I wanted to use my brand spanking new One Plus 6 for access to work email. To do this, I had to go through a setup process through which I get access to my employer's enterprise G-Suite. As part of this process, I had to;
Download mobileron and register my details with our BYOD server
Mobileiron installs the various work versions of G-Suite as well as the digital certificates I need
To finish, I have to create a VPN, using Pulse Secure, as it sets up the initial handshake with my office network
Once the VPN handshake has completed, I use Gmail to select my work email address and hey presto.
However, when I get to the VPN bit, I receive the message "Pulse Secure needs to initialize its access to Android's Credential Storage. To proceed, please allow the selected certificate on the next screen."
When I click on "OK", something tries to load and then craps out. Are there any known issues with OP6 restricting access to the Certificate Store? Any help would be much appreciated. For further info, the exact same process works for my Pixel C. Looking about the only difference I can see is the Kernel used by OP6 (Ubuntu) and Pixel C and I am wondering if the certificate stores for each are in different locations.
Any help/insight much appreciated as it's ruining an otherwise great phone.
Related
Anybody could please give me an advice about this strange issue we have with Android in our company recently?
Our configuration for Exchange worked for months perfectly on our Galaxy Tab and then on Galaxy Note with the new Exchange 2010 server and very recently probably the company IT installed a service pack or restricted the security policies.
The crazy result is that the standard mail client for Exchange on Galaxy Note (the same on the Tab) can connect and sync only if connected with the company WiFi
When connected through 3G or public WiFi they cannot connect to the Exchange server anymore! "Impossible to connect to the server" is the temporary message displayed by the device.
I tryed using the Aventail Connect client for Android (trying to simulate to be connected to the company network) but it doesn't work anyway
Connecting in the office makes the Exchange connection and sync (mail, calendar, contacts) working again!
I cannot ask our IT Department because in our company Android is not yet officially accepted neither supported and being a large company they could not make any exception and they would not listen to me, worst would claim to HR I'm not compliant with the company policies!!!!
Any advice?? Many thanks!
Best way is to befriend an IT person at your company & bribe them. That's what I tell to new hires when I'm introduced as their local IT support. While this doesn't fix your issue but it will be very helpful down the road.
RMXO said:
Best way is to befriend an IT person at your company & bribe them. That's what I tell to new hires when I'm introduced as their local IT support. While this doesn't fix your issue but it will be very helpful down the road.
Click to expand...
Click to collapse
My friend, these are wise words!
At the same time the HQ of our company is in the U.S. (with very rigid policies) and I am in Italy with difficulties in dealing in person with them... so I'm afraid that without a good hint from some guys here I cannot sort out my issue!
I can't search xda just now but in the SGSII forum there is an email app with exchange security disabled
You could try installing it. Hopefully it will display correctly on the Note.
Sent from my TITAN X310e using XDA Windows Phone 7 App
I have try it it works good, only some box and txt a little smaller on some place and not the "extended" landscape view that the note has, but works good. (also with the email widget)
the original thread
http://forum.xda-developers.com/showthread.php?t=1117452
have try the apk itself not yet try to apply the patch to our apk
jayGGjay said:
I have try it it works good, only some box and txt a little smaller on some place and not the "extended" landscape view that the note has, but works good. (also with the email widget)
the original thread
http://forum.xda-developers.com/showthread.php?t=1117452
have try the apk itself not yet try to apply the patch to our apk
Click to expand...
Click to collapse
Thanks nobnut and jayGGjay for your advice.
I don't think this could be my solution, simply because
1) to me is the access to the Exchange server that is not working, instead the modified client has "simply" the ability to skip the pin request, a typical client implication, not server wise
2) calendar and contacts are impacted by the same issue: they are not synchronized if I'm not on the local company WiFi! So even if I would sort out the mail, I would not be in sync with the rest of the Exchange resources
Basically the fact that all the Exchange/Outlook suite does not work makes me understand that this is not a matter of the mail.apk! Under the company WiFi all the suite is working perfectly, so I guess it's something related to the Exchange common access.
If it would be simple to try the alternative mail.apk I would give anyway a try, but it's complex and I'm not sure it's clear to me how to revert the patch if it is not working at 90% probabilities, ad I described above
Nobody knows Aventail Connect or NextExtender? I guess my solution would be there, having the stock mail.apk (and the rest of the suite) working under a VPN, so that Exchange server feels as it is working under the company WiFi
But, as I sayed, I cannot have NetExtender connected nor having mail.apk working through Aventail Connect (that works, "per se")
jayGGjay said:
I have try it it works good, only some box and txt a little smaller on some place and not the "extended" landscape view that the note has, but works good. (also with the email widget)
the original thread
http://forum.xda-developers.com/showthread.php?t=1117452
have try the apk itself not yet try to apply the patch to our apk
Click to expand...
Click to collapse
I have read and read again the thread and apparently it says this patch override all the security limitations vs Exchange, so it might make sense having a check, even if unfortunately the application seems to not become identical in terms of user interface....
anyway, if I would like to check it, does it mean that:
1) the patch has to be executed on a windows pc having the rooted Galaxy Note connected to it?
2) I guess the "restore.backup.cmd" should be one to revert the patch if not working, correct?
3) what the "QR Code" function is? Is that for a sort of signature to be created? If so, how should I apply that?
Sorry for the trivial questions, but I have not experiences in applying patches!
OK, some feedback
The patch itself did not work on my pc ( I am root and the patch give error "whoami suid 0") or somethings, so I have done it by hands (smali,Notepad++ basmali, and replace de classes.dex file) BUT IT DOES NOT WORKS with the note apk for some reason (have apply the 2 methods of security patch:
http://forum.xda-developers.com/showthread.php?p=14577188#post14577188
and
http://forum.xda-developers.com/showthread.php?t=1185749
The only time it has been working was if I replace my email.apk with this one from SGSII:
"Email.apk-SGS2-v2.3.5.exchange-policy-patch.zip"
Have a look for it.
But I seems that with the standard apk:
- even when configure in IMAP some policies still apply so no GO with some exchange server
- Your company (if no other imap client like thunderbird), has closed outside access to IMAP (only when you are connacted in the LAN or WIFI, it could works).
So 1st things is to know if imap works outside with some IMAP client wihout VPN, else no way it will works for your note wihout a VPN.
BTW: QR code is just a code that our phone can "capture/read" with info inside (a url or some contacts infos or such) in this case probably a DL link , You can read it with barcode scanner or shopsavvy or such free from market, so once you have one QR code reader in your phone you can just point it to the QRCode (your screen) and dl/open the link directly in your mobile (no need to send or connect a cable to transfert the apk in your phone)
EDIT: The patch 1.1 is workings but the is still missing stuff because even if it apply correctly now I still does not have my exchange server serving any email even in IMAP so .... The only way for now is to use the "Email.apk-SGS2-v2.3.5.exchange-policy-patch.zip"
jayGGjay said:
EDIT: The patch 1.1 is workings but the is still missing stuff because even if it apply correctly now I still does not have my exchange server serving any email even in IMAP so .... The only way for now is to use the "Email.apk-SGS2-v2.3.5.exchange-policy-patch.zip"
Click to expand...
Click to collapse
Thanks a lot for tests and your feedbacks!
Should I have a try with this version of the apk on my Note, what would be the process to install it? Should I use CWM? I have not yet installed it but I might do that, having rooted the phone and installed Mobile Odin, so I may have CWM
But sorry, I never used CWM to flash an apk part of the system!
And what about the reverse to the stock version if this doesn't work? Should I flash again all the stock firmware to get back a "clean" installation or could I back-up the official mail.apk and re-install it if this doesn't work in my case?
Last but not least, if you have tryed it on a Galaxy Note: how different is in terms of graphics and user interface this SGS2 version of the mail apk?
MANY THANKS!!
In addition to the tests on the the mail.apk, is anybody here expert about VPN in order to try with Aventail Connect or NetExtender to bypass the problem and so simulate the office WiFi environment?
As I said Aventail client connects with my company server but the mail doesn't pass thorugh it (how to correlate the two applications??) and NetExtender cannot connect
Any experience here?? Many thanks!
So 1st things is to know is, if IMAP clients (like Tunderbird or Outlook or such from your computer at home for ex.) works outside without VPN, else no way it will works for your note without a VPN once you are outside your Office WIFI. (Your office have probably block outside access to the server)
For the SGS II email.apk, not sure which thread it was ... Find it a few weeks ago here on xda.
But I have attach it here some you and other can use it/have a look if needed.
To install, here are just 2 ways to do it :
A) use a soft like RootExplorer or Root Browser (free and from an xda user) to:
1. go to /system/app/ and mount r/w
2. Backup Email.apk - Rename it to Email.apkBAK
3. Copy the Email.apk attached to the /system/app
4. VERIFY PERMISSIONS (DUPLICATE THE SAME AS ORIGINAL)
5. Mount system r/o
OPTIONNAL DEPEND ON WICH KIND OF APK REPLACE
6. Reboot and clear cache
7. Clear Dalvik-cache in case 6. was not enough
If any thing happens or you want to you can rename to SGS Email.apk to Email.apkSGS and put back your original Email.apkBak to Email.apk
B) with adb through a shell with command line and usb mode debug enable from your computer .... But if you have to ask your are better with A)
Good luck
jayGGjay said:
So 1st things is to know is, if IMAP clients (like Tunderbird or Outlook or such from your computer at home for ex.) works outside without VPN, else no way it will works for your note without a VPN once you are outside your Office WIFI. (Your office have probably block outside access to the server)
Click to expand...
Click to collapse
Well the strange thing is that using an i-Phone/i-Pad or my old Windows Mobile 6.5 we can still access the Exchange Server outside the office net! Both of them use the Activesync protocol.
I don't understand why you talk of IMAP client, because Outlook does not use IMAP with Exchange, as far as I know, and instead uses a Microsoft proprietary protocol.
From a mobile device, the protocol used is Activesync, quite different by IMAP and strange thing is that, I repeat, the i-OS and Windows Mobile versions are working perfectly also outside the office WiFi.
So apparently Android does not implement the same type of Activesync security profile that i-OS implements. My bypass (to avoid to change the mail.apk) was to use a VPN, but I couldn't take to work properly the ones I tested, mentioned above (Aventail Connect and NetExtender). Don't you know how to configure those? If we knew, I guess I could avoid changing the mail.apk
OK, you can connect to exchange server a few different ways, ActiveSync or IMAP ... , here the issue, with exchange with both IMAP or ActiveSync, exchange enforce security policies from your devices. Android has been at first a bite behind with those proprietary things of MS (that why IT did not "support" officially android for email at first). In recent device/android wanting to be able to say they are corporate phone, they have enforce and verify if your devices comply (for ex.: it will only works outside if your device as a PIN/Password unlock compliant with your password security from what they have enforce, and/or if they can remotly wipe the device or such).
And if Win Mobile and I-OS (works now, at one time it wasn't), if for Win it is a windows product so if their proprietary Win could not handle their proprietary exchange protocole and things .... Anyway try the SGS II apk posted and see if it works first. My old exchange 2003 server that is only open for outside access without VPN for IMAP is also enforcing thoses security (with my other/old android Motora Milestone is was OK with Note stock KO)
BTW: Outlook can connect to email server through Exchange, IMAP or POP - just like our phone (depending what have been enable/open in the server side)
Back in my Blackberry BES Admin days we used to be able to enter & store Wifi profile information in BES and push it to the device. I for the life of me cannot find anything similar in Android or an app that claims to be able to do this. I realize there is an ability to backup your wifi networks entered on the device with El Goog but there's mixed reports of this working and I have personal mixed experiences with it working.
In short is there a way for me to populate a doc or program with the SSID and WPA2 passwords of 50+ networks and push it to the device? I'd even settle for knowing the exact method of putting it in a doc and dropping it into a system folder on the Android device... although the push management of this would be preferable.
Thoughts? Feelings? Anyone want to reminisce about BES features?
I too am looking for this as well.
WTS
As a stopgap in the meantime try using WTS, Citrix, Logmein or Teamview to get to your desktop. Logmein works great. I'm able to perform all my remote admin tasks anywhere.
Has any tried setting up the Email app on the N5? I'm getting getting "You don't have permission to sync with your server." error mgs. I have set up hundreds of these including my own Exchange account. I have looked on the Exchange server and security is all good. Hell, I can connect just fine with my Nexus 4 or any other phone. Thoughts? THX
Works for me.
Worked out of the box for me on exchange 2010. Maybe your setup is not set to allow the nexus 5. Check your activesync device policy.
Weird! Anyway, I got it to work. I ended up removing all devices associated with my account. The Exchange 2010 Server can allow 10 user device agents and I only had 4 devices linked. Technically, I should be able to add new devices without issues without removing old user agents. Maybe in this case, the server got confused or something... lol.
The Nexus 5 isn't encrypted, are you guys really allowed to connect unencrypted devices to corporate email?
That's blocked here.
I use touchdown which stores corporate email in an encrypted container.
"The Nexus 5 isn't encrypted"
I disagree with this. Android OS does have some level of basic encryption. I recalled that it was implemented back in the Gingerbread days. The argument is not whether it's effective or not, but some sort of "encryption" does exist in the Android platform.
By default it's not encrypted, but there is an option in Security section to encrypt your device.
xxxman999 said:
"The Nexus 5 isn't encrypted"
I disagree with this. Android OS does have some level of basic encryption. I recalled that it was implemented back in the Gingerbread days. The argument is not whether it's effective or not, but some sort of "encryption" does exist in the Android platform.
Click to expand...
Click to collapse
It's not hardware level encryption that's always on, and on by default like with blackberry or iPhones though.
It's a software based option that 99.999% of people have turned off.
.
Hello!
I just tried checking what URLs Amazon access to download software updates by a Firewall, and, ecstatic that my router supports HTTPS request blocking, I experimented them, one by one, on one of my older 3rd Gen devices.
What you need :-
1. A still bootable Fire tablet,
2. A way to get into your router's settings,
3. Username and password of your router;
(This is usually found on your router's packaging, or sticked into its side, if you can't get it, try continuing because some old routers don't ask for passwords, and if it asks for passwords try contacting the provider for help.)
4. Default Gateway address or a PC connected to router to get it.
5. Common sense of course
First step-
(Skip this if you know your default gateway address.)
Open up a command prompt and type 'ipconfig' and enter, and look for Default Gateway Address, and copy what's in front of it.)
Second step-
Open a web browser and type http://y.o.u.r.g.a.t.e.w.a.y, of course replace with what you copied, but keeping http://.
Third step-
You should see a prompt asking you for password, if not skip this, it may ask you later. Just input your password and username to proceed.
Fourth step-
This is the step that requires common sense. You will have to determine where's the setting that allows you to block domains. For me, it was on Security=>Domain name filter. As some suggestions look for Parental Controls, Blacklist, Security, Firewall, domain name filter, Webpage blacklist, etc.
Fifth step-
You can block the two below to stop downloading amazon updates for good, I tested this on my HD 8 (2017),
amzdigital-a.akamaihd.net
amzdigitaldownloads.edgesuite.net
(Note that the tablet will still determine if a software update is available, but it will fail to download it. If you want to stop checking for software updates, I think that the two below will do,
softwareupdates.amazon.com
updates.amazon.com)
Sixth step-
Remember to apply the settings of course, and then quit the router settings, and try visiting one of the sites above. If it stucks on loading then you are successful, if it shows something as Forbidden or Error then your router probably doesn't support HTTPS blocking.
YOU ARE DONE!
Note-
I tried this on my HD 8, with a freshly flashed stock ROM, and left it connected overnight, just I saw that 'Your device has not yet checked for updates.'
Please remember that if you connect this to an another network, updates will normally download. This is not device specific, just router specific.
I hope that you found this useful!
Thanks!
Just wanted to drop a note here that I blocked those domains using a Pi-Hole (locally hosted DNS-based blocker) but I was still updated yesterday to 5.6.1.0. Perhaps Amazon bypasses the connection's DNS and uses its own? I've now added the blocked domains to my router as well, so fingers crossed I suppose.
Vague Rant said:
Just wanted to drop a note here that I blocked those domains using a Pi-Hole (locally hosted DNS-based blocker) but I was still updated yesterday to 5.6.1.0. Perhaps Amazon bypasses the connection's DNS and uses its own? I've now added the blocked domains to my router as well, so fingers crossed I suppose.
Click to expand...
Click to collapse
Strange. I blocked the URLs above in the router the day I made the thread, and my device is not checked for updates ever since. It may be an issue in your blocker, maybe Amazon bypasses the connection's DNS. Good Luck, since you blocked in router now? :good:
Basically there's two things I'm trying to accomplish. The first thing is to be able to SAFELY access my pc when I'm not at home. The second is to be able to log onto my local network from the outside world and make it look as if the traffic originates from there.
At home on my local wifi I often access my PC using Remote Desktop. I'd like to safely be able to do the same thing from a phone or external PC. I'm under the impression that the best way to do this was with a VPN but the precise what and how eludes me. My best current guess is to setup a VPN Server on my wifi router but does that mean any generic VPN software I install on my phone can get through? I'm really just guessing but possibly this will accomplish both things I'm trying to do.
Additionally I could also setup a VPN Client on the wifi router which would provide VPN protection to any device logged onto my lan without having to install anything on every tablet in my household.
Added to this is that I've used Kaspersky antivirus for over 20 years on my pc's and VPN just became free with the package so I've used the 3 licenses I get on my PC and my and my wife's phones. Hopefully I can use my Kaspersky VPN to access the DDNS that I got free from ASUS to complete the circle.
It should be clear from this discussion that I'm grasping at straws, I've googled a bunch of confusing and potentially conflicting information along with everybody and his brother that wants to sell something VPN related.
I'm also posting this on the Windows 10 Help forum as here and there is where I get most of my technical advice.
Look inside here:
How to Build Your Own VPN (and Why You Might Want to)
Ever thought of creating a VPN from scratch but didn't know where to start? Get answers to all your questions in this comprehensive guide.
vpnoverview.com
As far as I know, there are many models of home router with built-in VPN server capabilities. Check your router's manual at first.
James_Watson said:
As far as I know, there are many models of home router with built-in VPN server capabilities. Check your router's manual at first.
Click to expand...
Click to collapse
I'm goimg forward on the basis that all I need to do what I want is the Router's built-in server, along with an Asus provided DDNS, to allow VPN connection from my outside devices and the Router's built-in VPN Client to give VPN protection to all devices within my local wifi. I bought the router with this capability in mind as well as speed improvements over my old router. It's the Asus RT-AC86U router and it "should" do the above as well as allow externally connected devices to act as if originating from my home system.
It may take me a bit to do this but I'll report back once I have an answer.
jwoegerbauer said:
Look inside here:
How to Build Your Own VPN (and Why You Might Want to)
Ever thought of creating a VPN from scratch but didn't know where to start? Get answers to all your questions in this comprehensive guide.
vpnoverview.com
Click to expand...
Click to collapse
Thanks for the response. I looked at a number of how to guides, the one I'm going forward with is how-to-easily-access-your-home-network-from-anywhere.
I have an issue with setting up the VPN Server Client on my router (Asus RT-AC86U) that I have a service call in with Asus for, so the VPN Client side is on hold for a bit.
I was able to successfully configure the VPN Server (at least the OpenVPN protocol section) and setup a DDNS. From what I read this should be sufficient to allow an external device to login to my home system but I've seen no guide that describes this final step.
Do I simply use Remote Desktop on the external device to logon to my PC through the DDNS while the VPN (in OpenVPN protocol in this case) is enabled?
That would mostly work but what I really would like would be for the external device appear to be on my local wifi and not on the local PC itself. How do I do that?
Can anyone point me in the correct direction?
I did just find another piece of information the may apply here. In one of the guides I read the following:
"save the OpenVPN configuration file which will be used by the remote device to access your router."
There was a client.ovpn file generated during the router's VPN Server setup. The above sentance implies that I need to somehow get the VPN software on the external device to use this file and then I'll be able to logon to my home system. Can anyone shed more light on this?
*** Update ***
I was able to setup the OpenVPN Server on my ASUS RT-AC86U router and it does allow me to safely access my home LAN from anywhere. I can login to my home router's user interface and use Remote Desktop to login to my PC. Also since the VPN changes my IP address to that of my home system everything works as it would if I was actually there.
The one thing I haven't been able to do is access my pc's shared drive.
Anyone have any clue how to fix that?
Finally I also tried to setup the VPN Client on the router to access the VPN Server. ASUS said you should be able to do that but it results in an IP conflict that their tech support hasn't yet solved.
The benefit of using the router's VPN client is that any device on my local wifi is automatically protected by a VPN without installing anything on the device. The point is somewhat moot since all each device needs is a free app and the config file created by the VPN Server.
I did look at setting up a VPN Server on my Win 10 PC, but it looked like too much work and too much chance of messing something up, to attempt.