FIPS compliance

It is a best practice to make your BlackBerry Dynamics apps compliant with U.S. Federal Information Processing Standards (FIPS) 140-2. The BlackBerry Dynamics SDK distribution contains FIPS canisters and tools.
The BlackBerry UEM or standalone Good Control administrator enables FIPS compliance using a BlackBerry Dynamics profile (UEM) or security policy (Good Control). If enabled, BlackBerry Dynamics apps must start in FIPS-compliant mode. The SDK determines whether a service is running in FIPS mode when the app communicates with the server to receive policies.
FIPS compliance enforces the following constraints:
  • The use of MD4 and MD5 is prohibited. As a result, access to NTLM-protected or NTLM2-protected web pages and files is blocked.
  • In secure socket key exchanges with ephemeral keys, with servers that are not configured to use Diffie-Hellman keys of sufficient length, BlackBerry Dynamics retries with static RSA cipher suites.
  • When you enable FIPS compliance, user certificates must use encryption that meets FIPS standards. If a user tries to import a certificate with encryption that is not compliant, the user receives an error message indicating that the certificate is not allowed and cannot be imported.
  • For iOS, when you build for testing with the x86 64-bit simulator, FIPS mode is not enforced. As a result, you might see a difference in behavior with the simulator compared to actual operation. BlackBerry recommends that you always test your app on actual iOS hardware and not rely exclusively on the simulation.
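
To find which backend endpoints the NTLM restriction above will affect before FIPS mode is enabled, the following added example (not part of the BlackBerry documentation or SDK) classifies the WWW-Authenticate challenges captured from 401 responses. The paths and header values are constructed samples, and reporting Negotiate for review is an assumption based on SPNEGO being able to select NTLM.

```python
import re

# Constructed sample: URL path -> WWW-Authenticate values from its 401 response.
SAMPLE = {
    "/sites/hr": ["NTLM"],
    "/ews/exchange.asmx": ["Negotiate", "NTLM"],
    "/api/v1": ['Basic realm="intranet, NTLM zone"', "NTLM"],
    "/portal": ['Bearer realm="portal"'],
}

def offered_schemes(header_values):
    """Return the set of auth schemes named in WWW-Authenticate values."""
    schemes = set()
    for value in header_values:
        # Blank out quoted strings so commas inside a realm do not split.
        value = re.sub(r'"[^"]*"', '""', value)
        for part in value.split(","):
            tokens = part.split()
            # A challenge starts with a bare scheme token; name=value parts
            # are parameters of the previous challenge, not new schemes.
            if tokens and "=" not in tokens[0]:
                schemes.add(tokens[0].lower())
    return schemes

def classify(header_values):
    """Label an endpoint by how much it depends on NTLM."""
    schemes = offered_schemes(header_values)
    if "ntlm" not in schemes and "negotiate" not in schemes:
        return "no-ntlm"
    if schemes == {"ntlm"}:
        return "ntlm-only"          # blocked once FIPS mode is enforced
    if schemes <= {"ntlm", "negotiate"}:
        # Assumption: Negotiate may resolve to NTLM when Kerberos is not
        # usable, so confirm the Kerberos path works for this endpoint.
        return "negotiate-review"
    return "has-alternative"        # another scheme is offered as well

def audit(responses):
    return {path: classify(values) for path, values in responses.items()}

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE).items():
        print(f"{verdict:18} {path}")
```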