Stanford Mobile Device Security Project


Mobile device usage — smartphones and tablets — is rapidly growing on the Stanford campus and throughout the world. Mobile devices are expected to outsell traditional personal computers this year. As these devices become ubiquitous on campus, their inherent risks become more apparent.

Security features common on desktop and laptop computers are inconsistently applied across mobile device platforms. On a laptop, we rely on anti-virus software to safeguard our system, but few mobile devices have such software. While most personal computers on campus are password-protected, few of us configure our mobile phones with a password or PIN to protect it against unauthorized use. And the potential for unauthorized use increases because mobile devices are easily (and frequently) misplaced. While most of us pay attention to system updates and security patches for our computers, mobile device owners focus more on the latest app or features.

The Mobile Device Security project seeks to set a new policy (or set of policies) for mobile device security. These will be implemented as procedural guidelines with corresponding technical solutions to provide security to users accessing Prohibited, Restricted, or Confidential data at Stanford University. This project seeks to:

In the first phase of the project, IT Services plans to build a Mobile Device Management (MDM) application for iOS devices. The MDM will grant the device owner remote, web-based access to reset the passcode, lock the device, wipe Stanford data, or wipe all data from the device if it's lost or stolen. The MDM also will monitor the set of applications on the device and notify the owner if there are any apps that may harm the device or divulge personal information. Additionally, the MDM will ensure that data on the phone is encrypted and that a passcode is in use. The MDM application will be available in late summer 2011.

Later phases of the project will explore the availability of commercial MDM products for use at Stanford. (Currently, commercial MDMs are not well suited to Stanford’s needs, but they are likely to improve and evolve over time.) Tools for Android and Blackberrys that don’t use a BES service will be considered as well.


At the end of phase one of the project, Stanford University will be able to provide more secure access to Prohibited, Restricted, and Confidential data over mobile devices such as iPhones, Blackberrys, and iPads.  The university will have access to audit information regarding what devices are being used so that risk can be reduced.

Client Impact

Client impact will vary based on the type of data the client wants to access via a mobile device. For most mobile users, annual review and acknowledgement of the mobile device security policy will be the extent of the requirements. This is similar to the requirements for the computer usage policy today. (See Admin Guide, Chapter 6.)

Clients who access Prohibited, Restricted, or Confidential data via an iOS device (iPhone, iPad, or iPod Touch) are required to install the MDM application. This enforces sufficient security to allow access to the information required to do their job. Because this solution requires installation of an application on devices that may or may not be university-owned, there is likely to be a mix of positive and negative reactions. The project team is focusing on educating users on the vulnerabilities and risks unique to the use of their mobile devices and the need for compliance with the new policy governing mobile device use.

Project Team

Role Name
University Business Owner Tina Darmohray
Project Sponsor Kim Seidler
Project Manager Larry Ebert

Team Leads
  Security Policy
  Strategy and Architecture

  BES Server
  Help Desk

Mark Mellis
Bruce Vincent
Scotty Logan

Adam Lewenberg
Yue Lu
Leroy Altman

William Mingle
Jason Cowart
Robin McClish

Campus Readiness Ammy Hill
Documentation Cary Norsworthy

Advisory Groups

Stanford Mobile Steering Committee

A cross-departmental team to provide advice to the project on design approach and impact to the business units.