...
This is an opt-in secure policy for ActiveSync devices. Because ActiveSync is licensed but not implemented identically across all devices, some devices may behave slightly differently depending on OS version.
Testing OSes
iOS 6 - Working
iOS 5 - Working
Android 4.x - Working
Windows 8 - Needs Testing
Goals
The goal of this secure policy is to increase the chances that a lost or stolen phone is wiped, whether by the person in possession of the phone, by the end user (through OWA), or by an Exchange Administrator if needed.
...
Why Opt-In?
Tufts is a BYOD (Bring Your Own Device) environment. We hope that piloting the Secure Pilot Plan will give those legally responsible for Tufts data a way to determine whether a secure policy should be enforced universally for devices connecting to the Tufts environment.
...
For now, a ticket to ESS will suffice: ESS-Ticket. We plan to add this functionality as part of administrative roles for TuftsTools in the future.
Summary of the Policy
- Enforces a password of minimum length 4 on a mobile device that mounts Exchange.
- Password complexity, password age, and password reset frequency are not requirements. These items are security deterrents but are unnecessary to attain the Goals stated above.
- After 10 incorrect password entries, a wipe code is sent to the device. The user is warned of this.
- Many devices (such as iPhones) institute time lockouts between password entries.
  iPhone 4s, running OS 6.1.3 (latest)
  ATTEMPT – OUTCOME
  * 1-5: bad password
  * 6: 1min lockout (emergency calls allowed)
  * 7: 5min lockout (emergency calls allowed)
  * 8: 15min lockout (emergency calls allowed)
  * 9: 60min lockout (emergency calls allowed)
  * 10:
- The device is instructed to compare its local policy to the server every hour. Changes in the server policy will appear on the device within 1 hour 59 minutes.
- The device policy does not allow "Unsigned Applications" (those not approved by the OS provider or a sanctioned app store).
- The device policy does not otherwise restrict options on the device, in order to observe the BYOD environment at Tufts.
- The policy will not allow a device that cannot accept the policy (due to incompatibilities in OS) to connect to Exchange over ActiveSync.
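
The summary above maps onto Exchange ActiveSync mailbox policy settings. The following is an added example, not Tufts' own configuration: it expresses the summary as a baseline, reports any setting on the server that has drifted from it, and shows how a single mailbox would be opted in. It assumes the Exchange Management Shell with the Exchange 2010/2013 ActiveSync cmdlets; the policy name `Secure-Pilot` and the mailbox `user@example.edu` are hypothetical.

```powershell
# Added example. Baseline values come from the "Summary of the Policy" list;
# the policy name and mailbox are hypothetical placeholders.
$PolicyName = 'Secure-Pilot'

$Baseline = @{
    DevicePasswordEnabled              = $true
    MinDevicePasswordLength            = 4
    AlphanumericDevicePasswordRequired = $false       # no complexity requirement
    DevicePasswordExpiration           = 'Unlimited'  # no password age
    MaxDevicePasswordFailedAttempts    = 10           # wipe after 10 bad entries
    DevicePolicyRefreshInterval        = '01:00:00'   # device re-checks policy hourly
    AllowUnsignedApplications          = $false
    AllowNonProvisionableDevices       = $false       # block devices that cannot apply the policy
}

function Test-PolicyDrift {
    param(
        [Parameter(Mandatory = $true)] $Policy,     # object from Get-ActiveSyncMailboxPolicy
        [Parameter(Mandatory = $true)] [hashtable] $Expected
    )
    # Compare on the string form so Unlimited<T> and TimeSpan values line up
    # with the plain values in the baseline table.
    foreach ($name in $Expected.Keys) {
        $want   = [string]$Expected[$name]
        $actual = [string]$Policy.$name
        if ($actual -ne $want) {
            New-Object PSObject -Property @{
                Setting = $name; Expected = $want; Actual = $actual
            }
        }
    }
}

# Create the policy if it does not exist yet, then report any drift.
$policy = Get-ActiveSyncMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
if (-not $policy) {
    $policy = New-ActiveSyncMailboxPolicy -Name $PolicyName @Baseline
}
$drift = @(Test-PolicyDrift -Policy $policy -Expected $Baseline)
if ($drift.Count -gt 0) { $drift | Format-Table Setting, Expected, Actual -AutoSize }

# Opt-in: only mailboxes explicitly assigned the policy receive it.
Set-CASMailbox -Identity 'user@example.edu' -ActiveSyncMailboxPolicy $PolicyName
```

Running the drift check on a schedule catches a relaxed setting (for example a raised failed-attempt limit) before devices pick it up at their next hourly refresh.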
...