Protect Mobile Devices (Smartphone, iPad, or Other Tablet)


Best practices for everyone (students, faculty, and staff):
Although these are requirements for employees handling sensitive information, it is also good practice to configure all devices in this way for extra protection against loss or theft.

Definition of mobile handheld devices: Any handheld device that operates to hold, store, process, and access data, including smartphones, cellphones, tablets, or personal digital assistants (PDAs) used to conduct university business.

Note: All requirements and considerations relate to Policy 5.10, Information Security

Best Practices for All Mobile Handheld Devices

  • Avoid keeping confidential data or otherwise sensitive information on mobile devices, because they are more likely to be lost or stolen and harder to encrypt.
  • Keep software updated, since mobile devices are vulnerable to direct attacks from both malware (viruses, etc.) and phishing.
    Warning: Antivirus and personal firewalls are currently unavailable for mobile phones.
  • Delete any text you receive with passwords or other sensitive information.
  • Only install apps from trusted sources. Apps can host malware that will expose your passwords, credit card numbers, or anything else you type into your mobile device.
  • Turn off Wi-Fi and Bluetooth if you aren't using them. Enabled wireless features can give attackers a path for remote access.
  • If you do use Wi-Fi, only do so on secure networks that require a password, such as eduroam.
  • Back up your data to minimize the chances of losing everything should your device be lost or stolen, or need to be wiped completely due to a virus or other security breach.
  • Avoid sharing mobile devices. Personal mobile devices are not designed to support multiple users and can't be set up to protect you from risk caused by other people's activities.
  • Cornell’s Office 365 service for faculty and staff makes it possible for some mobile devices to be wiped or disabled remotely.

Requirements for All Mobile Handheld Devices

Required:

Any handheld device that is used in conjunction with Cornell activities, including retrieval of email or calendar data, must be configured so that it can be locked or erased if it is lost or stolen.

Recommended: 

  1. Configure the device to lock the console after a period of inactivity no greater than 30 minutes, with a password required to unlock the device. Use of the simple numeric code that is an option on some devices is discouraged.
  2. Configure the device to erase all data after not more than ten failed attempts to enter the password.

Requirements for Mobile Handheld Devices that Hold, Store, Process, or Access Confidential Data

Required:

  1. Any handheld device that is used in conjunction with Cornell activities, including retrieval of email or calendar data, must be configured so that it can be locked or erased if it is lost or stolen.
  2. Configure the device to erase all data after not more than ten failed attempts to enter the password.
  3. The password required to unlock the device must meet or exceed the password complexity requirements outlined for NetID passwords in University Policy 5.8, Authentication to Information Technology Resources.
  4. The window of inactivity after which the device must automatically lock becomes 15 minutes.
  5. The device, or the data in question, must be encrypted. If encryption is not supported, the device cannot store confidential data.

How-to Details for Device Types

Apple iOS

Set a passcode

This also enables encryption on the iPhone 3G and newer hardware running iOS 4 or newer.

How to:
  1. Tap Settings.
  2. Tap General.
  3. Tap Passcode Lock.
  4. Tap in a passcode. The passcode must be at least 4 characters in length.
  5. Tap in the same passcode.
Required: Yes

Set automatic lock

How to:
  1. Tap Settings.
  2. Tap General.
  3. Tap Auto-lock.
  4. Tap 30 Minutes or select another value.
    Lower values are more secure.
Required: Yes. For confidential data, use 15 minutes or less.

Configure remote lock/wipe

How to:
  1. This is already enabled if your device is configured for Cornell email using ActiveSync. This can be executed using OWA in Options > Mobile Devices or by request from an Exchange administrator.
  2. Register for Apple iCloud at the iCloud website. This must be done before the device is lost or stolen.
Required: Yes

Disable simple passcodes

How to:
  1. Tap Settings.
  2. Tap General.
  3. Tap Passcode Lock.
Required: Yes, for confidential data

Disable lock grace period

The grace period allows the device to be unlocked after auto-locking without providing an unlock code.

How to:
  1. Tap Settings.
  2. Tap General.
  3. Tap Passcode Lock.
  4. Tap Require Passcode.
  5. Tap Immediately.
Required: Yes, for confidential data

Erase data on excessive passcode failures

Will erase the device after 10 failed attempts.

How to:
  1. Tap Settings.
  2. Tap General.
  3. Tap Passcode Lock.
  4. Turn on Erase Data.
Required: Yes, for confidential data

Encrypt device backups through iTunes

How to: In iTunes, with the device connected, check "Encrypt [devicetype] backup" under Options and select a strong password.
Required: Yes, for confidential data

Configure location services for lost/stolen devices

How to: Register for Apple iCloud at the iCloud website. This must be done before the device is lost or stolen.
Required: No, but recommended

Google Android

The exact process for activating security features will vary from device to device and between versions of the operating system. The instructions here are provided for reference only and will not be applicable to all devices. It is recommended that you follow the instructions contained in the operating manual for the device where possible.

Set a passcode (screen lock)

How to:
  1. Press Menu.
  2. Tap Settings.
  3. Tap Security.
  4. Tap Screen Lock.
  5. Choose PIN or Password as the mechanism to unlock the device.
  6. Enter PIN or password of your choice.
Required: Yes. For confidential data, a password is required. Do not use a PIN.

Set automatic lock

How to:
  1. Press Menu.
  2. Tap Settings.
  3. Tap Security.
  4. Tap Automatically Lock.
  5. Tap 30 Minutes or select another value.
    Lower values are more secure.
Required: Yes. For confidential data, use 15 minutes or less.

Enable device encryption

How to:
  1. Press Menu.
  2. Tap Settings.
  3. Tap Security.
  4. Tap Encryption.
  5. Tap Encrypt Device.
Required: Yes, for confidential data

Configure remote lock/wipe

How to:
  1. This is already enabled if your device is configured for Cornell email using ActiveSync. This can be set in Outlook for the Web in Options > Mobile Devices.
  2. Install a 3rd party app.
    Free applications with this functionality include Sophos Mobile Security and AVG AntiVirus.
Required: Yes, for confidential data

Configure location services for lost/stolen devices

How to: There is no native functionality for this; therefore a 3rd party app must be installed. Free applications with this functionality include Sophos Mobile Security and AVG AntiVirus.
Required: No, but recommended

Windows Phone 8

Set a passcode

How to:
  1. Tap Settings.
  2. Tap Lock Screen.
  3. Slide Password.
  4. Enter and confirm password.
Required: Yes

Set automatic lock

How to:
  1. Tap Settings.
  2. Tap Lock Screen.
  3. Tap Require a password after.
  4. Enter 30 Minutes or another value.
    Lower values are more secure.
Required: Yes. For confidential data, use 15 minutes or less.

Configure remote lock/wipe

How to:
  1. This is already enabled if your device is configured for Cornell email using ActiveSync. This can be set in Outlook for the Web in Options > Mobile Devices.
  2. Use the MyPhone menu in Windows Live.
    Windows Live is configured at time of activation.
Required: Yes, for confidential data

Configure location services for lost/stolen devices

How to: Use the MyPhone menu in Windows Live. Windows Live is configured at time of activation.
Required: No, but recommended

BlackBerry 10

Set a passcode

How to:
  1. Tap Settings.
  2. Tap Security and Privacy.
  3. Tap Device Password.
  4. Swipe to On position.
Required: Yes

Set automatic lock

How to:
  1. Tap Settings.
  2. Tap Security and Privacy.
  3. Tap Device Password.
  4. Tap Lock Device after Screen Lock.
Required: Yes, for confidential data

Configure remote lock/wipe

Requires a BlackBerry ID.

How to:
  1. Tap Settings.
  2. Tap BlackBerry Protect.
  3. Swipe to On position.
Required: Yes, for confidential data

Enable device encryption

How to:
  1. Tap Settings.
  2. Tap Security.
  3. Tap Encryption.
  4. Swipe Device Encryption to the On position.
  5. Swipe Media Card Encryption to the On position.
    Decrypt or back up your media card files prior to a security wipe. The contents will be unrecoverable after the encryption key is deleted.
Required: Yes, for confidential data

Configure location services for lost/stolen devices

How to: Use BlackBerry Protect. Requires a BlackBerry ID.
Required: No, but recommended
