BlackBerry Enterprise Solution Security Technical Overview, page 60

application policy rules for user groups, the BlackBerry Enterprise Server limits allowed application behavior to a
small subset of trusted BlackBerry device users only.
IT policy rule settings override application control policy rule settings. For example, if the BlackBerry Enterprise
Server administrator sets the Allow Internal Connections IT policy rule to False (the default value is True) for
BlackBerry devices on which the administrator has also applied an application control policy that allows a specific
application to make internal connections, the IT policy rule setting wins and the application cannot make internal
connections. An application control policy can therefore only narrow what the IT policy already permits; it cannot
grant behavior that an IT policy rule denies.
The BlackBerry device resets if the permissions of an application to which an application control policy applies
become more restrictive. On BlackBerry devices running BlackBerry Device Software Version 4.1 or later, users can
make application permissions more restrictive, but never less restrictive, than the values set by the BlackBerry
Enterprise Server administrator.
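The three precedence rules above (an IT policy rule set to False beats an application control policy, the user may only tighten what the administrator set, and a tightening is what triggers a device reset) written out as a small policy resolver. This is an added example, not BlackBerry Enterprise Server code; the Deny/Prompt/Allow levels, the resource names such as internal_connections, and the function names are assumptions made for the illustration.

```go
package main

import "fmt"

// Permission is the level assigned to one resource. The page only speaks of
// "more" and "less" restrictive; the three levels here are an assumption for
// the example. Lower values are more restrictive.
type Permission int

const (
	Deny Permission = iota
	Prompt
	Allow
)

func (p Permission) String() string {
	return [...]string{"Deny", "Prompt", "Allow"}[p]
}

// Policy maps a resource (names constructed for the example) to a permission.
type Policy map[string]Permission

// tighter returns the more restrictive of two permissions.
func tighter(a, b Permission) Permission {
	if a < b {
		return a
	}
	return b
}

// Resolve computes the effective permission for every resource covered by the
// administrator's application control policy:
//  1. an IT policy rule set to False overrides an application control policy
//     value that would allow the behaviour;
//  2. otherwise the administrator's application control policy value applies;
//  3. the user's own setting may make that value more restrictive, never less.
func Resolve(itPolicy map[string]bool, adminPolicy, userPolicy Policy) Policy {
	effective := Policy{}
	for resource, adminValue := range adminPolicy {
		if allowed, ruleExists := itPolicy[resource]; ruleExists && !allowed {
			effective[resource] = Deny
			continue
		}
		value := adminValue
		if userValue, userSet := userPolicy[resource]; userSet {
			value = tighter(adminValue, userValue) // a looser user choice is ignored
		}
		effective[resource] = value
	}
	return effective
}

// NeedsReset reports whether moving from old to updated makes any resource
// more restrictive, which is the condition under which the device resets.
func NeedsReset(old, updated Policy) bool {
	for resource, newValue := range updated {
		if oldValue, known := old[resource]; known && newValue < oldValue {
			return true
		}
	}
	return false
}

func main() {
	// Constructed scenario from the text: the administrator sets the Allow
	// Internal Connections IT policy rule to False while the application
	// control policy still allows the application to make internal connections.
	itPolicy := map[string]bool{"internal_connections": false, "external_connections": true}
	admin := Policy{"internal_connections": Allow, "external_connections": Allow, "phone": Prompt}
	// The user tightens external connections and tries (in vain) to loosen phone access.
	user := Policy{"external_connections": Prompt, "phone": Allow}
	before := Resolve(map[string]bool{}, admin, Policy{})
	after := Resolve(itPolicy, admin, user)
	fmt.Println(after)
	fmt.Println("device reset required:", NeedsReset(before, after)) // true
}
```

The clamp in Resolve is the important line: a user value is combined with the administrator's value through tighter, so a user choice of Allow against an administrator value of Prompt resolves to Prompt, matching the 4.1 behaviour described above.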
Using code signing to contain malware on the BlackBerry device
RIM does not inspect or verify third-party applications that run on BlackBerry devices; however, RIM controls the
use of BlackBerry device APIs that include sensitive packages, classes, or methods, to prevent unauthorized
applications from accessing data on the BlackBerry device. Each third-party application requires authorization to
run on the BlackBerry device. A code signature therefore attests that a registered developer was granted access to
the controlled APIs; it is not a statement that the signed code is benign.
Before the BlackBerry Enterprise Server administrator or a BlackBerry device user can run a third-party
application that uses the RIM controlled APIs on the BlackBerry device, the RIM signing authority system must
use public key cryptography to authorize and authenticate the application code. The third-party application
developer must visit www.blackberry.com/developers/downloads/jde/api.shtml to register with the RIM signing
authority system for access to the controlled APIs, and must use the BlackBerry Signature Tool, which is a
component of the BlackBerry JDE, to request, receive, and verify a digital code signature from RIM for the
application.
Third-party application developers who create their own controlled-access APIs can act as a signing authority
for those APIs. The application developer can download and install the BlackBerry® Signing Authority Tool to
allow other developers to register for access to the application developer's controlled APIs. Registered
developers can then use their BlackBerry Signature Tool to request, receive, and verify digital code signatures
from the application developer's BlackBerry Signing Authority Tool for their applications.
Each third-party application requires authorization to run on the BlackBerry device. MIDlets (applications that
use only the standard MIDP and CLDC APIs) cannot write to memory on a BlackBerry device, access the memory of
other applications, or access the persistent data of other MIDlets unless they are digitally signed by RIM's
signing authority system. For more information about code signing and third-party applications, see the
BlackBerry Signing Authority Tool Administrator Guide.
Using code signing on BlackBerry MDS Runtime Applications
Your organization's developers can digitally sign BlackBerry MDS Runtime Applications that they create using
BlackBerry MDS Studio, before publishing these applications to the BlackBerry MDS Application Repository.
BlackBerry devices support using a private key with a corresponding certificate in X.509 syntax to digitally sign
BlackBerry MDS Runtime Applications.
BlackBerry MDS Runtime Applications communicate with enterprise systems through the BlackBerry MDS
Integration Service, a component of the BlackBerry Enterprise Server. The BlackBerry MDS Integration Service
verifies the digital signature on the BlackBerry MDS Runtime Application code before sending the application to
BlackBerry devices over the wireless network. When the BlackBerry device receives the BlackBerry MDS Runtime
Application, it displays the certificate subject details as the code signer identity, and prompts the BlackBerry
device user to accept or reject the application.
The BlackBerry device does not display the code signer identity to the user, and does not install the application,
if any of the following conditions is true:
• the application is signed with an untrusted certificate
• the signature is invalid
• the Allow Unsigned Applications option is set to False for the BlackBerry MDS Integration Service, and the
application is not digitally signed
Note that when Allow Unsigned Applications is True, an unsigned application reaches the device with no code
signer identity for the user to judge, so the user's accept-or-reject decision rests on nothing but the prompt.
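The checks described above, as an added example that is not part of the original page or of BlackBerry's own code. It stands in for what the text says the MDS Integration Service and the device do: reject an application whose signer certificate is untrusted, whose signature is invalid, or which is unsigned while Allow Unsigned Applications is False, and otherwise return the certificate subject as the code signer identity. The ECDSA P-256 signing key, the self-signed X.509 code-signing certificate, the SignedApp bundle layout, the sample application bytes and all function names are assumptions made for the example; the page does not state which algorithms or bundle formats BlackBerry MDS Studio uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedApp is a constructed stand-in for an MDS Runtime Application as it would
// reach the MDS Integration Service: the application bytes, the signature over
// them, and the DER-encoded X.509 certificate of the signer. Signature and
// SignerDER are nil for an unsigned application.
type SignedApp struct {
	Code      []byte
	Signature []byte
	SignerDER []byte
}

// The three rejection conditions listed in the text.
var (
	ErrUnsigned         = errors.New("application is not digitally signed and Allow Unsigned Applications is False")
	ErrUntrustedCert    = errors.New("application is signed with an untrusted certificate")
	ErrInvalidSignature = errors.New("signature is invalid")
)

// NewSigner makes a developer signing key and a self-signed X.509 code-signing
// certificate for it (an assumed stand-in for the organization's own certificate).
func NewSigner(commonName string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: commonName, Organization: []string{"Example Org"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return priv, cert, err
}

// Sign produces the bundle a developer would publish: ECDSA P-256 over SHA-256 of the code.
func Sign(priv *ecdsa.PrivateKey, cert *x509.Certificate, code []byte) (SignedApp, error) {
	digest := sha256.Sum256(code)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return SignedApp{}, err
	}
	return SignedApp{Code: code, Signature: sig, SignerDER: cert.Raw}, nil
}

// TrustPool builds the set of certificates the verifier treats as trusted.
func TrustPool(certs ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range certs {
		pool.AddCert(c)
	}
	return pool
}

// Verify applies the checks the text attributes to the MDS Integration Service and
// the device. On success it returns the certificate subject, which is what the
// device shows as the code signer identity; on failure it returns the reason and
// the application must not be installed.
func Verify(app SignedApp, roots *x509.CertPool, allowUnsigned bool) (string, error) {
	if app.Signature == nil || app.SignerDER == nil {
		if allowUnsigned {
			return "", nil // installs, but there is no signer identity to display
		}
		return "", ErrUnsigned
	}
	cert, err := x509.ParseCertificate(app.SignerDER)
	if err != nil {
		return "", ErrUntrustedCert
	}
	// Untrusted certificate: the signer must chain to the trust pool and carry
	// the code-signing extended key usage.
	if _, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}); err != nil {
		return "", ErrUntrustedCert
	}
	// Invalid signature: the signature must cover exactly these application bytes.
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, app.Code, app.Signature); err != nil {
		return "", ErrInvalidSignature
	}
	return cert.Subject.String(), nil
}

func main() {
	priv, cert, _ := NewSigner("MDS Developer")
	roots := TrustPool(cert)
	app, _ := Sign(priv, cert, []byte("constructed MDS application bundle"))
	id, err := Verify(app, roots, false)
	fmt.Println("signer:", id, "err:", err)
	app.Code[0] ^= 0xff // tamper with the code after signing
	_, err = Verify(app, roots, false)
	fmt.Println("after tampering:", err)
}
```

The order of the checks matters: the certificate is chained to the trust pool before the signature is verified, so a valid signature from a certificate the organization never trusted is still rejected, and the subject string is only ever shown for a certificate that passed both checks.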
This manual is also suitable for: BlackBerry Enterprise Server 4.1