Security known issues
After a BlackBerry® device user enrolls certificates successfully numerous times with a stand-alone CA, an enrollment process might fail while the device is waiting for an approved certificate, even though the certificate is approved. (DT 1140973)
After a user enrolls certificates successfully numerous times with an enterprise CA or stand-alone CA, an enrollment process might fail while the device is waiting for an approved certificate. (DT 1116098)
The BlackBerry Enterprise Server Express does not forward .msg attachments in email messages that are signed, encrypted, or signed and encrypted using S/MIME. (DT 1056505)
In an environment that includes the PGP® Support Package for BlackBerry® smartphones, if a user forwards an HTML message that contains an inline image and is signed and encrypted using PGP/MIME to the device, the recipient cannot open the attachment. The device displays the attachment as an unknown attachment. (DT 1048997)
If you send the "Delete all device data and remove device" IT administration command and set a one-hour delay, the BlackBerry Enterprise Server Express deletes the device PIN after the hour passes. However, if the user cancels the process to delete all device data, the device loses its connection with the BlackBerry Enterprise Server Express. (DT 1043425)
By default, the standard unlisted optional application control policy requires users to respond to a prompt each time they want to run the applications. (DT 1040480)
If you send the "Delete only the organization data and remove device" command to a BlackBerry device, the device does not send an acknowledgment to the BlackBerry Enterprise Server Express so that the BlackBerry Administration Service can delete the user account. (DT 1034973)
Workaround: Delete the user account manually.
If you send the "Delete all device data and remove device" command to a BlackBerry® Curve™ 9300, the device does not send an acknowledgment to the BlackBerry Enterprise Server Express so that the BlackBerry Administration Service can delete the user account. (DT 1034949)
Workaround: Delete the user account manually.
If you send the "Delete all device data and disable device" IT administration command before you upgrade, and the BlackBerry Enterprise Server Express receives an acknowledgment from the device that it has received the IT administration command after you upgrade the BlackBerry Enterprise Server Express, the BlackBerry Enterprise Server Express writes a NullPointerException error message to its log file. (DT 1027898)
If a device that does not support PGP encryption receives a PGP/MIME encrypted message, the device displays an outdated message to the user indicating that PGP is not supported.
If a device that does not support PGP encryption receives a PGP/MIME signed message, the BlackBerry Enterprise Server Express extracts the plaintext information from the message and sends it without indicating that the message is PGP signed. This means that the device does not display the status message to the user indicating that PGP is not supported. (DT 1026959)
In an environment that includes the PGP Support Package for BlackBerry smartphones, if a user sends a PGP partitioned encrypted message that includes Greek characters in the body from Microsoft® Outlook® to a recipient who is also a Microsoft Outlook user, the Greek characters are not displayed correctly on the recipient's device. (DT 1014751)
In an environment that includes the PGP Support Package for BlackBerry smartphones, if a user sends a PGP partitioned signed message that includes Arabic characters in the body from Microsoft Outlook, the Arabic characters are not displayed correctly on the recipient's device. (DT 1014465)
When you configure the BlackBerry Enterprise Server Express to support certificate enrollment over the wireless network, the device might not complete the enrollment process successfully because of HTTP client timeouts. The BlackBerry MDS Connection Service log file includes the following message: "Exception at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager.doGetConnection(MultiThreadedHttpConnectionManager.java:497)". (DT 962708)
If a BlackBerry device user sends S/MIME encrypted email messages, the email messages are sent using the MS-TNEF MIME type instead of the X-PKCS7 MIME type. (DT 562356)
In an environment that includes the S/MIME Support Package for BlackBerry smartphones, when a user sends an encrypted, signed, or encrypted and signed message from the user's email application and adds a plaintext message attachment, the recipient's BlackBerry device displays the attachment as an unknown file. (DT 559298)
If you attempt to assign a BlackBerry device that has been deactivated with an IT administration command using the BlackBerry Administration Service, the BlackBerry Administration Service displays a message indicating the activation process is a success, when in fact the device is not activated. (DT 491663)
In an environment that includes the S/MIME Support Package for BlackBerry smartphones, if a user sends an encrypted message that includes the Euro symbol (€) from Microsoft Outlook 2003 SP2 or Microsoft Outlook Web Access, the BlackBerry device displays an error when it receives the message. (DT 403545)
Workaround: Configure users to use UTF-8 encoding in Microsoft Outlook.
If a user regenerates the encryption key on a BlackBerry device, and then pulls the battery a few seconds after receiving the "Encryption Verified" message, the BlackBerry Enterprise Server Express does not confirm with the device that the device received the KEY_CONFIRM_PROMOTE, and messages are blocked at the firewall. (DT 402026)
Workaround: Generate the encryption key again.
When a user copies a large file (for example, a 746 KB file) from a microSD card to a shared location, the device does not finish copying the file. (DT 315882)
You cannot change the password for the key store file that permits the BlackBerry Administration Service to open HTTPS connections. (DT 224771)
Workaround: To change the web.keystore password, you must run the setup application again on the computer that hosts the BlackBerry Administration Service. When you need to regenerate the web.keystore file after you change the BlackBerry Administration Service, you need to copy the web.keystore file to all BlackBerry Administration Service instances. You can also copy the registry value that contains the password to other BlackBerry Administration Service instances. The registry setting is HKEY_CURRENT_USER\SOFTWARE\Research In Motion\BlackBerry Enterprise Server\Administration Service\Key Store.