date: Sun, 20 Apr 2008 16:00:24 -0700 (PDT)
group: microsoft.public.exchange.mobility
Correctly removing security policy from device?
I received a new WM6 phone late last week (was using WM5 for quite a
while with no issues)... when I went to sync it with Exchange over the
air, I had forgotten about the whole need to put a cert on the device
via a CAB file. I talked to our Exchange admin on the phone and he
said "turn off SSL and see if that works", so I did.
I was then able to connect, but it asked me to confirm that I was cool
with the server's security policy... little did I know what that
meant. I was able to fetch email, but since then I have to re-login to
my phone whenever it goes unused for 10 minutes. Not cool for a
personal phone and a guy whose domain password is convoluted... so I
called him back (Friday PM) and he said, "Oops. Ok, I turned it off
and that should go away the next time you sync."
But it hasn't.
I've been tinkering this weekend trying to get it to A) connect via
SSL (as the WM5 phone was configured to do) and B) not have that
security policy in place driving me up a wall.
I've found lots of options for registry hacks that will supposedly
remove the login prompt, but I'd prefer to go the correct/legit route
to get this taken care of.
Assuming we can get the SSL/cert stuff worked out (another pain yet to
be dealt with), is there any guidance I can point him to tomorrow at
the office that will help us correctly get the security policy stuff
removed? I know nothing of Exchange and, while he's great with day-to-
day stuff, he's not a full-time Exchange admin and the mobile stuff is
sort of new territory, I think.
Thanks,
Jeff
date: Sun, 20 Apr 2008 16:00:24 -0700 (PDT)
author: jdonnici
Re: Correctly removing security policy from device?
jdonnici wrote:
>I received a new WM6 phone late last week (was using WM5 for quite a
>while with no issues)... when I went to sync it with Exchange over the
>air, I had forgotten about the whole need to put a cert on the device
>via a CAB file. I talked to our Exchange admin on the phone and he
>said "turn off SSL and see if that works", so I did.
You don't necessarily need a cab to install the certificate. The
certificate in CER file format can be used, too.
>I was then able to connect, but it asked me to confirm that I was cool
>with the server's security policy... little did I know what that
>meant. I was able to fetch email, but since then I have to re-login to
>my phone whenever it goes unused for 10 minutes. Not cool for a
>personal phone and a guy whose domain password is convoluted... so I
>called him back (Friday PM) and he said, "Oops. Ok, I turned it off
>and that should go away the next time you sync."
Your device password (PIN) and your domain password are not the same
thing. The domain password is configured in ActiveSync. The PIN is set
in Start -> Settings -> Lock. The complexity of the PIN can be
managed from the Exchange server ActiveSync policy (simple or strong
alphanumeric).
>But it hasn't.
>
>I've been tinkering this weekend trying to get it to A) connect via
>SSL (as the WM5 phone was configured to do) and B) not have that
>security policy in place driving me up a wall.
>
>I've found lots of options for registry hacks that will supposedly
>remove the login prompt, but I'd prefer to go the correct/legit route
>to get this taken care of.
A hard reset of the device will do that.
>Assuming we can get the SSL/cert stuff worked out (another pain yet to
>be dealt with), is there any guidance I can point him to tomorrow at
>the office that will help us correctly get the security policy stuff
>removed? I know nothing of Exchange and, while he's great with day-to-
>day stuff, he's not a full-time Exchange admin and the mobile stuff is
>sort of new territory, I think.
You don't say what release of Exchange. If it's 2003 the policy
(there's only one) applies to everyone that isn't excluded. With
Exchange 2007 there can be multiple policies.
However, the company's security policy will be what determines whether
you're allowed to use a simple PIN, a complex PIN, or no PIN at all.
If you want to sync your device with your mailbox you'll have to
accept the policy.
--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott@getronics.com
Or to these, either: mailto:h.pott@pinkroccade.com mailto:melvin.mcphucknuckle@getronics.com mailto:melvin.mcphucknuckle@pinkroccade.com
date: Sun, 20 Apr 2008 21:03:37 -0400
author: Rich Matheisen [MVP]
Re: Correctly removing security policy from device?
jdonnici wrote:
>> A hard reset of the device will do that.
>
>Is a hard reset the only way to do that after the policy has been
>changed on the server?
No, you can alter the registry. But you said you didn't want to do
that.
>Am I correct in understanding that a hard reset
>will require that I re-install all of my apps, settings, etc -- in
>other words, back to factory defaults?
That's correct.
>> You don't say what release of Exchange. If it's 2003 the policy
>> (there's only one) applies to everyone that isn't excluded. With
>> Exchange 2007 there can be multiple policies.
>>
>> However, the company's security policy will be what determines whether
>> you're allowed to use a simple PIN, a complex PIN, or no PIN at all.
>> If you want to sync your device with your mailbox you'll have to
>> accept the policy.
>
>It's 2003... and the company's policy isn't the issue. I can manage
>that... it was that the Exchange admin had it set differently than the
>way we want it, so when I went to sync the new device it put the
>policy in place. The policy is now gone (from the server), but the
>device still requires the login.
Have him put another policy in place that doesn't require the use of a
PIN. Maybe set the inactivity timeout to 1440 minutes.
--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott@getronics.com
Or to these, either: mailto:h.pott@pinkroccade.com mailto:melvin.mcphucknuckle@getronics.com mailto:melvin.mcphucknuckle@pinkroccade.com
date: Mon, 21 Apr 2008 22:38:48 -0400
author: Rich Matheisen [MVP]
Re: Correctly removing security policy from device?
Ok, thanks for the help.
On Apr 21, 8:38 pm, "Rich Matheisen [MVP]" wrote:
> jdonnici wrote:
> >> A hard reset of the device will do that.
>
> >Is a hard reset the only way to do that after the policy has been
> >changed on the server?
>
> No, you can alter the registry. But you said you didn't want to do
> that.
>
> >Am I correct in understanding that a hard reset
> >will require that I re-install all of my apps, settings, etc -- in
> >other words, back to factory defaults?
>
> That's correct.
>
> >> You don't say what release of Exchange. If it's 2003 the policy
> >> (there's only one) applies to everyone that isn't excluded. With
> >> Exchange 2007 there can be multiple policies.
>
> >> However, the company's security policy will be what determines whether
> >> you're allowed to use a simple PIN, a complex PIN, or no PIN at all.
> >> If you want to sync your device with your mailbox you'll have to
> >> accept the policy.
>
> >It's 2003... and the company's policy isn't the issue. I can manage
> >that... it was that the Exchange admin had it set differently than the
> >way we want it, so when I went to sync the new device it put the
> >policy in place. The policy is now gone (from the server), but the
> >device still requires the login.
>
> Have him put another policy in place that doesn't require the use of a
> PIN. Maybe set the inactivity timeout to 1440 minutes.
>
> --
> Rich Matheisen
> MCSE+I, Exchange MVP
> MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
> Don't send mail to this address mailto:h.p...@getronics.com
> Or to these, either: mailto:h.p...@pinkroccade.com mailto:melvin.mcphucknuc...@getronics.com mailto:melvin.mcphucknuc...@pinkroccade.com
date: Tue, 22 Apr 2008 16:42:14 -0700 (PDT)
author: jdonnici