Extending messaging security to a BlackBerry device

Administration Guide

Overview: BlackBerry Enterprise Server
Log in to the BlackBerry Administration Service for the first time
Creating administrator accounts
Using an IT policy to manage BlackBerry Enterprise Solution security
Configuring security options
- Encrypting data that the BlackBerry Enterprise Server and a BlackBerry device send to each other
- Controlling BlackBerry device access to the BlackBerry Enterprise Server
- Extending messaging security to a BlackBerry device
  - Extending messaging security using S/MIME encryption
    - Configure the BlackBerry Enterprise Solution to support S/MIME encryption
    - Configure encryption options for S/MIME-protected messages
- Enforcing secure messaging using classifications
- Generating organization-specific encryption keys for PIN message encryption
  - Generate a PIN encryption key
- Turn off BlackBerry services that the BlackBerry MDS Connection Service, BlackBerry Collaboration Service, and BlackBerry MVS provide
- When a BlackBerry device overwrites data in the BlackBerry device memory
  - Changing when a BlackBerry device cleans the BlackBerry device memory
  - Best practice: Configuring additional memory cleaner settings for BlackBerry devices
- Managing the BlackBerry MDS Integration Service certificate
  - Configuring the BlackBerry MDS Integration Service instances to use a trusted certificate
    - Create a CSR file for the BlackBerry MDS Integration Service trusted certificate
    - Import the trusted certificate into the BlackBerry MDS Integration Service key store
  - Generate a self-signed certificate for the BlackBerry MDS Integration Service
- Permit client authentication between the BlackBerry MDS Integration Service and web services that use self-signed certificates
- Configure support for notification messages over HTTPS for BlackBerry MDS Runtime Applications on BlackBerry devices
  - Import the X.509 certificate for the web service into the trust store of the BlackBerry MDS Integration Service
  - Import the X.509 certificate for the BlackBerry MDS Integration Service into the trust store of the JVM that runs the notification client
Configuring the BlackBerry Enterprise Server environment
Configuring user accounts
Assigning BlackBerry devices to users
Configuring BlackBerry Enterprise Server high availability
Configuring high availability for BlackBerry Enterprise Server components
Configuring BlackBerry Configuration Database high availability
Sending software and BlackBerry Java Applications to BlackBerry devices
Alternative methods for installing BlackBerry Java Applications on BlackBerry devices
Making BlackBerry MDS Runtime Applications and BlackBerry Browser Applications available to users
Configuring how users access enterprise applications and web content
Setting up the messaging environment
Configuring BlackBerry devices to enroll certificates over the wireless network
Making the BlackBerry Web Desktop Manager available to users
Configuring the BlackBerry Web Desktop Manager
Creating and configuring Wi-Fi profiles, VPN profiles, and VoIP profiles
Configuring encryption and authentication methods for Wi-Fi enabled BlackBerry devices
Configuring software tokens for BlackBerry devices
Changing the security settings of the BlackBerry Administration Service and BlackBerry Web Desktop Manager
Managing administrator accounts
Managing groups and user accounts
Using IT administration commands to protect a lost or stolen BlackBerry device
Managing the delivery of BlackBerry Java Applications, BlackBerry Device Software, and device settings to BlackBerry devices
Managing BlackBerry MDS Runtime Applications and BlackBerry Browser Applications
Managing how users access enterprise applications and web content
Managing organizer data synchronization
Managing your organization's messaging environment and attachment support
Managing instant messaging
Managing a BlackBerry Domain
BlackBerry Controller and BlackBerry Enterprise Server Component Monitoring
BlackBerry Enterprise Server log files
BlackBerry Enterprise Solution connection types and port numbers
Troubleshooting
Glossary
Provide feedback
Legal notice

Search This Document

Download PDF

If your organization's messaging environment supports highly secure messaging technology such as PGP® encryption or S/MIME encryption, you can configure the BlackBerry® Enterprise Solution to encrypt a message using PGP encryption or S/MIME encryption so that the message remains encrypted when the BlackBerry® Enterprise Server forwards the message to the email applications of recipients. To extend messaging security, the sender and recipient must install highly secure messaging technology on the computers that host the email applications and on their BlackBerry devices, and you must configure the BlackBerry devices to use the highly secure messaging technology.

Extending messaging security using S/MIME encryption

You can extend messaging security for the BlackBerry® Enterprise Solution and permit a BlackBerry device user to send and receive S/MIME-protected email messages and S/MIME-protected PIN messages on a BlackBerry device.

To extend messaging security, you or the BlackBerry device user must install the S/MIME Support Package for BlackBerry® smartphones on the BlackBerry device and transfer the S/MIME private key of the BlackBerry device user to the BlackBerry device. The S/MIME Support Package for BlackBerry smartphones is designed to work with email applications such as Microsoft® Outlook®, Microsoft Outlook Express, and IBM® Lotus Notes®, and with PKIs such as Netscape®, Entrust Authority™ Security Manager version 5 and later, and Microsoft certification authorities.

The BlackBerry device user uses the S/MIME private key to decrypt S/MIME-protected messages on the BlackBerry device and to sign, encrypt, and send S/MIME-protected messages from the BlackBerry device. If the BlackBerry® Enterprise Server receives an S/MIME-encrypted message but the BlackBerry device user did not install the S/MIME Support Package for BlackBerry smartphones, the BlackBerry Enterprise Server sends a message to the BlackBerry device to indicate that the BlackBerry device does not support S/MIME-encrypted messages.

After the BlackBerry device user installs the S/MIME Support Package for BlackBerry smartphones, the BlackBerry device user can synchronize and manage S/MIME certificates and S/MIME private keys using the certificate synchronization tool of the BlackBerry® Desktop Manager. The BlackBerry Enterprise Server does not apply an appended disclaimer to S/MIME-protected messages that the BlackBerry device user sends from the BlackBerry device. Digital signatures on S/MIME-protected messages that the BlackBerry device sends are not valid if disclaimers are appended to the messages.

To require the BlackBerry device user to use S/MIME encryption when forwarding or replying to messages, you can configure the S/MIME Force Digital Signature IT policy rule and the S/MIME Force Encrypted Messages IT policy rule.

The S/MIME Support Package for BlackBerry smartphones is also designed to support the following features:

encoding and decoding of Unicode messages
ability to use a password, which the sender and recipient each know, to encrypt S/MIME-protected email messages or PIN messages
ability to read S/MIME certificates that are stored on a smart card

Configure the BlackBerry Enterprise Solution to support S/MIME encryption

Configure S/MIME message processing on the BlackBerry® Enterprise Server.
Instruct users to install the S/MIME Support Package for BlackBerry® smartphones on BlackBerry devices.
Perform one of the following tasks:
- Instruct users to add the Certificate Synchronization Manager to the BlackBerry® Desktop Manager so that the BlackBerry Desktop Manager can manage certificates for the BlackBerry devices.
- Configure the BlackBerry Enterprise Server to permit users to enroll certificates over the wireless network.

Configure encryption options for S/MIME-protected messages

After you turn on processing for S/MIME-protected messages, you can configure encryption options using the BlackBerry® Administration Service. You can configure encryption options to control how the BlackBerry® Enterprise Server processes S/MIME-protected messages.

In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
In the Email section, click the instance that you want to change.
Click Edit host instance.
On the Messaging tab, in the Security settings section, perform any of the following actions:
- To require that the BlackBerry Enterprise Server encrypts messages with S/MIME encryption for a second time when the BlackBerry Enterprise Server processes S/MIME-protected messages that are weakly encrypted or are signed but unencrypted, in the S/MIME Encryption on Signed and Weakly Encrypted Messages turn on drop-down list, click True.
- To permit BlackBerry device users that have email applications that do not support S/MIME to read the text of an S/MIME-protected message, in the Send S/MIME Messages in Clear-Signed Format drop-down list, click True.
- To require that the BlackBerry Enterprise Server deletes attachment data from any signed-only S/MIME-protected messages that the BlackBerry Enterprise Server receives to conserve bandwidth, in the Remove Attachment Data from Signed S/MIME Messages drop-down list, click True.
- To require that the BlackBerry Enterprise Server sends encrypted S/MIME-protected messages using an updated MIME content-type that is in accordance with PKCS#7 instead of the default legacy MIME content-type, in the Use PKCS #7 MIME Type drop-down list, click True.
Click Save all.
Perform the following actions to restart the BlackBerry Messaging Agent:
1. On the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > BlackBerry Enterprise Server.
2. Click the BlackBerry Enterprise Server instance that includes the BlackBerry Messaging Agent.
3. Click Restart instance.

Turn on support for processing S/MIME-protected messages on the BlackBerry Enterprise Server

In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
In the Email section, click the instance that you want to change.
On the Messaging tab, click Edit instance.
In the Security settings section, in the Turn on S/MIME message processing drop-down list, click True.
Click Save All.

How S/MIME-protected messages on BlackBerry devices discard appended disclaimers

If a user installs and configures the S/MIME Support Package for BlackBerry® smartphones on a BlackBerry device, the BlackBerry® Enterprise Server does not apply an appended disclaimer to S/MIME-protected messages that the user sends from the BlackBerry device. Digital signatures on S/MIME-protected messages that the BlackBerry device sends are not valid if disclaimers are appended to the messages.

Define encryption options for S/MIME-protected messages

In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
In the Email section, click the instance that you want to change.
On the Messaging tab, click Edit host instance.
In the Security settings section, change S/MIME Message Processing turn on to True.
Click Save all.

Next topic: Enforcing secure messaging using classifications

Previous topic: Permit a user to override the Enterprise Service Policy

Was this information helpful? Send us your comments.

Global Navigation

Administration Guide

Local Navigation