• No results found

Symantec Mobile Security Suite for Windows Mobile Implementation Guide

N/A
N/A
Protected

Academic year: 2021

Share "Symantec Mobile Security Suite for Windows Mobile Implementation Guide"

Copied!
90
0
0

Loading.... (view fulltext now)

Full text

(1)

Symantec™ Mobile Security

Suite for Windows Mobile

Implementation Guide

(2)

Symantec

TM

Mobile Security Suite for Windows Mobile

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version: 5.0

Legal Notice

Copyright © 2007 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, LiveUpdate, Symantec AntiVirus, Symantec Client Firewall, and Symantec Security Response are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,

PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation 20330 Stevens Creek Blvd. Cupertino, CA 95014 http://www.symantec.com

(3)

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec’s maintenance offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ A telephone and web-based support that provides rapid response and up-to-the-minute information

■ Upgrade insurance that delivers automatic software upgrade protection

■ Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program

■ Advanced features, including Technical Account Management

For information about Symantec’s Maintenance Programs, you can visit our Web site at the following URL:

www.symantec.com/techsupp/

Select your country or language under Global Support. The specific features that are available may vary based on the level of maintenance that was purchased and the specific product that you are using.

Contacting Technical Support

Customers with a current maintenance agreement may access Technical Support information at the following URL:

www.symantec.com/techsupp/

Select your region or language under Global Support.

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.

(4)

When you contact Technical Support, please have the following information available:

■ Product release level

■ Hardware information

■ Available memory, disk space, and NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

■ Error messages and log files

■ Troubleshooting that was performed before contacting Symantec

■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

www.symantec.com/techsupp/

Select your region or language under Global Support, and then select the Licensing and Registration page.

Customer service

Customer service information is available at the following URL: www.symantec.com/techsupp/

Select your country or language under Global Support.

Customer Service is available to assist with the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade insurance and maintenance contracts

(5)

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

■ Issues that are related to CD-ROMs or manuals

Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:

■ Asia-Pacific and Japan: contractsadmin@symantec.com

■ Europe, Middle-East, and Africa: semea@symantec.com

■ North America and Latin America: supportsolutions@symantec.com

Additional Enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following:

These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur. Symantec Early Warning Solutions

These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.

Managed Security Services

Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.

Consulting Services

Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs. Educational Services

(6)

To access more information about Enterprise services, please visit our Web site at the following URL:

www.symantec.com

(7)

Technical Support

Chapter 1

Introducing Symantec Mobile Security Suite

About Symantec Mobile Security Suite ... 11

Chapter 2

Installing Symantec Mobile Security Suite

Before you install ... 13

Symantec Mobile Security Manager installation checklist ... 14

System requirements ... 18

Installing Symantec Mobile Security Suite ... 19

Installing Symantec Mobile Security Suite ... 19

Testing the installation ... 26

About the device owner's email ... 26

Upgrading the Agent ... 27

Before upgrading ... 27

Installing the upgrade ... 27

Uninstalling the Agent ... 28

Chapter 3

Protecting devices with Symantec Mobile Security

Suite

Using Symantec Mobile Security Suite ... 30

Mobile Connect ... 30

About the device clock ... 33

About the license ... 33

About Auto-Registration with Symantec Mobile Security Manager ... 33

About the firewall ... 34

Setting the firewall level on Smartphones ... 34

Setting firewall levels on Pocket PCs ... 35

About ActiveSync ... 37

About device feature blocking ... 37

Event statistics ... 38

Device authentication ... 39

Changing the password ... 40

(8)

About authentication settings ... 41

Resetting a forgotten password ... 41

Phone service ... 42

Data wipe ... 42

About encryption ... 43

Creating secure folders ... 43

Creating shared secure folders ... 44

Accessing shared secure folders ... 45

Modifying shared secure folders ... 45

Deleting secure folders ... 46

Encrypting and decrypting files ... 46

Logout and encrypt ... 47

Device Quarantine ... 48 Quarantine Override ... 48 Event logging ... 49 Event Summary ... 49 Event List ... 50 Event Detail ... 50

About scanning for and responding to threats ... 50

About Auto-Protect scans ... 50

About compressed file scans ... 51

About scan configuration options ... 51

About the Activity Log ... 52

When the log is full ... 52

About the SMS AntiSpam feature ... 52

Configuring AntiSpam ... 53

Numbers and number matching ... 53

Chapter 4

Updating devices

Updating devices ... 55

About LiveUpdate Wireless ... 56

About updating devices by using LiveUpdate Repackager ... 57

About LiveUpdate Repackager command-line syntax ... 58

Checking product version numbers ... 59

Checking the version numbers of the products on devices ... 60

Using LiveUpdate Repackager ... 60

About updates using multiple versions of a product ... 61

Scheduling updates or reminders ... 61

About transferring update files ... 62

Contents 8

(9)

Chapter 5

Initiating scans and updates remotely

About the Short Message Service (SMS) Listener ... 63

SMS message format ... 64

SMS message payload fields ... 64

Authenticating and sending SMS messages ... 65

About the command-line program ... 67

Initiating remote operations by using SMS or the command-line program ... 67

Chapter 6

Configuring Symantec Mobile Security Suite

About configuring Symantec Mobile Security Suite ... 69

About the sample configuration file ... 70

Configuring devices by using Symantec Settings Builder ... 70

About configuring antivirus and LiveUpdate Wireless ... 71

Enabling event logging ... 72

Configuring devices using Symantec System Center ... 76

Configuring Symantec AntiVirus settings ... 76

Configuring LiveUpdate Wireless settings ... 77

About transferring configuration files to the devices ... 78

About testing a new configuration ... 79

Chapter 7

Working with Histories and Event Logs

Configuring event log forwarding ... 81

Viewing Histories and Event Logs in Symantec System Center ... 82

Chapter 8

Using the Symantec Network Access Control Policy

Editor

About the Symantec Network Access Control Policy Editor ... 83

Network Access Control verification ... 84

Checking that security components are installed and running ... 84

Check for version number of security components ... 84

Check that the security components are properly configured ... 84

About using the Symantec Network Access Control Policy Editor ... 85

Import/Export Policy tab ... 85

General tab ... 86

Version tab ... 86

Configuration tab ... 87

Reviewing selections before exporting and saving ... 87

9 Contents

(10)

Index

Contents 10

(11)

Introducing Symantec

Mobile Security Suite

This chapter includes the following topics:

■ About Symantec Mobile Security Suite

About Symantec Mobile Security Suite

Symantec Mobile Security Suite combines mobile security with data protection in a comprehensive security suite. Symantec Mobile Security Suite offers protection for devices against malicious threats and unauthorized access to sensitive corporate information by using antivirus, firewall, password enforcement, device feature control, and encryption. This ensures both protection of mobile assets and maintenance of regulatory compliance requirements. In addition, Symantec Mobile Security Suite is integrated with Symantec LiveUpdate to ensure timely updates of the product and security content.

When used with Symantec Mobile VPN, Symantec Mobile Security Suite also ensures that only secure, policy-compliant devices can access the corporate network via the VPN.

Symantec Mobile Security Manager is the central console for managing the devices in your organization. From the Symantec Mobile Security Manager you can manage the user groups, users, and the devices that are connected to your network; create Policy Packages with customized rules and policies based on the specific security needs of your organization; assign and deploy the Policy Packages to a broad range of devices simultaneously or to specific devices; and monitor and report on security related issues of all the devices in your organization.

The Agent is the client software that runs on the device. The Agent is always active on the device and enforces the policies in the current Policy Package.

1

(12)

Symantec Mobile Security Suite components and features include the following:

■ Antivirus: Provides users with effective and efficient protection against mobile threats with negligible impact on the device.

■ AntiSpam for SMS: SMS spam messages are automatically placed in Spam folder or deleted, and users can configure which messages should be treated as spam.

■ Firewall: Prevent intruders from entering and exporting data from the device.

■ Data Protection/Loss Mitigation: All files in the most common data folder are protected against unauthorized access, especially in the event that the device is lost or stolen.

■ Tamper Protection: Administrators are assured that the password protection and other security components can not be removed to circumvent the security of the device.

■ Device Feature Control: Limits security vulnerabilities, potential attack vectors, and phone misuse by allowing the administrator to only allow those features which are required for business.

■ Network Access Control: When used with the Symantec Mobile VPN (sold separately), prevents out-of-compliant, potentially infected, or unauthorized devices from connecting to the corporate network via the VPN and potentially infecting other devices and placing information on the corporate network at risk.

■ Password Protection: Devices are password-protected against unauthorized access to personal data on the device

Introducing Symantec Mobile Security Suite About Symantec Mobile Security Suite 12

(13)

Installing Symantec Mobile

Security Suite

This chapter includes the following topics:

■ Before you install

■ System requirements

■ Installing Symantec Mobile Security Suite

■ Testing the installation

■ About the device owner's email

■ Upgrading the Agent

■ Uninstalling the Agent

Before you install

If you're planning on setting up an internal LiveUpdate server, you will need to produce update files for the devices using the LiveUpdate Administration Utility. You use the files that are produced by the LiveUpdate Administration Utility as the input to LiveUpdate Repackager. The files that LiveUpdate Repackager creates are then transferred to the devices to update them.

LiveUpdate Repackager requires that you have LiveUpdate and the LiveUpdate Administration Utility installed on a computer. If you're using Symantec System Center as your mobile device management system, LiveUpdate is already installed as part of Symantec Client Security or Symantec AntiVirus Corporate Edition.

2

(14)

Note: LiveUpdate is not the same as the LiveUpdate Wireless component that is part of Symantec Mobile Security Suite.

The LiveUpdate Administration Utility (LUAU.exe) is available on the Symantec AntiVirus 10.1 Corporate Edition CD and the Symantec Client Security 3.0 CD in the Tools\LiveUpdate folder.

The latest version of the LiveUpdate Administration Utility, and supporting documentation are available by searching on LU Admin in the Symantec Knowledge Base at the following URL:

http://www.symantec.com/search/

Symantec Mobile Security Manager installation checklist

Before installing the Symantec Mobile Security Manager software, do the following:

■ Know the IP address, or the domain name that resolves to the IP address, of the Symantec Mobile Security Manager. This information is required during setup for the Agent Configuration file.

■ Review system requirements for the server that will host the Symantec Mobile Security Manager console and the Enterprise database.

■ Review system requirements for devices that will host the Agent software.

■ Know the port that you will be using for the Enterprise web server. Configure and test the network connection for the Symantec Mobile Security Manager server. Note that the default SSL port is set to 443, but this can be customized during installation or changed following installation from the Admin Tools window’s Configuration Files tab.

If you are installing the Enterprise database and the Enterprise server on separate machines:

■ If the computer hosting the Symantec Mobile Security Manager console does not have either SQL Server 2000 or SQL Server 2005 installed locally, then the Microsoft SQL Server 2000 Desktop Engine (MSDE 2000 SP4) must be installed on that computer. Symantec will provide the MSDE redistributable with special installation instructions.

■ Installing MSDE before installing the Symantec Mobile Security Manager is highly recommended. SQL Server 2005 Express Edition may not be substituted for MSDE.

■ Know the path to the database files on the install machine.

Installing Symantec Mobile Security Suite Before you install

(15)

■ If using TCP/IP with SQL Server and a non-default port, know the port number over which SQL Server will be communicating. Test connectivity to the remote db server.

■ Set up domain accounts and SQL Server logins for those domain accounts for each Symantec Mobile Security Manager user. After the database is installed and attached, a SQL Server SysAdmin must permit database access for the Symantec Enterprise Security Manager database for each login with a database role of db_owner.

Symantec Mobile Security Manager system requirements

As of Release 4.0, the Database server can be hosted on a computer other than the Symantec Mobile Security Manager console. Either SQL Server named instances or the default instance can be used with the Symantec Mobile Security Manager database.

Intel Pentium or compatible processor, 400 megahertz (MHz), or higher, recommended for both the database server and the machine that hosts the Enterprise console.

Processor

Database Server and Enterprise Server hosts: minimum 256 MB RAM required; additional memory strongly recommended for optimum performance.

Memory

100 MB free disk space required for Symantec Mobile Security software plus additional space for user data on the database server. 250 MB is a typical requirement for the required SQL Server database components.

Storage

Database Server Host: Supported version of Windows for the Database Server.

Symantec Mobile Security Manager Server: Windows 2000 with Service Pack 2 (Service Pack 4 recommended), Windows XP, Windows 2003 Server (Standard or Enterprise).

Latest security updates strongly recommended. Operating System

NTFS on the database server. NTFS recommended on the Enterprise Console host.

File System

SQL Server 2000 Enterprise or Standard edition. Service Pack 4 is recommended. SQL Server 2005 Enterprise, Standard and Workgroup editions are also supported. For current detailed information about the system requirements for these versions of SQL Server, consult SQL Server 2005 BOL.

Database Server

Ethernet connection Network

15 Installing Symantec Mobile Security Suite

(16)

Internet Explorer 5.5 or greater. Browser

Important notes

Any firewall located between the Symantec Mobile Security Manager and devices connecting via Mobile Connect must be configured to permit communication via the designated communication port.

A static IP address, or server name that can be resolved to a DNS, is required for the Symantec Mobile Security Manager to ensure consistent communication with other components on the network.

SQL Server Data Transformation Services (DTS) are required by the Symantec Mobile Security Manager. SQL Server 2005 does not automatically install DTS. If DTS is missing from the Symantec Mobile Security Manager computer you will receive a message to that effect upon startup. Current instructions on how to resolve the problem can be found online at the following BOL chapter headings: SQL Server 2005 Books Online > Installing SQL Server > Installing SQL Server 2005 Components > Installing SQL Server Components How-to Topics > Integration Services Installation How-to Topics > How to: Ensure Support for Data

Transformation Services Packages

SQL Server 2005 Books Online > Installing SQL Server > Upgrading to SQL Server 2005 > Backward Compatibility > SQL Server 2005 Integration Services Backward Compatibility: Installing run-time support for DTS packages

Symantec Mobile Security Manager permission requirements

An account with Windows administrator privileges is required to install, upgrade or uninstall Symantec Mobile Security Manager.

SQL Server sysadmin privileges are not required to install or upgrade the software, however, these privileges are required to upgrade, attach, and detach the database, or to change the SQL Server Instance.

The individual who will login and use the Symantec Mobile Security Manager must have database owner privileges for the Enterprise database.

Table 2-1 Symantec Mobile Security Manager User Accounts

SQL Server- Database Roles SQL Server Server Roles Windows Group Membership Symantec Mobile Security

Manager Operations

N/A N/A

Windows Administrator Install Symantec Mobile Security

Manager Features

Installing Symantec Mobile Security Suite Before you install

(17)

Table 2-1 Symantec Mobile Security Manager User Accounts (continued) SQL Server- Database Roles SQL Server Server Roles Windows Group Membership Symantec Mobile Security

Manager Operations

N/A sysadmin or dbcreator N/A

Post-installation configuration Attach Symantec Enterprise Security Manager database

Symantec Enterprise Security Manager db_owner N/A

Windows Administrator Upgrade Symantec Mobile Security

Manager and database

Symantec Enterprise Security Manager db_owner N/A

User Upgrade Symantec Enterprise

Security Manager database only

N/A sysadmin to detach from old instancesysadmin or dbcreator to attach to new instance N/A

Relocate the Symantec Enterprise Security Manager database to a new SQL Server instance Symantec Enterprise Security Manager db_owner N/A Power User(Domain account for remote db) Mobile Security Services

N/A N/A

Power User Starting & Stopping Mobile Security

Services

Symantec Mobile Security Manager db_owner N/A

User(Domain account for remote db)

Other Symantec Mobile Security Manager operations

N/A N/A

Windows Administrator Uninstall Symantec Mobile Security

Manager

Note: Upgrading the Symantec Mobile Security Manager software automatically initiates an upgrade of the database. If the database upgrade is unsuccessful for any reason, including insufficient permissions, run the DatabaseUpdater.exe after resolving the failure condition.

Note: In a remote database setup, DatabaseUpgrade.exe must be run from the Symantec Mobile Security Manager server.

17 Installing Symantec Mobile Security Suite

(18)

Note: Importing users from Active Directory requires the logged in user to have the necessary permissions.

Note: Contact your sales engineering representative for more information about User account permissions required for using Symantec Mobile Security Manager.

System requirements

You can install the wireless administration tools on an administrator's computer or a computer that hosts a mobile device management system.

Table 2-2describes the wireless administration tools system requirements. Table 2-2 Wireless administration tools system requirements

Minimum requirements Operating system or software

■ Intel Pentium or compatible processor, 400 MHz or greater

■ 256 MB of RAM

■ 120 MB of hard disk space for the software; 250 MB for the required SQL. Windows 2000 ServerTM/Advanced

Server/Professional with Service Pack 2 Windows® XP Home/Professional with Service Pack 2

Windows 2003 .NET Server

Must be installed to provide input to LiveUpdate Repackager tool.

Refer to your LiveUpdate Administrator's

Guide for these system requirements.

LiveUpdate and the LiveUpdate Administration Utility

Table 2-3lists the Symantec System Center tools requirements. Table 2-3 Symantec System Center tools requirements

Requirements Symantec System Center tool

Symantec System Center installed with either Symantec AntiVirus 10.1, Symantec AntiVirus 10.1 Corporate Edition, or Symantec Client Security 3.0. Symantec System Center Plugin

Symantec AntiVirus 10.1, Symantec AntiVirus 10.1 Corporate Edition, or Symantec Client Security 3.0. Symantec System Center Client

Table 2-4lists the supported devices and their system requirements.

Installing Symantec Mobile Security Suite System requirements

(19)

Table 2-4 Device requirements

Minimum requirements Operating system or component

■ Pocket PC: 4.6 MB

■ Smartphone: 4.2 MB

■ Optional software: Microsoft® ActiveSync® 4.1 or later

Windows Mobile 5.0

Wireless Internet hardware support using the regular TCP/IP stack.

LiveUpdate Wireless

Installing Symantec Mobile Security Suite

Your Symantec Mobile Security Manager administrator should tell you which of the following installation methods is preferred by your organization:

■ The Agent software can be installed from the Symantec Mobile Security Manager server via a secure Internet or Intranet connection.

■ The Agent can be installed by placing the Agent cab file in the device's default directory and selecting it from that location.

■ Third-party software distribution tools can be used to install the software. Before installing Symantec Mobile Security Suite to a device, you must do the following:

■ Set the device clock to the current date and time.

■ Close all files.

■ Exit all applications.

■ Restart the device to ensure that previously installed applications are fully installed and data is saved.

Installation to the default directory in RAM is the only supported installation configuration.

Installing Symantec Mobile Security Suite

To install Symantec Mobile Security Suite, you need to perform the following tasks:

■ If you're using Settings Builder with your MDM system, install the wireless administration tools.

See“Installing the wireless administration tools”on page 20.

19 Installing Symantec Mobile Security Suite Installing Symantec Mobile Security Suite

(20)

■ If you're using Symantec System Center, install the Symantec System Center tools.

See“Installing the Symantec System Center tools”on page 20.

■ Install Symantec Mobile Security Suite on the devices.

See“Installing Symantec Mobile Security Suite on the devices”on page 21.

Installing the wireless administration tools

You need to copy the administration tools files to an administrator's computer or to the computer that hosts your MDM system.

Although LiveUpdate and the LiveUpdate Administration Utility can reside on a different computer than LiveUpdate Repackager, it is convenient to have all of these tools on the same computer so that you do not need to move files or type long paths when you use the tools.

To install the wireless administration tools

1

Insert the Symantec Mobile Security Suite CD into the CD-ROM drive.

2

Click Browse CD.

3

Open the TOOLS folder.

4

Copy the following files to any directory on your computer:

■ lur.exe

■ ssb.exe

■ sb.ini

Installing the Symantec System Center tools

You install the plugin tool on the computer that hosts Symantec System Center. You install the client tool on the Symantec AntiVirus server or client (managed or unmanaged) computer with which the devices synchronize.

To install the Symantec System Center plugin

1

Insert the Symantec Mobile Security Suite CD into the CD-ROM drive.

2

Click Symantec System Center Plugin for Mobile AntiVirus.

3

In the welcome panel, click Next.

4

In the license panel, click I accept the license agreement, and then click Next.

5

In the destination panel, to accept the default location, click Next.

6

In the ready to install panel, click Next.

7

To complete installation, click Finish.

Installing Symantec Mobile Security Suite Installing Symantec Mobile Security Suite 20

(21)

To install the Symantec System Center client

1

Insert the Symantec Mobile Security Suite CD into the CD-ROM drive.

2

Click Symantec System Center Client for Mobile AntiVirus.

3

In the welcome panel, click Next.

4

In the license panel, click I accept the license agreement, and then click Next.

5

In the destination panel, to accept the default location, click Next.

6

In the ready to install panel, click Next.

7

To complete installation, click Finish.

Installing Symantec Mobile Security Suite on the devices

You have the following choices when installing Symantec Mobile Security Suite on the devices:

■ You can have your users install by using the installation wizard on the CD, and then synchronizing the devices with their desktop computers.

See“Installing Symantec Mobile Security Suite by using the installation wizard”

on page 21.

■ If you're using Symantec System Center, you can install to devices by using the ClientRemote Install Tool.

See“Installing Symantec Mobile Security Suite to devices by using Symantec System Center”on page 22.

■ You can install by copying the installation files to a computer, and then transferring the files by using your MDM software, or any TCP/IP-based network connection in your existing infrastructure.

See“Installing Symantec Mobile Security Suite by copying and transferring installation files”on page 23.

Note: When you install Symantec Mobile Security Suite to Windows Mobile 5.0 devices, an unknown publisher message may appear. Tap Yes to continue with installation.

Installing Symantec Mobile Security Suite by using the installation wizard

Appropriate synchronization software must be installed on the computer that you are using for installation. You must also have administrator privileges on the computer.

21 Installing Symantec Mobile Security Suite Installing Symantec Mobile Security Suite

(22)

Symantec Mobile Security Suite installation software determines whether you have appropriate synchronization software installed, and installs Symantec Mobile Security Suite for your devices.

To install to devices by using the installation wizard

1

Launch the Symantec Mobile Security Suite installer from your computer by double-clicking Start.exe.

2

Follow the on-screen instructions to install to your device.

3

After installation completes, ensure that the following folders appear on the device:

■ ..\Program Files\Symantec\ AntiVirus\...

■ ..\Program Files\Symantec\ LiveUpdate\...

■ ..\Program Files\Symantec\ Security\...

■ ..\Program Files\Symantec SymEvent\...

■ ..\Program Files\Openbit\...

On the device, the Programs > Symantec Security folder contains the software for this suite: Symantec Mobile AntiVirus, Firewall, Secure Folders, and LiveUpdate Wireless.

Installing Symantec Mobile Security Suite to devices by using Symantec

System Center

If you're using Symantec System Center, you can install Symantec Mobile Security Suite to devices by using the ClientRemote Install tool.

To install Symantec Mobile Security Suite to devices by using Symantec System Center

1

In Symantec System Center, on the Tools menu, click ClientRemote Install.

2

In the welcome panel, click Next.

3

In the location panel, click Browse.

Do not use the default location, which points to Symantec Client Security file locations.

Installing Symantec Mobile Security Suite Installing Symantec Mobile Security Suite 22

(23)

4

Navigate to the Symantec Mobile Security Suite folder, and then click Next. For example:

C:\Program Files\Symantec\Symantile System Center Plugin for Mobile AntiVirus\Client Install

5

In the Select Computers panel, in the left pane, select the Symantec AntiVirus client computer to which you want to install Symantec Mobile Security Suite. In the right pane, select the Symantec AntiVirus server that you want to act as the parent server for Symantec Mobile Security Suite, and then click Finish.

Installing Symantec Mobile Security Suite by copying and transferring

installation files

You can copy the installation files, and then push them to the devices by using MDM software, or transfer them by using some other TCP/IP-based network connection in your existing infrastructure.

To copy the Symantec Mobile Security Suite installation files for your devices

1

Insert the Symantec Mobile Security Suite CD into the CD-ROM drive.

2

Click Browse CD.

3

Open the INSTALL folder.

4

Copy SymMSS.cab to the location from which you usually push files to your devices.

5

Right-click the SymMSS.cab file after you have copied it, and then click

Properties.

6

Under Attributes, ensure that Read-only is unchecked, and then click OK.

7

Configure your MDM system or other mechanism to put the SymMSS.cab and bfp.bfp files in any location on the devices. Or, if you plan to have users install Symantec Mobile Security Suite on their own devices, you can email the file to users or have them pick up the file from a central server.

After SymMSS.cab is placed in any location on the devices, you or your users must open it on the device to install it.

Once installed, an icon for Symantec Mobile Security Suite appears on the device's Programs screen.

Installing via the Symantec Mobile Security Manager Web

server

The installation files can be downloaded to a device from the Symantec Mobile Security Manager Web server. Follow the guidelines in this section if your administrator instructs you to install the software via this method.

23 Installing Symantec Mobile Security Suite Installing Symantec Mobile Security Suite

(24)

Appendix A contains templates for administators to provide to device users. It includes instructions for downloading files from an Internet connection and links that can be easily edited.

When installing the Agent software to a Smartphone device via Symantec Mobile Security Manager, depending on your device, two or more files are necessary to complete the installation. The bfp.bfp file installs the Default Policy Package that contains the policies that protect the device. The bfptype.cab file allows the bfp.bfp file to be downloaded to the My Documents folder. The SymMSS.cab file installs the application. Installing via the web server requires the files be downloaded separately and in a specific order.

To download the Agent installation files from the Symantec Mobile Security Manager web server

1

Establish an Internet connection on the device and download the following files:

Download the following files in order:

■ Copy bfp.bfp from C:\Symantec Data\Download\Common to C:\Symantec Data\Download\Public\Install\agent\<WM5>\ You need to copy this file from one directory to the other each time there is a configuration change.

■ https://<IP address or Server

Name>:<port>/public/install/agent/<WM5>/SymMSS.cab In both URLs, <IP address> is the address of the Symantec Mobile Security Manager server. Your administrator should provide you with this information.

The port number is required only if the default SSL port of 443 was modified on the Symantec Mobile Security Manager. Pocket PC

Installing Symantec Mobile Security Suite Installing Symantec Mobile Security Suite 24

(25)

Download the following files in order:

■ https://<IP address or Server

Name>:<port>/public/install/bfptype.cab

Once this file is downloaded, you must locate and select it before attempting to download the bfp.bfp file.

■ Copy bfp.bfp from C:\Symantec Data\Download\Common to C:\Symantec Data\Download\Public\Install\agent\<WM5SP>\ You need to copy this file from one directory to the other each time there is a configuration change.

■ https://<IP address or Server

Name>:<port>/public/install/agent/WM5SP/SymMSS.cab In all URLs, <IP address> is the address of the Symantec Mobile Security Manager server. Your administrator should provide you with this information.

The port number is required only if the default SSL port of 443 was modified on the Symantec Mobile Security Manager. Smartphone

2

If a Security Certificate displays, select Yes to accept it.

3

In the Download window, select Yes to download the file to the default My Documents folder.

Changing the installation directory is not supported at this time. When downloading SymMSS.cab, if Open file after download is checked, installation begins immediately as long as the files were downloaded in the correct order. If Open file after download is unchecked, you must manually run SymMSS.cab to begin installation.

4

Follow the on-screen instructions to complete the installation.

Do not cancel or interrupt the installation process. After the installation successful message displays, the device automatically restarts.

Gaining access to the device after installation

The security policy included with the Agent installation requires a password be set on the device as soon as the installation is complete. You may also be required to answer a challenge question for the Password Reset feature, if enabled. Your administrator should provide you with these requirements.

25 Installing Symantec Mobile Security Suite Installing Symantec Mobile Security Suite

(26)

To gain access to the device after installation

1

After the device restarts, unlock it, if necessary.

2

If a native password was set on the device prior to installation, you are prompted to enter it.

If no password was set, the Password Settings screen appears.

3

In the Password Settings screen, enter a new password in the New Password and Confirm fields, and then select Done.

4

If the Self Service Password Reset feature is enabled, answer the question, and then select Done.

About secure folders

During installation, the Secure Folders feature automatically sets a default Main Password to protect all secure folders. After the authentication password settings are complete, a message will display prompting you to change the Secure Folders Main Password. Selecting OK in this message will display the Secure Folders password screen. You can choose not to modify the password by selecting Cancel. However, until the password is changed, this message will display each time the Secure Folders feature is accessed.

Testing the installation

You can verify that Symantec Mobile Security Suite is active by downloading the standard European Institute for Computer Anti-Virus Research (EICAR) test file, and copying it to the device.

To test the installation

1

Download the EICAR test file from www.eicar.org

You may need to temporarily disable threat scanning on your computer to access the EICAR test file. Make sure that you re-enable threat scanning on your computer after you are finished.

2

Copy the EICAR file to the device.

A successful installation of Symantec Mobile Security Suite displays a dialog box when the EICAR test file is copied to the device.

About the device owner's email

The device owner’s email is used for auto-linking a device to an existing User in Symantec Mobile Security Manager. If no email was set on the device prior to

Installing Symantec Mobile Security Suite Testing the installation

(27)

installation a dialog for entering this information will display during the install process. You have the option of entering your email, or skipping the screen altogether. However, if you choose to skip this step but still want to take advantage of the Auto-linking feature, you will need to enter an email in the device owner's email field at a later date.

Upgrading the Agent

When upgrading, you should decrypt all encrypted data on the device and all storage cards before beginning the upgrade.

Warning: If this procedure is not followed, all encrypted data on the device and storage cards will be permanently lost.

Before upgrading

Do the following before upgrading:

■ Set the device clock to the current date and time

■ Close all files

■ Exit all applications including applications in Secure Folders

■ Exit all Secure Folders

■ Decrypt all encrypted files

■ Backup your data

■ Restart the device to ensure that previously installed applications are fully installed and data is saved

Installing the upgrade

The installation files necessary to upgrade the Agent can be placed on the device via the Symantec Mobile Security Manager web server, or with third-party distribution software.

To install the upgrade

1

Run SymMSS.cab file.

2

Follow the on-screen instructions to complete the installation.

27 Installing Symantec Mobile Security Suite

(28)

3

If you receive a message saying that the upgrade is unable to remove the previous version of the software, select OK to continue.

Do not cancel or interrupt the installation process.

4

Do one of the following:

■ After the device restarts, enter your new password, and then select OK.

■ Unlock the device and enter the existing password that was established prior to the upgrade, and then select OK.

Uninstalling the Agent

The Agent can be uninstalled from the device at the Remove Programs screen. To uninstall the Agent on Smartphones

1

Select Start > Settings > Remove Programs.

2

Select Symantec Mobile Security Suite.

3

Select Menu > Remove.

4

Select Yes when the confirmation message displays.

5

Enter your current password, and then select Done. When the software is uninstalled, the device restarts.

6

The password resets to 1234. Enter this value to gain access to the device. To uninstall the Agent on Pocket PCs

1

Select Start > Settings.

2

Select the System tab.

3

Select Remove Programs.

4

Select Symantec Mobile Security Suite > Remove.

5

Select Yes when the confirmation message displays.

6

Enter your current password, and then select Done. When the software is uninstalled, the device restarts.

7

The password resets to 1234. Enter this value to gain access to the device.

Installing Symantec Mobile Security Suite Uninstalling the Agent

(29)

Protecting devices with

Symantec Mobile Security

Suite

This chapter includes the following topics:

■ Using Symantec Mobile Security Suite

■ About the firewall

■ Device authentication

■ About encryption

■ Device Quarantine

■ Event logging

■ About scanning for and responding to threats

■ About Auto-Protect scans

■ About compressed file scans

■ About scan configuration options

■ About the Activity Log

■ About the SMS AntiSpam feature

3

(30)

Using Symantec Mobile Security Suite

A Policy Package contains policies created by the administrator. A new Policy Package can be deployed to your device by the administrator at any time. The device receives the new Policy Package when it connects to Symantec Mobile Security Manager via Mobile Connect. Once installed, the new rules within the Policy Package are enforced. No intervention is required from the device user for this to occur.

Symantec Mobile Security Suite also manages the logging process that records device events. Log files that record these events are uploaded to Symantec Mobile Security Manager when the device connects via Mobile Connect.

The Agent manages the logging process that records device events.

The Agent resides on the device and ensures that all of the following layers of security are enforced on the device:

■ Firewall

■ Device Authentication

■ Encryption

■ Intrusion Detection

■ Security Management

■ Device Feature Blocking

The layers of security on Pocket PC devices include:

■ Set firewall security levels.

■ View the number of Recent Events.

■ Set the device password.

■ Dial phone numbers without logging into the device.

■ Define and delete encrypted Secure Folders.

■ Logout and encrypt PIM data, files, and email.

Mobile Connect

The Mobile Connect feature allows devices to communicate directly with Symantec Mobile Security Manager.

To implement the Mobile Connect feature, devices must have the Agent software installed.

Protecting devices with Symantec Mobile Security Suite Using Symantec Mobile Security Suite

(31)

A Configuration File defined in Symantec Mobile Security Manager establishes parameters for how and when the Agent communicates with the Security Manager. The Configuration File provides settings to enable or disable the Mobile Connect feature.

Mobile Connect can be used over any of the following connection types:

■ WIFI

■ GPRS/GSM

■ CDMA

■ Ethernet or Serial dial-up connection

■ Partnership or Guest ActiveSync connection over InfraRed, COM or USB ports All Mobile Connect connections from the device to Symantec Mobile Security Manager are made over a secure SSL connection, ensuring that all logs and Policy Packages are encrypted in transit.

Transferring files with Mobile Connect

When a device enabled with the Mobile Connect feature connects to Symantec Mobile Security Manager through any of the above connection methods, the Agent software does the following:

■ Check Symantec Mobile Security Manager for a new Policy Package file at the specified interval. If available, the Agent downloads the package and activate the new policies.

■ Upload log files collected on the device to Symantec Mobile Security Manager. If your administrator creates a Configuration File that is set to Do Not Allow Mobile Connect, third-party software must be used in order for devices to receive Policy Packages or upload log files.

If you are using Mobile Connect, and you receive a Configuration File that is set to Do Not Allow Mobile Connect, your device will not be able to communicate with Symantec Mobile Security Manager. This means that your device will not be able to download Policy Packages or upload log files. Your administrator may need to create a new configuration file that allows Mobile Connect.

Testing the Agent to Symantec Mobile Security Manager

connection

Agent installation includes two utilities for testing the Agent to Symantec Mobile Security Manager connection. Both utilities attempt to connect to Symantec Mobile Security Manager server to test the upload and download processes. NetTest runs diagnostic tests and then automatically writes the resulting information to a text

31 Protecting devices with Symantec Mobile Security Suite

(32)

file. NetTest_GUI provides an interface that lets you view and edit connection parameters, view test results, and save the results to a text file.

Using the NetTest utility

NetTest runs the diagnostic tests on your device, and then writes the results to a text file without further intervention.

To run the NetTest utility

1

Locate the NetTest utility on the device by navigating to Start > Symantec

Security > Symantec Tools.

2

Select NetTest.

The results of the test are written to a file named nettest_result, located in the root directory.

Using the NetTest_GUI utility

NetTest_GUI lets you view and edit connection parameters before running the test. This lets you modify connection settings without the need to download a new Configuration File from Symantec Mobile Security Manager.

To run the NetTest_GUI utility

1

Locate the NetTest_GUI utility on the device by navigating to Start >

Symantec Security > Symantec Tools.

2

Select the NetTest_GUI icon.

3

In the Net Test window, on the View/Edit Parameters tab, select Menu > Run

Tests to run the diagnostics test.

Displayed values reflect the settings that are contained in the current Configuration File.

4

To edit the parameters, select Menu > Edit Parameters.

5

To refresh the values from the current Configuration File, select Menu > Edit

Parameters > Reload.

The test results display in the window.

6

Select Clear Results to remove the test results, or select Save Results to save the results to a text file.

The results of the test are written to a file named NetTest_Win_result, located in the root directory.

Protecting devices with Symantec Mobile Security Suite Using Symantec Mobile Security Suite

(33)

About the device clock

If the device clock was not set to the current date and time before installing Symantec Mobile Security Suite, the software may change the date and time for you. Since the software cannot determine the exact date and time of the installation, the new date and time may not reflect the actual, current date and time. In this situation you will need to manually reset the date and time.

About the license

The license file can be distributed to devices as part of a Policy Package, or manually placed on the device.

Note: If you do not deploy licenses to device users, they will receive warning messages.

The firewall About screen displays the trial period remaining, or an expiration notice for unlicensed installs.

If a license expires and a new license file is installed, the firewall security level on the device can change. After a new license file has been installed, verify the firewall security level is set to the desired level.

About Auto-Registration with Symantec Mobile Security Manager

The Auto-Registration feature allows devices to be added to the Security Manager database automatically. In addition, if the device owner’s email matches the email address of an existing user, the device will automatically link to that user. The value on a device used for Auto-Linking is extracted from the email field in Owner Information. Your administrator should inform you what to enter in this field. If you did not set the value during installation, you can change this value at any time. The Auto-Linking feature continuously reads this value until it detects a link to a user on Symantec Mobile Security Manager.

To set or change the Owner Information on the device

1

Select Start > Settings > Owner Information.

2

Enter your email address into the E-mail field.

3

Select OK or Done.

33 Protecting devices with Symantec Mobile Security Suite

(34)

About the firewall

On Smartphones, the firewall feature lets you activate and deactivate the Firewall, and view and refresh Event Statistics.

On Pocket PCs, the firewall feature lets you do the following:

■ On the Security Level screen, view and set the security level for the Firewall policies. The four security levels are Trust No One, Paranoid, Cautious, and Trust All.

■ On the Event Summary screen, view statistics that track the number of events that have been detected within the last minute, hour, and day. Events are categorized by severity and by category.

■ On the Event List screen, view all the events that are contained in the active Event Log. The event list displays the date, time, type of event, and a brief description of the event.

■ On the Event Detail screen, view detailed data about individual events.

Setting the firewall level on Smartphones

The Agent software includes two firewall levels: Active and Inactive. Typically the Active setting limits network traffic into the device and the Inactive setting allows all traffic into the device. Your administrator can deploy a new policy at any time that can change these settings. Therefore, if the firewall is not behaving as you expect, contact your administrator.

The Inactive firewall setting allows all network traffic into the device. To use the firewall

1

Open the Firewall icon.

2

Select Menu > Activate Firewall or Deactivate Firewall.

About the firewall levels

The Firewall User Interface allows you to activate and deactivate the Firewall, view and refresh Event Statistics, and access the About screen.

The Agent for Smartphones includes a firewall with two firewall security levels:

■ Active: Lets you dynamically receive an address by DHCP, perform DNS name resolution and browse the web both via HTTP and HTTPS. The Paranoid level also supports IPSec VPN traffic. All other network traffic is blocked.

■ Inactive: Allows all network traffic into the device.

Table 3-1describes the Paranoid policy rules.

Protecting devices with Symantec Mobile Security Suite About the firewall

(35)

Table 3-1 Paranoid policy rules Destination Port Source Port Protocol Rule Name 68 67 UDP Allow DHCP Client In * 53 UDP Allow DNS Query In * 80 TCP Allow HTTP In * 8080 TCP Allow HTTP Web Proxy 8080 In

* 8008 TCP Allow HTTP Alternate 8008 In * 443 TCP Allow HTTPS TCP In 10000 10000 UDP Allow IPSec Nat-T 10000 In

500 500 UDP Allow IKE In 4500 4500 UDP Allow IPSec Nat-T 4500 In

4502 4502

UDP Allow IPSec Nat-T 4502 In

1701 1701

UDP Allow L2TP/IPSec In

Setting firewall levels on Pocket PCs

The following Firewall levels are available:

■ Trust No One: This policy prevents all network traffic from entering the device.

■ Paranoid: This policy allows you to dynamically receive an address by DHCP, perform DNS name resolution and browse the Web both via HTTP and HTTPS. The Paranoid level also supports IPSec VPN traffic. All other network traffic is blocked.

SeeTable 3-2on page 36.

■ Cautious: This policy allows you to dynamically receive an address by DHCP, perform DNS name resolution, browse the Web both via HTTP and HTTPS, receive mail using POP3, send mail using SMTP, and validate connections on the network by using ping. The Cautious level also supports IPSec VPN traffic. All other network traffic is blocked.

SeeTable 3-3on page 36.

■ Trust All: This policy allows all network traffic into the device.

35 Protecting devices with Symantec Mobile Security Suite

(36)

To use the firewall

1

Select Start > Programs > Symantec Security > Symantec Firewall.

2

Tap the firewall security level that you want.

The policy rules that are associated with that firewall security level are enforced.

About the firewall levels

Table 3-2describes the Paranoid policy rules. Table 3-2 Paranoid policy rules

Destination Port Source Port Protocol Rule Name 68 67 UDP Allow DHCP Client In * 53 UDP Allow DNS Query In * 80 TCP Allow HTTP In * 8080 TCP Allow HTTP Web Proxy 8080 In

* 8008 TCP Allow HTTP Alternate 8008 In * 443 TCP Allow HTTPS TCP In 10000 10000 UDP Allow IPSec Nat-T 10000 In

500 500 UDP Allow IKE In 4500 4500 UDP Allow IPSec Nat-T 4500 In

4502 4502

UDP Allow IPSec Nat-T 4502 In

1701 1701

UDP Allow L2TP/IPSec In

Table 3-3describes the Cautious policy rules Table 3-3 Cautious policy rules

Destination Port Source Port Protocol Rule Name 68 67 UDP Allow DHCP Client In * 53 UDP Allow DNS Query In * 80 TCP Allow HTTP In

Protecting devices with Symantec Mobile Security Suite About the firewall

(37)

Table 3-3 Cautious policy rules (continued) Destination Port Source Port Protocol Rule Name * 8080 TCP Allow HTTP Web Proxy 8080 In

* 8008 TCP Allow HTTP Alternate 8008 In * 443 TCP Allow HTTPS TCP In * 110 TCP Allow POP 3 In * 25 TCP Allow SMTP In * * ICMP Allow Ping In 10000 10000 UDP Allow IPSec Nat-T 10000 In

500 500 UDP Allow IKE In 4500 4500 UDP Allow IPSec Nat-T 4500 In

4502 4502

UDP Allow IPSec Nat-T 4502 In

1701 1701

UDP Allow L2TP/IPSec In

About ActiveSync

On Smartphones, by default, the firewall blocks all ActiveSync traffic to a device except for the Inactive firewall setting. If you plan to use ActiveSync to connect your device to a computer, you must change the firewall level to Inactive before synchronizing.

On Pocket PCs, by default, the firewall blocks all ActiveSync traffic to a device except for the Trust All firewall setting. If you plan to use ActiveSync to connect your device to a computer, you must change the firewall level to Trust All before synchronizing.

About device feature blocking

Symantec Mobile Security Suite can block many of the features included on your device. Feature Blocking policies are created and deployed to your device by your administrator. If you lose functionality in any of the following features, contact your administrator to determine if the behavior is expected.

Any combination of the following features can be blocked:

■ Speaker and Wired Headphones

37 Protecting devices with Symantec Mobile Security Suite

(38)

■ Microphone

■ Infrared (IR)

■ USB

■ Camera

■ Bluetooth

■ Add-on Storage Cards

■ ActiveSync

■ Block SMS/MMS

■ Soft Reset Policy options:

■ Reset immediately after blocking policy is applied

■ Warn user, reset after delay (delay interval is also specified)

■ Inform user, but do not reset

If you receive a new Policy Package with any features blocked, a message may display indicating the device will automatically restart, or prompting you to manually restart the device.

Event statistics

Logging provides an audit of device events. When an event is detected, it is written to the log. Event Logs are placed in a queue to be uploaded to Symantec Mobile Security Manager. Event Logs are grouped by type. Firewall events are maintained in a separate log from other event types. Recent events for the last minute, hour, and day can be viewed on the device.

The active firewall log will be deleted after it reaches 500 records and a new log will begin recording events. The active security log will be deleted after it reaches 500 records and a new log will begin recording events.

To view recent events

1

Open Start > Symantec Security > Symantec Firewall.

2

Select Menu > Refresh.

Event Summary (Pocket PC)

The Event Summary screen displays the number of events detected within the last minute, hour, and day. The Event Summary presents two views of Events: Events by Severity and Events by Category.

Protecting devices with Symantec Mobile Security Suite About the firewall

(39)

Events by severity displays event statistics for three severity levels: High, Medium, and Low.

Events by category displays event statistics for Firewall and Security events only. Informational events are counted within these statistics.

To access the Event Summary screen

1

Navigate to the Firewall Security Levels screen.

2

Select Options > Event Summary.

Event List (Pocket PC)

The Event List screen displays a list of all the events that are contained in the active Event Logs. The Event List displays the date, time, type of event, and a brief description of the event. The Event List displays all active Event Log entries in chronological order, with the most recent events listed first. The events can be sorted by clicking the column heading.

To access the Event List screen

1

Navigate to the Firewall Security Levels screen.

2

Select Options > Event List.

Event Detail (Pocket PC)

The Event Detail screen is accessed by selecting an event in the Event List screen. Additional information about the event is recorded in the log. The type of information recorded varies depending on the type of event.

Device authentication

Symantec Mobile Security Suite adds an authentication layer to protect devices from unauthorized access. The Symantec Mobile Security Manager administrator sets authentication policies, including type, length, composition, and expiration. The authentication layer is also set to wipe the device with the Data Wipe feature after the maximum number of consecutive failed login attempts has been exceeded. Options are available for modifying the password, and for recovering a lost or forgotten password.

Devices with phone service can access an emergency phone dialer from the Password screen without logging into the device.

39 Protecting devices with Symantec Mobile Security Suite

(40)

Changing the password

The password can be changed by the user at any time through the Password Settings screen, but must comply with the rules of the current policy. Your administrator should provide you with these requirements.

To change the password

1

Open Start > Settings > Security > Password.

2

In the Password screen, enter the current password, and then select Done.

3

In the Password Settings screen, enter the new password into the New Password and Confirm fields, and then select Done.

4

Confirm the change by selecting Yes.

Password history remembers the last eight passwords used. If a message displays indicating the password you entered is already in history, select OK and enter a different password.

5

(Pocket PC only) In the Prompt if device unused for field, select a time interval.

6

(Pocket PC only) If you check Force authentication on power-up, select a Grace period, and then select Done.

7

(Pocket PC only) Confirm the change by selecting Yes.

Password History remembers the last eight PINs that you used. If a message displays indicating that the PIN that you entered is already in history, select OK and enter a different PIN.

Note: If a Policy Package is deployed to the device with authentication rules different than the previously deployed Policy Package, the new authentication rules are enforced the next time the device turns on.

To change the challenge question or answer

1

In the Password Settings screen, select Options > Setup Password Reset.

2

Do one of the following:

■ Enter a new answer in the Answer field.

■ Select a different question from the Question list, and then answer the question.

3

Select Done.

4

Select Yes when asked if you want to save the answer.

5

In the Password Settings screen, select Done.

Protecting devices with Symantec Mobile Security Suite Device authentication

(41)

About authentication settings

Prompt if device unused for and Force authentication on power-up are separate features and work independently from each other. You must authenticate if the time interval for either of these settings is exceeded.

By default, the Prompt if device unused for and Force authentication on power-up sections are disabled. If your administrator creates a Policy Package that enables these features, you may need to modify these settings.

The following describes each of the settings and how they effect authentication:

■ Prompt if device unused for: Determines how long the device can sit idle, in either the on or off state, before you must re-authenticate to continue using the device.

■ (Pocket PC only) Force authentication on power-up: If this is checked you must authenticate each time the device is turned on. The Grace period determines how long you have to turn the device off and on again without

re-authenticating.

If this is not checked you do not have to authenticate to gain access to the device after the device turns on unless the Prompt if device unused for time interval requires it, or the device was shut down using the Logout and Encrypt feature.

Restarting the device always requires you to authenticate to gain access to the device.

Note: All authentication dialogs have a 45-second idle timeout and cancel themselves based on user inactivity.

Resetting a forgotten password

Two options are available for resetting a forgotten password. Self Service Password Reset is an optional feature that your administrator may or may not have implemented on your device. This feature allows you to reset the password without contacting support personnel and is the preferred method if enabled.

Password Override requires you to call support to receive a password.

If enabled, the Self Service Password Reset feature can be used to regain access to your device if you forget your current password.

41 Protecting devices with Symantec Mobile Security Suite

(42)

To reset a forgotten password

1

Turn the device off and then on again and select Unlock to display the Password screen.

2

Select Options > I Forgot.

3

Enter the correct answer to the challenge question and select Done.

4

Reset the Password.

If the Self Service Password Reset feature is not enabled on your device, or if you forget the answer to your challenge question, you can use the Password Override feature to gain access.

To use Password Override

1

In the main password screen, select I Forgot.

2

Call the support.

You will need the three line challenge code that appears on the device.

3

Enter the sixteen-digit access code provided by support into the dialog box and select Done.

4

Reset the password.

Phone service

Devices with phone service can dial phone numbers without logging into the device.

To use the phone service

1

Select Unlock, if necessary.

2

Select Send.

3

In the Emergency Dialer screen, enter the phone number to dial.

4

Select Dial.

5

If necessary, in the confirmation message, select OK.

Data wipe

All authentication Security policies are set by default to perform a Data Wipe of the device after the maximum number of consecutive failed login attempts is reached.

After the limit for login failures is reached, Data Wipe does the following:

■ Erases all files in the My Documents folder.

Protecting devices with Symantec Mobile Security Suite Device authentication

(43)

■ Deletes mail messages and attachments saved to a device or storage card folder.

■ Erases all databases including the PIM database.

■ Resets the device.

Some devices can only be reset by the software. In this case, you are prompted to perform a reset per the manufacturer's instructions and you are locked out of the device until you do so.

When attempting to log in to a device if you enter the wrong password, a warning message will display and you will be given the opportunity to reenter the correct password. After half of the maximum number of allowed failures is reached, a new warning message appears indicating the number of attempts left before the device is wiped and all data erased.

A screen then appears, requiring you to enter the word 'symantec' to continue. To prevent loss of data, use the Password Override feature to gain access to the device.

Currently the Data Wipe feature does not wipe storage cards except for the above noted email messages and attachments.

About encryption

The Encryption feature protects important data stored on the device. Symantec Mobile Security Suite uses AES-256 FIPS 140-2-validated encryption algorithms to encrypt your data.

Logout and Encrypt provides PIM, My Documents, and Email encryption. Always-on encryption allows you to encrypt files by saving or moving them to Secure Folders. A default Secure Folder is automatically created when the software is installed and you can create additional Secure Folders.

During installation, the Secure Folders feature automatically sets a default Main Password to protect all secure folders. Immediately after installation you are prompted to change this password. Your administrator should provide you with the password requirements.

Files are encrypted when they are saved or moved into the designated Secure Folder. Files are decrypted when they are opened.

Creating secure folders

Secure Folders can be created on the device, backup storage facility or removable storage cards. The folders will appear in the root directory of the device, i.e., under

43 Protecting devices with Symantec Mobile Security Suite

References

Related documents

Introducing Symantec Event Collector for Microsoft Windows Running LiveUpdate for

1 In Symantec Management Console, navigate to Home &gt; Mobile Management &gt; Settings &gt; Mobile Management Server Settings and click the Profile Security tab. 2 Optionally enter

Roaming Mobile) Threat protection Policy enforced Encryption Compression In Network Symantec Traffic Manager 25 ST B03 - Mobile Security and Management. Symantec

Symantec Antivirus, Symantec Client Security, Sygate or WholeSecurity, or if they use a basic antivirus/anti-spyware solution and are looking for a more complete protection

• Global organizations should consider Symantec Endpoint Protection if they use Symantec Antivirus, Symantec Client Security, Sygate or WholeSecurity, or if they use a

The Entity Manager: grid view window allows you to view and manage entities in a grid format, displaying records in list form for each entity type (User Groups, Users, and Linked

Refer to the Symantec AntiVirus for Network Attached Storage Integration Guide for instructions on configuring Symantec Scan Engine to work with a specific NAS device.. About

This document provides information regarding the implementation of a managed mode deployment of Microsoft security updates, Symantec antivirus definition files, and DeltaV