Security permission was insufficient to update your device error on Motorola Q Devices

[Today's tip comes to us courtesy of James Frederickson]

So you got a new Motorola Q phone from Verizon Wireless and you are trying to install a Certificate and you are getting the following error:

Security permission was insufficient to update your device

Here is some information that will help you connect your Motorola Q to Exchange Server 2003 using OMA, provided your server is set up for Windows Mobile devices.

The phone needs a root CA certificate to access your Exchange server when using SSL. The Motorola Q has some trusted certificates already built in.

To view them on the Q -- go to:


If none of the listed certificates is the one currently used on your Exchange server, then you need the root CA certificate from your Exchange server to add to your Q phone. Self-signed root CAs are OK. {See below for information on certificates}


To install the certificate (cert):

Download VZW_spaddcert.exe from: 

Knowledgebase Article:



  1. Create a "Storage" folder in the root directory. (Must be called Storage)
  2. Copy VZW_spaddcert.exe file to the Q.
  3. Copy your root <xxx>.cer to the storage folder.
  4. Execute VZW_spaddcert.exe and select the cert.
  5. Soft reset (reboot) the phone.

Setting up the Motorola Q phone


Click on [START]-->ActiveSync-->Menu-->[Configure Server OR Add Server Source].

Server Address is the name of your mail server, or its IP address, as seen from the Internet.



[x] If using SSL port 443 or another one that has been defined as the SSL port


Username:[] Password: Domain:[]  [x] Save password


The Domain can be checked by doing a (control-alt-del) on your computer and checking Logon information username and domain. This information must be the same as what will be used on the Q phone.

Choose the data that you want to synchronize: contact--calendar--email--tasks




  • Indeed, this works fine. I've been looking for a solution to these troubles for a while; funny enough, there's no other article on the net yet that tells you you need the certificate in place. I just figured it out myself a few days ago.

    Some things I'd like to add:
    - If your server issued a certificate to itself (so not through a third party certificate manager), you should export the root certificate. On some occasions I noticed that IIS uses a sub-certificate, so make really sure you got the root certificate or it won't work!
    - To export the root certificate, open 'Certification Authority' (under administrative tools, or add the snap-in into a new MMC) on your server. Right-click on the root certificate and choose 'properties'. On the general tab, you can see the root certificate; just select it and click on 'view certificate'.
    In the newly opened window you can double-check you selected the root certificate if you take a look at the third tab. Now that you are sure, go back to the second tab, and click on 'copy to file'. The wizard for exporting the certificate will open. Click Next. Select 'der encoded binary x.509 (.CER)' and click Next. Enter a filename where you want to store the certificate, click Next and click Finish.

    Testing the exported file (to make sure you won't have issues with it): take any PC that hasn't got the certificate installed yet. (To verify, you can open OWA through https; if you get prompted to accept the certificate, it's not installed yet.)
    OK, now to verify you successfully exported the certificate, you can double-click on it. To install the certificate on the local machine, click 'install certificate'. In the wizard click Next. Select 'Place all certificates in the following store'. Click 'browse'. Select 'show physical stores'. Under 'trusted root certificate authorities' select 'local computer' (this way you install it in the right place). Click 'ok', click 'next', click 'finish'. A popup will appear stating that the import worked (hopefully ;) )

    Now, to make sure the certificate worked, close the browser, and reopen it (to be sure). Surf to the https site of your OWA. Now IE won't prompt you to accept the certificate. If IE still prompts you, you exported the wrong certificate.

    - Another thing I'd like to suggest is not to select the 'require secure channel (SSL)' option in IIS manager under 'default web site', properties on 'exchange', directory security tab, 'secure communications', 'edit'. Why? Internally IIS communicates throughout its virtual folders. That's done using http, and not https. So if you enable that option, loads of other stuff might fail to work (like RPC over HTTPS, for instance).

    Also, exporting and importing the certificate is something you'll need to do as well if you want to use RPC over HTTPS.

    Hope this helped anyone trying to figure out why it doesn't work.
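The article asks for the root CA certificate and the comment above warns that exporting a sub-certificate instead will not work. The following is an added example, not code from the original post or its commenters, that checks whether a certificate is self-issued before it is copied to the phone. It assumes PowerShell 7, or Windows PowerShell 5.1 with .NET Framework 4.7.2 or later; `Test-RootCertificate` is a hypothetical helper name and both sample certificates are constructed in memory.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Test-RootCertificate {
    param([Parameter(Mandatory)][X509Certificate2]$Cert)

    # A root is self-issued: issuer and subject names are byte-identical.
    $selfIssued = [Convert]::ToBase64String($Cert.SubjectName.RawData) -ceq
                  [Convert]::ToBase64String($Cert.IssuerName.RawData)

    # Informational: CA certificates normally carry basicConstraints CA=TRUE.
    $bc = $Cert.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] }
    $isCa = [bool]($bc -and $bc.CertificateAuthority)

    # Build the chain without revocation lookups. PartialChain means the issuer
    # is missing, i.e. this is a server or sub-certificate, not the root.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    [void]$chain.Build($Cert)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })

    [pscustomobject]@{
        Subject       = $Cert.Subject
        SelfIssued    = $selfIssued
        IsCA          = $isCa
        ChainFlags    = $flags -join ','
        LooksLikeRoot = $selfIssued -and ($flags -notcontains [X509ChainStatusFlags]::PartialChain)
    }
}

# Constructed sample data: an in-memory root CA (names are made up).
$notBefore = [DateTimeOffset]::UtcNow.AddDays(-1)
$notAfter  = $notBefore.AddYears(1)
$rootKey   = [RSA]::Create(2048)
$rootReq   = [CertificateRequest]::new('CN=Constructed Example Root', $rootKey,
                 [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$rootReq.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($true, $false, 0, $true))
$root = $rootReq.CreateSelfSigned($notBefore, $notAfter)

# Constructed sample data: a server certificate issued by that root.
$srvReq = [CertificateRequest]::new('CN=mail.example.test', [RSA]::Create(2048),
              [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$server = $srvReq.Create($root, $notBefore.AddHours(1), $notAfter.AddDays(-1), [byte[]](1, 2, 3, 4))

# The root reports LooksLikeRoot = True; the server certificate reports False.
$root, $server | ForEach-Object { Test-RootCertificate $_ } | Format-Table -AutoSize
```

To check a real export, load the DER-encoded .cer file with `[X509Certificate2]::new('<path to your .cer>')` and pass it to the function; a root that is not yet installed in the local trusted store still reports `UntrustedRoot` in `ChainFlags`, which is expected.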

  • Nico,

    Excellent points, all.  Thank you so much for taking the time to post this!


  • My pleasure. After reading it all over I see I made quite a lot of typos. English ain't my native language, but I should have done better.

    You don't have to allow this to be posted publicly though.

    Maybe I can send you some articles by mail sometime. So, if you would like to post it, you could fix the typos for me. TBH, I can't be arsed to start my own blog. I ain't got that much time on my hands.

    Drop me an e-mail if you are interested: Nico@noid.Be

    Again, please just delete this post ;)


  • There is an alternate method to install the self signed SBS certificate. Take a look at this article -
