OUHSC Information Technology Department



"Secure Mobile" for OUHSC Exchange

Frequently Asked Questions (FAQ)

Introduction

These Frequently Asked Questions (FAQs) are designed to address general questions from faculty, staff and students about membership in "Secure Mobile" for OUHSC Exchange.

General Questions
  1. What does membership in “Secure Mobile” for Exchange provide?

  2. Do I have to enroll in Secure Mobile?
  3. What are the "Secure Mobile" baseline security settings for mobile devices connecting to Exchange?
  4. How can the baseline security settings protect information on my mobile device?
  5. Why should I encrypt my mobile device?
  6. What type of mobile device and operating system should I use to meet the government standard for encryption to "secure" data?
  7. What can I do if I have a device which is not validated to meet the government standard for encryption?
  8. How much does it cost to encrypt my mobile device?
Enrollment Questions
  1. How do I enroll in "Secure Mobile"?
  2. What should I do to prepare my device for "Secure Mobile"?
  3. How will I know my Exchange account is a member of "Secure Mobile"?
Password Questions
  1. Can I choose my own device password?

  2. What if I want a longer or more complex passcode on my device?
  3. What happens if I forget my password?
  4. What happens when your OUHSC network/email password has to be changed?
Technical Questions
  1. How long does it take to encrypt my mobile device?
  2. Will my mobile act differently after it has been encrypted?
Screen Saver (Autolock) Questions
  1. What if I want a shorter “Autolock” than 15 minutes on my device?
Privacy Questions
  1. Will "Secure Mobile" Exchange ActiveSync settings allow an IT administrator to view activity on my device?

  2. Will "Secure Mobile" Exchange ActiveSync settings allow IT to track the location of my device?
Remote Wipe Questions
  1. What about the remote wipe capability?  Should I remote wipe my device if it is lost or stolen?

Removing Security Setting Questions
  1. How can I remove the security settings from my device when I leave the University?
Android Specific Questions
  1. Is the SD card in the Android devices encrypted when the EAS policy is pushed to the device? If so, how do you use that card on other devices i.e. computers, TVs, etc.?
iPhone Specific Questions
  1. Will the TouchID function continue to work on the iPhone with Secure Mobile policies?
Application Specific Questions
  1. If we use our personal phone for University business and move forward with this level of protection will it affect the way any of our personal apps (Facebook etc.) perform?

 

General Questions

Q1: What does membership in “Secure Mobile” for Exchange provide?

A1: Membership in “Secure Mobile” provides automated configuration of baseline security settings on mobile devices (iPhones, iPads, Androids, etc.) that synchronize with the OUHSC Exchange server.  These security safeguards applied to a Federal Information Processing Standards validated (FIPS 140-2) device provide the enhanced data privacy and security required to “secure” data stored on the device.  “Secure” data is protected against unauthorized access when the device is lost or stolen.  All these safeguards can combine to provide a safe harbor from breach notification laws and associated penalties.

Q2: Do I have to enroll in Secure Mobile?

A: Smartphones and mobile devices used for University business must be enrolled in Secure Mobile.  Secure Mobile enrollment is automated on mobile devices by establishing an ActiveSync connection with the OUHSC Exchange server (webmail.ouhsc.edu) for email synchronization.

Q3: What are the "Secure Mobile" baseline security settings for mobile devices connecting to Exchange?

A: Baseline Device Security Settings are listed below.

  • Device Passcode – A passcode setting of at least four (4) numbers or letters will be set. Smartphone users will be responsible for setting and remembering their device passcode. OUHSC technical support will not be able to recover a forgotten passcode on a Smartphone.  The user may have to reset their device to factory defaults and lose all locally stored data if they forget their passcode and have not backed up their data.
  • Encryption of data stored on the device – An industry standard encryption mechanism must be implemented for all data stored locally on the device including removable media and backups.
  • Password-Protected Screen Saver – Password-protected screen saver will be configured to automatically lock the screen after a maximum of fifteen (15) minutes of inactivity and will require a passcode to unlock the device.
  • Local data wipe for failed login attempts – A setting which implements a local data wipe after 10 failed authentication attempts.
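
One way an Exchange administrator could confirm that the ActiveSync policies in force meet the baseline listed above. This is an added example, not OUHSC's own script; the mapping of the baseline onto `Get-MobileDeviceMailboxPolicy` property names and the two sample policies are assumptions made for illustration.

```powershell
# Added example, not OUHSC code. Baseline values come from A3 above; the mapping
# to these Exchange policy properties is an assumption made for illustration.
$Baseline = @{
    MinPasswordLength         = 4                            # "at least four (4)"
    MaxInactivityTimeLock     = [TimeSpan]::FromMinutes(15)  # "maximum of fifteen (15) minutes"
    MaxPasswordFailedAttempts = 10                           # "after 10 failed authentication attempts"
}

function Test-SecureMobileBaseline {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Policy)
    process {
        $findings = @()
        if (-not $Policy.PasswordEnabled)         { $findings += 'passcode not required' }
        if (-not $Policy.RequireDeviceEncryption) { $findings += 'device encryption not required' }

        # MinPasswordLength is $null when unset; casting the empty string to [int] gives 0.
        if ([int]"$($Policy.MinPasswordLength)" -lt $Baseline.MinPasswordLength) {
            $findings += "minimum passcode length below $($Baseline.MinPasswordLength)"
        }
        # Exchange reports 'Unlimited' when no limit is set, which never meets the baseline.
        $lock = "$($Policy.MaxInactivityTimeLock)"
        if (($lock -in 'Unlimited', '') -or ([TimeSpan]$lock -gt $Baseline.MaxInactivityTimeLock)) {
            $findings += 'auto-lock longer than 15 minutes or unlimited'
        }
        $tries = "$($Policy.MaxPasswordFailedAttempts)"
        if (($tries -in 'Unlimited', '') -or ([int]$tries -gt $Baseline.MaxPasswordFailedAttempts)) {
            $findings += 'more than 10 failed attempts allowed before local wipe'
        }
        [pscustomobject]@{
            Policy    = $Policy.Name
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings -join '; '
        }
    }
}

# Constructed sample policies (not real OUHSC data), shaped like Get-MobileDeviceMailboxPolicy output.
$samples = @(
    [pscustomobject]@{ Name = 'Constructed-Baseline'; PasswordEnabled = $true; RequireDeviceEncryption = $true
                       MinPasswordLength = 4; MaxInactivityTimeLock = '00:15:00'; MaxPasswordFailedAttempts = 10 }
    [pscustomobject]@{ Name = 'Constructed-Unset'; PasswordEnabled = $false; RequireDeviceEncryption = $false
                       MinPasswordLength = $null; MaxInactivityTimeLock = 'Unlimited'; MaxPasswordFailedAttempts = 'Unlimited' }
)
$samples | Test-SecureMobileBaseline | Format-List
# Against a live organization: Get-MobileDeviceMailboxPolicy | Test-SecureMobileBaseline
```

The first sample reports as compliant; the second lists all five gaps, including the unset limits that Exchange shows as `Unlimited`.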

Q4: How can the baseline security settings protect information on my mobile device?

A: Baseline security settings such as a device passcode and encryption protect information on your mobile device by preventing unauthorized access when your device is lost or stolen.

When your device is locked and your password is secret, no one else is able to access your information or applications. Only the individual who knows the device passcode is able to access locally stored data and applications on your locked device.

This measure is necessary to ensure the highest level of protection for University information, including but not limited to patient information, and to meet regulatory requirements for mitigating the risks to the University and its employees, should a mobile device be lost or stolen.

Many people receive sensitive or protected information in their University e-mail, and that information will be copied to their mobile device if it is synchronized with Exchange. That is why baseline security settings are required for mobile devices that synchronize University data with Exchange.

Q5: Why should I encrypt my device?

A: Baseline security settings such as encryption can protect you or your department from a data breach with potential fines of $1.5 million per incident, criminal jail time of up to 10 years as well as civil liability.  State and Federal laws (Data breach notification, HIPAA, HITECH, etc.) require the protection of certain data and hold individuals as well as organizations responsible for implementing security to protect data from unauthorized access in the event of theft or loss of a device containing certain classes of sensitive data.

The Federal government and State of Oklahoma consider properly encrypted data as “secure”. Encryption is a safeguard that prevents a reportable data breach when an encrypted mobile device is lost or stolen.

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html and Federal Register/Vol. 74, No. 79/Monday, April 27, 2009/Rules.

Q6: What type of mobile device and operating system should I use to meet the government standard to "secure" data?

A: Several popular smartphone and tablet device cryptographic modules are validated to comply with the Federal Information Processing Standard (FIPS 140-2) for encryption. See the table below: 

| Platform | Device | Software |
|---|---|---|
| Apple | iPhone, Touch, iPad | iOS 8.0 and above |
| RIM | Blackberry devices | Blackberry OS 10.3 and above |
| Samsung | Galaxy Phones; Galaxy Tablet (single-user mode); Galaxy Note (single-user mode) | Android 4.1 and above; Android KitKat 4.4.1 and above |
| Windows Phone (single-user mode) | Microsoft Windows Phone (ARMv7 Thumb-2); Surface | Microsoft Windows Phone 8.1 BitLocker® and above |

Q7: What can I do if I have a device which is not validated to meet the government standard for encryption?

A: Use your device web browser to connect to Outlook Web Access (OWA) at https://webmail.ouhsc.edu/owa/ to view your e-mail, calendar, contacts, etc. without copying University data to your device.  Ordinary viewing of Exchange mailbox items from Outlook Web Access does not copy University data from the server to the device.  Be sure you delete any “Exchange” e-mail connections from your device configuration and do not download and store e-mail attachments to your device unless the device uses a government validated encryption technology and has OUHSC Baseline Security settings applied.

Q8: How much does it cost to be a member of Secure Mobile?

A: Membership in "Secure Mobile" is free to faculty, staff and students at OUHSC.

Enrollment Questions

Q9: How do I enroll in "Secure Mobile"?

A: As of August 4, 2015 all OUHSC Exchange email user accounts were enrolled in "Secure Mobile". "Secure Mobile" policies are applied to mobile devices when the user configures their device to synchronize with the OUHSC Exchange email server. If you are configuring a new device to synchronize with Exchange see Q10 below.

Q10: What should I do to prepare my device for "Secure Mobile"?

  • Back up your device so that you will be able to restore any locally stored data if a factory reset is required.
    • How should I back up my iPhone?
      • See http://support.apple.com/kb/ht1766 and choose the iTunes backup method with encryption. See note below.
      • Note: OUHSC does not recommend using iCloud for backups.  It is possible that you have sensitive University data on your phone, such as HIPAA “Protected Health Information” or student data that requires special protection and should NOT be stored on iCloud.  Additionally, iCloud Backup does not back up music, movies, and TV shows that you did not purchase from the iTunes Store, or any podcasts, audio books, or photos that you originally synced from your computer.
    • For other types of mobile devices follow the owner's manual instructions on how to back up your device.
  • Upgrade your device operating system to the latest version. (This is currently a recommendation, not a requirement).
  • For Androids make sure your device is fully charged and you plug it into a power source during the encryption process.

Q11: How will I know my Exchange account is a member of "Secure Mobile"?

A: When your Exchange account is made a member of the "Secure Mobile" group then the next time your mobile device synchronizes with Exchange the new baseline security settings will be applied. If your device has a missing security setting, such as a passcode, you will be prompted to set up a passcode on your device. You will have a window of 60 minutes to cancel the dialog and do other things. After that 60 minutes is up, the only thing you will be able to do on the device is set a new passcode. Once this setting is in place you will notice the option to turn off the setting is not available (greyed out).

Password Questions

Q12: Can I choose my own device password/passcode?

A: Smartphone users will be responsible for setting and remembering their device passcode. Exchange does not have the capability of recovering forgotten passcodes for mobile devices.

Q13: What if I want a longer or more complex passcode on my device?

A: You can choose any passcode length or complexity that your mobile device supports.

Q14: What happens if I forget my password?

A: If you forget your mobile device passcode, follow the manufacturer's instructions to reset the device to the original factory settings. Resetting to factory settings deletes all locally stored data and will require restoring from a previously made backup to recover the data.

Q15: What happens when your OUHSC network/email password has to be changed?

A: If you change your OUHSC network/email password then your mobile device should prompt you to change the Exchange account password to match your new password.  You can perform this manually through your device email settings.  The “Secure Mobile” group membership does not affect Exchange email password settings.

Technical Questions

Q16: How long does it take to encrypt my mobile device?

A: For iOS devices like iPhones and iPads the encryption process occurs immediately once the password and baseline security policies are applied.  For other device types it usually takes about 1-3 hours to encrypt the device depending upon the size of the storage.  Be sure you have your Android device fully charged or plugged into the charger during the encryption process.

Q17: Will my mobile act differently after it has been encrypted?

A: On most devices which have been manufactured since 2012 you should not notice any differences after encryption is applied.  Older devices may run slower after encryption is applied. Some iPhone users have reported that personal ringtones associated with contacts will need to be re-enabled after the baseline Exchange security settings are applied.

Screen Saver (Autolock) Questions

Q18: What if I want a shorter “Autolock” than 15 minutes on my device?

A: Apple has set the maximum timeout for “Autolock” on an iPhone to 5 minutes while an iPad can be set to 15 minutes. This is an Apple setting that cannot be changed by Exchange settings.

Privacy Questions

Q19: Will these Exchange ActiveSync policies allow an IT administrator to view activity on my device?

A: No, security settings from Exchange do not provide additional monitoring features or capabilities for an IT administrator. In fact, since the settings enable device encryption, only the individual who knows the device passcode is able to access locally stored data. So your locally stored data is protected from unauthorized access if the device is locked.

Q20: Will "Secure Mobile" Exchange ActiveSync settings allow IT to track the location of my device?

A: No, "Secure Mobile" ActiveSync settings do not enable GPS or other options which can be used to track the location of a mobile device. Users may choose to enable GPS and applications such as "Find My iPhone" that use GPS to track device location. GPS location data and tracking applications are not available to nor supported by OUHSC IT.

Remote Wipe Questions

Q21: What about the remote wipe capability?  Should I remote wipe my device if it is lost or stolen?

A: Remote wiping a device after it is lost or stolen does not meet the government requirement to “secure” data on the device.  There is no guarantee that the remote wipe command will be successful in wiping the data.  Issuing the remote wipe command is up to the individual user. 

Removing Security Setting Questions

Q22: How can I remove the security settings from my device when I leave the University?

A: After you delete the OUHSC Exchange email account from your device you can change any of the security settings and can decrypt your device.  Removing the OUHSC Exchange account from your device will also delete the Exchange data such as email, calendar, contacts, notes, tasks etc.  Be sure you remove any manually stored University data from your device when you leave the University.

Android Specific Questions

Q23: Is the SD card in the Android devices encrypted when the EAS policy is pushed to the device? If so, how do you use that card on other devices i.e. computers, TVs, etc.?

A: At this time external media such as an SD card is not encrypted.

iPhone Specific Questions

Q24: Will the TouchID function continue to work on the iPhone with Secure Mobile policies?

A: Yes, the TouchID function will continue to work on the iPhone after Secure Mobile policies are applied.

Application Specific Questions

Q25: If we use our personal phone for University business and move forward with this level of protection will it affect the way any of our personal apps (Facebook etc.) perform?

A: Exchange ActiveSync security settings for "Secure Mobile" do not affect device application settings.