Smart Device Policy FAQ

Why is Emory implementing this policy?

Where can I read the policy?

What is sensitive data?

What exactly is happening and what will change on my device?

What should I do to prepare?

Are there any requirements for the PIN that I choose?

What is 'encryption' and how will it affect my device?

I own my device, does this policy apply to me?

I have more than one smart device (such as a phone and tablet). Will the policy apply to both?

What if I don't check my Emory email on my device?

I use Android's pattern lock feature. Does that meet the PIN requirement?

What if I used TouchDown for Android instead of the Android mail application?

Will Emory be able to access data on my device or monitor my activities?

I have an Android device and when I receive the "device administrator" prompt it says something about disabling the camera. Is my camera really going to be disabled?

What if I need to make an emergency call and my phone is locked?

Why will my device be wiped after ten incorrect passcode attempts?

If my device is wiped, will I lose all my personal data?

What will happen when the policy is applied to my device?

What if I have already configured some of these settings myself?

I've heard that there are some technologies that will keep my Emory and personal data separate. Why isn't that technology being used?

A note on Jailbroken/Rooted devices

Why is Emory implementing this policy?

Smart Devices, such as smartphones and tablets, have exploded in popularity over the last several years. More and more, we are using these devices for our daily work: checking email, taking notes in meetings, creating, reviewing, and sharing documents, reviewing x-rays, and many other uses. Along with these uses comes added risk that sensitive institutional data (email, documents, etc.) may be compromised if your device is lost or stolen. In fact, more than two million of these devices are lost or stolen each year. In addition to Emory's data, anyone in possession of your device would have access to your text messages, pictures, contacts, and any financial information you've saved. Our goal is to enable a minimum set of security safeguards to prevent access to data on lost or stolen devices while inconveniencing legitimate users as little as possible.

Where can I read the policy?

You can find the policy on Emory's policy website: http://policies.emory.edu/5.14

What is sensitive data?

Emory defines sensitive data as the following:

Confidential data: Any information that requires (by contract, law, ethical guidelines, or data owner mandate) controlled access to a select group of individuals, or any information that could cause harm to individuals or Emory if used inappropriately or disclosed, but is not considered restricted data. In the case of non-directory student records (as defined by Emory FERPA guidelines), aggregated data containing records for fewer than 500 individuals are considered confidential data. Examples: employee records that do not contain restricted data, Emory-owned proprietary information, a class roster, a spreadsheet of names and addresses of financial donors to Emory, an internal audit report.

Restricted data: Any information that, if used inappropriately or disclosed, could cause significant harm to individuals or Emory. This includes information that could be used for identity theft, or information that carries significant penalties if disclosed. Below is a list of items included in this definition. For all items, if the content only references the corresponding computer user then the content can be considered confidential data (e.g. Brad’s computer has a file containing Brad’s name, address, and social security number).

  • Electronic patient health information (ePHI) that has not been de-identified. 
  • Combinations of Personally Identifiable Information that could readily be used for identity theft:
    • Social security numbers, when combined with any form of the corresponding name
    • Driver’s license numbers, when combined with any form of the corresponding name
  • Credit/Debit card numbers
  • Financial records that could lead to identity theft or fraud (e.g. bank account numbers)
  • Non-directory student records for 500 or more individuals
  • Human subject research data containing personally identifiable information
  • Any data deemed to be restricted by the data owner
  • Any data that, if acquired by unauthorized individuals, would require notification of affected parties
  • Any data that Emory is legally, contractually, or ethically obligated to encrypt
  • Passwords to computer accounts with access to internal, confidential, or restricted information.

What exactly is happening and what will change on my device?

The security safeguards required by the smart device security policy will be enforced as a condition of access for any smart devices that connect to Emory Exchange to check email and calendar items. If you do not check Emory Exchange email on your device the policy will not be applied to it.

If you check your Emory email on your smart device, the only visible change will be that a four-digit PIN will be required to unlock your device after a period of no more than 15 minutes of inactivity. When the policy is applied to your device, you will be prompted to configure this PIN if you have not configured one already. If your device is not already encrypted, it will be encrypted after you create your PIN.

The following specific settings will be enforced:

  • A four-digit PIN will be required to unlock your device
  • Your device will automatically lock (require your PIN to be entered) after no more than 15 minutes of inactivity
  • If someone enters your PIN incorrectly 10 times, the device will erase itself (most devices have a protection mechanism that will prevent you from doing this accidentally).
  • If your device supports it, the data stored on it will be encrypted.

What should I do to prepare?

There are three main things that you should do to prepare for the smart device security policy:

  • Update your device
    • Check to see if your device manufacturer has any available software updates
  • Back up your device
    • While it's unlikely that you'll have any problems, it's better to be safe than sorry. Back up any important information that you have on your device.
  • Choose a PIN you can remember
    • It's very important that you choose a PIN you can remember. Decide on one before the policy is applied to your device.

Are there any requirements for the PIN that I choose?

Your PIN must be at least four digits long, and cannot be simple (e.g. 1234, 4321, 0000, etc.). You may also choose a more complex PIN, such as one that includes more characters or alpha and special characters. It is very important that you choose a PIN that you can remember. Emory does not keep track of the PIN that you assign to your device and will not be able to help in the event that you forget your PIN.

What is 'encryption' and how will it affect my device?

Encryption is a way of changing data such that it cannot be read unless you have the proper 'key' to unlock it. Think of using a secret decoder ring. In this case the key is the PIN that you choose. In practical terms this means that without your PIN someone who steals your device will not be able to read any data stored on it (email, pictures, text messages, etc.). Some devices, such as iPhones and iPads, are already encrypted by default. Other devices will have to go through a one-time process to encrypt the data stored on them.

I own my device, does this policy apply to me?

Yes, the policy applies to personally owned devices that are used to access Emory e-mail.

I have more than one smart device (such as a phone and tablet). Will the policy apply to both?

Yes. The policy is applied to your Exchange e-mail account and not to specific devices. Any device that has your Emory Exchange account configured on it will receive the policy.

What if I don't check my Emory email on my device?

If you do not check Emory email on your device, then the policy will not be automatically enforced on your device. However, if you store sensitive Emory non-email data on your device you are still required to manually apply the security settings. If you choose to add your Emory email account to your device in the future the policy settings will be enforced at the time you add your account.

I use Android's pattern lock feature. Does that meet the PIN requirement?

Unfortunately, Android does not allow the pattern lock feature to be used when an ActiveSync policy requires that a PIN be enabled. You will be prompted to configure a PIN instead when the policy is applied to your device. There's nothing less secure about the pattern lock feature; it just isn't supported when a PIN is required.

What if I used TouchDown for Android instead of the Android mail application?

If you use the TouchDown application instead of the built-in mail application on your device, TouchDown will require that you configure a PIN to open the application. Unless you have also configured your email in the Android mail application, your phone will not prompt you to create a PIN. If your device is lost or stolen and you issue a wipe command, only the data within the TouchDown application will be erased and the data on your device will remain intact.

Will Emory be able to access data on my device or monitor my activities?

No, Emory cannot access data on your device or monitor your activities. The only motive behind this policy is to ensure that data is secured in the event that a device is lost or stolen.

I have an Android device and when I receive the "device administrator" prompt it says something about disabling the camera. Is my camera really going to be disabled?

No, your camera will not be disabled. The message that you're seeing is static and reflects what the policy could be set to do, but does not reflect what is actually being done.

What if I need to make an emergency call and my phone is locked?

Nearly all phones have an "Emergency Call" feature that you can access from the lock screen. You can choose this option to call 911 or other phone numbers that you have memorized.

Why will my device be wiped after ten incorrect passcode attempts?

After ten attempts at typing in an incorrect PIN we assume that the device has been stolen and someone is trying to guess the PIN that you assigned to the device. In order to protect sensitive Emory data, the device must be wiped and restored to factory defaults.

If my device is wiped, will I lose all my personal data?

Yes, all data on a device is lost when it is wiped. It's always a best practice to regularly back up data stored on your smart device. In the event that your device is lost or stolen, or suffers a hardware failure, you will lose important data unless you have a current backup available. Most devices have built-in mechanisms which will prevent your device from being accidentally wiped by entering the incorrect PIN too many times.

What will happen when the policy is applied to my device?

When the policy is applied to your device it will prompt you to create a PIN. Depending on the device, you may not be prompted at all if you already have a PIN set. For more detail, including screenshots, choose the type of device that you have from this link 

What if I have already configured some of these settings myself?

If you have already configured some of these settings manually, such as a passcode lock, you may not notice when the policy is applied. If you are using Android's pattern unlock feature you will now have to enter a passcode instead. If your device is configured to lock after a period shorter than 15 minutes you will be able to retain this setting.

I've heard that there are some technologies that will keep my Emory and personal data separate. Why isn't that technology being used?

There are some technologies like this that are starting to emerge which will allow you to keep personal and institutional data separate and will require different security controls for each. Emory is not using these technologies at this time for several reasons. First, these solutions are not free and are more difficult and time consuming to implement, requiring you to install additional software on your device. Second, these solutions often require that you use another mail client and not the native mail client available on the device. Many people have found these other mail clients to be cumbersome and prefer the native mail client instead. Lastly, this is a very new market with lots of different competitors, and the technology is still in its infancy. This technology may be something that we pursue in the future, but not at this time.

A note on Jailbroken/Rooted devices

If you have jailbroken or rooted your smart device, you may experience unpredictable results when the policy is applied. Jailbroken/Rooted devices often represent an unsupported configuration by both the manufacturer of the device and the wireless carrier. Jailbroken/Rooted devices are also often more susceptible to attack. Our recommendation is to reset your device to factory defaults if it is jailbroken or rooted before the policy is applied to your device.