Pointsec Mobile Pocket PC 3.4

Administrator’s Guide

January 30, 2009


© 2003-2009 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Please refer to http://www.checkpoint.com/copyright.html for a list of our trademarks.

For third party notices, see: http://www.checkpoint.com/3rd_party_copyright.html.


Contents

Preface
  About This Guide ..... 1
  Who Should Read This Guide? ..... 2
  Other Documentation ..... 3

Chapter 1 Overview of Pointsec Mobile
  Introduction to Pointsec Mobile Encryption ..... 6
    Temporary Encryption ..... 6
  Pointsec Mobile Replaces Ordinary Lock Function ..... 7
  Starting Pointsec Administration Console ..... 7
  Installation Set Settings ..... 9
    Overview of System Settings ..... 10
    Miscellaneous ..... 11
    Authentication ..... 14
    PIN/PicturePIN/Password Policy ..... 17
    PIN/PicturePIN/Password Properties ..... 18
    Screen Lock ..... 21
    Info Screen ..... 22
    Encryption ..... 23
    Removable Media Encryption ..... 25
    Removable Media PIN/PicturePIN/Password Properties ..... 28
    File Transfer ..... 28
    Remote Help ..... 29
  Managing Screen Lock Inhibit Applications ..... 31
    Adding a Screen Lock Inhibit Application ..... 31
    Deleting a Screen Lock Inhibit Application ..... 32

Chapter 2 Working With Lists
  Terms ..... 35
  Exclusion List Versus Inclusion List ..... 38
  Examples of Inclusion and Exclusion List Interaction ..... 40
  Accessing Lists ..... 43
    Accessing the Device Inclusion List ..... 43
    Accessing the Device Exclusion List ..... 44
    Accessing Removable Media Inclusion and Exclusion Lists ..... 44
  Predefined Set Lists for Devices ..... 45
    Relaxed ..... 45
    Typical ..... 45
    Strict ..... 46
  Viewing Items on the Relaxed, Typical, and Strict Lists ..... 46
  Editing Device Inclusion and Exclusion Lists ..... 47
    Adding to Device Lists ..... 47
    Deleting from Device Lists ..... 47
    Resetting Device Lists ..... 48
  Editing Removable Media Inclusion and Exclusion Lists ..... 49
    Adding to Removable Media Lists ..... 49
    Deleting from Removable Media Lists ..... 50

Chapter 3 Deploying Pointsec Mobile
  About Security Software on Devices ..... 52
  Overview of Pointsec Mobile Deployment ..... 52
  Creating Installation Sets ..... 52
    Naming Convention for the .cab File ..... 54
    Deploying Multiple Files Simultaneously ..... 54
  Before Installing Pointsec Mobile on Devices ..... 54
  Installing Pointsec Mobile on Devices ..... 55
  Configuring Pointsec Mobile on Devices ..... 56
  Transferring the Recovery File from a Device ..... 59
  Update Profiles for Pointsec Mobile ..... 60
    About Update Profiles ..... 60
    Creating an Update Profile for Pointsec Mobile ..... 61
    Deploying Update Profiles ..... 62
  Upgrading Pointsec Mobile Software ..... 62
    Before Upgrading ..... 62
    Upgrading Pointsec Mobile Software on Administrator Workstations ..... 63
    Upgrading Pointsec Mobile Software on Devices ..... 63
    Effective Removable Media Settings ..... 64

Chapter 4 Pointsec Mobile for Users
  Placing Phone Calls When Pointsec Mobile is Locked ..... 66
    Using Contacts and Call History when Pointsec Mobile Is locked ..... 66
    Incoming Calls ..... 68
    Calling Your Remote Help Administrator ..... 68
  Accessing Information on a Device ..... 69
  Locking Pointsec Mobile ..... 71
    Activating Pointsec Mobile Security Lock ..... 71
    Key-Locking Pointsec Mobile ..... 71
  Accessing Pointsec Properties ..... 73
  Changing Your Device PIN/PicturePIN/Password ..... 74
  Synchronizing the Device with a Workstation ..... 77
    After Synchronizing ..... 77
  Removable Media ..... 78
    Removable Media Basics ..... 79
    Single Sign-On ..... 80
    Password Protection for Removable Media ..... 81
    Removable Media Encryption Policy ..... 81
    Protecting Information on Removable Media ..... 83
    Locking Removable Media ..... 84
    Accessing Removable Media Properties ..... 84
    Viewing Removable Media Status ..... 85
    Changing the PIN/PicturePIN/password for Removable Media ..... 88
    If You Forget Your Removable Media Password ..... 89
    Editing SSO Entries on Removable Media ..... 90
    Applying the Security Policy of the Current Device ..... 91
    Decrypting Removable Media ..... 92
    Moving Removable Media Between Devices ..... 93
    Using Removable Media on Pointsec Mobile and Pointsec Media Encryption ..... 95

Chapter 5 Managing Removable Media
  Defining an Authentication Policy ..... 97
  Defining an Encryption Policy ..... 99
  Defining a Decryption Policy ..... 101
  Effective Removable Media Settings ..... 102

Chapter 6 Remote Help
  Using webRH to Provide Remote Help ..... 104
  Recommended Methods of Verifying Users ..... 104
  Remote Help Settings Overview ..... 105
  Recovery File Naming Convention ..... 106
  Remote Help for Removable Media ..... 106
  Providing Remote Help – an Example ..... 107

Chapter 7 Removing Pointsec Mobile from a Device
  Using webRH to Remove Pointsec Mobile ..... 111
  Removal Procedure ..... 112

Appendix A Pointsec Mobile Keypads
  Picture Set 1 Keypad ..... 2
  Picture Set 2 Keypad ..... 2
  Alphanumeric Keypad ..... 3
  Numeric Keypad ..... 3
  Customized Picture Set Keypad ..... 4
  Customizing a Picture Set ..... 4

Appendix B Event Logging
  Event Logging in Pointsec Administration Console ..... 1
  Event Logging on a Device ..... 2
    Limitations ..... 4
    Example of a Log File ..... 4
    Example of a Registry Log File ..... 5
    List of Logged Events ..... 6

Index ..... 13


Preface

In This Chapter

About This Guide page 1
Other Documentation page 3

Welcome to Pointsec Mobile Pocket PC, a top-of-the-range security product which combines mandatory access control, automatic data encryption, central administration, Remote Help and user-friendly Pointsec PicturePIN to protect confidential information stored on Pocket PC devices running Windows Mobile 5 or Windows Mobile 6 Classic or Professional, and the removable media they use.

Throughout this guide, the product is referred to as Pointsec Mobile.

About This Guide

This guide explains how to:

• Use Pointsec Administration Console to create installation sets and update profiles

• Find out how Pointsec Mobile functions on devices

• Use encryption on removable media

• Provide Remote Help using Pointsec Administration Console if a device becomes locked

Apart from this chapter, this guide contains:

• chapter 1, “Overview of Pointsec Mobile” on page 5, which reviews the settings available for creating installation sets and update profiles


• chapter 2, “Working With Lists” on page 35, which explains the function of inclusion and exclusion lists when encrypting data on Pointsec Mobile-protected devices and removable media

• chapter 3, “Deploying Pointsec Mobile” on page 51, which explains how to install, update and upgrade Pointsec Mobile on a Pocket PC device

• chapter 4, “Pointsec Mobile for Users” on page 65, which explains how users can change their passwords and, if allowed, other Pointsec Mobile settings

• chapter 5, “Managing Removable Media” on page 97, which documents how to configure a removable media policy for implementation on devices used in your organization

• chapter 6, “Remote Help” on page 103, which explains how Remote Help works for both administrators using Pointsec Administration Console and end-users

• chapter 7, “Removing Pointsec Mobile from a Device” on page 111, which explains how to remove Pointsec Mobile from a device

• Appendix A, “Pointsec Mobile Keypads”, which documents the pictures, characters and numbers used on Pointsec Mobile keypads and how to customize the pictures used by PicturePIN

• Appendix B, “Event Logging”, which documents event logging in Pointsec Administration Console and on the device

Who Should Read This Guide?

Administrators who deploy and administer Pointsec Mobile and provide Remote Help within their organization should read this guide.


Other Documentation

The following documentation provides more information on Pointsec Mobile and related products:

Table 1-1 Other Documentation

Pointsec Mobile Pocket PC Release Notes: Latest information on Pointsec Mobile

Pointsec Mobile Pocket PC Installation Guide: Information on how to install Pointsec Mobile

Pointsec Mobile Pocket PC Advanced Administrator’s Guide: In-depth information on managing Pointsec Mobile

Pointsec Mobile Pocket PC Online Device Help: Information on using Pointsec Mobile on a device

Pointsec Administration Console Installation Guide and Administrator’s Guide: Information on how to install and use Pointsec Administration Console

Endpoint Security webRH Pointsec Mobile Module Installation Guide and Administrator’s Guide: Information on how to install and use Endpoint Security webRH


Chapter 1 Overview of Pointsec Mobile

In This Chapter

Introduction to Pointsec Mobile Encryption page 6
Pointsec Mobile Replaces Ordinary Lock Function page 7
Starting Pointsec Administration Console page 7
Installation Set Settings page 9
Managing Screen Lock Inhibit Applications page 31

This chapter provides an overview of working with Pointsec Mobile and explains how to access it and the settings for creating installation sets and update profiles in Pointsec Administration Console.

For information on Pointsec Administration Console, see the Pointsec Administration Console Administrator’s Guide.

Pointsec Mobile Pocket PC is comprised of two components:

• Pointsec Mobile Pocket PC Client, which is installed on the administrator’s PC. The Client is where the administrator configures security settings for the Pointsec Mobile Pocket PC security software.

• Pointsec Mobile Pocket PC, the security software you deploy to supported Pocket PC devices.

As soon as Pointsec Mobile is installed and available from Pointsec Administration Console, you can access Pointsec Mobile settings to create an installation set or update profile to deploy on Pocket PC devices manually or via a 3rd-party distribution tool.


For more information on deployment, see chapter 3, “Deploying Pointsec Mobile” on page 51.

Introduction to Pointsec Mobile Encryption

Pointsec Mobile encrypts information on your device according to what is specified in the inclusion/exclusion lists of the security profile deployed on the device. While Pointsec Mobile is installing on your device, the files on the inclusion list are encrypted. After this initial encryption, new information is encrypted whenever it is written to the device. For more information about inclusion/exclusion lists, please see “Working With Lists” on page 35.

When you want to access encrypted information, you authenticate yourself by entering your PIN/PicturePIN/password, and the information is immediately and seamlessly decrypted. However, it is only decrypted in the application where you access the information; it remains encrypted on the disk where it is stored.

Pointsec Mobile also encrypts removable media according to removable media inclusion/exclusion lists in the security profile. For more information, see “Editing Removable Media Inclusion and Exclusion Lists” on page 49.

Temporary Encryption

When you are not authenticated to Pointsec Mobile, new information written to the device is temporarily encrypted with a different encryption key. Information encrypted with this encryption key can be read only by certain trusted applications that are specified in the security profile deployed on your device. See “Encryption” on page 23 for more information.

When you authenticate to Pointsec Mobile, any temporarily encrypted information is decrypted and then encrypted with the ordinary encryption key. After that, the information is available to all applications as usual.

Note - If a large amount of information has been encrypted temporarily, it may take some time to access the device when the user authenticates to Pointsec Mobile.


Pointsec Mobile Replaces Ordinary Lock Function

Pointsec Mobile replaces the ordinary Pocket PC lock on the device, normally a key icon labeled Lock found under Settings on the Personal tab.

When a user taps the Pocket PC Lock icon, Pointsec Mobile’s authentication screen opens, giving the user the option of changing the PIN/PicturePIN/password.

Starting Pointsec Administration Console

You must start Pointsec Administration Console before you can access Pointsec Mobile settings. There are several ways to start it, depending on the authentication method selected for your account. In this document, only token authentication is described. For other authentication methods, see the Pointsec Administration Console Administrator’s Guide.

To start Pointsec Administration Console:

1. Click Start, navigate to the Pointsec program group, and select Pointsec Administration Console.

The following dialog box opens:

2. Enter the name of the account you want to use and click OK.

Note - In Pointsec Account Manager, ensure that the account you use has the rights needed to work with Pointsec Mobile Pocket PC in Pointsec Administration Console. See the Pointsec Administration Console Administrator’s Guide for more information.


The Select Token dialog box opens and displays a list of the tokens you have registered previously, for example:

3. Select a token and click OK.

The following dialog box opens:

Pointsec Administration Console displays a dynamic challenge that you must respond to using the dynamic token you selected.

4. Enter the challenge into the token and generate a response.

5. Enter the response in the Response field and click OK.

Pointsec Administration Console starts:


6. In the security module tree, double-click Pointsec Mobile Pocket PC and select Create Installation Set to display the settings available:

The following sections describe the Pointsec Mobile settings.

Installation Set Settings

This section contains an overview of the security settings for Pointsec Mobile, followed by detailed descriptions of the settings.

Note - For security reasons, Pointsec Administration Console automatically shuts down if you have not used it for two hours. You must re-authenticate yourself before you can work with it again.


Overview of System Settings

The following groups of system security settings are available:

• Miscellaneous – these settings determine license and user settings, for example license number, and whether or not to allow access to contacts when Pointsec Mobile is locked. For more information see “Miscellaneous” on page 11.

• Authentication – these settings determine type, number of attempts allowed and whether to shuffle the icons on the device. For more information see “Authentication” on page 14.

• PIN/PicturePIN/Password Policy – these settings determine the password policy, for example, you can specify the minimum and maximum usage time and how many new passwords must be used before an old one can be re-used. For more information see “PIN/PicturePIN/Password Policy” on page 17.

• PIN/PicturePIN/Password Properties – these settings determine the password properties required, for example, length of the PIN/PicturePIN/password, number of characters etc. For more information see “PIN/PicturePIN/Password Properties” on page 18.

• Screen Lock – these settings specify if Pointsec Mobile should lock a device after it has been inactive for a specific length of time. For more information see “Screen Lock” on page 21.

• Info Screen – these settings determine the text to be displayed in the Pointsec Mobile info screen on the device and when to show it. For more information see “Info Screen” on page 22.

• Encryption – these settings are where you specify trusted applications and determine which information stored on a device is encrypted. For more information see “Encryption” on page 23.

• Removable Media Encryption – these settings determine whether removable media can be used on a device, PIN/PicturePIN/password protection, and whether a single sign-on policy is used. For more information see “Removable Media Encryption” on page 25.

• Removable Media PIN/PicturePIN/Password Properties – these settings determine the length of the removable media PIN/PicturePIN/password, number of characters required, etc. For more information see “Removable Media PIN/PicturePIN/Password Properties” on page 28.

• File Transfer – these settings manage recovery file transfer in devices that use 3rd-party distribution software with recovery file transfer capability. For more information see “File Transfer” on page 28.


• Remote Help – this setting determines silent uninstall and Remote Help direct dial settings. For more information see “Remote Help” on page 29.

Miscellaneous

Here you configure license and user settings.

Table 1-2 Miscellaneous Settings

Show advanced settings: Select Yes to view all settings available. Select No to hide the following settings:

In Miscellaneous settings section:
--Customize picture set, see page 12
--Event Log Levels, see page 13
--Event Log Size (kb), see page 13
--Accept old update profiles, see page 13

In Authentication settings section:
--Shuffle icons, see page 14
--Unlimited number of attempts, see page 15
--Authentication delay (sec), see page 16
--Authenticate at ActiveSync, see page 17

In Screen Lock settings section:
--Type, see page 14
--Screen lock inhibit applications, see page 21
--Timeout 2 (min), see page 22

In Encryption settings section:
--Inclusion list, see page 23
--Exclusion list, see page 23
--Trusted applications, see page 23

In File Transfer settings section:
--Wait until device recovery file transferred, see page 28
--Device recovery file timeout (sec), see page 28

In Remote Help settings section:
--Encrypt shared secret, see page 30
--Silent Uninstall, see page 30

License number: This is where you enter the license number for your Pointsec Mobile installation.

Customize picture set: Click ... to specify the graphics you want to use in a customized picture set instead of the default graphics included in Pointsec Mobile. For more information, see “Customizing a Picture Set” on page 4.

Allow reminder popup: Select Yes to enable calendar reminders to be shown on top of the authentication window. Select No if reminders should not be shown when the user is not authenticated to Pointsec Mobile.

Show incoming call information: Select Yes to display caller information (name, number) for an incoming call when the user is not authenticated to Pointsec Mobile. Select No to hide incoming call information when Pointsec Mobile is locked.

Access Contacts and Call History: Select Yes to enable users to access contacts and call history from the phone application when the device is locked. See Chapter 4, “Using Contacts and Call History when Pointsec Mobile Is locked” on page 66.

After soft resetting the device, contacts and call history are not available until after the first authentication.

Note - On some devices, it may not be possible to access contacts and call history, even if this option is set to Yes. See the Pointsec Mobile Pocket PC Release Notes for information on the limitations of this setting.


Event Log Levels: Here you select whether to log important events and which events to log. The following options are available:

• Disabled (nothing is logged)

• Errors

• Errors, Warnings

• Errors, Warnings, Information

For more information on event logging, see Appendix B, “Event Logging”.

Event Log Size (kb): This setting specifies the maximum size in kilobytes of each event log file.

Minimum = 1 Maximum = 9999

For more information on event logging, see Appendix B, “Event Logging”.

Accept old update profiles: Select No if you do not want Pointsec Mobile to accept a profile that is older than the currently deployed profile. Profile age is determined by a timestamp that is given when the profile is created in Pointsec Administration Console.

Select Yes if you want Pointsec Mobile to use a profile that is older (created earlier) than the currently deployed profile.

If one or more update profiles are found, not counting the current profile, one of them is applied. Which one is undefined. All other profiles, including the current profile, are deleted.

Note - Consider the following before you select Yes:

A user can save a copy of the current profile and then replace any new profiles you send out with the copy. This is not possible if you select No.

Do not send out more than one update profile at a time because it is not possible to determine which profile will be applied on the device.
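The acceptance rule for Accept old update profiles and the rollback risk described in its note, modelled in Python. This is an added example, not Pointsec code: the UpdateProfile class, apply_update_profiles, rollback_scenario and the timestamps are assumptions made for the illustration.

```python
"""Model of the 'Accept old update profiles' decision from the table above.
Added illustration, not Pointsec code: class and function names and the
timestamps are assumptions; on a real device the profiles are files it finds."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class UpdateProfile:
    name: str
    created: int  # timestamp assigned when the profile is created in the console (constructed)


def apply_update_profiles(current: UpdateProfile, found: List[UpdateProfile],
                          accept_old: bool) -> Tuple[Optional[UpdateProfile], List[UpdateProfile]]:
    """Decide which of the found profiles replaces `current`.

    Returns (applied, deleted). With accept_old=False only a profile created
    after `current` is eligible, so a re-used copy of an earlier profile is
    rejected. With accept_old=True every found profile is eligible. When more
    than one profile is eligible the guide says the choice is undefined; this
    model takes the first in discovery order, which is exactly why only one
    update profile should be sent out at a time. Rejected profiles are dropped
    without being applied (assumption: the guide does not say what happens
    to them).
    """
    others = [p for p in found if p.name != current.name]
    if accept_old:
        eligible = others
    else:
        eligible = [p for p in others if p.created > current.created]
    if not eligible:
        return None, others            # nothing applied; the current profile stays
    applied = eligible[0]
    deleted = [current] + [p for p in others if p is not applied]
    return applied, deleted


def rollback_scenario(accept_old: bool) -> Optional[str]:
    """The note's scenario: the user keeps a copy of profile v1, the admin later
    deploys the stricter v2, and the user then drops the saved v1 copy back onto
    the device. Returns the name of the profile that ends up applied, if any."""
    v1 = UpdateProfile("profile_v1", created=1_000)        # constructed timestamps
    v2 = UpdateProfile("profile_v2", created=2_000)
    saved_copy_of_v1 = UpdateProfile("profile_v1_copy", created=v1.created)
    # v2 has already been applied; the device next finds only the user's copy of v1.
    applied, _ = apply_update_profiles(current=v2, found=[saved_copy_of_v1],
                                       accept_old=accept_old)
    return applied.name if applied else None


if __name__ == "__main__":
    print("Accept old update profiles = Yes ->", rollback_scenario(True))   # profile_v1_copy
    print("Accept old update profiles = No  ->", rollback_scenario(False))  # None
```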


Authentication

This is where you specify authentication settings for users when accessing a Pointsec Mobile-protected device.

Table 1-3 Authentication Settings

Type user selectable: Select Yes to allow the user to decide which PIN/PicturePIN/password keypad to use.

Type: Here you can select which PIN/PicturePIN/password keypad to use. If Type user selectable is set to Yes, the type selected here is the default keypad on the device. For a list of available keypads, see Appendix A, “Pointsec Mobile Keypads”.

• Alphanumeric: The default alphanumeric characters are used for the password.

• Customized: Select this option to use a customized keypad or the alternative keypad. For more information, see “Customizing a Picture Set” on page 4.

• Numeric: Numbers are used for the password.

• Picture Set 1: Pointsec Mobile’s picture set 1 is used for the PicturePIN.

• Picture Set 2: Pointsec Mobile’s picture set 2 is used for the PicturePIN.

Shuffle icons: Select Yes if you want the PIN/PicturePIN icons to change places each time the user is prompted to authenticate and before confirming a new PIN/PicturePIN.

Note - Selecting No results in a lower security level, as the icons are always displayed in the same place on the device screen. This makes it easier for shoulder surfers to find out the PIN/PicturePIN, and it may be possible to deduce the PIN/PicturePIN from scratches on the screen.


Unlimited number of attempts We recommend that you accept No, the default setting.

Note - Selecting Yes results in a lower security level, as an unauthorized person can attempt repeatedly to crack the password. In addition, Pointsec Mobile’s lockout feature and Remote Help are disabled, and information on a device cannot be recovered if the device becomes locked and the PIN/PicturePIN/password is lost.

Number of attempts This setting specifies the number of consecutive failed authentication attempts the user is allowed to make on the device.

If this number is exceeded, the user must use Remote Help to access information stored on the device.

Minimum = 1 Maximum = 99

See chapter 6, “Remote Help” on page 103 for more information.

QuickPIN length A QuickPIN is a short version of a PIN/PicturePIN/password. By default it is the first two pictures/alphanumeric characters in the PIN/PicturePIN/password.

QuickPIN length specifies the minimum length of the QuickPIN.

Users can use their QuickPINs to authenticate to Pointsec Mobile on the device during a short, specified period of time. After the specified interval, the user must use the full PIN/PicturePIN/password to access the device.

Minimum = 2 Maximum = 12


QuickPIN timeout (min) This sets the time, in minutes, during which a QuickPIN can be used for authentication. This time begins counting after the device enters sleep mode, is switched off, or when the screen lock is activated.

After the timeout has passed, the full PIN/PicturePIN/password is required for authentication.

Minimum = 0, this disables the setting

Maximum = 240 minutes

To disable the QuickPIN, set timeout period to zero (0) seconds.

Note - QuickPIN is not available immediately after a device has been soft-reset. It is available the second time the authentication screen is displayed after a soft-reset.

Authentication delay (sec) Authentication delay is an interval, in seconds, during which users are not required to authenticate themselves when trying to access the device after it has entered sleep mode or was switched off.

Minimum = 0, this disables the setting

Maximum = 60 minutes

After the authentication delay interval, if QuickPIN is activated on the device, the QuickPIN timeout takes effect and is required for authentication.

Note - The device is unprotected during the authentication delay interval.
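The way Authentication delay, QuickPIN timeout and the soft-reset rule combine is easiest to see as a single decision on the time elapsed since the device went to sleep. The Python below is an added illustration, not code from the guide or from Pointsec Mobile; the names ResumePolicy, Credential and credential_required are the example's own, the sample profile values are constructed, and the treatment of a soft reset (no authentication delay, full credential at the first prompt) is this example's reading of the note above.

```python
from dataclasses import dataclass
from enum import Enum


class Credential(Enum):
    """What Pointsec Mobile asks for when the user tries to use the device again."""
    NONE = "no authentication required"
    QUICKPIN = "QuickPIN accepted"
    FULL = "full PIN/PicturePIN/password required"


@dataclass(frozen=True)
class ResumePolicy:
    """The three Table 1-3 settings that govern authentication on resume.
    A value of 0 disables the corresponding timeout, as in the guide."""
    authentication_delay_sec: int = 0   # Authentication delay (sec)
    quickpin_timeout_min: int = 0       # QuickPIN timeout (min), 0..240
    quickpin_length: int = 2            # QuickPIN length, 2..12

    def __post_init__(self):
        if self.authentication_delay_sec < 0:
            raise ValueError("Authentication delay cannot be negative")
        if not 0 <= self.quickpin_timeout_min <= 240:
            raise ValueError("QuickPIN timeout must be between 0 and 240 minutes")
        if not 2 <= self.quickpin_length <= 12:
            raise ValueError("QuickPIN length must be between 2 and 12")

    @property
    def quickpin_enabled(self) -> bool:
        return self.quickpin_timeout_min > 0


def quickpin_of(full_secret: str, policy: ResumePolicy) -> str:
    """Default QuickPIN: the first pictures/characters of the full secret."""
    return full_secret[:policy.quickpin_length]


def credential_required(policy: ResumePolicy, seconds_since_sleep: int,
                        first_prompt_after_soft_reset: bool = False) -> Credential:
    """Which credential the device demands `seconds_since_sleep` seconds after it
    entered sleep mode, was switched off, or was screen-locked."""
    # Assumption of this example: a soft reset is not a sleep/switch-off event,
    # so no authentication delay applies, and (per the guide's note) the QuickPIN
    # is not offered at the first prompt after the reset.
    if first_prompt_after_soft_reset:
        return Credential.FULL
    # During the authentication delay the device is simply unprotected.
    if seconds_since_sleep < policy.authentication_delay_sec:
        return Credential.NONE
    # The QuickPIN timeout is counted from the moment the device went to sleep,
    # not from the end of the authentication delay, so both clocks share t = 0.
    if policy.quickpin_enabled and seconds_since_sleep < policy.quickpin_timeout_min * 60:
        return Credential.QUICKPIN
    return Credential.FULL


def timeline(policy: ResumePolicy, sample_seconds) -> list:
    """(t, credential name) pairs, handy for reviewing a profile before deployment."""
    return [(t, credential_required(policy, t).name) for t in sample_seconds]


if __name__ == "__main__":
    # Constructed sample profile: 30 s delay, 10 min QuickPIN window.
    sample = ResumePolicy(authentication_delay_sec=30, quickpin_timeout_min=10)
    for t, need in timeline(sample, [0, 29, 30, 599, 600]):
        print(f"{t:>4} s after sleep: {need}")
```

Running the timeline for a candidate profile shows directly how long the device stays unprotected and how long a two-character QuickPIN is accepted, which is the trade-off the two Note boxes above describe.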

Authenticate at ActiveSync Select Yes to require users to enter the correct PIN/PicturePIN/password before they can synchronize their devices with a workstation or network.

If a user enters an incorrect PIN/PicturePIN/password, Pointsec Mobile enforces the number of authentication attempts specified, see “Number of attempts” on page 15, and then gives the user access to the device again. The user cannot synchronize the device with a workstation or network until the correct PIN/PicturePIN/password is entered.

Note - If No is selected, the device can be synchronized with a workstation or network without any additional authentication.

PIN/PicturePIN/Password Policy

This is where you specify the password policy to deploy on the device.

Table 1-4 PIN/PicturePIN/password Policy Settings

Active Select Yes to activate the PIN/PicturePIN/password policy settings.

If you select No, the other PIN/PicturePIN/password policy settings are disabled.

Min password age (days) Enter the minimum length of time, in days, that a user must use the same PIN/PicturePIN/password.

Minimum = 0

Maximum = 14

Max password age (days) Enter the maximum length of time, in days, that a user can use the same PIN/PicturePIN/password.

Minimum = 1

Maximum = 180

Enforce password history Enter the number of unique new passwords that a user must use before an old password can be re-used.

Minimum = 0

Maximum = 13

PIN/PicturePIN/Password Properties

This is where you specify the password properties to deploy on the device.

Table 1-5 PIN/PicturePIN/Password Properties Settings

Min length The minimum number of characters or pictures allowed for the PIN/PicturePIN/password.

Minimum = 4

Maximum = 13

Max identical characters The maximum number of occurrences of any character/picture in the PIN/PicturePIN/password.

Minimum = 1

Maximum = 9999

Max identical consecutive characters The maximum number of identical consecutive characters/pictures in the PIN/PicturePIN/password.

Example: If the setting is 2, then aah382 and epj722 are possible passwords, each having a maximum of two identical consecutive characters.

Minimum = 1

Maximum = 9999


Max number of characters in ordered sequence The maximum number of consecutive characters in an ordered sequence in the password.

Example: If the setting is 3, then abc123 and cba321 are possible passwords, each consisting of two ordered sequences with three characters.

Minimum = 1

Maximum = 9999

Min number of special characters The minimum number of special characters required in the password.

This setting applies only to the alphanumeric authentication type.

Example: If the setting is 3, then <b!14£ and y+c;/1 are possible passwords, each having a minimum of three special characters.

The special characters that can be used are the following:

! ? " @ # £ ¤ $ % & / \ { } ( ) [ ] < > = + - ~ ' * _ : . ; ,

Minimum = 0

Maximum = Sum of Min number of special characters, Min number of letters, and Min number of digits cannot exceed the value of Min length.

Min number of letters The minimum number of letters required in the password.

This setting applies only to the alphanumeric authentication type.

Example: If the setting is 4, then g1k2w3p4 is a possible password, because it contains four letters.

Minimum = 0

Maximum = Sum of Min number of special characters, Min number of letters, and Min number of digits cannot exceed the value of Min length.


Min number of digits The minimum number of digits required in the password.

This setting is available only if authentication type has been set to “alphanumeric”.

Example: If the setting is 4, then a8b3c9d4 is a possible password, because it contains four digits.

Minimum = 0

Maximum = Sum of Min number of special characters, Min number of letters, and Min number of digits cannot exceed the value of Min length.

Require upper and lower case Select Yes to require passwords to contain both upper and lower case characters.

Example: If the setting is set to Yes, then A1u2r3D4 is a possible password, because it contains both upper and lower case characters.

Allow digit prefix/suffix Select Yes to allow passwords to start and end with a digit.

Example: If the setting is set to Yes, then a password such as 2mndkj9, which starts and ends with a digit, is allowed.
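The Table 1-5 properties are individually simple, but a deployed profile combines them, and the only way to be sure a candidate password policy accepts the passwords you expect is to evaluate every rule together. The following Python checker is an added example, not code from the guide or from Pointsec Mobile: PasswordProperties and check_password are the example's own names, "letters" means alphabetic characters, an "ordered sequence" is read as characters whose codes rise or fall by exactly one (abc, 321), and the special-character set is the list printed above with straight quotes. The sample passwords are the guide's own examples.

```python
from __future__ import annotations
from dataclasses import dataclass

# The special characters listed in Table 1-5 (straight quotes assumed).
SPECIAL_CHARS = set('!?"@#£¤$%&/\\{}()[]<>=+-~\'*_:.;,')


@dataclass(frozen=True)
class PasswordProperties:
    """Table 1-5 settings; defaults are the guide's minimums/maximums where stated."""
    min_length: int = 4                    # 4..13
    max_identical_chars: int = 9999        # 1..9999
    max_identical_consecutive: int = 9999  # 1..9999
    max_ordered_sequence: int = 9999       # 1..9999
    min_special: int = 0                   # alphanumeric type only
    min_letters: int = 0                   # alphanumeric type only
    min_digits: int = 0                    # alphanumeric type only
    require_upper_and_lower: bool = False
    allow_digit_prefix_suffix: bool = True

    def __post_init__(self):
        if not 4 <= self.min_length <= 13:
            raise ValueError("Min length must be between 4 and 13")
        # The guide's cross-constraint on the three minimums.
        if self.min_special + self.min_letters + self.min_digits > self.min_length:
            raise ValueError("Min special + Min letters + Min digits cannot exceed Min length")


def longest_identical_run(pw: str) -> int:
    """Length of the longest run of identical consecutive characters (aa -> 2)."""
    best = run = 0
    prev = None
    for ch in pw:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def longest_ordered_sequence(pw: str) -> int:
    """Longest run whose character codes step by +1 or -1 throughout (abc, cba, 123)."""
    best = 0
    for start in range(len(pw)):
        for step in (1, -1):
            end = start
            while end + 1 < len(pw) and ord(pw[end + 1]) - ord(pw[end]) == step:
                end += 1
            best = max(best, end - start + 1)
    return best


def check_password(pw: str, policy: PasswordProperties) -> list[str]:
    """Names of the Table 1-5 rules the password violates; an empty list means accepted."""
    violations = []
    if len(pw) < policy.min_length:
        violations.append("Min length")
    if pw and max(pw.count(c) for c in set(pw)) > policy.max_identical_chars:
        violations.append("Max identical characters")
    if longest_identical_run(pw) > policy.max_identical_consecutive:
        violations.append("Max identical consecutive characters")
    if longest_ordered_sequence(pw) > policy.max_ordered_sequence:
        violations.append("Max number of characters in ordered sequence")
    if sum(c in SPECIAL_CHARS for c in pw) < policy.min_special:
        violations.append("Min number of special characters")
    if sum(c.isalpha() for c in pw) < policy.min_letters:
        violations.append("Min number of letters")
    if sum(c.isdigit() for c in pw) < policy.min_digits:
        violations.append("Min number of digits")
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    if policy.require_upper_and_lower and not (has_upper and has_lower):
        violations.append("Require upper and lower case")
    if not policy.allow_digit_prefix_suffix and pw and (pw[0].isdigit() or pw[-1].isdigit()):
        violations.append("Allow digit prefix/suffix")
    return violations


if __name__ == "__main__":
    # Constructed profile: 8 characters, no runs of 3, at least one digit and one special.
    strict = PasswordProperties(min_length=8, max_identical_consecutive=2,
                                max_ordered_sequence=3, min_special=1, min_digits=1,
                                require_upper_and_lower=True, allow_digit_prefix_suffix=False)
    for candidate in ("A1u2r3D4", "Tr0ub4dor&3", "abcd1234!"):
        print(candidate, "->", check_password(candidate, strict) or "accepted")
```

Because the ordered-sequence and identical-run checks scan the whole string, the checker also rejects passwords that the guide's individual examples do not show, such as abcd12 under a limit of 3; the lead-in's reading of "ordered sequence" is the assumption to confirm against the console's own behaviour.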


Screen Lock

Here you can specify if Pointsec Mobile should lock a device after it has been inactive for a specific length of time.

Table 1-6 Screen Lock Settings

Type Select one of the following screen lock types:

• None Select None to disable automatic screen locking of the device. Manual screen locking is still possible.

• Basic Select this setting to enable screen locking after the specified period of idle time. All connections the device has with a computer or network are kept open.

• Escalated Select this setting to enable escalated screen locking after the specified period of idle time. The ActiveSync connection is closed when the screen lock is activated. No other connections the device has with a computer or network are affected by this setting.

On devices with GPRS connectivity, the escalated screen lock may block certain 3rd-party distribution tool functionality.

Timeout 1 (min) Enter the length of time in minutes that the device should be inactive before Pointsec Mobile locks it. See also Screen lock inhibit applications.

Minimum = 1 minute

Maximum = Less than timeout 2

Screen lock inhibit applications Here you can define applications that should inhibit screen lock Timeout 1. When such an application is running in the foreground on the device, Timeout 1 is disregarded. Instead, Timeout 2 determines when the device should be locked.

This is useful for applications which are used mainly for viewing information on the screen without interacting with the device, such as GPS applications.

See “Managing Screen Lock Inhibit Applications” on page 31.

Timeout 2 (min) Enter the length of time in minutes that the device should be inactive before Pointsec Mobile locks it, regardless of what applications are running.

This setting takes effect only if an application defined as a screen lock inhibit application is running in the foreground on the device.

Minimum = Greater than the value for Timeout 1

Maximum = 240 minutes

Info Screen

Here you can enter information you want to store on the device, for example your organization’s name and address.

Table 1-7 Info Screen Settings

Text Click … to enter text to be shown on the Pointsec Mobile information screen.

Show first If you select Yes, Pointsec Mobile displays the information you entered in the Text field whenever the device is switched on.

Tip - Displaying this information means that a lost device may be returned to an owner/organization.


Encryption

This is where you specify which information stored on a device will be encrypted.

Table 1-8 Encryption Settings

Inclusion list Here you define which items on your device will be encrypted. See “Working With Lists” on page 35.

The exclusion list has priority over the inclusion list. This means that you can, for example, include a folder but exclude certain files in it from encryption.

Exclusion list Here you define which items on your device will not be encrypted. See “Working With Lists” on page 35.

Trusted applications Here you specify executables for trusted applications that are to be allowed to access temporarily encrypted files when the user is not authenticated to Pointsec Mobile. See “Temporary Encryption” on page 6 for more information.

Example: You might want to let a synchronization application access the encrypted data even when the user is not authenticated. For each such application, you may need to specify several executables.

If you are not sure which files you need to specify, please contact your Check Point representative.

Note - When you create a new profile, all third-party products that Pointsec Mobile supports are automatically included in the Trusted Applications list, Inclusion list, and Exclusion (“typical” predefined set) list to allow Pointsec Mobile and the third-party software to function together without additional configuration.

If you load an existing profile, however, you must add these applications manually to the inclusion or exclusion lists as needed.


Trusted applications To specify trusted applications:

1. Click ... . The following window opens:

2. Enter the full path and filename for a trusted executable and click Add. The new executable is shown in the Trusted applications list.

Tip - To make the path to \Program Files\ valid regardless of what language is used on the device, you can type %PROGRAM FILES%\ instead of \Program Files\ when you specify the path.

To specify all applications in a certain folder as trusted, enter *.

3. Repeat step 2 for each executable you want to specify. Click OK to close the window.


Removable Media Encryption

This is where you specify whether removable media is allowed and which information stored on removable media will be encrypted.

Table 1-9 Removable Media Encryption Settings

Allow Removable Media Select Allow cards to allow mounting of removable media on the device.

Select Forbid cards to disallow mounting of removable media on the device.

Mounting of removable media occurs when the removable media is inserted or when the device is restarted.

Page 34: Pointsec Mobile Pocket PC Administrator’s Guide

Removable Media Encryption

26

Encryption Policy This is where you specify the encryption policy for removable media. The following are the available choices and how the user is affected by each choice:

Disabled

• Users cannot encrypt removable media.

• Users can read already encrypted removable media.

Optional

• Users can choose to encrypt removable media.

• When unencrypted removable media is inserted, users are prompted to set a password but are not required to do so and may select Cancel.

• If no password is set, the removable media remains unencrypted.

• When users insert encrypted removable media that contains unencrypted files which should be encrypted according to the inclusion list on the device, Pointsec Mobile asks if the files should be encrypted.

Optional, No Query

• This is the same as the Optional setting, except the users are not asked if they want to encrypt existing files.

Required

• Users are required to encrypt the removable media before it can be used.

Decryption Policy The choices for this setting are:

• Allowed: Users can decrypt removable media.

• Disallowed: Users cannot decrypt removable media.


Authentication type user selectable Select Yes to allow users to decide which PIN/PicturePIN/password keypad to use to access removable media.

Authentication type Here you can select which authentication method to use for the removable media.

• Alphanumeric The alphanumeric characters available on the keyboard are used for the password.

• Numeric Pointsec Mobile’s numbers keypad is used for the password.

• Picture Set 1 Pointsec Mobile’s picture set 1 is used for the PicturePIN.

• Picture Set 2 Pointsec Mobile’s picture set 2 is used for the PicturePIN.

If you choose numeric authentication type or one of the picture sets, a keypad is shown on the screen whenever users are prompted to enter their PIN/PicturePIN/passwords. To see which keypads you can choose from, see Appendix A, “Pointsec Mobile Keypads”.

Enable Removable Media Password Select Yes to allow users to set a password for the removable media.

If you select No, the user cannot set a password for the removable media, and the media can be used only on devices with SSO enabled. In this case, the setting Enable SSO is set to Enabled automatically.

For more information, see chapter 5, “Managing Removable Media” on page 97.

Enable Single Sign-On (SSO) Select Enabled to allow users who log on to a device or insert removable media to be logged on to the removable media automatically after the first authentication to the media.

If you select Disabled, users must log on separately to the removable media each time it is inserted. In this case, Removable media password is set to Yes automatically.

For more information, see chapter 5, “Managing Removable Media” on page 97.


Inclusion/Exclusion list Here you define which items on removable media will be encrypted or unencrypted. See “Working With Lists” on page 35.

Removable Media PIN/PicturePIN/Password Properties

The PIN/PicturePIN/password properties that can be deployed on removable media are the same as those for the device. See “PIN/PicturePIN/Password Properties” on page 18 for an explanation of these settings.

File Transfer

This is where you specify how recovery files for Pointsec Mobile-protected devices are managed. These settings are applicable only if you are using 3rd-party distribution software that has recovery file management capability.

Table 1-10 File Transfer Settings

Wait until device recovery file transferred Select Yes to ensure the recovery file is transferred before the installation is completed.

Device recovery file timeout (sec) Enter the number of seconds that you want Pointsec Mobile to wait for a successful recovery file transferal before completing the installation.

Minimum = 0 Maximum = 240 seconds

Tip - To be certain that the recovery file is transferred, we recommend that you set the timeout to at least 60 seconds.

Page 37: Pointsec Mobile Pocket PC Administrator’s Guide

Remote Help

Chapter 1 Overview of Pointsec Mobile 29

Remote Help

This is where you specify Remote Help settings for Pointsec Mobile.

Table 1-11 Remote Help Settings

Use webRH Select Yes to use End Point Security webRH instead of ordinary Remote Help to unlock or remove Pointsec Mobile from a device.

When Yes is selected

• The settings Import webRH profile and Encrypt shared secret become available.

• You cannot provide Remote Help to users via the Pointsec Administration Console.

Import webRH profile If Use webRH is set to Yes, you must import a webRH profile.

To import a webRH profile:

1. Select Import webRH profile and click ... . The Import webRH profile window opens:

2. Click Open. Browse to and select the webRH profile you want to use. The name of the selected file is displayed in the File name field.

3. In the Password field, enter the profile’s password. This password was set when the profile was created in End Point Security webRH.

4. Click OK. The webRH profile is imported.

To remove a webRH profile:

Click Clear profile. The webRH profile is removed from the dialog.


Encrypt shared secret When you use End Point Security webRH to supply help to users of Pointsec Mobile, a shared secret is used to convey encrypted information. Select Yes if you want the shared secret included in your profile to be encrypted.

If you choose to encrypt the shared secret, you are asked to set a password for the shared secret when you save the profile. The user must enter this password on the device when first deploying the profile, and when deploying an update profile where the shared secret in the webRH profile has been modified.

Note - The shared secret password you set when you save the profile is called profile password on the device. See “Configuring Pointsec Mobile on Devices” on page 56 to see the prompt for this password on the device.

If you select Yes here, you must ensure that all users who deploy the profile on their devices know the password.

Silent Uninstall Select Yes here if you want to enable the administrator to initiate an automatic removal of Pointsec Mobile from devices without performing a Remote Help challenge/response procedure.

This setting is relevant only if you use a device management (DM) tool that is integrated with Pointsec Mobile. Contact your Check Point representative for information on integrated DM systems.

Tip - We recommend that you select No, the default setting, unless you will be using the remote removal function.

Enable Remote Help direct dial Select Yes to enable a user to tap just one button to call the helpdesk for Remote Help from a locked out device.

Remote Help direct dial number Enter the number to the helpdesk that provides Remote Help.

Tip - Always include the country code when entering this number to ensure Remote Help direct dial is available when the user is abroad.


Managing Screen Lock Inhibit Applications

You can use the Screen lock inhibit application setting to define applications which inhibit screen lock Timeout 1. When such an application is running in the foreground on the device, Timeout 1 is disregarded. Instead, Timeout 2 determines when the device should be locked.

This is useful for applications which are used mainly for viewing information on the screen without interacting with the device, such as GPS.

Adding a Screen Lock Inhibit Application

To add a Screen lock inhibit application:

1. In Pointsec Administration Console, under Pointsec Mobile Pocket PC, select Create Installation Set.

2. In the Properties window, select Screen lock inhibit applications and click ... .

The Manage Screen Lock Inhibit Applications dialog box opens, for example:

3. Enter the full path and file name of the application that will inhibit triggering of screen lock at the time when Timeout 1 usually takes effect.

Example: \Program Files\Company\app.exe

Note - To make the path to \Program Files\ valid regardless of what language is used, type %PROGRAM FILES%\ instead of \Program Files\ when you specify the path.


4. Click Add. The path is added to the list of screen lock inhibit applications, for example:

5. Click OK.

The new setting is used in the profile you are editing, and the window is closed.
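Screen lock behaviour depends on three things at once: the lock Type, the two timeouts from Table 1-6, and whether the foreground executable matches an entry in the inhibit list once the %PROGRAM FILES% placeholder has been resolved for the device's language. The Python below is an added example, not code from the guide or from Pointsec Mobile, that puts those rules in one place; ScreenLockPolicy, should_lock and resolve_device_path are the example's own names, the \Windows\wordpad.exe executable and the localized folder name \Programme are constructed sample values, and \Program Files\Company\app.exe is the path from the example above. The same placeholder handling applies to Trusted applications paths in Table 1-8.

```python
from dataclasses import dataclass

PROGRAM_FILES_PLACEHOLDER = "%PROGRAM FILES%"   # placeholder documented in the guide


def resolve_device_path(path: str, program_files_dir: str = r"\Program Files") -> str:
    """Expand %PROGRAM FILES% against the folder the device actually uses
    (localized ROMs name it differently) and normalize for comparison:
    Pocket PC paths are case-insensitive and backslash-separated."""
    if path.upper().startswith(PROGRAM_FILES_PLACEHOLDER):
        path = program_files_dir + path[len(PROGRAM_FILES_PLACEHOLDER):]
    return path.lower().rstrip("\\")


@dataclass(frozen=True)
class ScreenLockPolicy:
    """Table 1-6 settings: Type, Timeout 1, Timeout 2 and the inhibit list."""
    lock_type: str                          # "None", "Basic" or "Escalated"
    timeout1_min: int                       # Timeout 1 (min)
    timeout2_min: int                       # Timeout 2 (min)
    inhibit_apps: frozenset = frozenset()   # full paths, may use %PROGRAM FILES%

    def __post_init__(self):
        if self.lock_type not in ("None", "Basic", "Escalated"):
            raise ValueError("Type must be None, Basic or Escalated")
        # Timeout 1 is at least 1 and less than Timeout 2; Timeout 2 is at most 240.
        if not 1 <= self.timeout1_min < self.timeout2_min <= 240:
            raise ValueError("require 1 <= Timeout 1 < Timeout 2 <= 240 minutes")
        for app in self.inhibit_apps:
            if not (app.startswith("\\") or app.upper().startswith(PROGRAM_FILES_PLACEHOLDER)):
                raise ValueError(f"use the full path for inhibit applications: {app}")


def is_inhibit_app(policy: ScreenLockPolicy, foreground_exe: str,
                   program_files_dir: str = r"\Program Files") -> bool:
    """True when the foreground executable is on the inhibit list for this device."""
    fg = resolve_device_path(foreground_exe, program_files_dir)
    return any(resolve_device_path(app, program_files_dir) == fg for app in policy.inhibit_apps)


def effective_timeout_min(policy: ScreenLockPolicy, foreground_exe: str,
                          program_files_dir: str = r"\Program Files") -> int:
    """Timeout 1 normally; Timeout 2 while an inhibit application is in the foreground."""
    if is_inhibit_app(policy, foreground_exe, program_files_dir):
        return policy.timeout2_min
    return policy.timeout1_min


def should_lock(policy: ScreenLockPolicy, idle_minutes: int, foreground_exe: str,
                program_files_dir: str = r"\Program Files") -> bool:
    """Does Pointsec Mobile lock the device after `idle_minutes` of inactivity?"""
    if policy.lock_type == "None":
        return False   # only manual screen locking remains
    return idle_minutes >= effective_timeout_min(policy, foreground_exe, program_files_dir)


def closes_activesync_on_lock(policy: ScreenLockPolicy) -> bool:
    """Only the Escalated type drops the ActiveSync connection when the lock engages."""
    return policy.lock_type == "Escalated"


if __name__ == "__main__":
    # Constructed profile: lock after 5 idle minutes, or after 30 while the GPS app is up.
    policy = ScreenLockPolicy("Escalated", 5, 30, frozenset({r"%PROGRAM FILES%\Company\app.exe"}))
    for idle, exe in ((5, r"\Windows\wordpad.exe"), (5, r"\Program Files\Company\app.exe"),
                      (30, r"\Program Files\Company\app.exe")):
        print(f"idle {idle:>2} min, foreground {exe}: lock={should_lock(policy, idle, exe)}")
```

Note that an inhibit entry written with %PROGRAM FILES% only matches on a localized device when the comparison is made against that device's real folder name, which is the point of the Note under step 3 above; an entry written as \Program Files\... would silently fail to match there and Timeout 1 would apply.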

Deleting a Screen Lock Inhibit Application

To delete a Screen Lock Inhibit Application from the list:

1. In Pointsec Administration Console, under Pointsec Mobile Pocket PC, select Create Installation Set.

2. In the Properties window, select Screen lock inhibit applications and click ... .

The Manage Screen Lock Inhibit Applications dialog box opens, for example:


3. Select the application you want to remove, and click Delete.

The application is removed from the list.

4. To close the window, click OK.

Chapter 2 Working With Lists

In This Chapter

Terms page 35

Exclusion List Versus Inclusion List page 38

Examples of Inclusion and Exclusion List Interaction page 40

Accessing Lists page 43

Predefined Set Lists for Devices page 45

Viewing Items on the Relaxed, Typical, and Strict Lists page 46

Editing Device Inclusion and Exclusion Lists page 47

Editing Removable Media Inclusion and Exclusion Lists page 49

Inclusion and exclusion lists define what information to encrypt and what not to encrypt on Pointsec Mobile-protected devices and removable media.

Terms

The following are the terms you need to know to work with inclusion and exclusion lists:

Inclusion list – Pointsec Mobile encrypts information of the types which you place on the inclusion list. There are separate inclusion lists for the device and removable media.


Figure 2-1 Device Inclusion List

Figure 2-2 Removable Media Inclusion List

Exclusion list – Pointsec Mobile does not encrypt information of the types which you place on the exclusion list. There are separate exclusion lists for the device and removable media.


Figure 2-3 Device Exclusion List

Figure 2-4 Removable Media Exclusion List

Gray text information types – Pointsec Mobile places the items that appear in gray text on the correct list to ensure Pointsec Mobile operates as it should. You cannot edit or remove gray text items.

Black text information types – The items that appear in black text are editable and removable.

Information types on the lists are identified by:

• File name – for example, you can specify that the file \My Directory\my_super_secrets.txt must be encrypted by placing it on the inclusion list.


• Folder – for example, you can place the \My Directory directory on the inclusion list and the information stored there is encrypted.

• Extension – for example, you can place all files with the extension .dll on the exclusion list so that programs do not stop working because someone encrypts a vital .dll needed by a program running on the device.

Exclusion List Versus Inclusion List

In most situations, Pointsec Mobile encrypts information if it is on the inclusion list and is not on the exclusion list.

Note - Always use the full path when placing file names and folders on the inclusion and exclusion lists.

The following table shows how the lists interact. Each group below is one row of the table (the kind of item on the inclusion list); the bullets are its columns (the kind of item on the exclusion list).

Table 2-1 Inclusion and Exclusion List Interaction

File name on the inclusion list

• File name on the exclusion list: Pointsec Mobile does not allow you to add the same file name to both the inclusion list and the exclusion list.

• Folder on the exclusion list: The contents of the folder are excluded, i.e. not encrypted, except for the specifically named file in the inclusion list. See “Folder on exclusion list, file name on inclusion list”.

• Extension on the exclusion list: The files using the specified extension are excluded, i.e. not encrypted. However, a specifically named file in the inclusion list is encrypted even if it uses the excluded extension. See “Extension on exclusion list, file name on inclusion list”.

Folder on the inclusion list

• File name on the exclusion list: If a specifically named file is in the included directory, the file is excluded, i.e. not encrypted. The rest of the contents of the included folder are encrypted. See “File name on exclusion list, folder on inclusion list”.

• Folder on the exclusion list: Pointsec Mobile does not allow you to add the same folder to both the inclusion list and the exclusion list. Subdirectories in a given folder can be placed on different lists. See “Subdirectories of a single folder placed on exclusion and inclusion lists”.

• Extension on the exclusion list: Any files in the included folder that use the specified extension are excluded, i.e. not encrypted. The rest of the contents of the included folder are encrypted. See “Extension on exclusion list, folder on inclusion list”.

Extension on the inclusion list

• File name on the exclusion list: The specifically named file is not encrypted. Other files with the same extension are encrypted. Extensions on the inclusion list have the lowest priority. The only time an extension on the inclusion list has any effect is when there is nothing related to it on the exclusion list. See “File name on exclusion list, extension on inclusion list”.

• Folder on the exclusion list: The folder contents are not encrypted. See “Folder on exclusion list, extension on inclusion list”.

• Extension on the exclusion list: Pointsec Mobile does not allow you to add the same extension to both the inclusion list and the exclusion list.

Examples of Inclusion and Exclusion List Interaction

Folder on exclusion list, file name on inclusion list

You place the folder \My Documents on the exclusion list. The folder contains the files

• public_information.pdf

• non_sensitive_information.pdf

• my_super_secrets.pdf

You place the file my_super_secrets.pdf on the inclusion list.

Result: The document my_super_secrets.pdf is the only file in the folder that is encrypted. The rest of the contents of \My Documents are unencrypted.

Extension on exclusion list, file name on inclusion list

You place the extension .pdf on the exclusion list, and you place the file named my_super_secrets.pdf on the inclusion list.

Result: All files with the extension .pdf are not encrypted, except for the specifically named file my_super_secrets.pdf, which is encrypted.

File name on exclusion list, folder on inclusion list

You place the folder \My Documents on the inclusion list. The folder contains the files

• public_information.pdf

• non_sensitive_information.pdf

• my_super_secrets.pdf

You place the files named public_information.pdf and non_sensitive_information.pdf on the exclusion list.

Result: The files named public_information.pdf and non_sensitive_information.pdf are not encrypted. The remaining file in \My Documents, namely my_super_secrets.pdf, is encrypted.

Subdirectories of a single folder placed on exclusion and inclusion lists

The folder \My Documents contains subfolders named

• \My Documents\My secret documents

You cannot place the folder \My Documents on the exclusion and inclusion lists at the same time; however, you can

• Place the subfolder \My Documents\My secret documents on the inclusion list to encrypt its contents.

• Place the folder \My Documents on the exclusion list to leave the contents unencrypted.


Extension on exclusion list, folder on inclusion list

The folder \My Documents contains files with the following extensions:

• .pdf

• .txt

• .doc

You place the extension .txt on the exclusion list, and the folder \My Documents on the inclusion list.

Result: All files in \My Documents with extension .txt are not encrypted. All other contents of \My Documents are encrypted.

File name on exclusion list, extension on inclusion list

You have three files:

• public_information.pdf

• non_sensitive_information.pdf

• my_super_secrets.pdf

You place the file name public_information.pdf on the exclusion list, and you place the extension .pdf on the inclusion list.

Result: The file public_information.pdf is not encrypted. The other .pdf files are encrypted.

Folder on exclusion list, extension on inclusion list

The folder \My Directory contains files with extensions

• .wav

• .dll

• .pdf

You place the folder \My Directory on the exclusion list, and you place the extension .dll on the inclusion list.

Result: None of the contents of \My Directory is encrypted. This means that files with the extension .dll in \My Directory are not encrypted, even though .dll is on the inclusion list. This is to ensure that putting an extension on the inclusion list does not have a detrimental effect on applications.
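The worked examples above describe how the entry types interact, but not as a single rule set. The following Python model is an added example, not Pointsec Mobile's own code: its precedence rules (file name beats everything; an exclusion beats an inclusion of a different kind; between folders, the more specific one wins; a file on no list is left unencrypted) are an assumption reconstructed from the six documented examples, and the EncryptionLists, is_encrypted and audit names are hypothetical. Paths are Windows-style and compared case-insensitively; variables such as %PROGRAM FILES% are not expanded. Running the model over the file names in a profile before deploying it is a cheap way to check that a sensitive file is not accidentally left in the clear by an exclusion entry.

```python
"""Model of how inclusion and exclusion list entries interact.

Added example, not Pointsec Mobile's own code. The precedence rules are
an assumption reconstructed from the documented examples. Paths are
Windows-style (backslash separated) and compared case-insensitively;
variables such as %PROGRAM FILES% are not expanded.
"""
import ntpath
from dataclasses import dataclass, field


@dataclass
class EncryptionLists:
    """Inclusion and exclusion list entries, split by entry type (hypothetical name)."""
    include_files: set = field(default_factory=set)
    include_folders: set = field(default_factory=set)
    include_extensions: set = field(default_factory=set)
    exclude_files: set = field(default_factory=set)
    exclude_folders: set = field(default_factory=set)
    exclude_extensions: set = field(default_factory=set)


def _norm(entry: str) -> str:
    """Lower-case an entry and drop a trailing backslash (the root "\\" becomes "")."""
    return entry.lower().rstrip("\\")


def _file_listed(path: str, files: set) -> bool:
    """A file entry matches either the full path or the bare file name."""
    listed = {_norm(f) for f in files}
    return path in listed or ntpath.basename(path) in listed


def _deepest_folder(path: str, folders: set) -> int:
    """Depth of the most specific listed folder containing path, or -1 if none.

    The root "\\" normalises to "" (depth 0) and therefore contains every path;
    "\\My Documents\\My secret documents" has depth 2.
    """
    depth = -1
    for folder in folders:
        f = _norm(folder)
        if path.startswith(f + "\\"):
            depth = max(depth, f.count("\\"))
    return depth


def is_encrypted(path: str, lists: EncryptionLists) -> bool:
    """Decide whether a file would be encrypted under the given lists.

    Precedence (assumed from the documented examples):
      1. A file name entry wins over everything else.
      2. An exclusion wins a conflict with an inclusion of a different kind
         (extension exclusion vs folder inclusion, folder exclusion vs
         extension inclusion).
      3. Between two folder entries, the more specific folder wins.
      4. Otherwise a matching extension entry decides; a file on no list is
         assumed to be left unencrypted.
    """
    path = path.lower()
    ext = ntpath.splitext(path)[1]
    if _file_listed(path, lists.exclude_files):
        return False
    if _file_listed(path, lists.include_files):
        return True
    if ext in {e.lower() for e in lists.exclude_extensions}:
        return False  # extension exclusion beats a folder inclusion
    inc_depth = _deepest_folder(path, lists.include_folders)
    exc_depth = _deepest_folder(path, lists.exclude_folders)
    if exc_depth >= 0 and inc_depth <= exc_depth:
        return False  # folder exclusion beats an extension inclusion or a less specific folder
    if inc_depth >= 0:
        return True
    return ext in {e.lower() for e in lists.include_extensions}


def audit(paths, lists: EncryptionLists) -> dict:
    """Map each path to its encryption decision, for reviewing a profile before deployment."""
    return {p: is_encrypted(p, lists) for p in paths}


if __name__ == "__main__":
    # Constructed sample: folder on exclusion list, extension on inclusion list.
    sample = EncryptionLists(exclude_folders={r"\My Directory"}, include_extensions={".dll"})
    for p, enc in audit([r"\My Directory\lib.dll", r"\Other\lib.dll"], sample).items():
        print(f"{p}: {'encrypted' if enc else 'not encrypted'}")
```

The audit function is the practical entry point: feed it the paths you expect to find on a device and compare the result with what the profile is meant to protect. The root folder entry "\" used by the Typical and Strict predefined sets is handled by the depth rule, so "\temp\" on the exclusion list correctly overrides it.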


Accessing Lists

You access inclusion and exclusion lists on the Create Installation Set property sheet or the Update Profile property sheet.

• The inclusion and exclusion lists for the device are located under the heading Encryption.

• The inclusion and exclusion lists for removable media are located under the heading Removable Media Encryption.

Accessing the Device Inclusion List

To access the device inclusion list:

1. In Pointsec Administration Console, under Pointsec Mobile Pocket PC, select Create Installation Set.

2. In the Properties window, set Show advanced settings to Yes, and under the heading Encryption, select Inclusion list and click ... .

The Manage Inclusion List dialog box opens, for example:

The Manage Inclusion List dialog box contains tabs on which you can add file extensions, folders and file names to the list of what Pointsec Mobile encrypts on a device.


Accessing the Device Exclusion List

To access the device exclusion list:

1. In Pointsec Administration Console, under Pointsec Mobile Pocket PC, select Create Installation Set.

2. In the Properties window, set Show advanced settings to Yes, and under the heading Encryption, select Exclusion list and click ... .

The Manage Exclusion List dialog box opens, for example:

The Manage Exclusion List dialog box contains tabs on which you can add file extensions, folders and file names to the list of what Pointsec Mobile does not encrypt on a device.

Accessing Removable Media Inclusion and Exclusion Lists

You access inclusion and exclusion lists for removable media on the Create Installation Set property sheet or the Update Profile property sheet under the heading Removable Media.

To access the removable media inclusion or exclusion list:

1. In Pointsec Administration Console, under Pointsec Mobile, select Create Installation Set.

2. In the Properties window, set Show advanced settings to Yes, and select Removable Media Encryption: Inclusion/Exclusion list.


3. Click ... .

The Inclusion/Exclusion Lists dialog box opens:

4. Click the Inclusion List tab to access the inclusion list, or click the Exclusion List tab to access the exclusion list.

Predefined Set Lists for Devices

A quick way of implementing encryption settings on the device is to use a predefined list. There are three lists from which to choose: Relaxed, Typical, and Strict. Each list contains the same set of default items, plus other items that differentiate them. See “Viewing Items on the Relaxed, Typical, and Strict Lists” on page 46 for instructions on how to view these lists.

Relaxed

Choose this predefined set to achieve maximum compatibility with third-party applications that, for example, might modify files when Pointsec Mobile is locked. In addition to the default set of items, this list contains the following:

Include: Folder %MY DOCUMENTS%\

Typical

Choose this predefined set to achieve a good balance between security and interoperability with third party applications. In addition to the default set of items, this list contains the following:


Include: Folder “\”

Exclude: Folder “%PROGRAM FILES%\”

Exclude: Folder “\temp\”

Exclude: Folder “\Application Data\”

Strict

Choose this predefined set to maximize security at the cost of lower interoperability with third party applications. In addition to the default set of items, this list contains the following:

Include: Folder “\”

You can view the contents of the lists in the Pointsec Administration Console.

Viewing Items on the Relaxed, Typical, and Strict Lists

To view the items on the relaxed, typical and strict lists:

1. In Pointsec Administration Console, under Pointsec Mobile, select Create Installation Set.

2. In the Properties window, set Show advanced settings to Yes.

3. Under Encryption, select the list you want to view (Inclusion list or Exclusion list), and click ... to open the Inclusion or Exclusion List dialog box.

4. Select the Predefined Sets tab, and select the list (Relaxed, Typical, or Strict) you want to view by clicking the radio button next to the list name.

5. Click Cancel to return to the Pointsec Administration Console.

Note - Information types listed in gray cannot be removed from a list.

%Program Files% is a variable used to make your lists work on all devices, regardless of language.


Editing Device Inclusion and Exclusion Lists

You can add to, delete from, and reset lists.

Adding to Device Lists

You use the extension, folder and file tabs to add information to the inclusion and exclusion lists.

To add to a device list:

1. Open the list you want to add to and click the tab you want to work on:

– To add an extension, click the Extension tab. In the extension field, enter the extension and click Add. Pointsec Mobile adds the extension to the list.

– To add a folder to a list, click on the Folder tab. In the folder field, enter the name of the folder and click Add. Pointsec Mobile adds the folder to the list.

– To add a file to a list, click on the File tab. In the file field, enter the name of the file and click Add. Pointsec Mobile adds the file to the list.

Deleting from Device Lists

The delete option is available for both inclusion and exclusion lists.

To delete from a device list:

Open the list, select the information type and click Delete.

Note - When you create a new profile, all third-party products that Pointsec Mobile supports are automatically included in the appropriate device inclusion/exclusion lists to allow Pointsec Mobile and the third-party software to function together without additional configuration.

If you load an existing profile, you must add these applications manually to the inclusion or exclusion lists as needed.

Note - Certain types of information cannot be deleted from lists. This information, displayed in gray text, must be safeguarded so that it is either always encrypted or never encrypted. For example, the Windows folder is always excluded from encryption because encrypting files there could cause problems on a Pocket PC device. However, the Messaging folder in the Windows folder is always encrypted as it usually contains sensitive information.

Resetting Device Lists

You can use predefined lists to reset inclusion and exclusion lists. For more information on list contents, see “Predefined Set Lists for Devices” on page 45.

To reset a device list:

1. On the Predefined Sets tab:

2. Select one of the settings: Relaxed, Typical or Strict.

3. Click Apply. You are warned that this will reset both the inclusion and exclusion lists to the selected set:

4. Click OK to apply the list.


Editing Removable Media Inclusion and Exclusion Lists

You can add to and delete from removable media lists, as well as add default values.

Adding to Removable Media Lists

You use the extension, folder, and file tabs to add information to the inclusion and exclusion lists.

To add to a list:

1. Open the list you want to add to and click the Add button. The following dialog box opens:

2. In the Value field, enter the name of the information. For example, \My Directory\my_super_secrets.txt, or .dll.

3. Select the information type that corresponds to the information name you entered in step 2. For example, select Folder for \My Directory, File for \My Documents\my_super_secrets.txt, and Extension for .dll.

4. Click OK.

The information is added to the list.

5. Repeat this procedure for each information item you want to add to the list.

Note - Enter the path relative to the root of the removable media, not that of the device.

Note - When you load a profile from an earlier Pointsec Mobile version, you should always add the default values by clicking the Add Defaults button on the removable media inclusion and exclusion lists. This ensures that your profile has the default values contained in the old profile, plus any new defaults that may have been added, for example, to support new third-party applications.

Deleting from Removable Media Lists

The delete option is available for both inclusion and exclusion lists.

To delete from a removable media list:

Open the list, select the information and click Remove.

Note - Information in gray text cannot be deleted from lists. This information must be safeguarded so that it is either always encrypted or never encrypted.


Chapter 3 Deploying Pointsec Mobile

Pointsec Mobile directly supports the following methods of deploying and updating security on Pocket PC devices:

• Manual Deployment: This is the deployment method described in this guide. See “Overview of Pointsec Mobile Deployment” on page 52.

• 3rd-party distribution software: The ability to use 3rd-party distribution software depends upon the capabilities of the software and is not covered in this manual. Consult the documentation provided with the software.

In This Chapter

About Security Software on Devices page 52

Overview of Pointsec Mobile Deployment page 52

Creating Installation Sets page 52

Before Installing Pointsec Mobile on Devices page 54

Installing Pointsec Mobile on Devices page 55

Configuring Pointsec Mobile on Devices page 56

Transferring the Recovery File from a Device page 56

Update Profiles for Pointsec Mobile page 60

Upgrading Pointsec Mobile Software page 62


About Security Software on Devices

Pointsec Mobile takes control of the device’s startup process and disables any other Pocket PC password application. Therefore, you must disable Microsoft’s password functionality, if activated.

Overview of Pointsec Mobile Deployment

Deploying Pointsec Mobile on Pocket PC devices within an organization can be divided into the following steps:

• Creating and saving an installation set that contains the pointsec_mobile_PPC_<x.x.x>_<yy>.cab file and the installation profile containing the security settings to be deployed to the device. See “Creating Installation Sets” on page 52.

• Transferring the installation profile and the pointsec_mobile_PPC_<x.x.x>_<yy>.cab file to the device. See “Before Installing Pointsec Mobile on Devices” on page 54.

• Configuring Pointsec Mobile settings on the device, see “Configuring Pointsec Mobile on Devices” on page 56.

Creating Installation Sets

An installation set contains the software and security profile needed to install Pointsec Mobile on a Pocket PC device.

Note - Pointsec Mobile may not be interoperable with third-party security applications that provide file encryption or screen lock functionality.

Note - To deploy Pointsec Mobile in a language other than English, you must install the appropriate language package on the workstation where you installed Pointsec Mobile before you create an installation set. For instructions on installing a language package, see the Pointsec Mobile Pocket PC Installation Guide.

To create an installation set:

1. On a secure workstation, create a directory in which to store the installation set.

2. In Pointsec Administration Console, under Pointsec Mobile Pocket PC, select Create Installation Set:

3. Configure the security settings you want to deploy on the Pocket PC devices in your organization. See chapter 1, “Overview of Pointsec Mobile” on page 9 for details on the settings available.

4. Click the Create Installation Set button. Browse to the directory you created in step 1 and click OK:

5. If you set the option Encrypt shared secret to Yes, you are prompted to set a password for the shared secret and confirm it.

6. Click OK.

Pointsec Administration Console creates the installation set.

7. Click OK.

To see what has been created, browse to and open the directory in Windows Explorer that contains the installation set, for example:

– InstProf.ppp

– pointsec_mobile_PPC_x.x.x_en.cab

– pointsec_mobile_PPC_x.x.x_ja.cab

You are now ready to install Pointsec Mobile on a device.


Naming Convention for the .cab File

The .cab files available in the installation set depend upon which Pointsec Mobile language package(s) you installed on your workstation. For more information, see the Pointsec Mobile Pocket PC Installation Guide.

In the .cab file name, ‘yy’ denotes the language in which Pointsec Mobile will be installed. For example, in the English version of the files, ‘yy’ is replaced with ‘en’, and in the Japanese version, ‘yy’ is replaced with ‘ja’.

Deploying Multiple Files Simultaneously

If you are sending out several files simultaneously, including Pointsec Mobile files, to be installed on a device, you may need to configure Pointsec Mobile so that additional time is allowed before soft resetting the device during the installation.

To configure soft reset delay on devices:

1. Before installing Pointsec Mobile, create the key HKEY_LOCAL_MACHINE\Software\Pointsec Mobile Tech\Pointsec on the device.

2. In this key, create one or more of the DWORD values below to customize the install reset behavior.

– InstallResetNotWnd - This window receives a notification message when Pointsec Mobile is installed.

– InstallResetNotMsg - This is the message that is sent. Default value = 0.

– InstallResetDelay - Specifies the time (seconds) that Pointsec Mobile waits before the device is reset during installation. Default value = 5. Maximum value = 30.

Before Installing Pointsec Mobile on Devices

After you create an installation set, you can install Pointsec Mobile on Pocket PC devices running Windows Mobile 5 or Windows Mobile 6.

Consider the following information before you begin to install Pointsec Mobile on devices.


• Always back up the information stored on your device before installing any program on it.

• We strongly recommend that you follow the instructions in this guide when installing Pointsec Mobile. If you do not, you may not be able to remove Pointsec Mobile from the device, receive Remote Help or perform recovery.

• Before you begin the installation on the device, ensure that the battery is sufficiently charged so that installation can be completed without interruption. Do not manually interrupt the installation in any way, for example, by performing a soft reset or removing the battery.

• If a large amount of information is stored in the My documents folder on the device, the initial encryption after installing Pointsec Mobile may take several minutes.

• You cannot cancel installation of Pointsec Mobile after it is started on the device.

• Pointsec Mobile may not be interoperable with third-party security applications that provide file encryption or screen lock functionality.

Installing Pointsec Mobile on Devices

To install Pointsec Mobile on a device:

1. Transfer the installation profile and the pointsec_mobile_PPC_<x.x.x>_<yy>.cab file to the device. For example, you can transfer the profile and the .cab file to the root directory.

2. Execute the .cab file.

The following screen is displayed on the device:

3. Save any work in progress, then tap OK.

Pointsec Mobile is now ready to be configured. See “Configuring Pointsec Mobile on Devices” on page 56.


For information on how to remove Pointsec Mobile from a device, see chapter 7, “Removing Pointsec Mobile from a Device” on page 111.

Configuring Pointsec Mobile on Devices

Before Pointsec Mobile can protect information on your device, you must complete its installation and configuration.

When Pointsec Mobile is installed on a device, it generates

• An encryption key used to protect your data.

• A recovery file, which you must upload from the device to a secure location that you can access from the Pointsec Administration Console when you provide Remote Help or remove Pointsec Mobile from the device.

To configure Pointsec Mobile on a device:

1. After Pointsec Mobile is installed on the device, tap OK.

If the shared secret included in the profile is password protected, the following screen opens:

Note - The shared secret password is the same as the profile password.

If the Enter profile password screen opens, your administrator has configured Endpoint Security webRH as the Remote Help method. The password requested here protects information conveyed when you receive Remote Help via SmartCenter webRH.

If you do not know the password, please contact your Pointsec Mobile administrator.


2. Enter the profile password and tap OK.

The PIN/PicturePIN/password keypad screen opens:

3. Enter the following information:

Table 3-1 PicturePIN Information

Type: Select the type of PicturePIN or password to be used when being authenticated by Pointsec Mobile. The options available depend on the settings in the profile. See chapter 1, “Overview of Pointsec Mobile” on page 14 for more information on profile settings. See also Appendix A, “Pointsec Mobile Keypads”.

PIN: Enter the PIN/PicturePIN/password you want to use and tap OK to move to the next field. Remember the PIN/PicturePIN/password you specify. Pictures and numbers may be shuffled.

Confirm: Re-enter the PIN/PicturePIN/password you want to use.

After you have specified the PIN/PicturePIN/password, you must use it to access the device.


4. If the device has a Microsoft password, a message is displayed that tells you to deactivate it.

5. Click OK.

The following screen is displayed.

6. Clear the checkbox Prompt if device unused for to deactivate the Microsoft password, and click OK.

Pointsec Mobile transfers the recovery file to its proper location and encrypts the information on the device as specified in the profile.

Note - You cannot continue configuring Pointsec Mobile on the device until you deactivate the Microsoft password.

Note - The device is locked during the encryption process.


A message displays informing you that the device will restart. After restart, the Today screen opens, for example:

Pointsec Mobile is now installed on the device and the Pointsec Mobile icon is displayed in the bottom right corner.

Transferring the Recovery File from a Device

The recovery file must be transferred from the device to a secure network location in order for the administrator to provide Remote Help or remove Pointsec Mobile via the Pointsec Administration Console.

You can transfer the file either using standard synchronization tools or 3rd-party distribution tools.

If you intend to use Endpoint Security webRH to supply Remote Help or remove Pointsec Mobile, there is no need to transfer the recovery file.

To transfer the recovery file from the device to the PC:

1. Ensure that you have a functioning connection between the device and the PC.

2. Locate the <ID>.rec file on the device by browsing to Program files\Pointsec for Pocket PC. See “Recovery File Naming Convention” on page 106 for information on the naming convention for device recovery files.

Note - The directory Program files may have a different name depending upon the language used on the device, for example, Programme (German) and/or Program (Swedish).


3. Copy the <ID>.rec file from the device to a suitable folder on the secure network, for instance \Pointsec_Mobile\Recovery.

You can now supply Remote Help or assist device users in removing Pointsec Mobile.

Update Profiles for Pointsec Mobile

Whenever you need to update a security profile on a Pointsec Mobile-protected device, you can easily do so by editing the settings in the profile and then either

• Saving the update profile directly to the device in the \temp folder, or

• Saving the update profile directly to the device in the folder \Program Files\Pointsec for Pocket PC\Profiles.

About Update Profiles

The following sections explain how update profiles work.

Timestamps for Update Profiles

Pointsec Mobile will not accept an update profile that is older than the currently deployed profile, unless allowed by the Accept old update profiles setting.

To reuse an old profile, open the profile in Pointsec Administration Console, click Create Update Profile and save the profile.

Pointsec Administration Console updates the profile’s timestamp, and Pointsec Mobile accepts it as a new profile.

What Users Notice

Users notice that security has been updated on their devices if:

• Any PIN/PicturePIN/password properties have been made more strict.

• The device has been updated to use an authentication method or picture set other than the one currently deployed on the device.

• The Type user selectable option has been changed.

When such changes are made, Pointsec Mobile prompts users to change their device PIN/PicturePIN/passwords.

Note - Users are not prompted to change their removable media passwords. However, the next time the user selects a new password for the removable media or initiates encryption of the removable media, the new PIN/PicturePIN/password rules apply.

Users also notice if:

• The option Encrypt shared secret is set to Yes in the update profile, but not the old profile.

• The option Encrypt shared secret is set to Yes in the old profile and the update profile, and the shared secret included in the webRH profile has been changed in the update profile.

When such changes are made, users must enter the shared secret password, which is called the profile password on the device, before deploying the update profile.

Users also notice if the inclusion/exclusion lists have changed. Users must log in to Pointsec Mobile to implement the updated settings on the device. The device restarts automatically when the profile is deployed.

Note - You can only deploy update profiles created with the same version of Pointsec Mobile that is installed on the device. If you want to deploy a profile created with a newer or an older version, see “Upgrading Pointsec Mobile Software” on page 62.

Creating an Update Profile for Pointsec Mobile

To update the security profile:

1. In Pointsec Administration Console, select and double-click Create Update Profile.

2. Right-click Create Update Profile, then select Load Profile. The Open dialog box opens.

3. Browse to and open the profile. If the profile is password protected, you must enter the password before the profile is opened.

Pointsec Administration Console displays the profile settings.

Note - You cannot load a profile that was created in a version earlier than Pointsec for Pocket PC (Windows Mobile 5) 3.0.


4. Make the changes you require to the profile. See “Installation Set Settings” on page 9 for more information on the settings available. See “Upgrading Pointsec Mobile Software” on page 62 if you are changing the inclusion/exclusion lists in the profile.

5. Click the Save Update Profile button. The Save As dialog box opens:

6. Select a location, give the update profile a suitable name, and click Save.

7. If you have set the option Encrypt shared secret to Yes, you are prompted to set a password for the shared secret. Enter a password for the shared secret and confirm it. Click OK. Pointsec Administration Console saves the profile.

Note - Remember the password you set here. If the shared secret included in the Endpoint Security webRH profile was modified since the last update, the password must be entered on every device where this profile is deployed in order to install the profile.

Deploying Update Profiles

To deploy the update profile:

1. Save the update profile directly to the device in the \temp folder, or save it directly to the device in the folder \Program Files\Pointsec for Pocket PC\Profiles.

2. The new update profile is applied after the user’s next authentication.

If the inclusion/exclusion lists or encryption policy for removable media have been changed, the device restarts automatically after the profile is deployed.

Upgrading Pointsec Mobile Software

The following sections explain how to upgrade Pointsec Mobile software. This entails upgrading:

• Pointsec Mobile module (in Pointsec Administration Console)

• Pointsec Mobile software on devices.

Before Upgrading

Keep the following in mind when upgrading Pointsec Mobile:

• The 3.x series of Pointsec Mobile is designed for Windows Mobile 5 or later, whereas the 2.x series is designed for Windows Mobile 2003. Therefore, it is only possible to upgrade to this version from an earlier version of Pointsec Mobile in the 3.x series.

• It is not possible to downgrade the Pointsec Mobile plug-in. If you wish to use an older version, remove the installed version first, and then install the desired version. Please see the Pointsec Mobile Installation Guide for information on how to remove and install the software.

• If you are upgrading from a Pointsec for Pocket PC version that was released after September 19, 2006, that is, versions 3.1.0 through 3.1.3, as well as versions 3.2.0 and 3.2.1, all encrypted files are scanned for potential corruption and adjusted if necessary.

After upgrading from one of these versions, you must ensure that the new recovery file was transferred, as the old recovery file will no longer work for providing Remote Help or removing Pointsec Mobile. The creation date of the new recovery file should be the same as the date you installed the new release.

Upgrading Pointsec Mobile Software on Administrator Workstations

You start the software upgrade process by upgrading Pointsec Mobile module on the administrator’s workstation.

To upgrade the Pointsec Mobile module:

Upgrade your installation of the Pointsec Mobile module to the latest version. See the Pointsec Mobile Pocket PC Installation Guide for more information.

Upgrading Pointsec Mobile Software on Devices

The next and final step is to upgrade Pointsec Mobile software on devices. You can perform an upgrade on a device even if it is locked.

To upgrade Pointsec Mobile software on devices:

1. Using the Pointsec Mobile module, create and save a new installation set. See “Creating Installation Sets” on page 52 for more information.

2. From the installation set, copy the pointsec_mobile_PPC_<x.x.x>_<yy>.cab file to, for example, the root directory on the device.


3. Tap OK to install the software upgrade. A dialog informs you that the device will be soft-reset, which gives you a moment to save any current work. After the soft-reset, the upgrade is complete. Any new settings imposed by the upgrade are set at the default values of the new software. To change the new settings, you must create and deploy an update profile. For instructions, see “Update Profiles for Pointsec Mobile” on page 60.

Effective Removable Media Settings

When you upgrade to Pointsec Mobile Pocket PC 3.4 or later, the new removable media settings are not automatically deployed on the device. If you want to use the removable media settings available in the 3.4 release, you must create and deploy an update profile with the new settings after upgrading Pointsec Mobile on the device. For more information, see “Effective Removable Media Settings” on page 102.


Chapter 4 Pointsec Mobile for Users

After Pointsec Mobile is installed on a device, users can securely access and protect information stored on the device and change their PIN/PicturePIN/passwords.

In This Chapter

Placing Phone Calls When Pointsec Mobile is Locked page 66

Accessing Information on a Device page 69

Locking Pointsec Mobile page 71

Accessing Pointsec Properties page 73

Changing Your Device PIN/PicturePIN/Password page 74

Synchronizing the Device with a Workstation page 77

Removable Media page 78

Moving Removable Media Between Devices page 93

Note - Online help for Pointsec Mobile users is installed on a Pocket PC device when Pointsec Mobile is installed.

To access the online help, on the Today screen, tap Start and Help. Tap Contents, and select Help for Added Programs followed by Pointsec Mobile Pocket PC from the list of online help topics.


Placing Phone Calls When Pointsec Mobile is Locked

When Pointsec Mobile is locked and the authentication screen or Remote Help challenge screen is shown, you can still place and receive phone calls as usual. However, you will notice a few differences:

When Pointsec Mobile is locked, the following phone buttons are disabled:

• Speed dial

• Note

• Menu

Depending on how Pointsec Mobile is configured:

• Contacts and Call History: these buttons may be disabled if the security profile deployed on the device does not allow users to access contacts and call history when the device is locked. See “Using Contacts and Call History when Pointsec Mobile Is Locked” on page 66.

• Incoming call information is displayed when Pointsec Mobile is locked. See “Incoming Calls” on page 68.

• You can call your Remote Help administrator by tapping just one button on the challenge screen. See “Calling Your Remote Help Administrator” on page 68.

To place or receive a phone call when Pointsec Mobile is locked:

Tap the green telephone button on the device. The authentication or Remote Help challenge screen is hidden, and the phone application is brought to the front. You can then make or receive phone calls as usual.

Using Contacts and Call History when Pointsec Mobile Is Locked

Depending on the Access Contacts and Call History setting and the model of your device, you may be able to access the contacts and call history stored on your device even if Pointsec Mobile is locked. See “Access Contacts and Call History” on page 12.

The Contacts and Call History buttons are visible but disabled if the Access Contacts and Call History setting is set to No.


Limitations

Regardless of the Access Contacts and Call History setting and the model of your device, there are some limitations as to when contacts and call history are available:

• After soft resetting the device, contacts and call history are not available until after the first authentication.

• When Pointsec Mobile is locked, only the phone numbers of the contact are accessible. No other contact information can be viewed or edited.

Accessing a Contact

When you access a contact while the device is locked, you will notice a different behavior than usual. This table shows what happens when you tap a contact in the list:

Table 4-1 Accessing a Contact

If the contact has one phone number only: The contact is called immediately. No page with contact information is displayed before the call is placed.

If the contact has two or more phone numbers: A page with all the phone numbers of the contact is displayed, allowing the user to select the appropriate number.


Incoming Calls

When configured to show incoming call information, Pointsec Mobile displays caller information (name and number) in a message on the device when a call is received, for example:

To answer an incoming call:

Tap Answer or press the green telephone button on the device. The authentication or Remote Help screen is hidden, and the phone application is brought to the front.

For more information, see “Show incoming call information” on page 12.

Calling Your Remote Help Administrator

When a user has exceeded the maximum number of authentication attempts on the device, Pointsec Mobile locks the device and displays the challenge screen, for example:


You can make and receive ordinary phone calls when this screen is shown, or call your Remote Help administrator by tapping the Remote Help Dial button.

To call the administrator directly from the challenge screen:

Tap the Remote Help Dial button. Your designated Remote Help phone number is dialed.

Accessing Information on a Device

After Pointsec Mobile has been installed and configured on your device, Pointsec Mobile prompts you to authenticate yourself whenever you start your device.

In the following example, you want to access your device. It is switched off and not in its cradle.

To access information on the device:

1. Switch the device on. The Pointsec Mobile information screen is displayed, for example:

2. Tap the screen.

Note - The Remote Help Dial button is available only if this option is enabled in the security profile deployed on your device. If it is not available, you can place an ordinary phone call to your Remote Help administrator.

Note - Even when you are not authenticated to Pointsec Mobile, you can make and receive telephone calls. See “Placing Phone Calls When Pointsec Mobile is Locked” on page 66 for more information.


Pointsec Mobile’s authentication screen opens:

3. Enter your PIN/PicturePIN/password and tap OK.

The Today screen is displayed, for example:

You now have access to your device. Whenever you access encrypted information, it is immediately and transparently decrypted. Whenever you write new information to the device, it is automatically and transparently encrypted.

Note - You must enter your full PIN/PicturePIN/password after switching your device on.

Note - If a large amount of information has been temporarily encrypted, it may take some time to access the device after you have authenticated yourself. For more information on temporary encryption, see “Temporary Encryption” on page 6.


Locking Pointsec Mobile

Pointsec Mobile has both device lock and key lock functions.

Activating Pointsec Mobile Security Lock

To protect the information on your device and removable media, you can lock the device instantly whenever necessary.

To lock your device:

1. Tap the Pointsec Mobile icon located in the lower right corner of the Today screen, for example:

2. Tap Lock.

Pointsec Mobile locks your device immediately. To regain access, enter your QuickPIN, PicturePIN or password.

Key-Locking Pointsec Mobile

The purpose of key lock, which may appear on the Today screen, is to prevent the keys and screen from being pressed inadvertently.

If key lock is already activated when Pointsec Mobile locks, then the Pointsec Mobile authentication screen is also key locked.


To lock and unlock device keys and screen:

1. You can lock the device keys and screen by tapping the Lock icon on the lower left of the Pointsec Mobile authentication screen:

2. To unlock the device keys and screen, tap the Unlock button:


3. Tap the Unlock button again to confirm:

The device keys and screen are now unlocked.

Accessing Pointsec Properties

Depending on how Pointsec Mobile is configured, you may be able to change some security settings, such as which authentication method is used. You access Pointsec Properties to make such changes.

To access Pointsec Properties:

Tap the Pointsec Mobile icon located in the lower right corner of the Today screen and tap Properties. Or, browse to Programs and tap Pointsec Mobile. The Properties screen opens:


The following information is displayed:

Table 4-2 Pointsec Properties

Set device PPIN (button): Tap this button to change the current device PIN/PicturePIN/password.

Info (button): Tap this button to display the license number and information that was set in the Check Point profile deployed on the device.

Cards (area): The Cards area displays information on the removable media attached to the device. Tap and hold removable media in the Cards field to perform the following tasks:

• Authenticate to removable media

• Set removable media PINs/PicturePINs/passwords

• Obtain Remote Help for removable media

• Apply current security policy to removable media

• Decrypt removable media

See chapter 5, “Managing Removable Media” on page 97 for more information.

Changing Your Device PIN/PicturePIN/Password

Pointsec Mobile replaces the ordinary Pocket PC security lock on the device, normally found under Settings on the Personal tab, with the Pointsec Mobile authentication screen that requires a PIN/PicturePIN/password to access the device.

To ensure a high level of security, you should change your PIN/PicturePIN/password often.

Note - Your administrator may have set a minimum length of time that must elapse before you can change your PIN/PicturePIN/password.


To change your device PIN/PicturePIN/password:

1. Tap the Pointsec Mobile icon located in the lower right corner of the Today screen and tap Properties.

The Properties screen opens.

2. Tap Set device PPIN.

(Alternatively, you can tap Settings > Personal > Lock and the Pointsec Mobile authentication screen shown in step 2 opens).

3. The Pointsec Mobile authentication screen opens.

4. Enter your current PIN/PicturePIN/password and tap OK.


The following screen opens:

5. To see the rules to which your new password must conform, tap the Rules button.

The rules displayed depend on how Pointsec Mobile is configured, for example:

6. After you read the rules, tap OK, and then tap the Type arrow.

7. Select a new method.

8. In the PIN field enter your new PIN/PicturePIN/password.

9. Tap OK to move to the Confirm field.

10. Re-enter your new PIN/PicturePIN/password to confirm it and tap OK.

Note - You may not always have access to alternative authentication methods. However, in this example, you are allowed to change the method used.


Pointsec Mobile changes your PIN/PicturePIN/password and returns you to the Properties screen.

Synchronizing the Device with a Workstation

Before synchronizing your device with your workstation, ensure they have an ActiveSync partnership.

In the following example, Pointsec Mobile is configured to require users to authenticate to the device before allowing synchronization with the workstation. See “Authenticate at ActiveSync” on page 17 for more information.

To synchronize the device:

1. Place the device in its cradle.

The Pointsec Mobile authentication screen opens.

2. Enter your PIN/PicturePIN/password and tap OK.

3. Pointsec Mobile allows the device to connect to and synchronize with the workstation.

Note - Keep the following in mind when you synchronize your device:

– If the device locks, the ActiveSync connection is broken. Unlock the device to re-establish the ActiveSync connection. (Note that if basic screen locking is configured in your profile, all connections the device has with a computer or network are kept open if the screen locks.)

– To cancel the synchronization and access the device, tap Cancel.

After Synchronizing

If an updated Pointsec Mobile profile has been transferred to your device, you may be notified of this after you turn your device off and on again after synchronizing. This happens if:

• Any PIN/PicturePIN/password properties were made more strict.

• The device was updated to use an authentication method or picture set other than the one currently deployed on the device.

• The Type user selectable option was changed.

When such changes are made, Pointsec Mobile prompts you to change your device PIN/PicturePINs/passwords.

Note - You are not prompted to change your removable media password. However, the next time you select a new password for the removable media, or initiate encryption of the removable media, the new PIN/PicturePIN/password rules will apply.

You will also notice if:

• The option Encrypt shared secret is set to Yes in the update profile, but not the old profile.

• The option Encrypt shared secret is set to Yes in the old profile and the update profile, and the shared secret included in the webRH profile was changed in the update profile.

When such changes are made, the user must enter the shared secret password, which is called the profile password on the device, before deploying the update profile.

Note - If you do not know the profile password, you must contact your Check Point administrator before you can access the device.

Removable Media

Removable media is a collective term for different types of removable storage devices, such as memory cards and other similar devices, used with Pocket PC devices. In this document, the term removable media is used as both singular and plural.

After Pointsec Mobile has encrypted removable media, it can be read only on Pointsec Mobile Pocket PC, Pointsec Mobile Smartphone, or on a PC running Pointsec Media Encryption (PME). For information on Pointsec Mobile and PME interoperability, see “Using Removable Media on Pointsec Mobile and Pointsec Media Encryption” on page 95.


Pointsec Mobile manages removable media on devices that have multiple removable media slots or an internal drive and a removable media slot. Each removable media is managed individually according to the removable media policy deployed on the device. For example, if the profile allows passwords to be set on removable media, then users can set a separate password for each removable media. Each password must conform to the password policy set in the profile deployed on the device.

Removable Media Basics

The administrator determines if and how removable media can be used on your device. The following table shows the different possibilities:

Table 4-3 Removable Media Configurations

Allowed or not allowed: If removable media is not allowed on your device, then you cannot use removable media on that device. Note - No information is given to the user; the removable media is simply not visible.

Enable Single Sign-On (SSO): When Single Sign-On (SSO) is enabled, you are authenticated automatically to the removable media when you authenticate to the device. See “Single Sign-On” on page 80. When you authenticate to removable media for the first time, an SSO entry is made in the removable media. You may want to delete entries made by devices you no longer use. For instructions, see “Editing SSO Entries on Removable Media” on page 90.

Enable Removable Media Password: A password separate from that of the device may be required to access the removable media. See “Password Protection for Removable Media” on page 81.

Encryption may be required, or encryption may be optional: See “Removable Media Encryption Policy” on page 81.

Note - If single sign-on (SSO) is disabled, then password protection is automatically enabled. If password protection is disabled, then SSO is automatically enabled.

Note - Pointsec Mobile’s removable media encryption is compatible with Microsoft’s “Encrypt files placed on storage cards” functionality.

This means that you can use Pointsec Mobile removable media encryption to encrypt a card that has Microsoft-encrypted files on it. This is useful, for example, when switching from Microsoft encryption to Pointsec Mobile encryption because files remain encrypted during the entire transition.

Using both Microsoft encryption and Pointsec Mobile’s removable media encryption causes the removable media to be readable only on the device on which it was encrypted.

Single Sign-On

The following table describes what happens when SSO is enabled for removable media. The information is presented under the assumption that the device is unlocked, that is, you are already authenticated to the device.

Table 4-4 What Happens When SSO is Enabled

You are accessing removable media for the first time on the device: When you insert the removable media, you are required to enter its password. You must enter the removable media password to allow the SSO function to register it. The next time you log on to your device, you are logged on automatically to the removable media.

You are accessing removable media that has been used before on the device: You are automatically authenticated to the removable media.

You are accessing new or newly formatted removable media: If the removable media password is disabled and you insert removable media, the SSO function registers it and the removable media becomes linked to that device. Other devices cannot access the encrypted information.

Password Protection for Removable Media

When password protection is enabled, you are required to enter the removable media password after you log on to the device:

• If removable media is already present in the device.

• Each time you insert removable media into the device.

The following is true when encryption is required and you cannot provide the password:

• You cannot create any new files that would normally be encrypted (files on the inclusion list).

• You can only read and write to files on the exclusion list (that is, unencrypted files).

Removable Media Encryption Policy

Administrators allow or prevent the use of non-encrypted removable media by implementing a removable media policy. For example, if the policy says that only encrypted removable media can be used, then information is always encrypted and cannot be read by an unprotected device, such as MP3 players and other devices.

The following table shows the different ways an administrator can deploy removable media encryption on your device and how you can expect your device to behave in each instance.

Table 4-5 Settings for Removable Media Encryption

Removable media encryption is disabled:

• You cannot encrypt any files on removable media.

• You can read already encrypted data on removable media if you are authenticated to it.

Removable media encryption is optional: After you select a PIN/PicturePIN/password for removable media or authenticate to removable media, a message displays informing you that Pointsec has found files that should be encrypted according to the inclusion/exclusion lists. You can:

• Tap OK to encrypt non-encrypted files on the inclusion list

• Tap Cancel to leave the files unencrypted

Removable media encryption is optional, with no query: After you select a PIN/PicturePIN/password or authenticate to removable media, you can choose to encrypt currently non-encrypted files on the inclusion list via Pointsec Properties. See “Accessing Removable Media Properties” on page 84. Any new files you place on the removable media are encrypted automatically according to the inclusion list.

Removable media encryption is required: After you select a PIN/PicturePIN/password for removable media or authenticate to removable media, a message displays informing you that Pointsec has found files that should be encrypted according to the inclusion/exclusion lists. You must encrypt non-encrypted files on the inclusion list before you are allowed to use the removable media. If you do not, the card is locked.
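Tables 4-3, 4-4 and 4-5 above, together with Table 4-8 later in this chapter, define what a device does when removable media is inserted: whether the card opens at all, and what then happens to files on the inclusion list. The combinations are easy to mis-predict, so the following Python model is added here as a worked example. It is not Pointsec Mobile or Check Point code; it only encodes the rules as this guide states them. The device IDs, the outcome strings, the encryption mode names and the step in which brand-new media on a password-enabled device must first be given a password are this example's own assumptions.

```python
# Added model of the removable media access rules in Tables 4-3, 4-4, 4-5 and
# 4-8 of this guide. It is not Pointsec Mobile code: the device IDs, the outcome
# strings, the encryption mode names and the "set a password first" step for
# brand-new media on a password-enabled device are this example's assumptions.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DevicePolicy:
    device_id: str                  # IMEI, ESN or device ID recorded in an SSO entry
    sso_enabled: bool
    password_enabled: bool
    encryption: str = "required"    # disabled | optional | optional_no_query | required

    def __post_init__(self):
        # Page rule: disabling SSO enables password protection and vice versa,
        # so a profile can never have both switched off at the same time.
        if not (self.sso_enabled or self.password_enabled):
            raise ValueError("SSO and password protection cannot both be disabled")


@dataclass
class Media:
    password: Optional[str] = None                  # None: no removable media password set
    sso_entries: set = field(default_factory=set)   # device IDs that registered an SSO entry


def insert_media(device: DevicePolicy, media: Media,
                 supplied_password: Optional[str] = None) -> str:
    """Authentication outcome when media is inserted into an already unlocked device."""
    # Table 4-4: media used before on this device is opened automatically.
    if device.sso_enabled and device.device_id in media.sso_entries:
        return "authenticated"
    # Table 4-4, first row: media with a password requires it on first use; a
    # correct password lets the SSO function register this device for next time.
    if media.password is not None:
        if supplied_password != media.password:
            return "denied"
        if device.sso_enabled:
            media.sso_entries.add(device.device_id)
        return "authenticated"
    # Table 4-4, last row: new media on a device with the password disabled is
    # registered by SSO and thereby linked to this device.
    if not media.sso_entries and device.sso_enabled and not device.password_enabled:
        media.sso_entries.add(device.device_id)
        return "linked"
    # Table 4-8: a second device finds neither an SSO entry nor a password entry.
    if media.sso_entries:
        return "denied"
    # Assumption: brand-new media on a password-enabled device is usable only
    # after the user selects a removable media PIN/PicturePIN/password.
    return "set_password_required"


def apply_encryption_setting(device: DevicePolicy, unencrypted_inclusion_files: bool,
                             user_taps_ok: bool = True) -> str:
    """What happens right after authentication, following Table 4-5."""
    mode = device.encryption
    if mode == "disabled":
        return "nothing_encrypted"          # already encrypted data stays readable
    if not unencrypted_inclusion_files:
        return "nothing_to_do"
    if mode == "optional":
        return "files_encrypted" if user_taps_ok else "files_left_unencrypted"
    if mode == "optional_no_query":
        return "encrypt_via_properties"     # only new files are encrypted automatically
    if mode == "required":
        return "files_encrypted" if user_taps_ok else "card_locked"
    raise ValueError(f"unknown encryption mode {mode!r}")


def scenario_table_4_8():
    """Newly formatted media linked to device A is refused by device B."""
    device_a = DevicePolicy("IMEI-A", sso_enabled=True, password_enabled=False)
    device_b = DevicePolicy("IMEI-B", sso_enabled=True, password_enabled=False)
    card = Media()                           # constructed: no password, no SSO entries
    first = insert_media(device_a, card)     # "linked"
    again = insert_media(device_a, card)     # "authenticated"
    other = insert_media(device_b, card)     # "denied"
    return first, again, other


if __name__ == "__main__":
    print(scenario_table_4_8())
```

The model makes the practical consequence of the last row of Table 4-4 visible: a card encrypted on a device whose profile has the removable media password disabled carries no password entry, so the only way any other device can ever open it is through an SSO entry, which it does not have. A user who expects to carry such a card to a second device needs a profile with the password enabled before the card is first encrypted.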


Protecting Information on Removable Media

The files that are encrypted on removable media depend upon which paths and filenames are listed in the inclusion/exclusion lists in Pointsec Mobile. Items listed in the inclusion list are encrypted, while items listed in the exclusion list remain unencrypted.

Pointsec Mobile immediately detects whenever you insert removable media into a Pointsec Mobile-protected device and, depending on the policy deployed on the device, prompts you to specify how the removable media should be managed.

In the following example, the encryption policy Encryption Required is deployed on the device, and Enable Removable Media Password is set to Yes.

To encrypt removable media:

1. Insert the removable media into the device.

2. Enter the removable media PIN/PicturePIN/password and tap OK.

The following dialog box displays:

3. Tap OK to encrypt the removable media according to the inclusion/exclusion list.

The files are encrypted in the background. The device may operate somewhat slower during this process. A message then displays informing you that the encryption process is complete.

4. Tap OK to acknowledge the message.

Note - If you tap Cancel, Pointsec Mobile locks the removable media because the removable media policy in this example requires encryption.

Note - Always back up removable media before encrypting it.

Interrupting the encryption process may result in corrupted files or data loss. Therefore:

– Do not upgrade Pointsec Mobile while encrypting/decrypting removable media.

– Do not remove the removable media from the device while encryption is in progress.

– Do not attempt to lock Pointsec Mobile or turn the device off while encrypting/decrypting removable media.

Locking Removable Media

To protect the information on your removable media, you can encrypt the information instantly by locking the device. See “Activating Pointsec Mobile Security Lock” on page 71 for instructions.

You cannot access encrypted files on removable media when the device is locked. If you attempt to access an encrypted file or to edit a file on the inclusion list, Pointsec Mobile asks you to authenticate to the device.

After you authenticate to the device, you may also need to authenticate to the removable media if single sign-on is not activated.

Accessing Removable Media Properties

Using Pointsec Properties, you can perform tasks for removable media, such as authenticating, changing the password, getting Remote Help, managing SSO entries, and protecting information by encrypting it immediately.

To access properties for removable media in Pointsec Mobile Properties:

1. From Start, browse to Pointsec Mobile. Select a storage card, and tap and hold it:


2. The following properties are displayed:

Table 4-6

Removable Media Property: For more information, see...

Authenticate: “Authenticating to Removable Media”

Change password: “Changing the PIN/PicturePIN/password for Removable Media”

Forgot password: “If You Forget Your Removable Media Password”

Edit SSO entries: “Editing SSO Entries on Removable Media”

Apply security policy: “Applying the Security Policy of the Current Device”

Decrypt: “Decrypting Removable Media”

Viewing Removable Media Status

Removable media can have one of three statuses: Unencrypted, Not Authenticated, and Authenticated. The status of the removable media is shown in the Pointsec Properties screen in the Status field and by an icon that displays to the left of the removable media in the Cards area.

Unencrypted: In the following example, Pointsec Mobile is not managing encryption of the removable media. See “Applying the Security Policy of the Current Device” on page 91 for instructions on how to enable Pointsec Mobile to do so.


Not Authenticated: In the following example, Pointsec Mobile is managing encryption of the removable media. Because the user is not authenticated to the removable media, encrypted files are inaccessible. See “Authenticating to Removable Media” on page 87 for instructions on how to log in to removable media.

Authenticated: In the following example, Pointsec Mobile is managing encryption of the removable media. The user is authenticated to the removable media and can access encrypted files and create files to be encrypted.

To view removable media status:

1. From Start, browse to Pointsec Mobile. Select a storage card, and tap and hold it.

2. The Status field and the icon that displays to the left of the removable media indicates the status.


Authenticating to Removable Media

To authenticate to removable media:

1. From Start, browse to Pointsec Mobile. Select a storage card, tap and hold it, and then tap Authenticate:

The Removable Media PIN dialog box opens, for example:

2. Enter your removable media PIN/PicturePIN/Password and tap OK.

You are authenticated to the removable media.


Changing the PIN/PicturePIN/password for Removable Media

To change the PIN/PicturePIN/password for removable media:

1. From Start, browse to Pointsec Mobile. Select a storage card, tap and hold it, and then tap Change password:

2. The Removable Media PIN dialog box opens, for example:

3. Enter the current PIN/PicturePIN/password for the removable media and tap OK.

Note - If the removable media password was previously disabled and was then enabled by an update profile, no current password is required because a current password does not exist.


The following dialog box opens:

4. Select authentication type.

5. Enter your new PIN/PicturePIN/password for the removable media.

6. Tap OK to move to the Confirm screen.

7. Re-enter your new PIN/PicturePIN/password to confirm it and tap OK.

Pointsec Mobile changes your PIN/PicturePIN/password for the removable media and returns you to the Pointsec Properties screen.

Note - You may not always have access to alternative authentication types. However, in this example, you are allowed to change the type used.

If You Forget Your Removable Media Password

1. If you cannot remember your PIN/PicturePIN/password, from Start, browse to Pointsec Mobile.


2. Select a storage card, tap and hold it and then tap Forgot password:

The Remote Help screen is displayed. You can either dial Remote Help to unlock the removable media, or cancel the operation without unlocking the removable media.

See chapter 6, “Remote Help” on page 103 for complete instructions on obtaining Remote Help from your administrator.

Note - Removable media can be unlocked only on the device where the most recent successful authentication to the removable media took place.

Editing SSO Entries on Removable Media

If single sign-on (SSO) is enabled on your device, Pointsec Mobile makes an entry on your removable media. This entry allows you to access the removable media after authenticating to the device, without requiring you to authenticate separately to the removable media (as long as SSO is enabled on your device).

You may want to remove entries, for example, for a device you no longer possess.

To remove an SSO entry:

1. From Start, browse to Pointsec Mobile.


2. Select a storage card, tap and hold it, and then tap Edit SSO entries:

The following dialog box opens. The entries for handheld devices are identified by the IMEI, ESN, or device ID. Entries for PCs are identified with the computer name.

3. Select the entry you want to remove, and tap Delete.

Note - You cannot delete the entry for the device in which your removable media is inserted.

SSO entries must be removed one at a time. To remove multiple entries, repeat the removal procedure for each entry.

Applying the Security Policy of the Current Device

You may move removable media from one device to another device that does not have the same encryption policy, that is, the same entries on the inclusion/exclusion lists.


To apply the encryption settings of the current device, you can choose the Apply security policy setting from Pointsec Properties. This setting applies the inclusion/exclusion list on the current device to the removable media. This ensures that non-encrypted files on the inclusion list are encrypted and encrypted files on the exclusion list are decrypted.

To apply the encryption policy of the currently used device:

1. From Start, browse to Pointsec Mobile.

2. Select a storage card, tap and hold it, and then tap Apply security policy:

3. Enter the removable media PIN/PicturePIN/password and tap OK, then tap OK again to confirm that you want to apply the security policy to the removable media.

The inclusion/exclusion list of the current device is applied to the removable media.

Decrypting Removable Media

Depending on the policy deployed on your device, you may be able to decrypt removable media.

Before decrypting information stored on removable media, consider the following:

• Always back up removable media before decrypting it.

• Do not remove removable media from the device while decryption is in progress. Interrupting the encryption process may result in corrupt files.

• Do not attempt to lock Pointsec Mobile while encrypting/decrypting removable media.


To decrypt removable media:

1. From Start, browse to Pointsec Mobile. Select a storage card, tap and hold it, and then tap Decrypt:

2. Enter the removable media PIN/PicturePIN/password and tap OK, then tap OK again to confirm that you want to decrypt the removable media.

Pointsec Mobile decrypts the information stored on the removable media.

Moving Removable Media Between Devices

The examples in this section illustrate scenarios that you may encounter when you use the same removable media on different devices.


Moving Removable Media Between Devices With Different Encryption Settings

You may need to move removable media from one device to another device that has different encryption settings. The following shows a typical scenario:

Table 4-7 Moving Removable Media Between Devices

Device A encryption policy:

• Directories are on the exclusion list (not encrypted).

• Encryption is required.

Device B encryption policy:

• Directories are on the inclusion list (encrypted).

• Encryption is required.

From Device A to Device B: You must encrypt the contents of the directories according to Device B’s inclusion list.

From Device B back to Device A:

• No files are decrypted.

• Any non-encrypted files on Device A’s inclusion list are encrypted.

Note - The active policy for removable media encryption is the policy on the device in which the removable media is inserted.

When removable media is inserted in Device A, it is Device A’s encryption policy that is active.

When you move the removable media to Device B, it is Device B’s encryption policy that is active.
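The note above (the active encryption policy is the policy of the device the card is currently in), the scenario in Table 4-7, and the explicit Apply security policy action described under “Applying the Security Policy of the Current Device” fit together into one small algorithm, and the difference between what happens automatically on insertion and what only an explicit apply does is the part users most often get wrong. The following Python code is an added example, not Pointsec Mobile or Check Point code. The file names, the directory lists, the prefix-match rule for inclusion/exclusion entries and the assumption that an exclusion entry wins over an overlapping inclusion entry are this example's own.

```python
# Added model of how the inclusion/exclusion lists decide which files on
# removable media are encrypted: the automatic step when encryption is required
# and the card is inserted (Table 4-7) versus the explicit "Apply security
# policy" action. Not Pointsec Mobile code; file names, list contents and the
# prefix-match / exclusion-wins rules are this example's own assumptions.
from dataclasses import dataclass, field


@dataclass
class EncryptionPolicy:
    name: str
    inclusion: tuple = ()        # path prefixes whose files must be encrypted
    exclusion: tuple = ()        # path prefixes whose files stay unencrypted
    required: bool = True        # Table 4-5 "required" mode

    def on_exclusion_list(self, path: str) -> bool:
        return any(path.startswith(prefix) for prefix in self.exclusion)

    def wants_encrypted(self, path: str) -> bool:
        """True if the path is on the inclusion list and not on the exclusion list.
        Assumption: an exclusion entry wins over an overlapping inclusion entry."""
        if self.on_exclusion_list(path):
            return False
        return any(path.startswith(prefix) for prefix in self.inclusion)


@dataclass
class Card:
    files: dict = field(default_factory=dict)   # path -> True if currently encrypted

    def encrypted_paths(self):
        return sorted(path for path, enc in self.files.items() if enc)


def on_insert(policy: EncryptionPolicy, card: Card):
    """Automatic behaviour when the card is inserted into a device: with
    encryption required, unencrypted files on the inclusion list are encrypted.
    Nothing is ever decrypted here (Table 4-7: "No files are decrypted")."""
    encrypted = []
    if policy.required:
        for path, enc in card.files.items():
            if not enc and policy.wants_encrypted(path):
                card.files[path] = True
                encrypted.append(path)
    return encrypted


def apply_security_policy(policy: EncryptionPolicy, card: Card):
    """Explicit Apply security policy from Pointsec Properties: unencrypted files
    on the inclusion list are encrypted AND encrypted files on the exclusion
    list are decrypted. Files on neither list are left as they are."""
    encrypted, decrypted = [], []
    for path, enc in card.files.items():
        if not enc and policy.wants_encrypted(path):
            card.files[path] = True
            encrypted.append(path)
        elif enc and policy.on_exclusion_list(path):
            card.files[path] = False
            decrypted.append(path)
    return encrypted, decrypted


def scenario_table_4_7():
    """Walk one card through Table 4-7: Device A -> Device B -> back to A,
    then an explicit apply of Device A's policy. Returns the encrypted paths
    after each step."""
    device_a = EncryptionPolicy("Device A", inclusion=("/Notes/",), exclusion=("/Documents/",))
    device_b = EncryptionPolicy("Device B", inclusion=("/Documents/",), exclusion=("/Music/",))
    # Constructed sample card: every file still in clear text.
    card = Card({"/Documents/report.doc": False,
                 "/Notes/todo.txt": False,
                 "/Music/song.mp3": False})
    states = {}
    on_insert(device_a, card)
    states["after_device_a"] = card.encrypted_paths()
    on_insert(device_b, card)              # Documents now encrypted per B's list
    states["after_device_b"] = card.encrypted_paths()
    on_insert(device_a, card)              # back on A: nothing is decrypted
    states["back_on_device_a"] = card.encrypted_paths()
    apply_security_policy(device_a, card)  # explicit apply: A's exclusion list honoured
    states["after_apply_policy_a"] = card.encrypted_paths()
    return states


if __name__ == "__main__":
    for step, paths in scenario_table_4_7().items():
        print(f"{step}: {paths}")
```

Running the scenario shows the point of the section: after the round trip, /Documents/report.doc is still encrypted on Device A even though Device A's policy excludes it, and only the explicit Apply security policy step brings the card back in line with the device it is in. A file on neither list keeps whatever state the last device left it in.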


Moving Removable Media Between Devices When Password Is Disabled

The following scenario shows what happens when removable media is moved from a device with password disabled (and SSO enabled) to another device.

Table 4-8 Moving Removable Media Between Devices Without Password

About Device A:

• Single sign-on (SSO) is configured for devices A and B.

• Newly formatted removable media was inserted into device A and encrypted (SSO entry created).

• Encrypted files were placed on the removable media while in Device A.

What happens when removable media is moved from Device A to Device B:

• Device B cannot find the SSO entry or a password entry.

• Result: Access to encrypted files is denied. Users can access and create non-encrypted files specified on the exclusion list of Device B.

Using Removable Media on Pointsec Mobile and Pointsec Media Encryption

Pointsec Mobile and Pointsec Media Encryption (PME), a separate Check Point product, are interoperable, which allows removable media you encrypt on Pointsec Mobile to be used on your PC with PME installed, and vice versa.


If you are using the same removable media on both of these products, ensure you do the following:

See the documentation provided with Pointsec Media Encryption for more information.

Table 4-9 Requirements for Pointsec Mobile and PME Interoperability

If you want to... Then you must...

Move removable media encrypted with a Pointsec Mobile-protected device to a PC with PME installed...

Set an alphanumeric password for the removable media before moving it to the PC.

In addition, PME asks for a user name. When prompted, enter the word mobile. This is the user name that Pointsec Mobile automatically sets for removable media.

Move removable media encrypted on a PC with PME installed to a Pointsec Mobile-protected device...

You must set a shared password for the removable media before moving it to a Pointsec Mobile-protected device.


Chapter 5 Managing Removable Media

In This Chapter

Defining an Authentication Policy page 97

Defining an Encryption Policy page 99

Defining a Decryption Policy page 101

Effective Removable Media Settings page 102

Pointsec Mobile protects removable media such as MicroDrives, MultiMediaCards (MMC), Secure Digital (SD) cards and the Compact Flash (CF) card standard. Internal memory drives are also treated as removable media by Pointsec Mobile.

Defining an Authentication Policy

When a user attempts to authenticate to removable media, Pointsec Mobile checks the password against the authentication policy you created. If the PIN/PicturePIN/password does not comply with the policy, the user is forced to change the PIN/PicturePIN/password before the removable media can be used.

The following are the steps for defining a removable media authentication policy:

Table 5-1 Steps for Defining a Removable Media Authentication Policy

Step: Decide whether you want to allow users to use removable media on the device.
Comment: If you do not allow removable media, you can skip this chapter.

Step: Decide whether to enable single sign-on (SSO).
Comment: When SSO is enabled, users authenticate once on the device and are then automatically authenticated to the removable media as well. If you disable SSO, users must authenticate to the removable media each time they try to access encrypted information on it, or whenever it is inserted into the device. See “Single Sign-On” on page 80 for more information.

Step: Decide whether users can set a password for the removable media.
Comment: If you do not allow users to set a password for removable media, then single sign-on is automatically enabled. This means that newly-formatted removable media placed in the device is linked to that device, and the removable media is not accessible in any other device. See “Password Protection for Removable Media” on page 81 for more information. If you allow users to set a password for the removable media, you must decide whether they can select the authentication type. If you do not allow users to select the authentication type, they must use the one you configure in the installation set settings.

Step: Decide the password properties to be applied to the removable media password.
Comment: The same password properties that are available for the device are available for removable media. See “PIN/PicturePIN/Password Properties” on page 18 for a complete list of password property settings.

After you decide how you want the removable media authentication policy to work, you can configure it in the installation settings. See “Removable Media Encryption” on page 25 and “Removable Media PIN/PicturePIN/Password Properties” on page 28 for more information.


Defining an Encryption Policy

When creating an installation set or updating a Pointsec profile, you have several options for defining a removable media encryption policy.

Table 5-2 Removable Media Encryption Settings

Setting: Disabled
How users are affected:

• Users cannot encrypt removable media.

• Users can read already encrypted removable media if they are authenticated to it.

Setting: Optional
How users are affected:

• Users can choose to encrypt removable media.

• Users are prompted to set a password when removable media is inserted, but are not required to do so and may select Cancel.

• If no password is set, the removable media remains unencrypted.

• If users set a password and insert removable media containing unencrypted files, Pointsec Mobile asks if the files should be encrypted.

• If a password was set for the removable media, and the user is authenticated to it, any new files placed on the removable media are encrypted automatically according to the inclusion list.

Implications: The number of encrypted files on the removable media increases if it is moved between devices with different encryption policies and the user chooses to encrypt files. You can configure Pointsec Mobile so users can encrypt or decrypt files according to the encryption policy of the current device. See “Applying the Security Policy of the Current Device” on page 91.

Setting: Optional, No Query
How users are affected:

• Users can choose to encrypt removable media.

• Users are prompted to set a password when removable media is inserted, but are not required to do so and may select Cancel.

• If no password was set, the removable media remains unencrypted.

• If a password was set for the removable media, users are not asked if they want to encrypt existing files.

• If a password was set for the removable media, and a user is authenticated to it, any new files are encrypted automatically according to the inclusion list.

Implications: You can configure Pointsec Mobile so users can encrypt or decrypt files according to the encryption policy of the current device. See “Applying the Security Policy of the Current Device” on page 91.

Setting: Required
How users are affected:

• After users select a password for or authenticate to removable media, Pointsec Mobile asks if the files should be encrypted.

• Users are required to encrypt non-encrypted files on the inclusion list before they are allowed to use the removable media.

Implications: The number of encrypted files on the removable media increases if the card is moved between devices with different encryption policies and the user chooses to encrypt the files. You can configure Pointsec Mobile so that users can apply the encryption policy of the current device via Pointsec Properties. This causes files to be encrypted or decrypted according to the encryption policy of the current device. See “Applying the Security Policy of the Current Device” on page 91.

For instructions on how to encrypt removable media, see “Protecting Information on Removable Media” on page 83.

Defining a Decryption Policy

You define whether users are allowed to decrypt removable media. The Pointsec Mobile installation settings are:

• Allowed: Users can decrypt removable media, making the information on it accessible to any user.

• Disallowed: Users cannot decrypt removable media. Users can access information on the exclusion list, but not on the inclusion list.

For instructions on how to decrypt removable media, see “Decrypting Removable Media” on page 92.


Effective Removable Media Settings

When you upgrade to Pointsec Mobile Pocket PC 3.4 or later, the new removable media settings are not automatically deployed on the device. If you want to use the removable media settings available in the 3.4 release, you must create and deploy an update profile with the new settings after upgrading Pointsec Mobile on the device.

If you do not deploy an update profile, Pointsec Mobile translates the old Card Policy settings to new effective settings as shown in the following table.

Note that the setting Allow Removable Media always defaults to Allow cards unless a new profile specifies otherwise.

Table 5-3 Effective Removable Media Settings

Old Setting: No restrictions
Effective Settings in 3.4 and later: Encryption Optional, Decryption Allowed

Old Setting: Disable decryption
Effective Settings in 3.4 and later: Encryption Optional, Decryption Disallowed

Old Setting: Require encryption
Effective Settings in 3.4 and later: Encryption Required, Decryption Disallowed

Old Setting: No Restriction, No Query
Effective Settings in 3.4 and later: Encryption Optional, No Query; Decryption Allowed

Old Setting: Disable encryption and decryption
Effective Settings in 3.4 and later: Encryption Disabled, Decryption Disallowed


Chapter 6 Remote Help

In This Chapter

Using webRH to Provide Remote Help page 104

Recommended Methods of Verifying Users page 104

Remote Help Settings Overview page 105

Recovery File Naming Convention page 106

Remote Help for Removable Media page 106

Providing Remote Help – an Example page 107

Pointsec Mobile provides access control to encrypted information by locking users out of their devices after a predetermined number of failed login attempts.

Pointsec Mobile denies access to removable media if users fail to authenticate to it. There is no set number of authentication attempts for removable media.

This chapter explains how authorized users who have inadvertently locked themselves out of devices or cannot access removable media can regain access. It also discusses methods for verifying users who request Remote Help.

You can also use Remote Help to:

• Recover encrypted information if the PIN/PicturePIN/password is not known, for example if a user no longer works for your organization.

• Remove Pointsec Mobile from a device. See chapter 7, “Removing Pointsec Mobile from a Device” on page 111 for more information.

Note - If Unlimited number of attempts is set to Yes, Remote Help will not be available. See chapter 1, “Overview of Pointsec Mobile” on page 15 for more information.

Pointsec Mobile’s Remote Help uses a challenge/response mechanism between the user and administrator (or helpdesk personnel). Remote Help generates a temporary password for the user. After access is regained, the user must specify a new PIN/PicturePIN/password.

Using webRH to Provide Remote Help

Depending on how Pointsec Mobile is configured, it may be possible to provide users with Remote Help using Endpoint Security webRH.

This document describes how to use Pointsec Administration Console to provide users with Remote Help and to help them remove Pointsec Mobile. For information on using Endpoint Security webRH instead, see the Endpoint Security webRH Pointsec for Handhelds Extension Administrator’s Guide.

Recommended Methods of Verifying Users

Before you provide Remote Help, you must ensure that the user is authorized to access the device.

You can do this in a number of ways, for example:

• Use predetermined questions and answers that only legitimate users have access to

Keep a list of sample questions, such as the user’s name and favorite color, partner’s middle name, brand of car, etc. Some of the questions could have randomized, fixed answers; for example, when asked about his/her favorite pet, the user could answer clouds, not cat.

• Store the questions and answers in a separate database that is accessible to all Remote Help administrators.

• Use voice verification software

Use security software to extract unique vocal characteristics of the caller and compare them with the Pointsec Mobile user’s reference voiceprint.


Remote Help Settings Overview

The Remote Help properties sheet contains the settings you need to help users to securely reset their PIN/PicturePINs/passwords on their Pocket PC devices or encrypted removable media. You also use these settings to remove Pointsec Mobile from a device.

To access Remote Help:

1. In Pointsec Administration Console, under Pointsec Mobile, click Remote Help:

The following settings are available:

Table 6-1 Remote Help Settings

Setting: Action Type
Explanation: Select whether you want to provide Remote Help or remove Pointsec Mobile from a device. Selecting the incorrect option results in a failed challenge and response procedure.

• Unlock Device/Card: Select this option to help a user access a locked out device or removable media for which the PIN/PicturePIN/password has been forgotten.

• Remove Pointsec Mobile: Select this option to remove Pointsec Mobile from a device.

Setting: Recovery File
Explanation: Enter the path to the recovery file. You can also click the browse button and navigate to the recovery file. See “Recovery File Naming Convention” on page 106 for information on how recovery files are named.

Setting: Challenge
Explanation: Here you enter the challenge generated by Pointsec Mobile on the device.

Setting: Response (Generate Response)
Explanation: Click this button to generate a response to a challenge. The response is entered into the device.

Recovery File Naming Convention

To perform Remote Help, you must retrieve the correct device recovery file.

There is no separate recovery file for removable media. Removable media can be unlocked on the device where the most recent authentication to the removable media occurred.

The recovery file naming convention for device recovery files is as follows:

<ID>.rec

Where ‘ID’ is one of the following:

• IMEI number (for GSM devices)

• ESN number (for CDMA devices)

• Windows CE device number (non-cellular devices)

• Non-GSM/CDMA device number (for example, Japanese devices)

The device serial number is also displayed on the challenge screen.

Remote Help for Removable Media

When users forget their removable media PIN/PicturePIN/password, they can request Remote Help to regain access.

The following table describes how Remote Help for removable media works:

Table 6-2 Remote Help for Removable Media

Fact: Users have an unlimited number of attempts to authenticate to removable media. Users decide themselves when to call for Remote Help.
Example: A user forgets the password. The user selects Pointsec Mobile > Properties > Storage Card > Forgot password on the Pointsec Mobile Properties screen to access the Challenge/Response screen and Remote Help call button.

Fact: There is no separate recovery file for removable media. To receive Remote Help, the removable media must be inserted in the same device where the most recent successful authentication to the removable media took place.
Example: A user selects Forgot password. The device checks if the most recently successful authentication to the card took place on this same device.

• If yes, the Challenge screen is displayed and a normal Remote Help session can take place. A new PIN/PicturePIN/password must be set for the removable media if this option is configured in the installation settings.

• If no, a message is displayed that Remote Help cannot be carried out for the removable media.

Providing Remote Help – an Example

The following example explains how to help a legitimate user when Pointsec Mobile denies access to encrypted information because the PIN/PicturePIN/password was forgotten for the device or removable media. For Remote Help for removable media, start reading at step 2.


1. When attempting to authenticate to a device: A user exceeds the maximum number of authentication attempts on the device. Pointsec Mobile locks the device and displays the challenge screen. Go to step 3 to continue.

2. When attempting to authenticate to removable media: A user has an unlimited number of attempts to authenticate to the removable media. The user decides that Remote Help is needed, and selects Pointsec Mobile. The user then selects a storage card, taps and holds it, and then taps Forgot password:

Pointsec Mobile displays the Remote Help screen for removable media. The user calls the administrator for Remote Help.

3. Verify that the user is legitimate. See “Recommended Methods of Verifying Users” on page 104 and then start Pointsec Administration Console, authenticate yourself, and open the Remote Help tab.

4. Enter the challenge that the user reads to you into the Challenge field.

5. Click Browse to go to where the device’s recovery file is stored.


6. Identify the recovery file by the device ID (IMEI, ESN, or Windows CE device ID). See “Recovery File Naming Convention” on page 106 for information on how recovery files are named.

7. Click Open. Pointsec Administration Console retrieves the necessary information from the file.

8. Click Generate Response. Pointsec Administration Console generates a response.

9. Read the response to the user.

10. The user enters the response, taps OK, and gains access to the device or removable media.

11. Pointsec Mobile makes the user set a new PIN/PicturePIN/password.

The user has normal access to the device or removable media again.


Chapter 7 Removing Pointsec Mobile from a Device

In This Chapter

Using webRH to Remove Pointsec Mobile page 112

Removal Procedure page 112

Pointsec Mobile ensures that users cannot compromise security by removing Pointsec Mobile from their devices by themselves. In order to remove Pointsec Mobile, an administrator who has access to Pointsec Administration Console or to Endpoint Security webRH must either

• Complete a secure challenge/response procedure by using Pointsec Administration Console or Endpoint Security webRH. See “Removal Procedure” on page 112.

or

• Initiate a remote removal. See “Silent Uninstall” on page 30.

Using webRH to Remove Pointsec Mobile

Depending on how Pointsec Mobile is configured, it may be possible to help users remove Pointsec Mobile using Endpoint Security webRH.

This document describes how to use Pointsec Administration Console to provide users with Remote Help and to help them remove Pointsec Mobile. For information on using Endpoint Security webRH instead, see the Endpoint Security webRH Pointsec for Handhelds Extension Administrator’s Guide.

Removal Procedure

The examples in this section describe how to use Pointsec Administration Console to carry out the administrator’s tasks when removing Pointsec Mobile. For information on how to use Endpoint Security webRH instead, please see the Endpoint Security webRH Pointsec for Handhelds Extension Administrator’s Guide.

The removal process can be divided into the following steps:

• The device user initiates the removal from the device

• The device user and administrator carry out a challenge/response procedure to complete the removal.

To initiate removal on the device (to be performed by device user):

1. If the device powers down during removal, another Remote Help procedure is required to continue removal. Therefore, do the following to prevent the device from powering down during the removal process:

– Ensure that the device is configured NOT to turn itself off after a very short time if unused

– Connect the device to external power

2. Ensure any removable media encrypted on the device is decrypted before you remove Pointsec Mobile from the device.

3. Tap Start, browse to Settings, and open the System tab.

4. Tap Remove Programs.


The following screen opens:

5. Select Pointsec Mobile, and tap Remove.

6. Tap Yes.

A message displays asking you to confirm that you want to continue removing Pointsec Mobile using Remote Help.

7. Save any work you have in progress and tap Yes.

Pointsec Mobile informs you that in order to complete removal of the program, you must be authenticated using a Remote Help challenge/response procedure.

8. Pointsec Mobile displays a challenge.

9. Read the challenge to the administrator.


This section describes the last part of the removal process. These instructions are intended for the administrator.

To complete the removal:

1. In Pointsec Administration Console, under Pointsec Mobile, click Remote Help:

2. Select Remove Pointsec Mobile.

3. In the Challenge field, enter the challenge displayed on the device.

4. Click Browse and locate the device’s recovery file. The recovery file can be identified by the device ID (IMEI, ESN, or Windows CE device ID). See “Recovery File Naming Convention” on page 106 for information on how recovery files are named.

5. Click Generate Response.

6. Ask the device user to enter the response into the device and tap OK.

7. If the device detects encrypted removable media, the user receives a dialog box asking if the card should be decrypted before continuing removal. This question appears regardless of the removable media encryption policy in place at the time of removal.

8. Tap No if you want to remove Pointsec Mobile without decrypting the removable media. Tap Yes to decrypt the removable media, and follow the normal removable media decryption procedure. For instructions, see “Decrypting Removable Media” on page 92.

9. The device restarts.

Note - If you do not decrypt encrypted removable media before removing Pointsec Mobile, you cannot read the removable media on that device. It is readable only on a device with Pointsec Mobile installed.


Pointsec Mobile decrypts the information on the device and removes itself from the device. The device then restarts again.

Note - Occasionally, after removing Pointsec Mobile from a device that is in its cradle, the user may need to take the device out of its cradle and put it back again in order to reconnect to the workstation.


Appendix A Pointsec Mobile Keypads

In This Appendix

Picture Set 1 Keypad page 2

Picture Set 2 Keypad page 2

Alphanumeric Keypad page 3

Numeric Keypad page 3

Customized Picture Set Keypad page 4

Customizing a Picture Set page 4

This appendix describes the picture set, alphanumeric and numeric keypads included with Pointsec Mobile and how to customize the picture set on keypads.

Whatever keypad is used, the pictures, characters or numbers can be configured to be shuffled each time users authenticate themselves.

This is to ensure that no ‘shoulder-surfers’ can gain access to the PIN/PicturePIN/password and that no scratches or fingerprints on the device’s screen reveal the PIN/PicturePIN/password.


Picture Set 1 Keypad

The following pictures are included on the picture set 1 keypad:

Picture Set 2 Keypad

The following pictures are included on the picture set 2 keypad:


Alphanumeric Keypad

The following characters and numbers are included on the alphanumeric keypad:

Numeric Keypad

The following numbers are included on the numeric keypad:


Customized Picture Set Keypad

The following pictures are included on the customized picture set keypad:

For more information, see “Customizing a Picture Set” on page 4.

Customizing a Picture Set

You can use customized pictures so that Pointsec Mobile reflects your organization's graphical profile.

Before you can customize a picture set, you must create the graphics you want to use. You can do so by using the graphics program of your choice.

Requirements for graphics:

• The graphics you create must be in the BMP file format and 32 x 32 pixels in size.

• The graphics must be saved in a location that Pointsec Administration Console can access.

Tip - We recommend that you verify that the customized picture set is displayed correctly on one device before deploying it on a larger scale.

Note - Custom picture sets cannot be used when setting a PicturePIN for removable media.


After you have the graphics you want to use, you are ready to create a customized picture set.

To create a customized picture set:

1. In Pointsec Administration Console, in the Customize picture set field, click ... .

The Customize button dialog box opens and displays the alternative picture set keypad graphics:

2. Double-click on a picture to customize it.

3. Browse to and open the folder containing the graphics you want to use.

4. Select a file and click Open.

Pointsec Administration Console replaces the graphic in the Customize buttons dialog box.

Note - The top left pixel of the picture defines the transparent color, which means that any part of the picture that uses the same color will be transparent.


5. Continue by double-clicking on the other pictures to customize them. For example:

6. After you have customized all the pictures, click OK.

You are returned to Pointsec Administration Console.

7. From the Authentication Type drop-down list, select Customized. See chapter 1, “Overview of Pointsec Mobile” on page 14 for more information on setting picture set options. The customized picture set is used in the Pointsec profile you are creating.

Note - Remember to select a unique picture for each button.


Appendix B Event Logging

In This Appendix

Event Logging in Pointsec Administration Console page 1

Event Logging on a Device page 6

You can view various logged events in Pointsec Administration Console and on the device.

Event Logging in Pointsec Administration Console

The following list shows the Pointsec Mobile events that are logged on the Pointsec Administration Console:

Table B-1 Logged Events

Event: Installation set created
Explanation: Logs when an installation set was created in Pointsec Administration Console.

Event: Profile loaded
Explanation: Logs when an installation set or update profile was loaded in Pointsec Administration Console.

Event: Update profile created
Explanation: Logs when an update profile was created in Pointsec Administration Console.

Event: Remote Help performed
Explanation: Logs when either Pointsec Mobile was removed from a device or when a user received Remote Help to unlock a locked device.

For more information on logging in the Pointsec Administration Console, see the Pointsec Administration Console Administrator’s Guide.

Event Logging on a Device

You configure whether to log events when you create an installation set or update a security profile. Event logs are viewed via Internet Explorer or other browser and can be transferred to a server via external transfer software. For more information on creating an installation set, see “Overview of System Settings” on page 10. For information on updating a security profile, see “Update Profiles for Pointsec Mobile” on page 60.

An event log file generated by Pointsec Mobile has the following characteristics:

Table B-2 Characteristics of Event Log File

Characteristic

Description

Log File Format XML

Storage Directory \Windows\Pointsec

Page 133: Pointsec Mobile Pocket PC Administrator’s Guide

Event Logging on a Device

Appendix B Event Logging 3

Log File Categories Events are divided into categories, and each category is logged to a separate file. The categories are:

• Installation

• Uninstallation

• Card Encryption

• Card Decryption

• Pointsec Registry

• General Events

Naming Convention General Events: <id>_pslog.xml

Specific Events: <id>[_<cat>]_pslog.xml

Where:

<id> is the IMEI or ESN number, if found. Otherwise, the device ID is used.

<cat> is the event category, “install”, “uninstall”, “card_enc”, “card_dec”, “registry”, or nothing if it is a general event.

All events, regardless of category, are logged in the general event log. Depending upon the log level, events belonging to a specific category are also logged in the event log for that category.

Maximum Size When the log file size exceeds 100 kilobytes, the oldest events are removed and the file is truncated to approximately 75 kilobytes.

Table B-2 Characteristics of Event Log File

Characteristic

(continued)

Description

Page 134: Pointsec Mobile Pocket PC Administrator’s Guide

Limitations

4

LimitationsThe Pointsec Mobile event logging feature has the following limitations:

• The log file is not encrypted.

• Unauthorized modification, removal, or replacement of the log file is not detected or prevented.

• If a log entry cannot be written because of a lack of disk space or other problem, that entry is dropped without warning.

Example of a Log FilePointsec Mobile event log files are produced in XML format. The following is an example of how a log file appears:<?xml version="1.0" encoding="UTF-8"?>

Information

included in log file

• Date expressed in yyyy/mm/dd format

• Time in UTC

• Event ID. Each event has a unique event ID. For a list of all events and their corresponding event IDs, see “List of Logged Events” on page 6.

• Type. This can be I for information, W for warning, or E for error.

• Some events contain one or two pieces of additional dynamic information, for example, a file name or a reason for failure. This information appears in the Info1 and Info2 fields in the log file. To see where this information appears in the log file, refer to “Example of a Log File” on page 4.

Log File Life span The log file remains on the device after Pointsec Mobile is removed to preserve events logged during uninstallation.

Log File viewer Internet Explorer or other external viewer.

Method of transfer

to server

External transfer software

Table B-2 Characteristics of Event Log File

Characteristic

(continued)

Description

Page 135: Pointsec Mobile Pocket PC Administrator’s Guide

Example of a Registry Log File

Appendix B Event Logging 5

<event_log version="1.0"><event><date><y>2006</y><m>5</m><d>10</d></date><time><h>4</h><m>38</m><s>48</s></time><type>I</type><id>100</id><info1>3.2.0</info1></event><event><date><y>2006</y><m>5</m><d>10</d></date><time><h>4</h><m>40</m><s>54</s></time><type>I</type><id>101</id></event><event><date><y>2006</y><m>5</m><d>10</d></date><time><h>4</h><m>40</m><s>57</s></time><type>I</type><id>102</id></event><event><date><y>2006</y><m>5</m><d>10</d></date><time><h>4</h><m>40</m><s>58</s></time><type>I</type><id>1900</id><info1>\My Documents\Eigene Bilder\Waterfall.jpg</info1></event><event><date><y>2006</y><m>5</m><d>10</d></date><time><h>4</h><m>41</m><s>16</s></time><type>I</type><id>1901</id><info1>\pim.vol</info1><info2>Could not open file for reading, the file is in use</info2></event><event><date><y>2006</y><m>5</m><d>10</d></date><time><h>4</h><m>41</m><s>16</s></time><type>I</type><id>103</id></event><event><date><y>2006</y><m>5</m><d>10</d></date><time><h>4</h><m>41</m><s>38</s></time><type>I</type><id>1900</id><info1>\pim.vol</info1></event><event><date><y>2006</y><m>5</m><d>10</d></date><time><h>4</h><m>42</m><s>11</s></time><type>I</type><id>104</id><info1>3.2.0</info1></event></event_log>

Example of a Registry Log File

When you install, update a profile, or upgrade Pointsec Mobile, the Pointsec registry key data associated with the event is logged in XML format (see “Registry Event” on page 11). The following is an example of how a log file of a registry event appears:

<?xml version="1.0" encoding="UTF-8"?>
<event_log version="1.0">
  <event>
    <date><y>2006</y><m>5</m><d>10</d></date>
    <time><h>4</h><m>42</m><s>11</s></time>
    <type>I</type>
    <id>2100</id>
    <info1>Installation completed</info1>
    <info2>
      <reg_entry><name>Notification</name><type>DWORD</type><value>4026575744</value></reg_entry>
      <reg_entry><name>Installed</name><type>MULTI_SZ</type><value><val><![CDATA[Pointsec_for_PPC_3.2.0_en.arm.cab]]></val></value></reg_entry>
      <reg_entry><name>RecoveryPath</name><type>SZ</type><value><![CDATA[c:\<illegal path>]]></value></reg_entry>
      <reg_entry><name>UpdatePath</name><type>SZ</type><value><![CDATA[c:\<illegal path>]]></value></reg_entry>
      <reg_entry><name>AppName</name><type>SZ</type><value><![CDATA[for Pocket PC]]></value></reg_entry>
      <reg_entry><name>Provider</name><type>SZ</type><value><![CDATA[Pointsec]]></value></reg_entry>
      <reg_entry><name>CabFileName</name><type>SZ</type><value><![CDATA[Pointsec_for_PPC_3.2.0_en.arm.cab]]></value></reg_entry>
      <reg_entry><name>VersionName</name><type>SZ</type><value><![CDATA[3.2.0]]></value></reg_entry>
      <reg_entry><name>Version</name><type>DWORD</type><value>197120</value></reg_entry>
      <reg_entry><name>StartUp</name><type>SZ</type><value><![CDATA[\Windows\AutoStart]]></value></reg_entry>
      <reg_entry><name>MyDocuments</name><type>SZ</type><value><![CDATA[\My Documents]]></value></reg_entry>
      <reg_entry><name>ApplicationPath</name><type>SZ</type><value><![CDATA[\Programme\Pointsec Mobile Pocket PC]]></value></reg_entry>
    </info2>
  </event>
</event_log>

List of Logged Events

The following are the events that Pointsec Mobile logs on the device, separated into their respective categories:

General Events

Table B-3 General Events

Event ID | Type | Description | Info1 | Info2
---------|------|-------------|-------|------
200 | Info | Device recovery file created | File name |
300 | Info | Upgrade started | From version | To version
301 | Info | Upgrade completed | To version |
302 | Error | Upgrade failed, installation profile is missing | |
303 | Error | Upgrade failed, the supplied installation profile has wrong version or is corrupt | |
400 | Warning | Device authentication failed | |
500 | Info | Device has been locked due to too many failed attempts | |
600 | Warning | Wrong response (device remote help) | Occurrence (device locked/uninstall) |
601 | Info | Device password changed (remote help) | |
602 | Info | Device remote help completed (unlock) | |
700 | Info | Device password changed (forced change) | |
701 | Info | Device authentication failed (password change) | |
702 | Info | Device password changed (user initiated change) | |
800 | Info | ActiveSync authentication failed | |
900 | Info | Profile update completed | File name |
901 | Error | Profile update failed, wrong profile version or file corrupt | File name |
902 | Info | Profile update started | File name |
1100 | Info | Card recovery file created | Card serial number | File name
1300 | Warning | Card authentication failed | Card serial number |
1400 | Info | Card has been locked due to too many failed attempts | Card serial number |
1500 | Warning | Wrong response (card remote help) | Card serial number |
1501 | Info | Card password changed (remote help) | Card serial number |
1502 | Info | Card remote help completed | Card serial number |
1600 | Info | Card authentication failed (password change) | Card serial number |
1601 | Info | Card password changed (user initiated change) | Card serial number |
1701 | Info | Event logging disabled | |
1702 | Info | Event logging enabled: Errors | |
1703 | Info | Event logging enabled: Errors, Warnings | |
1704 | Info | Event logging enabled: Errors, Warnings, Info | |
1900 | Info | File was encrypted. This event is logged in the installation log if it occurs during installation. | File name |
1901 | Info | Encryption of file failed. This event is logged in the installation log if it occurs during installation. | File name | Reason
2000 | Info | File was decrypted. This event is logged in the uninstallation log if it occurs during uninstallation. | File name |
2001 | Info | Decryption of file failed. This event is logged in the uninstallation log if it occurs during uninstallation. | File name | Reason

Installation Events

Table B-4 Installation Events

Event ID | Type | Description | Info1 | Info2
---------|------|-------------|-------|------
100 | Info | Installation started | Version |
101 | Info | First successful authentication | |
102 | Info | Initial encryption started | |
103 | Info | Initial encryption completed | |
104 | Info | Installation completed | Version |
106 | Error | Installation profile corrupt | |
107 | Error | Installation profile is wrong version | |
108 | Error | Profile product code does not match that of the .cab file. | File name | Profile product code
109 | Error | Profile software version does not match that of the .cab file. | File name | Profile version
110 | Warning | Installation profile not found | |
111 | Warning | A file was skipped during the scan for an installation profile. | File name |

Uninstallation Events

Table B-5 Uninstallation Events

Event ID | Type | Description | Info1 | Info2
---------|------|-------------|-------|------
1800 | Info | Uninstallation started | |
1801 | Info | Uninstallation aborted, user didn’t authenticate | |
1802 | Info | Device remote help completed (uninstall) | |
1803 | Info | Decrypting files due to uninstallation | |
1804 | Info | Decryption of files due to uninstallation completed | |
1805 | Info | Uninstallation completed | |

Card Encryption Events

Table B-6 Card Encryption Events

Event ID | Type | Description | Info1 | Info2
---------|------|-------------|-------|------
1001 | Info | Encryption of card has started | Card serial number |
1002 | Info | Card encryption completed | Card serial number |
1004 | Error | Card encryption failed | Card serial number | Reason

Card Decryption Events

Table B-7 Card Decryption Events

Event ID | Type | Description | Info1 | Info2
---------|------|-------------|-------|------
1202 | Info | Decryption of card has started | Card serial number |
1203 | Info | Card decryption completed | Card serial number |
1205 | Error | Card decryption failed | Card serial number | Reason

Registry Event

Table B-8 Registry Event

Event ID | Type | Description | Info1 | Info2
---------|------|-------------|-------|------
2100 | Info | Pointsec registry key | Occurrence (install/profile update/upgrade) | Registry data in XML format
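An added example, not from this guide or from Check Point: a Python parser for the event_log format shown above that looks up event IDs from Table B-3 and, over a constructed sample log, surfaces authentication failures and lockouts (400, 500, 800) and files whose encryption failed (1901) with no later success (1900) for the same path. The sample log, the notes.pwi path and the FLAGGED/review names are assumptions made here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample in the <event_log> format of this appendix (not a real device log).
SAMPLE_LOG = (
    '<event_log version="1.0">'
    '<event><date><y>2006</y><m>5</m><d>10</d></date><time><h>4</h><m>41</m><s>16</s></time>'
    '<type>I</type><id>1901</id><info1>\\pim.vol</info1>'
    '<info2>Could not open file for reading, the file is in use</info2></event>'
    '<event><date><y>2006</y><m>5</m><d>10</d></date><time><h>4</h><m>41</m><s>38</s></time>'
    '<type>I</type><id>1900</id><info1>\\pim.vol</info1></event>'
    '<event><date><y>2006</y><m>5</m><d>10</d></date><time><h>4</h><m>41</m><s>50</s></time>'
    '<type>I</type><id>1901</id><info1>\\notes.pwi</info1><info2>Access denied</info2></event>'
    '<event><date><y>2006</y><m>5</m><d>10</d></date><time><h>9</h><m>2</m><s>5</s></time>'
    '<type>W</type><id>400</id></event>'
    '<event><date><y>2006</y><m>5</m><d>10</d></date><time><h>9</h><m>2</m><s>40</s></time>'
    '<type>I</type><id>500</id></event>'
    '</event_log>'
)

# Authentication and lockout events from Table B-3 that a reviewer wants surfaced.
FLAGGED = {
    400: "Device authentication failed",
    500: "Device has been locked due to too many failed attempts",
    800: "ActiveSync authentication failed",
}
FILE_ENCRYPTED, FILE_ENCRYPT_FAILED = 1900, 1901   # Table B-3, Info1 = file name

def parse_events(xml_text):
    """Parse an event_log document into dicts with a datetime, type, id, info1 and info2."""
    events = []
    for ev in ET.fromstring(xml_text).findall("event"):
        d, t = ev.find("date"), ev.find("time")
        stamp = datetime(*(int(d.findtext(k)) for k in "ymd"),
                         *(int(t.findtext(k)) for k in "hms"))
        events.append({"time": stamp, "type": ev.findtext("type"),
                       "id": int(ev.findtext("id")),
                       "info1": ev.findtext("info1"), "info2": ev.findtext("info2")})
    return events

def review(events):
    """Return (flagged, pending): flagged events in time order, and files whose 1901 failure
    was never followed by a 1900 success for the same path (reason taken from Info2)."""
    flagged, pending = [], {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] in FLAGGED:
            flagged.append((e["time"], e["id"], FLAGGED[e["id"]]))
        elif e["id"] == FILE_ENCRYPT_FAILED:
            pending[e["info1"]] = e["info2"]   # remember the failure and its reason
        elif e["id"] == FILE_ENCRYPTED:
            pending.pop(e["info1"], None)      # a later success clears the failure
    return flagged, pending
```

On the sample, review() flags the 400 and 500 events and reports \notes.pwi as still unencrypted, while \pim.vol is cleared by its later 1900 event, as in the guide's own example log.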


Index

A
accept old update profiles 13
access contacts and call history 12
accessing information on device 69
accessing removable media properties 84
action type, Remote Help 105
active password policy setting 17
ActiveSync 54
advanced settings 12
allow reminder popup 12
Alphanumeric 27
alphanumeric 3
alphanumeric keypad 14, 27
authentication
  at ActiveSync 17
  delay 16
  number of attempts 15
  QuickPIN length 15
  QuickPIN timeout 16
  shuffle PIN/PicturePIN icons 14
  to removable media 87
  type 14
    alphanumeric 14, 27
    customized 14
    numeric 14, 27
    picture set 1 14, 27
    picture set 2 14, 27
    user selectable 14
  unlimited attempts 15

C
calling
  Remote Help administrator 68
calling when Pointsec Mobile is locked 66
calls
  incoming 68
contacts and call history 66
customize picture set 12
customized keypad 14

D
deploying 51
  3rd-party software 51, 54
device
  lock 71

E
Enable 30
encrypting
  removable media 83
  shared secret 30
encryption
  applying security policy to removable media 91
  exclusion list 23
  inclusion list 23
  policy for removable media 81
  settings 23
  temporary 6
  with Pointsec Mobile - introduction to 6
enforce password history 18
event log levels 13
event log size 13
event logging
  installation set created 1
  profile loaded 2
  remote help performed 2
  update profile created 2
event logging on a device 1
examples
  exclusion and inclusion lists 40
exclusion and inclusion list examples 40
exclusion list 23, 35
exclusion v inclusion 38, 45

F
file transfer 28
  device recovery file timeout 28
  wait until device recovery file transferred 28
folders
  update 60

I
inclusion and exclusion list examples 40
inclusion list 23, 35
incoming calls 68
info screen 22
  show first 22
  text 22
information
  accessing 69
installation set 52, 53
  creating 52
  using software distribution tools with 54

K
key lock function 71
keypads 57
  alphanumeric 3
  customized 4
  picture set 1 2
  picture set 2 2

L
license number 12
lists
  accessing 43, 44
  editing 47, 49
  information types 35
    extension 38
    file name 37
    folder 38
  predefined 45, 49
lock 71

M
max password age 17
media key file 90
min password age 17
miscellaneous
  accept old update profiles 13
  access contacts and call history 12
  allow reminder popup 12
  customize picture set 12
  event log levels 13
  event log size 13
  license number 12
  show advanced settings 12
  show incoming call information 12
  trusted applications 23
miscellaneous settings 11

N
numeric 27
numeric keypad 14

O
overview
  settings 9

P
password
  profile 30
password policy 17, 18
  active 17
  enforce password history 18
  max password age 17
  min password age 17
password properties
  allow digit prefix/suffix 20
  max identical characters 18
  max identical consecutive characters 18
  max number of characters in ordered sequence 19
  min length 18
  min number of digits 20
  min number of letters 19
  min number of special characters 19
  require upper and lower case 20
password protection for removable media 81
password rules button 76
phone
  Remote Help direct dial 30
phone calls 66
picture set
  customizing 12, 4
  format 4
  size 4
  picture set 1 14
  picture set 2 14
picture set 1 27, 2
picture set 2 27, 2
Pointsec Administration Console
  create install set 9
  starting 7
Pointsec Mobile
  configuring 56
  deploying 51
  installing on devices 54
  overview 52
  removing 30, 111
  updating 60
  upgrading 62
predefined lists
  relaxed 47
profile 52
  password 30
  timestamp 60
  update 60
profile password 56
protecting information on removable media 84

Q
QuickPIN
  length 15
  timeout 16

R
rec file
  transferring from device to PC 59
recovery files 108, 109
Remote Help 68, 103
  enable Remote Help direct dial 30
  encrypt shared secret 30
  for removable media 89
  identity recovery file 106
  import webRH profile 29
  installation set settings 29
  number of PicturePIN attempts 103
  providing 107
  recovery file 108
  Remote Help direct dial number 30
  silent uninstall 30
  type 105
    device 105
    memory card 105
  unlock
    challenge 106
    generate 106
    response 106
  use webRH 29
  verifying users 104
Remote Help action type 105
Remote Help direct dial 30
  number 30
removable media

  accessing properties 84
  applying security policy 91
  authenticating to 87
  changing the PIN/PicturePIN/password for 88
  encrypting 83
  encryption policy 81
  encryption settings 25
  forgot password 89
  media key file 90
  password protection 81
  protecting information on 84
  remote help 89
  settings 25
  single sign-on 80
  using 78
  viewing status 85
removable media encryption settings
  allow removable media 25
  authentication type 27
  authentication type user selectable 27
  decryption policy 26
  enable removable media password 27
  enable Single Sign-On (SSO) 27
  encryption policy 26
  inclusion/exclusion list 28
removable media PIN/PicturePIN/password properties 28
removing 111
  silently 30
response 109
ring signals 78
rules button 76

S
screen lock 21
  basic 21
  escalated 21
  none 21
  screen lock inhibit applications 21
  timeout 21
  type 21
screen lock inhibit applications 21
  adding 31
  deleting 32
settings
  authentication 14
  encryption 23
  file transfer 28
  info screen 22
  license number 12
  miscellaneous 11
  password policy 17, 18
  Remote Help 29
  removable media 25
  removable media encryption 25
  screen lock 21
  show advanced settings 12
shared secret password 56
shared secret, encrypt 30
show incoming call information 12
shuffle icons on device screen 14
shuffle PIN/PicturePIN icons 14
silent uninstall 30
single sign-on 80
status of removable media 85

T
temporary encryption 6
timeout 21
timestamps 60

U
update folder 60
updating
  security settings 60
upgrading
  software 62

V
verifying users 104


Worldwide Headquarters

Check Point Software Technologies, Ltd.
5 Ha’Solelim Street
Tel Aviv 67897, Israel
Tel: 972-3-753-4555
Fax: 972-3-624-1100

email: [email protected]

U.S. Headquarters

Check Point Software Technologies, Inc.
800 Bridge Parkway
Redwood City, CA 94065
Tel: 800-429-4391; 650-628-2000
Fax: 650-654-4233

www.checkpoint.com
