Work email on phone



  • We just changed to Office 365 here at work, and they finished the email migration over the weekend. So, basically, my Galaxy SII no longer receives work email or links to my calender or contacts. Not a huge problem, they sent out directions on how to make it work... for the iPhone. Also, not a big problem, works fairly similar on Android.


    The old Outlook based system didn't really require any weird permissions to work, which was great. Just set the phone up and away you went. I liked that. The new system requires a few things that don't make me comfortable at all, especially considering this is my personal phone (if work gave me a phone for work, I'd not care). I'm wondering if this is normal stuff? Basically they want:

    • Erase all Data - Erase the phone's data without warning.
    • Set Password Rules - Control the length and characters in the unlock screen password (forces a character password)
    • Monitor Screen unlock attempts - Monitor number of incorrect password
    • Lock the screen - Control how and when the screen locks
    • Set lock-screen password expiration - Control how frequently the lock screen password expires
    • Set storage encryption - Requires that the stored app data be encrypted
    • Disable cameras - Prevent the use of all device cameras
    • Disable Keyguard features - Prevent the use of Keyguard features


    So, yeah, at the moment I'm not configuring my phone to get work emails. Mostly because I don't want to be on vacation, have my phone lock screen password expire, and get stuck with a dead phone until I can log into my work computer to change the password. Also the whole, 'wipe the phone data' thing is a bit concerning, since they haven't said when or under what circumstances they would do that. Is this kind of thing normal? I am TRWTF here?


  • I'm assuming this is an app. I'd be uncomfortable with those permissions as well. It sounds as though the app is designed for work phone (so the admin can junk the phone if it's stolen for security purposes).

    Perhaps there is a personal phone version.


  • Discourse touched me in a no-no place

    @CodeNinja said:

    Is this kind of thing normal?
    Not IME. We use 365, but I have personal GMail account configured to use my work account. And my phone goes gets mail from my GMail account. Yes, it introduces an extra step and some more delay, but it sounds a lot better than what you're being asked to do.





    Alternatively, you could use this as an excuse to not answer mails out of hours and/or force them to supply you with a sacrificial phone so that you can get emails.



  • Yeah, i had the same response to the same situation. My biggest concern was 'wipe the phone' though.

    I was going to go with refusing permission to wipe my phone, so they can either 1) give me a work phone and have whatever control they wish over it, or 2) accept that I'm out of contact when mobile. Then I realised I could get imap access without any of that shite.



  •  this is normal, android trys to obey the security rules set down by exchange.  I think iPhone ignores some.

    the work-around on android is to use an email client that ignores the security rules.



  • Seems more like your admins have finally setup these features in ActiveSync, or its Office 365 equivalent. If you were using ActiveSync as your "old Outlook based system", these features were available, but they must be enabled.

    Regardless, those particular options seem rather draconian. I believe ours are just the Remote Wipe option and enable lock screen with at least a 4 digit pin.



  • Consider MailDroid. I don't know for sure if it works on Office 365, but when our system folks changed our Exchange policies to allow them to wipe my phone at will, I definitely looked into other clients. I liked MailDroid enough to buy the full version when they had a sale. It also doesn't use Android 2.3's buggy-as-hell account settings storage (oh, you lost my Exchange account settings again? How convenient.).

    I like our systems people, but there's no way in hell I'm trusting them with that kind of access to my personal phone. There have been just enough "whoops, I didn't mean to do that" screwups that I'm not allowing this access. Besides, I don't have access to any company data on my phone that is of value to anyone else, and changing my Active Directory password would simply take care of any potential problems.



  • @CodeNinja said:

    Erase all Data - Erase the phone's data without warning.

    Normal.

    @CodeNinja said:

    Set Password Rules - Control the length and characters in the unlock screen password (forces a character password)

    Hm. Normal. I'd actually prefer that to what my work does, which is to expire the unlock password every month and require unique ones. My work does not force a character password, but I don't see that as a big deal.

    @CodeNinja said:

    Monitor Screen unlock attempts - Monitor number of incorrect password

    Normal.

    @CodeNinja said:

    Lock the screen - Control how and when the screen locks

    Normal unless they have a crazy rule, like it locks after 25 seconds or something.

    @CodeNinja said:

    Set lock-screen password expiration - Control how frequently the lock screen password expires

    My workplace does it, I find it extremely annoying. I've used the same ATM password at my bank for 15 years, but the one on my phone I have to change monthly? Feh.

    @CodeNinja said:

    Set storage encryption - Requires that the stored app data be encrypted

    Normal.

    @CodeNinja said:

    Disable cameras - Prevent the use of all device cameras

    Abnormal. WTF? Tell your IT guy you use the camera on your phone to take photos of whiteboard discussions at work, see how he reacts.

    @CodeNinja said:

    Disable Keyguard features - Prevent the use of Keyguard features

    I don't know what "keyguard features" are.

    @CodeNinja said:

    So, yeah, at the moment I'm not configuring my phone to get work emails.

    No problem. It's not their phone, so they don't get the right to tell you what to put on it-- as you said, if they bought the phone and paid for the data, then they'd get to decide what settings it uses.

    I put my work mail on my (personal) phone, but my work pays for 100% of my phone bill, so I consider that a fair trade.


  • Trolleybus Mechanic

    @blakeyrat said:

    @CodeNinja said:
    Disable cameras - Prevent the use of all device cameras

    Abnormal. WTF? Tell your IT guy you use the camera on your phone to take photos of whiteboard discussions at work, see how he reacts.

     

    Reaction: You can take pictures of WHITEBOARDS? Where we keep all our COMPANY SECRETS?!?!?!?!

    Next day, all whiteboards are removed as security risks.



  • @Lorne Kates said:

    Reaction: You can take pictures of WHITEBOARDS? Where we keep all our COMPANY SECRETS?!?!?!?!

    Next day, all whiteboards are removed as security risks.

    Either that or the sane reaction. I wanna see which one you get.


  • ♿ (Parody)

    TRWTF is getting your work emails on your personal phone to begin with (unless, like blakeyrat, they're paying for the phone). If you need to have mobile access to email, they should procure the tools for you to do so.



  • The fact that Android would allow an app to disable phone features or ERASE EVERYTHING WITHOUT WARNING is a WTF on its own...



  • @PJH said:

    Alternatively, you could use this as an excuse to not answer mails out of hours and/or force them to supply you with a sacrificial phone so that you can get emails.



    I'm thinking this is going to be what I do. They strongly suggest linking our personal phones, but I kind of like the idea of not seeing build statuses on the weekend.


    @blakeyrat said:
    @CodeNinja said:
    Disable Keyguard features - Prevent the use of Keyguard features


    I don't know what "keyguard features" are.



    Oh good, I'm not the only one.



    @Lorne Kates said:

    @blakeyrat said:

    @CodeNinja said:
    Disable cameras - Prevent the use of all device cameras

    Abnormal. WTF? Tell your IT guy you use the camera on your phone to take photos of whiteboard discussions at work, see how he reacts.

     

    Reaction: You can take pictures of WHITEBOARDS? Where we keep all our COMPANY SECRETS?!?!?!?!

    Next day, all whiteboards are removed as security risks.




    This is probably why, we tend to take a lot of photos of whiteboards. Originally our conference rooms were all going to have digital ones, but only one room ended up with it, and the computer in that room is ancient/crashy so no one uses it.



    @boomzilla said:


    TRWTF is getting your work emails on your personal phone to begin with (unless, like blakeyrat, they're paying for the phone). If you need to have mobile access to email, they should procure the tools for you to do so.

    Well, it's highly recommended by management to have it set up, but I can get away with not doing it. If they really need me, they can call me, so I can ignore it when it comes up on CallerID while I'm at the bar.


  • @Ben L. said:

    The fact that Android would allow an app to disable phone features or ERASE EVERYTHING WITHOUT WARNING is a WTF on its own...

    Ahem.

    And this for good measure.


  • ♿ (Parody)

    @CodeNinja said:

    @boomzilla said:
    TRWTF is getting your work emails on your personal phone to begin with (unless, like blakeyrat, they're paying for the phone). If you need to have mobile access to email, they should procure the tools for you to do so.

    Well, it's highly recommended by management to have it set up, but I can get away with not doing it. If they really need me, they can call me, so I can ignore it when it comes up on CallerID while I'm at the bar.

    Everyone wants something for nothing. I understand their imposition of enterprise security safeguards on devices that are going to access enterprise IT resources. I might simply tell them that I couldn't implement their required policies on my phone, so I decided to take the more secure route.

    I'd be worried about getting in trouble by ignoring the policies and using a nonconforming client (as several advocated up-thread). So I'd firstly want a written waiver on all of that. Most likely, you'd never get in trouble, but you never know when some proprietary information could be compromised, followed quickly by your job. If they really care about you having access and being secure, then they'll have to get their head wrapped around you not having mobile email access.

    I'm with dhromed...I don't have a smartphone, so it wouldn't make any difference to me. My company doesn't have a problem getting smart phones for employees who need them, though, so there's really no expectation for me to be checking email all the time.


  • Discourse touched me in a no-no place

    @CodeNinja said:

    @blakeyrat said:
    @CodeNinja said:
    Disable Keyguard features - Prevent the use of Keyguard features


    I don't know what "keyguard features" are.



    Oh good, I'm not the only one.
    It's the facility to lock the keyboard so you don't inadvertantly active the phone when it's in your pocket. Nokias used to have the "Menu-*" combination, Android have a tap of the Off button to activate the 'swipe to unlock.'



    I'm guessing the 'prevent the use' means forcing you to use a PIN to unlock the phone rather than just the swipe.



  • @PJH said:

    It's the facility to lock the keyboard so you don't inadvertantly active the phone when it's in your pocket.

    Isn't that the... lock screen? How do those two things relate?



  • @Nexzus said:

    Ahem.

    And this for good measure.

     

     

    The real WTF being that Apple require me to allow Javascript to see a fucking help section. Why do thoses sites (and Apple is extremely far from being the only one) need to execute code on my side to display text with link ?

     



  • @blakeyrat said:

    @PJH said:
    It's the facility to lock the keyboard so you don't inadvertantly active the phone when it's in your pocket.
    Isn't that the... lock screen? How do those two things relate?
    On Android, you can have all kinds of widgets and things on the lock screen (which they call the keyguard screen for some reason) and this makes it so that all you can see is your wallpaper and a clock.


  • Discourse touched me in a no-no place

    @blakeyrat said:

    @PJH said:
    It's the facility to lock the keyboard so you don't inadvertantly active the phone when it's in your pocket.

    Isn't that the... lock screen?

    Which one? The one that you swipe to unlock, the one you enter a PIN, the one were you enter a password or the one where you enter a pattern? To the general untutored user who knows nothing about computers, I can see how they would presume that these features are identical, but in fact they aren't, and this option either stops you using the swipe one, or stops you using all but the PIN and/or password ones (since you can't encrypt the phone if you use the pattern one.)



  • @TwelveBaud said:

    On Android, you can have all kinds of widgets and things on the lock screen (which they call the keyguard screen for some reason) and this makes it so that all you can see is your wallpaper and a clock.

    If he had just typed "unable to configure the lock screen" in the first place, nobody would have been confused. "Keyguard features" indeed.



  • @Ben L. said:

    The fact that Android would allow an app to disable phone features or ERASE EVERYTHING WITHOUT WARNING is a WTF on its own...
     

    Well, it's not exactly an app. It's a root level builtin feature.

    But if you root your phone, you'll be able to install an app that does that.



  • @Mcoder said:

    @Ben L. said:

    The fact that Android would allow an app to disable phone features or ERASE EVERYTHING WITHOUT WARNING is a WTF on its own...
     

    Well, it's not exactly an app. It's a root level builtin feature.

    But if you root your phone, you'll be able to install an app that does that.

    Why should an app have access to such a root level builtin feature, though?



  • @ekolis said:

    Why should an app have access to such a root level builtin feature, though?

    An app doesn't. An account does.

    Basically, if you add an account, the account administrator, i.e. the Exchange server, can request access to a few security features or deny you access to the account without them. It seems that the OP's company has set their servers to request access to everything - that doesn't mean they're actually used, mind you, just that the admin can, at a whim, decide to use them. Which is bad enough.



  • Welcome to the world of BYOD.

    Enterprizes all over the world are scrambling to find ways to allow this while still managing risks. Expect the same kind of rules to be prevalent in a few months or so.

    @blakeyrat said:

    Set lock-screen password expiration - Control how frequently the lock screen password expires

    My workplace does it, I find it extremely annoying. I've used the same ATM password at my bank for 15 years, but the one on my phone I have to change monthly? Feh.

    Yes but the context is different. Forcing an ATM password change would make no sense: as soon as someone knows your password he will use it for getting as much money as he can. You will notice but it will be too late. Now suppose a family member or coworker has physical access to your phone, knows your lock-screen password and uses it daily to browse your mail, docs, pictures. You will probably never notice and he may keep doing it for years.



  • Have you considered something like this ?

    I have no idea if it works with accounts and not apps, i presume exchange/email works differently from a normal app.



  • I had the exact same issue with my employer... this was our solution -- there is an app called "Touchdown" which supports Exchange ActiveSync and honors all the security policies... except it ONLY enforces them within the app itself. So a remote wipe ONLY wipes that app; the pin policies only apply to accessing your work email; etc... It has worked out well.



  • When I joined my current company I found I really don't like their password policy, so on my first day I created a Google account (on my Google Apps domain), and setup forwarding and sending as my work account. Problem solved, except I don't have contacts so I have to check coworkers' email addresses when sending something the first time.



  • @CodeNinja said:

    Is this kind of thing normal?
    Yes, pretty much, as already noted. At our place of work, we have the same restrictions.

    We used to get company phones (up to a certain budget); these days we get a discount voucher that we can use in our own shops (we are a mobile telephony provider), so I got a Galaxy S3. They pay the phone bill as well, because it's all internal anyway.

    Because of the restrictions, I don't receive my work e-mail on there, but since I'm not into anything operational, just development, it's not an issue either. Sometimes, when going abroad, I enable work e-mail, but it's not really worth the trouble.

     



  • @Severity One said:

    @CodeNinja said:

    Is this kind of thing normal?
    Yes, pretty much, as already noted. At our place of work, we have the same restrictions.

    We used to get company phones (up to a certain budget); these days we get a discount voucher that we can use in our own shops (we are a mobile telephony provider), so I got a Galaxy S3. They pay the phone bill as well, because it's all internal anyway.

    Because of the restrictions, I don't receive my work e-mail on there, but since I'm not into anything operational, just development, it's not an issue either. Sometimes, when going abroad, I enable work e-mail, but it's not really worth the trouble.

     

    Man, I wished they paid my phone bill. That'd be awesome. Or some kinda discount.

    After showing the screen to the head of IT, his response was, 'Whoa...' in a Keannu Reeves voice. They assured us that it's just defaults for Office 2010, and they have no intention of doing any of that. Except enforcing the password requirement, which I'm OK with... and, you know, maybe wiping your phone if you loose the phone, or quit, or are fired.

    I ended up accepting it, mostly because I don't have anything on my phone that's not backed up elsewhere and I really liked being able to pull up which meeting room my next meeting was in, since some idiots love to stack them (what? I have a meeting 1-2, then 2-3, then 3:30-5? On different ends of the building?).


  • Discourse touched me in a no-no place

    @Ben L. said:

    The fact that Android would allow an app to disable phone features or ERASE EVERYTHING WITHOUT WARNING is a WTF on its own...

    Not particularly; Blackberries have always had that capability. It's so if you lose the phone or it gets stolen, and there's sensitive information on it, you notify IT, and they kill it.



  • @Ben L. said:

    The fact that Android would allow an app to disable phone features or ERASE EVERYTHING WITHOUT WARNING is a WTF on its own...

    According to one of our IT guys, they can do the same thing with the iPhones... the difference? The Android phone asks for permission to allow them to do it, the iPhone just gives it to them and doesn't let the user know. Of course, I haven't verified that, as I don't have an iPhone.



  • @CodeNinja said:

    According to one of our IT guys, they can do the same thing with the iPhones...

    It's a requirement of Microsoft ActiveSync. I believe any mobile device that syncs with Exchange has to have remote wipe ability, or MS won't certify it. It's also a feature people ask for-- Apple devices can be remotely wiped at the user's request too, even if there's no ActiveSync accounts on it.


Log in to reply