Comment: Migrated to Confluence 5.3

...

This is an opt-in secure policy for ActiveSync devices. As ActiveSync is licensed but not identical across all devices, some devices may function slightly differently with different OS versions.

Goals

The goal of this secure policy is to increase the chances that a stolen or lost phone is wiped, whether by the person in possession of the phone, by the end user (through OWA), or by an Exchange Administrator if needed.

From a security perspective the best option (which we cannot offer today) is whole disk encryption for the mobile device. The intent is that by implementing these minimum barriers we can better protect university and personal data that may be accessible from an unlocked mobile device, by encouraging people who steal or find devices to simply factory reset them, which is the desired behavior for a device that has been lost.

...

policy will only be applied to devices on which users have elected to configure their Tufts email and calendar items.

Goals

Much thought went into the creation of the Secure Mobile Device Policy. Security breaches on mobile devices are the fastest growing segment of cybercrime. Because cybercrime continues to shift from the more protected desktop environment to mobile devices, organizations that house sensitive data must take precautions to protect their information. We feel this policy enhances the university’s ability to protect the personal information of our students, faculty and staff.

How to Opt-In

A ticket to ESS will suffice for now: ESS-Ticket

From a security perspective the best option (which we cannot offer today) is whole disk encryption for the mobile device. The intent is that by implementing these minimum barriers we can better protect university and personal data that may be accessible from an unlocked mobile device.

Summary of the Policy

  • Enforces a password of minimum length 4 on a mobile device that mounts Exchange.
    • Password complexity, password age, and password reset frequency are not requirements. These items are security deterrents but unnecessary to attain the Goals stated above.
  • Many devices (such as iPhones) institute their own time lockouts between password entries.

...

  • The device is instructed to compare its local policy to the server every hour. Changes in the server policy will appear on the device within 1 hour 59 minutes.
  • The device policy does not allow "Unsigned Applications" (those not approved by the OS provider or a sanctioned app store).
  • The device policy does not otherwise restrict options on the device, in order to observe the BYOD environment at Tufts.
  • The policy will not allow a device that cannot accept the policy (due to incompatibilities in OS) to connect to Exchange over ActiveSync.
  • Removing the policy will not return settings to what they were before the policy was enabled.

...