This article discusses the available IT policies applicable to Secure BlackBerry users. The term “IT policy” is strongly related to the secure use of BlackBerry devices. The information provided here is useful to both Secure Group distributors and end users with Secure BlackBerry handsets.
What are the IT policies for Secure BlackBerry?
The IT policies are simply definitions of restrictions applied to Secure BlackBerry devices and accounts. Each IT policy contains a set of restrictions which close many security backdoors of regular BlackBerry devices.
We added several implementations of the IT policies which can be enforced on Secure BlackBerry users. There are two general ones, and each of them can have additional levels of restrictions, as explained below.
Default Secure Email Policy
The Default Secure Email Policy is the default device policy for Secure BlackBerry devices. All activated Secure Email BlackBerry devices use this policy by default.
The most notable features it offers are as follows:
- Full AES 256-bit encryption for email messages.
- Emails that pass through Secure Email servers are further encrypted at the 4096-bit level.
- Social networking applications disabled.
- Browsing on the device disabled.
- Unsecured calls and text messages (SMS) disabled.
- Automatic device wipe after 5 wrong password inputs.
- Disabled device communications (no browser, GPS, Bluetooth).
Secure Email Policy with NO PIN
Secure Email Policy with NO PIN offers the same privacy and protection as the Default Secure Email Policy. In this case, however, PIN to PIN messages are blocked. BBM (BlackBerry Messenger) is the client that uses this PIN to PIN messaging technology.
Secure Group gives Secure BlackBerry users the option to avoid the security issues this service might come with. This IT policy therefore adds, on top of the Default Secure Email Policy, a restriction on exchanging BBM messages.
Secure Email Policy with NO USB
This policy adds the following restrictions on top of the Default Secure Email Policy:
- Disables device Backup using BlackBerry Desktop Software.
- Disables USB data connectivity. The end user can only use the USB cable to charge the handset battery.
As a result of the NO USB IT policy, end users will not be able to install apps via a USB cable.
Secure Email Policy with NO USB, no Wi-Fi
As the name suggests, the Secure Email Policy with NO USB, no Wi-Fi adds to the Secure Email Policy with NO USB a restriction on the Wi-Fi connectivity of Secure BlackBerry. And pretty much there is nothing more to add about it.
Ultra Secure Policy
This IT policy takes the Default Secure Email Policy a step further in terms of strictness. The Ultra Secure Policy comes with a list of advanced privacy features for the devices it is applied to. For this reason, we provide some detailed information about it.
Automatic wipe if no BlackBerry unlock takes place within 72 hours
A downside of mobile devices is that one can easily lose or leave one behind. For security freaks, the ULTRA Secure policy allows a 72-hour limit for you to unlock your Secure BlackBerry with the correct password. If this period expires, the device will wipe itself back to factory settings.
Media card format with wipe
A typical device wipe sets your BlackBerry to its factory settings, but the data on the media card remains. With stolen devices, this might pose a security risk. To ensure you leave no data on the BlackBerry, media card format on device wipe is also a feature of the Ultra Secure policy. The media card is wiped regardless of whether the user performs the wipe or the administrator sends a wipe command from the server side.
PIN to PIN messaging is disabled
PIN messages are chat messages, similar to SMS or text. They appear as emails on a BlackBerry, but do not feature strong encryption like PGP with emails or OTR with chat messages. This restriction limits the possibility of having easily readable messages on a Secure BlackBerry. If an adversary gets your device, they will not have the option to scrutinize PIN to PIN messages, as you wouldn’t have any.
Disable Key Store Backup
Keys, such as the PGP keys used by Secure Email, are stored in a key store. Backing this up if you are the owner of the device is a great idea, but if a hacker or thief has your phone, you do not want to let them obtain your keys simply by performing a backup. For this reason, the ULTRA Secure policy includes a rule that prevents backup of your key store.
A weak password is always considered a security vulnerability. The ULTRA Secure Policy increases password security requirements to ensure a maximal level of protection. The minimum length requirement means you must type in at least 8 characters. Also, Secure BlackBerry will ask you to change your password every 60 days. The system remembers the last 4 passwords and thus prevents password re-use, which is another unhealthy habit some people have. In addition, complexity restrictions disallow some typical easy-to-guess passwords, such as those containing the word “password” (e.g., password1, password123, etc.). Acceptable passwords require an upper-case letter, a lower-case letter, a number, and a special character (such as !, $, %, &, #).
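The rules in this paragraph can be expressed as a single validator. The following is an added example, not Secure Group's or BlackBerry's code; the function names, the PBKDF2 storage of the password history and the reading of "every 60 days" as "expired at 60 days of age" are assumptions.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8                  # minimum length from the policy text
MAX_AGE_DAYS = 60               # change interval from the policy text
HISTORY_DEPTH = 4               # remembered passwords from the policy text
BANNED_WORDS = ("password",)    # the only banned word the page names

def _digest(password, salt):
    # Assumption: history entries are salted PBKDF2 digests, never plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def remember(password):
    """Build a (salt, digest) history entry for a password that was set."""
    salt = os.urandom(16)
    return salt, _digest(password, salt)

def violations(candidate, history=()):
    """Return every rule the candidate breaks; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    # Anything that is not an ASCII letter or digit counts as special here.
    classes = {"upper-case letter": r"[A-Z]", "lower-case letter": r"[a-z]",
               "number": r"[0-9]", "special character": r"[^A-Za-z0-9]"}
    for name, pattern in classes.items():
        if not re.search(pattern, candidate):
            problems.append("missing " + name)
    if any(word in candidate.lower() for word in BANNED_WORDS):
        problems.append("contains banned word")
    # Only the newest HISTORY_DEPTH entries block re-use.
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_digest(candidate, salt), digest):
            problems.append("reused")
            break
    return problems

def expired(last_changed, today):
    """True once the password is MAX_AGE_DAYS old (both arguments are dates)."""
    return (today - last_changed).days >= MAX_AGE_DAYS
```

A literal substring match accepts substituted spellings such as "P@ssword123", so a deployment relying on this kind of rule would normalise common substitutions or use a larger deny-list.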
Duress security wipe
In the rare circumstance that someone forces you to unlock your BlackBerry device against your will, you can alert your administrators with a silent alarm in the form of an email. To do this, you must place the first character of your password at the end (example: your password is “thequickbrownfox” and instead you purposely type “hequickbrownfoxt”). In this case the BlackBerry will unlock, tricking the person forcing you to unlock it into thinking you are simply following instructions. Meanwhile, you have alerted your administrator that you and your device have been compromised.
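A duress check of this kind does not need the plaintext password: the entered string can be rotated back and verified against the stored digest. The sketch below is an added example, not the BlackBerry implementation; `enroll`, `classify`, the PBKDF2 storage and the rejection of passwords whose rotation equals themselves are assumptions.

```python
import hashlib
import hmac
import os

def _digest(password, salt):
    # Assumption: the device keeps only a salted PBKDF2 digest of the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def enroll(password):
    """Store a password, refusing one whose duress form is identical to it."""
    # Moving the first character to the end leaves the string unchanged only
    # when every character is the same (or the string is empty); for such a
    # password a normal unlock and a duress unlock could not be told apart.
    if password[1:] + password[:1] == password:
        raise ValueError("password is unchanged by the duress rotation")
    salt = os.urandom(16)
    return salt, _digest(password, salt)

def classify(entered, record):
    """Return 'unlock', 'duress' or 'reject' for an entered password."""
    salt, stored = record
    # Compute both digests up front so every attempt does the same work.
    as_typed = _digest(entered, salt)
    # Undo the duress rotation: move the last character back to the front.
    rotated_back = _digest(entered[-1:] + entered[:-1], salt)
    if hmac.compare_digest(as_typed, stored):
        return "unlock"
    if hmac.compare_digest(rotated_back, stored):
        return "duress"   # unlock as usual and raise the silent alert
    return "reject"
```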
Limited USB functionality
This IT policy prevents users from tethering their BlackBerry device via USB cable and using it as a mass storage device. No USB data transfer is possible on devices under this policy. This is a good security measure because anything stored on the device via USB mass storage mode is not encrypted. In addition, USB is used to take backups of your device. If someone temporarily steals your device, they could steal your data and then leave the phone as if nothing happened. Under this policy, you will still be able to connect and detect a device using the BlackBerry Desktop Software application, and even take a backup. However, the backup created will only capture device settings and nothing else. Your backups cannot include any data or personal content such as emails, photos, contacts, etc.
Ultra Secure Policy with Weaker Password
The “weaker password” version of the Ultra Secure Policy relaxes one of the key restrictions: the requirement for password complexity is removed. It represents a weaker level of security, but serves users who need less stringent password requirements.
IT Policy Configuration
Only administrative access in Secure Manager allows you to select or change IT Policies for end user accounts.
It is usually the distributor / dealer who sets the IT Policies. As an Administrator in Secure Manager, you can set IT Policies when you:
- create an account preactivation
- order a subscription (and create the user account from scratch)
- access the “Management Actions” for Secure BlackBerry subscriptions
It is strongly recommended to read how to change the IT Policy of an active subscription in Secure Manager.