Policy Reference Guide

Security policy group

Allow External Connections IT policy rule

Description

This rule specifies whether applications, including third-party applications, can initiate external connections (for example, to WAP gateways).

Possible values

  • Yes
  • No

Default value

  • Yes

Exceptions

  • BlackBerry® Enterprise Server for Novell® GroupWise® only with devices that are running BlackBerry® Device Software 4.0 or later

Minimum requirements

  • BlackBerry Device Software 3.6

Rule introduction

  • BlackBerry® Enterprise Server for Microsoft® Exchange 3.6
  • BlackBerry® Enterprise Server for IBM® Lotus® Domino® 4.0
  • BlackBerry Enterprise Server for Novell GroupWise 4.0

Allow Internal Connections IT policy rule

Description

This rule specifies whether applications, including third-party applications, can initiate internal connections (for example, to websites behind your organization's firewall using the BlackBerry® MDS Connection Service).

Possible values

  • Yes
  • No

Default value

  • Yes

Exceptions

  • BlackBerry® Enterprise Server for Novell® GroupWise® only with devices that are running BlackBerry® Device Software 4.0 or later

Minimum requirements

  • BlackBerry Device Software 3.6

Rule introduction

  • BlackBerry® Enterprise Server for Microsoft® Exchange 3.6
  • BlackBerry® Enterprise Server for IBM® Lotus® Domino® 4.0
  • BlackBerry Enterprise Server for Novell GroupWise 4.0

Allow Outgoing Call When Locked IT policy rule

Description

This rule specifies whether a BlackBerry® device user can make calls from a locked BlackBerry device.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 4.0

Rule introduction

  • BlackBerry® Enterprise Server 4.0

Allow Resetting of Idle Timer IT policy rule

Description

This rule specifies whether a BlackBerry® device permits third-party applications to reconfigure the inactivity-timeout value on the device and bypass the timeout value for the device password.

For more information about the inactivity timeout, visit www.blackberry.com/go/apiref and read about the EventInjector class and the Backlight.enable() method in the API reference for the BlackBerry® Java® Development Environment.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 4.2.1

Rule introduction

  • BlackBerry® Enterprise Server 4.1 SP4

Allow Screen Shot Capture IT policy rule

Description

This rule specifies whether a BlackBerry® device permits applications, including third-party applications, to take screen shots.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 4.2.2

Rule introduction

  • BlackBerry® Enterprise Server 4.1 SP4

Allow Smart Card Password Caching IT policy rule

Description

This rule specifies whether a BlackBerry® device can cache the smart card password.

Related rules

This rule affects the Key Store Password Maximum Timeout IT policy rule. If you configure this rule, you should also configure the Key Store Password Maximum Timeout IT policy rule.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 4.0

Rule introduction

  • BlackBerry® Enterprise Server 4.0

Allow Split-Pipe Connections IT policy rule

Description

This rule specifies whether applications, including third-party applications, can open internal and external connections on a BlackBerry® device at the same time. An application may create a security issue if it opens internal and external connections at the same time because the application can collect data from inside the firewall and send it outside the firewall.

Possible values

  • Yes
  • No

Default value

  • No

Exceptions

  • BlackBerry® Enterprise Server for Novell® GroupWise® only with devices that are running BlackBerry® Device Software 4.0 or later

Minimum requirements

  • BlackBerry Device Software 3.6

Rule introduction

  • BlackBerry® Enterprise Server for Microsoft® Exchange 3.6
  • BlackBerry® Enterprise Server for IBM® Lotus® Domino® 4.0
  • BlackBerry Enterprise Server for Novell GroupWise 4.0

Allow Third Party Apps to Use Persistent Store IT policy rule

Description

This rule specifies whether third-party applications can use the persistent store API on a BlackBerry® device. In later versions of the BlackBerry® Enterprise Server, use the Is access to the interprocess communication API allowed application control policy rule to specify whether applications can access the persistent store API.

This rule is obsolete in BlackBerry Enterprise Server 3.6 SP2.

Possible values

  • Yes
  • No

Default value

  • Yes

Minimum requirements

  • BlackBerry® Device Software 3.6

Rule introduction

  • BlackBerry Enterprise Server 3.6

Allow Third Party Apps to Use Serial Port IT policy rule

Description

This rule specifies whether third-party applications can use the serial port, IrDA® port, or USB port on a BlackBerry® device.

Possible values

  • Yes
  • No

Default value

  • Yes

Exceptions

  • BlackBerry® Enterprise Server for Novell® GroupWise® only on devices that are running BlackBerry® Device Software 4.0 or later

Minimum requirements

  • BlackBerry Device Software 3.6

Rule introduction

  • BlackBerry® Enterprise Server for Microsoft® Exchange 3.6
  • BlackBerry® Enterprise Server for IBM® Lotus® Domino® 4.0
  • BlackBerry Enterprise Server for Novell GroupWise 4.0

Allowed Authentication Mechanisms IT policy rule

Description

This rule specifies the types of authentication mechanisms that a BlackBerry® device user can turn on. Authentication mechanisms control the user's access to a BlackBerry device.

Related rules

This rule affects the Force Smart Card Two Factor Authentication IT policy rule. This rule takes priority over the Force Smart Card Two Factor Authentication IT policy rule. For example, if you configure this rule to prevent smart card authentication but the Force Smart Card Two Factor Authentication IT policy rule is configured to Yes, smart card authentication is not forced.

Possible values

  • Smartcard
  • Fingerprint
  • Smartcard and Fingerprint
  • Proximity
  • Other

Default value

  • Smartcard, Fingerprint, Smartcard and Fingerprint, Proximity, and Other

Minimum requirements

  • BlackBerry® Device Software 5.0

Rule introduction

  • BlackBerry® Enterprise Server 5.0

Certificate Status Cache Timeout IT policy rule

Description

This rule specifies the maximum number of days that a BlackBerry® device saves the certificate status.

This rule does not apply to any devices.

This rule is obsolete in BlackBerry® Enterprise Server 5.0.

Possible values

  • 1 to 365 days

Default value

  • 7 days

Rule introduction

  • BlackBerry Enterprise Server 4.0

Certificate Status Maximum Expiry Time IT policy rule

Description

This rule specifies the maximum amount of time that a certificate status can remain on a BlackBerry® device before it should be updated in the key store on the device and in the certificate synchronization tool of the BlackBerry® Desktop Manager.

Possible values

  • 1 to 4380 hours

Default value

  • Null value

Minimum requirements

  • BlackBerry® Device Software 4.0

Rule introduction

  • BlackBerry® Enterprise Server 4.0

Content Protection of Contact List IT policy rule

Description

This rule specifies whether the contact list on a BlackBerry® device is included in content protection when content protection is turned on. If you set this rule to Allowed, the BlackBerry device user can choose to include the contact list in content protection. If you set this rule to Required, the contact list is included in content protection. If you set this rule to Disallowed, the contact list is not included in content protection and the user cannot choose to include the contact list in content protection. If the contact list is content-protected and the device is locked, the device does not permit call display and does not share contacts over a Bluetooth® connection.

Devices that are running BlackBerry® Device Software 4.7 and earlier process the Disallowed setting in the same way as the Required setting.

The previous name of this rule was Force Include Address Book In Content Protection.

Possible values

  • Allowed
  • Required
  • Disallowed

Default value

  • Allowed

Minimum requirements

  • BlackBerry Device Software 4.2

Rule introduction

  • BlackBerry® Enterprise Server 4.0 SP6

Content Protection Strength IT policy rule

Description

This rule specifies the cryptographic strength that a BlackBerry® device uses for content protection of data that it receives when it is locked. When you specify a value for this rule, content protection is turned on. If you set this rule to Strong, the device uses a 160-bit ECC public key. If you set this rule to Stronger, the device uses a 283-bit ECC public key. If you set this rule to Strongest, the device uses a 571-bit ECC public key.

For devices that are running BlackBerry® Device Software 5.0 and later with onboard device memory, this rule also encrypts the onboard device memory using the BlackBerry device user password and a device-generated key. Media files in the onboard device memory are not encrypted unless you set the Encryption on On-Board Device Memory Media Files IT policy rule.

For devices that are running BlackBerry Device Software 4.7 and earlier, you can configure the External File System Encryption Level IT policy rule to encrypt media files on the media card.

Related rules

The Password Required IT policy rule affects this rule. A device uses this rule only if you set the Password Required IT policy rule to Yes.

This rule affects the Minimum Password Length IT policy rule. If you set this rule to Stronger, you should set the Minimum Password Length IT policy rule to 12 characters. If you set this rule to Strongest, you should set the Minimum Password Length IT policy rule to 21 characters.

Possible values

  • Strong
  • Stronger
  • Strongest

Default values

  • Strong in the Advanced security IT policy and Advanced security with No 3rd Party Applications IT policy
  • Null value in all other preconfigured IT policies

Minimum requirements

  • BlackBerry Device Software 4.0

Rule introduction

  • BlackBerry® Enterprise Server 4.0
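
The related-rule dependencies described for Content Protection Strength, as an added example (not part of the BlackBerry guide or any BlackBerry tool): a Python check that flags an IT policy whose password rules do not match the chosen strength. The dict-of-rule-names policy representation, the function name, and the sample policies are assumptions constructed for illustration.

```python
"""Added example: cross-rule check for the Content Protection Strength rule."""

# ECC public key size in bits for each rule value, as stated in the description.
ECC_KEY_BITS = {"Strong": 160, "Stronger": 283, "Strongest": 571}

# Minimum Password Length the guide says you should set for each strength.
RECOMMENDED_MIN_PASSWORD_LENGTH = {"Stronger": 12, "Strongest": 21}


def audit_content_protection(policy):
    """Return a list of (severity, rule, message) findings for one IT policy.

    `policy` is a hypothetical dict mapping rule names to configured values.
    A missing key or None stands for the "Null value" default. Minimum
    Password Length is assumed to be stored as an int.
    """
    findings = []
    strength = policy.get("Content Protection Strength")
    if strength is None:
        # Rule not configured: this rule does not turn content protection on.
        return findings
    if strength not in ECC_KEY_BITS:
        findings.append(("error", "Content Protection Strength",
                         f"unknown value {strength!r}"))
        return findings

    # A device uses the rule only if Password Required is set to Yes.
    if policy.get("Password Required") != "Yes":
        findings.append(("error", "Password Required",
                         "Content Protection Strength is configured but "
                         "Password Required is not Yes, so the device does "
                         "not use the rule"))

    # Stronger and Strongest come with a recommended minimum password length.
    recommended = RECOMMENDED_MIN_PASSWORD_LENGTH.get(strength)
    if recommended is not None:
        configured = policy.get("Minimum Password Length")
        if configured is None or configured < recommended:
            findings.append(("warning", "Minimum Password Length",
                             f"{strength} ({ECC_KEY_BITS[strength]}-bit ECC "
                             f"key) should be paired with a minimum of "
                             f"{recommended} characters, found {configured}"))
    return findings


# Constructed sample policies, not taken from any real deployment.
SAMPLE_POLICIES = {
    "consistent": {
        "Password Required": "Yes",
        "Content Protection Strength": "Strongest",
        "Minimum Password Length": 21,
    },
    "short-password": {
        "Password Required": "Yes",
        "Content Protection Strength": "Stronger",
        "Minimum Password Length": 8,
    },
    "no-password": {
        "Content Protection Strength": "Strongest",
    },
    "not-configured": {
        "Password Required": "Yes",
    },
}


if __name__ == "__main__":
    for name, policy in SAMPLE_POLICIES.items():
        results = audit_content_protection(policy)
        print(f"{name}: {'OK' if not results else ''}")
        for severity, rule, message in results:
            print(f"  [{severity}] {rule}: {message}")
```
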

Content Protection Usage IT policy rule

Description

This rule specifies whether content protection is available on a BlackBerry® device. If you set this rule to Allowed, a BlackBerry device user can turn on content protection on the device.

This rule does not turn on content protection. To turn on content protection, you must configure the Content Protection Strength IT policy rule or the user must configure content protection on the device in the device options.

For more information about content protection, see the BlackBerry Enterprise Solution Security Technical Overview.

Possible values

  • Allowed
  • Disallowed

Default value

  • Allowed

Minimum requirements

  • BlackBerry® 6

Rule introduction

  • BlackBerry® Enterprise Server 5.0 SP2

Desktop Backup IT policy rule

Description

This rule specifies which BlackBerry® device databases are backed up by the BlackBerry® Desktop Software.

Possible values

  • All databases
  • Minimal subset of databases
  • No databases
  • No organizational databases

Default value

  • All databases

Minimum requirements

  • BlackBerry® Device Software 4.0

Rule introduction

  • BlackBerry® Enterprise Server 4.0

Disable 3DES Transport Crypto IT policy rule

Description

This rule specifies whether to prevent a BlackBerry® device from using the Triple DES algorithm to encrypt and decrypt data.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 4.0

Rule introduction

  • BlackBerry Enterprise Server 4.0

Disable BlackBerry App World IT policy rule

Description

This rule specifies whether the BlackBerry App World™ storefront on a BlackBerry® device is turned off.

This rule is obsolete in BlackBerry® Enterprise Server 5.0 SP2 and later and BlackBerry App World 2.0 and later. In BlackBerry Enterprise Server 5.0 SP2 and later and BlackBerry App World 2.0 and later, configure the Disable App World IT policy rule in the BlackBerry App World policy group.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 4.2

Rule introduction

  • BlackBerry Enterprise Server 4.1 SP7

Disable Browsing Of Remote Shared Folders IT policy rule

Description

This rule specifies whether a BlackBerry® device user can browse shared folders and files located on the servers in your organization's network using the file browser on a BlackBerry device.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® 6

Rule introduction

  • BlackBerry® Enterprise Server 5.0 SP2

Disable Certificate or Key Import From External Memory IT policy rule

Description

This rule specifies whether a BlackBerry® device can import certificates and PGP® keys, including private keys, from a media card.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 5.0

Rule introduction

  • BlackBerry® Enterprise Server 5.0 SP1

Disable Cut/Copy/Paste IT policy rule

Description

This rule specifies whether to prevent a BlackBerry® device user from cutting, copying, and pasting text on a BlackBerry device.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 4.0

Rule introduction

  • BlackBerry® Enterprise Server 4.0

Disable External Memory IT policy rule

Description

This rule specifies whether to prevent a BlackBerry® device user from accessing the media card on a BlackBerry device.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 4.2

Rule introduction

  • BlackBerry® Enterprise Server 4.0 SP6

Disable Forwarding Between Services IT policy rule

Description

This rule specifies whether a BlackBerry® device user can reply to or forward an email message using an email account or messaging service (for example, the BlackBerry® Enterprise Server or BlackBerry® Internet Service) that is different from the email account or messaging service that the user received the email message with.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 4.0

Rule introduction

  • BlackBerry Enterprise Server 4.0

Disable Geo-Tagging of Photos IT policy rule

Description

This rule specifies whether to prevent a BlackBerry® device from adding geographical co-ordinates to the metadata of stored pictures.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 4.2

Rule introduction

  • BlackBerry® Enterprise Server 4.1 SP4

Disable GPS IT policy rule

Description

This rule specifies whether the GPS feature on a BlackBerry® device is turned on. If you set this rule to Yes, BlackBerry® Maps does not work and applications cannot access the GPS APIs for the device.

Related rules

This rule affects the "Is Access to the GPS API Allowed" application control policy rule setting. This rule overrides the "Is Access to the GPS API Allowed" application control policy rule setting.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 4.3

Rule introduction

  • BlackBerry® Enterprise Server 4.1 SP5

Disable Invalid Certificate Use IT policy rule

Description

This rule specifies whether to prevent a BlackBerry® device user from sending an email message from a BlackBerry device using an expired or invalid certificate.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 3.6
  • BlackBerry® Enterprise Server for IBM® Lotus® Domino® 4.0
  • BlackBerry® Enterprise Server for Novell® GroupWise® 4.0

Rule introduction

  • BlackBerry® Enterprise Server 3.6

Disable IP Modem IT policy rule

Description

This rule specifies whether the IP modem on a BlackBerry® device is available.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 4.0

Rule introduction

  • BlackBerry® Enterprise Server 4.0

Disable Key Store Backup IT policy rule

Description

This rule specifies whether to prevent a BlackBerry® device user from backing up the certificates and private keys that are stored on a BlackBerry device.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 4.0

Rule introduction

  • BlackBerry® Enterprise Server 4.0

Disable Key Store Low Security IT policy rule

Description

This rule specifies whether to prevent a BlackBerry® device user from setting the key store security level to Low. For BlackBerry devices that are running BlackBerry® Device Software 3.6, the next highest security level is High. For devices that are running BlackBerry Device Software 4.0 or later, the next highest security level is Medium.

Possible values

  • Yes
  • No

Default value

  • No

Exceptions

  • BlackBerry® Enterprise Server for Novell® GroupWise® only with devices that are running BlackBerry Device Software 4.0 or later

Minimum requirements

  • BlackBerry Device Software 3.6
  • BlackBerry® Enterprise Server for IBM® Lotus® Domino® 4.0
  • BlackBerry Enterprise Server for Novell GroupWise 4.0

Rule introduction

  • BlackBerry® Enterprise Server 3.6

Disable Media Manager FTP Access IT policy rule

Description

This rule specifies whether applications can access the FTP channel from the media manager tool in the BlackBerry® Desktop Manager. This rule controls whether a BlackBerry device can transfer files from the onboard device memory or media card using the FTP channel. When you permit the device to transfer files using FTP, the device does not protect the files using content protection. The device can encrypt the data on the media card if you configure the External File System Encryption Level IT policy rule.

This feature is not available for BlackBerry Desktop Manager 4.2.2 because the Roxio® Media Manager uses the media transport protocol to transfer files.

Possible values

  • Yes
  • No

Default value

  • No

Exceptions

  • BlackBerry Desktop Manager 4.2.2
  • BlackBerry® Enterprise Server for Novell® GroupWise®

Minimum requirements

  • BlackBerry® Device Software 4.2

Rule introduction

  • BlackBerry® Enterprise Server 4.0 SP6

Disable Message Normal Send IT policy rule

Description

This rule specifies whether to require a BlackBerry® device user to send encrypted or signed email messages.

For BlackBerry devices that are running BlackBerry® Device Software 5.0 and later, this rule applies only to email messages that a user sends through your organization's BlackBerry® Enterprise Server. To prevent a user from sending email messages that are not encrypted or signed from a different messaging service such as the BlackBerry® Internet Service, configure the Allow Other Message Services rule in the Service Exclusivity policy group.

For BlackBerry devices that are running BlackBerry Device Software 4.7 and earlier, this rule applies to all messaging services.

Possible values

  • Yes
  • No

Default value

  • No

Exceptions

  • BlackBerry® Enterprise Server for Novell® GroupWise® only with devices that are running BlackBerry Device Software 4.0 or later

Minimum requirements

  • BlackBerry Device Software 3.6
  • BlackBerry® Enterprise Server for IBM® Lotus® Domino® 4.0
  • BlackBerry Enterprise Server for Novell GroupWise 4.0

Rule introduction

  • BlackBerry Enterprise Server 3.6

Disable Peer-to-Peer Normal Send IT policy rule

Description

This rule specifies whether to prevent a BlackBerry® device user from sending PIN messages that are not encrypted when using the S/MIME Support Package for BlackBerry® smartphones or PGP® Support Package for BlackBerry® smartphones.

Possible values

  • Yes
  • No

Default value

  • No

Exceptions

  • BlackBerry® Enterprise Server for Novell® GroupWise® only with devices that are running BlackBerry® Device Software 4.0 or later

Minimum requirements

  • BlackBerry Device Software 3.6
  • BlackBerry® Enterprise Server for IBM® Lotus® Domino® 4.0
  • BlackBerry Enterprise Server for Novell GroupWise 4.0

Rule introduction

  • BlackBerry® Enterprise Server 3.6

Disable Persisted Plain Text IT policy rule

Description

This rule specifies whether to prevent applications from keeping the plain-text form of a content-protected object in the persistent store on a BlackBerry® device. Configure this rule only if you require that sensitive data does not persist in plain-text form on a device.

Attention: If you change this rule to Yes, applications on the device that do not use the content protection framework API to encrypt data might not work.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 4.0

Rule introduction

  • BlackBerry® Enterprise Server 4.0

Disable Public Photo Sharing Applications IT policy rule

Description

This rule specifies whether to prevent a BlackBerry® device user from uploading pictures to the Internet using public photo sharing applications.

Possible values

  • Yes
  • No

Default value

  • No

Rule introduction

  • BlackBerry® Enterprise Server 4.1 SP4

Disable Public Social Networking Applications IT policy rule

Description

This rule specifies whether a BlackBerry® device user can install public social networking applications on a BlackBerry device to access public social networking services.

Possible values

  • Yes
  • No

Default value

  • No

Rule introduction

  • BlackBerry® Enterprise Server 4.1 SP5

Disable Radio When Cradled IT policy rule

Description

This rule specifies whether a BlackBerry® device turns off the wireless transceiver when it connects to a USB device.

Possible values

  • Radio disabled when USB device is connected
  • Radio not disabled when USB device is connected
  • Radio disabled when the connected USB device enumerates

Default value

  • Radio not disabled when USB device is connected

Minimum requirements

  • BlackBerry® Device Software 4.0

Rule introduction

  • BlackBerry® Enterprise Server 4.0

Disable Revoked Certificate Use IT policy rule

Description

This rule specifies whether to prevent a BlackBerry® device user from sending email messages that are encrypted using revoked certificates.

Possible values

  • Yes
  • No

Default value

  • No

Exceptions

  • BlackBerry® Enterprise Server for Novell® GroupWise® only with devices running BlackBerry® Device Software 4.0 or later

Minimum requirements

  • BlackBerry Device Software 3.6
  • BlackBerry® Enterprise Server for IBM® Lotus® Domino® 4.0
  • BlackBerry Enterprise Server for Novell GroupWise 4.0

Rule introduction

  • BlackBerry® Enterprise Server for Microsoft® Exchange 3.6

Disable Smart Password Entry IT policy rule

Description

This rule specifies whether to prevent a BlackBerry® device user from using smart password entry with two-factor authentication. Smart password entry allows the user to enter numeric passwords on the BlackBerry device without pressing the Alt key.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 4.2

Rule introduction

  • BlackBerry® Enterprise Server 4.0 SP6

Disable Stale Certificate Status Checks IT policy rule

Description

This rule specifies whether a BlackBerry® device displays warnings and indicators if the BlackBerry device user receives an email message that includes a certificate with a stale status.

Related rules

This rule affects the Certificate Status Maximum Expiry Time IT policy rule. If you set this rule to Yes, the device ignores the Certificate Status Maximum Expiry Time IT policy rule and the status of certificates on the device never expires.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 4.2

Rule introduction

  • BlackBerry® Enterprise Server 4.0 SP6

Disable Stale Status Use IT policy rule

Description

This rule specifies whether to prevent a BlackBerry® device user from sending an email message that is encrypted using a certificate with a stale status.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 4.0

Rule introduction

  • BlackBerry® Enterprise Server 4.0

Disable Untrusted Certificate Use IT policy rule

Description

This rule specifies whether to prevent a BlackBerry® device user from sending an email message that is encrypted with a certificate that the BlackBerry device does not trust.

Possible values

  • Yes
  • No

Default value

  • No

Exceptions

  • BlackBerry® Enterprise Server for Novell® GroupWise® only with devices that are running BlackBerry® Device Software 4.0 or later

Minimum requirements

  • BlackBerry Device Software 3.6
  • BlackBerry® Enterprise Server for IBM® Lotus® Domino® 4.0
  • BlackBerry Enterprise Server for Novell GroupWise 4.0

Rule introduction

  • BlackBerry® Enterprise Server 3.6

Disable Unverified Certificate Use IT policy rule

Description

This rule specifies whether to prevent a BlackBerry® device user from sending an email message that is encrypted with a certificate that the BlackBerry device cannot verify.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 4.0

Rule introduction

  • BlackBerry® Enterprise Server 4.0

Disable Unverified CRLs IT policy rule

Description

This rule specifies whether to prevent a BlackBerry® device user from accepting CRLs that are not verified on the BlackBerry MDS Connection Service when checking the status of a certificate.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 4.0

Rule introduction

  • BlackBerry® Enterprise Server 4.0

Disable USB Mass Storage IT policy rule

Description

This rule specifies whether USB mass storage and the media transport protocol are turned on. The media transport protocol permits a BlackBerry® device user to transfer media files from a computer or BlackBerry® Desktop Manager to a BlackBerry device or media card. When you transfer files using the media transport protocol, the device does not protect the files using content protection and does not encrypt the data on the media card, even if you configure the External File System Encryption Level IT policy rule.

This feature is not available for BlackBerry Desktop Manager 4.2.2 because the Roxio® Media Manager uses the media transport protocol to transfer files.

For more information about protecting data that a device stores on a media card, see the BlackBerry Enterprise Solution Security Technical Overview.

Possible values

  • Yes
  • No

Default values

  • Yes in the Advanced security IT policy and Advanced Security with No 3rd Party Applications IT policy
  • No in all other preconfigured IT policies

Minimum requirements

  • BlackBerry® Device Software 4.2

Rule introduction

  • BlackBerry® Enterprise Server 4.0 SP6

Disable Weak Certificate Use IT policy rule

Description

This rule specifies whether to prevent a BlackBerry® device user from sending an email message using a certificate that has a corresponding weak public key. Use the IT policy rules that are provided for the TLS application, WTLS application, S/MIME Support Package for BlackBerry® smartphones, or PGP® Support Package for BlackBerry® smartphones to configure the minimum strengths for the RSA®, DSA, ECC, and Diffie-Hellman algorithm key lengths.

Possible values

  • Yes
  • No

Default value

  • No

Exceptions

  • BlackBerry® Enterprise Server for Novell® GroupWise® only with devices that are running BlackBerry® Device Software 4.0 or later

Minimum requirements

  • BlackBerry Device Software 3.6
  • BlackBerry® Enterprise Server for IBM® Lotus® Domino® 4.0
  • BlackBerry Enterprise Server for Novell GroupWise 4.0

Rule introduction

  • BlackBerry® Enterprise Server 3.6

Disallow Third Party Application Downloads IT policy rule

Description

This rule specifies whether a BlackBerry® device user can install or update applications on a BlackBerry device using the BlackBerry® Browser or BlackBerry App World™.

If you set this rule to Yes, the user cannot install or update applications on the device using BlackBerry Browser or BlackBerry App World. The user can install or update an application that RIM creates using the BlackBerry® Desktop Manager. This rule does not apply to RIM Add-on applications in software configurations.

Related rules

This rule affects the Application Restriction Rule IT policy rule. If you set this rule to Yes, it takes precedence over the Application Restriction Rule IT policy rule.

This rule affects the Category Restriction Rule IT policy rule. If you set this rule to Yes, it takes precedence over the Category Restriction Rule IT policy rule.

Possible values

  • Yes
  • No

Default values

  • Yes in the Medium password security with No 3rd Party Applications IT policy and the Advanced security with No 3rd Party Applications IT policy
  • No in all other preconfigured IT policies

Exceptions

  • BlackBerry® Enterprise Server for Novell® GroupWise® only with devices that are running BlackBerry® Device Software 4.0 or later

Minimum requirements

  • BlackBerry Device Software 3.6

Rule introduction

  • BlackBerry® Enterprise Server for Microsoft® Exchange 3.6
  • BlackBerry® Enterprise Server for IBM® Lotus® Domino® 4.0
  • BlackBerry Enterprise Server for Novell GroupWise 4.0

Encryption on On-Board Device Memory Media Files IT policy rule

Description

This rule specifies whether the media files that are located in the on-board memory of a BlackBerry® device are encrypted to the BlackBerry device user password and the device-generated key.

Related rules

The Content Protection Strength IT policy rule affects this rule. The device uses this rule only if you configure the Content Protection Strength IT policy rule.

Possible values

  • Allowed
  • Required
  • Disallowed

Default value

  • Allowed

Minimum requirements

  • BlackBerry® Device Software 5.0

Rule introduction

  • BlackBerry® Enterprise Server 5.0 SP1

External File System Encryption Level IT policy rule

Description

This rule specifies the level of encryption that a BlackBerry® device uses to encrypt files that it stores on a media card. You can use this rule to require that the device encrypts a media card, either including or excluding media-card files. You cannot use this rule to encrypt files that a BlackBerry device user transfers to the media card manually (for example, from a USB mass storage device).

The master keys for the media card are stored on the media card. A device is designed to use the master keys to decrypt and encrypt files on the media card. A device is designed to use the device key, a user-provided password, or both to encrypt the master keys.

Possible values

  • Encrypt to User Password (excluding multimedia directories)
  • Encrypt to User Password (including multimedia directories)
  • Encrypt to Device Key (excluding multimedia directories)
  • Encrypt to Device Key (including multimedia directories)
  • Encrypt to User Password and Device Key (excluding multimedia directories)
  • Encrypt to User Password and Device Key (including multimedia directories)
  • Not required

Default values

  • Encrypt to User Password (excluding multimedia directories) in the Advanced Security IT policy and Advanced Security with No 3rd Party Applications IT policy
  • Null value in all other preconfigured IT policies

Minimum requirements

  • BlackBerry® Device Software 4.2

FIPS Level IT policy rule

Description

This rule specifies the level of FIPS compliance that your organization requires. If you change this rule to Level 2, a BlackBerry® device prevents WTLS from using an RC encryption algorithm, which can cause problems when using WTLS.

This rule is obsolete in BlackBerry® Enterprise Server 4.1 SP3 and later and BlackBerry® Device Software 4.2.1 and later.

Related rules

This rule affects the Password Required IT policy rule. If you change this rule to Level 2, the Password Required IT policy rule is configured to Yes.

This rule affects the Minimum Password Length IT policy rule. If you change this rule to Level 2, the Minimum Password Length IT policy rule is configured to 5.

This rule affects the Suppress Password Echo IT policy rule. If you change this rule to Level 2, the Suppress Password Echo IT policy rule is configured to Yes.

This rule affects the PGP® Allowed Content Ciphers IT policy rule. If you change this rule to Level 2, the PGP Allowed Content Ciphers IT policy rule is configured to AES (256-bit), AES (192-bit), AES (128-bit), Triple DES.

This rule affects the S/MIME Allowed Content Ciphers IT policy rule. If you change this rule to Level 2, the S/MIME Allowed Content Ciphers IT policy rule is configured to AES (256-bit), AES (192-bit), AES (128-bit), Triple DES.

This rule affects the TLS Restrict FIPS Ciphers IT policy rule. If you change this rule to Level 2, the TLS Restrict FIPS Ciphers IT policy rule is configured to Yes.

This rule affects the Disallow Third Party Application Download IT policy rule. If you change this rule to Level 2, the Disallow Third Party Application Download IT policy rule is configured to Yes.

Possible values

  • FIPS 140-2 Level 1 compliance
  • FIPS 140-2 Level 2 compliance

Default value

  • FIPS 140-2 Level 1 compliance

Exceptions

  • BlackBerry® Enterprise Server for Novell® GroupWise® only with devices that are running BlackBerry Device Software 4.0 to 4.2.1

Minimum requirements

  • For FIPS Level 1 compliance, BlackBerry Device Software 3.3
  • For FIPS Level 2 compliance, BlackBerry Device Software 4.0

Rule introduction

  • BlackBerry Enterprise Server 4.0

Firewall Block Incoming Messages IT policy rule

Description

This rule specifies whether the BlackBerry® device firewall prevents the device from processing specific types of incoming messages. If you configure this rule, the device blocks the incoming messages that you specify at the firewall and does not notify a BlackBerry device user that those messages were received.

The user can specify whether to block public PIN messages on a device. A user cannot specify whether to block organization-specific PIN messages on a device.

Possible values

  • SMS messages
  • MMS messages
  • BlackBerry Internet Service messages
  • PIN messages (Public)
  • PIN messages (Corporate)
  • Enterprise messages

Default value

  • Null value

Minimum requirements

  • BlackBerry® Device Software 4.2

Rule introduction

  • BlackBerry® Enterprise Server 4.0 SP6

Firewall Whitelist Addresses IT policy rule

Description

This rule specifies the list of email addresses that the firewall on a BlackBerry® device allows. The device receives email messages from these email addresses even if the BlackBerry device user blocks all incoming email messages on the device. Specify email addresses using wildcard characters (for example, *@organization.com) to allow email messages from a specific domain.

Default value

  • Null value

Minimum requirements

  • BlackBerry® Device Software 4.5

Rule introduction

  • BlackBerry® Enterprise Server 4.1 SP5

Force Content Protection Of Master Keys IT policy rule

Description

This rule specifies whether content protection for device transport keys that a BlackBerry® device stores is turned on. Content protection is designed to encrypt the device transport keys on a device using 256-bit AES and store them in the device memory. To turn on content protection for device transport keys, you or a BlackBerry device user must turn on content protection on the device. You can turn on content protection on the device using the Content Protection Strength IT Policy Rule.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 4.1

Rule introduction

  • BlackBerry® Enterprise Server 4.0 SP3

Force Device Password Entry While User Authentication is Enabled IT policy rule

Description

This rule specifies whether a BlackBerry® device user must type the BlackBerry device password in addition to the user-authentication credentials for the second-factor authentication method to unlock the device.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 5.0

Rule introduction

  • BlackBerry® Enterprise Server 5.0 SP2

Force Display IT Policy Viewer Icon on Homescreen IT policy rule

Description

This rule specifies whether a BlackBerry® device displays the IT Policy Viewer icon in the Application folder on the device. The IT policy viewer permits a BlackBerry device user to view IT policy rules from the Security policy group and Password policy group that have values that you configured for the device. Only devices that you activate on a BlackBerry® Enterprise Server include the IT policy viewer.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 5.2

Rule introduction

  • BlackBerry Enterprise Server 5.0 SP2

Force LED Blinking When Microphone Is On IT policy rule

Description

This rule specifies whether a BlackBerry® device LED flashes while the microphone is on (for example, during a call or when recording a voice message).

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 4.1

Rule introduction

  • BlackBerry® Enterprise Server 4.0 SP3

Force Lock When Closed IT policy rule

Description

This rule specifies whether BlackBerry® Pearl™ Flip Series smartphones are security locked automatically when a BlackBerry device user closes the device.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry Pearl Flip Series smartphone
  • BlackBerry® Device Software 4.6

Rule introduction

  • BlackBerry® Enterprise Server 4.1 SP6

Force Lock When Holstered IT policy rule

Description

This rule specifies whether a BlackBerry® device locks when a BlackBerry device user inserts it in a holster.

Possible values

  • Yes
  • No

Default values

  • No in the Default IT policy and Basic password security IT policy
  • Yes in all other preconfigured IT policies

Exceptions

  • BlackBerry® Enterprise Server for Novell® GroupWise® only with devices that are running BlackBerry® Device Software 4.0 and later

Minimum requirements

  • BlackBerry Device Software 3.6

Rule introduction

  • BlackBerry® Enterprise Server 3.6

Force Multi Factor Authentication IT policy rule

Description

This rule specifies whether to force the use of multifactor authentication on a BlackBerry® device.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 5.0

Rule introduction

  • BlackBerry® Enterprise Server 5.0

Force Notifications for Keys with Medium Security Level IT policy rule

Description

This rule specifies whether a BlackBerry® device displays notifications for private keys with a medium security level during the lifetime of the cached key. If a BlackBerry device user opens an encrypted email message, the device accesses the key store to obtain the private key to decrypt the email message.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 5.0

Rule introduction

  • BlackBerry® Enterprise Server 5.0 SP1

Force Smart Card Reader Challenge Response while User Authentication is enabled IT policy rule

Description

This rule specifies whether a BlackBerry® device user must always use the same BlackBerry® Smart Card Reader or Advanced Security SD card to unlock a BlackBerry device.

Related rules

The Force Smart Card Two-Factor Authentication IT policy rule affects this rule. You must configure the Force Smart Card Two-Factor Authentication IT policy rule to Yes to use this rule.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 5.0
  • BlackBerry Smart Card Reader 2.0

Rule introduction

  • BlackBerry® Enterprise Server 5.0 SP2

Force Smart Card Two Factor Authentication IT policy rule

Description

This rule specifies whether a BlackBerry® device user must type a BlackBerry device password and the smart card password to unlock a device.

Related rules

This rule affects the Password Required IT policy rule. If you change this rule to Yes, the BlackBerry® Enterprise Server automatically configures the Password Required IT policy rule to Yes in the same IT policy. You must configure the Password Required IT policy rule to Yes manually for a device that is running BlackBerry® Device Software 4.2 and earlier.

Possible values

  • Yes
  • No

Default value

  • No

Exceptions

  • BlackBerry® Enterprise Server for Novell® GroupWise® only with devices that are running BlackBerry Device Software 4.0 or later

Minimum requirements

  • BlackBerry Device Software 3.6
  • BlackBerry® Smart Card Reader software 1.5
  • BlackBerry® Enterprise Server for IBM® Lotus® Domino® 4.0
  • BlackBerry Enterprise Server for Novell GroupWise 4.0

Rule introduction

  • BlackBerry Enterprise Server 3.6

Force Smart Card Two Factor Challenge Response IT policy rule

Description

This rule specifies whether a BlackBerry® device user must choose a smart card certificate to use with smart card two-factor authentication. This feature is designed to increase the security of smart card two-factor authentication, but when it is turned on, a BlackBerry device requires more time to unlock.

Related rules

The Password Required IT policy rule affects this rule. A device uses this rule only if you configure the Password Required IT policy rule to Yes.

The Force Smart Card Two Factor Authentication IT policy rule affects this rule. A device uses this rule only if you configure the Force Smart Card Two Factor Authentication IT policy rule to Yes.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 4.2
  • BlackBerry® Smart Card Reader software 1.5

Rule introduction

  • BlackBerry® Enterprise Server 4.0 SP6

Key Store Password Maximum Timeout IT policy rule

Description

This rule specifies the maximum number of minutes that can elapse before the timeout period expires for the cached key store password and a BlackBerry® device prompts a BlackBerry device user to type the password. The device key store is the database that stores the user's private keys. The key store uses a password to protect the user's private keys. By default, the device caches the key store password to minimize the number of key store password prompts. If you change this rule to 0, the device cannot cache the key store password and cannot reduce the number of password prompts.

Possible values

  • 0 to 60 minutes

Default value

  • 1 minute

Exceptions

  • BlackBerry® Enterprise Server for Novell® GroupWise® only with devices that are running BlackBerry® Device Software 4.0 or later

Minimum requirements

  • BlackBerry Device Software 3.6
  • BlackBerry® Enterprise Server for IBM® Lotus® Domino® 4.0
  • BlackBerry Enterprise Server for Novell GroupWise 4.0

Rule introduction

  • BlackBerry® Enterprise Server 3.6

Lock on Proximity Authenticator Disconnect IT policy rule

Description

This rule specifies whether a BlackBerry® device must lock either when a BlackBerry device user disconnects a proximity authenticator, such as the BlackBerry® Smart Card Reader, or when a proximity authenticator is out of range of the device.

This IT policy rule does not require the device to use a proximity authenticator. To require the device to use a proximity authenticator, you can configure the Force Multi Factor Authentication IT policy rule and Allowed Authentication Mechanisms IT policy rule.

Possible values

  • Yes
  • No

Default value

  • Yes in the Advanced security IT policy and Advanced security with No 3rd Party Applications IT policy
  • No in all other preconfigured IT policies

Minimum requirements

  • BlackBerry® Device Software 5.0

Rule introduction

  • BlackBerry® Enterprise Server 5.0 SP1

Lock on Smart Card Removal IT policy rule

Description

This rule specifies whether a BlackBerry® device locks when a BlackBerry device user removes the smart card from the BlackBerry® Smart Card Reader or disconnects the BlackBerry Smart Card Reader from a device. Not all smart card reader drivers support smart card removal detection.

Related rules

This rule affects the Password Required IT policy rule. If you change this rule to Yes, the BlackBerry® Enterprise Server configures the Password Required IT policy rule to Yes automatically in the same IT policy.

This rule affects the Force Smart Card Two Factor Authentication IT policy rule. If you change this rule to Yes, the BlackBerry Enterprise Server configures the Force Smart Card Two Factor Authentication IT policy rule to Yes automatically in the same IT policy.

Possible values

  • Yes
  • No

Default value

  • No

Exceptions

  • BlackBerry® Enterprise Server for Novell® GroupWise® only with devices that are running BlackBerry® Device Software 4.0 or later

Minimum requirements

  • BlackBerry Device Software 3.6
  • BlackBerry® Enterprise Server for IBM® Lotus® Domino® 4.0
  • BlackBerry Enterprise Server for Novell GroupWise 4.0

Rule introduction

  • BlackBerry Enterprise Server 3.6

Login Disclaimer IT policy rule

Description

This rule specifies the disclaimer that a BlackBerry® device can display before a BlackBerry device user unlocks the device for the first time after you or a user resets the device. The limit for the disclaimer is 512 characters.

Default value

  • Null value

Minimum requirements

  • BlackBerry® Device Software 5.0

Rule introduction

  • BlackBerry® Enterprise Server 5.0 SP1

Maximum Smart Card User Authenticator Certificate Status Check Period IT policy rule

Description

This rule specifies the maximum length of time (in minutes) that can elapse between status checks of the user authentication certificates that a BlackBerry® device uses with smart cards. During each period, the device requests the status of the certificate. If the certificate is revoked, the device locks and a BlackBerry device user is unable to unlock it unless the certificate status changes from On Hold to Good.

Related rules

The Password Required IT policy rule affects this rule. The device uses this rule only if you configure the Password Required IT policy rule to Yes.

The Force Smart Card User Authentication IT policy rule affects this rule. The device uses this rule only if you configure the Force Smart Card User Authentication IT policy rule to Yes.

The Force Smart Card Two Factor Challenge Response IT policy affects this rule. The device uses this rule only if you configure the Force Smart Card Two Factor Challenge Response IT policy rule to Yes.

Possible values

  • 240 to 40,320 minutes

Default value

  • Null value

Minimum requirements

  • BlackBerry® Device Software 4.5

Rule introduction

  • BlackBerry® Enterprise Server 4.1 SP5

Media Card Format on Device Wipe IT policy rule

Description

This rule specifies whether a BlackBerry® device formats a media card when a BlackBerry device user or administrator deletes all data on the device permanently.

Possible values

  • Allowed
  • Required
  • Disallowed

Default value

  • Allowed

Minimum requirements

  • BlackBerry® Device Software 5.0

Rule introduction

  • BlackBerry® Enterprise Server 5.0 SP1

Message Classification IT policy rule

Description

This rule specifies the set of message classifications that are available to apply to email messages that a BlackBerry® device user sends using the BlackBerry® Enterprise Server.

Default value

  • Null value

Minimum requirements

  • BlackBerry® Device Software 4.2

Rule introduction

  • BlackBerry Enterprise Server 4.1 SP2

Message Classification Title IT policy rule

Description

This rule specifies the title of the message classification that a BlackBerry® device includes when a BlackBerry device user applies the message classification to email messages.

Default value

  • Null value

Minimum requirements

  • BlackBerry® Device Software 4.3

Rule introduction

  • BlackBerry® Enterprise Server 4.1 SP4

Minimal Encryption Key Store Security Level IT policy rule

Description

This rule specifies the minimum security level of the private key that a BlackBerry® device uses to encrypt email messages. When you configure this rule, all keys must use the security level that you configure as the minimum, but a BlackBerry device user can configure a higher security level on the device.

Possible values

  • Low security
  • Medium security
  • High security

Default value

  • Low security

Minimum requirements

  • BlackBerry® Device Software 4.0

Rule introduction

  • BlackBerry® Enterprise Server 4.0

Minimal Signing Key Store Security Level IT policy rule

Description

This rule specifies the minimum security level of the private key that a BlackBerry® device uses to sign email messages. When you configure this rule, keys must use the security level that you configure as the minimum, but a BlackBerry device user can configure a higher security level on the device.

Possible values

  • Low security
  • Medium security
  • High security

Default value

  • Low security

Minimum requirements

  • BlackBerry® Device Software 4.0

Rule introduction

  • BlackBerry® Enterprise Server 4.0

Password Required for Application Download IT policy rule

Description

This rule specifies whether a BlackBerry® device prompts a BlackBerry device user for the device password when using the browser to download applications.

Related rules

The Password Required IT policy rule affects this rule. The device uses this rule only if you configure the Password Required IT policy rule to Yes.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 4.2.2

Rule introduction

  • BlackBerry® Enterprise Server 4.1 SP4

Require Secure APB Messages IT policy rule

Description

This rule specifies whether a BlackBerry® device can receive email messages that are not highly secure, including APB messages from a BlackBerry® Enterprise Server.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 4.2

Rule introduction

  • BlackBerry Enterprise Server 4.0 SP6

Required Password Pattern IT policy rule

Description

This rule specifies the required pattern for a BlackBerry® device password. A character in the password pattern specifies the character type permitted in its position in the password. Passwords can contain Latin-1 characters only. If you configure this rule, a BlackBerry device user can only create a password that is greater than or equal to the length of the pattern on the device. Password characters that exceed the pattern length can be letters, numbers, or symbols.

You can use the following characters to specify the password pattern:
  • a: Permits any letter
  • A: Permits an uppercase letter only
  • c: Permits any consonant letter
  • C: Permits an uppercase consonant letter only
  • v: Permits any vowel
  • V: Permits an uppercase vowel only
  • N, n, or #: Permits a number only
  • S, s, or @: Permits a symbol only
  • ?: Permits any letter, number, or symbol
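
The following is an added example, not part of the BlackBerry documentation or software: a Python check that tests a candidate password against a pattern built from the characters listed above, which can be used to try out a pattern before you configure it. Which letters count as vowels, the treatment of accented letters, and the definition of a symbol are assumptions, marked in the comments.

```python
# Added example: checks a candidate password against a Required Password
# Pattern value, using the pattern characters listed in this rule.

VOWELS = "aeiouAEIOU"        # assumption: the rule text does not list the vowels
ASCII_DIGITS = "0123456789"


def is_letter(ch):
    return ch.isalpha()


def is_vowel(ch):
    return ch in VOWELS


def is_consonant(ch):
    # Assumption: only unaccented letters are classified as consonants.
    return ch.isascii() and ch.isalpha() and ch not in VOWELS


def is_number(ch):
    return ch in ASCII_DIGITS


def is_symbol(ch):
    # Assumption: a symbol is any printable, non-space character that is
    # neither a letter nor a digit.
    return ch.isprintable() and not ch.isspace() and not ch.isalnum()


def is_any(ch):
    return is_letter(ch) or is_number(ch) or is_symbol(ch)


def upper(check):
    """Wrap a character check so that it also requires uppercase."""
    return lambda ch: check(ch) and ch.isupper()


# One entry per pattern character from the rule description.
PATTERN_CLASSES = {
    "a": is_letter, "A": upper(is_letter),
    "c": is_consonant, "C": upper(is_consonant),
    "v": is_vowel, "V": upper(is_vowel),
    "N": is_number, "n": is_number, "#": is_number,
    "S": is_symbol, "s": is_symbol, "@": is_symbol,
    "?": is_any,
}


def invalid_pattern_chars(pattern):
    """Return (position, character) pairs that are not valid pattern characters."""
    return [(i, p) for i, p in enumerate(pattern, start=1)
            if p not in PATTERN_CLASSES]


def password_violations(pattern, password):
    """Return the reasons a password fails the pattern (empty list = accepted)."""
    bad = invalid_pattern_chars(pattern)
    if bad:
        raise ValueError(f"invalid pattern characters: {bad}")
    problems = []
    # Passwords can contain Latin-1 characters only.
    if any(ord(ch) > 0xFF for ch in password):
        problems.append("contains characters outside Latin-1")
    # The password must be at least as long as the pattern.
    if len(password) < len(pattern):
        problems.append(
            f"shorter than the pattern ({len(password)} < {len(pattern)})")
    # Each pattern character constrains the password character at its position.
    for pos, (p, ch) in enumerate(zip(pattern, password), start=1):
        if not PATTERN_CLASSES[p](ch):
            problems.append(f"position {pos}: {ch!r} does not match '{p}'")
    # Characters past the pattern length can be letters, numbers, or symbols.
    extra = password[len(pattern):]
    for pos, ch in enumerate(extra, start=len(pattern) + 1):
        if not is_any(ch):
            problems.append(
                f"position {pos}: {ch!r} is not a letter, number, or symbol")
    return problems


if __name__ == "__main__":
    # Constructed sample pattern and passwords.
    for candidate in ("Bat42!", "Bat42!extra9", "bat42!", "Bat42"):
        print(candidate, password_violations("Cvc##@", candidate) or "accepted")
```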

Default value

  • Null value

Minimum requirements

  • BlackBerry® Device Software 4.2

Rule introduction

  • BlackBerry® Enterprise Server 4.0 SP6

Reset to Factory Defaults on Wipe IT policy rule

Description

This rule specifies whether a BlackBerry® device resets to the factory default settings when it receives the Delete all device data and disable device IT administration command over the wireless network.

The previous name of this rule was Remote Wipe Reset to Factory Defaults.

For devices that are running BlackBerry® Device Software 5.0 and later, this rule is enforced both remotely (when an administrator erases the data on a device remotely) and locally (for example, when a BlackBerry device user exceeds the maximum number of times that the user can try to type the password or erases all data on the device).

For devices that are running BlackBerry Device Software 4.7 and earlier, this rule is enforced only when an administrator erases the data remotely.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry Device Software 4.2.2

Rule introduction

  • BlackBerry® Enterprise Server 4.1 SP4

Secure Wipe Delay After IT Policy Received IT policy rule

Description

This rule specifies the length of time that can elapse after a BlackBerry® device receives an IT policy update or IT administration command before the device deletes all BlackBerry device user data. Use this rule to make the device delete the user data after a specific period of time if it cannot receive IT policy updates or IT administration commands.

If you set this IT policy rule, set the Policy Resend Interval on the BlackBerry® Enterprise Server to a value that is lower than this rule to prevent the device from deleting the user data unexpectedly.

Possible values

  • 2 to 8760 hours

Default value

  • Null value

Minimum requirements

  • BlackBerry® Device Software 4.2

Rule introduction

  • BlackBerry Enterprise Server 4.0 SP6

Secure Wipe Delay After Lock IT policy rule

Description

This rule specifies the length of time that can elapse after a BlackBerry® device locks before the device deletes all BlackBerry device user data. Use this rule to require that a device delete the user data if the user has not unlocked the device within the specified period of time.

Possible values

  • 2 to 720 hours

Default value

  • Null value

Minimum requirements

  • BlackBerry® Device Software 4.2

Rule introduction

  • BlackBerry® Enterprise Server 4.0 SP6

Secure Wipe if Low Battery IT policy rule

Description

This rule specifies whether a BlackBerry® device deletes the BlackBerry device user data if the battery power level is low enough to turn off the wireless transceiver. Use this rule to require that the device deletes the user data when the battery power level is too low to receive IT policy updates or IT administration commands.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 4.2

Rule introduction

  • BlackBerry® Enterprise Server 4.0 SP6

Security Service Colors IT policy rule

Description

This rule specifies two background colors that can display for email messages that a BlackBerry® device receives. Configure the colors in red-green-blue hexadecimal format. The first color represents the background color of email messages that a device receives from the same BlackBerry® Enterprise Server that sent the IT policy. The second color represents the background color of email messages that a device receives from other services (for example, the BlackBerry® Internet Service). Separate multiple values with a semicolon (;).

Possible values

  • 0xffffff: white
  • 0x000000: black
  • 0xff0000: red
  • 0x00ff00: green
  • 0x0000ff: blue

Default value

  • Null value

Minimum requirements

  • BlackBerry® Device Software 4.0

Rule introduction

  • BlackBerry Enterprise Server 4.0

Security Transcoder Cod File Hashes IT policy rule

Description

This rule specifies the hashes for the .cod files of a transcoder that a BlackBerry® device needs to register the transcoder. Set each hash in hexadecimal format and separate multiple values with a comma (,).

Default value

  • Null value

Minimum requirements

  • BlackBerry® Device Software 4.5

Rule introduction

  • BlackBerry® Enterprise Server 4.1 SP5

Trusted Certificate Thumbprints IT policy rule

Description

This rule specifies the Hex-ASCII certificate thumbprints that are used on a BlackBerry® device and are generated using the SHA-1 algorithm, MD5 algorithm, SHA-256 algorithm, or SHA-512 algorithm. Separate multiple thumbprints with semicolons (;). If you configure this rule, a BlackBerry device user can only add certificates to the trusted key store that use the thumbprints that you specify in this rule. The SHA-256 algorithm and SHA-512 algorithm require BlackBerry Device Software 5.0 or later.
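
The following is an added example, not part of the BlackBerry documentation or software: a Python check that validates a semicolon-separated thumbprint list before you paste it into this rule, reports the entries that need BlackBerry Device Software 5.0 or later, and tests whether a certificate matches the list. It assumes that a thumbprint is the digest of the DER-encoded certificate, identifies the algorithm from the length of the hex string, and ignores letter case and surrounding spaces; the sample bytes are constructed.

```python
import hashlib

# Hex length of each digest the rule accepts, mapped to its hashlib name.
ALGORITHM_BY_HEX_LENGTH = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# Per the rule text, these two require BlackBerry Device Software 5.0 or later.
NEEDS_DEVICE_SOFTWARE_5 = {"sha256", "sha512"}

HEX_DIGITS = set("0123456789abcdef")


def parse_thumbprints(rule_value):
    """Split the rule value on ';' and return (entries, rejected).

    entries  -- list of (algorithm, lowercase hex thumbprint)
    rejected -- list of items that are not hex or have an unexpected length
    """
    entries, rejected = [], []
    for raw in rule_value.split(";"):
        item = raw.strip()          # assumption: surrounding spaces are ignored
        if not item:
            continue
        text = item.lower()         # assumption: letter case is not significant
        algorithm = ALGORITHM_BY_HEX_LENGTH.get(len(text))
        if algorithm is None or not set(text) <= HEX_DIGITS:
            rejected.append(item)
        else:
            entries.append((algorithm, text))
    return entries, rejected


def needs_device_software_5(entries):
    """Return the thumbprints that only Device Software 5.0 or later can use."""
    return [t for algorithm, t in entries if algorithm in NEEDS_DEVICE_SOFTWARE_5]


def is_trusted(cert_der, entries):
    """Return True if any listed thumbprint matches the certificate bytes."""
    digests = {}
    for algorithm, thumbprint in entries:
        if algorithm not in digests:
            # Assumption: the thumbprint is computed over the DER encoding.
            digests[algorithm] = hashlib.new(algorithm, cert_der).hexdigest()
        if digests[algorithm] == thumbprint:
            return True
    return False


# Constructed stand-in for the DER bytes of a certificate (not a real one).
SAMPLE_CERT_DER = b"constructed stand-in for DER-encoded certificate bytes"

# Constructed rule value: one SHA-1 entry, one SHA-256 entry, one bad entry.
SAMPLE_RULE_VALUE = ";".join([
    hashlib.sha1(SAMPLE_CERT_DER).hexdigest().upper(),
    hashlib.sha256(b"some other constructed certificate").hexdigest(),
    "not-a-thumbprint",
])

if __name__ == "__main__":
    entries, rejected = parse_thumbprints(SAMPLE_RULE_VALUE)
    print("rejected entries:", rejected)
    print("need Device Software 5.0+:", needs_device_software_5(entries))
    print("sample certificate trusted:", is_trusted(SAMPLE_CERT_DER, entries))
```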

Default value

  • Null value

Exceptions

  • BlackBerry® Enterprise Server for Novell® GroupWise® only with devices that are running BlackBerry® Device Software 4.0 or later

Minimum requirements

  • BlackBerry Device Software 3.6

Rule introduction

  • BlackBerry® Enterprise Server 3.6

Two Factor Content Protection Usage IT policy rule

Description

This rule specifies whether a BlackBerry® device user can turn on two-factor content protection on a BlackBerry device. Two-factor content protection on the device is designed to protect the decryption keys for content protection with both a private key that is stored on a smart card and the device password. When a user turns on two-factor content protection, the device requires more time to unlock than if two-factor content protection is not turned on. To unlock the device, the user must have the appropriate smart card driver and a supported driver for the smart card reader installed on the device. You cannot reset the device password after you or a user turns on two-factor content protection. To restore the decryption keys for content protection and unlock the device, the user must have the smart card and must know the device password and the PIN for the smart card.

Related rules

The Content Protection Strength IT policy rule affects this rule. If you change this rule to Required, the device can use this rule only if you also configure the Content Protection Strength IT policy rule to Yes.

The Force Smart Card Two Factor Authentication IT policy rule affects this rule. If you change this rule to Required, the device can use this rule only if you also change the value of the Force Smart Card Two Factor Authentication IT policy rule to Yes.

The Force Smart Card Two Factor Authentication IT policy rule affects this rule. Alternatively, instead of changing the value of the Force Smart Card Two Factor Authentication IT policy rule to Yes, you can change the value of the Force Multi Factor Authentication IT policy rule to Yes and change the Allowed Authentication Mechanisms IT policy rule to use only a smart card user authenticator.

Possible values

  • Allowed
  • Required
  • Disallowed

Default value

  • Allowed

Minimum requirements

  • BlackBerry® Device Software 5.0

Rule introduction

  • BlackBerry® Enterprise Server 5.0 SP1

Weak Digest Algorithms IT policy rule

Description

This rule specifies the digest algorithms that a BlackBerry® device considers weak. When a BlackBerry device user sends email messages, the device uses the algorithms that it considers strong to digitally sign the email messages. The device uses the list of weak digest algorithms to verify the following data:

  • Algorithms that are used to digitally sign email messages that the device receives are strong enough
  • Certificate chains for the certificates that are used to sign email messages that the device receives are strong enough

If you set this rule, you can prevent the user from sending an S/MIME-encrypted message or PGP® encrypted message using a certificate or key that has a corresponding public key that is weak. You cannot specify SHA-384 and SHA-512 as weak algorithms.

Possible values

  • MD2
  • MD4
  • MD5
  • RIPEMD128
  • RIPEMD16
  • SHA
  • SHA224
  • SHA256

Default value

  • Null value

Minimum requirements

  • BlackBerry® Device Software 4.3

Rule introduction

  • BlackBerry® Enterprise Server 4.1 SP5
