Configure Windows Mobile devices to local wipe after failed logons


Serdar Yegulalp
10.17.2007

Excessive failed logon attempts may signal that a wireless device has been lost or stolen -- a serious security risk. Find out how to configure your Windows Mobile 5 and 6 devices for local wiping, so they automatically destroy their data after a specified number of failed logons.

Most security policies for Windows Mobile devices are what I call "scorched-earth" policies. Essentially, an Exchange administrator remote wipes a mobile device to mitigate a specific security risk, such as a lost or stolen device. All Exchange Server data is completely erased when a wireless device is "wiped clean."

You can trigger a remote wipe of a mobile device through Exchange Server 2007 and Outlook Web Access (OWA) 2007, but that presumes the wireless device will contact the Exchange server at some point.

It makes sense to allow mobile devices to wipe themselves when certain prerequisite conditions are met, such as a specified number of failed personal identification number (PIN) entries or incorrect password attempts. This mobile security feature is called a local wipe.

Windows Mobile 5 and 6 devices have provisions for performing local wipes. However, this setting is not enabled by default, and for good reason. Discovering that your Windows Mobile device has committed digital suicide after you messed up your fifth attempt to punch in your PIN can be aggravating -- especially if you didn't know such a policy was in place to begin with.

But if your organization wants to implement this additional layer of security around Windows Mobile devices, it can be done -- with a little work.

  • First, the Password Required Policy (security policy ID 4131), a Windows Mobile security policy setting, must be enabled for the device in question.
  • Next, a registry entry has to be set on the mobile device to enable this feature. In HKLM\Comm\Security\Policy\LASSD, create the decimal key DeviceWipeThreshold and set it to any positive number. This number will be the number of incorrect password logon attempts to allow before the device's memory is wiped. This setting is also available in the Device Security Settings dialog box in the Exchange Management Console.
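
The two steps above can be delivered together as one Windows Mobile provisioning XML document. The following is an added example, not part of the original tip; the threshold of 8 is a constructed sample value, and the policy value 0 is assumed to mean "password required" (check it against the security policy reference for your device build).

```xml
<!-- Added example: provisioning document covering both steps of the tip. -->
<wap-provisioningdoc>

  <!-- Step 1: Password Required Policy, security policy ID 4131.
       Assumption: 0 means a device password is required. -->
  <characteristic type="SecurityPolicy">
    <parm name="4131" value="0"/>
  </characteristic>

  <!-- Step 2: DeviceWipeThreshold under HKLM\Comm\Security\Policy\LASSD.
       8 is a sample value: the number of incorrect password attempts
       allowed before the device wipes its memory. -->
  <characteristic type="Registry">
    <characteristic type="HKLM\Comm\Security\Policy\LASSD">
      <parm name="DeviceWipeThreshold" value="8" datatype="integer"/>
    </characteristic>
  </characteristic>

</wap-provisioningdoc>
```

Apply it to a test device first and read the registry value back to confirm the threshold before rolling it out, since a mistyped low value will wipe devices after ordinary PIN mistakes.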

NOTE: In Windows Mobile 4, this function did not erase any external memory on the device, such as an SD card or other plug-in memory device. However, Windows Mobile 6 devices will erase external memory cards as well.

About the author: Serdar Yegulalp is editor of Windows Insight, a newsletter devoted to hints, tips, tricks, news and goodies for all flavors of Windows users.

All Rights Reserved, Copyright 2004 - 2008, TechTarget