Administration Guide

Local Navigation

Extending messaging security to a BlackBerry device

If your organization's messaging environment supports highly secure messaging technology such as PGP® encryption or S/MIME encryption, you can configure the BlackBerry® Enterprise Solution to encrypt a message using PGP encryption or S/MIME encryption so that the message remains encrypted when the BlackBerry® Enterprise Server forwards the message to the email applications of recipients. To extend messaging security, the sender and recipient must install highly secure messaging technology on the computers that host the email applications and on their BlackBerry devices, and you must configure the BlackBerry devices to use the highly secure messaging technology.

Extending messaging security using S/MIME encryption

You can extend messaging security for the BlackBerry® Enterprise Solution and permit a BlackBerry device user to send and receive S/MIME-protected email messages and S/MIME-protected PIN messages on a BlackBerry device.

To extend messaging security, you or the BlackBerry device user must install the S/MIME Support Package for BlackBerry® smartphones on the BlackBerry device and transfer the S/MIME private key of the BlackBerry device user to the BlackBerry device. The S/MIME Support Package for BlackBerry smartphones is designed to work with email applications such as Microsoft® Outlook®, Microsoft Outlook Express, and IBM® Lotus Notes®, and with PKIs such as Netscape®, Entrust Authority™ Security Manager version 5 and later, and Microsoft certification authorities.

The BlackBerry device user uses the S/MIME private key to decrypt S/MIME-protected messages on the BlackBerry device and to sign, encrypt, and send S/MIME-protected messages from the BlackBerry device. If the BlackBerry® Enterprise Server receives an S/MIME-encrypted message but the BlackBerry device user did not install the S/MIME Support Package for BlackBerry smartphones, the BlackBerry Enterprise Server sends a message to the BlackBerry device to indicate that the BlackBerry device does not support S/MIME-encrypted messages.

After the BlackBerry device user installs the S/MIME Support Package for BlackBerry smartphones, the BlackBerry device user can synchronize and manage S/MIME certificates and S/MIME private keys using the certificate synchronization tool of the BlackBerry® Desktop Manager. The BlackBerry Enterprise Server does not apply an appended disclaimer to S/MIME-protected messages that the BlackBerry device user sends from the BlackBerry device. Digital signatures on S/MIME-protected messages that the BlackBerry device sends are not valid if disclaimers are appended to the messages.

To require the BlackBerry device user to use S/MIME encryption when forwarding or replying to messages, you can configure the S/MIME Force Digital Signature IT policy rule and the S/MIME Force Encrypted Messages IT policy rule.

The S/MIME Support Package for BlackBerry smartphones is also designed to support the following features:
  • encoding and decoding of Unicode messages
  • ability to use a password, which the sender and recipient each know, to encrypt S/MIME-protected email messages or PIN messages
  • ability to read S/MIME certificates that are stored on a smart card

Configure the BlackBerry Enterprise Solution to support S/MIME encryption

  1. Configure S/MIME message processing on the BlackBerry® Enterprise Server.
  2. Instruct users to install the S/MIME Support Package for BlackBerry® smartphones on BlackBerry devices.
  3. Perform one of the following tasks:
    • Instruct users to add the Certificate Synchronization Manager to the BlackBerry® Desktop Manager so that the BlackBerry Desktop Manager can manage certificates for the BlackBerry devices.
    • Configure the BlackBerry Enterprise Server to permit users to enroll certificates over the wireless network.

Configure encryption options for S/MIME-protected messages

After you turn on processing for S/MIME-protected messages, you can configure encryption options using the BlackBerry® Administration Service. You can configure encryption options to control how the BlackBerry® Enterprise Server processes S/MIME-protected messages.
  1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
  2. In the Email section, click the instance that you want to change.
  3. Click Edit host instance.
  4. On the Messaging tab, in the Security settings section, perform any of the following actions:
    • To require that the BlackBerry Enterprise Server encrypts messages with S/MIME encryption for a second time when the BlackBerry Enterprise Server processes S/MIME-protected messages that are weakly encrypted or are signed but unencrypted, in the S/MIME Encryption on Signed and Weakly Encrypted Messages turn on drop-down list, click True.
    • To permit BlackBerry device users that have email applications that do not support S/MIME to read the text of an S/MIME-protected message, in the Send S/MIME Messages in Clear-Signed Format drop-down list, click True.
    • To require that the BlackBerry Enterprise Server deletes attachment data from any signed-only S/MIME-protected messages that the BlackBerry Enterprise Server receives to conserve bandwidth, in the Remove Attachment Data from Signed S/MIME Messages drop-down list, click True.
    • To require that the BlackBerry Enterprise Server sends encrypted S/MIME-protected messages using an updated MIME content-type that is in accordance with PKCS#7 instead of the default legacy MIME content-type, in the Use PKCS #7 MIME Type drop-down list, click True.
  5. Click Save all.
  6. Perform the following actions to restart the BlackBerry Messaging Agent:
    1. On the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > BlackBerry Enterprise Server.
    2. Click the BlackBerry Enterprise Server instance that includes the BlackBerry Messaging Agent.
    3. Click Restart instance.
Turn on support for processing S/MIME-protected messages on the BlackBerry Enterprise Server
  1. In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
  2. In the Email section, click the instance that you want to change.
  3. On the Messaging tab, click Edit instance.
  4. In the Security settings section, in the Turn on S/MIME message processing drop-down list, click True.
  5. Click Save All.
How S/MIME-protected messages on BlackBerry devices discard appended disclaimers

If a user installs and configures the S/MIME Support Package for BlackBerry® smartphones on a BlackBerry device, the BlackBerry® Enterprise Server does not apply an appended disclaimer to S/MIME-protected messages that the user sends from the BlackBerry device. Digital signatures on S/MIME-protected messages that the BlackBerry device sends are not valid if disclaimers are appended to the messages.

Define encryption options for S/MIME-protected messages
  1. In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
  2. In the Email section, click the instance that you want to change.
  3. On the Messaging tab, click Edit host instance.
  4. In the Security settings section, change S/MIME Message Processing turn on to True.
  5. Click Save all.

Was this information helpful? Send us your comments.