Pin-To-Pin Messaging - Blackberry ENTERPRISE SOLUTION SECURITY - ENTERPRISE SOLUTION - SECURITY TECHNICAL Overview


BlackBerry Enterprise Solution
The system administrator can install the BlackBerry Attachment Service on a remote computer and then place
that computer on its own network segment to prevent the spread of potential attacks from the BlackBerry
Attachment Service to another computer within your organization's network. In a segmented network, attacks
are isolated and contained in a single area of the network. A segmented network architecture is designed to
improve the security and performance of the BlackBerry Attachment Service network segment by filtering out
attachment data that is not destined for other network segments. For more information about placing the
BlackBerry Enterprise Solution components in a network architecture that is segmented, see Placing the
BlackBerry Enterprise Solution in a Segmented Network.
Viewing attachments in PGP encrypted or S/MIME-encrypted messages
The BlackBerry Enterprise Server administrator can use the S/MIME Allowed Encrypted Attachment Mode IT
policy rule and the PGP Allowed Encrypted Attachment Mode IT policy rule to specify the least restrictive mode
that the BlackBerry device can use to retrieve attachment information from PGP-encrypted messages (OpenPGP
(RFC 2440) or PGP/MIME (RFC 3156) message formatting) and S/MIME-encrypted messages.
When a user receives an OpenPGP encrypted message that includes an attachment, the BlackBerry Enterprise
Server reads the attachment header data and is designed to send the message and the encrypted message key
to the BlackBerry device automatically.
When a user receives a PGP/MIME encrypted or S/MIME-encrypted message that includes an attachment on the
BlackBerry device, depending on the setting of the S/MIME Allowed Encrypted Attachment Mode IT policy rule
or the PGP Allowed Encrypted Attachment Mode IT policy rule, the following actions can occur automatically
when the user opens the message, or when the user requests the actions manually.
1. The BlackBerry device sends the message key and a request for the attachment header data to the
BlackBerry Enterprise Server.
2. The BlackBerry Enterprise Server uses the message key to decrypt the message and access the attachment
header data.
3. The BlackBerry Enterprise Server sends the attachment header data to the BlackBerry device.
4. The BlackBerry device processes the attachment header data with the message and displays the associated
attachment information so that the user can select the attachment for viewing.
When the user tries to view an attachment that is encrypted using S/MIME, PGP/MIME, or OpenPGP on the
BlackBerry device, the following actions occur:
1. The BlackBerry device sends the message key and a request for the attachment data to the BlackBerry
Enterprise Server.
2. The BlackBerry Enterprise Server uses the message key to decrypt the message and access the attachment
data that corresponds to the attachment header data.
3. The BlackBerry Enterprise Server decrypts the attachment and sends the rendered attachment data to the
BlackBerry device.
4. The BlackBerry device displays the attachment.
Note: To protect the decrypted attachment data that the BlackBerry device stores, turn on content protection.
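
The two exchanges above, modelled as an added example (not code from RIM or from this manual) to show when the message key leaves the device and that the server handles plaintext once it has the key. The mode names NONE/MANUAL/AUTOMATIC, the class and function names, the header/body layout and the toy cipher standing in for the real S/MIME or PGP content cipher are all assumptions.

```python
import hashlib
from enum import IntEnum

class Mode(IntEnum):   # assumed names, ordered from most to least restrictive
    NONE = 0           # device never releases the message key
    MANUAL = 1         # key released only on an explicit user request
    AUTOMATIC = 2      # key also released when the user opens the message

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """SHA-256 counter keystream XOR; a stand-in for the real content cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

class Server:
    """Server side: stores ciphertext and sees plaintext only once given the key."""
    def __init__(self, ciphertext: bytes):
        self.ciphertext = ciphertext
        self.keys_received = []          # audit trail of disclosed message keys

    def handle(self, message_key: bytes, want: str) -> bytes:
        self.keys_received.append(message_key)
        header, _, body = toy_cipher(message_key, self.ciphertext).partition(b"\n")
        return header if want == "header" else b"rendered:" + body

class Device:
    def __init__(self, server: Server, message_key: bytes, policy: Mode):
        self.server, self.message_key, self.policy = server, message_key, policy

    def _request(self, want: str, needs: Mode):
        if self.policy < needs:          # policy caps the least restrictive mode
            return None                  # key stays on the device
        return self.server.handle(self.message_key, want)

    def open_message(self):    return self._request("header", Mode.AUTOMATIC)
    def request_header(self):  return self._request("header", Mode.MANUAL)
    def view_attachment(self): return self._request("data", Mode.MANUAL)

# Constructed sample: header line, newline, attachment body.
KEY = hashlib.sha256(b"constructed message key").digest()
PLAINTEXT = b"report.pdf|application/pdf\nQ3 figures (constructed)"

def simulate(policy: Mode):
    server = Server(toy_cipher(KEY, PLAINTEXT))
    device = Device(server, KEY, policy)
    results = (device.open_message(), device.request_header(), device.view_attachment())
    return results, len(server.keys_received)
```

Under the assumed MANUAL setting, opening the message discloses nothing; each explicit header or attachment request sends the message key to the server again.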

PIN-to-PIN messaging

A PIN uniquely identifies each BlackBerry device and BlackBerry enabled device on the wireless network. If a
BlackBerry device user knows the PIN of another BlackBerry device, the user can send a PIN message to that
BlackBerry device. Unlike an email message that the BlackBerry device user sends to an email address, a PIN
message bypasses the BlackBerry Enterprise Server and your organization's network.
PIN message scrambling
During the manufacturing process, Research In Motion (RIM) loads a common peer-to-peer, or PIN-to-PIN,
encryption key onto BlackBerry devices. Although the BlackBerry device uses the peer-to-peer encryption key
www.blackberry.com
This manual is also suitable for:

Enterprise server 4.1
