Two-factor content protection
Two-factor content protection on the BlackBerry® device is designed to protect the content protection decryption keys with both a private key that is stored on a smart card and the device password.
To store the private key, you can use either a smart card with the BlackBerry® Smart Card Reader or an Advanced Security SD card. The content protection key is not transferred from the device to the BlackBerry Smart Card Reader or Advanced Security SD card.
Two-factor content protection requires the device password, a smart card, and an authentication certificate that is stored on the device. The authentication certificate must contain the public key for the private key that is stored on the smart card. If the authentication certificate expires or is revoked, a user can continue to use it for two-factor content protection until the user creates and configures a new certificate to use with two-factor content protection.
You or a user can configure two-factor content protection. By default, if a user has a smart card and an authentication certificate on the device, the user can turn on two-factor content protection. To make two-factor content protection required or optional, or to prevent a user from configuring it, you can use the Two Factor Content Protection Usage IT policy rule. After you or a user turns on two-factor content protection, the user must type the device password and the smart card PIN in the appropriate fields on the login screen to unlock the device.
If you or a user turns on two-factor content protection, you cannot change the device password using the BlackBerry Administration Service. Only the user can change the device password on the device.
BlackBerry® Device Software 5.0 and later and BlackBerry Smart Card Reader 2.0 and later support two-factor content protection. You must verify that the IT policies used to manage two-factor content protection are available on your organization’s BlackBerry® Enterprise Server. BlackBerry Enterprise Server 5.0 SP1 and later include the IT policies that you require to manage two-factor content protection.