Mobile Device Security Guidelines
With more University business being done on mobile devices and smartphones, faculty and staff need to make sure that they are doing their best to secure their devices and protect the University’s interests. Please read over the following guidelines to make sure that your smartphones and tablets are properly secured, regardless of whether they are University-owned or personal.
Avoid Saving Passwords
The caching of passwords to University services should be avoided if at all possible. This means not selecting the “save password” check box on a website or app screen requesting your University Computing Account credentials. This practice is also good advice to protect access to personal credentials for such critical services such as online banking or health care apps.
Obviously, there are some instances where saving your credentials on your mobile device make sense. The nature of attaching to WIRELESS-PITTNET zones as you move in and out of coverage areas on campus requires that you save your username and password on your mobile device. Otherwise, you would be prompted for your password every time you briefly pass out of and then back into WIRELESS-PITTNET coverage. Many people also save their University Computing Account credentials in their email or Skype apps in order to maintain real-time access to new messages. These are reasonable situations where caching your password is acceptable. But you should avoid saving your passwords for other web-based tasks that require you to log in, such as authenticating to My Pitt, Box, Concur, or Office 365
If you do decide to cache a password to a University service on a mobile device, make sure that you protect the device with a passcode.
Protect Your Smartphone or Tablet With a Passcode
A "passcode" on a mobile device is a string of characters or just a multi-digit number that is entered in order to gain access to the device. This passcode must be entered in order to get past the login screen.
Enabling passcode protection is the most critical security requirement that must be followed if you use your smartphone or tablet to conduct University business. Passcode access also protects personal data such as photos, contacts, and personal email accounts. Enabling a passcode should also include a timeout setting for the device to lock (requiring a passcode again) after a prolonged period of no activity. Fifteen minutes is generally considered a good timeout period.
Setting up a passcode and inactivity timeout is easily accessible via your device’s “Settings” menu.
Protect Your Devices with Remote Device Location and Remote Wipe
All mobile devices that are used to conduct University business should have remote “find my device” functions enabled and running at all times. On Apple iOS devices (iPhone, iPad), you can enable this function in the system settings under iCloud. There is also a free Find My iPhone app that is available on the App Store that you can install and configure. Android users should enable remote device location accessible via the Android Device Manager settings.
When remote device location is running on your mobile device, you will also be able to remotely wipe all data from your device. You would enable remote wipe if it becomes clear that your device is lost or stolen and the likelihood of ever recovering it is very low. You have to register your iOS device with Apple's iCloud service in order to enable remote wipe functions. Remote wipe for Android devices can be set up by registering the device with a Google account. You can also remotely wipe a device from the Office 365 Outlook Online (My Pitt Email) interface if the mobile system has been synced with ActiveSync.
Attach a Label to your Devices
Consider attaching a label with your name and a secondary contact phone number to any mobile devices that you use to conduct University business. This will give you the best chance to recover your device with a minimum impact if your smartphone or tablet is lost. Obviously, the label should not feature the access code for the device or any other critical information such as a username or password. Just a name and secondary phone number.
Log Your Phone Data
Take a few minutes to document your mobile device’s serial number and wireless (Wi-Fi) MAC address and store it somewhere you could get to if the device were to go missing. Having this information handy may help recover or remotely wipe the device if it is ever lost or stolen.
Encrypt the Data on Your Device
Apple iOS systems automatically encrypt their contents when you configure them to use a passcode to gain entry. Android users need to turn on data encryption by going to the security section of the settings menu.
Also, make sure you encrypt any cloud-based backups of your mobile devices that you may create.
Use Pulse to Attach to University Resources on Public Wireless Networks
If you are in a public place such as a café or bookstore and wish to use public, shared wireless internet, enable the Pulse client to set up a secure remote access session before initiating any other business with University systems. Pulse will encrypt the transmission of data so that any snooping attempts will not intercept your unencrypted University credentials. If you don’t, be aware that any credentials you enter to log onto University services or other services such as online banking could be compromised by another system in the vicinity that is set up for sniffing unencrypted data.
The Pulse Secure mobile device app is available on the Pitt App Store as well as the Apple and Google (Google Play) online app stores.
Consider your Wireless Carrier’s Data Service for Especially Sensitive Communications
If you will be consistently doing University business on your mobile device from off campus, consider turning off your device’s wireless network functions and communicate exclusively using your cellular carrier’s data network. This is accomplished by going to your device’s settings menu and turning off access to Wi-Fi. This option is much more secure than using publicly-accessible Wi-Fi, but data charges from your carrier may apply.
Turn Off Bluetooth if You are Not Using it or on Public Wireless
Since Bluetooth is used to interact with mobile devices, hackers could use it as a communication conduit into your smartphone or tablet. If you aren’t actively using Bluetooth with your mobile device, be sure to turn it off. Even if you do occasionally use a Bluetooth peripheral, you should disable Bluetooth if you will be working in a public wireless space and attaching to University resources.
Be Aware of Social Engineering Attempts to Compromise Your Mobile Device
The term “social engineering” was originally defined as attempts by criminals to manipulate computer users into revealing passwords or installing malicious software, bypassing technological barriers to hacking. With more computing being done on the mobile device platform, Pitt users need to be aware that social engineering attempts can just as easily target mobile users. Be wary of anyone who calls and asks you to install anything on your smartphone or tablet. Be equally suspicious of any emails that require you to navigate to a website and enter credentials or download an app.
Know What to Do if You Lose a Device
If your smartphone or tablet is missing and you suspect that it may have fallen into someone else’s hands, there are steps you must take to protect the University’s interests:
- Notify law enforcement. If your device is stolen on campus, report the theft to the Pitt Police. If the theft occurs off campus, notify the local authorities as they may be tracking a pattern of thefts and your details may help them refine their search.
- Notify the Technology Help Desk to reset your University Computing Account immediately.
- Make sure to have your multifactor tokens reset as well.
- Change any passwords for web services that may have cached passwords stored on the missing device. These should include any passwords for services outside of the University such as online banking, Amazon.com, etc.
- Initiate a remote wipe of the missing device. The Technology Help Desk can assist with this task.