BES12 Cloud Security Guide for iOS, Android, and Windows Phone

Transcription

BES12 Cloud Security Guide for iOS, Android, and Windows Phone
Security Guide
BES12 Cloud
for iOS, Android, and Windows Phone
Published: 2015-03-18
SWD-20150318090739059
Contents
About this guide............................................................................................................... 5
What is BES12 Cloud?....................................................................................................................................................... 5
Security features.............................................................................................................. 6
Security features for devices with MDM controls................................................................................................................ 6
Security features for Android devices that use KNOX MDM................................................................................................ 7
Security features for devices with Secure Work Space........................................................................................................8
Protecting devices against jailbreaking and rooting............................................................................................................9
Supported features that are native to iOS and Android..................................................................................................... 10
Types of apps................................................................................................................................................................. 10
Activating and managing devices.................................................................................... 12
What is the BES12 Client?............................................................................................................................................... 12
Activation passwords...................................................................................................................................................... 13
User registration with the BlackBerry Infrastructure.........................................................................................................13
Using activation types to configure your control over devices .......................................................................................... 13
Data flow: Activating a device..........................................................................................................................................15
Using IT policies to manage security................................................................................................................................15
Using compliance profiles to enforce standards for iOS, Android, and Windows Phone devices.........................................16
Preventing users from installing specific iOS, Android, and Windows Phone apps......................................................17
Protecting email messages............................................................................................................................................. 17
Data at rest.....................................................................................................................18
Passwords...................................................................................................................................................................... 18
iOS device passwords.............................................................................................................................................. 18
Android device passwords....................................................................................................................................... 19
Windows Phone device passwords........................................................................................................................... 20
Security timeout............................................................................................................................................................. 21
Data wipe....................................................................................................................................................................... 21
Full device wipe....................................................................................................................................................... 21
Work data wipe........................................................................................................................................................22
Securing devices for work and personal use.....................................................................................................................23
Creating a work space on a device...................................................................................................................................24
Protecting work space data with encryption.....................................................................................................................24
Work space encryption............................................................................................................................................ 25
Protecting the work space password........................................................................................................................ 25
Inactivity timeout in the work space..........................................................................................................................26
Sharing information between secured apps..............................................................................................................26
Storing Work Browser data.......................................................................................................................................27
Storing work space data on media cards.................................................................................................................. 27
Deleting the work space...........................................................................................................................................27
Attachments for third-party secured apps................................................................................................................ 27
Showing work contacts in caller ID on iOS devices........................................................................................................... 27
Controlling when devices wipe the work space.................................................................................................................28
Data in transit.................................................................................................................30
Types of encryption used for communication between devices and your resources.......................................................... 30
Work Wi-Fi connection............................................................................................................................................. 30
VPN connection.......................................................................................................................................................31
Protecting communication with devices using certificates............................................................................................... 33
Sending client certificates to devices........................................................................................................................34
Using SCEP to enroll client certificates to devices..................................................................................................... 34
Sending CA certificates to devices............................................................................................................................35
Providing devices with single sign-on access to your organization's network.....................................................................35
Protecting data in transit between BES12 and devices.....................................................................................................36
Protecting data in transit between BES12 Cloud and your company directory...................................................................36
Data flow: Establishing a secure connection between BES12 Cloud and the BlackBerry Cloud Connector..................36
Extending the security of email messages using S/MIME.................................................................................................. 38
S/MIME certificates and S/MIME private keys on devices.......................................................................................... 38
Data flow: Sending an email message from a device using S/MIME encryption.......................................................... 39
Secured apps................................................................................................................. 40
Managing the availability of secured apps on devices.......................................................................................................40
How a work space wraps secured apps............................................................................................................................40
How a work space fingerprints secured apps................................................................................................................... 41
Product documentation.................................................................................................. 42
Glossary......................................................................................................................... 44
Legal notice....................................................................................................................46
About this guide
About this guide
1
BES12 helps you manage devices for your organization, including BlackBerry 10, iOS, Android, and Windows Phone devices.
This guide describes the security for iOS, Android, and Windows Phone devices. It also describes how Secure Work Space
delivers a higher level of control and security to iOS and Android devices.
This guide is intended for senior IT professionals responsible for evaluating the product and planning its deployment, as well as
anyone who's interested in learning more about device security and Secure Work Space. After you read this guide, you should
understand how BES12 can help protect data at rest, data in transit, and apps for your organization.
What is BES12 Cloud?
BES12 Cloud is an EMM solution from BlackBerry. EMM solutions help you manage mobile devices for your organization. You
can manage BlackBerry 10, iOS, Android and Windows Phone devices, all from a unified interface.
EMM solutions from BlackBerry protect business information, keep mobile workers connected with the information they need,
and provide administrators with efficient tools that help keep business moving.
BES12 Cloud is an EMM solution that is available in the cloud.
EMM solution
Description
BES12 Cloud
An easy-to-use, low-cost, and secure solution. BlackBerry hosts this service over
the Internet. You only need a supported web browser to access the service, and
BlackBerry maintains high availability to minimize downtime. Optionally, you can
connect your on-premises company directory to BES12 Cloud.
BES12
A comprehensive, scalable, and secure solution. Your organization installs this
service in its environment. The deployment can range in size from one server to
many, and you can set up and maintain high availability to minimize downtime.
5
Security features
Security features
2
Different levels of security are available for the devices that BES12 manages. Silver-level EMM provides MDM controls for iOS,
Android, and Windows Phone devices. MDM controls include device and app management and security features such as IT
policies, profiles, and IT administration commands. Gold-level EMM provides all of these features for iOS and Android devices
plus Secure Work Space.
Secure Work Space is a containerization, and app wrapping option that delivers a higher level of control and security to iOS and
Android devices. Secured apps are protected and separated from personal apps and data. The secured apps include an
integrated email, calendar, and contacts app, an enterprise-level secure browser, and a secure document viewing and editing
app. The work browser allows users to securely browse the work intranet and the Internet. If the device is lost or the employee
leaves the organization, you can delete only work-related information or all information from the device.
Security features for devices with MDM controls
Feature
Description
Manage devices and their work data
If the actions are supported by the device and its operating system version, you can
perform many actions to control access to work data on devices:
•
Lock the device, change the device password, or delete information from the
device
•
Control how the device can connect to your organization's network, including
Wi-Fi settings and, for iOS devices, VPN settings
•
Control the capabilities of the device, such as setting rules for password
strength and disabling functions like the camera
•
Install certificates on iOS devices and optionally configure SCEP to permit
automatic certificate enrollment
Manage work apps
On devices with MDM controls, work apps are apps that your organization makes
available for its users. You can specify whether apps are required on devices, and
you can view whether a work app is installed on a device.
Enforce your organization's
requirements for devices
You can use a compliance profile to help enforce your organization's requirements
for devices, such as requiring that certain apps be installed on devices. On iOS and
Android devices, you can disallow devices that are jailbroken or rooted.
You can send a notification to users to ask them to meet your organization's
requirements, or you can limit users' access to your organization's resources and
applications, delete work data, or delete all data on the device.
6
Security features
Feature
Description
Certificate-based authentication
You can send certificates to devices using certificate profiles. You can also send
certificates to iOS devices using SCEP profiles. These profiles help to restrict access
to Exchange ActiveSync, Wi-Fi connections, or VPN connections to devices that use
certificate-based authentication. (VPN is only available on iOS devices.)
This feature also helps you control Exchange ActiveSync, Wi-Fi connections, or VPN
connections on devices because BES12 is designed to automatically remove
profiles and certificates when a device violates one of the predefined compliance
conditions (for example, compliance conditions for jailbroken devices or rooted
devices).
Certificate-based authentication does not require a proxy server between the
device and your organization's mail server.
FIPS certification for the BES12 Client
The BES12 Client is an app that allows BES12 to communicate with iOS, Android,
and Windows Phone devices. The BES12 Client uses a FIPS-validated
cryptographic module to encrypt all of the data that it stores directly and writes
indirectly to files.
Security features for Android devices that use
KNOX MDM
BES12 can manage Samsung devices using KNOX MDM. KNOX MDM includes the security capabilities that Samsung provides
for its devices. When a device is activated, BES12 automatically identifies whether the device supports KNOX MDM.
In addition to the standard Android security features, BES12 includes the following security capabilities for devices that support
KNOX MDM:
•
An enhanced set of IT policy rules, called the KNOX MDM policy set
•
Enhanced application management including silent app installations and uninstallations, silent uninstallations of
restricted apps, and prohibitions to installing restricted apps
You can use KNOX MDM with or without Secure Work Space. Without Secure Work Space, devices require a silver license and
use the "MDM controls" activation type. If you also want to use Secure Work Space, devices require a gold license and use the
"Work and personal - full control" activation type.
For more information about the KNOX MDM policy set, visit http://docs.blackberry.com/bes12cloud to read the BES12 Cloud
Policy Reference Spreadsheet.
7
Security features
Security features for devices with Secure Work
Space
Feature
Protection of work space data on a
device
Description
•
The work space includes secured apps. Secured apps are work apps that
the work space secures with additional protections.
•
By default, secured apps protect their data using AES-256 encryption. If
you choose to allow all apps to access data in the work space, then
secured apps do not encrypt their data.
•
Secured apps hash passwords before storing them.
•
The work space isolates work space data from other data. A secured app
can only communicate and share data with another secured app, unless
you choose to allow all apps to access data in the work space.
•
The work space allows a user to copy and paste from one secured app to
another, but not to a work app or personal app.
FIPS certification for the encryption of
work space data
The work space encrypts all of the data that it stores directly and writes indirectly to
files using a FIPS-validated cryptographic module.
Control of the behavior of a device
To control the behavior of a device, you can send it an IT policy to change security
settings or control hardware and software features. For example, you can send an
IT policy to hide the default web browser or enforce a device password on a device
with Secure Work Space.
Protection of user information
The device allows a user to delete all user information and app data from the device
memory.
Protection of the operating system
•
The work space can restart a process for a secured app that stops
responding without negatively affecting other processes.
•
The work space validates requests that apps make for resources on the
device.
Protection of app data using sandboxing The work space uses sandboxing to separate and restrict the capabilities and
permissions of secured apps that run on the device. Each application process in the
work space runs in its own sandbox.
The work space evaluates the requests that a secured app's processes make for
memory outside of its sandbox.
8
Security features
Feature
Description
Management of permissions to access
capabilities
The work space evaluates every request that a secured app makes to access a
capability on the device.
Ability to add secured apps from other
vendors
Third-party app developers can secure and re-sign their applications and make
them available on the App Store or Google Play for you to send to users.
Apps from the App Store or Google Play that are not designated as secured apps
cannot be installed or run in the work space. Only the app vendor can secure and
re-sign an app so that it can be installed in the work space.
Protection of the account manager on a
device
Some devices use an account manager to store credentials for different user
accounts. The work space protects the credentials stored by secured apps so that
the credentials can be shared by secured apps but not other apps.
Protection of secured apps from trojans
and malicious software
The work space fingerprints apps to make sure that only known and trusted apps
can run as secured apps. Secured apps are validated before they are sent to a
device's work space and every time that the device runs them.
Detection of jailbroken or rooted status
If a device is jailbroken or rooted, the user has root access to the operating system
of the device. BES12 is designed to detect if a device is jailbroken or rooted. You
can notify or require the user to remove jailbreaking software or rooting software
from the device. If a device is jailbroken or rooted, the user cannot install the work
space or acccess the work space if it's already installed.
Allowed and restricted email domains
To help prevent data leakage, devices with Secure Work Space support allowed and
restricted domains for email, calendar, and organizer data. The allowed and
restricted domain lists determine what links users can access from their work email
and organizer data and who users can send email messages, calendar invitations,
and organizer data to.
Protecting devices against jailbreaking and
rooting
iOS:
For iOS devices, Secure Work Space has protections against jailbreaking that go beyond the checks for path names and
common files that many competitors use. Secure Work Space performs additional checks, such as testing whether privileges
can be escalated by forking processes and running system calls.
Secured apps perform in-process memory checks that identify jailbreak signatures in real time and provide a robust defense
against all forms of jailbreak. In-process memory checks are protected by multiple mechanisms to prevent the algorithms from
being overcome. For example, checks are dispersed throughout the code and include red herrings and other defensive tactics.
9
Security features
Jailbreak checks run when secured apps run. If a user loses a device, and an attacker jailbreaks the device, the encryption of
the work space protects the work space data from exploits such as bit copies of persistent memory.
To run Secure Work Space on an iOS device that has been jailbroken, you must revert the device to a non-jailbroken state.
Android OS:
For Android devices, Secure Work Space uses the device manufacturer’s MDM APIs to detect whether the device has been
rooted, as well as additional detection methods specific to Secure Work Space. The checks are run in order of likelihood, and
stop when they detect that the device has been rooted. The device manufacturer’s detection methods are licensed through a
partner program and are not publicly available.
To run Secure Work Space on an Android device that has been rooted, you must revert the device to a non-rooted state.
Supported features that are native to iOS and
Android
The following features are native to iOS and Android, and they are also supported by BES12. For more information about these
features, see the iOS and Android documentation available from Apple and Google.
Feature
Description
Full-disk encryption
Full-disk encryption ensures that all of a device’s data is stored in an encrypted
form, accessible to users who enter an encryption PIN or password. BES12
supports the native full-disk encryption offered on iOS and Android.
Address space layout randomization
Address space layout randomization makes it more difficult for attackers to exploit
a device and run their own code. This technique randomizes the location of system
components in memory so that attackers find it difficult to know where a
vulnerability exists. BES12 supports the native address space layout randomization
offered on iOS and Android.
Types of apps
Devices with Secure Work Space can run three different types of apps:
Type of app
Description
Personal app
An app that the user installs on the device, or an app that the manufacturer or
wireless service provider installs on the device. BES12 treats these apps, and the
data that they store, as personal data.
10
Security features
Type of app
Description
Work app
An app that you install and manage on a user's device. BES12 treats these apps,
and the data that they store, as work data.
Secured app
A work app that the work space secures with additional protections. BES12 treats
these apps, and the data that they store, as work space data.
There are different types of secured apps:
Type of app
Description
Default secured app
A secured app that appears on every device with Secure Work Space.
External secured app
An app that a third party develops and the app vendor specifically prepares to run
in the work space.
11
Activating and managing devices
Activating and managing devices
3
Device activation associates a device with a user account in BES12 and establishes a secure communication channel between
the device and BES12.
BES12 allows multiple devices to be activated for the same user account. More than one active iOS, Android, Windows Phone
and BlackBerry 10 device can be associated with a user account.
All device types consume a license when they are activated.
By default, a user can activate a device using any of the following connections:
•
Over any Wi-Fi connection or mobile network through the BlackBerry Infrastructure
•
Over any Wi-Fi connection or mobile network using a VPN connection with a connection to the BlackBerry
Infrastructure (iOS only)
Your organization's activation information is registered automatically with the BlackBerry Infrastructure.
Users can activate their devices after they receive an activation email message from BES12, or they can log in to BES12 SelfService and request an activation password.
After the activation process completes, BES12 can send apps, profiles, and IT policies to the device. If an email profile is
configured, the user can send and receive work email messages using the device.
What is the BES12 Client?
The BES12 Client is an app that allows BES12 to communicate with iOS, Android, and Windows Phone devices. If you want to
manage these devices using BES12, users must first install the BES12 Client on the devices. Users can download the latest
version of the BES12 Client from the App Store for iOS devices, from Google Play for Android devices, or from the Windows
Marketplace for Windows Phone.
After users activate their devices, the BES12 Client allows users to do the following:
•
Verify whether their devices are compliant with the organization's standards
•
View the profiles that have been assigned to their user accounts
•
View the IT policy rules that have been assigned to their user accounts
•
Deactivate their devices
12
Activating and managing devices
Activation passwords
You can specify how long an activation password remains valid before it expires. You can also specify the default password
length for the automatically generated password that is sent to users in the activation email message.
The value that you enter for the activation period expiration appears as the default setting in the "Activation period expiration"
field when you add a user account to BES12.
The activation period expiration can be 1 minute to 30 days, and the length of the automatically generated password can be 4
to 16 characters.
User registration with the BlackBerry
Infrastructure
User registration with the BlackBerry Infrastructure is a setting in the default activation settings that allows users to be
registered with the BlackBerry Infrastructure when you add a user to BES12. Information sent to the BlackBerry Infrastructure
is sent and stored securely.
The benefit of registration is that users don't have to enter the server address when they are activating a device; they only need
to enter their email address and password. The BES12 Client installed on iOS, Android, and Windows Phone devices then
communicates with the BlackBerry Infrastructure to retrieve the server address. A secure connection is established with BES12
with minimal user input.
You can turn off user registration with the BlackBerry Infrastructure if you don't want to send user information to BlackBerry.
Using activation types to configure your control
over devices
You can use activation types to configure how much control you have over activated devices. This flexibility of control levels is
useful if you want to have full control over a device that you issue to a user or if you want to make sure that you have no control
over the personal data on a device that the user owns and brings to work.
There are three activation types for Android and iOS devices, and one activation type for Windows Phone devices.
Activation type
Description
MDM controls
This activation type applies to:
13
Activating and managing devices
Activation type
Description
•
iOS
•
Android (including KNOX MDM)
•
Windows Phone
This activation type provides basic device management using device controls
made available by iOS, Android, and Windows Phone. There is no separate work
space installed on the device, and no added security for work data.
If the device supports KNOX MDM, this activation type will apply the KNOX MDM IT
policy rules instead of the other IT policy rules available for Android devices.
You can control the device using IT administration commands and IT policies.
During activation, users with an iOS device must install a mobile device
management profile, users with an Android device must permit Administrator
permissions for the BES12 Client, and users with a Windows Phone device must
enrol their device through the Windows Phone company apps.
Work and personal - full control
This activation type applies to:
•
iOS
•
Android (including KNOX MDM)
This activation type provides full control of devices. When a device is activated, a
separate work space is created on the device and the user must create a password
to access the work space. Work data is protected using encryption and password
authentication.
If the device supports KNOX MDM, this activation type will apply the KNOX MDM IT
policy rules instead of the other IT policy rules available for Android devices.
You can control the work space, and some other aspects of the device that affect
both the personal and work space using IT administration commands and IT
policies. During activation, users with an iOS device must install a mobile device
management profile and users with an Android device must permit Administrator
permissions for the BES12 Client.
Work and personal - user privacy
This activation type applies to:
•
iOS
•
Android
This activation type provides control of work data on devices, while making sure
that there is privacy for personal data. When a device is activated, a separate work
space is created on the device and the user must create a password to access the
work space. Work data is protected using encryption and password authentication.
14
Activating and managing devices
Activation type
Description
For Android devices, this activation type does not permit you to use the IT policy
rules available for KNOX MDM.
You can control the work space on the device using IT administration commands
and IT policies, but you cannot control any aspects of the personal space on the
device. Users with an iOS device are not required to install a mobile device
management profile and users with an Android device do not have to permit
Administrator permissions for the BES12 Client.
Data flow: Activating a device
You can activate a device using any wireless connection, such as a Wi-Fi network or the mobile network.
1.
You add a user to BES12 using the management console.
2.
If the device is an Android, iOS, or Windows Phone device, the user downloads and installs the BES12 Client on their
device.
3.
The user enters their activation username and password on their device.
4.
BES12 verifies the user's activation credentials and sends the activation details to the device, including device
configuration information.
5.
The device receives the activation details from BES12 and completes the configuration. The device then sends
confirmation to BES12 that the activation was successful.
Using IT policies to manage security
An IT policy is a set of rules that restrict or allow features and functionality on devices. IT policy rules can manage the security
and behavior of devices. The device OS and device activation type determine which rules in an IT policy apply to a specific
device. For example, depending on the device activation type, OS, and version, IT policy rules can be used to:
15
Activating and managing devices
•
Enforce password requirements on devices or the device work space
•
Prevent users from using the camera
•
Force data encryption
Only one IT policy can be assigned to each user account, and the assigned IT policy is sent to all of the user's devices. If you
don't assign an IT policy to a user account or to a group that a user or device belongs to, BES12 sends the Default IT policy to
the user's devices.
You can rank IT policies to specify which policy is sent to devices if a user or a device is a member of two or more groups that
have different IT policies and no IT policy is assigned directly to the user account. BES12 sends the highest ranked IT policy to
the user's devices.
BES12 automatically sends IT policies to devices when a user activates a device, when an assigned IT policy is updated, and
when a different IT policy is assigned to a user or group. When a device receives a new or updated IT policy, the device applies
the configuration changes in near real-time.
For more information about assigning and ranking IT policies, visit docs.blackberry.com/bes12cloud to see the Administration
content. For more information about specific IT policy rules, visit docs.blackberry.com/bes12cloud to see the Policy Reference
Spreadsheet in the Administration content.
Using compliance profiles to enforce standards
for iOS, Android, and Windows Phone devices
You can use compliance profiles to encourage iOS, Android, and Windows Phone device users to follow your organization’s
standards for the use of mobile devices. A compliance profile specifies the device conditions that aren't acceptable in your
organization, the notification messages sent to users, and the actions taken if a device is non-compliant.
Depending on the OS and version, you can specify whether the following conditions are permitted:
•
Jailbroken or rooted device
•
Non-assigned app is installed
•
Required app isn't installed
You can also specify how BES12 responds when a device violates compliance rules. Actions can include the following:
•
Send an email message to the user
•
Display a notification message on the device
•
Prevent the user from accessing the organization's resources and apps from the device, either immediately or after a
period of time
•
Delete work data from the device, either immediately or after a period of time
•
Delete all data from the device, either immediately or after a period of time
16
Activating and managing devices
For Android devices that use KNOX MDM, you can add a list of restricted apps to a compliance profile. However, BES12 does
not enforce the compliance rules. Instead, the restricted app list is sent to devices, and the device enforces compliance. Any
restricted apps cannot be installed, or if they are already installed, they are disabled. When you remove an app from the
restricted list, the app is re-enabled if it is already installed.
For more information about compliance profiles, visit http://docs.blackberry.com/bes12cloud to read the BES12 Cloud
Administration Guide.
Preventing users from installing specific iOS, Android, and
Windows Phone apps
You can create a list of iOS, Android, and Windows Phone apps that you do not want users to install on their devices. For
example, you can prevent users from installing malicious apps or apps that require many resources.
You can create a compliance profile that specifies what action an iOS or Android device takes if a restricted app is installed and
assign the compliance profile to users or user groups. If the user does not remove the restricted app from the device, the
compliance profile specifies the actions that must occur. If a user installs a restricted app, the user's device reports that it is not
compliant. The report displays the name of the restricted app and the actions that must occur if the user doesn't uninstall the
app.
For Windows Phone 8.1 or later and Android devices that use KNOX MDM, you have to add the app to the compliance profile
only. The user cannot install any app that you add to the compliance profile. If a user tries to install a restricted app, the device
displays a message that the app is restricted and cannot be installed.
Protecting email messages
Devices can use Exchange ActiveSync or IBM Notes Traveler to synchronize email messages, calendar entries, contacts, and
other organizer data with your organization’s mail server. IBM Notes Traveler is supported with Windows Phone and in the
secure work space on iOS and Android devices.
When users send and receive email messages, the data travels over one of the following communication paths:
•
A direct connection from the device to the mail server through your VPN or over your work Wi-Fi network
•
A direct connection from the device to a mail server that is located in a DMZ or is exposed to the public network
Messages and organizer data in transit between devices and your mail server aren't routed through BES12.
If your organization uses SCEP to enroll certificates to iOS devices, you can associate a SCEP profile with an email profile to
require certificate-based authentication to help protect connections between iOS devices and the mail server.
17
Data at rest
Data at rest
4
The work space protects work space data at rest by encrypting the data and hashing passwords before storing them. You can
also require password protection and control when devices wipe their work space.
Passwords
Device passwords protect your organization's data and user information that is stored on devices. For devices with a work
space, the work space password is used to protect work space data. You can use BES12 to enforce password protection on
devices.
You can also use BES12 to lock devices remotely and change or clear their passwords.
iOS device passwords
You can use the "Password required for device" IT policy rule to require iOS device users to set a device password.
You can enforce additional password requirements on devices using the following IT policy rules:
•
Allow simple value
•
Require alphanumeric value
•
Minimum passcode length
•
Minimum number of complex characters
•
Maximum passcode age
•
Maximum auto-lock
•
Passcode history
•
Maximum grace period for device lock
•
Maximum number of failed attempts
For more information about IT policy rules, visit http://docs.blackberry.com/bes12cloud to read the BES12 Cloud Policy
Reference Spreadsheet.
Changing iOS device passwords
You can use BES12 to lock or unlock iOS devices remotely and clear their passwords. You can do this, for example, if a device is
lost or if a user forgets their password.
18
Data at rest
You can use the "Lock device" IT administration command to lock a device remotely. The user must type the existing device
password to unlock the device. You can use this command if a device is lost or stolen.
You can use the "Unlock and clear password" IT administration command to unlock a device and clear the existing password.
The user is prompted to create a new device password. You can use this command if a user forgets their device password.
For more information about sending these commands to devices, visit http://docs.blackberry.com/bes12cloud to read the
BES12 Cloud Administration Guide.
Android device passwords
You can use the "Password requirements" IT policy rule to require Android device users to set a device password and to specify
minimum requirements for device passwords.
You can enforce additional password requirements on devices using the following IT policy rules:
•
Maximum failed password attempts (native Android OS)
•
Maximum failed password attempts before device is disabled (KNOX MDM)
•
Maximum inactivity time lock
•
Password expiration timeout
•
Password history restriction
•
Minimum password length (native Android OS only)
•
Minimum uppercase letters required in password
•
Minimum lowercase letters required in password
•
Minimum letters required in password (native Android OS only)
•
Minimum numerical digits required in password (native Android OS only)
•
Minimum symbols required in password (native Android OS only)
•
Minimum complex characters required in password (KNOX MDM only)
•
Maximum character sequence length (KNOX MDM only)
•
Maximum numeric sequence length (KNOX MDM only)
•
Allow password visibility (KNOX MDM only)
For more information about IT policy rules, visit http://docs.blackberry.com/bes12cloud to read the BES12 Cloud Policy
Reference Spreadsheet.
Changing Android device passwords
You can use BES12 to lock or unlock Android devices remotely and change or clear their passwords. You can do this, for
example, if a device is lost or if a user forgets the password.
You can use the "Lock device" IT administration command to lock a device remotely. The user must type the existing device
password to unlock the device. You can use this command if a device is lost or stolen.
19
Data at rest
You can use the "Unlock and clear password" IT administration command to unlock a device and clear the existing password.
The user is prompted to create a new device password. You can use this command if a user forgets their device password.
You can use the "Specify device password and lock" IT administration command to create a new device password and lock a
device. When the user unlocks the device, they are prompted to accept or reject the new password. You can use this command
if a device is lost or stolen.
For more information about sending these commands to devices, visit http://docs.blackberry.com/bes12cloud to read the
BES12 Cloud Administration Guide.
Windows Phone device passwords
You can use the "Password required for device" IT policy rule to require Windows Phone device users to set a device password.
Depending on the OS version, you can enforce additional password requirements on devices using the following IT policy rules:
•
Allow simple password
•
Minimum password length
•
Password complexity
•
Password expiration
•
Password history
•
Maximum failed password attempts
•
Maximum inactivity time lock
•
Minimum number of complex character types
•
Allow idle return without password
For more information about IT policy rules, visit http://docs.blackberry.com/bes12cloud to read the BES12 Cloud Policy
Reference Spreadsheet.
Changing Windows Phone device passwords
You can use BES12 to lock Windows Phone devices remotely and change or clear their passwords. You can do this, for example,
if a device is lost or if a user forgets the password.
You can use the "Lock device" IT administration command to lock a device remotely. The user must type the existing device
password to unlock the device. You can use this command if a device is lost or stolen.
You can use the "Generate device password and lock" IT administration command to create a new device password and lock a
device. When the user unlocks the device, they are prompted to accept or reject the new password. You can use this command
if a device is lost or stolen.
For more information about sending these commands to devices, visit http://docs.blackberry.com/bes12cloud to read the
BES12 Cloud Administration Guide.
20
Data at rest
Security timeout
You can use BES12 to require that iOS, Android, and Windows Phone devices lock after a certain period of inactivity.
For iOS devices, the "Maximum auto-lock" IT policy rule can be used to require that devices lock after a certain period of
inactivity. You can use the "Maximum grace period for device lock" IT policy rule to allow users to unlock their devices without
entering their passwords after a specified period of inactivity.
For Android devices, you can use the "Maximum inactivity time lock" IT policy rule to require that a device lock after a specified
period of inactivity.
For Windows Phone devices, you can use the "Maximum inactivity time lock" IT policy rule to require that a device lock after a
specified period of inactivity.
For more information about IT policy rules, visit http://docs.blackberry.com/bes12cloud to read the BES12 Cloud Policy
Reference Spreadsheet.
Data wipe
To protect your organization's data and user information on devices, you can use BES12 to delete work data or all data on
devices.
Users can also delete work data or all data on their devices.
Full device wipe
Devices delete all data in the device memory when any of the following events occur:
Event
Device type
Description
You send the “Delete all device data”
IT administration command to a
device.
•
iOS
•
Android
•
Windows Phone
You can use BES12 to delete all data from devices using the
"Delete all device data" IT administration command. For
example, you can send this command to a device to
redistribute a previously used device to another user in your
organization, or to a device that is lost and unlikely to be
recovered.
This command deletes all user information and app data that
the device stores (including information in the work space, if
applicable) returns the device to factory defaults, and
removes the device from BES12.
After you submit this command, an option to remove the
device from BES12 is displayed. If the device can no longer
21
Data at rest
Event
Device type
Description
connect to BES12, you can remove the device from BES12. If
the device connects to BES12 after you removed it, only the
work data is removed from the device, including the work
space, if applicable.
For more information about sending this command to devices,
visit http://docs.blackberry.com/bes12cloud to read the
BES12 Cloud Administration Guide.
A user types the device password
incorrectly more times than the
"Maximum number of failed
attempts" IT policy rule allows.
•
iOS
•
Android
•
Windows Phone
A user uses the "Erase All Content
And Settings" option on an iOS 8
device.
iOS
This command deletes all user information and app data that
the device stores, including information in the work space,
and returns the device to factory defaults.
A user can delete all data on devices using the "Erase All
Content And Settings" option on the device.
Work data wipe
To protect your organization's data on devices, devices delete all work data when any of the following events occur:
Event
Device type
Description
You send the “Delete only work
data” IT administration
command to a device.
•
iOS
•
Android
•
Windows Phone
You can use BES12 to delete all work data from devices using
the "Delete only work data" IT administration command. For
example, you can send this command to a personal device
when a user no longer works at your organization, or if a device
is lost or stolen.
This command deletes work data, including the IT policy,
profiles, apps, and certificates that are on a device, and
removes the device from BES12.
After you submit this command, an option to remove the device
from BES12 is displayed. If the device can no longer connect to
BES12, you can remove the device from BES12. If the device
connects to BES12 after you removed it, only the work data is
removed from the device, including the work space, if
applicable.
A user can still use the device while the work space data is
being deleted.
22
Data at rest
Event
Device type
Description
For more information about sending this command to devices,
visit http://docs.blackberry.com/bes12cloud to read the BES12
Cloud Administration Guide.
Securing devices for work and personal use
Secure Work Space technology allows users to use their iOS and Android devices for both work and personal use securely. For
example, Secure Work Space allows your organization to control its information even when it’s stored on devices that employees
own and bring to work.
The security features of BES12 and Secure Work Space control how devices protect your organization's data, apps, and
network connections and force devices to treat your organization's data and apps differently from personal data and apps. This
means that you can:
•
Control access to your organization's data and apps on devices
•
Prevent data from being compromised
•
Delete your organization's data and apps from devices when you need to
•
Control network connections that work and personal apps use
Secure Work Space uses separate areas of the device called spaces to separate work and personal activities. A space is a
distinct area of the device that enables the segregation and management of different types of data, apps, and network
connections. Different spaces can have different rules for data storage, app permissions, and network routing. The separate
spaces help users to avoid activities such as copying work data into a personal app.
23
Data at rest
Creating a work space on a device
To create a work space on a device, you activate it on BES12 using either the “Work and personal - full control” or “Work and
personal - user privacy” activation type. The work space is a segregated area of the device for work resources where users can
create, edit, and save work documents. The work space also stores configuration details from the server and any information
associated with them, such as Microsoft Active Directory credentials and profiles. During the activation process, the device
encrypts the work space.
By default, during the activation process, devices with Secure Work Space require users to set a work space password. The
work space password is used to protect work space data and secured apps. You can use IT policy rules to control password
requirements, such as complexity and length.
After a device is activated on BES12, the device still contains the personal space on the device and any user data, apps, or
network connections that the user was using before the device was activated. Users can use their devices for activities that your
organization's security policies might not otherwise allow, such as downloading videos, playing online multi-player games, or
uploading personal photos and Facebook entries, without exposing the work data that is stored on the device.
For more information about IT policy rules, visit http://docs.blackberry.com/bes12cloud to read the BES12 Cloud Policy
Reference Spreadsheet.
Protecting work space data with encryption
A work space protects work space data by encrypting the data that secured apps store using AES-256 encryption. The work
space randomly generates a separate encryption key for each secured app and encrypts the keys with the user's work space
password. The work space encrypts all of the data that a secured app stores directly and writes indirectly to files. The encryption
libraries (OpenSSL-FIIPTS or iOS crypto on iOS, and OpenSSL-FIPS on Android OS) are components of the FIPS validated
BlackBerry Cryptographic Library for Secure Work Space.
Secured apps can only share data with other secured apps. When a secured app requests to share data with another app, the
work space intercepts the request and allows the request to proceed if both apps are secured apps. If both apps are not
secured apps, the work space rejects the request. The work space allows a user to copy and paste from one secured app to
another, but not to a work app or personal app.
24
Data at rest
Work space encryption
For Android devices, the Android OS assigns a UID to an app when the app is installed. The UID is unique to each app, except
when the app requests to share a UID with another app. The two apps in this case must be signed with the same certificate from
the same developer.
Each UID is assigned a random encryption key the first time that the UID runs, and the UID uses the key to encrypt its data. The
keys are stored in a separate secure filesystem in the work space, and the filesystem is shared between secured apps. When the
app with the UID runs for the first time, it requests the encryption key associated with the UID from the Work Space Manager
app. All of the secure filesystem, except for the first block, is encrypted using AES-256 in CBC mode with 128-bit blocks. The
key to the filesystem is stored in the first block, and then the first block is encrypted with a key derived from the work space
password.
For iOS devices, the Secure Work Space assigns each secured app a random encryption key the first time that the app runs, and
the app uses the key to encrypt its data. The keys are stored in a completely segmented virtual and secure filesystem that is
shared between the apps. The underlying block structure of the secure filesystem is proprietary. The virtual filesystem is layered
on top of a NAND-style block, with a virtual device interface.
On both Android and iOS devices, the entire virtual filesystem, except for the first block, is encrypted using AES-256 in CBC
mode with 128-bit blocks. The key to the virtual filesystem is stored in the first block, and then the first block is encrypted with a
key derived from the work space password. The work space password is derived using PBKDF2 as the key derivation function
with HMAC-SHA1.
Protecting the work space password
The work space does not store the work space password. Instead, it encrypts data using a hash derived from the password as
the encryption key. After the password has been set, when the user enters the password to access the work space, the work
space tries to decrypt data with the hash derived from the password that the user entered. If the data does not decrypt, the
password that the user entered is rejected as incorrect.
25
Data at rest
To allow for password resets, the device generates a public and private key, encrypts the derived key for the work space with the
private key, and stores the encrypted block independently of the work space. The device sends the public key to BES12 and
deletes local copies of the public and private keys.
When the user changes the work space password, the device regenerates the derived key. A user can change the work space
password at any time, and an administrator can use an IT administration command to reset the work space password and force
the user to change it.
When an administrator uses the IT administration command to reset the work space password, BES12 sends the public key
back to the device and the device uses the public key to decrypt the derived key. The user is also forced to enter a new work
space password.
BES12 and the BlackBerry Infrastructure do not store the user’s encryption keys.
Inactivity timeout in the work space
When a secured app is sent to the background by a user, it starts the inactivity grace period timer for the work space. If the user
launches another secured app during the grace period, the user doesn’t need to enter their work space password. You can
configure the inactivity timeout using the "Inactivity period before locking" IT policy rule. You can configure the inactivity
timeout using the "Inactivity period before locking" IT policy rule. For more information, visit http://docs.blackberry.com/
bes12cloud to read the BES12 Cloud Policy Reference Spreadsheet.
Sharing information between secured apps
Federating allows secured apps to share information in a controlled manner. App wrapping provides a defined interface that
restricts what the apps can do when they communicate using the encrypted filesystem.
When a secured app is wrapped in the BlackBerry Infrastructure, a hash of the app’s code is produced. This hash is also known
as a fingerprint, and the BlackBerry Infrastructure records the fingerprint and the app’s metadata.
When a secured app runs for the first time on a device, the device generates a runtime version of the app’s fingerprint and
metadata and sends them to the BlackBerry Infrastructure. The BlackBerry Infrastructure compares the fingerprint and
metadata that it stored with the runtime versions of the fingerprint and metadata. If they match, the BlackBerry Infrastructure
notifies the device that it can federate and run the app. If the two versions of the fingerprint and metadata do not match, the
BlackBerry Infrastructure notifies the device that it cannot federate and run the app, and the user sees an error message.
A dynamic federation list on the device identifies which secured apps can federate. When the BlackBerry Infrastructure notifies
the device that it can federate and run an app, the device adds the app to the federation list. Each subsequent time the app is
run, the device compares the runtime fingerprint of the app to the fingerprint cached in the federation list. At any time, the
BlackBerry Infrastructure can revoke the federation list and force the device to reconstruct the list. Network connectivity is
required to verify an app to allow federation.
When federation is successful, the federated apps can perform a key exchange with constraints so that they have access to the
same data in the encrypted filesystem.
26
Data at rest
Storing Work Browser data
When using the Work Browser, the work space does not store Internet or intranet passwords. Cookie storage, however, is
protected by the secure filesystem just like other work space data.
Storing work space data on media cards
For Android devices, any work space data that is stored on media cards is part of the secure filesystem, just like any work space
data stored on the device itself. The data on the media card can only be decrypted when the card is attached to the original
device and the user has entered the work space password. The data on the media card is cryptographically inaccessible if the
card is inserted into another device because the encryption keys are not available.
Deleting the work space
When you delete the work space from a device, you do not need to perform additional steps to prevent the recovery of data.
Without the encryption keys, any recovered data is cryptographically inaccessible.
Deleting the work space also deletes work space data from a media card if it is connected to the device at the time of deletion.
Attachments for third-party secured apps
By default, attachments for a third-party secured app cannot be opened outside of the UID unless the app allows for data
sharing with other apps. Examples of attachments for a third-party secured app include email, MMS, and browser downloads.
The wrapping on the app intercepts the standard APIs that iOS and Android use and prevents the app from transferring data to
another app. Private APIs are not allowed in iOS or Android. The wrapping also ensures that attachments are encrypted before
they are stored.
Showing work contacts in caller ID on iOS
devices
You can use the "Work Connect contacts" IT policy rule to specify whether caller ID on an iOS device can show the names and
phone numbers of work contacts, even if the work space is locked. This rule allows the Work Connect app in the work space to
export work contacts to the personal address book (the Contacts app). The Work Connect app exports contact names and
phone numbers only. When you deactivate the device, work contacts are removed from the personal address book.
If this rule is set to "Export to personal address book," the Work Connect app exports the work contacts to the personal address
book. The app also exports a work contact again when the work contact's name or phone number changes or a contact is added
or deleted. Only work contacts with phone numbers are exported.
27
Data at rest
If this rule is set to "Do not export to personal address book," work contacts are not exported, and calls and SMS text messages
from work contacts do not display the contact name. If this rule is set to "Allow user to configure," a user can choose to export
work contacts from the Work Connect app to the personal address book.
Controlling when devices wipe the work space
To protect your organization’s data, you can wipe all work data from a device. All personal data remains on the device. For
example, you can do this if a user no longer works at your organization.
The following table lists examples of data that is removed when devices wipe the work space:
Item
Description
Work email messages
•
Email messages that are sent to the user’s email app in the work space
•
Email messages that the user sends from the email app in the work space
•
Draft email messages that the user creates using the email app in the work space
•
Attachments that are sent to the user’s email app in the work space
•
Attachments that the user sends from the email app in the work space
•
Attachments that the user saves to the work space
Attachments
Calendar entries
Calendar entries that the user creates using the calendar app in the work space
Contacts
Contacts that BES12 synchronizes with the user’s contacts app in the work space
Tasks and memos
All tasks and memos that BES12 synchronizes with the user's tasks and memos app in
the work space
Browser
All Work Browser data
Files
Files that the user accessed and downloaded from your organization’s network
IT policy
IT policy that is assigned to the device
Work apps
For an iOS device, work apps that an administrator sent to a device
Work app data
For an iOS device, work data that is associated with work apps on the device (for example,
saved settings)
Secured apps
For an iOS device, secured apps that a user downloaded and installed on a device.
For an Android device, the user is prompted to remove the secured apps. If the user does
not remove the secured apps, they remain on the device but the user cannot run them.
Work space data
For an iOS device, work space data that is associated with secured apps on the device.
28
Data at rest
Item
Description
For an Android device, the user is prompted to remove the work space data (for example,
saved settings). If the user does not remove the work space data, it remains on the device
but the user cannot access the data.
Profiles
For an iOS device, VPN, Wi-Fi, email, SCEP, CA certificate, shared certificate, single signon, and managed domains profiles.
For an Android device, Wi-Fi, email, CA certificate, and shared certificate profiles.
29
Data in transit
Data in transit
5
With BES12, when you manage an iOS, Android, or Windows Phone device, you can protect data in transit with security settings,
VPNs, and certificates.
Types of encryption used for communication
between devices and your resources
Communication between a device and your organization’s resources can use various types of encryption. The type of encryption
used depends on the connection method.
Encryption type
Description
Wi-Fi encryption (IEEE 802.11)
Wi-Fi encryption is used for data in transit between a device and wireless access point if
the wireless access point was set up to use Wi-Fi encryption.
VPN encryption
VPN encryption is used for data in transit between a device and a VPN server.
SSL/TLS encryption
SSL/TLS encryption is used for data in transit between a device and content server, web
server, or mail server in your organization. The encryption for this connection must be set
up separately on each server and uses a separate certificate with each server. The server
might use SSL or TLS, depending on how it's set up.
Work Wi-Fi connection
In a work Wi-Fi connection, a device connects to your organization’s resources using the settings that you configured in a Wi-Fi
profile. Wi-Fi encryption is used if the wireless access point was set up to use it.
30
Data in transit
Protecting Wi-Fi connections
A device can connect to work Wi-Fi networks that use the IEEE 802.11 standard. The IEEE 802.11i standard uses the IEEE
802.1X standard for authentication and key management to protect work Wi-Fi networks. The IEEE 802.11i standard specifies
that organizations must use the PSK protocol or the IEEE 802.1X standard as the access control method for Wi-Fi networks.
You can use Wi-Fi profiles to send Wi-Fi configuration information, including security settings and any required certificates to
devices.
VPN connection
In a VPN connection, an iOS device connects to your organization’s resources through any wireless access point or a mobile
network, your organization’s firewall, and your organization’s VPN server. Wi-Fi encryption is used if the wireless access point
was set up to use it.
31
Data in transit
Connecting to a VPN
If your organization’s environment includes VPNs, such as IPsec VPNs or SSL VPNs, you can configure iOS devices to
authenticate with a VPN to access your organization's network. A VPN provides an encrypted tunnel between a device and the
network.
A VPN solution consists of a VPN client on a device and a VPN concentrator. The device can use the VPN client to authenticate
with the VPN concentrator, which acts as the gateway to your organization's network. Each device includes a built-in VPN client
that supports several VPN concentrators. Depending on the VPN solution, a client app may need to be installed on the device.
The VPN client on the device supports the use of strong encryption to authenticate itself with the VPN concentrator. It creates
an encrypted tunnel between the device and the VPN concentrator that the device and your organization's network can use to
communicate.
How BES12 configures a device to use per-app VPN and VPN on demand
When BES12 sends a VPN profile to a device, it uses a configuration profile defined by Apple to send a VPN payload and perapp VPN payload (if necessary) to the device. BES12 converts the settings that you specified in the VPN profile to a series of
keys and values (for example, BES12 converts the connection type that you specified to the VPNType key). For more
information about configuration profiles, visit www.apple.com to read the Configuration Profile Reference.
Enabling per-app VPN for iOS apps
You can use per-app VPN to specify which work apps and secured apps on iOS devices must use a VPN for their data in transit.
Per-app VPN helps decrease the load on your organization’s VPN by enabling only certain work traffic to use the VPN (for
example, accessing application servers or webpages behind the firewall). This feature also supports user privacy and increases
connection speed for personal apps by not sending the personal traffic through the VPN.
You then associate apps with per-app VPN by assigning the VPN profile to apps or app groups.
How BES12 chooses which per-app VPN settings to assign
Only one VPN profile can be assigned to an app or app group. BES12 uses the following rules to determine which per-app VPN
settings to assign to an app:
•
Per-app VPN settings that are associated with an app directly take precedence over per-app VPN settings associated
indirectly by an app group.
•
Per-app VPN settings that are associated with a user directly take precedence over per-app VPN settings associated
indirectly by a user group.
•
Per-app VPN settings that are assigned to a required app take precedence over per-app VPN settings assigned to an
optional instance of the same app.
•
Per-app VPN settings that are associated with the user group name that appears earlier in the alphabetical list takes
precedence if the following conditions are met:
◦
An app is assigned to multiple user groups
32
Data in transit
◦
The same app appears in the user groups
◦
The app is assigned in the same way, either as a single app or an app group
◦
The app has the same disposition in all assignments, either required or optional
For example, you assign Cisco WebEx Meetings as an optional app to the user groups Development and Marketing.
When a user is in both groups, the per-app VPN settings for the Development group is applied to the WebEx Meetings
app for that user.
If a per-app VPN profile is assigned to a device group, it takes precedence over the per-app VPN profile that is assigned to the
user account for any devices that belong to the device group.
Enabling VPN on demand for iOS devices
VPN on demand allows you to specify whether an iOS device connects automatically to a VPN in a particular domain.
Certificates, such as SCEP or Shared certificates, provide authentication for the user's device when accessing the particular
domain. For example, you can specify your organization's domain to allow users access to your intranet content using VPN on
demand.
How BES12 configures a device to use per-app VPN and VPN on demand
When BES12 sends a VPN profile to a device, it uses a configuration profile defined by Apple to send a VPN payload and perapp VPN payload (if necessary) to the device. BES12 converts the settings that you specified in the VPN profile to a series of
keys and values (for example, BES12 converts the connection type that you specified to the VPNType key). For more
information about configuration profiles, visit www.apple.com to read the Configuration Profile Reference.
Protecting communication with devices using
certificates
A certificate is a digital document that binds the identity and public key of a certificate subject. Each certificate has a
corresponding private key that is stored separately. A CA signs the certificate to verify that it can be trusted.
Devices can use certificates to:
•
Authenticate using SSL/TLS when they connect to web pages that use HTTPS
•
Authenticate with a work mail server
•
Authenticate with a work Wi-Fi network and, for iOS devices only, VPN
•
Encrypt and sign email messages using S/MIME protection (iOS devices only)
You can send client certificates and CA certificates to all devices managed by BES12.
33
Data in transit
Sending client certificates to devices
You might need to distribute client certificates to devices if the devices use certificate-based authentication to connect to a
network or server in your organization’s environment, or if your organization uses S/MIME.
Depending on the device capabilities, client certificates can be used for many purposes, including certificate-based
authentication from the browser, connecting to your work Wi-Fi network, work VPN, or work mail server, and for digital
signatures on S/MIME-protected email messages.
You can send client certificates to devices in several ways:
Profile
Description
SCEP profiles
You can create SCEP profiles that iOS devices use to request and obtain client certificates
from a SCEP-compliant Microsoft or Entrust CA.
When you use SCEP to enroll client certificates to iOS, the administrator never has access
to the user's private key.
User credential profiles
If your organization uses Entrust IdentityGuard to issue and manage certificates, you can
create user credential profiles that iOS and Android devices use to get client certificates
from your organization's CA.
When you use Entrust IdentityGuard, the administrator does not have access to the user's
private key.
Shared certificate profiles
A shared certificate profile specifies a client certificate that BES12 sends to iOS and
Android devices. BES12 sends the same client certificate to every user that the profile is
assigned to.
The administrator must have access to the certificate and private key to create a shared
certificate profile.
Sending client certificates to
individual user accounts
To send a client certificate to the devices for an individual user, you can add a client
certificate to a user account. BES12 sends the certificate to the user's iOS and Android
devices.
The administrator must have access to the certificate and private key to send the client
certificate to the user.
For more information about sending client certificates to devices, visit http://docs.blackberry.com/bes12cloud to read the
BES12 Cloud Administration Guide.
Using SCEP to enroll client certificates to devices
SCEP is an IETF protocol that simplifies the process of enrolling certificates to a large number of devices without any
administrator input or approval required to issue each certificate. iOS devices can use SCEP to request and obtain client
34
Data in transit
certificates from a SCEP-compliant Microsoft or Entrust CA that your organization uses. You can use SCEP to enroll client
certificates to devices so that the devices can use certificate-based authentication in the browser and to connect to a work Wi-Fi
network, work VPN, or work mail server.
Certificate enrollment starts after a device receives a SCEP profile that is assigned to the user or associated with an assigned WiFi, VPN, or email profile. Devices can receive a SCEP profile from BES12 during the activation process, when you change a
SCEP profile, or when you change another profile that has an associated SCEP profile. After the certificate enrollment
completes, the client certificate and its certificate chain and private key are stored in the work keystore on the device.
If you use a Microsoft CA, the CA must support challenge passwords. The CA uses challenge passwords to verify that the device
is authorized to submit a certificate request. If the CA has implemented NDES, you use dynamic challenge passwords. You
specify the static challenge password or the settings to obtain a dynamically generated challenge password from the SCEP
service in the SCEP profile. The password is sent to the device to allow the device to make the certificate request. If you use a
static challenge password, all devices that use the SCEP profile use the same challenge password.
The certificate enrollment process does not delete existing certificates from devices or notify the CA that previously enrolled
certificates are no longer in use. If a SCEP profile is removed from BES12, the corresponding certificates are not removed from
the assigned users' devices.
To read the SCEP Internet Draft, visit www.ietf.org.
Sending CA certificates to devices
You might need to distribute CA certificates to devices if your organization uses S/MIME or if devices use certificate-based
authentication to connect to a network or server in your organization’s environment.
When the certificates for the CAs that issued your organization's network and server certificates are stored on devices, the
devices can trust your networks and servers when making secure connections. When the CA certificates for the CAs that issued
your organization's S/MIME certificates are stored on devices, the devices can trust the sender's certificate when an S/MIMEprotected email message is received.
You can use CA certificate profiles to send CA certificates to devices. For more information, visit docs.blackberry.com/
bes12cloud to see the Administration content.
Providing devices with single sign-on access to
your organization's network
You can allow iOS 7 and later device users to authenticate automatically with domains and web services in your organization’s
network.
You can use single sign-on profiles to set up device authentication using a user’s login information or certificate. Certificate
authentication is supported for iOS 8.0 and later devices. After you assign a single sign-on profile to a user, the user's login
information or certificate is saved on the device the first time they access a domain specified in the profile. The user's saved
login information or certificate is used automatically when the user tries to access any of the domains specified in the profile.
35
Data in transit
The user is not prompted again for the login information or certificate until the user's password changes or the certificate
expires.
BES12 supports Kerberos for single sign-on access for the browser and apps on iOS 7 and later devices. You can restrict which
apps have single sign-on access.
For more information on creating single sign-on profiles, visit http://docs.blackberry.com/bes12cloud to read the BES12 Cloud
Administration Guide.
Protecting data in transit between BES12 and
devices
BES12 protects the data in transit between itself and iOS, Android, and Windows Phone devices.
During the activation process for these devices, a mutually authenticated TLS connection is established between BES12 and
the BES12 Client on the device. When BES12 needs to send configuration information such as IT polices, profiles, and app
configurations to a device, BES12 and the device use the TLS connection to protect the data.
Protecting data in transit between BES12 Cloud
and your company directory
The BlackBerry Cloud Connector is an optional component that you can install behind your organization's firewall to provide a
secure connection between BES12 Cloud and your company directory.
If you use the BlackBerry Cloud Connector to give BES12 Cloud access to your company directory, you can create user
accounts by searching for and importing user data from the directory and you can allow users to use their directory credentials
to access BES12 Self-Service. BES12 Cloud synchronizes user data with the directory daily. You can also start the
synchronization process manually for individual users.
For more information about configuring the BlackBerry Cloud Connector, visit docs.blackberry.com/bes12cloud to see the
Administration content.
Data flow: Establishing a secure connection between BES12
Cloud and the BlackBerry Cloud Connector
1.
You download the installation and activation files using the administration console and install the BlackBerry Cloud
Connector on a computer that can access the Internet and your company directory.
2.
The BlackBerry Cloud Connector establishes a connection with BES12 Cloud and sends an activation request.
36
Data in transit
3.
BES12 Cloud verifies that the activation information is valid.
4.
The BlackBerry Cloud Connector and BES12 Cloud generate a shared symmetric key using the activation password and
EC-SPEKE. The shared symmetric key protects the CSR and response.
5.
The BlackBerry Cloud Connector performs the following actions:
6.
7.
8.
a
Generates a key pair for the certificate
b
Creates a PKCS#10 CSR that includes the public key of the key pair
c
Encrypts the CSR using the shared symmetric key and AES-256 in CBC mode with PKCS #5 padding
d
Computes an HMAC of the encrypted CSR using SHA-256 and appends it to the CSR
e
Sends the encrypted CSR and HMAC to BES12 Cloud
BES12 Cloud performs the following actions:
a
Verifies the HMAC of the encrypted CSR and decrypts the CSR using the shared symmetric key
b
Packages a client certificate using your organization's information and the CSR that the BlackBerry Cloud Connector
sent
c
Signs the client certificate using the enterprise management root certificate
d
Encrypts the client certificate, enterprise management root certificate, and the BES12 Cloud URL using the shared
symmetric key and AES-256 in CBC mode with PKCS #5 padding
e
Computes an HMAC of the encrypted client certificate, enterprise management root certificate, and the BES12
Cloud URL and appends it to the encrypted data
f
Sends the encrypted data and HMAC to the BlackBerry Cloud Connector
The BlackBerry Cloud Connector performs the following actions:
a
Verifies the HMAC
b
Decrypts the data it received from BES12 Cloud
c
Stores the client certificate and the enterprise management root certificate in its keystore
d
Establishes a TLS connection with BES12 Cloud
e
Creates a registration request that includes the tenant ID, the client certificate signed with its private key using SHA1
and ECDSA, and the time stamp of the signing action
f
Sends the registration request to BES12 Cloud
BES12 Cloud performs the following actions:
a
Validates the registration request
b
Ensures that the time stamp of the signing action isn't older than 3 minutes
c
Performs one of the following actions:
•
If the validation is successful, registers the BlackBerry Cloud Connector instance and sends the BlackBerry
Cloud Connector an authorization token that the BlackBerry Cloud Connector uses for subsequent
connections with BES12 Cloud.
•
If the validation fails, BES12 Cloud closes the TLS connection with the BlackBerry Cloud Connector.
37
Data in transit
After the BlackBerry Cloud Connector is activated and registration is complete, when BES12 Cloud sends a directory request to
the BlackBerry Cloud Connector, a mutually authenticated TLS connection is established using the trusted certificates and the
authorization token and the BlackBerry Cloud Connector sends your company directory information to BES12 Cloud over the
secure TLS connection.
Extending the security of email messages using
S/MIME
You can extend the security of email messages for iOS and Android device users by permitting users to send and receive S/
MIME-protected email messages in secured apps.
Digitally signing or encrypting messages adds another level of security to email messages that users send or receive from the
work space. Users can digitally sign or encrypt messages using S/MIME encryption if they use a work email account that
supports S/MIME-protected messages in the work space. When a device is activated and the work space enabled, you can allow
users to choose whether the device signs, encrypts, or signs and encrypts messages, using S/MIME encryption when sending
email messages using a work email address.
Digital signatures help recipients verify the authenticity and integrity of messages that users send. When a user digitally signs a
message with their private key, recipients use the sender's public key to verify that the message is from the sender and that the
message has not changed.
Encryption helps keep messages confidential. When a user encrypts a message, the device uses the recipient's public key to
encrypt the message. The recipient uses their private key to decrypt the message.
Devices support keys and certificates in the PFX file format with either a .pfx or .p12 file name extension.
Users must store their private keys and a certificate for each recipient that they want to send an encrypted email message to in
the work space on their devices. Users can store a key and certificates by importing the files from a work email message.
If devices don't have S/MIME support turned on, users can't send signed or encrypted email messages from the devices. If
users don't have their private keys on their devices, users can't read S/MIME-encrypted messages on the devices, and the
devices display an error message.
S/MIME certificates and S/MIME private keys on devices
Devices with Secure Work Space can use public key cryptography with S/MIME certificates and S/MIME private keys to encrypt
and decrypt email messages.
Item
Description
S/MIME public key
When a user sends an email message from a device, the device uses the S/MIME
public key of the recipient to encrypt the message.
When a user receives a signed email message on a device, the device uses the S/
MIME public key of the sender to verify the message signature.
38
Data in transit
Item
Description
S/MIME private key
When a user sends a signed email message from a device, the device hashes the
message using SHA-1, SHA-2, or MD5. The device then uses the S/MIME private
key of the user to digitally sign the message hash.
When a user receives an encrypted email message on a device, the device uses the
private key of the user to decrypt the message. The private key is stored on the
device.
Data flow: Sending an email message from a device using S/
MIME encryption
1.
A user sends an email message from a device. The device performs the following actions:
a
Checks the device keystore for the S/MIME certificate of the recipient.
b
Encrypts the email message with the S/MIME certificate of the recipient.
c
Sends the encrypted message to the mail server.
2.
The mail server sends the S/MIME-encrypted message to the recipient.
3.
The recipient decrypts the S/MIME-encrypted message using the recipient's S/MIME private key.
39
Secured apps
Secured apps
6
The work space protects secured apps by wrapping and fingerprinting the apps. You can distribute secured apps from the App
Store or Google Play that the app vendor has specifically prepared to run in the work space.
Managing the availability of secured apps on
devices
Secured apps can only access work space data and interact with other secured apps.
Default secured apps appear on every device with Secure Work Space. The following apps are default secured apps:
Device type
iOS
Android
Name
•
Work Connect - for email, calendar, contacts, notes, and tasks
•
Work Browser - for web browsing
•
Documents To Go - for viewing and editing Microsoft Office files
•
Work Space Manager - required to run the other secured apps on the device
•
Secure Work Space - for email, calendar, contacts, and web browsing
•
Documents To Go - for viewing and editing Microsoft Office files
Third-party app vendors can create secured apps that are prepared specifically to run in the work space and make them
available in the App Store or Google Play. You can install these apps in the work space on users' devices. Apps from the App
Store or Google Play that are not designated as secured apps cannot be installed or run in the work space. Only the app vendor
can secure and re-sign an app so that it can be installed in the work space.
How a work space wraps secured apps
A work space protects secured apps from other apps running on the device by using app wrapping. App wrapping is a process
that adds a layer of security and control around an existing app. The source code of the app is not changed. Instead, the
wrapping process takes the requests that the app makes to system services and redirects them to a library of mechanisms and
policies. The app wrapping process is fully compatible with the policies that Apple enforces for iOS devices.
40
Secured apps
The app wrapping process interposes system API calls to allow the work space to redirect a secured app's requests for system
services. For the Android OS, where apps run under the Dalvik virtual machine, the work space performs the interposing on two
layers: replacing Dalvik byte-code API calls with its own intercepts, and linking calls for native object code. For iOS, where apps
do not run under a virtual machine, the work space links calls for native object code only.
The app wrapping process then repackages the app so that the security code and the original code are physically inseparable.
This repackaging ensures that any subsequent modifications to a secured app by a third party will prevent the secured app from
running on the device.
How a work space fingerprints secured apps
A work space protects secured apps from trojans and malicious software by using fingerprinting. Fingerprinting uses an
algorithm to map an app to a short bit string, which is the app's fingerprint. The fingerprint serves as a unique record of the app.
Verifying a fingerprint is more efficient than transmitting and comparing the original app with the app on the device, which
involves much larger files than a fingerprint.
Before a secured app is added to a device with Secure Work Space, the BlackBerry Infrastructure fingerprints the secured app.
The BlackBerry Infrastructure sends the secured app and the fingerprint to the device. Before the secured app is added to the
device, the work space calculates the secured app's fingerprint and compares it to the fingerprint sent by the BlackBerry
Infrastructure. Each time that the secured app is run, the work space recalculates the secured app's fingerprint and compares
it with the fingerprint sent by the BlackBerry Infrastructure. In all cases, if the fingerprints being compared do not match, the
device does not run the secured app.
41
Product documentation
Product documentation
7
Resource
Description
BES12 Cloud Product Overview
•
Introduction to BES12 and its features
•
Finding your way through the documentation
•
Architecture
BES12 Cloud Architecture and Data
Flow Reference Guide
•
Descriptions of BES12 components
•
Descriptions of activation and other data flows, such as
configuration updates and email, for different types of
devices
Release notes
BES12 Cloud Release Notes
•
Descriptions of known issues and potential workarounds
Licensing
BES12 Cloud Licensing Guide
•
Descriptions of different types of licenses
•
Instructions for registering with BES12 Cloud and
managing licenses
•
Basic and advanced administration for all supported device
types, including BlackBerry 10 devices, iOS devices,
Android devices, and Windows Phone devices
•
Instructions for creating user accounts, groups, roles, and
administrator accounts
•
Instructions for activating devices
•
Instructions for creating and assigning IT policies and
profiles
•
Instructions for managing apps on devices
•
Descriptions of profile settings
BES12 Cloud Policy Reference
Spreadsheet
•
Descriptions of IT policy rules for BlackBerry 10 devices,
iOS devices, Android devices, and Windows Phone devices
BES12 Cloud Security Guide for
BlackBerry
•
Description of the security maintained by BES12, the
BlackBerry Infrastructure, and BlackBerry 10 devices to
protect data and connections
Overview
Administration
Security
BES12 Cloud Administration Guide
42
Product documentation
Resource
BES12 Cloud Security Guide for iOS,
Android, and Windows Phone
Description
•
Description of the BlackBerry 10 OS
•
Description of how work data is protected on BlackBerry 10
devices when you use BES12
•
Description of the security maintained by BES12, the
BlackBerry Infrastructure, and work space-enabled
devices to protect work space data at rest and in transit
•
Description of how work space apps are protected on work
space-enabled devices when you use BES12
43
Glossary
Glossary
8
AES
Advanced Encryption Standard
API
application programming interface
CA
certification authority
CBC
cipher block chaining
EMM
Enterprise Mobility Management
FIPS
Federal Information Processing Standards
HMAC
keyed-hash message authentication code
HTTPS
Hypertext Transfer Protocol over Secure Sockets Layer
IEEE
Institute of Electrical and Electronics Engineers
IETF
Internet Engineering Task Force
IP
Internet Protocol
IPsec
Internet Protocol Security
MD5
Message-Digest Algorithm, version 5
MDM
mobile device management
MMS
Multimedia Messaging Service
NDES
Network Device Enrollment Service
PBKDF2
Password-Based Key Derivation Function 2
PFX
Personal Information Exchange
PIN
personal identification number
PSK
pre-shared key
S/MIME
Secure Multipurpose Internet Mail Extensions
SCEP
simple certificate enrollment protocol
SHA
Secure Hash Algorithm
SMS
Short Message Service
SSL
Secure Sockets Layer
TCP
Transmission Control Protocol
TCP/IP
Transmission Control Protocol/Internet Protocol (TCP/IP) is a set of communication protocols that is
used to transmit data over networks, such as the Internet.
44
Glossary
TLS
Transport Layer Security
UID
unique identifier
VPN
virtual private network
45
Legal notice
Legal notice
9
©2015 BlackBerry. All rights reserved. BlackBerry® and related trademarks, names, and logos are the property of BlackBerry
Limited and are registered and/or used in the U.S. and countries around the world.
Android, Google, Dalvik and Google Play are trademarks of Google Inc. Apple and App Store are trademarks of Apple Inc. Cisco
WebEx is a trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. Entrust and
Entrust IdentityGuard are trademarks of Entrust, Inc. Facebook is a trademark of Facebook, Inc. IBM and Notes are trademarks
of International Business Machines Corporation. IEEE, 802.1X, 802.11, and 802.11i are trademarks of the Institute of Electrical
and Electronics Engineers, Inc. iOS is a trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other
countries. iOS® is used under license by Apple Inc. Kerberos is a trademark of Massachusetts Institute of Technology.
Microsoft, Active Directory, ActiveSync, and Windows Phone are trademarks of Microsoft Corporation. OpenSSL is a trademark
of the The OpenSSL Software Foundation, Inc. Samsung, Samsung KNOX, and KNOX are trademarks of Samsung Electronics
Co., Ltd. Wi-Fi is a trademark of the Wi-Fi Alliance. All other trademarks are the property of their respective owners.
This documentation including all documentation incorporated by reference herein such as documentation provided or made
available on the BlackBerry website provided or made accessible "AS IS" and "AS AVAILABLE" and without condition,
endorsement, guarantee, representation, or warranty of any kind by BlackBerry Limited and its affiliated companies
("BlackBerry") and BlackBerry assumes no responsibility for any typographical, technical, or other inaccuracies, errors, or
omissions in this documentation. In order to protect BlackBerry proprietary and confidential information and/or trade secrets,
this documentation may describe some aspects of BlackBerry technology in generalized terms. BlackBerry reserves the right to
periodically change information that is contained in this documentation; however, BlackBerry makes no commitment to provide
any such changes, updates, enhancements, or other additions to this documentation to you in a timely manner or at all.
This documentation might contain references to third-party sources of information, hardware or software, products or services
including components and content such as content protected by copyright and/or third-party websites (collectively the "Third
Party Products and Services"). BlackBerry does not control, and is not responsible for, any Third Party Products and Services
including, without limitation the content, accuracy, copyright compliance, compatibility, performance, trustworthiness, legality,
decency, links, or any other aspect of Third Party Products and Services. The inclusion of a reference to Third Party Products
and Services in this documentation does not imply endorsement by BlackBerry of the Third Party Products and Services or the
third party in any way.
EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS,
ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING
WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS OR WARRANTIES OF
DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE, MERCHANTABILITY, MERCHANTABLE QUALITY, NONINFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR A COURSE OF
DEALING OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NONPERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES
REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR
PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND
CONDITIONS. TO THE EXTENT PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE
DOCUMENTATION TO THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE HEREBY
46
Legal notice
LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE
SUBJECT OF THE CLAIM.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL BLACKBERRY
BE LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NONPERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES
REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE FOLLOWING DAMAGES: DIRECT, CONSEQUENTIAL,
EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED DAMAGES, DAMAGES FOR LOSS OF PROFITS
OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS, BUSINESS INTERRUPTION, LOSS OF BUSINESS
INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION OR LOSS OF DATA, FAILURES TO TRANSMIT OR
RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY APPLICATIONS USED IN CONJUNCTION WITH BLACKBERRY
PRODUCTS OR SERVICES, DOWNTIME COSTS, LOSS OF THE USE OF BLACKBERRY PRODUCTS OR SERVICES OR ANY
PORTION THEREOF OR OF ANY AIRTIME SERVICES, COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR
SERVICES, COST OF CAPITAL, OR OTHER SIMILAR PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES WERE
FORESEEN OR UNFORESEEN, AND EVEN IF BLACKBERRY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, BLACKBERRY SHALL HAVE NO
OTHER OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING ANY
LIABILITY FOR NEGLIGENCE OR STRICT LIABILITY.
THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF THE
CAUSE OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT,
NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL BREACH OR
BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY CONTAINED
HEREIN; AND (B) TO BLACKBERRY AND ITS AFFILIATED COMPANIES, THEIR SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS
(INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED BLACKBERRY DISTRIBUTORS (ALSO INCLUDING AIRTIME
SERVICE PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT CONTRACTORS.
IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR, EMPLOYEE,
AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF BLACKBERRY OR ANY AFFILIATES OF BLACKBERRY
HAVE ANY LIABILITY ARISING FROM OR RELATED TO THE DOCUMENTATION.
Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure that your
airtime service provider has agreed to support all of their features. Some airtime service providers might not offer Internet
browsing functionality with a subscription to the BlackBerry® Internet Service. Check with your service provider for availability,
roaming arrangements, service plans and features. Installation or use of Third Party Products and Services with BlackBerry's
products and services may require one or more patent, trademark, copyright, or other licenses in order to avoid infringement or
violation of third party rights. You are solely responsible for determining whether to use Third Party Products and Services and if
any third party licenses are required to do so. If required you are responsible for acquiring them. You should not install or use
Third Party Products and Services until all necessary licenses have been acquired. Any Third Party Products and Services that
are provided with BlackBerry's products and services are provided as a convenience to you and are provided "AS IS" with no
express or implied conditions, endorsements, guarantees, representations, or warranties of any kind by BlackBerry and
BlackBerry assumes no liability whatsoever, in relation thereto. Your use of Third Party Products and Services shall be governed
by and subject to you agreeing to the terms of separate licenses and other agreements applicable thereto with third parties,
except to the extent expressly covered by a license or other agreement with BlackBerry.
The terms of use of any BlackBerry product or service are set out in a separate license or other agreement with BlackBerry
applicable thereto. NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN
47
Legal notice
AGREEMENTS OR WARRANTIES PROVIDED BY BLACKBERRY FOR PORTIONS OF ANY BLACKBERRY PRODUCT OR SERVICE
OTHER THAN THIS DOCUMENTATION.
BlackBerry Enterprise Software incorporates certain third-party software. The license and copyright information associated with
this software is available at http://worldwide.blackberry.com/legal/thirdpartysoftware.jsp.
BlackBerry Limited
2200 University Avenue East
Waterloo, Ontario
Canada N2K 0A7
BlackBerry UK Limited
200 Bath Road
Slough, Berkshire SL1 3XE
United Kingdom
Published in Canada
48