They say you don’t know what you got until it’s gone. I say “They” because after 5 minutes on Google I still wasn’t sure who the original source was, and I began to realize it’s not super important to the point of this post.
We’re here to talk about requiring your users to have a PIN on their phone’s lock screen. Adding a PIN to your phone is not going to be the silver bullet for keeping sensitive content safe, but it’s about as good a start as you’ll find. Requiring that all mobile devices that connect to your Office 365 tenant have a lock screen PIN will help ensure that your users’ emails stay secure.
Fair warning before enforcing PINs: it’s been my experience that most users fall into two categories. The first is users who already have a PIN on their phone and won’t even care that you’re now requiring one. The second is users who will flip their lid and begin thinking you are the original author of Mein Kampf. I say this not to discourage what I’m about to show you but rather to prime you for the fallout.
To begin enforcing PINs for mobile devices you’ll first want to sign in to the Exchange Control Panel. Swing on down to the mobile tab on the left and move to the mobile device mailbox policies heading to view the default policy that Office 365 uses. After highlighting the default policy, click the pencil to open the settings dialog.
On the first tab, uncheck the box highlighted below; doing so ensures that only devices that can support the required security settings are allowed to sync content.
Moving on to the security tab, you’ll uncover a wealth of options. Just how far beyond a basic PIN requirement you want to go is completely up to you. The settings shown below represent what suffices for 99% of the Office 365 tenants in my experience. They’re also a good balance between securing your tenant and not alienating your users. These settings will ensure your users have at least a 4-digit numeric PIN stronger than 1111 and a phone that auto-locks after 60 seconds of sitting on a bar stool, and that the device will wipe if a thief or drunk user fails to enter the password 5 times in a row.
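The same settings can be audited and applied from Exchange Online PowerShell. The script below is an added example, not part of the original post: it compares every mobile device mailbox policy against the baseline described above, then previews the change to the default policy. It assumes the ExchangeOnlineManagement module is installed and that the dialog options map to the `Set-MobileDeviceMailboxPolicy` parameters shown.

```powershell
# Added example: audit, then enforce, the PIN baseline described in this post.
# Assumes the ExchangeOnlineManagement module and an Exchange administrator role.
Connect-ExchangeOnline

# Baseline from the post's description; the parameter mapping is an assumption.
$baseline = @{
    AllowNonProvisionableDevices = $false      # the box unchecked on the first tab
    PasswordEnabled              = $true       # require a lock screen PIN
    AlphanumericPasswordRequired = $false      # a numeric PIN is enough
    AllowSimplePassword          = $false      # rejects PINs such as 1111
    MinPasswordLength            = 4           # at least 4 digits
    MaxInactivityTimeLock        = '00:01:00'  # auto-lock after 60 seconds
    MaxPasswordFailedAttempts    = 5           # wipe after 5 failed attempts
}

# Report every setting, on every policy, that differs from the baseline.
# Values are compared as strings because some properties can be "Unlimited".
$drift = foreach ($policy in Get-MobileDeviceMailboxPolicy) {
    foreach ($name in $baseline.Keys) {
        $actual = "$($policy.$name)"
        if ($actual -ne "$($baseline[$name])") {
            [pscustomobject]@{
                Policy    = $policy.Name
                IsDefault = $policy.IsDefault
                Setting   = $name
                Actual    = $actual
                Expected  = $baseline[$name]
            }
        }
    }
}
$drift | Sort-Object Policy, Setting | Format-Table -AutoSize

# Preview the change to the default policy. Remove -WhatIf to apply it.
$default = Get-MobileDeviceMailboxPolicy | Where-Object { $_.IsDefault }
Set-MobileDeviceMailboxPolicy -Identity $default.Identity @baseline -WhatIf
```

Policies other than the default show up in the drift report too, which matters because a mailbox assigned a custom policy is not covered by changes to the default one.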
Sadly, these settings will boost your security but will severely reduce the number of butt dials, drunken emails from users too intoxicated to enter their PIN within 5 attempts, and thrilling panic attacks when your users’ significant others hear that they lost their cell phone and all the pictures on it.
Questions, love notes, or hate mail? Leave a comment below or if you prefer to confess your love in private then use the form to the right.