Blackberry ENTERPRISE SOLUTION SECURITY - - POLICY Reference Manual

Policy Reference Guide
BlackBerry Enterprise Server Policy Reference Guide
Version 33
Version: 4.1 | Service Pack: 6

Summary of Contents for Blackberry ENTERPRISE SOLUTION SECURITY - - POLICY

  • Page 1 Policy Reference Guide BlackBerry Enterprise Server Policy Reference Guide Version 33 Version: 4.1 | Service Pack: 6...
  • Page 2 SWDT323212-469781-0930122421-001...
  • Page 3: Table Of Contents

    Setting IT policy rules; Where to find descriptions of Wi-Fi IT policy rules; Using IT policy rules on other devices; Importing IT policy rules without the required minimum BlackBerry Enterprise Server software; 2 Descriptions of IT policy rules; Application Center policy group...
  • Page 4 Maximum Bluetooth Encryption Key Regeneration Period IT policy rule; Maximum Bluetooth Range IT policy rule; Maximum Connection Heartbeat Period IT policy rule; Maximum Number of BlackBerry Transactions IT policy rule; Maximum Number of PC Pairings IT policy rule; Maximum PC Bluetooth Traffic Inactivity Timeout IT policy rule...
  • Page 5 Random Source URL IT policy rule; User Can Disable Automatic RNG Initialization IT policy rule; Common policy group; BlackBerry Server Version IT policy rule; Confirm On Send IT policy rule; Disable Kodiak PTT IT policy rule; Disable MMS IT policy rule...
  • Page 6 Auto Backup Enabled IT policy rule; Auto Backup Exclude Messages IT policy rule; Auto Backup Exclude Sync IT policy rule; Auto Backup Frequency IT policy rule; Auto Backup Include All IT policy rule; Disable Wireless Calendar IT policy rule; Do Not Save Sent Messages IT policy rule; Force Load Count IT policy rule...
  • Page 7 Home Page Address IT policy rule; Maximum Password Age IT policy rule; Home Page Address Is Read-Only IT policy rule; Maximum Security Timeout IT policy rule; Minimum Password Length IT policy rule; Password Pattern Checks IT policy rule; Password Required IT policy rule; User Can Change Timeout IT policy rule...
  • Page 8 Disable Emailing Conversation IT policy rule; Disable Saving Conversation IT policy rule; Location Based Services policy group; Disable BlackBerry Maps IT policy rule; Enable Enterprise Location Tracking IT policy rule; Enterprise Location Tracking User Prompt Message IT policy rule; Enterprise Location Tracking Interval IT policy rule...
  • Page 9 PGP Universal Policy Cache Timeout IT policy rule; PGP Universal Server Address IT policy rule; RIM Value-Added Applications policy group; Disable BlackBerry Wallet IT policy rule; Disable Ecommerce Content Optimization Engine IT policy rule; Disable Lotus Connections IT policy rule...
  • Page 10 S/MIME Force Encrypted Messages IT policy rule; S/MIME Force Smartcard Use IT policy rule; S/MIME Minimum Strong DH Key Length IT policy rule; S/MIME Minimum Strong ECC Key Length IT policy rule; S/MIME Minimum Strong DSA Key Length IT policy rule; S/MIME Minimum Strong RSA Key Length IT policy rule...
  • Page 11 Disable Persisted Plain Text IT policy rule (133); Disable Public Photo Sharing Applications IT policy rule (134); Disable Public Social Networking Applications IT policy rule (134); Disable Radio When Cradled IT policy rule (134); Disable Revoked Certificate Use IT policy rule (135); Disable Smart Password Entry IT policy rule...
  • Page 12 Secure Wipe Delay After IT Policy Received IT policy rule (152); Secure Wipe Delay After Lock IT policy rule (153); Secure Wipe if Low Battery IT policy rule (153); Security Service Colors IT policy rule (154); Security Transcoder Cod File Hashes IT policy rule (154); Trusted Certificate Thumbprints IT policy rule...
  • Page 13 4 Descriptions of application control policy rules (179); Security Data application control policy rule (179); BlackBerry Device Keystore Medium Security application control policy rule (179); Bluetooth Serial Profile application control policy rule (180); Browser Filter Domains application control policy rule (180); Browser Filters application control policy rule...
  • Page 14 Defining acceptable use of passwords and passphrases on BlackBerry devices (194); Defining measures to protect BlackBerry devices from unauthorized use (195); Defining the encryption strength that the BlackBerry device uses to protect data (195); Restricting unsecured messaging (196); Defining measures to prevent threats from viruses and malicious users (197); Limiting the resources that installed third-party applications can access on BlackBerry devices...
  • Page 15 Blocking all third-party applications (200); Block all third-party applications (200); Permitting specific third-party applications (200); Permit a specific third-party application while blocking all other third-party applications (201); Controlling the behavior of third-party applications (201); Assign a default application control policy to control the behavior of allowed third-party applications (201); 8 Legal notice...
  • Page 17: It Policy Rules

    Using the BlackBerry Professional Software: If you are using the BlackBerry® Professional Software, consider BlackBerry® Enterprise Server to mean BlackBerry Professional Software in the descriptions for all IT policy rules and application control policy rules that the BlackBerry Professional Software supports.
  • Page 18: Policy Precedence On The Blackberry Device

    IT policy rule settings override application control policy rule settings. For example, if you set the Allow Internal Connections IT policy rule to False for BlackBerry® devices, and if these devices have an application control policy set that allows a specific application to make internal connections, the application cannot make internal connections.
  • Page 19: Where To Find Descriptions Of Wi-Fi It Policy Rules

    BlackBerry® Connect™ Transport Stack supports, the BlackBerry Connect Transport Stack reports the rule to the BlackBerry Connect software. The BlackBerry Connect Transport Stack can apply a specific subset of the IT policy rules internally. You must use the BlackBerry Connect software to apply the remaining IT policy rules.
  • Page 21: Descriptions Of It Policy Rules

    This rule specifies whether to prevent the application center from running on the BlackBerry® device. Default setting: The default setting is False. Usage: Set this rule to True to prevent the BlackBerry device user from having access to the application center. Minimum requirements: Java® based BlackBerry device; ...
  • Page 22: Blackberry Mds Integration Service Policy Group

    BlackBerry MDS Integration Service policy group. Disable Activation With Public BlackBerry MDS Integration Service IT policy rule. Description: This rule specifies whether to prevent the BlackBerry® device user from initiating a connection with the public BlackBerry MDS Integration Service. Default setting: The default setting is False.
  • Page 23: Lowest Blackberry Mds Integration Service Security Version Allowed It Policy Rule

    The default setting is 1. Usage: Set this IT policy rule to 1 to permit BlackBerry devices that are running BlackBerry MDS Runtime Version 1.1 or later to communicate with all versions of the BlackBerry MDS Integration Service. Set this IT policy rule to 2 to permit BlackBerry devices that are running BlackBerry MDS Runtime Version 1.1 or later to communicate with BlackBerry MDS Integration Service Version 4.1 SP2 or later only.
  • Page 24: Blackberry Messenger Policy Group

    The default setting is False. Usage: Set this rule to True to turn off BlackBerry Messenger. This might help prevent risks associated with PIN messaging. For more information about PIN messaging risks, see the BlackBerry® Enterprise Solution Security Technical Overview.
  • Page 25: Messenger Audit Email Address It Policy Rule

    The default setting is a null value. BlackBerry Messenger turns off auditing and does not send reports. Usage: Set a value for this rule if you want to audit the use of BlackBerry Messenger in your organization. Minimum requirements: ...
  • Page 26: Messenger Audit Uid It Policy Rule

    This rule specifies the unique identifier of the service book to use when sending BlackBerry® Messenger audit reports. Default setting: The default setting is a null value. Usage: If this IT policy rule is set to a null value, the BlackBerry device uses the first available service that encrypts messages to send reports. Minimum requirements: ...
  • Page 27: Force Erase All Keys On Blackberry Disconnect Timeout It Policy Rule

    If you set this IT policy rule to True, the user cannot change this feature on the BlackBerry device. Dependencies: The BlackBerry device uses this IT policy rule only if the Maximum BlackBerry Disconnect Timeout IT policy rule is set. Minimum requirements: ...
  • Page 28: Maximum Blackberry Disconnected Timeout It Policy Rule

    The default setting is a null value. The secure pairing information is not deleted from the BlackBerry device. Usage: If you specify a value, the user cannot turn off this timeout, but can change the Disconnected Timeout field on the BlackBerry device to a lower value.
  • Page 29: Maximum Blackberry Long Term Timeout It Policy Rule

    The default setting is False. Usage: If you specify a value, the user cannot turn off this timeout, but can change the Long Term Timeout field on the BlackBerry device to a lower value. If you do not specify a value, the user can change the Long Term Timeout field to any value.
  • Page 30: Maximum Bluetooth Encryption Key Regeneration Period It Policy Rule

    30% through 100%. Default setting: The default setting is 100%. Usage: Set a longer power range for the BlackBerry device or the computer to communicate with the BlackBerry Smart Card Reader over a greater distance. Minimum requirements: ...
  • Page 31: Maximum Connection Heartbeat Period It Policy Rule

    BlackBerry device or computer closes the Bluetooth® connection. Note: If the disconnected timer is on, it starts when the connection closes. The BlackBerry device or computer deletes the secure pairing keys when the disconnected timeout expires.
  • Page 32: Maximum Number Of Blackberry Transactions It Policy Rule

    The default setting is a null value. Usage: If you specify a value while computers are paired with the BlackBerry Smart Card Reader and more than the maximum number of computers are connected, the BlackBerry Smart Card Reader closes connections with the last computers to pair.
  • Page 33: Maximum Pc Bluetooth Traffic Inactivity Timeout It Policy Rule

    The default setting is a null value. The secure pairing information is not deleted from the computer. Usage: If you specify a value, the user cannot turn off this timeout, but can change the Inactivity Timeout field in the BlackBerry Smart Card Reader options on the computer to a lower value.
  • Page 34: Maximum Pc Disconnected Timeout It Policy Rule

    The default setting is a null value. Usage: If you specify a value, the user cannot turn off this timeout, but can change the Disconnected Timeout field in the BlackBerry Smart Card Reader options on the computer to a lower value.
  • Page 35: Maximum Smart Card Not Present Timeout It Policy Rule

    If you specify a value, the user cannot turn off this timeout, but can change the Long Term Timeout field in the BlackBerry Smart Card Reader options on the computer to a lower value. If you do not specify a value, the user can change the Long Term Timeout field to any value.
  • Page 36: Blackberry Unite! Policy Group

    BlackBerry Unite! policy group. Disable Download Manager IT policy rule. Description: This rule specifies whether to prevent the Download Manager for the BlackBerry® Unite!™ software from running on the BlackBerry device. Default setting: The default setting is False.
  • Page 37: Disable Address Book Transfer It Policy Rule

    Bluetooth policy group. This rule specifies whether the user can place outgoing calls from a BlackBerry® device using Bluetooth® technology. Default setting: The default setting is always. Usage: Set this IT policy rule to always, never, or only when the BlackBerry device is unlocked.
  • Page 38: Disable Audio/Video Remote Control Profile It Policy Rule

    This rule specifies whether support for Bluetooth® technology is turned off. Default setting: The default setting is False. Usage: If Bluetooth technology is turned on when the BlackBerry® device receives this IT policy rule, the BlackBerry device must be reset for the change to take effect. Minimum requirement: ...
  • Page 39: Disable Dial-Up Networking It Policy Rule

    Description: This rule specifies whether to prevent BlackBerry® device users from making their BlackBerry devices discoverable. A BlackBerry device that is discoverable can be found by other Bluetooth® enabled devices in range of the BlackBerry device. Default setting: The default setting is False.
  • Page 40: Disable Handsfree Profile It Policy Rule

    This rule specifies whether to prevent the BlackBerry® device from exchanging files with supported Bluetooth OBEX devices. Default setting: The default setting is False. Minimum requirements: Java® based BlackBerry device; BlackBerry® Device Software Version 4.2; ...
  • Page 41: Disable Pairing It Policy Rule

    Default setting: The default setting is False. Usage: After the BlackBerry device pairs with a supported Bluetooth enabled device, you can use this IT policy rule to prevent the BlackBerry device from pairing with other Bluetooth enabled devices. Minimum requirements: ...
  • Page 42: Disable Sim Access Profile It Policy Rule

    The default setting is False. Usage: The BlackBerry device uses the Bluetooth SPP to establish a serial connection between the BlackBerry device and a Bluetooth enabled device that uses a serial port interface. Minimum requirements: ...
  • Page 43: Limit Discoverable Time It Policy Rule

    Set this rule to True to permit users to set the Bluetooth discoverable mode option to have a time limit of 2 minutes or to turn off Bluetooth discoverable mode. Dependencies: The BlackBerry device uses this IT policy rule only if the Disable Discovery Mode IT policy rule is set to False. Minimum requirements: ...
  • Page 44: Require Led Connection Indicator It Policy Rule

    BlackBerry® Enterprise Server Version 4.0 SP6. Require Password for Discoverable Mode IT policy rule. Description: This rule specifies whether it is mandatory for the user to type the BlackBerry® device password before the BlackBerry device can be discovered by Bluetooth® enabled devices. Default setting: The default setting is False.
  • Page 45: Require Password For Enabling Bluetooth Support It Policy Rule

    BlackBerry® Enterprise Server Version 4.0 SP3. Require Password for Enabling Bluetooth Support IT policy rule. Description: This rule specifies whether it is mandatory for the user to type the BlackBerry® device password to turn on Bluetooth® technology. Default setting: The default setting is False.
  • Page 46: Allow Hotspot Browser It Policy Rule

    BlackBerry® Enterprise Server Version 4.1 SP6. Allow IBS Browser IT policy rule. Description: This rule specifies whether a separate icon appears on the BlackBerry® device if the appropriate service books are present for BlackBerry Internet Service Browsing. Default setting: The default setting is True.
  • Page 47: Disable Javascript In Browser It Policy Rule

    BlackBerry® Connect™ Transport Stack Version 4.0 (internal). Download Images URL IT policy rule. Description: This rule specifies a web address that provides additional pictures for the BlackBerry® device. Default setting: The default setting is a null value. Minimum requirements: ...
  • Page 48: Download Tunes Url It Policy Rule

    This rule specifies whether the browser session manager is turned on in the BlackBerry® Browser. Default setting: The default setting is True. Usage: The browser session manager is designed to improve BlackBerry Browser performance by helping the BlackBerry® Mobile Data Service use the BlackBerry Browser cache. Minimum requirements: ...
  • Page 49: Mds Browser Domains It Policy Rule

    This rule supports the use of wildcard characters. If you want to allow the BlackBerry Browser to retrieve sub-domains of a web address, prefix the domain with a period. For example, type ".yahoo.ca" to allow the BlackBerry Browser to retrieve all sub-domains of yahoo.ca (such as mail.yahoo.ca, www.yahoo.ca).
  • Page 50: Mds Browser Style Sheets Enabled It Policy Rule

    BlackBerry® Device Software Version 3.6; BlackBerry® Enterprise Server Version 4.0; BlackBerry® Connect™ Transport Stack Version 4.0 (internal). Exceptions: The BlackBerry Enterprise Server for Microsoft® Exchange supports this IT policy rule in BlackBerry Enterprise Server Version 3.6 and later.
  • Page 51: Mds Browser Use Separate Icon It Policy Rule

    Camera policy group. The BlackBerry Enterprise Server for Novell® GroupWise® supports this IT policy rule in BlackBerry Enterprise Server Version 4.0 and later. MDS Browser Use Separate Icon IT policy rule. Description: This rule specifies whether a separate icon for the BlackBerry® Browser appears on the Home screen.
  • Page 52: Certificate Synchronization Policy Group

    S/MIME Support Package for BlackBerry® devices Version 4.0 or later is installed on the BlackBerry device, the certificate synchronization tool of the BlackBerry® Desktop Manager can use the web address to retrieve random data to add to the BlackBerry device.
  • Page 53: Common Policy Group

    This rule specifies the BlackBerry® Enterprise Server version number that the BlackBerry® Enterprise Server sends to the BlackBerry device. Note: Where applicable, if this IT policy rule is not set, the BlackBerry device uses the settings specified by application control policy rules, or by software configurations defined in the BlackBerry device configuration tool. If no application control data exists, then the BlackBerry device opens internal and external connections through the firewall by default.
  • Page 54: Disable Kodiak Ptt It Policy Rule

    The BlackBerry Enterprise Server for Novell® GroupWise® supports this IT policy rule only for Java based BlackBerry devices. Disable Kodiak PTT IT policy rule. Description: This rule specifies whether to prevent the BlackBerry® device user from using Push to Talk on supported BlackBerry devices. Default setting: The default setting is False.
  • Page 55: Disable Voice-Activated Dialing It Policy Rule

    This rule specifies whether the voice note recording feature on the BlackBerry® device is turned on. Default setting: The default setting is False. Usage: Set this rule to True to turn off the voice note recording feature and prevent applications on the BlackBerry device from accessing it. Minimum requirements: ...
  • Page 56: Lock Owner Info It Policy Rule

    The BlackBerry Enterprise Server for Novell® GroupWise® supports this IT policy rule only for Java based devices. Lock Owner Info IT policy rule. Description: This rule specifies whether the user can change the owner information for the BlackBerry® device. You can lock the Information field, the Name field, or both fields. Default setting: The default setting is a null value.
  • Page 57: Set Owner Info It Policy Rule

    Default setting: The default setting is a null value. Usage: You can overwrite this information by sending the Set Owner Information IT administration command to the BlackBerry device. Dependencies: The Set Owner Info IT policy rule is related to the Lock Owner Info IT policy rule.
  • Page 58: Desktop Only Items

    Usage: To allow the backup and restore tool to back up the BlackBerry device data automatically, set this rule to True. Automatic backups can help provide recent BlackBerry device data for recovery if you need to replace a lost or stolen BlackBerry device.
  • Page 59: Auto Backup Exclude Sync It Policy Rule

    Dependencies: If you set this rule to True, you must set the Auto Backup Include All IT policy rule to False. The BlackBerry® Enterprise Server for Novell® GroupWise® supports this rule with the BlackBerry® Web Desktop Manager only. Minimum requirements: ...
  • Page 60: Auto Backup Include All It Policy Rule

    The default setting is 7 days. Usage: Set this value to a minimum of 2 days so that changes made to the BlackBerry® device data can be backed up more frequently, to a maximum of 99 days. If the user's computer memory is limited, save backup files to a network drive.
  • Page 61: Disable Wireless Calendar It Policy Rule

    The BlackBerry Enterprise Server for Novell® GroupWise® does not support this IT policy rule. Do Not Save Sent Messages IT policy rule. Description: This rule specifies whether the BlackBerry® device saves a copy of each email message that the user sends in the sent messages folder on the user's computer. Default setting: The default setting is False.
  • Page 62: Force Load Count It Policy Rule

    Force Load Message IT policy rule. Description: This rule specifies the message that appears when users are prompted to update to a later version of the BlackBerry® Device Software. Default setting: The default setting is a null value.
  • Page 63: Forward Messages In Cradle It Policy Rule

    The BlackBerry device uses this rule only if you set the Force Load Count IT policy rule to 0 or higher. The BlackBerry® Enterprise Server for Novell® GroupWise® supports this rule with the BlackBerry® Web Desktop Manager only.
  • Page 64: Message Prompt It Policy Rule

    BlackBerry® Enterprise Server Version 4.0. Exceptions: The BlackBerry Enterprise Server for Microsoft® Exchange supports this IT policy rule in BlackBerry Enterprise Server Version 3.5 and later. The BlackBerry Enterprise Server for Novell® GroupWise® does not support this IT policy rule.
  • Page 65: Show Web Link It Policy Rule

    BlackBerry® Enterprise Server Version 4.0. Exceptions: The BlackBerry Enterprise Server for Microsoft Exchange supports this IT policy rule in BlackBerry Enterprise Server Version 3.5 and later. The BlackBerry Enterprise Server for Novell® GroupWise® does not support this IT policy rule.
  • Page 66: Web Link Label It Policy Rule

    The BlackBerry Enterprise Server for Novell® GroupWise® does not support this IT policy rule. Web Link URL IT policy rule. Description: This rule specifies the web address for the web link icon, if it appears in the BlackBerry® Desktop Manager. Default setting: The default setting is a null value.
  • Page 67: Desktop Policy Group

    BlackBerry® Enterprise Server Version 4.0. Exceptions: The BlackBerry Enterprise Server for Microsoft® Exchange supports this IT policy rule in BlackBerry Enterprise Server Version 3.5 and later. The BlackBerry Enterprise Server for Novell® GroupWise® does not support this IT policy rule.
  • Page 68: Desktop Password Cache Timeout It Policy Rule

    The default setting is 10 minutes. Usage: If you set this rule to 0, the BlackBerry device clears the password from memory when the user disconnects the device from the computer, regardless of the length of time that the device was connected.
  • Page 69: Disable Check For Updates Link It Policy Rule

    The BlackBerry® Enterprise Server for Microsoft® Exchange supports this rule in BlackBerry Enterprise Server versions 3.6 SP1 and later. Disable Check For Updates Link IT policy rule. Description: This rule specifies whether the Check for updates link in the BlackBerry® Desktop Manager is available.
  • Page 70: Device Iot Application Policy Group

    This rule specifies the destination web address for the Check for updates link in the BlackBerry® Desktop Manager. Minimum requirements: Java® based BlackBerry device; BlackBerry® Desktop Software Version 4.6; ...
  • Page 71: Device Only Items

    The BlackBerry Enterprise Server for Microsoft® Exchange supports this IT policy rule in BlackBerry Enterprise Server Version 3.5 or later. The BlackBerry Enterprise Server for Novell® GroupWise® supports this IT policy rule only for Java based BlackBerry devices that are running BlackBerry Device Software Version 4.0 or later.
  • Page 72: Allow Sms It Policy Rule

    The BlackBerry Enterprise Server for Microsoft® Exchange supports this IT policy rule in BlackBerry Enterprise Server Version 3.5 or later. The BlackBerry Enterprise Server for Novell® GroupWise® supports this IT policy rule only for Java based BlackBerry devices that are running BlackBerry Device Software Version 4.0 or later.
  • Page 73: Default Browser Config Uid It Policy Rule

    The BlackBerry Enterprise Server for Novell® GroupWise® supports this IT policy rule in BlackBerry Device Software Version 4.0 or later. Enable Long-Term Timeout IT policy rule. Description: This rule specifies whether the BlackBerry® device locks after a predefined period of time, regardless of user activity. Default setting: The default setting is null. Usage...
  • Page 74: Enable Wap Config It Policy Rule

    Usage: Set this IT policy rule to False to turn off the WAP service and hide the WAP Browser icon on the BlackBerry device. Turning off the WAP service might turn off the ability to send and receive MMS messages if your network service provider uses the WAP service for MMS messaging.
  • Page 75: Home Page Address It Policy Rule

    BlackBerry Device Software Version 4.0 or later. Maximum Password Age IT policy rule. Description: This rule specifies the number of days before the BlackBerry® device password expires and the user must set a new password. Default setting: The default setting is a null value.
  • Page 76: Home Page Address Is Read-Only It Policy Rule

    Maximum Security Timeout IT policy rule. Description: This rule specifies the maximum time (in minutes) that a BlackBerry® device user can set as the security timeout value. The security timeout value is the number of minutes of inactivity before the device locks.
  • Page 77: Minimum Password Length It Policy Rule

    The BlackBerry device uses this IT policy rule only if the Password Required IT policy rule is set to True. If the FIPS Level IT policy rule is set to 2, by default, the BlackBerry device requires a minimum password length of 5 characters.
  • Page 78: Password Pattern Checks It Policy Rule

    If you set this IT policy rule to 2 or 3, password pattern checking is not available for C++-based BlackBerry devices. By default, the BlackBerry device prevents setting passwords that use a natural sequence of characters or numbers. If a symbol is inserted into a natural sequence, the BlackBerry device can use the password.
  • Page 79: User Can Change Timeout It Policy Rule

    The BlackBerry Enterprise Server for Microsoft® Exchange supports this IT policy rule in BlackBerry Enterprise Server Version 3.5 or later. The BlackBerry Enterprise Server for Novell® GroupWise® supports this IT policy rule only for Java based BlackBerry devices that are running BlackBerry Device Software Version 4.0 or later.
  • Page 80: Documents To Go Policy Group

    Dependencies: The BlackBerry device uses this IT policy rule only if the Password Required IT policy rule is set to True. This IT policy rule is obsolete for Java® based BlackBerry devices that are running BlackBerry® Device Software Version 4.0 or later and C++-based BlackBerry devices that are running BlackBerry Device Software Version 2.7.
  • Page 81: Hide Documents To Go Premium Feature Menus It Policy Rule

    DataViz, and use the premium edition of the DataViz Documents To Go application on the BlackBerry® device. Default setting: The default setting is False. Dependencies: If you set the Disable Documents To Go IT policy rule to True, the BlackBerry device ignores this rule. Minimum requirements: Java® based BlackBerry device; ...
  • Page 82: Attachment Viewing It Policy Rule

    The default setting is False. Usage: If you set this IT policy rule to True, and the BlackBerry Attachment Service is connected to the BlackBerry® Enterprise Server using the BlackBerry Attachment Connector, the BlackBerry device downloads attachments automatically. Minimum requirements: ...
  • Page 83: Disable Manual Download Of External Images It Policy Rule

    Enterprise Solution Security Technical Overview. Default setting: The default setting is False. Usage: If you set this rule to True, BlackBerry device users cannot forward or reply to received IBM Lotus Domino encrypted email messages on their BlackBerry devices. Minimum requirements: ...
  • Page 84: Disable Rich Content Email It Policy Rule

    This rule specifies whether the BlackBerry® device supports wireless email reconciliation. When users move or delete email messages on the BlackBerry device or the email application on their computer, or mark messages as opened or unopened, the BlackBerry Messaging Agent reconciles the changes over the wireless network.
  • Page 85: Inline Content Requests It Policy Rule

    Default setting: The default setting is False. Usage: If you set this IT policy rule to True, the BlackBerry device user can continue to request inline content in messages manually. Minimum requirements: Java® based BlackBerry device; ...
  • Page 86: Maximum Native Attachment Mfh Attachment Size It Policy Rule

    Set this rule to 0 or -1 to keep saved messages on the BlackBerry device indefinitely. Set this rule to -2 to delete saved messages and turn off the ability to save messages on a BlackBerry device that is running BlackBerry®...
  • Page 87: Notes Native Encryption Password Timeout It Policy Rule

    Usage Set this rule to 0 to never store the password that the user types on the BlackBerry device. If you do this, you should also prevent the BlackBerry® Enterprise Server from storing a copy of the password by default. For more information on changing the BlackBerry Enterprise Server default behavior, visit www.blackberry.com/knowledgecenterpublic/livelink.exe?
  • Page 88: Enterprise Voice Client Policy Group

    Description This rule specifies whether the BlackBerry® device can use a DTMF call format for outgoing calls if outgoing calls using the protocol format fail due to inadequate wireless coverage levels. The DTMF call format uses weaker authentication than the protocol call format.
  • Page 89: Lock Outgoing Line It Policy Rules

    Restrict Incoming Cellular Calls IT policy rule Description This rule specifies whether the BlackBerry® device firewall blocks calls that the user receives unless the calls use a set fixed dialing pattern. This IT policy rule does not affect emergency calls.
  • Page 90: Restrict Outgoing Cellular Calls It Policy Rule

    Restrict Outgoing Cellular Calls IT policy rule Description This rule specifies whether the BlackBerry® device firewall blocks calls that the user makes unless the calls use a set fixed dialing pattern. This IT policy rule does not affect emergency calls.
  • Page 91: Global Items

    The BlackBerry Enterprise Server for Microsoft® Exchange supports this IT policy rule in BlackBerry Enterprise Server Version 3.5 or later. The BlackBerry Enterprise Server for Novell® GroupWise® supports this IT policy rule only for Java based BlackBerry devices that are running BlackBerry Device Software Version 4.0 or later.
  • Page 92: Auto Signature It Policy Rule

    Default setting The default setting is a null value. Usage Use this IT policy rule to add a disclaimer to the end of email messages that are sent from the BlackBerry® device. Minimum requirements • BlackBerry® Desktop Software Version 3.5 •...
  • Page 93: Disable Emailing Conversation It Policy Rule

    BlackBerry® Enterprise Server Version 4.1 SP6 Disable Saving Conversation IT policy rule Description This rule specifies whether the user can save an instant messaging conversation to the BlackBerry® device or a media card. Default setting The default setting is False.
  • Page 94: Location Based Services Policy Group

    Usage Set this rule to True to allow the BlackBerry device user to make it mandatory for the BlackBerry device to report its location to the BlackBerry Enterprise Server at regular intervals. You can use the Enterprise Location Tracking Interval IT policy rule to change the interval.
  • Page 95: Enterprise Location Tracking Interval It Policy Rule

    Enterprise Location Tracking Interval IT policy rule Description This rule specifies the amount of time (in minutes) between location reports sent by the BlackBerry® device to the BlackBerry® Enterprise Server. The permitted range is 15 through 60 minutes. Default setting The default setting is 15 minutes.
  • Page 96: Force Memory Clean When Idle It Policy Rule

    This rule specifies the maximum user inactivity time (in minutes) before the BlackBerry® device cleans the memory. Default setting The default setting is 1 minute. Dependencies The BlackBerry device uses this IT policy rule only if you set the Force Memory Clean When Idle IT policy rule to True. Minimum requirements • Java® based BlackBerry device •...
  • Page 97: On-Device Help Policy Group

    The BlackBerry Enterprise Server for Novell® GroupWise® does not support this IT policy rule. On-Device Help policy group On-Device Help Links IT policy rule Description This rule specifies links to add to the index page of the help on the BlackBerry® device. Default setting The default setting is a null value. Usage Specify links in the following format: uri1|label1|...|uriN|labelN..
  • Page 98: Password Policy Group

    Password policy group The BlackBerry® device uses the IT policy rules in the Password policy group only if, in the Device Only items, you set the Password Required IT policy rule to True. For more information about using passwords on BlackBerry devices, see the BlackBerry®...
  • Page 99: Maximum Password History It Policy Rule

    The default setting is a null value. Usage By default, the BlackBerry® device prevents setting passwords that use a natural sequence of characters or numbers. If a symbol is inserted into a natural sequence, the BlackBerry device can use the password.
  • Page 100: Set Maximum Password Attempts It Policy Rule

    This rule specifies the security timeout interval (in hours) after which the BlackBerry® device locks and prompts the user to type a password, regardless of whether the BlackBerry device has been active during that interval.
  • Page 101: Set Password Timeout It Policy Rule

    Set Password Timeout IT policy rule Description This rule specifies the number of minutes of inactivity before the security timeout occurs and the BlackBerry® device user must type the password to unlock the BlackBerry device. Default setting The default setting is 2 minutes for BlackBerry®...
  • Page 102: Pim Synchronization Policy Group

    4.0 and later. PIM Synchronization policy group Disable Address Wireless Synchronization IT policy rule Description This rule specifies whether wireless data synchronization for the address book is turned off on the BlackBerry® device. Default setting The default setting is False. Minimum requirements •...
  • Page 103: Disable Calendar Wireless Synchronization It Policy Rule

    • BlackBerry® Connect™ Transport Stack Version 4.0 (internal) Exceptions The BlackBerry Enterprise Server for Novell® GroupWise® supports this IT policy rule only for Java based BlackBerry devices. Disable Enterprise Activation Progress IT policy rule Description This rule specifies whether the Home screen displays enterprise activation progress.
  • Page 104: Disable Memopad Wireless Sync It Policy Rule

    • BlackBerry® Connect™ Transport Stack Version 4.0 (internal) Exceptions The BlackBerry Enterprise Server for Novell® GroupWise® supports this IT policy rule only for Java based BlackBerry devices. Disable Phone Call Log Wireless Synchronization IT policy rule Description This rule specifies whether wireless data synchronization for call logs is turned off.
  • Page 105: Disable Sms Messages Wireless Sync It Policy Rule

    Usage If you set this IT policy rule to False, the BlackBerry® Enterprise Server logs all PIN messages in unencrypted format to the specified log file. Make sure that the log file is in a location which restricts internal and external user access.
  • Page 106: Disable Wireless Bulk Loads It Policy Rule

    The default setting is False. Usage Set this IT policy rule to True to minimize wireless data transfers when activating or updating BlackBerry® devices. The BlackBerry device must be physically connected to a computer before the data transfer starts. If the BlackBerry device is disconnected from the computer during the initial data transfer, the BlackBerry® Desktop Software sends the remaining data over the wireless network.
  • Page 107: Pgp Allowed Content Ciphers It Policy Rule

    Triple DES encryption if it does not know the decryption capabilities available to the recipient. Dependencies If the FIPS Level IT policy rule is set to 2, the BlackBerry device uses AES (256-bit), AES (192-bit), AES (128-bit), and Triple DES encryption. Minimum requirements •...
  • Page 108: Pgp Allowed Encryption Type It Policy Rule

    BlackBerry Enterprise Server Version 4.1 SP5 PGP Allowed Encryption Type IT policy rule Description This rule specifies the types of encryption that the BlackBerry® device can use with PGP® protected messaging. Default setting The default setting is Both, use PGP based encryption and conventional encryption.
  • Page 109: Pgp Force Digital Signature It Policy Rule

    The BlackBerry Enterprise Server for Novell® GroupWise® does not support this IT policy rule. PGP Force Digital Signature IT policy rule Description This rule specifies whether the BlackBerry® device sends all PGP® protected messages digitally signed.
  • Page 110: Pgp Minimum Strong Dh Key Length It Policy Rule

    • BlackBerry® Enterprise Server Version 4.0 SP2 Exceptions The BlackBerry Enterprise Server for Novell® GroupWise® does not support this IT policy rule. PGP Minimum Strong DSA Key Length IT policy rule Description This rule specifies the minimum DSA key size (in bits) to use with PGP® protected messages.
  • Page 111: Pgp Minimum Strong Rsa Key Length It Policy Rule

    The BlackBerry Enterprise Server for Novell® GroupWise® does not support this IT policy rule. PGP Universal Enrollment Method IT policy rule Description This rule specifies the method that users must use to enroll with the PGP® Universal Server from their BlackBerry® devices. Default setting The default setting is 1.
  • Page 112: Pgp Universal Policy Cache Timeout It Policy Rule

    BlackBerry® device with the PGP Support Package for BlackBerry devices installed enforces compliance with the secure email policies for all email messages. Dependencies If you set this IT policy rule, the PGP Support Package for BlackBerry devices must be installed on the BlackBerry device. Minimum requirements •...
  • Page 113: Rim Value-Added Applications Policy Group

    BlackBerry® Enterprise Server Version 4.1 SP6 Disable Ecommerce Content Optimization Engine IT policy rule Description This rule specifies whether to prevent the ecommerce content optimization engine for the BlackBerry® Browser from running on the BlackBerry device. Default setting The default setting is False.
  • Page 114: Lotus Connections Activities Server It Policy Rule

    This rule specifies whether to prevent IBM® Lotus® Connections from running on the BlackBerry® device. Default setting The default is False. Minimum requirements • Java® based BlackBerry device • BlackBerry® Device Software Version 4.6 •...
  • Page 115: Lotus Connections Communities Server It Policy Rule

    • BlackBerry® Device Software Version 4.6 • BlackBerry® Enterprise Server Version 4.1 SP6 Lotus Connections Communities Server IT policy rule Description This rule specifies the address of the server that hosts the IBM® Lotus® Connections Communities component.
  • Page 116: S/Mime Application Policy Group

    S/MIME Application policy group The IT policy rules in the S/MIME Application policy group apply to BlackBerry® devices running the S/MIME Support Package for BlackBerry devices. For more information about using the S/MIME Support Package for BlackBerry devices, see the S/MIME Support Package for BlackBerry Devices Security Technical Overview.
  • Page 117: S/Mime Allowed Content Ciphers It Policy Rule

    BlackBerry device is designed to encrypt email messages using Triple DES encryption if it does not know the decryption capabilities available to the recipient. Dependencies If the FIPS Level IT policy rule is set to 2, the BlackBerry device uses AES (256-bit), AES (192-bit), AES (128-bit), and Triple DES encryption. Minimum requirements •...
  • Page 118: S/Mime Allowed Encrypted Attachment Mode It Policy Rule

    BlackBerry Enterprise Server Version 4.1 SP5 S/MIME Allowed Encryption Types IT policy rule Description This rule specifies the types of encryption that the BlackBerry® device can use with S/MIME-protected messaging. Default setting The default setting is Both, use certificate-based encryption and password-based encryption.
  • Page 119: S/Mime Force Digital Signature It Policy Rule

    • BlackBerry® Connect™ Transport Stack Version 4.0 Exceptions The BlackBerry Enterprise Server for Novell® GroupWise® does not support this IT policy rule. S/MIME Force Digital Signature IT policy rule Description This rule specifies whether the BlackBerry® device sends all S/MIME-protected messages digitally signed.
  • Page 120: S/Mime Force Smartcard Use It Policy Rule

    The BlackBerry Enterprise Server for Novell® GroupWise® does not support this IT policy rule. S/MIME Force Smartcard Use IT policy rule Description This rule specifies whether all operations that use certificates on the BlackBerry® device must be performed while the device is attached to a BlackBerry® Smart Card Reader. Default setting The default setting is False.
  • Page 121: S/Mime Minimum Strong Ecc Key Length It Policy Rule

    The BlackBerry Enterprise Server for Novell® GroupWise® does not support this IT policy rule. S/MIME Minimum Strong ECC Key Length IT policy rule Description This rule specifies the minimum ECC key size (in bits) to use with S/MIME-protected messages.
  • Page 122: Secure Email Policy Group

    Secure Email policy group The IT policy rules in the Secure Email policy group apply to BlackBerry® devices that are running the S/MIME Support Package for BlackBerry devices. For more information about using the S/MIME Support Package for BlackBerry devices, see the S/MIME Support Package for BlackBerry Devices Security Technical Overview.
  • Page 123: Disable Certificate Address Checks It Policy Rule

    Description This rule specifies whether a warning appears if the BlackBerry® device user receives a signed email message and the sender's email address does not appear in the certificate or the PGP® key that was used to sign the email message.
  • Page 124: Allow Internal Connections It Policy Rule

    BlackBerry® Connect™ Transport Stack Version 4.0 (internal) Exceptions The BlackBerry Enterprise Server for Microsoft® Exchange supports this IT policy rule in BlackBerry Enterprise Server Version 3.6 and later. The BlackBerry Enterprise Server for Novell® GroupWise® supports this IT policy rule in BlackBerry Device Software Version 4.0 and later.
  • Page 125: Allow Screen Shot Capture It Policy Rule

    • BlackBerry® Enterprise Server Version 4.1 SP4 Allow Screen Shot Capture IT policy rule Description This rule specifies whether the BlackBerry® device permits applications, including third-party applications, to take screen shots. Default setting The default setting is True. Minimum requirements •...
  • Page 126: Allow Split-Pipe Connections It Policy Rule

    The default setting is True. Usage This IT policy rule is obsolete in BlackBerry® Enterprise Server for Microsoft® Exchange Version 3.6 SP2. In later versions, use the Interprocess Communication application control policy rule to specify whether applications can access the persistent store API.
  • Page 127: Allow Third Party Apps To Use Serial Port It Policy Rule

    This rule specifies the maximum length of time (in hours) that a certificate status can remain on the BlackBerry® device before it should be updated in the key store on the BlackBerry device and in the certificate synchronization tool of the BlackBerry®...
  • Page 128: Content Protection Strength It Policy Rule

    Content Protection Strength IT policy rule Description This rule specifies the cryptography strength that the BlackBerry® device uses to encrypt content that it receives while it is locked. When you specify a value, the content protection feature is turned on.
  • Page 129: Disable 3Des Transport Crypto It Policy Rule

    Set this IT policy rule to 1 to back up a minimal subset of BlackBerry device databases, including databases that some desktop components, such as the certificate synchronization tool of the BlackBerry® Desktop Manager require access to.
  • Page 130: Disable External Memory It Policy Rule

    Disable Forwarding Between Services IT policy rule Description This rule specifies whether to prevent the BlackBerry® device user from forwarding or replying to a message on the BlackBerry device using an email account or messaging service that is associated with a BlackBerry® Enterprise Server or BlackBerry®...
  • Page 131: Disable Gps It Policy Rule

    The default setting is False. Usage Set this rule to True to turn off the GPS feature and prevent applications on the BlackBerry device from accessing it. Dependencies If you set this rule to True, the BlackBerry® Maps application does not work and applications cannot access the BlackBerry device GPS APIs.
  • Page 132: Disable Ip Modem It Policy Rule

    If you set this IT policy rule to False, the BlackBerry device warns the user that the certificate is expired or invalid, but does not prevent the user from using the certificate. Minimum requirements •...
  • Page 133: Disable Key Store Low Security It Policy Rule

    BlackBerry® Connect™ Transport Stack Version 4.0 Disable Key Store Low Security IT policy rule Description This rule specifies whether to prevent the BlackBerry® device user from setting the key store security level to Low. Default setting The default setting is False.
  • Page 134: Disable Message Normal Send It Policy Rule

    Usage If you set this IT policy rule to True, to send email messages the user must install the S/MIME Support Package for BlackBerry devices or the PGP® Support Package for BlackBerry devices. You must also turn on S/MIME message processing on the BlackBerry®...
  • Page 135: Disable Persisted Plain Text It Policy Rule

    Usage If you set this IT policy rule to True, to send PIN messages the user must install the S/MIME Support Package for BlackBerry devices or the PGP Support Package for BlackBerry devices on the BlackBerry device. You must also turn on S/MIME message processing on the BlackBerry®...
  • Page 136: Disable Public Photo Sharing Applications It Policy Rule

    BlackBerry® Enterprise Server Version 4.1 SP5 Disable Radio When Cradled IT policy rule Description This rule specifies whether the BlackBerry® device turns off the wireless transceiver when it connects to a USB device. Default setting The default setting is 0.
  • Page 137: Disable Revoked Certificate Use It Policy Rule

    Default setting The default setting is False. Usage If you set this IT policy rule to False, the BlackBerry device warns the user that the certificate is revoked, but does not prevent the user from using the certificate. Minimum requirements •...
  • Page 138: Disable Stale Certificate Status Checks It Policy Rule

    The default setting is False. Usage If you set the IT policy rule to True, the BlackBerry device deletes any knowledge of the user’s numeric passwords if the user is currently using smart password entry. If you set this IT policy rule to False, the BlackBerry device stores the user’s numeric passwords, and the user can use smart password entry on the BlackBerry device when using two-factor authentication.
  • Page 139: Disable Stale Status Use It Policy Rule

    The default setting is False. Usage If you set this IT policy rule to False, the BlackBerry device warns the user that the certificate has a stale status, but does not prevent the user from using the certificate. Minimum requirements •...
  • Page 140: Disable Unverified Certificate Use It Policy Rule

    The default setting is False. Usage If you set this IT policy rule to False, the BlackBerry device warns the user that the certificate could not be verified, but does not prevent the user from using the certificate. Minimum requirements •...
  • Page 141: Disable Weak Certificate Use It Policy Rule

    Usage If you set this IT policy rule to True, the BlackBerry device cannot access an external file system that is connected to the USB port. This means that the ability to transfer files to an external file system using the Roxio® Media Manager with the BlackBerry®...
  • Page 142: Disallow Third Party Application Downloads It Policy Rule

    External File System Encryption Level IT policy rule Description This rule specifies the level of encryption that the BlackBerry® device uses to encrypt files that it stores on an external file system, such as an external memory device. Default setting The default setting is 0.
  • Page 143: Fips Level It Policy Rule

    BlackBerry device. Set this IT policy rule to 2 for FIPS 140-2 Level 2 compliance. Level 2 compliance affects only the BlackBerry Device Software. It does not result in the BlackBerry device meeting FIPS 140-2 Level 2 hardware security requirements.
  • Page 144: Firewall Block Incoming Messages It Policy Rule

    If you set this IT policy rule to 2, the BlackBerry device prevents WTLS from using an RC encryption algorithm, which can cause problems when using WTLS. Dependencies If you set this IT policy rule to 2, the following additional IT policy rules are set: •...
  • Page 145: Firewall Whitelist Addresses It Policy Rule

    Users can specify whether to block public PIN messages on the BlackBerry device. Users cannot specify whether to block corporate PIN messages on the BlackBerry device. Minimum requirements • Java® based BlackBerry device •...
  • Page 146: Force Include Address Book In Content Protection It Policy Rule

    This rule specifies whether the address book is encrypted when content protection is turned on. By default, the content protection feature on the BlackBerry® device is designed to encrypt the user data on the device when it is locked, but the user can choose to turn off content protection for the address book specifically.
  • Page 147: Force Smart Card Two Factor Authentication It Policy Rule

    Usage If you set this IT policy rule to True, to unlock the BlackBerry device, users might require an authenticator module for a smart card and must have a smart card driver and a BlackBerry® Smart Card Reader driver installed on their BlackBerry device.
  • Page 148: Force Smart Card Two Factor Challenge Response It Policy Rule

    The default setting is False. Usage If you set this IT policy rule to True, when the user unlocks the BlackBerry device, the device sends a challenge to the smart card to verify the authenticator module for the smart card.
  • Page 149: Lock On Smart Card Removal It Policy Rule

    If you set this IT policy rule to 0, the BlackBerry device cannot cache the key store password and cannot reduce the number of password prompts. Minimum requirements • Java® based BlackBerry device •...
  • Page 150: Maximum Smart Card User Authenticator Certificate Status Check Period It Policy Rule

    BlackBerry® device uses with smart cards. Each period, the BlackBerry device requests the status of the certificate. If the certificate is revoked, the BlackBerry device locks and the user is unable to unlock it unless the certificate status changes from On Hold to Good.
  • Page 151: Minimal Encryption Key Store Security Level It Policy Rule

    The default setting is Medium security. Usage If you set this IT policy rule to Low security, the BlackBerry device never prompts the user for the key store password when accessing the private key to encrypt messages. If you set this IT policy rule to Medium security, the BlackBerry device prompts the user for the key store password when accessing the private key to encrypt messages only if the password is cleared from the key store cache.
  • Page 152: Password Required For Application Download It Policy Rule

    The default setting is Medium security. Usage If you set this IT policy rule to Low security, the BlackBerry device never prompts the user for the key store password when accessing the private key to sign messages. If you set this IT policy rule to Medium security, the BlackBerry device prompts the user for the key store password when accessing the private key to sign messages only if the password is cleared from the key store cache.
  • Page 153: Required Password Pattern It Policy Rule

    ?: Permits any letter, number, or symbol. If you set this IT policy rule, the user can set a password greater than or equal to the length of the pattern on the BlackBerry device. Password characters that exceed the pattern length can be any letters, numbers, or symbols.
  • Page 154: Require Secure Apb Messages It Policy Rule

    Set this IT policy rule to True to make it mandatory for the BlackBerry device to delete its stored IT policy permanently, to delete all third-party applications, and to delete all user data. Minimum requirements •...
  • Page 155: Secure Wipe Delay After Lock It Policy Rule

    The default setting is a null value. Usage Use this IT policy rule to make it mandatory for the BlackBerry device to delete the user data if the user has not unlocked the device within the specified period of time.
  • Page 156: Security Service Colors It Policy Rule

    Security Service Colors IT policy rule Description This rule specifies two background colors for email messages that the BlackBerry® device receives. Set the colors in RGB hexadecimal format. The first color represents the background color of email messages that are received from the same BlackBerry® Enterprise Server that sent the IT policy.
  • Page 157: Trusted Certificate Thumbprints It Policy Rule

    This rule specifies the digest algorithms that the BlackBerry® device considers weak. When a BlackBerry device sends email messages, it uses the algorithms that it considers strong to digitally sign the messages. The BlackBerry device uses the list of weak digest algorithms to verify the following data: •...
  • Page 158: Service Exclusivity Policy Group

    The default setting is True. Usage Set this IT policy rule to False to make it mandatory to send browser data through your organization's BlackBerry® Enterprise Server, and to prevent users from installing other browser services on their BlackBerry devices.
  • Page 159: Allow Other Message Services It Policy Rule

    The default setting is True. Usage Set this rule to False to make it mandatory for BlackBerry device users in your organization to send appointments using a BlackBerry® Enterprise Server within your organization's environment. Minimum requirements •...
  • Page 160: Allow Public Google Talk Services It Policy Rule

    Set this IT policy rule to False to prevent communication using the public Google Talk service on the BlackBerry device. If you set this IT policy rule to False and users have downloaded the Google Talk for BlackBerry devices application, the Google Talk for BlackBerry devices icon remains on the Home screen.
  • Page 161: Allow Public Im Services It Policy Rule

    This rule applies to all Research In Motion® public instant messaging for BlackBerry devices applications that were released after the first availability of this rule. Yahoo!® Messenger for BlackBerry devices version 1.0 is controlled by a separate IT policy rule.
  • Page 162: Sim Application Toolkit Policy Group

    Default setting The default setting is True. Usage Set this IT policy rule to False to prevent communication using the public Yahoo! Messenger service on the BlackBerry device. Minimum requirements • Java® based BlackBerry device that is running BlackBerry® Device Software Version 3.6 •...
  • Page 163: Disable Sim Originated Calls It Policy Rule

    BlackBerry® Connect™ Transport Stack Version 4.0 Smart Dialing policy group Enable Smart Dialing Policy IT policy rule Description This rule specifies whether smart dialing for VoIP calls is available on the BlackBerry® device. Default setting The default setting is True. Minimum requirements •...
  • Page 164: Set Local Area Code It Policy Rule

    This rule specifies the local area code for phone numbers. Default setting The default setting is a null value. Dependencies The BlackBerry® device uses this IT policy rule only if you set the Enable Smart Dialing IT policy rule to True. Minimum requirements • Java® based BlackBerry device •...
  • Page 165: Smart Dialing Allow Device Changes It Policy Rule

    The default setting is a null value. Dependencies The BlackBerry® device uses this IT policy rule only if you set the Enable Smart Dialing IT policy rule to True. Minimum requirements • Java® based BlackBerry device •...
  • Page 166: Tcp Password It Policy Rule

    BlackBerry® Connect™ Transport Stack Version 4.0 TLS policy group TLS Device Side Only IT policy rule Description This rule specifies whether the BlackBerry® device and the BlackBerry® Enterprise Server can use proxy mode TLS or proxy mode HTTPS. Default setting...
  • Page 167: Tls Disable Invalid Connection It Policy Rule

    • BlackBerry® Connect™ Transport Stack Version 4.0 TLS Disable Invalid Connection IT policy rule Description This rule specifies whether to prevent the BlackBerry® device from permitting TLS connections to servers with invalid certificates. Default setting The default setting is 2.
  • Page 168: Tls Disable Weak Ciphers It Policy Rule

    • BlackBerry® Enterprise Server Version 3.6 TLS Disable Weak Ciphers IT policy rule Description This rule specifies whether to prevent the BlackBerry® device from using weak algorithms during TLS connections. Default setting The default setting is 2. Usage Set this IT policy rule to 0 to prevent weak algorithms.
  • Page 169: Tls Minimum Strong Dsa Key Length It Policy Rule

    If the user trusts the web site and selects the Don't Ask Again option, the minimum key size on the BlackBerry device is set to 512 bits. If you set the minimum key size on the BlackBerry Enterprise Server to 2048 bits, the BlackBerry device continues to prompt the user to trust every secure web site that uses a key size in its certificate that is less than 2048 bits.
  • Page 170: Tls Minimum Strong Ecc Key Length It Policy Rule

    If the user trusts the web site and selects the Don't Ask Again option, the minimum key size on the BlackBerry device is set to 160 bits. If you set the minimum key size on the BlackBerry Enterprise Server to 233 bits, the BlackBerry device continues to prompt the user to trust every secure web site that uses a key size in its certificate that is less than 233 bits.
  • Page 171: Tls Restrict Fips Ciphers It Policy Rule

    This rule specifies whether the BlackBerry® device can use an algorithm with TLS that is not FIPS-compliant. Default setting The default setting is False. Usage If the FIPS Level IT policy rule is set to 2, by default, the BlackBerry device ignores this IT policy rule and uses only algorithms that are FIPS-compliant. Minimum requirements •...
  • Page 172: Disallow Device User Requested Rollback It Policy Rule

    BlackBerry® Enterprise Server Version 4.1 SP4 Disallow Device User Requested Rollback IT policy rule Description This rule specifies whether to prevent the BlackBerry® device user from returning to a previous version of the BlackBerry® Device Software after a previously successful wireless software upgrade. Default setting The default setting is False.
  • Page 173: Disallow Patch Download Over Roaming Wan It Policy Rule

    BlackBerry® Enterprise Server Version 4.1 SP4 Disallow Patch Download Over Roaming WAN IT policy rule Description This rule specifies whether to prevent the wireless software upgrade application on the BlackBerry® device from downloading software upgrades over a WAN connection while roaming. Default setting The default setting is False.
  • Page 174: Wtls Policy Group

    BlackBerry® Enterprise Server Version 4.1 SP4 WTLS policy group WTLS Disable Invalid Connection IT policy rule Description This rule specifies whether to prevent the BlackBerry® device from permitting WTLS connections to servers with invalid certificates. Default setting The default setting is 2.
  • Page 175: Wtls Disable Weak Ciphers It Policy Rule

    • BlackBerry® Connect™ Transport Stack Version 4.0. WTLS Disable Weak Ciphers IT policy rule. Description: This rule specifies whether to prevent the BlackBerry® device from using weak algorithms during WTLS connections. Default setting: The default setting is 2. Usage: Set this IT policy rule to 0 to prevent weak algorithms.
  • Page 176: Wtls Minimum Strong Ecc Key Length It Policy Rule

    If the user trusts the web site and selects the Don't Ask Again option, the minimum key size on the BlackBerry device is set to 512 bits. If you set the minimum key size on the BlackBerry Enterprise Server to 2048 bits, the BlackBerry device continues to prompt the user to trust every secure web site that uses a key size in its certificate that is less than 2048 bits.
  • Page 177: Wtls Minimum Strong Rsa Key Length It Policy Rule

    This rule specifies whether the BlackBerry® device can use an algorithm with WTLS that is not FIPS-compliant. Default setting: The default setting is False. Usage: If the FIPS Level IT policy rule is set to 2, by default, the BlackBerry device ignores this IT policy rule and uses only algorithms that are FIPS-compliant. Minimum requirements: •...
  • Page 178 Policy Reference Guide WTLS policy group • BlackBerry® Enterprise Server Version 4.0 • BlackBerry® Connect™ Transport Stack Version 4.0...
  • Page 179: Application Control Policy Rules

    BlackBerry device. After you assign a software configuration to a BlackBerry device, you can set the BlackBerry Enterprise Server to send the software configuration to the BlackBerry device over the wireless network. The user can use the application loader tool of the BlackBerry®...
  • Page 181: Descriptions Of Application Control Policy Rules

    This rule specifies whether an application can access key store items stored at the medium security level. The application must prompt the BlackBerry® device user for the key store password when it tries to access the private key for the first time or when the private key password timeout expires.
  • Page 182: Bluetooth Serial Profile Application Control Policy Rule

    This rule specifies whether an application can access browser filter APIs to register a browser filter on the BlackBerry® device. You can use this rule to permit third-party applications to apply custom browser filters to web page content on the BlackBerry device.
  • Page 183: Device Gps Application Control Policy Rule

    Description: This rule specifies whether an application can access the GPS APIs on the BlackBerry® device. You can set this rule to prevent the application from accessing the GPS APIs on the BlackBerry device or to prompt the user before an application can access the GPS APIs.
  • Page 184: External Domains Application Control Policy Rule

    BlackBerry® device using an external protocol (such as WAP or TCP). You can also set this rule so that an application prompts the user before it makes external connections through the BlackBerry device firewall.
  • Page 185: Internal Domains Application Control Policy Rule

    BlackBerry® device using an internal protocol (for example, the BlackBerry MDS Connection Service). You can also set this rule so that an application prompts the user before it makes internal connections through the BlackBerry device firewall.
  • Page 186: Local Connections Application Control Policy Rule

    Description: This rule specifies whether an application can make calls and access call logs on the BlackBerry® device. You can set this rule to prevent the application from making any calls on the BlackBerry device or to prompt the user before making calls.
  • Page 187: Organizer Data Access Application Control Policy Rule

    Organizer Data Access application control policy rule. Description: This rule specifies whether an application can access the BlackBerry® device PIM APIs, which control access to the user's personal information on the BlackBerry device, such as the address book. Note: Permitting an application to access PIM data APIs and to use internal and external network connection protocols might permit an application to send all of the user's personal information from the BlackBerry device.
  • Page 188 User Authenticator application control policy rule This rule specifies whether an application can access the user authenticator framework API. The user authenticator framework permits the registration of drivers that provide two-factor authentication to unlock the BlackBerry® device. Currently, only smart card drivers are supported.
  • Page 189: Blackberry Mds Services Policy Rules

    Configuring how users access and use BlackBerry MDS Runtime Applications. You can create BlackBerry® MDS Integration Service device policies and assign them to users and user groups to control how users access and use BlackBerry® MDS Runtime Applications on their BlackBerry devices. Device policies define whether users can upgrade the BlackBerry MDS Runtime, and whether users can discover, install, and remove BlackBerry MDS Runtime Applications from their BlackBerry devices.
  • Page 191: Descriptions Of Blackberry Mds Services Policy Rules

    BlackBerry® Enterprise Server Version 4.1. Allow Discovery by User BlackBerry MDS Services rule. Description: This rule specifies whether users can search a BlackBerry® MDS Studio Application Repository for BlackBerry MDS Studio Applications that can be installed on their BlackBerry devices. Default setting: The default setting is True.
  • Page 192: Allow Push Application Install Blackberry Mds Services Rule

    BlackBerry® Enterprise Server Version 4.1. Allow External Access BlackBerry MDS Services rule. Description: This rule specifies whether BlackBerry® MDS Studio Applications that are installed on the BlackBerry device can access other applications and data, such as email messages and calendar entries. Default setting...
  • Page 193: Allow Access To Multiple Domains Blackberry Mds Services Rule

    Set this rule to 1 to permit BlackBerry MDS Studio Applications to retrieve data from other applications on the BlackBerry device. Set this rule to 2 to permit BlackBerry MDS Studio Applications to retrieve data from and send data to other applications on the BlackBerry device.
  • Page 194: Queue Limit For Outbound Application Messages Blackberry Mds Services Rule

    Queue Limit for Outbound Application Messages BlackBerry MDS Services rule. Description: This rule specifies the maximum number of messages to BlackBerry® MDS Studio Applications that can be queued locally on the BlackBerry device. The permitted range is 1 through 50 messages. Default setting: The default setting is 16 messages.
  • Page 195: Examples Of Security Policy Goals

    Require the BlackBerry device to generate and use the content protection key to encrypt user data while the BlackBerry device is locked. • Require the BlackBerry device to generate and use the grand master key to encrypt the master encryption key while the BlackBerry device is locked. •...
  • Page 196: Defining Acceptable Use Of Passwords And Passphrases On Blackberry Devices

    Policy Reference Guide Defining acceptable use of passwords and passphrases on BlackBerry devices Example goal Description • Specify whether the BlackBerry device can pair with another Bluetooth enabled device. • Specify whether the user can turn on and turn off the Bluetooth profiles that are on the BlackBerry device.
  • Page 197: Defining Measures To Protect Blackberry Devices From Unauthorized Use

    Scenario (continued): period of user inactivity. Example IT policy rule: Maximum Security Timeout. Example setting: 5 (minutes of idle time that is allowed before the BlackBerry device locks). Defining the encryption strength that the BlackBerry device uses to protect data. Scenario: Protect user and application data on...
  • Page 198: Restricting Unsecured Messaging

    Policy Reference Guide. Defining the encryption strength that the BlackBerry device uses to protect data. Example IT policy rule: PGP Allowed Content Ciphers. Example setting: AES (256-bit), AES (192-bit), AES (128-bit), and Triple DES. Scenario: Specify the algorithms that the BlackBerry device uses to encrypt and decrypt PGP®...
  • Page 199: Defining Measures To Prevent Threats From Viruses And Malicious Users

    Scenario: Prevent third-party Java® applications from accessing a list of domains using the BlackBerry® Browser. Example policy rule: Browser Filter Domains. Setting: addresses of the domains. Scenario: Permit a third-party Java application to send and receive messages on BlackBerry devices. Example policy rule: Message Access. Setting: Allowed.
  • Page 200: Limiting User Control Of Third-Party Applications On Blackberry Devices

    Policy Reference Guide. Defining measures to prevent threats from viruses and malicious users. Limiting user control of third-party applications on BlackBerry devices. Scenario: Prevent third-party applications from accessing serial ports or USB ports on BlackBerry® devices. Example policy rule: Allow Third Party Apps to Use; Setting: False.
  • Page 201: Preventing Rim Value-Added Applications From Running On Blackberry Devices

    RIM value-added applications using the Disable RIM Value-Added Applications IT policy rule, or you can block specific RIM value-added applications using the application-specific IT policy rules. To prevent the RIM value-added applications from running on BlackBerry Device Software version 4.5 or later, you can use any of the following application-specific methods:...
  • Page 202: Example Application Control Policies

    Example application control policies. Blocking all third-party applications: When the Disallow Third Party Application Download IT policy rule is set to True, it prevents BlackBerry® devices from downloading third-party applications over the wireless network. It does not remove existing third-party applications from the BlackBerry devices.
  • Page 203: Permit A Specific Third-Party Application While Blocking All Other Third-Party Applications

    To permit the third-party application, perform one of the following actions: • To permit the user to add the third-party application to the BlackBerry device, and to permit the user to delete the application from the BlackBerry device, set Disposition to Optional.
  • Page 205: Legal Notice

    Legal notice. ©2008 Research In Motion Limited. All rights reserved. BlackBerry®, RIM®, Research In Motion®, SureType® and related trademarks, names, and logos are the property of Research In Motion Limited and are registered and/or used in the U.S.
  • Page 206 Policy Reference Guide Legal notice REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND CONDITIONS. TO THE EXTENT PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE DOCUMENTATION TO THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE SUBJECT OF THE CLAIM.
  • Page 207 Policy Reference Guide Legal notice The terms of use of any RIM product or service are set out in a separate license or other agreement with RIM applicable thereto. NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN AGREEMENTS OR WARRANTIES PROVIDED BY RIM FOR PORTIONS OF ANY RIM PRODUCT OR SERVICE OTHER THAN THIS DOCUMENTATION.

This manual is also suitable for:

Enterprise server 33
