Walmart Analysis

Security as a niche industry is starting to get noticed. There are a number of organisations that have written and published security applications of one sort or another for the PDA world with the enterprise in mind. Of these Credant has one of the best reputations in the market. They have got years of experience and a solid product with several offerings to cover both enterprises and medium sized businesses.

The Credant Mobile Guardian (CMG) is sold in three forms. The personal edition is marketed through OEMs and is the software that is available now on the HP iPAQ business devices (including the iPAQ hx4700 series). Personally, I’d love to see this available through retail channels such as Handango and PocketGear, but this is not the case at the moment. The group edition is the one reviewed here and is aimed at organisations that want to apply security policies consistently to the devices in their organizations. Finally there is the enterprise edition which is considerably more expensive and provides remote destruction and a number of other features that may appeal to the enterprise organization.

Features

No two Windows Mobile security applications are created equal. If you look at the feature sets of the security applications on the market today, you’ll find disparate feature sets between the applications. Some have built in firewall, some don’t, some enforce restrictions on storage card, infrared and Bluetooth, others don’t and so on.

This article will be looking at the following features and how Credant Mobile Guardian helps defining and applying them:

Policies

Authentication

Device Lockdown

Encryption

Logon/Logoff

Device deployment

On the device

Policies

Credant have created their device security software based on policies. This approach allows you to take your organisation’s security policy and create an installer that ensures the device complies with the security policy.

The software itself is delivered as a desktop installer that places the policy editor and components onto your laptop or desktop computer. Nothing is installed to the Pocket PC at all at this time.

Once installed, you need to start the policy editor and create a policy file. The policy file is saved as an XML file and can be used to build an installer for the target platform. The target platform can be Windows Mobile Pocket PC, Windows Mobile Smartphone or Palm OS. I’ve used a HP iPAQ h6365 Pocket PC Phone Edition device for my tests.

Creating a policy file is a simple matter of working through the available options in the editor. The list is quite extensive and allows for a tightly configured device.

Policy Editor (click for a larger image)

Policy Editor (click for a larger image)

Authentication

One of the critical areas of device security is authentication onto the device. That is how the user gains access to the applications and data on the device. CMG gives the option of PIN based or password based authentication.

PIN based authentication uses a numeric keypad similar to the default Windows Mobile PIN to allow users to enter a four digit PIN in order to log on. CMG allows considerably more control over the user’s PIN than the default authentication. CMG can be configured to force the user to change their PIN at a configurable period as well as remember a number of previous pins to prevent the user from reusing them. CMG can also enforce PIN complexity, preventing sequential numbers or repetition of numbers in a pin making the pin more secure.

If you feel that a PIN does not offer strong enough protection, you can use a password. The password can be configured to ensure complexity and remember previous passwords. In addition you can set how much of the password must be unique, preventing users from using passwords with an incremental number in it.

CMG also gives a number of options for how to manage invalid logon attempts. For instance, you can have CMG simply wait a configurable (and optionally incremental) period of time between sets of logon attempts. For example you can set the device to pause for 30 seconds after three invalid attempts. After a further three attempts, you can set this cool down period to increment by 30 seconds before allowing further