Warning to happy Exchange Users: FRG22D & Device Administrators

Deofol

Dec 16, 2009
Looks like the OTA update I got on my phone this morning enabled a new feature to allow remote Administrators on my phone.

Namely my work exchange account.

Now, if I want to check my work email, I have to allow my company access to:

  • Erase all data - Perform a factory reset, deleting all your data without any confirmation.
  • Limit password - Restrict the types of passwords you are allowed to use.
  • Watch login attempts - Monitor failed attempts to login to the device, to perform some action.
  • Force lock - Control when device locks, requiring you re-enter its password.

Is there any way to bypass/disable this behavior? Apparently I was able to access exchange fine without "Device Administrators" prior to this update.

I check my work email on my mobile phone purely as a convenience to my employer. Being this is my personal phone, I have some reservations about giving anyone this level of access to my hardware.
 
Thanks. Good to know.

My Droid is also my personal phone, and I don't have corporate e-mail on it.

I figure if the company wants me to be that connected, they can buy me another phone for that purpose and pay the bill.
 
Got this message today as well once I updated the phone. I am in the same boat that I have a personal phone that I check work e-mail on. I would like to be able to keep up with work e-mail but am not willing to give the ability to erase all data from my personal phone to the IT guys at my workplace.
 
You might be able to use Touchdown instead of the built-in mail client to circumvent this. Not totally positive about that though.
 
Some people are overly paranoid. I highly doubt anyone's IT dept is going to go around wiping devices for the heck of it. It's more of a security feature should the phone get stolen.
 
Some people are overly paranoid. I highly doubt anyone's IT dept is going to go around wiping devices for the heck of it. It's more of a security feature should the phone get stolen.

You're assuming that the IT folks actually know what they're doing. I know some of them...I'm not willing to make that leap of faith.
 
I updated to 2.2 and flash manually a while ago, and I use Exchange for my work email on my personal phone. I didn't see anything telling me about this though. I will have to check it out. Not receiving work email on my phone is really not an option for me, so this is concerning.
 
IT Exchange Access

I got the same warnings upon upgrading to FRG22D and was puzzled by them. I kept on hitting 'cancel' until I was able to talk to some people in IT. What they said made perfect sense. If my phone was lost or stolen, they would be able to wipe it so no one would have access to my information, corporate or personal.

While I don't like giving anyone access to my information, I tend to trust our IT people more than any nefarious persons who may get my phone.

John
 
I'm also not a fan of NEEDING a PIN or password to unlock my phone if I want to check my work email. Didn't use one before (although I guess I should, huh). I too only do so as a convenience, but I agree that giving your admin powers isn't a huge deal.
 
I think it is a bigger deal for me since it is a personal phone. The ability to wipe makes sense on a work phone. But the ability to wipe does not make sense on a personal phone, especially since others using a personal phone on a different OS do not have to abide by the same permissions. Others in my workplace using BlackBerry OS or iOS or even Symbian do not have to accept the same permissions. I understand Android trying to be more Exchange friendly, but allowing permissions that do not carry across other devices and not notifying people it was in the update seems a bit much.
 
I work in my IT department and know and trust the admins responsible. Even if we could connect our personal Android devices, I wouldn't. It's worth it IMO to have a dedicated work device.
 
All Google did was make Android more ActiveSync compliant. These security features are supposed to be in every ActiveSync client. I know for a fact that iOS does support these features and will be turned on if the Exchange server is configured that way. BlackBerrys do not use ActiveSync to connect to the server, so that point is irrelevant. However, if there is a BlackBerry server connected to the Exchange server, these policies can be forced as well.

Exchange can be configured in several ways. If turned on, these security features can be either forced, in which case any device that does not comply will not be able to connect to Exchange, or the policies can be turned on for devices that support them and still allow devices that do not to connect anyway, or they can be turned off completely and allow any device to connect and not force any security policies.

If you are connecting to your work email, technically your company owns that email and has a right to protect it. Plus I'm sure a case could be made that if you lost your phone with company information on it and it was used against the company that you could be held liable, so it really is for your own protection as well.

In any case, if you don't feel comfortable with the security policies being on your phone then just don't access company email on your personal phone.
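
The three server-side configurations described in the post above, sketched as an added example that is not part of the original thread. It assumes the Exchange Management Shell on Exchange 2010; the policy names and the mailbox identity are hypothetical.

```powershell
# Added example, not from the thread. Policy names and the mailbox
# identity 'jdoe' are hypothetical placeholders.

# 1) Enforced: a device that cannot apply the policy is refused.
#    These settings correspond to the prompts the Android client shows:
#      DevicePasswordEnabled / MinDevicePasswordLength -> "Limit password"
#      MaxDevicePasswordFailedAttempts                 -> "Watch login attempts"
#      MaxInactivityTimeDeviceLock                     -> "Force lock"
New-ActiveSyncMailboxPolicy -Name 'EAS-Enforced' `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true `
    -MinDevicePasswordLength 4 `
    -MaxDevicePasswordFailedAttempts 8 `
    -MaxInactivityTimeDeviceLock '00:15:00'

# 2) Applied where supported: same settings, but clients that cannot
#    enforce them are still allowed to sync.
New-ActiveSyncMailboxPolicy -Name 'EAS-BestEffort' `
    -AllowNonProvisionableDevices $true `
    -DevicePasswordEnabled $true `
    -MinDevicePasswordLength 4 `
    -MaxDevicePasswordFailedAttempts 8 `
    -MaxInactivityTimeDeviceLock '00:15:00'

# 3) Off: any device may connect and no device security is required.
New-ActiveSyncMailboxPolicy -Name 'EAS-NoPolicy' `
    -AllowNonProvisionableDevices $true `
    -DevicePasswordEnabled $false

# Assign a policy to one mailbox.
Set-CASMailbox -Identity 'jdoe' -ActiveSyncMailboxPolicy 'EAS-Enforced'

# Review which policies exist and what each one demands of a device.
Get-ActiveSyncMailboxPolicy |
    Format-Table Name, AllowNonProvisionableDevices, DevicePasswordEnabled,
        MinDevicePasswordLength, MaxDevicePasswordFailedAttempts,
        MaxInactivityTimeDeviceLock -AutoSize
```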
 
Looks like the OTA update I got on my phone this morning enabled a new feature to allow remote Administrators on my phone.

Namely my work exchange account.

Now, if I want to check my work email, I have to allow my company access to:

  • Erase all data - Perform a factory reset, deleting all your data without any confirmation.
  • Limit password - Restrict the types of passwords you are allowed to use.
  • Watch login attempts - Monitor failed attempts to login to the device, to perform some action.
  • Force lock - Control when device locks, requiring you re-enter its password.

Is there any way to bypass/disable this behavior? Apparently I was able to access exchange fine without "Device Administrators" prior to this update.

I check my work email on my mobile phone purely as a convenience to my employer. Being this is my personal phone, I have some reservations about giving anyone this level of access to my hardware.

This "behavior"? You mean as making the COMPANY owned property secure?

That's right, all those emails you send/receive from your personal device, are not your property. Every single one of them, regardless if you sent to a loved one, or a side business, you used a company email address which sent through company exchange servers.

I'm sorry for the rant, but I'm a BES admin who manages exchange and seeing this makes me not want to support personal devices. Either live with it, or remove the account and don't have emails.

PS. All HTC and Motorola devices have this built in, just less noticeable. It just was not on stock experience devices such as the Moto Droid and the Nexus One because Google didn't put it into the OS. HTC/Motorola built it into their software afterwards for 2.1 on up.
 
My advice: scrub the Exchange email, set up email forwarding to a personal POP account, and let them kick rocks if you don't see the email. I used to connect my personal phone to corporate email until things like this and device/information ownership came up. Then I switched to the model I just laid out. If they really want me connected 24/7 they can spring for a corporate phone.
 
Email forwards can be removed by the exchange admin. They can also be blocked. :D
 
There was an app for this in 2.1 called lockpicker. I just hope that developer creates something that works with 2.2. That will get around the password part at least.
 
There was an app for this in 2.1 called lockpicker. I just hope that developer creates something that works with 2.2. That will get around the password part at least.

Posted the following in another thread on this subject. Was a neat little workaround for me that made it bearable ... Just cost $ though :eek:

Yup, this was one of the first things to greet me when I set up my Droid after leaving BB. It was almost back to BB for me because it was THAT annoying.

Like someone mentioned before, there is "no app for that" to fix in Froyo. The workaround was given to me by someone on Crackberry.com, which was to use an app called Touchdown Exchange from the market. Once installed it will handle all your Exchange mail functions. The brilliance of the app is that it only asks for the password to be entered upon first run of the app after a reboot. After that no password required after unlocking.

Bad thing is after 30 days you have to buy the full version (unlock key) for $19.99. The only thing different between paid and free is that in the free version you can't edit your signature. Good thing is you get a VASTLY better Exchange email program that to me beats what I had on the BlackBerry Enterprise Service I previously used.

To me it was a small price to pay to enjoy all Android offers without the annoyance of the exchange password...
 
