Feature and Technical Overview

BlackBerry Enterprise Solution security

if you use software tokens, the contents of the .sdtid seed file that is stored in flash memory

all data that is associated with third-party applications that a user installs on the device

in the BlackBerry Browser, content that web sites or third-party applications push to the device, any web sites that the user saves on the device, and the browser cache

all text that the device automatically substitutes for text that the user types on the device

You can change the Content Protection of Contact List IT policy rule to Required to prevent the user from turning off content protection for the contact list on the device. If you change the Content Protection of Contact List IT policy rule to Required, the device does not permit call display and does not share contacts over a Bluetooth connection when the device is locked.

Encrypting the device transport key on a locked device

If you turn on content protection for device transport keys, a BlackBerry device uses the principal encryption key to encrypt the device transport keys that are stored in flash memory. The device encrypts the principal encryption key using the content protection key. When a locked device receives data that is encrypted using the device transport key, it uses the decrypted principal encryption key to decrypt the device transport key in flash memory and then uses the decrypted device transport key to decrypt data.

When you, a user, or a password timeout locks the device, the wireless transceiver remains on and the device does not delete the memory that is associated with the principal encryption key or device transport key. The device is designed to prevent the decrypted principal encryption key and the decrypted device transport key from appearing in flash memory.

You can turn on content protection for device transport keys on the device when you configure the Force Content Protection of Master Keys IT policy rule. When you turn on content protection of device transport keys, the device uses the ECC key strength that you specified in the Content Protection Strength IT policy rule to encrypt the device transport keys.
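The following Go program is an added illustration of the three-level key hierarchy that the preceding paragraphs describe; it is not BlackBerry code and does not reproduce the device's actual algorithms. It substitutes AES-256-GCM for the ECC-based protection that the Content Protection Strength IT policy rule controls, generates the content protection key at random (assumed here to be derived from the device password in practice, which the example does not model), and keeps everything in process memory: the exported Wrapped fields stand in for flash memory and the unexported field stands in for RAM. The type and function names (Device, NewDevice, Lock, Unlock, Receive, Demo) are invented for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal encrypts plaintext under key with AES-256-GCM and prepends the nonce.
func seal(key, plaintext []byte) []byte {
	gcm, err := newGCM(key)
	if err != nil {
		panic(err) // provisioning with a malformed key is fatal
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key or a tampered blob fails authentication.
func open(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("open: bad key or blob")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Device models the split the text describes: flash holds only wrapped keys.
type Device struct {
	WrappedPrincipal []byte // flash: principal key under the content protection key
	WrappedTransport []byte // flash: transport key under the principal key
	principalKey     []byte // RAM: retained while the device is locked
	Locked           bool
}

// NewDevice provisions the hierarchy; the transport key is also returned because
// the server side needs it to encrypt traffic to the device (constructed setup).
func NewDevice(contentProtectionKey []byte) (*Device, []byte) {
	principal, transport := randomBytes(32), randomBytes(32)
	d := &Device{
		WrappedPrincipal: seal(contentProtectionKey, principal),
		WrappedTransport: seal(principal, transport),
		principalKey:     principal,
	}
	return d, transport
}

// Lock only flips the state: per the text, the decrypted principal key stays in RAM.
func (d *Device) Lock() { d.Locked = true }

// Unlock recovers the principal key from flash using the content protection key.
func (d *Device) Unlock(contentProtectionKey []byte) error {
	p, err := open(contentProtectionKey, d.WrappedPrincipal)
	if err != nil {
		return fmt.Errorf("unlock: %w", err)
	}
	d.principalKey, d.Locked = p, false
	return nil
}

// Receive decrypts a message sent under the transport key. It works while locked
// because only the principal key is needed; the unwrapped transport key is scrubbed
// as soon as the message is decrypted so it never persists.
func (d *Device) Receive(msg []byte) ([]byte, error) {
	transport, err := open(d.principalKey, d.WrappedTransport)
	if err != nil {
		return nil, err
	}
	defer func() { for i := range transport { transport[i] = 0 } }()
	return open(transport, msg)
}

// Demo runs the locked-device scenario and returns the recovered message.
func Demo() (string, error) {
	cpk := randomBytes(32) // assumption: a real device derives this from the password
	dev, serverTransportKey := NewDevice(cpk)
	dev.Lock()
	plain, err := dev.Receive(seal(serverTransportKey, []byte("mail pushed while locked")))
	return string(plain), err
}

func main() { fmt.Println(Demo()) }
```

Run it with go run. The point to observe is that Receive succeeds after Lock without the content protection key being available, that the raw transport key never appears in either flash field, and that Unlock with any key other than the one used at provisioning fails authentication rather than yielding a wrong principal key.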

Managing device access to the BlackBerry Enterprise Server

You can use the Enterprise Service Policy to control which BlackBerry devices can connect to a BlackBerry Enterprise Server. By default, after you turn on the Enterprise Service Policy, the BlackBerry Enterprise Server permits connections from any device that you previously associated with the BlackBerry Enterprise Server. The BlackBerry Enterprise Server also prevents connections from any device that you associate with the BlackBerry Enterprise Server after you turn on the Enterprise Service Policy.

BlackBerry Enterprise Server for Microsoft Exchange: Encrypting the device transport key on a locked device