
2.2 "Enforce Password on Device" not being enforced

JTSystems

Aug 5, 2010
I was under the impression that droid 2.2 (FRG01B) was going to enforce "Enforce password on device" through Exchange Active Sync security policies.

Our policy on our exchange server forces mobile devices connecting to use a PIN for the device before it starts to sync emails. (Works perfectly on WinMo 5,6 and iPhone devices). You are prompted to set up a PIN.

I just received 2.2 OTA this morning and installed it. When adding my exchange account I am not forced to enable a PIN for the device.

Does anybody have this working on their Motorola Droid 2.2 yet?

I know that a newer build (FRG022) will be pushed OTA soon but from what I have read that build does not address Exchange issues.

Also - The remote wipe feature wasn't what I expected. It appears to just break the connection between the client and the server. Nothing is wiped. Any messages already synced to the phone stay on the phone.
 
They claim FRG22 is security related. This tidbit may be left out since VZW is emailing a lot of known corporate account holders to tell them there are 2 updates. I would wait until FRG22 hits the wild and see if that takes care of it. If not, after that I would do some more digging. Currently we do not enforce PINs but it is something we are considering. I would be interested in seeing if FRG22 does contain this fix.
 
I am running into this same issue and we are unfortunately looking at another product as it seems that even with this update Google is only partially supporting Exchange ActiveSync protocols. I found this and it seems that password recovery policy when enabled interferes with the EAS policies. ( How do I use the new ActiveSync enterprise settings (remote wipe, PIN) when Mail app not updated? - Android Help )

The password recovery policy is what was causing the holdup.

I had to create a custom policy for Android devices that didn't include this and everything worked as designed.

The next time I attempted to sync I had to confirm the Email app as functioning with a Device Administrator (which explains the odd Location & Security/Select Device Administrators button that nobody really knew what it did.). After allowing that, a PIN was enforced and a remote wipe was successful.

The only concern was that I was able to go in and remove Email as functioning with a Device Administrator. This prevented me from sending or receiving any new mail, but any already-synchronized email remained visible and readable.

Unfortunately I have not been able to test this myself as my manager will not allow me to disable this policy on our exchange server even with OTA 2.2. You might test this and see if it resolves your issue if your company policies will allow you to disable that policy in EAS. If you are able to test that I would be interested to hear about your results!

Otherwise we are currently looking into www.good.com as a security resolution for mobile security, however it would be really nice if Google would just fix the EAS issues that we all want so we can move our enterprise phones to android OS.

Hopefully this helps!
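
Added example, not part of the original post or the linked Android Help answer: one way to build the custom policy described above in the Exchange Management Shell (Exchange 2007/2010), with password recovery left off, and then check whether each device reports the policy as applied. The policy name, mailbox addresses and the length/attempt values are assumptions.

```powershell
# Added example. Assumes the Exchange 2007/2010 Management Shell.
# Policy name, mailbox list and numeric values are placeholders.
$policyName   = 'Android-EAS-Policy'
$androidUsers = @('user1@example.com', 'user2@example.com')

# Create the policy once: require a device password, keep password
# recovery disabled, and refuse devices that cannot apply the policy.
$existing = Get-ActiveSyncMailboxPolicy | Where-Object { $_.Name -eq $policyName }
if (-not $existing) {
    New-ActiveSyncMailboxPolicy -Name $policyName `
        -DevicePasswordEnabled $true `
        -MinDevicePasswordLength 4 `
        -MaxDevicePasswordFailedAttempts 8 `
        -PasswordRecoveryEnabled $false `
        -AllowNonProvisionableDevices $false
}

# Assign the policy to the mailboxes that sync from Android devices.
foreach ($user in $androidUsers) {
    Set-CASMailbox -Identity $user -ActiveSyncMailboxPolicy $policyName
}

# After the devices have synced again, collect what each partnership reports.
$report = foreach ($user in $androidUsers) {
    Get-ActiveSyncDeviceStatistics -Mailbox $user |
        Select-Object @{ n = 'Mailbox'; e = { $user } },
                      DeviceType, DeviceID, DevicePolicyApplied,
                      DevicePolicyApplicationStatus, LastSuccessSync
}
$report | Format-Table -AutoSize

# Devices still syncing without the full policy are the ones to follow up on.
$report | Where-Object { "$($_.DevicePolicyApplicationStatus)" -ne 'AppliedInFull' }
```

A device that keeps a recent LastSuccessSync while its status is anything other than AppliedInFull is syncing mail without the PIN requirement in force, which is the symptom this thread describes.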
 
@StrifeJester - Thank you. I was unaware that FRG022 (the new build) had any security items in it. I will sit tight and wait for this update.

@aioka - Unless I am mistaken the password recovery policy is only available in Exchange 2007. We are running Exchange 2003 SP2.

I have also noticed that in my Mobile administration screen I see two entries for my Droid.
One entry states Droid with my device ID [Droidxxxxxxxxxxxx]. The other says "validate". Any idea what this validate is? Both have recent sync times.
 
It appears that as of today, 8-17, even with the 2.2 upgrade that the "Require Password" in Exchange 2010 still does not force Android to use a password, pin, or pattern.

Previous to the 2.2 upgrade only Pattern was available to lock your Android on the Motorola Droid but with the patch we are able to use a pin or password.

Still digging for answers...

EDIT: I am running Android 2.2, build FRG01B
 
I'm assuming that if you ever used/tested this before 2.2, you probably had to put in some exceptions in Exchange 2003 to allow access to devices that don't fully support password settings and to enable access to unsupported devices.

Did you try disabling those in ESM? I just tested this in my lab with my Droid/Exchange 2003 and it asked me to create a PIN upon syncing. One thing I had to do was restart IIS after removing those exceptions however.

Just something to double check...
 
This FYI may be useful for someone

I'm on Exchange 2010. 2 weeks ago I upgraded to 2.2 from 2.1 on a Droid Incredible where character password was being enforced. Upgrading to 2.2 manually because OTA was available yet per these instructions (How to manually install Froyo on your Droid Incredible – Android and Me), and afterwards there was no enforcement of mail security at all.

Deleting and readding the account made no difference. I did a remote wipe which did resolve the problem. Deleted the phone from owa and readded it on my device which did resolve the problem.
 
Forgive me as there is more technical speak here than I can relate to, but I have an original Droid and am being asked to "Update security settings" which is then telling me to "Activate device administrator" which says it will Erase All data. Motorola has told me that this will erase all my apps. In simple terms can someone help me with what I should do? BTW this happened after my Droid received the new update a week ago. Corporate email was working just fine prior to the update.
 
This is from the new FRG22D update to your phone. Motorola is correct to a point. It CAN erase all your data and apps off the phone if it's told to. When you set up the Exchange work email on your phone it has to enable security protocols your work IT admins have in place to protect company data. AndroidOS on the Droid 1 before 2.2 FRG22D did not know how to handle these security functions so it completely ignored them and allowed your phone to sync anyways. The "Erase All Data" is used by IT admins (a.k.a. "Activate device administrator") in the case that your phone is lost, stolen or you leave the company without removing your account; they can then remotely wipe your phone so company data is not compromised. You shouldn't have to worry about it erasing your apps or information as long as none of those happen or you don't piss off your IT admin ;)

I hope that helps, if not let us know and we can try to help again!
 
MKE Badger - Are you running your original DROID with Exchange 2003?
 
JTSystems- not sure who you were replying to, but I am using the original Droid with Android 2.2 non-root from Verizon. My corp email is Exchange 2007 with password pin policy enabled. Company requires some form of password being mandatory but is OK with the use of pattern lock if we can get it to work. Droid Incredible user on our network is able to use pattern lock without issue.
 
markdmac - I have Exchange 2003. I'm starting to think this issue pops up when you have this combination (Original Droid using Exchange 2003).
 
The issue (no access to pattern lock) happens when an Exchange policy is applied. Doesn't really matter if it is an Exchange 2003 or 2007 server. The issue is that the policy requires a password pin and the Droid SHOULD be smart enough to let you use a pattern for that as it could potentially have even more complexity to it than a pin.
 
I understand that. The issue here is that on my original Droid (not incredible, not X, Not 2, not Eris) is that I do NOT receive the password/security prompt. I am not receiving the security policies that are enforced by my exchange server.

I believe there is still a problem with the native mail client for this configuration (Original Droid using Exchange 2003).

I found an email client in the market that enhances the native client. It is called "Improved Email". Using this client when I connect to my exchange mail I am prompted for the security policy (which is what it should do). For some reason it does not do this with the native client (for my original Droid and Exchange 2003 configuration).

I'm sure if I had a Droid X or Incredible I would receive the security policies using the native mail client. Or if I had Exchange 2007 or Exchange 2010 this would not be a problem but that is not my setup.

Does anybody here have the original droid using Exchange 2003 that actually is having the security policies enforced?

(I know about touchdown and that is not an option)
 
Yes. We have Exchange 2003. When I got the FRG22D update on my Droid, it immediately had me set a pin to get into my corporate email.

Are you using the native client on the Droid? Would you be willing to share what your security policy settings are so I can compare with mine?

The native client Force Closes on me during email setup for an Exchange account since FRG22D
 
i'm-corny - Do you have the original Motorola Droid? Not DroidX, not Droid Incredible.

My thoughts are that this problem is specific to the original Motorola Droid using Exchange 2003.

JTSystems: I have the original Droid, non-rooted. Exchange 2003 SP2. I think our setup is probably very similar. Is this a problem only on your phone or on all Droids within your organization? I'm pretty sure my coworker tried this on his phone and it worked fine as well. Everyone here uses TouchDown, however.

Exchange mobile services config:
Everything checked except "enable unsupported devices"

Device Security settings:
Enforce password on device
Minimum password length
Wipe device after failed attempts
 
