About

This is an opt-in secure policy for Activesync devices. As Activesync is licensed but not identical across all devices, some devices may function slightly differently with different OS versions.

Goals

The goal of this secure policy is to increase the chances that a stolen or lost phone is wiped either by the person in possession of the phone, or by either the end user (through OWA) or Exchange Administrator if needed.

From a security perspective the best option (which we cannot offer today) is whole disk encryption for the mobile device. It is the desire that by implementing these minimum barriers we are able to better protect university and personal data that may be accessible from an unlocked mobile device by encouraging people who steal or find devices to simply factory reset them which is the desired behavior for a device that has been lost.

Why Opt-In?

Much thought went into the creation of the Secure Mobile Device Policy. Security breaches on mobile devices are the fastest growing segment of cybercrime. Because cybercrime continues to shift from the more protected desktop environment to mobile devices, organizations that house sensitive data must take precautions to protect their information. We feel this policy enhances the university’s ability to protect the personal information of our students, faculty and staff.

How to Opt-In

A ticket to ESS for now will suffice: ESS-Ticket

Summary of the Policy

• Enforces a password of minimum length 4 on a mobile device that mounts Exchange.
  • Password complexity is not a requirement, nor password age, or password reset frequency. These items are security deterrents but unnecessary to attain the Goals stated above.
• Many Devices (such as iPhones) institute their own time lockouts between password entries

iPhone 4s, running iOS 6.1.3 (latest)
*ATTEMPT – OUTCOME*
* 1-5: bad password
* 6: 1min lockout (emergency calls allowed)
* 7: 5min lockout (emergency calls allowed)
* 8: 15min lockout (emergency calls allowed)
* 9: 60min lockout (emergency calls allowed)
* 10: tether device and connect to iTunes

Nokia Lumia 822, running Windows Mobile 8
*ATTEMPT - OUTCOME*
* 1-4: bad password
* 5: 1 min lockout
* 6: 2 min lockout
* 7: 4 min lockout
* 8: 8 min lockout
* 9: 16 min lockout
* 10: 32 min lockout
etc.

HTC Rezoud, running Android 4.0.3
*ATTEMPT - OUTCOME*
* 1-4: bad password
* 5: 30 second lockout
* 6-9: bad password
* 10: 30 second lockout
* 11: bad password
etc.

• The Device is instructed to compare its local policy to the server every hour. Changes in the server policy will appear on the device within 1h:59minutes.
• The device policy does not allow "Unsigned Applications" (those not approved by the OS provider, or sanctioned App store
• The device policy does not otherwise restrict options on the device, in order to observe the BYOD environment at Tufts.
• The policy will not allow a device that cannot accept the policy (due to incompatibilities in OS) to connect to Exchange over ActiveSync
• Removing the policy will not return settings to their previous settings before the policy was enabled.

Known Issues

• Some OSes have non-PIN based passwords such as geometric passwords (Android) or picture passwords (Windows 8) This policy enforces a pin-type password.
• This policy only pertains to Activesync devices. Connecting to Exchange over IMAP or HTTP protocols is not impacted by this
• Without a formal/regular method to back-up the mobile device anytime the device is wiped personal data WILL be lost, so it is important to use back-up options like iCloud, etc.
• Samsung Galaxy devices which were configured with a PIN prior to being included in the policy are presented with a message "Security settings need to be updated." After clicking "Continue," either nothing would happen or screen would dim. User had to remove ActiveSync account, remove PIN, then re-add account (which prompted them to set a PIN).

Specifics of the policy (and other options available)

Other Security Measures

Where is my Droid
Find my iPhone