PGP Mobile - 9.1 Administrator’s Guide

PGP® Mobile 9.10
Administrator's Guide
Version Information
PGP Mobile Administrator's Guide. PGP Mobile Version 9.10.0. Released March 2010.
Copyright Information
Copyright © 1991-2010 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of PGP Corporation.
Trademark Information
Licensing and Patent Information
The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST-128 encryption algorithm, implemented from RFC 2144, is available worldwide on a royalty-free basis for commercial and non-commercial uses. PGP Corporation has secured a license to the patent rights contained in the patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a Conventional Block Cipher. Some third-party software included in PGP Universal Server is licensed under the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL. If you would like a copy of the source code for the GPL software included in PGP Universal Server, contact PGP Support (https://support.pgp.com). PGP Corporation may have patents and/or pending patent applications covering subject matter in this software or its documentation; the furnishing of this software or documentation does not give you any license to these patents.
Acknowledgments
This product includes or may include:
-- The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with permission from the free Info-ZIP implementation, developed by zlib (http://www.zlib.net).
-- Libxml2, the XML C parser and toolkit developed for the Gnome project and distributed and copyrighted under the MIT License found at http://www.opensource.org/licenses/mit-license.html. Copyright © 2007 by the Open Source Initiative.
-- bzip2 1.0, a freely available high-quality data compressor, is copyrighted by Julian Seward, © 1996-2005.
-- Application server (http://jakarta.apache.org/), web server (http://www.apache.org/), Jakarta Commons (http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse HTML, developed by the Apache Software Foundation. The license is at www.apache.org/licenses/LICENSE-2.0.txt.
-- Castor, an open-source, data-binding framework for moving data from XML to Java programming language objects and from Java to databases, is released by the ExoLab Group under an Apache 2.0-style license, available at http://www.castor.org/license.html.
-- Xalan, an open-source software library from the Apache Software Foundation that implements the XSLT XML transformation language and the XPath XML query language, is released under the Apache Software License, version 1.1, available at http://xml.apache.org/xalan-j/#license1.1.
-- Apache Axis is an implementation of the SOAP ("Simple Object Access Protocol") used for communications between various PGP products is provided under the Apache license found at http://www.apache.org/licenses/LICENSE-2.0.txt.
-- mx4j, an open-source implementation of the Java Management Extensions (JMX), is released under an Apache-style license, available at http://mx4j.sourceforge.net/docs/ch01s06.html.
-- jpeglib version 6a is based in part on the work of the Independent JPEG Group. (http://www.ijg.org/)
-- libxslt the XSLT C library developed for the GNOME project and used for XML transformations is distributed under the MIT License http://www.opensource.org/licenses/mit-license.html.
-- PCRE Perl regular expression compiler, copyrighted and distributed by University of Cambridge. ©1997-2006. The license agreement is at http://www.pcre.org/license.txt.
-- BIND Balanced Binary Tree Library and Domain Name System (DNS) protocols developed and copyrighted by Internet Systems Consortium, Inc. (http://www.isc.org)
-- Free BSD implementation of daemon developed by The FreeBSD Project, © 1994-2006.
-- Simple Network Management Protocol Library developed and copyrighted by Carnegie Mellon University © 1989, 1991, 1992, Networks Associates Technology, Inc, © 2001- 2003, Cambridge Broadband Ltd. © 2001- 2003, Sun Microsystems, Inc., © 2003, Sparta, Inc, © 2003-2006, Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, © 2004. The license agreement for these is at http://net-snmp.sourceforge.net/about/license.html.
-- NTP version 4.2 developed by Network Time Protocol and copyrighted to various contributors.
-- Lightweight Directory Access Protocol developed and copyrighted by OpenLDAP Foundation. OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). Copyright © 1999-2003, The OpenLDAP Foundation. The license agreement is at http://www.openldap.org/software/release/license.html.
-- Secure shell OpenSSH developed by OpenBSD project is released by the OpenBSD Project under a BSD-style license, available at http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD.
-- PC/SC Lite is a free implementation of PC/SC, a specification for SmartCard integration is released under the BSD license.
-- Postfix, an open source mail transfer agent (MTA), is released under the IBM Public License 1.0, available at http://www.opensource.org/licenses/ibmpl.php.
-- PostgreSQL, a free software object-relational database management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence.
-- PostgreSQL JDBC driver, a free Java program used to connect to a PostgreSQL database using standard, database independent Java code, (c) 1997-2005, PostgreSQL Global Development Group, is released under a BSD-style license, available at http://jdbc.postgresql.org/license.html.
-- PostgreSQL Regular Expression Library, a free software object-relational database management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence.
-- 21.vixie-cron is the Vixie version of cron, a standard UNIX daemon that runs specified programs at scheduled times. Copyright © 1993, 1994 by Paul Vixie; used by permission.
-- JacORB, a Java object used to facilitate communication between processes written in Java and the data layer, is open source licensed under the GNU Library General Public License (LGPL) available at http://www.jacorb.org/lgpl.html. Copyright © 2006 The JacORB Project.
-- TAO (The ACE ORB) is an open-source implementation of a CORBA Object Request Broker (ORB), and is used for communication between processes written in C/C++ and the data layer. Copyright (c) 1993-2006 by Douglas C. Schmidt and his research group at Washington University, University of California, Irvine, and Vanderbilt University. The open source software license is available at http://www.cs.wustl.edu/~schmidt/ACE-copying.html.
-- libcURL, a library for downloading files via common network services, is open source software provided under a MIT/X derivate license available at http://curl.haxx.se/docs/copyright.html. Copyright (c) 1996 - 2007, Daniel Stenberg.
-- libuuid, a library used to generate unique identifiers, is released under a BSD-style license, available at http://thunk.org/hg/e2fsprogs/?file/fe55db3e508c/lib/uuid/COPYING. Copyright (C) 1996, 1997 Theodore Ts'o.
-- libpopt, a library that parses command line options, is released under the terms of the GNU Free Documentation License available at http://directory.fsf.org/libs/COPYING.DOC. Copyright © 2000-2003 Free Software Foundation, Inc.
-- gSOAP, a development tool for Windows clients to communicate with the Intel Corporation AMT chipset on a motherboard, is distributed under the gSOAP Public License version 1.3b, available at http://www.cs.fsu.edu/~engelen/license.html.
-- Windows Template Library (WTL) is used for developing user interface components and is distributed under the Common Public License v1.0 found at http://opensource.org/licenses/cpl1.0.php.
-- The Perl Kit provides several independent utilities used to automate a variety of maintenance functions and is provided under the Perl Artistic License, found at http://www.perl.com/pub/a/language/misc/Artistic.html.
-- rEFIt - libeg, provides a graphical interface library for EFI, including image rendering, text rendering, and alpha blending, and is distributed under the license found at http://refit.svn.sourceforge.net/viewvc/*checkout*/refit/trunk/refit/LICENSE.txt?revision=288. Copyright (c) 2006 Christoph Pfisterer. All rights reserved.
-- Java Radius Client, used to authenticate PGP Universal Web Messenger users via Radius, is distributed under the Lesser General Public License (LGPL) found at http://www.gnu.org/licenses/lgpl.html.
-- Yahoo! User Interface (YUI) library version 2.5.2, a Web UI interface library for AJAX. Copyright (c) 2009, Yahoo! Inc. All rights reserved. Released under a BSD-style license, available at http://developer.yahoo.com/yui/license.html.
-- JSON-lib version 2.2.1, a Java library used to convert Java objects to JSON (JavaScript Object Notation) objects for AJAX. Distributed under the Apache 2.0 license, available at http://json-lib.sourceforge.net/license.html.
-- EZMorph, used by JSON-lib, is distributed under the Apache 2.0 license, available at http://ezmorph.sourceforge.net/license.html.
-- Apache Commons Lang, used by JSON-lib, is distributed under the Apache 2.0 license, available at http://commons.apache.org/license.html.
-- Apache Commons BeanUtils, used by JSON-lib, is distributed under the Apache 2.0 license, available at http://commons.apache.org/license.html.
-- SimpleIni is an .ini format file parser and provides the ability to read and write .ini files, a common configuration file format used on Windows, on other platforms. Distributed under the MIT License found at http://www.opensource.org/licenses/mit-license.html. Copyright 2006-2008, Brodie Thiesfield.
-- uSTL provides a small fast implementation of common Standard Template Library functions and data structures and is distributed under the MIT License found at http://www.opensource.org/licenses/mit-license.html. Copyright (c) 2005-2009 by Mike Sharov <msharov@users.sourceforge.net>.
-- Protocol Buffers (protobuf), Google's data interchange format, are used to serialize structure data in the PGP SDK. Distributed under the BSD license found at http://www.opensource.org/licenses/bsd-license.php. Copyright 2008 Google Inc. All rights reserved.
Additional acknowledgements and legal notices are included as part of the PGP Universal Server.
Export Information
Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau of Export Administration, United States Department of Commerce, which restricts the export and re-export of certain products and technical data.
Limitations
The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement provided with the software. The information in this document is subject to change without notice. PGP Corporation does not warrant that the information meets your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be made to the information and incorporated in new editions of this document, if and when made available by PGP Corporation.
Unsupported Third Party Products
By utilizing third party products, software, drivers, or other components ("Unsupported Third Party Product") to interact with the PGP software and/or by utilizing any associated PGP command or code provided by to you by PGP at its sole discretion to interact with the Unsupported Third Party Product ("PGP Third Party Commands"), you acknowledge that the PGP software has not been designed for or formally tested with the Unsupported Third Party Product, and therefore PGP provides no support or warranties with respect to the PGP Third Party Commands or the PGP software's compatibility with Unsupported Third Party Products. THE PGP THIRD PARTY COMMANDS ARE PROVIDED "AS IS," WITH ALL FAULTS, AND THE ENTIRE RISK AS TO SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH YOU. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, PGP DISCLAIMS ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS, WHETHER EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NONINFRINGEMENT, QUIET ENJOYMENT, AND ACCURACY WITH RESPECT TO THE PGP THIRD PARTY COMMANDS OR THE PGP SOFTWARE'S COMPATIBILITY WITH THE UNSUPPORTED THIRD PARTY PRODUCT.
Contents
About PGP Mobile
    Overview
    Important Terms
    PGP Mobile and the PGP Universal Server
    Who Should Read This Guide
    System Requirements
    Getting Assistance
        Available Documentation
        Contact Information
Configuration and Installation
    The PGP Mobile Installation File
    The PGP Mobile Configuration File
Messaging
    Using PGP Mobile with PGP Universal Server Version 2.x
        Mail Policies
        Configuring Internal User Policies for PGP Mobile
    Using PGP Mobile with PGP Universal Server Version 3.0
        Mail Policies
        Configuring Consumer Policy Options for PGP Mobile

About PGP Mobile

Mobile devices such as Windows Mobile smartphones are popular tools for digital communications, both in the office and on the road. As more employees and executives begin to carry these wireless devices, the amount of sensitive and confidential information put at risk increases. Lacking the right protection, sensitive email that is stored or transmitted on mobile devices may be breached. The resulting damages can include lost revenue, regulatory penalties, and brand damage.
PGP Mobile enables enterprises to extend market-leading PGP® encryption security solutions for laptops and desktops to Windows Mobile devices, allowing users to encrypt emails, files, and entire storage volumes.
Built on proven encryption and key management services, PGP Mobile provides flexible encryption to meet the data protection and sharing needs of a mobile enterprise. With PGP Mobile, entire data volumes, archives, directories, or individual files can be encrypted. Incoming and outgoing email can be encrypted or decrypted, signed or verified.
Ready for the mobile enterprise, PGP Mobile can be deployed over-the-air, leveraging PGP Universal Server's trusted key management and provisioning services to reduce administrator setup time. When needed, PGP Mobile encrypted data can easily be shared with Windows users, even those without encryption software.
PGP Mobile is a PGP Encryption Platform-enabled application. The PGP Encryption Platform provides a strategic enterprise encryption framework for shared user management, policy, and provisioning, automated across multiple, integrated encryption applications. As a PGP Encryption Platform-enabled application, PGP Mobile is managed with PGP Universal Server to manage existing policies, users, keys, and configurations, expediting deployment and policy enforcement.
In This Chapter
    Overview
    Important Terms
    PGP Mobile and the PGP Universal Server
    Who Should Read This Guide
    System Requirements
    Getting Assistance

Overview

PGP Mobile is a security tool that uses cryptography to protect your data against unauthorized access.
PGP Mobile protects your data by encrypting email messages, individual files, entire data volumes, archives, or directories. Use PGP Mobile to put any combination of files and folders into an encrypted, compressed package for easy distribution or backup. Finally, use PGP Mobile to shred (securely delete) sensitive files—so that no one can retrieve them.

Important Terms

PGP Mobile: A software product from PGP Corporation that allows users to secure emails, files, and entire storage volumes on their mobile devices.
PGP Universal Server: A software product from PGP Corporation used for configuration and management of PGP Corporation encryption applications, including PGP Mobile.
LDAP directory synchronization: An optional feature of PGP Universal Server that lets your PGP Universal Server query your organization's LDAP directory server (a Microsoft Active Directory server, for example), thus taking advantage of existing information about configured users and their authentication credentials.
enrollment: A process during installation of PGP Mobile where the PGP Mobile client synchronizes with the PGP Universal Server. The enrollment process establishes the relationship between the client and the server, binding the managed client to the specific PGP Universal Server. During enrollment, and at specific times afterwards, the PGP Mobile client receives policy and preference updates from the PGP Universal Server. SKM and GKM keys are also downloaded to PGP Mobile during enrollment (the private key portion of CKM and SCKM keys must be downloaded and imported manually; see the PGP Mobile User's Guide for more information).

PGP Mobile and the PGP Universal Server

PGP Mobile requires that users be in a PGP Universal Server-managed environment where the LDAP Directory Synchronization feature is enabled. You provide the information about which PGP Universal Server the PGP Mobile user enrolls with through a separate configuration file provided during client installation.
PGP Mobile users enroll with their PGP Universal Server using their LDAP credentials. PGP Mobile uses keys that are stored on the PGP Universal Server — PGP Mobile does not generate any keys on the device. This ensures that users can use the same key with PGP Mobile and PGP Desktop.
All key types are supported: SKM, GKM, CKM, and SCKM. For SKM and GKM keys, during setup and enrollment, the user's key is downloaded from the PGP Universal Server. For CKM and SCKM keys, the private key cannot be downloaded from the PGP Universal Server; the user must perform a manual step to import the private key.
For secure messaging, policies and preferences are downloaded from the PGP Universal Server when the PGP Mobile user enrolls. Policies and preferences are refreshed on a regular basis.
Note: This release of PGP Mobile is compatible with PGP Universal Server versions 2.9, 2.10, 2.12, or 3.0 only. To use PGP Mobile with later versions of PGP Universal Server, see PGP Support Home Page (https://support.pgp.com).

Who Should Read This Guide

This Guide assumes you are a PGP administrator responsible for:
    Getting mobile device users in your organization up and running with PGP Mobile.
    Setting up your PGP Mobile users so that they can secure their email messaging per organizational policy.
This Guide assumes you are familiar with your organization's PGP Universal Server and have read the PGP Universal Server Administrator's Guide.

System Requirements

To install PGP Mobile, you need:
    PGP Universal Server 2.9, 2.10, 2.12, 3.0
    Note: This release of PGP Mobile is compatible with PGP Universal Server versions listed above only. To use PGP Mobile with later versions of PGP Universal Server, see PGP Support Home Page (https://support.pgp.com).
    LDAP authentication (for enrolling users to the PGP Universal Server)
    Microsoft Exchange Server (required for messaging):
        Microsoft Exchange Server 2003 SP 2
        Microsoft Exchange Server 2007 SP 1
    Note: Be sure you have applied the required service packs to your Microsoft Exchange Server.

Getting Assistance

For additional resources, see these sections.

Available Documentation

PGP Mobile on-device help is installed onto your touchscreen mobile device during the installation process.
To view the help file on your touchscreen device, do one of the following:
    Launch PGP Mobile. To do this on your touchscreen device, select Start > Programs, and then select PGP Mobile. Then select Start > Help.
    You can also navigate to the PGP Mobile help from your mobile device's main help. In the device's help Table of Contents, select Help for Added Programs > PGP Mobile.
The PGP Mobile User's Guide is available as an Adobe Acrobat Portable Document Format (PDF) file. You can view and print this file with Adobe Acrobat Reader, available on the Adobe Web site (http://www.adobe.com). The PGP Mobile User's Guide can be obtained from your PGP Universal Server administrator or from the PGP Corporation Knowledgebase.
Once PGP Mobile is released, additional information regarding the product is entered into the online Knowledge Base available on the PGP Corporation Support Portal (https://support.pgp.com).

Contact Information

Contacting Technical Support
To learn about PGP support options and how to contact PGP Technical Support, please visit the PGP Corporation Support Home Page (https://support.pgp.com).
To access the PGP Support Knowledge Base or request PGP Technical Support, please visit PGP Support Portal Web Site (https://support.pgp.com). Note that you may access portions of the PGP Support Knowledge Base without a support agreement; however, you must have a valid support agreement to request Technical Support.
To access the PGP Support forums, please visit PGP Support (http://forum.pgp.com). These are user community support forums hosted by PGP Corporation.
Contacting Customer Service
For help with orders, downloads, and licensing, please visit PGP Corporation Customer Service (https://pgp.custhelp.com/app/cshome).
Contacting Other Departments
For any other contacts at PGP Corporation, please visit the PGP Contacts Page (http://www.pgp.com/about_pgp_corporation/contact/index.html).
For general information about PGP Corporation, please visit the PGP Web Site (http://www.pgp.com).

Configuration and Installation

For your users to be able to install PGP Mobile on a mobile device, you must provide them with the .cab installation file as well as a .dat file that contains information on the PGP Universal Server.
When PGP Mobile is installed on a user's touchscreen device, on-device help is also installed (on-device help is not available on the non-touchscreen edition). Additional information is available in the PGP Mobile User's Guide (available in PDF format) as well as the release notes. You may decide you want to provide this information (which was provided when you downloaded the program from PGP Corporation) to your users. Be sure to distribute these files when you distribute the installation and configuration file.
In This Chapter
    The PGP Mobile Installation File
    The PGP Mobile Configuration File

The PGP Mobile Installation File

The PGP Mobile installation file is a Microsoft Windows .cab file. This file can be transferred to your device using any of the following methods:
Desktop synchronization
Beaming (Bluetooth, infrared)
Storage card transfer
Email
Web download
Mobile Device Management (MDM) push
Be sure to provide the appropriate installation file for your users' devices:
For touchscreen devices, the file name should be *Pro.cab.
Once the installation file is on the device, users can start the installation process by selecting the .cab file.

The PGP Mobile Configuration File

In order to enroll, users will use their LDAP credentials and connect to the PGP Universal Server in your organization. During enrollment, the user's GKM or SKM key is downloaded to the mobile device. The configuration file, named PGPConfigure.dat, is used during the installation of PGP Mobile to specify the location of the PGP Universal Server.
This file must be located on the device before the user installs PGP Mobile. It does not matter where the file is located, although it may be easier to place it in the same location as the installation .cab file.
To create the .dat file
1. Create a new text file and name it PGPConfigure.dat.
2. Edit the file and add the following single line:
       ovid=[UniversalServerName]
   For example, if your PGP Universal Server is named keys.mapi.example.com, the line in the .dat file would be ovid=keys.mapi.example.com.
3. Save the file.
4. Distribute the file to your users when you distribute the installation (.cab) file.
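A pre-flight check for the file created in the steps above, added here as an example; it is not part of the PGP guide or of any PGP tool. The function names are hypothetical, and treating the value as a bare DNS host name (no brackets, URL scheme or port) is an assumption based on the guide's keys.mapi.example.com example.

```python
import re

# One DNS label per RFC 1123: letters, digits and hyphens, 1-63 characters,
# not starting or ending with a hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_server_name(name):
    """Return a list of problems with the value that follows 'ovid='."""
    if name.startswith("[") or name.endswith("]"):
        # The template line ovid=[UniversalServerName] was copied literally.
        return ["template placeholder was not replaced with the server name"]
    if "://" in name or "/" in name:
        return ["use the bare server name, not a URL"]
    if name != name.strip() or " " in name:
        return ["server name contains whitespace"]
    if len(name) > 253 or not all(LABEL.match(part) for part in name.split(".")):
        return ["server name is not a valid DNS host name"]
    return []


def check_config(text):
    """Return a list of problems found in the contents of PGPConfigure.dat."""
    lines = text.splitlines()
    if len(lines) != 1:
        # The guide asks for a single line and nothing else.
        return [f"expected exactly one line, found {len(lines)}"]
    key, sep, value = lines[0].partition("=")
    if not sep or key != "ovid":
        return ["the line must have the form ovid=<server name>"]
    return check_server_name(value)


def render_config(server_name):
    """Build the single line for PGPConfigure.dat, refusing bad input."""
    problems = check_server_name(server_name)
    if problems:
        raise ValueError("; ".join(problems))
    return f"ovid={server_name}"


if __name__ == "__main__":
    # Constructed sample inputs, including the mistakes the check is meant to catch.
    samples = [
        "ovid=keys.mapi.example.com",
        "ovid=[UniversalServerName]",
        "ovid=https://keys.mapi.example.com",
        "ovid=keys.mapi.example.com\nextra=1",
    ]
    for sample in samples:
        print(repr(sample), "->", check_config(sample) or "ok")
```

Because this file decides which server users present their LDAP credentials to during enrollment, run the check on the exact file you are about to distribute rather than on the value you intended to type.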

Messaging

Your PGP Mobile users can sign, encrypt, or sign and encrypt outgoing email messages, and decrypt and verify incoming email messages.
PGP Mobile decodes all the encoding formats (Partitioned, PGP/MIME and S/MIME) generated by various PGP clients (MAPI, Lotus Notes, IMAP/POP, PGP Support Package for Blackberry).
As PGP Mobile administrator, you can:
    configure the messaging policies downloaded to your PGP Mobile users and how often they are updated.
    establish settings for messaging preferences that apply to your PGP Mobile users.
Refer to the following sections for information on how to configure policies and establish preferences for your PGP Mobile users using the version of PGP Universal Server you have deployed.
In This Chapter
    Using PGP Mobile with PGP Universal Server Version 2.x
    Using PGP Mobile with PGP Universal Server Version 3.0

Using PGP Mobile with PGP Universal Server Version 2.x

Mail policies and preferences for your PGP Mobile users are automatically downloaded during installation of PGP Mobile and are updated periodically thereafter. If you add a preference or change an existing preference after PGP Mobile is installed on a mobile device, the new settings are automatically downloaded during the next update.
PGP Mobile users can force an update of preferences (and policies) by exiting PGP Mobile and then restarting it.
Mail policies and preferences for your PGP Mobile users are stored on your PGP Universal Server. To use the default settings for all PGP Mobile preferences, you do not have to do anything; they will be downloaded and implemented automatically.
To use settings for PGP Mobile preferences other than the default settings, you must specify the setting you want to use. Any PGP Mobile preference not specified will use the default setting.
Warning: Preferences should be edited with caution. A misconfiguration may cause your PGP Mobile clients to stop functioning properly.
There are two kinds of preferences that apply to PGP Mobile:
Preferences that apply to PGP Mobile and to PGP Desktop.
Preferences that apply only to PGP Mobile.
Both kinds of preferences are described in this section.
Note: Some preferences on the PGP Universal Server apply only to PGP Desktop. While these are downloaded to your PGP Mobile users (because they are in the same file that gets downloaded to all PGP clients), they are ignored by PGP Mobile.

Mail Policies

Mail policies for your PGP Mobile users are created on your PGP Universal Server and then downloaded to your PGP Mobile users.
Refer to the PGP Universal Server Administrator's Guide for complete information about configuring mail policies.
Note: Not everything in the mail policy chains downloaded to your PGP Mobile users will apply to them; any mail policy settings that do not apply to PGP Mobile will be ignored.
Mail policies are downloaded automatically to mobile devices when PGP Mobile is installed and are updated at regular intervals thereafter based on preferences settings. If a connection to the PGP Universal Server is not available when mail policies are scheduled for updating, the update is postponed.
PGP Mobile users can force an update of mail policies (and preferences) by exiting from PGP Mobile and then restarting it.
Note: Automatic updates of mail policies and preferences only happen when PGP Mobile is running on the mobile device.

Configuring Internal User Policies for PGP Mobile

In PGP Universal Server version 2.x, use the Advanced Preferences Editor to create and apply Internal User policies. For information on how to change these preferences, see Changing the Default Values of Preferences (on page 13).
PGP Mobile Only Preferences
Some preferences on your PGP Universal Server apply only to PGP Mobile.
Integers take a numeric value; Booleans are true or false; Strings take a string of text.
The following preferences apply only to PGP Mobile:
policyDownloadinterval (integer)—The default value is 10080 minutes (one week, 168 hours). This preference controls when policy is automatically downloaded to the mobile device from the PGP Universal Server. The value is set in minutes. If the mobile device is suspended, that time does not count towards reaching the timeout value.
policyWakeupFrequency (integer)—The default value is 56 times. This preference controls how many times PGP Mobile will wake up to see if a policy download is needed while the device is suspended (when a device is suspended, the timer for policy download is also suspended).
policyDownloadGracePeriod (integer)—The default value is 43200 minutes (30 days, 720 hours). This preference controls the length of time for which downloaded policy will be applied to outgoing messages. Before applying policy, PGP Mobile will check to see if the current policy is valid. If it is valid, the policy will be applied; if it has expired (the grace period is over), the policy will not be applied and outgoing messages will be blocked.
expiredPolicyActionBlock (Boolean)—The default value is False. This preference controls how PGP Mobile handles expired policies. When set to False, the default, messages will use expired policies. When set to True, messages will not use expired policies; instead, messages will be blocked.
policyDownloadRetryInterval (integer)—The default value is 1440 minutes (one day, 24 hours). This preference controls how long PGP Mobile will wait before attempting again to download policies if a download was missed because a connection to the PGP Universal Server was not available.
mailKeyCacheSize (integer)—The default value is 50 keys. This preference controls the number of keys PGP Mobile will cache (key caching speeds up performance).
enablePolicyDownload (Boolean)—The default value is True. This preference controls policy download. When set to True, the default, policy downloads are initiated automatically per the setting of policyDownloadInterval. If set to False, automatic policy downloads do not occur. To reestablish automatic policy downloads if this value has been set to False, the value in the preferences must be reset to True and the user must be reenrolled from the mobile device.
mailKeyCacheTime (integer)—The default value is 20160 minutes (two weeks, 336 hours). This preference controls how long a key will stay cached on the mobile device for encoding outgoing messages. When the timeout is reached, PGP Mobile will look up the key on the PGP Universal Server and cache it again.
mailBounceOnUnsupported (Boolean)—The default value is False. This preference controls how PGP Mobile handles unsupported policy rules. When set to False, the default, PGP Mobile will ignore unsupported policy rules and instead use the default policy. When set to True, PGP Mobile will not send messages to which unsupported policy rules apply.
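The policy timing preferences above depend on one another, so a change to one can leave devices running on expired policy. The following added example (not PGP code, and not the Advanced Preferences Editor's format) checks a set of overrides against the documented types and defaults and estimates how many download attempts fit inside the grace period. The function names are hypothetical, and the timing model, the positive-value rule and the case-insensitive name matching are assumptions stated in the comments.

```python
# Names, types and defaults are transcribed from the preference list above.
DOCUMENTED = {
    # name: (type, default)
    "policyDownloadinterval": (int, 10080),       # minutes
    "policyWakeupFrequency": (int, 56),           # wake-ups while suspended
    "policyDownloadGracePeriod": (int, 43200),    # minutes
    "expiredPolicyActionBlock": (bool, False),
    "policyDownloadRetryInterval": (int, 1440),   # minutes
    "mailKeyCacheSize": (int, 50),                # keys
    "enablePolicyDownload": (bool, True),
    "mailKeyCacheTime": (int, 20160),             # minutes
    "mailBounceOnUnsupported": (bool, False),
}
# The guide spells policyDownloadinterval two ways, so names are matched
# case-insensitively here (assumption) and reported in the spelling above.
_CANONICAL = {name.lower(): name for name in DOCUMENTED}


def effective_settings(overrides):
    """Return (settings, problems): documented defaults plus valid overrides."""
    settings = {name: default for name, (_, default) in DOCUMENTED.items()}
    problems = []
    for raw_name, value in overrides.items():
        name = _CANONICAL.get(raw_name.lower())
        if name is None:
            problems.append(f"{raw_name}: not a documented PGP Mobile-only preference")
            continue
        expected, _ = DOCUMENTED[name]
        # bool is a subclass of int in Python, so compare the exact type.
        if type(value) is not expected:
            problems.append(f"{name}: expected {expected.__name__}, got {value!r}")
            continue
        # Assumption: zero and negative numbers are treated as mistakes.
        if expected is int and value <= 0:
            problems.append(f"{name}: expected a positive number, got {value}")
            continue
        settings[name] = value
    return settings, problems


def attempts_before_expiry(settings):
    """Download attempts that fit in one grace period after a successful download.

    Assumed model: the grace period runs from the last successful download,
    the next attempt is due after policyDownloadinterval, and every failed
    attempt is retried after policyDownloadRetryInterval. Suspended time,
    which the guide says does not count, is ignored.
    """
    interval = settings["policyDownloadinterval"]
    grace = settings["policyDownloadGracePeriod"]
    retry = settings["policyDownloadRetryInterval"]
    if interval > grace:
        return 0
    return 1 + (grace - interval) // retry


def lint(overrides):
    """Return a list of findings for a dict of preference overrides."""
    settings, findings = effective_settings(overrides)
    if not settings["enablePolicyDownload"]:
        findings.append("enablePolicyDownload=False: automatic policy downloads stop; "
                        "restoring them means resetting the value and re-enrolling the user")
        return findings
    on_expiry = ("outgoing messages are blocked"
                 if settings["expiredPolicyActionBlock"]
                 else "messages use the expired policy")
    attempts = attempts_before_expiry(settings)
    if attempts == 0:
        findings.append("policyDownloadGracePeriod is shorter than policyDownloadinterval: "
                        f"policy expires before the next scheduled download ({on_expiry})")
    elif attempts == 1:
        findings.append(f"one missed download exhausts the grace period ({on_expiry})")
    return findings


if __name__ == "__main__":
    # Constructed override sets for illustration.
    for overrides in ({}, {"policyDownloadGracePeriod": 1440},
                      {"policyDownloadInterval": "weekly"}):
        print(overrides, "->", lint(overrides) or "no findings")
```

With the documented defaults this model gives 24 attempts (the scheduled download plus 23 daily retries) before the 30-day grace period ends.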
Preferences Shared with PGP Desktop
Some preferences on your PGP Universal Server apply both to PGP Mobile and to PGP Desktop.
Note: If you are creating PGP Desktop clients on the same PGP Universal Server hosting your PGP Mobile clients, make sure any preferences whose settings you modify get appropriate settings for both PGP Mobile and PGP Desktop.
Integers take a numeric value; a Boolean is true or false; a String takes a string of text.
The following preferences are shared by PGP Mobile and PGP Desktop:
mobileAnnotateMessages (Boolean)—The default value is True. This preference controls annotation of decoded messages. When set to True, the default, decoded messages are annotated (refer to the PGP Mobile User's Guide for more information about message annotation). When set to False, decoded messages are not annotated.
mobileUseNotifier (Boolean)—The default value is False. This preference controls whether PGP Mobile users will see messaging-related notifications on their mobile device. When set to False, the default, they will not see messaging-related notifications. When set to True, they will see messaging-related notifications.
mobileSearchLocalKeyring (Boolean)—The default value is True. This preference controls whether or not PGP Mobile will search the local keyring for the right key to encrypt an outgoing message or to verify a signature. When set to True, the default, the local keyring is searched. When set to False, the local keyring is not searched. The local keyring is not the same as the key cache; PGP Mobile will always search its key cache for an appropriate key.
mobilePassphraseCacheType (Integer)—The default value is 1 (messaging passphrases are cached for a specified number of seconds). This preference controls how PGP Mobile handles messaging passphrases (PGP Mobile handles messaging passphrases differently than it handles other passphrases). This preference can be set to values of 0, 1, or 2 only. When set to 0, messaging passphrases are not cached. When set to 1, the default, messaging passphrases are cached for the number of seconds specified in mobilePassphraseCacheSeconds. When set to 2, messaging passphrases are cached until PGP Mobile is shut down.
mobilePassphraseCacheSeconds (Integer)—The default value is 300 seconds (five minutes). This preference controls how long message passphrases are cached if mobilePassphraseCacheType is set to 1.
mobileDisableFeatureEmailMessaging (Boolean)—The default value is False. This preference controls PGP Mobile messaging on a mobile device. When set to False, the default, messaging works normally. When set to True, PGP Mobile messaging is disabled for the device. If messaging had been working on the mobile device prior to it being disabled via this preference, messaging will be disabled when the preferences are next downloaded. If Outlook was being used on the device, it will need to be restarted to disable messaging.
Changing the Default Values of Preferences
If you want to use a setting for a PGP Mobile preference other than the default setting, you must add the preference (using the XML Preferences Editor on your PGP Universal Server) and then specify the desired setting.
Warning: Preferences should be edited with caution. A misconfiguration may cause your PGP Mobile clients to stop functioning properly.
To add a PGP Mobile messaging preference and specify a setting
1 Log in to your PGP Universal Server.
2 Select Policy > Internal User Policy.
3 Select the policy you want to edit (the default policy is Internal Users: Default).
4 Click the Advanced tab.
5 Click Edit Preferences. The XML Preferences dialog box is displayed.
6 At the bottom of the dialog box, select Set.
7 Enter the Pref Name. Note that the name is case-sensitive.
8 Select the Type of preference: Boolean, String, Integer.
9 Enter the Value of the preference.
10 Click Save. The new messaging preference is added at the bottom of the list of existing preferences.
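A pre-flight check for overrides before they are entered in the XML Preferences Editor, as an added example that is not part of the original guide or of PGP software: it validates each row against the names, types and defaults documented above (names are case-sensitive) and flags settings that let mail go out under stale or fallback policy. The (Pref Name, Type, Value) row layout and the function name check_overrides are assumptions made for this illustration.

```python
# Preferences documented in this section: name -> (type, default).
PREFS = {
    "expiredPolicyActionBlock": ("Boolean", False),
    "policyDownloadRetryInterval": ("Integer", 1440),
    "mailKeyCacheSize": ("Integer", 50),
    "enablePolicyDownload": ("Boolean", True),
    "mailKeyCacheTime": ("Integer", 20160),
    "mailBounceOnUnsupported": ("Boolean", False),
    "mobileAnnotateMessages": ("Boolean", True),
    "mobileUseNotifier": ("Boolean", False),
    "mobileSearchLocalKeyring": ("Boolean", True),
    "mobilePassphraseCacheType": ("Integer", 1),
    "mobilePassphraseCacheSeconds": ("Integer", 300),
    "mobileDisableFeatureEmailMessaging": ("Boolean", False),
}
PY_TYPES = {"Boolean": bool, "Integer": int}

def check_overrides(overrides):
    """Validate (name, type, value) rows; return (effective settings, findings)."""
    effective = {name: default for name, (_, default) in PREFS.items()}
    findings = []
    by_lower = {name.lower(): name for name in PREFS}
    for name, typ, value in overrides:
        if name not in PREFS:  # exact match only: names are case-sensitive
            hint = by_lower.get(name.lower())
            findings.append(f"{name}: unknown name" + (f", did you mean {hint}?" if hint else ""))
            continue
        want = PREFS[name][0]
        # type(value) is compared exactly because bool is a subclass of int.
        if typ != want or type(value) is not PY_TYPES[want]:
            findings.append(f"{name}: expected {want}")
            continue
        if name == "mobilePassphraseCacheType" and value not in (0, 1, 2):
            findings.append(f"{name}: must be 0, 1 or 2")
            continue
        effective[name] = value
    # Settings worth a second look, per the descriptions above.
    if not effective["expiredPolicyActionBlock"]:
        findings.append("expiredPolicyActionBlock=False: mail still sent under expired policy")
    if not effective["mailBounceOnUnsupported"]:
        findings.append("mailBounceOnUnsupported=False: unsupported rules fall back to default policy")
    if effective["mobilePassphraseCacheType"] == 2:
        findings.append("mobilePassphraseCacheType=2: passphrase cached until shutdown")
    return effective, findings

# Constructed sample rows (Pref Name, Type, Value), not taken from a real server.
SAMPLE = [("expiredpolicyactionblock", "Boolean", True),
          ("mailBounceOnUnsupported", "Boolean", True),
          ("mobilePassphraseCacheType", "Integer", 3)]
```

With the constructed SAMPLE rows, the miscased name is rejected, so expiredPolicyActionBlock silently stays at its default of False and is reported as such.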

Using PGP Mobile with PGP Universal Server Version 3.0

Mail policies and preferences for your PGP Mobile users are automatically downloaded during installation of PGP Mobile and are updated periodically thereafter. If you add a preference or change an existing preference after PGP Mobile is installed on a mobile device, the new settings are automatically downloaded during the next update.
PGP Mobile users can force an update of preferences (and policies) by exiting PGP Mobile and then restarting it.
Mail policies and preferences for your PGP Mobile users are stored on your PGP Universal Server. To use the default settings for all PGP Mobile preferences, you do not have to do anything; they will be downloaded and implemented automatically.
To use settings for PGP Mobile preferences other than the default settings, you must specify the setting you want to use. Any PGP Mobile preference not specified will use the default setting.
Warning: Preferences should be edited with caution. A misconfiguration may cause your PGP Mobile clients to stop functioning properly.
Use PGP Universal Server to manage mail and consumer policy for PGP Mobile. However, you cannot create the initial PGP Mobile installer from PGP Universal Server.

Mail Policies

Mail policies for your PGP Mobile users are created on your PGP Universal Server and then downloaded to your PGP Mobile users.
Refer to the PGP Universal Server Administrator's Guide for complete information about configuring mail policies.
Note: Not everything in the mail policy chains downloaded to your PGP Mobile users will apply to them; any mail policy settings that do not apply to PGP Mobile will be ignored.
Mail policies are downloaded automatically to mobile devices when PGP Mobile is installed and are updated at regular intervals thereafter based on preference settings. If a connection to the PGP Universal Server is not available when mail policies are scheduled for updating, the update is postponed.
PGP Mobile users can force an update of mail policies (and preferences) by exiting from PGP Mobile and then restarting it.
Note: Automatic updates of mail policies and preferences only happen when PGP Mobile is running on the mobile device.
PGP Universal Server v3.x includes the Default: Mobile mail policy chain, available from Mail > Mail Policy. This is the default mail policy that is downloaded to users' devices. You can edit this policy or create new policies if desired.

Configuring Consumer Policy Options for PGP Mobile

To specify policy options, in PGP Universal Server, select Consumers > Consumer Policy > Consumer Policy Options (select any policy) > Mobile.
The following tables describe these options.
General
Option Definition
Allow conventional encryption and self-decrypting archives
When selected, lets your PGP Mobile users conventionally encrypt files using a passphrase instead of a key, or create self-decrypting archives (SDAs). Conventionally encrypted and self-decrypting files cannot be decrypted by your organization's ADK, which can conflict with your data recovery policy. Deselect to prevent users from conventionally encrypting files or creating SDAs.
Always encrypt to user's key
When selected, every message your PGP Mobile users send is encrypted to their key. This is in addition to any other user- or system-specified key; for example, the ADK. Deselect if you do not want messages to be automatically encrypted to the user's key. Users can still manually encrypt their messages to their key.
Download policy updates from PGP Universal Server every
Type in how often PGP Mobile should download policy updates in days/hours/minutes.
Messaging and Keys
Option Definition
Search for keys on local PGP keyrings when encrypting or verifying email
When selected, lets your PGP Mobile users import keys into their keyring so that they can encrypt or verify messages without needing to refer to the PGP Universal Server for key information. This allows your PGP Mobile users to operate as if they were not bound to the PGP Mobile, even if they are. Deselect to prevent them from searching for keys on their own keyring when encrypting or verifying email.
Mail Policy
Select which mail policy chain you want applied. For more information on mail policy, see Setting Mail Policy (in the PGP Universal Server Administrator's Guide).
If client fails to download policy for
Select what PGP Mobile should do if it fails to download policy updates for a specified amount of time:
Apply last downloaded policy. PGP Mobile continues to send messages using the last downloaded policy settings if it cannot download a new policy update.
Block outbound message. PGP Mobile blocks outgoing messages if it cannot download a new policy update.
Enable PGP Notifier
Controls whether users see messaging-related notifications on their screens. Notifications tell the user when incoming messages are being decrypted and when mail policy processes outgoing messages.
Enable email annotations
Controls whether users see annotations on messages. Annotations mark how messages are encoded.
File Encryption
Option Definition
Allow the user to create PGP Zip archives and SDAs
Deselect to disable the PGP Zip feature.
Allow the user to securely delete files
Deselect to disable the PGP Shredder feature.