Using IT administration commands to protect a lost or stolen BlackBerry device
The BlackBerry® Enterprise Server includes IT administration commands that you can send over the wireless network to protect sensitive data on a BlackBerry device. You can use these commands to lock the BlackBerry device, permanently delete user information and application data, and return the BlackBerry device settings to the default values.
| IT administration command | Description |
|---|---|
| Specify new device password and lock device | This command creates a new password and locks a BlackBerry device over the wireless network. You can communicate the new password to the user verbally when the BlackBerry device user locates the BlackBerry device. When the BlackBerry device user unlocks the BlackBerry device, the BlackBerry device prompts the user to accept or reject the new password. You can use this command if the BlackBerry device is lost. If you or a user turned on content protection and a BlackBerry device is running BlackBerry® Device Software version 4.3.1 or earlier, you cannot use this command. |
| Delete all device data and disable device | This command permanently deletes all user information and application data that the BlackBerry device stores. You can configure the following options when you use this command: specify a delay, in hours, before the BlackBerry device starts to delete all the user information and application data; require the BlackBerry device to return to its factory default settings when it receives this command; specify whether to permit the BlackBerry device user to stop permanently deleting data from the BlackBerry device and making the BlackBerry device unavailable during the delay period. You can send this command to a BlackBerry device that you want to distribute to another BlackBerry device user in your organization, or to a BlackBerry device that is lost and that the BlackBerry device user might recover. |
Process flow: Sending the Specify new device password and lock device IT administration command when content protection is turned on
- The BlackBerry® Enterprise Server sends the Specify new device password and lock device IT administration command and the new BlackBerry device password to the BlackBerry device.
- The BlackBerry device performs the following actions:
  - selects r randomly
  - stores r in RAM
  - calculates D' = rD = rdP
  - calculates h = SHA-1( B )
  - sends D' and h to the BlackBerry Enterprise Server
- The BlackBerry Enterprise Server performs the following actions:
  - uses h to determine which B the BlackBerry device used and which b to use
  - verifies that D' is a valid public key
  - calculates K' = bD' = brdP = rdB = rK (the BlackBerry Enterprise Server knows only rK and cannot calculate K without r)
  - calculates h = SHA-1( D' )
  - sends the new BlackBerry device password, K', and h to the BlackBerry device
- The BlackBerry device performs the following actions:
  - uses h to verify that K' is associated with D' and r
  - verifies that K' is a valid public key
  - calculates r⁻¹K' = r⁻¹rK = K
  - permanently deletes r
  - uses K to decrypt the content protection key
  - permanently deletes K
- The BlackBerry device performs the following actions:
  - selects d randomly
  - calculates D = dP
  - stores D in flash memory
  - calculates K = dB
  - uses K to encrypt the new BlackBerry device password
  - uses the encrypted new password to encrypt the content protection key
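
The blinded exchange in the process flow above, carried through in Python as an added example (not BlackBerry code). It shows that the device recovers K = dB from K' while the server only ever handles rK. Assumptions: secp256k1 stands in for the curve, SHA-1 is taken over a constructed x||y encoding, and all function names are hypothetical.

```python
import hashlib, secrets
# Assumption: secp256k1 stands in for the curve, which the page does not name.
P_MOD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p == q:
        m = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        m = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (m * m - x1 - x2) % P_MOD
    return (x3, (m * (x1 - x3) - y1) % P_MOD)

def mul(k, p):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, p)
        p, k = add(p, p), k >> 1
    return acc

def valid_public_key(p):
    """The 'valid public key' check: a finite point satisfying the curve equation."""
    return p is not None and (p[1] ** 2 - p[0] ** 3 - 7) % P_MOD == 0

def tag(p):
    """SHA-1 over a constructed x||y encoding; the page does not give the encoding."""
    return hashlib.sha1(b"".join(c.to_bytes(32, "big") for c in p)).hexdigest()

def recover_k(big_d, big_b, server_keys):
    """Device holds D and B only; server_keys maps SHA-1(B) to b. Returns (K, K')."""
    r = secrets.randbelow(N - 1) + 1             # device: blinding factor, RAM only
    d_blind, h = mul(r, big_d), tag(big_b)       # device -> server: D' = rD, SHA-1(B)
    b = server_keys[h]                           # server: h selects which b to use
    if not valid_public_key(d_blind):
        raise ValueError("D' is not a valid public key")
    k_blind, h2 = mul(b, d_blind), tag(d_blind)  # server -> device: K' = rK, SHA-1(D')
    if h2 != tag(d_blind) or not valid_public_key(k_blind):
        raise ValueError("K' is not bound to D' or is not a valid public key")
    return mul(pow(r, -1, N), k_blind), k_blind  # device: r^-1 K' = K
```
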