SAFEGUARD® PDA ENTERPRISE EDITION 4.10.1
What's New In 4.10.1
- The "Allow phone calls without logon" and "Allow notification messages in logon screen" features now also work for devices that use the Dutch, Finnish, Norwegian or Swedish language.
- Autorun.exe can now be used for installation from all locations. The SGReboot tool is no longer needed for installation involving 3rd party tools.
- On a Windows Mobile 5 device, "Phone without logon" now allows users to select a contact from the contacts list.
- Windows Mobile 5.0 SG PDA now allows attachments to be redirected to a PrivateDisk. Other PIM encryption options are currently grayed out but will be available in the next version of the product.
- Blocking Bluetooth can now be used "out of the box" for T-Mobile MDA Pro and Dell Axim X51 (no need to manage a driver name).
- The user manual is now available in English, French and German. The administration manual and the first steps guide are available in English and German.
- "Lock and Power off" now also works for devices that do not have a power switch.
- Bugfix: Calendar application on some devices displayed an error message when calendar entries were encrypted.
- Bugfix: Signature logon had a problem with the complex signature enforcement feature.
- Bugfix: The Challenge/Response CAB file in the client MSI installation file was not signed. As a result, neither this option nor a full installation could be implemented on Windows Mobile 5 devices.
- Bugfix: The software created a log file trace.txt when importing configuration files.
- Bugfix: PrivateDisk full device encryption did not work on Windows Mobile 5 devices.
- Bugfix: Encryption of PIM data sometimes caused the boot phase of Windows Mobile 2003 devices to hang.
Notes on Windows Mobile 5.0 restrictions
- PIM Encryption for Windows Mobile 5.0 is not integrated in this release. Transparent PIM encryption for Windows Mobile will be shipped as a service release.
- Windows Mobile 5.0 devices are no longer at risk of an accidental hard reset due to loss of battery power. This has been avoided by a new device design that no longer includes a flash filestore that is needed for SG PDA's "survive hard reset" feature. We are currently working on a solution for surviving intentional hard resets on some Windows Mobile 5 devices.
System Requirements
- Windows Mobile device: Windows Mobile 2003, Windows Mobile 2003 SE, Windows Mobile 5.0 or corresponding Phone Edition
- Desktop computer: Microsoft Windows NT, Microsoft Windows 2000 or Microsoft Windows XP
Installation
We recommend making a backup copy of your device before you install SafeGuard PDA Enterprise Edition!
Please read the document SGPDA_EE_41_FirstSteps_ENG.pdf to inform yourself about the various installation options and preparation steps!
The initial Master Password for the SafeGuard PDA Enterprise Edition is: "SGPDA". Be sure to change it (with the SG PDA master password snap-in in the Microsoft Management Console) before you start using the software in production environments.
NOTE: If you installed a previous version of SG PDA Enterprise using a special company key, make sure you apply the same company key to this installation package before distribution. The new installation package will overwrite the old package during upgrade.
Product Overview
SafeGuard PDA protects your Pocket PC and Symbian smartphone by unique means of flexible and secure user authentication as well as encryption methods.
You have the option of authentication via password, symbol or even biometric handwritten signature (PocketPC only).
The encryption package features the up-to-date AES algorithm, ensuring confidentiality of your data.
On PocketPC the PrivateCrypto Module is an explicit file encryption tool that is ideal for sending encrypted e-mail attachments without the need for a complex PKI infrastructure in the background. The PrivateDisk Module allows you to create virtual disks that transparently encrypt everything you store in them. You can "format" memory cards completely as PrivateDisks to keep their contents protected. The encryption formats of both modules are fully compatible with the PC versions of that software, allowing you to exchange encrypted data between different platforms.
On Pocket PC phones you may configure a set of "emergency numbers" that can be dialled without having to authenticate. These functions automatically become available in SafeGuard PDA when the presence of a GSM chip is detected. (Please keep in mind that for numbers other than official international emergency numbers, e.g. 112, the SIM chip must be active in order to dial them.)
This software supports English, German and French user interface. On PocketPC the language shown depends on the regional settings of Windows CE (not the language of the operating system). Switching the language of SafeGuard PDA just requires a soft reset after having configured the proper regional settings on the PDA. On Symbian devices the language can be chosen at installation time.
SafeGuard PDA for PocketPC complies with the Microsoft "Designed for Windows Mobile" specification, ensuring compatibility with a broad range of Pocket PC hardware and software products.
SafeGuard PDA for Symbian is "Symbian Signed".
Known Restrictions
Windows Mobile
- The HTC Universal (O2 XDA Exec, Qtek 9000, T-Mobile MDA Pro, Vodafone VPA IV) sometimes cannot load the PrivateDisk driver. On these occasions, an error message is shown when trying to mount a disk. In silent mode (creation of initial disks, full device encryption for storage cards) no error message is shown but also no disk is created when the error occurs. A soft reset sometimes solves the problem. We observed the problem to occur less often when no storage card was in the device during reboot. We also recommend to use the newest firmware version. After initial successful mount of a PrivateDisk the problem should not happen any longer. No data can be lost because of that problem.
- In the Qtek 9100 firmware version 2.18.7.7 the device cannot be switched off by the software. The "Lock & Power OFF" option does not work in this firmware version.
- The T-Mobile MDA Compact firmware has a difficulty with the grace period feature for authentication. This grace period does not work on these models: the login screen always appears after the device is switched on.
- Since SafeGuard PDA takes control over operating system authentication, it typically cannot co-exist with other security applications of similar functionality. Always use only one authentication security product on your Pocket PC!
- If you use a WLAN card and the logon method is "Signature", you have to wait on Power ON until the WLAN card is fully initialized (watch the LEDs) before you can enter the signature. Otherwise your signature will not be recognized during your first logon attempt, because the initialization of the WLAN consumes too much CPU.
- If you use special input software like Calligrapher and you intend to use the biometric signature logon, be sure that you enroll your signature in the same mode that you use later for logon, i.e. if Calligrapher is active during enrollment, it should also be active during signature logon. In the case of password logon, SafeGuard PDA will always switch to the virtual keyboard, regardless of which method you have configured for your daily work. Experience has shown that all other input methods are not well suited for password entry, since the recognition of the entered letters is too error-prone.
- Most of the current PDA backup programs are not able to save the current password. New passwords must be set after restoring such a backup. Please protect your backups against unauthorized access. One possible way is to use PrivateCrypto to encrypt your backups.
- Only standard PCM WAV sound files can be used as alarm sounds. Please ensure that your sound file is in the correct format before using it as alarm sound.
- In some rare cases on devices of certain vendors, especially on devices with only 32 MB of RAM, it may happen that the original operating system password dialog is shown for logon. You can use your SG PDA password to authenticate or perform a soft reset, which typically brings back the SG PDA authentication screen.
- After the client installation via ActiveSync, the PDA will perform a soft-reset. After the reset, some devices will not automatically turn on again. Simply take the device from the cradle, power on the device manually and you will be prompted to set the user password. Afterwards the installation is completed.
- To install the client software via Windows Installer, the user must have PowerUser rights or Windows Installer must be configured to run under enhanced rights. Users with normal user rights will not be able to de-install the software. To install the administration part of the software, you need administrative rights.
- When performing a partial Firmware upgrade that does not erase the complete PDA (e.g. Updating the GPRS Stack of a Phone Edition PDA) it is recommended to deactivate the login before doing the upgrade and activate it again afterwards. This ensures that the upgrade can proceed uninterrupted.
- When using the "Full Device Encryption" feature for PrivateDisk volumes on memory cards, you cannot configure the Inbox to save attachments on storage card, since the whole memory of the card is used for the PrivateDisk volume.
More Comments On SafeGuard PDA
Compatibility Of Encryption Modules
The PrivateCrypto module of SafeGuard PDA is compatible with version 2.0x of SafeGuard PrivateCrypto for Windows. Archives created using older versions can be decrypted without problems. When using SafeGuard PrivateCrypto 2.10, be sure to create archives with the AES-128 encryption algorithm for compatibility with SafeGuard PDA.
By using SafeGuard PrivateCrypto for Windows it is possible to create archives containing several files. This is not possible with SafeGuard PrivateCrypto for Pocket PC. Archives created under Windows, which contain more than one file can be decrypted without restrictions on a Pocket PC.
The PrivateCrypto and PrivateDisk modules use the AES (Rijndael) algorithm for encryption. This algorithm is the successor of the standard DES algorithm and offers up-to-date performance and security. Both modules adhere to the international PKCS#5 standard on deriving strong encryption keys from the passwords you enter.
Compatibility Of PrivateDisk Volumes
The PrivateDisk module of SafeGuard PDA is compatible to version 1.x of SafeGuard PrivateDisk for Windows. Secure disks can be shared without problems between both platforms, if they are formatted internally as FAT and not NTFS.
Note that the size of flash storage is reported differently by the operating systems, e.g. a 128 MB SD card can be reported as 120.99 MB by PocketPC 2002 and as 122.24 MB by Windows Mobile 2003. So if you use a Windows Mobile 2003 device to create a PrivateDisk volume spanning the whole memory card, you might eventually not be able to mount the volume on an older PDA! Therefore you should format your memory cards on PocketPC 2002 devices if you intend to use them for PDA's with PocketPC 2002 and Windows Mobile 2003.
ATTENTION!
- Self extracting executables created by PrivateCrypto only work on the processor platform where they were created, but are independent from the version of the operating system.
- On low memory, undeletable files (parts of .uti archives) can remain on the machine. Please check your current archive if PrivateCrypto cancels an operation due to low memory. After resetting the PDA, these files can be deleted manually.
- Please also note that files that do not share the same format between normal and Pocket PCs (e.g. Pocket Word, Pocket Excel) are not converted by ActiveSync when transferred in encrypted form. If the target PC has ActiveSync and Microsoft Office installed, the Pocket format of these files can be opened on the PC without problems though.
- If "Disable ActiveSync connections with foreign devices" is active and SGPDA is uninstalled on the desktop PC, SGPDA will no longer be uninstalled on the PDA. Reason: the PDA treats the desktop PC as a foreign PC and refuses to connect. To uninstall SGPDA, deactivate "Disable ActiveSync connections with foreign devices" first and replicate with each PDA before de-installing the software.
- PIM Encryption does not encrypt the sender address field of emails.
Demo-Version Restrictions
SafeGuard PDA Authentication Module
- After logon a message box is shown which informs that a demo version of SafeGuard PDA is installed
- No customer replaceable bitmap at logon screen (PocketPC only)
- Logon screen and About box show the word "DEMO"
PrivateCrypto Encryption Module
- The About box shows the word "DEMO"
- After the program start the "About box" is shown during a short delay
- All archives are marked as "encrypted with the demo version"
- No customer replaceable appearance
PrivateDisk Encryption Module
- The About box shows the word "DEMO"
- Maximum PrivateDisk size is limited to 2 MB
- No customer replaceable title bitmap
Download Links To Related Third Party Software
In order to take full advantage of this SafeGuard product, you may need some additional software, which is available for free download from third party vendors.
Adobe Acrobat Reader 6.0 or higher
Necessary for reading files in PDF format. E.g. The user manual of this product.
Download: http://www.adobe.com/products/acrobat/readstep2.html
Microsoft ActiveSync 3.7.1 or higher
Necessary for performing local data synchronization between Pocket PC and desktop PC.
Download: http://www.microsoft.com/downloads
Exact URL on English version at the time when this text was created:
http://www.microsoft.com/downloads/details.aspx?FamilyID=2eb5bd80-d52c-4560-ae11-da92f2b229fa&DisplayLang=en
Microsoft Management Console
The Microsoft Management Console is part of the Windows 2000 and XP Operating System and is used as central user interface for management tasks. If you use Windows NT, you need to download and install this component separately, in order to be able to use the management snap-ins of this SafeGuard product.
Download: http://www.microsoft.com/downloads
Exact URL on English version at the time when this text was created:
http://www.microsoft.com/downloads/details.aspx?FamilyID=3f620a07-c996-4a81-aad8-30134a43ec46&DisplayLang=en
Microsoft Windows Installer
The Microsoft Windows Installer is part of the Windows 2000 and XP Operating System and is used to process setup packages in MSI format. If you use Windows NT, you need to download and install this component separately, in order to be able to install this SafeGuard product.
Download: http://www.microsoft.com/downloads
Exact URL on English version at the time when this text was created:
http://www.microsoft.com/downloads/details.aspx?FamilyID=4b6140f9-2d36-4977-8fa1-6f8a0f5dca8f&DisplayLang=en
Microsoft XP Administration Pack for Windows 2000 Server
In order to take full advantage of Windows XP Clients in a Windows 2000 Server domain, you may want to download and install this XP administration package. This package is not mandatory for this SafeGuard product.
Download: http://www.microsoft.com/downloads
Exact URL on English version at the time when this text was created:
http://www.microsoft.com/downloads/details.aspx?FamilyID=d232481f-28ea-4ba6-919b-95a8d757eff9&DisplayLang=en
History Of Changes In Older Versions
What Has Been New In 4.10.0
- PIM Encryption on Windows Mobile 2003 devices now works transparently: data is encrypted/decrypted on-the-fly (no delays in logon time, push-mail compatible).
- Additionally supports Windows Mobile 5.0 devices (restrictions in this release: no PIM Encryption, no Hard Reset Survive).
- New authentication method for logon with certificates on secure MMC cards.
- Besides GSM phones, SafeGuard PDA now also supports CDMA phones which are typically used in USA and parts of Asia.
- Navigation software awareness: SafeGuard PDA now can be configured not to lock the screen after a timeout period if navigation software is active.
- Logon screen now also supports square screen devices.
What Has Been New In 3.00.5
- Upgrade from older versions now also works when the setting "Disable ActiveSync connections with foreign PC's" is activated. In older versions this caused a hang during upgrade. In the same context the default for the ActiveSync connection timeout has been increased from 20 to 30 seconds.
- SafeGuard PDA now works together with SpriteBackup. For security of the backups, they can be saved encrypted to and restored from a PrivateDisk volume on memory card.
- A bug has been fixed that caused a system hang on some machines when leaving them in the cradle over night.
- Multiple reminder messages are now handled correctly. Older versions of the software caused a hang when more than one reminder message were raised by the system and the option to block the messages was enabled.
- The hard reset survive feature does not restore the ActiveSync partnership anymore. Restoring the partnership caused ActiveSync to clear all PIM data on groupware servers after surviving a hard reset.
- ExtendedSystems OneBridge PIM Manager and OBCPush services are now temporarily disabled while the device is locked. This ensures that only changed data will be synchronized (for earlier versions all PIM data was sync'ed every time) and that no encrypted data will be sync'ed to the Groupware server.
- A hang has been fixed where the OK button was not visible sometimes in the dialog that appears when trying to define a new password that does not follow all password rules.
- Configuration files now contain also the settings specified in the Authentication / ActiveSync part of the administrative template. In earlier versions these settings could not be exported for use on a different administration machine.
- PIM Encryption: There is now a flag in the administrative templates to power off the device after PIM encryption. The default (and also valid for versions up to 3.00.3) is to not switch off the device after PIM encryption unless it woke up only for that purpose. Version 3.00.4 per default did switch it off always which caused some confusion.
- SafeGuard PDA now blocks activation of the HP Protect Tools software. A message is shown to a user when he tries to activate the HP software in case that SafeGuard PDA is installed.
What Has Been New In 3.00.4
- PIM Encryption: The administrative template now allows specification of an additional PIM encryption timeout value. When the device is being turned off (or when it is turned off automatically through the idle timer) SafeGuard PDA waits for the specified number of seconds, then wakes the device, encrypts the PIM data and goes to sleep again. In earlier versions there was a fixed value of 60 seconds, now this time can be specified in the administrative template. Note that the minimum value is now 90 seconds which is necessary for some devices like the T-Mobile MDA.
- PIM Encryption: Phone PDA’s are not switched off automatically after encryption if the phone is in use at that time.
- PrivateDisk volumes can now additionally be protected with the company key. PrivateDisks then can only be used on PDA’s with the same company key. All other PDA’s (and the PC version of PrivateDisk) return ‘wrong password’ messages even if the correct password is tried. The setting can be activated in the PrivateDisk section of the administrative template.
- The CD now contains an additional program_addons\samples\2577 directory that demonstrates the directory structure needed for distribution of the software via storage card, including the hard reset survive feature. NOTE: the files are for demonstration purposes only. CAB files, the company key file and the configuration file must be replaced by the correct files of your enterprise!
- WLAN Blocking: this now works built-in for the HP iPaq hx2410 device. There has also been a fix for the case of entering driver names of currently unknown WLAN devices in the administrative template.
What Has Been New In 3.00.3
- In earlier versions the logon screen flickered in case of different languages of the operating system and the regional settings.
- Usage of the phone while device is locked has been reworked. Contact detail windows are now being closed automatically. For calling a contact either press the green phone button or select a number in the contact's context menu.
- PIM Encryption: The device will be automatically switched off after PIM encryption if the device is running on battery.
- The CD contains an additional CAB file sgreboot.ppc30_arm.CAB in the directory \program_addons\cabs. This CAB file automatically starts the tool \Windows\sgreboot.exe with parameter /reboot. This is useful when installing SafeGuard PDA with help of Extended Systems OneBridge.
What Has Been New In 3.00.2
- PIM Encryption: A bug "error en-/decrypting PIM data" has been fixed that happened on phone PDA's when synchronizing over the air and encrypting emails.
- PIM Encryption: The today screen content now is disabled while en-/decrypting PIM data. This increases speed for the login process.
- The SafeGuard PDA QuickAccess application security check introduced with version 3.00.1 (see below) can now be disabled in the administrative template (sometimes necessary to prevent conflicts with third party software).
- The software now supports installation on new HP IPAQ 2xxx models. Previous versions of SafeGuard PDA had conflicts with the built-in fingerprint library from HP (although these devices don't have a fingerprint sensor, the corresponding library is included in the ROM image).
- Installation via storage card now also allows installation of the hard-reset-survive feature. For that, additionally to the other needed files (see manual) copy the autorun.exe file from the product CD’s directory \program_addons\autorun\Hard_reset_survive to the storage card directory \2577\SGPDA. The presence of this autorun.exe tells the installation to copy the SGPDA files to the persistent file store when installing the SafeGuard PDA product. Note: 1. The autorun.exe in the storage card directory \2577 must be copied from the CD’s directory \Program_addons\autorun and is different to the autorun.exe in \2577\SGPDA. 2. On some devices autorun.exe is not started automatically when inserting a storage card for upgrading SafeGuard PDA. In this case autorun.exe must be started by hand, using the Explorer application.
What Has Been New In 3.00.1
- PIM Encryption: Mails in the outbox are no longer encrypted by default. When using over-the-air synchronization while the device is locked, e.g. via WLAN or GPRS, encrypted data would otherwise be sent over the wire and to the mail recipients. This behavior can be configured in the administrative template: encryption of mails in the outbox can be enabled if needed, provided the above synchronization mode is not used.
- PIM Encryption: There had been a problem where parts of the PIM data (some appointments, mails and calendar entries) have not been decrypted after logon to the device. The encrypted data then has been synchronized with the PC side and could cause loss of data. This bug is fixed in this version.
- PIM Encryption: If decryption of PIM data fails, SafeGuard PDA now shows a warning message and automatically issues a device soft reset.
- Deployment with CAB files on storage card: the autorun application now supports upgrading to the new version, if a PDA already contains an older version of SafeGuard PDA.
- Support of new Windows Mobile 2003 SE screen orientations has been enhanced: When using landscape mode, the logon dialog now switches to portrait mode automatically. After logon, the device is reset to its original screen orientation.
- High resolution displays (640x480) are now handled correctly.
- A bug stalling the SafeGuard PDA QuickAccess application (the application controlling the small PDA icon in the lower-right corner of the screen) has been fixed.
- For security reasons the state of the SafeGuard PDA QuickAccess application is now checked in short intervals. If the application does not respond for some seconds, a security alert is raised and a device soft reset is done automatically! Note that this can cause security alert messages together with backup programs that don't restore all SafeGuard PDA files correctly!
- Additional minor bugfixes.
What Has Been New In 3.00.0
- PIM Encryption: Separately configurable encryption of calendar, contacts, to-do lists, e-mails and e-mail attachments
- Configurable "Notification" behavior: Allows selection whether calendar alarm notifications or SMS shall be visible for the user without authentication (in SG PDA 2.10 this was always YES)
- Secure Screensaver: PDA may be automatically locked now after a given time of user inactivity without requiring to turn the PDA off
- Improved Biometric Signature Module: Configurable option in Enterprise Edition (sensitivity, invisible ink, ...)
- Hard Reset Survive: Optional automatic re-installation of SG PDA after a hard reset including the most recent configuration and passwords
- Bluetooth / WLAN blocking: In addition to infrared, now also these functions may be centrally disabled
- Unrestricted Phone Function: Allows using the phone application without authentication (convenience)
- Event Logging: Logging of relevant events e.g. "false logon try" on PDA
- SafeGuard PDA API: Allows customer applications to make use of SG PDA functions e.g.: Create PrivateCrypto archives, mount PrivateDisks or create event logs.
- Supports Windows Mobile 2003 and Windows Mobile 2003 Second Edition (new). Pocket PC 2002 devices are not supported anymore.
- There is now a status bar in the authentication screens, showing time and battery information while the device is locked.
What Has Been New In 2.10.1
- SafeGuard PDA 2.10.1 contains the following improvements over version 2.10.0:
- On iPaq 5x50 devices the Utimaco settings dialog is now started when a user tries to start the system's password control panel applet.
- Minor bugfixes (French dialogs, better description of FlashStoreIdentifier setting, ...)
What Has Been New In 2.10.0
- Support of Windows Mobile 2003 devices
- A French user interface has been added to the existing English and German languages. The user interface language can now be chosen in the settings dialog.
- PrivateDisk can now be configured to use the logon password for its disks, which allows a single-sign on to the SafeGuard logon and PrivateDisk devices.
- Biometric fingerprint logon on iPaq 5x50 devices.
- The SafeGuard PDA Management Console Snap-In can now be used to select custom bitmaps, sounds and the list of forbidden passwords. Files are transferred to the PDA automatically.
- Symbolic names are supported for the PrivateDisk initial disk storage location. The list of supported names is documented in the manual.
- PrivateDisk users can be forced to use all memory of storage cards for a PrivateDisk drive.
- SafeGuard PDA can remember the account information for VPN products. If the defined product shows a logon dialog, SafeGuard PDA fills the account information edit fields in the dialog automatically. A list of supported products and versions can be found in the manual.
- The CD contains installation scripts for Afaria 4.x and Afaria 5.0.
- The CD also contains a tool "autorun.exe". If this tool and the SafeGuard PDA CAB files are put into an autorun folder on memory cards, the product will be automatically installed after inserting the card. This allows distribution of the software to PDA users via memory card. More information about the autorun tool can be found in the manual.
What Has Been New In 2.02.0
- It was possible that the PDA hangs after a soft-reset if the creation of a PrivateDisk was not possible due to an error condition. The hang was fixed!
- PrivateDisk now works with SPrintDB 1.7a from KaioneSoft.
What Has Been New In 2.01.0
- Setup can now upgrade from previous (demo-) versions (Settings will be lost during upgrade and upgrade between Personal and Enterprise Edition or vice versa is not supported. If in doubt, please de-install the old version completely before installing the new one.) The current demo version must be de-installed before full version can be installed.
- PrivateDisk can now dynamically detect memory card insertion/removal on a broader range of devices (e.g. did not work on FSC Loox and IPAQ 5450 in version 2.0)
- Fixed a problem that caused PrivateDisk passwords not to be changed in certain enforced cases, although user tried to do so.
- SafeGuard PDA now works with HP's IPAQ 5400 series.
- Some other minor bugfixes and improvements.
Other Important Hints
You can order the licensed version from any authorized Utimaco reseller. The Personal Edition of SafeGuard PDA is also available online:
Utimaco: www.utimaco.com
Handango: www.handango.com
PocketGear: www.pocketgear.com
See http://www.utimaco.com/SG-PDA for more information on this product.
Oberursel, Germany, 2006-06-02

