Installation guide
BlackBerry Enterprise Solution 48
Accessing the BlackBerry Infrastructure
Wi-Fi enabled BlackBerry devices can connect directly to the BlackBerry Infrastructure over the Internet for
access to voice and data services that a mobile network provider offers, even if UMA is not available. If a user’s
mobile network provider makes UMA technology (GAN technology) available, and the user has subscribed to the
UMA feature, a Wi-Fi enabled BlackBerry device is designed to establish an IPSec VPN tunnel over the enterprise
Wi-Fi network to the GANC automatically to access the mobile network provider’s voice and data services.
The Wi-Fi enabled BlackBerry device and the BlackBerry Infrastructure send all data between them over the
established SSL connection, which encrypts the data using a negotiable algorithm. For more information, see
“Appendix I: Algorithm suites that the BlackBerry device supports for negotiating SSL connections” on page 85.
The BlackBerry Infrastructure sends its SSL certificate to the BlackBerry device when the BlackBerry device
attempts to establish the SSL connection to the BlackBerry Infrastructure. The BlackBerry device uses a
preloaded root certificate that is encrypted with a 1024-bit key to authenticate the SSL certificate. If the user
deletes the root certificate from the BlackBerry device, the device prompts the user to trust the SSL certificate
when it attempts to establish the SSL connection to the BlackBerry Infrastructure.
Protecting connections from Wi-Fi enabled BlackBerry devices to the BlackBerry Infrastructure
A connection from a Wi-Fi enabled BlackBerry device to the BlackBerry Infrastructure over SSL is designed to
provide the same protection that an SRP authenticated connection from the BlackBerry Enterprise Server to the
BlackBerry Infrastructure provides. A user with malicious intent cannot use the connection to send data to or
receive data from the BlackBerry device.
If a user with malicious intent tries to impersonate the BlackBerry Infrastructure, the BlackBerry device is
designed to prevent the connection when the public key of the SSL certificate of the impersonated BlackBerry
Infrastructure does not match the private key of the root certificate that is pre-installed on the BlackBerry
device. If the BlackBerry device user accepts an invalid certificate, the connection cannot continue unless the
BlackBerry device can use the connection to authenticate with a valid BlackBerry Enterprise Server or BlackBerry
Internet Service.
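The trust-anchor check described in this section, as an added example (not BlackBerry code, and requiring the openssl command-line tool): a constructed root stands in for the preloaded root certificate, and an impersonator's root copies its subject name but has a different key. The function names, file names, subject names and 2048-bit key size are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example with constructed certificates; every name here is a placeholder.
# Keys are 2048-bit RSA so that current OpenSSL builds accept them.

make_pki() {   # $1 = scratch directory
  dir="$1"
  # "root" stands in for the preloaded root; "evil-root" is an impersonator's
  # root that copies the same subject name but has its own key pair.
  for ca in root evil-root; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=Example Preloaded Root" \
      -keyout "$dir/$ca.key" -out "$dir/$ca.pem" 2>/dev/null
    # Server certificate issued by that root; same host name in both cases.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=infrastructure.example" \
      -keyout "$dir/$ca-leaf.key" -out "$dir/$ca-leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$ca-leaf.csr" -days 1 \
      -CA "$dir/$ca.pem" -CAkey "$dir/$ca.key" -CAcreateserial \
      -out "$dir/$ca-leaf.pem" 2>/dev/null
  done
}

device_verify() {   # $1 = device trust store (PEM), $2 = presented certificate
  if [ ! -s "$1" ]; then
    # Root certificate deleted: nothing to verify against. This is the state
    # in which the page says the device prompts the user.
    echo no-anchor
  elif openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo accept      # signature chains to the key in the preloaded root
  else
    echo reject      # names match, but the signing key does not
  fi
}

demo() {
  tmp=$(mktemp -d) && make_pki "$tmp" || return 1
  : > "$tmp/empty.pem"    # trust store after the user deleted the root
  echo "genuine certificate: $(device_verify "$tmp/root.pem" "$tmp/root-leaf.pem")"
  echo "impersonated:        $(device_verify "$tmp/root.pem" "$tmp/evil-root-leaf.pem")"
  echo "root deleted:        $(device_verify "$tmp/empty.pem" "$tmp/root-leaf.pem")"
  rm -rf "$tmp"
}
demo
```

The impersonated certificate is rejected even though its issuer name is identical to the trusted root's, because the check is against the root's key, not its name.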
Supported security features of Wi-Fi enabled BlackBerry devices
Wi-Fi enabled BlackBerry devices are designed to operate on supported IEEE 802.11 enterprise Wi-Fi networks to
let on-site BlackBerry device users access email, organizer, and browser-based applications over the wireless
network while those BlackBerry device users are mobile in the physical environment of their organization. Wi-Fi
enabled BlackBerry devices provide enterprise Wi-Fi network configuration options that are designed to be
compatible with the wireless security policies and environments of most organizations, and use the security
features of the BlackBerry Enterprise Solution.
Wi-Fi enabled BlackBerry devices support the following categories of enterprise Wi-Fi network security
technology:
Enterprise Wi-Fi network security technology | Wi-Fi enabled BlackBerry device implementation
Enterprise captive portal | Set authentication with enterprise captive portals (enterprise Wi-Fi networks outside of your organization’s network) using a configured login web page.
www.blackberry.com