Security Guide: BlackBerry Enterprise Service 12 for iOS, Android, and Windows Phone, Version 12.0
Published: SWD
Contents

- About this guide
- What is BES12?
  - Key features of BES12
- Security features
  - Security features for devices with MDM controls
  - Security features for devices with Secure Work Space
  - Protecting devices against jailbreaking and rooting
  - Supported features that are native to iOS and Android
  - Types of apps
- Activating and managing devices
  - What is the BES12 Client?
  - Activation passwords
  - User registration with the BlackBerry Infrastructure
  - Using activation types to configure your control over devices
  - Activating devices
    - Data flow: Activating an iOS device
    - Data flow: Activating an Android device
    - Data flow: Activating a Windows Phone device
  - Using IT policies to manage security
  - Using compliance profiles to enforce standards for iOS, Android, and Windows Phone devices
  - Preventing users from installing specific iOS, Android, and Windows Phone apps
  - Controlling which devices can use Exchange ActiveSync
- Protecting messages
- Data at rest
  - Passwords
    - iOS device passwords
    - Android device passwords
    - Windows Phone device passwords
  - Security timeout
  - Data wipe
    - Full device wipe
    - Work data wipe
  - Securing devices for work and personal use
    - Creating a work space on a device
    - Protecting work space data with encryption
    - Work space encryption
    - Sharing information between secured apps
    - Storing and protecting the work space password
    - Storing Work Browser data
    - Storing work space data on media cards
    - Deleting the work space
    - Attachments for third-party secured apps
    - Protecting work space data with password rules
    - Showing work contacts in caller ID on iOS devices
    - Controlling when devices wipe the work space
- Data in transit
  - Protection for all devices
    - Protecting Wi-Fi connections
    - Types of encryption used for communication between devices and your resources
    - Protecting data in transit between BES12 and devices
    - Protecting communication with devices using certificates
    - Connecting to a VPN
    - Providing devices with single sign-on access to your organization's network
  - Protection for devices with enterprise connectivity
    - How a device with enterprise connectivity connects to BES12
    - How BES12 authenticates with the BlackBerry Infrastructure
    - How a device with Secure Work Space connects to the BlackBerry Infrastructure
    - Storing and protecting certificates
    - User authentication with the BES12 Client
    - Extending the security of messages using S/MIME
- Secured apps
  - Managing the availability of secured apps on devices
  - How a work space wraps secured apps
  - How a work space fingerprints secured apps
  - App wrapping in the BlackBerry Infrastructure
- Product documentation
- Provide feedback
- Glossary
- Legal notice
About this guide

BES12 helps you manage devices for your organization, including BlackBerry 10, BlackBerry OS (5.0 to 7.1), iOS, Android, and Windows Phone devices. This guide describes the security for iOS, Android, and Windows Phone devices. It also describes how Secure Work Space delivers a higher level of control and security to iOS and Android devices.

This guide is intended for senior IT professionals responsible for evaluating the product and planning its deployment, as well as anyone who is interested in learning more about device security and Secure Work Space. After you read this guide, you should understand how BES12 can help protect data at rest, data in transit, and apps for your organization.
What is BES12?

BES12 is an EMM solution from BlackBerry. EMM solutions help you do the following:
- Manage mobile devices for your organization to protect business information
- Keep mobile workers connected with the information that they need
- Provide administrators with efficient business tools

With BES12, you can manage the following device types:
- BlackBerry 10
- BlackBerry OS (version 5.0 to 7.1)
- iOS
- Android
- Windows Phone

You can manage these devices from a single, simplified UI with industry-leading security.

Key features of BES12

Feature: Management of many types of devices
Description: You can manage BlackBerry 10, BlackBerry OS (version 5.0 to 7.1), iOS, Android, and Windows Phone devices.

Feature: Single, unified UI
Description: You can view all devices in one place and access all management tasks in a single, web-based UI. You can share administrative duties with multiple administrators who can access the management console at the same time.

Feature: Trusted and secure experience
Description: Device controls give you precise management of how devices connect to your network, what capabilities are enabled, and what apps are available. Whether the devices are owned by your organization or your users, you can protect your organization's information.

Feature: Balance of work and personal needs
Description: BlackBerry Balance and Secure Work Space technologies are designed to make sure that personal information and work information are kept separate and secure on devices. If the device is lost or the employee leaves the organization, you can delete only work-related information or all information from the device.
Security features

Different levels of security are available for the devices that BES12 manages. Silver-level EMM provides MDM controls for iOS, Android, and Windows Phone devices. MDM controls include device and app management and security features such as IT policies, profiles, and IT administration commands. Gold-level EMM provides all of these features for iOS and Android devices plus Secure Work Space.

Secure Work Space is a containerization, app wrapping, and secure enterprise connectivity option that delivers a higher level of control and security to iOS and Android devices. Secured apps are protected and separated from personal apps and data. The secured apps include an integrated email, calendar, and contacts app, an enterprise-level secure browser, and a secure document viewing and editing app. The work browser allows users to securely browse the work intranet and the Internet. If the device is lost or the employee leaves the organization, you can delete only work-related information or all information from the device.

Security features for devices with MDM controls

Feature: Manage devices and their work data
Description: If the actions are supported by the device and its operating system version, you can perform many actions to control access to work data on devices:
- Lock the device, change the device password, or delete information from the device
- Control how the device can connect to your organization's network, including Wi-Fi settings and, for iOS devices, VPN settings
- Control the capabilities of the device, such as setting rules for password strength and disabling functions like the camera
- Install certificates on iOS devices and optionally configure SCEP to permit automatic certificate enrollment

Feature: Control which devices can access Microsoft Exchange ActiveSync
Description: You can configure Microsoft Exchange to block devices from using Microsoft Exchange ActiveSync unless the devices are explicitly added to an allowed list in Microsoft Exchange. Using gatekeeping in BES12 lets you control which devices are added to the allowed list. When a device is added to the allowed list, a user can access work email and other information on the device.

Feature: Manage work apps
Description: On devices with MDM controls, work apps are apps that your organization makes available for its users. You can specify whether apps are required on devices, and you can view whether a work app is installed on a device.

Feature: Enforce your organization's requirements for devices
Description: You can use a compliance profile to help enforce your organization's requirements for devices, such as requiring that certain apps be installed on devices. On iOS and Android devices, you can disallow devices that are jailbroken or rooted. You can send a notification to users to ask them to meet your organization's requirements, or you can limit users' access to your organization's resources and applications, delete work data, or delete all data on the device.

Feature: Certificate-based authentication
Description: You can send certificates to devices using certificate profiles. You can also send certificates to iOS devices using SCEP profiles. These profiles help to restrict access to Microsoft Exchange ActiveSync, Wi-Fi connections, or VPN connections to devices that use certificate-based authentication. (VPN is only available on iOS devices.) This feature also helps you control Microsoft Exchange ActiveSync, Wi-Fi connections, or VPN connections on devices because BES12 is designed to automatically remove profiles and certificates when a device violates one of the predefined compliance conditions (for example, compliance conditions for jailbroken devices or rooted devices). Certificate-based authentication does not require a proxy server between the device and your organization's messaging server.

Feature: FIPS certification for the BES12 Client
Description: The BES12 Client is an app that allows BES12 to communicate with iOS and Android devices. The BES12 Client uses a FIPS-validated cryptographic module to encrypt all of the data that it stores directly and writes indirectly to files.

Security features for devices with Secure Work Space

Feature: Protection of data in transit between BES12 and a device
Description: BES12 protects the data that is in transit between BES12 and a device with Secure Work Space. BES12 and a device can communicate using the TLS protocol with the AES-256 algorithm.

Feature: Ability to connect to work resources without using VPN or inbound ports in the firewall
Description: A device with Secure Work Space sends data to the BlackBerry Infrastructure, which then communicates with BES12 over its outbound-initiated, bi-directional ports. Data travels back from BES12 to the device using the same path.

Feature: Protection of work space data on a device
Description: The work space includes secured apps. Secured apps are work apps that the work space secures with additional protections. By default, secured apps protect their data using AES-256 encryption. If you choose to allow all apps to access data in the work space, then secured apps do not encrypt their data. Secured apps hash passwords before storing them. The work space isolates work space data from other data. A secured app can only communicate and share data with another secured app, unless you choose to allow all apps to access data in the work space. The work space allows a user to copy and paste from one secured app to another, but not to a work app or personal app.

Feature: FIPS certification for the encryption of work space data
Description: The work space encrypts all of the data that it stores directly and writes indirectly to files using a FIPS-validated cryptographic module.

Feature: Control of the behavior of a device
Description: To control the behavior of a device, you can send it an IT policy to change security settings or control hardware and software features. For example, you can send an IT policy to hide the default web browser or enforce a device password on a device with Secure Work Space.

Feature: Protection of user information
Description: The device allows a user to delete all user information and app data from the device memory.

Feature: Protection of the operating system
Description: The work space can restart a process for a secured app that stops responding without negatively affecting other processes. The work space validates requests that apps make for resources on the device.

Feature: Protection of app data using sandboxing
Description: The work space uses sandboxing to separate and restrict the capabilities and permissions of secured apps that run on the device. Each application process in the work space runs in its own sandbox. The work space evaluates the requests that a secured app's processes make for memory outside of its sandbox.

Feature: Management of permissions to access capabilities
Description: The work space evaluates every request that a secured app makes to access a capability on the device.

Feature: Ability to add your own secured apps
Description: Your organization can convert internal apps into secured apps that can be installed and run in the work space. To convert an app into a secured app, you must secure the app binary file using the BES12 management console, and then the app developer must re-sign the app (and, if necessary for an iOS app, create an entitlements file). You can then install the app in the work space on devices.

Feature: Ability to add secured apps from other vendors
Description: Third-party app developers can secure and re-sign their applications and make them available on the App Store or Google Play for you to send to users. Apps from the App Store or Google Play that are not designated as secured apps cannot be installed or run in the work space. Only the app vendor can secure and re-sign an app so that it can be installed in the work space.

Feature: Protection of the account manager on a device
Description: Some devices use an account manager to store credentials for different user accounts. The work space protects the credentials stored by secured apps so that the credentials can be shared by secured apps but not other apps.

Feature: Protection of secured apps from trojans and malicious software
Description: The work space fingerprints apps to make sure that only known and trusted apps can run as secured apps. Secured apps are validated before they are sent to a device's work space and every time that the device runs them.

Feature: Detection of jailbroken or rooted status
Description: If a device is jailbroken or rooted, the user has root access to the operating system of the device. BES12 is designed to detect if a device is jailbroken or rooted. You can notify or require the user to remove jailbreaking software or rooting software from the device. A user with a device with Secure Work Space cannot access the work space if the device is jailbroken or rooted.

Protecting devices against jailbreaking and rooting

iOS: For iOS devices, Secure Work Space has protections against jailbreaking that go beyond the checks for path names and common files that many competitors use. Secure Work Space performs additional checks, such as testing whether privileges can be escalated by forking processes and running system calls. Secured apps perform in-process memory checks that identify jailbreak signatures in real time and provide a robust defense against all forms of jailbreak. In-process memory checks are protected by multiple mechanisms to prevent the algorithms from being overcome. For example, checks are dispersed throughout the code and include red herrings and other defensive tactics. Jailbreak checks run when secured apps run. If a user loses a device, and an attacker jailbreaks the device, the encryption of the work space protects the work space data from exploits such as bit copies of persistent memory. To run Secure Work Space on an iOS device that has been jailbroken, you must revert the device to a non-jailbroken state.

Android OS: For Android devices, Secure Work Space uses the device manufacturer's MDM APIs to detect whether the device has been rooted, as well as additional detection methods specific to Secure Work Space. The checks are run in order of likelihood, and stop when they detect that the device has been rooted. The device manufacturer's detection methods are licensed through a partner program and are not publicly available. To run Secure Work Space on an Android device that has been rooted, you must revert the device to a non-rooted state.

Supported features that are native to iOS and Android

The following features are native to iOS and Android, and they are also supported by BES12. For more information about these features, see the iOS and Android documentation available from Apple and Google.

Feature: Full-disk encryption
Description: Full-disk encryption ensures that all of a device's data is stored in an encrypted form, accessible to users who enter an encryption PIN or password. BES12 supports the native full-disk encryption offered on iOS and Android.

Feature: Address space layout randomization
Description: Address space layout randomization makes it more difficult for attackers to exploit a device and run their own code. This technique randomizes the location of system components in memory so that attackers find it difficult to know where a vulnerability exists. BES12 supports the native address space layout randomization offered on iOS and Android.

Types of apps

Devices with Secure Work Space can run three different types of apps:

Type of app: Personal app
Description: An app that the user installs on the device, or an app that the manufacturer or wireless service provider installs on the device. BES12 treats these apps, and the data that they store, as personal data.

Type of app: Work app
Description: An app that you install and manage on a user's device. BES12 treats these apps, and the data that they store, as work data.

Type of app: Secured app
Description: A work app that the work space secures with additional protections. BES12 treats these apps, and the data that they store, as work space data.

There are three different types of secured apps:

Type of app: Default secured app
Description: A secured app that appears on every device with Secure Work Space.

Type of app: Internal secured app
Description: An app that your organization develops and specifically prepares to run in the work space.

Type of app: External secured app
Description: An app that a third party develops and the app vendor specifically prepares to run in the work space.
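The compliance profile described in this chapter lists escalating responses to a non-compliant device (notify the user, limit access to resources, delete work data, delete all data), and the jailbreak and rooting sections state that a device with Secure Work Space loses access to the work space when it is jailbroken or rooted. The following evaluator is an added example, not BES12 code: it applies a constructed profile to constructed device posture records and returns each device's violations together with the most severe configured action. Rule names, record fields, the version numbers and the device identifiers are assumptions; the app names follow the list in the activation data flows.

```python
"""Compliance-profile evaluation over constructed device posture records.
Added example, not BES12 code: models the escalating actions the guide
lists (notify, restrict access, delete work data, delete all data) and
the rule that a jailbroken or rooted device loses work space access.
Rule names, record fields and all sample values are assumptions."""
from dataclasses import dataclass, field
from enum import IntEnum


class Action(IntEnum):
    """Enforcement actions, ordered from mildest to most severe."""
    NONE = 0
    NOTIFY = 1          # ask the user to meet the requirement
    RESTRICT = 2        # limit access to organization resources
    WIPE_WORK = 3       # delete work data
    WIPE_DEVICE = 4     # delete all data on the device


@dataclass
class Device:
    device_id: str
    os: str
    os_version: tuple
    jailbroken_or_rooted: bool
    installed_apps: set = field(default_factory=set)
    work_space: bool = False   # activated with a Secure Work Space type


@dataclass
class ComplianceProfile:
    required_apps: set
    min_os_version: dict        # os name -> minimum version tuple
    disallow_jailbroken: bool
    action_on_root: Action
    action_on_missing_app: Action
    action_on_old_os: Action


def evaluate(device, profile):
    """Return (violations, action) for one device.

    Every rule is checked, and the most severe action among the violated
    rules is returned, so a device never gets a milder response than any
    single violated rule demands."""
    violations = []
    action = Action.NONE
    if profile.disallow_jailbroken and device.jailbroken_or_rooted:
        violations.append("jailbroken_or_rooted")
        action = max(action, profile.action_on_root)
    missing = profile.required_apps - device.installed_apps
    if missing:
        violations.append("missing_apps:" + ",".join(sorted(missing)))
        action = max(action, profile.action_on_missing_app)
    minimum = profile.min_os_version.get(device.os)
    if minimum is not None and device.os_version < minimum:
        violations.append("os_version_below_minimum")
        action = max(action, profile.action_on_old_os)
    return violations, action


def work_space_accessible(device):
    """A device with Secure Work Space cannot open the work space while it
    is jailbroken or rooted, whatever action the profile configures."""
    return device.work_space and not device.jailbroken_or_rooted


# Constructed sample profile and devices (app names follow the guide's list).
SAMPLE_PROFILE = ComplianceProfile(
    required_apps={"Work Connect", "Work Browser"},
    min_os_version={"iOS": (8, 0), "Android": (4, 4)},
    disallow_jailbroken=True,
    action_on_root=Action.WIPE_WORK,
    action_on_missing_app=Action.NOTIFY,
    action_on_old_os=Action.RESTRICT,
)
SAMPLE_DEVICES = [
    Device("ios-001", "iOS", (8, 1), False, {"Work Connect", "Work Browser"}, True),
    Device("android-002", "Android", (4, 4), True, {"Work Connect", "Work Browser"}, True),
    Device("android-003", "Android", (4, 2), False, {"Work Connect"}, False),
]


def run_report(devices=SAMPLE_DEVICES, profile=SAMPLE_PROFILE):
    """Map device ID -> (violations, action) for a fleet."""
    return {d.device_id: evaluate(d, profile) for d in devices}


if __name__ == "__main__":
    for device_id, (violations, action) in run_report().items():
        print(f"{device_id}: {action.name} {violations}")
```

Taking the maximum over the violated rules rather than stopping at the first match matters when a device breaks several rules at once: the sample Android device that is missing an app and runs an old OS version receives the restrict action, not the milder notification that the missing app alone would trigger.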
Activating and managing devices

Device activation associates a device with a user account in BES12 and establishes a secure communication channel between the device and BES12. BES12 allows multiple devices to be activated for the same user account. More than one active iOS, Android, Windows Phone, and BlackBerry 10 device can be associated with a user account. All device types consume a license when they are activated.

By default, a user can activate a device using any of the following connections:
- Over any Wi-Fi connection or mobile network through the BlackBerry Infrastructure
- Over any Wi-Fi connection or mobile network using a VPN connection with a connection to the BlackBerry Infrastructure (iOS only)

Your organization's activation information is registered automatically with the BlackBerry Infrastructure. The username and your organization's BES12 server address are sent to and stored in the BlackBerry Infrastructure. If you turn off registration with the BlackBerry Infrastructure, then BES12 users also require the organization's BES12 server address to activate their devices. Users can activate their devices after they receive an activation message from BES12, or they can log in to BES12 Self-Service and request an activation password. After the activation process completes, BES12 can send apps, profiles, and IT policies to the device. If an email profile is configured, the user can send and receive work email messages using the device.

What is the BES12 Client?

The BES12 Client is an app that allows BES12 to communicate with iOS, Android, and Windows Phone devices. If users want to activate these devices on BES12, they must install the BES12 Client on the devices. Users can download the latest version of the BES12 Client from the App Store for iOS devices, from Google Play for Android devices, or from the Windows Marketplace for Windows Phone.

After users activate their devices, the BES12 Client allows users to do the following:
- Verify whether their devices are compliant with the organization's standards
- View the profiles that have been assigned to their user accounts
- View the IT policy rules that have been assigned to their user accounts
- Deactivate their devices

Activation passwords

You can specify how long an activation password remains valid before it expires. You can also specify the default password length for the automatically generated password that is sent to users in the activation message. The value that you enter for the activation period expiration appears as the default setting in the "Activation period expiration" field when you add a user account to BES12. The activation period expiration can be 1 minute to 30 days, and the length of the automatically generated password can be 4 to 16 characters.

User registration with the BlackBerry Infrastructure

User registration with the BlackBerry Infrastructure is a setting in the default activation settings that allows users to be registered with the BlackBerry Infrastructure when you add a user to BES12. Information sent to the BlackBerry Infrastructure is sent and stored securely. The benefit of registration is that users don't have to enter the server address when they are activating a device; they only need to enter their email address and password. The BES12 Client installed on iOS, Android, and Windows Phone devices then communicates with the BlackBerry Infrastructure to retrieve the server address. A secure connection is established with BES12 with minimal user input. You can turn off user registration with the BlackBerry Infrastructure if you don't want to send user information to BlackBerry.

Using activation types to configure your control over devices

You can use activation types to configure how much control you have over activated devices. This flexibility of control levels is useful if you want to have full control over a device that you issue to a user, or if you want to make sure that you have no control over the personal data on a device that the user owns and brings to work. There are three activation types for Android and iOS devices, and one activation type for Windows Phone devices.

Activation type: MDM controls
Applies to: iOS, Android, Windows Phone
Description: This activation type provides basic device management using device controls made available by iOS, Android, and Windows Phone. There is no separate work space installed on the device, and no added security for work data. You can control the device using IT administration commands and IT policies. During activation, users with an iOS device must install a mobile device management profile, users with an Android device must permit Administrator permissions for the BES12 Client, and users with a Windows Phone device must enroll their device through the Windows Phone company apps.

Activation type: Work and personal - full control
Applies to: iOS, Android
Description: This activation type provides full control of devices. When a device is activated, a separate work space is created on the device and the user must create a password to access the work space. Work data is protected using encryption and password authentication. You can control the work space, and some other aspects of the device that affect both the personal and work space, using IT administration commands and IT policies. During activation, users with an iOS device must install a mobile device management profile and users with an Android device must permit Administrator permissions for the BES12 Client.

Activation type: Work and personal - user privacy
Applies to: iOS, Android
Description: This activation type provides control of work data on devices, while making sure that there is privacy for personal data. When a device is activated, a separate work space is created on the device and the user must create a password to access the work space. Work data is protected using encryption and password authentication. You can control the work space on the device using IT administration commands and IT policies, but you cannot control any aspects of the personal space on the device. Users with an iOS device are not required to install a mobile device management profile and users with an Android device do not have to permit Administrator permissions for the BES12 Client.
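The limits stated under "Activation passwords" (an activation period of 1 minute to 30 days, a generated password of 4 to 16 characters) are enough to build a small issuance and verification routine around. The following is an added example, not BES12 code and not a description of how BES12 stores activation passwords: it generates the password from a cryptographically secure source, keeps only a salted PBKDF2 hash on the server side, and refuses the password once it has expired or has been used to activate a device. The record layout, function names and hashing parameters are assumptions.

```python
"""Activation-password issuance and verification within the limits the
guide states (4 to 16 characters, 1 minute to 30 days). Added example,
not BES12 code; the record layout and parameters are assumptions."""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass

ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH, MAX_LENGTH = 4, 16                # characters
MIN_PERIOD, MAX_PERIOD = 60, 30 * 24 * 3600   # seconds: 1 minute to 30 days
PBKDF2_ITERATIONS = 100_000                   # assumed hashing parameter


@dataclass
class ActivationRecord:
    """Server-side state for one issued activation password."""
    username: str
    salt: bytes
    digest: bytes
    expires_at: float   # seconds since the epoch
    used: bool = False


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def issue_activation_password(username, length, period_seconds, now):
    """Generate a password and return (password, record).

    The clear-text password is handed to the user once, for example in the
    activation email; the server retains only the salted hash."""
    if not MIN_LENGTH <= length <= MAX_LENGTH:
        raise ValueError("password length must be 4 to 16 characters")
    if not MIN_PERIOD <= period_seconds <= MAX_PERIOD:
        raise ValueError("activation period must be 1 minute to 30 days")
    password = "".join(secrets.choice(ALPHABET) for _ in range(length))
    salt = secrets.token_bytes(16)
    record = ActivationRecord(username, salt, _digest(password, salt),
                              now + period_seconds)
    return password, record


def verify_activation(record, username, password, now):
    """Return True, and mark the record used, if the credentials are valid.

    Expired or already-used records fail before any hashing, the username
    and hash comparisons are constant time, and a successful check consumes
    the record so the same activation password cannot enroll a second
    device."""
    if record.used or now > record.expires_at:
        return False
    if not hmac.compare_digest(username.encode(), record.username.encode()):
        return False
    if not hmac.compare_digest(_digest(password, record.salt), record.digest):
        return False
    record.used = True
    return True


if __name__ == "__main__":
    import time
    pw, rec = issue_activation_password("alice", 8, 10 * 60, time.time())
    print("activation password for alice:", pw)
    print("verify correct:", verify_activation(rec, "alice", pw, time.time()))
    print("verify reuse:", verify_activation(rec, "alice", pw, time.time()))
```

The expiry check runs before the hash is computed so that expired records cost nothing to reject, and the record is marked used only after a successful comparison, so a failed attempt against a live password does not consume it.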
Activating devices

An activation type profile determines whether devices have a separate work space installed, and how you can manage the data in the work space and personal space. If you assign an activation type profile to a user account using the activation type "Work and personal - full control" or "Work and personal - user privacy," then when the device is activated, the following steps happen:
1. A work space is created on the device.
2. The work space is associated with a user account in BES12.
3. A secure communication channel is established between the device and BES12 using an SSL certificate.

For more information about activation types, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Administration Guide. For more information about installing an SSL certificate, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Configuration Guide.

BES12 allows multiple devices to be activated for the same user account. Your organization must also activate the appropriate licenses. If you or a user tries a work space activation but the required license is not available, the device will not activate correctly and it will not be able to access your organization's data.

You can activate a device for a user by logging in to the administration console and connecting the device to the computer. You can also configure how users can activate devices and whether you can use the administration console to send activation passwords and instructions to a user's work email account. By default, a user can activate a device wirelessly using any of the following connections:
- Over your work Wi-Fi network through the BlackBerry Infrastructure
- Over any Wi-Fi connection or mobile network through the BlackBerry Infrastructure

When the activation process completes, BES12 can send apps, profiles, and IT policy files to the device. If email profiles are configured, users can send and receive work email messages using the device.

Data flow: Activating an iOS device

1. You perform the following actions:
   a. Add a user to BES12 as a local user account, or by using the account information retrieved from your company directory
   b. Assign an activation profile to the user
   c. Use one of the following options to provide the user with activation details:
      - Automatically generate a device activation password and send an email with activation instructions for the user
      - Set a device activation password and communicate the username and password to the user directly or by email
      - Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password
2. The user downloads and installs the BES12 Client on the device. Once installed, the user opens the BES12 Client and enters the email address and activation password on the device.
3. The BES12 Client on the device performs the following actions:
   a. Establishes a connection to the BlackBerry Infrastructure
   b. Sends a request for activation information to the BlackBerry Infrastructure
4. The BlackBerry Infrastructure performs the following actions:
   a. Verifies that the user is a valid, registered user
   b. Retrieves the BES12 address for the user
   c. Sends the address to the BES12 Client
5. The BES12 Client establishes a connection with BES12.
6. BES12 prompts the user to accept the BES12 certificate. This prompt includes information about the SSL certificate, including the Common Name, fingerprint, and whether the certificate is trusted or untrusted. If the certificate has been preinstalled on the device, it is trusted; otherwise, it is untrusted.
7. The user accepts the certificate.
8. The BES12 Client sends an activation request to BES12. The activation request includes the username, password, device operating system, and unique device identifier.
9. BES12 performs the following actions:
   a. Inspects the credentials for validity
   b. Creates a device instance
   c. Associates the device instance with the specified user account in the BES12 database
   d. Adds the enrollment session ID to an HTTP session
   e. Sends a successful authentication message to the device
10. The BES12 Client creates a CSR using the information received from BES12 and sends a client certificate request over HTTPS.
11. BES12 performs the following actions:
   a. Validates the client certificate request against the enrollment session ID in the HTTP session
   b. Signs the client certificate request with the root certificate
   c. Sends the signed client certificate and root certificate back to the BES12 Client
12. A mutually authenticated TLS session is established between the BES12 Client and BES12.
13. The BES12 Client displays a message to inform the user that a certificate must be installed to complete the activation.
14. The user clicks OK and is redirected to the link for the native MDM Daemon activation.
15. The BES12 Client establishes a connection to BES12.
16. BES12 provides the MDM profile to the BES12 Client. This profile contains the MDM activation URL and the challenge. The MDM profile is wrapped as a PKCS#7 signed message that includes the full certificate chain of the signer, which allows the device to validate the profile. This triggers the enrollment process.
17. The native MDM Daemon on the device sends the device profile, including the customer ID, language, and OS version, to BES12.
18. BES12 validates that the request is signed by a CA and responds to the native MDM Daemon with a successful authentication notification.
19. The native MDM Daemon sends a request to BES12 asking for the CA certificate, CA capabilities information, and a device-issued certificate.
20. BES12 sends the CA certificate, CA capabilities information, and the device-issued certificate to the native MDM Daemon.
21. The native MDM Daemon installs the MDM profile on the device.
22. The BES12 Client notifies BES12 of the successful installation of the MDM profile and certificate and polls BES12 periodically until it acknowledges that the MDM activation is complete.
23. BES12 acknowledges that the MDM activation is complete.
24. The BES12 Client requests all configuration information and sends the device and software information to BES12.
25. BES12 stores the device information in the database and sends configuration information to the device.
26. The device sends an acknowledgment to BES12 that it received and applied the configuration updates. The activation process is complete.

If the activation type for the device is "Work and personal - user privacy" or "Work and personal - full control", after the activation is completed, the user is prompted to create a work space password. Additionally, the user may be prompted to install some or all of the following apps:
- Work Connect
- Work Browser
- Documents To Go

Note: If the device is activated with the "Work and personal - user privacy" activation type, the users are not prompted to install the secure apps and must manually download and install them.

Data flow: Activating an Android device

1. You perform the following actions:
   a. Add a user to BES12 as a local user account, or by using the account information retrieved from your company directory
   b. Assign an activation profile to the user
   c. Use one of the following options to provide the user with activation details:
      - Automatically generate a device activation password and send an email with activation instructions for the user
      - Set a device activation password and communicate the username and password to the user directly or by email
      - Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password
2. The user downloads and installs the BES12 Client on the device. Once installed, the user opens the BES12 Client and enters the email address and activation password on the device.
3. The BES12 Client on the device performs the following actions:
   a. Establishes a connection to the BlackBerry Infrastructure
   b. Sends a request for activation information to the BlackBerry Infrastructure
4. The BlackBerry Infrastructure performs the following actions:
   a. Verifies that the user is a valid, registered user
   b. Retrieves the BES12 address for the user
   c. Sends the address to the BES12 Client
5. The BES12 Client establishes a connection with BES12.
6. BES12 prompts the user to accept the BES12 certificate. This prompt includes information about the SSL certificate, including the Common Name, fingerprint, and whether the certificate is trusted or untrusted. If the certificate has been preinstalled on the device, it is trusted; otherwise, it is untrusted.
7. The user accepts the certificate.
8. The BES12 Client sends an activation request to BES12. The activation request includes the username, password, device operating system, and unique device identifier.
9. BES12 performs the following actions:
   a. Inspects the credentials for validity
   b. Creates a device instance
   c. Associates the device instance with the specified user account in the BES12 database
   d. Adds the enrollment session ID to an HTTP session
   e. Sends a successful authentication message to the device
10. The BES12 Client creates a CSR using the information received from BES12 and sends a client certificate request to BES12 over HTTPS.
11. BES12 performs the following actions:
   a. Validates the client certificate request against the enrollment session ID in the HTTP session
   b. Signs the client certificate request with the root certificate
   c. Sends the signed client certificate and root certificate back to the BES12 Client
12. A mutually authenticated TLS session is established between the BES12 Client and BES12.
13. The BES12 Client requests all configuration information and sends the device and software information to BES12.
14. BES12 stores the device information in the database and sends the requested configuration information to the device.
15. The device sends an acknowledgment to BES12 that it received and applied the configuration information. The activation process is complete.

If the activation type for the device is "Work and personal - user privacy" or "Work and personal - full control", after the activation is completed, the user is prompted to create a work space password. Additionally, the user may be prompted to install some or all of the following apps:
- Secure Work Space
- Work Space Manager
- Documents To Go

Note: If the device is activated with the "Work and personal - user privacy" activation type, the users are not prompted to install the secure apps and must manually download and install them.
Data flow: Activating a Windows Phone device

1. You perform the following actions:
   a. Add a user to BES12 as a local user account, or by using the account information retrieved from your company directory
   b. Assign an activation profile to the user
   c. Use one of the following options to provide the user with activation details:
      - Automatically generate a device activation password and send an email with activation instructions to the user
      - Set a device activation password and communicate the username and password to the user directly or by email
      - Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password
2. The user downloads and installs the BES12 Client on the device. After it is installed, the user opens the BES12 Client and enters the email address and activation password on the device.
3. The BES12 Client on the device performs the following actions:
   a. Establishes a connection to the BlackBerry Infrastructure
   b. Sends a request for activation information to the BlackBerry Infrastructure
4. The BlackBerry Infrastructure performs the following actions:
   a. Verifies that the user is a valid, registered user
   b. Retrieves the BES12 address for the user
   c. Sends the address to the BES12 Client
5. The BES12 Client establishes a connection with BES12.
6. BES12 prompts the user to accept the BES12 certificate. This prompt includes information about the SSL certificate, including the Common Name and fingerprint.
7. The BES12 Client sends an activation request to BES12. The activation request includes the username, password, device operating system, and unique device identifier.
8. BES12 performs the following actions:
   a. Inspects the credentials for validity
   b. Creates a device instance
   c. Associates the device instance with the specified user account in the BES12 database
   d. Adds the enrollment session ID to an HTTP session
   e. Sends a successful authentication message to the device
9. The BES12 Client creates a CSR using the information received from BES12 and sends a client certificate request over HTTPS.
10. BES12 performs the following actions:
   a. Validates the client certificate request against the enrollment session ID in the HTTP session
   b. Signs the client certificate request with the root certificate
   c. Sends the signed client certificate and root certificate back to the BES12 Client
11. A mutually authenticated TLS session is established between the BES12 Client and BES12.
12. The BES12 Client displays a message and a video to show the user the steps the user must take to complete the activation.
13. The BES12 Client sends the device information to BES12.
14. The user copies the server address and navigates to the Windows Phone settings to complete the activation.
15. The user adds an account using their username and activation password and pastes the server address.
16. The native MDM Daemon on the Windows Phone device sends a CSR to BES12 that contains the username and activation password.
17. BES12 validates the username and password, validates the CSR, and returns the client certificate and the CA certificate to the device.
18. All communication between the native MDM Daemon and BES12 is now mutually authenticated end to end using these certificates.
19. The BES12 Client polls BES12 periodically until it acknowledges that the MDM activation is complete.
20. BES12 acknowledges that the MDM activation is complete.
21. The BES12 Client requests all configuration information.
22. BES12 stores the device information in the database and sends configuration information to the device.
23. The device sends an acknowledgment to BES12 that it received and applied the configuration updates. The activation process is complete.

Using IT policies to manage security

An IT policy is a set of rules that restrict or allow features and functionality on devices. IT policy rules can manage the security and behavior of devices. The device OS and device activation type determine which rules in an IT policy apply to a specific device. For example, depending on the device activation type, OS, and version, IT policy rules can be used to:
- Enforce password requirements on devices or the device work space
- Prevent users from using the camera
- Force data encryption

Only one IT policy can be assigned to each user account, and the assigned IT policy is sent to all of the user's devices. If you don't assign an IT policy to a user account or to a group that a user or device belongs to, BES12 sends the Default IT policy to the user's devices. You can rank IT policies to specify which policy is sent to devices if a user or a device is a member of two or more groups that have different IT policies and no IT policy is assigned directly to the user account. BES12 sends the highest ranked IT policy to the user's devices. For more information about assigning and ranking IT policies, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Administration Guide.

BES12 automatically sends IT policies to devices when a user activates a device, when an assigned IT policy is updated, and when a different IT policy is assigned to a user or group. When a device receives a new or updated IT policy, the device applies the configuration changes in near real-time.

For more information about specific IT policy rules, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Policy Reference Spreadsheet.

Using compliance profiles to enforce standards for iOS, Android, and Windows Phone devices

You can use compliance profiles to encourage iOS, Android, and Windows Phone device users to follow your organization's standards for the use of mobile devices. A compliance profile specifies the device conditions that aren't acceptable in your organization, the notification messages sent to users, and the actions taken if a device is non-compliant.

Depending on the OS and version, you can specify whether the following conditions are permitted:

- Jailbroken or rooted device
- Non-assigned app is installed
- Required app isn't installed

You can also specify how BES12 responds when a device violates compliance rules. Actions can include the following:

- Send an email message to the user
- Display a notification message on the device
- Prevent the user from accessing the organization's resources and apps from the device, either immediately or after a period of time
- Delete work data from the device, either immediately or after a period of time
- Delete all data from the device, either immediately or after a period of time

For more information, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Administration Guide.
Preventing users from installing specific iOS, Android, and Windows Phone apps

You can create a list of iOS, Android, and Windows Phone apps that you do not want users to install on their devices. For example, you can prevent users from installing malicious apps or apps that require many resources.

You can create a compliance profile that specifies what action an iOS or Android device takes if a restricted app is installed and assign the compliance profile to users or user groups. If the user does not remove the restricted app from the device, the compliance profile specifies the actions that must occur. If a user installs a restricted app, the user's device reports that it is not compliant. The report displays the name of the restricted app and the actions that must occur if the user doesn't uninstall the app.

For Windows Phone 8.1 or later, you only have to add the app to the compliance profile. The user cannot install any app that you add to the compliance profile. If a user tries to install a restricted app, the device displays a message that the app is restricted and cannot be installed.

Controlling which devices can use Exchange ActiveSync

Microsoft Exchange can be configured to block devices from using Exchange ActiveSync unless the devices are explicitly added to an allowed list in Microsoft Exchange. Devices that aren't on the allowed list can't access work email and organizer data. In BES12, you can set up Microsoft Exchange gatekeeping to control which devices are automatically added to the allowed list on your Microsoft Exchange Server.

If you use Microsoft Exchange gatekeeping, when a user who is assigned an email profile activates an iOS device or an Android device with a work space, the device is automatically added to the allowed list in Microsoft Exchange. A device is automatically removed from the allowed list if you remove the email profile from the user account, if the device violates the settings in the assigned compliance profile, or if the device is deactivated. You must manually add and remove Android devices that do not have a work space to and from the allowed list.

For more information about turning on Microsoft Exchange gatekeeping and adding or removing devices to or from the allowed list, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Administration Guide.

Protecting email messages

Devices can use Exchange ActiveSync or IBM Notes Traveler to synchronize email messages, calendar entries, contacts, and other organizer data with your organization's mail server. IBM Notes Traveler is supported with Windows Phone and in the secure work space on iOS and Android devices. BES12 can allow devices that are not connected to your organization's internal network or do not have a VPN connection to synchronize with the mail server without requiring you to make connections to the mail server available from outside the firewall.

BES12 allows devices to synchronize securely with the mail server over the BlackBerry Infrastructure using the same encryption methods that it uses for all other work data. When BES12 provides the connection between your mail server and devices, BES12 IT policies take precedence over any policies set for the devices on the mail server.

If your organization uses SCEP to enroll certificates to iOS devices, you can associate a SCEP profile with an email profile to require certificate-based authentication to help protect connections between iOS devices and the mail server.
Data at rest

The work space protects work space data at rest by encrypting the data and hashing passwords before storing them. You can also require password protection and control when devices wipe their work space.

Passwords

Device passwords protect your organization's data and user information that is stored on devices. For devices with a work space, the work space password is used to protect work space data. You can use BES12 to enforce password protection on devices. You can also use BES12 to lock devices remotely and change or clear their passwords.

iOS device passwords

You can use the "Password required for device" IT policy rule to require iOS device users to set a device password. You can enforce additional password requirements on devices using the following IT policy rules:

- Allow simple value
- Require alphanumeric value
- Minimum passcode length
- Minimum number of complex characters
- Maximum passcode age
- Maximum auto-lock
- Passcode history
- Maximum grace period for device lock
- Maximum number of failed attempts

For more information about IT policy rules, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Policy Reference Spreadsheet.

Changing iOS device passwords

You can use BES12 to lock or unlock iOS devices remotely and clear their passwords. You can do this, for example, if a device is lost or if a user forgets their password.
You can use the "Lock device" IT administration command to lock a device remotely. The user must type the existing device password to unlock the device. You can use this command if a device is lost or stolen.

You can use the "Unlock and clear password" IT administration command to unlock a device and clear the existing password. The user is prompted to create a new device password. You can use this command if a user forgets their device password.

For more information about sending these commands to devices, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Administration Guide.

Android device passwords

You can use the "Password requirements" IT policy rule to require Android device users to set a device password and to specify minimum requirements for device passwords. You can enforce additional password requirements on devices using the following IT policy rules:

- Maximum failed password attempts
- Maximum inactivity time lock
- Password expiration timeout
- Password history restriction
- Minimum password length
- Minimum uppercase letters required in password
- Minimum lowercase letters required in password
- Minimum letters required in password
- Minimum numerical digits required in password
- Minimum symbols required in password

For more information about IT policy rules, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Policy Reference Spreadsheet.

Changing Android device passwords

You can use BES12 to lock or unlock Android devices remotely and change or clear their passwords. You can do this, for example, if a device is lost or if a user forgets the password.

You can use the "Lock device" IT administration command to lock a device remotely. The user must type the existing device password to unlock the device. You can use this command if a device is lost or stolen.

You can use the "Unlock and clear password" IT administration command to unlock a device and clear the existing password. The user is prompted to create a new device password. You can use this command if a user forgets their device password.

You can use the "Specify device password and lock" IT administration command to create a new device password and lock a device. When the user unlocks the device, they are prompted to accept or reject the new password. You can use this command if a device is lost or stolen.
For more information about sending these commands to devices, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Administration Guide.

Windows Phone device passwords

You can use the "Password required for device" IT policy rule to require Windows Phone device users to set a device password. Depending on the OS version, you can enforce additional password requirements on devices using the following IT policy rules:

- Allow simple password
- Minimum password length
- Password complexity
- Password expiration
- Password history
- Maximum failed password attempts
- Maximum inactivity time lock
- Minimum number of complex character types
- Allow idle return without password

For more information about IT policy rules, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Policy Reference Spreadsheet.

Security timeout

You can use BES12 to require that iOS, Android, and Windows Phone devices lock after a certain period of inactivity.

For iOS devices, the "Maximum auto-lock" IT policy rule can be used to require that devices lock after a certain period of inactivity. You can use the "Maximum grace period for device lock" IT policy rule to allow users to unlock their devices without entering their passwords after a specified period of inactivity.

For Android devices, you can use the "Maximum inactivity time lock" IT policy rule to require that a device lock after a specified period of inactivity.

For Windows Phone devices, you can use the "Maximum inactivity time lock" IT policy rule to require that a device lock after a specified period of inactivity.

For more information about IT policy rules, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Policy Reference Spreadsheet.
Data wipe

To protect your organization's data and user information on devices, you can use BES12 to delete work data or all data on devices. Users can also delete work data or all data on their devices.

Full device wipe

Devices delete all data in the device memory when any of the following events occur:

Event: You send the "Delete all device data" IT administration command to a device.
Device type: iOS, Android, Windows Phone
Description: You can use BES12 to delete all data from devices using the "Delete all device data" IT administration command. For example, you can send this command to a device to redistribute a previously used device to another user in your organization, or to a device that is lost and unlikely to be recovered. This command deletes all user information and app data that the device stores (including information in the work space, if applicable), returns the device to factory defaults, and removes the device from BES12. After you submit this command, an option to remove the device from BES12 is displayed. You can remove the device from BES12 if it's possible that the device is unable to connect to the organization's network to receive the command. If the device connects to the organization's network after it has been deleted, only the work data is removed from the device, including the work space, if applicable. For more information about sending this IT administration command, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Administration Guide.

Event: A user types the device password incorrectly more times than the "Maximum number of failed attempts" IT policy rule allows.
Device type: iOS, Android, Windows Phone
Description: The device deletes all user information and app data that it stores, including information in the work space, and returns to factory defaults.

Event: A user uses the "Erase All Content And Settings" option on an iOS 8 device.
Device type: iOS
Description: A user can delete all data on the device using the "Erase All Content And Settings" option on the device.

Work data wipe

To protect your organization's data on devices, devices delete all work data when any of the following events occur:

Event: You send the "Delete only work data" IT administration command to a device.
Device type: iOS, Android, Windows Phone
Description: You can use BES12 to delete all work data from devices using the "Delete only work data" IT administration command. For example, you can send this command to a personal device when a user no longer works at your organization, or if a device is lost or stolen. This command deletes work data, including the IT policy, profiles, apps, and certificates that are on a device, and removes the device from BES12. After you submit this command, an option to remove the device from BES12 is displayed. You can remove a device from BES12 if it's possible that the device is unable to connect to the organization's network to receive the command. If the device connects to the organization's network after it has been deleted, all work data is removed from the device, including the work space, if applicable. A user can still use the device while the work space data is being deleted. For more information about sending this IT administration command, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Administration Guide.

Securing devices for work and personal use
Secure Work Space technology allows users to use their iOS and Android devices for both work and personal use securely. For example, Secure Work Space allows your organization to control its information even when it's stored on devices that employees own and bring to work. The security features of BES12 and Secure Work Space control how devices protect your organization's data, apps, and network connections and force devices to treat your organization's data and apps differently from personal data and apps. This means that you can:

- Control access to your organization's data and apps on devices
- Prevent data from being compromised
- Install and manage your organization's apps on devices
- Delete your organization's data and apps from devices when you need to
- Control network connections that work and personal apps use

Secure Work Space uses separate areas of the device called spaces to separate work and personal activities. A space is a distinct area of the device that enables the segregation and management of different types of data, apps, and network connections. Different spaces can have different rules for data storage, app permissions, and network routing. The separate spaces help users to avoid activities such as copying work data into a personal app.

Creating a work space on a device

To create a work space on a device, you activate it on BES12 using either the "Work and personal - full control" or "Work and personal - user privacy" activation type. The work space is a segregated area of the device for work resources where users can create, edit, and save work documents. The work space also stores configuration details from the server and any information associated with them, such as Microsoft Active Directory credentials and profiles. During the activation process, the device encrypts the work space.
After a device is activated on BES12, the device still contains the personal space on the device and any user data, apps, or network connections that the user was using before the device was activated. Users can use their devices for activities that your organization's security policies might not otherwise allow, such as downloading videos, playing online multi-player games, or uploading personal photos and Facebook entries, without exposing the work data that is stored on the device.

Protecting work space data with encryption

A work space protects work space data by encrypting the data that secured apps store using AES-256 encryption. The work space randomly generates a separate encryption key for each secured app and encrypts the keys with the user's work space password. The work space encrypts all of the data that a secured app stores directly and writes indirectly to files. The encryption libraries (OpenSSL-FIPS or iOS crypto on iOS, and OpenSSL-FIPS on Android OS) are components of the FIPS validated BlackBerry Cryptographic Library for Secure Work Space.

Secured apps can only share data with other secured apps. When a secured app requests to share data with another app, the work space intercepts the request and allows the request to proceed if both apps are secured apps. Otherwise, the work space rejects the request. The work space allows a user to copy and paste from one secured app to another, but not to a work app or personal app.

Work space encryption

Android OS: The Android OS assigns a UID to an app when the app is installed. The UID is unique to each app, except when the app requests to share a UID with another app. The two apps in this case must be signed with the same certificate from the same developer. Each UID is assigned a random encryption key the first time that the UID runs, and the UID uses the key to encrypt its data. The keys are stored in a separate secure filesystem in the work space, and the filesystem is shared between secured apps. When the app with the UID runs for the first time, it requests the encryption key associated with the UID from the Work Space Manager app.

All of the secure filesystem, except for the first block, is encrypted using AES-256 in CBC mode with 128-bit blocks. The key to the filesystem is stored in the first block, and then the first block is encrypted with a key derived from the work space password. The device stores the secure filesystem key in a proprietary file format that is protected by filesystem permissions. The device uses the work space password and PBKDF2 as the key derivation function with HMAC-SHA1 to generate the derived key that encrypts the file. The key derivation is password based, and uses the work space password as the input password. Next, the device generates a public and private key, encrypts the derived key with the private key, and stores the encrypted block independently of the work space. The device sends the public key to BES12 and deletes local copies of the public and private keys.

The device regenerates the derived key and re-encrypts the file that stores the filesystem key each time the user changes the work space password. A user can change the work space password at any time, and an administrator can use an IT administration command to reset the work space password and force the user to change it. When an administrator uses the IT administration command to reset the work space password, BES12 sends the public key back to the device and the device uses the public key to decrypt the derived key. The user is also forced to enter a new work space password.

iOS: The Secure Work Space assigns each secured app a random encryption key the first time that the app runs, and the app uses the key to encrypt its data. The keys are stored in a completely segmented virtual and secure filesystem that is shared between the apps. The underlying block structure of the secure filesystem is proprietary. The virtual filesystem is layered on top of a NAND-style block, with a virtual device interface. All of the virtual filesystem, except for the first block, is encrypted using AES-256 in CBC mode with 128-bit blocks. The key to the virtual filesystem is stored in the first block, and then the first block is encrypted with a key derived from the work space password. The device stores the filesystem key in a proprietary file format that is protected by filesystem permissions. The device uses the work space password and PBKDF2 as the key derivation function with HMAC-SHA1 to generate the key that encrypts the file. The key derivation is password based and uses the work space password as the input password. Next, the device generates a public and private key, encrypts the derived key with the private key, and stores the encrypted block independently of the work space. The device sends the public key to BES12 and deletes local copies of the public and private keys.

The device regenerates the derived key and re-encrypts the file that stores the filesystem key each time the user changes the work space password. A user can change the work space password at any time, and an administrator can use an IT administration command to reset the work space password and force the user to change it. When an administrator uses the IT administration command to reset the work space password, BES12 sends the public key back to the device and the device uses the public key to decrypt the derived key. The user is also forced to enter a new work space password.

Apps access the filesystem one at a time rather than concurrently. There is a grace period after the user enters the work space password; an administrator configures the grace period, which can be up to ten minutes long. If the user launches another app during the grace period, a control channel performs a Diffie-Hellman key exchange so that the apps can share data. There is a 20-second time limit for the key exchange. The key material for the shared secret is hardcoded between the apps. If the user launches another app after the grace period, the user is prompted to re-enter the work space password. This key exchange allows the user to launch additional apps within the grace period without having to enter the work space password each time.

Sharing information between secured apps

Federating allows secured apps to share information in a controlled manner. App wrapping provides a defined interface that restricts what the apps can do when they communicate using the encrypted filesystem.

When a secured app is wrapped in the BlackBerry Infrastructure, a hash of the app's code is produced. This hash is also known as a fingerprint, and the BlackBerry Infrastructure records the fingerprint and the app's metadata. When a secured app runs for the first time on a device, the device generates a runtime version of the app's fingerprint and metadata and sends them to the BlackBerry Infrastructure. The BlackBerry Infrastructure compares the fingerprint and metadata that it stored with the runtime versions of the fingerprint and metadata. If they match, the BlackBerry Infrastructure notifies the device that it can federate and run the app. If the two versions of the fingerprint and metadata do not match, the BlackBerry Infrastructure notifies the device that it cannot federate and run the app, and the user sees an error message.

A dynamic federation list on the device identifies which secured apps can federate. When the BlackBerry Infrastructure notifies the device that it can federate and run an app, the device adds the app to the federation list. Each subsequent time the app is run, the device compares the runtime fingerprint of the app to the fingerprint cached in the federation list. At any time, the BlackBerry Infrastructure can revoke the federation list and force the device to reconstruct the list.
Network connectivity is required to verify an app to allow federation. When federation is successful, the federated apps can perform a key exchange with constraints so that they have access to the same data in the encrypted filesystem.

Storing and protecting the work space password

The work space does not store the work space password. Instead, it encrypts some data using a hash of the password as the encryption key. After the password has been set, when the user enters the password to access the work space, the work space tries to decrypt the data with the hash of the password that the user entered. If the data does not decrypt, the password that the user entered is rejected as incorrect. When a user changes a work space password, the work space re-encrypts the data with a hash of the derived key.

BES12 and the BlackBerry Infrastructure do not store the user's encryption keys. If the user forgets the work space password, the data stored in the user's work space cannot be retrieved. This approach is taken so that if the servers are compromised, the devices are not also compromised. To reset the password for a device, the device must be reactivated.

Storing Work Browser data

When using the Work Browser, the work space does not store Internet or intranet passwords. Cookie storage, however, is protected by the secure filesystem just like other work space data.
Storing work space data on media cards

For Android devices, any work space data that is stored on media cards is part of the secure filesystem, just like any work space data stored on the device itself. The data on the media card can only be decrypted when the card is attached to the original device and the user has entered the work space password. The data on the media card is cryptographically inaccessible if the card is inserted into another device because the encryption keys are not available.

Deleting the work space

When you delete the work space from a device, you do not need to perform additional steps to prevent the recovery of data. Without the encryption keys, any recovered data is cryptographically inaccessible. Deleting the work space also deletes work space data from a media card if it is connected to the device at the time of deletion.

Attachments for third-party secured apps

By default, attachments for a third-party secured app cannot be opened outside of the UID unless the app allows for data sharing with other apps. Examples of attachments for a third-party secured app include email, MMS, and browser downloads. The wrapping on the app intercepts the standard APIs that iOS and Android use and prevents the app from transferring data to another app. Private APIs are not allowed in iOS or Android. The wrapping also ensures that attachments are encrypted before they are stored.

Protecting work space data with password rules

To protect work space data and secured apps, by default devices with Secure Work Space require users to set a password for the work space. You can use IT policy rules to control password requirements, such as complexity and length. For more information about IT policy rules for iOS devices and Android devices, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Policy Reference Spreadsheet.

Showing work contacts in caller ID on iOS devices

You can use the "Work Connect contacts" IT policy rule to specify whether caller ID on an iOS device can show the names and phone numbers of work contacts, even if the work space is locked. This rule allows the Work Connect app in the work space to export work contacts to the personal address book (the Contacts app). The Work Connect app exports contact names and phone numbers only. When you deactivate the device, work contacts are removed from the personal address book.
If this rule is set to "Export to personal address book," the Work Connect app exports the work contacts to the personal address book. The app also exports a work contact again when the work contact's name or phone number changes or a contact is added or deleted. Only work contacts with phone numbers are exported. If this rule is set to "Do not export to personal address book," work contacts are not exported, and calls and SMS text messages from work contacts do not display the contact name. If this rule is set to "Allow user to configure," a user can choose to export work contacts from the Work Connect app to the personal address book.

Controlling when devices wipe the work space

To protect your organization's data, you can wipe all work data from a device. All personal data remains on the device. For example, you can do this if a user no longer works at your organization. The following table lists examples of data that is removed when devices wipe the work space:

Work email messages
    Email messages that are sent to the user's email app in the work space
    Email messages that the user sends from the email app in the work space
    Draft messages that the user creates using the email app in the work space
Attachments
    Attachments that are sent to the user's email app in the work space
    Attachments that the user sends from the email app in the work space
    Attachments that the user saves to the work space
Calendar entries
    Calendar entries that the user creates using the calendar app in the work space
Contacts
    Contacts that BES12 synchronizes with the user's contacts app in the work space
Tasks and memos
    All tasks and memos that BES12 synchronizes with the user's tasks and memos app in the work space
Browser
    All Work Browser data
Files
    Files that the user accessed and downloaded from your organization's network
IT policy
    IT policy that is assigned to the device
Work apps
    For an iOS device, work apps that an administrator sent to a device
Work app data
    For an iOS device, work data that is associated with work apps on the device (for example, saved settings)
Secured apps
    For an iOS device, secured apps that a user downloaded and installed on a device. For an Android device, the user is prompted to remove the secured apps. If the user does not remove the secured apps, they remain on the device but the user cannot run them.
Work space data
    For an iOS device, work space data that is associated with secured apps on the device. For an Android device, the user is prompted to remove the work space data (for example, saved settings). If the user does not remove the work space data, it remains on the device but the user cannot access the data.
Profiles
    For an iOS device, VPN, Wi-Fi, Microsoft ActiveSync, SCEP, CA certificate, and shared certificate profiles that the user configures on the device
Data in transit

With BES12, when you manage an iOS, Android, or Windows Phone device, you can protect data in transit with security settings, VPNs, and certificates. When you manage an iOS or Android device with Secure Work Space, you can enable enterprise connectivity to provide additional protection to a device's data in transit, including authenticating connections and sessions and encrypting the data.

Protection for all devices

BES12 protects data in transit between itself and all iOS, Android, and Windows Phone devices with security features, such as security settings, VPNs, and certificates.

Protecting Wi-Fi connections

A device can connect to work Wi-Fi networks that use the IEEE 802.11 standard. The IEEE 802.11i standard uses the IEEE 802.1X standard for authentication and key management to protect work Wi-Fi networks. The IEEE 802.11i standard specifies that organizations must use the PSK protocol or the IEEE 802.1X standard as the access control method for Wi-Fi networks. You can use Wi-Fi profiles to send Wi-Fi configuration information, including security settings and any required certificates, to devices.

Types of encryption used for communication between devices and your resources

Communication between a device and your organization's resources can use various types of encryption. The type of encryption used depends on the connection method.

Wi-Fi encryption (IEEE 802.11)
    Wi-Fi encryption is used for data in transit between a device and a wireless access point if the wireless access point was set up to use Wi-Fi encryption.
VPN encryption
    VPN encryption is used for data in transit between a device and a VPN server.
SSL/TLS encryption
    SSL/TLS encryption is used for data in transit between a device and a content server, web server, or mail server in your organization. The encryption for this connection must be set up separately on each server and uses a separate certificate with each server. The server might use SSL or TLS, depending on how it's set up.

Work Wi-Fi connection

In a work Wi-Fi connection, a device connects to your organization's resources using the settings that you configured in a Wi-Fi profile. Wi-Fi encryption is used if the wireless access point was set up to use it.

VPN connection

In a VPN connection, an iOS device connects to your organization's resources through any wireless access point or a mobile network, your organization's firewall, and your organization's VPN server. Wi-Fi encryption is used if the wireless access point was set up to use it.
Protecting data in transit between BES12 and devices

When you send configuration information, such as IT policies, profiles, and app configurations, to devices, BES12 uses TLS to protect the data in transit between itself and devices.

Protecting data in transit between BES12 and iOS, Android, and Windows Phone devices

BES12 protects the data in transit between itself and iOS, Android, and Windows Phone devices. During the activation process for these devices, a mutually authenticated TLS connection is established between BES12 and the BES12 Client on the device. When BES12 needs to send configuration information to a device, BES12 and the device use the TLS connection to protect the data.

Protecting connections to BES12 with the BlackBerry Router

The BlackBerry Router is an optional component that connects to your network and sends data to and receives data from the BlackBerry Infrastructure on behalf of BES12. The BlackBerry Router acts as a proxy server for connections over the BlackBerry Infrastructure between BES12 and all devices. You can use one instance of the BlackBerry Router for all BES5, BES10, and BES12 domains in your organization's environment. When BES12 detects a BlackBerry Router, it identifies the IP address of the computer that hosts the BlackBerry Router and writes the IP address to the BES12 database.

Using the BlackBerry Router or a proxy server with BES12

If you want to use a proxy server with BES12, you can install the BlackBerry Router in the BES12 domain to act as a proxy server, or you can use a TCP proxy server that is already installed in your environment. You install the BlackBerry Router or the proxy server outside your organization's firewall in the DMZ. Installing the BlackBerry Router or a TCP proxy server in the DMZ provides an extra level of security for BES12. Only the BlackBerry Router or the proxy server connects to BES12 from outside the firewall. All connections over the BlackBerry Infrastructure between BES12 and devices go through the BlackBerry Router or the proxy server.

If you choose to use a TCP proxy server, the proxy server must be transparent or use SOCKS v5 with no authentication.

For more information about planning where to install the BlackBerry Router, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Planning Guide. For more information about configuring the BlackBerry Router or a proxy server, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Configuration Guide.

Protecting communication with devices using certificates

A certificate is a digital document that binds the identity and public key of a certificate subject. Each certificate has a corresponding private key that is stored separately. A CA signs the certificate to verify that it can be trusted. Devices can use certificates to:

- Authenticate using SSL/TLS when they connect to web pages that use HTTPS
- Authenticate with a work mail server
- Authenticate with a work Wi-Fi network or VPN
- Encrypt and sign messages using S/MIME protection (BlackBerry 10 and iOS devices only)

You can send client certificates and CA certificates to all devices managed by BES12.
Sending client certificates to devices

You might need to distribute client certificates to devices if the devices use certificate-based authentication to connect to a network or server in your organization's environment, or if your organization uses S/MIME. Depending on the device capabilities, client certificates can be used for many purposes, including certificate-based authentication from the browser, connecting to your work Wi-Fi network, work VPN, or work mail server, and for digital signatures on S/MIME-protected messages. You can send client certificates to devices in several ways:

SCEP profiles
    A SCEP profile specifies how iOS devices obtain certificates from your organization's CA using a SCEP service. When you use SCEP to enroll client certificates to iOS, the administrator never has access to the user's private key.
Shared certificate profiles
    A shared certificate profile specifies a client certificate that BES12 sends to iOS and Android devices. BES12 sends the same client certificate to every user that the profile is assigned to. The administrator must have access to the certificate and private key to create a shared certificate profile.
Sending client certificates to individual user accounts
    To send a client certificate to the devices for an individual user, you can add a client certificate to a user account. BES12 sends the certificate to the user's iOS and Android devices. The administrator must have access to the certificate and private key to send the client certificate to the user.

For more information about sending client certificates to devices, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Administration Guide.

Using SCEP to enroll client certificates to devices

SCEP is an IETF protocol that simplifies the process of enrolling certificates to a large number of devices without any administrator input or approval required to issue each certificate. iOS devices can use SCEP to request and obtain client certificates from a SCEP-compliant CA that your organization uses. You can use SCEP to enroll client certificates to devices so that the devices can use certificate-based authentication in the browser and to connect to a work Wi-Fi network, work VPN, or work mail server.

Certificate enrollment starts after a device receives a SCEP profile that is assigned to the user or associated with an assigned Wi-Fi, VPN, or email profile. Devices can receive a SCEP profile from BES12 during the activation process, when you change a SCEP profile, or when you change another profile that has an associated SCEP profile. After the certificate enrollment completes, the client certificate and its certificate chain and private key are stored in the work keystore on the device.

The CA that you use must support challenge passwords. The CA uses challenge passwords to verify that the device is authorized to submit a certificate request. If the CA is a Microsoft CA that has implemented NDES, you use dynamic challenge passwords. You specify the static challenge password or the settings to obtain a dynamically generated challenge password from the SCEP service in the SCEP profile. The password is sent to the device to allow the device to make the certificate request. If you use a static challenge password, all devices that use the SCEP profile use the same challenge password.

The certificate enrollment process does not delete existing certificates from devices or notify the CA that previously enrolled certificates are no longer in use. If a SCEP profile is removed from BES12, the corresponding certificates are not removed from the assigned users' devices.

To read the SCEP Internet Draft, visit

Using BES12 as a proxy for SCEP requests

You can use BES12 as a proxy for SCEP requests sent from iOS devices to the CA. If the CA is behind your firewall, using BES12 as a proxy allows you to enroll client certificates to devices without exposing the CA outside of the firewall.

Data flow: Enrolling a client certificate to a device using BES12 as a proxy for the SCEP request

1. BES12 sends a SCEP profile that is assigned to the user or associated with an assigned Wi-Fi, VPN, or email profile to the device.
2. The device generates a SCEP request and sends it to the BlackBerry Infrastructure.
3. The BlackBerry Infrastructure sends the SCEP request to BES12.
4. BES12 updates the URL for the SCEP request and sends the SCEP request to the CA.
5. The CA issues the certificate and sends it to BES12.
6. BES12 sends the SCEP request to the BlackBerry Infrastructure.
7. The BlackBerry Infrastructure sends the SCEP request to the device.
8. The device adds the certificate and corresponding private key to the keystore.
Sending CA certificates to devices

You might need to distribute CA certificates to devices if your organization uses S/MIME or if devices use certificate-based authentication to connect to a network or server in your organization's environment. When the certificates for the CAs that issued your organization's network and server certificates are stored on devices, the devices can trust your networks and servers when making secure connections. When the CA certificates for the CAs that issued your organization's S/MIME certificates are stored on devices, the devices can trust the sender's certificate when an S/MIME-protected message is received. You can use CA certificate profiles to send CA certificates to devices. For more information, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Administration Guide.

Connecting to a VPN

If your organization's environment includes VPNs, such as IPsec VPNs or SSL VPNs, you can configure iOS devices to authenticate with a VPN to access your organization's network. A VPN provides an encrypted tunnel between a device and the network.

A VPN solution consists of a VPN client on a device and a VPN concentrator. The device can use the VPN client to authenticate with the VPN concentrator, which acts as the gateway to your organization's network. Each device includes a built-in VPN client that supports several VPN concentrators. Depending on the VPN solution, a client app may need to be installed on the device. The VPN client on the device supports the use of strong encryption to authenticate itself with the VPN concentrator. It creates an encrypted tunnel between the device and the VPN concentrator that the device and your organization's network can use to communicate.

Enabling per-app VPN for iOS apps

You can use per-app VPN to specify which work apps and secured apps on iOS 7.0 and later devices must use a VPN for their data in transit. Per-app VPN helps decrease the load on your organization's VPN by enabling only certain work traffic to use the VPN (for example, accessing application servers or webpages behind the firewall). This feature also supports user privacy and increases connection speed for personal apps by not sending the personal traffic through the VPN.

Per-app VPN is available for the following connection types:

- Cisco AnyConnect
- Juniper
- F5
- SonicWALL Mobile Connect
- Aruba VIA
- Check Point Mobile
- OpenVPN
- Custom connection type

When you configure a VPN profile, there are three settings that you can specify:

- Whether the VPN profile supports per-app VPN.
- Whether the Safari app on devices must use VPN when connecting to particular web domains. If you have configured Safari domains and a user accesses one of the specified domains using the Safari app, all of the browser's traffic goes through the VPN (for example, traffic from other tabs in the browser).
- Whether to allow apps to connect automatically to the VPN. If you enable this feature, the per-app VPN connection starts automatically when a specified app starts communicating with the network. If you do not enable this feature, the user must start the per-app VPN connection manually before a specified app starts communicating with the network.

You then associate apps with per-app VPN by assigning the VPN profile to apps or app groups.

How BES12 chooses which per-app VPN settings to assign

Only one VPN profile can be assigned to an app or app group. BES12 uses the following rules to determine which per-app VPN settings to assign to an app:

- Per-app VPN settings that are associated with a secured app take precedence over an enterprise connectivity profile.
- Per-app VPN settings that are associated with an app directly take precedence over per-app VPN settings associated indirectly by an app group.
- Per-app VPN settings that are associated with a user directly take precedence over per-app VPN settings associated indirectly by a user group.
- Per-app VPN settings that are assigned to a required app take precedence over per-app VPN settings assigned to an optional instance of the same app.
- Per-app VPN settings that are associated with the user group name that appears earlier in the alphabetical list take precedence if the following conditions are met:
  - An app is assigned to multiple user groups
  - The same app appears in the user groups
  - The app is assigned in the same way, either as a single app or an app group
  - The app has the same disposition in all assignments, either required or optional

For example, you assign Cisco WebEx Meetings as an optional app to the user groups Development and Marketing. When a user is in both groups, the per-app VPN settings for the Development group are applied to the WebEx Meetings app for that user.

If a per-app VPN profile is assigned to a device group, it takes precedence over the per-app VPN profile that is assigned to the user account for any devices that belong to the device group.
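The assignment-based precedence rules above (direct app over app group, direct user over user group, required over optional, alphabetical user group tie-break, device group override) applied to the guide's WebEx Meetings example, as an added example that is not part of the original guide. The Assignment type, its fields and Resolve are assumptions of this example, not a BES12 API, and the secured-app versus enterprise connectivity rule is not modelled.

```go
package main

import (
	"fmt"
	"sort"
)

// Assignment records one way a VPN profile with per-app VPN settings reached an
// app for a given user (assumed model; BES12 does not expose such a type).
type Assignment struct {
	Profile      string // name of the VPN profile
	ViaAppGroup  bool   // assigned through an app group rather than to the app directly
	ViaUserGroup bool   // assigned through a user group rather than to the user directly
	UserGroup    string // user group name, used only for the alphabetical tie-break
	Required     bool   // the app is required (true) or optional (false) in this assignment
}

// wins reports whether a should be preferred over b, applying the rules in the
// order the guide lists them: direct app over app group, direct user over user
// group, required over optional, then the alphabetically earlier user group.
func wins(a, b Assignment) bool {
	if a.ViaAppGroup != b.ViaAppGroup {
		return !a.ViaAppGroup
	}
	if a.ViaUserGroup != b.ViaUserGroup {
		return !a.ViaUserGroup
	}
	if a.Required != b.Required {
		return a.Required
	}
	return a.UserGroup < b.UserGroup
}

// Resolve returns the per-app VPN profile that applies to one app on one device.
// deviceGroupProfile is the per-app VPN profile of a device group the device
// belongs to ("" if none); it overrides every user-level assignment.
func Resolve(assignments []Assignment, deviceGroupProfile string) (string, bool) {
	if deviceGroupProfile != "" {
		return deviceGroupProfile, true
	}
	if len(assignments) == 0 {
		return "", false
	}
	ranked := append([]Assignment(nil), assignments...)
	sort.SliceStable(ranked, func(i, j int) bool { return wins(ranked[i], ranked[j]) })
	return ranked[0].Profile, true
}

func main() {
	// The guide's example: WebEx Meetings is optional in both Development and Marketing.
	webex := []Assignment{
		{Profile: "Marketing VPN", ViaUserGroup: true, UserGroup: "Marketing"},
		{Profile: "Development VPN", ViaUserGroup: true, UserGroup: "Development"},
	}
	profile, _ := Resolve(webex, "")
	fmt.Println("WebEx Meetings uses:", profile) // Development VPN
}
```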
Enabling VPN on demand for iOS devices

VPN on demand allows you to specify whether an iOS 6.0 or later device connects automatically to a VPN when it tries to connect to a particular domain. VPN on demand is available for the following connection types:

- IPsec
- Cisco AnyConnect
- Juniper
- F5
- SonicWALL Mobile Connect
- Aruba VIA
- Check Point Mobile
- OpenVPN
- Custom connection type with certificate or SCEP authentication

When you specify a domain for VPN on demand for iOS 6.x devices, you have three options for the domain:

- A device always connects automatically to a VPN when it accesses a particular domain.
- A device never connects automatically to a VPN when it accesses a particular domain.
- A device attempts to connect to a VPN when it accesses a particular domain if domain name resolution cannot be completed (for example, if the DNS server cannot resolve the domain, responds with a redirect to a different DNS server, or does not respond).

When you specify a domain for VPN on demand for iOS 7.0 or later devices, you have an additional two options for the domain:

- A device disconnects the VPN connection and does not reconnect when it accesses a particular domain.
- A device keeps the existing VPN connection, but does not reconnect to a VPN when it accesses a particular domain.

How BES12 configures a device to use per-app VPN and VPN on demand

When BES12 sends a VPN profile to a device, it uses a configuration profile defined by Apple to send a VPN payload and per-app VPN payload (if necessary) to the device. BES12 converts the settings that you specified in the VPN profile to a series of keys and values (for example, BES12 converts the connection type that you specified to the VPNType key). For more information about configuration profiles, visit to read the Configuration Profile Reference.
Providing devices with single sign-on access to your organization's network

You can allow iOS 7 and later device users to authenticate automatically with domains and web services in your organization's network. You can use single sign-on profiles to set up device authentication using a user's login information or certificate. Certificate authentication is supported for iOS 8.0 and later devices.

After you assign a single sign-on profile to a user, the user's login information or certificate is saved on the device the first time they access a domain specified in the profile. The user's saved login information or certificate is used automatically when the user tries to access any of the domains specified in the profile. The user is not prompted again for the login information or certificate until the user's password changes or the certificate expires.

BES12 supports Kerberos for single sign-on access for the browser and apps on iOS 7 and later devices. You can restrict which apps have single sign-on access. For more information on creating single sign-on profiles, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Administration Guide.

Protection for devices with enterprise connectivity

You can provide additional protection to a device's data in transit, including authenticating connections and sessions and encrypting the data, by enabling enterprise connectivity for a device with Secure Work Space. With enterprise connectivity, you avoid opening a direct connection from within your organization's firewall to the Internet for device management and third-party applications such as the mail server, certificate authority, and other web servers or content servers. Enterprise connectivity sends all traffic through the BlackBerry Infrastructure to BES12. For more information about enterprise connectivity profiles, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Administration Guide.

How a device with enterprise connectivity connects to BES12

To access your organization's network, a device with enterprise connectivity connects through any Wi-Fi access point or mobile network, the BlackBerry Infrastructure, your organization's firewall, and BES12.

Devices and your organization's resources use tunneling to encapsulate various types of encryption in the end-to-end connection. Tunneling occurs when data is encrypted using more than one layer of encryption. The type of encryption used depends on the type of connection between the device and the resource. For example, the data that a device and BES12 send between each other is encrypted using TLS encryption. If the wireless access point was set up to use Wi-Fi encryption, the data that the device and wireless access point send to each other uses Wi-Fi encryption. Because the device uses tunneling, the data that the device sends to BES12 is encrypted first by TLS encryption and then by Wi-Fi encryption as it travels between the device and the wireless access point.

Wi-Fi encryption (IEEE 802.11)
    Encrypts the data for the connection between the device and wireless access point if the wireless access point was set up to use Wi-Fi encryption.
TLS encryption
    Encrypts the data for the connection between a device and BES12 using the TLS protocol with the AES-256 algorithm.
SSL/TLS encryption
    Encrypts the data for the session between the device and the content server, web server, or messaging server that uses Microsoft ActiveSync. The encryption for this session must be set up separately on each server and uses a separate certificate with each server. The server might use SSL or TLS, depending on how it is set up.

Encrypting and protecting work space data in transit

Traffic for secured apps (for example, email and calendar data) uses TLS authenticated sessions to encrypt the data for the session between the device and BES12. This traffic uses SSL or TLS encryption to encrypt the data for the session between the device and the content server, web server, or mail server that uses Exchange ActiveSync.

Secured apps with enterprise connectivity also use per-API authentication and session token validation. With per-API authentication, each method of communication in an API uses a unique method of establishing trust. If one method of communication is compromised, other methods are still safe. Session token validation is used to identify the device when provisioning, and some APIs use the session token, depending on the security context.

How BES12 authenticates with the BlackBerry Infrastructure

To protect data in transit between BES12 and the BlackBerry Infrastructure, BES12 and the BlackBerry Infrastructure must authenticate with each other before they can transfer data. When BES12 sends data to devices through the BlackBerry Infrastructure, BES12 and the BlackBerry Infrastructure establish a mutually authenticated TLS connection that uses AES-256 to protect the data.

Data flow: Authenticating BES12 with the BlackBerry Infrastructure

1. BES12 connects to the BlackBerry Infrastructure and initiates a TLS connection.
2. The BlackBerry Infrastructure sends an authentication certificate to BES12.
3. BES12 performs the following actions:
   - Verifies that a trusted CA signed the authentication certificate
   - Verifies the name of the server in the BlackBerry Infrastructure to establish the TLS connection
   - Sends a data packet that contains its unique SRP identifier and SRP authentication key to the BlackBerry Infrastructure to claim the SRP identifier
4. The BlackBerry Infrastructure verifies the SRP identifier and SRP authentication key that BES12 sent and performs one of the following actions:
   - If the credentials are valid, sends a confirmation to BES12 to complete the authentication process and configure an authenticated SRP connection
   - If the credentials are not valid, stops the authentication process and closes the SRP connection

How BES12 protects a TCP/IP connection to the BlackBerry Infrastructure for work space data

After BES12 and the BlackBerry Infrastructure open a connection, BES12 uses a persistent TCP/IP connection to send data to the BlackBerry Infrastructure. The TCP/IP connection between BES12 and the BlackBerry Infrastructure is secured with TLS encryption. No intermediate point decrypts and encrypts the data again. You must configure your organization's firewall or proxy server to permit BES12 to start and maintain an outgoing connection to the BlackBerry Infrastructure over TCP port
How a device with Secure Work Space connects to the BlackBerry Infrastructure

Devices connect to the BlackBerry Infrastructure using a TCP/IP connection. The traffic over this connection is tunneled by the BlackBerry Infrastructure to BES12. Devices and BES12 send all data to each other over a TLS session. The TLS session encrypts the data that devices and BES12 send between each other.

A TLS session between a device and BES12 is designed so that an attacker cannot use the TLS connection to send data to or receive data from the device. If an attacker tries to impersonate BES12, devices prevent the connection. Devices verify whether the server certificate chain was signed by the root certificate that is loaded on the devices during the activation process.

Data flow: Opening a TLS session between a device with Secure Work Space and BES12 through the BlackBerry Infrastructure

1. A device creates a TCP connection to the BlackBerry Infrastructure.
2. The BlackBerry Infrastructure creates a tunnel to BES12.
3. The device sends a request over the tunnel to BES12 to open a TLS session.
4. BES12 sends its TLS certificate to the device over the tunnel.
5. The device uses a root certificate that is preloaded on the device to verify the TLS certificate. The user cannot delete the root certificate.
6. The device opens the TLS session.

Storing and protecting certificates

All Secure Work Space traffic travels securely through the BlackBerry Infrastructure to BES12. BES12 and the BES12 Client on the device secure the channel and each store a copy of the certificate. The BES12 Client stores the certificate in the secure filesystem. Secured apps use the certificate's credentials when communicating with BES12 through the secure channel. Within the secure channel, a third-party secured app can set up a second secure channel when it authenticates with websites. To do this, the app uses the underlying keystore of the device (for example, the iOS keystore).
User authentication with the BES12 Client

The BES12 Client authenticates the device user with BES12, using a certificate signed by BES12. This authentication takes place before BES12 pushes secured apps to a device. If the authentication is successful, BES12 sends the provisioning details to the BES12 Client.

After secured apps are pushed to the device, when a secured app is opened, the BES12 Client sends the provisioning details to Secure Work Space. Secure Work Space uses these provisioning details to create a connection to BES12.

Extending the security of email messages using S/MIME

You can extend the security of email messages for iOS and Android device users by permitting users to send and receive S/MIME-protected messages in secured apps. Digitally signing or encrypting messages adds another level of security to messages that users send or receive from the work space. Users can digitally sign or encrypt messages using S/MIME if they use a work email account that supports S/MIME-protected messages in the work space. When a device is activated and the work space is enabled, you can allow users to choose whether the device signs, encrypts, or signs and encrypts messages using S/MIME when sending messages from a work email address.

Digital signatures help recipients verify the authenticity and integrity of messages that users send. When a user digitally signs a message with their private key, recipients use the sender's public key to verify that the message is from the sender and that the message has not changed.

Encryption helps keep messages confidential. When a user encrypts a message, the device uses the recipient's public key to encrypt the message. The recipient uses their private key to decrypt the message.

Devices support keys and certificates in the PFX file format with either a .pfx or .p12 file name extension. Users must store their private keys, and a certificate for each recipient that they want to send an encrypted message to, in the work space on their devices. Users can store a key and certificates by importing the files from a work email message. If devices don't have S/MIME support turned on, users can't send signed or encrypted messages from the devices. If users don't have their private keys on their devices, users can't read S/MIME-encrypted messages on the devices, and the devices display an error message.

S/MIME certificates and S/MIME private keys on devices

Devices with Secure Work Space can use public key cryptography with S/MIME certificates and S/MIME private keys to encrypt and decrypt messages.

S/MIME public key: When a user sends an email message from a device, the device uses the S/MIME public key of the recipient to encrypt the message. When a user receives a signed message on a device, the device uses the S/MIME public key of the sender to verify the message signature.

S/MIME private key: When a user sends a signed message from a device, the device hashes the message using SHA-1, SHA-2, or MD5. The device then uses the S/MIME private key of the user to digitally sign the message hash. When a user receives an encrypted message on a device, the device uses the private key of the user to decrypt the message. The private key is stored on the device.

Data flow: Sending an email message from a device using S/MIME encryption

1. A user sends an email message from a device. The device performs the following actions:
   a. Checks the device keystore for the S/MIME certificate of the recipient.
   b. Encrypts the message with the S/MIME certificate of the recipient.
   c. Sends the encrypted message to the mail server.
2. The mail server sends the S/MIME-encrypted message to the recipient.
3. The recipient decrypts the S/MIME-encrypted message using the recipient's S/MIME private key.
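The sender and recipient roles above, and the data flow that follows them, modelled in Go as an added example (not BlackBerry's code or the device's implementation): the S/MIME certificate is reduced to a bare RSA public key, and an AES-256-GCM content key wrapped with RSA-OAEP stands in for the CMS envelope, so signing uses the sender's private key, encryption uses the recipient's public key, and a device that lacks its private key cannot read the message. The addresses and message text are constructed.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Keystore models one device's work space keystore: the user's S/MIME private key plus
// one public key per contact's work email address (real devices hold X.509 certificates).
type Keystore struct {
	PrivateKey *rsa.PrivateKey
	Contacts   map[string]*rsa.PublicKey
}

// Envelope stands in for the CMS structure: a wrapped AES-256-GCM content key and the signed message sealed under it.
type Envelope struct {
	WrappedKey, Nonce, Ciphertext []byte
}

var ErrNoRecipientCert = errors.New("no S/MIME certificate for that address in the keystore")
var ErrNoPrivateKey = errors.New("no S/MIME private key on this device")

// SignAndEncrypt is the sender side: find the recipient's certificate (step 1a), sign the
// SHA-256 digest with the sender's private key, then encrypt the signed message to the recipient (step 1b).
func SignAndEncrypt(ks *Keystore, to string, msg []byte) (*Envelope, error) {
	if ks.PrivateKey == nil {
		return nil, ErrNoPrivateKey
	}
	recipientPub, ok := ks.Contacts[to]
	if !ok {
		return nil, ErrNoRecipientCert
	}
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, ks.PrivateKey, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	payload := append(append([]byte{}, sig...), msg...) // sign-then-encrypt
	material := make([]byte, 32+12)                     // content key || GCM nonce
	if _, err := rand.Read(material); err != nil {
		return nil, err
	}
	contentKey, nonce := material[:32], material[32:]
	block, _ := aes.NewCipher(contentKey) // a 32-byte key cannot fail
	gcm, _ := cipher.NewGCM(block)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, contentKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, payload, nil)}, nil
}

// DecryptAndVerify is the recipient side (step 3): without its private key the device cannot
// read the message (the guide's error case); otherwise unwrap, decrypt, and verify the signature.
func DecryptAndVerify(ks *Keystore, from string, env *Envelope) ([]byte, error) {
	if ks.PrivateKey == nil {
		return nil, ErrNoPrivateKey
	}
	senderPub, ok := ks.Contacts[from]
	if !ok {
		return nil, ErrNoRecipientCert
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, ks.PrivateKey, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	if len(contentKey) != 32 {
		return nil, errors.New("unwrapped content key has the wrong length")
	}
	block, _ := aes.NewCipher(contentKey)
	gcm, _ := cipher.NewGCM(block)
	payload, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, err // wrong key or tampered ciphertext: GCM authentication fails
	}
	sigLen := senderPub.Size()
	if len(payload) < sigLen {
		return nil, errors.New("payload too short to hold a signature")
	}
	sig, msg := payload[:sigLen], payload[sigLen:]
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, err
	}
	return msg, nil
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed identities for the demo
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	env, _ := SignAndEncrypt(&Keystore{alice, map[string]*rsa.PublicKey{"bob@example.com": &bob.PublicKey}}, "bob@example.com", []byte("work message"))
	msg, err := DecryptAndVerify(&Keystore{bob, map[string]*rsa.PublicKey{"alice@example.com": &alice.PublicKey}}, "alice@example.com", env)
	fmt.Println(string(msg), err)
}
```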
Secured apps

The work space protects secured apps by wrapping and fingerprinting the apps. In addition to the default secured apps, you can convert your organization's internal apps into secured apps and install them in the work space. Alternatively, you can distribute secured apps from the App Store or Google Play that the app vendor has specifically prepared to run in the work space.

Managing the availability of secured apps on devices

You can use BES12 to install and manage secured apps on devices with Secure Work Space. Secured apps can only access work space data and interact with other secured apps. Default secured apps appear on every device with Secure Work Space. The following apps are default secured apps:

iOS
Work Connect - for email, calendar, contacts, notes, and tasks
Work Browser - for web browsing
Documents To Go - for viewing and editing Microsoft Office files

Android
Work Space Manager - required to run the other secured apps on the device
Secure Work Space - for email, calendar, contacts, and web browsing
Documents To Go - for viewing and editing Microsoft Office files

You can also convert your organization's internal apps into secured apps. You must secure the app binary file (.apk or .ipa) using the administration console, and then the app developer must re-sign the app (and if necessary, create an entitlements file). You can then install the app in the work space on devices. For more information about installing an app in the work space, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Administration Guide.

Third-party app vendors can create secured apps that are prepared specifically to run in the work space and make them available in the App Store or Google Play. You can install these apps in the work space on users' devices. Apps from the App Store or Google Play that are not designated as secured apps cannot be installed or run in the work space. Only the app vendor can secure and re-sign an app so that it can be installed in the work space.

You can specify the secured apps that you want to install, update, or remove, and you can specify whether the apps are required or optional. You can also specify the device models that support an app so that it is installed only on compatible devices. If you specify that an app is required, the app is automatically installed on the device. If the user removes the app, you can use a compliance profile to send a notification to users to ask them to meet your organization's requirements, or you can limit users' access to your organization's resources and applications, delete work data, or delete all data from the device.

Devices with Secure Work Space can have the same app installed separately as a secured app and either a work app or a personal app. Each instance of the app is kept separate from the others, and each operates under the rules and restrictions that apply to the space that it is installed in. The apps can be configured, upgraded, or removed independently, and changes to one instance have no effect on the other instance. For example, an instant messaging app installed as a personal app might be restricted from adding work contacts, while the same instant messaging app installed as a secured app does not have that restriction.

How a work space wraps secured apps

A work space protects secured apps from other apps running on the device by using app wrapping. App wrapping is a process that adds a layer of security and control around an existing app. The source code of the app is not changed. Instead, the wrapping process takes the requests that the app makes to system services and redirects them to a library of mechanisms and policies. BES12 wraps apps automatically for iOS devices and Android devices when you designate the apps as secured apps. The app wrapping process is fully compatible with the policies that Apple enforces for iOS devices.

The app wrapping process interposes system API calls to allow the work space to redirect a secured app's requests for system services. For the Android OS, where apps run under the Dalvik virtual machine, the work space performs the interposing on two layers: replacing Dalvik byte-code API calls with its own intercepts, and linking calls for native object code. For iOS, where apps do not run under a virtual machine, the work space links calls for native object code only.
The app wrapping process then repackages the app so that the security code and the original code are physically inseparable. This repackaging ensures that any subsequent modification to a secured app by a third party prevents the secured app from running on the device.

How a work space fingerprints secured apps

A work space protects secured apps from trojans and malicious software by using fingerprinting. Fingerprinting uses an algorithm to map an app to a short bit string, which is the app's fingerprint. The fingerprint serves as a unique record of the app. Verifying a fingerprint is more efficient than transmitting and comparing the original app with the app on the device, which involves much larger files than a fingerprint.

Before a secured app is added to a device with Secure Work Space, the BlackBerry Infrastructure fingerprints the secured app. The BlackBerry Infrastructure sends the secured app and the fingerprint to the device. Before the secured app is added to the device, the work space calculates the secured app's fingerprint and compares it to the fingerprint sent by the BlackBerry Infrastructure. Each time that the secured app is run, the work space recalculates the secured app's fingerprint and compares it with the fingerprint sent by the BlackBerry Infrastructure. In all cases, if the fingerprints being compared do not match, the device does not run the secured app.

App wrapping in the BlackBerry Infrastructure

If wrapping an app succeeds, the app persists for 72 hours in the BlackBerry Infrastructure after the wrapping is complete. If wrapping an app fails, the BlackBerry Infrastructure returns a failure status to BES12 before the BlackBerry Infrastructure deletes the app from its records.

When BES12 sends an app to the BlackBerry Infrastructure to be wrapped, it sends a unique tenant identifier. The BlackBerry Infrastructure includes the tenant identifier in the wrapping and also records the association between the tenant identifier and the wrapped app. After the app is pushed to a device, when the app attempts to federate with other secured apps, the device first sends a request to the BlackBerry Infrastructure to verify that the particular user, device, and app are all associated with the tenant identifier. This check prevents the app from running in the work space of other owners of BES12. The BlackBerry Infrastructure also examines app metadata such as the signature and package name during the verification process. If the verification is successful, the app is allowed to federate on the device. External secured apps that are available publicly in an app store do not include a tenant identifier and can run in the work space of any BES12 owner.
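The fingerprint checks from the previous section and the tenant-identifier check described here, modelled together in Go as an added example (not the BlackBerry Infrastructure's or Secure Work Space's code): SHA-256 stands in for the unpublished fingerprint algorithm, and a registry of user, device and package-name bindings per tenant is an assumed layout for the infrastructure's records; the tenant, user, device and package names are constructed.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// SecuredApp models what the BlackBerry Infrastructure delivers to a device: the wrapped
// binary, the fingerprint it computed over that binary, and the tenant identifier included
// at wrapping time (empty for public app-store secured apps, which carry none).
type SecuredApp struct {
	PackageName string
	Binary      []byte
	Fingerprint string // hex SHA-256 here; the guide only says "a short bit string"
	TenantID    string
}

// Binding is one user/device/package association the infrastructure records for a tenant
// (the record layout is an assumption of this example).
type Binding struct{ User, Device, PackageName string }

// TenantRegistry maps a tenant identifier to the bindings recorded for it.
type TenantRegistry map[string]map[Binding]bool

var ErrFingerprintMismatch = errors.New("fingerprint mismatch: secured app refused")
var ErrNotThisTenant = errors.New("user, device and app are not associated with the app's tenant")

// Fingerprint is the infrastructure-side computation performed before delivery.
func Fingerprint(binary []byte) string {
	sum := sha256.Sum256(binary)
	return hex.EncodeToString(sum[:])
}

// VerifyFingerprint is what the work space runs before installing and again at every
// launch: recompute the fingerprint and compare it with the delivered one.
func VerifyFingerprint(app *SecuredApp) error {
	want, err := hex.DecodeString(app.Fingerprint)
	if err != nil {
		return ErrFingerprintMismatch
	}
	got := sha256.Sum256(app.Binary)
	if subtle.ConstantTimeCompare(want, got[:]) != 1 {
		return ErrFingerprintMismatch
	}
	return nil
}

// MayFederate answers the device's request to the infrastructure before a secured app
// federates with other secured apps. Apps without a tenant identifier may federate anywhere.
func (r TenantRegistry) MayFederate(app *SecuredApp, user, device string) error {
	if app.TenantID == "" {
		return nil
	}
	if r[app.TenantID][Binding{user, device, app.PackageName}] {
		return nil
	}
	return ErrNotThisTenant
}

// Launch chains the checks a secured app passes each time it runs.
func Launch(r TenantRegistry, app *SecuredApp, user, device string) error {
	if err := VerifyFingerprint(app); err != nil {
		return err
	}
	return r.MayFederate(app, user, device)
}

func main() {
	// Constructed tenant record and app binary for the demonstration.
	registry := TenantRegistry{"tenant-A": {Binding{"alice", "dev-1", "com.example.crm"}: true}}
	app := &SecuredApp{PackageName: "com.example.crm", Binary: []byte("wrapped crm build 1"), TenantID: "tenant-A"}
	app.Fingerprint = Fingerprint(app.Binary) // done by the infrastructure, sent with the app
	fmt.Println("own tenant:  ", Launch(registry, app, "alice", "dev-1"))
	fmt.Println("other tenant:", Launch(registry, app, "bob", "dev-9"))
	app.Binary = append(app.Binary, '!') // any change after wrapping
	fmt.Println("tampered:    ", Launch(registry, app, "alice", "dev-1"))
}
```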
Product documentation

To read the following guides or other related materials, visit docs.blackberry.com/bes12.

Overview
BlackBerry Enterprise Service 12 Product Overview - Introduction to BES12 and its features; finding your way through the documentation

Architecture
Enterprise Solution Comparison Chart - Comparison of what features are available across different BlackBerry enterprise solutions
BlackBerry Enterprise Service 12 Architecture and Data Flow Reference Guide - Descriptions of BES12 components; descriptions of activation and other data flows, such as configuration updates and email, for different types of devices

Release notes
BlackBerry Enterprise Service 12 Release Notes - Descriptions of known issues and potential workarounds

Installation and upgrade
BlackBerry Enterprise Service 12 Compatibility Matrix - Third-party software that is compatible with BES12
BlackBerry Enterprise Service 12 Performance Calculator - Tool to estimate the hardware required to support a given workload for BES12
BES12 Preinstallation Checklist - Checklist of requirements to check before you install or upgrade your environment
BlackBerry Enterprise Service 12 Planning Guide - System requirements; planning a BES12 deployment for an installation or an upgrade from BES5 or BES10
BlackBerry Enterprise Service 12 Installation Guide - Installation instructions

Configuration
BlackBerry Enterprise Service 12 Licensing Guide - Descriptions of different types of licenses; instructions for activating and managing licenses
BlackBerry Enterprise Service 12 Configuration Guide - Instructions for how to configure server components before you start administering users and their devices; instructions for migrating BES10 data from an existing BES10 database

Administration
BlackBerry Enterprise Service 12 Administration Guide - Basic and advanced administration for all supported device types, including BlackBerry 10 devices, iOS devices, Android devices, Windows Phone devices, and BlackBerry OS (version 5.0 to 7.1) and earlier devices; instructions for creating user accounts, groups, roles, and administrator accounts; instructions for activating devices; instructions for creating and assigning IT policies and profiles; instructions for managing apps on devices; descriptions of profile settings
BlackBerry Enterprise Service 12 Policy Reference Spreadsheet - Descriptions of IT policy rules for BlackBerry 10 devices, iOS devices, Android devices, Windows Phone devices, and BlackBerry OS (version 5.0 to 7.1) and earlier devices
Supported Features by Device Type - Comparison of what device management features are supported for each type of device in BES12

Getting started
5 Steps To Get Your Devices Active - Minimum requirements to configure to get you started with activating devices

Security
BlackBerry 10 Security Overview - Introduction to BlackBerry 10 security; description of how BlackBerry 10 protects data at rest and in transit; description of our security platform, from the device to the BlackBerry Infrastructure
BlackBerry Enterprise Service 12 Security Guide for BlackBerry - Description of the security maintained by BES12, the BlackBerry Infrastructure, and BlackBerry 10 devices to protect data and connections; description of the BlackBerry 10 OS; description of how work data is protected on BlackBerry 10 devices when you use BES12
BlackBerry Enterprise Service 12 Security Guide for iOS, Android, and Windows Phone - Description of the security maintained by BES12, the BlackBerry Infrastructure, and work space-enabled devices to protect work space data at rest and in transit; description of how work space apps are protected on work space-enabled devices when you use BES12

Resources for enterprise users
BES12 Self-Service User Guide - Instructions for activating devices; instructions for protecting a lost device
Provide feedback

To provide feedback on this deliverable, visit
Glossary

AES: Advanced Encryption Standard
APNs: Apple Push Notification service
API: application programming interface
CA: certification authority
CBC: cipher block chaining
CSR: certificate signing request
DMZ: A demilitarized zone (DMZ) is a neutral subnetwork outside of an organization's firewall. It exists between the trusted LAN of the organization and the untrusted external wireless network and public Internet.
DNS: Domain Name System
DoS: denial of service
EMM: Enterprise Mobility Management
FIPS: Federal Information Processing Standards
GCM: Galois/Counter Mode
HMAC: keyed-hash message authentication code
HTTP: Hypertext Transfer Protocol
HTTPS: Hypertext Transfer Protocol over Secure Sockets Layer
IEEE: Institute of Electrical and Electronics Engineers
IETF: Internet Engineering Task Force
IP: Internet Protocol
IPsec: Internet Protocol Security
MD: Message Digest Algorithm
MD5: Message-Digest Algorithm, version 5
MDM: mobile device management
MMS: Multimedia Messaging Service
NDES: Network Device Enrollment Service
PBKDF2: Password-Based Key Derivation Function 2
PFX: Personal Information Exchange
PIN: personal identification number
PKCS: Public-Key Cryptography Standards
PSK: pre-shared key
S/MIME: Secure Multipurpose Internet Mail Extensions
SCEP: simple certificate enrollment protocol
SHA: Secure Hash Algorithm
SMS: Short Message Service
SRP: Server Routing Protocol
SSL: Secure Sockets Layer
TCP: Transmission Control Protocol
TCP/IP: Transmission Control Protocol/Internet Protocol (TCP/IP) is a set of communication protocols that is used to transmit data over networks, such as the Internet.
TLS: Transport Layer Security
UID: unique identifier
VIA: Virtual Intranet Access
VPN: virtual private network
Legal notice

BlackBerry. All rights reserved. BlackBerry and related trademarks, names, and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world.

Android, Google, Dalvik and Google Play are trademarks of Google Inc. Apple, App Store, and Safari are trademarks of Apple Inc. Aruba, VIA, and Virtual Intranet Access are trademarks of Aruba Networks, Inc. Check Point is a trademark of Check Point Software Technologies Ltd. Cisco AnyConnect and Cisco WebEx are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS is used under license by Apple Inc. Juniper is a trademark of Juniper Networks, Inc. Microsoft, Active Directory, ActiveSync, and Windows Phone are trademarks of Microsoft Corporation. OpenSSL is a trademark of The OpenSSL Software Foundation, Inc. OpenVPN is a trademark of OpenVPN Technologies, Inc. SonicWALL and Mobile Connect are trademarks of Dell, Inc. Wi-Fi is a trademark of the Wi-Fi Alliance. All other trademarks are the property of their respective owners.

This documentation including all documentation incorporated by reference herein such as documentation provided or made available at is provided or made accessible "AS IS" and "AS AVAILABLE" and without condition, endorsement, guarantee, representation, or warranty of any kind by BlackBerry Limited and its affiliated companies ("BlackBerry") and BlackBerry assumes no responsibility for any typographical, technical, or other inaccuracies, errors, or omissions in this documentation. In order to protect BlackBerry proprietary and confidential information and/or trade secrets, this documentation may describe some aspects of BlackBerry technology in generalized terms. BlackBerry reserves the right to periodically change information that is contained in this documentation; however, BlackBerry makes no commitment to provide any such changes, updates, enhancements, or other additions to this documentation to you in a timely manner or at all.

This documentation might contain references to third-party sources of information, hardware or software, products or services including components and content such as content protected by copyright and/or third-party websites (collectively the "Third Party Products and Services"). BlackBerry does not control, and is not responsible for, any Third Party Products and Services including, without limitation the content, accuracy, copyright compliance, compatibility, performance, trustworthiness, legality, decency, links, or any other aspect of Third Party Products and Services. The inclusion of a reference to Third Party Products and Services in this documentation does not imply endorsement by BlackBerry of the Third Party Products and Services or the third party in any way.

EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS OR WARRANTIES OF DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE, MERCHANTABILITY, MERCHANTABLE QUALITY, NON-INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND CONDITIONS. TO THE EXTENT PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE DOCUMENTATION TO THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE SUBJECT OF THE CLAIM.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL BLACKBERRY BE LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE FOLLOWING DAMAGES: DIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED DAMAGES, DAMAGES FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION OR LOSS OF DATA, FAILURES TO TRANSMIT OR RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY APPLICATIONS USED IN CONJUNCTION WITH BLACKBERRY PRODUCTS OR SERVICES, DOWNTIME COSTS, LOSS OF THE USE OF BLACKBERRY PRODUCTS OR SERVICES OR ANY PORTION THEREOF OR OF ANY AIRTIME SERVICES, COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR SERVICES, COST OF CAPITAL, OR OTHER SIMILAR PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR UNFORESEEN, AND EVEN IF BLACKBERRY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, BLACKBERRY SHALL HAVE NO OTHER OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING ANY LIABILITY FOR NEGLIGENCE OR STRICT LIABILITY.

THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF THE CAUSE OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL BREACH OR BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY CONTAINED HEREIN; AND (B) TO BLACKBERRY AND ITS AFFILIATED COMPANIES, THEIR SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS (INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED BLACKBERRY DISTRIBUTORS (ALSO INCLUDING AIRTIME SERVICE PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT CONTRACTORS.

IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR, EMPLOYEE, AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF BLACKBERRY OR ANY AFFILIATES OF BLACKBERRY HAVE ANY LIABILITY ARISING FROM OR RELATED TO THE DOCUMENTATION.

Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure that your airtime service provider has agreed to support all of their features. Some airtime service providers might not offer Internet browsing functionality with a subscription to the BlackBerry Internet Service. Check with your service provider for availability, roaming arrangements, service plans and features. Installation or use of Third Party Products and Services with BlackBerry's products and services may require one or more patent, trademark, copyright, or other licenses in order to avoid infringement or violation of third party rights. You are solely responsible for determining whether to use Third Party Products and Services and if any third party licenses are required to do so. If required you are responsible for acquiring them. You should not install or use Third Party Products and Services until all necessary licenses have been acquired. Any Third Party Products and Services that are provided with BlackBerry's products and services are provided as a convenience to you and are provided "AS IS" with no express or implied conditions, endorsements, guarantees, representations, or warranties of any kind by BlackBerry and BlackBerry assumes no liability whatsoever, in relation thereto. Your use of Third Party Products and Services shall be governed by and subject to you agreeing to the terms of separate licenses and other agreements applicable thereto with third parties, except to the extent expressly covered by a license or other agreement with BlackBerry.

Certain features outlined in this documentation require a minimum version of BlackBerry Enterprise Server, BlackBerry Desktop Software, and/or BlackBerry Device Software.

The terms of use of any BlackBerry product or service are set out in a separate license or other agreement with BlackBerry applicable thereto. NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN AGREEMENTS OR WARRANTIES PROVIDED BY BLACKBERRY FOR PORTIONS OF ANY BLACKBERRY PRODUCT OR SERVICE OTHER THAN THIS DOCUMENTATION.

BlackBerry Limited
2200 University Avenue East
Waterloo, Ontario
Canada N2K 0A7

BlackBerry UK Limited
200 Bath Road
Slough, Berkshire SL1 3XE
United Kingdom

Published in Canada
BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2. Feature and Technical Overview
BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2 Feature and Technical Overview Published: 2010-06-16 SWDT305802-1108946-0615123042-001 Contents 1 Overview: BlackBerry Enterprise
GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android
GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android GO!Enterprise MDM for Android, Version 3.x GO!Enterprise MDM for Android 1 Table of Contents GO!Enterprise MDM
Feature List for Kaspersky Security for Mobile
Feature List for Kaspersky Security for Mobile Contents Overview... 2 Simplified Centralized Deployment... 2 Mobile Anti-Malware... 3 Anti-Theft / Content Security... Error! Bookmark not defined. Compliance
Mobile First Government
Mobile First Government An analysis of NIST and DISA requirements for the adoption of commercially available mobility platforms by government agencies August 2013 415 East Middlefield Road Mountain View,
HIGH-SECURITY MOBILITY MANAGEMENT FROM BLACKBERRY
GOLD EMM SUBSCRIPTIONS Experience the most secure mobility management solution with BES12 and Gold Enterprise Mobility Management (EMM) subscriptions. HIGH-SECURITY MOBILITY MANAGEMENT FROM BLACKBERRY
Feature and Technical
BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 4 Feature and Technical Overview Published: 2013-11-07 SWD-20131107160132924 Contents 1 Document revision history...6 2 What's
Kaspersky Security for Mobile Administrator's Guide
Kaspersky Security for Mobile Administrator's Guide APPLICATION VERSION: 10.0 SERVICE PACK 1 Dear User, Thank you for choosing our product. We hope that you will find this documentation useful and that
Policy and Profile Reference Guide. BES10 Cloud Market Preview
Policy and Profile Reference Guide BES10 Cloud Market Preview Published: 2014-02-04 SWD-20140204170848330 Contents About this guide... 13 What is BES10 Cloud?... 13 Key features of BES10 Cloud...14 IT
iphone in Business Security Overview
iphone in Business Security Overview iphone can securely access corporate services and protect data on the device. It provides strong encryption for data in transmission, proven authentication methods
iphone in Business Mobile Device Management
19 iphone in Business Mobile Device Management iphone supports Mobile Device Management, giving businesses the ability to manage scaled deployments of iphone across their organizations. These Mobile Device
SysAid MDM User Guide for Android
SysAid MDM User Guide for Android Table of Contents Introduction Enrolling Your Android Mobile Device in SysAid MDM Unenrolling Your Android Mobile Device from SysAid MDM Have Any Questions? Introduction
Kaspersky Security 10 for Mobile Implementation Guide
Kaspersky Security 10 for Mobile Implementation Guide APPLICATION VERSION: 10.0 MAINTENANCE RELEASE 1 Dear User, Thank you for choosing our product. We hope that you will find this documentation useful
Sophos Mobile Control Administrator guide. Product version: 3.6
Sophos Mobile Control Administrator guide Product version: 3.6 Document date: November 2013 Contents 1 About Sophos Mobile Control...4 2 About the Sophos Mobile Control web console...7 3 Key steps for
Kaspersky Lab Mobile Device Management Deployment Guide
Kaspersky Lab Mobile Device Management Deployment Guide Introduction With the release of Kaspersky Security Center 10.0 a new functionality has been implemented which allows centralized management of mobile
Sophos Mobile Control Administrator guide. Product version: 3
Sophos Mobile Control Administrator guide Product version: 3 Document date: January 2013 Contents 1 About Sophos Mobile Control...4 2 About the Sophos Mobile Control web console...7 3 Key steps for managing
Xperia TM. Read about how Xperia TM devices can be administered in a corporate IT environment
Xperia TM in Business Mobile Device Management Read about how Xperia TM devices can be administered in a corporate IT environment Device management clients Xperia TM T3 Exchange ActiveSync The my Xperia
Getting Started Guide
BlackBerry Web Services For Microsoft.NET developers Version: 10.2 Getting Started Guide Published: 2013-12-02 SWD-20131202165812789 Contents 1 Overview: BlackBerry Enterprise Service 10... 5 2 Overview:
Ensuring the security of your mobile business intelligence
IBM Software Business Analytics Cognos Business Intelligence Ensuring the security of your mobile business intelligence 2 Ensuring the security of your mobile business intelligence Contents 2 Executive
GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android with TouchDown
GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android with TouchDown GO!Enterprise MDM for Android, Version 3.x GO!Enterprise MDM for Android with TouchDown 1 Table
ipad in Business Mobile Device Management
ipad in Business Mobile Device Management ipad supports Mobile Device Management, giving businesses the ability to manage scaled deployments of ipad across their organizations. These Mobile Device Management
Integrating Cisco ISE with GO!Enterprise MDM Quick Start
Integrating Cisco ISE with GO!Enterprise MDM Quick Start GO!Enterprise MDM Version 3.x Overview 1 Table of Contents Overview 3 Getting GO!Enterprise MDM Ready for ISE 5 Grant ISE Access to the GO!Enterprise
Protecting Criminal Justice Information: Achieving CJIS Compliance on Mobile Devices
Protecting Criminal Justice Information: Achieving CJIS Compliance on Mobile Devices Protecting Criminal Justice Information: Achieving CJIS Compliance on Mobile Devices It s common today for law enforcement
Building a BYOD Program Using the Casper Suite. Technical Paper Casper Suite v9.4 or Later 17 September 2014
Building a BYOD Program Using the Casper Suite Technical Paper Casper Suite v9.4 or Later 17 September 2014 JAMF Software, LLC 2014 JAMF Software, LLC. All rights reserved. JAMF Software has made all efforts
MaaS360 Cloud Extender
MaaS360 Cloud Extender Installation Guide Copyright 2013 Fiberlink Communications Corporation. All rights reserved. Information in this document is subject to change without notice. The software described
Preparing for GO!Enterprise MDM On-Demand Service
Preparing for GO!Enterprise MDM On-Demand Service This guide provides information on...... An overview of GO!Enterprise MDM... Preparing your environment for GO!Enterprise MDM On-Demand... Firewall rules
BlackBerry Enterprise Service 10 version 10.2 preinstallation and preupgrade checklist
BlackBerry Enterprise Service version.2 preinstallation and preupgrade checklist Verify that the following requirements are met before you install or upgrade to BlackBerry Enterprise Service version.2.
http://docs.trendmicro.com
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,
Windows Phone 8.1 Mobile Device Management Overview
Windows Phone 8.1 Mobile Device Management Overview Published April 2014 Executive summary Most organizations are aware that they need to secure corporate data and minimize risks if mobile devices are
MaaS360 On-Premises Cloud Extender
MaaS360 On-Premises Cloud Extender Installation Guide Copyright 2014 Fiberlink Communications Corporation. All rights reserved. Information in this document is subject to change without notice. The software
GO!Enterprise MDM Device Application User Guide Installation and Configuration for BlackBerry
GO!Enterprise MDM Device Application User Guide Installation and Configuration for BlackBerry GO!Enterprise MDM Version 4.11.x GO!Enterprise MDM for BlackBerry 1 Table of Contents GO!Enterprise MDM for
BES10 Cloud architecture and data flows
BES10 Cloud architecture and data flows Architecture: BES10 Cloud solution Component APNs BlackBerry Cloud Connector BES10 Cloud BlackBerry Infrastructure Company directory Devices GCM Other third-party
ManageEngine Desktop Central. Mobile Device Management User Guide
ManageEngine Desktop Central Mobile Device Management User Guide Contents 1 Mobile Device Management... 2 1.1 Supported Devices... 2 1.2 What Management Operations you can Perform?... 2 2 Setting Up MDM...
[BRING YOUR OWN DEVICE POLICY]
2013 Orb Data Simon Barnes [BRING YOUR OWN DEVICE POLICY] This document specifies a sample BYOD policy for use with the Orb Data SaaS MDM service Contents 1 ACCEPTABLE USE... 3 1.1 GENERAL RULES... 3 2
AirWatch for Android Devices
Overview What is AirWatch AirWatch is the mobile device management (MDM) system provided by UMHS to ensure security for smart phones and tablets that connect to the UMHS environment. AirWatch provides
CUSTOMER Android for Work Quick Start Guide
Mobile Secure Cloud Edition Document Version: 1.0 2016-01-25 CUSTOMER Content 1 Introduction to Android for Work.... 3 2 Prerequisites....4 3 Setting up Android for Work (Afaria)....5 4 Setting up Android
Addressing NIST and DOD Requirements for Mobile Device Management
Addressing NIST and DOD Requirements for Mobile Device Management Whitepaper 2013 ForeScout Technologies, Inc. All rights reserved. Call Toll-Free: 1.866.377.8771 www.forescout.com Contents 1. OVERVIEW
How to Obtain an APNs Certificate for CA MDM
How to Obtain an APNs Certificate for CA MDM Contents How to Obtain an APNs Certificate for CA MDM Verify Prerequisites Obtaining Root and Intermediate Certificates Create a Certificate Signing Request
GETS AIRWATCH MDM HANDBOOK
GETS AIRWATCH MDM HANDBOOK October 2014 Abstract Using AirWatch, a mobile device management tool, within the public sector. GTA Product and Services Group EXECUTIVE SUMMARY.. 2 INTRODUCTION TO THE GETS
What We Do: Simplify Enterprise Mobility
What We Do: Simplify Enterprise Mobility AirWatch by VMware is the global leader in enterprise-grade mobility solutions across every device, every operating system and every mobile deployment. Our scalable
Administering Jive Mobile Apps
Administering Jive Mobile Apps Contents 2 Contents Administering Jive Mobile Apps...3 Configuring Jive for Android and ios... 3 Native Apps and Push Notifications...4 Custom App Wrapping for ios... 5 Native
Mobile Device Management and Security Glossary
Mobile Device Management and Security Glossary February, 2011 MOBILE OS ActiveSync Exchange ActiveSync (EAS) is a Microsoft technology that allows mobile users to access their Microsoft Exchange mailboxes
Managing ios Devices. Andrew Wellington Division of Information The Australian National University XW11
Managing ios Devices Andrew Wellington Division of Information The Australian National University About Me Mac OS X Systems Administrator Division of Information (Central IT) Mostly manage servers (about
In-Depth Look at Capabilities: Samsung KNOX and Android for Work
In-Depth Look at Capabilities: Samsung KNOX and Android for Work Silent Install Using the Samsung KNOX Workspace Mobile Device Management (MDM) APIs, IT admins can install and enable applications automatically.
Mobile Device Management Version 8. Last updated: 17-10-14
Mobile Device Management Version 8 Last updated: 17-10-14 Copyright 2013, 2X Ltd. http://www.2x.com E mail: [email protected] Information in this document is subject to change without notice. Companies names
COMMUNITAKE TECHNOLOGIES MOBILE DEVICE MANAGEMENT FROM BELL USER GUIDE
COMMUNITAKE TECHNOLOGIES MOBILE DEVICE MANAGEMENT FROM BELL USER GUIDE Mobile Device Management, User Guide Copyright 2013, CommuniTake Technologies Ltd., Yokneam, Israel. All rights reserved. For a hard-copy
Product Manual. MDM On Premise Installation Version 8.1. Last Updated: 06/07/15
Product Manual MDM On Premise Installation Version 8.1 Last Updated: 06/07/15 Parallels IP Holdings GmbH Vordergasse 59 8200 Schaffhausen Switzerland Tel: + 41 52 632 0411 Fax: + 41 52 672 2010 www.parallels.com
Workday Mobile Security FAQ
Workday Mobile Security FAQ Workday Mobile Security FAQ Contents The Workday Approach 2 Authentication 3 Session 3 Mobile Device Management (MDM) 3 Workday Applications 4 Web 4 Transport Security 5 Privacy
SYNCSHIELD FEATURES. Preset a certain task to be executed. specific time.
SYNCSHIELD FEATURES This document describes the diversity of SyncShield features. Please note that many of the features require a certain platform version, often earlier software versions do not support
QuickStart Guide for Mobile Device Management. Version 8.6
QuickStart Guide for Mobile Device Management Version 8.6 JAMF Software, LLC 2012 JAMF Software, LLC. All rights reserved. JAMF Software has made all efforts to ensure that this guide is accurate. JAMF
Sophos Mobile Control Installation guide
Sophos Mobile Control Installation guide Product version: 2.5 Document date: July 2012 Contents 1 Introduction... 3 2 The Sophos Mobile Control server... 4 3 Set up Sophos Mobile Control... 13 4 Running
Installation and Administration Guide
Installation and Administration Guide BlackBerry Collaboration Service Version 12.1 Published: 2015-02-25 SWD-20150225135812271 Contents About this guide... 5 Planning a BlackBerry Collaboration Service
Windows Phone 8.1 in the Enterprise
Windows Phone 8.1 in the Enterprise Version 1.4 MobileIron 415 East Middlefield Road Mountain View, CA 94043 USA Tel. +1.650.919.8100 Fax +1.650.919.8006 [email protected] Introduction 3 Why Windows
Mobile Device Management Solution Hexnode MDM
Mobile Device Management Solution Hexnode MDM Frequently Asked Questions www.hexnode.com Frequently Asked Questions How is Hexnode MDM license calculated?...4 Which ports do I need to open for Hexnode
Policy and Profile Reference Guide
BlackBerry Enterprise Service 10 BlackBerry Device Service Version: 10.2 Policy and Profile Reference Guide Published: 2014-06-16 SWD-20140616165002982 Contents 1 About this guide... 10 2 New IT policy
Sophos Mobile Control Installation guide. Product version: 3.6
Sophos Mobile Control Installation guide Product version: 3.6 Document date: November 2013 Contents 1 Introduction...3 2 The Sophos Mobile Control server...5 3 Set up Sophos Mobile Control...11 4 External
McAfee Enterprise Mobility Management
Technical FAQ McAfee Enterprise Mobility Management Frequently Asked Questions Device Management Q: Which devices do you currently support? A: McAfee Enterprise Mobility Management (McAfee EMM ) offers
When enterprise mobility strategies are discussed, security is usually one of the first topics
Acronis 2002-2014 Introduction When enterprise mobility strategies are discussed, security is usually one of the first topics on the table. So it should come as no surprise that Acronis Access Advanced
