View Full Version : Corporate Password Policy Blows


DancherBoi
03-08-2007, 04:37 AM
This topic describes how to disable the password protection on your WM5 device that has been applied by a corporate security policy, usually on devices configured with Microsoft Exchange's push technology. Skip to the bottom to learn how to remove this without performing a hard reset, but keep reading if you want to hear my story.

I have an HP iPAQ 6945 after converging a Dell Axim x30, Nextel POS phone, and a Bluetooth GPS receiver. I tell you, convergence is the way to go. I love not having to preplan when I might need my GPS, and also being able to carry one device to do all things.

When I learned about the push technology that WM5 and Exchange have, I had to sign up. I was the beta tester for this setup at my company and I was in heaven. Instant e-mail notification is da bomb. But more than that, having my work calendar on my hip and chiming at me when a reminder is activated is "hot". I never missed a meeting.

But then, my corporate security guy had to earn his paycheck. He enabled password protection on my device. In and of itself, that's not a bad thing. Here is the problem. Microsoft allows only a maximum of 15 minutes of inactivity before the device requires a password. What a PITA! I use my device a lot, but obviously not every 15 minutes. Every time I go to do something on it, I have to enter a password. Even worse, when I am driving, the GPS activity is not considered, so the password screen blocks the GPS display every 15 minutes and I have to type my password in while I am driving.

I tell you, I have given up on that and decided it's not worth the hassle. I tried pleading with my security officer, but he says he's only enforcing corporate decisions made higher than him. So, I decided to remove the push from my device. Easier said than done. There is absolutely no documentation provided by Microsoft on how to do this, and no instructions on the web either. I knew that a hard reset would set things right, but there had to be a better way. So here is my post to share my experience in removing "the man" from my PPC.


Step 1, enter your damn password into the PPC.

Remove the partnership you have with your Exchange server on your PPC. To do this, launch ActiveSync on the PPC. Select MENU > OPTIONS. Highlight the Exchange Server in the list and then press DELETE. You will get a confirmation message telling you that your data will not be deleted. Accept the message and your partnership will be removed.

Now go ahead and delete your calendar items, e-mails, To-Do tasks and contacts which were sync'd with your Exchange server unless you plan on keeping them. This should not take very long since the PPC defaults to only keeping 2 weeks' worth of calendar entries and a few days' worth of e-mails.

The next step may be a little tricky for some. Be very careful performing this step. You must edit your PPC registry to disable the lock that the corporate policy put in place which disables your option to turn password protection on/off. Download and install a registry editor app. I used PHM RegEdit (do a Google search). Find the registry key HKEY_LOCAL_MACHINE\Security\Policies\Policies\00001023 and change the value data to 1. Perform a soft reset.

Enter your password into the PPC for the last time.

On your PPC, go to START > SETTINGS > LOCK. Uncheck the "Prompt if device unused for" checkbox. Close the window and you are password free.

There are other ways around this if you are willing to deal with their little nuances. Google for a utility called IBE Keep Alive. This is an app that fakes your PPC into thinking that you have been active with it within the 15-minute inactivity period, thus keeping it alive. Another is a free utility that disables password protection while the device is cradled only, which is good for those who use their PPCs as GPS devices. That utility is called "Disable Password On External Power". I have a link for that one: http://handheld.softpedia.com/get/System-Utilities/Disable-Password-On-External-Power-22349.shtml. I must emphasize that using such utilities is a breach of corporate security policy and you could be terminated from your employer if you are caught using them. That being said, I do not condone such techniques, which is why I removed the access altogether. I strongly suggest you work with your security administrator to attempt to relax your corporate policies instead. (I was not successful in that endeavor.)

Happy hacking.