Securing Your Mobile Devices
General Best Practices
- Use a passcode/passphrase/pattern to lock the device after inactivity — typically no more than 10 minutes of inactivity should trigger this.
- Encrypt the device if the option is available, using the strongest encryption available (minimum 128-bit). If encryption is unavailable, never store highly confidential data on the device.
- When choosing between unsecured Wi-Fi and cellular data service, always opt for the cellular data service, as it is typically significantly more secure than unsecured Wi-Fi. If accessing sensitive/protected data, never use unsecured Wi-Fi unless you have access to a VPN client.
- Use FortiClient VPN if the device will support it.
- Report stolen/lost devices as soon as possible. Note your device serial number, electronic serial number (e.g., IMEI, MEID or ESN), and other identifying information for your own records and to facilitate law enforcement or other recovery. Marquette tracks this for university-supported devices.
- Utilize remote wipe capabilities if possible.
- Carefully select applications to install on the device, taking into account the type of data the application will access, whether or not the application is believed to be secure, and whether or not the vendor typically collects information from users through the application (leading to possible data leakage).
- Avoid use of Remote Desktop programs via a mobile device.
- Disable options and applications that you do not use.
- If Bluetooth is enabled, do not allow the device to be discovered automatically, and secure it with a password to prevent unauthorized access.
- Never leave the mobile device unattended.
- Use anti-malware software if supported.
- Regularly back up data, preferably in an encrypted fashion.
- Update the device’s software per the manufacturer’s instructions. Updates typically fix security holes and improve device functionality.
- Limit use of the device by third parties to protect your personal data and facilitate accountability for potential misuse.
- If the device is no longer in use, ensure that all of the data on it is wiped, and it is disposed of properly.
iPad/iPhone Specific Best Practices
In addition to/in conjunction with the above practices:
- Use a passcode (strength dependent on the potential data the device may contain).
- Allow the device to wipe after 10 failed passcode attempts.
- Use the FortiClient VPN app.
- Use the Microsoft Outlook app for email and calendar.
- Encrypt the device configuration profile.
- Force encryption of device backups.
- If multiple users will be accessing the device, the native email program should not be used, to protect the primary user's email account. Outlook on the Web is the suggested alternative.