
View Full Version : Help me keep my PPC at Work!!! (Can AS Inbox sync be easily disabled?)


dorelse
02-07-2005, 10:17 PM
My company, a rather large financial organization, has decided to ban personal PDAs from the office. Very simply, they're extremely dedicated to the protection of personal information. As such, they've made the decision to ban personal PDAs from the office.

Their main concern is the possibility of information theft that is contained in the e-mails that PPCs (and Palms) sync and store.

I have to say, that I do agree with this decision. The average PDA user that I help has no interest or desire to secure their PDA the way it needs to be.

So...after discussing options with our CIO, he's tasked me with seeing if there is an easy way to disable ActiveSync from syncing to the inbox. Can this be done by tweaking a registry setting?

It would need to be something I can deploy via a script (which I can make the user's PC run at boot time), or via some other automated alternative.

Thanks!!!!!

yankeejeep
02-07-2005, 10:40 PM
It's done inside AS on the desktop. Go to Options and the Sync Options tab, where you will see listed the items to sync for the active partnership. Uncheck anything you don't want to sync with the connected partner device. It's an honor system in that the user who knows how can restart the disabled sync items by turning the selections back on, but I am guessing that would not be an issue.

Jeff Rutledge
02-07-2005, 10:50 PM
I'm far from an expert, but this looks to be the key you want: HKEY_CURRENT_USER\Software\Microsoft\Windows CE Services\Partners\7b8234fe\Services\Synchronization\Objects\Merlin Mail\Disabled (make it a 1 to disable Inbox sync).

Unfortunately, I'm betting that the key between "Partners" and "Services" is unique for each partnership.
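
Added example (not part of the original posts and not Microsoft's code): because the ID between "Partners" and "Services" differs per partnership, a script can enumerate every subkey under Partners instead of hard-coding one. This PowerShell script uses the key path exactly as quoted above and assumes `Disabled` is a DWORD value; the function name `Disable-InboxSync` is hypothetical.

```powershell
# Added example: set Disabled=1 on the "Merlin Mail" sync object of every
# ActiveSync partnership belonging to the current user, and report the result.
# Assumptions: key layout and object name come from the post above;
# "Disabled" is assumed to be a DWORD.
$partnersRoot = 'HKCU:\Software\Microsoft\Windows CE Services\Partners'
$objectSubKey = 'Services\Synchronization\Objects\Merlin Mail'

function Disable-InboxSync {
    param(
        [string]$Root = $partnersRoot,
        [switch]$AuditOnly          # report only, write nothing
    )

    # No Partners key means ActiveSync has never been paired for this user.
    if (-not (Test-Path -LiteralPath $Root)) { return }

    # Each subkey of Partners is one partnership ID (7b8234fe in the post).
    foreach ($partner in Get-ChildItem -LiteralPath $Root) {
        $mailKey = Join-Path $partner.PSPath $objectSubKey
        if (-not (Test-Path -LiteralPath $mailKey)) { continue }

        $before = (Get-ItemProperty -LiteralPath $mailKey -Name Disabled `
                   -ErrorAction SilentlyContinue).Disabled

        if (-not $AuditOnly -and $before -ne 1) {
            New-ItemProperty -LiteralPath $mailKey -Name Disabled -Value 1 `
                -PropertyType DWord -Force | Out-Null
        }

        $after = (Get-ItemProperty -LiteralPath $mailKey -Name Disabled `
                  -ErrorAction SilentlyContinue).Disabled

        # One row per partnership so the output can be logged centrally.
        [pscustomobject]@{
            Partner = $partner.PSChildName
            Before  = $before
            After   = $after
            Changed = ($before -ne $after)
        }
    }
}

Disable-InboxSync | Format-Table -AutoSize
```

Because the key lives under HKCU, this has to run in the user's own session (a logon script rather than a machine startup script). A row with `Changed` = True on a later run means the value was not 1 when the script started.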

dorelse
02-07-2005, 11:01 PM
It's done inside AS on the desktop. Go to Options and the Sync Options tab, where you will see listed the items to sync for the active partnership. Uncheck anything you don't want to sync with the connected partner device. It's an honor system in that the user who knows how can restart the disabled sync items by turning the selections back on, but I am guessing that would not be an issue.

2 Problems. First off, the honor system. The honor system doesn't work from a corporate security standpoint.

Second, it needs to be something at a deeper (read: hidden, protected) permanent change, something the user can't change, or override.

Thanks, but I need a more secure solution than 'trust the users'.

smittyofdhs
02-07-2005, 11:16 PM
I know this won't help but it's a good discussion for IT staff...

So what keeps the employee from just printing out the sensitive data and taking home the printout? Same difference, right?

It's just as easy for the employee to stuff a piece of paper in their wallet or purse. In fact, even easier in most cases....

Likewise, I do NOT know of any email filter that is going to be able to detect whether certain data is supposed to be secure or not, so what keeps the employee from sending the data via email or fax?

Banning PDAs isn't going to stop the theft of secure data, nor is it going to reduce it, because there are 100 other ways to get the data outside the doors of the office...

yankeejeep
02-07-2005, 11:25 PM
Unfortunately, I don't think you will find a secure solution with ActiveSync. You might want to look at AS replacements listed in the pocketpcmag.com software encyclopedia's synchronization section and see if there is a solution offering more administrative control.

surur
02-08-2005, 12:27 AM
Here are your answers:

http://www.iqmax.com/content/downloads/whitepapers/WindowsMobileBasedDevices-Security.pdf

A security white paper with all the answers.

As a side note, if your users are USERS, not ADMINISTRATORS, can't you just lock the registry keys using a security policy and disallow any change after you disable e-mail syncing? You could disable it once and then prevent any further change to that registry branch, and no script to run on every boot.

Surur

dorelse
02-08-2005, 01:50 AM
I know this won't help but it's a good discussion for IT staff...

So what keeps the employee from just printing out the sensitive data and taking home the printout? Same difference, right?

It's just as easy for the employee to stuff a piece of paper in their wallet or purse. In fact, even easier in most cases....

Likewise, I do NOT know of any email filter that is going to be able to detect whether certain data is supposed to be secure or not, so what keeps the employee from sending the data via email or fax?

Banning PDAs isn't going to stop the theft of secure data, nor is it going to reduce it, because there are 100 other ways to get the data outside the doors of the office...

Good thoughts....here's the deal from my company's perspective..

PDAs can store thousands of e-mails easily, quickly, etc...(Kinda the point eh?)...paper, sure you can steal stuff, but it takes a lot of work to do the same.

I think it's important to note, we're not attempting to prevent people with malicious intent here...it's the theft & accidental loss we're trying to cope with. I think we can all agree an employee who wishes to do harm to a company probably can....however the deterrent to that is jail.

All PDAs aren't banned, the company does allow Blackberrys in house, however they have a remote data wipe option obviously other PDAs don't.

E-Mail & Fax are all monitored (or have tracking logs in place). Just what's on your PDA? We don't know.

Yes, there are 100 ways to steal info...basically, they have to start somewhere.

It's also important to note that since PDAs are owned by the employee, a corporation doesn't have as much 'control, power, etc' over the equipment as they do a corporately purchased PDA such as a Blackberry.

OSUKid7
02-08-2005, 02:30 AM
I'm drawing a blank when it comes to the name of this software, but there's a program for Pocket PCs that locks down the device. It takes security to the next level, and can be set to hard reset the device if a password is incorrectly entered X number of times. Hopefully someone else has a better memory of that program and you can suggest that to your company.

PDANEWBIE
02-08-2005, 02:50 AM
Export your email to a PST file and copy it to a thumbdrive or burn it to a CD.

Sorry I hate to say it but no matter how locked down you make anything it's going to happen (by the ones who can do the most harm). Starting somewhere is nice but I really hate to say that disabling the major functions of what a PPC is for kind of defeats the purpose of having it in the workplace don't you think?

Why not just do a company wide ban on PPCs and only allow Blackberries that the company pays for?

The company I left did the same thing (email lockdowns) for their employees (with Palms though) and I'll tell you right now of the 300 employees we had about 35 devices in use when they did this lockdown the employee usage went down to 2. Most of the employees actually came back handed them to me (most had been department purchase not individual) and told me that it was only good to keep track of a few appointments but they needed the email far more as most of them used it on weekends and brought them in to sync up and didn't go on many appointments during the weekend.

Just want to forewarn you of some of the consequences of locking something like this down especially when you have had a user base that had the functionality to begin with.

dorelse
02-08-2005, 07:07 AM
I'm drawing a blank when it comes to the name of this software, but there's a program for Pocket PCs that locks down the device. It takes security to the next level, and can be set to hard reset the device if a password is incorrectly entered X number of times. Hopefully someone else has a better memory of that program and you can suggest that to your company.

Yeah...there lies the problem...the company has a 'solution', and it's Blackberrys.

Since the company has chosen & deployed Blackberrys, they're willing to go along with allowing PPCs/Palms IF a low-cost solution can be found. So, I doubt a site license is in the cards.

Thanks!

dorelse
02-08-2005, 07:19 AM
Export your email to a PST file and copy it to a thumbdrive or burn it to a CD.

Sorry I hate to say it but no matter how locked down you make anything it's going to happen (by the ones who can do the most harm). Starting somewhere is nice but I really hate to say that disabling the major functions of what a PPC is for kind of defeats the purpose of having it in the workplace don't you think?

Why not just do a company wide ban on PPCs and only allow Blackberries that the company pays for?

The company I left did the same thing (email lockdowns) for their employees (with Palms though) and I'll tell you right now of the 300 employees we had about 35 devices in use when they did this lockdown the employee usage went down to 2. Most of the employees actually came back handed them to me (most had been department purchase not individual) and told me that it was only good to keep track of a few appointments but they needed the email far more as most of them used it on weekends and brought them in to sync up and didn't go on many appointments during the weekend.

Just want to forewarn you of some of the consequences of locking something like this down especially when you have had a user base that had the functionality to begin with.

Again, people that really want to do harm and steal info can, I'm not denying that. It's accidental loss, or theft of the device that I'm trying to mitigate. If the device is lost or stolen little to no information is lost with just Calendar & Contacts, yes File sync could be another issue (one thing at a time please).

All of our internal polls show that 90% of our PPC/Palm user base really only wants contact & calendar syncing, and complementing that fact is that the security folks don't want e-mail syncing, but are ok with Contacts & Calendar...so really, that's the agreed upon functionality we're going to allow.

Hrun
02-11-2005, 07:19 PM
I do not see why personal PDAs need to sync to the work network at all?

If an employee has a genuine need to use a PDA for work then you have a solution with the Blackberrys the company owns.

If they wish to use their own then they simply cannot sync with the work computers (this is how I work and still use my PDA without syncing, although this is because I can't, not because they won't let me)

wshwe
02-12-2005, 05:47 AM
Corporate security policies have become ridiculous. It makes no sense to ban PDAs, but not Blackberries and laptops.