Overview
Using an IT policy to manage BlackBerry Enterprise Solution security
- encryption (for example, encryption of user data and messages that the BlackBerry® Enterprise Server forwards to message recipients) and encryption strength
- use of a password or pass phrase
- connections that use Bluetooth® wireless technology
- protection of user data and device transport keys on the device
- control of device resources, such as the camera or GPS, that are available to third-party applications
The BlackBerry Enterprise Server includes preconfigured IT policies that you can use to manage the security of the BlackBerry Enterprise Solution. The Default IT policy includes IT policy rules that are configured to indicate the default behavior of the device or BlackBerry Desktop Software.
After a device user activates a device, the BlackBerry Enterprise Server automatically sends to the device the IT policy that you assigned to the user account or group. By default, if you do not assign an IT policy to the user account or group, the BlackBerry Enterprise Server sends the Default IT policy. If you delete an IT policy that you assigned to the user account or group, the BlackBerry Enterprise Server automatically re-assigns the Default IT policy to the user account and resends the Default IT policy to the device.
For more information, see the BlackBerry Enterprise Server Policy Reference Guide.
Using IT policy rules to manage BlackBerry Enterprise Solution security
You can use IT policy rules to customize and control the actions that the BlackBerry® Enterprise Solution can perform.
To use an IT policy rule on a BlackBerry device, you must verify that the BlackBerry® Device Software version supports the IT policy rule. For example, you cannot use the Disable Camera IT policy rule to control whether a BlackBerry device user can access the camera on the device if the BlackBerry Device Software version does not support the IT policy rule. For information about the BlackBerry Device Software version that is required for a specific IT policy rule, see the BlackBerry Enterprise Server Policy Reference Guide.
If you create a custom IT policy that does not permit users to change their user information on their devices, you can only apply this custom IT policy to devices running BlackBerry Device Software 5.0 or later.
The BlackBerry Administration Service groups the IT policy rules by common properties or by application. Most IT policy rules are designed so that you can assign them to multiple user accounts and groups.
Preconfigured IT policies
The BlackBerry® Enterprise Server includes the following preconfigured IT policies that you can change to create IT policies that meet the requirements of your organization.
| Preconfigured IT policy | Description |
|---|---|
| Default | This policy includes all the standard IT policy rules that are set on the BlackBerry Enterprise Server. |
| Individual-Liable Devices | Similar to the Default IT policy, this policy prevents BlackBerry device users from accessing organizer data from within the social networking applications on their BlackBerry devices. This policy permits users to access their personal calendar services and email messaging services (for example, their BlackBerry® Internet Service accounts), update the BlackBerry® Device Software using methods that exist outside your organization, make calls when devices are locked, and cut, copy, and paste text. Users cannot forward email messages from one email messaging service to another. You can use the Individual-Liable Devices IT policy if your organization includes users who purchase their own devices and connect the devices to a BlackBerry Enterprise Server instance in your organization's environment. |
| Basic Password Security | Similar to the Default IT policy, this policy also requires a password that users must use to unlock their devices; no pattern restriction is placed on the password. Users must change the password regularly. The IT policy includes a security timeout that locks devices. |
| Medium Password Security | Similar to the Default IT policy, this policy also requires a complex password (at least one alphabetic and one numeric character) that users must use to unlock their devices. Users must change the password regularly. This policy includes a maximum password history and disables Bluetooth® discoverable mode on devices. |
| Medium Security with No 3rd Party Applications | Similar to the Medium Password Security IT policy, this policy requires a complex password that users must change frequently, a security timeout, and a maximum password history. This policy prevents users from making their devices discoverable by other Bluetooth enabled devices and prevents devices from downloading third-party applications. |
| Advanced Security | Similar to the Default IT policy, this IT policy also requires a complex password that users must change frequently, a security timeout that locks devices, and a maximum password history. This policy restricts Bluetooth technology on devices, turns on strong content protection, turns off USB mass storage, and requires devices to encrypt external file systems. |
| Advanced Security with No 3rd Party Applications | Similar to the Advanced Security IT policy, this IT policy requires a complex password that users must change frequently, a security timeout that locks devices, and a maximum password history. This policy restricts Bluetooth technology on devices, turns on strong content protection, turns off USB mass storage, requires devices to encrypt external file systems, and prevents devices from downloading third-party applications. |
Default values for preconfigured IT policies
You can configure additional IT policy rules in the preconfigured IT policies or change any of the following values (a dash means no value is listed for that rule in that policy):

| IT policy rule | Default IT policy | Individual-Liable Device IT policy | Basic Password Security IT policy | Medium Password Security IT policy | Medium Password Security with No 3rd Party Applications IT policy | Advanced Security IT policy | Advanced Security with No 3rd Party Applications IT policy |
|---|---|---|---|---|---|---|---|
| Device-Only Items | | | | | | | |
| Enable Long-Term Timeout | — | — | — | Yes | Yes | Yes | Yes |
| Maximum Security Timeout | — | — | 30 minutes | 10 minutes | 10 minutes | 10 minutes | 10 minutes |
| Maximum Password Age | — | — | 60 days | 30 days | 30 days | 30 days | 30 days |
| Password Pattern Checks | no restriction | — | no restriction | at least 1 alpha and 1 numeric character | at least 1 alpha and 1 numeric character | at least 1 alpha and 1 numeric character | at least 1 alpha and 1 numeric character |
| Password Required | No | — | Yes | Yes | Yes | Yes | Yes |
| User Can Change Timeout | Yes | — | Yes | Yes | Yes | Yes | Yes |
| User Can Disable Password | Yes | — | No | No | No | No | No |
| Password policy group | | | | | | | |
| Maximum Password History | — | — | — | 6 | 6 | 6 | 6 |
| RIM Value-Added Applications policy group | | | | | | | |
| Disable Organizer Data Access for Social Networking Applications | Yes | Yes | — | — | — | — | — |
| Security policy group | | | | | | | |
| Allow Outgoing Call When Locked | No | Yes | — | — | — | — | — |
| Content Protection Strength | — | — | — | — | — | Strong | Strong |
| Disable Cut/Copy/Paste | No | No | — | — | — | — | — |
| Disable Forwarding Between Services | No | Yes | — | — | — | — | — |
| Disable USB Mass Storage | No | — | — | — | — | Yes | Yes |
| Disallow Third Party Application Download | No | — | — | — | Yes | — | Yes |
| External File System Encryption Level | Not required | — | — | — | — | Encrypt to user password (excluding multimedia directories) | Encrypt to user password (excluding multimedia directories) |
| Force Lock When Holstered | No | — | — | Yes | Yes | Yes | Yes |
| Reset to Factory Defaults on Wipe | No | Yes | — | — | — | — | — |
| Service Exclusivity policy group | | | | | | | |
| Allow Other Calendar Services | Yes | Yes | — | — | — | — | — |
| Allow Other Message Services | Yes | Yes | — | — | — | — | — |
| Bluetooth® policy group | | | | | | | |
| Disable Address Book Transfer | No | — | — | — | — | Yes | Yes |
| Disable Discoverable Mode | No | — | — | Yes | Yes | Yes | Yes |
| Disable File Transfer | No | — | — | — | — | Yes | Yes |
| Disable Serial Port Profile | No | — | — | — | — | Yes | Yes |
| Require LED Connection Indicator | No | — | — | — | — | Yes | Yes |
| Wi-Fi® policy group | | | | | | | |
| Wi-Fi Allow Handheld Changes | Yes | — | No | No | No | No | No |
| Wireless Software Upgrades policy group | | | | | | | |
| Allow Non Enterprise Upgrade | No | Yes | — | — | — | — | — |
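The password rows of the table (Password Required, Password Pattern Checks, Maximum Password Age, Maximum Password History) describe checks the device applies when a user sets or keeps a password. The following is an added example, written for this page and not BlackBerry code, that enforces those four rules over a password history so you can see what the Basic and Medium columns actually accept or reject. The `PasswordPolicy`, `PasswordRecord`, `validate_new_password` and `password_expired` names are assumptions made here, the policy objects are filled in from the table's Basic Password Security and Medium Password Security columns, and the sample history in `__main__` is constructed; how the device itself stores its history is not described on this page, so the salted PBKDF2 digests are a choice made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# The two Password Pattern Checks values that appear in the table above.
PATTERN_NONE = "no restriction"
PATTERN_ALPHA_NUMERIC = "at least 1 alpha and 1 numeric character"


@dataclass
class PasswordPolicy:
    """Password-related IT policy rules. None means the rule is not set
    for this policy (a dash in the table). Names are assumptions."""
    password_required: bool
    pattern_check: str
    max_password_age_days: Optional[int]
    max_password_history: Optional[int]


# Filled in from the Medium Password Security column of the table above.
MEDIUM_PASSWORD_SECURITY = PasswordPolicy(
    password_required=True,
    pattern_check=PATTERN_ALPHA_NUMERIC,
    max_password_age_days=30,
    max_password_history=6,
)

# Filled in from the Basic Password Security column (no pattern, no history rule).
BASIC_PASSWORD_SECURITY = PasswordPolicy(
    password_required=True,
    pattern_check=PATTERN_NONE,
    max_password_age_days=60,
    max_password_history=None,
)


@dataclass
class PasswordRecord:
    """One history entry: a salted PBKDF2 digest (old passwords are never
    kept in the clear) plus the time the password was set."""
    salt: bytes
    digest: bytes
    set_at: datetime


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def record_password(password: str, set_at: datetime) -> PasswordRecord:
    salt = os.urandom(16)
    return PasswordRecord(salt, _digest(password, salt), set_at)


def _matches(record: PasswordRecord, candidate: str) -> bool:
    # Constant-time comparison of the recomputed digest against the stored one.
    return hmac.compare_digest(record.digest, _digest(candidate, record.salt))


def pattern_violations(password: str, rule: str) -> List[str]:
    """Apply the Password Pattern Checks rule to a candidate password."""
    problems = []
    if rule == PATTERN_ALPHA_NUMERIC:
        if not any(c.isalpha() for c in password):
            problems.append("password needs at least one alphabetic character")
        if not any(c.isdigit() for c in password):
            problems.append("password needs at least one numeric character")
    return problems


def validate_new_password(policy: PasswordPolicy, candidate: str,
                          history: List[PasswordRecord]) -> List[str]:
    """Return the reasons a password change is rejected under `policy`.
    `history` is ordered oldest first; an empty list means the change is allowed."""
    if not candidate:
        return ["a password is required"] if policy.password_required else []
    problems = pattern_violations(candidate, policy.pattern_check)
    if policy.max_password_history:
        # Maximum Password History: only the most recent N entries count.
        recent = history[-policy.max_password_history:]
        if any(_matches(rec, candidate) for rec in recent):
            problems.append(
                f"password matches one of the last {policy.max_password_history} passwords")
    return problems


def password_expired(policy: PasswordPolicy, history: List[PasswordRecord],
                     now: datetime) -> bool:
    """Maximum Password Age: True when the current password must be changed."""
    if policy.max_password_age_days is None or not history:
        return False
    return now - history[-1].set_at > timedelta(days=policy.max_password_age_days)


if __name__ == "__main__":
    # Constructed sample: seven earlier passwords, one every five days, newest set "now".
    now = datetime(2011, 1, 1)
    history = [record_password(f"pass{i}x", now - timedelta(days=5 * (6 - i)))
               for i in range(7)]
    print(validate_new_password(MEDIUM_PASSWORD_SECURITY, "pass6x", history))  # newest: rejected
    print(validate_new_password(MEDIUM_PASSWORD_SECURITY, "pass0x", history))  # seventh back: allowed
    print(validate_new_password(MEDIUM_PASSWORD_SECURITY, "abcdefgh", []))     # no digit: rejected
    print(password_expired(MEDIUM_PASSWORD_SECURITY, history, now + timedelta(days=31)))
```

The seventh-oldest password is accepted under the Medium policy because the history rule covers only the last six entries; raise Maximum Password History if that window is too short for your organization. The Basic policy accepts an all-digit password and any previously used one, which is the practical difference the "no restriction" and dash cells in the table represent.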