WM Security Settings Policy

Top  Previous  Next


This section only applies to Windows Mobile 5.x/6.x devices that are using the mSuite Framework client.


Note: Please be sure to read the Notes relating to CommonTime encryption on WM5 and 6.0 devices below.


Editing an existing policy

You can edit an existing policy by expanding the navigation tree, under the node Policies, select Security Settings.  The action pane will display all of the security policies that are defined.  By default there is a single policy Default Security Policy.  Right mouse click the name of the policy that you want to modify in the action pane and then select Configuration Wizard...


Creating a new policy

To create a new policy, expand Policies and select Security Settings in the navigation tree then right mouse click an existing policy in action pane.  Select All Tasks > Copy settings to new policy... then enter the Name of the new policy and click OK.  The new policy is created as a clone of the existing policy - to change the settings in the new policy, follow the instructions for Editing an existing policy above.


Defining the Policy

In either case, the Policy Management Wizard will run to allow you to define the policy.


1.Press Next on the Welcome screen and again on the Policy Name screen.
2.On the Windows Mobile Policy Settings page of the wizard, set up the required policy elements.  To lock an element, right mouse on the node in the Security Policy window.  The icon in the tree will change to reflect the lock status.
3.Select Password Policy to set/change any of the following:
a)Security Module - you have the choice between the standard Microsoft or CommonTime Local Authentication Plugin (LAP).
For WM5 and 6.0 devices, choosing CommonTime will enable mail encryption for mSuite (Lotus Notes) mail accounts.  Mail will not be encrypted if Microsoft is selected.
For WM6.1 and later devices, do not choose CommonTime - it is not supported on these devices.  Instead choose Microsoft and use the Encryption Policy to encrypt mail and any other data on the device.
b)Min Password Length - this is the minimum length that a Password is allowed to be.  Only applies if Password Type is set to Strong Alphanumeric.  A Simple PIN is always a minimum of 4 digits.
c)Password Type - choose from Simple PIN or Strong Alphanumeric.
d)Inactivity Timeout - choose the required time, the device will lock and prompt the user provide the PIN or Password if the device is idle for this period of time.
e)Complex Elements - this only applies if the Password Type is set to Strong Alphanumeric.  This specifies the minimum number of different types of 'Complex elements' in the password. The different types of 'Complex elements' are: - uppercase letters - lowercase letters - numbers - punctuation.  So if you specify 4, the password must contain uppercase, lowercase, numbers and punctuation.
f)Codeword Frequency - the number of failed attempts before the user is prompted to enter the fixed codeword 'a1b2c3'.  This prevents the device being wiped as a result of a series of accidental key presses.
g)Device Wipe Threshold - this specifies the number of failed password/PIN attempts before the device is wiped.
h)Lock on Resume - set this you Yes if you want the device to security lock when you manually lock the device.


4.Select Encryption Policy to enable encryption for WM 6.1 and later devices.  This has no effect on WM6.0 or earlier devices:
a)Encrypt Storage Card - choose Yes to encrypt all new files added to a storage card.  Existing unencrypted files will not be encrypted.
b)Main Memory Encryption - choose Yes to encrypt all files in main memory.  This will enforce a password on the device.
5.Once the policy is configured, click Next.
6.Optionally configure the Symbian S60 Policy Settings then click Next.
7.Click Finish to complete the wizard.



Notes relating to CommonTime encryption on WM5 and 6.0 devices:


Only mNotes mail accounts will be encrypted. They are AES256 encrypted with the Bulk Encryption Key.
If the CommonTime LAP is NOT active then mail is NOT encrypted.
If the CommonTime LAP is active and the Password Policy is Not Set then the Bulk Encryption Key is 3DES encrypted with the local machine system master key. Mail is encrypted.
If the CommonTime LAP is active and and the Password Policy is Locked then the Bulk Encryption is 3DES encrypted with the local machine system master key and a SHA1 hash of the password.  Mail is encrypted.  This provides the highest level of security.


Deploying the Policy to a Group of Users or an Individual User

To deploy a new Security Settings policy or change the currently deployed policy, expand the Administration node in the navigation tree, expand Users and Groups until you can see the user or group that you want to apply the policy to.



Deploying to a Group

1.In the navigation tree, right mouse click the group that you want to deploy to and then select Properties.
2.Select the Policies tab and select the policy from the drop down list.
3.Click Apply then click OK.

Users in the group will receive the new/changed policy next time their device performs a device management session - by default, this is once a day.


Deploying to a User

1.In the action pane, right mouse click the user that you want to deploy the policy to and the select Properties.
2.Check Show Advanced to display the advanced properties - this is sticky, once you have checked this it will remain checked until you choose to hide the advanced properties again.
3.Select the Policies tab and select the policy from the drop down list.
4.Click Apply then click OK.



Page url: http://msuitehelp.commontime.com/index.html?ct_wm_device_security_policy.htm