Mobile Device Security and Encryption
To match the new standard for computers because, as Chief Justice Roberts wrote in a Supreme Court ruling on June 30, 2014, cellphones are “minicomputers that also happen to have the capacity to be used as a telephone.”
What does the enhanced security upgrade include?
Chiefly, the changes will make your mobile device prompt for a 6-digit PIN to unlock it, re-lock itself after a 15 minute period of inactivity, encrypt its contents, and set it to erase itself if the PIN is mis-typed many times in a row (11-15, depending on model of phone or tablet).
To whom do the new requirements apply?
As of July 10, these requirements apply to everyone whose mobile device connects to the Exchange mail servers run by IT or the College of Medicine. Later this year, the program will be expanded to all mail servers for Drexel.
What if I my device can’t work with the enhanced security?
Through December 2014, users of older Android devices and certain Windows Phones will be able to request enrollment in a less stringent set of security requirements. In 2015, these devices will need to be upgraded or replaced to continue to access email from Drexel servers.
I’m the only user of my phone, but my whole family uses my tablet. Can I pick different PINs for different devices
Yes, because PINs are tied to devices rather than accounts. If you forget a PIN, you’ll likely need to reset the device, erasing its contents. (Drexel can’t help because the PIN is held on the device, not with the Drexel account.)
What happens if my kids or friends try to use my phone or tablet and key in the wrong PIN over and over?
If they make 15 failed attempts in a row, the device will erase itself. Fortunately, some phones take steps to warn you or slow the process down:
iPhone and iPad: adds delays between successive attempts, so invoking the auto-erase function takes over an hour and twenty minutes;
Android on HTC (tested with HTC One M8): adds 30-second delay after the fifth and tenth attempts and gives warnings after attempts 11, 12, 13, and 14;
Android on Samsung (tested with Galaxy S4): gives warnings after attempts 11, 12, 13, and 14;
Windows Phone: to ensure that a person is typing intentionally (as opposed to something bumping the screen while the phone is in a pocket or purse), requires that a specific code is typed before making the 15th attempt.
Apple and Microsoft offer backup services; some Android phones do, too. Depending on how much data is on your device, the backup service may even be free.
My phone or tablet has a storage card slot and I move my storage card among several devices I own. Will the new standards impact this?
By default, the new standards will encrypt the storage cards, preventing its use in other devices. However, at least through the end of 2014, you may request to use a security policy that exempts removable storage cards. Before the end of the year, a new permanent security policy will be set.
What if I don’t want to follow the new requirements on a mobile device?
If Drexel provides all or part of the monthly service fee, you’ll have to keep the Drexel email account on the device and follow the security requirements. For fully-personal devices and services (i.e., those that Drexel isn’t contributing to), you can follow the requirements to continue getting Drexel email on the device or remove the Drexel account to avoid the security requirements.
What happens when I leave Drexel? Will my home device be erased? How do I get it decrypted?
Typically, Drexel will recall the email, contacts, calendar items that your phone got from the Drexel servers, leaving the rest of the data intact. Once you remove Drexel accounts from your device, the special security settings needed by Drexel will be lifted.