Tuesday, February 3, 2015

Corporate Security, Nexus 6, And Some Random Non-Beer Thoughts

I connected my Nexus 6 to my corporate account. I need my calendar, and sometimes email. Naturally, we've got security policies, but Lollipop being what it is, the Nexus 6 hits the requirements out of the gate. Things are going fine for maybe a week, and suddenly Monday morning I've got an alert telling me I need a security update. I read the alert. Alert says I need to encrypt my phone. Don't you know what kind of phone this is, you dumbass alert? Without rooting, this phone does not come in an unencrypted flavor.

I gave the alert the benefit of the doubt, and clicked the "encrypt phone" button, but of course nothing really happened because this phone is encrypted. After doing a little research I found some issues with similar descriptions with a resolution of factory reset. Well, since Lollipop provides a really cool backup/restoration feature I only had maybe 20 minutes to lose by doing a reset, so I went for it. Restore, done, Exchange account configured again, things are going fine...for about an hour...and suddenly our security alert is back requesting to encrypt my phone. I poked around for a while, removed the Exchange account, recreated the Exchange account, repeat a few times, and no joy. The network doesn't seem to recognize the encryption. 

A while later, after calling the helpdesk to see if they knew anything, I gave in and did another factory reset. Same as before except that after a few delete/recreate the Exchange account cycles I suddenly got a different message. Instead of claiming I had to encrypt an encrypted phone the message stated that I had to enable "PIN required to start the phone." I followed the steps there to (re)enable the "PIN required to start the phone" setting, realizing that this was the initial setting, but apparently something shut it off. I entered a new PIN, and got one more interesting bit of information. As a quick aside, I use a tool called PasswordBox to track some of my personal passwords. If you're unfamiliar with it, it has a feature allowing auto-login to websites and, when used on a phone, apps. Anyway, the interesting bit of information - an alert telling me that by requiring "PIN required to start the phone" some features like PasswordBox auto-login may not be available. 

At this point I'm just guessing, but there is a very strong indication that enabling PasswordBox auto-login may very well turn off the "PIN required to start the phone" feature. This didn't happen on my G2, and it took about a week to manifest on my Nexus 6, which leads me to believe there may be something else in the mix around this issue, but there it is. Encryption and a PIN are not quite sufficient to comply with my corporate security, and some apps under the right conditions can shut off the PIN being required to start the phone.