TealLock User's Manual

Program Version 6.75

Last Updated: November 30, 2007

Table of Contents


Chapter 1 – Introduction
   Overview
   Contents
Chapter 2 – Installing
   Installing to one handheld
   Installing to multiple handhelds (Site License)
   Upgrading from older versions
   Backing up your data
Chapter 3 – Overview
   PalmOS Standard Security
   TealLock Enhanced Security
   TealLock Versions (comparison chart)
   TealLock Lite Edition
   TealLock Standard Edition
   TealLock Corporate Edition
   TealLock Enterprise Edition
   QuickLock
Chapter 4 – Getting Started
   TealLock Status
   Setting a User Password
   Setting a Quick Password
   Changing Private Records
   Locking the Handheld
   Changing Settings
Chapter 5 – Activation Settings
   Automatic Hide/Mask
   Automatic Locking
   Locking Options
   Unlocking Options
Chapter 6 – Display Settings
   Lock Screen Placement
   Background Image
   Launcher Buttons
   Lock Screen Call
   Lock Screen Colors
   Lock Screen Keypad
   Lock Screen Text
   Lock Screen Window
   Other Controls
Chapter 7 – Input Settings
   Password Entry
   Button Shortcuts
   Graffiti Shortcuts
   Keyboard Shortcuts
   Screen Shortcuts
Chapter 8 – Passwords Settings
   Admin Password
   Guest Password
   Quick Password
   User Password
   Password Controls
   Password Expiration
   Password Options
   Password Permissions
Chapter 9 – Security Settings
   Apps – Alarms
   Apps – Allowed
   Apps – Excluded
   Apps – Protected
   Encryption – Card
   Encryption – Files
   Encryption – Apps
   Encryption Options
   Files – Protected
   Self Destruct Mode
Chapter 10 – Other Settings
   History Log
   Remote Locking
   Remote Unlocking
   Remote Self Destruct
   Make Fallback File
   Make Install File
   Make Policy File
   Make Uninstall File
   Special Options
   Tips and Hints
Chapter 11 – Enabling PalmOS Phones
   Allowing Timed Activation
   Receiving Incoming Calls
   Dialing Outgoing Calls
   Treo600 / Treo650 Operation
Chapter 12 – Restricted Use Mode
   Setting up Locking Screen
   Setting up Password
   Setting up Applications
Appendix A – Usage Tips
   Setting a Password
   Emergency Password
   Receiving calls with your Treo or Kyocera Smartphone
   Welcome Screen
   System Lockout Screen
Appendix B – HIPAA Compliance with TealLock
   Background
   TealLock HIPAA compliance features
Appendix C – Security Whitepaper
Appendix D – Compatibility
   Installation and launching
   Password entry
   PalmOS Phone Support
   Compatibility
   Alarms
   Encryption
   Flash Memory
   Site Licenses
Appendix E – Products
Appendix F – Revision History
Appendix G – Contact Info
Appendix H – Registering Individual Copies
Appendix I – Site Licenses
Appendix J – Legal Notice

Chapter 1 – Introduction



Overview

Thank you for trying TealLock. This program password-protects your handheld device, ensuring the security of your personal and company data.

This manual supports the following versions of TealLock:

· TealLock Lite Edition

· TealLock Standard Edition

· TealLock Corporate Edition

· TealLock Enterprise Edition

Contents

This archive contains the following files:

Program files:

TEALLOCK.PRC The TealLock program file

QUIKLOCK.PRC Optional “quick-lock” stub launcher icon

TPSETUP.EXE Easy-installer program (Windows)

BG_CASH.JPG.PDB Sample background image in Palm Public Jpeg format

BG_GOLF.JPG.PDB Sample background image in Palm Public Jpeg format

BG_SNOW.JPG.PDB Sample background image in Palm Public Jpeg format

BG_STAR.JPG.PDB Sample background image in Palm Public Jpeg format

BG_TREE.JPG.PDB Sample background image in Palm Public Jpeg format

Document files:

LOCKDOC.PDF Program manual in Adobe Acrobat (PDF) format

LOCKDOC.HTM Program manual in HTML format (sans images)

LOCKDOC.PRC Program manual in TealDoc format

REGISTER.HTM TealPoint Registration form in HTML format

REGISTER.TXT TealPoint Registration form in text format

Chapter 2 – Installing

Installing to one handheld

Windows:

Double-click on TPSETUP.EXE to install the necessary files.

All Operating Systems:

You may also use the Palm Installer to install TealLock. After installing the program file, TEALLOCK.PRC, the program will appear on your device after the next HotSync. You may also want to install the optional background images and LOCKDOC.PRC, the TealLock manual as a Palm OS document. The latter can be read with our application TealDoc and similar document readers.


The PalmOS Installer (sometimes named “quick install”) appears as an icon in the Palm Desktop program on your desktop computer. Instructions on how to use the Palm installer should come in the documentation that comes with your handheld.

Installing to multiple handhelds (Site License)

When licensing TealLock Corporate Edition or TealLock Enterprise Edition, a custom .PRC file will be delivered upon completion of a Site License Agreement. Use the Palm Installer to install this file onto a single administrator handheld.

After configuring the desired security settings and Administrator Password on the initial device, follow the instructions in the Installation File section of this manual to transfer those settings to all other handhelds covered in the site license.

Upgrading from older versions

When upgrading TealLock from older versions of the program, you may safely HotSync the new version over the old, but you must turn off the previous version before HotSyncing the new one. If you don’t, HotSync will not be able to copy the new version over. If significant features have been added in the new version, you may need to re-enter your password, settings and registration information.

Backing up your data

Due to the security nature of this program, you are strongly advised to back up your organizer with a HotSync or other means before activating TealLock and setting a password. If you forget your password or run a downloaded application that interferes with TealLock, you may not be able to regain control of your handheld without performing a hard reset and erasing all its data.


Chapter 3 – Overview


Every year, some 20,000 handheld organizers are lost or stolen, many loaded with sensitive private or personal information. Most of these units have no protection against unauthorized use. TealLock fills this need by automatically locking a PalmOS handheld, hiding private records according to customized settings, encrypting sensitive data in memory or external storage cards, and requiring a password for continued use.


PalmOS Standard Security


Most PalmOS handhelds come equipped with basic security features such as a system password, private record support, and a system-locking screen.

However, the default system is cumbersome, as one usually has to manually start the system security application to change the state of hidden records or to lock the device. Furthermore, its interface is inflexible; it features few activation or customization options, and it supports no administrator features to make it suitable for deployment in a multi-user corporate environment.

In addition, the default system is largely insecure, including no encryption features to prevent unauthorized access to sensitive data. Even worse, the standard security features are often too clumsy to use, so they go ignored, leaving most handhelds with no security whatsoever.

TealLock Enhanced Security


TealLock replaces the standard security application. It offers greater flexibility in order to meet individual and corporate security needs. TealLock supports:

· 128-bit hashed passwords

· encryption of files in both memory and external cards

· password entry by hardware buttons or screen keypads

· customized locking screens with text and images

· shortcut activation by graffiti, screen swipes, or buttons

· automatic timed lockout with numerous options

· administrator password with adjustable user access privileges

· self destruct mode to deter password guessing

· detailed history log for access audit

· remote unlock and self destruct by SMS message

· and much more…

TealLock Versions (comparison chart)

TealLock is available in four different versions for consumer and corporate use:


TealLock is so powerful that it has been adopted by Palm itself, appearing in ROM on select Palm handhelds such as the Tungsten T2 and Tungsten C. TealLock incorporates all the features present in this enhanced TealLock Security application, with additional customizations and encryption options available nowhere else.


TealLock Lite Edition

TealLock Lite Edition features a streamlined interface designed for ease of use. It supports the most used security and customization options, but removes options that may be confusing or require advanced system knowledge to properly configure. It is recommended for novice to average customers wishing to upgrade their device security.

TealLock Standard Edition


TealLock Standard Edition is a security solution for more advanced users. It supports powerful features and configuration abilities not available in TealLock Lite Edition.


TealLock Corporate Edition

TealLock Corporate Edition expands on TealLock Standard Edition, providing features especially useful in a corporate environment, including a separate administrator password. The administrator password allows a company’s IT department to access a handheld or issue a time-sensitive emergency password should an employee forget his or her password. More importantly, when an administrator password is active, the user is required to continue using the program; an employee cannot turn off or delete TealLock, and may only change selected configuration settings. The administrator can also:

· unlock employee devices, using a time-sensitive temporary password

· set a minimum length for user passwords

· require use of both numbers and letters in user passwords

· require both upper and lower case letters in passwords

· lock out the User Password after too many failed attempts (bit wipe)

· install identical settings on multiple devices using an install file

· update settings using a combination of install and uninstall files

TealLock Enterprise Edition

For maximum security, TealLock Enterprise Edition adds features that make it ideally suited for use in large organizations demanding top-notch protection:


· Adds 128-bit AES encryption.

· Adds support for a Settings Policy File that can upgrade security policy on employee handhelds in a single step. A Policy File lets existing users keep their User Passwords, and eases deployment of new settings to many employees.


With its full set of features, TealLock Enterprise Edition is an ideal component in a health care organization’s HIPAA compliance program. See the Appendix in this document: “Using TealLock in a HIPAA Compliance Program” for more information.

QuickLock


Included in the TealLock zip file is QuickLock, an optional launcher icon you can run to lock your handheld. QuickLock appears as a separate app with the name “QL”.


When started, QuickLock simply looks for the TealLock application and calls it to lock the handheld. Use TealLock to add “Lock Immediately” functionality to third party popup launchers, button mapping programs, and any other applications that can run specified apps.

QuickLock also appears as a nondescript icon on the launcher (called “QL”), so if someone unfamiliar with TealLock starts snooping around your device, they will likely lock the handheld unwittingly when they try to open QuickLock.


Chapter 4 – Getting Started


Once installed, start TealLock by tapping on the TealLock icon in the Palm applications launcher screen. The TealLock Main Screen will appear. Here you can set a password, show or hide private records, or turn on or off TealLock protection.

TealLock Status


The TealLock Status indicator shows whether TealLock has been activated. Activation is necessary before TealLock can respond to shortcut macros or automatically lock or hide private records.

Select the ON box to activate TealLock protection.


If a User Password or Admin Password has been set, it will be requested before TealLock can be enabled, and will be needed again before TealLock can be turned back off. An Admin Password is only supported in TealLock Corporate Edition and TealLock Enterprise Edition.

NOTE: Some versions of the standard Security App support basic automatic locking features. Do not use any of these automatic features when TealLock is running. To avoid conflicts, use TealLock automatic locking instead.


Setting a User Password


The User Password indicator on the main screen shows if a User Password has been set.

Tap on the User box to set a User Password.

Choose a password you can remember, but not one that can be easily guessed. You’ll be asked to enter it twice to make sure you haven’t made a mistake.


TealLock maintains its own User Password, which is independent from the system password set in the standard Security app.

NOTE: A standard Security password is needed to keep PalmOS itself secure, so you should not leave the standard Security password blank even if one has already been set inside TealLock. We recommend making the two passwords the same to avoid confusion. Do this automatically by enabling the Sync User Password to System option, which changes the system password whenever the user password is entered in TealLock. This option is turned on by default.

Setting a Quick Password


The Quick Password is similar to the User Password, but is only accepted if entered correctly on the first try.

Tap on the Quick box to set a Quick Password. You will be asked to enter your User Password first.

The Quick Password is usually shorter than the User Password, and is often made up of key-mapped characters so it can be entered quickly (See Password Entry settings).


A Quick Password is recognized as soon as it has been entered; selecting “OK” is unnecessary. You cannot make any mistakes in the process, however, and may have a limited amount of time to enter it, depending on the Quick Password settings. If you make an error while entering a Quick Password, you have to stop and use your User Password instead.

NOTE: A user can normally set a Quick Password on the TealLock Main Screen. In TealLock Corporate Edition and TealLock Enterprise Edition, however, this ability can be disabled in User Password Settings if the administrator considers it a security risk.



Changing Private Records

Palm OS supports a global private record state that is used by applications to hide or show sensitive files, entries, or data records. TealLock can manipulate this state, either automatically or under manual control.

The Private Records indicator displays the current private records state:

· Shown

· Masked

· Hidden

Select a button to change the current setting. If a password has been set, you will be asked to enter it in order to show private records that have previously been hidden. While this is an inconvenient way of changing private records, the coming chapters will cover how to set up TealLock to automatically change them or allow you to set them manually from a pen, keyboard, or button shortcut.


NOTE: TealLock changes the system global private record state, but does not modify any application data itself.

Under the PalmOS private record system, it is up to individual applications to actually read the current private record state and hide or mask private records and files accordingly. Some applications may hide private records instead of showing them, while others do not support private records at all.

Locking the Handheld


The Lock and Off button on the main screen lets you quickly secure the handheld from within TealLock.

Tap on Lock and Off to lock the handheld.


You can also lock the handheld either automatically or using a Graffiti-, screen-, keyboard-, or button shortcut from inside another program. Configure these options from within the program Change Settings screens, described below.



Changing Settings


TealLock settings are organized into six functional categories, described in the following chapters.

Select Change Settings to visit the TealLock settings screen. If you’ve selected a password, you’ll be asked to enter it to continue.


When a User Password or Admin Password has been set, it will be required to see all settings on the settings screen.

If another password is entered, such as a Guest Password, Quick Password, or User Password (when an Admin Password is active), then the number of settings available will depend on password permissions. If none are available, the password will not be accepted.


Chapter 5 – Activation Settings


The Activation Settings screens adjust when and how TealLock engages to automatically lock the device or change private records. There are four activation settings screens:


Automatic Hide/Mask


Use the Automatic Hide/Mask screen to set when private records are automatically hidden or masked. The following options are available:


Enabled between specified hours

Specifies a time range when automatic activation is active. This option does not by itself hide private records. Instead, it just specifies times when the other automatic options are applicable.

TIP: Setting the first time earlier than the second time (e.g. 8:00 am to 6:00 pm) will enable automatic activation for the times in between. Setting the first time later than the second time, however (e.g. 6:00 pm to 8:00 am), will enable automatic activation at all times before the first time or after the second time on any given day. The times are inclusive; setting both times to the same value will DISABLE automatic activation at all times. Set them to 12:00am – 11:59pm to enable them at all times.
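The window rules in the TIP above, as an added example (not TealPoint's code): a small Python check an administrator could run over planned settings to catch a window that never applies or leaves part of the day uncovered. The function names and sample policies are constructed, and the overnight case is assumed to wrap past midnight (active from the first time until midnight and from midnight until the second time).

```python
import re

MINUTES_PER_DAY = 24 * 60
_CLOCK = re.compile(r"^\s*(\d{1,2}):(\d{2})\s*([ap]m)\s*$", re.IGNORECASE)


def to_minutes(text):
    """Convert a 12-hour clock string ('6:00 pm', '12:00am') to minutes after midnight."""
    match = _CLOCK.match(text)
    if not match:
        raise ValueError(f"not a 12-hour time: {text!r}")
    hour, minute = int(match.group(1)), int(match.group(2))
    half = match.group(3).lower()
    if not (1 <= hour <= 12 and minute <= 59):
        raise ValueError(f"out-of-range time: {text!r}")
    hour %= 12  # 12:xx am becomes 0:xx; 12:xx pm becomes 12:xx after the shift below
    if half == "pm":
        hour += 12
    return hour * 60 + minute


def window_active(start, end, now):
    """Return True if automatic activation applies at time `now`."""
    s, e, t = to_minutes(start), to_minutes(end), to_minutes(now)
    if s == e:
        return False  # manual: identical times disable automatic activation
    if s < e:
        return s <= t <= e  # same-day window, both ends inclusive
    # Assumption: a later first time wraps past midnight.
    return t >= s or t <= e


def covered_minutes(start, end):
    """Count the minutes of a day during which the window is active."""
    s, e = to_minutes(start), to_minutes(end)
    if s == e:
        return 0
    if s < e:
        return e - s + 1
    return (MINUTES_PER_DAY - s) + (e + 1)


def audit(policies):
    """Map each policy name to a finding when its window has a coverage gap."""
    findings = {}
    for name, (start, end) in policies.items():
        covered = covered_minutes(start, end)
        if covered == 0:
            findings[name] = "never active: identical start and end times"
        elif covered < MINUTES_PER_DAY:
            gap = MINUTES_PER_DAY - covered
            findings[name] = f"inactive for {gap} minutes per day"
    return findings


# Constructed sample settings, not taken from a real deployment.
SAMPLE_POLICIES = {
    "always": ("12:00am", "11:59pm"),
    "office hours": ("8:00 am", "6:00 pm"),
    "overnight": ("6:00 pm", "8:00 am"),
    "misconfigured": ("9:00 am", "9:00 am"),
}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_POLICIES).items():
        print(f"{name}: {finding}")
```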

Enabled on specified days

Sets the days of the week when activation options are active. On the days that are not highlighted, automatic activation will not occur until the next valid day.

Minutes after power off

Activates a specified number of minutes after turning off the handheld. Set to “0” to activate immediately on power off.

Minutes after password entry

Activates a specified number of minutes after the last valid password entry. When using this setting, your password acts “logged on” for only the specified period of time before it needs to be re-entered.

NOTE: The unit must either be powered down or idle for one minute before actual hiding or locking takes place, as the program will not forcibly take control of the unit while it is still being used.

Minutes after last activity

Activates a specified number of minutes after the last user pen tap, button press, keyboard character entry, or other user activity.

NOTE: The unit must either be powered down or idle for one minute before actual hiding or locking takes place, as the program will not forcibly take control of the unit while it is still being used.

Daily, at time

Activates at a specified time of day.


If powered up between specified hours

Activates if the handheld is powered up during specified hours.

On card removal

Activates if an SD/MMC card is removed.

On reset

Activates if the unit is reset either by a system crash, by software control, or by the pinhole reset button in the back of the handheld.

NOTE: If the handheld is locked or if “protected” apps have been selected, the standard Security application will pop up first after a soft reset. This is the normal system behavior that is hard coded in PalmOS.

Automatic Locking


Use the Automatic Locking screen to set the same options described above, but for automatic locking.

Locking Options



Use the Locking Options screen to adjust how TealLock locks the device or what items are secured when locking does occur.

Allow auto-lock while on if inactive xxx secs

The handheld will auto-lock while the device is on only if it has been idle longer than the specified amount of time. If unchecked, auto-locking will only occur when the handheld is allowed to power off.

Power off if auto-lock while on

When this option is checked, the handheld will turn off if automatic locking kicks in while the handheld is on. This can occur from the Lock after password entry, Lock after activity or Lock at time options.

Power off if manual-lock

When this option is checked, the handheld turns off after being manually locked from a manual shortcut or main screen lock button.

Wake up handheld to lock/hide

Time-dependent automatic locking conditions—such as Lock after elapsed minutes or Lock daily at time—may require TealLock to lock the handheld while it is still off. When the Wake up to lock option is checked, TealLock uses a system timer to briefly wake the handheld and lock the unit. This ensures that the handheld is already locked and records have been encrypted by the time the handheld is manually awoken later.

If this option is unchecked, TealLock will instead check the elapsed time after waking up. This can be slightly less secure, as the handheld will not be locked until after power up. Because of this, it’s not generally advisable to turn off this option unless a specific application conflict or other issue necessitates it.


Blank screen before switching current app to TealLock

When TealLock automatically hides private records or locks the device, a flash of the previous screen might be seen during the transition. With this option enabled, TealLock erases the current screen upon power off, and only redraws on power up if an automatic lock or hide condition is not satisfied.

TIP: Some applications automatically redraw themselves upon power-up and thus will not be affected by this option. If you encounter unexpected blank screens or other conflicts, disable screen blanking.

Lock out system popup windows

When this option is checked, TealLock calls a PalmOS system function that blocks most system popup windows, such as those used to respond to network or wireless events. Uncheck this option to allow system pop-ups if required for a particular need. The usefulness and functionality of this option will vary from device to device depending on third party add-ons and system software.

Lock out silkscreen buttons

If checked, this option blocks pen taps on the silkscreen buttons surrounding the Graffiti writing area of handhelds with Graffiti support.

Lock out Infrared port

When checked, this option opens up the PalmOS infrared library upon locking to prevent files from being beamed to the device. Uncheck this option if you encounter error messages due to another IR-based application or non-existent IR port.

Lock out serial port

When checked, this option opens up the serial port upon locking. This can prevent the unlikely scenario of someone using the Palm OS serial debugger or other program to access data on the unit, and is primarily useful when running PalmOS 3 devices. Handhelds running PalmOS 4 or later already do not allow the serial debugger to run when the system is locked.

Using this option can consume power more quickly on some devices, and you should not use this option when connected to an external modem or another device that might automatically turn on when the port is left open.


Unlocking Options



Use Unlocking Options settings to adjust what TealLock does after unlocking the handheld.


Call TealGlance on Unlock

This option tells TealGlance to bring up its information screen after unlocking. TealGlance normally appears on power-up, but won’t do so if the device is locked. This option provides for a delayed activation of that program.

Launch specified app on unlock

This option lets you specify a program to run after unlocking. Any application can be specified here, including the system launcher.

When this option is unchecked, TealLock tries to instead return to the program originally running before locking was requested. If the previous app was run from a card, however, then the system launcher is run instead.

Requeue unmappable or ignored wake-up keys pressed while locked and asleep

When this option is checked, hardware button presses that wake up the handheld are remembered and re-queued into the system event queue after unlocking. This has the effect of launching any apps mapped to those buttons after unlocking.

In order to use this option, the relevant button press cannot be remapped to another function. This means that either the button is a new button that does not support a mapping in Password Entry settings, or is unmapped because the Ignore initial wake-up key press option is enabled.


Chapter 6 – Display Settings

Display Settings let you adjust the appearance, contents, and functionality of the TealLock locking screen.


There are eight display settings screens:


Lock Screen Placement


On most display settings screens you can use the Lock Screen Placement window to preview changes you’ve made to the lock screen layout, contents, or colors. Do so by tapping on the “Preview” button, which is also called “Place” in some settings screens.


Move elements around the screen by dragging them with the pen, or use the sizing box in the lower right. When done, tap on the close button in the upper right corner to return to the previous settings screen.


Background Image


Use the Background Image screen to select a picture to be used as a backdrop for the lock screen. The image must already be loaded onto your handheld, and can be in TealPaint, GIF, BMP, or JPEG format.



Choosing an Image Source

Tap on the image name box at the top of the screen to select an image. You’ll be presented with a file selection window. Highlight an appropriate image and select Preview to view the image, or OK to import it into TealLock.

TIP 1: Under PalmOS, image viewers sometimes store images in custom formats or place them in a hidden file volume where they are not generally accessible. Because of this, try copying images to an external storage card if you have trouble finding them in TealLock.

TIP 2: If an imported image is larger than the current screen, it will be resized down to fit. On handhelds with variable displays, if you will primarily be viewing the lock screen in landscape or full-screen mode you may wish to already be in that mode when importing the image.

Cache background image for speed

When this option is checked, TealLock will allocate a temporary drawing buffer to speed up drawing of the lock screen. There is rarely a reason to uncheck this option, but it may be helpful should a device be too low on graphics memory to run with the buffer enabled.


Clear text backgrounds

Normally, text items on the lock screen are drawn with both a foreground and background color. They appear as letters on top of rectangles of a contrasting color. When this option is checked, however, no background appears, and a background image “behind” the text can show through.


Scale to fill window area

If an imported image is smaller or larger than the current display, it is normally letterboxed or cropped and centered in the lock screen window. When this option is checked, however, the image is stretched or compressed to fill the whole window. The image can be stretched taller or wider, distorting the proportions of the original picture, so this is most suitable to abstract designs and landscapes where stretching is okay.

Force grayscale

When this option is checked, monochrome handhelds running PalmOS 3.3 or higher will show background images in 16-shade grayscale instead of the default black and white mode.

Force 16-bit mode

When this option is checked, color handhelds switch to 16-bit mode for better looking color photos.

Image number

TealPaint image databases can contain more than one image. To select a specific picture in a multi-image TealPaint database, enter the image number here, or enter “0” to randomly select a different image every time you enter the lock screen.

Animation

Check this option to treat a multi-image TealPaint database as a single animation or slideshow. To adjust the animation speed, select a time to pause between frames, expressed in milliseconds.

For best results, make sure the source image used matches the current display mode of the handheld. Most monochrome devices run applications by default in 1-bit mode, while color apps are typically run in 8-bit mode, unless you’ve overridden these values with the Force grayscale or Force 16-bit mode options.

Launcher Buttons



Use the Launcher Buttons screen to add buttons to the launch screen to run selected apps.

This adds a way to launch applications that, unlike phone dialers and backup apps, may not have a way to launch themselves from a timer or dedicated hardware button.


TIP: When using this option be sure to add the applications to your “Allowed Apps” list, described in the Security Settings chapter.



Lock Screen Call


Use the Lock Screen Call feature to add a button to the lock screen that can be pressed to call a predetermined number. Use it as an emergency calling feature or a way to encourage return of a lost handheld.


NOTE: When enabling this feature, you will probably need to add your phone’s dialing application to your Allowed Apps List, and may wish to specify a return call time to relock the handheld after initiating the call. See Security Settings for more information on using allowed apps.

Lock Screen Colors


Use the Lock Screen Colors screen to adjust the color of buttons, controls, and text on the lock screen. To change an element, tap on the colored box next to its name. You can see a quick preview at the top of the screen, or select the Preview button for a full size preview of the actual lock screen.



Lock Screen Keypad

Use the Lock Screen Keypad screen to select a password input keypad. You can choose either large or small keypads in either phone layout (123 on top) or numeric layout (789 on top) or a full alphanumeric on-screen keyboard.

Using the Alpha Keyboard

In addition to the normal Alphanumeric keys, the Alpha Keyboard provides four special-purpose buttons:

Backspace (Left arrow)

Erases last character entered

Caps Lock (Up arrow with gap)

Locks keyboard in shift mode

Caps Shift (Up arrow)

Shift keyboard to enter capital letters and symbols (may combine with symbol shift)

Symbol Shift (Dot)

Shift keyboard to enter international characters and additional symbols


Randomize button order

Check this option to prevent someone from guessing your password from watching your pen movements. It shuffles the order of buttons every time you lock your handheld.


Lock Screen Text


Use the Lock Screen Text settings to adjust the two optional screens of text you may add:

· Owner Text, which appears as text on the lock screen

· Help Text, which appears in a separate popup window when a help button is tapped.


Edit Button

Select the Edit button to edit or create text.

Font Button

Select the Font button to change the font used to draw the text.


Sync with system owner text


If this option is checked, the selected text is synchronized with the owner text in system Prefs. If both owner and help text are synchronized to the system text, they will be the same.

Left/Center/Right

Adjusts how the owner text is aligned in its bounding box.


Lock Screen Window

Use the Lock Screen Window settings to adjust the appearance of the lock screen window frame and title bar:


Window title

Sets the contents of the title bar

Window border frame

Draws a border around the lock screen.

Show phone status in title bar

Adds icons in the title bar for voicemail and signal strength.

Left handed

Swaps the OK button to the left side of the password entry line.

Other Controls


Use the Other Controls screen to add or adjust several miscellaneous elements for the locking screen:


Battery level indicator

Adds a battery level indicator to the lock screen.

Entry attempt count

Shows a count of password attempts (tries) entered into the lock screen.


Date display

Adds the current date in either short format (2 digit year) or long format (4 digit year), or “no year” format.

Time display

Adds a time indicator to the lock screen. If PalmOS system Prefs are set to a 12-hour time format, a “long” time display will add “am” or “pm” to the 12-hour time.

Private record boxes

Adds boxes to the lock screen that select the state of private records before unlocking the device. The initial state of the boxes can be set to match its last value (“Prev”), or specifically to “Show”, “Mask”, or “Hide”.

Leave card encrypted icon

Adds a disk icon to the lock screen that can override decryption of encrypted card files. The icon has two states:

Checkmark – Decrypt card files on unlock

Blocked (X) – Do not decrypt card files on unlock

When you leave files encrypted, they will be inaccessible and will appear missing to any programs looking for them until you relock your handheld and unlock it with decryption enabled.

The default state of the card icon can be set to “Prev” (restore last setting), “Yes” (leave files encrypted), or “No” (don’t leave them encrypted).

Chapter 7 – Input Settings


TealLock Input Settings adjust how passwords are entered and how shortcuts activate TealLock functions from within other applications. Input Settings include:


Password Entry


Use the Password Entry settings to map characters and functions to the four application buttons, the Palm 5-way controller, and the auxiliary voice/jog buttons on various handhelds.

If a password is set to mapped characters, you can enter that password pen-free in all TealLock password entry screens.



Tap on the box next to a mapping to change its value:

Act normally

Perform no mapping.

Enter the password

Simulate press of the OK button.

Clear the password

Erase all entered text.

Backspace

Backspace.

Show/Mask/Hide private records

Set private record boxes on the lock screen to “Show”, “Mask”, or “Hide”.

Insert letter/number

Append the specified character to the text entry line.

NOTE: The following AUX button mappings are currently supported. Other and future devices may or may not use compatible key codes.

AUX1: PalmOS 5.2 jog button, CLIE jog wheel, Treo jog button, HandEra jog wheel, and PalmV contrast button.

AUX2: PalmOS 5.2 back button, CLIE back button, Treo voice record, Tungsten T3 voice record/favorites button

Two additional options are also available:

Ignore initial wake-up key press

When this option is checked, buttons pressed while the handheld is off are not mapped.

Enable G2 write anywhere

When this option is checked, the write-anywhere function of Graffiti-2 or TealScript (if present) is automatically enabled when on the lock screen.

Button Shortcuts


Use Button Shortcuts settings to perform lock, show, hide, or mask actions with the press of a special hardware button:

· Jog dial (CLIE, Treo, HandEra, OS5.2)

· Back button (CLIE, Treo, OS5.2)

· Record/favorites button (T3)

· Contrast button (PalmV)


Custom Button

To support other buttons, you can map an action to a user-defined custom key.

Simply tap on the box next to “Custom Key” and press the button you wish to map. If that button generates a unique Palm key code, it will be recorded and saved as a custom mapping.



Graffiti Shortcuts


Use Graffiti Shortcuts settings to hide or show private records or lock the handheld with a special Graffiti stroke. To enter a shortcut stroke, write a cursive 'l' (lower case ‘L’) followed by the specified letter or number.

Shortcut stroke support requires a device with Graffiti, Graffiti-2, or TealScript, which adds Graffiti support to handhelds like the Treo 650 or Treo 700p.

NOTE: Capitalization is ignored and these shortcuts override any standard graffiti shortcut macros, so you should set your TealLock shortcuts to letters that are not used as the first letter of any PalmOS macros specified in Preferences.

Keyboard Shortcuts


Use the Keyboard Shortcuts screen to map actions to keyboard combinations on a Treo keyboard. Each entry consists of a press of one of the four main application buttons (labeled “dial”, “calendar”, “mail”, and “hang-up” on a Treo 650) while holding down the blue/gray option-shift button.


NOTE: On a Treo, an Option+1 combination generates the same key code as the “favorites” button on other handhelds, so don’t map the Record/Fav button in Button Shortcuts when also mapping the Option+1 keyboard combination.

Screen Shortcuts


Use Screen Shortcuts to activate TealLock with pen swipes between corners of the active display screen.


Select the drop down pick list to map each action to a different stroke from any screen corner (upper-left, lower-left, upper-right, lower-right) to another.

Also supported is a “ron-a-matic” stroke from the Graffiti/Graffiti-2 writing area to the top of the screen. If this stroke is mapped to an action here, TealLock overrides any action specified in PalmOS system prefs.

Chapter 8 – Passwords Settings


TealLock Password Settings let you adjust how passwords are chosen and used in TealLock. Password Settings include:

Admin Password


Use the Admin Password screen to set a password that can be used to unlock the device, deactivate TealLock, or access TealLock settings. When an Admin Password is active, the User Password has only the limited access specified in the Password Permissions screen (described below).


An Admin Password is generally only useful in a multi-user environment where individuals set their own User Passwords but a common password is needed for technical support personnel. The Admin Password is only available in TealLock Corporate Edition and TealLock Enterprise Edition.


Guest Password


Use the Guest Password settings to grant limited access to the handheld with a secondary password. This feature is useful when loaning the handheld to friends or family members but wanting to restrict the features or applications available. For instance, one might want to allow a guest to unlock the handheld, but not have access to show private records.

The Guest Password can be granted different access privileges in the Password Permissions screen.

Quick Password


Use the Quick Password setting to define a special short password for fast entry. When enabled, you have only one chance to enter the Quick Password correctly. If an incorrect password is entered, or if it is not entered fast enough, the full password is then required.

Typically, the Quick Password is set to a combination of letters or numbers mapped to the hardware buttons or on-screen keypad. When the password request first appears, a timer begins counting down the remaining time. If the correct password is entered (tapping OK is not required), the password is immediately accepted. If time elapses or an incorrect character is entered, the Quick Password is no longer accepted.

Options:

Time limit

Specifies how many seconds the user has to enter the quick password.

Hold countdown until first key

When this option is checked, the countdown begins only after the first character is entered.

Hide countdown indicator

When this option is checked, the countdown progress bar is not drawn.

Restart timeout if app launched

When this option is checked, running an “Allowed” application will cause the quick password countdown to restart if no characters have been entered and the handheld is re-locked. This can be used to prevent, say, the reception of a phone call from invalidating the ability to enter a Quick Password.


Power off if timeout

When this option is checked, TealLock functions as a phone-style key guard. The handheld will shut off if the Quick Password timer expires before a valid password has been entered. Any entered characters will be cleared and the timer resets so it will start counting down again the next time the handheld is woken up.
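
The Quick Password rules above (countdown, one chance, and the hold and key-guard options) modelled as a small state machine. This is an added illustration, not TealLock code; the class and method names are hypothetical, and rejecting at the first wrong character is an assumption drawn from the wording above.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class State(Enum):
    WAITING = "quick password still accepted"
    ACCEPTED = "unlocked by quick password"
    FULL_REQUIRED = "full password required"
    POWERED_OFF = "powered off (key guard)"


@dataclass
class QuickPrompt:
    """Hypothetical model of one Quick Password prompt; times are in seconds."""
    quick_password: str
    time_limit: float                    # "Time limit"
    hold_until_first_key: bool = False   # "Hold countdown until first key"
    power_off_if_timeout: bool = False   # "Power off if timeout"
    state: State = State.WAITING
    typed: str = ""
    deadline: Optional[float] = None     # None while the countdown is held

    def show(self, now: float) -> None:
        """Lock screen appears: arm the prompt and, unless held, start the countdown."""
        self.state = State.WAITING
        self.typed = ""
        self.deadline = None if self.hold_until_first_key else now + self.time_limit

    def tick(self, now: float) -> State:
        """Apply the timeout if the countdown is running and has expired."""
        if (self.state is State.WAITING and self.deadline is not None
                and now >= self.deadline):
            self.typed = ""  # entered characters are cleared on timeout
            self.state = (State.POWERED_OFF if self.power_off_if_timeout
                          else State.FULL_REQUIRED)
        return self.state

    def key(self, ch: str, now: float) -> State:
        """One character entered; tapping OK is not part of the model."""
        self.tick(now)
        if self.state is not State.WAITING:
            return self.state            # the single chance is already used up
        if self.deadline is None:        # held countdown starts on the first key
            self.deadline = now + self.time_limit
        self.typed += ch
        if not self.quick_password.startswith(self.typed):
            self.state = State.FULL_REQUIRED   # assumption: first wrong character ends it
        elif self.typed == self.quick_password:
            self.state = State.ACCEPTED        # accepted immediately
        return self.state

    def wake(self, now: float) -> State:
        """Handheld woken after a key-guard power-off: the prompt re-arms."""
        if self.state is State.POWERED_OFF:
            self.show(now)
        return self.state


def replay(prompt: QuickPrompt, events) -> State:
    """Feed constructed (time, key) events; key None = wait, "WAKE" = power on."""
    prompt.show(0.0)
    for now, ch in events:
        if ch is None:
            prompt.tick(now)
        elif ch == "WAKE":
            prompt.wake(now)
        else:
            prompt.key(ch, now)
    return prompt.state


if __name__ == "__main__":
    # Constructed sample: quick password "12", 3 second limit, key guard enabled.
    guard = QuickPrompt("12", 3.0, power_off_if_timeout=True)
    print(replay(guard, [(1.0, "1"), (3.0, None)]).value)
    print(replay(guard, [(4.0, None), (100.0, "WAKE"), (101.0, "1"), (102.0, "2")]).value)
```
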


User Password


Use the User Password settings when an Admin Password has been set. They are only available in TealLock Corporate Edition or TealLock Enterprise Edition.

Allow Users to change or set a quick password

If unchecked, this option hides the “Quick” password box on the TealLock main screen, effectively preventing users from setting or changing a Quick Password unless granted password permissions to do so from within Settings.

Lockout User Password

Specifies how many incorrect passwords can be entered in the locking screen before the Admin Password has to be entered instead.

Automatically show device Remote ID Code after lockout

After a lockout, this option shows the device identification code that is needed for Remote Unlocking with a temporary unlock code.

Password Controls


Use Password Controls to ensure insecure passwords are never selected. Options include specifying a minimum password length and requirements to contain numerical digits, letters, and both upper and lower case characters.


TIP: Most experts normally recommend passwords at least 8 characters long. Other requirements further increase security, though it is particularly important not to use common words or names as passwords.



Password Expiration


Use Password Expiration settings to guarantee that passwords are changed regularly. You can specify how often a User Password or Quick Password needs to be changed, and how many times the password must be changed before an older password can be re-used.


TIP: Experts recommend changing passwords regularly to reduce the damage done when a password is inadvertently observed or guessed.

Password Options


Use the Password Options screen to set the following password entry settings:

Mask passwords during entry

When this option is checked, passwords are displayed using asterisks so that prying eyes cannot read the password as it is entered.


Sync user password to system password

When this option is checked, the system Security password is changed to match the TealLock User Password whenever the latter is entered.

NOTE: The synchronization is one-way only. If you subsequently change the system password using the standard Security application, it will not be synchronized back to TealLock. To keep both passwords in sync, only change passwords in TealLock. Do NOT leave the system password blank and un-synced, as one must be set to keep PalmOS itself secure.

Enable emergency password

When TealLock is registered, it is assigned an emergency password based on its HotSync user name and registration information, which accompanies a registration confirmation and key. This key exists as a way for our support personnel to help customers who inevitably forget their passwords after setting them.

Uncheck this option if you are sure you can remember your password. Remember that we have no ability to unlock a handheld when this option is unchecked.

NOTE: The Emergency Password is automatically disabled when an Admin Password has been set. Also, an Emergency Password cannot decrypt encrypted data.

Permit remote unlocking via SMS

When this option is checked on a Treo smart phone, it allows unlocking passwords to be sent to the handheld via SMS message.

Be assured that it does not allow an easy way to unlock the handheld, as a correct password must still be sent. It only provides a way for an administrator to enter an Admin or Remote Unlock Password without having physical possession of the phone. To prevent this feature from being used to “brute force” many password guesses, the “incorrect password” popup must still be dismissed manually every time an incorrect entry is entered.

To deliver an unlock message, send an SMS text message to the locked phone with the following text, replacing “xxx” below with the password to enter.

ENTER PASSWORD (xxx)

Note that there must be a single space both before and after “PASSWORD” in the text above, and the password must be enclosed in parentheses.
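
The message format above as a strict parser, with the manual-dismiss rule modelled as a gate. This is an added example, not TealLock's implementation; the names are hypothetical, and it assumes the message contains only the command, that the keyword is case-sensitive, and that no further SMS attempt is processed while the popup is open.

```python
import hmac
import re
from typing import Iterable, Optional

# "ENTER", one space, "PASSWORD", one space, then the password in parentheses.
UNLOCK_SMS = re.compile(r"ENTER PASSWORD \((.+)\)", re.DOTALL)


def parse_unlock_sms(body: str) -> Optional[str]:
    """Return the password carried by an unlock SMS, or None if the format is off."""
    match = UNLOCK_SMS.fullmatch(body)
    return match.group(1) if match else None


class SmsUnlockGate:
    """Hypothetical model: one wrong SMS raises a popup that a person must dismiss."""

    def __init__(self, accepted_passwords: Iterable[str]):
        self._accepted = [p.encode() for p in accepted_passwords]
        self.popup_open = False

    def receive(self, body: str) -> str:
        candidate = parse_unlock_sms(body)
        if candidate is None:
            return "ignored"       # ordinary text message, not an unlock request
        if self.popup_open:
            return "blocked"       # assumption: nothing is tried until the popup is dismissed
        supplied = candidate.encode()
        results = [hmac.compare_digest(supplied, p) for p in self._accepted]
        if any(results):
            return "unlocked"
        self.popup_open = True     # "incorrect password" popup now on screen
        return "rejected"

    def dismiss_popup(self) -> None:
        """Someone holding the phone taps the popup away."""
        self.popup_open = False


if __name__ == "__main__":
    # Constructed sample messages; "adminpw" is a made-up Admin Password.
    gate = SmsUnlockGate(["adminpw"])
    for sms in ["ENTER  PASSWORD (adminpw)",   # two spaces: not an unlock message
                "ENTER PASSWORD (guess)",      # well formed, wrong password
                "ENTER PASSWORD (adminpw)"]:   # correct, but the popup is still open
        print(repr(sms), "->", gate.receive(sms))
```
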

Password Permissions


Use the Password Permissions screen to specify where Guest, User, or Quick passwords are accepted, and what capabilities they can access.

NOTE: User Password permissions are only available in TealLock Corporate Edition and TealLock Enterprise Edition and apply only when an Admin Password has been set.

Unlock handheld

Permits the password to unlock the handheld.

Show private records

Permits the password to change the private record state.

Run protected apps

Permits the password to run apps in the Protected Apps List.

Modify Settings

Permits the password to enter the Change Settings screen. If only some of the “Modify” permissions are checked, the Change Settings screen will open, but only permitted settings screens will be shown.

Chapter 9 – Security Settings

TealLock Security Settings let you configure additional security and functional features such as encryption and bit wipe. Security Settings include:


Apps – Alarms


Use the Application Alarm screen to block alarms and system timers when the handheld is locked. Use this feature to keep certain applications from auto-launching or putting up alarm windows with potentially sensitive information.

Select Add to select an application to block, or Remove to take it off the list of blocked apps.



TIP: System timers are used by apps to wake up the handheld from sleep. They perform many different operations, including sounding audible alarms, putting up popup reminders, and performing silent maintenance and backup functions. It’s sometimes difficult to guess how a timer is being used, but you can tell which apps are using timers because they are drawn with an alarm clock icon next to their name in the app selection list.

Popup generic alarm dialog

Pops up an info window when a blocked alarm goes off.

Play alarm sound

Play a system alarm sound when a blocked alarm goes off.

Apps – Allowed


Use the Allowed Apps screen to run specified apps even when the handheld is locked. When an unauthorized application tries to run, control is returned to TealLock.

This option can be used to allow phone dialers or backup programs to temporarily run even when the handheld is locked.


When running an app in “allowed” mode, normal automatic locking settings do not apply because the handheld is still “locked”. You can force a return to the lock screen, however, using the following options:

Auto-return after xx minutes when left idle for yy secs

Returns to the lock screen after the specified amount of time, but only if no user activity has been detected for the specified “idle” interval.

Auto-return after calling

Returns to the lock screen after a phone call has been completed (Treo only)

Power off after auto-return

Turns off the handheld after an automatic return

TIP: When allowing apps, you must still provide a way to launch the specified apps. Some applications, like timed backup programs, can be set up to automatically launch themselves at specified times. Others, like phone dialers, are mapped to hardware buttons and can still be run if you turn off Password Entry button-mapping for the corresponding button. For any other apps, you can add Launcher Buttons (see Display Options) to start them.

NOTE: The device must already be on the locking screen before it releases control, so when allowing apps that run themselves at a specified time, the “wake up device to lock handheld” option should be set to ensure that the handheld is not still trying to transition to the locking screen when the timed event wakes up the device.


Additional Allowed-Mode Usage Notes:

Compatibility

This feature may not work with all devices, configurations, and third-party apps. As the device is partially unlocked to allow an app to run, any configuration must be tested to ensure that the allowed app does not do anything to jeopardize security.

Security

When allowing any apps, you may wish to eliminate extra launching mechanisms that can start unwanted apps. On the lock screen, you can block hardware buttons by mapping them to other functions. If an unwanted app starts up, you may see a brief flash of its startup screen before TealLock re-locks the handheld.

Backup Programs

The Allowed Apps option can be used to allow a timed backup app to run. In order to work, the backup app must still try to run even if it detects that the handheld is locked. TealBackup supports running in this way, but the current versions of some competing apps (BackupBuddyVFS) do not.

PalmOS-powered phones

The Allowed Apps option can be used to allow phone dialing and/or receiving on Treo phones and Kyocera Smartphones. Please test this feature to ensure it is functional and secure with your handheld configuration.

See the chapter Enabling PalmOS Phones for more information on using this function to allow you to dial and/or receive calls when locked.

Encryption

Do not encrypt any data that may be needed by apps you allow to run in “allowed” mode. If you do, those apps will not be able to find the data they need, and may misbehave or recreate a conflicting copy of the missing database.

Restricted Use Mode


It is sometimes useful to restrict users to running only a few specific programs. For instance, a Palm handheld can be used, say, as a secure aide for a closed-book exam, or to encourage devices passed out for marketing surveys to be returned. It can even be used to, say, let your kids play games without messing up your address book.


To accomplish this, simply enable the Allowed Apps function in conjunction with corresponding Launcher Buttons. See the chapter Restricted Use Mode for step-by-step instructions on how to set this up.


Apps – Excluded


Use Excluded Apps settings to specify apps that shouldn’t be interrupted by automatic locking. When a listed app is running, automatic locking and hiding is disabled until that program exits.

Use this feature to keep automatic locking from interrupting programs such as music and movie players.

Apps – Protected


Use Protected Apps settings to password-protect applications when the handheld is unlocked.


When a listed application is launched, you must enter your password to continue. If an incorrect password is entered, TealLock will run the default applications launcher.



NOTE: When Protect mode is enabled for any app, TealLock sets the global system lock flag to prevent someone from bypassing protection with a warm reset. Some applications or communications functions might disable themselves if they detect the handheld is in this “locked” state. Please test specific apps for compatibility. BackupBuddy and hiLauncher are known to purposefully disable themselves when PalmOS is in a locked state.


Encryption – Card


Use Card Encryption settings to specify individual files that should be encrypted on external flash cards whenever the handheld is locked.

Select Add to choose files to encrypt.

Select Recurse sub-folders if you want to encrypt the contents of any subfolders inside selected folders. If unchecked, only files within selected folders are encrypted. (New in 6.62)


Select individual files to encrypt, or choose Add All to automatically encrypt any files placed into the selected folder.

TIP: The hardware read/write speed to external cards is much slower than internal memory, so be conservative when choosing which files to encrypt, as large files can take a very long time to encrypt.


After choosing files, select the encryption box to select an encryption method:

XOR

A custom fast encryption method that adds basic protection with minimum added encryption and decryption time.

128-bit MDC

A more secure 128-bit MDC encryption based on an industry-standard MD5-Hash

128-bit Blowfish

Industry-standard strong protection with good encryption speed

128-bit AES

Available in TealLock Enterprise Edition only, the AES algorithm provides the strongest protection available.

128-bit RSA RC4 (PalmOS)

RSA RC4 is a government-approved encryption method provided by PalmOS on the Tungsten C. On other devices, PalmOS provides different encryption methods. These appear enclosed in square brackets, such as “[Base Cryptographic Provider]”, but only device manufacturers know what algorithms they use internally.

HINT: If a leave card encrypted icon is enabled and activated on the lock screen, files will stay encrypted after unlock and will only be decrypted if the handheld is locked again and unlocked with the leave card encrypted icon disabled.

Encryption – Files


Use File Encryption settings to select individual data files in memory to encrypt.

Files are left encrypted only when the device is locked, securing them from being directly read off the memory chips using specialized hardware. Unlike card-based files, they cannot be left encrypted on an unlocked handheld, as most applications expect their RAM-based files to always be present, and may react unpredictably if files were left encrypted.

Memory-resident database files are organized into records, some of which may be marked “private” by many applications. Both private and non-private records can be protected, and their encryption types can be individually set or turned off. By setting different encryption types for different records, maximum protection can be achieved with minimum encryption time.


Encryption Conflicts

Any files you select for encryption will not be accessible when the handheld is locked. Because of this, it is important not to run any applications that will try to access encrypted files because they will not be able to find them.

If you allow an app to run in “allowed” mode that needs an encrypted database, that app may create a new default copy of that database when it cannot find the original. This will cause a conflict during decryption when TealLock tries to restore the original file. This can also sometimes happen if you soft reset while the handheld is locked.


When this happens, you’ll be allowed to choose what to keep: “Existing” (delete the encrypted copy), “Encrypted” (overwrite the unencrypted copy), or “Skip” (do nothing and try decrypting again the next time you unlock). Most of the time, you’ll want to keep the “encrypted” file.

Encryption – Apps


Instead of selecting files individually, you can use the Application Encryption screen to select data files by application.

When an application is listed, all .PDB database files in memory “owned” by that application will be encrypted when the handheld is locked.

Encryption Options


Use Encryption Options settings to set whether individual file names are listed during the encryption or decryption process. You can also allow files to be manually aborted either during encryption or decryption.


Allowing encryption-abort is recommended to prevent long delays from inadvertently selecting too much data to encrypt. Use care during decryption, however, as aborting it will leave memory-based files encrypted, which could confuse applications looking for their files.

To save on encryption time, you may check the Encrypt only after xx failed unlock attempt(s) or the Encrypt only after quick password timeout options, which skip encryption for quick lock/unlock cycles until the specified number of unlock attempts has been made or until the quick password has been entered, whichever is first.


Files – Protected


The Protected File feature lets you prevent other applications from accessing specified data files when the handheld is locked.

When used carefully, this special function can be used to disable specific functionality in other applications that either run in the background when the handheld is locked or run because you’ve added them to your “allowed apps” list.


The TealLock Protected File feature works by exclusively opening any files you specify, thereby preventing any other apps from accessing those same files when the handheld is locked. This allows you to hide data files from other apps without the time or complication of encrypting them.

For example, if you protect the contact database, then any other apps trying to access the database won’t be able to find contacts as long as the handheld is locked. This can be used, say, to prevent popup alarm reminders or phone dialers from displaying or changing your contacts, even if you’ve “allowed” them to run from the lock screen.

NOTE: When this feature is enabled, other applications will be able to find the specified databases but simply won’t be able to open or read them. Some apps may show blank data when they try, while others may show an error or close instead. In a few cases, very poorly written applications may even crash if they try to open the database and don’t check to see if they were successful. Consequently, please fully test this feature for compatibility and desired behavior with other programs.

Self Destruct Mode


Use Self Destruct Mode to configure TealLock’s last line of defense against unauthorized access to sensitive data. This feature can be used to destroy data if an attempt at unauthorized access is detected.

When destructing, databases are first overwritten (bit wipe) and then deleted. Once the data is wiped, all writable databases are deleted and the device must be hard-reset before it can be used again.


Options:

Destroy data booby trap password


A booby trap password can be set to destroy data if a particular password is entered. This can be used to keep someone from guessing passwords. For instance, many people try using “password” as a guess when they are asked for a password they don’t know. With this in mind, you can set your booby trap to “password” knowing there is a good chance someone would enter it if you lost your handheld.

Being even more devious, a help screen can be set to purposely mislead someone. For instance, one might set the locking screen help text to: “Hint: my favorite color”, and set a booby trap to “blue”.

TIP: Never choose a booby trap password you might accidentally confuse with your real password.

Destroy data after too many failed tries

This option prevents brute force attacks by destructing after too many failed unlock attempts. Be careful when using this feature, as a forgotten password or text entry problem (like leaving the caps shift on) could otherwise cause you to lose your data. Always fully back up all data and verify password functionality before enabling this option.

NOTE: When used in conjunction with the User Password lockout option in TealLock Corporate Edition or TealLock Enterprise Edition, this self-destruct mechanism will activate based on the number of failed attempts to unlock the device *after* the User Password has already been locked out.

Destroy external card data too

When this option is selected, files on external storage cards are destroyed as well. This can be a very slow process, so card destruction occurs only after memory files have already been erased. Card files are first deleted, then all space on the card is bit wiped to erase any trace of the original data.
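
How the User Password lockout count and the self-destruct count described in this manual combine, as an added model that is not TealLock's code. Names are hypothetical; it assumes the booby trap is checked first, that a correct User Password entered during lockout counts as a failed try, and that an Admin unlock clears both counters.

```python
import hmac
from dataclasses import dataclass
from typing import List, Optional


def same(a: str, b: str) -> bool:
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


@dataclass
class LockPolicy:
    user_password: str
    admin_password: Optional[str] = None
    lockout_after: Optional[int] = None    # "Lockout User Password"
    booby_trap: Optional[str] = None       # "Destroy data booby trap password"
    destruct_after: Optional[int] = None   # "Destroy data after too many failed tries"
    destroy_card: bool = False             # "Destroy external card data too"


class LockScreen:
    def __init__(self, policy: LockPolicy):
        self.policy = policy
        self.failed = 0                 # wrong entries before lockout
        self.failed_after_lockout = 0   # wrong entries once the user is locked out
        self.locked_out = False
        self.wiped: List[str] = []      # wipe stages, in the order they ran

    def _uses_lockout(self) -> bool:
        p = self.policy
        return p.admin_password is not None and p.lockout_after is not None

    def submit(self, entry: str) -> str:
        p = self.policy
        if self.wiped:
            return "destroyed"
        if p.booby_trap is not None and same(entry, p.booby_trap):
            return self._destruct()
        if p.admin_password is not None and same(entry, p.admin_password):
            self.failed = self.failed_after_lockout = 0
            self.locked_out = False
            return "unlocked (admin)"
        if not self.locked_out and same(entry, p.user_password):
            self.failed = 0
            return "unlocked (user)"
        return self._fail()

    def _fail(self) -> str:
        p = self.policy
        if self.locked_out:
            self.failed_after_lockout += 1
        else:
            self.failed += 1
            if self._uses_lockout() and self.failed >= p.lockout_after:
                self.locked_out = True
                return "user locked out"
        # With lockout configured, only tries made after the lockout count toward the wipe.
        counted = self.failed_after_lockout if self._uses_lockout() else self.failed
        if p.destruct_after is not None and counted >= p.destruct_after:
            return self._destruct()
        return "user locked out" if self.locked_out else "rejected"

    def _destruct(self) -> str:
        # Memory is erased first; the card, being slow, is handled afterwards.
        self.wiped = ["memory"] + (["card"] if self.policy.destroy_card else [])
        return "destroyed"


def wrong_entries_until_wipe(policy: LockPolicy, limit: int = 1000) -> Optional[int]:
    """Count consecutive wrong entries a policy tolerates before data is destroyed."""
    screen = LockScreen(policy)
    for n in range(1, limit + 1):
        if screen.submit("\x00constructed-wrong-entry") == "destroyed":
            return n
    return None   # this policy never self-destructs on failed tries


if __name__ == "__main__":
    # Constructed policies with made-up passwords.
    print(wrong_entries_until_wipe(LockPolicy("u", destruct_after=5)))
    print(wrong_entries_until_wipe(
        LockPolicy("u", admin_password="a", lockout_after=3, destruct_after=5)))
```

The second policy tolerates more wrong entries than its self-destruct setting alone suggests, which matters when choosing both thresholds together.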


Chapter 10 – Other Settings

TealLock’s Other Settings include options for managing TealLock installation, administration and special functions. Other Settings include:


History Log


Use History Log settings to maintain and view a detailed log of TealLock activation, logins, and access for access auditing and debugging purposes.

Select entries in the checklist for items you want to monitor.


Login failures

Records unsuccessful password entry attempts

Login successes

Records successful password entry attempts

Automatic hiding/masking

Records automatic activation to hide or mask private records

Automatic locking

Records when the handheld is locked automatically

Manual locking

Records locking from the manual lock button

Private record change

Records private record state change from buttons on main screen

Shortcut activation

Records locking or hiding activation from shortcut entry

Running allowed app

Records successful or unsuccessful attempts to run an app in “allowed” mode

Running protected app

Records successful or unsuccessful attempts to run an app in “protected” mode

Password changes

Records changes made to passwords

Settings changes

Records visits to individual settings screens

Debugging info

Records detailed system internal workings for diagnosing activation problems

Debugging trace

Records low level user activity including keystrokes and button presses. This option is for system debugging only. Do not enable this option routinely, as it will also record password entry into your log file.


View log

Select View to see the current log. You may then export the current log to the MemoPad as an easy way to transfer it to the PC. Just HotSync afterwards and open the memo in the Palm Desktop.


Remote Locking


Use Remote Locking settings to let your phone lock from an SMS text message. Simply enter a unique pass phrase that only you know and enable the option.

Later, should you lose your handheld, you can secure it by sending it an SMS text message from another phone with the selected text embedded somewhere in the message.


HINT: Be sure to choose only common characters (such as upper case letters) that can be sent with the phone you might be using and select text that would not ordinarily show up in a text message.


Remote Unlocking


Use Remote Unlocking to send an unlocking passkey to another phone, or to generate a one-time use password to unlock an employee handheld in a multi-user site license installation.


Temporary Unlocking Key

One of TealLock Corporate Edition and TealLock Enterprise Edition’s extremely useful and exclusive features is the ability for an Administrator to generate a temporary unlocking password. This can be used to unlock an employee’s handheld from another location, either by reading the Remote Unlocking password over the phone or transmitting it over SMS to the individual user’s phone.

Valid for only one hour, the remote passkey is no longer valid after expiration and is secured by 128-bit encryption. It cannot be used to calculate a passkey valid at a later date or derive the administrator passkey.

The Remote Unlock feature can only be used on handheld units with identical installation settings to the Administrator’s handheld. Settings will be identical if…

1) The remote handheld was installed using an Install File generated on the Administrator’s handheld, or

2) If both units were set up using the same Install File.

Remote Unlock will not function on handhelds installed with differing administrator passwords or in the Standard Edition or Lite Edition of TealLock.

Example – Using a Temporary Unlocking Key

1) Display Remote ID Code

If one is not already shown, the administrator instructs the employee to enter the text ‘REMOTECODE’ (no space, not case-sensitive, no quotes) as the unlocking password on the locked-out device:


2) Retrieve Remote ID Code

The employee’s handheld will return a 15 digit numerical Remote ID Code which encodes the date-stamp and identity hash of the device. This code is reported back to the administrator:

3) Enter Remote ID Code in admin handheld


Using their own handheld, the administrator enters the Remote ID Code on the Remote Unlocking screen, and generates a temporary unlocking code keyed to the employee device that is valid for one hour from the ‘Valid at’ time.

The validity of the code is verified by the time on the remote unit, so if the time on that device is set incorrectly or if the employee is in another time zone, the remote time should be used when making the code.

NOTE: To prevent an employee from requesting a passkey which may be valid at a future date, TealLock will show a warning if the Remote ID reflects either 1) a future time relative to the time on the Administrator’s handheld, or 2) if the install time on the remote handheld precedes the last time the administrator key was set on the administrator’s handheld. If time differences are due to time zone discrepancies or if the administrator passkey has been adjusted (and restored) after initial installation, the warnings can be ignored.

4) Generate Unlocking Code


The administrator taps ‘Generate Code’ to generate a 28-digit temporary unlocking key valid for the specified time. Unlike the numerical Remote ID code, the Unlocking Code will consist of both numbers and letters.

NOTE: The letters i,