Security Guide. BlackBerry Enterprise Service 12. for BlackBerry. Version 12.0

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Security Guide. BlackBerry Enterprise Service 12. for BlackBerry. Version 12.0"

Transcription

1 Security Guide BlackBerry Enterprise Service 12 for BlackBerry Version 12.0

2 Published: SWD

3 Contents Introduction... 7 About this guide...8 What is BES12?...9 Key features of BES Security features Hardware and OS security Hardware root of trust for BlackBerry devices The BlackBerry 10 OS...13 The file system Sandboxing Device resources App permissions...14 Verifying software Preventing memory corruption...15 Activating and managing devices Activating devices...18 Activation passwords User registration with the BlackBerry Infrastructure Data flow: Activating a BlackBerry 10 device Using IT policies to manage security...22 Data in transit...23 How devices communicate with BES12 and your resources...24 How devices connect to your resources...24 Protecting connections to work networks...29 Connecting to a VPN...29 Protecting Wi-Fi connections Protecting data in transit over the BlackBerry Infrastructure How BES12 authenticates with the BlackBerry Infrastructure...33 How devices connect to the BlackBerry Infrastructure...35 How BES12 and the BlackBerry Infrastructure protect your data Protecting device management data sent between BES12 and devices... 40

4 Providing devices with single sign-on access to your organization's network...42 Using Kerberos to provide single sign-on from devices...42 Considerations for networks with a DMZ Protecting connections to BES12 with the BlackBerry Router Using the BlackBerry Router or a proxy server with BES Installing BES12 in a DMZ...44 Protecting communication with devices using certificates Providing client certificates to devices...46 Using SCEP to enroll client certificates to devices...46 Sending CA certificates to devices...49 Protecting messages Controlling which devices can use Exchange ActiveSync Extending security Data at rest...55 Activation options Securing BlackBerry Balance devices Securing regulated BlackBerry Balance devices...57 How work and personal spaces are separated Securing work space only devices Encryption How devices protect personal data...60 How devices protect work data How devices classify apps and data...62 Passwords Changing passwords...65 Data wipe Controlling when devices delete all data in the work space...69 Full device wipe Work data wipe...72 Controlling messaging...74 Controlling access to content Controlling access to devices Controlling device features...78 Controlling security timeout Managing sharing of work and personal files using the "Share" option Ensuring device integrity...80 Controlling software... 80

5 Controlling voice control Controlling logging Setting a home screen message...81 Controlling network connections from devices Transferring work data from devices using Bluetooth...82 Managing data transferred to and from a device using NFC Controlling roaming BlackBerry Link protection...86 Authentication between devices and BlackBerry Link...86 Data protection between BlackBerry Link and devices...86 Back up and restore Remote media and file access architecture Smart cards Unbinding the current smart card from a device...88 Authenticating a user using a smart card...88 Managing how devices use smart cards Apps Managing apps Managing work apps on devices...92 BlackBerry World for Work Installing personal apps on devices Preventing users from installing apps using development tools Protecting a device from malicious apps How devices are designed to prevent BlackBerry Runtime for Android apps from accessing work apps and data...93 Managing how apps open links in the work and personal spaces on devices...94 Preventing users from using voice dictation within work apps on devices Preventing users from sharing work data on devices when sharing the screen during BBM Video chats Making apps unavailable on devices Controlling how apps connect to networks...96 Controlling how work apps connect to work networks Preventing personal apps from connecting to work networks Allowing work apps to connect to personal networks...98 Cryptography...99 Cryptography on devices Symmetric encryption algorithms Asymmetric encryption algorithms...100

6 Hash algorithms Message authentication codes Signature algorithms Key agreement algorithms Cryptographic protocols Cipher suites for SSL/TLS connections Cryptographic libraries VPN cryptographic support Wi-Fi cryptographic support BlackBerry OS device security Product documentation Provide feedback Glossary Legal notice...121

7 Introduction

8 Introduction About this guide 1 BES12 helps you manage BlackBerry 10, BlackBerry OS (version 5.0 to 7.1), ios, Android, and Windows Phone devices in your organization's environment. This guide describes how BES12 delivers a higher level of control and security to BlackBerry 10 devices. This guide is intended for senior IT professionals responsible for evaluating the product and planning its deployment, as well as anyone who's interested in learning more about BES12 solution security. After you read this guide, you should understand how BES12 can help protect data in transit, data at rest, and apps for your organization. 8

9 Introduction What is BES12? 2 BES12 is an EMM solution from BlackBerry. EMM solutions help you do the following: Manage mobile devices for your organization to protect business information Keep mobile workers connected with the information that they need Provide administrators with efficient business tools With BES12, you can manage the following device types: BlackBerry 10 BlackBerry OS (version 5.0 to 7.1) ios Android Windows Phone You can manage these devices from a single, simplified UI with industry-leading security. Key features of BES12 Feature Management of many types of devices Single, unified UI Trusted and secure experience Balance of work and personal needs Description You can manage BlackBerry 10, BlackBerry OS (version 5.0 to 7.1), ios, Android, and Windows Phone devices. You can view all devices in one place and access all management tasks in a single, web-based UI. You can share administrative duties with multiple administrators who can access the management console at the same time. Device controls give you precise management of how devices connect to your network, what capabilities are enabled, and what apps are available. Whether the devices are owned by your organization or your users, you can protect your organization's information. BlackBerry Balance and Secure Work Space technologies are designed to make sure that personal information and work information are kept separate and secure on devices. If the device is lost or the employee leaves the organization, you can delete only work-related information or all information from the device. 9

10 Introduction Security features Feature Description BlackBerry manufacturing security model BlackBerry's end-to-end manufacturing model ensures BlackBerry 10 device hardware integrity and that only genuine BlackBerry devices connect to the BlackBerry Infrastructure. BlackBerry 10 OS protection Administrative control Control over device access to your organization s network Protection of data in transit Protection of data at rest Cryptography FIPS certification for the BES12 server The BlackBerry 10 OS is tamper-resistant, resilient, and secure, and includes many security features that protect data, apps, and resources on devices. BES12 provides you with control over device behavior through features such as device activation, IT administration commands, IT policies, and profiles. BES12 allows you to send work Wi-Fi profiles and work VPN profiles to BlackBerry 10 devices so that you can control which devices can connect to your organization's network. Data in transit within the BES12 solution is protected using security features such as encryption, certificates, and mutually authenticated connections. Data at rest on BlackBerry 10 devices is protected using security features such as encryption, passwords, and data wiping. BlackBerry 10 devices support various types of cryptographic algorithms, codes, protocols, and APIs. Each BES12 instance encrypts all of the data that it stores directly and writes indirectly to files using a FIPS-validated cryptographic module. 10

11 Hardware and OS security Secure

12 Hardware and OS security Hardware root of trust for BlackBerry devices 3 BlackBerry ensures the integrity of BlackBerry device hardware and makes sure that counterfeit devices can't connect to the BlackBerry Infrastructure and use BlackBerry services. From the beginning of the product lifecycle, BlackBerry integrates security into every major component of the product design of devices. BlackBerry has enhanced its end-to-end manufacturing model to securely connect the supply chain, BlackBerry manufacturing partners, the BlackBerry Infrastructure, and BlackBerry devices, which allows BlackBerry to build trusted devices anywhere in the world. The BlackBerry manufacturing security model prevents counterfeit devices from impersonating authentic devices and makes sure that only genuine BlackBerry devices can connect to the BlackBerry Infrastructure. The BlackBerry Infrastructure uses device authentication to cryptographically prove the identity of the device that attempts to register with it. The BlackBerry manufacturing systems use the device s hardware-based ECC 521-bit key pair to track, verify, and provision each device as it goes through the manufacturing process. Only devices that complete the verification and provisioning processes can register with the BlackBerry Infrastructure. 12

13 Hardware and OS security The BlackBerry 10 OS 4 The BlackBerry 10 OS is the microkernel operating system of the BlackBerry 10 device. Microkernel operating systems implement the minimum amount of software in the kernel and run other processes in the user space that is outside of the kernel. Microkernel operating systems are designed to contain less code in the kernel than other operating systems. The reduced amount of code helps the kernel to avoid the vulnerabilities that are associated with complex code and to make verification easier. Verification is the process of evaluating a system for programming errors. Many of the processes that run in the kernel in a conventional operating system run in the user space of the OS. The OS is tamper-resistant. The kernel performs an integrity test when the OS starts and if the integrity test detects damage to the kernel, the device doesn t start. The OS is resilient. The kernel isolates a process in its user space if it stops responding and restarts the process without negatively affecting other processes. In addition, the kernel uses adaptive partitioning to prevent apps from interfering with or reading the memory used by another app. The OS is secure. The kernel validates requests for resources and an authorization manager controls how apps access the capabilities of the device, such as access to the camera, contacts, and device identifying information. The file system The BlackBerry 10 device file system runs outside of the kernel and keeps work data secure and separate from personal data. The file system is divided into the following areas: Base file system Work file system Personal file system (on devices with a personal space) The base file system is read-only and contains system files. Because the base file system is read-only, the BlackBerry 10 OS can check the integrity of the base file system and mitigate any damage done by an attacker who changed the file system. The work file system contains work apps and data. The device encrypts the files stored in the work space. On devices with a personal space, the personal file system contains personal apps and data. Apps that a user installed on the device from the BlackBerry World storefront are located in the personal file system. The device can encrypt the files stored in the personal file system. Sandboxing The BlackBerry 10 OS uses a security mechanism called sandboxing to separate and restrict the capabilities and permissions of apps that run on the device. Each app process runs in its own sandbox, which is a virtual container that consists of the memory and the part of the file system that the app process has access to at a specific time. 13

14 Hardware and OS security Each sandbox is associated with both the app and the space that it's used in. For example, an app can have one sandbox in the personal space and another sandbox in the work space; each sandbox is isolated from the other one. The OS evaluates the requests that an app s process makes for memory outside of its sandbox. If a process tries to access memory outside of its sandbox without approval from the OS, the OS ends the process, reclaims all of the memory that the process is using, and restarts the process without negatively affecting other processes. When the OS is installed, it assigns a unique group ID to each app. Two apps can't share the same group ID, and the OS doesn't reuse group IDs after apps are removed. An app s group ID remains the same when the app is upgraded. By default, each app stores its data in its own sandbox. The OS prevents apps from accessing file system locations that aren't associated with the app s group ID. An app can also store and access data in a shared directory, which is a sandbox that is available to any app that has access to it. When an app that wants to store or access files in the shared directory starts for the first time, the app prompts the user to allow access. Device resources The BlackBerry 10 OS manages the device's resources so that an app can't take resources from another app. The OS uses adaptive partitioning to reallocate unused resources to apps during typical operating conditions and enhance the availability of the resources to specific apps during peak operating conditions. App permissions The authorization manager is the part of the BlackBerry 10 OS that evaluates requests from apps to access the capabilities of the device. Capabilities include taking a photograph and recording audio. The OS invokes the authorization manager when an app starts to set the permissions for the capabilities that the app uses. When an app starts, it might prompt the user to allow access to a capability. The authorization manager can store a permission that the user grants and apply the permission the next time that the app starts. Verifying software Verifying the boot loader code The BlackBerry 10 device uses an authentication method that verifies that the boot loader code is permitted to run on the device. The manufacturing process installs the boot loader into the flash memory of the device and a public signing key into the processor of the device. The BlackBerry signing authority system uses a private key to sign the boot loader code. The device stores information that it can use to verify the digital signature of the boot loader code. When a user turns on a device, the processor runs internal ROM code that reads the boot loader from flash memory and verifies the digital signature of the boot loader code using the stored public key. If the verification process completes, the boot loader is permitted to run on the device. If the verification process can't complete, the device stops running. 14

15 Hardware and OS security Verifying the OS and file system If the boot loader code is permitted to run on a BlackBerry 10 device, the boot loader code verifies the BlackBerry 10 OS. The OS is digitally signed using EC 521 with a series of private keys. The boot loader code uses the corresponding public keys to verify that the digital signature is correct. If it's correct, the boot loader code runs the BlackBerry 10 OS. Before the OS mounts the read-only base file system, it runs a validation program that generates a SHA-256 hash of the base file system content, including all metadata. The program compares the SHA-256 hash to a SHA-256 hash that is stored outside the base file system. This stored hash is digitally signed using EC 521 with a series of private keys. If the hashes match, the validation program uses the corresponding public keys to verify the signature and the integrity of the stored hash. Verifying apps and software upgrades Once the base file system is validated, the BlackBerry 10 OS verifies existing apps by reading an app s XML file and verifying the assets of the app against the cryptographically signed hashes contained in the XML manifest. Each software upgrade and app for the BlackBerry 10 device is packaged in the BlackBerry Archive (BAR) format. This format includes SHA-2 hashes of each archived file, and an ECC signature that covers the list of hashes. When a user installs a software upgrade or app, the installation program verifies that the hashes and the digital signature are correct. The digital signatures for a BAR file also indicate the author of the software upgrade or app. The user can then decide whether to install the software based on its author. Because the device can verify the integrity of a BAR file, the device can download BAR files over an HTTP connection, which makes the download process faster than over a more secure connection. Preventing memory corruption BlackBerry 10 devices prevent exploitation of memory corruption in a number of different ways, including the security mechanisms listed in the following table: Security mechanism Non-executable stack and heap Stack cookies Robust heap implementations Description The stack and heap areas of memory are marked as non-executable. This means that a process can't execute machine code in these areas of the memory, which makes it more difficult for an attacker to exploit potential buffer overflows. Stack cookies are a form of buffer overflow protection that helps prevent attackers from executing arbitrary code. The heap implementation includes a defense mechanism against the deliberate corruption of the heap area of memory. The mechanism is designed to detect or mitigate the overwriting of in-band heap data structures so that a program can fail in a secure manner. The mechanism helps prevent attackers from executing arbitrary code via heap corruption. 15

16 Hardware and OS security Security mechanism Address space layout randomization (ASLR) Compiler-level source fortification Guard pages Description By default, the memory positions of all areas of a program are randomly arranged in the address space of a process. This mechanism makes it more difficult for an attacker to perform an attack that involves predicting target addresses to execute arbitrary code. The compiler GCC uses the FORTIFY_SOURCE option to replace non-secure code constructs where possible. For example, it might replace an unbounded memory copy with its bounded equivalent. If a process attempts to access a memory page, the guard page raises a one-time exception and causes the process to fail. These guard pages are placed strategically between memory used for different purposes, such as the standard program heap and the object heap. This mechanism helps prevent an attacker from causing a heap buffer overflow and changing the behavior of a process or executing arbitrary code with the permissions of the compromised process. 16

17 Activating and managing devices Simple

18 Activating and managing devices Activating devices 5 Device activation associates a BlackBerry 10 device with a user account in BES12 and establishes a secure communication channel between the device and BES12. BES12 allows multiple devices to be activated for the same user account. More than one active ios, Android, and BlackBerry 10 device can be associated with a user account. All device types consume a license when they are activated. BlackBerry 10 devices can be activated using one of three activation types. Activation type Work and personal - Corporate Work and personal - Regulated Work space only Description This option activates a BlackBerry Balance device that separates work and personal data. Your organization only has control over the work space. This option activates a regulated BlackBerry Balance device. These devices separate work and personal data but give you additional control over the features available on the device. This option activates a device that has a work space only. By default, a user can activate a device using any of the following connections: Over any Wi-Fi connection or mobile network using a VPN connection with a connection to the BlackBerry Infrastructure Over any Wi-Fi connection or mobile network through the BlackBerry Infrastructure Your organization's activation information is registered automatically with the BlackBerry Infrastructure. The username and your organization's BES12 server address is sent to and stored in the BlackBerry Infrastructure. If you turn off registration with the BlackBerry Infrastructure, then BES12 users also require the organization's BES12 server address to activate their devices. Users can activate their devices after they receive an activation message from BES12, or they can log in to BES12 Self- Service and request an activation password. When a user begins activation of a BlackBerry Balance or regulated BlackBerry Balance device, if the device has an existing work space, the device displays a warning message to indicate that the work data and work apps on the device will be deleted. When the user confirms that the device should be activated, the existing work space is deleted and a new work space is created. When a user begins activation of a work space only device, the device displays a warning message to indicate that all data on the device will be deleted. When the user confirms that the device should be activated, all data is deleted and the device restarts before the new work space is created. 18

19 Activating and managing devices After the activation process completes, BES12 can send apps, profiles, and IT policies to the device. If an profile is configured, the user can send and receive work messages using the device. For more information about activating and managing Android and ios devices, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Security Guide for ios, Android, and Windows Phone. Activation passwords You can specify how long an activation password remains valid before it expires. You can also specify the default password length for the automatically generated password that is sent to users in the activation message. The value that you enter for the activation period expiration appears as the default setting in the "Activation period expiration" field when you add a user account to BES12. The activation period expiration can be 1 minute to 30 days, and the length of the automatically generated password can be 4 to 16 characters. User registration with the BlackBerry Infrastructure User registration with the BlackBerry Infrastructure is a setting in the default activation settings that allows users to be registered with the BlackBerry Infrastructure when you add a user to BES12. Information sent to the BlackBerry Infrastructure is sent and stored securely. The benefit of registration is that users don't have to enter the server address when they are activating a device; they only need to enter their address and password. The Enterprise Management Agent on BlackBerry 10 devices then communicates with the BlackBerry Infrastructure to retrieve the server address. A secure connection is established with BES12 with minimal user input. You can turn off user registration with the BlackBerry Infrastructure if you don't want to send user information to BlackBerry. Data flow: Activating a BlackBerry 10 device 1. You perform the following actions: 19

20 Activating and managing devices a b c Add a user to BES12 as a local user account, or by using the account information retrieved from your company directory Assign an activation profile to the user Use one of the following options to provide the user with activation details: Automatically generate a device activation password and send an with activation instructions for the user Set a device activation password and communicate the username and password to the user directly or by Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password 2. The user performs the following actions: a b Types the username and activation password on the device For a "Work and personal - Regulated" or "Work space only" activation, accepts the organization notice, which outlines the terms and conditions that the user must agree to 3. If the activation is a "Work space only" activation, the device deletes all existing data and restarts. 4. The Enterprise Management Agent on the device performs the following actions: a b Establishes a connection to the BlackBerry Infrastructure Sends a request for activation information to the BlackBerry Infrastructure 5. The BlackBerry Infrastructure performs the following actions: a b c Verifies that the user is a valid, registered user Retrieves the BES12 address for the user Sends the address to the Enterprise Management Agent 6. The device performs the following actions: a b c Establishes a connection with BES12 Generates a shared symmetric key with BES12, using the activation password and EC-SPEKE. The shared symmetric key protects the CSR and response. Creates an encrypted CSR and HMAC as follows: Generates a key pair for the certificate Creates a PKCS#10 CSR that includes the public key of the key pair Encrypts the CSR using the shared symmetric key and AES-256 in CBC mode with PKCS#5 padding Computes an HMAC of the encrypted CSR using SHA-256 and appends it to the CSR 20

21 Activating and managing devices d Sends the encrypted CSR and HMAC to BES12 7. BES12 performs the following actions: a b c d e f g Verifies the HMAC of the encrypted CSR and decrypts the CSR using the shared symmetric key Retrieves the username, work space ID, and your organization s name from the BES12 database Packages a client certificate using the information it retrieved and the CSR that the device sent Signs the client certificate using the enterprise management root certificate Encrypts the client certificate, enterprise management root certificate, and the BES12 URL using the shared symmetric key and AES-256 in CBC mode with PKCS#5 padding Computes an HMAC of the encrypted client certificate, enterprise management root certificate, and the BES12 URL and appends it to the encrypted data Sends the encrypted data and HMAC to the device 8. The device performs the following actions: a b c Verifies the HMAC Decrypts the data it received from BES12 Stores the client certificate and the enterprise management root certificate in its keystore 9. BES12 performs the following actions: a b c d BES12 Core assigns the new device to a BES12 instance in the domain BES12 Core notifies the active BlackBerry Affinity Manager that a new device is assigned to the BES12 instance The active BlackBerry Affinity Manager notifies the BlackBerry Dispatcher on that BES12 instance that there is a new device The BlackBerry Dispatcher starts processing configuration data for the device 10. The device and the BlackBerry Dispatcher perform the following actions: a b Establish a mutually authenticated TLS connection by verifying both the client certificate and the server certificate for BES12 using the enterprise management root certificate Generate the device transport key using ECMQV and the authenticated long-term public keys from the client certificate and the server certificate for BES The device stores the device transport key in its keystore. 12. The BlackBerry Dispatcher stores the device transport key in the database and sends the IT policy, SRP information, profiles, and required apps to the device over TLS. 13. The device sends an acknowledgment over TLS to BES12, that it received and applied the IT policy and other data and has created the work space. The activation process is complete. The elliptic curve protocols used during the activation process use the NIST-recommended 521-bit curve. 21

22 Activating and managing devices Using IT policies to manage security 6 An IT policy is a set of rules that restrict or allow features and functionality on devices. IT policy rules can manage the security and behavior of devices. The device OS and device activation type determine which rules in an IT policy apply to a specific device. For example, depending on the device activation type, OS, and version, IT policy rules can be used to: Enforce password requirements on devices or the device work space Prevent users from using the camera Control connections that use Bluetooth wireless technology Force data encryption Only one IT policy can be assigned to each user account, and the assigned IT policy is sent to all of the user's devices. If you don't assign an IT policy to a user account or to a group that a user or device belongs to, BES12 sends the Default IT policy to the user's devices. You can rank IT policies to specify which policy is sent to devices if a user or a device is a member of two or more groups that have different IT policies and no IT policy is assigned directly to the user account. BES12 sends the highest ranked IT policy to the user's devices. For more information about assigning and ranking IT policies, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Administration Guide. BES12 automatically sends IT policies to devices when a user activates a device, when an assigned IT policy is updated, and when a different IT policy is assigned to a user or group. When a device receives a new or updated IT policy, the device applies the configuration changes in near real-time. All of the BlackBerry 10 IT policy rules available in BES12 apply to regulated BlackBerry Balance devices. Work space only devices and BlackBerry Balance devices ignore rules in the IT policy that are not applicable to those devices. For more information about specific IT policy rules, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Policy Reference Spreadsheet. 22

23 Data in transit

24 Data in transit How devices communicate with BES12 and your resources 7 Data sent between BlackBerry 10 devices and your resources is protected using various methods depending on the path that the data takes. Most data sent between your organization's mail, web, and content servers and BlackBerry 10 devices can travel directly over a work VPN or work Wi-Fi network or through BES12 and the BlackBerry Infrastructure. When BES12 sends device management data such as IT policies, profiles, or IT administration commands and required apps from your organization's network to BlackBerry 10 devices, it always sends the data through the BlackBerry Infrastructure, even when the device is connected to a work Wi-Fi network or work VPN. Regardless of the type of data and the path it takes, the data is encrypted and travels over mutually authenticated connections. The data can't be decrypted by the BlackBerry Infrastructure or at any other point in transit. How devices connect to your resources BlackBerry 10 devices can connect to your organization s resources (for example, mail servers, web servers, and content servers) using a number of communication methods. By default, devices try to connect to your organization s resources using the following communication methods, in order: 1. Work VPN profiles that you configure 2. Work Wi-Fi profiles that you configure 3. The BlackBerry Infrastructure and BES12 4. Personal VPN profiles and personal Wi-Fi profiles that a user configures on the device 24

25 Data in transit By default, work apps on the device can also use any of these communication methods to access the resources in your organization s environment. Securing the communication between apps and your organization s network BlackBerry 10 devices permit work apps and personal apps (on devices with a personal space) to use any available Wi-Fi profile or VPN profile to connect to your organization s network. If you configure Wi-Fi profiles or VPN profiles using BES12, you permit personal apps to access your organization s network. If the security requirements of your organization don't permit personal apps to access your organization s network, you can restrict connection options. You can use the "Allow work network usage for personal apps" IT policy rule to prevent personal apps from using your organization s network to connect to the Internet using your work Wi-Fi network or work VPN connection. You can also limit the communication methods that devices can use to connect to your organization's network through BES12 by limiting connectivity options to the BlackBerry MDS Connection Service and the BlackBerry Infrastructure. Personal apps can't use the BlackBerry MDS Connection Service and the BlackBerry Infrastructure to connect to your organization s network. Related information Controlling how apps connect to networks, on page 96 Securing data pushed to apps on devices 25

26 Data in transit The BlackBerry MDS Connection Service connects push applications hosted on your organization's application servers or web servers to apps on BlackBerry 10 devices. The BlackBerry MDS Connection Service sends push requests, received from push applications, through the BlackBerry Infrastructure to apps on BlackBerry 10 devices. You can permit only specific push applications to push data to BlackBerry 10 devices and you can turn on authentication to prevent the BlackBerry MDS Connection Service from sending data from unauthorized push applications. To protect the connection between push applications and the BlackBerry MDS Connection Service, you can use TLS. Push applications can use the self-signed certificate that is generated when you configure the BlackBerry MDS Connection Service keystore, or you can add a signed certificate from a trusted public CA to the keystore. For more information about the BlackBerry MDS Connection Service, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Configuration Guide. Types of encryption used for communication between devices and your resources Communication between a device and your organization s resources can use various types of encryption. The type of encryption used depends on the connection method. Encryption type Wi-Fi encryption (IEEE ) VPN encryption Description Wi-Fi encryption is used for data in transit between a device and wireless access point if the wireless access point was set up to use Wi-Fi encryption. VPN encryption is used for data in transit between a device and a VPN server. 26

27 Data in transit Encryption type SSL/TLS encryption Description SSL/TLS encryption is used for data in transit between a device and content server, web server, or mail server in your organization. The encryption for this connection must be set up separately on each server and uses a separate certificate with each server. The server might use SSL or TLS, depending on how it's set up. Work Wi-Fi connection encryption In a work Wi-Fi connection, a BlackBerry 10 device connects to your organization s resources using the settings that you configured in a Wi-Fi profile. Wi-Fi encryption is used if the wireless access point was set up to use it. VPN connection encryption In a VPN connection, a BlackBerry 10 device connects to your organization s resources through any wireless access point or a mobile network, your organization s firewall, and your organization s VPN server. Wi-Fi encryption is used if the wireless access point was set up to use it. 27

28 Data in transit BlackBerry Infrastructure connection encryption In a BlackBerry Infrastructure connection, a device connects to your organization s resources through any wireless access point, the BlackBerry Infrastructure, your organization's firewall, and BES12. Wi-Fi encryption is only used if the wireless access point was set up to use it. Related information Types of encryption used to send device management data to devices, on page 40 28

29 Data in transit Protecting connections to work networks 8 Connecting to a VPN If your organization s environment includes VPNs, such as IPsec VPNs or SSL VPNs, you can configure BlackBerry 10 devices to authenticate with a VPN to access your organization's network. A VPN provides an encrypted tunnel between a device and the network. A VPN solution consists of a VPN client on a device and a VPN concentrator. The device can use the VPN client to authenticate with the VPN concentrator, which acts as the gateway to your organization's network. Each device includes a built-in VPN client that supports several VPN concentrators. Depending on the VPN solution, a client app may need to be installed on the device. The VPN client on the device supports the use of strong encryption to authenticate itself with the VPN concentrator. It creates an encrypted tunnel between the device and the VPN concentrator that the device and your organization's network can use to communicate. Protecting Wi-Fi connections A device can connect to work Wi-Fi networks that use the IEEE standard. The IEEE i standard uses the IEEE 802.1X standard for authentication and key management to protect work Wi-Fi networks. The IEEE i standard specifies that organizations must use the PSK protocol or the IEEE 802.1X standard as the access control method for Wi-Fi networks. You can use Wi-Fi profiles to send Wi-Fi configuration information, including security settings and any required certificates to devices. Layer 2 security methods that a device supports You can configure a device to use security methods for layer 2 (also known as the IEEE link layer) so that the wireless access point can authenticate the device to allow the device and the wireless access point to encrypt the data that they send to each other. The device supports the following layer 2 security methods: WEP encryption (64-bit and 128-bit) IEEE 802.1X standard and EAP authentication using PEAP, EAP-TLS, EAP-TTLS, and EAP-FAST TKIP and AES-CCMP encryption for WPA-Personal, WPA2-Personal, WPA-Enterprise, and WPA2-Enterprise To support layer 2 security methods, the device has a built-in IEEE 802.1X supplicant. If a work Wi-Fi network uses EAP authentication, you can permit and deny device access to the work Wi-Fi network by updating your organization s central authentication server. You're not required to update the configuration of each access point. 29

30 Data in transit For more information about IEEE and IEEE 802.1X, see For more information about EAP authentication, see RFC IEEE 802.1X standard The IEEE 802.1X standard defines a generic authentication framework that a device and a work Wi-Fi network can use for authentication. The EAP framework is specified in RFC The device supports EAP authentication methods that meet the requirements of RFC 4017 to authenticate the device to the work Wi-Fi network. Some EAP authentication methods (for example, EAP-TLS, EAP-TTLS, EAP-FAST, or PEAP) use credentials to provide mutual authentication between the device and the work Wi-Fi network. The device is compatible with the WPA-Enterprise and WPA2-Enterprise specifications. Data flow: Authenticating a device with a work Wi-Fi network using the IEEE 802.1X standard If you configured a wireless access point to use the IEEE 802.1X standard, the access point permits communication using EAP authentication only. This data flow assumes that you configured a device to use an EAP authentication method to communicate with the access point. 1. The device associates itself with the access point that you configured to use the IEEE 802.1X standard. The device sends its credentials (typically a username and password) to the access point. 2. The access point sends the credentials to the authentication server. 3. The authentication server performs the following actions: a b c Authenticates the device on behalf of the access point Instructs the access point to permit access to the work Wi-Fi network Sends Wi-Fi credentials to the device to permit it to authenticate with the access point 4. The access point and device use EAPoL-Key messages to generate encryption keys (for example, WEP, TKIP, or AES- CCMP, depending on the EAP authentication method that the device uses). When the device sends EAPoL messages, the device uses the encryption and integrity requirements that the EAP authentication method specifies. When the device sends EAPoL-Key messages, the device uses the ARC4 algorithm or AES algorithm to provide integrity and encryption. After the access point and device generate the encryption key, the device can access the work Wi-Fi network. 30

31 Data in transit EAP authentication methods that devices support PEAP authentication PEAP authentication permits devices to authenticate with an authentication server and access a work Wi-Fi network. PEAP authentication uses TLS to create an encrypted tunnel between a device and the authentication server. It uses the TLS tunnel to send the authentication credentials of the device to the authentication server. Devices support PEAPv0 and PEAPv1 for PEAP authentication. Devices also support EAP-MS-CHAPv2 and EAP-GTC as secondphase protocols during PEAP authentication so that devices can exchange credentials with the work Wi-Fi network. To configure PEAP authentication, you must send a CA certificate that corresponds to the authentication server certificate to devices and enroll client certificates, if required. You can use SCEP to enroll client certificates on devices. For more information, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Administration Guide. EAP-TLS authentication EAP-TLS authentication uses a PKI to permit a device to authenticate with an authentication server and access a work Wi-Fi network. EAP-TLS authentication uses TLS to create an encrypted tunnel between the device and the authentication server. EAP-TLS authentication uses the TLS encrypted tunnel and a client certificate to send the credentials of the device to the authentication server. Devices support EAP-TLS authentication when the authentication server and the client use certificates that meet specific requirements. To configure EAP-TLS authentication, you must send a CA certificate that corresponds to the authentication server certificate to devices and enroll client certificates. You can use SCEP to enroll certificates on devices. For more information, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Administration Guide. For more information about EAP-TLS authentication, see RFC EAP-TTLS authentication EAP-TTLS authentication extends EAP-TLS authentication to permit a device and an authentication server to mutually authenticate. When the authentication server uses its certificate to authenticate with the device and open a protected connection to the device, the authentication server uses an authentication protocol over the protected connection to authenticate with the device. Devices support EAP-MS-CHAPv2, MS-CHAPv2, and PAP as second-phase protocols during EAP-TTLS authentication so that devices can exchange credentials with the work Wi-Fi network. To configure EAP-TTLS authentication, you must send a CA certificate that corresponds to the authentication server certificate to devices. For more information, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Administration Guide. 31

32 Data in transit How a device and BES12 protect sensitive Wi-Fi information To permit a device to access a Wi-Fi network, you must send sensitive Wi-Fi information such as encryption keys and passwords to the device using Wi-Fi profiles and VPN profiles. After the device receives the sensitive Wi-Fi information, the device encrypts the encryption keys and passwords and stores them in flash memory. BES12 encrypts the sensitive Wi-Fi information that it sends to the device and stores the sensitive Wi-Fi information in the BES12 database. You can help protect the sensitive Wi-Fi information in BES12 database using access controls and configuration settings. EAP-FAST authentication EAP-FAST authentication uses PAC to open a TLS connection to a device and verify the supplicant credentials of the device over the TLS connection. Devices support EAP-MS-CHAPv2 and EAP-GTC as second-phase protocols during EAP-FAST authentication so that devices can exchange authentication credentials with work Wi-Fi networks. Devices support the use of automatic PAC provisioning with EAP-FAST authentication only. For more information about EAP-FAST authentication, see RFC Supported EAP authentication methods when using CCKM BlackBerry 10 devices support the use of CCKM with all supported EAP authentication methods to improve roaming between wireless access points. Devices don't support the use of CCKM with the CKIP encryption algorithm or the AES-CCMP encryption algorithm. Using certificates with PEAP authentication, EAP-TLS authentication, or EAP-TTLS authentication If your organization uses PEAP authentication, EAP-TLS authentication, or EAP-TTLS authentication to protect the wireless access points for a work Wi-Fi network, a device must authenticate mutually with an access point using an authentication server. To generate the certificates that the device and authentication server use to authenticate with each other, you require a CA. For PEAP authentication, EAP-TLS authentication, or EAP-TTLS authentication to be successful, the device must trust the certificate of the authentication server. The device doesn't trust the certificate of the authentication server automatically. Each device stores a list CA certificates that it explicitly trusts. To trust the certificate of the authentication server, the device must store the CA certificate for the certificate of the authentication server. You can send CA certificates to every device and you can use SCEP to enroll client certificates on devices. For more information, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Administration Guide. 32

33 Data in transit Protecting data in transit over the BlackBerry Infrastructure 9 Data sent between BlackBerry 10 devices and your resources passes through the BlackBerry Infrastructure in the following circumstances: BES12 sends required apps and all device management data, such as IT policies, profiles, or IT administration commands, to devices through the BlackBerry Infrastructure, even when the device is connected to a work VPN or work Wi-Fi network. Data sent between a device and your organization's mail, web, and content servers travels through BES12 and the BlackBerry Infrastructure only when the device isn't connected to a work VPN or work Wi-Fi network. How BES12 authenticates with the BlackBerry Infrastructure To protect data in transit between BES12 and the BlackBerry Infrastructure, BES12 and the BlackBerry Infrastructure must authenticate with each other before they can transfer data. BES12 and the BlackBerry Infrastructure use different authentication methods, depending on the type of data being sent: When BES12 sends device management data to BlackBerry 10 devices through the BlackBerry Infrastructure, BES12 and the BlackBerry Infrastructure establish a mutually authenticated TLS connection that uses AES-256 to protect the data. When BES12 sends work data from your organization's mail, web, and content servers to BlackBerry 10 devices through the BlackBerry Infrastructure, BES12 uses SRP to authenticate with and connect to the BlackBerry Infrastructure. SRP is a proprietary point-to-point protocol that runs over TCP/IP. BES12 uses SRP to contact the BlackBerry Infrastructure and open a connection. When BES12 and the BlackBerry Infrastructure open a connection, they can perform the following actions: Authenticate with each other Exchange configuration information Send and receive data Data flow: Authenticating BES12 with the BlackBerry Infrastructure when sending work data 33

34 Data in transit 1. BES12 connects to the BlackBerry Infrastructure and initiates a TLS connection. 2. The BlackBerry Infrastructure sends an authentication certificate to BES BES12 performs the following actions: Verifies that the authentication certificate is signed by a trusted CA Verifies the name of the server in the BlackBerry Infrastructure to establish the TLS connection Sends a data packet that contains its unique SRP ID and SRP authentication key to the BlackBerry Infrastructure to claim the SRP ID 4. The BlackBerry Infrastructure sends a random challenge string to BES BES12 sends a challenge string to the BlackBerry Infrastructure. 6. The BlackBerry Infrastructure hashes the challenge string it received from BES12 with the SRP authentication key using HMAC with the SHA-1 algorithm. The BlackBerry Infrastructure sends the resulting 20-byte value to BES12 as a challenge response. 7. BES12 hashes the challenge string it received from the BlackBerry Infrastructure with the SRP authentication key, and sends the result as a challenge response to the BlackBerry Infrastructure. 8. The BlackBerry Infrastructure performs one of the following actions: Accepts the challenge response and sends a confirmation to BES12 to complete the authentication process and configure an authenticated SRP connection Rejects the challenge response If the BlackBerry Infrastructure rejects the challenge response, the authentication process isn't successful. The BlackBerry Infrastructure and BES12 close the SRP connection. If BES12 uses the same SRP authentication key and SRP ID to connect to (and then disconnect from) the BlackBerry Infrastructure five times in one minute, the BlackBerry Infrastructure deactivates the SRP ID to help prevent an attacker from using the SRP ID to create conditions for a DoS attack. Data flow: Authenticating BES12 with the BlackBerry Infrastructure when sending device management data 1. BES12 connects to the BlackBerry Infrastructure and initiates a TLS connection. 2. The BlackBerry Infrastructure sends an authentication certificate to BES12. 34

Security Guide. BES12 Cloud. for BlackBerry

Security Guide. BES12 Cloud. for BlackBerry Security Guide BES12 Cloud for BlackBerry Published: 2015-03-31 SWD-20150317085646346 Contents Introduction... 7 About this guide...8 What is BES12 Cloud?... 9 Key features of BES12 Cloud...10 Security

More information

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2 BlackBerry Enterprise Service 10 BlackBerry Device Service Solution Version: 10.2 Security Technical Overview Published: 2014-09-10 SWD-20140908123239883 Contents 1 About BlackBerry Device Service solution

More information

Security Guide. BlackBerry 10 Device

Security Guide. BlackBerry 10 Device Security Guide BlackBerry 10 Device Published: 2016-01-29 SWD-20160129121335350 Contents Introduction... 5 Secure device management... 6 Hardware root of trust...7 The BlackBerry 10 OS... 8 The file system...8

More information

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0 Security Guide BlackBerry Enterprise Service 12 for ios, Android, and Windows Phone Version 12.0 Published: 2015-02-06 SWD-20150206130210406 Contents About this guide... 6 What is BES12?... 7 Key features

More information

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise

More information

Architecture and Data Flow Overview. BlackBerry Enterprise Service 10 721-08877-123 Version: 10.2. Quick Reference

Architecture and Data Flow Overview. BlackBerry Enterprise Service 10 721-08877-123 Version: 10.2. Quick Reference Architecture and Data Flow Overview BlackBerry Enterprise Service 10 721-08877-123 Version: Quick Reference Published: 2013-11-28 SWD-20131128130321045 Contents Key components of BlackBerry Enterprise

More information

Security Technical. Overview. BlackBerry Enterprise Server for Microsoft Exchange. Version: 5.0 Service Pack: 4

Security Technical. Overview. BlackBerry Enterprise Server for Microsoft Exchange. Version: 5.0 Service Pack: 4 BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 4 Security Technical Overview Published: 2014-01-17 SWD-20140117135425071 Contents 1 New in this release...10 2 Overview...

More information

Advanced Administration

Advanced Administration BlackBerry Enterprise Service 10 BlackBerry Device Service Version: 10.2 Advanced Administration Guide Published: 2014-09-10 SWD-20140909133530796 Contents 1 Introduction...11 About this guide...12 What

More information

Administration Guide. BlackBerry Enterprise Service 12. Version 12.0

Administration Guide. BlackBerry Enterprise Service 12. Version 12.0 Administration Guide BlackBerry Enterprise Service 12 Version 12.0 Published: 2015-01-16 SWD-20150116150104141 Contents Introduction... 9 About this guide...10 What is BES12?...11 Key features of BES12...

More information

BlackBerry Enterprise Server 5.0 SP3 and BlackBerry 7.1

BlackBerry Enterprise Server 5.0 SP3 and BlackBerry 7.1 BlackBerry Enterprise Server 5.0 SP3 and BlackBerry 7.1 Version: 5.0 Service Pack: 3 Security Technical Overview Published: 2012-01-17 SWD-1936256-0117012253-001 Contents 1 Document revision history...

More information

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0 Configuration Guide BlackBerry Enterprise Service 12 Version 12.0 Published: 2014-12-19 SWD-20141219132902639 Contents Introduction... 7 About this guide...7 What is BES12?...7 Key features of BES12...

More information

Configuration Guide BES12. Version 12.1

Configuration Guide BES12. Version 12.1 Configuration Guide BES12 Version 12.1 Published: 2015-04-22 SWD-20150422113638568 Contents Introduction... 7 About this guide...7 What is BES12?...7 Key features of BES12... 8 Product documentation...

More information

ipad in Business Security

ipad in Business Security ipad in Business Security Device protection Strong passcodes Passcode expiration Passcode reuse history Maximum failed attempts Over-the-air passcode enforcement Progressive passcode timeout Data security

More information

Installation and Administration Guide

Installation and Administration Guide Installation and Administration Guide BlackBerry Enterprise Transporter for BlackBerry Enterprise Service 12 Version 12.0 Published: 2014-11-06 SWD-20141106165936643 Contents What is BES12?... 6 Key features

More information

BlackBerry Enterprise Service 10. Version: 10.2. Configuration Guide

BlackBerry Enterprise Service 10. Version: 10.2. Configuration Guide BlackBerry Enterprise Service 10 Version: 10.2 Configuration Guide Published: 2015-02-27 SWD-20150227164548686 Contents 1 Introduction...7 About this guide...8 What is BlackBerry Enterprise Service 10?...9

More information

BlackBerry Enterprise Service 10. Universal Device Service Version: 10.2. Administration Guide

BlackBerry Enterprise Service 10. Universal Device Service Version: 10.2. Administration Guide BlackBerry Enterprise Service 10 Universal Service Version: 10.2 Administration Guide Published: 2015-02-24 SWD-20150223125016631 Contents 1 Introduction...9 About this guide...10 What is BlackBerry

More information

Policy and Profile Reference Guide

Policy and Profile Reference Guide BlackBerry Enterprise Service 10 BlackBerry Device Service Version: 10.2 Policy and Profile Reference Guide Published: 2014-06-16 SWD-20140616165002982 Contents 1 About this guide... 10 2 New IT policy

More information

Configuration Guide BES12. Version 12.2

Configuration Guide BES12. Version 12.2 Configuration Guide BES12 Version 12.2 Published: 2015-07-07 SWD-20150630131852557 Contents About this guide... 8 Getting started... 9 Administrator permissions you need to configure BES12... 9 Obtaining

More information

iphone in Business Security Overview

iphone in Business Security Overview iphone in Business Security Overview iphone can securely access corporate services and protect data on the device. It provides strong encryption for data in transmission, proven authentication methods

More information

Troubleshooting BlackBerry Enterprise Service 10 version 10.1.1 726-08745-123. Instructor Manual

Troubleshooting BlackBerry Enterprise Service 10 version 10.1.1 726-08745-123. Instructor Manual Troubleshooting BlackBerry Enterprise Service 10 version 10.1.1 726-08745-123 Instructor Manual Published: 2013-07-02 SWD-20130702091645092 Contents Advance preparation...7 Required materials...7 Topics

More information

Deploying iphone and ipad Security Overview

Deploying iphone and ipad Security Overview Deploying iphone and ipad Security Overview ios, the operating system at the core of iphone and ipad, is built upon layers of security. This enables iphone and ipad to securely access corporate services

More information

Configuration Guide BES12. Version 12.3

Configuration Guide BES12. Version 12.3 Configuration Guide BES12 Version 12.3 Published: 2016-01-19 SWD-20160119132230232 Contents About this guide... 7 Getting started... 8 Configuring BES12 for the first time...8 Configuration tasks for managing

More information

Security Guide. BES12 Cloud

Security Guide. BES12 Cloud Security Guide BES12 Cloud Published: 2015-08-20 SWD-20150812133927242 Contents Security features of BES12 Cloud...4 How BES12 Cloud protects data stored in BlackBerry data centers...4 How BES12 Cloud

More information

Licensing Guide BES12. Version 12.1

Licensing Guide BES12. Version 12.1 Licensing Guide BES12 Version 12.1 Published: 2015-04-02 SWD-20150402115554403 Contents Introduction... 5 About this guide...5 What is BES12?...5 Key features of BES12... 5 About licensing...7 Steps to

More information

Security Guide. PRIV by BlackBerry

Security Guide. PRIV by BlackBerry Security Guide PRIV by BlackBerry Published: 2016-04-25 SWD-20160425114127770 Contents Introduction: Security and privacy, deep and wide...5 Device security: Layered defenses throughout the stack...6 Device

More information

BlackBerry 10.3 Work and Personal Corporate

BlackBerry 10.3 Work and Personal Corporate GOV.UK Guidance BlackBerry 10.3 Work and Personal Corporate Published Contents 1. Usage scenario 2. Summary of platform security 3. How the platform can best satisfy the security recommendations 4. Network

More information

Policy and Profile Reference Guide. BES10 Cloud Market Preview

Policy and Profile Reference Guide. BES10 Cloud Market Preview Policy and Profile Reference Guide BES10 Cloud Market Preview Published: 2014-02-04 SWD-20140204170848330 Contents About this guide... 13 What is BES10 Cloud?... 13 Key features of BES10 Cloud...14 IT

More information

ClickShare Network Integration

ClickShare Network Integration ClickShare Network Integration Application note 1 Introduction ClickShare Network Integration aims at deploying ClickShare in larger organizations without interfering with the existing wireless network

More information

Salesforce1 Mobile Security Guide

Salesforce1 Mobile Security Guide Salesforce1 Mobile Security Guide Version 1, 1 @salesforcedocs Last updated: December 8, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com,

More information

BYOD Guidance: BlackBerry Secure Work Space

BYOD Guidance: BlackBerry Secure Work Space GOV.UK Guidance BYOD Guidance: BlackBerry Secure Work Space Published 17 February 2015 Contents 1. About this guidance 2. Summary of key risks 3. Secure Work Space components 4. Technical assessment 5.

More information

BlackBerry Business Cloud Services. Policy Reference Guide

BlackBerry Business Cloud Services. Policy Reference Guide BlackBerry Business Cloud Services Policy Reference Guide Published: 2012-01-30 SWD-1710801-0125055002-001 Contents 1 IT policy rules... 5 Preconfigured IT policies... 5 Default for preconfigured IT policies...

More information

ClickShare Network Integration

ClickShare Network Integration ClickShare Network Integration Application note 1 Introduction ClickShare Network Integration aims at deploying ClickShare in larger organizations without interfering with the existing wireless network

More information

BlackBerry Enterprise Service 10. Version: 10.2. Installation Guide

BlackBerry Enterprise Service 10. Version: 10.2. Installation Guide BlackBerry Enterprise Service 10 Version: 10.2 Installation Guide Published: 2015-08-17 SWD-20150817115607897 Contents 1 About this guide...5 2 What is BlackBerry Enterprise Service 10?... 6 Key features

More information

Administration Guide BES12. Version 12.3

Administration Guide BES12. Version 12.3 Administration Guide BES12 Version 12.3 Published: 2015-10-30 SWD-20151028105551254 Contents Introduction... 11 About this guide...12 How to use this guide... 13 Steps to administer BES12... 13 Examples

More information

Ensuring the security of your mobile business intelligence

Ensuring the security of your mobile business intelligence IBM Software Business Analytics Cognos Business Intelligence Ensuring the security of your mobile business intelligence 2 Ensuring the security of your mobile business intelligence Contents 2 Executive

More information

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0. Administration Guide

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0. Administration Guide BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Administration Guide SWDT487521-635336-0528040852-001 Contents 1 Overview: BlackBerry Enterprise Server... 21 Getting started in your BlackBerry

More information

Corporate-level device management for BlackBerry, ios and Android

Corporate-level device management for BlackBerry, ios and Android B L A C K B E R R Y E N T E R P R I S E S E R V I C E 1 0 Corporate-level device management for BlackBerry, ios and Android Corporate-level (EMM) delivers comprehensive device management, security and

More information

Feature and Technical

Feature and Technical BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 4 Feature and Technical Overview Published: 2013-11-07 SWD-20131107160132924 Contents 1 Document revision history...6 2 What's

More information

Reference Guide. What's New in BES12 Cloud

Reference Guide. What's New in BES12 Cloud Reference Guide What's New in BES12 Cloud 711-60712-123 Published: 2016-06-20 SWD-20160620151902701 Contents What's new in BES12 Cloud...5 Supported features by device type... 5 Compatibility and requirements...11

More information

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2. Feature and Technical Overview

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2. Feature and Technical Overview BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2 Feature and Technical Overview Published: 2010-06-16 SWDT305802-1108946-0615123042-001 Contents 1 Overview: BlackBerry Enterprise

More information

HIGH-SECURITY MOBILITY MANAGEMENT FROM BLACKBERRY

HIGH-SECURITY MOBILITY MANAGEMENT FROM BLACKBERRY DATASHEET HIGH-SECURITY MOBILITY MANAGEMENT FROM BLACKBERRY Gold level EMM for BlackBerry Regulated-level security for BlackBerry 10 devices Ultimate security. BlackBerry 10 devices managed by BES10 with

More information

HIGH-SECURITY MOBILITY MANAGEMENT FROM BLACKBERRY

HIGH-SECURITY MOBILITY MANAGEMENT FROM BLACKBERRY GOLD EMM SUBSCRIPTIONS Experience the most secure mobility management solution with BES12 and Gold Enterprise Mobility Management (EMM) subscriptions. HIGH-SECURITY MOBILITY MANAGEMENT FROM BLACKBERRY

More information

7.1. Remote Access Connection

7.1. Remote Access Connection 7.1. Remote Access Connection When a client uses a dial up connection, it connects to the remote access server across the telephone system. Windows client and server operating systems use the Point to

More information

Deploying iphone and ipad Virtual Private Networks

Deploying iphone and ipad Virtual Private Networks Deploying iphone and ipad Virtual Private Networks Secure access to private corporate networks is available on iphone and ipad using established industry-standard virtual private network (VPN) protocols.

More information

Configuration Guide. BES12 Cloud

Configuration Guide. BES12 Cloud Configuration Guide BES12 Cloud Published: 2016-04-08 SWD-20160408113328879 Contents About this guide... 6 Getting started... 7 Configuring BES12 for the first time...7 Administrator permissions you need

More information

New Security Features

New Security Features New Security Features BlackBerry 10 OS Version 10.3.1 Published: 2014-12-17 SWD-20141211141004210 Contents About this guide... 4 Advanced data at rest protection... 5 System requirements... 6 Managing

More information

SIMPLIFY MULTI-PLATFORM ENTERPRISE MOBILITY MANAGEMENT

SIMPLIFY MULTI-PLATFORM ENTERPRISE MOBILITY MANAGEMENT DATASHEET SIMPLIFY MULTI-PLATFORM ENTERPRISE MOBILITY MANAGEMENT Silver level EMM Enterprise Mobility Management for Corporate-owned and BYOD devices BlackBerry Enterprise Service 10 is a powerful device,

More information

Feature and Technical

Feature and Technical BlackBerry Mobile Voice System for SIP Gateways and the Avaya Aura Session Manager Version: 5.3 Feature and Technical Overview Published: 2013-06-19 SWD-20130619135120555 Contents 1 Overview...4 2 Features...5

More information

ios Security Decoded Dave Test Classroom and Lab Computing Penn State ITS Feedback - http://j.mp/psumac33

ios Security Decoded Dave Test Classroom and Lab Computing Penn State ITS Feedback - http://j.mp/psumac33 ios Security Decoded Dave Test Classroom and Lab Computing Penn State ITS Feedback - http://j.mp/psumac33 Why care about ios Security? 800M 800 million ios devices activated 130 million in last year 98%

More information

PowerChute TM Network Shutdown Security Features & Deployment

PowerChute TM Network Shutdown Security Features & Deployment PowerChute TM Network Shutdown Security Features & Deployment By David Grehan, Sarah Jane Hannon ABSTRACT PowerChute TM Network Shutdown (PowerChute) software works in conjunction with the UPS Network

More information

Configuring Security Features of Session Recording

Configuring Security Features of Session Recording Configuring Security Features of Session Recording Summary This article provides information about the security features of Citrix Session Recording and outlines the process of configuring Session Recording

More information

In-Depth Look at Capabilities: Samsung KNOX and Android for Work

In-Depth Look at Capabilities: Samsung KNOX and Android for Work In-Depth Look at Capabilities: Samsung KNOX and Android for Work Silent Install Using the Samsung KNOX Workspace Mobile Device Management (MDM) APIs, IT admins can install and enable applications automatically.

More information

BlackBerry Enterprise Service 10 version 10.2 preinstallation and preupgrade checklist

BlackBerry Enterprise Service 10 version 10.2 preinstallation and preupgrade checklist BlackBerry Enterprise Service version.2 preinstallation and preupgrade checklist Verify that the following requirements are met before you install or upgrade to BlackBerry Enterprise Service version.2.

More information

BlackBerry 10.3 Work Space Only

BlackBerry 10.3 Work Space Only GOV.UK Guidance BlackBerry 10.3 Work Space Only Published Contents 1. Usage scenario 2. Summary of platform security 3. How the platform can best satisfy the security recommendations 4. Network architecture

More information

introducing The BlackBerry Collaboration Service

introducing The BlackBerry Collaboration Service Introducing the Collaboration Service 10.2 for the Enterprise IM app 3.1 introducing The Collaboration Service Sender Instant Messaging Server Collaboration Service 10 device Recipient V. 1.0 June 2013

More information

BlackBerry Desktop Software User Guide

BlackBerry Desktop Software User Guide BlackBerry Desktop Software User Guide Version: 2.4 SWD-1905381-0426093716-001 Contents Basics... 3 About the BlackBerry Desktop Software... 3 Set up your smartphone with the BlackBerry Desktop Software...

More information

The Importance of Wireless Security

The Importance of Wireless Security The Importance of Wireless Security Because of the increasing popularity of wireless networks, there is an increasing need for security. This is because unlike wired networks, wireless networks can be

More information

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org

More information

Chapter 17. Transport-Level Security

Chapter 17. Transport-Level Security Chapter 17 Transport-Level Security Web Security Considerations The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets The following characteristics

More information

Configuration Guide BES12. Version 12.4

Configuration Guide BES12. Version 12.4 Configuration Guide BES12 Version 12.4 Published: 2016-04-13 SWD-20160413171027740 Contents About this guide... 8 Getting started... 9 Configuring BES12 for the first time...9 Configuration tasks for managing

More information

BlackBerry Enterprise Solution

BlackBerry Enterprise Solution BlackBerry Enterprise Solution Security Technical Overview for BlackBerry Enterprise Server Version 4.1 Service Pack 5 and BlackBerry Device Software Version 4.5 2008 Research In Motion Limited. All rights

More information

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2. Administration Guide

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2. Administration Guide BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2 Administration Guide Published: 2010-06-16 SWDT487521-1041691-0616023638-001 Contents 1 Overview: BlackBerry Enterprise

More information

Installation and Upgrade Guide

Installation and Upgrade Guide Installation and Upgrade Guide BES12 Version 12.4 Published: 2016-05-31 SWD-20160531105238577 Contents Planning...6 Steps to plan your BES12 environment...6 Identifying your organization's needs...6 EMM

More information

Installation and Administration Guide

Installation and Administration Guide Installation and Administration Guide BlackBerry Collaboration Service Version 12.1 Published: 2015-02-25 SWD-20150225135812271 Contents About this guide... 5 Planning a BlackBerry Collaboration Service

More information

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

Certificate Management. PAN-OS Administrator s Guide. Version 7.0 Certificate Management PAN-OS Administrator s Guide Version 7.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us

More information

Introduction to the Mobile Access Gateway

Introduction to the Mobile Access Gateway Introduction to the Mobile Access Gateway This document provides an overview of the AirWatch Mobile Access Gateway (MAG) architecture and security and explains how to enable MAG functionality in the AirWatch

More information

SENSE Security overview 2014

SENSE Security overview 2014 SENSE Security overview 2014 Abstract... 3 Overview... 4 Installation... 6 Device Control... 7 Enrolment Process... 8 Authentication... 9 Network Protection... 12 Local Storage... 13 Conclusion... 15 2

More information

BlackBerry Business Cloud Services. Administration Guide

BlackBerry Business Cloud Services. Administration Guide BlackBerry Business Cloud Services Administration Guide Published: 2012-07-25 SWD-20120725193410416 Contents 1 About BlackBerry Business Cloud Services... 8 BlackBerry Business Cloud Services feature overview...

More information

Cisco Secure ACS. By Igor Koudashev, Systems Engineer, Cisco Systems Australia ivk@cisco.com. 2006 Cisco Systems, Inc. All rights reserved.

Cisco Secure ACS. By Igor Koudashev, Systems Engineer, Cisco Systems Australia ivk@cisco.com. 2006 Cisco Systems, Inc. All rights reserved. Cisco Secure ACS Overview By Igor Koudashev, Systems Engineer, Cisco Systems Australia ivk@cisco.com 2006 Cisco Systems, Inc. All rights reserved. 1 Cisco Secure Access Control System Policy Control and

More information

Ensuring the security of your mobile business intelligence

Ensuring the security of your mobile business intelligence IBM Software Business Analytics Cognos Business Intelligence Ensuring the security of your mobile business intelligence 2 Ensuring the security of your mobile business intelligence Contents 2 Executive

More information

FileCloud Security FAQ

FileCloud Security FAQ is currently used by many large organizations including banks, health care organizations, educational institutions and government agencies. Thousands of organizations rely on File- Cloud for their file

More information

BlackBerry Device Software. Protecting BlackBerry Smartphones Against Malware. Security Note

BlackBerry Device Software. Protecting BlackBerry Smartphones Against Malware. Security Note BlackBerry Device Software Protecting BlackBerry Smartphones Against Malware Security Note Published: 2012-05-14 SWD-20120514091746191 Contents 1 Protecting smartphones from malware... 4 2 System requirements...

More information

CrashPlan Security SECURITY CONTEXT TECHNOLOGY

CrashPlan Security SECURITY CONTEXT TECHNOLOGY TECHNICAL SPECIFICATIONS CrashPlan Security CrashPlan is a continuous, multi-destination solution engineered to back up mission-critical data whenever and wherever it is created. Because mobile laptops

More information

802.1X Authentication

802.1X Authentication OS X 10.7.3 and ios 5.1 May 25, 2012 Contents About 802.1X... 3 Apple Product Compatibility with 802.1X... 7 Configuring 802.1X Settings... 10 Resources... 17 Appendix A: Payload Settings for 802.1X...

More information

Technical Certificates Overview

Technical Certificates Overview Technical Certificates Overview Version 8.2 Mobile Service Manager Legal Notice This document, as well as all accompanying documents for this product, is published by Good Technology Corporation ( Good

More information

Getting Started Guide

Getting Started Guide BlackBerry Web Services For Microsoft.NET developers Version: 10.2 Getting Started Guide Published: 2013-12-02 SWD-20131202165812789 Contents 1 Overview: BlackBerry Enterprise Service 10... 5 2 Overview:

More information

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security? 7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk

More information

State of Kansas. Interim Wireless Local Area Networks Security and Technical Architecture

State of Kansas. Interim Wireless Local Area Networks Security and Technical Architecture State of Kansas Interim Wireless Local Area Networks Security and Technical Architecture October 6, 2005 Prepared for Wireless Policy Committee Prepared by Revision Log DATE Version Change Description

More information

PMDP is simple to set up, start using, and maintain

PMDP is simple to set up, start using, and maintain Product Datasheet IBELEM, SA ITS Group - 5, boulevard des Bouvets 92741 Nanterre Cedex - FRANCE Tel: +33(0)1.55.17.45.75 Fax: +33(0)1.73.72.34.08 - www.ibelem.com - info@ibelem.com PMDP is simple to set

More information

Case Study for Layer 3 Authentication and Encryption

Case Study for Layer 3 Authentication and Encryption CHAPTER 2 Case Study for Layer 3 Authentication and Encryption This chapter explains the basic tasks for configuring a multi-service, extranet Virtual Private Network (VPN) between a Cisco Secure VPN Client

More information

Administration Guide. BlackBerry Resource Kit for BlackBerry Enterprise Service 10. Version 10.2

Administration Guide. BlackBerry Resource Kit for BlackBerry Enterprise Service 10. Version 10.2 Administration Guide BlackBerry Resource Kit for BlackBerry Enterprise Service 10 Version 10.2 Published: 2015-11-12 SWD-20151112124107981 Contents Overview: BlackBerry Enterprise Service 10... 8 Overview:

More information

THERE S GOOD SECURITY AND THEN THERE S NATIONAL SECURITY

THERE S GOOD SECURITY AND THEN THERE S NATIONAL SECURITY BROCHURE THERE S GOOD SECURITY AND THEN THERE S NATIONAL SECURITY BlackBerry 10 and BES10 The perfect balance of protection and productivity THE PERFECT BALANCE OF PROTECTION AND PRODUCTIVITY Contents

More information

McAfee Firewall Enterprise 8.2.1

McAfee Firewall Enterprise 8.2.1 Configuration Guide FIPS 140 2 Revision A McAfee Firewall Enterprise 8.2.1 The McAfee Firewall Enterprise FIPS 140 2 Configuration Guide, version 8.2.1, provides instructions for setting up McAfee Firewall

More information

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks Decryption Palo Alto Networks PAN-OS Administrator s Guide Version 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us

More information

Security Policy Revision Date: 23 April 2009

Security Policy Revision Date: 23 April 2009 Security Policy Revision Date: 23 April 2009 Remote Desktop Support Version 3.2.1 or later for Windows Version 3.1.2 or later for Linux and Mac 4 ISL Light Security Policy This section describes the procedure

More information

Windows Phone 8.1 in the Enterprise

Windows Phone 8.1 in the Enterprise Windows Phone 8.1 in the Enterprise Version 1.4 MobileIron 415 East Middlefield Road Mountain View, CA 94043 USA Tel. +1.650.919.8100 Fax +1.650.919.8006 info@mobileiron.com Introduction 3 Why Windows

More information

Xperia TM Security. Read about how Xperia TM devices manage security in a corporate IT environment

Xperia TM Security. Read about how Xperia TM devices manage security in a corporate IT environment Xperia TM Security in Business Read about how Xperia TM devices manage security in a corporate IT environment System security Secure storage Network security Device security Digital certificates June 2015

More information

Application Note: Onsight Device VPN Configuration V1.1

Application Note: Onsight Device VPN Configuration V1.1 Application Note: Onsight Device VPN Configuration V1.1 Table of Contents OVERVIEW 2 1 SUPPORTED VPN TYPES 2 1.1 OD VPN CLIENT 2 1.2 SUPPORTED PROTOCOLS AND CONFIGURATION 2 2 OD VPN CONFIGURATION 2 2.1

More information

Sync Security and Privacy Brief

Sync Security and Privacy Brief Introduction Security and privacy are two of the leading issues for users when transferring important files. Keeping data on-premises makes business and IT leaders feel more secure, but comes with technical

More information

Security Considerations for DirectAccess Deployments. Whitepaper

Security Considerations for DirectAccess Deployments. Whitepaper Security Considerations for DirectAccess Deployments Whitepaper February 2015 This white paper discusses security planning for DirectAccess deployment. Introduction DirectAccess represents a paradigm shift

More information

Release Notes. NCP Secure Entry Mac Client. Major Release 2.01 Build 47 May 2011. 1. New Features and Enhancements. Tip of the Day

Release Notes. NCP Secure Entry Mac Client. Major Release 2.01 Build 47 May 2011. 1. New Features and Enhancements. Tip of the Day NCP Secure Entry Mac Client Major Release 2.01 Build 47 May 2011 1. New Features and Enhancements Tip of the Day A Tip of the Day field for configuration tips and application examples is incorporated in

More information

Certificate Management

Certificate Management Certificate Management This guide provides information on...... Configuring the GO!Enterprise MDM server to use a Microsoft Active Directory Certificate Authority... Using Certificates from Outside Sources...

More information

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication Objectives Define authentication Describe the different types of authentication credentials List and explain the

More information

CS 356 Lecture 28 Internet Authentication. Spring 2013

CS 356 Lecture 28 Internet Authentication. Spring 2013 CS 356 Lecture 28 Internet Authentication Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

More information

Configuration Guide for RFMS 3.0 Initial Configuration. WiNG 5 How-To Guide. Digital Certificates. July 2011 Revision 1.0

Configuration Guide for RFMS 3.0 Initial Configuration. WiNG 5 How-To Guide. Digital Certificates. July 2011 Revision 1.0 Configuration Guide for RFMS 3.0 Initial Configuration XXX-XXXXXX-XX WiNG 5 How-To Guide Digital Certificates July 2011 Revision 1.0 MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark

More information

Kaspersky Security for Mobile Administrator's Guide

Kaspersky Security for Mobile Administrator's Guide Kaspersky Security for Mobile Administrator's Guide APPLICATION VERSION: 10.0 SERVICE PACK 1 Dear User, Thank you for choosing our product. We hope that you will find this documentation useful and that

More information

Secure, Centralized, Simple

Secure, Centralized, Simple Whitepaper Secure, Centralized, Simple Multi-platform Enterprise Mobility Management 2 Controlling it all from one place BlackBerry Enterprise Service 10 (BES10) is a unified, multi-platform, device, application,

More information

Secure web transactions system

Secure web transactions system Secure web transactions system TRUSTED WEB SECURITY MODEL Recently, as the generally accepted model in Internet application development, three-tier or multi-tier applications are used. Moreover, new trends

More information

Step-by-step Guide for Configuring Cisco ACS server as the Radius with an External Windows Database

Step-by-step Guide for Configuring Cisco ACS server as the Radius with an External Windows Database Step-by-step Guide for Configuring Cisco ACS server as the Radius with an External Windows Database Table of Contents: INTRODUCTION:... 2 GETTING STARTED:... 3 STEP-1: INTERFACE CONFIGURATION... 4 STEP-2:

More information

Wireless Robust Security Networks: Keeping the Bad Guys Out with 802.11i (WPA2)

Wireless Robust Security Networks: Keeping the Bad Guys Out with 802.11i (WPA2) Wireless Robust Security Networks: Keeping the Bad Guys Out with 802.11i (WPA2) SUNY Technology Conference June 21, 2011 Bill Kramp FLCC Network Administrator Copyright 2011 William D. Kramp All Rights

More information