Mobile Device Security FAQ

The intent of the UF policy and standard is that all storage devices will be encrypted. There are two very narrow and limited exceptions. See Exceptions for encrypting portable storage devices for more information.

Other models are acceptable, but it must be verified that the drives are truly hardware encrypted. Many drives advertised as ‘secure’ only implement a password check in software; the data is not actually encrypted and thus is easily accessible even without the password. We have tested and verified the security of the following models:

The encryption and passcode requirements apply to any device used to store university data. If your device cannot comply, then you need to be certain that you do not use it to access or store university data. Next time you go to purchase a smartphone or tablet, be sure to choose a model that can meet UF’s requirements. Check the instructions for encrypting the different phone models to help find a compliant phone model.

Portable computers that are not capable of using a supported and UF-standards compliant encryption method may use another form of whole disk encryption. There are very specific requirements that must be followed.

This depends on the encryption method used. Please see the instructions for your particular computer. If you need assistance, please contact the UF Computing Help Desk.

The Mobile Computing and Storage Devices standard requires that portable storage devices such as flash drives and portable hard drives be fully encrypted. UF has tested and recommends the Kingston DataTraveler Vault Privacy and Kingston DataTraveler Locker+ G2. For more information, see USB Drives. There are very limited exceptions to this requirement; see Exceptions for encrypting portable storage devices for more information.

Encrypting your laptop’s hard drive or device’s storage only affects the data as stored on the device. This prevents someone who obtains your device without your password from being able to read the files directly from the hard drive. Individual files and emails are not encrypted; rather, the complete disk is. Files copied off the device and emails sent from the device will not be encrypted, and thus need to be protected.

When you configure a phone or tablet to receive email via Exchange ActiveSync, the email system will attempt to enforce some security controls, such as a passcode lock. However, because phones vary in the features they support, this cannot be counted on to apply all required security controls. Be sure to follow the steps outlined for your specific phone model on the Mobile Device Security website to make sure it is fully encrypted.

Small devices intended primarily for the access to or processing of data, which can be easily carried by a single person and provide persistent storage. New products with these characteristics appear frequently. Current examples include, but are not limited to, the following types of products:

All mobile computing devices that store University of Florida Data must be fully encrypted, regardless of ownership. For example, smartphones and tablets store University of Florida Data when they are configured to access UF email. This means that personally owned laptops, smartphones and tablets used for university business must be encrypted.

Mobile computing devices purchased with University of Florida funds, including, but not limited to, contracts, grants, and gifts, must be recorded in the unit’s information assets inventory. Mobile storage devices, including USB flash drives and CD or DVD media, do not need to be inventoried.

There are two exceptions included in the Mobile Computing and Storage Devices Standard that have a very limited scope:

Specific uses where no Restricted Data will be stored and encryption would interfere with the device’s intended use. Devices used in this way must be clearly marked as not for use with Restricted Data.

This exception is intended only for situations such as SD cards used in digital cameras or bootable USB drives used to install operating systems. This does not include situations in which encryption is inconvenient or adds undesired complexity.

Specific uses in which devices are used for marketing and public relations, no Restricted Data will be stored, and the intended recipient is not a member of the UF Community. Devices used in this way must be clearly marked as not for use with Restricted Data.

This exception is limited to marketing activities, such as providing prospective students with publicly available materials in electronic form or submitting team rosters to organizers of athletic events.