or wiped.
Depends on whether the MDM/EMM thinks your device is Personal or Corporate.
If Personal, you're at risk of an "Enterprise Wipe" (of just corporate content, possibly including corporate contacts/calendar/email).
If Corporate, they can wipe the device, like a factory reset.
Do you know which MDM/EMM is to be used?
Might make more sense to have the corporate content in the Secure Folder.
