User guide

unlock the BlackBerry device and access BlackBerry services and PKI applications using two-factor authentication
digitally sign and encrypt email messages and PIN messages using S/MIME encryption when the user installs the S/MIME Support Package for BlackBerry smartphones on the BlackBerry device
decrypt S/MIME-encrypted email messages and PIN messages
import certificates that are stored on the Advanced Security SD card into the NV store of the BlackBerry device flash memory
open SSL connections

To configure the BlackBerry device to support an Advanced Security SD card, a user must insert the Advanced Security SD card into the BlackBerry device and install the smart card driver of the Advanced Security SD card on the BlackBerry device using the BlackBerry Desktop Manager. After the user installs the smart card driver on the BlackBerry device, the user can configure the driver settings in the security options, on the Smart Card screen.

To control how a BlackBerry device can use an Advanced Security SD card, you can use the Force Smart Card Two-Factor Authentication IT policy rule, Force Smart Card Two Factor Challenge Response IT policy rule, or Disable Certificate or Key Import From External Memory IT policy rule.

To permit third-party applications on the BlackBerry device to access the Advanced Security SD card, a developer can use the SmartCard API in the BlackBerry Java Development Environment.

BlackBerry Device Software versions 5.0 and later support Advanced Security SD cards.

For more information about configuring the BlackBerry device to support an Advanced Security SD card, see the user guide for the BlackBerry device. For more information about using IT policy rules, see the BlackBerry Enterprise Server Policy Reference Guide.

Two-factor authentication

You can use the BlackBerry Smart Card Reader or an Advanced Security SD card to require a user to use a smart card and the smart card password to prove the user’s identity before the BlackBerry device unlocks. If a user installs a smart card authenticator, smart card driver, and the driver for the smart card reader on the BlackBerry device, you or the user can configure two-factor authentication on the BlackBerry device to bind the BlackBerry device to the installed smart card. After the BlackBerry device binds to the smart card, the BlackBerry device requires the user to use the smart card to authenticate before the BlackBerry device unlocks.

To require that a user authenticate with the BlackBerry device using the smart card, you can configure the Force Smart Card Two-Factor Authentication IT policy rule in the BlackBerry Administration Service. If you do not require the user to authenticate with the BlackBerry device using a smart card, the user can turn on or turn off two-factor authentication in the BlackBerry device options, in the security options, in the User Authenticator field.

Verifying that a device is bound to a smart card

After a user turns on two-factor authentication, the BlackBerry device prompts the user to insert the smart card into the BlackBerry Smart Card Reader. The device displays the label and card type of the bound smart card.
Security Technical Overview Configuring two-factor authentication and protecting Bluetooth connections