Security Technical Overview

Using IT administration commands to protect a lost or stolen device

The BlackBerry® Enterprise Server includes IT administration commands that you can send over the wireless network to protect sensitive data on a BlackBerry device. You can use the commands to lock the device, permanently delete work data, permanently delete user information and application data, and return the device settings to the default values.

IT administration command

Description

Specify new device password and lock device

This command creates a new password and locks a device over the wireless network. You can communicate the new password to the user verbally when the BlackBerry device user locates the device. When the user unlocks the device, the device prompts the user to accept or reject the new password.

You can use this command if the device is lost. If you or a user turned on content protection, you can use this command if the device is running BlackBerry® Device Software 4.3.0 or later. If you or a user turned on two-factor content protection, you cannot use this command.

Delete only the organization data and remove device

This command permanently deletes all work data that the device stores and removes the device from the BlackBerry Enterprise Server. All personal data remains on the device.

You can send this command to a personal device when a user no longer works at your organization and you want to delete work data from the device.

You can also specify whether you want to delete or disable a user account from the BlackBerry Enterprise Server after the device deletes all work data.

Delete all device data and remove device

This command permanently deletes all user information and application data that the device stores. You can configure the following options when you use this command:
  • specify a delay, in hours, that must occur before the device starts to delete all the user information and application data
  • require the device to return to its factory default settings when it receives this command
  • specify whether the user is permitted, during the delay period, to stop the device from permanently deleting its data and becoming unavailable

You can send this command to a device that you want to distribute to another user in your organization, or to a device that is lost and that the user might not recover.

You can also specify whether you want to delete or disable a user account from the BlackBerry Enterprise Server after the device deletes all user information and application data.

Process flow: Sending the Specify new device password and lock device IT administration command when content protection is turned on

  1. The BlackBerry® Enterprise Server sends the Specify new device password and lock device IT administration command and the new BlackBerry device password to the BlackBerry device.
  2. The device performs the following actions:
    1. selects r randomly
    2. stores r in RAM
    3. calculates D' = rD = rdP
    4. calculates h = SHA-1( B )
    5. sends D' and h to the BlackBerry Enterprise Server
  3. The BlackBerry Enterprise Server performs the following actions:
    1. uses h to determine which B the device used and which b to use
    2. verifies that D' is a valid public key
    3. calculates K' = bD' = brdP = rdB = rK (the BlackBerry Enterprise Server knows only rK and cannot calculate K without r)
    4. calculates h = SHA-1( D' )
    5. sends the new BlackBerry device password, K', and h to the device
  4. The device performs the following actions:
    1. uses h to verify that K' is associated with D' and r
    2. verifies that K' is a valid public key
    3. calculates r⁻¹K' = r⁻¹rK = K
    4. permanently deletes r
    5. uses K to decrypt the content protection key
    6. permanently deletes K
  5. The device performs the following actions:
    1. selects d randomly
    2. calculates D = dP
    3. stores D in flash memory
    4. calculates K = dB
    5. uses K to encrypt the new BlackBerry device password
    6. uses the encrypted new password to encrypt the content protection key
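
The blinded exchange in steps 2 to 4, as an added example that is not BlackBerry code. It assumes secp256k1 as the curve (the page names none), a 64-byte x‖y point encoding as the SHA-1 input, and hypothetical function names; P is the base point G, d/D and b/B are the device and server key pairs, and K = dB = bD.

```python
import hashlib, secrets

P_MOD = 2**256 - 2**32 - 977  # assumed curve: secp256k1 (page names none)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):  # affine addition on y^2 = x^3 + 7; None is infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P_MOD) if p1 == p2
           else (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD))
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):  # double-and-add; not constant time, illustration only
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def valid_public_key(pt):
    """Steps 3.2 and 4.2: reject infinity, out-of-range and off-curve points."""
    return (pt is not None and all(0 <= c < P_MOD for c in pt)
            and (pt[1] ** 2 - pt[0] ** 3 - 7) % P_MOD == 0)

def tag(pt):
    """SHA-1 of a fixed-width point encoding (the encoding is an assumption)."""
    return hashlib.sha1(b"".join(c.to_bytes(32, "big") for c in pt)).digest()

def server_reply(keys, d_blind, h):
    """Step 3: keys maps SHA-1(B) -> b. Returns (K', SHA-1(D'))."""
    if not valid_public_key(d_blind):
        raise ValueError("D' is not a valid public key")
    return mul(keys[h], d_blind), tag(d_blind)

def device_recover(D, B, keys):
    """Steps 2 and 4: blind D with r, query the server, unblind K' into K."""
    r = secrets.randbelow(N - 1) + 1  # ephemeral; the device keeps it in RAM only
    d_blind = mul(r, D)
    k_blind, h = server_reply(keys, d_blind, tag(B))
    if h != tag(d_blind) or not valid_public_key(k_blind):
        raise ValueError("reply does not match D' or K' is invalid")
    return mul(pow(r, -1, N), k_blind), k_blind  # (K, K' as the server saw it)
```

The second return value is the only key material the server ever handles: it is rK, which differs from K unless r is 1.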