Security as a niche industry is starting to get noticed. There are a number of organisations that have written and published security applications of one sort or another for the PDA world with the enterprise in mind. Of these Credant has one of the best reputations in the market. They have got years of experience and a solid product with several offerings to cover both enterprises and medium sized businesses.
The Credant Mobile Guardian (CMG) is sold in three forms. The personal edition is marketed through OEMs and is the software that is available now on the HP iPAQ business devices (including the iPAQ hx4700 series). Personally, I'd love to see this available through retail channels such as Handango and PocketGear, but this is not the case at the moment. The group edition is the one reviewed here and is aimed at organisations that want to apply security policies consistently to the devices in their organizations. Finally there is the enterprise edition which is considerably more expensive and provides remote destruction and a number of other features that may appeal to the enterprise organization.
No two Windows Mobile security applications are created equal. If you look at the security applications on the market today, you'll find disparate feature sets between them. Some have a built-in firewall, some don't; some enforce restrictions on storage cards, infrared and Bluetooth, others don't; and so on.
This article will be looking at the following features and how Credant Mobile Guardian helps define and apply them:
On the device
Credant have created their device security software based on policies. This approach allows you to take your organisation's security policy and create an installer that ensures the device complies with the security policy.
The software itself is delivered as a desktop installer that places the policy editor and components onto your laptop or desktop computer. Nothing is installed to the Pocket PC at all at this time.
Once installed, you need to start the policy editor and create a policy file. The policy file is saved as an XML file and can be used to build an installer for the target platform. The target platform can be Windows Mobile Pocket PC, Windows Mobile Smartphone or Palm OS. I've used an HP iPAQ h6365 Pocket PC Phone Edition device for my tests.
Creating a policy file is a simple matter of working through the available options in the editor. The list is quite extensive and allows for a tightly configured device.
Policy Editor
One of the critical areas of device security is authentication onto the device. That is how the user gains access to the applications and data on the device. CMG gives the option of PIN based or password based authentication.
PIN based authentication uses a numeric keypad similar to the default Windows Mobile PIN to allow users to enter a four digit PIN in order to log on. CMG allows considerably more control over the user's PIN than the default authentication. CMG can be configured to force the user to change their PIN at a configurable period as well as remember a number of previous PINs to prevent the user from reusing them. CMG can also enforce PIN complexity, preventing sequential numbers or repetition of numbers in a PIN, making the PIN more secure.
If you feel that a PIN does not offer strong enough protection, you can use a password. The password can be configured to ensure complexity and remember previous passwords. In addition you can set how much of the password must be unique, preventing users from using passwords with an incremental number in it.
CMG also gives a number of options for how to manage invalid logon attempts. For instance, you can have CMG simply wait a configurable (and optionally incremental) period of time between sets of logon attempts. For example you can set the device to pause for 30 seconds after three invalid attempts. After a further three attempts, you can set this cool down period to increment by 30 seconds before allowing further attempts. This system makes it very difficult for an unauthorised user to brute force their way onto the device.
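The PIN complexity rules and the escalating cool-down described above can be modelled together to see how much each contributes. The following is an added example, not code from Credant or from the original article; the reading of the complexity rule (no adjacent repeated or sequential digits) and all function names are assumptions, while the three-attempt and 30-second figures are the ones used in the text.

```python
# Added example: models the PIN rules and escalating lockout described above.
# The rule interpretation and every name here are assumptions, not CMG's own.
from itertools import product


def pin_allowed(pin, history=()):
    """Reject reused PINs and any adjacent pair that repeats (11) or runs
    in sequence (12, 21): one assumed reading of 'PIN complexity'."""
    if pin in history:
        return False
    digits = [int(c) for c in pin]
    return all(abs(a - b) > 1 for a, b in zip(digits, digits[1:]))


def allowed_keyspace(length=4):
    """Count the PINs of `length` digits that the complexity rule accepts."""
    return sum(pin_allowed("".join(p)) for p in product("0123456789", repeat=length))


def enforced_delay(failures, per_set=3, base=30, step=30):
    """Total cool-down in seconds accumulated over `failures` wrong entries.
    The k-th completed set of `per_set` failures costs base + (k-1)*step."""
    sets = failures // per_set
    return sets * base + step * sets * (sets - 1) // 2


def worst_case_days(keyspace, **lockout):
    """Days of cool-down before the last candidate in `keyspace` can be tried."""
    return enforced_delay(keyspace - 1, **lockout) / 86400


if __name__ == "__main__":
    full, reduced = 10 ** 4, allowed_keyspace()
    print("PINs accepted by the complexity rule:", reduced, "of", full)
    for label, space in (("no complexity rule", full), ("complexity rule", reduced)):
        flat = worst_case_days(space, step=0)      # fixed 30 s pause per set
        rising = worst_case_days(space)            # pause grows 30 s per set
        print(f"{label}: flat = {flat:.1f} days, incremental = {rising:.0f} days")
```

Under these assumptions the incremental cool-down supplies most of the protection, while the complexity rule as modelled leaves 3,754 of the 10,000 four-digit PINs, so the two settings are best chosen together.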
Of course if you want to protect your data you really want to be able to remove the data from the device to completely eliminate the possibility of unauthorised access. CMG has an option to allow control over this option too. Rather than forcing the user to wait a specified period of time, you can force them to enter a master password that only an administrator knows. At this point a legitimate user will need to either return to base or call an administrator to obtain this password. This allows the administrator to then decide whether the user is authorised or not. If the administrator decides the user is authorised, the correct master password can be entered. Once the master password is entered the user is forced to change their password and then they have access again.
You can limit the attempts the user can have to enter the master password. Thus if the user can not get the master password, they can only attempt to enter the master password a pre-defined number of times. At the end of these attempts you can configure the device to perform a hard reset which sets the device back to the way it shipped from the manufacturer.
Even if you decide to hard reset the device, you can still retain the CMG software, meaning the data is removed, but the device is still protected by your policies.
If you would like your users to be able to reset their own passwords if they incorrectly enter their password repeatedly, CMG allows you to let the user enter a passphrase (such as their grandmother's maiden name, favourite band growing up or similar) which they must answer correctly to reset their password when they forget. This may help lighten the administrative load from forgotten passwords.
CMG also allows for a number of methods of locking down the device. For instance, you can disable storage cards, infrared and/or Bluetooth. When the user tries to activate these things, CMG notifies them that the administrator has restricted access to this functionality.
In the CMG policy editor, you can also specify applications the user cannot run. However, I found this to be an unreliable method of reducing the functionality of the device. Further discussion of this with the developers revealed that this functionality is very simple and not designed for heavily locked down devices.
CMG provides a number of encryption options. For these options you can select one of four encryption algorithms: 3DES, Blowfish, Lite or AES128. The encryption selection applies to any encryption options chosen.
With CMG you can encrypt any device databases or the file system. The policy editor allows you to select which databases you want to encrypt. You can select the mail, calendar, tasks, notes and/or the contacts database or add any application specific database that may also be on the device. There is also the option to separately encrypt the mail attachments and media files.
I must say - I really like the file encryption functionality. CMG gives you two file encryption methods:
The first allows you to create an administrator defined secure folder. This folder is part of the device's storage memory and creates a folder in the root of the device that appears as another storage card. The folder is accessible to the user, but encrypts any files and folders created inside the secure folder. This is a really nice way of encrypting the file system while retaining an easy to understand method for users to use. When the administrator creates this policy, you can set the folder location, name and the size of the folder. Be aware that any space you give to this is deducted from the device's available memory allocation.
If you don't like this method, you can simply set the policy to encrypt the My Documents folder, in which case anything saved in \My Documents is encrypted automatically.
CMG provides two methods of locking the device. First there is the simple device lock. This method allows you to lock the device, leaving the device state the same as it was when the device was unlocked (i.e. all processes are left running, applications are active and connections are maintained) but the user must enter their PIN in order to regain access to the device.
The second method is Logoff. The logoff method shuts down the applications and closes any network connections the device has running and requires the user to enter their user name and password to regain access to the device. When the user enters their details to regain access to the device, the contents of the start up folder are run again, just like when the device is given a soft reset. In addition, when the device logs off, all the user's encrypted data (if any is set to be encrypted) is encrypted. Therefore, when the user logs on the databases that are encrypted must be decrypted. This is fine, but if you have a large database (like a contacts database with over 1000 contacts) it can take a couple of minutes for the database to be decrypted - of course this may vary depending on the device processor that you're running on.
This lock/logoff feature gives the administrator a number of options for configuration. For instance you may like to force the user to enter a password every time the device is powered off. You can also set it to lock or logoff automatically after a period of inactivity. If you combine the two methods, you can have the device lock on power off or after several minutes of inactivity and then if the device is left off for a period of time it can be configured to power back on and force a logoff - closing all applications, encrypting databases and closing network connections.
While the device is locked or logged off, the user can still receive phone calls and even make phone calls - provided they know the phone number or it is in their speed dial. The user can't open their contacts or take notes or use the hardware buttons when the device is locked - even from the phone screen.
If you want some applications to be running constantly - even when the device is logged off, you can set these. You can also set applications to be allowed to start while the device is logged off. These are called trusted applications.
Having configured all these settings, you need to build the policy into something that will take effect on the Pocket PC or other mobile device in use by the organisation.
This is done from the tools menu or by hitting CTRL+B on the keyboard. The build dialog allows you to configure the application to output either a full image or just an updated policy. This means that for devices in the field you can update the policy they are running without having to redeploy the device. The policy can be deployed via email or users can download them via HTTP or similar. Once they are downloaded to the device, they need to be stored in the Windows folder on the device being deployed to and the file must be named WGRPUCID.ctg.
Building for deployment
My personal opinion is that the policy update feature should be simpler. End users will probably find the update difficult to get applied using this manual system. In addition, if the administrator has disabled functions on the device such as file explorer, USB and Internet Explorer, the update will be impossible to implement. The user should be able to save the file anywhere and simply open the file for the policy to be applied or be able to import the update using the Credant applet that sits in the system tray on the device. Having said all this however, at least Credant had the presence of mind to provide a system for updating the policy on the go.
If you are building a full image, the application builds a device specific executable file that you install from the device itself. This means the file must be copied to the device and run from there. Once the application has been executed, it leads you through a quick wizard that prompts you for the password to continue setup and then prompts you to enter your new password, followed by a reset. Once the reset is complete, the device is configured and the executable is deleted.
Once the application is installed, it cannot be removed from the device without the administrator password. Users who can access the Remove programs applet cannot see the application and have no way of uninstalling it.
On the device
Once installed, the user will notice no difference except a new applet in the system tray and a new shortcut in the start menu and settings panel. If the user attempts to use unauthorised functions, such as the storage card (if it has been restricted by policy) they will receive a warning message telling them that their administrator has restricted access to the specified function. This message can be customised in the policy editor and the user may be issued with a phone number to call or any other message the administrator deems appropriate.
The user has access to a control panel applet that also has a shortcut in the start menu and is started and placed in the system tray upon a reset. This control panel applet allows the user to perform some basic management tasks, such as changing their password and logging off the device manually.
As previously stated the user cannot remove the application from the device from the Remove Programs control panel applet, rather they must open the CMG applet, tap on the title bar and select Uninstall from the menu that pops up. Upon selecting uninstall, the user is prompted to enter the master password. Failure to enter the master password will disallow the user from removing the application.
Summary of features
The features offered by CMG are extremely solid, very flexible and provide a very robust security framework that is applied consistently and in a user friendly manner to the device. The policy driven approach gives the organization a familiar set of restrictions that can be very tight or quite loose depending on the requirements of the organization.
Care must be taken when putting together a policy for an organisation. Before you use the CMG policy editor, it is strongly recommended that you sit down and work out a policy that makes sense. If you don't do this, it is very easy with CMG to over configure the device simply to be secure, which will mean it will take some user testing to get the right balance between functionality and security. This is not the right way to put together an organisation security policy, and will cost considerably more than spending a couple of hours to get it right before you start. For more information see my previous article on creating a mobile security policy.
I have two complaints with CMG. The first is around application lockdown/restriction. While the capability is in the policy editor to manage applications, the execution of this on the device leaves a bit to be desired. This is perhaps something to work on in the future. The other complaint is that it was not able to lock down the WiFi connectivity of the iPAQ h6365. I've discussed this with Credant and it was due to the iPAQ not being on their device compatibility list, which I understand will be fixed in an upcoming version of CMG.
Credant Mobile Guardian group edition is aimed at the SME market and provides a smaller feature set than its larger enterprise sibling. However, I found that the features in the Group edition were robust and provided a great security base. If you are considering a security product for managing Windows Mobile (and other) devices, Credant Mobile Guardian sets the standard for other security products to match. I also appreciated that it did not attempt to provide functionality that is largely redundant on a standard device (such as firewalls), while protecting the user from outside influences such as storage cards, IR, Bluetooth, etc. The options and management of the user and the device are dramatically more effective than the default Windows Mobile security mechanisms and provide enough flexibility to suit most organizations' security requirements.
Pricing and where to buy
Group edition pricing is AU$83 per device plus AU$16.60 per annum for maintenance. If you order more than 100 licenses you may qualify for a price break. In addition, one policy editor is required per organization and is not included by default. The policy editor is AU$1690 plus AU$338 for maintenance. These prices all exclude GST (sales tax) which may not apply depending on where you are.
For sales in Australia and New Zealand, contact Eracom in Australia on +61 2 9906 2988; in the US and other countries, contact Credant via their website.