BlackBerry Enterprise Solution Security
Protecting lost, stolen, or replaced BlackBerry devices 43
Erasing data from BlackBerry device memory and making the BlackBerry device unavailable
The BlackBerry device erases its user and application data when any of the following events occur:
- The user clicks Wipe Device (in the Security options) on the BlackBerry device.
- The user types the password incorrectly more times than the Set Maximum Password Attempts IT policy rule allows. (The default is ten attempts.)
- You send the Erase Data and Disable Device IT Admin command to the BlackBerry device from the BlackBerry Manager.
The BlackBerry device wipe process is designed to delete all data in memory and overwrite memory with zeroes.
If content protection is turned on, the BlackBerry device also uses a memory scrub process to overwrite the
BlackBerry device flash memory file system. The BlackBerry memory scrub process complies with United States
government requirements for clearing sensitive user data, including Department of Defense directive 5220.2-M
and National Institute of Standards and Technology Special Publication 800-88.
When the BlackBerry device erases its stored user and application data, it also performs the following actions:
| BlackBerry device action | Description |
|---|---|
| delete the master encryption key | The BlackBerry device deletes its references to the master encryption key in memory. |
| unbind the IT policy | The BlackBerry device deletes the IT policy public key from its NV store so that it can receive a new IT policy and digitally signed IT policy public key from a BlackBerry Enterprise Server. The BlackBerry device does not delete its stored IT policy. |
| unbind the smart card (if applicable) | The BlackBerry device deletes the smart card binding information from the NV store so that a user can authenticate with the BlackBerry device using a new smart card. |
See “Appendix D: BlackBerry device wipe process” on page 51 for more information.
Unbinding the smart card from the BlackBerry device
You can remove the smart card binding information from the BlackBerry device in different ways, depending on
the versions of BlackBerry device software and the S/MIME Support Package that are installed on the BlackBerry
device.
| Software versions | Unbinding method |
|---|---|
| BlackBerry Device Software version 3.6 or earlier with either the S/MIME Support Package version 1.5 or no S/MIME Support Package installed | Use the Smart Card Migration Tool to remove the binding between a user’s current smart card and the BlackBerry device. |
| BlackBerry Device Software version 3.6 or earlier with the S/MIME Support Package version 4.0 or later installed; or BlackBerry Device Software version 4.0 or later (the S/MIME Support Package is optional) | Send the Erase Data and Disable Device IT Admin command to the BlackBerry device to remove the binding between a user’s current smart card and the BlackBerry device. When you or the user disables two-factor authentication, the BlackBerry device turns off two-factor authentication with the installed smart card and deletes the smart card binding information from the BlackBerry device. |
Visit www.blackberry.com/knowledgecenterpublic/ to view the article KB-03125 “How to Download and use the
Smart Card Migration Tool.”
www.blackberry.com