Device Security


NotifyLink device security implements proactive features that can help deter security breaches.  It also includes reactive security options that can be implemented when a device is lost or stolen and therefore more vulnerable to a breach.

This section highlights NotifyLink’s core device security features.  For a more comprehensive listing of device security features, see the Device IT Policy Comparison chart.


Proactive Device Security Options

Device Data-at-Rest Encryption

Data-at-rest encryption for the email database on the device storage disk is supported by several device types.

ActiveSync Solution Devices

      Android with TouchDown versions 5.1.0026 or higher

      iPhone and iPod touch running iOS 4 – AES 256-bit

      iPhone devices running iOS 3.x – AES 128-bit

      webOS – AES 128-bit

      Windows Mobile 6.1 and 6.5 – AES 128-bit


Device Rules: Lock Rules

Inactivity Timeout

      BlackBerry, Symbian, and Windows Mobile Platforms
The NotifyLink Lock Timeout setting always respects the native timeout interval.  Turning off the device or letting the native inactivity timer turn off the device will not cause the password prompt when turning the device back on unless the NotifyLink timeout interval has expired.  Soft reset always triggers the password prompt to be displayed.

      Palm OS Platforms
Lock interval is based on the native lock interval, which does not function correctly on Palm OS 5.4.  When the lock interval is set, the device locks any time the screen is turned off and then back on.  In addition, the inactivity timeout cannot be disabled on Treos, and its maximum value is 3 minutes.

      iPhone/ iPod touch/ iPad, Windows Mobile, Palm webOS, and Android with TouchDown™ platforms using NotifyLink ActiveSync Solution
Lock interval is based on native lock interval and can be set on the device or can be enforced by security rules sent from the NotifyLink server.

Challenge Timeout

      BlackBerry, Symbian, Palm OS and Windows Mobile Platforms
The NotifyLink Challenge Timeout lock is initiated regardless of inactivity and is intended to challenge the use of the device if it is lost or stolen.  It must be greater than the Inactivity Timeout.

      iPhone/ iPod touch/ iPad, Windows Mobile, Palm webOS, and Android with TouchDown™ platforms using NotifyLink ActiveSync Solution – Not supported

Duress Notification

      BlackBerry, Symbian and Windows Mobile Platforms
If enabled, this option allows the user to activate the duress notification when forced to unlock the device under duress, by entering the password in an altered format (all characters shifted one position to the left, so the first character moves to the end).  EX: If the lock password is “guarddog”, the duress password is “uarddogg”.

A high priority Email notification is sent to the specified Email address with the Subject: “NotifyLink Duress Notification.”  The notification is completely hidden from view.  It does not appear in the Outbox, Sent Items, or Deleted Items folders.

      Palm OS Platforms – Not supported

      iPhone/ iPod touch/ iPad, Windows Mobile, Palm webOS, and Android with TouchDown™ platforms using NotifyLink ActiveSync Solution – Not supported


Device Rules: Password Rules

Device Password Expiration

      BlackBerry, Symbian, Palm OS and Windows Mobile Platforms
If enabled, the user is reminded 15 days prior to expiration that the password will expire in 15 days.  When the password expires, the device locks.  The user must unlock it with the current password and then create a new password at the prompt.  Expiration can range from 30 to 365 days.

      iPhone/ iPod touch/ iPad, Windows Mobile, Palm webOS, and Android with TouchDown™ platforms using NotifyLink ActiveSync Solution – Supported on Android with TouchDown; not supported, but planned for a future release, on iPhone OS, Windows Mobile, and webOS devices.

Device Password History

      BlackBerry, Symbian, Palm OS and Windows Mobile Platforms
If enabled, this feature prevents users from reusing passwords too soon.  The device can be configured to store anywhere from 10 to 100 passwords.  EX: If the number of stored passwords is 10, the past ten passwords cannot be reused.  When the 11th password is created, the oldest stored password becomes available for use again.

      iPhone/ iPod touch/ iPad, Windows Mobile, Palm webOS, and Android with TouchDown™ platforms using NotifyLink ActiveSync Solution – Not currently supported, but planned for a future release


Device Rules: ActiveSync Rules

ActiveSync Rules allow administrators to enforce or disable security policies on ActiveSync devices. 

When enabled, this rule enforces the security policies that are set on the NotifyLink server and are supported by ActiveSync devices.  The rule is enabled by default.

Security policies supported on ActiveSync devices vary by device platform, but may include:  Password Strength, Minimum Password Length, Inactivity Timeout, Wipe on Failed Unlock Attempts, Remote Wipe, and Password Expiration.


Reactive Device Security Options

NotifyLink supports remote WIPE and LOCK executions and local (device) WIPE executions (where applicable).  Remote WIPE and LOCK are controlled via the NotifyLink Administrative Web and work when wireless is on. 

Clear Device - The wipe trigger deletes Email and PIM and locks the device, enabling a password prompt.  (Where applicable, SD card wipe is an option as well.)

Lock Password - The LOCK trigger locks the device, enabling a password prompt, but does not delete Email/PIM.

Remove Mailbox - NotifyLink supports a third remote device security execution that removes the mailbox information from the device and puts NotifyLink into a pre-registration state.

Remote Wipe - This option appears instead of Clear Device and Remove Mailbox when the device associated with the user’s account is an ActiveSync device.


Clear Device / Remote WIPE* (NotifyLink Administrator)

      BlackBerry devices – Email and PIM are deleted

      Palm OS devices – Email and PIM are deleted

      Symbian S60, 3rd Edition OS devices – Email and PIM are deleted

      Windows Mobile devices – Email and PIM are deleted

      iPhone/ iPod touch/ iPad, Windows Mobile, Palm webOS, and Android with TouchDown™ ActiveSync devices – Email, PIM and mailbox account are deleted and the device enters a pre-registration state.  The specifics of how Remote Wipe operates may vary by the model and operating system version of the device.  See device user guides for details.

*In versions 4.5 and later, where applicable, the SD card can be wiped as well (Clear Device and Cards)


Local WIPE, based on failed unlock attempts when Lock is on (device)

      BlackBerry devices – When the password is entered incorrectly 10 consecutive times, the device issues the wipe, which deletes the Email and PIM.

      Palm OS devices – Uses the native security measures and does not do a local wipe based on password attempts.

      Symbian S60, 3rd Edition OS devices – When the password is entered incorrectly 10 consecutive times, the device issues the wipe, which deletes Email and PIM and removes the NotifyLink account.

      Windows Mobile devices (NotifyLink and ActiveSync) – Uses the native security measures.  Native security may do a local wipe, but this depends on what security implementations the OEM customized into the firmware.

      iPhone/ iPod touch/ iPad devices using NotifyLink ActiveSync Solution – Uses the native security measures and does a local wipe based on password attempts for iPhone OS version 3.0 or later.  Device settings reset to their defaults and all information and media is removed by overwriting the data stored in the device.  For iPhone OS version 2.2.1, the device does not actually wipe, but imposes time delays and eventually locks the device, requiring reauthorization through iTunes.

      Palm webOS devices using NotifyLink ActiveSync Solution – Uses the native security measures and does a local wipe based on password attempts.  The wipe deletes all personal information, such as messages, contacts, calendar events and tasks, the Microsoft Exchange ActiveSync account, and any third party applications added. 

      Android devices with TouchDown™ using NotifyLink ActiveSync Solution – Uses the native security measures and does a local wipe based on password attempts.  The wipe deletes the NotifyLink account created via TouchDown and all data synchronized by TouchDown.
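The following Python model is an added illustration, not NotifyLink's own code; it ties together the lock and password rules described above: the duress password formed by shifting the lock password one character to the left, the password-history ring that frees the oldest entry when the 11th password is created, and the local wipe after 10 consecutive failed unlock attempts.  The class and method names, and the return values, are assumptions made for this example.

```python
from collections import deque

# Added illustration, not NotifyLink's own code.  Models the page's rules:
# duress password = lock password rotated one character left ("guarddog" -> "uarddogg"),
# a password-history ring of 10..100 entries, and a wipe after 10 consecutive failed tries.
WIPE_AFTER_FAILED_TRIES = 10      # BlackBerry / Symbian behaviour described under Local WIPE


def duress_form(password: str) -> str:
    """Shift every character one position to the left; the first character wraps to the end."""
    return password[1:] + password[:1]


class DeviceLock:
    """Hypothetical device-side lock state (names are assumptions for this example)."""

    def __init__(self, password: str, history_size: int = 10):
        if not 10 <= history_size <= 100:
            raise ValueError("history size must be between 10 and 100 passwords")
        self.password = password
        self.history = deque([password], maxlen=history_size)  # oldest entry drops off when full
        self.failed_tries = 0
        self.wiped = False
        self.duress_alerts = []   # on a real device: hidden, high-priority notification emails

    def unlock(self, attempt: str) -> str:
        """Return 'unlocked', 'unlocked-duress', 'locked' or 'wiped'."""
        if self.wiped:
            return "wiped"
        if attempt == self.password:
            self.failed_tries = 0
            return "unlocked"
        if attempt == duress_form(self.password):
            # The device unlocks as usual; the notification is recorded but never shown on the device.
            self.failed_tries = 0
            self.duress_alerts.append("NotifyLink Duress Notification")
            return "unlocked-duress"
        self.failed_tries += 1           # only consecutive failures count toward the wipe
        if self.failed_tries >= WIPE_AFTER_FAILED_TRIES:
            self.wiped = True            # Email and PIM would be deleted at this point
            return "wiped"
        return "locked"

    def change_password(self, new_password: str) -> bool:
        """Reject any password still held in the history ring, otherwise rotate it in."""
        if new_password in self.history:
            return False
        self.history.append(new_password)
        self.password = new_password
        return True
```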


Remote Removal of NotifyLink Mailbox (NotifyLink Administrator)

      BlackBerry devices – Email and account information are wiped from the device

      Palm OS devices – Email and account information are wiped from the device

      Symbian S60, 3rd Edition OS devices – Email and account information are wiped from the device

      Windows Mobile devices – Email and account information are wiped from the device

      iPhone/ iPod touch/ iPad, Windows Mobile, Palm webOS, and Android with TouchDown™ devices using the NotifyLink ActiveSync Solution – Mailbox removal is not a separate option.  The Remote Wipe option removes the mailbox account along with Email and PIM.


Remote LOCK (NotifyLink Administrator)

Device platforms which support remote lock use the password set in NotifyLink’s Device IT Policy: Lock Settings as the LOCK password.

      BlackBerry devices – The entire device is locked by the NotifyLink application.  The native BlackBerry security is not used.

      Palm OS devices – The entire device is locked, integrated with the native Palm OS security.

      Symbian S60, 3rd Edition OS devices – Only the NotifyLink application is locked.  The native Symbian OS security is not used.

      Windows Mobile devices – The entire device is locked, integrated with the native Windows Mobile OS security.

      iPhone/ iPod touch/ iPad, Windows Mobile, Palm webOS, and Android with TouchDown™ devices using NotifyLink ActiveSync Solution – Not supported.


More:

Implementation Guidelines: Preventing/Managing Device Breaches