Passcode Setting on Enterprise Mobile Devices

By Rich Campagna, Subbu Iyer, Ashwin Krishnan, Mark Bauhaus

Requiring a passcode is the most basic security requirement for any mobile device that is allowed into a work environment. With a passcode set, the user must enter a passphrase to unlock the device. Devices can also be configured to lock automatically after a configurable timeout period. (Typically, five minutes is ideal.)

From a compliance perspective, take a look at the passcode policies that you may want to enforce on devices:

  • The device needs a passcode configured.

  • The passcode needs to be of a certain strength, incorporating at least one digit or complex character.

  • The passcode needs to expire after a certain time period.

  • The device should lock after a certain time period of inactivity.

  • Some sort of action should be taken when the threshold for failed passcode attempts (such as ten consecutive bad passcodes entered) is reached.

For different organizations, the exact passcode requirements will vary. For many, it might suffice to simply require a passcode on each mobile device in the corporate network. For others, it might be necessary to enforce additional restrictions, such as the passcode strength and expiry time period. What you specify for your organization’s passcode requirements largely depends on your tolerance for risk and adherence to other corporate policies or restrictions.

At this time, you also need to decide whether to enforce the same set of passcode policies on both personal devices and corporate-owned devices. You have the liberty to define different compliance policies for corporate-owned and personal devices and establish different passcode policies for the two categories of devices.

Compliance Policies for Allowed Device Types

Personal Devices:

  • Android devices running version 2.1 or later

  • Symbian 3 devices

  • iPhone 3GS, iPhone 4, and iPad running iOS 4.0 or later

  • No jailbroken or rooted devices

Corporate-Owned Devices:

  • BlackBerry (all models)

Compliance Policies for Passcodes

Personal Devices:

  • Need a passcode

  • Passcode strength (for example, it should be at least 8 characters long and must include at least one digit)

  • Passcode expiry

  • Time before autolock

  • Action taken upon 10 unsuccessful attempts

Corporate-Owned Devices:

  • Need a passcode

  • Passcode strength (for example, it should be at least 8 characters long, and must include at least one digit)

  • Passcode expiry

  • Time before autolock

  • Action taken upon 10 unsuccessful attempts
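
The passcode policies above, expressed as a compliance check over the settings each device reports, with a separate policy per ownership category. This is an added example, not from the original article; the `PasscodePolicy` class, the record field names, and the 90-day expiry value are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PasscodePolicy:
    min_length: Optional[int] = None           # None = item not enforced
    require_digit: bool = False
    max_age_days: Optional[int] = None
    max_autolock_minutes: Optional[int] = None
    max_failed_attempts: Optional[int] = None

# Article figures: 8 characters with a digit, five-minute autolock, 10 failed attempts.
# The 90-day expiry is an assumed value; the article gives no figure.
FULL = PasscodePolicy(8, True, 90, 5, 10)
MINIMAL = PasscodePolicy()                     # "simply require a passcode"
POLICIES = {"corporate": FULL, "personal": FULL}

def violations(device: dict, policy: PasscodePolicy) -> list:
    """Return the policy items that a device's reported settings fail to meet."""
    if not device.get("passcode_set"):
        return ["no passcode configured"]      # other settings are moot without one
    found = []
    if policy.min_length is not None and (device.get("min_length") or 0) < policy.min_length:
        found.append(f"minimum length below {policy.min_length}")
    if policy.require_digit and not device.get("require_digit"):
        found.append("digit not required")
    # Ceilings: a missing or zero value means "never", the weakest possible setting.
    for key, limit, label in (
        ("max_age_days", policy.max_age_days, "passcode expiry"),
        ("autolock_minutes", policy.max_autolock_minutes, "autolock timeout"),
        ("max_failed_attempts", policy.max_failed_attempts, "failed-attempt threshold"),
    ):
        value = device.get(key)
        if limit is not None and (not value or value > limit):
            found.append(f"{label} unset or above {limit}")
    return found

DEVICES = [  # constructed sample inventory records
    {"id": "A1", "owner": "corporate", "passcode_set": True, "min_length": 8,
     "require_digit": True, "max_age_days": 60, "autolock_minutes": 5, "max_failed_attempts": 10},
    {"id": "B2", "owner": "personal", "passcode_set": True, "min_length": 4,
     "require_digit": False, "max_age_days": None, "autolock_minutes": 15, "max_failed_attempts": 10},
    {"id": "C3", "owner": "personal", "passcode_set": False},
]

def audit(devices, policies):
    """Map each device id to its list of violations under its owner category's policy."""
    return {d["id"]: violations(d, policies[d["owner"]]) for d in devices}

if __name__ == "__main__":
    for dev_id, problems in audit(DEVICES, POLICIES).items():
        print(dev_id, "compliant" if not problems else "; ".join(problems))
```

Passing `{"corporate": FULL, "personal": MINIMAL}` as the policy map models the choice of holding personal devices only to the passcode-required rule.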