  1.    #1  
    My company has been planning to allow WinMo, iPhone, and Pre users access to Exchange EAS for some time.
    It was supposed to happen sometime this week, just checking today I see that as of yesterday the Pre is now Not approved due to a recently discovered security flaw.
    See post #9 down below for why.
    I have done some searching around and can't find anything about this security flaw, anyone else hear of this?
    Hopefully this was at least part of the reason for 1.2's delay and this will be resolved with the next update.
    Last edited by rich_halvorson; 09/25/2009 at 03:22 PM. Reason: added See post #9 down below for why.
  2. JoeSam #2
    1.2 is not delayed because a release date has never been announced.
  3. #3  
    Agreed...never really announced, AND if it's cause of security flaws you better have them take WinMo, iPhone off the list also as they ALL HAVE SECURITY FLAWS.
  4. dave75 #4
    My IT department is waiting to hear if they will be allowed to use Exchange Activesync. They say that management is deciding about the risk vs reward as far as security and productivity. The IT guys say the problem is because it is pretty easy to hack into a smartphone (not specifically the Pre) because there is no firewall. Anybody with some expertise care to share any info on how big a risk this is? Thanks.
  5. #5  
    To the OP, I'd talk to your IT department and see if you can get details, that's the first I've heard of such a thing.

    To dave75, there is a very basic firewall on the Pre, part of setting up SSH is opening a port for it. I'm sure your IT people know about this already, but there are features like PIN support and remote wipe- the former keeps your data secure if someone else uses your device, and the latter lets them erase all of that data if you lose it.
  6. dave75 #6
    I know there are security features with Exchange, like PIN and remote wipe. They seem to be less worried about losing the phone and more worried about somebody hacking in through Sprint's network. No idea if they are being paranoid or not. I really want to use ActiveSync so I'd like to debunk anything that's not true.
  7. DittoBox #7
    My brother is the IT guy (and the one who convinced me to get a Pre) so I had Exchange set up before we had left the parking lot after I got the phone.

    I'm curious why they view devices like the iPhone or Pre as possible security threats. ActiveSync and Exchange Web Services are actually pretty secure protocols. The only possible problem would be remote intrusion on the devices themselves, and somehow getting a hold of log in credentials. If the users on your system aren't all root/admin privileged the worst that could happen here is that they get a hold of anything that user account has access to.

    If I wanted access like that I'd find a way into the complex and just start stealing Post-it notes from people's monitors. One of them is bound to have a password on it.

    Unless they're afraid of corporate espionage, most crackers/hackers go for larger targets that hold databases containing thousands of customer records, financial info etc. Unless your company uses the same login credentials for your CRM and/or bookkeeping software as it does for email/user accounts there's little to be worried about.

    Unless your IT guys are just avoiding the extra hassle of dealing with lots of mobile devices—and the people attached to them. That sounds more likely, but they could at least be honest about needing more man power to deal with mobile device problems.
  8. dave75 #8
    Originally posted by DittoBox:
    The only possible problem would be remote intrusion on the devices themselves, and somehow getting a hold of log in credentials.
    I think that's exactly what they are worried about. Again, I'm not sure how valid the concern is. Intellectual property is how we make money so security is pretty important. If it were up to the IT guys, I'm sure we would have ActiveSync by now, it's not them, it's my boss trying to limit risk. The more you open your network, there's obviously more risk, it's just not clear to me how much easier it is to hack into a phone rather than a laptop.
  9.    #9  
    OK, here is the reason why my Exchange group is currently not allowing the Pre.

    My company and I would guess many others are forcing the use of PINs. My company in addition is forcing non-simple PINs, i.e. you can't use: (1111, 1234, 1221 ....). What I was told was that WebOS currently does not enforce this. They have contacted Palm and they know of the issue but have not given an ETA when this would be fixed. I would hope soon as this seems like it would be an easy fix.
    I was told that my Exchange group was thinking of a workaround of not allowing PINs at all but forcing passwords, but personally I don't think I want to pop my keyboard out or pull up the virtual keyboard and type out a bunch of numbers and characters every three minutes to unlock my phone.
    I'm sure this is true as there is no reason why my exchange group would not allow this if it wasn't.
    But if any of you currently have Exchange access and know that your company doesn't allow 'Simple' PINs, you could try changing your PIN briefly to 1111, and see if you still have access to exchange.

    I wasn't trying to flame about WebOS not being secure, I just want my calendar on my phone. I would guess this should be fixed soon.
    Last edited by rich_halvorson; 09/25/2009 at 03:10 PM.
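
The check that post #9 says the device has to perform, as an added example that is not part of the thread and is neither Palm's nor Exchange's code. The rule set is an assumption inferred from the three PINs quoted in the post (1111, 1234, 1221); `MIN_LENGTH`, `simple_pin_reason` and `audit` are hypothetical names, and the sample PINs are constructed.

```python
from typing import Dict, Iterable, Optional

MIN_LENGTH = 4  # assumed minimum PIN length; a real policy sets its own value


def simple_pin_reason(pin: str) -> Optional[str]:
    """Return why a numeric PIN counts as 'simple', or None if it passes."""
    if not (pin.isascii() and pin.isdigit()):
        raise ValueError("PIN must consist of ASCII digits only")
    if len(pin) < MIN_LENGTH:
        return "too short"
    digits = [int(c) for c in pin]
    if len(set(digits)) == 1:
        return "repeated digit"        # e.g. 1111
    # Differences between neighbouring digits: all +1 or all -1 is a run.
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):
        return "sequential run"        # e.g. 1234, 4321
    if pin == pin[::-1]:
        return "mirrored pattern"      # e.g. 1221
    # A short block repeated to fill the PIN, e.g. 1212 or 123123.
    for size in range(2, len(pin) // 2 + 1):
        if len(pin) % size == 0 and pin == pin[:size] * (len(pin) // size):
            return "repeated block"
    return None


def audit(pins: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each candidate PIN to its rejection reason (None = accepted)."""
    return {p: simple_pin_reason(p) for p in pins}


if __name__ == "__main__":
    # Constructed sample PINs, including the three quoted in the post.
    for pin, reason in audit(["1111", "1234", "1221", "1212", "4829"]).items():
        print(pin, "rejected: " + reason if reason else "accepted")
```

The server only publishes the policy; a device that skips a check like this when the user sets a PIN leaves the rule unenforced, which is the gap the post describes.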
  10. #10  
    I'm also waiting for my IT dept to figure out to what extent they are going to control personal devices, require consent for remote wipe etc. I will not accept a pin lock however.
  11.    #11  
    If you won't accept a PIN lock you'll probably be out of luck. Leave your phone anywhere and you're just inviting anyone to read your corporate email. Granted most email/calendar for most users probably isn't that important and sensitive, but I can't imagine an Exchange group making a policy like that.

    Hopefully in a future update the screen can go off but not lock for 15 minutes or more (the max of whatever the company's Exchange policy is would be nice). My colleague just showed me his iPhone with his new Exchange access. His screen goes dark after a minute or so, but doesn't lock until 15 minutes I believe.

    I found this thread and it looks like PINs of any kind might not be enforced right now:
    Pin Policy on 1.1 not being enforced - Synergy (webOS) - Palm Support Community
  12. #12  
    I am the IT guy at my company and my Pre "syncs" great with GroupWise. I'm just waiting until the end of the year when the native sync engine comes out, but in the meantime I'm using Companionlink. If you don't pay for the full version, once the trial ends it just prevents you from changing settings, but the program keeps working so as long as you don't need to change your password it still works. I also have all of my emails forwarding to the account that I set up for CL, with the automatic reply back to my work address. Makes it look like I'm syncing natively with my work system even though I'm not really syncing. Might not work for everyone, but works great for me.
  13. dr5150 #13
    There are many reasons companies do not allow ActiveSync, or even a personal device to access the company systems.

    I am the Email IT guy for a bank, we currently do not allow ActiveSync or personal devices to connect to our systems. Pre & iPhone are possible candidates for testing, but are far behind the security of the BlackBerry & its multitude of enforceable policies.

    Email contained in the corporate system belongs to the company & can contain private information. The company is responsible for that data.

    Only recently has an Exchange administrator been able to enforce the lock with a PIN & remote wipe capability to many different devices with a reasonable chance of success. (Some devices have been able to do this for quite some time while others have not.)

    Many companies are not prepared for the updates & changes that have to be made to support these features. Others do not have a technical staff competent enough to ensure that the company data remains private & secure.

    Other risks come from the possibility of data loss once the email & any attachments are delivered to a device.

    It is possible, however unlikely, that the computer in a hotel lobby used to charge a device could be infected with malware that could read the email it was charging.

    It is also possible that a user could accidentally forward an email using an unapproved 3rd party email system.

    It is also possible that a confidential document sent via email is saved, unencrypted, to a memory card that is promptly lost or forgotten. (Not an option with a Pre or iPhone, since neither have memory card capability.)
  14. #14  
    This is a CYA mentality. The list of what could possibly happen is endless but in the end the company is also hurting productivity; but productivity is hard to measure.

    People can print, forward emails and use portable storage devices, but IT doesn't want to deal with reality.
  15. dr5150 #15
    I agree in most cases it truly is a CYA mentality, & justifiably so in a lawsuit-happy world.
    In most cases, there is more justification for productivity than security.

    In my case there is a fine balance between CYA, Productivity, those pesky SEC government regulations & jail time to consider.
  16. #16  
    Actually a release date was dropped for the app store, and in order for us to make use of the new app store there has to be an update.
  17. #17  
    Originally posted by beerdini:
    I am the IT guy at my company and my Pre "syncs" great with GroupWise. I'm just waiting until the end of the year when the native sync engine comes out, but in the meantime I'm using Companionlink. If you don't pay for the full version, once the trial ends it just prevents you from changing settings, but the program keeps working so as long as you don't need to change your password it still works. I also have all of my emails forwarding to the account that I set up for CL, with the automatic reply back to my work address. Makes it look like I'm syncing natively with my work system even though I'm not really syncing. Might not work for everyone, but works great for me.
    My company has GroupWise. How are you synchronizing? I know my company doesn't want to support a lot of different phones, but I have some friends in IT, maybe I can convince them to help since it's still a Palm and they previously supported sync of Palm.

    Currently they only support live BlackBerry or RIM.
  18. #18  
    All I know is that they must have added a lot since it leaked out because it's been about a month since that happened.
  19. #19  
    I wonder if they are trying to fix the app storage problem. We are all out of space without an app store already. How it was ever overlooked to begin with is simply wondersome.
  20.    #20  
    Just to update this thread if anyone comes by it. I have been told that this problem wasn't addressed in 1.2. The most I know is that Palm intends to fix this before the end of the year. Looks like no work calendar or email on my phone for a couple more months, from everything else I've read it seems that we're a long way away from a competent EAS Exchange solution.
