Using an IT policy to manage BlackBerry Enterprise Solution security

You can use an IT policy to control a BlackBerry® device, a BlackBerry enabled device, the BlackBerry® Desktop Software, and the BlackBerry® Web Desktop Manager in your organization's environment. An IT policy consists of multiple IT policy rules that manage the security and behavior of the BlackBerry® Enterprise Solution. For example, you can use IT policy rules to manage the following security features and behaviors of the BlackBerry device:
  • encryption (for example, encryption of user data and messages that the BlackBerry® Enterprise Server forwards to message recipients) and encryption strength
  • use of a password or pass phrase
  • connections that use Bluetooth® wireless technology
  • protection of user data and device transport keys on the BlackBerry device
  • control of BlackBerry device resources, such as the camera or GPS, that are available to third-party applications

The BlackBerry Enterprise Server includes preconfigured IT policies that you can use to manage the security of the BlackBerry Enterprise Solution. The Default IT policy includes IT policy rules that are configured to indicate the default behavior of the BlackBerry device or BlackBerry Desktop Software.

After a BlackBerry device user activates a BlackBerry device, the BlackBerry Enterprise Server automatically sends to the BlackBerry device the IT policy that you assigned to the user account or group. By default, if you do not assign an IT policy to the user account or group, the BlackBerry Enterprise Server sends the Default IT policy. If you delete an IT policy that you assigned to the user account or group, the BlackBerry Enterprise Server automatically re-assigns the Default IT policy to the user account and resends the Default IT policy to the BlackBerry device.

For more information, see the BlackBerry Enterprise Server Policy Reference Guide.

Preconfigured IT policies

The BlackBerry® Enterprise Server includes the following preconfigured IT policies that you can change to create IT policies that meet the requirements of your organization.

Preconfigured IT policy

Description

Default

This policy includes all the standard IT policy rules that are set on the BlackBerry Enterprise Server.

Individual-Liable Devices

Similar to the Default IT policy, this policy prevents BlackBerry device users from accessing organizer data from within the social networking applications on their BlackBerry devices.

This policy permits users to access their personal calendar services and email messaging services (for example, their BlackBerry® Internet Service accounts), update the BlackBerry® Device Software using methods that exist outside your organization, make calls when BlackBerry devices are locked, and cut, copy, and paste text. Users cannot forward email messages from one email messaging service to another.

You can use the Individual-Liable Devices IT policy if your organization includes users who purchase their own BlackBerry devices and connect the BlackBerry devices to a BlackBerry Enterprise Server instance in your organization's environment.

Basic Password Security

Similar to the Default IT policy, this policy also requires a basic password that users can use to unlock their BlackBerry devices. Users must change the passwords regularly. The IT policy includes a password timeout that locks BlackBerry devices.

Medium Password Security

Similar to the Default IT policy, this policy also requires a complex password that users can use to unlock their BlackBerry devices. Users must change the passwords regularly. This policy includes a maximum password history and turns off Bluetooth® technology on BlackBerry devices.

Medium Security with No 3rd Party Applications

Similar to the Medium Password Security IT policy, this policy requires a complex password that a user must change frequently, a security timeout, and a maximum password history. This policy prevents users from making their BlackBerry devices discoverable by other Bluetooth enabled devices and prevents BlackBerry devices from downloading third-party applications.

Advanced Security

Similar to the Default IT policy, this IT policy also requires a complex password that users must change frequently, a password timeout that locks BlackBerry devices, and a maximum password history. This policy restricts Bluetooth technology on BlackBerry devices, turns on strong content protection, turns off USB mass storage, and requires BlackBerry devices to encrypt external file systems.

Advanced Security with No 3rd Party Applications

Similar to the Advanced Security IT policy, this IT policy requires a complex password that users must change frequently, a password timeout that locks BlackBerry devices, and a maximum password history. This policy restricts Bluetooth technology on BlackBerry devices, turns on strong content protection, turns off USB mass storage, requires BlackBerry devices to encrypt external file systems, and prevents BlackBerry devices from downloading third-party applications.

Using IT policy rules to manage BlackBerry Enterprise Solution security

You can use IT policy rules to customize and control the actions that the BlackBerry® Enterprise Solution can perform.

To use an IT policy rule on a BlackBerry device, you must verify that the BlackBerry® Device Software version supports the IT policy rule. For example, you cannot use the Disable Camera IT policy rule to control whether a BlackBerry device user can access the camera on the device if the BlackBerry Device Software version does not support the IT policy rule. For information about the BlackBerry Device Software version that is required for a specific IT policy rule, see the BlackBerry Enterprise Server Policy Reference Guide.

If you create a custom IT policy that does not permit users to change their user information on their devices, you can only apply this custom IT policy to devices running BlackBerry Device Software 5.0 or later.

The BlackBerry Administration Service groups the IT policy rules by common properties or by application. Most IT policy rules are designed so that you can assign them to multiple user accounts and groups.

Sending an IT policy over the wireless network

If your organization's environment includes C++ based BlackBerry® devices that are running BlackBerry® Device Software version 2.5 or later, or Java® based BlackBerry devices that are running BlackBerry Device Software version 3.6 or later, the BlackBerry® Enterprise Server can send changes to IT policies to a BlackBerry device over the wireless network automatically. When the BlackBerry device receives an updated IT policy or a new IT policy, the BlackBerry device, BlackBerry® Desktop Software, and BlackBerry® Web Desktop Manager apply the configuration changes immediately.

By default, the BlackBerry Enterprise Server is designed to resend an IT policy to the BlackBerry device within a short period of time after you update the IT policy using the BlackBerry Administration Service. You can also resend an IT policy to a specific BlackBerry device manually. You can configure the BlackBerry Enterprise Server to resend the IT policy to the BlackBerry device at scheduled intervals regardless of whether you changed the IT policy.

Assigning IT policies and resolving IT policy conflicts

You can assign IT policies directly to a user account, groups, or the BlackBerry® Domain. By default, if you do not assign an IT policy to a user account or a group that the user is a member of, the BlackBerry® Enterprise Server applies the IT policy that you assigned to the BlackBerry Domain to the user account. If you assign an IT policy to a group that a user account is a member of, the BlackBerry Enterprise Server applies the group IT policy to the user account. If you assign an IT policy to the user account directly, the BlackBerry Enterprise Server applies this IT policy to the user account instead of the group IT policy or domain IT policy.

If a user account is a member of multiple groups that have different IT policies, the BlackBerry Enterprise Server must determine which IT policy to apply to the user account. You must use one of the following reconciliation options:

Method

Description

Apply one IT policy to the user account

The BlackBerry Enterprise Server applies one of the group IT policies to the user account. You specify rankings for the available IT policies using the BlackBerry Administration Service and the BlackBerry Enterprise Server applies the IT policy with the highest ranking.

If you upgrade to BlackBerry Enterprise Server 5.0 SP2 or later from a previous version of the BlackBerry Enterprise Server, this is the default method for resolving IT policy conflicts.

Apply multiple IT policies to the user account

The BlackBerry Enterprise Server applies all of the group IT policies to the user account, resulting in a combined IT policy that has a unique ID. The BlackBerry Enterprise Server resolves conflicting IT policy rules using the ranking of the available IT policies that you specified using the BlackBerry Administration Service. If an IT policy rule is different in the multiple IT policies, the BlackBerry Enterprise Server applies the rule setting from the IT policy that you ranked the highest.

If you install BlackBerry Enterprise Server 5.0 SP2 or later, this is the default method for resolving IT policy conflicts.

Reconciliation rules for conflicting IT policies when you apply one IT policy to the user account

The BlackBerry® Enterprise Server can apply only one IT policy to a user account. Since you can assign IT policies to user accounts, groups, or the BlackBerry Domain, the BlackBerry Administration Service uses predefined rules to determine which IT policy it can apply to a user account.

The BlackBerry Administration Service might have to reconcile conflicting IT policies if you perform any of the following actions:

  • add an IT policy to or remove an IT policy from a user account or group
  • change an IT policy
  • change the ranking of IT policies
  • delete an IT policy

Scenario

Rule

You add a new user account to a BlackBerry Enterprise Server. You do not assign an IT policy directly to the user account and you do not add the user to a group.

The IT policy that you assigned to the BlackBerry Domain, or the Default IT policy that is assigned to the BlackBerry Domain, is assigned to the user account.

You assign an IT policy to a user account and a different IT policy to a group that the user account belongs to.

The IT policy that you assign to a user account takes precedence over an IT policy that you assign to a group. An IT policy that you assign to a group takes precedence over the IT policy that you assign to the BlackBerry Domain (or the Default IT policy).

A user account belongs to multiple groups. You assign multiple IT policies to the groups but do not assign an IT policy to the user account.

The BlackBerry Enterprise Server applies the IT policy that you ranked the highest in the BlackBerry Administration Service to the user account.

Reconciliation rules for conflicting IT policies when you apply multiple IT policies to a user account

The BlackBerry® Enterprise Server can apply multiple IT policies to a user account if the user account is a member of multiple groups that have different IT policies. Since you can assign IT policies to user accounts, groups, or the BlackBerry Domain, the BlackBerry Administration Service uses predefined rules to apply an IT policy to a user account.

The BlackBerry Administration Service might have to reconcile conflicting IT policies if you perform any of the following actions:

  • add an IT policy to or remove an IT policy from a user account or group
  • change an IT policy
  • change the ranking of IT policies
  • delete an IT policy

Scenario

Rule

You add a new user account to a BlackBerry Enterprise Server. You do not assign an IT policy directly to the user account and you do not add the user account to a group.

The IT policy that you assigned to the BlackBerry Domain, or the default IT policy for the BlackBerry Domain, is assigned to the user account.

You assign an IT policy to a user account and different IT policies to the groups that the user account belongs to.

The IT policy that you assign to a user account takes precedence over the IT policies that you assign to the groups that the user belongs to. An IT policy that you assign to a group takes precedence over the IT policy that you assigned to the BlackBerry Domain (or the Default IT policy).

A user account belongs to multiple groups. You assign multiple IT policies to the groups but you do not assign an IT policy to the user account.

If you assign multiple IT policies to the groups that the user account belongs to, the BlackBerry Enterprise Server resolves the IT policy rule settings in the multiple IT policies and assigns a combined IT policy that has a unique ID to the user account. The BlackBerry Enterprise Server resolves conflicting settings for IT policy rules by applying the rule setting from the IT policy that you ranked the highest in the BlackBerry Administration Service.

For example, you configure the Disable Photo Camera IT policy rule to Yes in IT policy A and to No in IT policy B. If you rank IT policy A higher than IT policy B, the Yes setting is applied for this rule.

A user account belongs to two groups. You assign the first group IT policy A, which has the Allow Browser IT policy rule as blank (which means that it uses the default value of Yes). You assign the second group IT policy B, which has the Allow Browser IT policy rule set to No. You ranked IT policy A higher than IT policy B in the BlackBerry Administration Service.

When the BlackBerry Enterprise Server resolves conflicting rule settings, any rule settings that have been explicitly configured to a value take precedence over IT policy rule settings that are blank (these rules revert to the default value).

For example, in this scenario, the Allow Browser IT policy rule setting from IT policy B, No, is applied to the user account even though IT policy A is ranked higher than IT policy B, because the Allow Browser IT policy rule is blank in IT policy A. If the Allow Browser IT policy rule was configured to Yes in IT policy A, the Yes value would be applied to the user account.
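The precedence and reconciliation rules from the tables above (user account over groups over the BlackBerry Domain, ranking between group IT policies, and explicitly configured rule settings over blank ones), modelled as an added Python example that is not part of this guide or of the BlackBerry Enterprise Server. The rule defaults, the rank convention (1 is highest), the combined policy ID format and the sample policies are assumptions constructed for illustration.

```python
# Added example, not BlackBerry code: a model of the IT policy reconciliation
# rules this page describes. Rule defaults, the rank convention and the
# combined policy ID format are assumptions for illustration.
from typing import Dict, List, Optional, Tuple

Rules = Dict[str, Optional[str]]
Policy = Tuple[str, Rules]  # (IT policy name, rule settings; None = blank)

# Assumed default values for two IT policy rules named on this page.
RULE_DEFAULTS = {"Allow Browser": "Yes", "Disable Photo Camera": "No"}


def fill_defaults(rules: Rules) -> Dict[str, str]:
    """Blank (None or missing) rules revert to their default value."""
    return {r: rules.get(r) or d for r, d in RULE_DEFAULTS.items()}


def resolve_policy(user_policy: Optional[Policy], group_policies: List[Policy],
                   rankings: Dict[str, int], domain_policy: Policy,
                   mode: str = "multiple") -> Tuple[str, Dict[str, str]]:
    """Return the (policy ID, effective rule settings) applied to a user account.

    A policy assigned to the user account beats group policies, which beat the
    BlackBerry Domain (or Default) policy. rankings maps a policy name to its
    rank; 1 is the highest (assumed convention). mode is "one" (apply the
    highest-ranked group policy) or "multiple" (combine the group policies).
    """
    if user_policy is not None:
        return user_policy[0], fill_defaults(user_policy[1])
    if not group_policies:
        return domain_policy[0], fill_defaults(domain_policy[1])
    ranked = sorted(group_policies, key=lambda p: rankings[p[0]])
    if mode == "one":
        return ranked[0][0], fill_defaults(ranked[0][1])
    combined: Dict[str, str] = {}
    for rule, default in RULE_DEFAULTS.items():
        # An explicitly configured value beats a blank one regardless of rank;
        # among explicit values, the highest-ranked policy wins.
        explicit = [p[1][rule] for p in ranked if p[1].get(rule) is not None]
        combined[rule] = explicit[0] if explicit else default
    return "combined:" + "+".join(p[0] for p in ranked), combined  # assumed ID format


# Constructed scenario from this page: IT policy A leaves Allow Browser blank and
# sets Disable Photo Camera to Yes; IT policy B sets both to No; A is ranked higher.
POLICY_A: Policy = ("A", {"Allow Browser": None, "Disable Photo Camera": "Yes"})
POLICY_B: Policy = ("B", {"Allow Browser": "No", "Disable Photo Camera": "No"})
DOMAIN_DEFAULT: Policy = ("Default", {})
RANKINGS = {"A": 1, "B": 2}

if __name__ == "__main__":
    print(resolve_policy(None, [POLICY_A, POLICY_B], RANKINGS, DOMAIN_DEFAULT))
```

Running the script applies both group policies to a user with no directly assigned policy and shows Allow Browser resolving to No from the lower-ranked policy B, as the scenario in the table describes.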
