BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Size: px
Start display at page:

Download "BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note"

Transcription

1 BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: Security Note

2 Published: SWD

3 Contents 1 About this guide What is BlackBerry Enterprise Service 10?...5 Key features of BlackBerry Enterprise Service Security features and architecture... 7 Security features...7 Types of apps...9 Components used to manage ios devices and Android devices Activating a device...13 Data flow: Activating an ios device over the wireless network...13 Data flow: Activating an Android device over the wireless network...18 Data flow: Receiving and organizer data on ios devices with a work space and Android devices with a work space Protecting work space data at rest Protecting work space data with encryption...25 Protecting work space data with password rules Controlling when devices wipe the work space Protecting work space data in transit...28 How a work space-enabled device connects to the Universal Device Service...28 How the Universal Device Service and the BlackBerry Infrastructure authenticate What happens when the Universal Device Service and the BlackBerry Infrastructure open an initial connection...30 Data flow: Authenticating the Universal Device Service with the BlackBerry Infrastructure...30 How the Universal Device Service protects a TCP/IP connection to the BlackBerry Infrastructure for work space data...30 How a work space-enabled device connects to the BlackBerry Infrastructure...31 Data flow: Opening a TLS session between a work space-enabled device and the Universal Device Service through the BlackBerry Infrastructure Protecting work space apps Managing the availability of work space apps on devices...32 How a work space wraps work space apps...33 How a work space fingerprints work space apps Product documentation Glossary Legal notice...38

4 About this guide About this guide 1 BlackBerry Enterprise Service 10 helps you manage BlackBerry devices, Android devices, and ios devices for your organization. This guide describes how Secure Work Space for ios and Android delivers a higher level of control and security to ios devices and Android devices. This guide is intended for senior IT professionals responsible for evaluating the product and planning its deployment, as well as anyone who's interested in learning more about Secure Work Space. After you read this guide, you should understand how Secure Work Space can help protect data at rest, data in transit, and apps for your organization. 4

5 What is BlackBerry Enterprise Service 10? What is BlackBerry Enterprise Service 10? 2 BlackBerry Enterprise Service 10 helps you manage mobile devices for your organization. You can manage BlackBerry devices and BlackBerry PlayBook tablets, as well as ios devices and Android devices, all from a unified interface. BlackBerry Enterprise Service 10 is designed to help protect business information, keep mobile workers connected with the information they need, and provide administrators with efficient tools that help keep business moving forward. BlackBerry Enterprise Service 10 includes the following components: Component BlackBerry Device Service Universal Device Service Description Provides advanced administration for BlackBerry 10 devices and BlackBerry PlayBook tablets Provides advanced administration for ios devices and Android devices BlackBerry Management Studio Provides a unified interface to administer common tasks for BlackBerry 10 devices, BlackBerry PlayBook tablets, BlackBerry 7.1 and earlier devices, ios devices, and Android devices Key features of BlackBerry Enterprise Service 10 The table below describes some of the key features for BlackBerry Enterprise Service 10. Feature Management of most types of devices Single, unified interface Description BlackBerry Enterprise Service 10 supports all types of BlackBerry devices and tablets, as well as ios devices and Android devices. BlackBerry Management Studio is a single, web-based interface where you can view all devices in one place and access the most common management tasks across multiple domains. These tasks include creating and managing groups, managing device controls, and activating mobile devices. 5

6 What is BlackBerry Enterprise Service 10? Feature Trusted and secure experience Balance of work and personal needs Description Device controls give you precise management of how devices connect to your network, what capabilities are enabled, and what apps are available. Whether the devices are owned by your organization or your users, you can protect your organization's information. BlackBerry Balance and Secure Work Space technology are designed to ensure that personal and work information are kept separate and secure on devices. If the device is lost or the employee leaves the organization, you can delete only work-related information or all information from the device. Additional security features are available depending on the device type. 6

7 Security features and architecture Security features and architecture 3 Secure Work Space for ios and Android is a containerization, app wrapping, and secure connectivity option that delivers a higher level of control and security to ios devices and Android devices. Work space apps are secured and separated from personal apps and data. The work space apps include an integrated , calendar, and contacts app, an enterprise-level secure browser, and a secure document viewing and editing app. The work browser allows users to securely browse the work intranet and the Internet. If the device is lost or the employee leaves the organization, you can delete only work-related information or all information from the device. Secure connectivity increases network security for ios devices and Android devices that have a work space by sending all device traffic from BlackBerry Enterprise Service 10 through through the outbound-initiated ports 3101 and 443. This feature avoids opening a direct connection from within your organization's firewall to the Internet for device management and third-party applications such as the messaging server, certification authority, and other web servers or content servers. Secure connectivity uses the BlackBerry Secure Connect Service to route traffic through port 3101 to the BlackBerry Infrastructure, similar to the BlackBerry Router for BlackBerry devices. The Universal Device Service is the BlackBerry Enterprise Service 10 component that manages ios devices and Android devices and enables Secure Work Space. Security features Feature Description Protection of data in transit between BlackBerry Enterprise Service 10 and a device BlackBerry Enterprise Service 10 protects the data that is in transit between BlackBerry Enterprise Service 10 and a work space-enabled device. BlackBerry Enterprise Service 10 and the device can communicate using both transport layer encryption (using AES-256) and TLS. Ability to connect to work resources without using VPN or inbound ports in the firewall Protection of work space data on a device A work space-enabled device sends data to the BlackBerry Infrastructure, which then communicates with BlackBerry Enterprise Service 10 over its outboundinitiated, bi-directional ports 3101 and 443. Data travels back from BlackBerry Enterprise Service 10 to the device using the same path. The work space includes work space apps. Work space apps are work apps that the work space secures with additional protections. 7

8 Security features and architecture Feature Description By default, work space apps protect their data using AES-256 encryption. If you choose to allow all apps to access data in the work space, then work space apps do not encrypt their data. Work space apps hash passwords before storing them. The work space isolates work space data from other data. A work space app can only communicate and share data with another work space app, unless you choose to allow all apps to access data in the work space. The work space allows a user to copy and paste from one work space app to another, but not to a work app or personal app. Control of device access to your organization's network Control of the behavior of a device BlackBerry Enterprise Service 10 allows you to send work Wi-Fi profiles and work VPN profiles to a device so that the device can connect to your organization's network. To control the behavior of a device, you can: Send IT administration commands to lock the device, wipe work data, wipe user information and app data, and return the device settings to the default values. Send an IT policy to a device to change security settings. You can use the IT policy to enforce a device password on a work space-enabled device. Send an IT policy to a device to control hardware and software features, such as disabling camera output and hiding the default web browser. Protection of user information The device allows a user to delete all user information and app data from the device memory. Protection of the operating system The work space can restart a process for a work space app that stops responding without negatively affecting other processes. The work space validates requests that apps make for resources on the device. Protection of app data using sandboxing Management of permissions to access capabilities Ability to add your own work space apps The work space uses sandboxing to separate and restrict the capabilities and permissions of work space apps that run on the device. Each application process in the work space runs in its own sandbox. The work space evaluates the requests that a work space app's processes make for memory outside of its sandbox. The work space evaluates every request that a work space app makes to access a capability on the device. Your organization can add an internal app to the work space to secure the app. You do not need to make any code changes to make an app a work space app. 8

9 Security features and architecture Feature Protection of the account manager on a device Protection of work space apps from trojans and malicious software Detection of jailbroken or rooted status Description Some devices use an account manager to store credentials for different user accounts. The work space protects the credentials stored by work space apps so that the credentials can be shared by work space apps but not other apps. The work space fingerprints apps to make sure that only known and trusted apps can run as work space apps. Work space apps are validated before they are sent to a device's work space and every time that the device runs them. If a device is jailbroken or rooted, the user has root access to the operating system of the device. The Universal Device Service is designed to detect if a device is jailbroken or rooted. You can notify or require the user to remove jailbreaking software or rooting software from the device. A user with a work space-enabled device cannot access the work space if the device is jailbroken or rooted. Types of apps Work space-enabled devices can run three different types of apps: Type of app Personal app Work app Work space app Description An app that the user installs on the device, or an app that is installed on the device by the manufacturer or wireless service provider. BlackBerry Enterprise Service 10 treats these apps and the data that they store as personal data. An app that you install and manage on a user's device. BlackBerry Enterprise Service 10 treats these apps and the data that they store as work data. A work app that the work space secures with additional protections. BlackBerry Enterprise Service 10 treats these apps and the data that they store as work space data. 9

10 Security features and architecture Components used to manage ios devices and Android devices Component APNs Description The APNs is a service for ios devices that Apple provides. BlackBerry Enterprise Service 10 uses APNs to inform the ios devices to contact BlackBerry Enterprise Service 10 for configuration updates and to provide information for your organization s device inventory. 10

11 Security features and architecture Component BES10 Client BlackBerry Licensing Service BlackBerry Management Studio BlackBerry Secure Connect Service BlackBerry Work Connect Notification Service Communication Module Core Module Scheduler TCP proxy Description The BES10 Client is installed on ios devices and Android devices. The BES10 Client communicates with BlackBerry Enterprise Service 10. The BES10 Client can be obtained from the App Store for ios devices or Google Play for Android devices. The BlackBerry Licensing Service, installed with the BlackBerry Enterprise Service 10 management consoles, communicates with the licensing infrastructure within the BlackBerry Infrastructure to validate licenses and enforce license compliance. BlackBerry Management Studio is the main console where you can perform common management tasks for users and devices, view report information, and manage licenses. You can also access the other management consoles from BlackBerry Management Studio for advanced administration tasks. The BlackBerry Secure Connect Service is a service responsible for providing a single access port for activation and management traffic of ios devices and Android devices. The BlackBerry Work Connect Notification Service is a web service responsible for providing new or changed mail and organizer notifications to the Work Connect app within the Secure Work Space on ios devices. The Communication Module is a gateway between ios devices and Android devices and BlackBerry Enterprise Service 10. It is responsible for the conversion of the proprietary protocols supported on the devices to and from the device-agnostic format used by the Core Module. The Core Module is a device-agnostic module that manages all the configuration data used to manage ios devices and Android devices and stores it in the Management Database. The Core Module is the only component that accesses the Management Database. The Core Module is responsible for communicating with Microsoft Active Directory, the APNs, the messaging server, the database server and the SCEP server. The Scheduler is responsible for initiating scheduled device management tasks, such as making available new or updated IT policy profiles, new applications, new or updated Wi-Fi or VPN profiles to ios devices and Android devices, or retrieving device information. The TCP proxy is an optional, third-party software component that can be deployed in a DMZ if required. A TCP proxy connects to the BlackBerry Infrastructure, which sends data to mobile networks or the Internet. 11

12 Security features and architecture Component Universal Device Service console Description You can use the Universal Device Service console, also known as the Administration Console, to manage user accounts, IT policies, profiles, and apps for ios devices and Android devices. 12

13 Activating a device Activating a device 4 If you assign a work space profile to a user account, when you or the user activates the device, you create the work space on the device, associate the work space with a user account in BlackBerry Enterprise Service 10, and establish a secure communication channel between the device and BlackBerry Enterprise Service 10 using an SSL certificate. For more information about installing an SSL certificate, see the BlackBerry Enterprise Service 10 Configuration Guide. BlackBerry Enterprise Service 10 allows multiple devices to be activated for the same user account. Your organization must also activate the appropriate licenses. If you or a user tries a work space activation but the required license is not available, the device will not activate correctly and it will not be able to access your organization's data. You can activate a device for a user by logging in to the Universal Device Service console and connecting the device to the computer. You can also configure how users can activate devices and whether you can use the Universal Device Service to send activation passwords and instructions to a user's work account. By default, a user can activate a device wirelessly using any of the following connections: Over your work Wi-Fi network through the BlackBerry Infrastructure Over any Wi-Fi connection or mobile network through the BlackBerry Infrastructure When the activation process completes, the BlackBerry Enterprise Service 10 can send apps, profiles, and IT policies files to the device and, if profiles are configured, users can send and receive work messages using the device. Data flow: Activating an ios device over the wireless network Adding the user 13

14 Activating a device 1. In BlackBerry Management Studio, or the Universal Device Service console, the administrator creates a local or a directory user account, and does one of the following: If the account is a local account, the administrator specifies an activation password (the local account password cannot be used for device activation). If the account is a directory account, the administrator can choose whether to specify an activation password or use the login information for the account instead. The administrator can select the option to send an activation to the user, assign group membership, and specify other device activation settings such as activation expiry date and time, maximum number of activations per device, device platform and device version. Optionally, the administrator assigns a work space profile to the account. Note: If the option to send an activation to the user is chosen, the administrator can customize the message to reflect company specific details. 2. The Core Module performs one of the following actions: If the account is a local account, the Core Module generates a hash of the user account password and stores it along with the account information in the Management Database. If the account is a directory account, the Core Module accesses Microsoft Active Directory, using LDAP, to retrieve the user account information and keeps a copy of the user account information in the Management Database. The Scheduler and Management Database periodically retrieve this information and keep it up to date. 14

15 Activating a device 3. If the option to send an activation was selected, the Core Module generates the activation and sends it to the user using the SMTP settings configured by the administrator. The message describes how to obtain the BES10 Client from the App Store and additional information the user needs to enter on the client, such as the domain name and SRP ID, the username, and the activation password for the user account if one was specified. Starting the activation process 1. The user installs the BES10 Client on the ios device. After launching the BES10 client, the user is prompted to enter the URL provided by the administrator (which consists of the BlackBerry Infrastructure URL followed by the SRP ID of the customer, for example <cc>.bbsecure.com/s , where <cc> is the country code), and accept the BlackBerry Enterprise Service 10 certificate. This prompt includes information about the SSL certificate, including the Common Name, fingerprint, and whether the certificate is trusted or untrusted. Once the user accepts the certificate, they enter the username specified in the activation and their password, and clicks Activate My Device. If the user clicks Decline, they are returned to the previous activation screen and the activation process stops. If the user clicks Accept, the certificate is installed on the device and the activation process continues. 2. The client sends an activation request over a secured channel, to the BlackBerry Infrastructure, which sends it to the server name specified by the user. The activation request includes the username, password, device operating system, and unique device identifier. 3. The BlackBerry Secure Connect Service receives the activation request from the BlackBerry Infrastructure and nds it to the Communication Module. 15

16 Activating a device 4. The Communication Module receives the activation request and queries the Core Module to validate the activation request. 5. The Core Module checks if the activation request is valid and performs one of the following actions: If the activation request does not meet the criteria defined in the activation settings (for example, the username is not valid, the password has expired, or the device type or version is not allowed for the user account), the Core Module responds with an error message. If the activation request meets all the activation criteria, the Core Module creates a device instance, associates it with the specified user account in the Management Database, sets the activation status for the device as unknown, and responds with a successful authentication to the Communication Module. 6. The Communication Module performs one of the following actions: If the response from the Core Module is an error, the Communication Module sends the error message to the BlackBerry Secure Connect Service to send to the BlackBerry Infrastructure. The BlackBerry Infrastructure passes the error message to the device and the activation stops. If the response from the Core Module is a successful authentication, the Communication Module generates a unique identifier for the device. This identifier is used to verify the authenticity of the device in every subsequent communication. The Communication Module sends a response to the BlackBerry Secure Connect Service that includes the identifier, the MDM profile of the device (these are the specific permissions that the BES10 Client can request to manage on the device such as Wi-Fi, VPN, Microsoft ActiveSync profile configuration, IT policy configuration, activation type and so on), a command to provide device information and configuration, and a link to the BlackBerry Secure Connect Service to initiate the MDM Daemon enrollment process. The BlackBerry Secure Connect Service sends this information to the BlackBerry Infrastructure, which sends it to the device. Installing the certificate and completing the activation 16

17 Activating a device 1. After receiving a successful response, the client displays a message to inform the user that a certificate must be installed to complete the activation. The user clicks OK and is redirected to the BlackBerry Secure Connect Service link for the MDM Daemon enrollment. 2. The BlackBerry Secure Connect Service connects to the Communication Module for the MDM Daemon enrollment. 3. A certificate is provided by the Communication Module and the user is presented with the option to install it. The user clicks Install Now and Done. 4. The client communicates with the BlackBerry Secure Connect Service to notify the successful installation of the MDM profile and certificate. 5. The BlackBerry Secure Connect Service informs the Communication Module of the successful installation of the MDM profile and certificate. 6. The Communication Module informs the Core Module of this success. 7. After successfully confirming the MDM enrollment of the device, the Core Module sets the device activation status to active on the Management Database. 8. The client continually checks with the Communication Module through the BlackBerry Secure Connect Service to verify the activation status. When the activation is set to active, the device requests all IT policy and configuration information from, and sends device information to, BlackBerry Enterprise Service The BlackBerry Secure Connect Service receives the device information and sends it to the Communication Module. 10. The Communication Module receives the information, converts it to a device-agnostic format and forwards it to the Core Module. 17

18 Activating a device 11. The Core Module stores the device information in the Management Database and sends the IT policy and configuration information back to the device. If the activation type for the device is Secure Work Space, after the activation is complete, the user is prompted to create a work space password and install some, or all, of the following apps: Work Connect Work Browser Documents To Go Data flow: Activating an Android device over the wireless network Adding the user 18

19 Activating a device 1. In BlackBerry Management Studio, or the Universal Device Service console, the administrator creates a local or a directory user account, and does one of the following: If the account is a local account, the administrator specifies an activation password (the local account password cannot be used for device activation). If the account is a directory account, the administrator can choose whether to specify an activation password or use the login information for the account instead. The administrator can select the option to send an activation to the user, assign group membership, and specify other device activation settings such as activation expiry date and time, maximum number of activations per device, device platform and device version. Optionally, the administrator assigns a work space profile to the account. Note: If the option to send an activation to the user is chosen, the administrator can customize the message to reflect company specific details. 2. The Core Module performs one of the following actions: If the account is a local account, the Core Module generates a hash of the user account password and stores it along with the account information in the Management Database. If the account is a directory account, the Core Module accesses Microsoft Active Directory, using LDAP, to retrieve the user account information and keeps a copy of the user account information in the Management Database. The Scheduler and Management Database periodically retrieve this information and keep it up to date. 3. If the option to send an activation was selected, the Core Module sends the activation using the SMTP settings configured by the administrator. The message describes how to obtain the BES10 Client from Google Play and additional information the user needs to type in the client, such as the company server name, the username, and the activation password for the user account if one was specified. Starting the activation process 19

20 Activating a device 1. The user installs the BES10 Client on the Android device. After launching the BES10 Client, the user is prompted to enter the URL provided by the administrator (which consists of the BlackBerry Infrastructure URL followed by the SRP ID of the customer, for example <cc>.bbsecure.com/s , where <cc> is the country code), and accept the BlackBerry Enterprise Service 10 certificate. This prompt includes information about the SSL certificate, including the Common Name, fingerprint, and whether the certificate is trusted or untrusted. Once the user accepts the certificate, they enter the username specified in the activation and their password, and clicks Activate My Device. If the user clicks Decline, they are returned to the previous activation screen and the activation process stops. If the user clicks Accept, the certificate is installed on the device and the activation process continues. 2. The client sends an activation request over a secured channel, to the BlackBerry Infrastructure, which sends it to the server name specified by the user. The activation request includes the username, password, device operating system, and unique device identifier. 3. The BlackBerry Secure Connect Service receives the activation request from the BlackBerry Infrastructure and sends it to the Communication Module. 4. The Communication Module receives the activation request and queries the Core Module to validate the activation request. 5. The Core Module checks if the activation request is valid and performs one of the following actions: If the activation request does not meet the criteria defined in the activation settings, for example, the username is not valid, the password has expired, or the device type or version is not allowed for the user account, the Core Module responds with an error message. 20

21 Activating a device If the activation request meets all the activation criteria, the Core Module creates a device instance, associates it to the specified user account in the Management Database, sets the activation status for the device as unknown, and responds with a successful authentication to the Communication Module. 6. The Communication Module performs one of the following actions: If the response from the Core Module is an error, the Communication Module sends the error message to the BlackBerry Secure Connect Service to send to the BlackBerry Infrastructure. The BlackBerry Infrastructure sends the error message and the activation stops. If the response from the Core Module is a successful authentication, the Communication Module generates a unique identifier for the device. This identifier is used to verify the authenticity of the device in every subsequent communication. The Communication Module sends a response to the BlackBerry Secure Connect Service that includes the identifier, the MDM profile of the device (these are the specific permissions that the BES10 Client requests to manage on the device such as, Wi-Fi, VPN, IT policy configuration, and so on), and a command to provide device information and configuration. The BlackBerry Secure Connect Service sends this information through the BlackBerry Infrastructure to the device. Completing the activation 1. After receiving a successful response, the BES10 Client requests all IT policy and configuration information and sends the device information and software information through the BlackBerry Infrastructure to the BlackBerry Secure Connect Service, which sends this information to the Communication Module. 21

22 Activating a device 2. The Communication Module receives the information, converts it to a device-agnostic format and sends it to the Core Module. 3. The Core Module stores the device information in the Management Database and sends the IT policy and configuration information back to the device. If the activation type for the device is Secure Work Space, after the activation is completed, the user is prompted to create a work space password and install some, or all, of the following apps: Work Connect Work Browser Documents To Go Data flow: Receiving and organizer data on ios devices with a work space and Android devices with a work space 22

23 Activating a device 1. At defined intervals, the messaging server checks for any new or changed items and notifies the ios device or Android device, through BlackBerry Enterprise Service 10, when there are new or changed items. If the device is an ios device: The BlackBerry Work Connect Notification Service receives the notificaton and sends it to the BlackBerry Secure Connect Service for forwarding If the device is an Android device: The notification is passed to the BlackBerry Secure Connect Service for forwarding 2. BlackBerry Secure Connect Service notifies the BlackBerry Infrastructure that there are new or changed items in the user's mailbox. 3. The BlackBerry Infrastructure notifies the device that there are new or changed items in the user's mailbox. If the device is an ios device: The BlackBerry Infrastructure contacts the APNs to notify the user that there is an item waiting to be synchronized. The APNs notifies the device that there is a new or changed item waiting to be synchronized. When the Work Connect app receives the notification, it displays an icon that indicates that there are new updates available for the user. If the device is an Android device: The BlackBerry Infrastructure contacts the device to notify the user that there is an item waiting to be synchronized. When the Work Connect app receives the notification, it displays an icon that indicates that there are new updates available for the user. 4. The device contacts the BlackBerry Infrastructure to request the new or changed items. 5. The BlackBerry Infrastructure contacts the BlackBerry Secure Connect Service and requests the new or changed items. 6. The BlackBerry Secure Connect Service contacts the messaging server and requests the new or changed items be sent to the device. 7. The messaging server sends the items to the device, through the BlackBerry Secure Connect Service and the BlackBerry Infrastructure. 8. The device sends confirmation back to the messaging server, through the BlackBerry Secure Connect Service and the BlackBerry Infrastructure, that the updates have been received. 9. When the synchronization of all items is complete, the messaging server sends an "HTTP 200 OK" message to the device. 23

24 Activating a device 10. The device waits for the next notification from BlackBerry Enterprise Service 10 that there are new or changed items to synchronize. 24

25 Protecting work space data at rest Protecting work space data at rest 5 The work space protects work space data at rest by encrypting the data and hashing passwords before storing them. You can also require password protection and control when devices wipe their work space. Protecting work space data with encryption A work space protects work space data by encrypting the data that work space apps store using AES-256 encryption. The work space randomly generates a separate encryption key for each work space app and encrypts the keys with the user's work space password. The work space encrypts all of the data that a work space app stores directly and writes indirectly to files. The encryption libraries (OpenSSL-FIIPTS or ios crypto on ios, and OpenSSL-FIPS on Android OS) are components of the FIPS validated BlackBerry Cryptographic Library for Secure Work Space. Work space apps can only share data with other work space apps. When a work space app requests to share data with another app, the work space intercepts the request and allows the request to proceed if both apps are work space apps. If both apps are not work space apps, the work space rejects the request. The work space allows a user to copy and paste from one work space app to another, but not to a work app or personal app. Protecting work space data with password rules To secure work space data and work space apps, work space-enabled devices require users to set a password for the work space by default. You can use IT policy rules to control password requirements for the password, such as complexity and length. For more information about IT policy rules for ios devices and Android devices, see the Universal Device Service Advanced Administration Guide. 25

26 Protecting work space data at rest Controlling when devices wipe the work space To protect your organization s data, you can wipe all work data from a device. All personal data remains on the device. For example, you can do this if a user no longer works at your organization. The following table lists examples of data that is removed when devices wipe the work space: Item Work messages Attachments Calendar entries Contacts Tasks and memos Browser Files IT policy Work apps Work app data Work space apps Description messages that are sent to the user s Work Connect app and messages that the user sends from the Work Connect app Draft messages that the user creates using the Work Connect app Attachments that are sent to the user s Work Connect app and attachments that the user sends from the Work Connect app Attachments that the user saves to the work space Calendar entries that the user creates using the Work Connect app Contacts that BlackBerry Enterprise Service 10 synchronizes with the user s Work Connect app All tasks and memos that BlackBerry Enterprise Service 10 synchronizes with the user's Work Connect app All Work Browser data Files that the user accessed and downloaded from your organization s network IT policy that is associated with your organization For an ios device, work apps that an administrator sent to a device For an ios device, work data that is associated with work apps on the device (for example, saved settings) For an ios device, work space apps that a user downloaded and installed on a device. For an Android device, the user is prompted to remove the work space apps. If the user does not remove the work space apps, they remain on the device but the user cannot run them. 26

27 Protecting work space data at rest Item Work space data Profiles Description For an ios device, work space data that is associated with work space apps on the device. For an Android device, the user is prompted to remove the work space data (for example, saved settings). If the user does not remove the work space data, it remains on the device but the user cannot access the data. For an ios device, VPN, Wi-Fi, Microsoft ActiveSync, SCEP, CA certificate, and shared certificate profiles that the user configures on the device 27

28 Protecting work space data in transit Protecting work space data in transit 6 The work space protects work space data in transit by authenticating its connections and sessions and encrypting the data. How a work space-enabled device connects to the Universal Device Service To access your organization's network, a work space-enabled device connects through any Wi-Fi access point or mobile network, the BlackBerry Infrastructure, your organization's firewall, and the Universal Device Service. 28

29 Protecting work space data in transit Devices and your organization s resources use tunneling to encapsulate various types of encryption in the end-to-end connection. Tunneling occurs when data is encrypted using more than one layer of encryption. The type of encryption used depends on the type of connection between the device and the resource. For example, the data that a device and the Universal Device Service send between each other is encrypted using TLS encryption. If the wireless access point was set up to use Wi-Fi encryption, the data that the device and wireless access point send to each other uses Wi-Fi encryption. Because the device uses tunneling, the data that the device sends to the Universal Device Service is encrypted first by TLS encryption and then by Wi-Fi encryption as it travels between the device and the wireless access point. Encryption type Wi-Fi encryption (IEEE ) TLS encryption SSL/TLS encryption Description Encrypts the data for the connection between the device and wireless access point if the wireless access point was set up to use Wi-Fi encryption. Encrypts the data for the connection between the Universal Device Service and the BlackBerry Infrastructure. Encrypts the data for the session between the device and Universal Device Service Encrypts the data for the session between the device and content server, web server, or messaging server that uses Microsoft ActiveSync. The encryption for this session must be set up separately on each server and uses a separate certificate with each server. The server might use SSL or TLS, depending how it is set up. How the Universal Device Service and the BlackBerry Infrastructure authenticate The BlackBerry Infrastructure and Universal Device Service must authenticate with each other before they can transfer data. The Universal Device Service uses a proprietary protocol to authenticate with and connect to the BlackBerry Infrastructure. The Universal Device Service uses the protocol and the SRP identifier to contact the BlackBerry Infrastructure and open a connection. When the Universal Device Service and the BlackBerry Infrastructure open a connection, they can perform the following actions: 1. Authenticate with each other 2. Exchange configuration information 3. Send and receive data 29

30 Protecting work space data in transit What happens when the Universal Device Service and the BlackBerry Infrastructure open an initial connection After the Universal Device Service and the BlackBerry Infrastructure open an initial connection over the Internet, the Universal Device Service authenticates the BlackBerry Infrastructure by verifying the authentication certificate that the BlackBerry Infrastructure sends. Next, the Universal Device Service sends a basic information packet to the BlackBerry Infrastructure immediately. A basic information packet includes the Universal Device Service version information, SRP identifier, the SRP authentication key, which is a 20-byte encryption key, and other information that is required to open an authenticated connection. Both the Universal Device Service and BlackBerry Infrastructure can recognize the basic information packet. The BlackBerry Infrastructure uses the basic information packet to authenticate the Universal Device Service. Data flow: Authenticating the Universal Device Service with the BlackBerry Infrastructure 1. The Universal Device Service connects to the BlackBerry Infrastructure and initiates a TLS connection. 2. The BlackBerry Infrastructure sends an authentication certificate to the Universal Device Service. 3. The Universal Device Service verifies that the authentication certificate is signed by a trusted authority and verifies the name of the server in the BlackBerry Infrastructure to establish the TLS connection. 4. The Universal Device Service sends a data packet that contains its unique SRP identifier and SRP authentication key to the BlackBerry Infrastructure. 5. The BlackBerry Infrastructure authenticates the SRP identifier and SRP authentication key. The BlackBerry Infrastructure now only allows traffic for this instance of the Universal Device Service, uniquely identified by its SRP identifier, to flow over the connection. How the Universal Device Service protects a TCP/IP connection to the BlackBerry Infrastructure for work space data After the Universal Device Service and the BlackBerry Infrastructure open a connection, the Universal Device Service uses a persistent TCP/IP connection to send data to the BlackBerry Infrastructure. The TCP/IP connection between the Universal Device Service and BlackBerry Infrastructure is secured with TLS encryption. No intermediate point decrypts and encrypts the data again. 30

31 Protecting work space data in transit You must configure your organization s firewall or proxy server to permit the Universal Device Service to start and maintain an outgoing connection to the BlackBerry Infrastructure over TCP port How a work space-enabled device connects to the BlackBerry Infrastructure Devices connect to the BlackBerry Infrastructure using a TCP/IP connection. The traffic over this connection is tunneled by the BlackBerry Infrastructure to the Universal Device Service. Devices and the Universal Device Service send all data to each other over a TLS session. The TLS session encrypts the data that devices and the Universal Device Service send between each other. A TLS session between a device and the Universal Device Service is designed so that an attacker cannot use the TLS connection to send data to or receive data from the device. If an attacker tries to impersonate the Universal Device Service, devices prevent the connection. Devices verify whether the public key of the TLS certificate of the Universal Device Service matches the private key of the root certificate that is loaded on the devices during the activation process. Data flow: Opening a TLS session between a work space-enabled device and the Universal Device Service through the BlackBerry Infrastructure 1. A device creates a TCP connection to the BlackBerry Infrastructure. 2. The BlackBerry Infrastructure creates a tunnel to the Universal Device Service. 3. The device sends a request over the tunnel to the Universal Device Service to open a TLS session. 4. The Universal Device Service sends its TLS certificate to the device over the tunnel. 5. The device uses a root certificate that is preloaded on the device to verify the TLS certificate. If the user deleted the root certificate, the device prompts the user to trust the TLS certificate. 6. The device opens the TLS session. 31

32 Protecting work space apps Protecting work space apps 7 The work space protects work space apps by wrapping and fingerprinting the apps. In addition to the default work space apps, you can send internal apps to devices as work space apps. Managing the availability of work space apps on devices You can use BlackBerry Enterprise Service 10 to install and manage work space apps on work space-enabled devices. Work space apps can only access work space data and interact with other work space apps. Default work space apps appear on every work space-enabled device. The following apps are default work space apps: Name Work Connect Work Browser Documents To Go Description The ios version of this app supports , calendar, contacts, notes, and tasks. The Android version of this app supports , calendar, and contacts. This app supports secure web browsing. This app supports the viewing and editing of Microsoft Office files. A work space app can also be an internal app in.apk or.ipa format that you send to a work space-enabled device. For more information about creating a work space app, see the Universal Device Service Advanced Administration Guide. You can specify the internal apps that you want to install, update, or remove, and you can specify whether internal apps are required or optional on devices. You can also specify the device models that support an internal app so that the app is installed only on compatible devices. If you specify that an app is required, the app is automatically installed on the device. If the user removes the app, you can use a compliance profile to send a notification to users to ask them to meet your organization's requirements or you can limit users' access to your organization's resources and applications, delete work data, or delete all data from the device. Work space-enabled devices can have the same app installed separately as a work space app and either a work app or a personal app. Each instance of the app is kept separate from the others and each operates under the rules and restrictions that apply to the space that it is installed in. The apps can be configured, upgraded, or removed independently, and changes to one instance have no effect on the other instance. For example, an instant messaging app installed as a personal app might be restricted from adding work contacts, while the same instant messaging app installed as a work space app does not have that restriction. 32

33 Protecting work space apps How a work space wraps work space apps A work space protects work space apps from other apps running on the device by using app wrapping. App wrapping is a process that adds a layer of security and control around an existing app. The source code of the app is not changed. Instead, the wrapping process takes the requests that the app makes to system services and redirects them to a library of mechanisms and policies. BlackBerry Enterprise Service 10 wraps apps automatically for ios devices and Android devices when you designate the apps as work space apps. The app wrapping process is fully compatible with the policies that Apple enforces for ios devices. The app wrapping process interposes system API calls to allow the work space to redirect a work space app's requests for system services. For the Android OS, where apps run under the Dalvik virtual machine, the work space performs the interposing on two layers: replacing Dalvik byte-code API calls with its own intercepts, and linking calls for native object code. For ios, where apps do not run under a virtual machine, the work space links calls for native object code only. The app wrapping process then repackages the app so that the security code and the original code are physically inseparable. This repackaging ensures that any subsequent modifications to a work space app by a third party will prevent the work space app from running on the device. How a work space fingerprints work space apps A work space protects work space apps from trojans and malicious software by using fingerprinting. Fingerprinting uses an algorithm to map an app to a short bit string, which is the app's fingerprint. The fingerprint serves as a unique record of the app. Verifying a fingerprint is more efficient than transmitting and comparing the original app with the app on the device, which involves much larger files than a fingerprint. Before a work space app is added to a work space-enabled device, the BlackBerry Infrastructure fingerprints the work space app. The BlackBerry Infrastructure sends the work space app and the fingerprint to the device. Before the work space app is added to the device, the work space calculates the work space app's fingerprint and compares it to the fingerprint sent by the BlackBerry Infrastructure. Each time that the work space app is run, the work space recalculates the work space app's fingerprint and compares it with the fingerprint sent by the BlackBerry Infrastructure. In all cases, if the fingerprints being compared do not match, the device does not run the work space app. 33

34 Product documentation Product documentation 8 To read the following guides or additional related materials, visit blackberry.com/go/serverdocs. Resource Introducing BlackBerry Enterprise Service 10 What's New in BlackBerry Enterprise Service 10 Quick Reference Description Quick, visual introduction to BlackBerry Enterprise Service 10 at a high level Summary of new features, enhancements, and updates in BlackBerry Enterprise Service 10 BlackBerry Enterprise Service 10 Product Overview Introduction to BlackBerry Enterprise Service 10 and its features Finding your way through the documentation Architecture BlackBerry Enterprise Service 10 Release Notes BlackBerry Enterprise Service 10 Installation Guide Descriptions of known issues and potential workarounds System requirements Installation instructions Capacity Calculator for BlackBerry Enterprise Service 10 Tool to estimate the hardware required to support a given workload for BlackBerry Enterprise Service 10 version BlackBerry Enterprise Service 10 Compatibility Matrix Software that is compatible with BlackBerry Enterprise Service 10 version BlackBerry Enterprise Service 10 Upgrade Guide System requirements Upgrade instructions BlackBerry Enterprise Service 10 Licensing Guide Descriptions of different types of licenses Instructions for activating licenses 34

Architecture and Data Flow Overview. BlackBerry Enterprise Service 10 721-08877-123 Version: 10.2. Quick Reference

Architecture and Data Flow Overview. BlackBerry Enterprise Service 10 721-08877-123 Version: 10.2. Quick Reference Architecture and Data Flow Overview BlackBerry Enterprise Service 10 721-08877-123 Version: Quick Reference Published: 2013-11-28 SWD-20131128130321045 Contents Key components of BlackBerry Enterprise

More information

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0 Security Guide BlackBerry Enterprise Service 12 for ios, Android, and Windows Phone Version 12.0 Published: 2015-02-06 SWD-20150206130210406 Contents About this guide... 6 What is BES12?... 7 Key features

More information

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0 Configuration Guide BlackBerry Enterprise Service 12 Version 12.0 Published: 2014-12-19 SWD-20141219132902639 Contents Introduction... 7 About this guide...7 What is BES12?...7 Key features of BES12...

More information

Troubleshooting BlackBerry Enterprise Service 10 version 10.1.1 726-08745-123. Instructor Manual

Troubleshooting BlackBerry Enterprise Service 10 version 10.1.1 726-08745-123. Instructor Manual Troubleshooting BlackBerry Enterprise Service 10 version 10.1.1 726-08745-123 Instructor Manual Published: 2013-07-02 SWD-20130702091645092 Contents Advance preparation...7 Required materials...7 Topics

More information

BlackBerry Enterprise Service 10. Version: 10.2. Configuration Guide

BlackBerry Enterprise Service 10. Version: 10.2. Configuration Guide BlackBerry Enterprise Service 10 Version: 10.2 Configuration Guide Published: 2015-02-27 SWD-20150227164548686 Contents 1 Introduction...7 About this guide...8 What is BlackBerry Enterprise Service 10?...9

More information

BlackBerry Enterprise Service 10. Universal Device Service Version: 10.2. Administration Guide

BlackBerry Enterprise Service 10. Universal Device Service Version: 10.2. Administration Guide BlackBerry Enterprise Service 10 Universal Service Version: 10.2 Administration Guide Published: 2015-02-24 SWD-20150223125016631 Contents 1 Introduction...9 About this guide...10 What is BlackBerry

More information

Configuration Guide BES12. Version 12.1

Configuration Guide BES12. Version 12.1 Configuration Guide BES12 Version 12.1 Published: 2015-04-22 SWD-20150422113638568 Contents Introduction... 7 About this guide...7 What is BES12?...7 Key features of BES12... 8 Product documentation...

More information

Administration Guide. BlackBerry Enterprise Service 12. Version 12.0

Administration Guide. BlackBerry Enterprise Service 12. Version 12.0 Administration Guide BlackBerry Enterprise Service 12 Version 12.0 Published: 2015-01-16 SWD-20150116150104141 Contents Introduction... 9 About this guide...10 What is BES12?...11 Key features of BES12...

More information

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2 BlackBerry Enterprise Service 10 BlackBerry Device Service Solution Version: 10.2 Security Technical Overview Published: 2014-09-10 SWD-20140908123239883 Contents 1 About BlackBerry Device Service solution

More information

Configuration Guide BES12. Version 12.2

Configuration Guide BES12. Version 12.2 Configuration Guide BES12 Version 12.2 Published: 2015-07-07 SWD-20150630131852557 Contents About this guide... 8 Getting started... 9 Administrator permissions you need to configure BES12... 9 Obtaining

More information

BYOD Guidance: BlackBerry Secure Work Space

BYOD Guidance: BlackBerry Secure Work Space GOV.UK Guidance BYOD Guidance: BlackBerry Secure Work Space Published 17 February 2015 Contents 1. About this guidance 2. Summary of key risks 3. Secure Work Space components 4. Technical assessment 5.

More information

Configuration Guide BES12. Version 12.3

Configuration Guide BES12. Version 12.3 Configuration Guide BES12 Version 12.3 Published: 2016-01-19 SWD-20160119132230232 Contents About this guide... 7 Getting started... 8 Configuring BES12 for the first time...8 Configuration tasks for managing

More information

Advanced Administration

Advanced Administration BlackBerry Enterprise Service 10 BlackBerry Device Service Version: 10.2 Advanced Administration Guide Published: 2014-09-10 SWD-20140909133530796 Contents 1 Introduction...11 About this guide...12 What

More information

Configuration Guide. BES12 Cloud

Configuration Guide. BES12 Cloud Configuration Guide BES12 Cloud Published: 2016-04-08 SWD-20160408113328879 Contents About this guide... 6 Getting started... 7 Configuring BES12 for the first time...7 Administrator permissions you need

More information

Reference Guide. What's New in BES12 Cloud

Reference Guide. What's New in BES12 Cloud Reference Guide What's New in BES12 Cloud 711-60712-123 Published: 2016-06-20 SWD-20160620151902701 Contents What's new in BES12 Cloud...5 Supported features by device type... 5 Compatibility and requirements...11

More information

BlackBerry Enterprise Service 10. Version: 10.2. Installation Guide

BlackBerry Enterprise Service 10. Version: 10.2. Installation Guide BlackBerry Enterprise Service 10 Version: 10.2 Installation Guide Published: 2015-08-17 SWD-20150817115607897 Contents 1 About this guide...5 2 What is BlackBerry Enterprise Service 10?... 6 Key features

More information

Licensing Guide BES12. Version 12.1

Licensing Guide BES12. Version 12.1 Licensing Guide BES12 Version 12.1 Published: 2015-04-02 SWD-20150402115554403 Contents Introduction... 5 About this guide...5 What is BES12?...5 Key features of BES12... 5 About licensing...7 Steps to

More information

Ensuring the security of your mobile business intelligence

Ensuring the security of your mobile business intelligence IBM Software Business Analytics Cognos Business Intelligence Ensuring the security of your mobile business intelligence 2 Ensuring the security of your mobile business intelligence Contents 2 Executive

More information

Preparing for GO!Enterprise MDM On-Demand Service

Preparing for GO!Enterprise MDM On-Demand Service Preparing for GO!Enterprise MDM On-Demand Service This guide provides information on...... An overview of GO!Enterprise MDM... Preparing your environment for GO!Enterprise MDM On-Demand... Firewall rules

More information

Kaspersky Lab Mobile Device Management Deployment Guide

Kaspersky Lab Mobile Device Management Deployment Guide Kaspersky Lab Mobile Device Management Deployment Guide Introduction With the release of Kaspersky Security Center 10.0 a new functionality has been implemented which allows centralized management of mobile

More information

Administration Guide BES12. Version 12.3

Administration Guide BES12. Version 12.3 Administration Guide BES12 Version 12.3 Published: 2015-10-30 SWD-20151028105551254 Contents Introduction... 11 About this guide...12 How to use this guide... 13 Steps to administer BES12... 13 Examples

More information

Installation and Administration Guide

Installation and Administration Guide Installation and Administration Guide BlackBerry Enterprise Transporter for BlackBerry Enterprise Service 12 Version 12.0 Published: 2014-11-06 SWD-20141106165936643 Contents What is BES12?... 6 Key features

More information

BES10 Cloud architecture and data flows

BES10 Cloud architecture and data flows BES10 Cloud architecture and data flows Architecture: BES10 Cloud solution Component APNs BlackBerry Cloud Connector BES10 Cloud BlackBerry Infrastructure Company directory Devices GCM Other third-party

More information

Copyright 2013, 3CX Ltd. http://www.3cx.com E-mail: info@3cx.com

Copyright 2013, 3CX Ltd. http://www.3cx.com E-mail: info@3cx.com Manual Copyright 2013, 3CX Ltd. http://www.3cx.com E-mail: info@3cx.com Information in this document is subject to change without notice. Companies names and data used in examples herein are fictitious

More information

BlackBerry Enterprise Service 10 version 10.2 preinstallation and preupgrade checklist

BlackBerry Enterprise Service 10 version 10.2 preinstallation and preupgrade checklist BlackBerry Enterprise Service version.2 preinstallation and preupgrade checklist Verify that the following requirements are met before you install or upgrade to BlackBerry Enterprise Service version.2.

More information

Sophos Mobile Control SaaS startup guide. Product version: 6

Sophos Mobile Control SaaS startup guide. Product version: 6 Sophos Mobile Control SaaS startup guide Product version: 6 Document date: January 2016 Contents 1 About this guide...4 2 About Sophos Mobile Control...5 3 What are the key steps?...7 4 Change your password...8

More information

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2. Feature and Technical Overview

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2. Feature and Technical Overview BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2 Feature and Technical Overview Published: 2010-06-16 SWDT305802-1108946-0615123042-001 Contents 1 Overview: BlackBerry Enterprise

More information

Getting Started Guide

Getting Started Guide BlackBerry Web Services For Microsoft.NET developers Version: 10.2 Getting Started Guide Published: 2013-12-02 SWD-20131202165812789 Contents 1 Overview: BlackBerry Enterprise Service 10... 5 2 Overview:

More information

Server Software Installation Guide

Server Software Installation Guide Server Software Installation Guide This guide provides information on...... The architecture model for GO!Enterprise MDM system setup... Hardware and supporting software requirements for GO!Enterprise

More information

Configuration Guide BES12. Version 12.4

Configuration Guide BES12. Version 12.4 Configuration Guide BES12 Version 12.4 Published: 2016-04-13 SWD-20160413171027740 Contents About this guide... 8 Getting started... 9 Configuring BES12 for the first time...9 Configuration tasks for managing

More information

Feature and Technical

Feature and Technical BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 4 Feature and Technical Overview Published: 2013-11-07 SWD-20131107160132924 Contents 1 Document revision history...6 2 What's

More information

Security Guide. BlackBerry Enterprise Service 12. for BlackBerry. Version 12.0

Security Guide. BlackBerry Enterprise Service 12. for BlackBerry. Version 12.0 Security Guide BlackBerry Enterprise Service 12 for BlackBerry Version 12.0 Published: 2014-11-12 SWD-20141106140037727 Contents Introduction... 7 About this guide...8 What is BES12?...9 Key features of

More information

1. What are the System Requirements for using the MaaS360 for Exchange ActiveSync solution?

1. What are the System Requirements for using the MaaS360 for Exchange ActiveSync solution? MaaS360 FAQs This guide is meant to help answer some of the initial frequently asked questions businesses ask as they try to figure out the who, what, when, why and how of managing their smartphone devices,

More information

Components. Key features

Components. Key features BlackBerry Enterprise Service 10 What is it? BlackBerry Enterprise Service 10 helps you manage BlackBerry smartphones and BlackBerry PlayBook tablets, as well as ios devices and Android devices, all from

More information

Zenprise Device Manager 6.1.5

Zenprise Device Manager 6.1.5 Zenprise Device Manager 6.1.5 CLIENT GUIDE Rev 6.1.50 Introduction 2 ZENPRISE DEVICE MANAGER 6.1 CLIENT GUIDE 2011 Zenprise, Inc. All rights reserved. This manual, as well as the software described in

More information

Administration Guide. BlackBerry Resource Kit for BlackBerry Enterprise Service 10. Version 10.2

Administration Guide. BlackBerry Resource Kit for BlackBerry Enterprise Service 10. Version 10.2 Administration Guide BlackBerry Resource Kit for BlackBerry Enterprise Service 10 Version 10.2 Published: 2015-11-12 SWD-20151112124107981 Contents Overview: BlackBerry Enterprise Service 10... 8 Overview:

More information

Sophos Mobile Control Installation guide. Product version: 3

Sophos Mobile Control Installation guide. Product version: 3 Sophos Mobile Control Installation guide Product version: 3 Document date: January 2013 Contents 1 Introduction...3 2 The Sophos Mobile Control server...4 3 Set up Sophos Mobile Control...16 4 External

More information

Configuration Guide. BES12 Cloud

Configuration Guide. BES12 Cloud Configuration Guide BES12 Cloud Published: 2016-07-20 SWD-20160718120737425 Contents About this guide... 6 Getting started... 7 Configuring BES12 for the first time...7 Administrator permissions you need

More information

http://docs.trendmicro.com

http://docs.trendmicro.com Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

Installation and Administration Guide

Installation and Administration Guide Installation and Administration Guide BlackBerry Collaboration Service Version 12.1 Published: 2015-02-25 SWD-20150225135812271 Contents About this guide... 5 Planning a BlackBerry Collaboration Service

More information

Sophos Mobile Control Installation guide. Product version: 3.5

Sophos Mobile Control Installation guide. Product version: 3.5 Sophos Mobile Control Installation guide Product version: 3.5 Document date: July 2013 Contents 1 Introduction...3 2 The Sophos Mobile Control server...4 3 Set up Sophos Mobile Control...10 4 External

More information

http://docs.trendmicro.com

http://docs.trendmicro.com Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

Sophos Mobile Control Technical guide

Sophos Mobile Control Technical guide Sophos Mobile Control Technical guide Product version: 2 Document date: December 2011 Contents 1. About Sophos Mobile Control... 3 2. Integration... 4 3. Architecture... 6 4. Workflow... 12 5. Directory

More information

Mobile Device Management Version 8. Last updated: 17-10-14

Mobile Device Management Version 8. Last updated: 17-10-14 Mobile Device Management Version 8 Last updated: 17-10-14 Copyright 2013, 2X Ltd. http://www.2x.com E mail: info@2x.com Information in this document is subject to change without notice. Companies names

More information

BlackBerry Universal Device Service. Demo Access. AUTHOR: System4u

BlackBerry Universal Device Service. Demo Access. AUTHOR: System4u Demo Access AUTHOR: System4u BlackBerry Universal Device Service Revisions Date Version Description Author June 26 th 2012 1.0 Roman Přikryl September 25 th 2012 1.5 Revision Roman Přikryl October 5 th

More information

Managing BlackBerry Enterprise Service 10 version 10.2

Managing BlackBerry Enterprise Service 10 version 10.2 Managing BlackBerry Enterprise Service 10 version 10.2 Course details Course code 726-08882-123 Approximate duration Labs 3 days Labs are included in this course Course overview This course explains how

More information

Advanced Configuration Steps

Advanced Configuration Steps Advanced Configuration Steps After you have downloaded a trial, you can perform the following from the Setup menu in the MaaS360 portal: Configure additional services Configure device enrollment settings

More information

Mobile Admin Security

Mobile Admin Security Mobile Admin Security Introduction Mobile Admin is an enterprise-ready IT Management solution that generates significant cost savings by dramatically increasing the responsiveness of IT organizations facing

More information

Secure, Centralized, Simple

Secure, Centralized, Simple Whitepaper Secure, Centralized, Simple Multi-platform Enterprise Mobility Management 2 Controlling it all from one place BlackBerry Enterprise Service 10 (BES10) is a unified, multi-platform, device, application,

More information

Security Guide. BES12 Cloud. for BlackBerry

Security Guide. BES12 Cloud. for BlackBerry Security Guide BES12 Cloud for BlackBerry Published: 2015-03-31 SWD-20150317085646346 Contents Introduction... 7 About this guide...8 What is BES12 Cloud?... 9 Key features of BES12 Cloud...10 Security

More information

www.novell.com/documentation Server Installation ZENworks Mobile Management 2.7.x August 2013

www.novell.com/documentation Server Installation ZENworks Mobile Management 2.7.x August 2013 www.novell.com/documentation Server Installation ZENworks Mobile Management 2.7.x August 2013 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of this

More information

Introduction to the EIS Guide

Introduction to the EIS Guide Introduction to the EIS Guide The AirWatch Enterprise Integration Service (EIS) provides organizations the ability to securely integrate with back-end enterprise systems from either the AirWatch SaaS environment

More information

GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android

GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android GO!Enterprise MDM for Android, Version 3.x GO!Enterprise MDM for Android 1 Table of Contents GO!Enterprise MDM

More information

Enterprise Mobility Management Migration Migrating from Legacy EMM to an epo Managed EMM Environment. Paul Luetje Enterprise Solutions Architect

Enterprise Mobility Management Migration Migrating from Legacy EMM to an epo Managed EMM Environment. Paul Luetje Enterprise Solutions Architect Enterprise Mobility Management Migration Migrating from Legacy EMM to an epo Managed EMM Environment Paul Luetje Enterprise Solutions Architect Table of Contents Welcome... 3 Purpose of this document...

More information

Configuring Security Features of Session Recording

Configuring Security Features of Session Recording Configuring Security Features of Session Recording Summary This article provides information about the security features of Citrix Session Recording and outlines the process of configuring Session Recording

More information

Installation and Configuration Guide

Installation and Configuration Guide Installation and Configuration Guide BlackBerry Resource Kit for BlackBerry Enterprise Service 10 Version 10.2 Published: 2015-11-12 SWD-20151112124827386 Contents Overview: BlackBerry Enterprise Service

More information

Product Manual. MDM On Premise Installation Version 8.1. Last Updated: 06/07/15

Product Manual. MDM On Premise Installation Version 8.1. Last Updated: 06/07/15 Product Manual MDM On Premise Installation Version 8.1 Last Updated: 06/07/15 Parallels IP Holdings GmbH Vordergasse 59 8200 Schaffhausen Switzerland Tel: + 41 52 632 0411 Fax: + 41 52 672 2010 www.parallels.com

More information

Sophos Mobile Control Startup guide. Product version: 3.5

Sophos Mobile Control Startup guide. Product version: 3.5 Sophos Mobile Control Startup guide Product version: 3.5 Document date: July 2013 Contents 1 About this guide...3 2 What are the key steps?...5 3 Log in as a super administrator...6 4 Activate Sophos Mobile

More information

Sophos Mobile Control Startup guide. Product version: 3

Sophos Mobile Control Startup guide. Product version: 3 Sophos Mobile Control Startup guide Product version: 3 Document date: January 2013 Contents 1 About this guide...3 2 What are the key steps?...5 3 Log in as a super administrator...6 4 Activate Sophos

More information

MaaS360 Mobile Enterprise Gateway

MaaS360 Mobile Enterprise Gateway MaaS360 Mobile Enterprise Gateway Administrator Guide Copyright 2014 Fiberlink, an IBM Company. All rights reserved. Information in this document is subject to change without notice. The software described

More information

MaaS360 Cloud Extender

MaaS360 Cloud Extender MaaS360 Cloud Extender Installation Guide Copyright 2013 Fiberlink Communications Corporation. All rights reserved. Information in this document is subject to change without notice. The software described

More information

Deploying iphone and ipad Security Overview

Deploying iphone and ipad Security Overview Deploying iphone and ipad Security Overview ios, the operating system at the core of iphone and ipad, is built upon layers of security. This enables iphone and ipad to securely access corporate services

More information

Sophos Mobile Control Installation guide

Sophos Mobile Control Installation guide Sophos Mobile Control Installation guide Product version: 2.5 Document date: July 2012 Contents 1 Introduction... 3 2 The Sophos Mobile Control server... 4 3 Set up Sophos Mobile Control... 13 4 Running

More information

CA Mobile Device Management 2014 Q1 Getting Started

CA Mobile Device Management 2014 Q1 Getting Started CA Mobile Device Management 2014 Q1 Getting Started This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is

More information

MaaS360 On-Premises Cloud Extender

MaaS360 On-Premises Cloud Extender MaaS360 On-Premises Cloud Extender Installation Guide Copyright 2014 Fiberlink Communications Corporation. All rights reserved. Information in this document is subject to change without notice. The software

More information

How to Obtain an APNs Certificate for CA MDM

How to Obtain an APNs Certificate for CA MDM How to Obtain an APNs Certificate for CA MDM Contents How to Obtain an APNs Certificate for CA MDM Verify Prerequisites Obtaining Root and Intermediate Certificates Create a Certificate Signing Request

More information

ipad in Business Security

ipad in Business Security ipad in Business Security Device protection Strong passcodes Passcode expiration Passcode reuse history Maximum failed attempts Over-the-air passcode enforcement Progressive passcode timeout Data security

More information

MaaS360 Mobile Enterprise Gateway

MaaS360 Mobile Enterprise Gateway MaaS360 Mobile Enterprise Gateway Administrator Guide Copyright 2013 Fiberlink Communications Corporation. All rights reserved. Information in this document is subject to change without notice. The software

More information

introducing The BlackBerry Collaboration Service

introducing The BlackBerry Collaboration Service Introducing the Collaboration Service 10.2 for the Enterprise IM app 3.1 introducing The Collaboration Service Sender Instant Messaging Server Collaboration Service 10 device Recipient V. 1.0 June 2013

More information

Integrating Cisco ISE with GO!Enterprise MDM Quick Start

Integrating Cisco ISE with GO!Enterprise MDM Quick Start Integrating Cisco ISE with GO!Enterprise MDM Quick Start GO!Enterprise MDM Version 3.x Overview 1 Table of Contents Overview 3 Getting GO!Enterprise MDM Ready for ISE 5 Grant ISE Access to the GO!Enterprise

More information

Corporate-level device management for BlackBerry, ios and Android

Corporate-level device management for BlackBerry, ios and Android B L A C K B E R R Y E N T E R P R I S E S E R V I C E 1 0 Corporate-level device management for BlackBerry, ios and Android Corporate-level (EMM) delivers comprehensive device management, security and

More information

Sophos Mobile Control Administrator guide. Product version: 3

Sophos Mobile Control Administrator guide. Product version: 3 Sophos Mobile Control Administrator guide Product version: 3 Document date: January 2013 Contents 1 About Sophos Mobile Control...4 2 About the Sophos Mobile Control web console...7 3 Key steps for managing

More information

CounterACT Plugin Configuration Guide for ForeScout Mobile Integration Module MaaS360 Version 1.0.1. ForeScout Mobile

CounterACT Plugin Configuration Guide for ForeScout Mobile Integration Module MaaS360 Version 1.0.1. ForeScout Mobile CounterACT Plugin Configuration Guide for ForeScout Mobile Integration Module Version 1.0.1 ForeScout Mobile Table of Contents About the Integration... 3 ForeScout MDM... 3 Additional Documentation...

More information

APPENDIX B1 - FUNCTIONALITY AND INTEGRATION REQUIREMENTS RESPONSE FORM FOR A COUNTY HOSTED SOLUTION

APPENDIX B1 - FUNCTIONALITY AND INTEGRATION REQUIREMENTS RESPONSE FORM FOR A COUNTY HOSTED SOLUTION APPENDIX B1 - FUNCTIONALITY AND INTEGRATION REQUIREMENTS RESPONSE FORM FOR A COUNTY HOSTED SOLUTION Response Code: Offeror should place the appropriate letter designation in the Availability column according

More information

Administering Jive Mobile Apps

Administering Jive Mobile Apps Administering Jive Mobile Apps Contents 2 Contents Administering Jive Mobile Apps...3 Configuring Jive for Android and ios... 3 Native Apps and Push Notifications...4 Custom App Wrapping for ios... 5 Native

More information

CA Performance Center

CA Performance Center CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is

More information

Upgrade Guide BES12. Version 12.1

Upgrade Guide BES12. Version 12.1 Upgrade Guide BES12 Version 12.1 Published: 2015-02-25 SWD-20150413111718083 Contents Supported upgrade environments...4 Upgrading from BES12 version 12.0 to BES12 version 12.1...5 Preupgrade tasks...5

More information

Workday Mobile Security FAQ

Workday Mobile Security FAQ Workday Mobile Security FAQ Workday Mobile Security FAQ Contents The Workday Approach 2 Authentication 3 Session 3 Mobile Device Management (MDM) 3 Workday Applications 4 Web 4 Transport Security 5 Privacy

More information

ManageEngine Desktop Central. Mobile Device Management User Guide

ManageEngine Desktop Central. Mobile Device Management User Guide ManageEngine Desktop Central Mobile Device Management User Guide Contents 1 Mobile Device Management... 2 1.1 Supported Devices... 2 1.2 What Management Operations you can Perform?... 2 2 Setting Up MDM...

More information

GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android with TouchDown

GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android with TouchDown GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android with TouchDown GO!Enterprise MDM for Android, Version 3.x GO!Enterprise MDM for Android with TouchDown 1 Table

More information

2X SecureRemoteDesktop. Version 1.1

2X SecureRemoteDesktop. Version 1.1 2X SecureRemoteDesktop Version 1.1 Website: www.2x.com Email: info@2x.com Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious

More information

Installing and Configuring vcenter Multi-Hypervisor Manager

Installing and Configuring vcenter Multi-Hypervisor Manager Installing and Configuring vcenter Multi-Hypervisor Manager vcenter Server 5.1 vcenter Multi-Hypervisor Manager 1.1 This document supports the version of each product listed and supports all subsequent

More information

Mobility Manager 9.5. Users Guide

Mobility Manager 9.5. Users Guide Mobility Manager 9.5 Users Guide LANDESK MOBILITY MANAGER Copyright 2002-2013, LANDesk Software, Inc. and its affiliates. All rights reserved. LANDesk and its logos are registered trademarks or trademarks

More information

Certificate Management

Certificate Management Certificate Management This guide provides information on...... Configuring the GO!Enterprise MDM server to use a Microsoft Active Directory Certificate Authority... Using Certificates from Outside Sources...

More information

Technical White Paper BlackBerry Security

Technical White Paper BlackBerry Security Technical White Paper BlackBerry Security For Microsoft Exchange Version 2.1 Research In Motion Limited 2002 Research In Motion Limited. All Rights Reserved Table of Contents 1. INTRODUCTION... 1 2. ARCHITECTURE...

More information

Vodafone Secure Device Manager Administration User Guide

Vodafone Secure Device Manager Administration User Guide Vodafone Secure Device Manager Administration User Guide Vodafone New Zealand Limited. Correct as of September 2014. Do business better Contents Introduction 3 Help 4 How to find help in the Vodafone Secure

More information

GO!Enterprise MDM Device Application User Guide Installation and Configuration for ios Devices

GO!Enterprise MDM Device Application User Guide Installation and Configuration for ios Devices GO!Enterprise MDM Device Application User Guide Installation and Configuration for ios Devices GO!Enterprise MDM for ios Devices, Version 3.x GO!Enterprise MDM for ios Devices 1 Table of Contents GO!Enterprise

More information

Kaspersky Security for Mobile Administrator's Guide

Kaspersky Security for Mobile Administrator's Guide Kaspersky Security for Mobile Administrator's Guide APPLICATION VERSION: 10.0 SERVICE PACK 1 Dear User, Thank you for choosing our product. We hope that you will find this documentation useful and that

More information

The Challenge. The Solution. Achieve Greater Employee Productivity & Collaboration...while Protecting Critical Business Data

The Challenge. The Solution. Achieve Greater Employee Productivity & Collaboration...while Protecting Critical Business Data The Challenge The Solution Today's employees demand mobile access to office information in order to maximize their productivity and they expect that enterprise collaboration and communication tools should

More information

Symantec App Center. Mobile Application Management and Protection. Data Sheet: Mobile Security and Management

Symantec App Center. Mobile Application Management and Protection. Data Sheet: Mobile Security and Management Mobile Application Management and Protection Data Sheet: Mobile Security and Management Overview provides integrated mobile application and device management capabilities for enterprise IT to ensure data

More information

iphone in Business Security Overview

iphone in Business Security Overview iphone in Business Security Overview iphone can securely access corporate services and protect data on the device. It provides strong encryption for data in transmission, proven authentication methods

More information

A Guide to New Features in Propalms OneGate 4.0

A Guide to New Features in Propalms OneGate 4.0 A Guide to New Features in Propalms OneGate 4.0 Propalms Ltd. Published April 2013 Overview This document covers the new features, enhancements and changes introduced in Propalms OneGate 4.0 Server (previously

More information

When enterprise mobility strategies are discussed, security is usually one of the first topics

When enterprise mobility strategies are discussed, security is usually one of the first topics Acronis 2002-2014 Introduction When enterprise mobility strategies are discussed, security is usually one of the first topics on the table. So it should come as no surprise that Acronis Access Advanced

More information

GO!Enterprise MDM Device Application User Guide Installation and Configuration for ios with TouchDown

GO!Enterprise MDM Device Application User Guide Installation and Configuration for ios with TouchDown GO!Enterprise MDM Device Application User Guide Installation and Configuration for ios with TouchDown GO!Enterprise MDM for ios Devices, Version 3.x GO!Enterprise MDM for ios with TouchDown 1 Table of

More information

Sophos Mobile Control Installation guide. Product version: 3.6

Sophos Mobile Control Installation guide. Product version: 3.6 Sophos Mobile Control Installation guide Product version: 3.6 Document date: November 2013 Contents 1 Introduction...3 2 The Sophos Mobile Control server...5 3 Set up Sophos Mobile Control...11 4 External

More information

Introduction to the Mobile Access Gateway

Introduction to the Mobile Access Gateway Introduction to the Mobile Access Gateway This document provides an overview of the AirWatch Mobile Access Gateway (MAG) architecture and security and explains how to enable MAG functionality in the AirWatch

More information

NeoMail Guide. Neotel (Pty) Ltd

NeoMail Guide. Neotel (Pty) Ltd NeoMail Guide Neotel (Pty) Ltd NeoMail Connect Guide... 1 1. POP and IMAP Client access... 3 2. Outlook Web Access... 4 3. Outlook (IMAP and POP)... 6 4. Outlook 2007... 16 5. Outlook Express... 24 1.

More information

http://www.trendmicro.com/download

http://www.trendmicro.com/download Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Active Directory Self-Service FAQ

Active Directory Self-Service FAQ Active Directory Self-Service FAQ General Information: info@cionsystems.com Online Support: support@cionsystems.com CionSystems Inc. Mailing Address: 16625 Redmond Way, Ste M106 Redmond, WA. 98052 http://www.cionsystems.com

More information

Cloud Services MDM. ios User Guide

Cloud Services MDM. ios User Guide Cloud Services MDM ios User Guide 10/24/2014 CONTENTS Overview... 3 Supported Devices... 3 System Capabilities... 3 Enrollment and Activation... 4 Download the Agent... 4 Enroll Your Device Using the Agent...

More information