BlackBerry Device Service Solution Version: 10.
Published: 2013-05-14 SWD-20130514151546118
Contents

1 About BlackBerry Device Service solution security 7
  BlackBerry Device Service solution security 7
  Device security features
5 Managing certificates on devices 38
  Certificates that the BlackBerry Device Service and a device use to authenticate with each other 38
  Using SCEP to enroll client certificates to a device 39
  Managing certificates that a device enrolls using SCEP
  Controlling app connections 80
10 Managing app availability on devices 83
  Preventing users from installing apps using development tools 84
  Signing apps
  How the BlackBerry 10 device prevents the exploitation of memory corruption 110
14 The BlackBerry PlayBook OS 112
  The BlackBerry PlayBook tablet file system
Security Technical Overview

1 About BlackBerry Device Service solution security

BlackBerry Device Service solution security

The BlackBerry Device Service solution consists of various components and features that extend your organization's communication methods to BlackBerry devices. The BlackBerry Device Service solution protects data that is in transit at all points between a device and the BlackBerry Device Service.

Device security features

Feature: Protection of data between the BlackBerry Device Service and a device
Description: The BlackBerry Device Service protects data that is in transit between the BlackBerry Device Service and a device. The BlackBerry Device Service and a device can communicate using both transport layer encryption (using AES-256) and TLS.

Feature: Protection of application data using sandboxing
Description: The BlackBerry 10 OS and PlayBook OS use sandboxing to separate and restrict the capabilities and permissions of apps that run on the device. Each application process runs in its own sandbox. The BlackBerry 10 OS and PlayBook OS evaluate the requests that an app's processes make for memory outside of its sandbox.

• Install and manage your organization's applications on devices
• Protect your organization's data and applications on devices

Component: BlackBerry Administration Service
Description: You can use the BlackBerry Administration Service to manage the BlackBerry Device Service and the user accounts and devices that are associated with it.

Component: BlackBerry Infrastructure
Description: The BlackBerry Infrastructure validates SRP information and controls the IPPP traffic that travels outside your organization's firewall to and from BlackBerry devices.

Component: BlackBerry Dispatcher
Description: The BlackBerry Dispatcher maintains an SRP connection with the BlackBerry Infrastructure over the Internet.
2 How the BlackBerry Device Service and the BlackBerry Infrastructure authenticate with each other

The BlackBerry Infrastructure and BlackBerry Device Service must authenticate with each other before they can transfer data. The BlackBerry Device Service uses SRP to authenticate with and connect to the BlackBerry Infrastructure.

Data flow: Authenticating the BlackBerry Device Service with the BlackBerry Infrastructure

1. The BlackBerry Device Service sends a data packet that contains its unique SRP identifier to the BlackBerry Infrastructure to claim the SRP identifier.
2. The BlackBerry Infrastructure sends a random challenge string to the BlackBerry Device Service.
3.

How the BlackBerry Device Service protects a TCP/IP connection to the BlackBerry Infrastructure

After the BlackBerry Device Service and the BlackBerry Infrastructure open an SRP connection, the BlackBerry Device Service uses a persistent TCP/IP connection to send data to the BlackBerry Infrastructure.
3 How devices connect to the BlackBerry Device Service

Devices can connect to the BlackBerry Device Service and access your organization's network using a number of communication methods. By default, devices attempt to connect to your organization's network using the following communication methods, in order:

1. Work VPN profiles that you configure
2. Work Wi-Fi profiles that you configure
3. BlackBerry Infrastructure
4.

By default, the Enterprise Management Agent on the device can use all of these communication methods to connect to the BlackBerry Device Service and obtain the latest updates that you made to IT policies, profiles, software configurations, or IT administration commands.

certificate with each server. The server might use SSL or TLS, depending on how it is set up.

Encryption type: AES encryption
Description: Encrypts the data that is sent between the device and the BlackBerry Device Service. This type of encryption uses the device transport key.

Work Wi-Fi connection

In a work Wi-Fi connection, a device connects to your organization's resources through a work Wi-Fi connection that you set up.

BlackBerry Infrastructure connection

In a BlackBerry Infrastructure connection, a device connects to your organization's resources through any wireless access point, the BlackBerry Infrastructure, your organization's firewall, and the BlackBerry Device Service. Wi-Fi encryption is only used if the wireless access point was set up to use Wi-Fi encryption.

Securing the communication between devices and your organization's network

Devices permit work apps and personal apps (on BlackBerry Balance devices) to use any of the Wi-Fi profiles or VPN profiles that are stored on the devices to connect to your organization's network.

Related information
Controlling how work and personal apps connect to your organization's network, 57
Controlling the network connections that work and personal apps on BlackBerry PlayBook tablets can access, 71
Controlling app connections, 80

Using Kerberos to provide single sign-on from BlackBerry 10 devices

If your organization uses Kerberos to provide users with single sign-on access to your organization's resources, you can also provide us

How the BlackBerry Device Service manages email messages

Devices use Microsoft ActiveSync to synchronize email messages, calendar entries, and contacts with your organization's messaging server.

Data flow: Opening a TLS connection between the BlackBerry Infrastructure and a device

1. A device sends a request to the BlackBerry Infrastructure to open a TLS connection.
2. The BlackBerry Infrastructure sends its TLS certificate to the device.
3. The device uses a root certificate that is preloaded on the device to verify the TLS certificate.

Devices store device transport keys in a keystore database in flash memory. The keystore database prevents an attacker from copying the device transport keys to a computer by trying to back up the device transport keys. An attacker cannot extract key data from flash memory. The BlackBerry Device Service stores device transport keys in the BlackBerry Configuration Database.

Data flow: Generating a message key on a device

A device uses the DRBG function to generate a message key. To generate a message key, the device performs the following actions:

1. Retrieves random data from multiple sources to generate the seed using a technique that the device derives from the initialization function of the ARC4 encryption algorithm
2. Uses the random data to reorder the contents of a 256-byte state array
3.

The BlackBerry Device Service stores a copy of the seed in a file. When the BlackBerry Device Service restarts, it reads the seed from the file and uses the XOR function to compare the stored seed with the new seed.

7. Uses the DSA PRNG function to generate 256 pseudorandom bits for use with AES encryption
8.
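The seeding and seed-file steps above, written out as an added Python illustration that is not BlackBerry's code: random data from several sources is run through an ARC4-style key-scheduling pass that reorders a 256-byte state array, a seed saved from an earlier run is folded in with XOR, and the result is expanded to 256 bits. The SHA-256 expansion at the end is a stand-in for the DSA PRNG the document names, and the entropy sources are constructed byte strings so the run is repeatable.

```python
import hashlib
from typing import Callable, List, Optional

STATE_SIZE = 256  # the 256-byte state array the document describes


def gather_seed_material(sources: List[Callable[[], bytes]]) -> bytes:
    """Step 1: pull random data from several sources and concatenate it.

    On a device these would be independent noise sources; here the caller
    supplies constructed byte strings so the example is deterministic."""
    material = b"".join(src() for src in sources)
    if not material:
        raise ValueError("no seed material collected")
    return material


def arc4_style_reorder(material: bytes) -> bytes:
    """Step 2: reorder a 256-byte state array driven by the seed material.

    This is the ARC4 key-scheduling permutation: the state starts as the
    identity 0..255 and each position is swapped with an index that depends
    on the accumulated state and the next byte of seed material. The output
    is always a permutation of 0..255, so no byte is lost or duplicated."""
    state = list(range(STATE_SIZE))
    j = 0
    for i in range(STATE_SIZE):
        j = (j + state[i] + material[i % len(material)]) % STATE_SIZE
        state[i], state[j] = state[j], state[i]
    return bytes(state)


def combine_with_stored_seed(stored_seed: bytes, new_seed: bytes) -> bytes:
    """Seed-file step: XOR the seed saved from the previous run into the new one.

    XOR keeps the entropy of both inputs as long as they are independent.
    Caveat: if the fresh material exactly repeats the previous run, the two
    seeds are identical and XOR cancels them to all zeros, so the sources
    must actually vary between start-ups."""
    if len(stored_seed) != len(new_seed):
        raise ValueError("stored seed length does not match new seed length")
    return bytes(a ^ b for a, b in zip(stored_seed, new_seed))


def expand_to_256_bits(seed: bytes) -> bytes:
    """Step 7 stand-in: derive 256 bits of key material from the seed.

    The document uses the DSA PRNG here; SHA-256 over a labelled copy of the
    seed is substituted as a simple, well-known one-way expansion."""
    return hashlib.sha256(b"message-key|" + seed).digest()


def generate_message_key(sources: List[Callable[[], bytes]],
                         stored_seed: Optional[bytes] = None):
    """Run the whole flow and return (message_key, seed_to_store).

    The returned seed is what a caller would write to the seed file so the
    next start-up can fold it in again."""
    material = gather_seed_material(sources)
    seed = arc4_style_reorder(material)
    if stored_seed is not None:
        seed = combine_with_stored_seed(stored_seed, seed)
    return expand_to_256_bits(seed), seed


# Constructed entropy sources (not real device noise) for a repeatable demo.
DEMO_SOURCES = [
    lambda: bytes.fromhex("0badf00d" * 4),
    lambda: b"timer-jitter-sample",
    lambda: bytes(range(16, 48)),
]
# A second, different constructed set standing in for fresh data after a restart.
DEMO_SOURCES_AFTER_RESTART = [
    lambda: bytes.fromhex("c0ffee00" * 4),
    lambda: b"timer-jitter-sample-2",
    lambda: bytes(range(200, 232)),
]

if __name__ == "__main__":
    key, seed = generate_message_key(DEMO_SOURCES)
    print("message key:", key.hex())
    # After a "restart": the saved seed is XORed into newly gathered material.
    key2, _ = generate_message_key(DEMO_SOURCES_AFTER_RESTART, stored_seed=seed)
    print("message key after restart:", key2.hex())
```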
How a device and the BlackBerry Device Service protect sensitive Wi-Fi information

To permit a device to access a Wi-Fi network, you must send sensitive Wi-Fi information such as encryption keys and passwords to the device using Wi-Fi profiles and VPN profiles. After the device receives the sensitive Wi-Fi information, the device encrypts the encryption keys and passwords and stores them in flash memory.

Data flow: Authenticating a device with a work Wi-Fi network using the IEEE 802.1X standard

If you configured a wireless access point to use the IEEE 802.1X standard, the access point permits communication using EAP authentication only. This data flow assumes that you configured a device to use an EAP authentication method to communicate with the access point.

1.

server. EAP-TLS authentication uses the TLS encrypted tunnel and a client certificate to send the credentials of the device to the authentication server. Devices support EAP-TLS authentication when the authentication server and the client use certificates that meet specific requirements.

For PEAP authentication, EAP-TLS authentication, or EAP-TTLS authentication to be successful, the device must trust the certificate of the authentication server. The device does not trust the certificate of the authentication server automatically.
4 Activating devices

When you or a user activates a device, you create the work space on the device, associate the work space with a user account in the BlackBerry Device Service, and establish a secure communication channel between the device and the BlackBerry Device Service. The BlackBerry Device Service allows multiple devices to be activated for the same user account.

the BlackBerry Infrastructure. If you register the activation information, the user's account information, including their username, activation password, required server address, and SRP information will be sent to and stored in the BlackBerry Infrastructure.

  a. Types the user ID, activation password, and the Enterprise Management Web Service web address (if necessary) on the device
  b. For a work space only activation, accepts the organization notice, which outlines the terms and conditions that the user must agree to.
3. If the activation is a work space only activation, the device deletes all existing data and restarts.
4.

  a. Establish a mutually authenticated TLS connection by verifying both the client certificate and the server certificate for the Enterprise Management Web Service using the enterprise management root certificate
  b. Generate the device transport key using ECMQV and the authenticated long-term public keys from the client certificate and the server certificate for the Enterprise Management Web Service
10.

  b. For a work space only activation, accepts the organization notice, which outlines the terms and conditions that the user must agree to
3. If the activation is a work space only activation, the device deletes all existing data and restarts.
4. The Enterprise Management Agent on the device establishes a connection through the BlackBerry Infrastructure to the BlackBerry Device Service.
5.

  c. Stores the client certificate and the enterprise management root certificate in its keystore
11.

Data flow: Activating a device using the BlackBerry Web Desktop Manager

1. You perform the following actions:
  a. Add a user account to the BlackBerry Device Service using the account information retrieved from your organization's Microsoft Active Directory
  b. Set the user's activation type to either BlackBerry Balance or work space only
2.

  e. Sends the encrypted CSR and HMAC to the Enterprise Management Web Service
11.
5 Managing certificates on devices

A certificate is a digital document that binds the identity and public key of a certificate subject. Each certificate has a corresponding private key that is stored separately. A CA signs the certificate to verify that it can be trusted.

• To set up a TLS connection between the BlackBerry Device Service and a device so that the BlackBerry Device Service can activate the device and send management commands to it

The BlackBerry Device Service setup application creates the server certificate during the installation process. When a user activates a device, the device generates a key pair and sends the public key to the BlackBerry Device Service in a CSR.

certificate. You can use the Automatic Renewal SCEP profile setting to configure how many days before the certificate expires that automatic renewal occurs.

  d. Adds the computed signature response to the PKCS#10 CSR
  e. Encrypts the PKCS#10 CSR using PKCS#7 enveloped data format and the CA public key
  f. Sends the PKCS#7 enveloped data to the device
6. The device completes the SCEP request by signing the PKCS#7 enveloped data using PKCS#7 signed data format and sends the SCEP request to the CA.
7. The CA issues the certificate and sends it to the device.
8.

Folder / Description

Devices running BlackBerry 10 OS version 10.0 also use certificates in this folder to authenticate with your work messaging server if it uses certificate-based authentication and to authenticate secure email messages that have been received.

Folder: Enterprise
Description: The BlackBerry Device Service sends certificates in the Enterprise folder to the Enterprise Root Certificates list on devices running BlackBerry 10 OS version 10.1 and later.
6 Using IT policies to manage BlackBerry Device Service security

You can use IT policies to control and manage devices in your organization's environment. An IT policy consists of multiple IT policy rules that manage the security and behavior of the BlackBerry Device Service solution.

Resolving IT policy conflicts

If you add a user account to multiple groups, multiple IT policies can be added to the user account. You can control how the BlackBerry Device Service applies the correct IT policies and IT policy rules to the user account. The BlackBerry Device Service applies the IT policy that you assign directly to the user account first.
7 Using BlackBerry Balance to secure BlackBerry 10 devices in your organization's environment for work use and personal use

Your organization can use BlackBerry Balance technology to permit users to use BlackBerry 10 devices for both work and personal use.

that the user was using before the device was activated on the BlackBerry Device Service are available to the user in the personal space on the device.

How devices classify work and personal data and apps

BlackBerry Balance devices running BlackBerry 10 can distinguish between data that is for work use and data that is for personal use.

Apps that are available in both the work space and the personal space and display work data and personal data in a unified view
Description: These apps classify the data that they use as either work or personal data based on the source of the data and manage each type of data within the space that it belongs to.

How devices are designed to prevent BlackBerry Runtime for Android apps from accessing work data and apps

BlackBerry Balance devices running BlackBerry 10 classify Android apps as personal apps and, as such, they can be installed only in the personal space on devices. You cannot deploy or approve Android apps for installation in the work space.

How devices protect personal data

BlackBerry Balance devices running BlackBerry 10 allow the encryption of personal files on devices. You can use the "Personal Space Data Encryption" IT policy rule to turn on encryption for the personal space of devices.

Protecting work data on devices with password rules

To secure work content and resources in the work space, when BlackBerry 10 devices are activated on the BlackBerry Device Service using the BlackBerry Balance option, devices require users to set a password for the work space by default.

Item: Work app data
Description: Work data that is associated with work apps on the device

Item: Work Wi-Fi profiles
Description: Work Wi-Fi profiles that the user configures on the device

Item: Work VPN profiles
Description: Work VPN profiles that the user configures on the device

Related information
Data wipe, 99
How the BlackBerry Device Service and devices manage work and personal dat

When users are in the work space on devices, they see the work space wallpaper. If you do not send a work space wallpaper image to devices, users can still set a different wallpaper image for the work space using the Wallpaper option in the Display settings, from the work space on devices.

Related information
Transferring work data from devices using Bluetooth, 55

Managing how apps open links in the work and personal spaces on devices

In general, work apps can open only other work apps and personal apps can open only other personal apps on BlackBerry Balance devices running BlackBerry 10.

Managing data transferred to and from a device using NFC

Data that a BlackBerry Balance device running BlackBerry 10 receives from another device using NFC is generally classified as personal data.

Devices use the Bluetooth MAP to send messages to another Bluetooth enabled device. To prevent a user from using the Bluetooth MAP to send messages from the work space (for example, email messages and instant messages) to another Bluetooth enabled device, you can set the "Transfer Work Messages Using Bluetooth MAP" IT policy rule to Disallow.

Related information
Back up and restore, 101

Controlling how work and personal apps connect to your organization's network

The BlackBerry Device Service controls how work apps and personal apps on BlackBerry Balance devices running BlackBerry 10 connect to your organization's network.

By default, work apps can use the Wi-Fi profiles or VPN profiles that are stored on the device to connect to your organization's network and can also connect to your organization's network through the BlackBerry Device Service.

The "Work Network Usage for Personal Apps" IT policy rule controls which interfaces are available to apps that are in the personal space. If the "Work Network Usage for Personal Apps" IT policy rule is set to Allow, personal apps attempt to connect to your organization's network using the following communication methods, in order:

1.

If the "Work Network Usage for Personal Apps" IT policy rule is set to Disallow, personal apps attempt to connect to your organization's network using the following communication methods, in order:

1. Personal VPN profiles over a Wi-Fi network
2. Personal VPN profiles over a mobile network
3. Personal Wi-Fi profiles
4. Mobile network
5.

You can use IT policy rules to prevent or protect connections to your organization's network:

• Prevent personal apps from using your organization's networks to connect to the Internet
• Allow the BBM Video feature to use your organization's networks when personal apps cannot

For more information about IT policy rules, see the BlackBerry Device Service P

If the "Work Network Usage for Personal Apps" IT policy rule is set to Allow, users can still prevent all apps in the personal space from using your organization's network to connect to the Internet using the Allow Personal Apps to Use Work Networks option in the BlackBerry Balance settings on the device.
8 Using BlackBerry Balance to secure BlackBerry PlayBook tablets in your organization's environment for work use

Your organization can use BlackBerry Balance technology to permit users to use BlackBerry PlayBook tablets for both work and personal use.

Tablets encrypt data stored in the personal file system if you set the "Personal Space Data Encryption" IT policy rule to Yes or if the user turns on encryption for personal data using the Encryption option in the Security settings on tablets. Tablets encrypt data stored in the personal file system using XTS-AES-256 encryption.

Data flow: Generating a work space key when the "Two-factor Encryption Key Generation" IT policy rule is set to Yes

If you set the "Two-factor Encryption Key Generation" IT policy rule to Yes, BlackBerry PlayBook tablets base the encryption key on both the protected secret and the password for the work space.

Controlling when BlackBerry PlayBook tablets delete all data in the work space

To protect your organization's data on a BlackBerry PlayBook tablet, you can delete all work data from the tablet by wiping the work space and all of its contents. All personal data remains on the device. For example, you can do this if a user no longer works at your organization.

Item: IT policy
Description: IT policy that is associated with your organization

Item: Device transport key
Description: References to the device transport key, which prevents the tablet from communicating with the BlackBerry Device Service

Item: Work data
Description: Work data that is associated with work apps on the tablet

Item: Wi-Fi and VPN profiles
Description: Wi-Fi and VPN profiles that the user configures on

What happens when a user updates or creates files on a BlackBerry PlayBook tablet

The BlackBerry PlayBook tablet helps protect data when a user performs the following actions:

Action: Open a file to view or update it
Description: When the user opens a file that belongs to one space, the tablet starts the app in the space mode that the file belongs to.

Some apps, such as Documents To Go, can run in work mode or personal mode. If the user opens an attachment in a work email message or work calendar entry, Documents To Go runs in work mode. If the user opens an attachment in a personal email message or personal calendar entry, Documents To Go runs in personal mode.

Comparison of work and personal apps

Work apps:
• Work apps can view and change work data.
• Work apps can view but not change personal data.

Personal apps:
• Personal apps cannot view work data but they can view and change personal data.

How a BlackBerry PlayBook tablet is designed to prevent BlackBerry Runtime for Android apps from accessing work data or apps

Tablets consider Android apps to be personal apps and install them in the personal spaces on BlackBerry PlayBook tablets. Android apps can only access personal data that is located in the personal space.

If a user uses the browser to connect to web servers that support NTLM using a work Wi-Fi network or a work VPN network, the tablet supports NTLMv1 authentication. The tablet also supports the message-signing capabilities of both NTLMv1 standard session security and NTLM Extended Session Security (also known as NTLM2).
9 Securing work space only devices

You can activate devices using the work space only option. These devices contain only one space that is considered a work space and is secure. All data and apps on these devices are classified as work resources.

Classifying data

All data and apps on work space only devices are classified as work resources, even when users use the devices for personal tasks like visiting personal web pages or receiving personal email messages.

Protecting data

Work space only devices protect work data by encrypting the files stored in the work space. Devices can also encrypt the files stored on media cards.

Related information
Media cards, 103

Password protection

Password protection on work space only devices is not optional. To secure work data on these devices, users must set a device password during activation. You can use IT policy rules to control device password requirements such as complexity and length.

• Hotspot Browser
• NFC
• User-Created VPN Profiles
• Wi-Fi

For more information about these IT policy rules, see the BlackBerry Device Service Policy and Profile Reference Guide.

Related information
Controlling Bluetooth, 76

Controlling Bluetooth

Bluetooth wireless technology lets users open wireless connections with other Bluetooth enabled devices.

• Bluetooth File Transfer Using OBEX
• Bluetooth HFP
• Bluetooth MAP
• Bluetooth PAN
• Bluetooth SPP

For more information about these IT policy rules, see the BlackBerry Device Service Policy and Profile Reference Guide.

Controlling messaging

By default, users can set up various messaging methods on work space only devices such as Facebook and text messaging.

For more information about these IT policy rules, see the BlackBerry Device Service Policy and Profile Reference Guide.

Related information
BlackBerry World for Work, 78
Controlling messaging, 77

BlackBerry World for Work

During work space only activation, the BlackBerry World for Work app is loaded on devices. BlackBerry World for Work contains a Company Apps tab and a Public Apps tab that lists optional apps.

• Roaming
• Voice dictation
• Voice control

For more information about these IT policy rules, see the BlackBerry Device Service Policy and Profile Reference Guide.

Controlling voice control

By default, users can use voice control commands on BlackBerry 10 devices. To prevent users from using voice control commands for Email and Calendar apps on devices, set the "Voice Control" IT policy rule to Disallow for Email and Calendar.

Controlling app connections

The BlackBerry Device Service controls how apps on work space only devices connect to your organization's network. Because work space only devices are entirely controlled by your organization, all apps and data on these devices are considered work apps and work data. You can use IT policy rules to control the type of connections that work apps use to connect to your organization's network.

By default, work apps can use Wi-Fi profiles, VPN profiles, or the BlackBerry Device Service to connect to your organization's network. If you want to control or filter all work traffic on devices, you can set the "Network Access Control for Work Applications" IT policy rule to Yes.
10 Managing app availability on devices

You can use the BlackBerry Device Service to install and manage work apps in the work space on devices. Work apps can only access work data and interact with other work apps. A work app can be either an internal app or a public app available from the BlackBerry World storefront. You can add an internal app to the BlackBerry Device Service by specifying the .

Preventing users from installing apps using development tools

App developers can use development tools to test apps that they are developing by installing the apps on devices using a USB or Wi-Fi connection. You can use the "Restrict Development Mode" IT policy rule to prevent users from using development tools to install apps on BlackBerry Balance devices. Users cannot use development tools to install apps on work space only devices.

11 Extending messaging security on BlackBerry 10 devices

You can extend messaging security for the BlackBerry Device Service solution and permit BlackBerry 10 device users to send and receive S/MIME-protected email messages. Digitally signing or encrypting messages adds another level of security to the email messages that users send or receive from their devices.

Extending messaging security on BlackBerry 10 devices using S/MIME protection

You can extend messaging security for the BlackBerry Device Service and permit users to send S/MIME-protected email messages on BlackBerry 10 devices. Users do not have to install additional software on devices to support S/MIME protection.

S/MIME profile setting | Description
Encrypted S/MIME messages | You can make encryption of outgoing messages allowed, required, or disallowed:
  • Allowed: users can choose whether or not to encrypt messages (default value)
  • Required: users must encrypt messages
  • Disallowed: users cannot encrypt messages
Allowed content ciphers | You can choose any or all of the following encryption algorithms that a device can use to

Encrypted S/MIME Messages profile setting | Digitally Signed S/MIME Messages profile setting | S/MIME options on device | Encoding drop-down on device
Allowed Disallowed User can turn S/MIME on or off • Plain text • S/MIME [Sign] S/MIME is on. User cannot turn S/MIME off. • S/MIME [Sign] • S/MIME [Sign and Encrypt] Required Required Required Required S/MIME is on.
Disallowed Required Allowed S/MIME is on. User cannot turn S/MIME off. • S/MIME [Sign] • S/MIME [Sign and Encrypt] Required Required S/MIME is on. User cannot turn S/MIME off.

Item | Description
S/MIME public key | When a user sends an email message from a device, the device uses the S/MIME public key of the recipient to encrypt the message. When a user receives a signed email message on a device, the device uses the S/MIME public key of the sender to verify the message signature.

   d. Sends the encrypted message to the BlackBerry Device Service
2. If the device is connected to the BlackBerry Infrastructure, the BlackBerry Device Service decrypts the BlackBerry transport layer encryption.
3. The BlackBerry Device Service sends the S/MIME-encrypted message to the recipient.
4. The recipient decrypts the S/MIME-encrypted message using their S/MIME private key.
12 Protecting data

The BlackBerry Device Service and BlackBerry devices offer security features to protect user information, including:
• Passwords
• Security timeout
• Data wipe
• Back up and restore
• Encryption
• Home screen messages
• Smart cards with BlackBerry Smart Card Reader

Passwords

You can use password protection to protect your organization's data and user information on devices.

Rule settings | Result
policy rules in the Password rule group apply to the work space password. Users have the option to use their work space password as their device password using the "Set as device password" option in the BlackBerry Balance settings, or the "Device password can be connected to the BlackBerry Balance Password" option in the Device Password settings on the device.

Device type | Conditions | Result
BlackBerry Balance (excluding BlackBerry PlayBook tablets)
  Conditions:
  • Device has a work space password
  • Device does not have a full device password
  Result:
  • The command creates a full device password
  • The work space password is not affected
  • The entire device locks and the new password is the device password

  Conditions:
  • Device has a work space password
  • Device has a full device password
  Result:
  • The command changes the full device password
  • The wor

Device type | Conditions | Result
  Conditions:
  •
  • You enforce the work space password as the full device password using the "Apply Work Space Password to Full Device" IT policy rule
  Result:
  • The command changes the work space password
  • The command changes the full device password

  Conditions:
  • Device has a work space password
  • The user enforces the work space password as the full device password using the "Use as my device password" option
  Result:
  • The command changes the work space password

The Enterprise Management Web Service stores a unique private key for each device that is activated on the Enterprise Management Web Service.
4.

Data flow: When you change the work space password on a BlackBerry PlayBook tablet

1. You send the "Specify new device password and lock device" IT administration command to the BlackBerry PlayBook tablet.
2. The tablet sends the encrypted intermediate key to the Enterprise Management Web Service.
3.

If the "Two-factor Encryption Key Generation" IT policy rule is set to Yes, the tablet uses the current password to derive the current intermediate key. If the "Two-factor Encryption Key Generation" IT policy rule is set to No, the tablet retrieves and uses the domain key from the NV store to derive the current intermediate key.

On BlackBerry 10 devices, certain apps, such as apps that display navigation information, slideshows, and videos, can extend the security timeout. By default, these apps can reset the security timer to prevent the device from locking after the period of user inactivity that you specify in the "Security Timeout" IT policy rule or that is specified in the Password Lock settings on the device.

Event | Device type | Description
can use either the "Delete all device data and remove device" or "Delete only the organization data and remove device" IT administration commands to wipe these devices. If the BlackBerry Device Service can't connect to the device because it is off or not connected to a network, the BlackBerry Device Service sends the command after the device connects to a network.

Work space only wipe

To protect your organization's data on BlackBerry Balance devices, including BlackBerry PlayBook tablets, these devices delete all data in the work space when any of the following events occur:

Event | Description
You send the "Delete only the organization data and remove device" IT administ | To require that a device delete all data in the work space, you can use the BlackBerry Device Service to send the "Delete only the organization data and

Device | Spaces users can back up/restore | Software to use
BlackBerry Balance device (excluding BlackBerry PlayBook tablet) | • Work space • Personal space | • BlackBerry Link
Work space only device | • Work space | • BlackBerry Link
BlackBerry PlayBook tablet | • Personal space | • BlackBerry Link • BlackBerry Desktop Software

Backup protection

When a user backs up data and apps, the device encrypts the data and apps and then authenticates the backup file

Encryption

Devices use encryption to protect the following:
• Work space data
• Personal space data
• Media card data

Work data

Devices protect work data by encrypting the files stored in the work space. Work space encryption is not optional.

Users can also turn on media card encryption using the Media Card Encryption option in the Security and Privacy settings on the device.

Related information
Protecting data on media cards, 50
Media card encryption, 74

Home screen message

If devices are lost, you can change the information that appears on the home screen to display contact information that can be used to return the device.
• Trying an action on the device that requires the smart card (for example, importing certificates, signing or decrypting a message, or turning on two-factor authentication)

The reader reconnects automatically to a device to which it has previously connected.

• You or a user wipes the device. During this process, the device deletes the smart card binding information from device memory. When the process completes, a user can authenticate with the device using a new smart card. You can wipe the device by sending the "Delete all device data and remove device" IT administration command or the "Delete only the organization data and remove device" IT administration command.
13 The BlackBerry 10 OS

The BlackBerry 10 OS is the microkernel operating system of the BlackBerry 10 device. Microkernel operating systems implement the minimum amount of software in the kernel and run other processes in the user space that is outside of the kernel. Microkernel operating systems are designed to contain less code in the kernel than other operating systems.

How the BlackBerry 10 OS uses sandboxing to protect app data

The BlackBerry 10 OS uses a security mechanism called sandboxing to separate and restrict the capabilities and permissions of apps that run on the BlackBerry 10 device. Each application process runs in its own sandbox, which is a virtual container that consists of the memory and the part of the file system that the application process has access to at a specific time.

How the BlackBerry 10 device manages permissions for apps

The authorization manager is the part of the BlackBerry 10 OS that evaluates requests from apps to access the capabilities of the BlackBerry 10 device. Capabilities include taking a photograph and recording audio. The BlackBerry 10 OS invokes the authorization manager when an app starts to set the permissions for the capabilities that the app uses.

corresponding public keys to verify that the digital signature is correct. If it is correct, the boot ROM code runs the BlackBerry 10 OS. Before the BlackBerry 10 OS mounts the read-only base file system, it runs a validation program that generates a SHA-256 hash of the base file system content, including all metadata. The program compares the SHA-256 hash to a SHA-256 hash that is stored outside the base file system.

Security mechanism | Description
Robust heap implementations | The heap implementation includes a defense mechanism against the deliberate corruption of the heap area of memory. The mechanism is designed to detect or mitigate the overwriting of in-band heap data structures so that a program can fail in a secure manner. The mechanism helps prevent attackers from executing arbitrary code via heap corruption.

14 The BlackBerry PlayBook OS

The BlackBerry PlayBook OS is the microkernel operating system of the BlackBerry PlayBook tablet. Microkernel operating systems implement the minimum amount of software in the kernel and run other processes in the user space that is outside of the kernel. Microkernel operating systems are designed to contain less code in the kernel than other operating systems.

How the BlackBerry PlayBook OS uses sandboxing to protect app data

The BlackBerry PlayBook OS uses a security mechanism called sandboxing to separate and restrict the capabilities and permissions of apps that run on the BlackBerry PlayBook tablet. Each application process runs in its own sandbox, which is a virtual container that consists of the memory and the part of the file system that the application process has access to at a specific time.

How the BlackBerry PlayBook tablet manages permissions for apps

The authorization manager is the part of the BlackBerry PlayBook OS that evaluates requests from apps to access the capabilities of the BlackBerry PlayBook tablet. Capabilities include taking a photograph and recording audio. The PlayBook OS invokes the authorization manager when an app starts to set the permissions for the capabilities that the app uses.

corresponding public keys to verify that the digital signature is correct. If it is correct, the boot ROM code runs the PlayBook OS. Before the PlayBook OS mounts the read-only base file system, it runs a validation program that generates a SHA-256 hash of the base file system content, including all metadata. The program compares the SHA-256 hash to a SHA-256 hash that is stored outside the base file system.
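The boot-time check described above for both the BlackBerry 10 OS and the BlackBerry PlayBook OS hashes the base file system content together with its metadata and compares the result with a reference digest kept outside that file system. The following added example is not BlackBerry code and does not reproduce the device's image format; it models the same pattern over a constructed in-memory file system (path, mode bits and content) so that the effect of each kind of tampering on the digest can be seen. The names `SAMPLE_FS`, `hash_base_fs`, `validate_before_mount` and `tampered_copy` belong to this example only.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed stand-in for a read-only base file system: path -> (mode bits, content).
# A real device hashes a block image; this keeps the idea (content plus metadata)
# without the image format. The contents are made up for the example.
SAMPLE_FS: Dict[str, Tuple[int, bytes]] = {
    "/base/bin/init": (0o755, b"\x7fELF\x01\x01\x01 init-image"),
    "/base/etc/authman.conf": (0o644, b"deny_by_default=1\n"),
    "/base/lib/libc.so": (0o755, b"\x7fELF\x01\x01\x01 libc-image"),
}


def hash_base_fs(fs: Dict[str, Tuple[int, bytes]]) -> str:
    """Return the SHA-256 hex digest of the file system content and metadata.

    Entries are visited in sorted path order so the digest does not depend on
    insertion order, and every field is length- or NUL-delimited so that two
    different trees cannot serialise to the same byte stream.
    """
    h = hashlib.sha256()
    for path in sorted(fs):
        mode, content = fs[path]
        h.update(path.encode("utf-8") + b"\x00")   # name (metadata)
        h.update(mode.to_bytes(4, "big"))          # permission bits (metadata)
        h.update(len(content).to_bytes(8, "big"))  # size (metadata)
        h.update(content)                          # file content
    return h.hexdigest()


def validate_before_mount(fs: Dict[str, Tuple[int, bytes]], stored_hash: str) -> bool:
    """Mimic the validation program: recompute the digest and compare it with the reference.

    The reference is assumed to be stored outside the file system being checked
    (here it is simply passed in). compare_digest is used so the comparison
    covers the whole string rather than stopping at the first differing byte.
    """
    return hmac.compare_digest(hash_base_fs(fs), stored_hash)


def tampered_copy(fs: Dict[str, Tuple[int, bytes]], path: str,
                  new_content: Optional[bytes] = None,
                  new_mode: Optional[int] = None) -> Dict[str, Tuple[int, bytes]]:
    """Return a copy of fs with one entry's content and/or mode changed (demonstration only)."""
    copy = dict(fs)
    mode, content = copy[path]
    copy[path] = (new_mode if new_mode is not None else mode,
                  new_content if new_content is not None else content)
    return copy


if __name__ == "__main__":
    reference = hash_base_fs(SAMPLE_FS)  # would be computed at image build time
    print("pristine image accepted:", validate_before_mount(SAMPLE_FS, reference))
    edited = tampered_copy(SAMPLE_FS, "/base/etc/authman.conf", new_content=b"deny_by_default=0\n")
    print("content change accepted:", validate_before_mount(edited, reference))
    chmod_only = tampered_copy(SAMPLE_FS, "/base/etc/authman.conf", new_mode=0o666)
    print("mode-only change accepted:", validate_before_mount(chmod_only, reference))
```

The mode-only case is the reason the guide stresses "including all metadata": a check that hashed file contents alone would accept a tree whose permission bits had been loosened.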
Security mechanism | Description
Stack cookies | Stack cookies are a form of buffer overflow protection that helps prevent attackers from executing arbitrary code.
Robust heap implementations | The heap implementation includes a defense mechanism against the deliberate corruption of the heap area of memory. The mechanism detects or mitigates the overwriting of in-band heap data structures so that a program can fail in a secure manner.

15 Protecting the data that the BlackBerry Device Service stores in your organization's environment

Data that the BlackBerry Configuration Database stores

The BlackBerry Configuration Database stores the following information:
• Name of the BlackBerry Device Service
• Unique SRP authentication keys and unique SRP IDs, or UIDs, that the BlackBerry Device Service uses in the SRP

Best practice: Protecting the data that the BlackBerry Configuration Database stores

Best practice | Description
Audit connections to the Microsoft SQL Server. | Consider the following guidelines:
  • At a minimum, write failed connection attempts to the Microsoft SQL Server log file and review the log file regularly.
Delete unsecured, old setup files. |

Best practice | Description
Protect the Microsoft SQL Server installation from Internet-based attacks. | Consider the following guidelines:
Use a secure file system. |
Use Microsoft SQL Server Management Studio. |
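The first guideline above (write failed connection attempts to the SQL Server log file and review it regularly) only pays off if the review actually happens. The following added example, which is not part of this guide and not a BlackBerry or Microsoft tool, shows one way to automate that review: it parses `Login failed for user` entries in the layout SQL Server writes to its ERRORLOG and flags clients that produce a burst of failures inside a short window. The log excerpt is constructed for the example (hosts, user names and timestamps are invented), and the function names and thresholds are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed ERRORLOG excerpt in SQL Server's own line layout (timestamps, hosts
# and user names are invented). Error 18456 is SQL Server's login-failure event.
SAMPLE_ERRORLOG = """\
2013-05-14 10:00:00.00 spid12s     SQL Server is now ready for client connections.
2013-05-14 10:02:11.56 Logon       Error: 18456, Severity: 14, State: 8.
2013-05-14 10:02:11.56 Logon       Login failed for user 'besadmin'. Reason: Password did not match that for the login provided. [CLIENT: 10.1.2.3]
2013-05-14 10:02:12.10 Logon       Error: 18456, Severity: 14, State: 8.
2013-05-14 10:02:12.10 Logon       Login failed for user 'besadmin'. Reason: Password did not match that for the login provided. [CLIENT: 10.1.2.3]
2013-05-14 10:02:13.02 Logon       Login failed for user 'besadmin'. Reason: Password did not match that for the login provided. [CLIENT: 10.1.2.3]
2013-05-14 10:02:14.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.1.2.3]
2013-05-14 10:02:15.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.1.2.3]
2013-05-14 10:09:41.33 Logon       Login failed for user 'BESDOMAIN\\bdsadmin'. Reason: Could not find a login matching the name provided. [CLIENT: 10.1.2.9]
"""

# One "Login failed" line: timestamp, user, optional reason, client address.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\."
    r"(?: Reason: (?P<reason>.*?))? \[CLIENT: (?P<client>[^\]]+)\]$"
)


def parse_failed_logins(log_text: str) -> List[Dict]:
    """Extract failed-login events; every other line (startup, Error: 18456 summaries) is ignored."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            events.append({
                "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                "user": m["user"],
                "reason": m["reason"] or "",
                "client": m["client"],
            })
    return events


def failures_by_client(events: List[Dict]) -> Dict[str, int]:
    """Total failed logins per client address."""
    counts: Dict[str, int] = defaultdict(int)
    for e in events:
        counts[e["client"]] += 1
    return dict(counts)


def find_bursts(events: List[Dict], threshold: int = 5, window_seconds: int = 60) -> Dict[str, int]:
    """Clients with at least `threshold` failures inside any `window_seconds` window.

    Uses a sliding window over each client's sorted timestamps so a slow trickle
    of failures spread over hours is not mistaken for a burst.
    """
    by_client: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e["time"])
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for client, times in by_client.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[client] = best
    return flagged


if __name__ == "__main__":
    events = parse_failed_logins(SAMPLE_ERRORLOG)
    print("failures per client:", failures_by_client(events))
    print("clients to investigate:", find_bursts(events))
```

The two counters answer different questions: `failures_by_client` is the regular review the guideline asks for, while `find_bursts` is the alerting rule you would run more often, since a handful of failures spread across a week is normal and the same number inside a minute is not.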
16 Cryptographic algorithms, codes, protocols, and libraries that devices support

BlackBerry devices support the following types of cryptographic algorithms, codes, protocols, and APIs:
• Symmetric encryption algorithms
• Asymmetric encryption algorithms
• Hash algorithms
• Message authentication codes
• Signature algorithms
• Key agreement algorithms
• Cryptographic protocols
• Cryp

Algorithm | Key length (in bits) | Modes
DES | 56 | CBC, CFB, ECB, OFB
DESX | 184 | CBC, CFB, ECB, OFB
RC2 | up to 256 | CBC, CFB, ECB, OFB
RC4 | up to 256 | —
Triple DES | 112, 168 | CBC, CFB, ECB, OFB

Asymmetric encryption algorithms

Algorithm | Supported curve or key length (in bits)
ECIES | secp192r1, secp256r1, secp384r1, secp521r1, sect163k1, sect283k1
RSA | PKCS#1 v1.5 / PKCS#1 v2.

Message authentication codes

Codes | Key length (in bits)
AES-XCBC-MAC | 128
CMAC-AES | 128, 192, 256
HMAC-MD5 | 128
HMAC-SHA-1 | 160
HMAC-SHA-2 | 224, 256, 384, 512
HMAC-RIPEMD-160 | 160

Signature algorithms

Algorithm | Supported curve or key length (in bits)
DSA (FIPS 186-3) | 1024, 2048, 3072
ECDSA | secp192r1, secp256r1, secp384r1, secp521r1, sect163k1, sect283k1
ECQV | secp192r1, secp256r1, secp38

Key agreement algorithms

Algorithm | Supported curve or key length (in bits)
DH | 1024, 2048, 3072
ECDH | secp192r1, secp256r1, secp384r1, secp521r1, sect163k1, sect283k1
ECMQV | secp192r1, secp256r1, secp384r1, secp521r1, sect163k1, sect283k1

Cryptographic protocols

Internet security protocols
• SSL 2.0
• SSL 3.0
• TLS 1.

• WPA-Personal
• WPA-Enterprise
• WPA2-Personal
• WPA2-Enterprise

Cipher suites that a device supports for opening SSL/TLS connections

A device supports various cipher suites for direct mode SSL/TLS when the device opens SSL/TLS connections to the BlackBerry Infrastructure or to web servers that are internal or external to your organization.

• TLS_ECDH_ECDSA_WITH_RC4_128_SHA
• TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
• TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
• TLS_ECDH_RSA_WITH_RC4_128_SHA
• TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
• TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
• TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
• TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_ECDHE_RSA_
Cryptographic Libraries
• BlackBerry OS Cryptographic Library
• OpenSSL

VPN cryptographic support

Protocol | Authentication types | IKE IPSec DH group | IKE IPSec cipher | IKE IPSec hash | IKE PRF
IKE | PSK, PKI, XAUTH-PSK, XAUTH-PKI | 1, 2, 5, 7 to 26 | DES (56-bit key), Triple DES (168-bit key), AES (128, 192, 256-bit keys) | AES-XCBC, MD5, AES-XCBC, HMACSHA-1, SHA-256, MD5, HMACSHA-384, SHA-512 SHA-1,

Cryptographic protocol | Encryption | EAP outer method | EAP inner method
WPA2 | TKIP, CCMP (AES) | PEAP, EAP-TTLS, EAP-FAST, EAP-TLS, EAP-AKA, EAP-SIM | MSCHAPv2, EAP-GTC, PAP
17 Product documentation

To read the following guides or additional related materials, visit blackberry.com/go/serverdocs.

Resource | Description
BlackBerry Enterprise Service 10 Configuration Guide |
  • Instructions for how to configure server components before you start administering users and their devices
BlackBerry Device Service Advanced Administration Guide |
  • Advanced administration for BlackBerry 10 devices and BlackBerry PlayBook tablets
  • Instructions for creating user accounts, groups, roles, and administrator accounts
  • Instructions for activating devices
  •
BlackBerry Bridge App Security Technical Overview |
  • Description of how work data is protected on devices when you use the BlackBerry Bridge app
  • Description of how work data is protected when it is in transit between a BlackBerry PlayBook tablet and a BlackBerry smartphone
  • Description of attacks that the BlackBerry Bridge pairing process is designed to prevent
18 Glossary

A2DP  Advanced Audio Distribution Profile
ACL  An access control list (ACL) is a list of permissions that are associated with an object, such as a file, directory, or other network resource. It specifies which users or components have permission to perform specific operations on an object.
DRBG  deterministic random bit generator
DSA  Digital Signature Algorithm
EAP  Extensible Authentication Protocol
EAP-AKA  Extensible Authentication Protocol Authentication and Key Agreement
EAP-FAST  Extensible Authentication Protocol Flexible Authentication via Secure Tunneling
EAP-GTC  Extensible Authentication Protocol Generic Token Card
EAP-SIM  Extensible Authentication Protocol Subscriber Identity Module
EAPoL  Extensible Authentication Protocol over LAN
HTTP  Hypertext Transfer Protocol
HTTPS  Hypertext Transfer Protocol over Secure Sockets Layer
IEEE  Institute of Electrical and Electronics Engineers
IETF  Internet Engineering Task Force
IKE  Internet Key Exchange
IPPP  Internet Protocol Proxy Protocol
IPsec  Internet Protocol Security
IT policy  An IT policy consists of various IT policy rules that control the security features and behavior of BlackBerry smartphones, BlackBerry PlayB
OFB  output feedback
OPP  Object Push Profile
PAC  Protected Access Credential
PAN  Personal Area Networking
PAP  Password Authentication Protocol
PBAP  Phone Book Access Profile
PEAP  Protected Extensible Authentication Protocol
PEM  Privacy Enhanced Mail
PFX  Personal Information Exchange
PIN  personal identification number
PKCS  Public-Key Cryptography Standards
PKI  Public Key Infrastructure
PRNG  pseudorandom number generator
PSK  pre-shared key
RACE
SPP  Serial Port Profile
SRP  Server Routing Protocol
SSL  Secure Sockets Layer
TCP  Transmission Control Protocol
TCP MD5  Transmission Control Protocol message digest algorithm 5
TGT  The Ticket Granting Ticket (TGT) is a service ticket that a client of a Kerberos enabled service sends to the TGS to request the service ticket for the Kerberos enabled service.
19 Legal notice

©2013 Research In Motion Limited. All rights reserved. BlackBerry®, RIM®, Research In Motion®, and related trademarks, names, and logos are the property of Research In Motion Limited and are registered and/or used in the U.S. and countries around the world. Adobe and Reader are trademarks of Adobe Systems Incorporated. Android is a trademark of Google Inc. Bluetooth is a trademark of Bluetooth SIG. Box is a trademark of Box, Inc.

HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE SUBJECT OF THE CLAIM.

Certain features outlined in this documentation require a minimum version of BlackBerry Enterprise Server, BlackBerry Desktop Software, and/or BlackBerry Device Software. The terms of use of any RIM product or service are set out in a separate license or other agreement with RIM applicable thereto.