Educause Security Discussion mailing list archives

Re: Is anyone forcing active sync controls on their smart phone users?


From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Thu, 22 Apr 2010 15:08:20 -0700

John commented:

#We are currently considering our options for securing information on
#smartphones that include iPhones.
#
#Is anyone using the Active Sync controls in Exchange to push security
#controls to these devices?
#Some controls would include an automated timeout, required pin or
#password, and enabling remote wipe for lost or stolen devices.
#
#Are these controls applied to all university owned devices?  Do
#controls apply to personally owned devices?

I just did a talk covering this area for the Educause Security Professionals
2010 Meeting in Atlanta a few weeks back, see
http://www.uoregon.edu/~joe/mobile-device-security/mobile-device-security.pdf
(or .ppt if you prefer). In particular, for iPhones, I'd be careful about
relying on either the "built in" hardware encryption available on 3GS's, or
the remote wipe option, for the reasons discussed in that talk.

Because the iPhone security architecture is heavily dependent on a
whitelisted application environment, I would urge institutions to
consider whether they want to adopt a formal policy on "jailbreaking"
phones, at least if those phones may be used for critical institutional
purposes (including PII data-related applications).

I would also encourage sites to consider security awareness/security
training on the issue of iPhone configuration data sources (e.g.,
users need to be trained not to download configs from email messages
or random web sites, since doing so has the potential to compromise
the confidentiality/integrity of the iPhone environment if a malicious
configuration is provided).

Let me also clarify that the above concerns do NOT mean that I'd
discourage folks from using or deploying iPhones, because that's
NOT my intent; I just think you want to understand the potential
issues and implement appropriate compensating controls as may be
necessary, etc.

Feel free to drop me a note if you have any questions about this.

Regards,

Joe St Sauver (joe () oregon uoregon edu)
http://www.uoregon.edu/~joe/
Disclaimer: all opinions expressed are strictly my own
