Policy Reference Guide

Local Navigation

TLS Application policy group

TLS Device Side Only IT policy rule

Description

This rule specifies whether a BlackBerry® device and the BlackBerry® Enterprise Server can use proxy mode TLS or proxy mode HTTPS. If you change this rule and TLS is not available on the device, an exception occurs.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 4.0

Rule introduction

  • BlackBerry Enterprise Server 4.0

TLS Disable Invalid Connection IT policy rule

Description

This rule specifies whether to prevent a BlackBerry® device from permitting TLS connections to servers that have invalid certificates.

Possible values

  • Prompt user on BlackBerry device
  • Disable invalid connections
  • Allow invalid connections

Default value

  • Prompt user on BlackBerry device

Minimum requirements

  • BlackBerry® Device Software 3.6.1

Rule introduction

  • BlackBerry® Enterprise Server 3.6

TLS Disable Untrusted Connection IT policy rule

Description

This rule specifies whether to prevent a BlackBerry® device from permitting TLS connections to untrusted servers.

Possible values

  • Prompt user on BlackBerry device
  • Disable untrusted connections
  • Allow untrusted connections

Default value

  • Prompt user on BlackBerry device

Minimum requirements

  • BlackBerry® Device Software 3.6.1

Rule introduction

  • BlackBerry® Enterprise Server 3.6

TLS Disable Weak Ciphers IT policy rule

Description

This rule specifies whether to prevent a BlackBerry® device from using weak algorithms over TLS connections.

Possible values

  • Prompt user on BlackBerry device
  • Disable weak ciphers
  • Allow weak ciphers

Default value

  • Prompt user on BlackBerry device

Minimum requirements

  • BlackBerry® Device Software 3.6.1

Rule introduction

  • BlackBerry® Enterprise Server 3.6

TLS Disable Weak Digests IT policy rule

Description

This rule specifies whether a BlackBerry® device can use weak digests during TLS connections.

Possible values

  • Prompt user on BlackBerry device
  • Disable weak digests
  • Allow weak digests

Default value

  • Allow weak digests for devices that are running BlackBerry® Device Software 4.7 or earlier
  • Disable weak digests for devices that are running BlackBerry Device Software 5.0 and later

Minimum requirements

  • BlackBerry Device Software 4.7.1

Rule introduction

  • BlackBerry® Enterprise Server 5.0 SP1

TLS Minimum Strong DH Key Length IT policy rule

Description

This rule specifies the minimum DH key size the a BlackBerry® device uses over TLS connections. If you configure the minimum key size on the BlackBerry® Enterprise Server to be greater than the minimum key size on the device, the device prompts aBlackBerry device user to trust every highly secure website that uses a key size in its certificate that is less than the minimum key size on the BlackBerry Enterprise Server. For example, if the user browses to a highly secure website that uses a 512-bit DH key in its certificate, the device prompts the user to trust the website. If the user trusts the website and selects the Don't Ask Again option, the minimum key size on the device is configured to 512 bits. If you set the minimum key size on the BlackBerry Enterprise Server to 2048 bits, the device prompts the user to trust every highly secure website that uses a key size in its certificate that is less than 2048 bits.

Possible values

  • 512 to 4096 bits

Default value

  • 1024 bits on the BlackBerry device
  • 512 bits on the BlackBerry Enterprise Server

Minimum requirements

  • BlackBerry® Device Software 3.6.1

Rule introduction

  • BlackBerry Enterprise Server 3.6

TLS Minimum Strong DSA Key Length IT policy rule

Description

This rule specifies the minimum DSA key size that a BlackBerry® device uses over TLS connections. If you configure the minimum key size on the BlackBerry® Enterprise Server to be greater than the minimum key size on the device, the device prompts a BlackBerry device user to trust every highly secure website that uses a key size in its certificate that is less than the minimum key size on the BlackBerry Enterprise Server. For example, if the user browses to a highly secure website that uses a 512-bit DSA key in its certificate, the device prompts the user to trust the website. If the user trusts the website and selects the Don't Ask Again option, the minimum key size on the device is configured to 512 bits. If you configure the minimum key size on the BlackBerry Enterprise Server to 1024 bits, the device prompts the user to trust every highly secure website that uses a key size in its certificate that is less than 1024 bits.

Possible values

  • 512 to 1024 bits

Default value

  • 1024 bits on the BlackBerry device
  • 512 bits on the BlackBerry Enterprise Server

Minimum requirements

  • BlackBerry® Device Software 3.6.1

Rule introduction

  • BlackBerry Enterprise Server 3.6 SP1

TLS Minimum Strong ECC Key Length IT policy rule

Description

This rule specifies the minimum ECC key size that a BlackBerry® device uses over TLS connections. If you configure the minimum key size on the BlackBerry® Enterprise Server to be greater than the minimum key size on the device, the device prompts a BlackBerry device user to trust every highly secure website that uses a key size in its certificate that is less than the minimum key size on the BlackBerry Enterprise Server. For example, if the user browses to a highly secure website that uses a 160-bit ECC key in its certificate, the device prompts the user to trust the website. If the user trusts the website and selects the Don't Ask Again option, the minimum key size on the device is configured to 160 bits. If you configure the minimum key size on the BlackBerry Enterprise Server to 233 bits, the device prompts the user to trust every highly secure website that uses a key size in its certificate that is less than 233 bits.

Possible values

  • 160 to 571 bits

Default value

  • 163 bits on the BlackBerry device
  • 160 bits on the BlackBerry Enterprise Server

Minimum requirements

  • BlackBerry® Device Software 3.6.1

Rule introduction

  • BlackBerry Enterprise Server 3.6

TLS Minimum Strong RSA Key Length IT policy rule

Description

This rule specifies the minimum RSA® key size that a BlackBerry® device uses over TLS connections. If you configure the minimum key size on the BlackBerry® Enterprise Server to be greater than the minimum key size on the device, the device prompts a BlackBerry device user to trust every highly secure website that uses a key size in its certificate that is less than the minimum key size on the BlackBerry Enterprise Server. For example, if the user browses to a highly secure website that uses a 512-bit RSA key in its certificate, the device prompts the user to trust the website. If the user trusts the website and selects the Don't Ask Again option, the minimum key size on the device is configured to 512 bits. If you configure the minimum key size on the BlackBerry Enterprise Server to 2048 bits, the device prompts the user to trust every highly secure website that uses a key size in its certificate that is less than 2048 bits.

Possible values

  • 512 to 4096 bits

Default value

  • 1000 bits on the BlackBerry device
  • 512 bits on the BlackBerry Enterprise Server

Minimum requirements

  • BlackBerry® Device Software 3.6.1

Rule introduction

  • BlackBerry Enterprise Server 3.6

TLS Prevent Unmatched Domain Name IT policy rule

Description

This rule specifies whether to prevent a BlackBerry® device from opening a TLS connection to a server that has a domain name that does not match any domain names in the server's certificate.

Possible values

  • Prompt user on BlackBerry device
  • Prevent unmatched domain name
  • Allow unmatched domain name

Default value

  • Prompt user on BlackBerry device

Minimum requirements

  • BlackBerry® Device Software 5.0

Rule introduction

  • BlackBerry® Enterprise Server 5.0 SP1

TLS Restrict FIPS Ciphers IT policy rule

Description

This rule specifies whether a BlackBerry® device can use an algorithm with TLS that is not FIPS-compliant.

Possible values

  • Yes
  • No

Default value

  • No

Minimum requirements

  • BlackBerry® Device Software 3.6.1

Rule introduction

  • BlackBerry® Enterprise Server 3.6

Was this information helpful? Send us your comments.