Security Basics mailing list archives

[Mobile Security] Help with Un-managed Devices


From: Chris Davis <cdlists () gmail com>
Date: Fri, 23 Sep 2005 01:54:55 -0500

We just finished an audit of our mobile device infrastructure and I'd
like to throw a question out to you guys. Think benchmark.

We have concerns about un-managed devices such as someone's personal HP
Smartphone or latest Palm device. How do you handle this? I would love
to know how other companies approach this. We are a large, well-known
company (50k+ employees and 200+ locations worldwide). Are there
others on the list that struggle with the same issue?

We lobby managed solutions using Goodlink and Blackberry Enterprise
Server to our users. A managed solution has features to remotely lock
or wipe the device and forces the user to use a password. Users are
given 10 attempts before the device is wiped. We only require 4
characters with moderate filtering for things like 1111 or aaaa. The
premise behind this is the mitigating control of 10 attempts till the
device wipes itself. A managed solution has a software client that
installs on the mobile device and allows for centralized control.

Un-managed devices do not have a client, and come into the company and
leave at will. I was a mobile hardware security engineer a few years
ago and worked a lot with software developers. Basically in both cases
BES and Goodlink disable ports (using software - yes) till the
password is entered. This makes tools like Paraben Cell and PDA
Seizure useless. Not perfect - but effective.

At my company we have strong policies, but we're not using technology
to stop users from bringing smart mobile devices into work. We're not
using tools to stop users from loading software on their desktop that
uses the devices. We don't stop users from connecting to the network.
Are loose mobile devices an issue? We think so.

So bottom line - How are you guys handling un-managed mobile devices?
Thanks in advance,

Best regards,

Chris

