BES12 Cloud Security Guide for iOS, Android, and Windows Phone
Transcription
BES12 Cloud Security Guide for iOS, Android, and Windows Phone
Security Guide BES12 Cloud for iOS, Android, and Windows Phone Published: 2015-03-18 SWD-20150318090739059 Contents About this guide............................................................................................................... 5 What is BES12 Cloud?....................................................................................................................................................... 5 Security features.............................................................................................................. 6 Security features for devices with MDM controls................................................................................................................ 6 Security features for Android devices that use KNOX MDM................................................................................................ 7 Security features for devices with Secure Work Space........................................................................................................8 Protecting devices against jailbreaking and rooting............................................................................................................9 Supported features that are native to iOS and Android..................................................................................................... 10 Types of apps................................................................................................................................................................. 10 Activating and managing devices.................................................................................... 12 What is the BES12 Client?............................................................................................................................................... 12 Activation passwords...................................................................................................................................................... 13 User registration with the BlackBerry Infrastructure.........................................................................................................13 Using activation types to configure your control over devices .......................................................................................... 13 Data flow: Activating a device..........................................................................................................................................15 Using IT policies to manage security................................................................................................................................15 Using compliance profiles to enforce standards for iOS, Android, and Windows Phone devices.........................................16 Preventing users from installing specific iOS, Android, and Windows Phone apps......................................................17 Protecting email messages............................................................................................................................................. 17 Data at rest.....................................................................................................................18 Passwords...................................................................................................................................................................... 18 iOS device passwords.............................................................................................................................................. 18 Android device passwords....................................................................................................................................... 19 Windows Phone device passwords........................................................................................................................... 20 Security timeout............................................................................................................................................................. 21 Data wipe....................................................................................................................................................................... 21 Full device wipe....................................................................................................................................................... 21 Work data wipe........................................................................................................................................................22 Securing devices for work and personal use.....................................................................................................................23 Creating a work space on a device...................................................................................................................................24 Protecting work space data with encryption.....................................................................................................................24 Work space encryption............................................................................................................................................ 25 Protecting the work space password........................................................................................................................ 25 Inactivity timeout in the work space..........................................................................................................................26 Sharing information between secured apps..............................................................................................................26 Storing Work Browser data.......................................................................................................................................27 Storing work space data on media cards.................................................................................................................. 27 Deleting the work space...........................................................................................................................................27 Attachments for third-party secured apps................................................................................................................ 27 Showing work contacts in caller ID on iOS devices........................................................................................................... 27 Controlling when devices wipe the work space.................................................................................................................28 Data in transit.................................................................................................................30 Types of encryption used for communication between devices and your resources.......................................................... 30 Work Wi-Fi connection............................................................................................................................................. 30 VPN connection.......................................................................................................................................................31 Protecting communication with devices using certificates............................................................................................... 33 Sending client certificates to devices........................................................................................................................34 Using SCEP to enroll client certificates to devices..................................................................................................... 34 Sending CA certificates to devices............................................................................................................................35 Providing devices with single sign-on access to your organization's network.....................................................................35 Protecting data in transit between BES12 and devices.....................................................................................................36 Protecting data in transit between BES12 Cloud and your company directory...................................................................36 Data flow: Establishing a secure connection between BES12 Cloud and the BlackBerry Cloud Connector..................36 Extending the security of email messages using S/MIME.................................................................................................. 38 S/MIME certificates and S/MIME private keys on devices.......................................................................................... 38 Data flow: Sending an email message from a device using S/MIME encryption.......................................................... 39 Secured apps................................................................................................................. 40 Managing the availability of secured apps on devices.......................................................................................................40 How a work space wraps secured apps............................................................................................................................40 How a work space fingerprints secured apps................................................................................................................... 41 Product documentation.................................................................................................. 42 Glossary......................................................................................................................... 44 Legal notice....................................................................................................................46 About this guide About this guide 1 BES12 helps you manage devices for your organization, including BlackBerry 10, iOS, Android, and Windows Phone devices. This guide describes the security for iOS, Android, and Windows Phone devices. It also describes how Secure Work Space delivers a higher level of control and security to iOS and Android devices. This guide is intended for senior IT professionals responsible for evaluating the product and planning its deployment, as well as anyone who's interested in learning more about device security and Secure Work Space. After you read this guide, you should understand how BES12 can help protect data at rest, data in transit, and apps for your organization. What is BES12 Cloud? BES12 Cloud is an EMM solution from BlackBerry. EMM solutions help you manage mobile devices for your organization. You can manage BlackBerry 10, iOS, Android and Windows Phone devices, all from a unified interface. EMM solutions from BlackBerry protect business information, keep mobile workers connected with the information they need, and provide administrators with efficient tools that help keep business moving. BES12 Cloud is an EMM solution that is available in the cloud. EMM solution Description BES12 Cloud An easy-to-use, low-cost, and secure solution. BlackBerry hosts this service over the Internet. You only need a supported web browser to access the service, and BlackBerry maintains high availability to minimize downtime. Optionally, you can connect your on-premises company directory to BES12 Cloud. BES12 A comprehensive, scalable, and secure solution. Your organization installs this service in its environment. The deployment can range in size from one server to many, and you can set up and maintain high availability to minimize downtime. 5 Security features Security features 2 Different levels of security are available for the devices that BES12 manages. Silver-level EMM provides MDM controls for iOS, Android, and Windows Phone devices. MDM controls include device and app management and security features such as IT policies, profiles, and IT administration commands. Gold-level EMM provides all of these features for iOS and Android devices plus Secure Work Space. Secure Work Space is a containerization, and app wrapping option that delivers a higher level of control and security to iOS and Android devices. Secured apps are protected and separated from personal apps and data. The secured apps include an integrated email, calendar, and contacts app, an enterprise-level secure browser, and a secure document viewing and editing app. The work browser allows users to securely browse the work intranet and the Internet. If the device is lost or the employee leaves the organization, you can delete only work-related information or all information from the device. Security features for devices with MDM controls Feature Description Manage devices and their work data If the actions are supported by the device and its operating system version, you can perform many actions to control access to work data on devices: • Lock the device, change the device password, or delete information from the device • Control how the device can connect to your organization's network, including Wi-Fi settings and, for iOS devices, VPN settings • Control the capabilities of the device, such as setting rules for password strength and disabling functions like the camera • Install certificates on iOS devices and optionally configure SCEP to permit automatic certificate enrollment Manage work apps On devices with MDM controls, work apps are apps that your organization makes available for its users. You can specify whether apps are required on devices, and you can view whether a work app is installed on a device. Enforce your organization's requirements for devices You can use a compliance profile to help enforce your organization's requirements for devices, such as requiring that certain apps be installed on devices. On iOS and Android devices, you can disallow devices that are jailbroken or rooted. You can send a notification to users to ask them to meet your organization's requirements, or you can limit users' access to your organization's resources and applications, delete work data, or delete all data on the device. 6 Security features Feature Description Certificate-based authentication You can send certificates to devices using certificate profiles. You can also send certificates to iOS devices using SCEP profiles. These profiles help to restrict access to Exchange ActiveSync, Wi-Fi connections, or VPN connections to devices that use certificate-based authentication. (VPN is only available on iOS devices.) This feature also helps you control Exchange ActiveSync, Wi-Fi connections, or VPN connections on devices because BES12 is designed to automatically remove profiles and certificates when a device violates one of the predefined compliance conditions (for example, compliance conditions for jailbroken devices or rooted devices). Certificate-based authentication does not require a proxy server between the device and your organization's mail server. FIPS certification for the BES12 Client The BES12 Client is an app that allows BES12 to communicate with iOS, Android, and Windows Phone devices. The BES12 Client uses a FIPS-validated cryptographic module to encrypt all of the data that it stores directly and writes indirectly to files. Security features for Android devices that use KNOX MDM BES12 can manage Samsung devices using KNOX MDM. KNOX MDM includes the security capabilities that Samsung provides for its devices. When a device is activated, BES12 automatically identifies whether the device supports KNOX MDM. In addition to the standard Android security features, BES12 includes the following security capabilities for devices that support KNOX MDM: • An enhanced set of IT policy rules, called the KNOX MDM policy set • Enhanced application management including silent app installations and uninstallations, silent uninstallations of restricted apps, and prohibitions to installing restricted apps You can use KNOX MDM with or without Secure Work Space. Without Secure Work Space, devices require a silver license and use the "MDM controls" activation type. If you also want to use Secure Work Space, devices require a gold license and use the "Work and personal - full control" activation type. For more information about the KNOX MDM policy set, visit http://docs.blackberry.com/bes12cloud to read the BES12 Cloud Policy Reference Spreadsheet. 7 Security features Security features for devices with Secure Work Space Feature Protection of work space data on a device Description • The work space includes secured apps. Secured apps are work apps that the work space secures with additional protections. • By default, secured apps protect their data using AES-256 encryption. If you choose to allow all apps to access data in the work space, then secured apps do not encrypt their data. • Secured apps hash passwords before storing them. • The work space isolates work space data from other data. A secured app can only communicate and share data with another secured app, unless you choose to allow all apps to access data in the work space. • The work space allows a user to copy and paste from one secured app to another, but not to a work app or personal app. FIPS certification for the encryption of work space data The work space encrypts all of the data that it stores directly and writes indirectly to files using a FIPS-validated cryptographic module. Control of the behavior of a device To control the behavior of a device, you can send it an IT policy to change security settings or control hardware and software features. For example, you can send an IT policy to hide the default web browser or enforce a device password on a device with Secure Work Space. Protection of user information The device allows a user to delete all user information and app data from the device memory. Protection of the operating system • The work space can restart a process for a secured app that stops responding without negatively affecting other processes. • The work space validates requests that apps make for resources on the device. Protection of app data using sandboxing The work space uses sandboxing to separate and restrict the capabilities and permissions of secured apps that run on the device. Each application process in the work space runs in its own sandbox. The work space evaluates the requests that a secured app's processes make for memory outside of its sandbox. 8 Security features Feature Description Management of permissions to access capabilities The work space evaluates every request that a secured app makes to access a capability on the device. Ability to add secured apps from other vendors Third-party app developers can secure and re-sign their applications and make them available on the App Store or Google Play for you to send to users. Apps from the App Store or Google Play that are not designated as secured apps cannot be installed or run in the work space. Only the app vendor can secure and re-sign an app so that it can be installed in the work space. Protection of the account manager on a device Some devices use an account manager to store credentials for different user accounts. The work space protects the credentials stored by secured apps so that the credentials can be shared by secured apps but not other apps. Protection of secured apps from trojans and malicious software The work space fingerprints apps to make sure that only known and trusted apps can run as secured apps. Secured apps are validated before they are sent to a device's work space and every time that the device runs them. Detection of jailbroken or rooted status If a device is jailbroken or rooted, the user has root access to the operating system of the device. BES12 is designed to detect if a device is jailbroken or rooted. You can notify or require the user to remove jailbreaking software or rooting software from the device. If a device is jailbroken or rooted, the user cannot install the work space or acccess the work space if it's already installed. Allowed and restricted email domains To help prevent data leakage, devices with Secure Work Space support allowed and restricted domains for email, calendar, and organizer data. The allowed and restricted domain lists determine what links users can access from their work email and organizer data and who users can send email messages, calendar invitations, and organizer data to. Protecting devices against jailbreaking and rooting iOS: For iOS devices, Secure Work Space has protections against jailbreaking that go beyond the checks for path names and common files that many competitors use. Secure Work Space performs additional checks, such as testing whether privileges can be escalated by forking processes and running system calls. Secured apps perform in-process memory checks that identify jailbreak signatures in real time and provide a robust defense against all forms of jailbreak. In-process memory checks are protected by multiple mechanisms to prevent the algorithms from being overcome. For example, checks are dispersed throughout the code and include red herrings and other defensive tactics. 9 Security features Jailbreak checks run when secured apps run. If a user loses a device, and an attacker jailbreaks the device, the encryption of the work space protects the work space data from exploits such as bit copies of persistent memory. To run Secure Work Space on an iOS device that has been jailbroken, you must revert the device to a non-jailbroken state. Android OS: For Android devices, Secure Work Space uses the device manufacturer’s MDM APIs to detect whether the device has been rooted, as well as additional detection methods specific to Secure Work Space. The checks are run in order of likelihood, and stop when they detect that the device has been rooted. The device manufacturer’s detection methods are licensed through a partner program and are not publicly available. To run Secure Work Space on an Android device that has been rooted, you must revert the device to a non-rooted state. Supported features that are native to iOS and Android The following features are native to iOS and Android, and they are also supported by BES12. For more information about these features, see the iOS and Android documentation available from Apple and Google. Feature Description Full-disk encryption Full-disk encryption ensures that all of a device’s data is stored in an encrypted form, accessible to users who enter an encryption PIN or password. BES12 supports the native full-disk encryption offered on iOS and Android. Address space layout randomization Address space layout randomization makes it more difficult for attackers to exploit a device and run their own code. This technique randomizes the location of system components in memory so that attackers find it difficult to know where a vulnerability exists. BES12 supports the native address space layout randomization offered on iOS and Android. Types of apps Devices with Secure Work Space can run three different types of apps: Type of app Description Personal app An app that the user installs on the device, or an app that the manufacturer or wireless service provider installs on the device. BES12 treats these apps, and the data that they store, as personal data. 10 Security features Type of app Description Work app An app that you install and manage on a user's device. BES12 treats these apps, and the data that they store, as work data. Secured app A work app that the work space secures with additional protections. BES12 treats these apps, and the data that they store, as work space data. There are different types of secured apps: Type of app Description Default secured app A secured app that appears on every device with Secure Work Space. External secured app An app that a third party develops and the app vendor specifically prepares to run in the work space. 11 Activating and managing devices Activating and managing devices 3 Device activation associates a device with a user account in BES12 and establishes a secure communication channel between the device and BES12. BES12 allows multiple devices to be activated for the same user account. More than one active iOS, Android, Windows Phone and BlackBerry 10 device can be associated with a user account. All device types consume a license when they are activated. By default, a user can activate a device using any of the following connections: • Over any Wi-Fi connection or mobile network through the BlackBerry Infrastructure • Over any Wi-Fi connection or mobile network using a VPN connection with a connection to the BlackBerry Infrastructure (iOS only) Your organization's activation information is registered automatically with the BlackBerry Infrastructure. Users can activate their devices after they receive an activation email message from BES12, or they can log in to BES12 SelfService and request an activation password. After the activation process completes, BES12 can send apps, profiles, and IT policies to the device. If an email profile is configured, the user can send and receive work email messages using the device. What is the BES12 Client? The BES12 Client is an app that allows BES12 to communicate with iOS, Android, and Windows Phone devices. If you want to manage these devices using BES12, users must first install the BES12 Client on the devices. Users can download the latest version of the BES12 Client from the App Store for iOS devices, from Google Play for Android devices, or from the Windows Marketplace for Windows Phone. After users activate their devices, the BES12 Client allows users to do the following: • Verify whether their devices are compliant with the organization's standards • View the profiles that have been assigned to their user accounts • View the IT policy rules that have been assigned to their user accounts • Deactivate their devices 12 Activating and managing devices Activation passwords You can specify how long an activation password remains valid before it expires. You can also specify the default password length for the automatically generated password that is sent to users in the activation email message. The value that you enter for the activation period expiration appears as the default setting in the "Activation period expiration" field when you add a user account to BES12. The activation period expiration can be 1 minute to 30 days, and the length of the automatically generated password can be 4 to 16 characters. User registration with the BlackBerry Infrastructure User registration with the BlackBerry Infrastructure is a setting in the default activation settings that allows users to be registered with the BlackBerry Infrastructure when you add a user to BES12. Information sent to the BlackBerry Infrastructure is sent and stored securely. The benefit of registration is that users don't have to enter the server address when they are activating a device; they only need to enter their email address and password. The BES12 Client installed on iOS, Android, and Windows Phone devices then communicates with the BlackBerry Infrastructure to retrieve the server address. A secure connection is established with BES12 with minimal user input. You can turn off user registration with the BlackBerry Infrastructure if you don't want to send user information to BlackBerry. Using activation types to configure your control over devices You can use activation types to configure how much control you have over activated devices. This flexibility of control levels is useful if you want to have full control over a device that you issue to a user or if you want to make sure that you have no control over the personal data on a device that the user owns and brings to work. There are three activation types for Android and iOS devices, and one activation type for Windows Phone devices. Activation type Description MDM controls This activation type applies to: 13 Activating and managing devices Activation type Description • iOS • Android (including KNOX MDM) • Windows Phone This activation type provides basic device management using device controls made available by iOS, Android, and Windows Phone. There is no separate work space installed on the device, and no added security for work data. If the device supports KNOX MDM, this activation type will apply the KNOX MDM IT policy rules instead of the other IT policy rules available for Android devices. You can control the device using IT administration commands and IT policies. During activation, users with an iOS device must install a mobile device management profile, users with an Android device must permit Administrator permissions for the BES12 Client, and users with a Windows Phone device must enrol their device through the Windows Phone company apps. Work and personal - full control This activation type applies to: • iOS • Android (including KNOX MDM) This activation type provides full control of devices. When a device is activated, a separate work space is created on the device and the user must create a password to access the work space. Work data is protected using encryption and password authentication. If the device supports KNOX MDM, this activation type will apply the KNOX MDM IT policy rules instead of the other IT policy rules available for Android devices. You can control the work space, and some other aspects of the device that affect both the personal and work space using IT administration commands and IT policies. During activation, users with an iOS device must install a mobile device management profile and users with an Android device must permit Administrator permissions for the BES12 Client. Work and personal - user privacy This activation type applies to: • iOS • Android This activation type provides control of work data on devices, while making sure that there is privacy for personal data. When a device is activated, a separate work space is created on the device and the user must create a password to access the work space. Work data is protected using encryption and password authentication. 14 Activating and managing devices Activation type Description For Android devices, this activation type does not permit you to use the IT policy rules available for KNOX MDM. You can control the work space on the device using IT administration commands and IT policies, but you cannot control any aspects of the personal space on the device. Users with an iOS device are not required to install a mobile device management profile and users with an Android device do not have to permit Administrator permissions for the BES12 Client. Data flow: Activating a device You can activate a device using any wireless connection, such as a Wi-Fi network or the mobile network. 1. You add a user to BES12 using the management console. 2. If the device is an Android, iOS, or Windows Phone device, the user downloads and installs the BES12 Client on their device. 3. The user enters their activation username and password on their device. 4. BES12 verifies the user's activation credentials and sends the activation details to the device, including device configuration information. 5. The device receives the activation details from BES12 and completes the configuration. The device then sends confirmation to BES12 that the activation was successful. Using IT policies to manage security An IT policy is a set of rules that restrict or allow features and functionality on devices. IT policy rules can manage the security and behavior of devices. The device OS and device activation type determine which rules in an IT policy apply to a specific device. For example, depending on the device activation type, OS, and version, IT policy rules can be used to: 15 Activating and managing devices • Enforce password requirements on devices or the device work space • Prevent users from using the camera • Force data encryption Only one IT policy can be assigned to each user account, and the assigned IT policy is sent to all of the user's devices. If you don't assign an IT policy to a user account or to a group that a user or device belongs to, BES12 sends the Default IT policy to the user's devices. You can rank IT policies to specify which policy is sent to devices if a user or a device is a member of two or more groups that have different IT policies and no IT policy is assigned directly to the user account. BES12 sends the highest ranked IT policy to the user's devices. BES12 automatically sends IT policies to devices when a user activates a device, when an assigned IT policy is updated, and when a different IT policy is assigned to a user or group. When a device receives a new or updated IT policy, the device applies the configuration changes in near real-time. For more information about assigning and ranking IT policies, visit docs.blackberry.com/bes12cloud to see the Administration content. For more information about specific IT policy rules, visit docs.blackberry.com/bes12cloud to see the Policy Reference Spreadsheet in the Administration content. Using compliance profiles to enforce standards for iOS, Android, and Windows Phone devices You can use compliance profiles to encourage iOS, Android, and Windows Phone device users to follow your organization’s standards for the use of mobile devices. A compliance profile specifies the device conditions that aren't acceptable in your organization, the notification messages sent to users, and the actions taken if a device is non-compliant. Depending on the OS and version, you can specify whether the following conditions are permitted: • Jailbroken or rooted device • Non-assigned app is installed • Required app isn't installed You can also specify how BES12 responds when a device violates compliance rules. Actions can include the following: • Send an email message to the user • Display a notification message on the device • Prevent the user from accessing the organization's resources and apps from the device, either immediately or after a period of time • Delete work data from the device, either immediately or after a period of time • Delete all data from the device, either immediately or after a period of time 16 Activating and managing devices For Android devices that use KNOX MDM, you can add a list of restricted apps to a compliance profile. However, BES12 does not enforce the compliance rules. Instead, the restricted app list is sent to devices, and the device enforces compliance. Any restricted apps cannot be installed, or if they are already installed, they are disabled. When you remove an app from the restricted list, the app is re-enabled if it is already installed. For more information about compliance profiles, visit http://docs.blackberry.com/bes12cloud to read the BES12 Cloud Administration Guide. Preventing users from installing specific iOS, Android, and Windows Phone apps You can create a list of iOS, Android, and Windows Phone apps that you do not want users to install on their devices. For example, you can prevent users from installing malicious apps or apps that require many resources. You can create a compliance profile that specifies what action an iOS or Android device takes if a restricted app is installed and assign the compliance profile to users or user groups. If the user does not remove the restricted app from the device, the compliance profile specifies the actions that must occur. If a user installs a restricted app, the user's device reports that it is not compliant. The report displays the name of the restricted app and the actions that must occur if the user doesn't uninstall the app. For Windows Phone 8.1 or later and Android devices that use KNOX MDM, you have to add the app to the compliance profile only. The user cannot install any app that you add to the compliance profile. If a user tries to install a restricted app, the device displays a message that the app is restricted and cannot be installed. Protecting email messages Devices can use Exchange ActiveSync or IBM Notes Traveler to synchronize email messages, calendar entries, contacts, and other organizer data with your organization’s mail server. IBM Notes Traveler is supported with Windows Phone and in the secure work space on iOS and Android devices. When users send and receive email messages, the data travels over one of the following communication paths: • A direct connection from the device to the mail server through your VPN or over your work Wi-Fi network • A direct connection from the device to a mail server that is located in a DMZ or is exposed to the public network Messages and organizer data in transit between devices and your mail server aren't routed through BES12. If your organization uses SCEP to enroll certificates to iOS devices, you can associate a SCEP profile with an email profile to require certificate-based authentication to help protect connections between iOS devices and the mail server. 17 Data at rest Data at rest 4 The work space protects work space data at rest by encrypting the data and hashing passwords before storing them. You can also require password protection and control when devices wipe their work space. Passwords Device passwords protect your organization's data and user information that is stored on devices. For devices with a work space, the work space password is used to protect work space data. You can use BES12 to enforce password protection on devices. You can also use BES12 to lock devices remotely and change or clear their passwords. iOS device passwords You can use the "Password required for device" IT policy rule to require iOS device users to set a device password. You can enforce additional password requirements on devices using the following IT policy rules: • Allow simple value • Require alphanumeric value • Minimum passcode length • Minimum number of complex characters • Maximum passcode age • Maximum auto-lock • Passcode history • Maximum grace period for device lock • Maximum number of failed attempts For more information about IT policy rules, visit http://docs.blackberry.com/bes12cloud to read the BES12 Cloud Policy Reference Spreadsheet. Changing iOS device passwords You can use BES12 to lock or unlock iOS devices remotely and clear their passwords. You can do this, for example, if a device is lost or if a user forgets their password. 18 Data at rest You can use the "Lock device" IT administration command to lock a device remotely. The user must type the existing device password to unlock the device. You can use this command if a device is lost or stolen. You can use the "Unlock and clear password" IT administration command to unlock a device and clear the existing password. The user is prompted to create a new device password. You can use this command if a user forgets their device password. For more information about sending these commands to devices, visit http://docs.blackberry.com/bes12cloud to read the BES12 Cloud Administration Guide. Android device passwords You can use the "Password requirements" IT policy rule to require Android device users to set a device password and to specify minimum requirements for device passwords. You can enforce additional password requirements on devices using the following IT policy rules: • Maximum failed password attempts (native Android OS) • Maximum failed password attempts before device is disabled (KNOX MDM) • Maximum inactivity time lock • Password expiration timeout • Password history restriction • Minimum password length (native Android OS only) • Minimum uppercase letters required in password • Minimum lowercase letters required in password • Minimum letters required in password (native Android OS only) • Minimum numerical digits required in password (native Android OS only) • Minimum symbols required in password (native Android OS only) • Minimum complex characters required in password (KNOX MDM only) • Maximum character sequence length (KNOX MDM only) • Maximum numeric sequence length (KNOX MDM only) • Allow password visibility (KNOX MDM only) For more information about IT policy rules, visit http://docs.blackberry.com/bes12cloud to read the BES12 Cloud Policy Reference Spreadsheet. Changing Android device passwords You can use BES12 to lock or unlock Android devices remotely and change or clear their passwords. You can do this, for example, if a device is lost or if a user forgets the password. You can use the "Lock device" IT administration command to lock a device remotely. The user must type the existing device password to unlock the device. You can use this command if a device is lost or stolen. 19 Data at rest You can use the "Unlock and clear password" IT administration command to unlock a device and clear the existing password. The user is prompted to create a new device password. You can use this command if a user forgets their device password. You can use the "Specify device password and lock" IT administration command to create a new device password and lock a device. When the user unlocks the device, they are prompted to accept or reject the new password. You can use this command if a device is lost or stolen. For more information about sending these commands to devices, visit http://docs.blackberry.com/bes12cloud to read the BES12 Cloud Administration Guide. Windows Phone device passwords You can use the "Password required for device" IT policy rule to require Windows Phone device users to set a device password. Depending on the OS version, you can enforce additional password requirements on devices using the following IT policy rules: • Allow simple password • Minimum password length • Password complexity • Password expiration • Password history • Maximum failed password attempts • Maximum inactivity time lock • Minimum number of complex character types • Allow idle return without password For more information about IT policy rules, visit http://docs.blackberry.com/bes12cloud to read the BES12 Cloud Policy Reference Spreadsheet. Changing Windows Phone device passwords You can use BES12 to lock Windows Phone devices remotely and change or clear their passwords. You can do this, for example, if a device is lost or if a user forgets the password. You can use the "Lock device" IT administration command to lock a device remotely. The user must type the existing device password to unlock the device. You can use this command if a device is lost or stolen. You can use the "Generate device password and lock" IT administration command to create a new device password and lock a device. When the user unlocks the device, they are prompted to accept or reject the new password. You can use this command if a device is lost or stolen. For more information about sending these commands to devices, visit http://docs.blackberry.com/bes12cloud to read the BES12 Cloud Administration Guide. 20 Data at rest Security timeout You can use BES12 to require that iOS, Android, and Windows Phone devices lock after a certain period of inactivity. For iOS devices, the "Maximum auto-lock" IT policy rule can be used to require that devices lock after a certain period of inactivity. You can use the "Maximum grace period for device lock" IT policy rule to allow users to unlock their devices without entering their passwords after a specified period of inactivity. For Android devices, you can use the "Maximum inactivity time lock" IT policy rule to require that a device lock after a specified period of inactivity. For Windows Phone devices, you can use the "Maximum inactivity time lock" IT policy rule to require that a device lock after a specified period of inactivity. For more information about IT policy rules, visit http://docs.blackberry.com/bes12cloud to read the BES12 Cloud Policy Reference Spreadsheet. Data wipe To protect your organization's data and user information on devices, you can use BES12 to delete work data or all data on devices. Users can also delete work data or all data on their devices. Full device wipe Devices delete all data in the device memory when any of the following events occur: Event Device type Description You send the “Delete all device data” IT administration command to a device. • iOS • Android • Windows Phone You can use BES12 to delete all data from devices using the "Delete all device data" IT administration command. For example, you can send this command to a device to redistribute a previously used device to another user in your organization, or to a device that is lost and unlikely to be recovered. This command deletes all user information and app data that the device stores (including information in the work space, if applicable) returns the device to factory defaults, and removes the device from BES12. After you submit this command, an option to remove the device from BES12 is displayed. If the device can no longer 21 Data at rest Event Device type Description connect to BES12, you can remove the device from BES12. If the device connects to BES12 after you removed it, only the work data is removed from the device, including the work space, if applicable. For more information about sending this command to devices, visit http://docs.blackberry.com/bes12cloud to read the BES12 Cloud Administration Guide. A user types the device password incorrectly more times than the "Maximum number of failed attempts" IT policy rule allows. • iOS • Android • Windows Phone A user uses the "Erase All Content And Settings" option on an iOS 8 device. iOS This command deletes all user information and app data that the device stores, including information in the work space, and returns the device to factory defaults. A user can delete all data on devices using the "Erase All Content And Settings" option on the device. Work data wipe To protect your organization's data on devices, devices delete all work data when any of the following events occur: Event Device type Description You send the “Delete only work data” IT administration command to a device. • iOS • Android • Windows Phone You can use BES12 to delete all work data from devices using the "Delete only work data" IT administration command. For example, you can send this command to a personal device when a user no longer works at your organization, or if a device is lost or stolen. This command deletes work data, including the IT policy, profiles, apps, and certificates that are on a device, and removes the device from BES12. After you submit this command, an option to remove the device from BES12 is displayed. If the device can no longer connect to BES12, you can remove the device from BES12. If the device connects to BES12 after you removed it, only the work data is removed from the device, including the work space, if applicable. A user can still use the device while the work space data is being deleted. 22 Data at rest Event Device type Description For more information about sending this command to devices, visit http://docs.blackberry.com/bes12cloud to read the BES12 Cloud Administration Guide. Securing devices for work and personal use Secure Work Space technology allows users to use their iOS and Android devices for both work and personal use securely. For example, Secure Work Space allows your organization to control its information even when it’s stored on devices that employees own and bring to work. The security features of BES12 and Secure Work Space control how devices protect your organization's data, apps, and network connections and force devices to treat your organization's data and apps differently from personal data and apps. This means that you can: • Control access to your organization's data and apps on devices • Prevent data from being compromised • Delete your organization's data and apps from devices when you need to • Control network connections that work and personal apps use Secure Work Space uses separate areas of the device called spaces to separate work and personal activities. A space is a distinct area of the device that enables the segregation and management of different types of data, apps, and network connections. Different spaces can have different rules for data storage, app permissions, and network routing. The separate spaces help users to avoid activities such as copying work data into a personal app. 23 Data at rest Creating a work space on a device To create a work space on a device, you activate it on BES12 using either the “Work and personal - full control” or “Work and personal - user privacy” activation type. The work space is a segregated area of the device for work resources where users can create, edit, and save work documents. The work space also stores configuration details from the server and any information associated with them, such as Microsoft Active Directory credentials and profiles. During the activation process, the device encrypts the work space. By default, during the activation process, devices with Secure Work Space require users to set a work space password. The work space password is used to protect work space data and secured apps. You can use IT policy rules to control password requirements, such as complexity and length. After a device is activated on BES12, the device still contains the personal space on the device and any user data, apps, or network connections that the user was using before the device was activated. Users can use their devices for activities that your organization's security policies might not otherwise allow, such as downloading videos, playing online multi-player games, or uploading personal photos and Facebook entries, without exposing the work data that is stored on the device. For more information about IT policy rules, visit http://docs.blackberry.com/bes12cloud to read the BES12 Cloud Policy Reference Spreadsheet. Protecting work space data with encryption A work space protects work space data by encrypting the data that secured apps store using AES-256 encryption. The work space randomly generates a separate encryption key for each secured app and encrypts the keys with the user's work space password. The work space encrypts all of the data that a secured app stores directly and writes indirectly to files. The encryption libraries (OpenSSL-FIIPTS or iOS crypto on iOS, and OpenSSL-FIPS on Android OS) are components of the FIPS validated BlackBerry Cryptographic Library for Secure Work Space. Secured apps can only share data with other secured apps. When a secured app requests to share data with another app, the work space intercepts the request and allows the request to proceed if both apps are secured apps. If both apps are not secured apps, the work space rejects the request. The work space allows a user to copy and paste from one secured app to another, but not to a work app or personal app. 24 Data at rest Work space encryption For Android devices, the Android OS assigns a UID to an app when the app is installed. The UID is unique to each app, except when the app requests to share a UID with another app. The two apps in this case must be signed with the same certificate from the same developer. Each UID is assigned a random encryption key the first time that the UID runs, and the UID uses the key to encrypt its data. The keys are stored in a separate secure filesystem in the work space, and the filesystem is shared between secured apps. When the app with the UID runs for the first time, it requests the encryption key associated with the UID from the Work Space Manager app. All of the secure filesystem, except for the first block, is encrypted using AES-256 in CBC mode with 128-bit blocks. The key to the filesystem is stored in the first block, and then the first block is encrypted with a key derived from the work space password. For iOS devices, the Secure Work Space assigns each secured app a random encryption key the first time that the app runs, and the app uses the key to encrypt its data. The keys are stored in a completely segmented virtual and secure filesystem that is shared between the apps. The underlying block structure of the secure filesystem is proprietary. The virtual filesystem is layered on top of a NAND-style block, with a virtual device interface. On both Android and iOS devices, the entire virtual filesystem, except for the first block, is encrypted using AES-256 in CBC mode with 128-bit blocks. The key to the virtual filesystem is stored in the first block, and then the first block is encrypted with a key derived from the work space password. The work space password is derived using PBKDF2 as the key derivation function with HMAC-SHA1. Protecting the work space password The work space does not store the work space password. Instead, it encrypts data using a hash derived from the password as the encryption key. After the password has been set, when the user enters the password to access the work space, the work space tries to decrypt data with the hash derived from the password that the user entered. If the data does not decrypt, the password that the user entered is rejected as incorrect. 25 Data at rest To allow for password resets, the device generates a public and private key, encrypts the derived key for the work space with the private key, and stores the encrypted block independently of the work space. The device sends the public key to BES12 and deletes local copies of the public and private keys. When the user changes the work space password, the device regenerates the derived key. A user can change the work space password at any time, and an administrator can use an IT administration command to reset the work space password and force the user to change it. When an administrator uses the IT administration command to reset the work space password, BES12 sends the public key back to the device and the device uses the public key to decrypt the derived key. The user is also forced to enter a new work space password. BES12 and the BlackBerry Infrastructure do not store the user’s encryption keys. Inactivity timeout in the work space When a secured app is sent to the background by a user, it starts the inactivity grace period timer for the work space. If the user launches another secured app during the grace period, the user doesn’t need to enter their work space password. You can configure the inactivity timeout using the "Inactivity period before locking" IT policy rule. You can configure the inactivity timeout using the "Inactivity period before locking" IT policy rule. For more information, visit http://docs.blackberry.com/ bes12cloud to read the BES12 Cloud Policy Reference Spreadsheet. Sharing information between secured apps Federating allows secured apps to share information in a controlled manner. App wrapping provides a defined interface that restricts what the apps can do when they communicate using the encrypted filesystem. When a secured app is wrapped in the BlackBerry Infrastructure, a hash of the app’s code is produced. This hash is also known as a fingerprint, and the BlackBerry Infrastructure records the fingerprint and the app’s metadata. When a secured app runs for the first time on a device, the device generates a runtime version of the app’s fingerprint and metadata and sends them to the BlackBerry Infrastructure. The BlackBerry Infrastructure compares the fingerprint and metadata that it stored with the runtime versions of the fingerprint and metadata. If they match, the BlackBerry Infrastructure notifies the device that it can federate and run the app. If the two versions of the fingerprint and metadata do not match, the BlackBerry Infrastructure notifies the device that it cannot federate and run the app, and the user sees an error message. A dynamic federation list on the device identifies which secured apps can federate. When the BlackBerry Infrastructure notifies the device that it can federate and run an app, the device adds the app to the federation list. Each subsequent time the app is run, the device compares the runtime fingerprint of the app to the fingerprint cached in the federation list. At any time, the BlackBerry Infrastructure can revoke the federation list and force the device to reconstruct the list. Network connectivity is required to verify an app to allow federation. When federation is successful, the federated apps can perform a key exchange with constraints so that they have access to the same data in the encrypted filesystem. 26 Data at rest Storing Work Browser data When using the Work Browser, the work space does not store Internet or intranet passwords. Cookie storage, however, is protected by the secure filesystem just like other work space data. Storing work space data on media cards For Android devices, any work space data that is stored on media cards is part of the secure filesystem, just like any work space data stored on the device itself. The data on the media card can only be decrypted when the card is attached to the original device and the user has entered the work space password. The data on the media card is cryptographically inaccessible if the card is inserted into another device because the encryption keys are not available. Deleting the work space When you delete the work space from a device, you do not need to perform additional steps to prevent the recovery of data. Without the encryption keys, any recovered data is cryptographically inaccessible. Deleting the work space also deletes work space data from a media card if it is connected to the device at the time of deletion. Attachments for third-party secured apps By default, attachments for a third-party secured app cannot be opened outside of the UID unless the app allows for data sharing with other apps. Examples of attachments for a third-party secured app include email, MMS, and browser downloads. The wrapping on the app intercepts the standard APIs that iOS and Android use and prevents the app from transferring data to another app. Private APIs are not allowed in iOS or Android. The wrapping also ensures that attachments are encrypted before they are stored. Showing work contacts in caller ID on iOS devices You can use the "Work Connect contacts" IT policy rule to specify whether caller ID on an iOS device can show the names and phone numbers of work contacts, even if the work space is locked. This rule allows the Work Connect app in the work space to export work contacts to the personal address book (the Contacts app). The Work Connect app exports contact names and phone numbers only. When you deactivate the device, work contacts are removed from the personal address book. If this rule is set to "Export to personal address book," the Work Connect app exports the work contacts to the personal address book. The app also exports a work contact again when the work contact's name or phone number changes or a contact is added or deleted. Only work contacts with phone numbers are exported. 27 Data at rest If this rule is set to "Do not export to personal address book," work contacts are not exported, and calls and SMS text messages from work contacts do not display the contact name. If this rule is set to "Allow user to configure," a user can choose to export work contacts from the Work Connect app to the personal address book. Controlling when devices wipe the work space To protect your organization’s data, you can wipe all work data from a device. All personal data remains on the device. For example, you can do this if a user no longer works at your organization. The following table lists examples of data that is removed when devices wipe the work space: Item Description Work email messages • Email messages that are sent to the user’s email app in the work space • Email messages that the user sends from the email app in the work space • Draft email messages that the user creates using the email app in the work space • Attachments that are sent to the user’s email app in the work space • Attachments that the user sends from the email app in the work space • Attachments that the user saves to the work space Attachments Calendar entries Calendar entries that the user creates using the calendar app in the work space Contacts Contacts that BES12 synchronizes with the user’s contacts app in the work space Tasks and memos All tasks and memos that BES12 synchronizes with the user's tasks and memos app in the work space Browser All Work Browser data Files Files that the user accessed and downloaded from your organization’s network IT policy IT policy that is assigned to the device Work apps For an iOS device, work apps that an administrator sent to a device Work app data For an iOS device, work data that is associated with work apps on the device (for example, saved settings) Secured apps For an iOS device, secured apps that a user downloaded and installed on a device. For an Android device, the user is prompted to remove the secured apps. If the user does not remove the secured apps, they remain on the device but the user cannot run them. Work space data For an iOS device, work space data that is associated with secured apps on the device. 28 Data at rest Item Description For an Android device, the user is prompted to remove the work space data (for example, saved settings). If the user does not remove the work space data, it remains on the device but the user cannot access the data. Profiles For an iOS device, VPN, Wi-Fi, email, SCEP, CA certificate, shared certificate, single signon, and managed domains profiles. For an Android device, Wi-Fi, email, CA certificate, and shared certificate profiles. 29 Data in transit Data in transit 5 With BES12, when you manage an iOS, Android, or Windows Phone device, you can protect data in transit with security settings, VPNs, and certificates. Types of encryption used for communication between devices and your resources Communication between a device and your organization’s resources can use various types of encryption. The type of encryption used depends on the connection method. Encryption type Description Wi-Fi encryption (IEEE 802.11) Wi-Fi encryption is used for data in transit between a device and wireless access point if the wireless access point was set up to use Wi-Fi encryption. VPN encryption VPN encryption is used for data in transit between a device and a VPN server. SSL/TLS encryption SSL/TLS encryption is used for data in transit between a device and content server, web server, or mail server in your organization. The encryption for this connection must be set up separately on each server and uses a separate certificate with each server. The server might use SSL or TLS, depending on how it's set up. Work Wi-Fi connection In a work Wi-Fi connection, a device connects to your organization’s resources using the settings that you configured in a Wi-Fi profile. Wi-Fi encryption is used if the wireless access point was set up to use it. 30 Data in transit Protecting Wi-Fi connections A device can connect to work Wi-Fi networks that use the IEEE 802.11 standard. The IEEE 802.11i standard uses the IEEE 802.1X standard for authentication and key management to protect work Wi-Fi networks. The IEEE 802.11i standard specifies that organizations must use the PSK protocol or the IEEE 802.1X standard as the access control method for Wi-Fi networks. You can use Wi-Fi profiles to send Wi-Fi configuration information, including security settings and any required certificates to devices. VPN connection In a VPN connection, an iOS device connects to your organization’s resources through any wireless access point or a mobile network, your organization’s firewall, and your organization’s VPN server. Wi-Fi encryption is used if the wireless access point was set up to use it. 31 Data in transit Connecting to a VPN If your organization’s environment includes VPNs, such as IPsec VPNs or SSL VPNs, you can configure iOS devices to authenticate with a VPN to access your organization's network. A VPN provides an encrypted tunnel between a device and the network. A VPN solution consists of a VPN client on a device and a VPN concentrator. The device can use the VPN client to authenticate with the VPN concentrator, which acts as the gateway to your organization's network. Each device includes a built-in VPN client that supports several VPN concentrators. Depending on the VPN solution, a client app may need to be installed on the device. The VPN client on the device supports the use of strong encryption to authenticate itself with the VPN concentrator. It creates an encrypted tunnel between the device and the VPN concentrator that the device and your organization's network can use to communicate. How BES12 configures a device to use per-app VPN and VPN on demand When BES12 sends a VPN profile to a device, it uses a configuration profile defined by Apple to send a VPN payload and perapp VPN payload (if necessary) to the device. BES12 converts the settings that you specified in the VPN profile to a series of keys and values (for example, BES12 converts the connection type that you specified to the VPNType key). For more information about configuration profiles, visit www.apple.com to read the Configuration Profile Reference. Enabling per-app VPN for iOS apps You can use per-app VPN to specify which work apps and secured apps on iOS devices must use a VPN for their data in transit. Per-app VPN helps decrease the load on your organization’s VPN by enabling only certain work traffic to use the VPN (for example, accessing application servers or webpages behind the firewall). This feature also supports user privacy and increases connection speed for personal apps by not sending the personal traffic through the VPN. You then associate apps with per-app VPN by assigning the VPN profile to apps or app groups. How BES12 chooses which per-app VPN settings to assign Only one VPN profile can be assigned to an app or app group. BES12 uses the following rules to determine which per-app VPN settings to assign to an app: • Per-app VPN settings that are associated with an app directly take precedence over per-app VPN settings associated indirectly by an app group. • Per-app VPN settings that are associated with a user directly take precedence over per-app VPN settings associated indirectly by a user group. • Per-app VPN settings that are assigned to a required app take precedence over per-app VPN settings assigned to an optional instance of the same app. • Per-app VPN settings that are associated with the user group name that appears earlier in the alphabetical list takes precedence if the following conditions are met: ◦ An app is assigned to multiple user groups 32 Data in transit ◦ The same app appears in the user groups ◦ The app is assigned in the same way, either as a single app or an app group ◦ The app has the same disposition in all assignments, either required or optional For example, you assign Cisco WebEx Meetings as an optional app to the user groups Development and Marketing. When a user is in both groups, the per-app VPN settings for the Development group is applied to the WebEx Meetings app for that user. If a per-app VPN profile is assigned to a device group, it takes precedence over the per-app VPN profile that is assigned to the user account for any devices that belong to the device group. Enabling VPN on demand for iOS devices VPN on demand allows you to specify whether an iOS device connects automatically to a VPN in a particular domain. Certificates, such as SCEP or Shared certificates, provide authentication for the user's device when accessing the particular domain. For example, you can specify your organization's domain to allow users access to your intranet content using VPN on demand. How BES12 configures a device to use per-app VPN and VPN on demand When BES12 sends a VPN profile to a device, it uses a configuration profile defined by Apple to send a VPN payload and perapp VPN payload (if necessary) to the device. BES12 converts the settings that you specified in the VPN profile to a series of keys and values (for example, BES12 converts the connection type that you specified to the VPNType key). For more information about configuration profiles, visit www.apple.com to read the Configuration Profile Reference. Protecting communication with devices using certificates A certificate is a digital document that binds the identity and public key of a certificate subject. Each certificate has a corresponding private key that is stored separately. A CA signs the certificate to verify that it can be trusted. Devices can use certificates to: • Authenticate using SSL/TLS when they connect to web pages that use HTTPS • Authenticate with a work mail server • Authenticate with a work Wi-Fi network and, for iOS devices only, VPN • Encrypt and sign email messages using S/MIME protection (iOS devices only) You can send client certificates and CA certificates to all devices managed by BES12. 33 Data in transit Sending client certificates to devices You might need to distribute client certificates to devices if the devices use certificate-based authentication to connect to a network or server in your organization’s environment, or if your organization uses S/MIME. Depending on the device capabilities, client certificates can be used for many purposes, including certificate-based authentication from the browser, connecting to your work Wi-Fi network, work VPN, or work mail server, and for digital signatures on S/MIME-protected email messages. You can send client certificates to devices in several ways: Profile Description SCEP profiles You can create SCEP profiles that iOS devices use to request and obtain client certificates from a SCEP-compliant Microsoft or Entrust CA. When you use SCEP to enroll client certificates to iOS, the administrator never has access to the user's private key. User credential profiles If your organization uses Entrust IdentityGuard to issue and manage certificates, you can create user credential profiles that iOS and Android devices use to get client certificates from your organization's CA. When you use Entrust IdentityGuard, the administrator does not have access to the user's private key. Shared certificate profiles A shared certificate profile specifies a client certificate that BES12 sends to iOS and Android devices. BES12 sends the same client certificate to every user that the profile is assigned to. The administrator must have access to the certificate and private key to create a shared certificate profile. Sending client certificates to individual user accounts To send a client certificate to the devices for an individual user, you can add a client certificate to a user account. BES12 sends the certificate to the user's iOS and Android devices. The administrator must have access to the certificate and private key to send the client certificate to the user. For more information about sending client certificates to devices, visit http://docs.blackberry.com/bes12cloud to read the BES12 Cloud Administration Guide. Using SCEP to enroll client certificates to devices SCEP is an IETF protocol that simplifies the process of enrolling certificates to a large number of devices without any administrator input or approval required to issue each certificate. iOS devices can use SCEP to request and obtain client 34 Data in transit certificates from a SCEP-compliant Microsoft or Entrust CA that your organization uses. You can use SCEP to enroll client certificates to devices so that the devices can use certificate-based authentication in the browser and to connect to a work Wi-Fi network, work VPN, or work mail server. Certificate enrollment starts after a device receives a SCEP profile that is assigned to the user or associated with an assigned WiFi, VPN, or email profile. Devices can receive a SCEP profile from BES12 during the activation process, when you change a SCEP profile, or when you change another profile that has an associated SCEP profile. After the certificate enrollment completes, the client certificate and its certificate chain and private key are stored in the work keystore on the device. If you use a Microsoft CA, the CA must support challenge passwords. The CA uses challenge passwords to verify that the device is authorized to submit a certificate request. If the CA has implemented NDES, you use dynamic challenge passwords. You specify the static challenge password or the settings to obtain a dynamically generated challenge password from the SCEP service in the SCEP profile. The password is sent to the device to allow the device to make the certificate request. If you use a static challenge password, all devices that use the SCEP profile use the same challenge password. The certificate enrollment process does not delete existing certificates from devices or notify the CA that previously enrolled certificates are no longer in use. If a SCEP profile is removed from BES12, the corresponding certificates are not removed from the assigned users' devices. To read the SCEP Internet Draft, visit www.ietf.org. Sending CA certificates to devices You might need to distribute CA certificates to devices if your organization uses S/MIME or if devices use certificate-based authentication to connect to a network or server in your organization’s environment. When the certificates for the CAs that issued your organization's network and server certificates are stored on devices, the devices can trust your networks and servers when making secure connections. When the CA certificates for the CAs that issued your organization's S/MIME certificates are stored on devices, the devices can trust the sender's certificate when an S/MIMEprotected email message is received. You can use CA certificate profiles to send CA certificates to devices. For more information, visit docs.blackberry.com/ bes12cloud to see the Administration content. Providing devices with single sign-on access to your organization's network You can allow iOS 7 and later device users to authenticate automatically with domains and web services in your organization’s network. You can use single sign-on profiles to set up device authentication using a user’s login information or certificate. Certificate authentication is supported for iOS 8.0 and later devices. After you assign a single sign-on profile to a user, the user's login information or certificate is saved on the device the first time they access a domain specified in the profile. The user's saved login information or certificate is used automatically when the user tries to access any of the domains specified in the profile. 35 Data in transit The user is not prompted again for the login information or certificate until the user's password changes or the certificate expires. BES12 supports Kerberos for single sign-on access for the browser and apps on iOS 7 and later devices. You can restrict which apps have single sign-on access. For more information on creating single sign-on profiles, visit http://docs.blackberry.com/bes12cloud to read the BES12 Cloud Administration Guide. Protecting data in transit between BES12 and devices BES12 protects the data in transit between itself and iOS, Android, and Windows Phone devices. During the activation process for these devices, a mutually authenticated TLS connection is established between BES12 and the BES12 Client on the device. When BES12 needs to send configuration information such as IT polices, profiles, and app configurations to a device, BES12 and the device use the TLS connection to protect the data. Protecting data in transit between BES12 Cloud and your company directory The BlackBerry Cloud Connector is an optional component that you can install behind your organization's firewall to provide a secure connection between BES12 Cloud and your company directory. If you use the BlackBerry Cloud Connector to give BES12 Cloud access to your company directory, you can create user accounts by searching for and importing user data from the directory and you can allow users to use their directory credentials to access BES12 Self-Service. BES12 Cloud synchronizes user data with the directory daily. You can also start the synchronization process manually for individual users. For more information about configuring the BlackBerry Cloud Connector, visit docs.blackberry.com/bes12cloud to see the Administration content. Data flow: Establishing a secure connection between BES12 Cloud and the BlackBerry Cloud Connector 1. You download the installation and activation files using the administration console and install the BlackBerry Cloud Connector on a computer that can access the Internet and your company directory. 2. The BlackBerry Cloud Connector establishes a connection with BES12 Cloud and sends an activation request. 36 Data in transit 3. BES12 Cloud verifies that the activation information is valid. 4. The BlackBerry Cloud Connector and BES12 Cloud generate a shared symmetric key using the activation password and EC-SPEKE. The shared symmetric key protects the CSR and response. 5. The BlackBerry Cloud Connector performs the following actions: 6. 7. 8. a Generates a key pair for the certificate b Creates a PKCS#10 CSR that includes the public key of the key pair c Encrypts the CSR using the shared symmetric key and AES-256 in CBC mode with PKCS #5 padding d Computes an HMAC of the encrypted CSR using SHA-256 and appends it to the CSR e Sends the encrypted CSR and HMAC to BES12 Cloud BES12 Cloud performs the following actions: a Verifies the HMAC of the encrypted CSR and decrypts the CSR using the shared symmetric key b Packages a client certificate using your organization's information and the CSR that the BlackBerry Cloud Connector sent c Signs the client certificate using the enterprise management root certificate d Encrypts the client certificate, enterprise management root certificate, and the BES12 Cloud URL using the shared symmetric key and AES-256 in CBC mode with PKCS #5 padding e Computes an HMAC of the encrypted client certificate, enterprise management root certificate, and the BES12 Cloud URL and appends it to the encrypted data f Sends the encrypted data and HMAC to the BlackBerry Cloud Connector The BlackBerry Cloud Connector performs the following actions: a Verifies the HMAC b Decrypts the data it received from BES12 Cloud c Stores the client certificate and the enterprise management root certificate in its keystore d Establishes a TLS connection with BES12 Cloud e Creates a registration request that includes the tenant ID, the client certificate signed with its private key using SHA1 and ECDSA, and the time stamp of the signing action f Sends the registration request to BES12 Cloud BES12 Cloud performs the following actions: a Validates the registration request b Ensures that the time stamp of the signing action isn't older than 3 minutes c Performs one of the following actions: • If the validation is successful, registers the BlackBerry Cloud Connector instance and sends the BlackBerry Cloud Connector an authorization token that the BlackBerry Cloud Connector uses for subsequent connections with BES12 Cloud. • If the validation fails, BES12 Cloud closes the TLS connection with the BlackBerry Cloud Connector. 37 Data in transit After the BlackBerry Cloud Connector is activated and registration is complete, when BES12 Cloud sends a directory request to the BlackBerry Cloud Connector, a mutually authenticated TLS connection is established using the trusted certificates and the authorization token and the BlackBerry Cloud Connector sends your company directory information to BES12 Cloud over the secure TLS connection. Extending the security of email messages using S/MIME You can extend the security of email messages for iOS and Android device users by permitting users to send and receive S/ MIME-protected email messages in secured apps. Digitally signing or encrypting messages adds another level of security to email messages that users send or receive from the work space. Users can digitally sign or encrypt messages using S/MIME encryption if they use a work email account that supports S/MIME-protected messages in the work space. When a device is activated and the work space enabled, you can allow users to choose whether the device signs, encrypts, or signs and encrypts messages, using S/MIME encryption when sending email messages using a work email address. Digital signatures help recipients verify the authenticity and integrity of messages that users send. When a user digitally signs a message with their private key, recipients use the sender's public key to verify that the message is from the sender and that the message has not changed. Encryption helps keep messages confidential. When a user encrypts a message, the device uses the recipient's public key to encrypt the message. The recipient uses their private key to decrypt the message. Devices support keys and certificates in the PFX file format with either a .pfx or .p12 file name extension. Users must store their private keys and a certificate for each recipient that they want to send an encrypted email message to in the work space on their devices. Users can store a key and certificates by importing the files from a work email message. If devices don't have S/MIME support turned on, users can't send signed or encrypted email messages from the devices. If users don't have their private keys on their devices, users can't read S/MIME-encrypted messages on the devices, and the devices display an error message. S/MIME certificates and S/MIME private keys on devices Devices with Secure Work Space can use public key cryptography with S/MIME certificates and S/MIME private keys to encrypt and decrypt email messages. Item Description S/MIME public key When a user sends an email message from a device, the device uses the S/MIME public key of the recipient to encrypt the message. When a user receives a signed email message on a device, the device uses the S/ MIME public key of the sender to verify the message signature. 38 Data in transit Item Description S/MIME private key When a user sends a signed email message from a device, the device hashes the message using SHA-1, SHA-2, or MD5. The device then uses the S/MIME private key of the user to digitally sign the message hash. When a user receives an encrypted email message on a device, the device uses the private key of the user to decrypt the message. The private key is stored on the device. Data flow: Sending an email message from a device using S/ MIME encryption 1. A user sends an email message from a device. The device performs the following actions: a Checks the device keystore for the S/MIME certificate of the recipient. b Encrypts the email message with the S/MIME certificate of the recipient. c Sends the encrypted message to the mail server. 2. The mail server sends the S/MIME-encrypted message to the recipient. 3. The recipient decrypts the S/MIME-encrypted message using the recipient's S/MIME private key. 39 Secured apps Secured apps 6 The work space protects secured apps by wrapping and fingerprinting the apps. You can distribute secured apps from the App Store or Google Play that the app vendor has specifically prepared to run in the work space. Managing the availability of secured apps on devices Secured apps can only access work space data and interact with other secured apps. Default secured apps appear on every device with Secure Work Space. The following apps are default secured apps: Device type iOS Android Name • Work Connect - for email, calendar, contacts, notes, and tasks • Work Browser - for web browsing • Documents To Go - for viewing and editing Microsoft Office files • Work Space Manager - required to run the other secured apps on the device • Secure Work Space - for email, calendar, contacts, and web browsing • Documents To Go - for viewing and editing Microsoft Office files Third-party app vendors can create secured apps that are prepared specifically to run in the work space and make them available in the App Store or Google Play. You can install these apps in the work space on users' devices. Apps from the App Store or Google Play that are not designated as secured apps cannot be installed or run in the work space. Only the app vendor can secure and re-sign an app so that it can be installed in the work space. How a work space wraps secured apps A work space protects secured apps from other apps running on the device by using app wrapping. App wrapping is a process that adds a layer of security and control around an existing app. The source code of the app is not changed. Instead, the wrapping process takes the requests that the app makes to system services and redirects them to a library of mechanisms and policies. The app wrapping process is fully compatible with the policies that Apple enforces for iOS devices. 40 Secured apps The app wrapping process interposes system API calls to allow the work space to redirect a secured app's requests for system services. For the Android OS, where apps run under the Dalvik virtual machine, the work space performs the interposing on two layers: replacing Dalvik byte-code API calls with its own intercepts, and linking calls for native object code. For iOS, where apps do not run under a virtual machine, the work space links calls for native object code only. The app wrapping process then repackages the app so that the security code and the original code are physically inseparable. This repackaging ensures that any subsequent modifications to a secured app by a third party will prevent the secured app from running on the device. How a work space fingerprints secured apps A work space protects secured apps from trojans and malicious software by using fingerprinting. Fingerprinting uses an algorithm to map an app to a short bit string, which is the app's fingerprint. The fingerprint serves as a unique record of the app. Verifying a fingerprint is more efficient than transmitting and comparing the original app with the app on the device, which involves much larger files than a fingerprint. Before a secured app is added to a device with Secure Work Space, the BlackBerry Infrastructure fingerprints the secured app. The BlackBerry Infrastructure sends the secured app and the fingerprint to the device. Before the secured app is added to the device, the work space calculates the secured app's fingerprint and compares it to the fingerprint sent by the BlackBerry Infrastructure. Each time that the secured app is run, the work space recalculates the secured app's fingerprint and compares it with the fingerprint sent by the BlackBerry Infrastructure. In all cases, if the fingerprints being compared do not match, the device does not run the secured app. 41 Product documentation Product documentation 7 Resource Description BES12 Cloud Product Overview • Introduction to BES12 and its features • Finding your way through the documentation • Architecture BES12 Cloud Architecture and Data Flow Reference Guide • Descriptions of BES12 components • Descriptions of activation and other data flows, such as configuration updates and email, for different types of devices Release notes BES12 Cloud Release Notes • Descriptions of known issues and potential workarounds Licensing BES12 Cloud Licensing Guide • Descriptions of different types of licenses • Instructions for registering with BES12 Cloud and managing licenses • Basic and advanced administration for all supported device types, including BlackBerry 10 devices, iOS devices, Android devices, and Windows Phone devices • Instructions for creating user accounts, groups, roles, and administrator accounts • Instructions for activating devices • Instructions for creating and assigning IT policies and profiles • Instructions for managing apps on devices • Descriptions of profile settings BES12 Cloud Policy Reference Spreadsheet • Descriptions of IT policy rules for BlackBerry 10 devices, iOS devices, Android devices, and Windows Phone devices BES12 Cloud Security Guide for BlackBerry • Description of the security maintained by BES12, the BlackBerry Infrastructure, and BlackBerry 10 devices to protect data and connections Overview Administration Security BES12 Cloud Administration Guide 42 Product documentation Resource BES12 Cloud Security Guide for iOS, Android, and Windows Phone Description • Description of the BlackBerry 10 OS • Description of how work data is protected on BlackBerry 10 devices when you use BES12 • Description of the security maintained by BES12, the BlackBerry Infrastructure, and work space-enabled devices to protect work space data at rest and in transit • Description of how work space apps are protected on work space-enabled devices when you use BES12 43 Glossary Glossary 8 AES Advanced Encryption Standard API application programming interface CA certification authority CBC cipher block chaining EMM Enterprise Mobility Management FIPS Federal Information Processing Standards HMAC keyed-hash message authentication code HTTPS Hypertext Transfer Protocol over Secure Sockets Layer IEEE Institute of Electrical and Electronics Engineers IETF Internet Engineering Task Force IP Internet Protocol IPsec Internet Protocol Security MD5 Message-Digest Algorithm, version 5 MDM mobile device management MMS Multimedia Messaging Service NDES Network Device Enrollment Service PBKDF2 Password-Based Key Derivation Function 2 PFX Personal Information Exchange PIN personal identification number PSK pre-shared key S/MIME Secure Multipurpose Internet Mail Extensions SCEP simple certificate enrollment protocol SHA Secure Hash Algorithm SMS Short Message Service SSL Secure Sockets Layer TCP Transmission Control Protocol TCP/IP Transmission Control Protocol/Internet Protocol (TCP/IP) is a set of communication protocols that is used to transmit data over networks, such as the Internet. 44 Glossary TLS Transport Layer Security UID unique identifier VPN virtual private network 45 Legal notice Legal notice 9 ©2015 BlackBerry. All rights reserved. BlackBerry® and related trademarks, names, and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world. Android, Google, Dalvik and Google Play are trademarks of Google Inc. Apple and App Store are trademarks of Apple Inc. Cisco WebEx is a trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. Entrust and Entrust IdentityGuard are trademarks of Entrust, Inc. Facebook is a trademark of Facebook, Inc. IBM and Notes are trademarks of International Business Machines Corporation. IEEE, 802.1X, 802.11, and 802.11i are trademarks of the Institute of Electrical and Electronics Engineers, Inc. iOS is a trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS® is used under license by Apple Inc. Kerberos is a trademark of Massachusetts Institute of Technology. Microsoft, Active Directory, ActiveSync, and Windows Phone are trademarks of Microsoft Corporation. OpenSSL is a trademark of the The OpenSSL Software Foundation, Inc. Samsung, Samsung KNOX, and KNOX are trademarks of Samsung Electronics Co., Ltd. Wi-Fi is a trademark of the Wi-Fi Alliance. All other trademarks are the property of their respective owners. This documentation including all documentation incorporated by reference herein such as documentation provided or made available on the BlackBerry website provided or made accessible "AS IS" and "AS AVAILABLE" and without condition, endorsement, guarantee, representation, or warranty of any kind by BlackBerry Limited and its affiliated companies ("BlackBerry") and BlackBerry assumes no responsibility for any typographical, technical, or other inaccuracies, errors, or omissions in this documentation. In order to protect BlackBerry proprietary and confidential information and/or trade secrets, this documentation may describe some aspects of BlackBerry technology in generalized terms. BlackBerry reserves the right to periodically change information that is contained in this documentation; however, BlackBerry makes no commitment to provide any such changes, updates, enhancements, or other additions to this documentation to you in a timely manner or at all. This documentation might contain references to third-party sources of information, hardware or software, products or services including components and content such as content protected by copyright and/or third-party websites (collectively the "Third Party Products and Services"). BlackBerry does not control, and is not responsible for, any Third Party Products and Services including, without limitation the content, accuracy, copyright compliance, compatibility, performance, trustworthiness, legality, decency, links, or any other aspect of Third Party Products and Services. The inclusion of a reference to Third Party Products and Services in this documentation does not imply endorsement by BlackBerry of the Third Party Products and Services or the third party in any way. EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS OR WARRANTIES OF DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE, MERCHANTABILITY, MERCHANTABLE QUALITY, NONINFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NONPERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND CONDITIONS. TO THE EXTENT PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE DOCUMENTATION TO THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE HEREBY 46 Legal notice LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE SUBJECT OF THE CLAIM. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL BLACKBERRY BE LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NONPERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE FOLLOWING DAMAGES: DIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED DAMAGES, DAMAGES FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION OR LOSS OF DATA, FAILURES TO TRANSMIT OR RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY APPLICATIONS USED IN CONJUNCTION WITH BLACKBERRY PRODUCTS OR SERVICES, DOWNTIME COSTS, LOSS OF THE USE OF BLACKBERRY PRODUCTS OR SERVICES OR ANY PORTION THEREOF OR OF ANY AIRTIME SERVICES, COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR SERVICES, COST OF CAPITAL, OR OTHER SIMILAR PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR UNFORESEEN, AND EVEN IF BLACKBERRY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, BLACKBERRY SHALL HAVE NO OTHER OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING ANY LIABILITY FOR NEGLIGENCE OR STRICT LIABILITY. THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF THE CAUSE OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL BREACH OR BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY CONTAINED HEREIN; AND (B) TO BLACKBERRY AND ITS AFFILIATED COMPANIES, THEIR SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS (INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED BLACKBERRY DISTRIBUTORS (ALSO INCLUDING AIRTIME SERVICE PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT CONTRACTORS. IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR, EMPLOYEE, AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF BLACKBERRY OR ANY AFFILIATES OF BLACKBERRY HAVE ANY LIABILITY ARISING FROM OR RELATED TO THE DOCUMENTATION. Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure that your airtime service provider has agreed to support all of their features. Some airtime service providers might not offer Internet browsing functionality with a subscription to the BlackBerry® Internet Service. Check with your service provider for availability, roaming arrangements, service plans and features. Installation or use of Third Party Products and Services with BlackBerry's products and services may require one or more patent, trademark, copyright, or other licenses in order to avoid infringement or violation of third party rights. You are solely responsible for determining whether to use Third Party Products and Services and if any third party licenses are required to do so. If required you are responsible for acquiring them. You should not install or use Third Party Products and Services until all necessary licenses have been acquired. Any Third Party Products and Services that are provided with BlackBerry's products and services are provided as a convenience to you and are provided "AS IS" with no express or implied conditions, endorsements, guarantees, representations, or warranties of any kind by BlackBerry and BlackBerry assumes no liability whatsoever, in relation thereto. Your use of Third Party Products and Services shall be governed by and subject to you agreeing to the terms of separate licenses and other agreements applicable thereto with third parties, except to the extent expressly covered by a license or other agreement with BlackBerry. The terms of use of any BlackBerry product or service are set out in a separate license or other agreement with BlackBerry applicable thereto. NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN 47 Legal notice AGREEMENTS OR WARRANTIES PROVIDED BY BLACKBERRY FOR PORTIONS OF ANY BLACKBERRY PRODUCT OR SERVICE OTHER THAN THIS DOCUMENTATION. BlackBerry Enterprise Software incorporates certain third-party software. The license and copyright information associated with this software is available at http://worldwide.blackberry.com/legal/thirdpartysoftware.jsp. BlackBerry Limited 2200 University Avenue East Waterloo, Ontario Canada N2K 0A7 BlackBerry UK Limited 200 Bath Road Slough, Berkshire SL1 3XE United Kingdom Published in Canada 48