[Q] Set password for certificate in ICS? - General Questions and Answers

I've followed the instructions from the official Google Nexus guide and installed my personal certificate, stored in a pfx file (PKCS#12), on my Google Nexus (ICS 4.0.4). A little problem here is that the certificate is not listed in the "User" tab under "Credentials". It works anyway.
But the big problem, IMHO, is the way Android protects your certificates. It requires the user to set a pattern, PIN, or password to unlock the screen as the only (?) security measure. I'm missing password-protected access to my credentials, like IE does in Windows, for instance, every time your certificate is requested by a site.
Is there a method to enhance the security of your certificates in ICS and set a password that Android requests every time an app attempts to access the certificate?
Thank you
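For context on what actually gates access to that certificate on 4.0: an app cannot read the credential store directly. It has to ask through the KeyChain API, the user picks an alias in a system dialog, and that grant (one app, one alias) is remembered until the credential or the app is removed. The lock-screen credential is what unlocks the keystore's master key at rest; it is not re-entered per use, and nothing in the platform API offers a per-use password. The following is an added example, not code from the original post or from Google's documentation; the host name, port and the bytes being signed are placeholders.

```java
import android.app.Activity;
import android.content.Context;
import android.os.AsyncTask;
import android.security.KeyChain;
import android.security.KeyChainAliasCallback;
import android.security.KeyChainException;
import android.util.Log;

import java.io.UnsupportedEncodingException;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;

/**
 * Added example: how an app on Android 4.0 (API 14) gets at a certificate the
 * user installed through Settings. The access control is the user's one-time,
 * per-app grant of a single alias in the system chooser; there is no per-use
 * password in this API. Host/port and the signed bytes are placeholders.
 */
public class ClientCertDemo {
    private static final String TAG = "ClientCertDemo";

    /** Shows the system chooser; the app learns the alias only if the user grants it. */
    public static void requestClientCert(final Activity activity) {
        KeyChain.choosePrivateKeyAlias(
                activity,
                new KeyChainAliasCallback() {
                    @Override
                    public void alias(String alias) {
                        if (alias == null) {
                            Log.i(TAG, "user cancelled; app holds no grant");
                            return;
                        }
                        signInBackground(activity.getApplicationContext(), alias);
                    }
                },
                new String[] {"RSA"},   // acceptable key types
                null,                   // no issuer filter
                "example.com",          // placeholder: host the certificate is meant for
                443,
                null);                  // no pre-selected alias
    }

    /** getPrivateKey/getCertificateChain block, so they must run off the UI thread. */
    private static void signInBackground(final Context ctx, final String alias) {
        new AsyncTask<Void, Void, byte[]>() {
            @Override
            protected byte[] doInBackground(Void... unused) {
                try {
                    // The PrivateKey is a handle: the key material stays in the keystore
                    // daemon, which the lock-screen credential unlocks once, not per call.
                    PrivateKey key = KeyChain.getPrivateKey(ctx, alias);
                    X509Certificate[] chain = KeyChain.getCertificateChain(ctx, alias);
                    if (key == null || chain == null) {
                        return null;   // grant revoked or credential removed since the chooser ran
                    }
                    Log.i(TAG, "signing as " + chain[0].getSubjectX500Principal());
                    Signature sig = Signature.getInstance("SHA256withRSA");
                    sig.initSign(key);
                    sig.update("placeholder challenge".getBytes("UTF-8"));
                    return sig.sign();
                } catch (KeyChainException | InterruptedException e) {
                    Log.w(TAG, "keychain access failed", e);
                    return null;
                } catch (GeneralSecurityException | UnsupportedEncodingException e) {
                    Log.w(TAG, "signing failed", e);
                    return null;
                }
            }

            @Override
            protected void onPostExecute(byte[] signature) {
                Log.i(TAG, signature == null ? "no signature" : signature.length + "-byte signature");
            }
        }.execute();
    }
}
```

The practical consequence for the question: once an alias has been granted to an app, that app can sign with it whenever the device is unlocked. Revoking means removing the credential (or the app), and the dialog you get per site in IE has no counterpart here.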

Related

Local credentials and activesync with client certificates

Hi.
I want to use ActiveSync on WM5 AKU2.0 with client certificates and locally stored username, password and domain on our devices.
I have not been able to do this so far.
When using client certificates for device authentication and local credentials, synchronisation only works until the first reboot of the device.
When trying to sync after the first reboot, ActiveSync tells me that client certificates are used for authentication instead of username and password.
Does anyone know of a fix or setting that forces the devices to use username and password for authentication even when client certificates are used for device authentication?
Thanks
Best regards
Kalimaro

android alternative to Zenyee StayUnlock?

Hi
Our company Exchange server forces us to use a password, which is kind of annoying. On my Windows Mobile phones I previously used Zenyee StayUnlock 2.0 to prevent the Exchange server from forcing a password on me.
Is there a similar application for Android? If not, is there any way to get rid of the password without having to remove the settings for the Exchange server?
Bump... also interested, for the same reason.
I use this one for my Milestone with Android 2.1: http://forum.xda-developers.com/showthread.php?t=655649 It works well for me but needs root access.
There is also Lockpicker in the Market but that didn't work for me.
Lockpicker works very well with unrooted Legend
Lockpicker worked for me too on the Desire. The only problem now is removing the 20-minute screen-timeout limit that still exists in the system after Lockpicker has removed the lockscreen.

[Q] Exchange Account

Hello,
First-time Android user here. I know people in my company that use Android phones and I was told that anything over 2.1 would work for our Exchange. When I try to set up the account, it tells me that the server requires security features the phone doesn't have. No one at my IT department, TMO support, Samsung Support, or anyone else could get it working. I know it has something to do with the password protection and remote wipe security that my company's Exchange server requires. Can someone help me or will I have to go back to the BlackBerry? I don't want to go back to that berry.
Try installing K9 and see if it works with your company's exchange system.
bsage said: [...]
Touchdown works well with exchange as well (although it's not free). There is a free trial.
I was using Touchdown until Android 2.2 came out; then it started supporting remote wipe.
http://developer.android.com/sdk/android-2.2-highlights.html
Once you setup your phone it should force you to password lock it from the home screen. Don't know what else they would require other than remote wipe in the event you left the company. I need to make sure I use ssl as well.
Could be a problem with the SSL cert
I use exchange with no problems on all my android projects.
I still have not gotten this to work. N1kkI6, that is exactly what i need on this. I would assume that 2.3 would have this if 2.2 has it right?
from the link you provided:
Exchange support
Improved security with the addition of numeric pin or alpha-numeric password options to unlock device. Exchange administrators can enforce password policy across devices.
Remote wipe: Exchange administrators can remotely reset the device to factory defaults to secure data in case device is lost or stolen.
Exchange Calendars are now supported in the Calendar application.
Auto-discovery: you just need to know your user-name and password to easily set up and sync an Exchange account (available for Exchange 2007 and higher).
Global Address Lists look-up is now available in the Email application, enabling users to auto-complete recipient names from the directory.
bsage said: [...]
It should work fine. It could possibly be ssl certificate related, or maybe they don't have ActiveSync enabled on your account.. who knows. What sort of error do you get if any? I use Android on Exchange. Is it Exchange 2003/2007/2010?
PLEASE - HELP TESTING on exchange account - birthday
I know that the Nexus has some small problems using an Exchange account
(birthday, anniversary, etc.).
I would like to fix it, but for that I need YOUR HELP!
I would need to see how the Nexus sends the birthday to the Exchange server.
If someone wants to test an Exchange account, please send me a PM and I will create an Exchange account on my server, so that I can see how the Nexus sends it.
(Maybe you have Skype or ICQ; please add it in the PM.)
Thanks, cu camel

Can't get corporate email after upgrade to Nougat (insists on full disk encryption)

I have a personal Honor 8 device I use to access my company email. They use Duo Mobile software to authenticate before allowing this.
After upgrading to Nougat 7.0, I am unable to access email (using the Outlook app). I get a message saying that I need full disk encryption turned on. I don't see this as an option anywhere in my Settings. I do have a strong password set to be used.
Do I need to enable File Based encryption at this stage? I am trying to do this and do not see the option to convert to File Based encryption even after turning on Developer Options by the way.
Has anybody else run into this issue? Any guidance - I am dead in the water without being able to access my email.
Thx
AK
I remember I had a problem with my e-mail but I'm not 100% certain that it was the same issue. But try to remove all your screen locks including finger print and try again.
Ihaveatattoo said:
I remember I had a problem with my e-mail but I'm not 100% certain that it was the same issue. But try to remove all your screen locks including finger print and try again.
Thanks for the response. However in order to enable Corporate Email, Outlook asks for a password to be in place. Therefore I cannot remove all screen locks.
The problem seems to be that the authenticating software (Duo Mobile) is looking for two things on the device. One is that full disk encryption is explicitly enabled. The other is that the setting to "Require password at Startup" is enabled. Neither of these options are available on the Honor 8. Their support says that encryption is on by default and therefore there is no setting for it.
akatti said: [...]
Further, I looked at turning on the new File Based Encryption that is part of Nougat. There are how-tos that discuss this, where you have to turn on Developer Options to do so. However, on the Honor 8, even after turning on Developer Options, there is no option to "Convert to File Based encryption" available. If you search in Settings, it shows this option, but upon clicking on that option from the Settings search results, it just takes you into Developer Options and there is no setting to enable File Based encryption.
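One concrete reason a third-party "is this device encrypted?" check can fail on a Nougat phone that is encrypted out of the box: DevicePolicyManager.getStorageEncryptionStatus() returns different codes for full-disk encryption with a boot-time credential (ENCRYPTION_STATUS_ACTIVE), full-disk encryption under the default key with no credential required at startup (ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY, added in API 23), and file-based encryption where the keys are tied to the user's credential (ENCRYPTION_STATUS_ACTIVE_PER_USER, added in API 24). An app that only accepts the first code rejects both of the others, which matches the two symptoms described above (the "encryption" complaint and the "require password at startup" complaint) without either being a setting the user can change on a device that already encrypts by default. The following is an added example, not code from Duo Mobile, Outlook, Honor or the original post; whether those apps perform exactly this check, and which code the Honor 8 actually returns, is not stated anywhere in the thread and is an assumption here.

```java
import android.app.admin.DevicePolicyManager;
import android.content.Context;

/**
 * Added example: classifying DevicePolicyManager.getStorageEncryptionStatus().
 * Assumption, not taken from the thread: the failing app treats only
 * ENCRYPTION_STATUS_ACTIVE as "encrypted" (see strictFdeOnly below).
 */
public class EncryptionStatusCheck {

    public enum Verdict {
        NOT_ENCRYPTED,                  // unsupported, inactive, or still activating
        ENCRYPTED_DEFAULT_KEY,          // FDE, but no credential required at boot ("secure startup" off)
        ENCRYPTED_PER_USER,             // file-based encryption: CE storage keyed to the user credential
        ENCRYPTED_WITH_BOOT_CREDENTIAL, // FDE with a boot-time credential: the classic "fully encrypted"
        UNKNOWN                         // a code this client does not recognise: fail closed
    }

    public static Verdict classify(int status) {
        switch (status) {
            case DevicePolicyManager.ENCRYPTION_STATUS_UNSUPPORTED:
            case DevicePolicyManager.ENCRYPTION_STATUS_INACTIVE:
            case DevicePolicyManager.ENCRYPTION_STATUS_ACTIVATING:
                return Verdict.NOT_ENCRYPTED;
            case DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY:   // API 23
                return Verdict.ENCRYPTED_DEFAULT_KEY;
            case DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE_PER_USER:      // API 24
                return Verdict.ENCRYPTED_PER_USER;
            case DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE:
                return Verdict.ENCRYPTED_WITH_BOOT_CREDENTIAL;
            default:
                return Verdict.UNKNOWN;
        }
    }

    /** The narrow test (assumed, see above) that rejects FBE and default-key devices alike. */
    public static boolean strictFdeOnly(int status) {
        return status == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE;
    }

    /** What a policy usually means to ask: is user data at rest protected by the user's credential? */
    public static boolean dataProtectedByCredential(int status) {
        Verdict v = classify(status);
        return v == Verdict.ENCRYPTED_WITH_BOOT_CREDENTIAL || v == Verdict.ENCRYPTED_PER_USER;
    }

    /** Reads the live value; the caller does not need to be a device admin for this query (API 11+). */
    public static Verdict current(Context ctx) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        return classify(dpm.getStorageEncryptionStatus());
    }
}
```

The constants are compile-time ints, so this compiles against any API level; on a device below API 23/24 the newer codes are simply never returned. If you control the checking app, dataProtectedByCredential() is the question you most likely meant to ask. If you do not, knowing which code your phone returns at least tells you what to chase: the default-key case is fixed by turning on secure startup, while the per-user case has no toggle at all, because on file-based encryption the credential is already what the keys are bound to.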
Nvm this, poor reading comprehension on my part
I have no issues using Gmail's Exchange client to connect to my corporate email. It sounds like it's not a Nougat or Android problem, it's a Duo Mobile problem
I had the same problem.
Switched to the app Nine. It is a one-time purchase and its security model is app-wide instead of device-wide.
Have you tried it yet?
Telperion said:
I have no issues using Gmail's Exchange client to connect to my corporate email. It sounds like it's not a Nougat or Android problem, it's a Duo Mobile problem
The company whose email I need to get to has only enabled Outlook as a client - therefore using other email clients (such as the Gmail app) is not an option unfortunately.
akatti said:
The company whose email I need to get to has only enabled Outlook as a client - therefore using other email clients (such as the Gmail app) is not an option unfortunately.
To the best of my knowledge as long as you have the correct server credentials, you can use any client. For example, my credentials:
Server: subdomain.website.com
Domain\Username: test\Telperion
Port: 443
Security type: SSL/TLS
I can connect using Gmail's Exchange client, Outlook for Android, Nine, native Huawei email client, etc. While everyone's setup is different, if you're able to log in using the Outlook client, theoretically there's nothing to prevent you from using the same credentials in a different client.
That was not my experience.
My company's Outlook server is configured to require device-level encryption for mobile devices with complex passwords. On my Nexus 6p, Outlook for Android did not work, with the error that it "did not support the encryption required". Also, I could not use fingerprint authentication on the device, and required an 8-digit unlock code. Not just for Outlook, mind you -- any time I wanted to unlock the phone.
OWA (Outlook Web App) for Android worked fine, but it supports neither push nor notifications, rendering it utterly useless. OWA is, as far as I can tell, just a shell containing an HTML rendering engine that reflows the web app.
The only reason CloudMagic (and potentially Nine) worked for me is that CloudMagic (and I think Nine) have device-level encryption on their server (?). The end-user provides credentials for their server to log in, download the email, and act as an intermediary.
Telperion said: [...]
biogon said: [...]
When adding my corporate exchange email to Gmail, Gmail is activated as a device administrator with permissions to:
Erase all data
Set password rules
Monitor screen-unlock attempts
Lock the screen
Set lock-screen password expiration
Set storage encryption
Disable cameras
I'm not using webmail, I'm using Exchange ActiveSync. Device policy forces me to have a lock screen pin or password, but I can still fingerprint unlock it. It sounds as if your respective Exchange servers aren't configured properly, because all of the security that they're requiring can be mandated through ActiveSync and Gmail's device administration service.
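The "server requires security features the phone doesn't have" error in the Exchange Account thread, the Android 2.2 release notes quoted there, and the device-administrator permission list above are one mechanism seen from three ends. On first sync an Exchange ActiveSync server sends a Provision policy (password rules, lock timeout, wipe after N failed attempts, storage encryption, and so on); the client must acknowledge it with a status and echo the PolicyKey on later requests; and it can only honestly acknowledge what it can enforce locally, which on Android means the device-administrator API (present from 2.2, with the storage-encryption policy added in 3.0). A phone with no way to enforce the policy either reports that or fails to provision, which is what an Android 2.1 user sees. The following is an added example, not code from Android, Gmail or any Exchange client: it parses a policy document (a constructed sample using the MS-ASPROV element names, already decoded from WBXML) and works out the acknowledgement status for three constructed capability sets. The "needs" names and the capability sets are this example's own shorthand.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/**
 * Added example: decide how a client should acknowledge an Exchange ActiveSync
 * provisioning policy given what the device can actually enforce. Element names
 * follow MS-ASPROV; the sample document and the capability sets are constructed
 * for this example, not captured from a real server or device.
 */
public class EasPolicyCheck {

    // Constructed sample of a Provision response after WBXML decoding.
    static final String SAMPLE_POLICY =
        "<Provision xmlns=\"Provision\"><Status>1</Status><Policies><Policy>"
        + "<PolicyType>MS-EAS-Provisioning-WBXML</PolicyType><Status>1</Status>"
        + "<PolicyKey>1307199584</PolicyKey><Data><EASProvisionDoc>"
        + "<DevicePasswordEnabled>1</DevicePasswordEnabled>"
        + "<AlphanumericDevicePasswordRequired>1</AlphanumericDevicePasswordRequired>"
        + "<MinDevicePasswordLength>8</MinDevicePasswordLength>"
        + "<AllowSimpleDevicePassword>0</AllowSimpleDevicePassword>"
        + "<MaxInactivityTimeDeviceLock>900</MaxInactivityTimeDeviceLock>"
        + "<MaxDevicePasswordFailedAttempts>10</MaxDevicePasswordFailedAttempts>"
        + "<RequireDeviceEncryption>1</RequireDeviceEncryption>"
        + "</EASProvisionDoc></Data></Policy></Policies></Provision>";

    // Policy element -> local enforcement the client must have (our own shorthand names).
    static final Map<String, String> NEEDS = new LinkedHashMap<>();
    static {
        NEEDS.put("DevicePasswordEnabled", "password");
        NEEDS.put("AlphanumericDevicePasswordRequired", "password_quality");
        NEEDS.put("MinDevicePasswordLength", "password_quality");
        NEEDS.put("AllowSimpleDevicePassword", "password_quality");   // restricts when 0
        NEEDS.put("MaxInactivityTimeDeviceLock", "lock_timeout");
        NEEDS.put("MaxDevicePasswordFailedAttempts", "wipe");
        NEEDS.put("DevicePasswordExpiration", "password_expiration");
        NEEDS.put("RequireDeviceEncryption", "storage_encryption");
        NEEDS.put("AllowCamera", "disable_camera");                   // restricts when 0
    }

    // Constructed capability sets: 2.1 has no device-admin API; 2.2 follows the quoted
    // release notes (password policy, remote wipe); storage encryption arrived with API 11.
    static final Set<String> ANDROID_2_1 = Collections.emptySet();
    static final Set<String> ANDROID_2_2 = new HashSet<>(Arrays.asList(
        "password", "password_quality", "lock_timeout", "wipe"));
    static final Set<String> ANDROID_3_0_PLUS = new HashSet<>(Arrays.asList(
        "password", "password_quality", "lock_timeout", "wipe",
        "password_expiration", "storage_encryption"));

    /** Acknowledgement status per MS-ASPROV: 1 applied, 2 partially applied, 3 not applied. */
    public static final class Result {
        public final int status;
        public final List<String> unmet;
        Result(int status, List<String> unmet) { this.status = status; this.unmet = unmet; }
        @Override public String toString() { return "status=" + status + " unmet=" + unmet; }
    }

    public static Map<String, String> parsePolicy(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        Document doc = f.newDocumentBuilder().parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList docs = doc.getElementsByTagName("EASProvisionDoc");
        if (docs.getLength() != 1) throw new IllegalArgumentException("expected one EASProvisionDoc");
        Map<String, String> settings = new LinkedHashMap<>();
        NodeList kids = docs.item(0).getChildNodes();
        for (int i = 0; i < kids.getLength(); i++) {
            Node n = kids.item(i);
            if (n.getNodeType() == Node.ELEMENT_NODE) settings.put(n.getNodeName(), n.getTextContent().trim());
        }
        return settings;
    }

    /** "Allow*" elements restrict when 0; everything else restricts when non-zero. */
    static boolean restricts(String element, String value) {
        boolean zero = value.isEmpty() || value.equals("0");
        return element.startsWith("Allow") ? zero : !zero;
    }

    public static Result evaluate(Map<String, String> policy, Set<String> caps) {
        List<String> unmet = new ArrayList<>();
        int required = 0;
        for (Map.Entry<String, String> e : policy.entrySet()) {
            if (!restricts(e.getKey(), e.getValue())) continue;
            required++;
            String need = NEEDS.get(e.getKey());
            if (need == null) unmet.add(e.getKey() + " (unknown to this client; cannot claim enforcement)");
            else if (!caps.contains(need)) unmet.add(e.getKey() + " (needs " + need + ")");
        }
        int status = unmet.isEmpty() ? 1 : (unmet.size() == required ? 3 : 2);
        return new Result(status, unmet);
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> policy = parsePolicy(SAMPLE_POLICY);
        System.out.println("Android 2.1:  " + evaluate(policy, ANDROID_2_1));
        System.out.println("Android 2.2:  " + evaluate(policy, ANDROID_2_2));
        System.out.println("Android 3.0+: " + evaluate(policy, ANDROID_3_0_PLUS));
    }
}
```

By construction the 2.1 set meets nothing in the sample, the 2.2 set meets everything except RequireDeviceEncryption, and the 3.0+ set meets all of it. Two design choices worth keeping: an element the client does not recognise counts as unmet rather than being silently accepted, because a status of 1 is a claim to the server that the policy is in force; and the check stops at what the device can enforce, since the server, not the client, decides whether a status 2 or 3 device is allowed to sync, which is also why "IT doesn't support Android" usually means a server-side allow/block rule rather than a client limitation.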
Telperion said:
It sounds as if your respective Exchange servers aren't configured properly, because all of the security that they're requiring can be mandated through ActiveSync and Gmail's device administration service.
Is Exchange ActiveSync different from Office 365's Exchange?
When I asked IT about local ActiveSync, they said that they don't support it, just Office 365 on Shibboleth.
Then again, I couldn't get a Chromebook to connect to the WiFi network here due to some misconfiguration in their Cisco router's PEAP setup, so I wouldn't be surprised.
biogon said:
Is Exchange ActiveSync different from Office 365's Exchange?
When I asked IT about local ActiveSync, they said that they don't support it, just Office 365 on Shibboleth.
Different back end, same capabilities. Exchange ActiveSync is a site-hosted server, Office 365 is a cloud-hosted version. On a local Exchange server, your IT department will have set up a local domain and you will have a user account in Active Directory (domain\Telperion). In Office 365, your user account is your email address ([email protected]) and there is no domain mapped that you have to configure. Once you know this, you can piece together the way to configure it.
The biggest challenge is that IT typically won't mess around with supporting mobile device configuration ("I don't know Android"), and Microsoft tutorials don't give clear instructions ("I don't know Android"). Android tutorials say "I don't know Microsoft" so you end up having to piece things together from multiple sources online.
See attached tutorial, it's very easy once you know what to do.
Add new account from device Accounts menu
Choose 'Exchange' with the Gmail logo
Enter your corporate email address, don't hit next, hit "Manual Setup"
Choose 'Exchange' as the account type
Make sure your email is entered in "domain\username" field
Enter password
Server for Office 365 is "outlook.office365.com"
Port 443
Set security to "SSL/TLS"
From there it should handle all the rest of the configuration.
biogon said: [...]
Thanks. Tried Nine. Works the same way as Outlook so far. In other words, setting its policy to only apply to the app doesn't make a difference in how Duo Mobile (the two factor authentication checker) continues to insist the device be encrypted and have the setting "Require password on startup" be turned on.
Telperion said: [...]
Thanks for the detailed message. Tried the above.
When I left the server be the default server name (derived from my email address), I got a "Certificate is not valid" error. I had "None" as the certificate.
After I changed the server name to be outlook.office365.com as mentioned in your instructions above, I now get a "Can't connect to server" message.
I did recheck my steps. Not sure why Gmail fails to connect. Any suggestions on where to look?
akatti said: [...]
Those instructions are for Office 365, it sounds like yours is hosted.
Telperion said:
Those instructions are for Office 365, it sounds like yours is hosted.
I checked the settings for Outlook Web on my PC and it is an Office 365 account. I updated my Gmail settings to match (Server: outlook.office365.com, Port: 993 and Security: SSL/TLS, although on the PC it was just TLS). I get a message saying "Couldn't open connection to server".

Samsung Stock Email App, S/MIME Certificates

I have a Comodo Personal email certificate, which I use for signing and encrypting emails using the S/MIME protocol, over MS Exchange.
The Samsung stock Email application supposedly allows the use of such certificates natively. However I am running into problems when I attempt to install my key.
I'm using a PFX file exported from Windows Certificate Manager. When I generate the file using the standard wizard, I have the option of exporting my key and user certificate either with or without the other certificates in the chain of trust.
The complete certificate chain, by the way, is as follows: Private key/Personal Cert --> Intermediate CA (Comodo RSA Client Authentication and Secure Email CA) --> Root CA (COMODO RSA Certification Authority, included in default store)
When I omit the other certificates in the signing chain when exporting, the PFX just installs my key and my user cert in credential storage. But then every time I use it to sign or encrypt something in the Email app, I get a nag from the Email app warning me that it could not validate my credentials. That is, the Samsung Email app is unable to verify my cert's trust unless the intermediate CA is provided to it.
But frustratingly, when I export the PFX file so that it includes the intermediate CAs in the chain and install it, Android places the intermediate CA in the User folder in the keystore, and treats it as a root CA. That is to say, instead of inheriting trust from the COMODO RSA Certification Authority (which is in the default keystore), Android assigns trust to the intermediate CA *explicitly*. And so, despite the fact it's a valid certificate signed by a trusted root authority in the default keystore, Android gives me nearly constant nags about my phone being "monitored by a 3rd party" until I delete the intermediate CA from User Trust. Which, of course, breaks the Samsung Email app's ability to verify the certificate chain and yields a nag every time I send an email.
Anyone else encounter this issue/know of a solution?
Bump.
I've scoured the internet for months and I cannot find a single thread anywhere on exactly this issue. It's a pretty straightforward question, I think. So I'm surprised I can't find any insights anywhere.
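The two symptoms above come from what the PFX contains and how the phone's installer treats it: a PKCS#12 that carries only key plus leaf gives the mail client nothing to build a path from, while every CA certificate the installer finds in the file goes into the user trust store as its own anchor, and a user-added anchor is a full trust anchor for TLS as well, which is exactly what the "network may be monitored" warning exists to flag. Before importing, it is worth seeing what the file actually carries and whether the key's chain validates to a root the platform already ships. The following is an added example in plain JDK code, not Samsung's, Android's or the original poster's; it reads a PFX from a path you supply, assumes the JDK's default trust store holds the same public root the phone has, and prints each entry's role in the chain.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (plain JDK, not Samsung's or Android's code): list what a PFX
 * carries and whether the key's chain validates to a root the JDK already
 * trusts, before handing the file to a phone.
 * Usage: java PfxChainCheck my-smime.pfx 'export-password'
 */
public class PfxChainCheck {

    /** Trust anchors from the JDK's default trust store (assumed to contain the same public root as the phone). */
    static Set<TrustAnchor> platformAnchors() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    anchors.add(new TrustAnchor(c, null));
                }
            }
        }
        return anchors;
    }

    static boolean selfSigned(X509Certificate c) {
        return c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
    }

    /** PKIX validation of leaf..intermediates; a self-signed root at the end is dropped, it must come from the anchors. */
    static String validate(List<X509Certificate> chain, Set<TrustAnchor> anchors) {
        List<X509Certificate> path = new ArrayList<>(chain);
        if (path.size() > 1 && selfSigned(path.get(path.size() - 1))) path.remove(path.size() - 1);
        try {
            CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(path);
            PKIXParameters params = new PKIXParameters(anchors);
            params.setRevocationEnabled(false);   // offline check; revocation is checked at use time
            CertPathValidator.getInstance("PKIX").validate(cp, params);
            return "OK";
        } catch (CertPathValidatorException e) {
            return "FAIL at index " + e.getIndex() + ": " + e.getMessage();
        } catch (GeneralSecurityException e) {
            return "FAIL: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) { System.err.println("usage: PfxChainCheck file.pfx password"); System.exit(2); }
        KeyStore pfx = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) { pfx.load(in, args[1].toCharArray()); }
        Set<TrustAnchor> anchors = platformAnchors();

        for (String alias : Collections.list(pfx.aliases())) {
            if (!pfx.isKeyEntry(alias)) {
                // A bare certificate entry: a phone installer treats this as a CA to add, not as your identity.
                X509Certificate c = (X509Certificate) pfx.getCertificate(alias);
                System.out.println("cert-only entry '" + alias + "': " + c.getSubjectX500Principal());
                continue;
            }
            List<X509Certificate> chain = new ArrayList<>();
            for (Certificate c : pfx.getCertificateChain(alias)) chain.add((X509Certificate) c);
            System.out.println("key entry '" + alias + "', chain of " + chain.size() + ":");
            for (int i = 0; i < chain.size(); i++) {
                X509Certificate c = chain.get(i);
                String role = i == 0 ? "leaf" : selfSigned(c) ? "root (self-signed)" : "intermediate";
                System.out.println("  [" + i + "] " + role + ": " + c.getSubjectX500Principal()
                    + (c.getBasicConstraints() >= 0 ? "  (CA=true)" : ""));
            }
            System.out.println("  validates to a platform root: " + validate(chain, anchors));
        }
    }
}
```

A chain of one means the intermediate was left out of the export, and validation fails for the same reason the Email app complains. If the listing shows leaf, intermediate and root, the root is redundant (the phone already has it) and the installer will still offer every CA certificate in the file to the user trust store. Export with the intermediate and without the root, confirm the path validates here, and go into the import knowing that the intermediate will land in the user store as an anchor either way; the one-time warning is the platform telling you that, and it is doing its job.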
