These are interesting times for mobile device security. The current threat level from mobile malware is so miniscule—only a handful of malicious programs target Windows Mobile—that IT administrators couldn’t be faulted for ignoring the problem.

However, the best time to fix a hole in the roof is before it rains. Enterprises that want to get ahead—way ahead—of the mobile device threat have many choices.

F-Secure, McAfee and Trend Micro all offer software to protect mobile devices from infection.

Now Symantec is raising the bar with the introduction of its Mobile Security Suite 5.0. In addition to antivirus and firewall features, Symantec has added data protection, anti-SMS spam and some of the best control over device hardware we’ve seen. When Symantec’s VPN client is thrown in, admins get NAC (network access control)?features to ensure endpoint compliance.

However, the overall management features need work, and the NAC capabilities aren’t well integrated. So do you actually need this software? If you think you do, Symantec has made a positive step toward providing more advanced security features for mobile users.

GOING MOBILE

We tested a beta version of Mobile Security Suite 5.0. It comprises the Symantec Mobile Security Manager, which handles the configuration and distribution of security policies, and the company’s client suite (anti-virus, firewall, intrusion detection and anti-SMS spam).

The distribution of Symantec’s client suite is best handled through a third-party mobile device-management system. After the client installation is completed, a separate configuration file that defines the server address for the mobile agent, which retrieves policies and other information from an enterprise’s Mobile Security Manager, must be loaded onto the mobile device. Ideally, Symantec should let you load the client software and the configuration file at the same time.

SYSTEM LOCKDOWN

The most noteworthy enterprise feature in the new suite is NAC, which works in conjunction with Symantec’s mobile VPN client, sold separately. Admins can check a variety of settings using Symantec’s NAC policy editor, including whether anti-virus or firewall software is running or a virus-definition file is out of date. A polling interval can be set so that if an endpoint falls out of compliance, the client is immediately disconnected. Unfortunately, though the client says which policy has been violated, Symantec doesn’t include any automatic remediation capabilities—a significant oversight, particularly if users are denied access to business applications. How­ever, Symantec says remediation is on its road map. Another downside: NAC policies aren’t defined in Mobile Security Manager, which means admins must switch consoles.

Symantec’s mobile NAC support is clearly in its infancy. Wait until the product matures before attempting to enforce compliance through NAC.

On the plus side, Mobile Security Manager lets you lock down device hardware on Windows Mobile, which is the first time we’ve seen such an option. Administrators can disable features like Bluetooth, onboard cameras or the use of ActiveSync.

In our tests we successfully disabled cameras, but after switching off SMS on our HTC, we were still able to send and received SMS messages. Symantec is working to resolve the kinks around lockdown policies by the time Mobile Security Suite ships.

Symantec also lets you track when documents on mobile devices were accessed. If a device was lost or stolen, you could determine if any data was compromised, an important capability given regulations regarding confidential data breaches. The mobile security client also gives admins an option to wipe a mobile device.

Symantec Mobile Security Suite 5.0 starts at $69.95 per device; the Mobile VPN client (which adds NAC policies) starts at $79.95. Discounts are available if both are purchased in tandem.