Smartphone and Tablet Security

To ensure that sensitive information stored on mobile devices is kept safe and secure, Drexel has established security standards for devices that synchronize information with university services.

Implementation Schedule

Several organizations at Drexel operate email servers. Most faculty and professional staff use the Exchange Server operated by IRT; the next largest server is in the College of Medicine. These two servers are part of the initial mobile device security changes.

Effective July 10, mobile devices connecting to the IRT-run Exchange Server will receive the new security and encryption settings. Most devices will prompt you to accept the new settings, but typically won't list the changes (they are described below). If you do not accept the changes, your device will stop synchronizing with the server.

The servers run by the College of Medicine have had these (or similar) settings for some time. Later in 2014, other servers providing email to faculty and professional staff will adopt these same security settings.

PINs and Timeouts

The security settings require that smartphones and tablets prompt for a Personal Identification Number (PIN) to turn on the display if the device hasn't been used for more than a few minutes. At Drexel, that PIN is a 6-digit number – it can be longer if you want more digits and your phone allows it – and simple patterns such as 111111 or 123456 cannot be used. The timeout is user-selectable, up to 15 minutes – you can and are encouraged to make it shorter.

To protect the data on a lost or stolen device from being accessed by unauthorized people, the device will erase itself if the PIN is mis-typed 15 times in a row (12 times when used with the Good secure email app at the College of Medicine).

Most devices warn the user or add delays between PIN attempts as the number of bad PIN entries increases. There's more information about the auto-erase feature in the FAQ.

Encryption

As with the hard drives in computers, the storage in your smartphone or tablet will be encrypted once the new security settings are received by your device. Additionally, if your device has an add-in memory card, it, too, will be encrypted.

Some older phones do not know how to encrypt the built-in memory or the storage card. When the new encryption settings are received by your device, it may be unable to comply and thus may stop synchronizing data with the server. If you notice that this has happened to you, contact the IRT help desk (consult@drexel.edu or 215.895.2020). Technical accommodations can be made for such devices through December 2014.

FAQ

IRT has prepared the following frequently asked questions. If you still have questions about the smartphone and tablet security settings, please contact the IRT help desk by email at consult@drexel.edu.

Mobile Device Security and Encryption

Why is security being upgraded for mobile email?

To match the new standard for computers because, as Chief Justice Roberts wrote in a Supreme Court ruling on June 30, 2014, cellphones are “minicomputers that also happen to have the capacity to be used as a telephone.”

What does the enhanced security upgrade include?

Chiefly, the changes will make your mobile device prompt for a 6-digit PIN to unlock it, re-lock itself after a 15-minute period of inactivity, encrypt its contents, and set it to erase itself if the PIN is mis-typed many times in a row (11-15, depending on the model of phone or tablet).

To whom do the new requirements apply?

As of July 10, these requirements apply to everyone whose mobile device connects to the Exchange mail servers run by IRT or the College of Medicine. Later this year, the program will be expanded to all mail servers for Drexel.

What if my device can’t work with the enhanced security?

Through December 2014, users of older Android devices and certain Windows Phones will be able to request enrollment in a less stringent set of security requirements. In 2015, these devices will need to be upgraded or replaced to continue to access email from Drexel servers.

I’m the only user of my phone, but my whole family uses my tablet. Can I pick different PINs for different devices?

Yes, because PINs are tied to devices rather than accounts. If you forget a PIN, you’ll likely need to reset the device, erasing its contents. (Drexel can’t help because the PIN is held on the device, not with the Drexel account.)

What happens if my kids or friends try to use my phone or tablet and key in the wrong PIN over and over?

If they make 15 failed attempts in a row, the device will erase itself. Fortunately, some phones take steps to warn you or slow the process down:
iPhone and iPad: adds delays between successive attempts, so invoking the auto-erase function takes over an hour and twenty minutes;
Android on HTC (tested with HTC One M8): adds 30-second delay after the fifth and tenth attempts and gives warnings after attempts 11, 12, 13, and 14;
Android on Samsung (tested with Galaxy S4): gives warnings after attempts 11, 12, 13, and 14;
Windows Phone: to ensure that a person is typing intentionally (as opposed to something bumping the screen while the phone is in a pocket or purse), requires that a specific code is typed before making the 15th attempt.

I’m worried about losing my personal photos and other information. What can I do?

Apple and Microsoft offer backup services; some Android phones do, too. Depending on how much data is on your device, the backup service may even be free.

My phone or tablet has a storage card slot and I move my storage card among several devices I own. Will the new standards impact this?

By default, the new standards will encrypt storage cards, preventing their use in other devices. However, at least through the end of 2014, you may request to use a security policy that exempts removable storage cards. Before the end of the year, a new permanent security policy will be set.

What if I don’t want to follow the new requirements on a mobile device?

If Drexel provides all or part of the monthly service fee, you’ll have to keep the Drexel email account on the device and follow the security requirements. For fully-personal devices and services (i.e., those that Drexel isn’t contributing to), you can follow the requirements to continue getting Drexel email on the device or remove the Drexel account to avoid the security requirements.

What happens when I leave Drexel? Will my home device be erased? How do I get it decrypted?

Typically, Drexel will recall the email, contacts, and calendar items that your phone got from the Drexel servers, leaving the rest of the data intact. Once you remove Drexel accounts from your device, the special security settings needed by Drexel will be lifted.