Security Guide. BlackBerry Enterprise Service 12 for iOS, Android, and Windows Phone. Version 12.0


Published: SWD

Contents

About this guide
What is BES12?
Key features of BES12
Security features
Security features for devices with MDM controls
Security features for devices with Secure Work Space
Protecting devices against jailbreaking and rooting
Supported features that are native to iOS and Android
Types of apps
Activating and managing devices
What is the BES12 Client?
Activation passwords
User registration with the BlackBerry Infrastructure
Using activation types to configure your control over devices
Activating devices
Data flow: Activating an iOS device
Data flow: Activating an Android device
Data flow: Activating a Windows Phone device
Using IT policies to manage security
Using compliance profiles to enforce standards for iOS, Android, and Windows Phone devices
Preventing users from installing specific iOS, Android, and Windows Phone apps
Controlling which devices can use Exchange ActiveSync
Protecting messages
Data at rest
Passwords
iOS device passwords
Android device passwords
Windows Phone device passwords
Security timeout
Data wipe
Full device wipe
Work data wipe
Securing devices for work and personal use
Creating a work space on a device
Protecting work space data with encryption
Work space encryption
Sharing information between secured apps
Storing and protecting the work space password
Storing Work Browser data
Storing work space data on media cards
Deleting the work space
Attachments for third-party secured apps
Protecting work space data with password rules
Showing work contacts in caller ID on iOS devices
Controlling when devices wipe the work space
Data in transit
Protection for all devices
Protecting Wi-Fi connections
Types of encryption used for communication between devices and your resources
Protecting data in transit between BES12 and devices
Protecting communication with devices using certificates
Connecting to a VPN
Providing devices with single sign-on access to your organization's network
Protection for devices with enterprise connectivity
How a device with enterprise connectivity connects to BES12
How BES12 authenticates with the BlackBerry Infrastructure
How a device with Secure Work Space connects to the BlackBerry Infrastructure
Storing and protecting certificates
User authentication with the BES12 Client
Extending the security of messages using S/MIME
Secured apps
Managing the availability of secured apps on devices
How a work space wraps secured apps
How a work space fingerprints secured apps
App wrapping in the BlackBerry Infrastructure
Product documentation
Provide feedback
Glossary
Legal notice

About this guide

BES12 helps you manage devices for your organization, including BlackBerry 10, BlackBerry OS (5.0 to 7.1), iOS, Android, and Windows Phone devices. This guide describes the security for iOS, Android, and Windows Phone devices. It also describes how Secure Work Space delivers a higher level of control and security to iOS and Android devices.

This guide is intended for senior IT professionals responsible for evaluating the product and planning its deployment, as well as anyone who's interested in learning more about device security and Secure Work Space. After you read this guide, you should understand how BES12 can help protect data at rest, data in transit, and apps for your organization.

What is BES12?

BES12 is an EMM solution from BlackBerry. EMM solutions help you do the following:
- Manage mobile devices for your organization to protect business information
- Keep mobile workers connected with the information that they need
- Provide administrators with efficient business tools

With BES12, you can manage the following device types:
- BlackBerry 10
- BlackBerry OS (version 5.0 to 7.1)
- iOS
- Android
- Windows Phone

You can manage these devices from a single, simplified UI with industry-leading security.

Key features of BES12

Feature: Management of many types of devices
Description: You can manage BlackBerry 10, BlackBerry OS (version 5.0 to 7.1), iOS, Android, and Windows Phone devices.

Feature: Single, unified UI
Description: You can view all devices in one place and access all management tasks in a single, web-based UI. You can share administrative duties with multiple administrators who can access the management console at the same time.

Feature: Trusted and secure experience
Description: Device controls give you precise management of how devices connect to your network, what capabilities are enabled, and what apps are available. Whether the devices are owned by your organization or your users, you can protect your organization's information.

Feature: Balance of work and personal needs
Description: BlackBerry Balance and Secure Work Space technologies are designed to make sure that personal information and work information are kept separate and secure on devices. If the device is lost or the employee leaves the organization, you can delete only work-related information or all information from the device.

Security features

Different levels of security are available for the devices that BES12 manages.

Silver-level EMM provides MDM controls for iOS, Android, and Windows Phone devices. MDM controls include device and app management and security features such as IT policies, profiles, and IT administration commands.

Gold-level EMM provides all of these features for iOS and Android devices plus Secure Work Space. Secure Work Space is a containerization, app wrapping, and secure enterprise connectivity option that delivers a higher level of control and security to iOS and Android devices. Secured apps are protected and separated from personal apps and data. The secured apps include an integrated email, calendar, and contacts app, an enterprise-level secure browser, and a secure document viewing and editing app. The work browser allows users to securely browse the work intranet and the Internet. If the device is lost or the employee leaves the organization, you can delete only work-related information or all information from the device.

Security features for devices with MDM controls

Feature: Manage devices and their work data
Description: If the actions are supported by the device and its operating system version, you can perform many actions to control access to work data on devices:
- Lock the device, change the device password, or delete information from the device
- Control how the device can connect to your organization's network, including Wi-Fi settings and, for iOS devices, VPN settings
- Control the capabilities of the device, such as setting rules for password strength and disabling functions like the camera
- Install certificates on iOS devices and optionally configure SCEP to permit automatic certificate enrollment

Feature: Control which devices can access Microsoft Exchange ActiveSync
Description: You can configure Microsoft Exchange to block devices from using Microsoft Exchange ActiveSync unless the devices are explicitly added to an allowed list in Microsoft Exchange. Using gatekeeping in BES12 lets you control which devices are added to the allowed list. When a device is added to the allowed list, a user can access work and other information on the device.

Feature: Manage work apps
Description: On devices with MDM controls, work apps are apps that your organization makes available for its users. You can specify whether apps are required on devices, and you can view whether a work app is installed on a device.

Feature: Enforce your organization's requirements for devices
Description: You can use a compliance profile to help enforce your organization's requirements for devices, such as requiring that certain apps be installed on devices. On iOS and Android devices, you can disallow devices that are jailbroken or rooted. You can send a notification to users to ask them to meet your organization's requirements, or you can limit users' access to your organization's resources and applications, delete work data, or delete all data on the device.

Feature: Certificate-based authentication
Description: You can send certificates to devices using certificate profiles. You can also send certificates to iOS devices using SCEP profiles. These profiles help to restrict access to Microsoft Exchange ActiveSync, Wi-Fi connections, or VPN connections to devices that use certificate-based authentication. (VPN is only available on iOS devices.) This feature also helps you control Microsoft Exchange ActiveSync, Wi-Fi connections, or VPN connections on devices because BES12 is designed to automatically remove profiles and certificates when a device violates one of the predefined compliance conditions (for example, compliance conditions for jailbroken devices or rooted devices). Certificate-based authentication does not require a proxy server between the device and your organization's messaging server.

Feature: FIPS certification for the BES12 Client
Description: The BES12 Client is an app that allows BES12 to communicate with iOS and Android devices. The BES12 Client uses a FIPS-validated cryptographic module to encrypt all of the data that it stores directly and writes indirectly to files.

Security features for devices with Secure Work Space

Feature: Protection of data in transit between BES12 and a device
Description: BES12 protects the data that is in transit between BES12 and a device with Secure Work Space. BES12 and a device can communicate using the TLS protocol with the AES-256 algorithm.

Feature: Ability to connect to work resources without using VPN or inbound ports in the firewall
Description: A device with Secure Work Space sends data to the BlackBerry Infrastructure, which then communicates with BES12 over its outbound-initiated, bi-directional ports. Data travels back from BES12 to the device using the same path.

Feature: Protection of work space data on a device
Description: The work space includes secured apps. Secured apps are work apps that the work space secures with additional protections. By default, secured apps protect their data using AES-256 encryption. If you choose to allow all apps to access data in the work space, then secured apps do not encrypt their data. Secured apps hash passwords before storing them. The work space isolates work space data from other data. A secured app can only communicate and share data with another secured app, unless you choose to allow all apps to access data in the work space. The work space allows a user to copy and paste from one secured app to another, but not to a work app or personal app.

Feature: FIPS certification for the encryption of work space data
Description: The work space encrypts all of the data that it stores directly and writes indirectly to files using a FIPS-validated cryptographic module.

Feature: Control of the behavior of a device
Description: To control the behavior of a device, you can send it an IT policy to change security settings or control hardware and software features. For example, you can send an IT policy to hide the default web browser or enforce a device password on a device with Secure Work Space.

Feature: Protection of user information
Description: The device allows a user to delete all user information and app data from the device memory.

Feature: Protection of the operating system
Description: The work space can restart a process for a secured app that stops responding without negatively affecting other processes. The work space validates requests that apps make for resources on the device.

Feature: Protection of app data using sandboxing
Description: The work space uses sandboxing to separate and restrict the capabilities and permissions of secured apps that run on the device. Each application process in the work space runs in its own sandbox. The work space evaluates the requests that a secured app's processes make for memory outside of its sandbox.

Feature: Management of permissions to access capabilities
Description: The work space evaluates every request that a secured app makes to access a capability on the device.

Feature: Ability to add your own secured apps
Description: Your organization can convert internal apps into secured apps that can be installed and run in the work space. To convert an app into a secured app, you must secure the app binary file using the BES12 management console, and then the app developer must re-sign the app (and if necessary for an iOS app, create an entitlements file). You can then install the app in the work space on devices.

Feature: Ability to add secured apps from other vendors
Description: Third-party app developers can secure and re-sign their applications and make them available on the App Store or Google Play for you to send to users. Apps from the App Store or Google Play that are not designated as secured apps cannot be installed or run in the work space. Only the app vendor can secure and re-sign an app so that it can be installed in the work space.

Feature: Protection of the account manager on a device
Description: Some devices use an account manager to store credentials for different user accounts. The work space protects the credentials stored by secured apps so that the credentials can be shared by secured apps but not other apps.

Feature: Protection of secured apps from trojans and malicious software
Description: The work space fingerprints apps to make sure that only known and trusted apps can run as secured apps. Secured apps are validated before they are sent to a device's work space and every time that the device runs them.

Feature: Detection of jailbroken or rooted status
Description: If a device is jailbroken or rooted, the user has root access to the operating system of the device. BES12 is designed to detect if a device is jailbroken or rooted. You can notify or require the user to remove jailbreaking software or rooting software from the device. A user with a device with Secure Work Space cannot access the work space if the device is jailbroken or rooted.

Protecting devices against jailbreaking and rooting

iOS: For iOS devices, Secure Work Space has protections against jailbreaking that go beyond the checks for path names and common files that many competitors use. Secure Work Space performs additional checks, such as testing whether privileges can be escalated by forking processes and running system calls. Secured apps perform in-process memory checks that identify jailbreak signatures in real time and provide a robust defense against all forms of jailbreak. In-process memory checks are protected by multiple mechanisms to prevent the algorithms from being overcome. For example, checks are dispersed throughout the code and include red herrings and other defensive tactics. Jailbreak checks run when secured apps run. If a user loses a device, and an attacker jailbreaks the device, the encryption of the work space protects the work space data from exploits such as bit copies of persistent memory. To run Secure Work Space on an iOS device that has been jailbroken, you must revert the device to a non-jailbroken state.

Android OS: For Android devices, Secure Work Space uses the device manufacturer's MDM APIs to detect whether the device has been rooted, as well as additional detection methods specific to Secure Work Space. The checks are run in order of likelihood, and stop when they detect that the device has been rooted. The device manufacturer's detection methods are licensed through a partner program and are not publicly available. To run Secure Work Space on an Android device that has been rooted, you must revert the device to a non-rooted state.

Supported features that are native to iOS and Android

The following features are native to iOS and Android, and they are also supported by BES12. For more information about these features, see the iOS and Android documentation available from Apple and Google.

Feature: Full-disk encryption
Description: Full-disk encryption ensures that all of a device's data is stored in an encrypted form, accessible to users who enter an encryption PIN or password. BES12 supports the native full-disk encryption offered on iOS and Android.

Feature: Address space layout randomization
Description: Address space layout randomization makes it more difficult for attackers to exploit a device and run their own code. This technique randomizes the location of system components in memory so that attackers find it difficult to know where a vulnerability exists. BES12 supports the native address space layout randomization offered on iOS and Android.

Types of apps

Devices with Secure Work Space can run three different types of apps:

Type of app: Personal app
Description: An app that the user installs on the device, or an app that the manufacturer or wireless service provider installs on the device. BES12 treats these apps, and the data that they store, as personal data.

Type of app: Work app
Description: An app that you install and manage on a user's device. BES12 treats these apps, and the data that they store, as work data.

Type of app: Secured app
Description: A work app that the work space secures with additional protections. BES12 treats these apps, and the data that they store, as work space data.

There are three different types of secured apps:

Type of app: Default secured app
Description: A secured app that appears on every device with Secure Work Space.

Type of app: Internal secured app
Description: An app that your organization develops and specifically prepares to run in the work space.

Type of app: External secured app
Description: An app that a third party develops and the app vendor specifically prepares to run in the work space.

Activating and managing devices

Device activation associates a device with a user account in BES12 and establishes a secure communication channel between the device and BES12.

BES12 allows multiple devices to be activated for the same user account. More than one active iOS, Android, Windows Phone and BlackBerry 10 device can be associated with a user account. All device types consume a license when they are activated.

By default, a user can activate a device using any of the following connections:
- Over any Wi-Fi connection or mobile network through the BlackBerry Infrastructure
- Over any Wi-Fi connection or mobile network using a VPN connection with a connection to the BlackBerry Infrastructure (iOS only)

Your organization's activation information is registered automatically with the BlackBerry Infrastructure. The username and your organization's BES12 server address are sent to and stored in the BlackBerry Infrastructure. If you turn off registration with the BlackBerry Infrastructure, then BES12 users also require the organization's BES12 server address to activate their devices.

Users can activate their devices after they receive an activation message from BES12, or they can log in to BES12 Self-Service and request an activation password.

After the activation process completes, BES12 can send apps, profiles, and IT policies to the device. If an email profile is configured, the user can send and receive work messages using the device.

What is the BES12 Client?

The BES12 Client is an app that allows BES12 to communicate with iOS, Android, and Windows Phone devices. If users want to activate these devices on BES12, they must install the BES12 Client on the devices. Users can download the latest version of the BES12 Client from the App Store for iOS devices, from Google Play for Android devices, or from the Windows Marketplace for Windows Phone.

After users activate their devices, the BES12 Client allows users to do the following:
- Verify whether their devices are compliant with the organization's standards
- View the profiles that have been assigned to their user accounts
- View the IT policy rules that have been assigned to their user accounts
- Deactivate their devices

Activation passwords

You can specify how long an activation password remains valid before it expires. You can also specify the default password length for the automatically generated password that is sent to users in the activation message. The value that you enter for the activation period expiration appears as the default setting in the "Activation period expiration" field when you add a user account to BES12.

The activation period expiration can be 1 minute to 30 days, and the length of the automatically generated password can be 4 to 16 characters.

User registration with the BlackBerry Infrastructure

User registration with the BlackBerry Infrastructure is a setting in the default activation settings that allows users to be registered with the BlackBerry Infrastructure when you add a user to BES12. Information sent to the BlackBerry Infrastructure is sent and stored securely.

The benefit of registration is that users don't have to enter the server address when they are activating a device; they only need to enter their address and password. The BES12 Client installed on iOS, Android, and Windows Phone devices then communicates with the BlackBerry Infrastructure to retrieve the server address. A secure connection is established with BES12 with minimal user input.

You can turn off user registration with the BlackBerry Infrastructure if you don't want to send user information to BlackBerry.

Using activation types to configure your control over devices

You can use activation types to configure how much control you have over activated devices. This flexibility of control levels is useful if you want to have full control over a device that you issue to a user or if you want to make sure that you have no control over the personal data on a device that the user owns and brings to work.

There are three activation types for Android and iOS devices, and one activation type for Windows Phone devices.

Activation type: MDM controls
Description: This activation type applies to:
- iOS
- Android
- Windows Phone
This activation type provides basic device management using device controls made available by iOS, Android, and Windows Phone. There is no separate work space installed on the device, and no added security for work data. You can control the device using IT administration commands and IT policies. During activation, users with an iOS device must install a mobile device management profile, users with an Android device must permit Administrator permissions for the BES12 Client, and users with a Windows Phone device must enroll their device through the Windows Phone company apps.

Activation type: Work and personal - full control
Description: This activation type applies to:
- iOS
- Android
This activation type provides full control of devices. When a device is activated, a separate work space is created on the device and the user must create a password to access the work space. Work data is protected using encryption and password authentication. You can control the work space, and some other aspects of the device that affect both the personal and work space using IT administration commands and IT policies. During activation, users with an iOS device must install a mobile device management profile and users with an Android device must permit Administrator permissions for the BES12 Client.

Activation type: Work and personal - user privacy
Description: This activation type applies to:
- iOS
- Android
This activation type provides control of work data on devices, while making sure that there is privacy for personal data. When a device is activated, a separate work space is created on the device and the user must create a password to access the work space. Work data is protected using encryption and password authentication. You can control the work space on the device using IT administration commands and IT policies, but you cannot control any aspects of the personal space on the device. Users with an iOS device are not required to install a mobile device management profile and users with an Android device do not have to permit Administrator permissions for the BES12 Client.

Activating devices

An activation type profile determines whether devices have a separate work space installed, and how you can manage the data in the work space and personal space. If you assign an activation type profile to a user account using the activation type "Work and personal - full control" or "Work and personal - user privacy," then when the device is activated, the following steps happen:

1. A work space is created on the device.
2. The work space is associated with a user account in BES12.
3. A secure communication channel is established between the device and BES12 using an SSL certificate.

For more information about activation types, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Administration Guide. For more information about installing an SSL certificate, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Configuration Guide.

BES12 allows multiple devices to be activated for the same user account. Your organization must also activate the appropriate licenses. If you or a user tries a work space activation but the required license is not available, the device will not activate correctly and it will not be able to access your organization's data.

You can activate a device for a user by logging in to the administration console and connecting the device to the computer. You can also configure how users can activate devices and whether you can use the administration console to send activation passwords and instructions to a user's work account.

By default, a user can activate a device wirelessly using any of the following connections:
- Over your work Wi-Fi network through the BlackBerry Infrastructure
- Over any Wi-Fi connection or mobile network through the BlackBerry Infrastructure

When the activation process completes, BES12 can send apps, profiles, and IT policies to the device.
If profiles are configured, users can send and receive work messages using the device.

Data flow: Activating an iOS device

1. You perform the following actions:
   a. Add a user to BES12 as a local user account, or by using the account information retrieved from your company directory
   b. Assign an activation profile to the user
   c. Use one of the following options to provide the user with activation details:
      - Automatically generate a device activation password and send an email with activation instructions for the user
      - Set a device activation password and communicate the username and password to the user directly or by email
      - Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password
2. The user downloads and installs the BES12 Client on the device. Once installed, the user opens the BES12 Client and enters the address and activation password on the device.
3. The BES12 Client on the device performs the following actions:
   a. Establishes a connection to the BlackBerry Infrastructure
   b. Sends a request for activation information to the BlackBerry Infrastructure
4. The BlackBerry Infrastructure performs the following actions:
   a. Verifies that the user is a valid, registered user
   b. Retrieves the BES12 address for the user
   c. Sends the address to the BES12 Client
5. The BES12 Client establishes a connection with BES12.
6. BES12 prompts the user to accept the BES12 certificate. This prompt includes information about the SSL certificate, including the Common Name, fingerprint, and whether the certificate is trusted or untrusted. If the certificate has been preinstalled on the device, it is trusted; otherwise it is untrusted.
7. The user accepts the certificate.
8. The BES12 Client sends an activation request to BES12. The activation request includes the username, password, device operating system, and unique device identifier.
9. BES12 performs the following actions:
   a. Inspects the credentials for validity
   b. Creates a device instance
   c. Associates the device instance with the specified user account in the BES12 database
   d. Adds the enrollment session ID to an HTTP session
   e. Sends a successful authentication message to the device
10. The BES12 Client creates a CSR using the information received from BES12 and sends a client certificate request over HTTPS.
11. BES12 performs the following actions:
   a. Validates the client certificate request against the enrollment session ID in the HTTP session
   b. Signs the client certificate request with the root certificate
   c. Sends the signed client certificate and root certificate back to the BES12 Client
12. A mutually authenticated TLS session is established between the BES12 Client and BES12.
13. The BES12 Client displays a message to inform the user that a certificate must be installed to complete the activation.
14. The user clicks OK and is redirected to the link for the native MDM Daemon activation.
15. The BES12 Client establishes a connection to BES12.
16. BES12 provides the MDM profile to the BES12 Client. This profile contains the MDM activation URL and the challenge. The MDM profile is wrapped as a PKCS#7 signed message that includes the full certificate chain of the signer, which allows the device to validate the profile. This triggers the enrollment process.
17. The native MDM Daemon on the device sends the device profile, including the customer ID, language, and OS version, to BES12.
18. BES12 validates that the request is signed by a CA and responds to the native MDM Daemon with a successful authentication notification.
19. The native MDM Daemon sends a request to BES12 asking for the CA certificate, CA capabilities information, and a device issued certificate.
20. BES12 sends the CA certificate, CA capabilities information, and the device issued certificate to the native MDM Daemon.
21. The native MDM Daemon installs the MDM profile on the device.
22. The BES12 Client notifies BES12 of the successful installation of the MDM profile and certificate and polls BES12 periodically until it acknowledges that the MDM activation is complete.
23. BES12 acknowledges that the MDM activation is complete.
24. The BES12 Client requests all configuration information and sends the device and software information to BES12.
25. BES12 stores the device information in the database and sends configuration information to the device.
26. The device sends an acknowledgment to BES12 that it received and applied the configuration updates. The activation process is complete.

If the activation type for the device is "Work and personal - user privacy" or "Work and personal - full control", after the activation is completed, the user is prompted to create a work space password. Additionally, the user may be prompted to install some or all of the following apps:
- Work Connect
- Work Browser
- Documents To Go

Note: If the device is activated with the "Work and personal - user privacy" activation type, the users are not prompted to install the secure apps and must manually download and install them.

Data flow: Activating an Android device

1. You perform the following actions:
   a. Add a user to BES12 as a local user account, or by using the account information retrieved from your company directory
   b. Assign an activation profile to the user
   c. Use one of the following options to provide the user with activation details:
      - Automatically generate a device activation password and send an email with activation instructions for the user
      - Set a device activation password and communicate the username and password to the user directly or by email
      - Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password
2. The user downloads and installs the BES12 Client on the device. Once installed, the user opens the BES12 Client and enters the address and activation password on the device.
3. The BES12 Client on the device performs the following actions:
   a. Establishes a connection to the BlackBerry Infrastructure
   b. Sends a request for activation information to the BlackBerry Infrastructure
4. The BlackBerry Infrastructure performs the following actions:
   a. Verifies that the user is a valid, registered user
   b. Retrieves the BES12 address for the user
   c. Sends the address to the BES12 Client
5. The BES12 Client establishes a connection with BES12.
6. BES12 prompts the user to accept the BES12 certificate. This prompt includes information about the SSL certificate, including the Common Name, fingerprint, and whether the certificate is trusted or untrusted. If the certificate has been preinstalled on the device, it is trusted; otherwise, it is untrusted.
7. The user accepts the certificate.
8. The BES12 Client sends an activation request to BES12. The activation request includes the username, password, device operating system, and unique device identifier.
9. BES12 performs the following actions:
   a. Inspects the credentials for validity
   b. Creates a device instance
   c. Associates the device instance with the specified user account in the BES12 database
   d. Adds the enrollment session ID to an HTTP session
   e. Sends a successful authentication message to the device
10. The BES12 Client creates a CSR using the information received from BES12 and sends a client certificate request to BES12 over HTTPS.
11. BES12 performs the following actions:
   a. Validates the client certificate request against the enrollment session ID in the HTTP session
   b. Signs the client certificate request with the root certificate
   c. Sends the signed client certificate and root certificate back to the BES12 Client
12. A mutually authenticated TLS session is established between the BES12 Client and BES12.
13. The BES12 Client requests all configuration information and sends the device and software information to BES12.
14. BES12 stores the device information in the database and sends the requested configuration information to the device.
15. The device sends an acknowledgment to BES12 that it received and applied the configuration information. The activation process is complete.

If the activation type for the device is "Work and personal - user privacy" or "Work and personal - full control", after the activation is completed, the user is prompted to create a work space password. Additionally, the user may be prompted to install some or all of the following apps:
- Secure Work Space
- Work Space Manager
- Documents To Go

Note: If the device is activated with the "Work and personal - user privacy" activation type, the users are not prompted to install the secure apps and must manually download and install them.

Data flow: Activating a Windows Phone device

1. You perform the following actions:
   a. Add a user to BES12 as a local user account, or by using the account information retrieved from your company directory
   b. Assign an activation profile to the user
   c. Use one of the following options to provide the user with activation details:
      - Automatically generate a device activation password and send an email with activation instructions for the user
      - Set a device activation password and communicate the username and password to the user directly or by email
      - Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password
2. The user downloads and installs the BES12 Client on the device. After it is installed, the user opens the BES12 Client and enters the address and activation password on the device.
3. The BES12 Client on the device performs the following actions:
   a. Establishes a connection to the BlackBerry Infrastructure
   b. Sends a request for activation information to the BlackBerry Infrastructure
4. The BlackBerry Infrastructure performs the following actions:
   a. Verifies that the user is a valid, registered user
   b. Retrieves the BES12 address for the user
   c. Sends the address to the BES12 Client
5. The BES12 Client establishes a connection with BES12.
6. BES12 prompts the user to accept the BES12 certificate. This prompt includes information about the SSL certificate, including the Common Name and fingerprint.
7. The BES12 Client sends an activation request to BES12. The activation request includes the username, password, device operating system, and unique device identifier.
8. BES12 performs the following actions:
   a. Inspects the credentials for validity
   b. Creates a device instance
   c. Associates the device instance with the specified user account in the BES12 database
   d. Adds the enrollment session ID to an HTTP session
   e. Sends a successful authentication message to the device
9. The BES12 Client creates a CSR using the information received from BES12 and sends a client certificate request over HTTPS.
10. BES12 performs the following actions:
   a. Validates the client certificate request against the enrollment session ID in the HTTP session
   b. Signs the client certificate request with the root certificate
   c. Sends the signed client certificate and root certificate back to the BES12 Client
11. A mutually authenticated TLS session is established between the BES12 Client and BES12.
12. The BES12 Client displays a message and a video to show the user the steps the user must take to complete the activation.
13. The BES12 Client sends the device information to BES12.
14. The user copies the server address and navigates to the Windows Phone settings to complete the activation.
15. The user adds an account using their username and activation password and pastes the server address.
16. The native MDM Daemon on the Windows Phone device sends a CSR to BES12 that contains the username and activation password.
17. BES12 validates the username and password, validates the CSR, and returns the client certificate and the CA certificate to the device.
18. All communication between the native MDM Daemon and BES12 is now mutually authenticated end to end using these certificates.
19. The BES12 Client polls BES12 periodically until it acknowledges that the MDM activation is complete.
20. BES12 acknowledges that the MDM activation is complete.
21. The BES12 Client requests all configuration information.
22. BES12 stores the device information in the database and sends configuration information to the device.
23. The device sends an acknowledgment to BES12 that it received and applied the configuration updates. The activation process is complete.

Using IT policies to manage security

An IT policy is a set of rules that restrict or allow features and functionality on devices. IT policy rules can manage the security and behavior of devices. The device OS and device activation type determine which rules in an IT policy apply to a specific device. For example, depending on the device activation type, OS, and version, IT policy rules can be used to:

- Enforce password requirements on devices or the device work space
- Prevent users from using the camera
- Force data encryption

Only one IT policy can be assigned to each user account, and the assigned IT policy is sent to all of the user's devices. If you don't assign an IT policy to a user account or to a group that a user or device belongs to, BES12 sends the Default IT policy to the user's devices.

You can rank IT policies to specify which policy is sent to devices if a user or a device is a member of two or more groups that have different IT policies and no IT policy is assigned directly to the user account. BES12 sends the highest ranked IT policy to the user's devices. For more information about assigning and ranking IT policies, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Administration Guide.

BES12 automatically sends IT policies to devices when a user activates a device, when an assigned IT policy is updated, and when a different IT policy is assigned to a user or group. When a device receives a new or updated IT policy, the device applies the configuration changes in near real-time. For more information about specific IT policy rules, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Policy Reference Spreadsheet.

Using compliance profiles to enforce standards for iOS, Android, and Windows Phone devices

You can use compliance profiles to encourage iOS, Android, and Windows Phone device users to follow your organization's standards for the use of mobile devices. A compliance profile specifies the device conditions that aren't acceptable in your organization, the notification messages sent to users, and the actions taken if a device is non-compliant.
Depending on the OS and version, you can specify whether the following conditions are permitted:

- Jailbroken or rooted device
- Non-assigned app is installed
- Required app isn't installed

You can also specify how BES12 responds when a device violates compliance rules. Actions can include the following:

- Send an email message to the user
- Display a notification message on the device
- Prevent the user from accessing the organization's resources and apps from the device, either immediately or after a period of time
- Delete work data from the device, either immediately or after a period of time
- Delete all data from the device, either immediately or after a period of time

For more information, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Administration Guide.
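The compliance conditions and response actions listed above, modeled as an added example (this is not BES12 code and does not come from the guide). It checks a device report against a profile and works out which actions are already due and when the next one takes effect. The DeviceReport shape, the "SideloadedGame" app, the timestamps, and the 24-hour and 72-hour delays are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# The three device conditions the guide lists for compliance profiles.
JAILBROKEN = "Jailbroken or rooted device"
NON_ASSIGNED_APP = "Non-assigned app is installed"
REQUIRED_APP_MISSING = "Required app isn't installed"


@dataclass(frozen=True)
class Action:
    name: str          # one of the response actions listed in the guide
    delay: timedelta   # timedelta(0) = immediately, otherwise "after a period of time"


@dataclass
class ComplianceProfile:
    not_permitted: Set[str]   # which of the three conditions count as violations
    assigned_apps: Set[str]
    required_apps: Set[str]
    actions: List[Action]


@dataclass
class DeviceReport:           # hypothetical shape of the state a device reports
    device_id: str
    jailbroken_or_rooted: bool
    installed_apps: Set[str]
    noncompliant_since: Optional[datetime] = None


def violations(profile: ComplianceProfile, report: DeviceReport) -> List[Tuple[str, str]]:
    """Return (condition, detail) pairs for every condition the profile does not permit."""
    found = []
    if JAILBROKEN in profile.not_permitted and report.jailbroken_or_rooted:
        found.append((JAILBROKEN, report.device_id))
    if NON_ASSIGNED_APP in profile.not_permitted:
        allowed = profile.assigned_apps | profile.required_apps
        found += [(NON_ASSIGNED_APP, app) for app in sorted(report.installed_apps - allowed)]
    if REQUIRED_APP_MISSING in profile.not_permitted:
        missing = profile.required_apps - report.installed_apps
        found += [(REQUIRED_APP_MISSING, app) for app in sorted(missing)]
    return found


def _elapsed(report: DeviceReport, now: datetime) -> timedelta:
    # A device seen as non-compliant for the first time has no timestamp yet,
    # so only the immediate actions are due.
    return now - (report.noncompliant_since or now)


def actions_due(profile: ComplianceProfile, report: DeviceReport, now: datetime) -> List[str]:
    """Actions whose delay has already elapsed, in escalation order."""
    if not violations(profile, report):
        return []
    elapsed = _elapsed(report, now)
    ordered = sorted(profile.actions, key=lambda a: a.delay)
    return [a.name for a in ordered if a.delay <= elapsed]


def next_escalation(profile: ComplianceProfile, report: DeviceReport,
                    now: datetime) -> Optional[Tuple[str, datetime]]:
    """The next pending action and its deadline, or None if nothing is pending."""
    if not violations(profile, report):
        return None
    elapsed = _elapsed(report, now)
    pending = [a for a in profile.actions if a.delay > elapsed]
    if not pending:
        return None
    nxt = min(pending, key=lambda a: a.delay)
    return nxt.name, (report.noncompliant_since or now) + nxt.delay


# Constructed sample data: times, delays and the "SideloadedGame" app are made up.
NOW = datetime(2015, 1, 20, 12, 0)
PROFILE = ComplianceProfile(
    not_permitted={JAILBROKEN, NON_ASSIGNED_APP, REQUIRED_APP_MISSING},
    assigned_apps={"Documents To Go"},
    required_apps={"Work Connect", "Work Browser"},
    actions=[
        Action("Send an email message to the user", timedelta(0)),
        Action("Display a notification message on the device", timedelta(0)),
        Action("Prevent the user from accessing the organization's resources and apps "
               "from the device", timedelta(hours=24)),
        Action("Delete work data from the device", timedelta(hours=72)),
    ],
)
DEVICES = [
    DeviceReport("dev-001", False, {"Work Connect", "Work Browser", "Documents To Go"}),
    DeviceReport("dev-002", True, {"Work Connect", "SideloadedGame"},
                 noncompliant_since=NOW - timedelta(hours=30)),
]

if __name__ == "__main__":
    for dev in DEVICES:
        print(dev.device_id, violations(PROFILE, dev))
        print("  due now:", actions_due(PROFILE, dev, NOW))
        print("  next:", next_escalation(PROFILE, dev, NOW))
```

Running the same evaluation over an inventory export shows which devices are inside a grace period and which destructive action (work data wipe or full wipe) is next, before the deadline passes.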

Preventing users from installing specific iOS, Android, and Windows Phone apps

You can create a list of iOS, Android, and Windows Phone apps that you do not want users to install on their devices. For example, you can prevent users from installing malicious apps or apps that require many resources.

You can create a compliance profile that specifies what action an iOS or Android device takes if a restricted app is installed and assign the compliance profile to users or user groups. If the user does not remove the restricted app from the device, the compliance profile specifies the actions that must occur. If a user installs a restricted app, the user's device reports that it is not compliant. The report displays the name of the restricted app and the actions that must occur if the user doesn't uninstall the app.

For Windows Phone 8.1 or later, you have to add the app to the compliance profile only. The user cannot install any app that you add to the compliance profile. If a user tries to install a restricted app, the device displays a message that the app is restricted and cannot be installed.

Controlling which devices can use Exchange ActiveSync

Microsoft Exchange can be configured to block devices from using Exchange ActiveSync unless the devices are explicitly added to an allowed list in Microsoft Exchange. Devices that aren't on the allowed list can't access work and organizer data.

In BES12, you can set up Microsoft Exchange gatekeeping to control which devices are automatically added to the allowed list on your Microsoft Exchange Server. If you use Microsoft Exchange gatekeeping, when a user who is assigned an email profile activates an iOS device or an Android device with a work space, the device is automatically added to the allowed list in Microsoft Exchange.
A device is automatically removed from the allowed list if you remove the profile from the user account, if the device violates the settings in the assigned compliance profile, or if the device is deactivated. You must manually add and remove Android devices that do not have a work space to and from the allowed list.

For more information about turning on Microsoft Exchange gatekeeping and adding or removing devices to or from the allowed list, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Administration Guide.

Protecting messages

Devices can use Exchange ActiveSync or IBM Notes Traveler to synchronize messages, calendar entries, contacts, and other organizer data with your organization's mail server. IBM Notes Traveler is supported with Windows Phone and in the secure work space on iOS and Android devices.

BES12 can allow devices that are not connected to your organization's internal network or do not have a VPN connection to synchronize with the mail server without requiring you to make connections to the mail server available from outside the firewall.

BES12 allows devices to synchronize securely with the mail server over the BlackBerry Infrastructure using the same encryption methods that it uses for all other work data.

When BES12 provides the connection between your mail server and devices, BES12 IT policies take precedence over any policies set for the devices on the mail server.

If your organization uses SCEP to enroll certificates to iOS devices, you can associate a SCEP profile with an email profile to require certificate-based authentication to help protect connections between iOS devices and the mail server.

Data at rest

The work space protects work space data at rest by encrypting the data and hashing passwords before storing them. You can also require password protection and control when devices wipe their work space.

Passwords

Device passwords protect your organization's data and user information that is stored on devices. For devices with a work space, the work space password is used to protect work space data.

You can use BES12 to enforce password protection on devices. You can also use BES12 to lock devices remotely and change or clear their passwords.

iOS device passwords

You can use the "Password required for device" IT policy rule to require iOS device users to set a device password. You can enforce additional password requirements on devices using the following IT policy rules:

- Allow simple value
- Require alphanumeric value
- Minimum passcode length
- Minimum number of complex characters
- Maximum passcode age
- Maximum auto-lock
- Passcode history
- Maximum grace period for device lock
- Maximum number of failed attempts

For more information about IT policy rules, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Policy Reference Spreadsheet.

Changing iOS device passwords

You can use BES12 to lock or unlock iOS devices remotely and clear their passwords. You can do this, for example, if a device is lost or if a user forgets their password.

- You can use the "Lock device" IT administration command to lock a device remotely. The user must type the existing device password to unlock the device. You can use this command if a device is lost or stolen.
- You can use the "Unlock and clear password" IT administration command to unlock a device and clear the existing password. The user is prompted to create a new device password. You can use this command if a user forgets their device password.

For more information about sending these commands to devices, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Administration Guide.

Android device passwords

You can use the "Password requirements" IT policy rule to require Android device users to set a device password and to specify minimum requirements for device passwords. You can enforce additional password requirements on devices using the following IT policy rules:

- Maximum failed password attempts
- Maximum inactivity time lock
- Password expiration timeout
- Password history restriction
- Minimum password length
- Minimum uppercase letters required in password
- Minimum lowercase letters required in password
- Minimum letters required in password
- Minimum numerical digits required in password
- Minimum symbols required in password

For more information about IT policy rules, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Policy Reference Spreadsheet.

Changing Android device passwords

You can use BES12 to lock or unlock Android devices remotely and change or clear their passwords. You can do this, for example, if a device is lost or if a user forgets the password.

- You can use the "Lock device" IT administration command to lock a device remotely. The user must type the existing device password to unlock the device. You can use this command if a device is lost or stolen.
- You can use the "Unlock and clear password" IT administration command to unlock a device and clear the existing password. The user is prompted to create a new device password. You can use this command if a user forgets their device password.
- You can use the "Specify device password and lock" IT administration command to create a new device password and lock a device. When the user unlocks the device, they are prompted to accept or reject the new password. You can use this command if a device is lost or stolen.

For more information about sending these commands to devices, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Administration Guide.

Windows Phone device passwords

You can use the "Password required for device" IT policy rule to require Windows Phone device users to set a device password. Depending on the OS version, you can enforce additional password requirements on devices using the following IT policy rules:

- Allow simple password
- Minimum password length
- Password complexity
- Password expiration
- Password history
- Maximum failed password attempts
- Maximum inactivity time lock
- Minimum number of complex character types
- Allow idle return without password

For more information about IT policy rules, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Policy Reference Spreadsheet.

Security timeout

You can use BES12 to require that iOS, Android, and Windows Phone devices lock after a certain period of inactivity.

For iOS devices, the "Maximum auto-lock" IT policy rule can be used to require that devices lock after a certain period of inactivity. You can use the "Maximum grace period for device lock" IT policy rule to allow users to unlock their devices without entering their passwords after a specified period of inactivity.

For Android devices, you can use the "Maximum inactivity time lock" IT policy rule to require that a device lock after a specified period of inactivity.

For Windows Phone devices, you can use the "Maximum inactivity time lock" IT policy rule to require that a device lock after a specified period of inactivity.

For more information about IT policy rules, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Policy Reference Spreadsheet.


More information

iphone in Business Security Overview

iphone in Business Security Overview iphone in Business Security Overview iphone can securely access corporate services and protect data on the device. It provides strong encryption for data in transmission, proven authentication methods

More information

iphone in Business Mobile Device Management

iphone in Business Mobile Device Management 19 iphone in Business Mobile Device Management iphone supports Mobile Device Management, giving businesses the ability to manage scaled deployments of iphone across their organizations. These Mobile Device

More information

SysAid MDM User Guide for Android

SysAid MDM User Guide for Android SysAid MDM User Guide for Android Table of Contents Introduction Enrolling Your Android Mobile Device in SysAid MDM Unenrolling Your Android Mobile Device from SysAid MDM Have Any Questions? Introduction

More information

Kaspersky Security 10 for Mobile Implementation Guide

Kaspersky Security 10 for Mobile Implementation Guide Kaspersky Security 10 for Mobile Implementation Guide APPLICATION VERSION: 10.0 MAINTENANCE RELEASE 1 Dear User, Thank you for choosing our product. We hope that you will find this documentation useful

More information

Sophos Mobile Control Administrator guide. Product version: 3.6

Sophos Mobile Control Administrator guide. Product version: 3.6 Sophos Mobile Control Administrator guide Product version: 3.6 Document date: November 2013 Contents 1 About Sophos Mobile Control...4 2 About the Sophos Mobile Control web console...7 3 Key steps for

More information

Kaspersky Lab Mobile Device Management Deployment Guide

Kaspersky Lab Mobile Device Management Deployment Guide Kaspersky Lab Mobile Device Management Deployment Guide Introduction With the release of Kaspersky Security Center 10.0 a new functionality has been implemented which allows centralized management of mobile

More information

Sophos Mobile Control Administrator guide. Product version: 3

Sophos Mobile Control Administrator guide. Product version: 3 Sophos Mobile Control Administrator guide Product version: 3 Document date: January 2013 Contents 1 About Sophos Mobile Control...4 2 About the Sophos Mobile Control web console...7 3 Key steps for managing

More information

Xperia TM. Read about how Xperia TM devices can be administered in a corporate IT environment

Xperia TM. Read about how Xperia TM devices can be administered in a corporate IT environment Xperia TM in Business Mobile Device Management Read about how Xperia TM devices can be administered in a corporate IT environment Device management clients Xperia TM T3 Exchange ActiveSync The my Xperia

More information

Getting Started Guide

Getting Started Guide BlackBerry Web Services For Microsoft.NET developers Version: 10.2 Getting Started Guide Published: 2013-12-02 SWD-20131202165812789 Contents 1 Overview: BlackBerry Enterprise Service 10... 5 2 Overview:

More information

Ensuring the security of your mobile business intelligence

Ensuring the security of your mobile business intelligence IBM Software Business Analytics Cognos Business Intelligence Ensuring the security of your mobile business intelligence 2 Ensuring the security of your mobile business intelligence Contents 2 Executive

More information

GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android with TouchDown

GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android with TouchDown GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android with TouchDown GO!Enterprise MDM for Android, Version 3.x GO!Enterprise MDM for Android with TouchDown 1 Table

More information

ipad in Business Mobile Device Management

ipad in Business Mobile Device Management ipad in Business Mobile Device Management ipad supports Mobile Device Management, giving businesses the ability to manage scaled deployments of ipad across their organizations. These Mobile Device Management

More information

Integrating Cisco ISE with GO!Enterprise MDM Quick Start

Integrating Cisco ISE with GO!Enterprise MDM Quick Start Integrating Cisco ISE with GO!Enterprise MDM Quick Start GO!Enterprise MDM Version 3.x Overview 1 Table of Contents Overview 3 Getting GO!Enterprise MDM Ready for ISE 5 Grant ISE Access to the GO!Enterprise

More information

Protecting Criminal Justice Information: Achieving CJIS Compliance on Mobile Devices

Protecting Criminal Justice Information: Achieving CJIS Compliance on Mobile Devices Protecting Criminal Justice Information: Achieving CJIS Compliance on Mobile Devices Protecting Criminal Justice Information: Achieving CJIS Compliance on Mobile Devices It s common today for law enforcement

More information

Building a BYOD Program Using the Casper Suite. Technical Paper Casper Suite v9.4 or Later 17 September 2014

Building a BYOD Program Using the Casper Suite. Technical Paper Casper Suite v9.4 or Later 17 September 2014 Building a BYOD Program Using the Casper Suite Technical Paper Casper Suite v9.4 or Later 17 September 2014 JAMF Software, LLC 2014 JAMF Software, LLC. All rights reserved. JAMF Software has made all efforts

More information

MaaS360 Cloud Extender

MaaS360 Cloud Extender MaaS360 Cloud Extender Installation Guide Copyright 2013 Fiberlink Communications Corporation. All rights reserved. Information in this document is subject to change without notice. The software described

More information

Preparing for GO!Enterprise MDM On-Demand Service

Preparing for GO!Enterprise MDM On-Demand Service Preparing for GO!Enterprise MDM On-Demand Service This guide provides information on...... An overview of GO!Enterprise MDM... Preparing your environment for GO!Enterprise MDM On-Demand... Firewall rules

More information

BlackBerry Enterprise Service 10 version 10.2 preinstallation and preupgrade checklist

BlackBerry Enterprise Service 10 version 10.2 preinstallation and preupgrade checklist BlackBerry Enterprise Service version.2 preinstallation and preupgrade checklist Verify that the following requirements are met before you install or upgrade to BlackBerry Enterprise Service version.2.

More information

http://docs.trendmicro.com

http://docs.trendmicro.com Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

Windows Phone 8.1 Mobile Device Management Overview

Windows Phone 8.1 Mobile Device Management Overview Windows Phone 8.1 Mobile Device Management Overview Published April 2014 Executive summary Most organizations are aware that they need to secure corporate data and minimize risks if mobile devices are

More information

MaaS360 On-Premises Cloud Extender

MaaS360 On-Premises Cloud Extender MaaS360 On-Premises Cloud Extender Installation Guide Copyright 2014 Fiberlink Communications Corporation. All rights reserved. Information in this document is subject to change without notice. The software

More information

GO!Enterprise MDM Device Application User Guide Installation and Configuration for BlackBerry

GO!Enterprise MDM Device Application User Guide Installation and Configuration for BlackBerry GO!Enterprise MDM Device Application User Guide Installation and Configuration for BlackBerry GO!Enterprise MDM Version 4.11.x GO!Enterprise MDM for BlackBerry 1 Table of Contents GO!Enterprise MDM for

More information

BES10 Cloud architecture and data flows

BES10 Cloud architecture and data flows BES10 Cloud architecture and data flows Architecture: BES10 Cloud solution Component APNs BlackBerry Cloud Connector BES10 Cloud BlackBerry Infrastructure Company directory Devices GCM Other third-party

More information

ManageEngine Desktop Central. Mobile Device Management User Guide

ManageEngine Desktop Central. Mobile Device Management User Guide ManageEngine Desktop Central Mobile Device Management User Guide Contents 1 Mobile Device Management... 2 1.1 Supported Devices... 2 1.2 What Management Operations you can Perform?... 2 2 Setting Up MDM...

More information

[BRING YOUR OWN DEVICE POLICY]

[BRING YOUR OWN DEVICE POLICY] 2013 Orb Data Simon Barnes [BRING YOUR OWN DEVICE POLICY] This document specifies a sample BYOD policy for use with the Orb Data SaaS MDM service Contents 1 ACCEPTABLE USE... 3 1.1 GENERAL RULES... 3 2

More information

AirWatch for Android Devices

AirWatch for Android Devices Overview What is AirWatch AirWatch is the mobile device management (MDM) system provided by UMHS to ensure security for smart phones and tablets that connect to the UMHS environment. AirWatch provides

More information

CUSTOMER Android for Work Quick Start Guide

CUSTOMER Android for Work Quick Start Guide Mobile Secure Cloud Edition Document Version: 1.0 2016-01-25 CUSTOMER Content 1 Introduction to Android for Work.... 3 2 Prerequisites....4 3 Setting up Android for Work (Afaria)....5 4 Setting up Android

More information

Addressing NIST and DOD Requirements for Mobile Device Management

Addressing NIST and DOD Requirements for Mobile Device Management Addressing NIST and DOD Requirements for Mobile Device Management Whitepaper 2013 ForeScout Technologies, Inc. All rights reserved. Call Toll-Free: 1.866.377.8771 www.forescout.com Contents 1. OVERVIEW

More information

How to Obtain an APNs Certificate for CA MDM

How to Obtain an APNs Certificate for CA MDM How to Obtain an APNs Certificate for CA MDM Contents How to Obtain an APNs Certificate for CA MDM Verify Prerequisites Obtaining Root and Intermediate Certificates Create a Certificate Signing Request

More information

GETS AIRWATCH MDM HANDBOOK

GETS AIRWATCH MDM HANDBOOK GETS AIRWATCH MDM HANDBOOK October 2014 Abstract Using AirWatch, a mobile device management tool, within the public sector. GTA Product and Services Group EXECUTIVE SUMMARY.. 2 INTRODUCTION TO THE GETS

More information

What We Do: Simplify Enterprise Mobility

What We Do: Simplify Enterprise Mobility What We Do: Simplify Enterprise Mobility AirWatch by VMware is the global leader in enterprise-grade mobility solutions across every device, every operating system and every mobile deployment. Our scalable

More information

Administering Jive Mobile Apps

Administering Jive Mobile Apps Administering Jive Mobile Apps Contents 2 Contents Administering Jive Mobile Apps...3 Configuring Jive for Android and ios... 3 Native Apps and Push Notifications...4 Custom App Wrapping for ios... 5 Native

More information

Mobile Device Management and Security Glossary

Mobile Device Management and Security Glossary Mobile Device Management and Security Glossary February, 2011 MOBILE OS ActiveSync Exchange ActiveSync (EAS) is a Microsoft technology that allows mobile users to access their Microsoft Exchange mailboxes

More information

Managing ios Devices. Andrew Wellington Division of Information The Australian National University XW11

Managing ios Devices. Andrew Wellington Division of Information The Australian National University XW11 Managing ios Devices Andrew Wellington Division of Information The Australian National University About Me Mac OS X Systems Administrator Division of Information (Central IT) Mostly manage servers (about

More information

In-Depth Look at Capabilities: Samsung KNOX and Android for Work

In-Depth Look at Capabilities: Samsung KNOX and Android for Work In-Depth Look at Capabilities: Samsung KNOX and Android for Work Silent Install Using the Samsung KNOX Workspace Mobile Device Management (MDM) APIs, IT admins can install and enable applications automatically.

More information

Mobile Mobile Security COPYRIGHT 2014 INTUITION ALL RIGHTS RESERVED. Copyright 2014 Intuition

Mobile Mobile Security COPYRIGHT 2014 INTUITION ALL RIGHTS RESERVED. Copyright 2014 Intuition Mobile Mobile Security COPYRIGHT 2014 INTUITION ALL RIGHTS RESERVED 1 Background Traditionally, security has not been a high priority for e-learning; as such content was hosted and only accessible at the

More information

Mobile Device Management Version 8. Last updated: 17-10-14

Mobile Device Management Version 8. Last updated: 17-10-14 Mobile Device Management Version 8 Last updated: 17-10-14 Copyright 2013, 2X Ltd. http://www.2x.com E mail: info@2x.com Information in this document is subject to change without notice. Companies names

More information

COMMUNITAKE TECHNOLOGIES MOBILE DEVICE MANAGEMENT FROM BELL USER GUIDE

COMMUNITAKE TECHNOLOGIES MOBILE DEVICE MANAGEMENT FROM BELL USER GUIDE COMMUNITAKE TECHNOLOGIES MOBILE DEVICE MANAGEMENT FROM BELL USER GUIDE Mobile Device Management, User Guide Copyright 2013, CommuniTake Technologies Ltd., Yokneam, Israel. All rights reserved. For a hard-copy

More information

Enterprise Security with mobilecho

Enterprise Security with mobilecho Enterprise Security with mobilecho Enterprise Security from the Ground Up When enterprise mobility strategies are discussed, security is usually one of the first topics on the table. So it should come

More information

Product Manual. MDM On Premise Installation Version 8.1. Last Updated: 06/07/15

Product Manual. MDM On Premise Installation Version 8.1. Last Updated: 06/07/15 Product Manual MDM On Premise Installation Version 8.1 Last Updated: 06/07/15 Parallels IP Holdings GmbH Vordergasse 59 8200 Schaffhausen Switzerland Tel: + 41 52 632 0411 Fax: + 41 52 672 2010 www.parallels.com

More information

Workday Mobile Security FAQ

Workday Mobile Security FAQ Workday Mobile Security FAQ Workday Mobile Security FAQ Contents The Workday Approach 2 Authentication 3 Session 3 Mobile Device Management (MDM) 3 Workday Applications 4 Web 4 Transport Security 5 Privacy

More information

SYNCSHIELD FEATURES. Preset a certain task to be executed. specific time.

SYNCSHIELD FEATURES. Preset a certain task to be executed. specific time. SYNCSHIELD FEATURES This document describes the diversity of SyncShield features. Please note that many of the features require a certain platform version, often earlier software versions do not support

More information

QuickStart Guide for Mobile Device Management. Version 8.6

QuickStart Guide for Mobile Device Management. Version 8.6 QuickStart Guide for Mobile Device Management Version 8.6 JAMF Software, LLC 2012 JAMF Software, LLC. All rights reserved. JAMF Software has made all efforts to ensure that this guide is accurate. JAMF

More information

Sophos Mobile Control Installation guide

Sophos Mobile Control Installation guide Sophos Mobile Control Installation guide Product version: 2.5 Document date: July 2012 Contents 1 Introduction... 3 2 The Sophos Mobile Control server... 4 3 Set up Sophos Mobile Control... 13 4 Running

More information

Installation and Administration Guide

Installation and Administration Guide Installation and Administration Guide BlackBerry Collaboration Service Version 12.1 Published: 2015-02-25 SWD-20150225135812271 Contents About this guide... 5 Planning a BlackBerry Collaboration Service

More information

Windows Phone 8.1 in the Enterprise

Windows Phone 8.1 in the Enterprise Windows Phone 8.1 in the Enterprise Version 1.4 MobileIron 415 East Middlefield Road Mountain View, CA 94043 USA Tel. +1.650.919.8100 Fax +1.650.919.8006 info@mobileiron.com Introduction 3 Why Windows

More information

Mobile Device Management Solution Hexnode MDM

Mobile Device Management Solution Hexnode MDM Mobile Device Management Solution Hexnode MDM Frequently Asked Questions www.hexnode.com Frequently Asked Questions How is Hexnode MDM license calculated?...4 Which ports do I need to open for Hexnode

More information

Policy and Profile Reference Guide

Policy and Profile Reference Guide BlackBerry Enterprise Service 10 BlackBerry Device Service Version: 10.2 Policy and Profile Reference Guide Published: 2014-06-16 SWD-20140616165002982 Contents 1 About this guide... 10 2 New IT policy

More information

Sophos Mobile Control Installation guide. Product version: 3.6

Sophos Mobile Control Installation guide. Product version: 3.6 Sophos Mobile Control Installation guide Product version: 3.6 Document date: November 2013 Contents 1 Introduction...3 2 The Sophos Mobile Control server...5 3 Set up Sophos Mobile Control...11 4 External

More information

McAfee Enterprise Mobility Management

McAfee Enterprise Mobility Management Technical FAQ McAfee Enterprise Mobility Management Frequently Asked Questions Device Management Q: Which devices do you currently support? A: McAfee Enterprise Mobility Management (McAfee EMM ) offers

More information

When enterprise mobility strategies are discussed, security is usually one of the first topics

When enterprise mobility strategies are discussed, security is usually one of the first topics Acronis 2002-2014 Introduction When enterprise mobility strategies are discussed, security is usually one of the first topics on the table. So it should come as no surprise that Acronis Access Advanced

More information