  #1 (permalink)  
Old 09-05-2009, 02:03 AM
HeXeD
Work's Exchange 2007 Security Policies.. my touch pro 2.. no fun

Ok.. I have searched high and low and cannot find the answer.

I have a Sprint Touch Pro 2 I just received today for work. It is replacing my HTC Mogul. My work now has an Exchange 2007 server that they are able to lock down pretty much anything. I was able to get around these security measures with just a reg hack on my Mogul which had WM 6.0.

Now that I have my Touch Pro 2 I am unable to find out how to work around the issues. Here they are in no particular order:

1. I cannot install any CAB files or programs through ActiveSync if the program does not have a trusted certificate.

2. I cannot launch Remote Desktop Client. It says I have been blocked from doing this.

3. I cannot make registry edits.

I have hard reset the phone and then I am able to install anything and do anything. The second after I sync my phone to my work's exchange 2007, I cannot do anything listed above.

Here is what I have done:

http://www.etenblog.com/2008/01/21/d...obile-devices/

Everyone else with earlier versions of phones has reported some success with this, and the ones that did not received no advice. When I go to my registry, that specific key located at "HKLM\Security\Policies\Policies\00001023" already has a value of 1, which would lead me to believe it is disabled. It is the same way when I freshly hard reset it. I would assume after the Exchange 2007 sync, that reg key would change to a value of 0 but it doesn't.

So this leads me here, asking if any of you have encountered the same problem. Does my company have me beat? I just wouldn't see why when my Mogul was reg hacked to not load their policy for the password.. which leads me to one last point that is very odd..

When I resynced my Mogul to my company's Exchange, it specifically had me set up some sort of PIN to unlock the phone every time I wanted to use it. When I sync my Touch Pro 2, it does not ask me to set up a PIN and it doesn't even ask me for a previous PIN that I would have used on my Mogul. Any thoughts to all of this?
  #2 (permalink)  
Old 09-05-2009, 02:14 AM
stevedusa
Re: Work's Exchange 2007 Security Policies.. my touch pro 2.. no fun

All I can say is there are reasons why these policies are forced onto any domain resources (yes, that includes your TP2): Security & Safety.

See if you can talk with your Exchange Administrator and have him change some policies that are by default, limited on mobile devices.

As for registry hacks, eventually Microsoft finds them out and patches them in newer releases. After all Microsoft doesn't do Windows Update on WM devices like they do with the desktop OSes.

I'd have a little talk with the Exchange Admin if I was you.
  #3 (permalink)  
Old 09-05-2009, 07:29 AM
GoodThings2Life
Re: Work's Exchange 2007 Security Policies.. my touch pro 2.. no fun

As an Exchange administrator, I can tell you that violating your company's security policies on a work-issued phone is grounds for disciplinary action including potential for dismissal. There is probably a very good reason they have the policy in effect.

Proceed at your own peril.
__________________
--Someday, bringing GoodThings2Life will become a Paradigm!--
  #4 (permalink)  
Old 09-05-2009, 10:37 AM
8notime
Re: Work's Exchange 2007 Security Policies.. my touch pro 2.. no fun

Quote:
Originally Posted by GoodThings2Life
As an Exchange administrator, I can tell you that violating your company's security policies on a work-issued phone is grounds for disciplinary action including potential for dismissal. There is probably a very good reason they have the policy in effect.

Proceed at your own peril.

Does Exchange 2007 server even have the device management capability the OP describes? I believe what he's describing to be true but I thought there had to be something more on the backend (like Afaria or SOTI) to enforce these kinds of things.
  #5 (permalink)  
Old 09-05-2009, 01:21 PM
HeXeD
Re: Work's Exchange 2007 Security Policies.. my touch pro 2.. no fun

Quote:
Originally Posted by GoodThings2Life
As an Exchange administrator, I can tell you that violating your company's security policies on a work-issued phone is grounds for disciplinary action including potential for dismissal. There is probably a very good reason they have the policy in effect.

Proceed at your own peril.

Congrats on being an Exchange admin.. but you don't know jack squat about my company. Not like I even need to go into my work's policy with some dude I don't know, but this phone was purchased with my money. My company only purchases Blackberries for people, and if they want an iPhone or a winmo device, they have to pay for it themselves. When they do, they are also given a form to sign saying that their phone is going to be password protected, and will be remotely wiped if the user leaves the company. It also says that the admins have the capability to see what is on our phones. Other than that, there is no mention of prohibited software, or any disciplinary actions for people who do install things on their phone. Also to throw another wrench into your spokes, I have not signed the agreement.. so even if there was a clause in there for installing programs I would still "technically" be ok.

Another thing is, I am the manager of our company's help desk. I do not have those types of rules against me besides the password lock. On my previous phone (Mogul), I was able to use remote desktop client, install any of my 3rd party apps, and pretty much do what I wanted to.

With that said, I already contacted our Exchange admin who knows me very well and he said they had the ability to do what I am talking about but those types of policies should not be set for me and are not set for anyone else. He said he was going to look at the server and figure out what was going on and let me know. He also knows that I completely hack up my Windows Mobile phones and he is completely cool with that.

And yes.. I am completely aware that my company has those policies for a reason, but they do not have THAT strict of a policy and even if they did I should be excluded since they know I'm not an idiot with my phone.

So any ideas on what could be happening on the Exchange side to be causing this?
  #6 (permalink)  
Old 09-05-2009, 01:34 PM
Gene_SD
Re: Work's Exchange 2007 Security Policies.. my touch pro 2.. no fun

Sounds like you need that administrator to give you a copy of the company certificate to install on the TP2 and that should solve your Exchange issues.
  #7 (permalink)  
Old 09-05-2009, 01:37 PM
stevedusa
Re: Work's Exchange 2007 Security Policies.. my touch pro 2.. no fun

Quote:
Originally Posted by HeXeD
Congrats on being an Exchange admin.. but you don't know jack squat about my company. Not like I even need to go into my work's policy with some dude I don't know, but this phone was purchased with my money. My company only purchases Blackberries for people, and if they want an iphone or a winmo device, they have to pay for it themselves. When they do, they are also given a form to sign saying that their phone is going to be password protected, and will be remotely wiped if the user leaves the company. It also says that the admins have the capability to see what is on our phones. Other than that, there is no mention of prohibited software, or any disciplinary actions for people who do install things on their phone. Also to throw another wrench into your spokes, I have not signed the agreement.. so even if there was a clause in there for installing programs I would still "technically" be ok.

Another thing is, I am the manager of our company's help desk. I do not have those types of rules against me besides the password lock. On my previous phone (Mogul), I was able to use remote desktop client, install any of my 3rd party apps, and pretty much do what I wanted to.

With that said, I already contacted our Exchange admin who knows me very well and he said they had the ability to do what I am talking about but those types of policies should not be set for me and is not set for anyone else. He said he was going to look at the server and figure out what was going on and let me know. He also knows that I completely hack up my windows mobile phones and he is completely cool with that.

And yes.. I am completely aware that my company has those policies for a reason, but they do not have THAT strict of a policy and even if they did I should be excluded since they know I'm not an idiot with my phone.

So any ideas on what could be happening on the Exchange side to be causing this?

Well man nothing against anybody here, but the thing is it's better to understand this freedom vs. security issue from both sides.

I am a system admin for a small business with many AD resources such as Exchange (oh headache lol). Although there is no sensitive information in any of the domain resources, my job is to make sure that no security flaws would compromise anyone either from an internal or external source.

Microsoft kept that in mind and they understand that everybody is a different cup of soup so, by default they limit regular, everyday-Joe users/resource on what they can do. Yes it is very frustrating for the users when they need elevated rights to accomplish something, on their own computers! But under the AD policy and safety, I can't simply assign everyone into Domain Admins, nor do I have the time to be in front of their desk every time it asks for an elevated, and not using AD is not an option (Exchange).

Of course the users just think that we the IT people are butt-holes by limiting what they can do, even on their own computers. Like I said earlier it's just frustrating for both the end user and admins. It's always a fight between freedom and safety. It's obvious that to Microsoft, safety is top priority.

In your case, since your Exchange Admin has no objections of you pimping out your WM devices in the past, changing some policies in Exchange regarding mobile devices and rights, which by default limits what you can do on it, can help on this subject matter.

So yeah, good luck, I am sure it won't take your Exchange admin more than 5 minutes to set it up.
  #8 (permalink)  
Old 09-05-2009, 01:51 PM
8notime
Re: Work's Exchange 2007 Security Policies.. my touch pro 2.. no fun

Well it must have something to do with how this is set up:

http://technet.microsoft.com/en-us/l.../bb123756.aspx
  #9 (permalink)  
Old 09-05-2009, 02:49 PM
HeXeD
Re: Work's Exchange 2007 Security Policies.. my touch pro 2.. no fun

Thanks StevedUSA and 8notime... I'm not going to bother him on this Labor Day weekend... Once Tuesday rolls around I'm sure I will get my answer. I'll let you guys know how it turned out.
  #10 (permalink)  
Old 09-05-2009, 04:03 PM
GoodThings2Life
Re: Work's Exchange 2007 Security Policies.. my touch pro 2.. no fun

Quote:
Originally Posted by 8notime
Does Exchange 2007 server even have the device management capability the OP describes? I believe what he's describing to be true but I thought there had to be something more on the backend (like Afaria or SOTI) to enforce these kinds of things.

Yes. You can disable just about every aspect of Windows Mobile via Exchange ActiveSync policies, and they refresh themselves with every sync. Administrators can even remote wipe the device if necessary.

Quote:
Originally Posted by HeXeD
Congrats on being an Exchange admin... but you don't know jack squat about my company.

I don't really CARE what your company's policies are either... but my point is perfectly valid. If your company has security policies in effect, it means they have a corporate policy to back it. Violating it is grounds for disciplinary action especially if it's a company issued phone. Since it's personal, I'm thrilled your admin agreed to ease up a bit, and he's right, it takes about 3-4 minutes to create a new policy for you.

Next time though, don't be a friggen jackass and go off on some tirade against me or someone else just because we point out some cold hard facts.

Last edited by GoodThings2Life; 09-05-2009 at 04:07 PM.
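
An administrator-side check for the behaviour discussed in this thread, as an added example that is not part of any post: it maps the symptoms from post #1 to the Exchange ActiveSync mailbox policy settings that would explain them. The function name, the symptom mapping and the sample policy are constructed for illustration; the property names are Exchange 2007 SP1 policy settings, and PowerShell 2.0 or later is assumed.

```powershell
# Added example, not from the thread. The symptom-to-setting mapping is this
# example's assumption about which policy settings produce what the OP saw.
function Get-EasSymptomReport {
    param($Policy)  # object shaped like Get-ActiveSyncMailboxPolicy output

    # Symptom -> policy property -> value that would cause the symptom
    $checks = @(
        @{ Symptom = 'Unsigned CAB install blocked'; Setting = 'AllowUnsignedInstallationPackages'; Causes = $false },
        @{ Symptom = 'Unsigned programs blocked';    Setting = 'AllowUnsignedApplications';         Causes = $false },
        @{ Symptom = 'Remote Desktop blocked';       Setting = 'AllowRemoteDesktop';                Causes = $false },
        @{ Symptom = 'No PIN prompt after sync';     Setting = 'DevicePasswordEnabled';             Causes = $false }
    )

    foreach ($c in $checks) {
        $value = $Policy.($c.Setting)   # $null if the property is absent
        New-Object PSObject -Property @{
            Policy   = $Policy.Name
            Symptom  = $c.Symptom
            Setting  = $c.Setting
            Value    = $value
            Explains = ($value -eq $c.Causes)
        }
    }
}

# Constructed sample policy (not taken from any real server)
$sample = New-Object PSObject -Property @{
    Name                              = 'Constructed-Strict'
    AllowUnsignedInstallationPackages = $false
    AllowUnsignedApplications         = $false
    AllowRemoteDesktop                = $false
    DevicePasswordEnabled             = $true
}

Get-EasSymptomReport $sample |
    Format-Table Policy, Symptom, Setting, Value, Explains -AutoSize

# Live use in the Exchange Management Shell (mailbox identity is a placeholder):
#   $assigned = (Get-CASMailbox -Identity 'user@example.com').ActiveSyncMailboxPolicy
#   Get-ActiveSyncMailboxPolicy -Identity $assigned |
#       ForEach-Object { Get-EasSymptomReport $_ }
```

A row with `Explains` set to `True` points at a policy setting to review with the Exchange administrator; because policies refresh on every sync, a change there reaches the device at its next sync.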