Beware - 1&1 forced security policy ! - Exchange hosting


Guest jchamier
Posted

So I've been using the 4smartphone.net 15 day trial for Direct Push exchange email. Works well on the VarioII, but pretty sluggish when using OL2003, or OWA from my work (10meg COLT) or home (19mbps Bulldog DSL) connections.

Not surprising given they are in a Phoenix data centre, which pings at a minimum of 170ms. So I locate a reasonably priced European exchange host, and 1and1.co.uk appears. I sign up....

First sync, I find my device has been "taken over" and they've pushed a forced policy requiring at least a 4 digit password on the device.

WTF? To get rid of this, I have to Hard Reset.

So now trying to close my (just 24hrs old) account, but had zero reply. Guess I'll have to call the credit card and put a stop on the payment...

Guest chucky.egg
Posted
> First sync, I find my device has been "taken over" and they've pushed a forced policy requiring at least a 4 digit password on the device.
>
> WTF?

I was surprised by it too, but it's hardly a big problem.

I've set mine to prompt for the password every 24 hours... effectively after a reboot or in the morning when I switch it on.

For me the bigger issue was the lack of Remote Wipe facilities.

Guest Paul (MVP)
Posted

I think it's a bit off tho, you should have the option...

P

Guest chucky.egg
Posted
> I think it's a bit off tho, you should have the option...
>
> P

Yeah, I see what you mean. Even being told about it in advance would be good!

One thing just occurred to me... you can't force a remote wipe without a policy in place. So maybe they do this so that THEY can do a wipe ...

I might have to read their T&C and ask a few questions.

Guest chucky.egg
Posted

I've been through their FAQs (can't find the T&Cs) and can't see any reference to the Security Policy or the PIN requirement.

I've emailed them to get more info.

Guest jchamier
Posted
> I've been through their FAQs (can't find the T&Cs) and can't see any reference to the Security Policy or the PIN requirement. I've emailed them to get more info

I basically emailed them to say as it wasn't declared up front, the contract is null and void, and under the UK Distance Selling regulations I wanted my money back!

Whilst I don't mind providers having these options activated, I want to know in advance so I can choose my provider.

As an Exch 2k3 SP2 admin at work, remote wipe and security policy is a great tool. Very like blackberry ;-)

Guest chucky.egg
Posted

They have a 60 day cancellation policy which has worked for me in the past, so you don't need to quote the book.

What's worrying me is that I can't see any other reason for the policy.

Guest chucky.egg
Posted

I got an email from 1&1 yesterday suggesting I talk to my network about the configuration of my smartphone.

Oh dear.

I've replied, explaining that this is an issue with the configuration of their servers, not my device.

I'll let you know when I get a proper answer.

Guest chucky.egg
Posted

OK, this is their latest reply (which you will see STILL doesn't fully answer my questions):

Dear Chucky, (Customer ID: 123456)

Thank you for contacting us.

The security policy is required due to you being on a shared Exchange server.

1&1 would never remote wipe your phone.

If you have any further questions please do not hesitate to contact us.

--
Sincerely,
Brian Evan
Technical Support
1&1 Internet

> Thanks for your reply, but I'm afraid that doesn't answer any of my questions.
>
> The questions I have relate to the MS Exchange service from 1&1, and NOT to the handset itself or my mobile phone service provider.
>
> This is a serious issue to me, as the Security Policy enforced by 1&1 (which I can not find in any documentation on your website) enables 1&1 to completely wipe my device at any time. If you are not familiar with "remote wipe" you can read more here:
>
> http://www.microsoft.com/technet/prodtechn...03/mobility_sp2.mspx
>
> If you do not know the answers to these questions please escalate this to the next level of support. I need definitive answers to these questions.
>
> Could you answer these questions please:
>
> 1. Is there a way to sync my Windows Mobile 5 smartphone *without* having the 1&1 Security Policy applied to my device?
>
> 2. Can you please explain in writing (links to documents on your website would be good) under what circumstances 1&1 might "remote wipe" my smartphone (or any other Windows Mobile device I sync with my Exchange mailbox)
>
> 3. Can you please confirm that 1&1 will never, without my prior written consent, "remote wipe" my device
>
> Thanks
>
> Chucky

Guest jchamier
Posted
> OK, this is their latest reply (which you will see STILL doesn't fully answer my questions):

Well I've been through the whole closedown, and "http://contract" website stuff, fingers crossed no money will be taken from my card.

I've signed up with 4smartphone, which is slow using OL2003 (I quite often get the balloon message about outlook trying to connect to the server) but instant on the Vario.

James

  • 5 months later...
Guest floepie
Posted

This drives me nuts as well. It's even more bothersome for me, as my device has some sort of bug whereby the device turns itself on at times with this PIN lock enabled. If MS requires that a policy exists, it doesn't necessarily mean that a PIN should be required.

Thank you for contacting us.

In order to activate Wireless Sync/Push Services, we have to enforce Security Policies on the devices. Without this, these Services cannot be activated on the Servers. The server (Microsoft Exchange) enforces that a policy HAS to exist, we can not stop this.

We use the least Possible Security Setting: The User has to set a PIN/Password for the device.

We do not enforce any further setting, we do not enforce complexity minimums for Passwords, nothing else.

Without this Setting Exchange Server Push Service is not functional.

If you have any further questions please do not hesitate to contact us.

--
Sincerely,
Pauline Taton
Technical Support
1&1 Internet

> Could you please explain then how a PIN on my own device affects your security?
>
> I don't need a PIN on my PC to connect to your servers with Outlook, so why do you require my mobile device to have this PIN?
>
> No other hosted exchange providers require this for Windows Mobile devices.
>
> If I cannot have this PIN requirement removed on my device, then I will have to look for another provider, as my device has a bug that makes it very unstable and annoying with a PIN enabled.
>
> Thank you.
