Using Enterprise Captive Portals To Protect Connections To Enterprise Wi-Fi Networks Or Wi-Fi Hotspots; Authenticating A Blackberry Device User; Authenticating A User To A Blackberry Device Using A Password; Authenticating A Blackberry Device User Using A Smart Card - Blackberry ENTERPRISE SOLUTION SECURITY - ENTERPRISE SOLUTION - SECURITY TECHNICAL Overview

BlackBerry Enterprise Solution
Using enterprise captive portals to protect connections to enterprise Wi-Fi networks or Wi-
Fi hotspots
A captive portal is a web-based authentication mechanism to permit access to an enterprise Wi-Fi network or Wi-
Fi hotspot. Supported Wi-Fi enabled BlackBerry devices can use a captive portal to gain access to an IP filtered
segment of the enterprise Wi-Fi network or hotspot. After using a captive portal to connect to an enterprise
network or hotspot, the user can send a browser request for a website from the supported Wi-Fi enabled
BlackBerry device to an HTML login page, which allows the enterprise Wi-Fi network or hotspot to authenticate
the BlackBerry device before permitting it access to the website.
If your organization has an enterprise captive portal, the BlackBerry Enterprise Server administrator can permit
users to access the captive portal using the WLAN Login application on the BlackBerry device. BlackBerry device
users must authenticate with the WLAN Login application browser using login credentials that the system
administrator provides.
When the BlackBerry device authenticates with the captive portal, the BlackBerry device user can use the
BlackBerry® Browser on the BlackBerry device to access other web sites and data service available on the
segregated Wi-Fi network. The BlackBerry device is designed to support web browsing using the BlackBerry MDS
Connection Service.

Authenticating a BlackBerry device user

When a user receives a new BlackBerry device, the BlackBerry Enterprise Solution uses either a desktop based or
wireless master encryption key generation method to authenticate the user and the BlackBerry device to the
BlackBerry Enterprise Server. The BlackBerry device user must have a valid email address for the BlackBerry
device to activate successfully and register with the wireless network.

Authenticating a user to a BlackBerry device using a password

When the BlackBerry Enterprise Server administrator adds a BlackBerry device to a BlackBerry Enterprise Server,
the BlackBerry Enterprise Server administrator can require a BlackBerry device user to authenticate to the
BlackBerry device using a security password. The BlackBerry Enterprise Server administrator can use IT policy
rules to set features such as password duration, length, and strength, to require password patterns, and to forbid
specific passwords. For more information, see the Policy Reference Guide.
If the BlackBerry device user intends to activate the BlackBerry device over the wireless network, they must
contact the BlackBerry Enterprise Server administrator for a temporary activation password that the BlackBerry
device uses to establish the master encryption key. The BlackBerry Enterprise Server administrator can set the
BlackBerry device activation password and communicate it to the BlackBerry device user.
The activation password
•
applies to that BlackBerry device user's email account only
•
is not valid after five unsuccessful activation attempts
•
expires if the BlackBerry device user does not activate the BlackBerry device within the default period of 48
hours, or a period of up to 720 hours that the BlackBerry Enterprise Server administrator sets after creating
the activation password
•
is deleted from the BlackBerry Enterprise Server when the BlackBerry device activates successfully

Authenticating a BlackBerry device user using a smart card

Use two-factor authentication, using a smart card, to require BlackBerry device users to prove their identities to
their BlackBerry device using two factors:
•
what they have (the smart card)
•
what they know (their smart card password).
www.blackberry.com
52