Specifications
How devices are designed to prevent BlackBerry Runtime for Android apps from accessing work data and apps
BlackBerry Balance devices running BlackBerry 10 classify Android apps as personal apps, so they can be
installed only in the personal space on devices. You cannot deploy or approve Android apps for installation in the work
space. Android apps can access only personal data that is located in the personal space. Android apps do not have access
to the work apps or work data that are located in the work space.
How the BlackBerry Device Service and devices protect work and personal data and apps
BlackBerry Balance devices running BlackBerry 10 protect work data by encrypting the files stored in the work space.
Devices can also protect personal data by encrypting the files stored in the personal space if you or a user requires it. Devices
can also encrypt the files stored on media cards that are inserted in devices; only personal data can be saved to media
cards. Devices encrypt only the contents of files; file and directory names are not encrypted.
You can protect work data on devices further by requiring password protection and controlling when devices wipe their
work space.
Related information
Protecting data
How devices protect work data
BlackBerry Balance devices running BlackBerry 10 encrypt data stored in the work file system using XTS-AES-256.
A device randomly generates an encryption key to encrypt the contents of a file. The file encryption keys are protected by a
hierarchical system of encryption keys as follows:
• The device encrypts the file encryption key with the work domain key and stores the encrypted file encryption key as a
metadata attribute of the file
• The work domain key is a randomly generated key that is stored in the file system metadata and is encrypted using the
work master key
• The work master key is also randomly generated. The work master key is stored in NVRAM on the device and is
encrypted with the system master key
• The system master key is stored in the replay protected memory block on the device
• The replay protected memory block is encrypted with a key that is embedded in the processor when the processor is
manufactured
The file encryption keys, the work domain key, the work master key, and the system master key are generated using the
BlackBerry OS Cryptographic Kernel, which received FIPS 140-2 certification for the BlackBerry 10 OS.
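The key hierarchy listed above, modelled as an added example (not BlackBerry code): each key is stored only in encrypted form under its parent, so recovering a file encryption key means unwrapping every layer, starting from the processor-embedded key. The page does not name the algorithm used to encrypt one key under another, so `wrap()`/`unwrap()` are a stand-in encrypt-then-MAC construction built from HMAC-SHA256; the function names, storage labels and all key sizes except the file key's are assumptions.

```python
import hashlib, hmac, secrets

def _prf(key, label, n):
    # HMAC-SHA256 in counter mode: n pseudorandom bytes bound to `label`.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def wrap(parent, child):
    # Stand-in key wrap (encrypt-then-MAC). Assumption: the page does not
    # name the algorithm the device uses to encrypt one key under another.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(child, _prf(parent, b"enc" + nonce, len(child))))
    tag = hmac.new(_prf(parent, b"mac", 32), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(parent, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_prf(parent, b"mac", 32), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("unwrap failed: wrong parent key or modified blob")
    return bytes(a ^ b for a, b in zip(ct, _prf(parent, b"enc" + nonce, len(ct))))

# Storage locations from the list above, outermost layer first.
CHAIN = ("rpmb", "nvram", "fs_metadata", "file_attribute")

def provision():
    # Constructed sample keys; every size except the file key's is an assumption.
    processor_key = secrets.token_bytes(32)   # embedded at manufacture
    system_master = secrets.token_bytes(32)
    work_master = secrets.token_bytes(32)
    work_domain = secrets.token_bytes(32)
    file_key = secrets.token_bytes(64)        # XTS-AES-256 uses two 256-bit keys
    stored = {
        "rpmb": wrap(processor_key, system_master),
        "nvram": wrap(system_master, work_master),
        "fs_metadata": wrap(work_master, work_domain),
        "file_attribute": wrap(work_domain, file_key),
    }
    return processor_key, stored, file_key

def recover_file_key(processor_key, stored):
    # Walk the chain: each unwrapped key becomes the parent for the next layer.
    key = processor_key
    for location in CHAIN:
        key = unwrap(key, stored[location])
    return key
```

Copying the stored blobs to hardware with a different processor key, or altering any single layer, makes `recover_file_key()` raise instead of returning a key.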
Security Technical
Overview
Using BlackBerry Balance to secure BlackBerry 10 devices in your organization’s environment for work
use and personal use