User guide
Configuring BlackBerry devices to enroll
certificates over the wireless network
You can configure the BlackBerry Enterprise Server to permit BlackBerry devices to enroll certificates that the devices can
use with any PKI-enabled application or process. You can permit devices to enroll the certificates instead of instructing
users to send the certificates to themselves in an email message or use the certificate synchronization tool in the
BlackBerry Desktop Software. When you configure the BlackBerry Enterprise Server to permit devices to enroll certificates,
you can control how users request certificates and which certification authority issues the certificates.
For example, you might want Wi-Fi enabled BlackBerry devices to enroll certificates so that they can authenticate to an
enterprise Wi-Fi network.
You can enroll certificates from one of the following certification authorities:
• RSA certification authority
• Microsoft standalone certification authority
• Microsoft enterprise certification authority
During the enrollment process, the BlackBerry MDS Connection Service can verify the certificate if the certificate includes
an email address in the subject DN. The BlackBerry MDS Connection Service verifies the certificate by checking if the
email address in the subject DN of the certificate matches the email address that is assigned to the device. For more
information about the enrollment process, see the BlackBerry Enterprise Solution Security Technical Overview.
You can make the certificate enrollment process required so that devices automatically start the certificate enrollment
process after the devices receive the updated IT policy from the BlackBerry Enterprise Server. If you do not make the
certificate enrollment process required, you must instruct users to start the CA Profile Manager on the devices manually.
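The subject DN check described above, written out as an added example (this is illustrative code, not the BlackBerry MDS Connection Service implementation): it parses an RFC 4514 style string DN, pulls out any e-mail attribute, and compares it with the address assigned to the device. The DN strings, the device address and the `check_subject_email` function name are constructed for the example; the three-way result also covers the case the text singles out, a certificate with no e-mail address in its subject DN, which cannot be verified this way.

```python
"""Verify that the e-mail address in a certificate's subject DN matches the
address assigned to a device. Added example, not BlackBerry product code;
all DN strings and addresses below are constructed sample data."""
import re
from enum import Enum


class EmailCheck(Enum):
    VERIFIED = "subject DN e-mail matches the device's assigned address"
    MISMATCH = "subject DN e-mail differs from the device's assigned address"
    NO_EMAIL = "subject DN carries no e-mail address; cannot verify this way"


# Attribute types under which an e-mail address appears in a string DN:
# the short and long names plus the PKCS#9 emailAddress OID.
_EMAIL_TYPES = {"E", "EMAIL", "EMAILADDRESS", "1.2.840.113549.1.9.1"}


def _split_unescaped(s, sep):
    """Split on `sep`, ignoring separators escaped with a backslash."""
    parts, buf, i = [], [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            buf.append(c)
            buf.append(s[i + 1])
            i += 2
            continue
        if c == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value):
    """Remove simple backslash escapes (\\, \\+ \\= and so on)."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_dn(dn):
    """Parse a string DN into (TYPE, value) pairs, in the order written.
    Handles escaped separators and '+' multi-valued RDNs."""
    pairs = []
    for rdn in _split_unescaped(dn, ","):
        for ava in _split_unescaped(rdn, "+"):
            if "=" not in ava:
                raise ValueError(f"malformed RDN component: {ava!r}")
            attr, value = ava.split("=", 1)
            pairs.append((attr.strip().upper(), _unescape(value.strip())))
    return pairs


def subject_emails(subject_dn):
    """All e-mail addresses present in the subject DN (usually zero or one)."""
    return [v for t, v in parse_dn(subject_dn) if t in _EMAIL_TYPES]


def check_subject_email(subject_dn, device_email):
    """Three-way result: no e-mail in the DN is reported separately from a
    mismatch, so the caller can decide how to treat an unverifiable cert."""
    emails = subject_emails(subject_dn)
    if not emails:
        return EmailCheck.NO_EMAIL
    # Case-insensitive comparison: the domain part is case-insensitive by
    # definition, and directories do not normally distinguish local-part case.
    wanted = device_email.strip().lower()
    if any(e.lower() == wanted for e in emails):
        return EmailCheck.VERIFIED
    return EmailCheck.MISMATCH


if __name__ == "__main__":
    # Constructed sample subject DNs against a constructed device address.
    device = "alice@example.com"
    for dn in (
        "CN=Alice Example,E=alice@example.com,O=Example Corp,C=CA",
        "CN=Bob Example,EMAILADDRESS=bob@example.com,O=Example Corp",
        r"CN=Gateway Device,OU=Ops\, Inc,O=Example Corp",
        "CN=Alice Example+E=Alice@Example.com,O=Example Corp",
    ):
        print(f"{dn!r:70} -> {check_subject_email(dn, device).name}")
```

With the `cryptography` package the subject of a real certificate can be fed in as `cert.subject.rfc4514_string()`, which emits the emailAddress attribute under its OID, hence the OID in `_EMAIL_TYPES`. Only simple backslash escapes are handled; hex escapes such as `\2C` are left as written.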
Managing an enrolled certificate
After a BlackBerry device enrolls a certificate, the CA Profile Manager monitors the certificate's expiry date and revocation
status. When the expiry date approaches or the certification authority revokes the certificate, the CA Profile Manager
generates a new public-private key pair, and starts the certificate enrollment process for a new certificate.
The certificate enrollment process can also start again if you change the following IT policy rules and resend the IT policy:
• Certificate Authority Profile Name
• Certificate Authority Type
• Certificate Authority Host
• Common Name Components
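The re-enrollment triggers listed in this section, modelled as an added example (illustrative code, not the CA Profile Manager itself): a function that reports why a new enrollment would start, given the certificate's expiry date and revocation status and the IT policy before and after a resend. The text does not state how far in advance "the expiry date approaches" is judged, so the 30-day `renewal_window` default, the `reenrollment_reasons` function name and the policy values are assumptions made for the example; only the four rule names come from the page.

```python
"""Decide whether a new certificate enrollment should start, using the
triggers named in the text. Added example; rule names are from the page,
the renewal window and sample values are constructed assumptions."""
from datetime import datetime, timedelta, timezone

# The IT policy rules whose change (followed by a resend) restarts enrollment.
REENROLL_TRIGGER_RULES = (
    "Certificate Authority Profile Name",
    "Certificate Authority Type",
    "Certificate Authority Host",
    "Common Name Components",
)


def reenrollment_reasons(not_after, revoked, old_policy, new_policy, now,
                         renewal_window=timedelta(days=30)):
    """Return a list of reasons to start enrollment; empty means no action.
    `not_after` and `now` are timezone-aware datetimes; `revoked` reflects
    the CA's revocation status; policies are rule-name -> value mappings."""
    reasons = []
    if revoked:
        reasons.append("certificate revoked by the certification authority")
    # "Expiry approaches": within the window, or already past expiry.
    if not_after - now <= renewal_window:
        reasons.append(f"certificate expires {not_after.isoformat()}")
    # Only the four listed rules restart enrollment; other rule edits do not.
    for rule in REENROLL_TRIGGER_RULES:
        if old_policy.get(rule) != new_policy.get(rule):
            reasons.append(f"IT policy rule changed: {rule}")
    return reasons


if __name__ == "__main__":
    # Constructed sample state for a single device.
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    policy = {
        "Certificate Authority Profile Name": "corp-wifi",
        "Certificate Authority Type": "Microsoft enterprise",
        "Certificate Authority Host": "ca.example.internal",
        "Common Name Components": "CN=%UserName%",
    }
    resent = dict(policy, **{"Certificate Authority Host": "ca2.example.internal"})
    print(reenrollment_reasons(now + timedelta(days=365), False, policy, policy, now))
    print(reenrollment_reasons(now + timedelta(days=10), True, policy, resent, now))
```

The reason list, rather than a bare boolean, is what an administrator would want in a log line when a device unexpectedly starts enrolling again after a policy resend.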
Security Technical Overview Managing certificates on a device
105