Maine State Government
Dept. of Administrative & Financial Services
Office of Information Technology
Mobile devices that are not supported by OIT and are joined to the state network must comply with this policy.
Subject to certain provisos, OIT allows non-OIT managed mobile devices (non-OIT mobiles for short) to join the state network. Non-OIT mobiles include both devices acquired by state agencies but not managed by OIT and personal devices acquired by state personnel.
C. OIT: Assist with the configuration of the non-OIT mobile to access the state network.
A. Operating systems supported include currently supported versions (by the original equipment manufacturer) of Google Android and Apple iOS.
B. Non-OIT mobiles are allowed one of two means for accessing state email & calendar: direct connection via Juniper VPN (Junos) and Outlook Web Access (OWA). Either method requires two-factor authentication via RSA SecurID token/pid, plus the employee’s state Active Directory credential. Managed non-OIT mobiles are provided direct connectivity to the state wireless network, where available, and remote access through the state’s Juniper VPN gateway.
C. OIT reminds all parties that all relevant State, Agency, and DAFS-OIT policies, including FOAA for State contents (Title 1, Chapter 13) and the Notice of Risk to Personal Data Act (Title 10, Chapter 210-B), continue to apply with respect to state I.T. resources, irrespective of whether such access is effected via an OIT device or a non-OIT device.
D. OIT further reminds all parties that State, Agency, and/or DAFS-OIT Acceptable Usage Policies apply while connected to the state network, irrespective of whether such access is effected via an OIT device or a non-OIT device. Consequently, even when the state network is accessed via a non-OIT device, H.R. Directors and Assistant Attorneys General may be allowed to initiate forensic audits on such devices, as well as to quarantine applications not relevant to state business from being operated while connected to the state network.
E. Should a device cease to be in the safe custody of the device holder (due to, but not limited to, loss or theft), device holders must notify OIT Customer Support as soon as possible to limit unauthorized access and data loss. Users are strongly urged to back up the contents of their mobile device, as lost devices used for state business are subject to being (remotely) wiped.
F. For security purposes, the following password requirements apply:
1. The device must be secured by a password at least eight characters long, with at least one alphabetic and one numeric character. A non-expiring password is acceptable.
2. The device must lock after a period of inactivity of at most fifteen minutes.
3. Ten incorrect attempts at entering the device password will trigger a remote wipe.
G. Should the device store, even temporarily, Personally Identifiable Information, the device must be encrypted to the AES-256 standard.
H. Tampering with the original equipment manufacturer’s standard security configuration (rooting, jailbreaking, etc.) summarily disqualifies a device from using the state network.
I. All client-side product licenses are provisioned by the agency and/or the device holder. (OIT currently only provides the Junos Pulse license.)
J. For the purpose of access audit to state I.T. assets, the assumption is that each device has one, and only one, designated user. Non-OIT device user/holders hereby vouch that devices are not shared with any other person (including family members).
K. Agencies must notify OIT Customer Support as soon as possible regarding any transition (transfers, terminations, etc.) of non-OIT mobile holders.
L. Since non-OIT mobiles are not maintained by OIT, OIT’s troubleshooting assistance can only be on a best-effort basis. Users will have to coordinate assistance from OIT and the wireless carrier, if applicable. The only OIT deliverable is access to the state network.
M. Should statutory restrictions forbid particular agency stakeholders from accessing specific state information assets from non-state devices, then this policy does not change that.
N. The state is held harmless for any damage to a personal device as a consequence of being used for state business and accessing the state network.
O. Failure to comply with any of the above provisos may lead to termination of access to the state network.
Non-OIT Managed Mobile Devices: Computing and/or communication devices, not managed by OIT, running a mobile operating system (such as Google Android, Apple iOS, Microsoft Windows RT, BlackBerry OS, etc.), as opposed to a desktop-class operating system (such as Windows, Mac OS, Ubuntu, etc.).
Approved By: James R. Smith, Chief Information Officer, Office of Information Technology, 207-624-7568.
Legal Citation: 5 M.R.S.A. Chapter 163 Section 1973 paragraphs (1)B and (1)D, which read in part, “The Chief Information Officer shall:” “Set policies and standards for the implementation and use of information and telecommunications technologies…” and “Identify and implement information technology best business practices and project management.”