Security policy group

Allow External Connections IT policy rule

Description

This rule specifies whether applications, including third-party applications, can initiate external connections (for example, to WAP gateways).

Default value

The default value is Yes.

Minimum requirements

  • Java® based BlackBerry® device
  • BlackBerry® Application Suite version 1.0
  • BlackBerry® Connect™ version 4.0 (internal)
  • BlackBerry® Device Software version 3.6
  • BlackBerry® Enterprise Server Express 5.0 SP2

Allow Resetting of Idle Timer IT policy rule

Description

This rule specifies whether a BlackBerry® device permits third-party applications to reconfigure the inactivity timeout value on a device and bypass the timeout value for the device password.

Default value

The default value is No.

Usage

For more information about the inactivity timeout, visit www.blackberry.com/go/apiref to read the EventInjector class and Backlight.enable() method in the API reference for the BlackBerry® Java® Development Environment.

Minimum requirements

  • Java® based BlackBerry device
  • BlackBerry® Device Software 4.2.1
  • BlackBerry® Enterprise Server Express 5.0 SP2

Allow Split-Pipe Connections IT policy rule

Description

This rule specifies whether applications, including third-party applications, can open internal and external connections on a BlackBerry® device simultaneously.

Default value

The default value is No.

Usage

Opening internal and external connections simultaneously might present a security issue because applications can collect data from inside the firewall and send it outside the firewall without any auditing.

Minimum requirements

  • Java® based BlackBerry device
  • BlackBerry® Application Suite version 1.0
  • BlackBerry® Connect™ version 4.0 (internal)
  • BlackBerry® Device Software version 3.6
  • BlackBerry® Enterprise Server Express 5.0 SP2

Allow Third Party Apps to Use Serial Port IT policy rule

Description

This rule specifies whether third-party applications can use the serial port, IrDA® port, or USB port on a BlackBerry® device.

Default value

The default value is Yes.

Minimum requirements

  • Java® based BlackBerry device
  • BlackBerry® Connect™ version 4.0
  • BlackBerry® Device Software version 3.6
  • BlackBerry® Enterprise Server Express 5.0 SP2

Content Protection Strength IT policy rule

Description

This rule specifies the cryptography strength that a BlackBerry® device uses to encrypt content that it receives while it is locked. When you specify a value, the content protection feature is turned on.

Default values

The default value is a null value.

Usage

Configure this rule to Strong to use a 160-bit ECC public key. This key provides good security and good performance and is adequate for most situations.

Configure this rule to Stronger to use a 283-bit ECC public key. This key provides better security but slower performance than the Strong setting.

Configure this rule to Strongest to use a 571-bit ECC public key. This key provides the highest level of security but the slowest performance of the three settings.

For BlackBerry devices that are running BlackBerry® Device Software 5.0 and later, if onboard device memory exists on the BlackBerry device when you configure this rule, the rule also encrypts the onboard device memory (embedded M.C.) to the user password and a device-generated key.

To encrypt the media files in the onboard device memory, configure the Encryption on On-Board Device Memory Media Files IT policy rule, or instruct the BlackBerry device user to configure file encryption.

For BlackBerry devices that are running BlackBerry Device Software versions that are earlier than version 5.0, you can configure the External File System Encryption Level IT policy rule. The External File System Encryption Level IT policy rule also encrypts the media card.

Dependencies

A BlackBerry device uses this rule only if you configure the Password Required IT policy rule to Yes.

If you configure this rule to Strong or Stronger, configure the Minimum Password Length IT policy rule to 12 characters. If you configure the content protection strength to Strongest, instruct the user to create a password of at least 21 characters. These password lengths maximize the encryption strength that the longer ECC keys are designed to provide.

Minimum requirements

  • Java® based BlackBerry device
  • BlackBerry® Application Suite 1.0
  • BlackBerry® Connect™ 4.0
  • BlackBerry Device Software 4.0
  • BlackBerry® Enterprise Server Express 5.0 SP1

Disable 3DES Transport Crypto IT policy rule

Description

This rule specifies whether to prevent a BlackBerry® device from using the Triple DES algorithm to encrypt and decrypt data sent between a BlackBerry device and the BlackBerry® Enterprise Server Express.

Default value

The default value is No. A BlackBerry device and the BlackBerry Enterprise Server Express can use the Triple DES algorithm and the AES algorithm to encrypt and decrypt data that they send between each other.

Usage

Change this rule to Yes to make it mandatory that a BlackBerry device and the BlackBerry Enterprise Server Express use the AES algorithm to encrypt and decrypt data that they send between them.

Minimum requirements

  • Java® based BlackBerry device
  • BlackBerry® Application Suite version 1.0
  • BlackBerry® Connect™ version 4.0 (internal)
  • BlackBerry® Device Software version 4.0
  • BlackBerry® Enterprise Server Express 5.0 SP2

Disable External Memory IT policy rule

Description

This rule specifies whether to prevent a BlackBerry® device user from accessing the media card on a supported BlackBerry device.

Default value

The default value is No.

Minimum requirements

  • Java® based BlackBerry device
  • BlackBerry® Application Suite version 1.0
  • BlackBerry® Device Software version 4.2
  • BlackBerry® Enterprise Server Express 5.0 SP1

Disable GPS IT policy rule

Description

This rule specifies whether the GPS feature on a BlackBerry® device is turned on.

Default value

The default value is No.

Usage

Change this rule to Yes to turn off the GPS feature and prevent applications on a BlackBerry device from accessing it.

Dependencies

If you change this rule to Yes, BlackBerry® Maps does not work and applications cannot access the GPS APIs for the BlackBerry device. This rule overrides the Is Access to the GPS API Allowed application control policy rule setting.

Minimum requirements

  • Java® based BlackBerry device
  • BlackBerry® Device Software version 4.3
  • BlackBerry® Enterprise Server Express 5.0 SP2

Disable IP Modem IT policy rule

Description

This rule specifies whether the IP modem on an applicable BlackBerry® device is available.

Default value

The default value is No.

Minimum requirements

  • Java® based BlackBerry device
  • BlackBerry® Connect™ version 4.0
  • BlackBerry® Device Software version 4.0
  • BlackBerry® Enterprise Server Express 5.0 SP1

Disable USB Mass Storage IT policy rule

Description

This rule specifies whether USB mass storage and the media transport protocol are turned on.

Default values

The default value is No.

Usage

The media transport protocol permits a BlackBerry® device user to transfer media files from a computer or BlackBerry® Desktop Manager to a BlackBerry device or media card. If you change this rule to Yes, the device cannot access a media card that is connected to the USB port on the device. When you transfer files using the media transport protocol, the device does not protect the files using content protection and does not encrypt the data on the media card, even if you configure the External File System Encryption Level IT policy rule.

If you change this rule to No, the user cannot transfer media files from a Macintosh computer to the device. If you change this rule to No, the user can view the contents of a media card from the file explorer on the device and from applications on the device.

This feature is not available for BlackBerry Desktop Manager 4.2.2 because the Roxio® Media Manager uses the media transport protocol to transfer files.

For more information about protecting data that a device stores on a media card, see the BlackBerry Enterprise Solution Security Technical Overview.

Minimum requirements

  • Java® based BlackBerry device
  • BlackBerry® Device Software 4.2
  • BlackBerry® Enterprise Server Express 5.0 SP2

Disallow Third Party Application Downloads IT policy rule

Description

This rule specifies whether a BlackBerry® user can install any application (whether created by RIM or by a third party) on a BlackBerry device.

Default values

The default value is No.

Usage

If you configure the value of this rule to Yes, a user cannot install third-party applications and a user can install only applications that RIM creates if you do not send the applications to the device using software configurations or if the user is not using the BlackBerry® Browser to install the applications (for example, the user can install applications that RIM creates using the BlackBerry® Device Manager).

If you change the value to Yes, this rule does not remove any existing third-party applications from a device.

Minimum requirements

  • Java® based BlackBerry device
  • BlackBerry® Application Suite 1.0
  • BlackBerry® Connect™ 2.1, 4.0
  • BlackBerry® Device Software 3.6
  • BlackBerry® Enterprise Server Express 5.0 SP1

Encryption on On-Board Device Memory Media Files IT policy rule

Description

If on-board device memory exists on the BlackBerry® device, this rule specifies whether the media files that are located in the on-board memory are encrypted to the user password and the device-generated key.

Default value

The default value is Allowed. If on-board device memory exists, encryption of the media files that are in the on-board device memory is allowed.

Usage

Change this rule to Required or Disallowed to prevent a user from changing this setting on the BlackBerry device.

Dependencies

A BlackBerry device uses this IT policy rule only if you also configure the Content Protection Strength IT policy rule.
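
The dependencies stated under the Content Protection Strength rule and under this rule can be checked mechanically before a policy is assigned. The following is an added example, not BlackBerry code: the rule names and values are the ones on this page, while the dictionary layout and the function name lint_content_protection are assumptions made for illustration.

```python
# Constructed representation: one IT policy as {rule name: configured value}.
# A rule that is absent (or None) is treated as left at its null/default value.
CPS = "Content Protection Strength"
MEDIA = "Encryption on On-Board Device Memory Media Files"
STRENGTHS = ("Strong", "Stronger", "Strongest")


def lint_content_protection(policy):
    """Return a list of (severity, message) findings for one policy."""
    findings = []
    strength = policy.get(CPS)
    media = policy.get(MEDIA, "Allowed")          # page default: Allowed
    min_len = policy.get("Minimum Password Length") or 0

    if strength is None:
        # The media-file rule is used only when content protection is set.
        if media == "Required":
            findings.append(("error", f"{MEDIA} is Required but {CPS} is "
                             "null, so the device does not use the rule"))
        return findings
    if strength not in STRENGTHS:
        raise ValueError(f"unknown {CPS} value: {strength!r}")

    # Content protection is used only if Password Required is Yes.
    if policy.get("Password Required") != "Yes":
        findings.append(("error", f"{CPS} is {strength} but Password "
                         "Required is not Yes, so the device does not use it"))
    # Assumption: a minimum longer than 12 also satisfies the guidance.
    if strength in ("Strong", "Stronger") and min_len < 12:
        findings.append(("warning", "Minimum Password Length should be 12 "
                         f"for {strength}; configured: {min_len}"))
    # For Strongest the page asks for user instruction, not a rule value.
    if strength == "Strongest" and min_len < 21:
        findings.append(("note", "instruct users to create a password of "
                         "at least 21 characters for Strongest"))
    return findings


if __name__ == "__main__":
    sample = {CPS: "Stronger", "Password Required": "Yes",
              "Minimum Password Length": 8}      # constructed sample policy
    for severity, message in lint_content_protection(sample):
        print(f"{severity}: {message}")
```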

Minimum requirements

  • Java® based BlackBerry device
  • BlackBerry® Device Software version 5.0
  • BlackBerry® Enterprise Server Express 5.0 SP1

External File System Encryption Level IT policy rule

Description

This rule specifies the level of encryption that a BlackBerry® device uses to encrypt files that it stores on a media card.

Default values

The default value in the Default IT policy is Not required.

Usage

You can use this rule to require that a BlackBerry device encrypt a media card, either including or excluding media card files. You cannot use this rule to encrypt files that a BlackBerry device user transfers to the media card manually (for example, from a USB mass storage device).

The master keys for the media card are stored on the media card. A BlackBerry device is designed to use the master keys to decrypt and encrypt files on the media card. A BlackBerry device is designed to use the BlackBerry device key, a user-provided password, or both to encrypt the master keys.

Change this rule to Encrypt to User Password (excluding multimedia directories) if the media card requires encryption with a password that the user provides.

Change this rule to Encrypt to User Password (including multimedia directories) if the media card requires encryption with a password that the user provides.

Change this rule to Encrypt to Device Key (excluding multimedia directories) if the media card requires encryption with a BlackBerry device key.

Change this rule to Encrypt to Device Key (including multimedia directories) if the media card requires encryption with a BlackBerry device key.

Change this rule to Encrypt to User Password and Device Key (excluding multimedia directories) if the media card requires encryption with a password that the user provides and a BlackBerry device key.

Change this rule to Encrypt to User Password and Device Key (including multimedia directories) if the media card requires encryption with a password that the user provides and the BlackBerry device key.

Minimum requirements

  • Java® based BlackBerry device
  • BlackBerry® Application Suite version 1.0
  • BlackBerry® Device Software version 4.2
  • BlackBerry® Enterprise Server Express 5.0 SP1

Force Lock When Holstered IT policy rule

Description

This rule specifies whether a BlackBerry® device locks when a user inserts it in the holster.

Default values

Minimum requirements

  • Java® based BlackBerry device
  • BlackBerry® Connect™ version 4.0
  • BlackBerry® Device Software version 3.6
  • BlackBerry® Enterprise Server Express 5.0 SP1

Required Password Pattern IT policy rule

Description

This rule specifies the permitted structure of a BlackBerry® device password.

Passwords can contain Latin-1 characters only.

Default value

The default value is a null value.

Usage

Use the following characters in the password pattern to specify the character type that is permitted and its position in the password:

  • a: Permits any letter.
  • A: Permits an uppercase letter only.
  • c: Permits any consonant letter.
  • C: Permits an uppercase consonant letter only.
  • v: Permits any vowel.
  • V: Permits an uppercase vowel only.
  • N, n, or #: Permits a number only.
  • S, s, or @: Permits a symbol only.
  • ?: Permits any letter, number, or symbol.

If you configure this rule, the user can create a password that is greater than or equal to the length of the pattern on a BlackBerry device. Password characters that exceed the pattern length can be any letters, numbers, or symbols.

Attention: Preventing a particular password character reduces the entropy level and security level of the password.
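
The pattern semantics above, and the entropy cost that the Attention note describes, can be reproduced off-device with a short checker. This is an added example, not BlackBerry code. It assumes that vowels are the unaccented letters a, e, i, o, u, that every other letter is a consonant, that a symbol is any character that is neither a letter nor an ASCII digit, and that entropy is estimated over the 94 printable ASCII characters.

```python
import math

VOWELS = set("aeiouAEIOU")  # assumption: unaccented vowels only

def is_letter(ch): return ch.isalpha()
def is_digit(ch): return ch in "0123456789"
def is_vowel(ch): return ch in VOWELS
def is_consonant(ch): return is_letter(ch) and not is_vowel(ch)
def is_symbol(ch): return not is_letter(ch) and not is_digit(ch)

# pattern character -> (description, predicate, number of matching characters
# among the 94 printable ASCII characters; used only for the entropy estimate)
RULES = {
    "a": ("letter", is_letter, 52),
    "A": ("uppercase letter", lambda c: is_letter(c) and c.isupper(), 26),
    "c": ("consonant", is_consonant, 42),
    "C": ("uppercase consonant", lambda c: is_consonant(c) and c.isupper(), 21),
    "v": ("vowel", is_vowel, 10),
    "V": ("uppercase vowel", lambda c: is_vowel(c) and c.isupper(), 5),
    "?": ("letter, number, or symbol", lambda c: True, 94),
}
for key in "Nn#":
    RULES[key] = ("number", is_digit, 10)
for key in "Ss@":
    RULES[key] = ("symbol", is_symbol, 32)


def check_password(pattern, password):
    """Return a list of violations; an empty list means the password fits."""
    unknown = sorted(set(pattern) - set(RULES))
    if unknown:
        raise ValueError(f"unsupported pattern characters: {unknown}")
    problems = []
    if any(ord(ch) > 0xFF for ch in password):
        problems.append("password contains non-Latin-1 characters")
    if len(password) < len(pattern):
        problems.append(f"password is shorter than the {len(pattern)}-character pattern")
    # Characters beyond the pattern length are unconstrained (zip stops early).
    for pos, (rule, ch) in enumerate(zip(pattern, password), start=1):
        name, accepts, _ = RULES[rule]
        if not accepts(ch):
            problems.append(f"position {pos}: expected {name}")
    return problems


def pattern_bits(pattern):
    """Estimated entropy, in bits, of the positions the pattern constrains."""
    return sum(math.log2(RULES[rule][2]) for rule in pattern)
```

Under these assumptions the pattern Cvc##@ leaves about 24.75 bits across its six positions, against about 39.33 bits for ??????, which is the reduction the Attention note refers to.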

Minimum requirements

  • Java® based BlackBerry device
  • BlackBerry® Application Suite version 1.0
  • BlackBerry® Device Software version 4.2
  • BlackBerry® Enterprise Server Express 5.0 SP2

Reset to Factory Defaults on Wipe IT policy rule

Description

This rule specifies whether a BlackBerry® device resets to the factory default settings when it receives the Delete all device data and disable device IT administration command over the wireless network.

Default value

The default value is No.

Usage

Change this rule to Yes to require a BlackBerry device to delete its stored IT policy permanently, delete all third-party applications, and delete all user data after it receives the IT administration command.

For BlackBerry devices that are running BlackBerry® Device Software version 5.0 and later, this rule is enforced both remotely (when an administrator erases the data on a BlackBerry device remotely) and locally (for example, when the user exceeds the maximum password attempts or erases all data on the BlackBerry device).

For BlackBerry devices that are running BlackBerry Device Software versions that are earlier than version 5.0, this rule is enforced only when an administrator erases the data remotely.

Minimum requirements

  • Java® based BlackBerry device
  • BlackBerry Device Software version 4.2.2
  • BlackBerry Enterprise Server Express 5.0 SP2
