[Q] Exchange 2010 wipes devices remotely - Galaxy S II Q&A, Help & Troubleshooting

Hello
I have a Galaxy S2 and sync with Exchange 2010. But I was checking on the device and under Location and security - Select device administrator, it has "Enable server-specified security Policies".
Which enables wiping the device remotely. Is there a way to stop that but keep sync?
I did a test and he not only wipes the email side but also wipes the entire device back to default.
Is there a way around this or not?
Thank You

Any update please

I believe the only way to change this is via a policy change at the Exchange Server end.
That said, I do remember seeing something on here about a utility that would bypass Exchange's policies.

Is there another client for Outlook so that the Exchange admin cannot wipe my device?
Thank you

Try using Enhanced Email, that's what I've been using since Exchange 2010 was implemented in my organisation.

NTOP said:
Hello
I have a Galaxy S2 and sync with Exchange 2010. But I was checking on the device and under Location and security - Select device administrator, it has "Enable server-specified security Policies".
Which enables wiping the device remotely. Is there a way to stop that but keep sync?
I did a test and he not only wipes the email side but also wipes the entire device back to default.
Is there a way around this or not?
Thank You
This is a feature of Exchange, just in case your device is lost: the admin or you can remotely wipe all your secure information. Businesses of course like this because they don't want their trade secrets in the back of some cab somewhere to be sold off to the highest bidder (imagine iPhone 4 but information instead of the physical device).
There are hacks out that remove the checks for security but the Server could then block those devices if they don't reply properly to requests for encryption and such.
There is however no need to try to circumvent this as you'd only ever use it in those cases, it's not like the admin is gonna just wipe your device one day because he is bored at work.

shotta35
I agree with you there if the device was given from the company, but if the device is your personal one and you are just syncing email, then I don't want the Exchange admin wiping anything, so that is my main reason for looking at another client.
I think this is a feature of Exchange 2010
Thank You

Related

[Q] Help with Exchange email

Hey guys-
I had been using TouchDown Exchange to access my work email. When I first got android I asked my IT department if they could set it up for me but they replied that they "don't support Android, and because there are so many different android phones, they probably wouldn't ever support". Anyways, I found I could use the web-exchange server (http://xxx.xxxxxxxx.com/exchange/) as my domain on the android app and it would end up sync'ing my email to my phone.
I guess they eventually found out I was doing this somehow and they blocked it. They do support the iPhone, though, and through a coworker I was able to get the server and domain that they use.
Is there any way I can trick the server into thinking I'm using an iPhone so it will allow me to connect and sync? I tried using the "ActiveSync Device String" and setting it to "iPhone" before connecting to the server, but that didn't work. I don't know much about Exchange servers if you couldn't tell, but is there a way they can authorize only certain users to connect? Could I potentially borrow my girlfriend's iPhone, have them set it up on her device, and then once I get the login permissions, switch the info over to my Fascinate?
Sorry to any IT administrators out there, I bet this post will annoy you haha. I just want to have email on my phone because I hate walking into work in the morning and getting blindsided by an email that was sent to me at 2am.
Thanks in advance for your help guys.
Our IT department also has a "no android" policy but I figured out that if I left the Domain blank and used the Webmail url as the Exchange server address everything would sync perfectly. I started out using Touchdown but dropped it for the stock email client.
They specifically denied your phone from syncing via ActiveSync? Even with Touchdown, which more fully supports the ActiveSync protocol than even the iPhone? Sounds like your IT guys are morons. I can fully understand not wanting to support Android phones because of all the variances. I know, because I work for an ASP hosting company that does just that. But really, if they won't support Touchdown, they're just shooting themselves in the foot, because that app will work the same no matter what Android phone it's installed on, meaning you will have a standardized mail platform for Android that supports any and all necessary security features, including full encryption of the local mail database and any data it stores on the SD card.
I don't know if you'll get anywhere with it, but I would recommend showing them the feature list for Touchdown, including the security features, and asking them to support that one app. If you make the case that they only need to support one app for any Android phone, they should be willing to work with you on that.
Besides, every serious corporate user should be using Touchdown anyway. The stock mail client, no matter what Android phone you have, is lacking some of the most basic features, is buggy, and is essentially useless. And if data encryption is required, you're out of luck with the stock clients. Exchange syncing is really an afterthought by Google, and until they make enterprise features and data security a primary focus, things won't get any better.
Oh, and btw, I'm not an expert on the matter, but I know that mobile device syncing can be disabled on a per-user basis. What I'm not sure about is if it can actually allow only certain devices to connect or not.

Why does my email crash once per day?

So I've tried a bunch of different email clients and they all experience the same issue when connecting to a corporate Exchange server. About once a day, at random times, they will crash and I have to force stop them and reopen the app to get it to receive Exchange push email updates.
Clients I have tried are: Improved Email, Enhanced Email, K-9 and the Moxie trial. I can't find any common link as to why they all end up non-responsive. At first I thought it happened when I lose signal (such as when I'm in the subway) but I haven't taken the subway the past few days and it still happens.
Is there something included with the atrix that kills these processes after a certain amount of time?
I manage our corporate exchange servers (2003 and 2010) and have had really good success with the built in Corporate Sync app for the atrix.
Is there something you are syncing that it can't handle? The calendar and contacts work great. I haven't tried tasks as I don't use them.
Aside from that, make sure on task manager that the mail clients aren't set to auto kill.
I wish I could get email from our exchange server, but unfortunately my company isn't going to allow that until Android becomes more secure.
beatphreek said:
I manage our corporate exchange servers (2003 and 2010) and have had really good success with the built in Corporate Sync app for the atrix.
Is there something you are syncing that it can't handle? The calendar and contacts work great. I haven't tried tasks as I don't use them.
Aside from that, make sure on task manager that the mail clients aren't set to auto kill.
I didn't think I had Corporate Sync, but I just took a look now and it seems like I do. I didn't think about trying to set it up as a new "account" in the phone.
On the bright side, Enhanced Email hasn't crashed in a while. I think one of the other email apps' processes was killing it. I have uninstalled them all. If it crashes again, I will try the built-in Corporate Sync.
Caelan, what doesn't your company like about Android? All the Exchange clients I've tried allow remote management, which I know was a sticking point for a lot of companies when Android was newer. Though I'll admit I'm not really up on the security issues of Android... I'm kind of lucky because my company lets us bring any device onto the network, and we get to admin our own computers. The benefits of working at a tech company staffed completely with geeks
albinojoe said:
Caelan, what doesn't your company like about Android? All the Exchange clients I've tried allow remote management, which I know was a sticking point for a lot of companies when Android was newer. Though I'll admit I'm not really up on the security issues of Android... I'm kind of lucky because my company lets us bring any device onto the network, and we get to admin our own computers. The benefits of working at a tech company staffed completely with geeks
I am not sure exactly what it is that is a security problem, but I work for a big R&D company. All our laptops, thumb drives, etc. are encrypted, and we use RSA secure tokens to connect to our network externally when OOO. As an example, if you want email access on your iPhone, the company installs security software requiring a lengthy password to even get past the lock screen, and also remote wipe ability so they can wipe your iPhone if you lose it. We have a lot of proprietary R&D documentation which they do not want to lose.
Apparently there are some security holes which should be fixed with 2.3.4, and they may already be testing this at corporate IT.
We also have full admin rights to our laptops, but they are also very secure with full HDD encryption.
Android does meet all the security requirements that Microsoft has in place for ActiveSync licensing: it forces a passcode to unlock, it encrypts the Exchange data, and it does remote wipe.
The only thing I can think would be that due to the ability to easily root the device there are programs that get around the lock screen requirements. They may have other reasons though.

[Q] Exchange/ActiveSync on Android Options?

I've been debating configuring my personal phone to access my employer's Exchange server; I would be checking it on occasion-- more of a convenience thing to know what's up before I head in for the day.
Using the default Android Mail client and choosing ActiveSync and doing the setup, I inevitably reach a screen with the following:
Activate security policies?
Exchange security policies
Your IT administrator requires that you activate these security policies in order to sync with your Exchange Server.
Activating this administrator will allow the application Mail to perform the following operations:
! Erase all data
Perform a factory reset, which deletes all of your data without any confirmation.
! Set password rules
Restrict the types of passwords that you are allowed to use.
! Monitor screen-unlock attempts
Monitor failed attempts to log into your device.
! Lock the screen
Control when your device locks, requiring that you re-enter your password.
! Device function limitation
Restrict some function on device like Wifi, Bluetooth, Camera etc.
Needless to say, this is highly unappealing for my personal phone-- way too much power for the Mail application.
So my questions-- what are my options?
-would a different Exchange connectivity application like Touchdown request those same permissions for access?
-would I be better off setting up ActiveSync on an alternate ROM and booting into that when I want to check work mail (not as frequently as some other users)?
-How far does that remote wipe control extend? Could they wipe the entire phone, including bootloader? Or is it just reference to internal storage? Could they wipe the external SD card?
-is there a way to revoke those permissions from the Mail application while retaining the ability to connect to the Exchange server?
try this:
http://forum.xda-developers.com/showpost.php?p=14577188
Thanks for that! I checked it out and unfortunately, HTC uses a different email program which is incompatible with rustamabd's script. When there are daily driver AOSP ROMs avail for my phone, I'll try it out.

[Q] Exchange/ActiveSync on Android Permissions -- Options?

I asked this in XDA Android Q&A; posting to this Rezound Q&A as well in case there are any Rezound specific options that can be explored:
I've been debating configuring my personal phone to access my employer's Exchange server; I would be checking it on occasion-- more of a convenience thing to know what's up before I head in for the day.
Using the default Android Mail client and choosing ActiveSync and doing the setup, I inevitably reach a screen with the following:
Activate security policies?
Exchange security policies
Your IT administrator requires that you activate these security policies in order to sync with your Exchange Server.
Activating this administrator will allow the application Mail to perform the following operations:
! Erase all data
Perform a factory reset, which deletes all of your data without any confirmation.
! Set password rules
Restrict the types of passwords that you are allowed to use.
! Monitor screen-unlock attempts
Monitor failed attempts to log into your device.
! Lock the screen
Control when your device locks, requiring that you re-enter your password.
! Device function limitation
Restrict some function on device like Wifi, Bluetooth, Camera etc.
Needless to say, this is highly unappealing for my personal phone-- way too much power for the Mail application.
So my questions-- what are my options?
-would a different Exchange connectivity application like Touchdown request those same permissions for access?
-would I be better off setting up ActiveSync on an alternate ROM and booting into that when I want to check work mail (not as frequently as some other users)?
-How far does that remote wipe control extend? Could they wipe the entire phone, including bootloader? Or is it just reference to internal storage? Could they wipe the external SD card?
-is there a way to revoke those permissions from the Mail application while retaining the ability to connect to the Exchange server?
vprasad1 said:
Needless to say, this is highly unappealing for my personal phone-- way too much power for the Mail application.
It is designed to protect corp data. If you don't want your personal phone under that control, then don't connect it. That is the choice you have.
So my questions-- what are my options?
-would a different Exchange connectivity application like Touchdown request those same permissions for access?
Nope. The policy is from the Exchange servers policies.
-would I be better off setting up ActiveSync on an alternate ROM and booting into that when I want to check work mail (not as frequently as some other users)?
Not sure how you would do this.
-How far does that remote wipe control extend? Could they wipe the entire phone, including bootloader? Or is it just reference to internal storage? Could they wipe the external SD card?
When you connect, if they have issued the wipe command, it wipes. Distance is not relative. Wipe is wipe.
-is there a way to revoke those permissions from the Mail application while retaining the ability to connect to the Exchange server?
No. They could have a different policy set up for different groups of users and have you in that group, but you would have to ask the administrator though.
The exchange policies are part of the requirements of connecting to that exchange server. The policies can be changed by the administrator by putting you into another group, but I doubt they will do that. They are there to protect corp data.
There are other ways that policies can be setup, but that needs to be done again by the administrator.
These types of policies are becoming more and more common as companies realize their contacts, email and attachments are valuable and need to be protected. A lot of people use two phones, one for corp and one for personal, not mixing the two.
Remote wipe and all is a feature of ActiveSync, not necessarily Exchange. So, according to what I'm reading, you can find an email client that supports Exchange but not ActiveSync and get around the permissions.
I am also interested in how far the wipe can extend. It says reset to factory, which would leave your SD card intact.
gthing said:
Remote wipe and all is a feature of ActiveSync, not necessarily Exchange. So, according to what I'm reading, you can find an email client that supports Exchange but not ActiveSync and get around the permissions.
I am also interested in how far the wipe can extend. It says reset to factory, which would leave your SD card intact.
As far as I am aware, the Exchange server CAN initiate a full wipe, if your company is on Exchange 2010. The wipe command can be found in OWA settings. The only way you can get around the permissions is to login to OWA via your browser. The security settings are there for a reason, as mentioned above.
Microsoft works very hard with its partners to provide the best security possible. I do not think using Touchdown or another email client will allow you to circumvent security policies enforced by the Exchange server.
vprasad1 said:
So my questions-- what are my options?
-would a different Exchange connectivity application like Touchdown request those same permissions for access?
-would I be better off setting up ActiveSync on an alternate ROM and booting into that when I want to check work mail (not as frequently as some other users)?
-How far does that remote wipe control extend? Could they wipe the entire phone, including bootloader? Or is it just reference to internal storage? Could they wipe the external SD card?
-is there a way to revoke those permissions from the Mail application while retaining the ability to connect to the Exchange server?
I use TouchDown for my work e-mail, and while I have never had any administrators use remote wipe, I will let you know my experiences:
-There is an option in the settings screen for "Clean SD card on remote wipe." It's unchecked by default. I assume a remote wipe will only clear TouchDown related data, but am not 100% sure of it. At the very least this option implies that it won't normally wipe your SD card as well.
-TouchDown will ask for the same permissions. However, unlike the default mail application, which will force your whole phone to be pin locked, TouchDown will only force you to enter a pin when you open the application. This feature is nice if you don't want to always enter in a pin to unlock your phone but also want Exchange e-mail.
-As the policies are set on the ActiveSync server, there's no way to get around revoking the permissions.
If you search for it enough, you can probably find a modified mail app that doesn't require these security permissions. I know I've seen one that works with CleanRom and I use it on ICS Business Sense. No lockscreen pin required either and no device administrator.
http://forum.xda-developers.com/showthread.php?t=1456425
Just created the account to reply to this thread.
I too am looking for a solution to avoid giving my employer the access rights to wipe my phone, and I just wanted to comment that IMO, theoretically, it is not because this setting is on the server side that it can't be avoided.
Android can give whatever permissions the server asks for then totally ignore the commands when they eventually come. That would probably require some coding to simulate executing the command without actually doing it, and it would definitely require root access to do this, but I do not see how that would be impossible on Android or on one of its mods.
Now obviously this is not something I'm going to waste time on. If it can't be done, my pro account will not be on my phone. That was me trying to do something for my employer, but if they don't want me to see my mails on weekends, I won't be fool enough to complain.
I'm in a similar situation. With ICS, at least it gave me the ability to only have to enter a PIN after 15 minutes or something when your phone is locked. Prior to that with GB, every screen unlock required the PIN.
I do use a modified Mail.apk, but in a sense, I'm contributing to the problem of my company not allowing android phones on their network, because there are just so many workarounds like this.
LBE Security Guard may be able to inhibit the permissions, though I wouldn't want to have to depend on that as a last line of defense right before my device is potentially WIPED!
There has to be some better solutions to control it on the client side...
My admins at work say they will not change the exchange policy.
They said it comes with Exchange Server 2010 as the default settings, but they won't change it. They have actually tested the remote wipe and it works instantly. They claim they can remote 'unwipe' it as well, but I gave an analogy about formatting drives (quick format vs. full format) that they couldn't answer.
I told them I'm concerned about anyone having that much power over personal "BYOD" phones, and the possibility of someone accidentally or maliciously wiping my device.
They said the policy will not be changed.
Does anyone know of other 3rd party mail OR calendar programs that will update my calendar without allowing these INSANE permissions? Thanks.
I've recently bought a new phone and found these ridiculous permissions when I went to sync with my work exchange.
There must be apps available or possible to develop because the email app on my old phone doesn't ask for these permissions. Unfortunately it isn't available to download, just the default app with that phone.
worldheroes said:
I've recently bought a new phone and found these ridiculous permissions when I went to sync with my work exchange.
There must be apps available or possible to develop because the email app on my old phone doesn't ask for these permissions. Unfortunately it isn't available to download, just the default app with that phone.
There are several mail programs in the Google Play store, if you search for 'exchange email'
I saw:
k-9 mail
touchdown
exchange exmail
maildroid
and so on...
k-9 had the best ratings and is open source so I tried it, but it couldn't connect to my exchange server. I got an error during setup:
'Setup could not finish, cannot connect to server. (ioexception)'
Please let me know if you have better luck with any exchange program!
The best choice for you is to install OWA from the Play store (Outlook web) and that will get you contacts, push mail and calendars without having to accept the Exchange policies. All you have to do is point it to your company's webmail page and log in.
I searched for OWA in the Play store but didn't find the one you mentioned. (see attachment) Is it a free app?
I have the first one by WWO. It gets the job done. 5 bucks well spent. I'm sure it can be side loaded if you'd like to test the functionality first.
Daistaar said:
I have the first one by WWO. It gets the job done. 5 bucks well spent. I'm sure it can be side loaded if you'd like to test the functionality first.
At the risk of asking a silly question - how would I get it to test it?
Might want to try this:
http://forum.xda-developers.com/showthread.php?t=1965468
Thanks - the link to the ICS Email APK with Exchange Security removed was exactly what I needed!
I wish that app would be maintained with the current version and be put in the Google Play store!
If I activate the device administration can I undo it? Can I deactivate it and go back to life as usual?
quarksurfer said:
If I activate the device administration can I undo it? Can I deactivate it and go back to life as usual?
Yes, delete the account in question.

[Q] Security: Exchange + device administrator + Nine ... but now..

Hi all,
I'm trying to figure out if it is possible to get around the new security requirements by our company regarding smartphone usage.
Previously, if we wanted to use Exchange on our devices, I had three possibilities:
1. Add the Exchange account to the default email client, accept all the security settings being pushed with the device administrator functionality
2. Add the Exchange account to the default email client, and get around the security using Xposed
3. Add the Exchange account to Nine, and let it handle the security settings.
On my Nex5 however the second option vanished with Android 5. So I was using Nine for a while now without any problems.
Now the company is making new security requirements.
The problem is that they want us to install this app from Vodafone:
https://play.google.com/store/apps/details?id=com.mobileiron.vodafone.MIClient
to handle all device security settings and device registration.
I don't mind having a device administrator managed by the company on the phone, I do however dislike using a PIN to unlock my device.
Anyone having any experience getting around this?
