Specifications
Classifying data
All data and apps on work space only devices are classified as work resources, even when users perform personal tasks on
the devices, such as visiting personal web pages or receiving personal email messages.
Protecting data
Work space only devices protect work data by encrypting the files stored in the work space. Devices can also encrypt the
files stored on media cards. Only the contents of files are encrypted; file names and directory names are not
encrypted.
You can protect data further by controlling device password requirements and controlling when device wipes occur.
Related information
Protecting data, 92
Work space encryption
Work space only devices encrypt data stored on devices using XTS-AES-256.
The device randomly generates an encryption key for each file and uses it to encrypt that file's contents. The file
encryption keys are protected by a hierarchical system of encryption keys as follows:
• The device encrypts the file encryption key with the work domain key and stores the encrypted file encryption key as a
metadata attribute of the file.
• The work domain key is a randomly generated key that is stored in the file system metadata and is encrypted using the
work master key.
• The work master key is also randomly generated. The work master key is stored in NVRAM on the device and is
encrypted with the system master key.
• The system master key is stored in the replay protected memory block on the device.
• The replay protected memory block is encrypted with a key that is embedded in the processor when the processor is
manufactured.
These keys are generated using the BlackBerry OS Cryptographic Kernel, which is FIPS 140-2 certified.
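The hierarchy above, as an added example that is not BlackBerry's code: a Go model that stores each key only under the key above it and recovers a file's contents by walking the chain top-down, so that one missing or corrupted link (or a wipe) strands everything below it. It assumes AES-256-GCM from Go's standard library in place of the device's XTS-AES-256 and of its key wrapping, does not model the processor-embedded key that protects the replay protected memory block, and models a work space wipe as overwriting the stored work master key, which the page does not describe.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)
func newKey() []byte { k := make([]byte, 32); rand.Read(k); return k }

// seal/open use AES-256-GCM, a standard-library stand-in for the device's XTS-AES-256 file
// encryption and for its key wrapping; GCM authenticates, so a wrong key fails cleanly.
func seal(key, data []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, data, nil)
}
func open(key, sealed []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key) // every key here is 32 bytes, so this cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}
// Stored is the hierarchy as the page describes it on the device: only the system master
// key is in the clear (the processor-embedded key protecting the RPMB is not modelled).
type Stored struct {
	SystemMasterKey  []byte // replay protected memory block
	WrappedMasterKey []byte // NVRAM, encrypted with the system master key
	WrappedDomainKey []byte // file-system metadata, encrypted with the work master key
	WrappedFileKey   []byte // file metadata attribute, encrypted with the work domain key
	Content          []byte // file contents, encrypted with the file key
}

// Store generates the four random keys and wraps each with its parent before saving.
func Store(plain []byte) Stored {
	sys, master, domain, file := newKey(), newKey(), newKey(), newKey()
	return Stored{sys, seal(sys, master), seal(master, domain), seal(domain, file), seal(file, plain)}
}

// Recover walks the chain top-down; one missing or corrupted link strands everything below.
func Recover(s Stored) (key []byte, err error) {
	chain := [][]byte{s.WrappedMasterKey, s.WrappedDomainKey, s.WrappedFileKey, s.Content}
	for key = s.SystemMasterKey; err == nil && len(chain) > 0; chain = chain[1:] {
		key, err = open(key, chain[0]) // the last link yields the file contents themselves
	}
	return
}
// Wipe is an assumed model of a work space wipe (the page does not say how the device wipes):
// overwriting the one stored work master key leaves every file unreadable without touching it.
func Wipe(s *Stored) { for i := range s.WrappedMasterKey { s.WrappedMasterKey[i] = 0 } }
```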
Media card encryption
By default, work space only devices allow users to save data to media cards, and that data is stored in an unencrypted
format.
Because users can store work data on media cards in an unencrypted format by default, it is highly recommended that you
turn on media card encryption using the "Media Card Encryption" IT policy rule.
To prevent users from saving data to media cards, you can set the "Media Card" IT policy rule to Disallow.
Security Technical Overview Securing work space only devices
74