
IT Policies on Secure BlackBerry

This article discusses the available IT policies applicable to Secure BlackBerry users. The term “IT policy” is strongly related to the secure use of BlackBerry devices. The information provided here is useful to both Secure Group distributors and end users with Secure BlackBerry handsets.

What are the IT policies for Secure BlackBerry?

The IT policies are simply definitions of restrictions applied to Secure BlackBerry devices and accounts. Each IT policy contains a set of restrictions which close many security backdoors of regular BlackBerry devices.

We added several implementations of the IT policies that can be enforced on Secure BlackBerry users. There are two general policies, and each of them can have additional levels of restrictions, as explained below.

Default Secure Email Policy

The Default Secure Email Policy is the default device policy for Secure BlackBerry devices. All activated Secure Email BlackBerry devices use this policy by default.

The most notable features it offers are as follows:

  • Full levels of AES-256 bit encryption for email messages.
  • Emails that pass through Secure Email servers are further encrypted at the 4096 bit level.
  • Social networking applications disabled.
  • Browsing on the device disabled.
  • Unsecured calls and text messages (SMSs) disabled.
  • Automatic device wipe after 5 wrong password inputs.
  • Disabled device communications (no browser, GPS, Bluetooth).

Note

These restrictions are relative to a typical activated BlackBerry for enterprise and personal use.

Secure Email Policy with NO PIN

Secure Email Policy with NO PIN offers the same privacy and protection as the Default Secure Email Policy. In this case, however, PIN to PIN messages are blocked. BBM (BlackBerry Messenger) is the client that uses this PIN to PIN messaging technology.

Secure Group gives Secure BlackBerry users the option to avoid the security issues this service might come with. This IT policy therefore adds, on top of the Default Secure Email Policy, a restriction on exchanging BBM messages.

Why restrict PIN-to-PIN messaging?

PIN messaging is relatively secure, but it is protected only by a single universal key, and your messages are stored on the BES server and centrally at BlackBerry. Basically, the administrator of your organization can read any PIN to PIN message (if you are connected to a BES server). Also, anyone with access can store it and send it in plain text to any unwanted third party, such as a government agency that puts in a request. These messages are not protected by the per session/individual AES 256-bit PGP encryption of Secure Email, or the OTR protection of Secure Chat. For this reason, some prefer this policy in order to ensure they are not sending or replying to a PIN message by mistake. In the same sense, to all who need an instant messaging service, we recommend Secure Chat. Nevertheless, keep in mind that the email service on BlackBerry, not excluding the Secure Email service on Secure BlackBerry, is the best of its kind and may easily serve the same purpose as instant messaging.

Secure Email Policy with NO USB

This policy offers on top of the Default Secure Email Policy the following restrictions:

  • Disables device Backup using BlackBerry Desktop Software.
  • Disables USB data connectivity. The end user can only use the USB cable to charge the handset battery.

As a result of the NO USB IT policy, end users will not be able to install apps via a USB cable.

Secure Email Policy with NO USB, no Wi-Fi

As the name suggests, the Secure Email Policy with NO USB, no Wi-Fi adds to the Secure Email Policy with NO USB policy a restriction for Wi-Fi connectivity of Secure BlackBerry. And pretty much there is nothing more to add about it.

Ultra Secure Policy

This IT policy takes the Default Secure Email Policy a step further in terms of strictness. The Ultra Secure Policy adds a list of advanced privacy features to the device, so each of them is described in detail below.

Automatic wipe if no BlackBerry unlock takes place within 72 hours

A downside of mobile devices is that one can easily lose or leave one behind. For security freaks, the Ultra Secure Policy sets a 72-hour limit for you to unlock your Secure BlackBerry with the correct password. If this period expires, the device wipes itself back to factory settings.

Media card format with wipe

A typical device wipe sets your BlackBerry to its factory settings, but the data on the media card remains. With stolen devices, this might pose a security risk. To ensure you leave no data on the BlackBerry, media card format on device wipe is also a feature of the Ultra Secure Policy. The media card is wiped regardless of whether the user performs the wipe or the administrator sends a wipe command from the server side.

PIN to PIN messaging is disabled

PIN messages are chat messages, similar to SMS or text. They appear as emails on a BlackBerry, but do not feature strong encryption like PGP with emails or OTR with chat messages. This restriction limits the possibility of having easily readable messages on a Secure BlackBerry. If an adversary gets your device, they will not have the option to scrutinize PIN to PIN messages, as you won't have any.

Disable Key Store Backup

Keys, such as the PGP keys used by Secure Email, are stored in a key store. Backing this up is a great idea if you are the owner of the device, but if a hacker or thief has your phone, you do not want to let them obtain your keys simply by performing a backup. For this reason, the Ultra Secure Policy includes a rule that prevents backup of your key store.

Password complexity

A weak password is always considered a security vulnerability. The Ultra Secure Policy increases password security requirements to ensure a maximal level of protection. The minimum length requirement forces you to type in at least 8 characters. Also, Secure BlackBerry will ask you to change your password every 60 days. The system memorizes the last 4 passwords and thus prevents password re-use, which is another unhealthy habit some people have. In addition, complexity restrictions disallow some typical easy-to-guess passwords, such as those containing the word “password” (e.g., password1, password123, etc.). Acceptable passwords require an upper-case letter, a lower-case letter, a number, and a special character (such as !,$,%,&,#).
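The rules above can be expressed as a single check. The following is an added example, not Secure Group's or BlackBerry's code: the function names, the salted PBKDF2 history format, the case-insensitive match on “password”, and the reading of “special character” as any non-alphanumeric character are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

MIN_LENGTH = 8                  # from the policy text
MAX_AGE = timedelta(days=60)    # forced change interval
HISTORY_DEPTH = 4               # remembered previous passwords
# Assumption: "special character" means anything that is not a letter or digit.
CLASSES = (("upper-case letter", r"[A-Z]"), ("lower-case letter", r"[a-z]"),
           ("number", r"[0-9]"), ("special character", r"[^A-Za-z0-9]"))


def _digest(password, salt):
    # Constructed storage scheme: salted PBKDF2, so the history holds no plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def remember(password):
    """Return the (salt, digest) pair to append to a user's password history."""
    salt = os.urandom(16)
    return salt, _digest(password, salt)


def violations(candidate, history):
    """List every rule the candidate breaks; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if "password" in candidate.lower():   # assumption: case-insensitive match
        problems.append("contains 'password'")
    problems += [f"missing {name}" for name, pattern in CLASSES
                 if not re.search(pattern, candidate)]
    # Each stored entry has its own salt, so the candidate is re-hashed per entry.
    if any(hmac.compare_digest(_digest(candidate, salt), stored)
           for salt, stored in history[-HISTORY_DEPTH:]):
        problems.append("matches one of the last 4 passwords")
    return problems


def must_change(last_changed, now):
    """True once the password has reached the 60-day age limit."""
    return now - last_changed >= MAX_AGE


if __name__ == "__main__":
    history = [remember(p) for p in ("Bravo#2222", "Delta#4444")]  # constructed
    for pw in ("password123", "Bravo#2222", "Tr1cky#Horse"):
        print(pw, "->", violations(pw, history) or "accepted")
```

Because the history is stored as salted digests, a re-used password can only be detected by re-hashing the candidate against each remembered entry, which is why the history depth stays small.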

Duress security wipe

In the rare circumstance that someone forces you to unlock your BlackBerry device against your will, you can alert your administrators with a silent alarm in the form of an email. To do this, you must move the first character of your password to the end (example: your password is “thequickbrownfox” and instead you purposely type “hequickbrownfoxt”). In this case the BlackBerry will unlock, tricking the person forcing you to unlock it into thinking you are simply following instructions. Meanwhile, you have alerted your administrator that you and your device have been compromised.
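A sketch of how a lock screen could tell the duress entry apart from a normal unlock, as an added example that is not BlackBerry's or Secure Group's implementation. The function names, the stored record layout and the PBKDF2 digests are assumptions; the edge case it handles is a password made of one repeated character, whose duress form is identical to the password itself.

```python
import hashlib
import hmac
import os


def _kdf(password, salt):
    # Assumption: the device stores salted PBKDF2 digests, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def duress_form(password):
    """First character moved to the end, as the policy describes."""
    return password[1:] + password[:1]


def enroll(password):
    """Store digests of both forms so the duress entry can be recognised later."""
    if duress_form(password) == password:
        # Only happens when every character is the same (e.g. "aaaaaaaa"):
        # the duress entry would be indistinguishable from a normal unlock.
        raise ValueError("password has no distinct duress form")
    salt = os.urandom(16)
    return {"salt": salt, "normal": _kdf(password, salt),
            "duress": _kdf(duress_form(password), salt)}


def classify(entered, record):
    """Return 'unlock', 'unlock+alert' (silent alarm) or 'reject'."""
    digest = _kdf(entered, record["salt"])
    # Evaluate both comparisons every time so timing does not reveal which matched.
    normal = hmac.compare_digest(digest, record["normal"])
    duress = hmac.compare_digest(digest, record["duress"])
    if duress:
        return "unlock+alert"
    return "unlock" if normal else "reject"


if __name__ == "__main__":
    record = enroll("thequickbrownfox")          # example password from the text
    for attempt in ("thequickbrownfox", "hequickbrownfoxt", "wrongpassword"):
        print(attempt, "->", classify(attempt, record))
```

The complexity rules of the Ultra Secure Policy already exclude single-character passwords, so the rejected case matters mainly where complexity is not enforced.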

Limited USB functionality

This IT policy prevents users from tethering their BlackBerry device via USB cable and using it as a mass storage device. No USB data transfer is possible on devices under this policy. This is a good security measure because anything stored on the device via USB mass storage mode is not encrypted. In addition, USB is used to take backups of your device. If someone temporarily steals your device, they could steal your data and then return the phone as if nothing happened. Under this policy, you will still be able to connect and detect a device using the BlackBerry Desktop Software application, and even take a backup. However, the backup created will only capture device settings and nothing else. Your backups cannot include any data or personal content such as emails, photos, contacts, etc.

Ultra Secure Policy with Weaker Password

The “weaker password” version of the Ultra Secure Policy relaxes one of the key restrictions: the requirement for password complexity is removed. It represents a weaker level of security, but serves users who need less stringent password requirements.

IT Policy Configuration

Only administrative access in Secure Manager allows you to select or change IT Policies for end user accounts.

It is usually the distributor / dealer who sets the IT Policies. As an Administrator in Secure Manager, you can set IT Policies when you:

  • create an account preactivation
  • order a subscription (and create the user account from scratch)
  • access the “Management Actions” for Secure BlackBerry subscriptions

It is strongly recommended to read how to change the IT Policy of an active subscription in Secure Manager.

 

Updated on September 14, 2017
