Device Management > Domain Policies > Data Protection > Encryption and Password Policy
You can set the password security and data encryption settings in the Encryption and Password Policies screen.
Enable Encryption and Password Policies: Select whether to enable or disable encryption and password for the domain. If disabled, all mobile devices in the selected domain will not be protected by encryption and password. You can configure other encryption and password settings only when encryption and password is enabled. Encryption and password is enabled by default.
When Mobile Device Agent is installed, each mobile device is associated with a user. The user must type the correct power-on password to log on to the mobile device. To unlock a device when a user has forgotten the power-on password or to access advanced Mobile Security management screens on a mobile device, you must type the administrator password. Thus, depending on the type of password (power-on or administrator password) provided at logon, the available Mobile Security management screens or fields vary.
You can configure settings on the Windows Mobile tab in the Encryption and Password Policies screen to enhance password security. These settings include:
Password Settings
Password type: Specify the type of characters for passwords. Select PIN to use passwords with numbers (0-9) only. Select Keyword to enable users to type alphanumeric passwords (numbers and other characters on a standard US keyboard).
Minimum password length: Type the minimum number of characters required for a password.
Password complexity: For passwords entered on a keyboard, you can select the type of characters (Lower case, Upper case, Special characters, or Numbers) that must appear in a password.
Initial client password: Set the default password that enables users to log on for the first time after the Mobile Device Agent is installed on the mobile device. Type a password that is between the minimum number of characters assigned by the Administrator to a maximum of 17 characters. The default is "123456".
Admin password: Type the administrator password you want to use to unlock a mobile device when the user has forgotten the power-on password. Type a password that is between the minimum number of characters assigned by the Administrator to a maximum of 17 characters.
The default admin password is "1234567890". You will receive a warning message to change the default password. For security reasons, Trend Micro recommends that you do not use the default password.
For security reasons, the Initial client password and Admin password fields on the Windows Mobile tab appear empty after saving the settings.
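The following is an added example, not Trend Micro code: a pre-check for a candidate Initial client password or Admin password against the rules described above (PIN or Keyword type, minimum length, 17-character maximum, required character classes) that also flags the two shipped defaults. The function and parameter names are hypothetical, and treating "Special characters" as ASCII punctuation is an assumption.

```python
import string

MAX_LENGTH = 17  # upper bound stated on this page
SHIPPED_DEFAULTS = {"123456", "1234567890"}  # default initial client / admin passwords

# Character classes listed under "Password complexity".
# Assumption: "Special characters" means ASCII punctuation.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "numbers": set(string.digits),
    "special": set(string.punctuation),
}


def check_password(candidate, password_type="Keyword", min_length=6, required=()):
    """Return a list of policy violations; an empty list means the candidate passes.

    password_type: "PIN" (digits 0-9 only) or "Keyword" (keyboard characters).
    min_length:    the administrator-assigned minimum (6 here is only a sample value).
    required:      class names from CLASSES that must each appear (Keyword only).
    """
    problems = []
    if candidate in SHIPPED_DEFAULTS:
        problems.append("shipped default value")
    if len(candidate) < min_length:
        problems.append(f"shorter than minimum length {min_length}")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")

    if password_type == "PIN":
        # ASCII digits only; str.isdigit() would also accept non-ASCII digits.
        if any(ch not in CLASSES["numbers"] for ch in candidate):
            problems.append("PIN must contain digits 0-9 only")
    else:
        # Complexity applies to passwords entered on a keyboard.
        for name in required:
            if not CLASSES[name] & set(candidate):
                problems.append(f"missing required class: {name}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for pw, kind in [("1234567890", "PIN"), ("482913", "PIN"), ("48a913", "PIN")]:
        print(kind, repr(pw), check_password(pw, kind) or "ok")
```
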
Password Security
Lock device after 'x' minute(s) of inactivity: Type the number of minutes a mobile device can be left idle before Mobile Device Agent locks the mobile device. After this, a user must type the power-on password to log in again.
Password expires after 'x' days: After the specified number of days, the power-on password becomes invalid and a user must provide a new power-on password. Clear the checkbox to disable this function, so that the power-on password never expires.
Limit logon attempts: Select this option to limit the number of times a user can type a wrong password. Once the maximum number of input attempts is reached, set one of the following actions in Action when exceeded:
restart the device (Soft reset)
allow only administrator logon (Admin access only)
reset the device back to the factory default policies (Hard reset)
reset the device back to the factory default policies and delete all data on the device and the inserted memory card (Clear all data)
After a Clear all data action, users need to reformat the memory card to use it again for storing data.
Request users to change the password after initial logon: Select this option to force a user to type a new password after the first logon. Trend Micro recommends selecting this feature to ensure better password protection on mobile devices after Mobile Device Agent is installed.
Allow users to reset the power-on password by answering these questions: If a user has forgotten the power-on password for a mobile device, this feature enables the user to reset the password by providing the right answer to the selected question. You can type more than one question, separated with a semi-colon (;). The questions you type here are displayed on the mobile devices during initial logon, when users can set the answer to the selected question.
For the root domain, select Apply changes to all domains after clicking 'Save'. This action copies policies to all sub-domains.
For the sub-domain, select Send notification messages to mobile devices after clicking 'Save'. This action sends an SMS notification to Mobile Device Agents about the configuration changes.
You can configure settings on the iOS tab in the Encryption and Password Policies screen to enhance password security. These settings include:
Security and Password Settings
Allow simple value: Permit the use of repeating, ascending and descending character sequences
Require alphanumeric value: Require passcodes to contain at least one letter
Minimum passcode length: Smallest number of passcode characters allowed
Minimum number of complex characters: Smallest number of non-alphanumeric characters allowed
Maximum passcode age: Days after which passcode must be changed
Auto-Lock: Device automatically locks when time period elapses
Passcode history: The number of unique passcodes required before reuse
Grace period for device lock: Amount of time device can be locked without prompting for passcode on unlock
Maximum number of failed attempts: Number of passcode entry attempts allowed before all data on device will be erased
The Mobile Device Agent provides on-the-fly data encryption function to secure specific files stored on mobile devices.
You can specify the types of files to encrypt, the encryption algorithm to use, trusted applications that are allowed to access encrypted data, or apply data encryption on memory cards inserted on mobile devices.
Mobile Device Agent does not encrypt Dynamic Link Library files (files with .DLL extension).
Mobile Device Agent only encrypts files that a user has modified and saved. Opening a file does not result in the file being encrypted.
Mobile Security can only manage the encryption policies on Windows Mobile devices. The encryption module does not support Symbian devices.
Configure the following settings in the Encryption Policies section:
Encryption method: Select an encryption algorithm from the drop-down list box. You can select AES-128, AES-192, AES-256 or XTS-AES encryption keys.
Encrypt Contacts, Mail, Tasks, Calendar, SMS, MMS for Windows Mobile 5/6: Select this option to encrypt database files for the platforms.
Encrypt *.psw, *.pdf, *.doc, *.docx, *.txt, *.xls, *.ppt, *.pxl for Windows Mobile 5/6: Select this option to encrypt the specified file types for the platforms.
Allow more applications to access encrypted data: Specify the path and name of trusted applications allowed to access encrypted data on mobile devices. To specify more than one trusted application, separate entries with a comma ",", semi-colon ";", or a colon ":".
Encrypt data on memory cards: Select this option to encrypt data stored on memory cards.
For the root domain, select Apply changes to all domains after clicking 'Save'. This action copies policies to all sub-domains.
For the sub-domain, select Send notification messages to mobile devices after clicking 'Save'. This action sends an SMS notification to Mobile Device Agents about the configuration changes.
The administrator can use the Recovery Tool to recover data from a storage card. This function is available for a specific domain and a recovery file is needed to complete the task. To get the recovery file, click: Device Management [select a Specific Sub-domain] > Domain Policies > Data Security Policies > Download Recovery File.
To use the Recovery Tool, a Recovery File is needed. The exported encryption file includes the history of keys that are generated with the administrator's password (the encryption policy administrator password, not the web console administrator password). Refer to the Administrator's Guide for more information about the Recovery Tool.
You cannot use the data recovery tool and recovery file in Mobile Security 7.1 to decrypt files that were encrypted with Mobile Security 5.0 or 5.1.