Mobile Device Guidelines

ed-mdm-01

1.0 Overview

Mobile devices, including but not limited to phones, tablets, and laptop computers, are becoming increasingly powerful and affordable. Their small size and functionality make these devices ever more desirable as replacements for, or supplements to, traditional desktop devices in a wide range of applications. However, the portability offered by these devices increases the risk that information stored or transmitted on them will be exposed. Penn State University and the College of Education allow personal mobile computing devices to be used for business purposes as long as those devices adhere to the guidelines stated below.

2.0 Purpose

The purpose of this Penn State University College of Education (CoE) Mobile Device Policy is to establish best practices in the use of mobile computing devices. This process is necessary to preserve the integrity, availability and confidentiality of Penn State University College of Education data. Any questions or comments about this document should be directed to the Office of Associate Dean for Research, Outreach, and Technology.

3.0 Scope

This policy applies to all mobile devices used to host any academic and institutional data for the purpose and conduct of meeting some business obligation or need associated with Penn State.

3.0a Scope: College Owned

This policy applies to all CoE faculty, staff, and students, and to staff and individuals external to CoE, who own or operate a college-owned mobile device that communicates with Penn State University equipment and networks or stores data in any way.

3.0b Scope: Personally Owned

This policy applies to all CoE faculty, staff, and students, and to staff and individuals external to CoE, who own or operate a personal device that holds Penn State data (such as email, files in Box) and is used to communicate with Penn State University equipment and networks or stores data in any way.

4.0 Policy

Listed below are the minimum guidelines when using a mobile device.

4.0a Policy: College Owned

Restricted data. Penn State University and CoE restricted data should NOT be stored on portable computing devices if it can be avoided. However, in the event that data can only be stored on a mobile device, the Penn State University Data Categorization requires that all "restricted" data must be encrypted using approved encryption techniques and password protected. All Penn State owned mobile devices will be registered so the device can be locked or wiped if lost or stolen. This is based on the best practice and resources currently provided by Penn State. Regarding data, it is recommended that mobile device users use box.psu.edu as the primary secure data storage service.

Configure mobile devices securely. Users will be required to register their mobile devices with the Penn State Mobile Device Management (MDM) and Enrollment Service. All newly purchased CoE mobile devices will automatically be enrolled. The enrollment service provides the following benefits:

  • It enables auto-lock with pin or passcode
  • It enables the use of a complex password (Recommended)
  • It avoids using auto-complete features that remember user names or passwords
  • It ensures that browser security settings are configured appropriately.
  • It enables remote wipe and lock in the event of loss or theft
  • It ensures that *SSL protection is enabled, if available.
  • It will provide VPP services. The Volume Purchase Program (VPP) provides application request and management on Apple mobile devices purchased and owned by Penn State University. (See definitions)

4.0b Policy: Personally Owned

Mobile systems NOT owned by Penn State and CoE that require network connectivity must conform to Penn State's and CoE's information security policies and procedures. See policy at: http://www.ed.psu.edu/for-current-faculty-and-staff/outreach-office/outreach-office-page

Restricted data:

The Penn State University Data Categorization requires that all "restricted" data must be encrypted if on a mobile device. Once encrypted, a best practice in these cases is to use box.psu.edu as your secure data storage service.

Configure mobile devices securely. Owners of mobile devices must passcode-protect all devices that hold Penn State data (such as email, files in Box). Those who would like their personal mobile systems secured in the same manner as CoE owned devices can submit a request for this service at help.educ.psu.edu.

The recommended enrollment service provides the following benefits:

  • It enables auto-lock with pin or passcode
  • It enables the use of a complex password (Recommended)
  • It avoids using auto-complete features that remember user names or passwords
  • It ensures that browser security settings are configured appropriately.
  • It enables remote wipe and lock in the event of loss or theft
  • It ensures that *SSL protection is enabled, if available.

Take appropriate physical security measures to prevent theft or enable recovery of mobile devices.

Purchase and enable tracing and tracking software (MobileMe, Computrace, FindMyMac, etc.).

Report lost or stolen devices immediately to the CoE Information Technology Help Desk. Remember to back up data on your mobile device on a regular basis.

5.0 Definitions 

VPN – Virtual Private Network is a way to securely transmit private data over a public network (wired or wireless Internet) using an encryption solution. Connecting to the Penn State University CoE network includes the following:

    • If you have a network capable device (ex. laptop) plugged into a Penn State University CoE wired network, and you are a “registered user” then you can connect to the “EDUC” LAN (local area network) and use our services.
    • If you connect from a remote location using a different SSID, with a network capable device, through the Penn State University VPN (virtual private network), using the option “ISPtoPSU” you can connect to the CoE “EDUC” LAN (local area network) services.
    • If you have a network capable device and connect using Penn State wireless SSID “psu” you can connect to PSU network services.

VPP - The Apple Deployment Programs consist of three programs. The Volume Purchase Program (VPP) lets you purchase App Store apps and books in volume. The Device Enrollment Program (DEP) gets your institutionally-owned devices automatically enrolled in mobile device management (MDM) during activation without touching the device. Finally, the Apple ID for Students creates Apple ID accounts for students under 13.

MDM – Mobile Device Management (mdm.psu.edu). There are many different aspects to mobile device management. The features of MDM vary based on the operating system of the mobile device. MDM primarily focuses on two components:

  • The automation of linking a mobile device with an MDM server
  • The management of installed applications and other settings via an MDM server

SSID - An SSID is the name of a wireless local area network (WLAN). Wireless devices on a WLAN must employ the same SSID in order to communicate with each other.

SSL - Secure Sockets Layer. When enabled, it allows encrypted connections to be used.

BYOD - Bring Your Own Device (Normally called a “personal system” not owned or purchased by the organization for which you work.)

WLAN - A WLAN typically extends an existing wired LAN (local area network). WLANs are built by attaching a device called the access point (AP) to the edge of the wired network.

Data Categorization and Related Policies – AD71 Data Categorization; ADG07 Data Categorization Examples; ADG02 Computer Security and others. (See Guru.psu.edu)

References: http://smo.psu.edu/documents. Additional and supplemental policies are provided online at: IT Guidelines and Policies, Information Technology Guidelines and Policies. OIS - Office of Information Security (security.psu.edu) Travel Policy (http://guru.psu.edu/policies/TravelPolicySINGLEDOC.html) Please note sections regarding Export Controls and Compliance.