Protecting Lost, Stolen, Or Replaced Blackberry Devices; Remotely Resetting The Password Of A Content Protected Blackberry Device - Blackberry ENTERPRISE SOLUTION SECURITY - ENTERPRISE SOLUTION - SECURITY TECHNICAL Overview


BlackBerry Enterprise Solution

Protecting lost, stolen, or replaced BlackBerry devices

The BlackBerry Enterprise Server administrator controls BlackBerry devices remotely to immediately protect
confidential enterprise information using IT administration commands.
IT administration command: Set Password and Lock Handheld
Description: Use this command to create a new password and lock a lost BlackBerry device remotely. The BlackBerry Enterprise Server administrator can then verbally communicate the new password to the user when the user locates the BlackBerry device. When the user unlocks the BlackBerry device, the BlackBerry device prompts the user to accept or reject the new password change.

IT administration command: Erase Data and Disable Handheld
Description: Use this command to remotely delete all user information and application data that the BlackBerry device stores. The BlackBerry Enterprise Server administrator can also configure the following options:
- configure a delay, in hours, before the BlackBerry device starts the process of deleting all of its user information and application data if a BlackBerry device is lost and might be recovered by the user
- require the BlackBerry device to return to factory default settings when it receives this command (See "Remotely erasing data from BlackBerry device memory and making the BlackBerry device unavailable" on page 63 for more information.)
- specify whether to allow the user to terminate the process of erasing data from and making the BlackBerry device unavailable during the delay period
The BlackBerry Enterprise Server administrator can use this command to prepare a BlackBerry device for transfer between users in your organization.

For more information, see the BlackBerry Enterprise Server System Administration Guide.

Remotely resetting the password of a content protected BlackBerry device

The remote password reset cryptographic protocol is designed to allow the BlackBerry Enterprise Server administrator to set the BlackBerry device password remotely, even if content protection is enabled on the BlackBerry device. The BlackBerry device does not prompt the user for the old BlackBerry device password.

The cryptographic protocol for resetting the password on a content-protected device remotely is designed to provide the following features:
- allows the BlackBerry device to re-encrypt the content protection key with the new password, without knowing the old password
- prevents a hardware-based attack on the BlackBerry device from recovering the content protection key successfully without knowing either the BlackBerry device password or the IT policy private key of the IT policy public and private key pair that the BlackBerry Enterprise Server generates for the BlackBerry device
- prevents a small subgroup containment attack through the use of elliptic curve cryptography
- prevents the BlackBerry Enterprise Server from learning anything that an attacker could use to recover the content protection key
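An added illustration, not code from this manual or from BlackBerry: one blinded elliptic-curve Diffie-Hellman construction that meets the design goals listed for remote password reset of a content-protected device. The page gives no protocol steps, so the construction itself, the secp256k1 curve, the XOR key wrap and every function name are assumptions.

```python
import hashlib, secrets

# secp256k1 parameters: an assumed prime-order curve, the page names none
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine addition, None = point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    m = (3 * a[0] ** 2 * pow(2 * a[1], -1, P) if a == b
         else (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P)) % P
    x = (m * m - a[0] - b[0]) % P
    return x, (m * (a[0] - x) - a[1]) % P

def mul(k, pt):  # double-and-add; not constant time, illustration only
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def valid(pt):  # on-curve check; cofactor is 1, so no small subgroups exist
    return pt is not None and (pt[1] ** 2 - pt[0] ** 3 - 7) % P == 0

def pw_key(pw, salt): return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
def pt_key(pt): return hashlib.sha256(pt[0].to_bytes(32, "big")).digest()
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))  # stand-in for a real key wrap
def unlock(state, pw): return xor(state["by_pw"], pw_key(pw, state["salt"]))

def enroll(cpk, password, server_pub):
    """Device: wrap cpk under the password and under K = d*B; keep D = d*G, discard d."""
    d, salt = secrets.randbelow(N - 1) + 1, secrets.token_bytes(16)
    return {"D": mul(d, G), "salt": salt, "by_pw": xor(cpk, pw_key(password, salt)),
            "by_ecdh": xor(cpk, pt_key(mul(d, server_pub)))}
def blind(state):
    """Device: pick r and send r*D, so the server sees neither D nor K."""
    r = secrets.randbelow(N - 1) + 1
    return r, mul(r, state["D"])
def server_respond(b, blinded):
    """Server: apply the IT policy private key b to a validated point."""
    if not valid(blinded): raise ValueError("point not on curve")
    return mul(b, blinded)
def reset(state, r, resp, new_pw):
    """Device: unblind to K = b*D, recover cpk, re-wrap under the new password."""
    if not valid(resp): raise ValueError("point not on curve")
    cpk = xor(state["by_ecdh"], pt_key(mul(pow(r, -1, N), resp)))
    salt = secrets.token_bytes(16)
    return {**state, "salt": salt, "by_pw": xor(cpk, pw_key(new_pw, salt))}
```

What sits in device storage (D, the salt and the two wrapped copies) opens only with the password or with the server's private key, and the server only ever handles the blinded point r*D.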

This manual is also suitable for:

Enterprise server 4.1