Mobile Device Security Guide

Mobile device with "hello" on the screen

Mobile devices are an integral part of life at Duke. We use many of the same applications on them that we do on our desktops and laptops and access the same sensitive data. In this guide, learn more about:

Device Configuration

We recommend the following to ensure that the data on these devices is secured to the greatest extent possible:

Configurations	iOS	Android OS
Screen Lock :	Enabled by default	Enabled by default
Update OS:	Settings > General > Software Update	Settings > About Phone > Software Updates
Set a passcode / screen lock:	How to: https://support.apple.com/en-us/HT204060 Current version of iOS require a PIN of at least 6 digits	How to: https://support.google.com/android/answer/9079129?hl=en
Encryption enabled by default:	iPhones	Android
Remote wipe a lost or stolen device:	Sign in to iCloud with your AppleID: https://www.icloud.com Choose Find My iPhone. Select the appropriate device. Click Erase iPhone from the device screen. *Requires iCloud configuration and the Find My iPhone app	Sign in to Google Find My Device: https://www.google.com/android/find Select the device in question. Choose Erase Device. Not all Android devices provide remote wipe capabilities by default. Check your mobile provider to see if they offer apps with this functionality. Alternatively, check the Play Store for third-party remote wipe products.

System Updates & Security Software

Mobile devices are susceptible to malware, viruses, and similar threats. Please ensure your software is always up-to-date and install security applications when available. If your device is no longer eligible for iOS or Android updates, then it's a security risk that cannot be mitigated, and we strongly encourage you to consider replacing it with a device running the most current OS.

Determine if your Apple device supports the newest release of iOS see: https://support.apple.com/guide/iphone/supported-models-iphe3fa5df43/ios
For Android devices update schedules vary by device, manufacturer, and mobile carrier

If you have a Pixel phone or Nexus device, learn when you’ll get updates.
If you have another Android device, contact your manufacturer or carrier for info.

Password Protection & Encryption

Ensure your device is password protected to prevent unauthorized access. Use passwords to help protect your privacy if your device is lost or stolen. For sensitive apps, enable the ability to require authentication each time the app is launched. For example on an iOS device you can require the use of FaceID or TouchID before launch apps like 1Password, Box, Microsoft Outlook, and others.

Password protect any important documents that are kept on your device. Your grocery list doesn't need a password, but you don't want confidential information in the hands of a thief. Various applications are available for each device that allow this type of security.

Lock notes on your iPhone, iPad, iPod touch, and Mac
Android does not have a native notes application that offers password protection. Applications like Microsoft OneNote and Evernote can offer this increased level of protection.
1Password has the ability to store secure notes as well as passwords.

Encryption helps to obfuscate critical data on the device if it's ever lost or stolen.

Never leave a smartphone unattended, even for just a minute. Make it a habit to keep your phone close at all times.

Keep only the documents you really need on your smartphone, and remove and archive older files you don't actively use anymore.

Trading your device in

Before you trade-in or donate your device, be sure that you have wiped all personal information from it. See specific factory reset links below for more information and instructions.

Remote Wipe & Factory Reset

Perform a remote wipe on any mobile device if the device is lost or stolen, and a factory reset prior to re-use, disposal, or trade-in. Mobile devices should be wiped to remove any Duke data on the device, and any connection to Duke data (such as Duke email) should be disconnected. This recommendation applies to Duke-owned devices and any personal devices that may be used to connect to Duke resources.

Note: Cell phones purchased or provided by Duke University should follow the policies issued by the Duke University Procurement Office. Duke University mobile devices should be returned to Procurement and may not be traded in.

If you have a Duke-owned device, consult with IT staff regarding options and configuration to remotely wipe data from the device in the event that it is lost or stolen.
For personal devices, consider the steps outlined in the above chart to allow for remotely wiping a device when needed. University Exchange accounts may also wipe a device using the Outlook Web App (mail.duke.edu). When viewing your account options, click "Phone" in the left hand. Devices configured to access your Exchange account will be displayed along with the option to wipe the device.
To Factory reset your device:

Apple device (iPhone, iPad, iPod Touch): https://support.apple.com/en-us/HT201351
Android device: https://www.digitaltrends.com/mobile/how-to-wipe-your-android-phone-or-tablet/

Device Tracking

To be prepared if the unfortunate circumstances of loss or theft arise you should enable device tracking for all of your mobile devices.

VPN

Avoid connections to Duke via the Internet from public wifi offerings, and only connect through the Duke VPN client. Some content at Duke requires the use of a VPN connection when off campus. You are also encouraged to use the VPN client when accessing any personally sensitive information from a public wifi offering. See the VPN FAQ page for more information on using a Virtual Private Network. At present there is only a VPN client for iOS.

Reminder

Remember to always contact the DUPD or other local law enforcement to report mobile device theft. DO NOT take matters into your own hands.

Contact DUPD