Develop Bugs

Exchange Security Policy forcing password

Whenever I enabled my Exchange work email account, the phone forces me to set a password which drives me nuts, because I have to then set the screen timeout to at least 2 minutes so I don't go mad typing in the password every time I reach for the phone. I found a lock delay app which works great, but only after I disabled Exchange, so the screen times out after a minute but only locks out after about 10 minutes - MUCH better.
I just can't use this with Exchange as the 'security policy' over-rides everything and drops me back to password lock out with screen time out.
Any thoughts?

Lock Picker
Search Android Market for an app called Lock Picker by Jeroen Brosens. That should solve your problem.

And the Exchange Security Policy won't override this?

cosmicharade said:
And the Exchange Security Policy won't override this?
Click to expand...
Click to collapse
As far as I know, no. Lock Picker runs as a service which completely disables the policy. I.e. the phone will be locked no more. Works like a charm on my Desire. However, if you at some point have the need to remove and re-add the account remember to disable the service while doing so.

I found a few applications but no app by the name of 'lock picker' - I Lock Delay is great though as it sets a lock out different to the screen timeout.
Ideally one would be able to delay the lock past screen time out, I don't mind using a password (prefer in fact) but it's annoying to have to re-enter a password every two minutes, otherwise the screen is left on if I set the timeout for longer.

You could try this :
If your company is enforcing exchange security policy regarding password , but you want to use the lock pattern (Gesture) instead then you can do the following:
1. Delete your exchange Setup on the phone.
2. Go into Security and setup a lock pattern.
3. Once that is done and tested readd your exchange account.
4. Download the app called LockPicker from Market place.
5. Go into the program and enable the Override.
6. Enjoy the new way of unlocking your phone.
Click to expand...
Click to collapse

i also had this problem... when i setup my company mail account that the phone forced me to enter a password ...
so i just installed LockPicker and it worked ... no password entry screen anymore
great app !
- kr

Had the same problem too.
I made a new unlock pattern first, added my exchange account, installed LockPicker and then uninstalled it, works like a charm

Ok so I've installed lockpicker and removed the forced password. If I remove this app now, I can go back to before with the Lock Delay app? Can I also run custom lock screens on top too that display info on the lock screen?
The ideal set up is delayed password protection, say 20 minutes, with screen time out to 2 minutes.

Disable the lock code if needed (By-pass exchange policy)

TESTED ON MANGO, AND WORKED FINE
Gentlemen,
I have found the reg key in some posts to disable the lock code for the windows phone, if you have configured the exchange e-mail account in Phone.
I was unable to view the specific reg key in normal registry editor. So I have converted the reg key to an xap file by using provxml method. And you can apply the key even if you don't have the registry editor app installed on your device.
Steps:
1. Deploy the xap file to your developer unlocked device.
2. Launch the app.
3. Tap on the green button, it should gibe you a success message.
4. Uninstall the app.
5. It may require to restart the device, since this is a registry change.
5. U r done. Now u will be able to turn off your phone security code even if you have configured the exchange e-mail account in your phone.
I have tested on my chevron unlocked HTC HD7, and it is working fine.
Hope some one will be looking for this.
Note: it's recommended to keep your phone with lock code enabled, but sometimes we need to keep the phone unlocked for some reasons.
If you install this xap, it will enable another wonderful feature..
By default, the 10 invalid attempts will erase ur phone. But after you install this xap, the password will be locked out for 1 min after 5 invalid attempts. Then after each attempts, the lockout time will double. I have tried untill the phone lockedout for 64 minutes. Then I stopped trying with the invalid lock codes. It will help you to keep the data safe, if anyone play with the phone, especially kids.
Note: Please don't try after 5-6 attempts if the phone didn't get locked out, may be this not compatible on your device. You may lose your data. I applied this on my T-Mobile HD7, and it is working fine.
Hit thanks if you like my post..
Thanks
JAZEEL

So I just applied the registry change in your provxml, and it temporarily works,i.e. it enables the option in the lock and wallpaper screen to disable the password, but next time you sync email the policy is reenforced and you have to set a pin again.
Are you also changing the permissions to that reg key in your xap somehow? haven't got a machine with the dev tools handy to try the actual xap out.

benneh said:
So I just applied the registry change in your provxml, and it temporarily works,i.e. it enables the option in the lock and wallpaper screen to disable the password, but next time you sync email the policy is reenforced and you have to set a pin again.
Are you also changing the permissions to that reg key in your xap somehow? haven't got a machine with the dev tools handy to try the actual xap out.
Click to expand...
Click to collapse
I have tested myself, and it's a permanent solution. It's stays for ever. But I don't know what will happen if you reconfigure the exchange account..

Is there any way to keep a timeout for the lock? I find it very irritating to enter the unlock code every time the device wakes up

@OP, what is the reg key for the change? You must know that to make an XAP?

timmymarsh said:
@OP, what is the reg key for the change? You must know that to make an XAP?
Click to expand...
Click to collapse
This is the key which deploys through the xap..
[HKEY_LOCAL_MACHINE\Security\Policies\Policies]
"00001023"=dword:1

Doesn't Work ...
Hi I tried this unlocker but it is not working for me every time I connect to the computer (Zune and Windows Phone Device Manager) it relocks and have to chevron unlock again.
Any suggestions?

Hello OP,
I have a Sprint HTC Arrive, I got the following message just trying to launch the xap file:
(WARNING)
(The carrier doesn't exist in database. Please contact your carrier for connection setting and go to Setting>cellular>edit
APN for further configuration.)
Theres no APN in my settings that I see, any help would be great, thanks

Striving said:
Hi I tried this unlocker but it is not working for me every time I connect to the computer (Zune and Windows Phone Device Manager) it relocks and have to chevron unlock again.
Any suggestions?
Click to expand...
Click to collapse
This is to disable the lock code on the phone if you have enabled the exchange account which will force to put the lock code.
To permanent developer unlock, please search in xda, someone already posted it before and I have applied that on my HD7.

purian23 said:
Hello OP,
I have a Sprint HTC Arrive, I got the following message just trying to launch the xap file:
(WARNING)
(The carrier doesn't exist in database. Please contact your carrier for connection setting and go to Setting>cellular>edit
APN for further configuration.)
Theres no APN in my settings that I see, any help would be great, thanks
Click to expand...
Click to collapse
I have checked on my HTC HD7 T-Mobile unlocked.. It's working fine..
Search for the reg key for your specific device, and if you find I will help you to deploy it on your device..

jazeelkk said:
This is to disable the lock code on the phone if you have enabled the exchange account which will force to put the lock code.
To permanent developer unlock, please search in xda, someone already posted it before and I have applied that on my HD7.
Click to expand...
Click to collapse
Thanks for the response funny a little while after I realized that is was for something other than the dev unlock. And happily I have gotten have way there I am unlock but have to make sure I remember to put phone in flight mode before connecting it.

rhn said:
is there any way to keep a timeout for the lock? I find it very irritating to enter the unlock code every time the device wakes up
Click to expand...
Click to collapse
i 2nd that!

jazeelkk said:
I have checked on my HTC HD7 T-Mobile unlocked.. It's working fine..
Search for the reg key for your specific device, and if you find I will help you to deploy it on your device..
Click to expand...
Click to collapse
Thanks for your response, the only reg i've ever found to disable the lock on my device is the one you posted and built into your xap file. For some reason the reg doesn't exist in my phone and I can't create it either.
Most likely why you put this together for us. But on my end here, I now have to app to my phone, once I go to launch it I get the message from my previous post, it just wont deploy/launch. Any ideas up i'm for trying.!!
Thank you,

The reg key is protected, so you can't browse to it, but you can still use a tool like advanced explorer to set it by manually specifying the full path and value to change.
I was able to set the value manually like this, but like I mentioned the value is set back automatically next time your phone sync's with exchange. The policy must get checked on every sync with exchange, and gets set back if your exchange server requires a PIN policy.
From what I can ascertain this XAP simply sets that value, so you would have to run this xap after every sync which isn't a great solution.

barrychon said:
i 2nd that!
Click to expand...
Click to collapse
I have tried it as mentioed in some old posts. But it is not working. Only thing I could do is to activate the ON/OFF button with this reg key, so that I can disable the code at any time.

I presume you guys know this already, but just for the heck of it.
You're bypassing a policy. A policy that's most likely you companies' policy. If you do lose your phone and people are able to access files or e-mails that are highly important and/or confidential, you could take the blame for leaking this information.
This could mean the company would sue you for all kinds of things, and it would be very much possible they would fire you. There is a reason the policy is enforced.
I can see why you want to disable the policy, but, as said, there is a reason your company wants that policy on a device that connects to their Exchange server and it's not to annoy you.

EvilWhiteDragon said:
I presume you guys know this already, but just for the heck of it.
You're bypassing a policy. A policy that's most likely you companies' policy. If you do lose your phone and people are able to access files or e-mails that are highly important and/or confidential, you could take the blame for leaking this information.
This could mean the company would sue you for all kinds of things, and it would be very much possible they would fire you. There is a reason the policy is enforced.
I can see why you want to disable the policy, but, as said, there is a reason your company wants that policy on a device that connects to their Exchange server and it's not to annoy you.
Click to expand...
Click to collapse
You are right. I recommend to keep the phone locked always.
It meant for some situation, where we need the phone need to be stayed unlocked. Atleast we should have the option for it.

EvilWhiteDragon said:
I presume you guys know this already, but just for the heck of it.
You're bypassing a policy. A policy that's most likely you companies' policy. If you do lose your phone and people are able to access files or e-mails that are highly important and/or confidential, you could take the blame for leaking this information.
This could mean the company would sue you for all kinds of things, and it would be very much possible they would fire you. There is a reason the policy is enforced.
I can see why you want to disable the policy, but, as said, there is a reason your company wants that policy on a device that connects to their Exchange server and it's not to annoy you.
Click to expand...
Click to collapse
Thanks mum. But seriously...
I think this is a perfect example of a security policy being set which isn't realistic, so users find workarounds. Like when you mandate everyone has a 50 character password which has to be changed once a week, everyone simply ends up writing them down on post it notes.
The PIN code every time you want to use your phone is bloody annoying. It could improved to make it more useable, e.g.:
Only require a PIN if it's been more than 30 minutes since you last entered it.
Only require a PIN when accessing data in exchange like calendar/email.
Specify certain actions which don't require a PIN unlock, e.g. playing music or games.
Anyhow this is mostly irrelevant as this hack is only temporary and the setting reverts so that's a killjoy.

benneh said:
Thanks mum. But seriously...
I think this is a perfect example of a security policy being set which isn't realistic, so users find workarounds. Like when you mandate everyone has a 50 character password which has to be changed once a week, everyone simply ends up writing them down on post it notes.
The PIN code every time you want to use your phone is bloody annoying. It could improved to make it more useable, e.g.:
Only require a PIN if it's been more than 30 minutes since you last entered it.
Only require a PIN when accessing data in exchange like calendar/email.
Specify certain actions which don't require a PIN unlock, e.g. playing music or games.
Anyhow this is mostly irrelevant as this hack is only temporary and the setting reverts so that's a killjoy.
Click to expand...
Click to collapse
Lol, you have a point, but or colleague above is quite correct, the policy is enforced for a reason. At my company, such an offense can mean instant dismissal
(if you use exchange for just calendar and contacts, as i do, a pin is not required to unlock, the policy is only enforced for email strangely enough....)

I agree the Pin should be how it was in WM 6.5 where you could have it only ask after 2 hours or evey 24 in some cases. That way if was a good balance. This business of requiring the PIN every time you look at your phone is crap. I have removed it from my droid device and I am fornunate that my company will not hassle me over it. Still though its a bunch a crap to enter it every 5 minutes.

Disable PIN lock policy for an Exchange account

My company uses an Exchange server for email, and it works great....except for one thing:
Due to their arcane policies, I am only able to use a pin lock on my phone. All of the other lock options are disabled, even face unlock. Also, they have the screen set to time out at 1 minute, which sucks when trying to use pretty much any application.
Does anyone know of a way to override these policies since my device is rooted?

Try this:
http://forum.xda-developers.com/showthread.php?p=14577188
Sent from my Galaxy Nexus

You could also get Enhanced Email from the market. Although its pricey, it works great.

That is not arcane at all, those are good security practices. This is why Android still lags behind apple and rim at the enterprise level - too many easy hacks to bypass the security that businesses need. Faceunlock can be cracked by a polaroid and many swipe patterns can be guessed by looking at fingerprints on the screen.
Honestly, with all the personal information that resides on a smart phone I don't understand why everyone doesn't have a strong pin on their phones. Hope your buddies don't swipe your phone at the next party, unlock it with a facebook pic, and play some prank with your work email account.

for me I guess its the stupid 1 minute lockout period. For example, if I am trying to use my phone as a GPS, I only get to see the screen for 1 minute. BOOM...locked out.
Pandora... NOPE. locked out after 1 minute, sure the music still plays, but I have to unlock the stupid phone to change songs and what not.
Scold me all you want virtualcertainty, the minimum 6 character pin, and 1 minute lockout drives me nuts.

Wasn't trying to scold you, just explaining the risks involved and the reasons for the policies. I wouldn't recommend to any of my clients to set policies lower than that. And I know a bunch of people that want an android for work but the IT department won't issue one or even allow people to use their own because of the work arounds.
My work policy is a 4 character pin with 1 minute time out. I exceed that on my device - 5 character pin and 30 second time out. In no time you won't notice it at all.

I don't know if this is a bug, but I have been able to remove the pin lock policy on my exchange account EVERY time
This is what I do
Set up Account
When it tells me that it's going to disable face unlock ,etc , HIT THE BACK key
Voila, you're out of there and it lets you go forward.
Don't know if it's our exchange server but that works for me

BooDaddy said:
for me I guess its the stupid 1 minute lockout period. For example, if I am trying to use my phone as a GPS, I only get to see the screen for 1 minute. BOOM...locked out.
Pandora... NOPE. locked out after 1 minute, sure the music still plays, but I have to unlock the stupid phone to change songs and what not.
Scold me all you want virtualcertainty, the minimum 6 character pin, and 1 minute lockout drives me nuts.
Click to expand...
Click to collapse
Then you should probably talk to your employer about it. This is an extremely basic security practice, and like multiple people have already said the easy "hack" to get around the practices is the exact reason most employers don't allow Android users access to their Exchange servers.
My company doesn't allow any Android phones on their Exchange network, exactly for this reason.
BTW, just for reference, it is possible to implement monitoring tools in an Exchange server to notify the administrators of changes to security features. Most employers wouldn't even talk to an employee that's violating security practices...it's just "Here's your box and there's the door". Complain all you want about them, but they're there for a reason. I wouldn't risk it just to escape having to input a key combination.

BooDaddy said:
My company uses an Exchange server for email, and it works great....except for one thing:
Due to their arcane policies, I am only able to use a pin lock on my phone. All of the other lock options are disabled, even face unlock. Also, they have the screen set to time out at 1 minute, which sucks when trying to use pretty much any application.
Does anyone know of a way to override these policies since my device is rooted?
Click to expand...
Click to collapse
I lol'd.
How dare a company try to protect their IP with a password on your phone...

Samsuck said:
I don't know if this is a bug, but I have been able to remove the pin lock policy on my exchange account EVERY time
This is what I do
Set up Account
When it tells me that it's going to disable face unlock ,etc , HIT THE BACK key
Voila, you're out of there and it lets you go forward.
Don't know if it's our exchange server but that works for me
Click to expand...
Click to collapse
Maybe your admins didn't force device security. My company doesn't even allow pattern locks

martonikaj said:
I lol'd.
How dare a company try to protect their IP with a password on your phone...
Click to expand...
Click to collapse
Im totally aware of a company eanting to protect thier IP. I dont even mind having some sort of lock on my phone. But it would br nice to be able to at least bump the lockout time a bit to make the phone useable. Or at least let me do pattern lock.
Theres no sense in trying to make this a pissing contest on security policies.

soapbox,
I sign up to get company email on my own phone as a convenience to both of us. If their security policy was so strict that it made it difficult to use my phone, that convenience would go away and any after hour emails would have to wait until the morning. Obviously not everyone can get away with that, but luckily I can.
I second trying EE,
I picked up Enhanced Email from the amazon app store when it was the free app of the day and have been happy with it(It can disable exchange policies). I do have the lock feature on my phone enabled however because I also use Google Wallet, so I want a little extra protection.
So, you need my phone an also need two separate passwords to use Google Wallet. Hopefully by that time I will have wiped my phone and/or located it.

once on a custom rom, ive never had a problem with exchange security settings. unless i'm going out for a big night (and might lose my phone) i leave the security off.

versd said:
once on a custom rom, ive never had a problem with exchange security settings. unless i'm going out for a big night (and might lose my phone) i leave the security off.
Click to expand...
Click to collapse
If you are able to turn off the PIN lock while using corporate exchange mail then your exchange server does not have the required security policy.
Unless there's something else you've done which you didn't post.

Samsuck said:
I don't know if this is a bug, but I have been able to remove the pin lock policy on my exchange account EVERY time
This is what I do
Set up Account
When it tells me that it's going to disable face unlock ,etc , HIT THE BACK key
Voila, you're out of there and it lets you go forward.
Don't know if it's our exchange server but that works for me
Click to expand...
Click to collapse
Yep, that'll be the server as I get a security pop up and you can't dismiss it. Once setup all other lock options are off limits.
The annoyance for me was the inability to change the time out period, it made it unusable in certain situations.
Sent from my Galaxy Nexus

BooDaddy... I'm an IT Director for a large, publicly held company. We allow iPhones and Android devices to use our enterprise Exchange email with a 4-digit PIN, 1-minute lock AND the understanding that we can wipe the employee's phone if necessary. Installing software to circumvent this security would violate our security policies and would result in a disciplinary action.
Is this your personal phone or did your company provide it?

105437 said:
BooDaddy... I'm an IT Director for a large, publicly held company. We allow iPhones and Android devices to use our enterprise Exchange email with a 4-digit PIN, 1-minute lock AND the understanding that we can wipe the employee's phone if necessary. Installing software to circumvent this security would violate our security policies and would result in a disciplinary action.
Is this your personal phone or did your company provide it?
Click to expand...
Click to collapse
Not sure how the question is relevant to the thread topic but it is my personal phone.

Look here for solution: http://forum.xda-developers.com/showthread.php?p=19792676

BooDaddy said:
Not sure how the question is relevant to the thread topic but it is my personal phone.
Click to expand...
Click to collapse
Not really relevant, just curious because if the company bought it and pays the monthly costs then you really shouldn't have too much to complain about. So I guess it's your choice to connect to the Exchange server, I would never expect a company to mandate corporate email on an employee's personal phone.

105437 said:
Not really relevant, just curious because if the company bought it and pays the monthly costs then you really shouldn't have too much to complain about. So I guess it's your choice to connect to the Exchange server, I would never expect a company to mandate corporate email on an employee's personal phone.
Click to expand...
Click to collapse
Yeah, had it been their phone and plan, I wouldn't mind it. Their dime, their rules.
While its not mandatory for me to have it, it is very handy since I am a systems admin (Linux) and its nice to get alerted via logwatch emails when something bad happens.

Is it possible to bypass pin/security code in email app on stock rom?

Hi,
I'm trying to bypass the required pin/security code that my company's microsoft exchange email requires on a stock rom.
I installed the exchangen-no-pin hacked app that everyone uses on an AOSP rom, no problems.
But since I have decided that AOSP roms leave me with at least 1/3 less battery life than stock, I want to go back to stock. But I can't seem to get around the pin/security code policy b/c the hacked email apk doesn't work.
Anyone have any ideas?

Is google not working for you? A search with the keywords "exchange bypass" gives this as first result: http://repo.xposed.info/module/org.flacid.exchangebypass

zxz0O0 said:
Is google not working for you? A search with the keywords "exchange bypass" gives this as first result: http://repo.xposed.info/module/org.flacid.exchangebypass
Click to expand...
Click to collapse
I wish people like you would learn to research their answers before being rude to others. This Xposed mod does not work on Stock Rom. Is google not working for you?

lamenramen said:
I'm trying to bypass the required pin/security code that my company's microsoft exchange email requires on a stock rom.
Click to expand...
Click to collapse
Bypassing corporate security policies sounds like a good idea.

Use an email client such as Nine. That will allow you to satisfy the exchange server with an email app pin lock and wipe, instead of a device level admin lock and wipe.
Sent from my SGP512 using Tapatalk

Mailwise is another (free) email client that allows bypass exchange security if you enter a code you have to fetch from their website one time.
Although Nine is probably a better alternative because it does have the app level pin & wipe function rather than completely bypassing exchange security.

I can recommend NINE, it works great and their support is also pretty good, I received a reply almost instantly when I reported a minor bug and it was fixed within a day.

on stock, i don't think so. it is governed by the administrators of your email account. is it an exchange account?

Adding password to Owner mode?

From the lock screen there's an option to switch "accounts", at the upper right hand corner.
Is there a way to (or how do you) assign a password to access the Owner account?

Capataz said:
From the lock screen there's an option to switch "accounts", at the upper right hand corner.
Is there a way to (or how do you) assign a password to access the Owner account?
Click to expand...
Click to collapse
Pretty sure, haven't tried this myself on this device yet (as I have no need for guest mode), all you need to do si go to Lockscreen settings and set up a password/pin there.
IIRC, guest mode is multi-user in disguise, and this is how I set up a pin for normal functions on my tablet, and restricted access for the guest account.
Hope this helps.

joel.maxuel said:
Pretty sure, haven't tried this myself on this device yet (as I have no need for guest mode), all you need to do si go to Lockscreen settings and set up a password/pin there.
IIRC, guest mode is multi-user in disguise, and this is how I set up a pin for normal functions on my tablet, and restricted access for the guest account.
Hope this helps.
Click to expand...
Click to collapse
Ah it does work, albeit sort of indirectly. If I add a PIN/Password to my lock screen then the guest user will not be able to go beyond my lock screen even if he/she switches to Owner mode.
But doing so means that I would have to enter a PIN/Password too each time I want to get passed my lockscreen. What I was looking for is that the PIN/Password be asked when switching to Owner account from Guest account itself, not the lockscreen of each account (or to-and-fro other accounts, if there are others).

True but you can now use Smart Lock in Lollipop to add a bunch of stay unlocked scenarios such as whenever you are holding the phone, certain gps locations you choose, Bluetooth or NFC devices whenever they are attached. Then your lock screen stays pretty much unlocked all the time you use it normally. But it will still ask for password or unlock pattern you choose when switching accounts.
Sent from my ASUS_Z00A using XDA Free mobile app

texla said:
True but you can now use Smart Lock in Lollipop to add a bunch of stay unlocked scenarios such as whenever you are holding the phone, certain gps locations you choose, Bluetooth or NFC devices whenever they are attached. Then your lock screen stays pretty much unlocked all the time you use it normally. But it will still ask for password or unlock pattern you choose when switching accounts.
Sent from my ASUS_Z00A using XDA Free mobile app
Click to expand...
Click to collapse
Ah I see. I havent meddled around with the Smart Lock feature yet, as I really just prefer the swipe-to-unlock. I find any other way to unlock to be cumbersome as 90% of the time it's only me using this phone, the 9% being my SO, and the 1% being other people like friends and relatives.
While my SO uses this phone in Owner mode, I was hoping I could switch it to Guest mode each time a friend borrows it to send a text or call etc. and have the confidence the he/she cannot switch back to Owner mode easily.
Then 99% of the time I'd just have swipe-to-unlock and I wouldnt have to worry about Smart Lock or other privacy/lock settings.
I was just comparing it to a PC, because this is like having multiple accounts in one phone. But it seems to have very little application when I can just switch back to the administator account (the Owner account) without any password.