User guide

Two-factor content protection
Content protection is designed to encrypt data on a BlackBerry® device when the BlackBerry device is locked. When you configure
two-factor content protection, the BlackBerry device performs the following actions:
• encrypts the user data on the BlackBerry device using the content encryption key
• generates a key from the BlackBerry device password and uses that key to encrypt the content encryption key
• encrypts the key that it generated using the private key that is stored on the smart card
You can use either a smart card with the BlackBerry® Smart Card Reader or a microSD smart card to store the private key. The
content encryption key is not transferred from the BlackBerry device to the BlackBerry Smart Card Reader or to the microSD
smart card.
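As an added example (not code from RIM or from this guide), the key hierarchy above rendered in Go: a content encryption key protects the data, a key derived from the device password wraps that key, and the smart card's private key is needed to recover the wrapped key. The guide does not specify the exact construction; this version nests the password-wrapped key inside RSA-OAEP so that both factors are required and the plaintext content encryption key never reaches the card, uses an in-process RSA key pair (newCardKey) as a stand-in for the smart card, and an iterated HMAC as a stand-in for the device's password KDF.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

type LockedDevice struct{ Salt, SealedKeys, Data []byte } // at-rest state: unusable without BOTH the password and the card (added example, not RIM's code)
// passwordKey derives a 32-byte key from the device password (iterated HMAC-SHA256 over a salt; a stand-in for a real password KDF).
func passwordKey(password, salt []byte) []byte {
	key := salt
	for i := 0; i < 20000; i++ { // the iteration count is what slows offline guessing of the password
		m := hmac.New(sha256.New, key); m.Write(password); key = m.Sum(nil)
	}
	return key
}
func random(n int) []byte { // a crypto/rand failure is unrecoverable, so panic rather than return an error
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return b
}
func newCardKey() *rsa.PrivateKey { k, err := rsa.GenerateKey(rand.Reader, 2048); if err != nil { panic(err) }; return k } // stands in for the smart card's key pair
// AES-256-GCM helpers; every key here is exactly 32 bytes, so the cipher constructors cannot fail.
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
func seal(key, pt []byte) []byte { n := random(12); return gcm(key).Seal(n, n, pt, nil) } // nonce || ciphertext || tag
func open(key, blob []byte) ([]byte, error) {
	if len(blob) < 12 { return nil, errors.New("sealed blob too short") }
	return gcm(key).Open(nil, blob[:12], blob[12:], nil)
}
// Lock performs the guide's three steps; cardPub is the public key carried by the authentication certificate.
func Lock(password, data []byte, cardPub *rsa.PublicKey) (*LockedDevice, error) {
	cek, salt := random(32), random(16)
	encData := seal(cek, data)                        // 1. user data under the content encryption key (CEK)
	wrapped := seal(passwordKey(password, salt), cek) // 2. CEK under the password-derived key
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, cardPub, wrapped, nil) // 3. password-wrapped CEK under the certificate's public key: only the card's private key undoes this, and the plaintext CEK never reaches the card
	if err != nil { return nil, err }
	return &LockedDevice{Salt: salt, SealedKeys: sealed, Data: encData}, nil
}
// Unlock needs the card's private key AND the password; with either one gone (e.g. a revoked certificate) the data stays sealed.
func Unlock(dev *LockedDevice, password []byte, cardPriv *rsa.PrivateKey) ([]byte, error) {
	wrapped, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, cardPriv, dev.SealedKeys, nil)
	if err != nil { return nil, err }
	cek, err := open(passwordKey(password, dev.Salt), wrapped)
	if err != nil { return nil, err }
	return open(cek, dev.Data)
}
```

Losing the private key (the certificate expiry case in the text) leaves Unlock with no way past step 3, which is why the only recovery is to wipe the device.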
Two-factor content protection requires the BlackBerry device password, a smart card, and an authentication certificate that is
stored on the BlackBerry device. The authentication certificate must contain the public key for the private key that is stored on
the smart card. If the authentication certificate expires or is revoked before the user replaces it, the BlackBerry device can
be recovered only by deleting all BlackBerry device data from it. Two-factor content protection is designed to protect the user
data on the BlackBerry device if the BlackBerry device is lost or stolen.
You or a user can configure two-factor content protection. By default, if a user has a smart card and an authentication certificate
on the BlackBerry device, the user can turn on two-factor content protection. To make two-factor content protection mandatory
or optional, or to prevent a user from configuring it, you can use the Two-factor Content Protection Usage IT policy rule. After
you or a user turns on two-factor content protection, the user must type both the BlackBerry device password and the smart
card PIN in the appropriate fields on the login screen to unlock the BlackBerry device.
If you or a user turns on two-factor content protection, you cannot change the BlackBerry device password using the BlackBerry
Administration Service. Only the user can change the BlackBerry device password on the BlackBerry device.
BlackBerry® Device Software versions 5.0 and later and BlackBerry Smart Card Reader versions 2.0 and later support two-factor
content protection. You must verify that the IT policies that you can use to manage two-factor content protection are available
on your organization’s BlackBerry® Enterprise Server. BlackBerry Enterprise Server versions 5.0 SP1 and later include the IT
policies that you require to manage two-factor content protection.
Unbinding a smart card from a BlackBerry device
When you or a user turns off two-factor authentication, the BlackBerry® device stops using the installed smart card for two-factor
authentication and permanently deletes the binding information for that smart card from the BlackBerry device.
When you or the user deletes all BlackBerry device data, the BlackBerry device permanently deletes the smart card binding
information from the NV store in flash memory so that a user can authenticate with the BlackBerry device using a new smart
card. You can permanently delete the binding information for the smart card from the BlackBerry device by sending the Delete
all device data and disable device IT administration command to the BlackBerry device.
Security Technical Overview