[Q] question for those who use activesync with exchange server. - Nexus One Q&A, Help & Troubleshooting

Up until recently, the corporation I work for only authorized blackberry devices to sync with the exchange servers. They've just recently started allowing iPhones and certain android devices to do the same.
On the corp intranet page that deals with this it explains that once you setup activesync a phone lock passcode is required, screen timeout of less than 15min is required, and 5 incorrect passcode attempts, lost/stolen, or something like leaving the company will result in a wipe that will affect non work related data loss as well. The next sentence then says that if it can't be wiped remotely it is the employee's responsibility to do so.
I don't know if some of that wording is from the blackberry only days or what.
If I were to go ahead and get authorization for this, would setting up an activesync with the corporation exchange server really allow them to wipe my phone, including personal data? Would it really make my phone require a passcode and limit my screen timeout all by just syncing?
I just don't know what kind of control is really possible simply by setting up an activesync account.
I hate using our web access bc it requires an id and 2 passwords and even though I can use lastpass to make that easier it's still slow/inconvenient.
I don't want to ask IT about all this bc I don't want them to think I'm trying to get around the system or give me an incorrect answer (fortune 100 company, they deal with a lot and don't know everything about everything).

One of the features introduced in Froyo with Exchange/ActiveSync support was remote wipe. I believe they'll have no problem wiping your phone, unless you disconnect that account first.

Jack_R1 said:
One of the features introduced in Froyo with Exchange/ActiveSync support was remote wipe. I believe they'll have no problem wiping your phone, unless you disconnect that account first.
I'm actually less concerned with wiping than I am with being forced (by that I mean them somehow enforcing my settings such that I can't make my screen timeout longer than 15min or have to use a passcode to come out of sleep). I've never lost a phone and am willing to deal with consequences of not having a damn unlock code. I just don't want my phone to be locked into particular settings. Hope that makes sense.

Related

Problems with BBC on the Tilt

Hi everybody,
I'm really struggling with the BBC for the Tilt. I would MUCH rather use ActiveSync, but it's against company policy so I'm SOL on that. I'm forced to either buy a Blackberry and give up my Tilt or install BBC. I chose the latter.
I've been having problems with it ever since and I've had trouble finding resources to help out (mainly because most people don't use BBC on Tilt).
Here are the problems:
1. BBC often will randomly say "suspended by user" (even though I haven't), which prevents me from getting new messages, and unless I'm always looking to see if the service is running, I'll never know if I'm not getting email or if it suspended itself
2. BBC will just as often randomly say, "blocked - radio in use".
3. I can't get any integration going with the calendar at all. And when I receive calendar/meeting requests, it comes to the Tilt as email messages, not as meeting requests, so I can't accept them and add it to my calendar
Now, the limited amount of information I was able to find suggests that problem #2 may have something to do with interference with ActiveSync. I've tried the technique where I add a fake server source then make the schedule manual, but ActiveSync still won't go away permanently. I use it to access my Tilt files through Windows, so I can't uninstall it altogether. Also, when I tried to uninstall it before, it deleted all of my non-SIM contacts from the Tilt along with it, because all of my contacts were imported from Outlook.
Anybody have any ideas or solutions?
I think these are common issues, especially if you are using the Tilt on AT&T.
1) I'll go days without losing connection to blackberry services then it seems like it will lose it every night for 2 or 3 days. It may be related to activesync or it may be related to network issues. I always check the blackberry icon. If there's a "!" there, I know I need to reconnect.
2) At least with AT&T, you can only have one active data connection. Either it's the blackberry service or it's something else. The something else is active and keeping the blackberry service from connecting.
3) Check your pim options screen and make sure the calendar box is checked. If I remember correctly, when I first installed it was not checked by default. Contacts, tasks and notes are also configured in this screen.
You may have a point about activesync. I always kill it when I can but it auto starts. If I understand correctly, it is checking or setting the network time?
mitchrl said:
I think these are common issues, especially if you are using the Tilt on AT&T.
1) I'll go days without losing connection to blackberry services then it seems like it will lose it every night for 2 or 3 days. It may be related to activesync or it may be related to network issues. I always check the blackberry icon. If there's a "!" there, I know I need to reconnect.
Yeah, that's what I usually have to do, but I hate that I have to do it - it defeats the purpose of push email if you have to always check to see if it's still pushing, lol.
People have recommended uninstalling ActiveSync when using BBC, but I can't possibly see how that's practical because I use ActiveSync to maintain my contacts and to add music and files to my Tilt. Is there some other way of doing this without using ActiveSync?
2) At least with AT&T, you can only have one active data connection. Either it's the blackberry service or it's something else. The something else is active and keeping the blackberry service from connecting.
That's what I've read. But there have been times when I've done a Stop All on all services, and I still got a radio in use message. Strangely, there have been times when both ActiveSync and IE were running and I was able to get BBC running no problem. The inconsistency is maddening because it becomes impossible to isolate a cause and solve it.
3) Check your pim options screen and make sure the calendar box is checked. If I remember correctly, when I first installed it was not checked by default. Contacts, tasks and notes are also configured in this screen.
Whatever is being maintained by ActiveSync (contacts) is greyed out on my Tilt, but everything else (calendar, notes and tasks) is checked, so I should be OK. But calendar items are still arriving in my inbox as regular email.
You may have a point about activesync. I always kill it when I can but it auto starts. If I understand correctly, it is checking or setting the network time?
Interesting. I thought I was doing something wrong since people swear by that technique as a way to get ActiveSync to go away permanently. But it always comes back for me.
It says "radio in use" when Media.Net is active possibly through a IE or weather type program.
Some of the NEWER ROMS allow dual connections for BBConnect & Media.net. I saw a thread yesterday that showed the precise registry entry to make to allow this without burning a new ROM.
What thread was this? And when you say "newer ROMS" are you referring to official ROMs like the one on the HTC website or the XDA ROMs?
Demigawd,
Make sure the wireless calendar service (cical) is running properly. What version of bbc are you running? I'm running 4.0.0.97. Its behavior is a bit different than previous versions. It seems to block other data connections instead of bb getting blocked.
The only other suggestion I have is to remove and reinstall bbc. I would also have bes sync everything including contacts until you are sure calendaring is running correctly. If it's still not working correctly, maybe check your bes for a non-standard it policy.
I think the registry entry for multiple data apns is volatile and gets overwritten after every soft reset. A custom rom is probably the only way around that.

Microsoft Exchange FORCED Password Lock

Hey Guys,
I have an issue (not really an issue, but would like some information)
I currently have my phone setup with my work email via microsoft exchange setup through the phone. Now i'm assuming that the certificate that my company uses, requires me to have a password lock on my phone for security purposes. It initiates the password when the phone is not in use for more than 20 minutes. This drives me INSANE! i always have to type in a 4 digit "simple pin" to unlock my phone if i haven't touched it for 20 minutes.
How can i disable this? The menu which i have to setup the pin # doesn't allow me to uncheck enable.
Is there another certificate i can use which doesn't require me to lock the phone?
My friend works for a different company, and uses the same method for email, and i guess their company isn't secure as she doesn't have to use a security pin at all.
Any help would definitely be appreciated!
Thanks Guys!/Girls!
I know that having a password forced on you, when you didn't have one before, can be really annoying at first. However, after a bit of time it just becomes normal and isn't really an issue. You are talking a trade off of 2-3 seconds vs. free access to confidential company data/files.
When you first connect to an Exchange 2007 (guessing this is what's being used) system it prompts the phone to make the changes (accept), you don't have a choice. As you mentioned, having the password feature is "secure" compared to your friend's company that "isn't secure". Enterprise users should have passwords enabled. Wanting to bypass it kinda smacks of not caring about your employer's rules/policies, security and ultimately others who work at your company.
I know in our environment it would be a violation of company policy and a clear and deliberate breach of it, turning off a security feature. You would be speaking to the IT Manager and Human Resources as soon as caught about your future or lack thereof.
Damn.... i guess you're right!
Thanks for the input!
If you do a search you will find a fix which will essentially push the timeout to 24 hours versus the 5-10 minutes that is given normally. This ensures the lock is still present (especially for rebooting and activesynch connect) but you only get bugged to do it every once in a while.
Just search around - you'll find it (I recently changed my registry to have a 24 hr time out.) This is something that Exchange does not check when you synch. If the password is removed then you will get dinged by your admin sooner or later.
jessiethe3rd said:
If you do a search you will find a fix which will essentially push the timeout to 24 hours versus the 5-10 minutes that is given normally. This ensures the lock is still present (especially for rebooting and activesynch connect) but you only get bugged to do it every once in a while.
Just search around - you'll find it (I recently changed my registry to have a 24 hr time out.) This is something that Exchange does not check when you synch. If the password is removed then you will get dinged by your admin sooner or later.
agh... wtf do i search? lol
oh boy, the adventure begins! wish me luck!
ok i think i got it!
the only stuff i could find was to disable it permanently... nothing regarding changing it to 24 hours.
mightymike84 said:
ok i think i got it!
the only stuff i could find was to disable it permanently... nothing regarding changing it to 24 hours.
nevermind.
i did the following:
HKLM/Security/Policies/Policies/00001023 to value 1
changed that reg entry, and instead of disabling the lock, it actually displayed a 24 hour option, so i chose that instead of disabling it.
thanks for the help guys!
Keep in mind that you really dismiss your company's policy. This might be the cause of serious legal problems.
Furthermore, the device will recheck the policy after some hours, iirc the standard is to check every 24 hours
Have fun!
mightymike84 said:
nevermind.
i did the following:
HKLM/Security/Policies/Policies/00001023 to value 1
changed that reg entry, and instead of disabling the lock, it actually displayed a 24 hour option, so i chose that instead of disabling it.
thanks for the help guys!
Just what I was looking for. The other option was to turn on the phone regularly before the Password timeout
tugboat said:
Just what I was looking for. The other option was to turn on the phone regularly before the Password timeout
And should your problem return (as your server will probably reinforce its policy), have a look at this page: http://www.zenyee.com/?s=stay+unlock
This great tool has been working fine for me on all my WM5/6/6.1 devices....

Exchange Settings Disabling my Camera, and ability to see Storage Card!!!

So this is the deal, I originally had an ATT Tilt. I had no problems! I synched through active sync, via bluetooth and over air with no issues. Two days ago I got a Fuze, I was ecstatic, but then my camera became disabled and I consistently could not access my storage card. The message actually came up saying that my "camera has been disabled for security reasons". WTF is that? I have hard reset the phone about ten times now and every time before I set up exchange everything works beautifully, but after I have no camera and no sd card. Is this a known problem or is my Fuze busted? Please help!!!!!!!!!!!!!
Is it possible that this is a policy in your company being enforced by your IT dept via your exchange server?
Believe me, I've discussed this extensively with my IT department and they haven't made any changes to their exchange server policies. They have the same question I have! If the company's Tilts are all working with the same OS what hardware changes in the Fuze could create such an issue relative to their existent server policies?
Update! I also tested this on a co-worker's Sprint HTC Touch Pro and got the same results. He had to hard reset his phone to get full functionality again! My IT dept says that our server links to an https site if that's relevant to anyone. I'm not technically versed in that area. Hopefully someone has had a similar issue, and potential workaround?????
It's almost going to have to be coming from a setting on your Exchange server at work. See the attached screen shot. All of those settings are configurable on the server. Once you connect, it automatically downloads whatever policies are in effect. This screen shot is from an Exchange 2007 server. I no longer have a 2003 server but it is similar.
Hmmmm....
Man, you're awesome! I think IT was BS-ing me a bit, or they haven't bothered to check the settings themselves. I'm gonna break some necks and find out if these settings are the issue. Either way I'll report back my findings.
GarethD said:
Man, you're awesome! I think IT was BS-ing me a bit, or they haven't bothered to check the settings themselves. I'm gonna break some necks and find out if these settings are the issue. Either way I'll report back my findings.
They probably weren't BSing you. They probably haven't touched those settings since configuring the server. The Tilt has a different version of mobile office which probably wasn't compatible with and subsequently ignored those settings.
zenyaa stayunlock cab -- search for it, install it, THEN sync w/exchange (may require hard reset to kill existing settings)
I installed zenyaa stay unlock before syncing accidentally after a hard reset and i never even got prompted for pin's.. hopefully it'll ignore the other restrictions too...
Keep in mind, this may be against the law for some companies, use responsibly.
zenyaa!
I like the potential. For now however, I have flexed some executive privilege and got my settings changed. I got everything enabled except wi-fi, but they are paying for my media plan so no real worries there. I will look into zenya though, it seems ridiculous to ask for normal features on a smart phone, but I guess my IT department is restriction crazy. Thank you all for your input, this issue is technically resolved for me.
GarethD said:
I like the potential. For now however, I have flexed some executive privilege and got my settings changed. I got everything enabled except wi-fi, but they are paying for my media plan so no real worries there. I will look into zenya though, it seems ridiculous to ask for normal features on a smart phone, but I guess my IT department is restriction crazy. Thank you all for your input, this issue is technically resolved for me.
From an IT view, it's a huge security risk having a device that you cannot regulate on your network. Not allowing removable storage might be a little much though, especially if they allow you to have usb flash drives. I wouldn't allow wireless at all though, regardless of who requested it.
To an extent, I agree with you.
In this specific case however, I think my IT could/should have been more forthcoming about their mobile policies. That would have made me more specific in my search for a new business phone. I could have gotten something with less features based on policy. That being said, I think it was more a reluctance to hear criticism from a non-IT person than it was to adjust the default settings. With the exception of Wi-Fi (for probably the reasons you stated!), there was no real issue in changing my settings.
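Added example, not part of any post in these threads: the passcode, timeout, wipe, camera and storage-card behaviour discussed above all arrive in the ActiveSync Provision response the server sends when the account is set up, and this sketch reads such a response and lists what it enforces. The element names follow the MS-ASPROV policy document; the sample XML, its values and the function names are constructed for illustration (on the wire the document is WBXML-encoded).

```python
import xml.etree.ElementTree as ET

NS = {"p": "Provision:"}  # XML namespace of the EAS Provision command

# Constructed sample: a policy like the ones described in the threads above
# (passcode, 15 min lock, 5 attempts, camera / storage card / Wi-Fi off).
SAMPLE_POLICY = """<Provision xmlns="Provision:">
  <Status>1</Status>
  <Policies>
    <Policy>
      <PolicyType>MS-EAS-Provisioning-WBXML</PolicyType>
      <Status>1</Status>
      <PolicyKey>1234567890</PolicyKey>
      <Data>
        <EASProvisionDoc>
          <DevicePasswordEnabled>1</DevicePasswordEnabled>
          <AllowSimpleDevicePassword>1</AllowSimpleDevicePassword>
          <MinDevicePasswordLength>4</MinDevicePasswordLength>
          <MaxInactivityTimeDeviceLock>900</MaxInactivityTimeDeviceLock>
          <MaxDevicePasswordFailedAttempts>5</MaxDevicePasswordFailedAttempts>
          <AllowCamera>0</AllowCamera>
          <AllowStorageCard>0</AllowStorageCard>
          <AllowWiFi>0</AllowWiFi>
        </EASProvisionDoc>
      </Data>
    </Policy>
  </Policies>
</Provision>"""

# Constructed sample: the response a device receives once an admin
# (or the user, via web access) has requested a remote wipe.
SAMPLE_WIPE = """<Provision xmlns="Provision:">
  <Status>1</Status>
  <RemoteWipe/>
</Provision>"""


def parse_provision(xml_text):
    """Return (policy settings dict, remote_wipe flag) for a Provision response."""
    root = ET.fromstring(xml_text)
    settings = {}
    doc = root.find(".//p:EASProvisionDoc", NS)
    if doc is not None:
        for el in doc:
            # Strip the "{Provision:}" namespace prefix from the tag name.
            settings[el.tag.split("}", 1)[-1]] = (el.text or "").strip()
    return settings, root.find("p:RemoteWipe", NS) is not None


def describe(settings, remote_wipe):
    """Turn the raw settings into the restrictions a user would notice."""
    out = []
    if remote_wipe:
        out.append("server has requested a remote wipe")
    if settings.get("DevicePasswordEnabled") == "1":
        out.append("passcode required")
    lock = settings.get("MaxInactivityTimeDeviceLock", "")
    if lock.isdigit():  # value is in seconds
        out.append(f"auto-lock after at most {int(lock) // 60} min idle")
    tries = settings.get("MaxDevicePasswordFailedAttempts", "")
    if tries.isdigit():
        out.append(f"wipe or lockout after {tries} failed passcode attempts")
    for key, label in (("AllowCamera", "camera"),
                       ("AllowStorageCard", "storage card"),
                       ("AllowWiFi", "Wi-Fi")):
        if settings.get(key) == "0":
            out.append(f"{label} disabled")
    return out


if __name__ == "__main__":
    for name, sample in (("policy", SAMPLE_POLICY), ("wipe", SAMPLE_WIPE)):
        print(name, "->", describe(*parse_provision(sample)))
```

Whether a given phone honours every setting depends on its ActiveSync client, which is consistent with the Tilt and Fuze behaving differently against the same server.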

Security of the Data Plans?

Just curious, can someone hack your phone via your data connection? What security does one have?
I'm not concerned by it, but it was a question posed to me and I did not know the answer.
Do you mean if you are tethering your internet? The only way that I can see that happening is if you have wireless tether for root users. If you leave it open, they can access your data that way, and it could lead to potential security risks. However, that app also has a way to encrypt your settings and have it password protected, like any other router would. Through just data alone without tethering, I don't see how anyone would be able to access your phone any other way.
Yeah, the person was questioning buying stuff from a site using his phone, fearing that his info would be out there for someone to obtain. I assume all data via t mo is encrypted somehow?
I'm not sure if there is encryption through tmobile, but if you are buying things from the phone, the website itself usually has the security for it, like it would if you buy it from your pc. I have bought things from my phone and have not had any problems with it.
Anyone else know about encryption with the data plans, if there is any?
s15274n said:
Anyone else know about encryption with the data plans, if there is any?
You should assume that there is NO ENCRYPTION on the carrier data network. Even if there was, it would only be over the air and switch back to unencrypted as soon as the signal hits land. Basically, your carrier CAN'T encrypt data once it leaves THEIR NETWORK.
Purchase security is delivered via encryption between your web browser and the web server to which you are connecting. This has nothing at all to do with your carrier.
You should NEVER send sensitive information like credit cards over unsecured HTTP. Only over HTTPS (or other guaranteed encrypted tunnel).
When you look in your browser's address bar and see "https://", you know that it is encrypted because "s" == "secure".
Also be sure that you only use https servers that YOU TRUST. The host could themselves screw up the security, so being encrypted is no absolute guarantee (i.e. that nobody has stolen the decryption key from the server or otherwise compromised the system).
In other words, stick with major vendors -- don't trust websites that have a Jolly Roger icon at the bottom of the page, etc.
^ okay, makes sense... so makes me ask then. My credit card is saved for buying apps in the market. I assume that is secure/encrypted obviously... but when I am literally SENDING my info via the data plan is it possible for that to be obtained?
Probably my last question because I do not want to sound any more whiny than I have.... especially when I'm not the one asking the questions.
s15274n said:
^ okay, makes sense... so makes me ask then. My credit card is saved for buying apps in the market. I assume that is secure/encrypted obviously... but when I am literally SENDING my info via the data plan is it possible for that to be obtained?
Probably my last question because I do not want to sound any more whiny than I have.... especially when I'm not the one asking the questions.
1) it is stored on google's servers, not your phone.
2) the market uses encryption.

[REQ] Password protected boot/fastboot/recovery

Even if one has installed some kind of lockdown/tracking software + lock pattern there is always the possibility that a thief would know how to reflash and/or wipe the phone or be able to use Google to find out how.
Has anyone worked on adding the possibility of locking access to fastboot, recovery and OS boot? (Password protecting adb would also be a nice addition.)
There is not much on these forums about it. Here is a thread that died: http://forum.xda-developers.com/showthread.php?t=531225
I would be fine with compiling my own recovery image if that is what it takes to get my own password, but I guess fastboot is the biggest concern.
I hope some smart developers will take their time to read this and think about it. Let's hear some input on how big of a task this is. I am sure it can be done, so take the challenge and show us some love.
wow this is an awesome idea. ya because apps like mobiledefense or wavesecure would be useless if the thief knows how to wipe the phone. this would be great and i would love to see it work. i dont know crap about making my own recovery or else i would do it if thats what it means to make my own password protected recovery. but like u said, fastboot is a greater challenge.
I could see recovery maybe having this but the bootloader you are out of luck unless you have a dev or holiday version of the nexus. We currently can't flash custom SPL's because they are sig checked.
What happens when you forget your password? Brick?
MatMew said:
What happens when you forget your password? Brick?
Damn if you forget it then you are just too stupid, lol Jk
but good question, however i don't think any development on this will be done anytime soon, id definitely support it though if it ever starts.
Locking the SPL would require us to be able to write/flash one, which is currently impossible
Maybe a petition to google to set forth this new option then?
Because I was thinking the same thing...our laptops can do it, because duh, if someone steals your lappy they could just wipe to get the hardware so we can put a BIOS password so even that's impossible.
Our so 'open' phones should follow suit...please google, read this. It would be a fantastic option, that way it's rendered completely useless to anyone that steals it and is smart with them (aka anyone reading these forums).
THANKS
I want it
I've been thinking of how to 'secure' my phone's data again since I unlocked the bootloader... but this would be the way.
The feature request goes like this: Password protect the bootloader both for fastboot and getting into recovery (the option to start recovery should be password protected). A wipe is required in order to reset the password.
An additional and optional theft lock (along the lines of what the OP wants) would disable the password reset/wipe feature altogether, essentially bricking the phone if the password is unknown. Not exactly what I want (I just want my data to be safe), but should be easy enough to add both options if we have the code and can flash the SPL.
Obviously this is going nowhere if we can't flash the SPL, but there's no harm in putting this out there for Google to include in the next signed SPL.
Everyone should realize that unlocking the bootloader essentially puts all the data on your phone out there for anyone to grab without a password, given that they know a few things about fastboot/recovery. This is likely why Google forces a wipe when you originally unlock. We 'unlockers' should be given a way to get that security back.
We'd also need to find a way to 'type' a password (for the recovery option) while in the bootloader, since there's no keyboard. You could use the volume toggle to cycle through letters or numbers, but this puts this option far past a 'trivial' change to the SPL code. This may be why Google didn't include the option in the beginning.
theslam08 said:
Maybe a petition to google to set forth this new option then?
Because I was thinking the same thing...our laptops can do it, because duh, if someone steals your lappy they could just wipe to get the hardware so we can put a BIOS password so even that's impossible.
Our so 'open' phones should follow suit...please google, read this. It would be a fantastic option, that way it's rendered completely useless to anyone that steals it and is smart with them (aka anyone reading these forums).
THANKS
A computer bios password only keeps people from changing bios settings. They can still format the hard drive.
bubbahump said:
I've been thinking of how to 'secure' my phone's data again since I unlocked the bootloader... but this would be the way.
The feature request goes like this: Password protect the bootloader both for fastboot and getting into recovery (the option to start recovery should be password protected). A wipe is required in order to reset the password.
An additional and optional theft lock (along the lines of what the OP wants) would disable the password reset/wipe feature altogether, essentially bricking the phone if the password is unknown. Not exactly what I want (I just want my data to be safe), but should be easy enough to add both options if we have the code and can flash the SPL.
Obviously this is going nowhere if we can't flash the SPL, but there's no harm in putting this out there for Google to include in the next signed SPL.
Everyone should realize that unlocking the bootloader essentially puts all the data on your phone out there for anyone to grab without a password, given that they know a few things about fastboot/recovery. This is likely why Google forces a wipe when you originally unlock. We 'unlockers' should be given a way to get that security back.
This would be really great... an idea, if ever possible, to overcome the bricking phone by password being lost, is somehow emailing it to the registered google account... or maybe sending an sms to a known phone number that was registered before...
dalingrin said:
A computer bios password only keeps people from changing bios settings. They can still format the hard drive.
Actually you can set an ON-BOOT password, which will prevent it from being booted at all without the password. Unfortunately, it is not that great a security measure, since you can just reset the BIOS using the jumper on the motherboard. Also, every BIOS manufacturer leaves a backdoor in case of forgotten passwords, just do a Google search for BIOS DEFAULT PASSWORDS.
But, the main thing to remember here is that we do not have a keyboard, and very limited buttons to use. So, what are you thinking of using? A combination of buttons (similar to the quick-reboot)? Or, cycling through with the volume/trackball, kind of like on a briefcase/suitcase (argh, imagine the frustration).
The next thing would be the implementation of such an idea.
If the SPL is to be modified to be password protected, we would need the source code - which I don't think is available.
If the recovery is to be password protected, it would need to have immediate access to a rewriteable portion of the internal memory for storage/retrieval of said password (as would the SPL, but first things first - gotta have the source).
A simple qwerty on-screen keyboard and using the trackball to select characters would work fine. Up and down with volume keys or whatever to type in characters is not a viable option for long passwords.
It seems all this would be of no use without the possibility of flashing our own SPL, so I guess this is a bigger task than I thought at first. We all know SPL's have been hacked many times before, so I believe it can be done on the Nexus One too. But, because of the already unlocked SPL opening up flashing heaven, I am not so sure anyone is going to use any time on figuring it out.
This is what we are left with:
1. Find a way to flash a custom SPL. Piece of cake right?
2. Create an SPL with the possibility of adding password protected fastboot/recovery. Protecting boot will probably not be necessary, as it would make it impossible to trace a stolen phone.
Let me comment on the privacy issue: I am not really very concerned about the data on my phone. Of course I would not want all the pictures and videos I have shot to fall into the hands of complete strangers, but I try not to keep secret/sensitive data on my phone. It is not really very difficult to take the sdcard and put it in any other device or card reader to get all the data off of it. All the password protection in the world will never get us around some physical security. (Maybe I should make another request for encrypting the sdcard?)
What I want is to be able to somehow find the bastard(s) that took my mobile and get it back without it being wiped first. Though there is always the risk that they would not get past the unlock pattern and just throw it away right away. Let's just hope they left it powered on within network coverage.
How does Android store Gmail login credentials? Is the information cookie-like (only session information) or is there an actual password (encrypted or not, doesn't matter) stored somewhere? If the latter then that would be very bad for the security of the Gmail account (most critical apps there are Mail and Checkout). It would probably be a good idea to change the Gmail password as soon as one starts missing his Android phone.
--
One way of increasing the odds to get a stolen phone back would be to flash a custom ROM with an embedded and preconfigured security application that installs automatically and silently after a wipe. Not perfect because a thief could just flash another ROM but there's a greater chance of a device getting wiped than not getting wiped, right?
I guess a password in recovery would add an extra percentage to those odds too.
So much for this request. Someone moved us to Q&A, so I guess this is doomed for now. We'll just have to keep our phone safe.
maedox said:
So much for this request. Someone moved us to Q&A, so I guess this is doomed for now. We'll just have to keep our phone safe.
Sorry for the bump. But seriously this is a must.
Any Nexus with unlocked bootloader leaves the internal memory unprotected (All your photos in DCIM folder, etc).
You just need to enter fastboot and flash a custom recovery.
Hello
Well i have a phone that has exactly what was being mentioned in this thread and i have literally tried everything everyone is saying about flashing, etc.
