...
This is an opt-in secure policy for ActiveSync devices. Because ActiveSync is licensed to device vendors rather than implemented identically by all of them, some devices may behave slightly differently under the policy depending on their OS version.
Goals
The goal of this secure policy is to increase the chances that a stolen or lost phone is wiped, either by the person in possession of the phone, by the end user (through OWA), or by an Exchange Administrator if needed. The policy will only be applied to devices on which users have elected to configure their Tufts email and calendar.
Goals
Much thought went into the creation of the Secure Mobile Device Policy. Security breaches on mobile devices are the fastest growing segment of cybercrime. Because cybercrime continues to shift from the more protected desktop environment to mobile devices, organizations that house sensitive data must take precautions to protect their information. We feel this policy enhances the university’s ability to protect the personal information of our students, faculty and staff.
From a security perspective the best option (which we cannot offer today) is whole-disk encryption for the mobile device. By implementing these minimum barriers we hope to better protect university and personal data that would otherwise be accessible from an unlocked mobile device: the barriers encourage people who steal or find a device to simply factory reset it, which is the desired outcome for a device that has been lost.
Why Opt-In?
Tufts is a BYOD (Bring Your Own Device) environment. Our hope is that by piloting the Secure Plan we can give those legally responsible for Tufts data a basis for deciding whether a secure policy should be enforced universally for any device connecting to the Tufts environment.
How to Opt-In
A ticket to ESS for now will suffice: ESS-Ticket
Summary of the Policy
- Enforces a password of minimum length 4 on a mobile device that mounts Exchange.
- Password complexity is not required, and neither are password age limits or password reset frequency. These items are security deterrents but are unnecessary to attain the Goals stated above.
- Many devices (such as iPhones) institute their own time lockouts between password entries.
iPhone 4s, running iOS 6.1.3 (latest)
*ATTEMPT - OUTCOME*
* 1-5: bad password
* 6: 1 min lockout (emergency calls allowed)
* 7: 5 min lockout (emergency calls allowed)
* 8: 15 min lockout (emergency calls allowed)
* 9: 60 min lockout (emergency calls allowed)
* 10: tether device and connect to iTunes
Nokia Lumia 822, running Windows Mobile 8
*ATTEMPT - OUTCOME*
* 1-4: bad password
* 5: 1 min lockout
* 6: 2 min lockout
* 7: 4 min lockout
* 8: 8 min lockout
* 9: 16 min lockout
* 10: 32 min lockout
etc.
HTC Rezound, running Android 4.0.3
*ATTEMPT - OUTCOME*
* 1-4: bad password
* 5: 30 second lockout
* 6-9: bad password, with a prompt each time warning that the device would wipe after 10 failed attempts
* 10: 30 second lockout
* 11: bad password
etc.
- The device is instructed to compare its local policy to the server every hour, so changes in the server policy will appear on the device within 1 hour 59 minutes.
- The device policy does not allow "unsigned applications" (those not approved by the OS provider or the sanctioned app store).
- The device policy does not otherwise restrict options on the device, in order to observe the BYOD environment at Tufts.
- The policy will not allow a device that cannot accept the policy (due to OS incompatibilities) to connect to Exchange over ActiveSync.
- Removing the policy will not restore the device's settings to what they were before the policy was enabled.
...
- Some OSes have non-PIN passwords, such as geometric pattern passwords (Android) or picture passwords (Windows 8). This policy enforces a PIN-type password.
- This policy only pertains to ActiveSync devices. Connecting to Exchange over IMAP or HTTP protocols is not affected by it.
- Without a formal, regular method of backing up the mobile device, personal data WILL be lost whenever the device is wiped, so it is important to use back-up options such as iCloud.
- Samsung Galaxy devices that were configured with a PIN before being included in the policy are presented with the message "Security settings need to be updated." After clicking "Continue," either nothing happened or the screen dimmed. The user had to remove the ActiveSync account, remove the PIN, and then re-add the account (which prompted them to set a PIN).
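As an added illustration (not the Tufts configuration itself), the settings summarized above expressed as an Exchange 2010 Management Shell ActiveSync mailbox policy, assigned to one mailbox because the policy is opt-in. The policy name and the mailbox alias are assumed, and the 10-attempt wipe threshold is an assumption drawn from the device behaviour listed above, not a value this page states; on Exchange 2013 and later the equivalent cmdlets are named New-MobileDeviceMailboxPolicy / Get-MobileDeviceMailboxPolicy.

```powershell
# Assumed settings for an opt-in secure ActiveSync policy (Exchange 2010 cmdlet names).
$policy = @{
    Name                               = "Secure-Mobile-Pilot"  # assumed policy name
    DevicePasswordEnabled              = $true
    MinDevicePasswordLength            = 4        # "minimum length 4"
    AllowSimpleDevicePassword          = $true    # PIN-style; complexity not required
    AlphanumericDevicePasswordRequired = $false
    DevicePasswordExpiration           = "Unlimited"   # no password age requirement
    DevicePasswordHistory              = 0        # no reset-frequency requirement
    MaxDevicePasswordFailedAttempts    = 10       # ASSUMED wipe threshold
    AllowUnsignedApplications          = $false   # unsigned apps disallowed
    AllowUnsignedInstallationPackages  = $false
    AllowNonProvisionableDevices       = $false   # devices that cannot accept the policy are refused
    DevicePolicyRefreshInterval        = "01:00:00"    # device re-checks policy hourly
}
New-ActiveSyncMailboxPolicy @policy

# Opt a single mailbox in (hypothetical alias); devices pick the policy up on their next sync.
Set-CASMailbox -Identity "jsmith" -ActiveSyncMailboxPolicy $policy.Name

# Verify the assignment and the effective settings the server will push.
Get-CASMailbox -Identity "jsmith" | Select-Object Name, ActiveSyncMailboxPolicy
Get-ActiveSyncMailboxPolicy -Identity $policy.Name |
    Format-List DevicePasswordEnabled, MinDevicePasswordLength, AllowSimpleDevicePassword,
        DevicePasswordExpiration, MaxDevicePasswordFailedAttempts, AllowUnsignedApplications,
        AllowNonProvisionableDevices, DevicePolicyRefreshInterval
```

Because AllowNonProvisionableDevices is false, a user whose device cannot enforce the policy will stop syncing rather than sync unprotected, which is the behaviour the summary describes.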
Specifics of the policy (and other options available)
...