Answer the common queries about FDE for Windows Mobile.
Currently, the only capability we have is to encrypt the SD card so that any data put on it from the device is encrypted. The required policies for setting this action are located at Full Disk Encryption > PPC > Encryption > PPCEncryptDevice. This policy is used to specify that all external media and internal storage on a PPC device is encrypted.
One way to test this is to set the above policy, install FDE for Windows to the device and insert an SD card. After inserting the SD card you will receive a warning that the card will be reformatted so it becomes encrypted. Now if you pull a file from the device into the SD card and take the SD card to another device without FDE, you will notice that the file is in encrypted and unreadable on the new device. Through this way, even if a card is lost or stolen, your data is fully protected.
This behavior is how the Blackjacks and other Windows-based smartphones work and is a feature of the operating system. The idea is that if a phone is at the password screen, it may be running an application in the background and the OS will not allow the phone to be powered off unless the user has a valid authentication.
To see this outside of our software, one can enable the default built-in password application on the phone (supplied by Microsoft), go to the login screen and see that it behaves the same way.
If you are using FDE and Microsoft Direct Push, encrypted data appears in your Outlook clients. This occurs because the smartphone and Exchange have setup a schedule to automatically sync on set intervals. This can occur when the phone is in the "Locked State". When the phone is in the "Locked State", FDE encrypts the databases that exchange syncs with contacts, appointments, email, and tasks. If Auto Sync happens when the device is locked, the encrypted values will be pushed to the Exchange server. If you do a manual sync when the device is unlocked, this corrects the problem.
As a workaround:
- Configure FDE to prevent encrypting the local databases when the session is closed.
- Change the local sync policy (in ActiveSync on the device) to "Manual Sync" so that the device syncs when a user is signed on. This way, the sync is not done automatically when there is no way of knowing if the data is encrypted or not.
The Moto Q9h has the Opera browser set as default for opening text message URLs. You cannot install Endpoint Encryption software with Opera as our server does not currently recognize Opera. Attempting to install with Opera generates the following error:
Cannot initiate install
To resolve the issue, browse the installation URL with Internet Explorer on any phone we support.
Alternatively, force IE to be your default browser before you install:
- Select opera/tools/settings/misc/ and then untick Set Opera as default browser.
- Open the SMS message and click the link. The link should open in IE, not Opera, and then installation should work fine.