mrsyeltzin

One thing I did not like about the Pre was the password timeout of "whenever the screen goes off." I liked having a timeout period on my previous phones - 30 minutes or 1 hour or so. Since I control my exchange server, I had never worried about password policies, but I felt it would be a good way to leverage the forced lock since you can set the password lock interval.

Unfortunately this attempt has pretty much turned into a huge annoyance for me, and this should be a warning to anyone who will now be playing with these policies or attempting to sync to their work exchange servers. Basically this is a halfway complete implementation because of 3 glaring mistakes: 1, you cant set the timeout (its still when the screen turns off) 2, the number of PIN unlock attempts isnt shows (it says "times remaining" without a number), and 3, by far WORST of all, is that once you remove these policies YOU CANT TURN THE PIN UNLOCK OFF. Also, if the policies change (i had turned it on, said screw this PIN stuff, and turned it off) your pre's exchange account is hosed until you remove and reload the account (by deleting the exchange account and readding it). See my notes below for the chronological order of disappointment:

before password policy: sync with Exchange works

enable security policies (enforce PW, inactivity @ 35 min, wipe after 20 fails, refresh policy every 48 hours):
works - PIN enforced (got a notification that i had to set a password so i did)
- does not wait for timeout period on server - instead tries to change the screen timeout to 3 minutes (the max the screen can stay on)
- if you enter an incorrect PIN, the screen says "times remaining." not "x number of times remaining"

disable password policy on server
- does not turn off on pre
- option to turn off PIN not available
- pre warns that exchange account is disabled because security policies dont match
- turning passwords back on and trying to sync (including sending emails, etc) does not work
- have to remove account

reestablish account
- pin removal STILL not an option.
- reboot and no luck

remove account
- reboot and nothing

If you haven't been syncing your Pre with exchange because of security policies, you may want to rethink getting it hooked up tomorrow because of these issues. I'm hoping this gets addressed in an update ASAP, because right now I'm stuck with a PIN every time the screen shuts off - and there's nothing I can do about it. I almost enforced a complicated alphanumeric password - that would have REALLY killed me!

PS - if the security policies change on the server, that may also cause the account to be disabled (because the Pre apparently doesn't handle security policy updates well). But that most likely is pretty static for many organizations.



EDIT: i see that the password enforcing on screen timeout is listed in the official changelog.

mrsyeltzin

As I tried to add the Exchange account for a 3rd time (and 4th and 5th after reboots) it is no longer letting me and instead giving me an error stating "you can only sync to one exchange account that enforces policies" which seems to indicate that the Pre is not letting go of the security policy relationship with that exchange server. I guess that's why the PIN unlock hasn't changed?

UPDATE: I was able to reboot, remove the security policy from the exchange server, and then add the account back succssfully. I still have the PIN lock forced on, but I havent seen the timeout for the screen change from 30 seconds to 3 minutes since the last time I added the account back. I'm going to see if I can enable the security policy on the server once more and leave everything blank (no password policy, no timeout period, etc).

unclegeek

I've been bit by the security policy screen lock bug!! AHHHHH
I've been using the Pre for work EAS access to Outlook since I got the phone, but the company enable security policies this week.. all of a sudden I get the "set a pin" screen when I woke up the phone. I don't want this crap on my Pre forcing me to unlock with a pin, so I deleted the email account assuming the policy would go with it. Nope. I've rebooted, pulled the battery, etc. Still get the screen lock and when I go to the "Screen & Lock" tool the Secure Unlock option is no longer optional.. (the little toggle switch is missing) and all I can do is change the pin #. No way to disable Secure Unlock. Called Sprint, who in turn called Palm, and they want me to do a hard reset.
Crap. I hate that.

scottf624

I just set up the Exchange Security setting on our Server, I wish I would have read this before, all of our users of WM 6.1 it allows Pin entry once every 24 hours, the 3 minutes sucks butt.

latino11

You guys I ****ing hate this issue! I'm with the 3 of you but im not sure about whether or not my company "coincidentally" changed a security setting at the same time i downloaded/this was released???

Could you guys give some input? How do I find out? I looked in my OWA settings for something, but did not see anything relevant?

For now I am about to remove and re add the account....

snafu2dj

I just did the download of the update and installed. As soon as it was done installing, I came back up to my Pre (after walking away for awhile to let it finish) and it now required that I make a password for the secure unlock. It was the first screen I saw and could not do anything else w/o setting a password. It won't let me shut it off at all, so now every single time that the screen goes off, I HAVE to enter an alpha numeric password that I set up (w/o a choice of course). It seems to be irreversible and also seems to be the same or similar issue as in posts above. The main difference is that this was initiated solely by installing the update. Nothing on my work's server end was changed at all. I've been syncing with my work EAS account fine w/o having to use any type of password other that the one I set up in the account settings with the server name, email, and user name when i first added the account to my Pre. The only option I have is to change the password, although it still has to have letters and numbers. This is a major pain and I need some help ASAP! I refuse to deal with a phone where I have to enter some complicated password EVERY SINGLE TIME I pick it up. There is no longer a drop down under "SECURE UNLOCK" in the "Screen & Lock" menu that gives me the option of OFF, SIMPLE PIN, or PASSWORD. It ONLY gives me the option to change the password and that is IT! This really SUCKS!!!

latino11

me too!!!!
****!!!

sushi

Has anyone looked at

/usr/palm/applications/com.palm.app.screenlock/app/controllers/securityconfig-assistant.js

- specifically lines 260-327? I'm not having troubles with the PIN (it's enforced from our company, and frankly, I was surprised I was able to avoid it for this long), but wonder if someone wanted to experiment to see if the EAS could be bypassed by removing the PIN functionality. Additionally, one can auto enter the pin, if you are willing to have the number in clear text, by following these instructions:

Patch WebOS Bypassing Lock Screen - WebOS Internals

mrsyeltzin

This problem is fixed in 1.2. I just downloaded it and was still connected to exchange and have the option to turn off the PIN unlock. Now I dont know if the setting will stay - it may update the next time my phone updates the exchange security policy, but for now, at least we have the option. I've forgotten what settings I had on exchange so I dont know if my policy still enforced the PIN. I'll find out soon.

snafu2dj

Im having the exact opposite results. It was installing 1.2 that initiated the problem for me. Until now, my EAS has been working no problem at all.

And thanks sushi. I'll check that out when I have a few minutes.

mrsyeltzin

Does your exchange server have a PIN policy? If you remove the account, can you take it off? That will be let us know if it's truly fixed. There are too many variables in my current scenario to really tell if it's completely fixed, but I only noticed the option to turn the PIN off after 1.2.

snafu2dj

I have no idea if we have a PIN policy. no one was even available to help me set it up on my phone in the first place. I just figured it out on my own, All I needed was the email address, secure exchange server, (domain left blank), username (first part of email address before the @), and password (email password). Then it just worked and synced everything. No one at my company is available to help. We don't have any real IT support unfortunately.

tsmeltzer

Prior to 1.2, the Pre would not recognize/accept the EAS security policy that forces the PIN lock. So, if your Exchange admin had it turned on, and you had 1.1, you would never see it. With 1.2, WebOS now recognizes the EAS security policy and enforces it. Your Exchange admin didn't change anything. This is something new on the client side.

mrsyeltzin

My Pre recognized it fine on 1.1, see the original post. You are thinking prior to 1.1, I believe.

snafu2dj

So what can I do in my situation???

And just to clarify... It's not a PIN it is asking me for, but rather a password it forced me to set up as soon as the update was done installing and the phone restarted. The drop down options used to be... off, simple PIN, and password (See my post above. My gf has the same phone and hasn't done the update yet, so I was able to see her phone and what it shows). It is not giving me any option now, just stuck specifically on password. And what does having to set up a password for my phone and having to enter that every time I wake my phone from a black screen have to do with my EAS email from work? It isn't asking for anything related to the exchange, just that I enter this stupid alpha numeric password every time I pick up my phone.

mrsyeltzin

Remove the exchange account. The PIN enforcement (or in your case, it sounds like the stronger alphanumeric password) is a requirement of some Exchange security policies. The problem I posted originally in this thread was that the password enforcement never went away - meaning even if you removed the exchange account you would still be bound by the PIN or password policies.

If this really is fixed in 1.2 (like it appears to be on my phone), you should be able to remove the account and the policy will also be removed, allowing you to turn off any passwords to access the device.

I'm not sure why this didn't happen for you with 1.1 (unless you were running a much older code - but that's likely not the case), but either way your Pre is working properly and it is following the policies put in place by your IT department. Alternately, you can make a request (which I can guarantee your IT department will deny) to be entered as an exception to the policy (they can do that on a per user basis) which will remove the PIN, or you can try the hack that others have mentioned.

ChriSeeger

I think we need a tweak to fix this. I dont like entering my pw every time I shuit or sleep my device. Its annoying.

tsmeltzer

Were you running against an Exchange 2010 back end?

mrsyeltzin

No I am not. Exchange 2003. Was the Pre not accepting the PIN enforcement with 2007/2010 deployments in 1.1?

mrsyeltzin

I agree - which is why I wanted to get rid of the PIN policy in the first place, and my phone got stuck on it. I don't know of any other EAS capable device that suffers from locking immediately when the screen times out.