We received some report of user mobile phones wiped and bring to factory conditions after in-place upgrade from ZCS 8.8.15 to ZCS 10.0.5 /.6
We investigated the issue and found that the good'ole zimbraFeatureMobilePolicyEnabled was TRUE.
For those who knew only the NG Mobile, that parameter enables by cos or by account the Mobile Policies, that by default force strong authentication on devices when provisioned in ActiveSync.
If on the device was not set some other strong authentication, the sim PIN is elected as method and enabled.
By default too, the limit to wrong authentication is set to 4, and after that the device is locked/wiped based on the policies. Zimbra Admin Courses based on 8.6 and 8.7 used to warn about that danger.
On 8.8.15/9.0.0 the zimbraFeatureMobilePolicyEnabled being TRUE or FALSE is irrelevant, because the NG Mobile manages that.
It is a cos/account parameter, so an upgrade doesn't change a previous state.
Well, after we found that parameter TRUE and searched immediately all the other upgraded infrastructures, and that's what we deduct:
- Servers born with legacy mobile (<8.8.15), then upgraded to 8.8.15 or 9.0.0, have high probability to have zimbraFeatureMobilePolicyEnabled set to FALSE are generally safe when upgraded to 10.0.x.
- Servers born 8.8.15 or 9.0.0 with NG mobile have zimbraFeatureMobilePolicyEnabled set to TRUE, then are generally at risk when upgraded to 10.0.x
- Servers born 10.0.x have zimbraFeatureMobilePolicyEnabled set to TRUE, then are at risk them too
Be careful with that parameter when upgrading, or at least review deeply all the Mobile Policies under every cos.
We investigated the issue and found that the good'ole zimbraFeatureMobilePolicyEnabled was TRUE.
For those who knew only the NG Mobile, that parameter enables by cos or by account the Mobile Policies, that by default force strong authentication on devices when provisioned in ActiveSync.
If on the device was not set some other strong authentication, the sim PIN is elected as method and enabled.
By default too, the limit to wrong authentication is set to 4, and after that the device is locked/wiped based on the policies. Zimbra Admin Courses based on 8.6 and 8.7 used to warn about that danger.
On 8.8.15/9.0.0 the zimbraFeatureMobilePolicyEnabled being TRUE or FALSE is irrelevant, because the NG Mobile manages that.
It is a cos/account parameter, so an upgrade doesn't change a previous state.
Well, after we found that parameter TRUE and searched immediately all the other upgraded infrastructures, and that's what we deduct:
- Servers born with legacy mobile (<8.8.15), then upgraded to 8.8.15 or 9.0.0, have high probability to have zimbraFeatureMobilePolicyEnabled set to FALSE are generally safe when upgraded to 10.0.x.
- Servers born 8.8.15 or 9.0.0 with NG mobile have zimbraFeatureMobilePolicyEnabled set to TRUE, then are generally at risk when upgraded to 10.0.x
- Servers born 10.0.x have zimbraFeatureMobilePolicyEnabled set to TRUE, then are at risk them too
Be careful with that parameter when upgrading, or at least review deeply all the Mobile Policies under every cos.
Statistics: Posted by gabrieles — Thu Jan 11, 2024 11:00 am