Help Center

Local Navigation

• Overview
  • BlackBerry Enterprise Solution security
  • Security features of the BlackBerry Enterprise Solution
  • Architecture: BlackBerry Enterprise Solution
• New in this release
• Keys on a device
  • Device transport keys
    • States for device transport keys
    • Where the BlackBerry Enterprise Solution stores device transport keys
      • Where the BlackBerry Enterprise Solution stores device transport keys in a Microsoft Exchange environment
      • Where the BlackBerry Enterprise Solution stores the device transport keys in an IBM Lotus Domino environment
    • Generating device transport keys
      • Generating the first device transport key for a BlackBerry device during the activation process
        • Security characteristics for generating the first device transport key
      • Generating subsequent device transport keys for a BlackBerry device
        • Security characteristics for generating subsequent device transport keys
      • Generating a device transport key manually
    • Process flow: Generating a device transport key using BlackBerry Desktop Software version 4.0 or later
    • Process flow: Generating a device transport key using a BlackBerry Desktop Software version or BlackBerry Enterprise Server version that is earlier than version 4.0
  • Message keys
    • Process flow: Generating a message key on a BlackBerry Enterprise Server
    • Process flow: Generating a message key on a BlackBerry device
  • Content protection keys
    • Process flow: Turning on content protection using a BlackBerry Enterprise Server
    • Process flow: Generating a content protection key on a BlackBerry device
    • Process flow: Deriving an ephemeral key that protects a content protection key and ECC private key
  • Principal encryption keys
    • Process flow: Generating a principal encryption key
  • PIN encryption keys
• Encrypting data that the BlackBerry Enterprise Server and a BlackBerry device send to each other
  • Algorithms that the BlackBerry Enterprise Solution uses to encrypt data
    • How the BlackBerry Enterprise Solution uses AES to encrypt data
      • How a BlackBerry device uses the AES algorithm to help protect user data and keys
        • Process flow: Running a masking operation during the first AES calculation when content protection is turned on
        • Process flow: Running a masking operation during subsequent AES calculations when content protection is turned on
        • Process flow: Running a masking operation when a BlackBerry device does not use content protection
        • How the AES algorithm creates S-Box tables and uses round keys and masks
    • How the BlackBerry Enterprise Solution uses Triple DES to encrypt data
  • Process flow: Sending an email message to a BlackBerry device using BlackBerry transport layer encryption
  • Process flow: Sending an email message from a BlackBerry device using BlackBerry transport layer encryption
• Managing BlackBerry Enterprise Solution security
  • Using an IT policy to manage BlackBerry Enterprise Solution security
    • Preconfigured IT policies
    • Using IT policy rules to manage BlackBerry Enterprise Solution security
    • Sending an IT policy over the wireless network
    • Assigning IT policies and resolving IT policy conflicts
      • Reconciliation rules for conflicting IT policies when you apply one IT policy to the user account
      • Reconciliation rules for conflicting IT policies when you apply multiple IT policies to a user account
  • Using IT administration commands to protect a lost or stolen BlackBerry device
    • Process flow: Sending the Specify new device password and lock device IT administration command when content protection is turned on
  • Managing BlackBerry device access to the BlackBerry Enterprise Server
  • Using a segmented network to prevent the spread of malware
  • Moving a BlackBerry device to a BlackBerry Enterprise Server that uses a different BlackBerry Configuration Database
  • Configuring the IT Policy Viewer icon on a device
  • Best practice: Controlling which applications can use the GPS feature on a BlackBerry device
• Device storage space
  • Changing when a BlackBerry device cleans the BlackBerry device memory
  • When a BlackBerry device overwrites data in the BlackBerry device memory
  • Deleting all device data from the device storage space
    • When a device deletes all device data
    • Using IT policy rules to specify when a device must delete device data
    • Resetting a device to factory default settings
    • Process flow: Deleting all device data from a device
  • Scrubbing the memory of a device when deleting all device data
    • Scrubbing the device heap in RAM when deleting all evice data
    • Scrubbing the flash memory on a device when deleting all device data
    • Scrubbing the user files on a device when deleting all device data
• Protecting data on a BlackBerry device
  • Encrypting user data on a locked BlackBerry device
    • Configuring the encryption of BlackBerry device data on a locked device
    • Process flow: Encrypting user data on a locked BlackBerry device
    • Process flow: Decrypting user data on an unlocked BlackBerry device
  • Encrypting the device transport key on a locked BlackBerry device
    • What happens when a user resets a BlackBerry device after you turn on content protection for the device transport key
  • Resetting a BlackBerry device password when content protection is turned on
    • Process flow: Resetting a BlackBerry device password when content protection is turned on
      • Cryptosystem parameters that the remote password reset cryptographic protocol uses
  • Protecting passwords that a BlackBerry device stores
  • Protecting data that a BlackBerry device stores on a media card
    • Process flow: Generating an encryption key for a media card
  • How the BlackBerry Attachment Service protects data on a BlackBerry device
    • Best practice: Protecting the BlackBerry Attachment Service
  • How a BlackBerry device protects its operating system and the BlackBerry Device Software
  • How a BlackBerry device authenticates the boot ROM code and binds the BlackBerry device processor when the BlackBerry device turns on
• Protecting the data that the BlackBerry Enterprise Solution stores in your organization's environment
  • Where the BlackBerry Enterprise Server stores messages and user data in the messaging environment
  • Data that the BlackBerry Configuration Database stores
    • Best practice: Protecting the data that the BlackBerry Configuration Database stores
  • How the BlackBerry Enterprise Solution protects IT policies
• Protecting communication with a BlackBerry device
  • Opening a direct connection between a device and a BlackBerry Router
    • Process flow: Authenticating a BlackBerry device with the BlackBerry Enterprise Server using the BlackBerry Router protocol
    • Closing a direct connection between a BlackBerry device and BlackBerry Router
    • Impersonation attacks that the BlackBerry Router protocol is designed to prevent
    • How the BlackBerry Router protocol uses the Schnorr identification scheme to open an authenticated connection
    • Process flow: Using the BlackBerry Router protocol to close an authenticated connection
    • Process flow: Using the BlackBerry Router protocol to open an authenticated connection
    • Cryptosystem parameters that the BlackBerry Router protocol uses
  • Best practice: Protecting plain text messages that a device sends over the wireless network
  • How the BlackBerry Enterprise Solution protects connections between a BlackBerry device and the Internet or intranet
  • Authenticating data that a BlackBerry device sends to the BlackBerry MDS Integration Service
    • Using SSL to connect to web services
    • Process flow: Registering a BlackBerry device with a BlackBerry MDS Integration Service
  • How a BlackBerry device protects a connection to a WAP gateway
  • Protecting HTTP connections from a BlackBerry device to content servers and application servers using HTTPS
  • What happens to data that is not delivered to a BlackBerry device
    • What happens to data that is not delivered because the connection between a BlackBerry Enterprise Server and the BlackBerry Infrastructure closes
    • What happens to data that is not delivered because a BlackBerry device is not available on the wireless network
• Protecting BlackBerry Enterprise Solution communications in your organization's environment
  • How a BlackBerry Enterprise Server and the BlackBerry Infrastructure authenticate with each other
    • What happens when a BlackBerry Enterprise Server and the BlackBerry Infrastructure open an initial connection
    • How the BlackBerry Enterprise Solution protects a TCP/IP connection between a BlackBerry Enterprise Server and the BlackBerry Infrastructure
    • Process flow: Authenticating a BlackBerry Enterprise Server with the BlackBerry Infrastructure
  • How a BlackBerry Enterprise Server and messaging server protect a connection to each other
  • How the BlackBerry Enterprise Server components and the BlackBerry MVS protect communication
  • How the BlackBerry Desktop Manager protects communication using the BlackBerry inter-process protocol
    • Process flow: Authenticating the application loader tool or Roxio Media Manager with the BlackBerry Desktop Software using the BlackBerry inter-process protocol
  • How the BlackBerry Collaboration Service connects to an instant messaging server and collaboration clients on devices
  • Protecting your organization’s resources when using BlackBerry MDS Connection Service integrated authentication
    • Architecture: BlackBerry MDS Connection Service integrated authentication
    • How the BlackBerry MDS Connection Service uses Kerberos to help protect your organization's resources
    • Identifying the resources that users can access using BlackBerry MDS Connection Service integrated authentication
    • Process flow: Retrieving a resource when using BlackBerry MDS Connection Service integrated authentication
  • Protecting your organization’s resources when you configure BlackBerry Administration Service single sign-on
    • Architecture: BlackBerry Administration Service single sign-on
    • How BlackBerry Administration Service single sign-on uses Kerberos to help protect your organization’s resources
    • How the BlackBerry Administration Service completes Kerberos authentication
    • Process flow: Accessing the BlackBerry Administration Service console and BlackBerry Web Desktop Manager when you configure BlackBerry Administration Service single sign-on
• Activating a BlackBerry device
  • Activating a BlackBerry device over the wireless network
  • Process flow: Activating a BlackBerry device over the wireless network
• Enrolling certificates on a BlackBerry device over the wireless network
  • Process flow: Enrolling a certificate when the certification authority approves certificate requests automatically
  • Process flow: Enrolling a certificate when a certification authority administrator approves certificate requests
  • Process flow: Enrolling a certificate using an RSA certification authority
• Protecting BlackBerry Device Software updates
  • Protecting BlackBerry Device Software updates over the wireless network
    • How the BlackBerry Enterprise Solution protects BlackBerry Device Software updates over the wireless network using encryption
    • How the BlackBerry Enterprise Solution protects BlackBerry Device Software updates over the wireless network using IT policies and content protection
    • Battery power requirements for BlackBerry Device Software updates over the wireless network
    • Process flow: Preparing to send a BlackBerry Device Software update over the wireless network
    • How a BlackBerry device validates a BlackBerry Device Software update over the wireless network
  • Updating the BlackBerry Device Software from an update web site
    • Protecting cryptographic services data when updating the BlackBerry Device Software from an update web site
    • Process flow: Generating a BlackBerry services key that protects cryptographic services data
    • Process flow: Backing up cryptographic services data using the BlackBerry Desktop Manager
    • Process flow: Restoring cryptographic services data using the BlackBerry Desktop Manager or BlackBerry Application Web Loader
• Extending messaging security to a BlackBerry device
  • Extending messaging security using PGP encryption
    • PGP public keys and PGP private keys
    • Retrieving PGP keys from a PGP Universal Server or LDAP servers
    • Encryption algorithms that the BlackBerry device supports for PGP encryption
    • Process flow: Sending an email message using PGP encryption
    • Process flow: Receiving a PGP encrypted message
  • Extending messaging security using S/MIME encryption
    • S/MIME certificates and S/MIME private keys
    • Retrieving S/MIME certificates and checking certificate status
    • S/MIME encryption algorithms
    • Process flow: Sending an email message using S/MIME encryption
    • Process flow: Receiving an S/MIME-encrypted email message
  • Extending messaging security using IBM Lotus Notes encryption
    • Protecting the password for an IBM Lotus Notes .id file
      • How a BlackBerry device protects the password for an IBM Lotus Notes .id file
      • How the BlackBerry Messaging Agent protects the password for an IBM Lotus Notes .id file
    • Process flow: Sending an email message using IBM Lotus Notes encryption
    • Process flow: Receiving an IBM Lotus Notes encrypted message
  • Extending messaging security to attachments
    • Process flow: Viewing an attachment in a PGP encrypted message or S/MIME-encrypted message
    • Process flow: Viewing an attachment that is encrypted using S/MIME encryption, PGP/MIME encryption, or OpenPGP encryption
• Configuring two-factor authentication and protecting Bluetooth connections
  • BlackBerry Smart Card Reader
  • Advanced Security SD cards
  • Two-factor authentication
    • Verifying that a BlackBerry device is bound to a smart card
    • Process flow: Turning on two-factor authentication using a smart card
    • Creating two-factor authentication methods
  • Two-factor content protection
  • Unbinding a smart card from a device
  • Protecting Bluetooth connections on a BlackBerry device
    • Using CHAP to open a Bluetooth connection between the BlackBerry Desktop Software and a BlackBerry device
• Wi-Fi enabled BlackBerry devices
  • Types of Wi-Fi networks
  • Security features of a Wi-Fi enabled BlackBerry device
  • Protecting a connection between a Wi-Fi enabled BlackBerry device and an enterprise Wi-Fi network
  • How a Wi-Fi enabled BlackBerry device can connect to the BlackBerry Infrastructure
    • How an SSL connection between a Wi-Fi enabled BlackBerry device and the BlackBerry Infrastructure protects data
    • Process flow: Opening an SSL connection between the BlackBerry Infrastructure and a Wi-Fi enabled BlackBerry device
    • Cipher suites that a Wi-Fi enabled BlackBerry device supports for opening SSL connections and TLS connections
  • Managing how a BlackBerry device connects to an enterprise Wi-Fi network
  • How the BlackBerry Enterprise Solution protects sensitive Wi-Fi information
  • Using a VPN with a Wi-Fi enabled BlackBerry device
    • Permitting a Wi-Fi enabled BlackBerry device to log in to a VPN concentrator
    • Using a segmented network to reduce the spread of malware on an enterprise Wi-Fi network that uses a VPN
  • Using a captive portal to connect to an enterprise Wi-Fi network or Wi-Fi hotspot
  • Protecting a connection between a Wi-Fi enabled BlackBerry device and an enterprise Wi-Fi network using RSA authentication
    • Process flow: Generating a token code for a software token
• Layer 2 security methods that a Wi-Fi enabled device supports
  • WEP encryption
  • PSK protocol
  • IEEE 802.1X standard
    • Caching a PMK when using the IEEE 802.1X standard
    • Process flow: Authenticating a Wi-Fi enabled BlackBerry device with an enterprise Wi-Fi network using the IEEE 802.1X standard
  • EAP authentication methods that a Wi-Fi enabled BlackBerry device supports
    • LEAP authentication
    • PEAP authentication
    • EAP-TLS authentication
    • EAP-TTLS authentication
    • EAP-FAST authentication
    • EAP-SIM authentication
  • Encryption keys that a Wi-Fi enabled device supports for use with layer 2 security methods
  • EAP authentication methods that a BlackBerry device supports the use of CCKM with
  • Using certificates with PEAP authentication, EAP-TLS authentication, or EAP-TTLS authentication
• Protecting a third-party application on a BlackBerry device
  • Creating a third-party application for a BlackBerry device
  • Specifying the resources third-party applications can access on a BlackBerry device
    • Managing third-party applications on a BlackBerry device using application control policy rules
    • Managing BlackBerry Java Applications on a BlackBerry device using code signing
  • Permitting a third-party application to encode data on a BlackBerry device
  • Removing third-party applications when a user deletes all BlackBerry device data
• RIM Cryptographic API
  • Cryptographic algorithms and cryptographic codes that the RIM Cryptographic API supports
    • Symmetric block algorithms that the RIM Cryptographic API supports
    • Stream encryption algorithms that the RIM Cryptographic API supports
    • Asymmetric encryption algorithms that the RIM Cryptographic API supports
    • Key agreement scheme algorithms that the RIM Cryptographic API supports
    • Signature scheme algorithms that the RIM Cryptographic API supports
    • Key generation algorithms that the RIM Cryptographic API supports
    • Message authentication codes that the RIM Cryptographic API supports
    • Message digest codes that the RIM Cryptographic API supports
  • TLS and WTLS protocols that the RIM Cryptographic API supports
    • Cipher suites for the key establishment algorithm that the RIM Cryptographic API supports
    • Symmetric algorithms that the RIM Cryptographic API supports
    • Hash algorithms that the RIM Cryptographic API supports
  • Limitations of RIM Cryptographic API support for cipher suites for the key establishment algorithm
• Related resources
• Glossary
• Provide feedback
• Legal notice