Security policy group
Content Protection Strength IT policy rule
This rule specifies the cryptography strength that a BlackBerry® device uses to encrypt content that it receives while it is locked. When you specify a value, the content protection feature is turned on.
Configure this rule to Strong to use a 160-bit ECC public key. This key provides good security and good performance and is adequate for most situations.
Configure this rule to Stronger to use a 283-bit ECC public key. This key provides better security but slower performance than the Strong setting.
Configure this rule to Strongest to use a 571-bit ECC public key. This key provides the highest level of security but the slowest performance of the three settings.
For BlackBerry devices that are running BlackBerry® Device Software 5.0 and later, if on-board device memory exists on the BlackBerry device when you configure this rule, the rule also encrypts the on-board device memory (embedded MC) to the BlackBerry device user password and a device-generated key.
For BlackBerry devices that are running BlackBerry Device Software versions that are earlier than 5.0, you can configure the External File System Encryption Level IT policy rule. The External File System Encryption Level IT policy rule also encrypts the media card.
If you configure this rule to Strong or Stronger, configure the Minimum Password Length IT policy rule to 12 characters. If you configure the content protection strength to Strongest, instruct the user to create a password of at least 21 characters. These password lengths maximize the encryption strength that the longer ECC keys are designed to provide.
Disable External Memory IT policy rule
Disable IP Modem IT policy rule
Disallow Third Party Application Downloads IT policy rule
This rule prevents a user from installing an unsigned third-party application that is sent over a wireless network or installed using the BlackBerry® Desktop Manager or application loader tool. This rule applies to any unsigned applications that the BlackBerry® Enterprise Server Express or another party sends to a BlackBerry device.
Encryption on On-Board Device Memory Media Files IT policy rule
If a BlackBerry® device user inserts a media card in the BlackBerry device, this rule specifies whether the media files that are located on the media card are encrypted to the user password and the device-generated key.
External File System Encryption Level IT policy rule
You can use this rule to require that a BlackBerry device encrypt a media card, either including or excluding media card files. You cannot use this rule to encrypt files that a BlackBerry device user transfers to the media card manually (for example, from a USB mass storage device).
The master keys for the media card are stored on the media card. A BlackBerry device is designed to use the master keys to decrypt and encrypt the files on the media card. A BlackBerry device is designed to use the BlackBerry device key, a password that a BlackBerry device user provides, or both to encrypt the master keys.
Change this rule to Encrypt to User Password (excluding multimedia directories) if the media card requires encryption with a password that the user provides.
Change this rule to Encrypt to User Password (including multimedia directories) if the media card requires encryption with a password that the user provides.
Change this rule to Encrypt to User Password and Device Key (excluding multimedia directories) if the media card requires encryption with a password that the user provides and a BlackBerry device key.
Change this rule to Encrypt to User Password and Device Key (including multimedia directories) if the media card requires encryption with a password that the user provides and the BlackBerry device key.
Force Lock When Holstered IT policy rule
Required Password Pattern IT policy rule
Passwords can contain Latin-1 characters only.
Use the following characters in the password pattern to specify the character type that is permitted and its position in the password:
- a: Permits any letter.
- A: Permits an uppercase letter only.
- c: Permits any consonant.
- C: Permits an uppercase consonant only.
- v: Permits any vowel.
- V: Permits an uppercase vowel only.
- N, n, or #: Permits a number only.
- S, s, or @: Permits a symbol only.
- ?: Permits any letter, number, or symbol.
If you configure this rule, the user can create a password on a BlackBerry device whose length is greater than or equal to the length of the pattern. Password characters that exceed the pattern length can be any letters, numbers, or symbols.
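A validator for the pattern syntax described above, added here as an illustration; it is not BlackBerry code, and `check_password` and its helpers are hypothetical names. Assumptions: vowels are the unaccented letters a, e, i, o, u; consonants are the remaining ASCII letters; a symbol is any printable, non-space Latin-1 character that is neither a letter nor a digit.

```python
import string

VOWELS = set("aeiouAEIOU")  # assumption: unaccented vowels only

def is_letter(ch): return ch.isalpha()
def is_digit(ch): return ch in string.digits
def is_vowel(ch): return ch in VOWELS
def is_consonant(ch): return ch in string.ascii_letters and ch not in VOWELS
def is_symbol(ch):
    # assumption: printable, non-space, neither letter nor digit
    return ch.isprintable() and not ch.isspace() and not (is_letter(ch) or is_digit(ch))
def is_any(ch): return is_letter(ch) or is_digit(ch) or is_symbol(ch)

# Pattern character -> predicate, following the list on the page.
CLASSES = {
    "a": is_letter,
    "A": lambda ch: is_letter(ch) and ch.isupper(),
    "c": is_consonant,
    "C": lambda ch: is_consonant(ch) and ch.isupper(),
    "v": is_vowel,
    "V": lambda ch: is_vowel(ch) and ch.isupper(),
    "N": is_digit, "n": is_digit, "#": is_digit,
    "S": is_symbol, "s": is_symbol, "@": is_symbol,
    "?": is_any,
}

def check_password(pattern, password):
    """Return (ok, reason) for a password checked against a pattern."""
    bad = [p for p in pattern if p not in CLASSES]
    if bad:
        raise ValueError(f"unknown pattern character(s): {bad}")
    try:
        password.encode("latin-1")  # passwords are Latin-1 only
    except UnicodeEncodeError:
        return False, "contains a non-Latin-1 character"
    if len(password) < len(pattern):
        return False, "shorter than the pattern"
    for pos, (p, ch) in enumerate(zip(pattern, password), start=1):
        if not CLASSES[p](ch):
            return False, f"position {pos} does not match {p!r}"
    # Characters beyond the pattern may be any letter, number or symbol.
    for pos in range(len(pattern), len(password)):
        if not is_any(password[pos]):
            return False, f"position {pos + 1} is not a letter, number or symbol"
    return True, "ok"

if __name__ == "__main__":
    for pw in ("Bad12!", "bad12!", "Bad12!extra9", "Bad12"):  # constructed samples
        print(pw, check_password("Cvc##@", pw))
```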