Security Technical Overview

Preventing a user from compromising work data on a device

A BlackBerry® device is designed to separate work data from personal data so that you can help prevent a BlackBerry device user from compromising your organization’s data by using personal channels to unintentionally send work data. You can configure several features to help prevent a user from compromising your organization’s data on a device:
  • prevent a user from pasting work data into a personal application
  • prevent a user from forwarding work data using a personal channel
  • prevent a user from using the work contact list in personal email accounts and personal calendars
  • prevent a user from backing up work data
  • control the browser traffic in BlackBerry® Browser
  • protect the work data that a user stores on a media card

Preventing a user from pasting work data into a personal application

To help prevent a BlackBerry® device user from pasting work data into a personal application, you can set the Enable Separation of Work Content IT policy rule to Yes so that the following guidelines apply to the user:
  • a user can cut, copy, and paste work data from a work application to another work application
  • a user cannot cut, copy, and paste work data from a work application to a personal application
  • a user can cut, copy, and paste personal data from a personal application to a work application or another personal application

If a user tries to paste work data to a personal application, the BlackBerry device displays a warning message.

By default, the Enable Separation of Work Content IT policy rule is set to No. The device does not distinguish between work data and personal data.

Note that setting the Enable Separation of Work Content IT policy rule to Yes alone does not close every path: a user can select a work email account in the Send Using field of a draft email message, paste work data into the body of the message, and then change the Send Using field from the work email account to a personal email account before sending the message. To prevent the user from changing the work email account to a personal email account in this way, also set the Require Work Resources For Conducting Work Activities IT policy rule to Yes. By default, the Require Work Resources For Conducting Work Activities IT policy rule is set to No.

Preventing a user from forwarding work data using personal channels

To help prevent a BlackBerry® device user from forwarding work data using personal channels, you can set the Disable Forwarding of Work Content Using Personal Channels IT policy rule to Yes. Personal channels include the BlackBerry® Internet Service, SMS text messages, MMS messages, PIN messages, and BlackBerry® Messenger. When you set the Disable Forwarding of Work Content Using Personal Channels IT policy rule to Yes, the following guidelines apply to the user:
  • a user can forward work email messages, contacts, calendar entries, tasks, or memos using a work email account
  • a user cannot forward work email messages, contacts, calendar entries, tasks, or memos using personal channels

If the user tries to forward work email messages, contacts, calendar entries, tasks, or memos using personal channels, the device is designed to display a warning message and does not permit the user to complete the task.

By default, the Disable Forwarding of Work Content Using Personal Channels IT policy rule is set to No. The device does not distinguish between work data and personal data when users forward data.
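As an added illustration (not RIM code or any real policy engine), the following Python models the cut/copy/paste and forwarding decisions the two sections above describe, including the Send Using gap that the Require Work Resources For Conducting Work Activities rule closes. The IT policy rule names are the page's; the dataclass fields, function names and the string labels are assumptions made for this example.

```python
from dataclasses import dataclass

WORK, PERSONAL = "work", "personal"          # application / account classes
# Personal channels listed on the page (labels are this example's own)
PERSONAL_CHANNELS = {"BlackBerry Internet Service", "SMS", "MMS", "PIN",
                     "BlackBerry Messenger"}


@dataclass
class ITPolicy:
    """Three IT policy rules from the page, all defaulting to No (False)."""
    enable_separation_of_work_content: bool = False
    disable_forwarding_using_personal_channels: bool = False
    require_work_resources: bool = False


def paste_allowed(policy: ITPolicy, src: str, dst: str) -> bool:
    """Cut/copy/paste between applications. With separation enabled, the
    only blocked direction is work -> personal; everything else is allowed."""
    if not policy.enable_separation_of_work_content:
        return True                      # device does not distinguish data
    return not (src == WORK and dst == PERSONAL)


def forward_allowed(policy: ITPolicy, channel: str) -> bool:
    """Forwarding a work item (email, contact, calendar entry, task, memo)."""
    if not policy.disable_forwarding_using_personal_channels:
        return True
    return channel not in PERSONAL_CHANNELS


def send_using_change_allowed(policy: ITPolicy, old: str, new: str) -> bool:
    """Changing the Send Using account of a draft from work to personal is
    what Require Work Resources For Conducting Work Activities blocks."""
    if policy.require_work_resources and old == WORK and new == PERSONAL:
        return False
    return True


def draft_leak_possible(policy: ITPolicy) -> bool:
    """Reproduce the caveat: paste work data into a draft while a work
    account is selected (a work -> work paste, always allowed), then switch
    Send Using to a personal account before sending."""
    if not paste_allowed(policy, WORK, WORK):
        return False
    return send_using_change_allowed(policy, WORK, PERSONAL)


def rules_closing_the_gap() -> ITPolicy:
    """The combination the page recommends: both rules set to Yes."""
    return ITPolicy(enable_separation_of_work_content=True,
                    require_work_resources=True)
```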

Preventing a user from using the work contact list in personal email accounts and personal calendars

By default, a BlackBerry® device does not prevent a BlackBerry device user from using personal email accounts or personal calendars to send email messages or calendar appointments to email addresses in the work contact list. For example, a user can send email messages to work email addresses using a personal email account and create meetings with work email addresses in a personal calendar.

To help prevent a user from using personal email accounts or personal calendars to send email messages or calendar appointments to email addresses in the work contact list, you can set the Require Work Resources For Conducting Work Activities IT policy rule to Yes. When you set this rule to Yes, a user must use the work email account to send email messages to work email addresses and the work calendar to send calendar invites to work email addresses.

Controlling the browsing traffic in the BlackBerry Browser

A BlackBerry® device user can use the BlackBerry® Browser to browse the Internet and your organization’s intranet. The device does not consider the BlackBerry Browser to be a work application. You can change the behavior of the BlackBerry Browser depending on the IT policies that you configure in your organization's environment:
  • If you do not want users to browse using the Internet Browser, set the Allow IBS Browser IT policy rule to No.
  • If you do not want users to browse using Wi-Fi® hotspots, set the Allow Hotspot Browser IT policy rule to No.
  • If you do not want users to browse using WAP, set the Enable WAP Config IT policy rule to No.
  • If you want users to browse using only the BlackBerry® Enterprise Server, set the Allow Other Browser Services IT policy rule to No.
  • If you do not want users to browse using the BlackBerry Enterprise Server, set the Allow Browser IT policy rule to No.

You can also configure pull rules to prevent a user from accessing specific web servers using the BlackBerry Browser. For more information about configuring pull rules, see the BlackBerry Enterprise Server Administration Guide.

BlackBerry® 6 permits you to control the browser transport selection for the BlackBerry Browser. For more information about browser transport selection, see the Selecting Browser Transport Technical Note.

Preventing a user from backing up work data that is stored on a device

By default, if your organization's environment includes BlackBerry® Enterprise Server for Microsoft® Exchange (5.0 SP3 or later) or BlackBerry® Enterprise Server for IBM® Lotus® Domino® (5.0 SP3 or later), a BlackBerry® device user can back up both work data and personal data on a computer using the BlackBerry® Desktop Software and BlackBerry® Web Desktop Manager. The user can restore the backed-up data to the device after the BlackBerry® Device Software is updated, or when issues occur that require the user to restore the information.

In rare circumstances, when a user restores work data, a device might not be able to recognize the data as work data and might treat it as personal data. For example, if a user restores data from an existing device to a new device that the user did not activate on the BlackBerry® Enterprise Server and that has the radio turned off, the new device might not recognize the data as work data.

If you want to prevent the user from backing up work data, you can change the value of the Desktop Backup IT policy rule to No organizational databases. When you set the rule to No organizational databases, the device does not back up the following information:
  • organizer data such as tasks or memos
  • work contacts
  • work calendar entries

Protecting work data on a media card

By default, a BlackBerry® device stores all data in unencrypted format on a media card. When you set the Enable Separation of Work Content IT policy rule to Yes, the device automatically encrypts all work data on a media card using a device key.

You can perform any of the following actions to further protect the work data on a media card:
  • Prevent a user from storing any data on media cards by setting the Disable External Memory IT policy rule to Yes.
  • Prevent a user from transferring data to a media card over a USB connection by setting the Disable USB Mass Storage IT policy rule to Yes.
  • Permit the user to store data on media cards, but specify that the device must encrypt all data and not just work data. To configure this option, set the External File System Encryption Level IT policy rule to one of the following values:
    • Encrypt to User Password (excluding multi-media directories)
    • Encrypt to User Password (including multi-media directories)
    • Encrypt to Device Key (excluding multi-media directories)
    • Encrypt to Device Key (including multi-media directories)
    • Encrypt to User Password and Device Key (excluding multi-media directories)
    • Encrypt to User Password and Device Key (including multi-media directories)