Guidelines for Compliant Access to High Risk Data

android ios high-risk mobile compliance

Overview

This guide outlines the policies and standards which must be met in order for users to have access to data which has been classified as High Risk under APM 30.11. In an increasingly flexible and work-from-home environment, this compliance enables users to access to the most sensitive U of I data while still ensuring needs for data security and compliance are met. ITS is enabling access to high risk data through Microsoft Intune Application Protection on iOS and Android, JAMF management on macOS, and Microsoft Endpoint Manager (with Intune and Configuration Manager) on Windows. These technologies are already enabled and in place, but additional settings or configuration may be required on your device once you have access to High Risk data.

Users with access to High Risk data may be referenced as "High Assurance" users.

If users in the High Risk data access group wish to access U of I data from that personal device they may be required to install a management agent on their personal devices, e.g., the Microsoft Company Portal.

Expected Impact

Users will be required to set an authentication method (PIN or biometric) on their mobile device in order to access to many U of I applications that access U of I data (including any High Risk data) from their mobile device
Users may be required to encrypt their device in order to access to U of I data (including High Risk data) from their device
Some user may opt not to use their non-compliant device to access U of I data

Device Compliance Requirements for Operating Systems

	Windows	macOS	Android	iOS
Ownership	U of I owned or operated device¹	U of I owned or operated device¹	Personal or U of I	Personal or U of I
Management	ITS-managed with ConfigMgr+Intune	ITS-managed with JAMF	U of I applications	U of I applications
Encryption	ITS-managed Bitlocker	ITS-managed Filevault	Required	Required
Firewall	Host-based firewall enabled, no unapproved services open	Host-based firewall enabled, no unapproved services open	N/A	N/A
Versions	Current Windows 10, 8.1	Current macOS 10.14 or 10.15	Current Android 8.0+	Current iOS 13 or 14
Patching³	ITS-managed with ConfigMgr+Intune (10 business days)	Current supported macOS, or as managed through JAMF (10 business days)	Must receive current patches in a timely fashion from vendor, and patched within 60 days ²	Current versions within 10 business days
Local Device Authentication	Windows Hello, 6+ digit PIN, or current UI password standards	12 characters or more consistent with UI standards, Biometrics	6+ digits Screen Lock (and optionally Biometrics)	6+ digits Passcode (and optionally Biometrics)
Screen Lock	5 minute timeout	5 minute timeout	No more than 5 minute timeout	No more than 5 minute timeout
Antivirus	ITS-managed Sophos Antivirus	ITS-managed Sophos Antivirus	N/A	N/A
Application Protection	N/A	N/A	Required for all Microsoft or approved apps	Required for all Microsoft or approved apps
Data disposal / wipe	Through U of I IT personnel	Through U of I IT personnel	Automatic or ITS-enforced app data protection/removal	Automatic or ITS-enforced app data protection/removal
Third party file storage	Not allowed	Not allowed	Not allowed; save or copy/paste limited to managed apps	Not allowed; save or copy/paste limited to managed apps
Network access	May be denied from unapproved VPN or Tor	May be denied from unapproved VPN or Tor	May be denied from unapproved VPN or Tor	May be denied from unapproved VPN or Tor
Backups	N/A	N/A	No third party data backup	No third party data backup
Jailbroken/Rooted devices	N/A	N/A	Blocked	Blocked

References

APM 30.12 Acceptable Use Policy https://www.uidaho.edu/apm/30/12
APM 30.11 Data Classifications https://www.uidaho.edu/apm/30/11
- Data Classifications and Standards https://www.uidaho.edu/its/standards/data-security/data-classification
APM 30.15 Password and Authentication Pollicy https://www.uidaho.edu/apm/30/15
- Password Standards https://www.uidaho.edu/its/standards/accounts-groups-passwords/passwords
APM 20.13 Mobile Communication Devices and Services https://www.uidaho.edu/governance/policy/policies/apm/20/13

Footnotes

U of I operated device includes devices purchased by the university as part of any grant funding or provided to the university for facilitation of any official program or project.
60 days of patching delay for Android is a deviation from current U of I 10 day patching requirements and is subject to change.
Some patching may be enforced through Duo Health or manual audits, when not supported by App Protection.

0 reviews

Details

Article ID: 1746

Created

Tue 10/13/20 11:49 AM

Modified

Tue 3/19/24 4:12 PM

Updating...