Using IT administration commands to protect a lost or stolen device
The BlackBerry® Enterprise Server includes IT administration commands that you can send over the wireless network to protect sensitive data on a BlackBerry device. You can use the commands to lock the device, permanently delete work data, permanently delete user information and application data, and return the device settings to the default values.
IT administration command
|
Description
|
|---|
Specify new device password and lock device
|
This command creates a new password and locks
a device over the wireless network. You can communicate the new password
to the user verbally when the BlackBerry device
user locates the device.
When the user unlocks the device, the device
prompts the user to accept or reject the new password.
You can use this command if the device is lost. If you or a user turned on content protection and a device is running BlackBerry®
Device Software 4.3.0 or later, you can use this command. If you or a user turned on two-factor content protection, you cannot use this command.
|
Delete only the organization data and remove device
|
This command permanently deletes all work data that the device stores and removes the device from the BlackBerry Enterprise Server. All personal data remains on the device.
You can send this command to a personal device when a user no longer works at your organization and you want to delete work data from the device.
You can also specify whether you want to delete or disable a user account from the BlackBerry Enterprise Server after the device deletes all work data.
|
Delete all device data and remove device
|
This command permanently deletes all user
information and application data that the device stores.
You can configure the following options when you use this
command: - specify a delay, in hours, that must occur before the
device starts to delete all the user
information and application data
- require the device to return to
its factory default settings when it receives this command
- specify whether to permit the user to stop permanently deleting data from the device and making the
device unavailable during the delay period
You can send this command to a
device that you want to distribute to another user in your
organization, or to a device that is lost and that the user might not recover.
You can also specify whether you want to delete or disable a user account from the BlackBerry Enterprise Server after the device deletes all user information and application data.
|
Process flow: Sending the Specify new device password and lock device IT administration command when content protection is turned on
- The BlackBerry® Enterprise Server sends the Specify new device password and lock
device IT administration command and the new BlackBerry device
password to the BlackBerry device.
- The device performs the following
actions:
- selects r randomly
- stores r in RAM
- calculates D' = rD = rdP
- calculates h = SHA-1( B )
- sends D' and h to the BlackBerry Enterprise Server
- The BlackBerry Enterprise Server
performs the
following actions:
- uses h to determine which B the device used and which b to use
- verifies that D' is a valid
public key
- calculates K' = bD' = brdP = rdB = rK (the
BlackBerry Enterprise Server
knows only rK and
cannot calculate K without r)
- calculates h = SHA-1( D'
)
- sends the new BlackBerry device password, K', and h to the device
- The device performs the following
actions:
- uses h to verify that K' is associated with D' and r
- verifies that K' is a valid
public key
- calculates r-1K' =
r-1rK = K
- permanently deletes
r
- uses K to decrypt the content
protection key
- permanently deletes K
- The device performs the following
actions:
- selects d randomly
- calculates D = dP
- stores D in flash
memory
- calculates K = dB
- uses K to encrypt the new
BlackBerry device password
- uses the encrypted new password to encrypt the
content protection key
Was this information helpful? Send us your comments.
