Company wants to wipe my phone - Nexus 6P Q&A, Help & Troubleshooting

I currently have an assignment at a company that takes security seriously, and rightfully so. One of the disadvantages is that, to access the Exchange server to sync my calendar & read my mail, I need to give them the rights to wipe my phone from a distance and such niceties.
I was wondering if something like MultiROM could be helpful in this case? Set up one ROM for limited use that they can wipe if necessary, and another ROM for real use. The question now is: is the data partition shared? If yes and they wipe my data, then I still lose everything.
What would you advise? I'm currently doing a "manual sync" but that's no fun & very error prone.

If you want to pay for it, use the Nine mail application.
You can set a full device wipe or just application wipe.
So if your company decides to wipe it, only the mail gets wiped.

What kind of wipe? If you mean a factory reset or something like that, then yes. I mean a factory reset wipes just its own partition and won't touch the other partitions (I'm sorry for my bad English. I hope you got what I mean), so obviously you should sync your info between all ROMs yourself before the wipe.
But if you mean a wipe from recovery, or a flash from a Windows PC or something like that, don't count on MultiROM or anything else!
Sent from my Nexus 6P using Tapatalk

Personally, if a company would remote wipe my phone if it gets lost or stolen because it contains company related info in it, I don't see the problem of letting them do so. I would even thank them for having my personal info wiped along with it. If I have issues with the company's terms regarding wiping data on MY phone (maybe like remote wiping without letting me know beforehand, even when my phone is not lost), I would use a secondary phone as a work phone.

The company should provide a work phone for you to use.

stankyou said:
I would use a secondary phone as a work phone.
I just realised the Samsung Galaxy S2 with its broken screen that my Nexus 6p will replace, will be perfect for this. No SIM card, just sync everything over Wi-Fi, done. Thanks for the creative thinking, all!

dratsablive said:
The company should provide a work phone for you to use.
I agree. If they want permission, they should provide the device.

Generally, companies that want your phone wiped any second are against rooting, unlocked bootloaders and custom roms. The best thing to do is to ask them about it first, so that you won't end up getting fired or sued.

Bluemail

PeterJP said:
I currently have an assignment at a company that takes security seriously, and rightfully so. One of the disadvantages is that, to access the Exchange server to sync my calendar & read my mail, I need to give them the rights to wipe my phone from a distance and such niceties.
I was wondering if something like MultiROM could be helpful in this case? Set up one ROM for limited use that they can wipe if necessary, and another ROM for real use. The question now is: is the data partition shared? If yes and they wipe my data, then I still lose everything.
What would you advise? I'm currently doing a "manual sync" but that's no fun & very error prone.
Ok, so to do this they need to install an MDM agent (Mobile Iron, AirWatch, etc.), a piece of software/application which is granted device administrator rights on your phone. These agents usually manage the security certificates and all the other things needed to authenticate the device with their systems and create a secure connection. If they configured their environment correctly, devices without this agent shouldn't be allowed to connect, which essentially makes the agent required. This is good as only secured and managed devices can connect.
However, as this is a personally owned device, you're allowing them a metric crap ton of access to your personal phone. As a device administrator, the agent can be used to:
* Browse / view / edit files on your phone
* View messages sent or received
* Use GPS to determine the device's location, or even map where the device goes 24/7.
* Change the lock code / pin for the device.
* Lock the device at will.
* Detect rooted devices and disallow service.
* All kinds of other Big Brother-ish type of things.
Your company should have some kind of mobile device policy. Ask to view it. This policy should define acceptable use of mobile devices for employees, and it should also define the acceptable use of the MDM solution for IT staff and management. It should define specifically what steps they will take if the device is lost/stolen, if you get terminated, or any other circumstance where they would want to wipe the device. If they don't have a mobile device policy, or if it does not clearly define these things, demand they provide you with a mobile device and do not grant them permission to use your personal devices. Why? If they don't have their **** together enough to have a policy protecting both them and you, it's just not worth giving them access to your phone.
Furthermore - They should have the ability to perform 2 types of wipes. An enterprise wipe, and a device wipe. The enterprise wipe will remove email, corporate data, corporate applications pushed through the MDM, and finally the MDM agent itself. It shouldn't remove any personal files or wipe the OS. It is often the practice to do an enterprise wipe for personally owned devices in a BYOD environment, but you should check.
So, is all of this MDM stuff bad? No. Your business has a right to protect their systems, networks, and information. MDMs allow them to do this. That being said, if they are making it a job requirement for you to access email 24/7 (or even for just a limited window of time which is outside of your normal shift hours) then the burden of providing you with the appropriate means of doing so rests with them as well. This often means they have to provide you with a mobile phone. If accessing email outside of your working hours is NOT a requirement - then don't! For goodness sake, take a break from the job man!
So... it is often better to carry 2 phones than to put a corporate MDM on your personal device. That's my opinion.
I know this didn't specifically address the OP, but I've had a fair bit of experience with this (both good and bad) and thought I'd chime in. I hope it helped.

how about the reverse, what can a person do to prevent them from wiping your phone?

Elnrik said:
So... it is often better to carry 2 phones than to put a corporate MDM on your personal device. That's my opinion.
Nice write-up!! I totally agree with you, 2 phones is the way to go.

https://play.google.com/store/apps/details?id=com.cloudmagic.mail
Access your exchange email without changing security settings on your phone.

ycats said:
how about the reverse, what can a person do to prevent them from wiping your phone?
Once their agent is installed and made a device administrator... Nothing.
Ergo - to prevent it, don't install the MDM agent.
---------- Post added at 07:00 AM ---------- Previous post was at 06:46 AM ----------
mikexda said:
Nice write-up!! I totally agree with you, 2 phones is the way to go.
Thanks.
I've had some companies tell me "hey, we will pay for your service" and what they wanted was to transfer my line into their business account. Great, I don't have to pay the bill anymore, but I just lost control over when I upgrade (or am eligible for upgrades, as business accounts are still largely based on 2 year contracts), what device I can upgrade to, what plan I get, etc. And here is the scary part of that scenario... Legally the phone number is theirs from that point on. They don't have to release it back to me if either one of us terminates employment. Damn slippery slope, that.
So, unless they are going to cut you a check for your service every month, and you are ensured to retain ownership of the account, best to avoid that altogether.
In fact, any company high on BYOD is doing it wrong IMO. It sounds good, but it can be a nightmare.

Do you actually have to have work email on your phone?
Firms usually offer a corporate device, you can have your email on that, should be a cheap month to month contract.

my personal android phone has 9 email for receiving work email..........MDM agent isn't installed. I believe my coworkers who have iphones do have that installed.

Interesting discussion. Let me first point out that I am not an employee there. I'm an external contractor. So they won't provide me with a phone.
Second, their company policy is to provide iPhones for employees who need it. Not Android. There's a short FAQ with details on how to connect to their Exchange server, but that's when my phone pops up that the server wants access to wipe the phone. I haven't written down the details of the message, though. It could be just the Exchange part, which would be ok. Last thing I want is another party to have any form of control over my personal phone after my assignment ends.
Bluemail looks cool, I'll try it out. I'm curious to see how it reacts to the demands of the Exchange server. In any case, I still have my old phone which will do to stay in the loop when off-site and access my calendar. I might want to have an app that actually copies the calendar to a Google calendar, but I'll look for that when I get my new Nexus 6P & start setting up my Galaxy Sii for the plain purpose of accessing that wretched Exchange server.

ycats said:
my personal android phone has 9 email for receiving work email..........MDM agent isn't installed. I believe my coworkers who have iphones do have that installed.
Depends on your workplace. Some are more relaxed about it. Personally I avoid it and use a dedicated device.
---------- Post added at 04:49 PM ---------- Previous post was at 04:46 PM ----------
PeterJP said:
Interesting discussion. Let me first point out that I am not an employee there. I'm an external contractor. So they won't provide me with a phone.
Second, their company policy is to provide iPhones for employees who need it. Not Android. to a Google calendar, but I'll look for that when I get my new Nexus 6P & start setting up my Galaxy Sii for the plain purpose of accessing that wretched Exchange server.
I know a firm who does exactly that, iphones. If it were me I'd avoid it and get out your s2. But that's me. Are you rooted? How does the MDM play with root? If reported would that provoke a wipe? Surely that can be blocked.
What about the exchange hack? Would that be of any use?

Touchdown in the store.

tech_head said:
Touchdown in the store.
Was just about to say it has its own secure app container so wiping only wipes company info. Used it for years.

Related

Enterprise

In the Keynote, there was discussion of "over 20 new Enterprise features." From the Keynote, we know some of them were:
1. Auto discovery
2. Security Policies
3. GAL Lookup
4. Device Admin API's
5. Exchange Calendar support
From the Froyo test release I've seen exchange signatures activated.
Does anyone know the rest? Any other discoveries that I missed? I'm really hoping that they enable folder push and the ability to transfer messages between folders in the final build.
Is there a list anywhere that you guys have seen?
gibosn6594 said:
In the Keynote, there was discussion of "over 20 new Enterprise features." From the Keynote, we know some of them were:
1. Auto discovery
2. Security Policies
3. GAL Lookup
4. Device Admin API's
5. Exchange Calendar support
From the Froyo test release I've seen exchange signatures activated.
Does anyone know the rest? Any other discoveries that I missed? I'm really hoping that they enable folder push and the ability to transfer messages between folders in the final build.
Is there a list anywhere that you guys have seen?
For the GAL, if you compose an email and type the person's last name (provided that your GAL is "last, first") it'll autosearch the GAL. For the exchange calendar, this is supported out of the box and works well. It doesn't folder push unfortunately. I personally use rules that only work on my laptop (i.e. not server side rules) so that everything's in my inbox until I log in. Looks like the ability to move items into folders is also a no show.
Mi|enko said:
For the GAL, if you compose an email and type the person's last name (provided that your GAL is "last, first") it'll autosearch the GAL. For the exchange calendar, this is supported out of the box and works well. It doesn't folder push unfortunately. I personally use rules that only work on my laptop (i.e. not server side rules) so that everything's in my inbox until I log in. Looks like the ability to move items into folders is also a no show.
No, I know that those features are supported. I'm asking if anyone knows about the rest that don't seem to be so obvious. Perhaps they are something we will see in the final build?
Remote wipe
Devastatin said:
Remote wipe
Yea, that's another. That puts us at about 7 out of 20. Any others?
yea i'll be honest i think folder pushing is a bit of an annoying oversight!
that's only other feature I could really do with!
Devastatin said:
Remote wipe
I haven't been able to get remote wipe to work on FroYo yet. Has anyone else?
http://www.zdnet.co.uk/news/mobile-...googles-android-into-the-enterprise-40089007/
http://phandroid.com/2010/05/20/and...-announced-with-ground-breaking-new-features/
We’ve added Exchange capabilities such as account auto-discovery and calendar sync. Device policy management APIs allow developers to write applications that can control security features of the device such as the remote wipe, minimum password, lockscreen timeout etc.
Looks like it's there and no interface to use, or it's not there and you have to wait for 'official'
Within Exchange, I can choose to Remote Wipe the device, the same way I can remote wipe an iPhone or WinMo phone. It just didn't do anything.
PIN enforcement is another. Because of our Exchange security policy, I get asked to set a Password or PIN while setting up activesync.
Another enhancement over 2.1 is Office 2007 files are supported (pptx,docx,xlsx) and quick office pinch-zoom works, so more consistent with rest of OS
I haven't been able to get my N1 set up for our Exchange environment. I'm coming off a 3GS and didn't have any issues. Our policy isn't set particularly stringent - don't allow non-provisionable devices, enforce simple passwords, password recovery and no encryption. Keep getting the "your device doesn't support the policies pushed by the server" message, or whatever it is.
I was wondering if certain elements of the EAS policy aren't supported yet? No clue.
satchmo_d said:
I haven't been able to get my N1 set up for our Exchange environment. I'm coming off a 3GS and didn't have any issues. Our policy isn't set particularly stringent - don't allow non-provisionable devices, enforce simple passwords, password recovery and no encryption. Keep getting the "your device doesn't support the policies pushed by the server" message, or whatever it is.
I was wondering if certain elements of the EAS policy aren't supported yet? No clue.
I had similar issues with 2.1. I had to purchase roadsync (trial is possible)
froyo addressed all that! Did you upgrade yet?
satchmo_d said:
I haven't been able to get my N1 set up for our Exchange environment. I'm coming off a 3GS and didn't have any issues. Our policy isn't set particularly stringent - don't allow non-provisionable devices, enforce simple passwords, password recovery and no encryption. Keep getting the "your device doesn't support the policies pushed by the server" message, or whatever it is.
I was wondering if certain elements of the EAS policy aren't supported yet? No clue.
I got that when my company switched over to 2007 exchange, until I let the IT department know that they needed to flip the switch for Android devices (they had done BB, WM, et al)...
In the short term I used TouchDown, it has a free trial period that you can use as many times as you want, you just have to set your account back up once a week.
pjcforpres said:
they needed to flip the switch for Android devices (they had done BB, WM, et al)...
Can you expand on that? I'm not familiar with changes that need to be made to allow Android via EAS. Am I missing something? Would rock if I could get it to work.
BTW, I did upgrade to Froyo.
satchmo_d said:
Can you expand on that? I'm not familiar with changes that need to be made to allow Android via EAS. Am I missing something? Would rock if I could get it to work.
BTW, I did upgrade to Froyo.
On my company's exchange 2007 server, they have the option to block or support mobile devices. Out of the box, it had no devices allowed to sync, so they had to turn on sync for different mobile devices. They had done Windows Mobile and BlackBerry, but forgot to do Android until I reminded them that some of us use Android devices, and would like to use our native exchange support.
I got the same error you do until they changed the security settings to allow Android devices to sync as well. I would assume this is your case as well, given that Android, even 2.1, supports more security protocol than iPhone's regarding exchange, and our exchange server is set up with high levels of security (uses SSL, etc).
Anyways, just email your IT department and ask them to enable Android devices for mobile sync... if they say it is already allowed, then ask them what the settings are supposed to be for your phone... I would bet $5 they just never turned on mobile sync for Android devices.

Microsoft Exchange setup

OK, so this is more exchange oriented than HD2, but perhaps someone might be able to help on this.
My IT dept. are being a bunch of douches. I pissed them off when I first started work having been in IT myself at one point in life ranging from desktop support up to MIS Director and let's just say I stupidly corrected some things and thwarted a few Draconian security efforts now and then on my new job. Very stupid of me as I know what happens when you piss off IT.
Anyway, I have been dying to set up push email, but they state that they are working on policies for this.
BS.
Is there a way to, through some discovery process, "discover" the exchange name so I can set up push email? This is killing me as one of the reasons (among many) that I waited to buy an MS superphone was specifically for this purpose!
Thanks in advance.
Dude, never piss IT off...
Dude, I work in IT. You have done something that most people mutter under their breath. Anyways, I will try to help as much as possible.
Now for the exchange server address do you by any chance have an Outlook Web Access address i.e. my company uses as the webaccess for outlook on the go.
https://webmail.acme.com/owa/auth/logon.aspx
so for my exchange setup I used "webmail.acme.com" in my activesync on my phone and checked the ssl thing.
Also the web address used above should have a proper SSL cert. and not a wildcard one (google it).
Let me know if you have any more questions.
f_v_man said:
Dude, I work in IT. You have done something that most people mutter under their breath. Anyways, I will try to help as much as possible.
Now for the exchange server address do you by any chance have an Outlook Web Access address i.e. my company uses as the webaccess for outlook on the go.
https://webmail.acme.com/owa/auth/logon.aspx
so for my exchange setup I used "webmail.acme.com" in my activesync on my phone and checked the ssl thing.
Also the web address used above should have a proper SSL cert. and not a wildcard one (google it).
Let me know if you have any more questions.
Trust me...I know. Having worked IT for 20+ years...I know.
So my company uses:
https://mail.xxxx.com/owa
As far as I am aware that is it.
I am not following the rest of what you have written though.
What do you mean by a "proper SSL thing?"
Camusa said:
OK, so this is more exchange oriented than HD2, but perhaps someone might be able to help on this.
My IT dept. are being a bunch of douches. I pissed them off when I first started work having been in IT myself at one point in life ranging from desktop support up to MIS Director and let's just say I stupidly corrected some things and thwarted a few Draconian security efforts now and then on my new job. Very stupid of me as I know what happens when you piss off IT.
Anyway, I have been dying to set up push email, but they state that they are working on policies for this.
BS.
Is there a way to, through some discovery process, "discover" the exchange name so I can set up push email? This is killing me as one of the reasons (among many) that I waited to buy an MS superphone was specifically for this purpose!
Thanks in advance.
Even if you figure out the proper address and domain name, there is a good chance you will need a security cert Cab to run to allow you access which must come from your IT dept.
Why not just take this to your boss and tell them you want work email on your phone and have he or she force them to set you up? If your boss isn't down with you having work email on your phone, then IT isn't going to let you anyhow...
I appreciate all the responses.
A couple of points to address:
1. I got it to work no problem.
2. I erased the profile and am going to wait for them to give me the green light/red light.
I am second in command for my satellite office.
I am the assistant program director for a FQHC (Federally Qualified Healthcare Center). We are JCAHO accredited and long-standing.
We have to play by some very serious rules according to the feds and HIPAA is always looming large.
When I put a small applet on my computer to stop the screensaver from engaging (since they took away our privs to be able to just change the setting) someone ratted me out and I was told that it was "HIPAA" policy.
Having been a privacy officer myself I assured them it was not HIPAA policy.
They then noted that it was company policy.
Long and short of it...I am going to have to wade through the BS.
Supervisor is here!
Gotta go!

[Q] security question regarding 'Trusted Credentials'

Is there any reason why I should have so many Trusted Certificates under the System tab in Credential Storage? I have probably close to 100 in there and most of them I don't recognize; they seem to have some gibberish with an expiration date of a few years in the future. To my knowledge these are baked into the ROM and are not installed by the user so I'm guessing most of them relate to a stock app of some kind (WatchOn, ChatOn, etc.) Because I haven't seen a lot of discussion about it, I am asking if these Certificates are safe (I know it's from Android or Samsung blah blah)?
I'm in the tedious process of disabling them just to see what happens but can anyone else shed any light on the matter? Thank-yew...
http://support.google.com/android/bin/answer.py?hl=en&answer=1649774
I'd like to know about this as well.
Sent from my SAMSUNG-SGH-I337
These are all root certificates. The certificate authorities that issue certs to web sites have their root certificates loaded on the phone so the phone can verify that an SSL cert from a web site is legitimate.
This is a lucrative business so there are quite a few CAs around the world. And big banks have become CAs too.
Theoretically they are all legitimate as it is a huge process (or it used to be) to get your root cert included in an OS or browser by default.
Can you remove them? Yes, but be careful. If you only use USA websites then you can probably remove most non-USA CAs. But why do you care? Older versions of android didn't let you remove any, and the only time you need to is if a CA has been compromised.
If you do remove one you need, you will get SSL warnings about visiting an untrusted site, but you should be able to add the root cert back.
HTH
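Added example, not part of the original thread: Python that reviews a root CA store along the lines the post above describes, counting roots per country, flagging expired ones, and computing the fingerprint used to compare a root against the value its CA publishes. It assumes a desktop Python reading the operating system's trust store (not the phone's Trusted Credentials list); `SAMPLE_ROOTS` and all function names are constructed for illustration.

```python
import hashlib
import ssl
import time
from collections import Counter


def fingerprint(der_bytes, algo="sha256"):
    """A certificate fingerprint is a hash of its DER encoding, shown as hex pairs."""
    digest = hashlib.new(algo, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _attr(name, key):
    """Return one attribute (e.g. countryName) from ssl's nested subject/issuer tuples."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def summarize(cert_dicts, now=None):
    """Flatten ssl-style certificate dicts into rows that are easy to review."""
    now = time.time() if now is None else now
    rows = []
    for cert in cert_dicts:
        subject = cert.get("subject", ())
        rows.append({
            "name": _attr(subject, "commonName")
                    or _attr(subject, "organizationName") or "(unnamed)",
            "country": _attr(subject, "countryName") or "??",
            # A root signs itself, so subject and issuer names are identical.
            "self_issued": subject == cert.get("issuer"),
            "not_after": cert["notAfter"],
            "expired": ssl.cert_time_to_seconds(cert["notAfter"]) < now,
        })
    return rows


def roots_per_country(rows):
    """How many trusted roots each country code contributes."""
    return Counter(row["country"] for row in rows)


def load_roots(cafile=None):
    """Return (info dicts, DER blobs) for the loaded roots.

    The list can be empty on systems that load roots lazily from a directory;
    pass the path of a PEM bundle as cafile in that case.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    return ctx.get_ca_certs(), ctx.get_ca_certs(binary_form=True)


def _name(country, org, cn):
    return ((("countryName", country),),
            (("organizationName", org),),
            (("commonName", cn),))


# Constructed sample in the format ssl returns; these are not real CAs.
SAMPLE_ROOTS = [
    {"subject": _name("US", "Example Trust Co", "Example Root CA 1"),
     "issuer": _name("US", "Example Trust Co", "Example Root CA 1"),
     "notAfter": "Dec 31 23:59:59 2029 GMT"},
    {"subject": _name("US", "Example Trust Co", "Example Root CA 2"),
     "issuer": _name("US", "Example Trust Co", "Example Root CA 2"),
     "notAfter": "Aug  1 23:59:59 2036 GMT"},
    {"subject": _name("DE", "Beispiel Zertifikate", "Beispiel Root"),
     "issuer": _name("DE", "Beispiel Zertifikate", "Beispiel Root"),
     "notAfter": "Jun 30 12:00:00 2015 GMT"},
]


if __name__ == "__main__":
    infos, ders = load_roots()
    rows = summarize(infos or SAMPLE_ROOTS)
    print("roots per country:", dict(roots_per_country(rows)))
    for row in rows:
        if row["expired"]:
            print("expired:", row["name"], row["not_after"])
    # Fingerprints are what you compare with the value the CA publishes.
    for der in ders[:3]:
        print("SHA-256", fingerprint(der))
```
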
alphadog00, I realize your post is from 2013, but I've been searching for answers to this as well. Why do we need these certificates on our phones? I have 156 on mine, and some of them aren't even in English. Some have the country in the company name, like China, Turkey, and Germany. Some companies have more than one certificate. VeriSign, Inc. has 7, all with different issue dates going back to 1996 but all expiring between 2029 and 2036. A couple of them look sketchy to me, with 'certificate' spelled 'cirtificate', and 'global' spelled 'globel'. They remind me of emails that I get from my dear friend, the widow of a former bank president in Kenya, who needs my help getting her money out of the country. Why do I need 156 trusted credentials from half a dozen countries? How many do I really need? There is a grey item at the bottom of the security page that says “Clear Credentials,” but it’s un-clickable on my phone. Why would that be an option if these certificates are necessary? Would I be safe disabling all the ones from outside of the US and Canada? Are all these certificates taking up space on my phone? What is a ‘fingerprint’? Thanks in advance for any help and advice you can offer me.
27 July 2017. "Turned Off" all but two CAs. Result is could not access Play Store as well as several other sites. One screen stated "No internet connection. Make sure WIFI or cellular data is turned on, then try again." Needless to write, turning off all the CAs has repercussions.
I was helping a friend which I had no idea what was going on until I got there...it's a huge huge ring of I'm not sure what?? Now my phone, my parents' phone, their desktop and laptop are all under attack! I downloaded over 20 antivirus apps and could not allow permissions, nor can I get any recovery codes to any email because it keeps changing the password. Plus I found strange apps just installed, settings changed that were not and all countries in the world chamber of commerce trusted certificates and so much more. I'm pretty sure we are under attack! I would GREATLY APPRECIATE any thoughts or ideas of what I should do to keep our info safe!!!!! Thank You!! P.S. I'm now living every second in fear like her and very scared!

[GUIDE] Using KeePass and Dropbox to manage passwords

I had a situation where a friend's PASSWORD (singular) was hacked. He lost control of his email accounts, facebook, and several other things (luckily not his bank accounts). I wanted to share with you all, in case it is helpful for someone out there, how I manage my passwords in a secure way.
I use KeePass and Dropbox to manage my passwords.
I chose to do it this way because 1) It's free 2) I get multi-platform support 3) I control the encryption without having any other outside company holding the 'key' to my encryption [I'm not that paranoid, but it is an additional benefit worth noting].
I have a KeePass database (my 'password vault' as I call it) with a very strong password. I then have that database file on Dropbox (and in fact, I have the entire KeePass application in Dropbox as well as a Portable app so I can have my configuration settings, etc. synced as well.) This covers syncing my passwords in a secure and encrypted way to my PCs.
Then, I use KeePassDroid on my Android devices. I use DropSync (which acts like the 2-way syncing of the desktop Dropbox app) to sync the 'password vault' to my device. Whenever I update a password and save the password database, it then gets synced to my other PCs and my Android devices. The database is there but encrypted so I just have to enter my strong password each time I need one and then I get access to all of my passwords. On some of my devices that I don't use as regularly for things where I'll need passwords, I just use the Dropbox app to open the password database on an as-needed basis.
One of the nice features of KeePass, which I'm pretty sure some of the others have as well, is the ability to generate a random password for me. I can specify how 'complex' I want it to be, etc and it makes it for me. This way I don't ever have to remember my password and it makes it nearly impossible to guess what the password actually is.
You can also accomplish basically the same setup using Google Drive or Copy.com.
There are other companies out there, like LastPass, mSecure, etc, which offer great products as well (some of which cost money though). This is simply the route I chose to go. Like I said - a little more complex to get set up, but I'm very happy with the setup now that I've done the initial legwork.
The point of all of this is though - KEEP YOURSELF SAFE! Have STRONG passwords and NEVER, NEVER, NEVER use the SAME password for multiple things!
I use the same setup and it works perfectly. Using keys, Oauth and Keepass where possible/appropriate sure simplifies and secures the daily life.
A bit in the wrong forum (it doesn't really have anything to do with this device) though.
Can use keepass2android and skip the dropsync step.
kodochax said:
Can use keepass2android and skip the dropsync step.
Exactly. This is what I've been using for a long time, works perfectly and has built-in Dropbox support.
Stopped reading after the first Dropbox... Nice gift for the US government!
Astagar said:
Stopped reading after the first Dropbox... Nice gift for the US government!
1. I think they will find you out anyway, using Android, iPhone or any hardware, 2. It's pretty well encrypted just use a good key
Good guide. I wish guides like these weren't buried in device specific forums though. this is a general technique that any user can use and deserves more visibility.

Will installing Outlook in Secure Folder prevent IT admin from remote wiping my S8?

I'm currently using my private Note Edge also for work. I'm using Outlook from within KNOX and am under the (possibly false) impression that my company's IT admin won't be able to wipe my entire phone, only the KNOX container. This is obviously a very unlikely scenario, but still one that concerns me enough to use KNOX.
In a couple of weeks my employer will give me an S8, which lacks KNOX. The question is -
will I be able to achieve the same protection against remote wipe if I insist that IT will install Outlook within Secure Folder?
No. Remote wipe wipes everything on the device, especially the secure folder, as in almost all cases that is the most sensitive information on the device which would be the most damaging if attackers got ahold of it.
That's disappointing. Not much of a sandbox if applications can reach outside from within it...
OH! I apologize, I misunderstood your question!
I thought you were asking if data inside secure folder was safe from erasure by factory reset, which the answer is most definitely no. But you have Outlook installed inside the container, and want to know if your device can be factory reset through the Outlook connection via the secure container, correct?
I suppose that would depend on what access you gave Outlook to communicate with the rest of your phone. For example, without administrative access, even a natively installed app can't factory reset. I don't know much about Outlook or exchange, but do you have the exchange account added as an account on your device, or is it just setup inside Outlook?
Yes, I'm talking about Exchange configuration of Outlook installed in Secure Folder. Specifically the screen linked below*. I don't think when I did it in KNOX there were any additional steps required outside the container, but I haven't used Secure Folder yet so don't know how similar it is.
* http://kb.mit.edu/confluence/pages/viewpage.action?pageId=152588344
Edit: should have read original question more carefully.
No idea what will happen, sorry. But ultimately it's their phone.
The question you should be asking is why they'd choose to deliberately disable the only bit of the phone that makes it genuinely valuable for an employer with confidential data stored on it.
Taking a step back, why are you trying to prevent the remote-wipe by the IT folks? Is it that you think they may go rogue? If not, the reason to initiate a remote wipe would be if your device is tagged as lost, etc, right? You did state that they are providing you the new S8, so it is really their phone isn't it? In many companies, if you try to circumvent IT policies, it can be accounted as wilful misconduct and termination of your employment. Is losing your job and paychecks that you get from it worth the risk?
My two cents:
1. Let them do their part the way they want to. If you are allowed and also using the phone for personal use, then have backup mechanisms to backup your "personal" photos, etc (aka in-home wifi sync with MyPhoneExplorer, automatic backups to Samsung Cloud, camera upload to OneDrive, etc.). Make sure any backup/cloud syncs of your personal data are allowed by IT policies, and is only limited to your own personal files (aka excludes company Outlook/Exchange data).
2. See if they have instructions or if they would be OK with using a non-native containerized Exchange client. With those apps, a remote-wipe is received by the containerized app and only wipes the app's encrypted datastore. TouchDown used to be the one to use years ago, but I have heard they got acquired by Norton, it has been put to rest by the new owner. However I suspect there are other apps that may have filled the gap.
It's actually not specific only to remote wipe, but to the extensive permissions my employer has over my phone (see the link I posted below). Even if they provided the phone, I expect them to have control only on what's related to my work, which is basically only work email.
It's similar situation to a company provided car. I wouldn't want my company to install a tracking device and have visibility into where I am at with the car at any time of the day.
In any case, thanks for the notes about backup. I definitely should do more to make sure my files and data are not gone if my phone gets stolen or wiped.
Depends on whether the MDM/EMM thinks your device is Personal or Corporate.
If Personal, you're at risk of an "Enterprise Wipe" (of just corporate content, possibly including corporate contacts/calendar/email).
If Corporate, they can wipe the device, like a factory reset.
Do you know which MDM/EMM is to be used?
Might make more sense to have the corporate content in the Secure Folder.
