Secure Mobile Device Policy with Exchange
About
This is an opt-in secure policy for ActiveSync devices. ActiveSync is licensed to device vendors rather than implemented identically by all of them, so some devices behave slightly differently, and behaviour can also vary between OS versions on the same device. The policy applies only to devices on which users have chosen to configure their Tufts email and calendar.
Goals
Much thought went into the creation of the Secure Mobile Device Policy. Security breaches on mobile devices are the fastest growing segment of cybercrime. Because cybercrime continues to shift from the more protected desktop environment to mobile devices, organizations that house sensitive data must take precautions to protect their information. We feel this policy enhances the university’s ability to protect the personal information of our students, faculty and staff.
From a security perspective the best option, which we cannot offer today, is whole-disk encryption of the mobile device. The intent of these minimum barriers is to better protect university and personal data that would otherwise be accessible from an unlocked mobile device.
Summary of the Policy
- Enforces a password of minimum length 4 on any mobile device that connects to Exchange over ActiveSync.
- Password complexity, password age and password reset frequency are not required. These are useful deterrents but are not needed to reach the Goals stated above.
- Many devices (such as iPhones) impose their own lockouts between failed password entries. Observed behaviour on three test devices (failed attempt number: outcome):
  iPhone 4s, iOS 6.1.3 (the latest release at the time of writing)
    1-5: bad password
    6: 1 min lockout (emergency calls allowed)
    7: 5 min lockout (emergency calls allowed)
    8: 15 min lockout (emergency calls allowed)
    9: 60 min lockout (emergency calls allowed)
    10: device must be tethered and connected to iTunes
  Nokia Lumia 822, Windows Phone 8
    1-4: bad password
    5: 1 min lockout
    6: 2 min lockout
    7: 4 min lockout
    8: 8 min lockout
    9: 16 min lockout
    10: 32 min lockout, and so on
  HTC Rezound, Android 4.0.3
    1-4: bad password
    5: 30 second lockout
    6-9: bad password
    10: 30 second lockout
    11: bad password, and so on (a 30 second lockout after every fifth failure)
- The device is instructed to compare its local policy with the server's every hour. A change in the server policy therefore appears on the device within 1 hour 59 minutes.
- The policy does not otherwise restrict options on the device, in order to respect the BYOD environment at Tufts.
- A device that cannot accept the policy (because its OS does not support it) is not allowed to connect to Exchange over ActiveSync.
- Removing the policy does not revert the device to the settings it had before the policy was applied.
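The lockout schedules recorded above are what stand between a 4-digit PIN and a guessing attack. The following PowerShell is an added example, not part of the original page, that turns those three schedules into a model of how long unattended guessing of every 4-digit PIN (10,000 values) would take on each device. Everything beyond the attempts the page lists is an assumption: 2 seconds of typing per guess, the Windows Phone doubling continuing without a cap, and the Android 30-second lockout repeating on every fifth failure indefinitely.

```powershell
# Added example (not from the original page): models brute-force cost of a
# 4-digit PIN under the three observed lockout schedules.
# ASSUMPTIONS: 2 s per guess; Windows Phone doubling is uncapped; the Android
# 30 s lockout repeats on every fifth failure.

function Get-LockoutSeconds {
    param(
        [Parameter(Mandatory)][ValidateSet('iPhone', 'WindowsPhone', 'Android')]
        [string]$Device,
        [Parameter(Mandatory)][int]$Attempt   # 1-based number of this failed attempt
    )
    switch ($Device) {
        'iPhone' {
            # Observed: 1-5 free; 6: 1 min; 7: 5 min; 8: 15 min; 9: 60 min;
            # 10: device must be tethered to iTunes, so guessing on the handset ends.
            if ($Attempt -le 5) { return 0 }
            $table = @{ 6 = 60; 7 = 300; 8 = 900; 9 = 3600 }
            if ($table.ContainsKey($Attempt)) { return $table[$Attempt] }
            return $null   # attempt 10 and beyond: blocked
        }
        'WindowsPhone' {
            # Observed: 1-4 free, then 1, 2, 4, 8, 16, 32 min ... (assumed to keep doubling)
            if ($Attempt -le 4) { return 0 }
            return [math]::Pow(2, $Attempt - 5) * 60
        }
        'Android' {
            # Observed: a 30 s lockout on every fifth failure, no escalation
            if ($Attempt % 5 -eq 0) { return 30 }
            return 0
        }
    }
}

function Measure-PinBruteForce {
    param(
        [Parameter(Mandatory)][string]$Device,
        [int]$PinSpace = 10000,                     # every 4-digit numeric PIN
        [double]$SecondsPerGuess = 2,               # ASSUMPTION: manual entry time
        [double]$GiveUpAfterSeconds = 365 * 86400   # stop modelling past one year
    )
    $elapsed = 0.0
    for ($i = 1; $i -le $PinSpace; $i++) {
        $delay = Get-LockoutSeconds -Device $Device -Attempt $i
        if ($null -eq $delay) {
            return [pscustomobject]@{ Device = $Device; Attempts = $i - 1
                Hours = [math]::Round($elapsed / 3600, 2); Outcome = 'blocked: device must be tethered' }
        }
        $elapsed += $SecondsPerGuess + $delay
        if ($elapsed -gt $GiveUpAfterSeconds) {
            return [pscustomobject]@{ Device = $Device; Attempts = $i
                Hours = [math]::Round($elapsed / 3600, 2); Outcome = 'gave up: more than a year of lockouts' }
        }
    }
    [pscustomobject]@{ Device = $Device; Attempts = $PinSpace
        Hours = [math]::Round($elapsed / 3600, 2); Outcome = 'entire PIN space exhausted' }
}

'iPhone', 'WindowsPhone', 'Android' |
    ForEach-Object { Measure-PinBruteForce -Device $_ } |
    Format-Table -AutoSize
```

Under these assumptions the iPhone schedule ends handset guessing after 9 failures (about 1.4 hours of waiting), the Windows Phone schedule passes a year of cumulative lockout before the 25th attempt, and the Android schedule as recorded allows the whole 4-digit space to be tried in roughly 22 hours. For that last case the protection of a short PIN rests on whatever else applies to the device; ActiveSync policies can also set a failed-attempt wipe threshold (MaxDevicePasswordFailedAttempts), but this page does not say whether the Tufts policy sets one.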
Known Issues
- Some OSes offer non-PIN unlock methods, such as pattern unlock (Android) or picture passwords (Windows 8). This policy enforces a PIN-type password.
- This policy applies only to ActiveSync devices. Connecting to Exchange over IMAP or HTTP is not affected by it.
- Without a formal, regular method of backing up the mobile device, personal data WILL be lost whenever the device is wiped, so it is important to use a backup option such as iCloud.
- Samsung Galaxy devices that were configured with a PIN before being included in the policy showed the message "Security settings need to be updated." After tapping "Continue," either nothing happened or the screen dimmed. The workaround was to remove the ActiveSync account, remove the PIN, then re-add the account, which prompted the user to set a PIN.
Specifics of the policy (and other options available)
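As an added example (not the page's own configuration), the following Exchange Management Shell commands create an ActiveSync mailbox policy matching the summary above and assign it to one mailbox. Cmdlet and parameter names are the Exchange 2010 ones (New-ActiveSyncMailboxPolicy); Exchange 2013 and later expose the same settings through New-MobileDeviceMailboxPolicy, mostly with the "Device" prefix dropped from parameter names. The policy name and mailbox address are placeholders, and AllowSimpleDevicePassword is an assumed setting consistent with "no complexity requirement".

```powershell
# Added example, not the page's own configuration. Exchange 2010 cmdlet names;
# policy name and mailbox address are placeholders.

$settings = @{
    Name                               = 'Secure Mobile Device Policy' # placeholder name
    DevicePasswordEnabled              = $true        # a device password is required
    MinDevicePasswordLength            = 4            # minimum length 4
    AlphanumericDevicePasswordRequired = $false       # no complexity requirement
    AllowSimpleDevicePassword          = $true        # ASSUMED: repeated or sequential digits allowed
    DevicePasswordExpiration           = 'Unlimited'  # no password age or reset frequency
    DevicePasswordHistory              = 0            # no reuse restriction
    DevicePolicyRefreshInterval        = '01:00:00'   # device re-checks the policy hourly
    AllowNonProvisionableDevices       = $false       # a device that cannot apply the policy is refused
    # Other options the policy schema offers; this page does not say whether they are set:
    #   MaxDevicePasswordFailedAttempts = 10          # wipe the device after N failed passwords
    #   MaxInactivityTimeDeviceLock     = '00:05:00'  # auto-lock after 5 minutes idle
    #   RequireDeviceEncryption         = $true       # the encryption the Goals section says cannot be offered today
}
New-ActiveSyncMailboxPolicy @settings

# Assign the policy to a mailbox. It only ever reaches devices that sync that
# mailbox over ActiveSync, which is what makes the policy opt-in for users.
Set-CASMailbox -Identity 'jdoe@tufts.edu' -ActiveSyncMailboxPolicy $settings.Name

# Check what the server will send to the device.
Get-ActiveSyncMailboxPolicy -Identity $settings.Name |
    Format-List DevicePasswordEnabled, MinDevicePasswordLength, AlphanumericDevicePasswordRequired,
                DevicePasswordExpiration, DevicePolicyRefreshInterval, AllowNonProvisionableDevices
```

A device that already syncs the mailbox picks the policy up at its next check, which with an hourly refresh interval is the source of the "within 1 hour 59 minutes" figure in the summary.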
Other Security Measures
Information on the Tufts IT Knowledgebase is intended for IT Professionals at Tufts.
If you have a question about a Tufts IT service or computer/account support, please contact your IT support group.