Introduction
The Standard for ISU Email Security for Mobile Devices defines the centrally enforced security device policies required for use of ISU email on personal and ISU-owned mobile devices by ISU faculty, staff, and affiliates. These device policies are required in order for ISU to comply with both the Family Educational Rights and Privacy Act (FERPA) and Indiana Code (IC) 4-1-10.
Restricted or Highly Restricted Data should NEVER be downloaded to a personally owned device.
ActiveSync is a Microsoft synchronization protocol that lets ISU staff and faculty use mobile devices to access ISU’s email systems. Outlook is the recommended and supported mobile email appication for accessing ISU email. Many modern email applications support these features, however our integration with Microsoft tools ensure that a higher level of service can be provided for those who use the recommended application.
Outlook for iOS and Android supports the following mobile device mailbox protection policy settings for mobile devices:
- Minimum password length
- Password enabled
- Screen lock time-out enforcement
- Device encryption enabled
PIN and Screen Lock
This standard requires devices to be locked with a password/PIN or facial recognition allowing users to synchronize ISU email. Outlook will enforce this policy at the device level. This works differently between iOS devices and Android devices, based on the available controls provided by Apple and Google.
On iOS devices, such as iPhones, Outlook checks to make sure a passcode or PIN is properly set. In the event a passcode is not set, Outlook prompts users to create a passcode in iOS settings. Until the passcode is setup, the user will be unable to access Outlook for iOS.
Note: Screen/Pattern Swipe is not an acceptable security measure. It is the least secure mobile authentication protection, and can be easily bypassed.
On Android devices, Outlook will enforce screen lock rules.
Per best-practice, after a 15 minute period of inactivity, the normal device lockscreen will appear and prompt for the user PIN to unlock the device.
iOS and Android devices that do not support these password security settings will not be able to connect to a mailbox.
Device encryption
iOS devices are shipped with built-in encryption which Outlook uses once the passcode is enabled to encrypt all the data Outlook stores locally on the iOS device. Therefore, iOS devices with a PIN are encrypted whether or not this is required by an ActiveSync policy.
Outlook for Android supports device encryption via mobile device mailbox policies. However, prior to Android 7.0, the availability and implementation of this process varies by Android OS version and device manufacturer, which allow the user to cancel out during the encryption process. With changes that Google introduced to Android 7.0, Outlook for Android is now able to enforce encryption on devices running Android 7.0 or later. Device encryption is required for university email use on mobile devices that support it.
Even if an attacker is in possession of an encrypted device, as long as a device PIN is enabled, the Outlook database remains inaccessible. This is true even with USB debugging enabled and the Android SDK installed. If an attacker attempts to root the device to bypass the PIN to gain access to this information, the rooting process wipes all device storage and removes all Outlook data. If the device is unencrypted and rooted by the user prior to being stolen, it is possible for an attacker to gain access to the Outlook database by enabling USB debugging on the device and plugging the device into a computer with the Android SDK installed.
Device wipe with ActiveSync
ActiveSync enables administrators to remotely wipe devices, such as if they become compromised or lost/stolen. With Outlook for iOS and Android, a remote wipe only wipes data within the Outlook app itself and does not trigger a full device wipe.
The same is true if the screenlock PIN is entered too many times. Per best practice, 8 failed PIN entries will trigger a device wipe of the data with the Outlook app, but again does not trigger a full device wipe.
The User Experience
For ANDROID phones:
When Active-Sync Security is enabled on a user’s mobile device, the following appears:
Granting Outlook “device administrator” access is necessary to enhance the security configuration of the mobile device for accessing ISU email.
The security measures, as outlined by this KB, are summarized on-screen to the user. Select “Activate this device admin app.” to continue.
Outlook’s Device Admin will not erase “all the phone’s data”, as stated. The Outlook app will reset and all ISU Outlook email, calendar, contacts, and file data will be removed, but no other data is wiped from the device. This has been tested and verified. Other email accounts being sync'd to the device, such as Gmail, Yahoo, etc. will NOT be removed.
If this occurs, the device is left in a normal state, but the Outlook account must be setup again with your ISU credentials. Your emails WILL NOT be deleted from the ISU Email server.
For iPhones:
When Active-Sync Security is enabled on a user’s mobile device, if the device is already configured with a screenlock and PIN/Password/Biometric unlock, no behavior is noticeable.
If the screenlock and passcode is not set, or if it is disabled, this appears on the iPhone screen:
Follow the on-screen wizard to complete the setup of a passcode and connect to ISU's email system.