[horde] Problem with Android Horde Activesync - Can't add account - Gmail's security settings are more secure than those set by your IT admin

Heiko Schellhorn schell at iup.physik.uni-bremen.de
Tue Nov 12 10:18:40 UTC 2019


Hi


> Quoting r.j.baart at prompt.nl:
> 
>> Perhaps the problem is described here: 
>> https://developers.google.com/android/work/device-admin-deprecation

Sorry it's a competitive software but not only Horde is affected by 
this. Same issue with Tine20 for some days.

Suddenly there was a message "You need to update your Exchange account",
which didn't work, with the message mentioned before.

Cheers

Heiko

> This may very likely be the case.
> 
> I can't reproduce this on any of my devices, but I don't think the 
> latest GMail app has been pushed out to any of them yet.
> 
> Since this is because the device admin is being deprecated, you can 
> maybe try disabling provisioning on the Horde side. You can do this via 
> Admin->Permissions (Set provisioning to "disable" - be aware you'll lose 
> all of the security policy settings if you do this though). If you want 
> to get your hands a little dirtier, you can create an 
> activesync_provisioning_check hook (see horde/config/hooks.php.dist). 
> You can sniff the devices that are affected by maybe userAgent and 
> return Horde_ActiveSync::PROVISIONING_NONE for those devices. Be aware 
> that when doing either of these, you lose the ability to remote wipe a 
> lost device.
> 
> Without being able to reproduce this to test, I really have no idea if 
> this will help, since this actually makes things less secure in a way, 
> it might not, but since it removes the use of the device admin service, 
> it's the best guess I have at the moment... other than using a different 
> ActiveSync client like Outlook or Nine Folders.
> 
> 
>> I can read it, but I don't understand it. If this is the problem, the 
>> solution will not come from Google.
>>
>>
>> On 9-11-2019 18:20, Ronny Forberger wrote:
>>> Hi Michael,
>>>
>>> thanks for your information.
>>>
>>> I am not sure if I have a second GMail account on the phone, I have a 
>>> google account on it though.
>>>
>>> I think the Gmail application itself is now requiring certain 
>>> security policies to be in place, as you said.
>>>
>>> I tried to set the permissions of ActiveSync to all permissions for 
>>> authenticated users, creators and even my username, but no success.
>>>
>>> The error message on the phone is still appearing.
>>>
>>> It worked before the Android upgrade though without the Horde 
>>> permissions.
>>>
>>> Any other ideas?
>>>
>>> Best regards,
>>>
>>> Ronny Forberger
>>>
>>>
>>> Quoting Michael J Rubinsky <mrubinsk at horde.org>:
>>>
>>>> Quoting Ronny Forberger <ronnyforberger at ronnyforberger.de>:
>>>>
>>>>> Hi Horde list,
>>>>>
>>>>> My brand new Android 9 phone has made an update to the OS and since 
>>>>> that I cannot access my Horde Active Sync interface anymore.
>>>>>
>>>>> I am getting the error message
>>>>>
>>>>> Can't add account - Gmail's security settings are more secure than 
>>>>> those set by your IT admin
>>>>>
>>>>> on Android.
>>>>>
>>>>> Any ideas what I have to set up on Horde / or the web server to 
>>>>> make this run again or where to look at least?
>>>>
>>>> This sounds like you either maybe have another account set up in the 
>>>> Gmail app on the Android device, whose provisioning policies are 
>>>> more secure than Horde's, or the Gmail application itself is now 
>>>> requiring certain security policies to be in place.  You can try 
>>>> looking at Horde -> Admin -> Permissions. Look at the permissions 
>>>> available under Horde -> ActiveSync (you might need to create them) 
>>>> and see if any of those look like a good candidate.
>>>>
>>>> For what it's worth, my Note has the same patchlevel, and I just 
>>>> successfully added my horde account to the device, after accepting 
>>>> the security policy.
>>>>
>>>>
>>>>>
>>>>> Android version: 9 PKQ1.181121.001
>>>>> Android security patchlevel: 2019-10-01
>>>>>
>>>>> Horde Version: 5.2.22
>>>>> Nginx Version: 1.16.1 (reverse proxy with mod_security)
>>>>> Apache httpd version: 2.4.41 (serving horde)
>>>>>
>>>>> Any help is appreciated.
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Ronny Forberger
>>>>> -- ___________________________________
>>>>> Ronny Forberger
>>>>> ronnyforberger at ronnyforberger.de
>>>>> PGP: http://www.ronnyforberger.de/pgp/email-encryption.html
>>>>>
>>>>> -- Horde mailing list
>>>>> Frequently Asked Questions: http://horde.org/faq/
>>>>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>>>
>>>>
>>>>
>>>> -- mike
>>>> The Horde Project
>>>> http://www.horde.org
>>>> https://www.facebook.com/hordeproject
>>>> https://www.twitter.com/hordeproject
>>>
>>>
>> -- 
>>
>> Kind regards,
>>
>> R.J. Baart


-- 
---------------------------------------------------------------------------

Dipl. Inf. Heiko Schellhorn

University of Bremen               Room:  NW1-U 2065
Inst. of Environmental Physics     Phone: +49(0)421 218 62091
P.O. Box 33 04 40                  Fax:   +49(0)421 218 62070
D-28334 Bremen                     Mail:  mailto:schell at physik.uni-bremen.de
Germany                            www:
                                    http://www.iup.uni-bremen.de/~schell
                                    http://www.sciamachy.de
                                    http://www.esa-ghg-cci.org

He who does not know the truth is merely a fool. But he who
knows it and calls it a lie is a criminal.
( Berthold Brecht )
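
The narrower of the two workarounds suggested in the quoted reply, an activesync_provisioning_check hook that returns Horde_ActiveSync::PROVISIONING_NONE only for affected user agents, sketched as an added example; it is not part of the thread and not Horde's own code. The ($device, $user) signature, the PROVISIONING_FORCE default and the user-agent prefix are assumptions or placeholders: compare them with horde/config/hooks.php.dist and with the userAgent values in your own sync log.

```php
<?php
// Added example; not code from this thread or from Horde itself.
// Stand-in so the file also runs outside Horde (values are placeholders);
// inside Horde the real Horde_ActiveSync class is autoloaded instead.
if (!class_exists('Horde_ActiveSync')) {
    class Horde_ActiveSync
    {
        const PROVISIONING_FORCE = 'force (stand-in)';
        const PROVISIONING_NONE = 'none (stand-in)';
    }
}

class Horde_Hooks
{
    // Constructed placeholder: replace with the userAgent prefixes your own
    // sync log shows for the clients that refuse to add the account.
    private $_exemptAgents = array('EXAMPLE-AFFECTED-CLIENT/');

    // Assumed signature and default level; compare with hooks.php.dist.
    public function activesync_provisioning_check($device, $user)
    {
        $agent = (string)$device->userAgent;
        foreach ($this->_exemptAgents as $prefix) {
            if (stripos($agent, $prefix) === 0) {
                // userAgent is client-supplied: strip control characters
                // before it reaches the log.
                $safe = preg_replace('/[^\x20-\x7e]/', '?', $agent);
                // Keep a record of every device that syncs without policy
                // enforcement; these can no longer be remote wiped.
                error_log("ActiveSync: provisioning skipped for $user ($safe)");
                return Horde_ActiveSync::PROVISIONING_NONE;
            }
        }
        // All other devices keep enforced provisioning.
        return Horde_ActiveSync::PROVISIONING_FORCE;
    }
}

// Demo with constructed devices, only when this file is run directly.
if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    $hooks = new Horde_Hooks();
    foreach (array('EXAMPLE-AFFECTED-CLIENT/1.0', 'Other-Client/2.0') as $ua) {
        $device = (object)array('userAgent' => $ua);
        echo $ua, ' => ', $hooks->activesync_provisioning_check($device, 'alice'), "\n";
    }
}
```

Matching on a prefix keeps policy enforcement and remote wipe for every client that still accepts provisioning, and the log line gives an inventory of the devices that no longer have it.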


