Features for enterprise
Secure enterprise mobility is essential to your business today. The security and manageability of the BlackBerry® solution have made BlackBerry devices the gold standard for enterprises.
End-to-end data encryption
The BlackBerry Enterprise Solution offers two transport encryption options, Advanced Encryption Standard (AES) and Triple Data Encryption Standard (Triple DES), for all data transmitted between the BlackBerry® Enterprise Service 10 and BlackBerry smartphones. By default, the BlackBerry® Enterprise Service 10 uses the strongest algorithm that both the BlackBerry® Enterprise Service 10 and BlackBerry smartphone support for BlackBerry transport layer encryption.
A device transport encryption key is generated by the BlackBerry® Enterprise Service 10 and a BlackBerry smartphone using a secure, two-way authenticated protocol. This secret key is stored only in the user's secure enterprise account and on their BlackBerry smartphone. The smartphone user can choose to regenerate the key wirelessly at any time.
Data sent to the BlackBerry smartphone is encrypted by the BlackBerry® Enterprise Service 10 using a key retrieved from the user's mailbox. The encrypted information travels securely across the network to the smartphone where it’s decrypted using the key stored on the smartphone.
Data remains encrypted in transit and is never decrypted outside of the corporate firewall.
Strong IT policy enforcement and management
The BlackBerry Enterprise Solution extends corporate security to the smartphone and provides administrators with tools to manage this security. For example, to secure information stored on BlackBerry smartphones, an administrator can require BlackBerry smartphone users to protect their smartphones with passwords and set policies about the length and complexity of the passwords. By default, if a password is entered incorrectly ten times, the smartphone memory is erased.
Local encryption of all data (messages, address book entries, calendar entries, memos and tasks) can also be enforced via IT policy. Additionally, system administrators can create and send wireless commands to remotely change BlackBerry smartphone passwords and lock or delete information from lost or stolen BlackBerry smartphones.
BlackBerry® Enterprise Service 10 security
The BlackBerry® Enterprise Service 10 doesn’t store any email or data. To protect data from unauthorized access, there’s no staging area between the server and the BlackBerry smartphone where data is decrypted.
Security is further enhanced by allowing only authenticated, outbound-initiated connections through port 3101 of the firewall. No inbound traffic is permitted from sources other than the BlackBerry smartphone or the email server, meaning unauthorized commands can’t be executed on the system.
Secure browser connections
The BlackBerry MDS Connection Service permits BlackBerry smartphone users to access web content, the Internet or your organization's intranet. It also permits smartphone apps to connect to your organization's application servers or content servers to retrieve data and updates. It authenticates with Microsoft® Active Directory® on behalf of users, verifies the users' identities and retrieves the resource on behalf of the users.
Depending on corporate security requirements, if a third-party app on a BlackBerry smartphone can access servers on the Internet, you can configure the BlackBerry MDS Connection Service to use HTTPS to provide additional authentication and security for the connection. BlackBerry smartphones support HTTPS in proxy mode using a proxy server or in direct mode using TLS.
If you configure HTTPS using a proxy server, the BlackBerry MDS Connection Service uses cipher suite components of Sun JSSE version 1.4.1 to open the connections for BlackBerry smartphones. Data from the application server is then encrypted and sent over the wireless network to the smartphones.
You can use direct mode TLS for the entire connection between the BlackBerry smartphone and the application server when only the end points of the transaction are trusted (for example, with banking services). Smartphones that are running BlackBerry® Device Software version 3.6.1 or later support TLS for connections.
Application access controls
BlackBerry smartphone apps require developers to sign and register their applications with Research In Motion (RIM). This adds protection by providing a greater degree of control and predictability to the loading and behavior of apps on BlackBerry smartphones.
The BlackBerry® Signing Authority Tool can help protect access to the functionality and data of third-party apps by enabling corporate developers or administrators to manage access to specific sensitive Application Programming Interfaces (APIs) and data stores through the use of server-side software and public and private signature keys.