Installation guide

BlackBerry Enterprise Solution
• specify whether or not applications, including third-party applications, on the BlackBerry device can initiate
specific types of connections
Note: The BlackBerry Enterprise Server administrator cannot use an IT policy to permit or prevent downloading
specific applications on the BlackBerry device. The BlackBerry Enterprise Server administrator can do this using
one or more application control policies.

Using application control policy rules to contain malware on the BlackBerry device

The BlackBerry Enterprise Server application control policy rules are designed to let the BlackBerry Enterprise
Server administrator allow or prevent the installation of specific third-party applications on the BlackBerry
device and to limit the permissions of third-party applications, including
• the resources (for example, email, phone, and BlackBerry device key store) that third-party applications can
  access on the BlackBerry device
• the types of connections that a third-party application running on the BlackBerry device can establish (for
  example, local, internal, and external connections)
• whether or not an application can access the user authenticator framework API, which permits the
  registration of drivers to provide two-factor authentication to unlock the BlackBerry device
For example, to control connections to your internal servers from third-party applications on the BlackBerry
device, the BlackBerry Enterprise Server administrator can create an application control policy that prevents the
application to which it is assigned from making internal connections. When the BlackBerry Enterprise Server
administrator applies the application control policy to a software configuration for a user or one or more user
groups, those BlackBerry device users might not be able to use the full functionality of any third-party
application to which the administrator assigns the policy when that application needs to send data to and
receive data from internal servers. When the BlackBerry Enterprise Server administrator sets
application policy rules for user groups, the BlackBerry Enterprise Server limits allowed application behavior to a
small subset of trusted BlackBerry device users only.
IT policy rule settings override application control policy rule settings. For example, if the BlackBerry Enterprise
Server administrator changes the Allow Internal Connections IT policy rule setting from its default value of True
for BlackBerry devices for which the administrator also sets an application control policy that allows a specific
application to make internal connections, the IT policy rule setting overrides the application control policy rule
setting and the application cannot make internal connections.
The BlackBerry device resets if an application control policy makes the permissions of the application to which
it is applied more restrictive.
BlackBerry devices running BlackBerry Device Software Version 4.1 or later permit users to make application
permissions more restrictive, but never less restrictive, than what is set by the BlackBerry Enterprise Server
administrator.
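
The precedence rules described above can be modeled as a small resolver. This is an added example, not code
from RIM or from the BlackBerry Enterprise Server; it assumes every rule is a simple allow/deny boolean that
defaults to allowed, and the function names and dictionary keys are hypothetical.

```python
# Simplified model: every rule is a boolean where True means "allowed".
# The rule names and the three-dict layout are assumptions of this example.
CONNECTION_TYPES = ("local", "internal", "external")


def effective_permissions(it_policy, app_control, user_choice=None):
    """Resolve what one third-party application may do, per connection type.

    it_policy    -- device-wide IT policy rules (missing rule = True)
    app_control  -- application control policy assigned to the application
    user_choice  -- changes made by the device user (Device Software 4.1+)
    """
    user_choice = user_choice or {}
    resolved = {}
    for kind in CONNECTION_TYPES:
        allowed = app_control.get(kind, True)
        # IT policy rule settings override application control policy settings.
        if not it_policy.get(kind, True):
            allowed = False
        # A user can make a permission more restrictive, never less restrictive,
        # so a user value of True cannot re-enable something already denied.
        if not user_choice.get(kind, True):
            allowed = False
        resolved[kind] = allowed
    return resolved


def causes_device_reset(old_app_control, new_app_control):
    """True when the new policy is more restrictive for any connection type."""
    return any(
        old_app_control.get(kind, True) and not new_app_control.get(kind, True)
        for kind in CONNECTION_TYPES
    )


if __name__ == "__main__":
    # Constructed sample: the application control policy allows internal
    # connections, but the Allow Internal Connections IT policy rule is False.
    it_policy = {"internal": False}
    app_control = {"local": True, "internal": True, "external": False}
    user_choice = {"local": False, "external": True}
    print(effective_permissions(it_policy, app_control, user_choice))
    print(causes_device_reset(app_control, {**app_control, "internal": False}))
```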

Using code signing to contain malware on the BlackBerry device

RIM does not inspect or verify third-party applications that run on BlackBerry devices; however, RIM controls the
use of BlackBerry device APIs that include sensitive packages, classes, or methods to prevent unauthorized
applications from accessing data on the BlackBerry device. Each third-party application requires authorization to
run on the BlackBerry device.
Before the BlackBerry Enterprise Server administrator or a BlackBerry device user can run a third-party
application that uses the RIM-controlled APIs on the BlackBerry device, the RIM signing authority system must
use public key cryptography to authorize and authenticate the application code. The third-party application
developer must visit www.blackberry.com/developers/downloads/jde/api.shtml to register with the RIM signing
authority system for access to the controlled APIs and must use the BlackBerry Signature Tool, which is a
component of the BlackBerry JDE, to request, receive, and verify a digital code signature from RIM for the
application.
Third-party application developers who create controlled-access third-party APIs can act as a signing authority
for those APIs. The application developer can download and install the BlackBerry® Signing Authority Tool to
allow other developers to register for access to the application developer’s controlled APIs. Registered
developers can use their BlackBerry Signature Tool to request, receive, and verify digital code signatures from
the application developer’s BlackBerry Signing Authority Tool for their applications.
www.blackberry.com