Educause Security Discussion mailing list archives

Re: device security and email using activesync


From: "Patria, Patricia" <PPatria () BENTLEY EDU>
Date: Fri, 5 Nov 2010 08:57:58 -0400

Hi Bob,

We also have a BES Server and require Blackberries for any devices that the institution purchases for employees (VPs, 
Directors, select IT and Facilities staff, etc.). We also require employees with personal Blackberries to connect to 
our BES server, as that provides additional controls and security.

However, we also have an ActiveSync server and allow users with Windows Mobile and iPhones to connect to that to sync 
contacts, calendar and e-mail and do offer support to help get those devices connected. We have similar controls set on 
both the BES and ActiveSync servers for required passwords, timeouts and maximum amount of mail on the phones; the 
caveat is that users can override the technical controls on certain versions of the iPhone and Windows Mobile phones. 
To attempt to prevent that, we also have a Cell Phone and PDA Policy <http://info-privacy.bentley.edu/node/50> and a 
Data Classification Policy 
<http://info-privacy.bentley.edu/sites/info-privacy.bentley.edu/files/u21/Bentley%20Data%20Classification%20and%20Usage%20Policyv6.pdf> 
that prevents sensitive information from being sent via e-mail (knowing that people will read it on phones). Lastly, 
we require all employees to digitally sign our Acceptable Usage Policy <http://www.bentley.edu/computing-use/index.cfm> 
on a yearly basis, and also require staff to take mandatory Information Security Training (which reinforces the concept 
of the BES server and the Cell Phone/PDA policy).

So far, the combination of policy, training and technical controls seems to be working. Feel free to contact me if you 
have additional questions.

Patty

Patty Patria
Chief Information Security Administrator | Bentley University
175 Forest Street, Waltham, MA 02452 | 781.891.2364



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Smith, Bob
Sent: Thursday, November 04, 2010 6:32 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] device security and email using activesync

In our current setup we only allow the use of a Blackberry device, either university or personally owned, connected to 
our BES for integration with our Exchange system.  All devices must conform to the same set of security policies.  This 
current setup has served us well, but recently the desire to integrate/sync the now large numbers of iPads on campus 
with Exchange has started some research regarding how ActiveSync may play a role in achieving an acceptable level of 
security (remote wipe, lockout, PIN, etc.) for this and other devices.

As part of this research, we are now testing various other devices (iPhone, Droid, iPad, etc.) to see what the actual 
results are and in doing so I was asked to query this group to see what other institutions are doing or have done with 
regard to leveraging ActiveSync for security and access to your email system.

Do you:

 *   offer support for all devices or just specific devices and what level of support?
 *   allow both institutionally owned and personally owned devices?  Why or why not?
 *   require different/same/no security policies for institutionally owned versus personally owned devices?
 *   enforce any security policies using ActiveSync or require/encourage the user to manually set them?
 *   have any "lessons learned" you would care to share?

Your feedback is greatly appreciated.

Bob Smith
AVP IITS & Information Security Officer
Longwood University



