If the mobile devices on your network run Windows Mobile 6.x, they can benefit from the security mechanisms built in, which include the following:
- Password protection: Windows Mobile devices give you the option of using a simple 4 digit numerical PIN or an alphanumeric password up to 20 characters in length, which can be comprised of upper and lower case letters, numbers and symbols. The device should be set to lock after a reasonable period of time following power-down (you can set a Windows Mobile device for a password prompt after 0 minutes to 24 hours). You can even configure the local device-wipe feature to do a hard reset and remove all the user data if the wrong PIN or password is entered more than a specified number of times.
- Support for digital certificates: Windows Mobile can use digital certificates to control which applications are allowed to run based on the digital signature.
- Certificate based authentication: For better security, Windows Mobile supports authentication using Transport Layer Security (TLS) with an encryption key up to 2048 bits. Desktop Enrollment is performed by connecting the Windows Mobile device to a PC in the domain where the certificate server resides. The certificate is installed on the mobile device through the PC
- Local data encryption:
- You have even more control over mobile device security if your network runs Exchange Server 2007. Here’s how this combination can address the issues raised above:
- Password protection: With Windows Mobile 6, Local Authentication Plug-ins can be used to allow Exchange Server to enforce password policies such as length, strength and history. For example, if you allow 4 digit PINs, you can enable pattern recognition that will prevent users from using simple PINs such as “1234.” Or you can prevent the use of PINs and require passwords of a specified length and strength. You can set expiration periods for passwords and you can prohibit reusing previous passwords.
- Digital certificates: Windows Mobile can use digital certificates for network authentication, whereby the Exchange server checks the mobile device’s root certificate in order to create an SSL connection so that communications between the server and device are encrypted.
- Remote wipe: You can perform a remote wipe of the Windows Mobile device via Exchange synchronization or Outlook Web Access (OWA). All user data, keys and passwords and configuration settings are overwritten.
- Storage card protection: With Windows Mobile 6, you can encrypt the data on the storage card. When you do so, it can be read only on the device that encrypted it. This can be done via Exchange Server 2007 policies so that it can be controlled by the administrator, not left up to the user. Exchange Server 2007 can also perform a remote wipe of the storage card.
- Propagation of policies: Enterprise policies can be delivered to Windows Mobile devices when they synchronize with the Exchange server. Devices that do not comply with policies will not be allowed to synchronize with Exchange.
Microsoft’s System Center Mobile Device Manager can make it much easier to manage a large number of Windows Mobile 6.1 devices. It is integrated to work with Active Directory/Group Policy and can provide secure always-on VPN access from mobile devices. Administrators have control over the devices and can disable Bluetooth, Infrared, WLAN, POP/IMAP email and built-in cameras for better security. You can also enable full file encryption, track inventory data for all devices, and perform immediate remote wipes if a device is lost or stolen (without waiting for the device to sync with the server).