Specifications

a Types the user ID, activation password, and the Enterprise Management Web Service web address (if necessary) on the device
b For a work space only activation, accepts the organization notice, which outlines the terms and conditions that the user must agree to.
3. If the activation is a work space only activation, the device deletes all existing data and restarts.
4. The Enterprise Management Agent on the device performs the following actions:
a Establishes a connection to the Enterprise Management Web Service
b Sends an activation request to the Enterprise Management Web Service
c Creates the work space on the device
5. The Enterprise Management Agent and Enterprise Management Web Service generate a shared symmetric key using the activation password and EC-SPEKE. The shared symmetric key is designed to help protect the CSR and response.
6. The Enterprise Management Agent performs the following actions:
a Generates a key pair for the certificate
b Creates a PKCS#10 CSR that includes the public key of the key pair
c Encrypts the CSR using the shared symmetric key and AES-256 in CBC mode with PKCS #5 padding
d Computes an HMAC of the encrypted CSR using SHA-256 and appends it to the CSR
e Sends the encrypted CSR and HMAC to the Enterprise Management Web Service
7. The Enterprise Management Web Service performs the following actions:
a Verifies the HMAC of the encrypted CSR and decrypts the CSR using the shared symmetric key
b Retrieves the user ID, work space ID, device PIN, and your organization’s name from the BlackBerry Configuration Database
c Packages a client certificate using the information it retrieved and the CSR that the Enterprise Management Agent sent
d Signs the client certificate using the enterprise management root certificate
e Encrypts the client certificate, enterprise management root certificate, and the Enterprise Management Web Service URL using the shared symmetric key and AES-256 in CBC mode with PKCS #5 padding
f Computes an HMAC of the encrypted client certificate, enterprise management root certificate, and the Enterprise Management Web Service URL and appends it to the encrypted data
g Sends the encrypted data and HMAC to the Enterprise Management Agent
8. The Enterprise Management Agent performs the following actions:
a Verifies the HMAC
b Decrypts the data it received from the Enterprise Management Web Service
c Stores the client certificate and the enterprise management root certificate in its keystore
9. The Enterprise Management Agent and Enterprise Management Web Service perform the following actions:
Security Technical Overview Activating devices
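The encrypt-then-MAC exchange in steps 6c to 6e and 7a (mirrored in 7e to 8b), as an added Go example that is not BlackBerry's code: `Seal` pads, encrypts with AES-256 in CBC mode and appends an HMAC-SHA-256, and `Open` verifies the HMAC before it decrypts. Assumptions not stated on the page: the function names, a random IV prepended to the ciphertext and covered by the HMAC, and separate `encKey` and `macKey` parameters (the page does not say how the HMAC key relates to the shared symmetric key).

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func tag(macKey, data []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(data)
	return m.Sum(nil)
}
// Seal returns IV || AES-CBC(padded msg) || HMAC-SHA-256(IV || ciphertext); layout is assumed.
func Seal(encKey, macKey, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey) // a 32-byte key selects AES-256
	iv := make([]byte, aes.BlockSize)
	if _, rerr := rand.Read(iv); err != nil || rerr != nil { // fresh random IV per message
		return nil, fmt.Errorf("seal: bad key length or RNG failure")
	}
	n := aes.BlockSize - len(msg)%aes.BlockSize // PKCS #5 style padding: n bytes of value n
	ct := append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, ct)
	out := append(iv, ct...)
	return append(out, tag(macKey, out)...), nil
}
// Open checks the HMAC in constant time and decrypts only if it matches.
func Open(encKey, macKey, in []byte) ([]byte, error) {
	cut := len(in) - sha256.Size // where the appended HMAC starts
	block, err := aes.NewCipher(encKey)
	if err != nil || cut < 2*aes.BlockSize || cut%aes.BlockSize != 0 ||
		!hmac.Equal(in[cut:], tag(macKey, in[:cut])) {
		return nil, fmt.Errorf("open: malformed input or HMAC mismatch")
	}
	pt := make([]byte, cut-aes.BlockSize)
	cipher.NewCBCDecrypter(block, in[:aes.BlockSize]).CryptBlocks(pt, in[aes.BlockSize:cut])
	n := int(pt[len(pt)-1])
	if n < 1 || n > aes.BlockSize {
		return nil, fmt.Errorf("open: bad padding")
	}
	return pt[:len(pt)-n], nil
}

func main() { // round trip with constructed all-zero demo keys
	ct, _ := Seal(make([]byte, 32), make([]byte, 32), []byte("constructed CSR"))
	fmt.Println(Open(make([]byte, 32), make([]byte, 32), ct))
}
```

Because the HMAC is checked first, a modified ciphertext is rejected before the CBC padding is ever examined, so the receiver does not act as a padding oracle.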