Blackberry Enterprise Server 33, Reference Manual

Page 1: ...Policy Reference Guide BlackBerry Enterprise Server Policy Reference Guide Version 33 Version 4 1 Service Pack 6 ...

Page 2: ...SWDT323212 469781 0930122421 001 ...

Page 3: ...Initiated Activation With Public BlackBerry MDS Integration Service IT policy rule 20 Lowest BlackBerry MDS Integration Service Security Version Allowed IT policy rule 21 Verify BlackBerry MDS Integration Service Certificate IT policy rule 21 BlackBerry Messenger policy group 22 Disable BlackBerry Messenger IT policy rule 22 Disallow Forwarding Of Contacts IT policy rule 22 Messenger Audit Email A...

Page 4: ... Disable Address Book Transfer IT policy rule 35 Disable Advanced Audio Distribution Profile IT policy rule 35 Disable Audio Video Remote Control Profile IT policy rule 36 Disable Bluetooth IT policy rule 36 Disable Desktop Connectivity IT policy rule 36 Disable Dial Up Networking IT policy rule 37 Disable Discoverable Mode IT policy rule 37 Disable File Transfer IT policy rule 37 Disable Handsfre...

Page 5: ...le 47 MDS Browser Style Sheets Enabled IT policy rule 48 MDS Browser Title IT policy rule 48 MDS Browser Use Separate Icon IT policy rule 49 Camera policy group 49 Disable Photo Camera IT policy rule 49 Disable Video Camera IT policy rule 49 Certificate Synchronization policy group 50 Random Source URL IT policy rule 50 User Can Disable Automatic RNG Initialization IT policy rule 50 Common policy ...

Page 6: ...le 63 Web Link Label IT policy rule 64 Web Link URL IT policy rule 64 Desktop policy group 65 Desktop Allow Desktop Add ins IT policy rule 65 Desktop Allow Device Switch IT policy rule 65 Desktop Password Cache Timeout IT policy rule 66 Disable Check For Updates Link IT policy rule 67 Disable Media Manager IT policy rule 67 Override Check For Updates URL IT policy rule 67 Device IOT Application po...

Page 7: ...sion IT policy rule 80 Disable Manual Download of External Images IT policy rule 81 Disable Notes Native Encryption Forward And Reply IT policy rule 81 Disable Rich Content Email IT policy rule 82 Enable Wireless Message Reconciliation IT policy rule 82 Inline Content Requests IT policy rule 83 Keep Message Duration IT policy rule 83 Keep Saved Message Duration IT policy rule 83 Maximum Native Att...

Page 8: ...y group 93 Force Memory Clean When Holstered IT policy rule 93 Force Memory Clean When Idle IT policy rule 94 Memory Cleaner Maximum Idle Time IT policy rule 94 On Device Help policy group 95 On Device Help Links IT policy rule 95 On Device Help Group Label IT policy rule 95 Password policy group 96 Duress Notification Address IT policy rule 96 Forbidden Passwords IT policy rule 96 Maximum Passwor...

Page 9: ...y rule 109 PGP Universal Enrollment Method IT policy rule 109 PGP Universal Policy Cache Timeout IT policy rule 110 PGP Universal Server Address IT policy rule 110 RIM Value Added Applications policy group 111 Disable BlackBerry Wallet IT policy rule 111 Disable Ecommerce Content Optimization Engine IT policy rule 111 Disable Lotus Connections IT policy rule 111 Lotus Connections Activities Server...

Page 10: ...d Password Caching IT policy rule 123 Allow Split Pipe Connections IT policy rule 124 Allow Third Party Apps to Use Persistent Store IT policy rule 124 Allow Third Party Apps to Use Serial Port IT policy rule 125 Certificate Status Maximum Expiry Time IT policy rule 125 Content Protection Strength IT policy rule 126 Desktop Backup IT policy rule 126 Disable 3DES Transport Crypto IT policy rule 127...

Page 11: ...ges IT policy rule 142 Firewall Whitelist Addresses IT policy rule 143 Force Content Protection Of Master Keys IT policy rule 143 Force Include Address Book In Content Protection IT policy rule 144 Force LED Blinking When Microphone Is On IT policy rule 144 Force Lock When Holstered IT policy rule 144 Force Smart Card Two Factor Authentication IT policy rule 145 Force Smart Card Two Factor Challen...

Page 12: ...e 158 Allow Public IM Services IT policy rule 159 Allow Public WLM Services IT policy rule 159 Allow Public Yahoo Messenger Services IT policy rule 159 SIM Application Toolkit policy group 160 Disable Network Location Query IT policy rule 160 Disable SIM Call Control IT policy rule 160 Disable SIM Originated Calls IT policy rule 161 Smart Dialing policy group 161 Enable Smart Dialing Policy IT pol...

Page 13: ...alid Connection IT policy rule 172 WTLS Disable Untrusted Connection IT policy rule 172 WTLS Disable Weak Ciphers IT policy rule 173 WTLS Minimum Strong DH Key Length IT policy rule 173 WTLS Minimum Strong ECC Key Length IT policy rule 174 WTLS Minimum Strong RSA Key Length IT policy rule 175 WTLS Restrict FIPS Ciphers IT policy rule 175 3 Application control policy rules 177 Understanding applica...

Page 14: ...all by User BlackBerry MDS Services rule 189 Allow Push Application Install BlackBerry MDS Services rule 190 Allow Application Delete by User BlackBerry MDS Services rule 190 Allow External Access BlackBerry MDS Services rule 190 Allow Access to Multiple Domains BlackBerry MDS Services rule 191 Queue Limit for Inbound Application Messages BlackBerry MDS Services rule 191 Queue Limit for Outbound A...

Page 15: ...rd party applications 200 Permit a specific third party application while blocking all other third party applications 201 Controlling the behavior of third party applications 201 Assign a default application control policy to control the behavior of allowed third party applications 201 8 Legal notice 203 ...

Page 16: ......

Page 17: ...Bluetooth Disable SIM Access Profile 4 6 Browser Allow Hotspot Browser 4 6 Instant Messaging Disallow File Transfer Types 4 2 Instant Messaging Disable Emailing Conversation 4 1 Instant Messaging Disable Saving Conversation 4 2 PGP Application PGP Allowed Encryption Types 4 6 RIM Value Added Applications Disable BlackBerry Wallet RIM Value Added Applications Disable Lotus Connections RIM Value Add...

Page 18: ...nterprise Server administrator sets Understanding IT policy rule names and policy group names You can use IT policy rules to control BlackBerry devices and BlackBerry Desktop Software settings in your organization IT policy rules appear in the BlackBerry Administration Service in policy groups Each policy group contains rules that can control common properties or applications on BlackBerry devices...

Page 19: ...policy rules Devices that are running BlackBerry Built In software can use all the IT policy rules that are associated with the supported features of the specific BlackBerry Built In implementation Devices that are running the BlackBerry Application Suite can use all the IT policy rules that are associated with the supported features of the BlackBerry Application Suite IT policy rules that are ass...

Page 20: ......

Page 21: ...ckBerry Device Software Version 4 7 BlackBerry Enterprise Server Version 4 1 SP6 Disable Carrier Directory IT policy rule Description This rule specifies whether to prevent the user from having access to the carrier directory in the application center on the BlackBerry device Default setting The default setting is False Usage Set this rule to True to prevent the user from having access to the carr...

Page 22: ... Enterprise Server Version 4 1 SP2 Disable MDS Runtime IT policy rule Description This rule specifies whether the BlackBerry MDS Runtime is available on the BlackBerry device Default setting The default setting is False Usage Set this IT policy rule to True to prevent the user from activating the BlackBerry MDS Runtime Minimum requirements Java based BlackBerry device BlackBerry Device Software Ve...

Page 23: ...ting is 1 Usage Set this IT policy rule to 1 to permit BlackBerry devices that are running BlackBerry MDS Runtime Version 1 1 or later to communicate with all versions of the BlackBerry MDS Integration Service Set this IT policy rule to 2 to permit BlackBerry devices that are running BlackBerry MDS Runtime Version 1 1 or later to communicate with BlackBerry MDS Integration Service Version 4 1 SP2 ...

Page 24: ...ue to turn off BlackBerry Messenger This might help prevent risks associated with PIN messaging For more information about PIN messaging risks see the BlackBerry Enterprise Solution Security Technical Overview Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 3 6 BlackBerry Enterprise Server Version 4 0 SP2 Disallow Forwarding Of Contacts IT policy rule Descripti...

Page 25: ...cy rule Description This rule specifies the maximum amount of time in hours between BlackBerry Messenger audit reports sent by the BlackBerry device when there is no new data The permitted range is 1 through 8736 hours Default setting The default setting is 168 hours Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 3 6 BlackBerry Enterprise Server Version 4 0 SP...

Page 26: ...y device BlackBerry Device Software Version 3 6 BlackBerry Enterprise Server Version 4 0 SP2 BlackBerry Smart Card Reader policy group For more information about using the BlackBerry Smart Card Reader with computers and BlackBerry devices see the BlackBerry Enterprise Solution Security Technical Overview and the BlackBerry Smart Card Reader Security Technical Overview Disable Auto Reconnect To Bla...

Page 27: ...ader are deleted after the connection closes Default setting The default setting is False The secure pairing keys are not deleted from the BlackBerry device or the computer Usage If you set this IT policy rule to True the user cannot change this feature on the BlackBerry device Dependencies The BlackBerry device uses this IT policy rule only if the Maximum BlackBerry Disconnect Timeout IT policy r...

Page 28: ...d from the BlackBerry device Usage If you specify a value the user cannot turn off this timeout but can change the Disconnected Timeout field on the BlackBerry device to a lower value If you do not specify a value the user can change the Disconnected Timeout value to any value Dependencies The setting of this rule affects how the BlackBerry device uses the Force Erase All Keys on BlackBerry Discon...

Page 29: ...sed BlackBerry device BlackBerry Device Software Version 4 0 BlackBerry Enterprise Server Version 4 0 SP2 Exceptions The BlackBerry Enterprise Server for Novell GroupWise does not support this IT policy rule Maximum BlackBerry Long Term Timeout IT policy rule Description Thisrulespecifiesthemaximumtime inhours aftertheBlackBerry deviceandtheBlackBerry SmartCardReaderestablish secure pairing inform...

Page 30: ...rry Smart Card Reader Default setting The default setting is a null value Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 0 BlackBerry Smart Card Reader software Version 1 5 1 BlackBerry Enterprise Server Version 4 0 SP7 Maximum Bluetooth Range IT policy rule Description This rule specifies the maximum power range that the BlackBerry Smart Card Reader uses to...

Page 31: ...he Bluetooth connection between the BlackBerry device or computer and the BlackBerry Smart Card Reader open and the secure pairing keys present If you specify a value the user cannot turn off the heartbeat period but can change the Connection Heartbeat Period field on the BlackBerry device or computer to a lower value If you do not specify a value the user can change the Connection Heartbeat Perio...

Page 32: ...ser can change the Number of Transactions field to any value Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 0 BlackBerry Enterprise Server Version 4 0 SP2 Exceptions The BlackBerry Enterprise Server for Novell GroupWise does not support this IT policy rule Maximum Number of PC Pairings IT policy rule Description This rule specifies the maximum number of comp...

Page 33: ... to a lower value If you do not specify a value the user can change the Inactivity Timeout field to any value Minimum requirements BlackBerry Smart Card Reader software Version 1 5 BlackBerry Enterprise Server Version 4 0 SP5 Exceptions The BlackBerry Enterprise Server for Novell GroupWise does not support this IT policy rule Maximum Number of PC Transactions IT policy rule Description This rule s...

Page 34: ...cify a value the user cannot turn off this timeout but can change the Disconnected Timeout field in the BlackBerry Smart Card Reader options on the computer to a lower value If you do not specify a value the user can change the Disconnected Timeout field to any value Minimum requirements BlackBerry Smart Card Reader software Version 1 5 BlackBerry Enterprise Server Version 4 0 SP5 Exceptions The B...

Page 35: ...escription This rule specifies the maximum time in seconds after the user removes the smart card from the BlackBerry Smart Card Reader that the secure pairing information is deleted from the BlackBerry device and the BlackBerry Smart Card Reader Default setting The default setting is a null value The secure pairing information is not deleted from the BlackBerry device Usage If you specify a value ...

Page 36: ...iption This rule specifies whether to prevent applications for the BlackBerry Unite software from running on the BlackBerry device Default setting The default setting is False Minimum requirements Java based BlackBerry device BlackBerry Device Software version 4 2 2 BlackBerry Enterprise Server version 4 1 SP6 Bluetooth policy group For more information about Bluetooth security on BlackBerry devic...

Page 37: ...s book data with supported Bluetooth enabled devices Default setting The default setting is False Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 1 BlackBerry Enterprise Server Version 4 0 SP3 Disable Advanced Audio Distribution Profile IT policy rule Description This rule specifies whether a Bluetooth enabled BlackBerry device can use the Bluetooth A2DP Defa...

Page 38: ... is turned off Default setting The default setting is False Usage If Bluetooth technology is turned on when the BlackBerry device receives this IT policy rule the BlackBerry device must be reset for the change to take effect Minimum requirement Java based BlackBerry device BlackBerry Device Software Version 3 8 BlackBerry Enterprise Server Version 4 0 BlackBerry Connect Transport Stack Version 4 0...

Page 39: ...Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 2 BlackBerry Enterprise Server Version 4 0 SP6 Disable Discoverable Mode IT policy rule Description This rule specifies whether to prevent BlackBerry device users from making their BlackBerry devices discoverable A BlackBerry device that is discoverable can be found by other Bluetooth enabled devices in range of...

Page 40: ...tting is False Usage The BlackBerry device uses the Bluetooth HFP to connect to most car kits and some headsets Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 3 8 BlackBerry Enterprise Server Version 4 0 BlackBerry Connect Transport Stack Version 4 0 Exceptions The BlackBerry Enterprise Server for Novell GroupWise supports this IT policy rule in BlackBerry Dev...

Page 41: ...lt setting The default setting is False Usage After the BlackBerry device pairs with a supported Bluetooth enabled device you can use this IT policy rule to prevent the BlackBerry device from pairing with other Bluetooth enabled devices Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 3 8 BlackBerry Enterprise Server Version 4 0 BlackBerry Connect Transport Stac...

Page 42: ...r Disable SIM Access Profile IT policy rule Disable Wireless Bypass IT policy rule Description This rule specifies whether to prevent the BlackBerry device from using wireless bypass using Bluetooth technology Default setting The default setting is True Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 1 BlackBerry Enterprise Server Version 4 0 SP3 Force CHAP A...

Page 43: ...ies The BlackBerry device uses this IT policy rule only if the Disable Discovery Mode IT policy rule is set to False Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 5 BlackBerry Enterprise Server Version 4 1 SP5 Minimum Encryption Key Length IT policy rule Description This rule specifies the minimum encryption key length in bytes that the BlackBerry device us...

Page 44: ...device is connected to a Bluetooth enabled device Default setting The default setting is False Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 2 BlackBerry Enterprise Server Version 4 0 SP6 Require Password for Discoverable Mode IT policy rule Description This rule specifies whether it is mandatory for the user to type the BlackBerry device password before th...

Page 45: ...4 0 SP3 Browser policy group IT policy rules in the Browser policy group apply to all browser configurations on the BlackBerry device Allow Application Download Services IT policy rule Description This rule specifies whether application download service icons appear on the BlackBerry device when the wireless service provider assigns a service to the BlackBerry device and the appropriate service bo...

Page 46: ...ersion 4 6 BlackBerry Enterprise Server Version 4 1 SP6 Allow IBS Browser IT policy rule Description This rule specifies whether a separate icon appears on the BlackBerry device if the appropriate service books are present for BlackBerry Internet Service Browsing Default setting The default setting is True Usage Set this IT policy rule to False to hide the separate browser icon Minimum requirement...

Page 47: ...Default setting The default setting is False Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 0 BlackBerry Enterprise Server Version 4 0 BlackBerry Connect Transport Stack Version 4 0 internal Download Images URL IT policy rule Description This rule specifies a web address that provides additional pictures for the BlackBerry device Default setting The default ...

Page 48: ...sed BlackBerry device BlackBerry Device Software Version 4 1 BlackBerry Enterprise Server Version 4 0 SP3 MDS Browser BSM Enabled IT policy rule Description This rule specifies whether the browser session manager is turned on in the BlackBerry Browser Default setting The default setting is True Usage The browser session manager is designed to improve BlackBerry Browser performance by helping the B...

Page 49: ... ca www yahoo ca Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 2 BlackBerry Enterprise Server Version 4 0 SP6 MDS Browser HTML Tables Enabled IT policy rule Description This rule specifies whether support for HTML tables is turned on in the BlackBerry Browser Default setting The default setting is False Minimum requirements Java based BlackBerry device Blac...

Page 50: ...Berry device BlackBerry Device Software Version 4 0 2 BlackBerry Enterprise Server Version 4 0 SP2 BlackBerry Connect Transport Stack Version 4 0 internal MDS Browser Title IT policy rule Description This rule specifies the name that appears on the Home screen for the BlackBerry Browser icon Default setting The default setting is BlackBerry Browser Minimum requirements Java based BlackBerry device...

Page 51: ...Version 4 2 BlackBerry Enterprise Server Version 4 0 SP6 Camera policy group Disable Photo Camera IT policy rule Description This rule specifies whether the camera is available on the BlackBerry device Default setting The default setting is False Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 2 BlackBerry Enterprise Server Version 4 0 SP6 Disable Video Camer...

Page 52: ... the BlackBerry device the certificate synchronization tool of the BlackBerry Desktop Manager can use the web address to retrieve random data to add to the BlackBerry device Default setting The default setting is a null value Minimum requirements S MIME Support Package for BlackBerry devices Version 4 0 BlackBerry Desktop Software Version 4 0 BlackBerry Enterprise Server Version 4 0 Exceptions The...

Page 53: ...ns internal and external connections through the firewall by default Default setting The default setting is a null value Usage Set this IT policy rule to 4 0 to support application control features This IT policy rule is obsolete in BlackBerry Enterprise Server Version 4 1 and later Minimum requirements Java based BlackBerry device that is running BlackBerry Device Software Version 4 0 C based Bla...

Page 54: ...kBerry devices Default setting The default setting is False Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 2 BlackBerry Enterprise Server Version 4 0 SP6 Disable MMS IT policy rule Description This rule specifies whether to prevent the BlackBerry device user from sending and receiving MMS messages Default setting The default setting is False Usage Set this I...

Page 55: ...cy rule Description This rule specifies whether the voice note recording feature on the BlackBerry device is turned on Default setting The default setting is False Usage Set this rule to True to turn off the voice note recording feature and prevent applications on the BlackBerry device from accessing it Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 3 BlackB...

Page 56: ...ed using the Set Owner Info IT Policy rule Set this IT policy rule to 2 to lock the text that is defined using the Set Owner Name IT Policy rule Set this IT policy rule to 3 to lock the text that is defined using the Set Owner Info and Set Owner Name IT policy rules You can overwrite this information by sending the Set Owner Information IT administration command to the BlackBerry device Dependenci...

Page 57: ...ware Version 2 7 BlackBerry Enterprise Server Version 4 0 BlackBerry Connect Transport Stack Version 4 0 Exceptions The BlackBerry Enterprise Server for Novell GroupWise supports this IT policy rule only for Java based devices Set Owner Name IT policy rule Description This rule specifies the owner name that appears on the BlackBerry device Default setting The default setting is a null value Usage ...

Page 58: ...k up the BlackBerry device data automatically set this rule to True Automatic backups can help provide recent BlackBerry device data for recovery if you need to replace a lost or stolen BlackBerry device Dependencies The BlackBerry Enterprise Server for Novell GroupWise supports this rule with the BlackBerry Web Desktop Manager only Minimum requirements BlackBerry Desktop Software version 3 5 or B...

Page 59: ...his rule specifies whether application data that is synchronized with desktop organizer applications is excluded when an automatic backup occurs Default setting The default setting is False Dependencies If you set this rule to True you must set the Auto Backup Include All IT policy rule to False The BlackBerry Enterprise Server for Novell GroupWise supports this rule with the BlackBerry Web Deskto...

Page 60: ...ange supports this rule in BlackBerry Enterprise Server versions 3 5 and later Auto Backup Include All IT policy rule Description This rule specifies whether all BlackBerry device data is included when an automatic backup occurs Default setting The default setting is True Usage If you set this rule to True in the backup and restore tool options the Backup all device application data option is sele...

Page 61: ...e Server for Microsoft Exchange supports this IT policy rule in BlackBerry Enterprise Server Version 3 5 and later The BlackBerry Enterprise Server for Novell GroupWise does not support this IT policy rule Do Not Save Sent Messages IT policy rule Description This rule specifies whether the BlackBerry device saves a copy of each email message that the user sends in the sent messages folder on the u...

Page 62: ...the BlackBerry Desktop Manageror BlackBerry Web Desktop Manager automatically checks whether newer versions of the software are available and prompts the user to update the BlackBerry device Dependencies TheBlackBerry EnterpriseServerforNovell GroupWise supportsthisruleonlywiththeBlackBerryWebDesktopManager Minimum requirements BlackBerry Desktop Software version 3 5 or BlackBerry Web Desktop Mana...

Page 63: ... sets this value Default setting The default setting is True By default the BlackBerry device receives messages from the inbox only Usage When you set this IT policy rule the option changes in the email settings tool of the BlackBerry Desktop Manager Minimum requirements BlackBerry Desktop Software Version 3 5 BlackBerry Enterprise Server Version 4 0 Exceptions The BlackBerry Enterprise Server for...

Page 64: ... The default setting is a null value Minimum requirements BlackBerry Desktop Software Version 3 5 BlackBerry Enterprise Server Version 4 0 Exceptions The BlackBerry Enterprise Server for Microsoft Exchange supports this IT policy rule in BlackBerry Enterprise Server Version 3 5 and later The BlackBerry Enterprise Server for Novell GroupWise does not support this IT policy rule Show Application Loa...

Page 65: ...fault web address is set using the Web Link URL IT policy rule Minimum requirements BlackBerry Desktop Software Version 3 5 BlackBerry Enterprise Server Version 4 0 Exceptions The BlackBerry Enterprise Server for Microsoft Exchange supports this IT policy rule in BlackBerry Enterprise Server Version 3 5 and later The BlackBerry Enterprise Server for Novell GroupWise does not support this IT policy...

Page 66: ...quirements Dependencies If you set this IT policy rule for the web link icon to appear you must also set the Show Web Link IT policy rule to True Minimum requirements BlackBerry Desktop Software Version 3 5 BlackBerry Enterprise Server Version 4 0 Exceptions TheBlackBerryEnterpriseServerforMicrosoft Windows supportsthisITpolicyruleinBlackBerryEnterpriseServerVersion 3 5 and later The BlackBerry En...

Page 67: ...ktop Software can run add in applications such as third party COM based extensions that access the BlackBerry device databases during synchronization Default setting The default setting is True Minimum requirements BlackBerry Desktop Software Version 3 6 SP1 BlackBerry Enterprise Server Version 4 0 Exceptions The BlackBerry Enterprise Server for Microsoft Exchange supports this IT policy rule in B...

Page 68: ... later Desktop Password Cache Timeout IT policy rule Description This rule specifies the length of time in minutes that the BlackBerry Desktop Software or BlackBerry Web Desktop Manager caches the BlackBerry device password in memory Default setting The default setting is 10 minutes Usage If you set this rule to 0 the BlackBerry device clears the password from memory when the user disconnects the ...

Page 69: ...ager IT policy rule Description This rule specifies whether the media manager tool of the BlackBerry Desktop Manager is available Default setting The default setting is False Usage Set this IT policy rule to True to permit the user to access an external file system using the media manager tool Minimum requirements Java based BlackBerry device BlackBerry Desktop Software Version 4 2 BlackBerry Ente...

Page 70: ...g The default setting is False Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 2 BlackBerry Enterprise Server Version 4 0 SP6 Set Diagnostic Report Email Address IT policy rule Description This rule specifies one or more email addresses that should receive diagnostic reports Separate multiple email addresses with a comma Default setting The default setting is...

Page 71: ...kBerry device that is running BlackBerry Device Software Version 3 6 C based BlackBerry device that is running BlackBerry Device Software Version 2 5 BlackBerry Enterprise Server Version 4 0 BlackBerry Connect Transport Stack Versions 1 2 2 0 2 1 4 0 Exceptions The BlackBerry Enterprise Server for Microsoft Exchange supports this IT policy rule in BlackBerry Enterprise Server Version 3 5 or later ...

Page 72: ...or Microsoft Exchange supports this IT policy rule in BlackBerry Enterprise Server Version 3 5 or later The BlackBerry Enterprise Server for Novell GroupWise supports this IT policy rule only for Java based BlackBerry devices that are running BlackBerry Device Software Version 4 0 or later Allow SMS IT policy rule Description This rule specifies whether users can send SMS text messages Default set...

Page 73: ...s see the Browser policy group Default setting The default setting is a null value Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 3 6 BlackBerry Enterprise Server Version 4 0 BlackBerry Connect Transport Stack Version 4 0 internal Exceptions The BlackBerry Enterprise Server for Microsoft Exchange supports this IT policy rule in BlackBerry Enterprise Server Ver...

Page 74: ...es whether a separate icon appears on the BlackBerry device if the appropriate service books are present for the WAP Browser For more information about the browser configurations available on BlackBerry devices see the Browser policy group Default setting The default setting is True Usage Set this IT policy rule to False to turn off the WAP service and hide the WAP Browser icon on the BlackBerry d...

Page 75: ... running BlackBerry Device Software Version 2 5 BlackBerry Enterprise Server Version 4 0 BlackBerry Connect Transport Stack Version 4 0 internal Exceptions The BlackBerry Enterprise Server for Microsoft Exchange supports this IT policy rule in BlackBerry Enterprise Server Version 3 5 or later The BlackBerry Enterprise Server for Novell GroupWise supports this IT policy rule only for Java based Bla...

Page 76: ...n change the BlackBerry Browser home page Default setting The default setting is False Minimum requirements Java based BlackBerry device that is running BlackBerry Device Software Version 3 6 C based BlackBerry device that is running BlackBerry Device Software Version 2 5 BlackBerry Enterprise Server Version 4 0 BlackBerry Connect Transport Stack Version 4 0 internal Exceptions The BlackBerry Ente...

Page 77: ...ice password The permitted range is 4 through 14 characters Default setting The default setting is a null value Dependencies The BlackBerry device uses this IT policy rule only if the Password Required IT policy rule is set to True IftheFIPSLevelITpolicyruleissetto2 bydefault theBlackBerrydevicerequiresaminimumpasswordlengthof5characters Minimum requirements Java based BlackBerry device that is ru...

Page 78: ...hat use a natural sequence of characters or numbers If a symbol is inserted into a natural sequence the BlackBerry device can use the password Minimum requirements Java based BlackBerry device that is running BlackBerry Device Software Version 3 6 C based BlackBerry device that is running BlackBerry Device Software Version 2 5 BlackBerry Enterprise Server Version 4 0 BlackBerry Connect Transport S...

Page 79: ...tware Version 4 0 or later User Can Change Timeout IT policy rule Description This rule specifies whether the BlackBerry device user can override the security timeout value Default setting The default setting is True Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 3 6 BlackBerry Enterprise Server Version 4 0 BlackBerry Connect Transport Stack Versions 1 2 2 0 2...

Page 80: ...3 5 BlackBerry Connect Transport Stack Versions 1 2 2 0 2 1 4 0 Exceptions The BlackBerry Enterprise Server for Novell GroupWise supports this IT policy rule in BlackBerry Enterprise Server Version 4 0 or later The BlackBerry Enterprise Server for Novell GroupWise supports this IT policy rule only on Java based BlackBerry devices Documents To Go policy group Disable Documents To Go IT policy rule ...

Page 81: ...cription This rule specifies whether to hide the premium DataViz Documents To Go features that are not available on BlackBerry devices that are running the standard edition of the Documents To Go application Default setting The default setting is False Dependencies If you set the Disable Documents To Go IT policy rule to True the BlackBerry device ignores this rule Minimum requirements Java based ...

Page 82: ...vice is connected to the BlackBerry Enterprise Server using the BlackBerry Attachment Connector Setting this rule to False does not prevent downloading or viewing native attachments on the BlackBerry device Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 2 BlackBerry Enterprise Server Version 4 0 SP6 Exceptions The BlackBerry Enterprise Server for Microsoft E...

Page 83: ...o encrypted email messages from their BlackBerry devices By default BlackBerry device users with support for reading IBM Lotus Domino encrypted email messages on their BlackBerry devices can forward or reply to an encrypted email message which was received decrypted and decompressed on the device The BlackBerry Messaging Agent for IBM Lotus Domino decrypts the email message before the BlackBerry d...

Page 84: ...efault setting The default setting is True Usage If you set this IT policy rule to True or if it is not part of the IT policy that you assigned to the user by default wireless email reconciliation is turned on for both the BlackBerry device and the BlackBerry Enterprise Server Minimum requirements Java based BlackBerry device that is running BlackBerry Device Software Version 3 6 C based BlackBerr...

Page 85: ...ration IT policy rule Description Thisrulespecifiesthemaximumtime indays thattheBlackBerry devicekeepsmessages Thepermittedrangeis 1through 180 days Default setting The default setting is 1 The BlackBerry device keeps messages indefinitely Usage Set this IT policy rule to 0 or 1 to keep messages on the BlackBerry device indefinitely Minimum requirements Java based BlackBerry device BlackBerry Devi...

Page 86: ... size in bytes of a standard attachment that can be uploaded from the BlackBerry device The permitted range is 0 MB through 3 MB Default setting The default setting is 3 MB Minimum requirements Java based BlackBerry device BlackBerry Device Software version 4 2 BlackBerry Enterprise Server version 4 0 SP6 Maximum Native Attachment MFH total attachment size IT policy rule Description This rule spec...

Page 87: ...it www blackberry com knowledgecenterpublic livelink exe func ll objld 1295085 to read Prevent the BlackBerry Enterprise Server from storing the password for decrypting IBM Lotus Notes encrypted messages Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 3 BlackBerry Enterprise Server Version 4 1 SP5 Prepend Disclaimer IT policy rule Description This rule specif...

Page 88: ...scription This rule specifies whether the BlackBerry device can use a DTMF call format for outgoing calls if outgoings calls using the protocol format fail due to inadequate wireless coverage levels The DTMF call format uses weaker authentication than the protocol call format Default setting The default setting is False Usage Set this IT policy rule to True to prevent outgoing calls if the protoco...

Page 89: ...ription This rule specifies whether incoming calls are accepted only if they are sent through the BlackBerry Enterprise Server Default setting The default setting is False Minimum requirements Java based BlackBerry device BlackBerry Enterprise Server Version 4 1 SP4 Firewall policy group Restrict Incoming Cellular Calls IT policy rule Description This rule specifies whether the BlackBerry device f...

Page 90: ... Software Version 4 3 BlackBerry Enterprise Server Version 4 1 SP5 Restrict Outgoing Cellular Calls IT policy rule Description This rule specifies whether the BlackBerry device firewall blocks calls that the user makes unless the calls use a set fixed dialing pattern This IT policy rule does not affect emergency calls Default setting The default setting is a null value Usage Type one or more fixed...

Page 91: ... BlackBerry Device Software Version 3 6 C based BlackBerry device that is running BlackBerry Device Software Version 2 5 BlackBerry Enterprise Server Version 4 0 BlackBerry Connect Transport Stack Versions 1 2 2 0 2 1 4 0 internal Exceptions The BlackBerry Enterprise Server for Microsoft Exchange supports this IT policy rule in BlackBerry Enterprise Server Version 3 5 or later The BlackBerry Enter...

Page 92: ...olicy rule Description This rule specifies the signature that is attached to outgoing email messages automatically Default setting The default setting is a null value Usage Use this IT policy rule to add a disclaimer to the end of email messages that are sent from the BlackBerry device Minimum requirements BlackBerry Desktop Software Version 3 5 BlackBerry Enterprise Server Version 4 0 obsolete in...

Page 93: ...on 4 1 SP6 Disable Emailing Conversation IT policy rule Description This rule specifies whether the user can send an instant messaging conversation in an email message from the BlackBerry device Default setting The default setting is False Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 1 BlackBerry Enterprise Server Version 4 1 SP6 Disable Saving Conversatio...

Page 94: ...Berry device user must click Yes when prompted to allow location tracking on the BlackBerry device Default setting The default setting is False The default interval is 15 minutes Usage Set this rule to True to allow the BlackBerry device user to make it mandatory for the BlackBerry device to report its location to the BlackBerry Enterprise Server at regular intervals You can use the Enterprise Loc...

Page 95: ...erry Enterprise Server The permitted range is 15 through 60 minutes Default setting The default setting is 15 minutes Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 2 1 BlackBerry Enterprise Server Version 4 1 SP3 Memory Cleaner policy group For more information about cleaning the BlackBerry device memory see the BlackBerry Enterprise Solution Security Techn...

Page 96: ...on 1 5 BlackBerry Enterprise Server Version 4 0 SP3 BlackBerry Connect Transport Stack Version 4 0 Exceptions The BlackBerry Enterprise Server for Novell GroupWise does not support this IT policy rule Memory Cleaner Maximum Idle Time IT policy rule Description This rule specifies the maximum user inactivity time in minutes before the BlackBerry device cleans the memory Default setting The default ...

Page 97: ... multiple links you should also set the On Device Help Group Label IT policy rule Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 1 BlackBerry Enterprise Server Version 4 0 SP3 On Device Help Group Label IT policy rule Description This rule specifies a label to use for multiple links in the help on the BlackBerry device Default setting The default setting is ...

Page 98: ...alf Each time that the user types a password to unlock the BlackBerry device the BlackBerry device must confirm whether the password is either the correct password or the correct duress password Default setting The default setting is a null value Usage Set this IT policy rule to allow users to notify your administrators that the BlackBerry device might have been stolen Instruct users on how to use...

Page 99: ...swords against to prevent reusing old passwords Default setting The default setting is 0 Usage If this IT policy rule is set to 0 password checking is turned off Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 3 6 BlackBerry Enterprise Server Version 4 0 BlackBerry Connect Transport Stack Versions 1 2 2 0 2 1 4 0 Exceptions The BlackBerry Enterprise Server for ...

Page 100: ...he timeout settings on the BlackBerry device Minimum requirements Java based BlackBerry device BlackBerry Device Software version 4 0 BlackBerry Enterprise Server version 4 0 BlackBerry Connect Transport Stack version 4 0 Set Maximum Password Attempts IT policy rule Description This rule specifies the number of password attempts before the BlackBerry device erases all of the application data Defau...

Page 101: ...t rule to False the user can set the security timeout to any value Minimum requirements Java based BlackBerry device BlackBerry Device Software version 3 6 BlackBerry Enterprise Server version 4 0 BlackBerry Connect Transport Stack versions 1 2 2 0 2 1 4 0 Exceptions The BlackBerry Enterprise Server for Microsoft Exchange supports this IT policy rule in BlackBerry Enterprise Server Version 3 6 and...

Page 102: ...ization IT policy rule Description This rule specifies whether wireless data synchronization for the address book is turned off on the BlackBerry device Default setting The default setting is False Minimum requirements Java based BlackBerry device that is running BlackBerry Device Software Version 4 0 C based BlackBerry device that is running BlackBerry Device Software Version 2 7 BlackBerry Enter...

Page 103: ...urned off Default setting The default setting is False Minimum requirements Java based BlackBerry device that is running BlackBerry Device Software Version 4 0 C based BlackBerry device that is running BlackBerry Device Software Version 2 7 BlackBerry Enterprise Server Version 4 0 BlackBerry Connect Transport Stack Version 4 0 internal Exceptions The BlackBerry Enterprise Server for Novell GroupWi...

Page 104: ...ransport Stack Version 4 0 internal Exceptions The BlackBerry Enterprise Server for Novell GroupWise supports this IT policy rule only for Java based BlackBerry devices Disable Phone Call Log Wireless Synchronization IT policy rule Description This rule specifies whether wireless data synchronization for call logs is turned off Default setting The default setting is False Minimum requirements Java...

Page 105: ... rule to False the BlackBerry Enterprise Server logs all SMS text messages in unencrypted format to the specified log file Make sure that the log file is in a location which restricts internal and external user access Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 1 BlackBerry Enterprise Server Version 4 1 Exceptions The BlackBerry Enterprise Server for Nove...

Page 106: ...cted from the computer during the initial data transfer the BlackBerry Desktop Software sends the remaining data over the wireless network Minimum requirements Java based BlackBerry device that is running BlackBerry Device Software Version 4 0 C based BlackBerry device that is running BlackBerry Device Software Version 2 7 BlackBerry Enterprise Server Version 4 0 BlackBerry Connect Transport Stack...

Page 107: ...vice is designed to encrypt email messages using Triple DES encryption if it does not know the decryption capabilities available to the recipient Dependencies If the FIPS Level IT policy rule is set to 2 the BlackBerry device uses AES 256 bit AES 192 bit AES 128 bit and Triple DES encryption Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 1 PGP Support Packag...

Page 108: ...on and conventional encryption Usage Set this rule PGP key based encryption only Set this rule to Conventional encryption only Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 6 BlackBerry Enterprise Server Version 4 1 SP6 PGP Support Package for BlackBerry devices Version 4 0 PGP Blind Copy Address IT policy rule Description This rule specifies an email addre...

Page 109: ...ver Version 4 0 SP2 Exceptions The BlackBerry Enterprise Server for Novell GroupWise does not support this IT policy rule PGP Force Encrypted Messages IT policy rule Description This rule specifies whether the BlackBerry device sends all PGP protected messages encrypted Default setting The default setting is False Usage If you apply this IT policy rule you might override secure email policy settin...

Page 110: ...ry Enterprise Server for Novell GroupWise does not support this IT policy rule PGP Minimum Strong DSA Key Length IT policy rule Description This rule specifies the minimum DSA key size in bits to use with PGP protected messages Default setting The default setting is 1024 bits Dependencies Set the Disable Weak Certificate Use IT policy rule to True to prevent users from sending email messages using...

Page 111: ...rry Enterprise Server for Novell GroupWise does not support this IT policy rule PGP Universal Enrollment Method IT policy rule Description This rule specifies the method that users must use to enroll with the PGP Universal Server from their BlackBerry devices Default setting The default setting is 1 Usage Set this IT policy rule to 1 to prompt users to type their user name and password Set this IT...

Page 112: ... policy rule PGP Universal Server Address IT policy rule Description This rule specifies the address of your organization s PGP Universal Server The PGP Universal Server applies secure email policies that the PGP Universal Server administrator sets Default setting The default setting is a null value Usage Set this IT policy rule to require the user to register with the PGP Universal Server When re...

Page 113: ... requirements Java based BlackBerry device BlackBerry Device Software Version 4 6 BlackBerry Enterprise Server Version 4 1 SP6 Disable Ecommerce Content Optimization Engine IT policy rule Description This rule specifies whether to prevent the ecommerce content optimization engine for the BlackBerry Browser from running on the BlackBerry device Default setting The default setting is False Minimum r...

Page 114: ...n use the specified server address only If you do not set this rule users must specify the server address manually Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 6 BlackBerry Enterprise Server Version 4 1 SP6 Lotus Connections Blogs Server IT policy rule Description This rule specifies the address of the server that hosts the IBM Lotus Connections Blogs comp...

Page 115: ...BlackBerry Device Software Version 4 6 BlackBerry Enterprise Server Version 4 1 SP6 Lotus Connections Dogear Server IT policy rule Description This rule specifies the address of the server that hosts the IBM Lotus Connections Dogear component Default setting The default setting is a null value Usage If you set this rule users can use the specified server address only If you do not set this rule us...

Page 116: ...ckage for BlackBerry devices see the S MIME Support Package for BlackBerry Devices Security Technical Overview Entrust Messaging Server EMS Email Address IT policy rule Description This rule specifies the email address for your organization s Entrust Entelligence messaging server Default setting The default setting is a null value Usage Set this IT policy rule to a null value if your organization ...

Page 117: ... RC2 40 bit To maintain compatibility with most S MIME clients use Triple DES encryption and one of the RC2 algorithms By default the BlackBerry device is designed to encrypt email messages using Triple DES encryption if it does not know the decryption capabilities available to the recipient Dependencies If the FIPS Level IT policy rule is set to 2 the BlackBerry device uses AES 256 bit AES 192 bi...

Page 118: ...IT policy rule Description This rule specifies the types of encryption that the BlackBerry device can use with S MIME protected messaging Default setting The default setting is Both use certificate based encryption and password based encryption Usage Set this rule to Certificate based encryption only Set this rule to Password based encryption only Minimum requirements Java based BlackBerry device ...

Page 119: ...t setting is False Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 3 6 S MIME Support Package for BlackBerry devices Version 1 5 BlackBerry Enterprise Server Version 3 6 BlackBerry Connect Transport Stack Version 4 0 Exceptions The BlackBerry Enterprise Server for Novell GroupWise does not support this IT policy rule S MIME Force Encrypted Messages IT policy ru...

Page 120: ...Support Package for BlackBerry devices Version 1 5 BlackBerry Enterprise Server Version 3 6 BlackBerry Connect Transport Stack Version 4 0 Exceptions The BlackBerry Enterprise Server for Novell GroupWise does not support this IT policy rule S MIME Minimum Strong DH Key Length IT policy rule Description This rule specifies the minimum Diffie Hellman key size in bits to use with S MIME protected mes...

Page 121: ...ackBerry Enterprise Server for Novell GroupWise does not support this IT policy rule S MIME Minimum Strong DSA Key Length IT policy rule Description This rule specifies the minimum DSA key size in bits to use with S MIME protected messages Default setting The default setting is 1024 bits Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 3 6 S MIME Support Package...

Page 122: ...or BlackBerry devices see the S MIME Support Package for BlackBerry Devices Security Technical Overview Canonical Certificate Domain Name IT policy rule Description This rule specifies the domain name used for the email addresses contained in certificates issued within your organization Default setting The default setting is False Usage Consider setting this IT policy rule to True if your organiza...

Page 123: ...Enterprise Server Version 4 0 SP6 Security policy group Allow External Connections IT policy rule Description This rule specifies whether applications including third party applications can initiate external connections for example to WAP gateways Default setting The default setting is True Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 3 6 BlackBerry Enterpri...

Page 124: ...er The BlackBerry Enterprise Server for Novell GroupWise supports this IT policy rule in BlackBerry Device Software Version 4 0 and later Allow Outgoing Call When Locked IT policy rule Description This rule specifies whether users can place calls while the BlackBerry device is locked Default setting The default setting is False Minimum requirements Java based BlackBerry device BlackBerry Device So...

Page 125: ...ise Server Version 4 1 SP4 Allow Smart Card Password Caching IT policy rule Description This rule specifies whether the BlackBerry device can cache the smart card password Default setting The default setting is False Usage Set this IT policy rule to True to cache the smart card password for the period of time set by the private key timeout The memory cleaner application deletes the password when t...

Page 126: ...nnect Transport Stack Version 4 0 Exceptions The BlackBerry Enterprise Server for Microsoft Exchange supports this IT policy rule in BlackBerry Enterprise Server Version 3 6 and later The BlackBerry Enterprise Server for Novell GroupWise supports this IT policy rule in BlackBerry Device Software Version 4 0 and later Allow Third Party Apps to Use Persistent Store IT policy rule Description This ru...

Page 127: ...ports this IT policy rule in BlackBerry Enterprise Server Version 3 6 and later The BlackBerry Enterprise Server for Novell GroupWise supports this IT policy rule in BlackBerry Device Software Version 4 0 and later Certificate Status Maximum Expiry Time IT policy rule Description This rule specifies the maximum length of time in hours that a certificate status can remain on the BlackBerry device b...

Page 128: ...the three settings Dependencies The BlackBerry device uses this IT policy rule only if the Password Required IT policy rule is set to True If you set this IT policy rule to Strong or Stronger set the Minimum Password Length IT policy rule to 12 characters If you set the content protection strength to Strongest instruct the user to set a password of at least 21 characters These password lengths max...

Page 129: ...setting The default setting is False The BlackBerry device and the BlackBerry Enterprise Server can use the Triple DES algorithm and the AES algorithm to encrypt and decrypt data sent between them Usage Set this IT policy rule to True to make it mandatory that the BlackBerry device and the BlackBerry Enterprise Server use the AES algorithm to encrypt and decrypt data that they send between them Mi...

Page 130: ...viceuserfromforwardingorreplyingtoamessageontheBlackBerry device using an email account or messaging service that is associated with a BlackBerry Enterprise Server or BlackBerry Internet Service that is different from the service that delivered the original message Usage For example use this IT policy rule to prevent forwarding or replying to a PIN message with an email message and replying to an ...

Page 131: ...re and prevent applications on the BlackBerry device from accessing it Dependencies If you set this rule to True the BlackBerry Maps application does not work and applications cannot access the BlackBerry device GPS APIs This rule overrides the Device GPS application control policy rule setting Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 3 BlackBerry Ente...

Page 132: ...tware Version 4 0 and later Disable IP Modem IT policy rule Description This rule specifies whether the IP modem on applicable BlackBerry devices is available Default setting The default setting is False Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 0 BlackBerry Enterprise Server Version 4 0 BlackBerry Connect Transport Stack Version 4 0 Disable Key Store B...

Page 133: ...ed BlackBerry device BlackBerry Device Software Version 3 6 BlackBerry Enterprise Server Version 4 0 BlackBerry Connect Transport Stack Version 4 0 Exceptions The BlackBerry Enterprise Server for Microsoft Exchange supports this IT policy rule in BlackBerry Enterprise Server Version 3 6 and later The BlackBerry Enterprise Server for Novell GroupWise supports this IT policy rule in BlackBerry Devic...

Page 134: ...y devices or the PGP Support Package for BlackBerry devices You must also turn on S MIME message processing on the BlackBerry Enterprise Server or set the PGP Universal Server Address IT policy rule Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 3 6 BlackBerry Enterprise Server Version 4 0 BlackBerry Connect Transport Stack Version 4 0 Exceptions The BlackBerr...

Page 135: ...se Server for Novell GroupWise supports this IT policy rule in BlackBerry Device Software Version 4 0 and later Disable Persisted Plain Text IT policy rule Description This rule specifies whether to prevent applications from keeping the plain text form of a content protected object in the persistent store for example the file system Default setting The default setting is False Usage Set this IT po...

Page 136: ...ations on the BlackBerry device to access public social networking services for example Facebook Default setting The default setting is False Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 5 BlackBerry Enterprise Server Version 4 1 SP5 Disable Radio When Cradled IT policy rule Description This rule specifies whether the BlackBerry device turns off the wirele...

Page 137: ...t setting is False Usage If you set this IT policy rule to False the BlackBerry device warns the user that the certificate is revoked but does not prevent the user from using the certificate Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 3 6 BlackBerry Enterprise Server Version 4 0 BlackBerry Connect Transport Stack Version 4 0 Exceptions The BlackBerry Enterp...

Page 138: ...erry device BlackBerry Device Software Version 4 2 BlackBerry Enterprise Server Version 4 0 SP6 Disable Stale Certificate Status Checks IT policy rule Description This rule specifies whether the BlackBerry device displays warnings and indicators if the user receives an email message that includes a certificate with a stale status Default setting The default setting is False Usage If you set this I...

Page 139: ...rusted Certificate Use IT policy rule Description This rule specifies whether to prevent the BlackBerry device user from sending an email message that is encrypted with a certificate that the BlackBerry device does not trust Default setting The default setting is False Usage If you set this IT policy rule to False the BlackBerry device warns the user that the certificate is not trusted but does no...

Page 140: ...t does not prevent the user from using the certificate Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 0 BlackBerry Enterprise Server Version 4 0 BlackBerry Connect Transport Stack Version 4 0 Disable Unverified CRLs IT policy rule Description This rule specifies whether to prevent the BlackBerry device user from accepting CRLs that are not verified on the Bl...

Page 141: ...c key Default setting The default setting is False Usage If you set this IT policy rule to False the BlackBerry device warns the user that the corresponding public key is weak but does not prevent the user from using the certificate Use the IT policy rules provided for the TLS application the WTLS application the S MIME Support Package for BlackBerry devices or the PGP Support Package for BlackBer...

Page 142: ...ons 2 1 4 0 Exceptions The BlackBerry Enterprise Server for Microsoft Exchange supports this IT policy rule in BlackBerry Enterprise Server Version 3 6 and later The BlackBerry Enterprise Server for Novell GroupWise supports this IT policy rule in BlackBerry Device Software Version 4 0 and later External File System Encryption Level IT policy rule Description This rule specifies the level of encry...

Page 143: ...irectories requires encryption with a user provided password and the BlackBerry device key Set this IT policy rule to 6 if the file system including multimedia directories requires encryption with a user provided password and the BlackBerry device key Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 2 BlackBerry Enterprise Server Version 4 0 SP6 FIPS Level IT ...

Page 144: ...xceptions The BlackBerry Enterprise Server for Novell GroupWise supports this IT policy rule in BlackBerry Device Software Version 4 0 to Version 4 2 1 Firewall Block Incoming Messages IT policy rule Description This rule specifies whether the BlackBerry device firewall prevents the device from processing specific types of incoming messages including SMS text messages MMS messages public and corpo...

Page 145: ...sage Specify email addresses with wildcard characters for example organization com to allow email messages from a specific domain Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 2 SP3 BlackBerry Enterprise Server Version 4 1 SP5 Force Content Protection Of Master Keys IT policy rule Description This rule specifies whether content protection is turned on for m...

Page 146: ...address book data when the BlackBerry device is locked In the general security options the user cannot change the Include Address Book field and call display and Bluetooth address book transfer do not work when the device is locked Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 2 BlackBerry Enterprise Server Version 4 0 SP6 Force LED Blinking When Microphone...

Page 147: ...k the BlackBerry device users might require an authenticator module for a smart card and must have a smart card driver and a BlackBerry Smart Card Reader driver installed on their BlackBerry device Dependencies If you set this IT policy rule to True the BlackBerry Enterprise Server automatically sets the Password Required IT policy rule to True in the same BlackBerry device IT policy You must set ...

Page 148: ...e to True to use the BlackBerry device users must have a BlackBerry Smart Card Reader and must install a smart card driver and a BlackBerry Smart Card Reader driver on their BlackBerry device Dependencies The BlackBerry device uses this IT policy rule only if you set the Password Required and Force Smart Card Two Factor Authentication IT policy rules to True Minimum requirements Java based BlackBe...

Page 149: ...BlackBerry Smart Card Reader from the BlackBerry device Not all smart card reader drivers support smart card removal detection Default setting The default setting is False Usage If you set this IT policy rule to True to use the BlackBerry device users might require an authenticator module for the smart card and must have a smart card driver and a BlackBerry Smart Card Reader driver installed on th...

Page 150: ...s Default setting The default setting is 1 which specifies no time limit Dependencies The BlackBerry device uses this IT policy rule only if the Password Required Force Smart Card User Authentication and Force Smart Card Two Factor Challenge Response IT policy rules are set to True Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 5 BlackBerry Enterprise Server...

Page 151: ...If you set this IT policy rule to Medium security the BlackBerry device prompts the user for the key store password when accessing the private key to encrypt messages only if the password is cleared from the key store cache If you set this IT policy rule to High security the BlackBerry device always prompts the user for the key store password when accessing the private key to encrypt messages If t...

Page 152: ...rd the BlackBerry device prompts the user to confirm the password With this IT policy rule set it is mandatory that keys use the security level that you set as the minimum but the user can set a higher security level on the BlackBerry device Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 0 BlackBerry Enterprise Server Version 4 0 BlackBerry Connect Transport...

Page 153: ...l If you set this IT policy rule the user can set a password greater than or equal to the length of the pattern on the BlackBerry device Password characters that exceed the pattern length can be any letters numbers or symbols CAUTION Preventing a particular password character reduces the entropy level and security level of the password Minimum requirements Java based BlackBerry device BlackBerry D...

Page 154: ...sages from the BlackBerry Enterprise Server that are not blocked at the BlackBerry device firewall unless you set this IT policy rule to True Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 2 BlackBerry Enterprise Server Version 4 0 SP6 Secure Wipe Delay After IT Policy Received IT policy rule Description This rule specifies the length of time in hours after ...

Page 155: ...e it mandatory for the BlackBerry device to delete the user data if the user has not unlocked the device within the specified period of time Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 2 BlackBerry Enterprise Server Version 4 0 SP6 Secure Wipe if Low Battery IT policy rule Description This rule specifies whether the BlackBerry device deletes all user data...

Page 156: ...colors 0xffffff white 0x000000 black 0xff0000 red 0x00ff00 green 0x0000ff blue Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 0 BlackBerry Enterprise Server Version 4 0 BlackBerry Connect Transport Stack Version 4 0 Security Transcoder Cod File Hashes IT policy rule Description This rule specifies which cod files the BlackBerry device permits to register as ...

Page 157: ...e that use the thumbprints that appear in the defined list Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 3 6 BlackBerry Enterprise Server Version 4 0 BlackBerry Connect Transport Stack Version 4 0 Exceptions The BlackBerry Enterprise Server for Novell GroupWise supports this IT policy rule in BlackBerry Device Software Version 4 0 and later Weak Digest Algori...

Page 158: ...device can use other browser services Default setting The default setting is True Usage Set this IT policy rule to False to make it mandatory to send browser data through your organization s BlackBerry Enterprise Server and to prevent users from installing other browser services on their BlackBerry devices Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 3 6 Bla...

Page 159: ...tosendoutgoingemailmessagesthroughyourorganization sBlackBerry Enterprise Server and to prevent users from sending email messages using other email message services ThisITpolicyruledoesnotpreventusersfromreceivingemailmessagesontheirBlackBerrydevicesfromotheremailmessage services Minimum requirements Java based BlackBerry device that is running BlackBerry Device Software Version 3 6 C based BlackB...

Page 160: ...alk for BlackBerry devices application the Google Talk for BlackBerry devices icon remains on the Home screen If users attempt to sign into the application a message appears indicating that they cannot use the application Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 3 6 BlackBerry Enterprise Server Version 4 0 SP4 Allow Public ICQ Services IT policy rule Des...

Page 161: ...ts Java based BlackBerry device that is running BlackBerry Device Software Version 3 6 C based BlackBerry device that is running BlackBerry Device Software Version 2 5 BlackBerry Enterprise Server Version 4 0 SP4 Allow Public WLM Services IT policy rule Description This rule specifies whether the user can use the public Windows Live Messenger for BlackBerry devices application Default setting The ...

Page 162: ...twork Location Query IT policy rule Description This rule specifies whether to prevent the wireless network or SIM card from querying the BlackBerry device for certain location related information Default setting The default setting is False Usage The information that the SIM card can query is limited to the current wireless network and cell identities the BlackBerry device IMEI the date the time ...

Page 163: ...SIM card from making a call performing a supplementary service operation or sending an SMS text message Default setting The default setting is False Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 3 6 S MIME Support Package for BlackBerry devices Version 4 0 BlackBerry Enterprise Server Version 4 0 SP3 BlackBerry Connect Transport Stack Version 4 0 Smart Dialin...

Page 164: ...on 4 0 BlackBerry Enterprise Server Version 4 0 SP1 Set Local Country Code IT policy rule Description This rule specifies the local country code for phone numbers Default setting The default setting is a null value Dependencies The BlackBerry device uses this IT policy rule only if you set the Enable Smart Dialing IT policy rule to True Minimum requirements Java based BlackBerry device BlackBerry ...

Page 165: ...g is True Dependencies The BlackBerry device uses this IT policy rule only if you set the Enable Smart Dialing IT policy rule to True Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 0 BlackBerry Enterprise Server Version 4 0 SP1 TCP policy group TCP APN IT policy rule Description This rule specifies whether a default APN must be used when the BlackBerry devic...

Page 166: ... Description This rule specifies whether a default APN user name must be used when the BlackBerry device uses TCP Default setting The default setting is a null value Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 0 BlackBerry Enterprise Server Version 4 0 BlackBerry Connect Transport Stack Version 4 0 TLS policy group TLS Device Side Only IT policy rule Desc...

Page 167: ...rmitting TLS connections to servers with invalid certificates Default setting The default setting is 2 Usage Set this IT policy rule to 0 to prevent invalid connections Set this IT policy rule to 1 to permit invalid connections Set this IT policy rule to 2 to prompt the user Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 3 6 1 BlackBerry Enterprise Server Vers...

Page 168: ...ing is 2 Usage Set this IT policy rule to 0 to prevent weak algorithms Set this IT policy rule to 1 to permit weak algorithms Set this IT policy rule to 2 to prompt the user Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 3 6 1 BlackBerry Enterprise Server Version 3 6 BlackBerry Connect Transport Stack Version 4 0 TLS Minimum Strong DH Key Length IT policy rule...

Page 169: ...on This rule specifies the minimum DSA key size in bits to use during TLS connections Default setting The default setting on the BlackBerry device is 1024 bits The default setting on the BlackBerry Enterprise Server is 512 bits Usage If you set the minimum key size on the BlackBerry Enterprise Server higher than the minimum key size on the BlackBerry device the BlackBerry device continues to promp...

Page 170: ...imum key size on the BlackBerry device is set to 160 bits If you set the minimum key size on the BlackBerry Enterprise Server to 233bits theBlackBerrydevicecontinuestoprompttheusertotrusteverysecurewebsitethatusesakeysizeinitscertificate that is less than 233 bits Minimum requirements Java based BlackBerry device BlackBerry Device Software version 3 6 1 BlackBerry Enterprise Server version 3 6 TLS...

Page 171: ...ersion 4 0 TLS Restrict FIPS Ciphers IT policy rule Description This rule specifies whether the BlackBerry device can use an algorithm with TLS that is not FIPS compliant Default setting The default setting is False Usage If the FIPS Level IT policy rule is set to 2 by default the BlackBerry device ignores this IT policy rule and uses only algorithms that are FIPS compliant Minimum requirements Ja...

Page 172: ...Version 4 5 BlackBerry Enterprise Server Version 4 1 SP4 Disallow Device User Requested Upgrade Description This rule specifies whether to prevent the BlackBerry device user from requesting available wireless software upgrades Default setting The default setting is False Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 5 BlackBerry Enterprise Server Version 4 ...

Page 173: ...rsion 4 5 BlackBerry Enterprise Server Version 4 1 SP4 Disallow Patch Download Over WAN IT policy rule Description ThisrulespecifieswhethertopreventthewirelesssoftwareupgradeapplicationontheBlackBerry devicefromdownloading software upgrades over a WAN connection Default setting The default setting is False Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 5 Bla...

Page 174: ... is 2 Usage Set this IT policy rule to 0 to prevent invalid connections Set this IT policy rule to 1 to permit invalid connections Set this IT policy rule to 2 to prompt the user Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 3 6 BlackBerry Enterprise Server Version 3 6 BlackBerry Connect Transport Stack Version 4 0 WTLS Disable Untrusted Connection IT policy ...

Page 175: ...setting The default setting is 2 Usage Set this IT policy rule to 0 to prevent weak algorithms Set this IT policy rule to 1 to permit weak algorithms Set this IT policy rule to 2 to prompt the user Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 3 6 BlackBerry Enterprise Server Version 3 6 BlackBerry Connect Transport Stack Version 4 0 WTLS Minimum Strong DH Ke...

Page 176: ...ption This rule specifies the minimum ECC key size in bits to use during WTLS connections Default setting The default setting on the BlackBerry device is 163 bits The default setting on the BlackBerry Enterprise Server is 160 bits Usage If you set the minimum key size on the BlackBerry Enterprise Server higher than the minimum key size on the BlackBerry device the BlackBerry device continues to pr...

Page 177: ...nd selects the Don t Ask Again option the minimum key size on the BlackBerry device is set to 512 bits If you set the minimum key size on the BlackBerry Enterprise Server to 2048 bits the BlackBerry device continues to prompt the user to trust every secure web site that uses a key size in its certificate that is less than 2048 bits Minimum requirements Java based BlackBerry device BlackBerry Devic...

Page 178: ... BlackBerry Enterprise Server Version 4 0 BlackBerry Connect Transport Stack Version 4 0 Policy Reference Guide WTLS policy group 176 ...

Page 179: ...f a default application control policy exists the user cannot change the application control settings Setting application control policy rules You can assign application control policy rules to satisfy your organization s security policy requirements and to reflect the needs of the users who are assigned to that application control policy You can set a default application control policy that block...

Page 180: ......

Page 181: ...e Medium Security application control policy rule Description This rule specifies whether an application can access key store items stored at the medium security level The application must prompt the BlackBerry device user for the key store password when it tries to access the private key for the first time or when the private key password timeout expires Default setting The default setting is All...

Page 182: ...s rule specifies the list of domains for which an application can apply browser filters to web page content on the BlackBerry device For example you can specify www google com and www yahoo com as domains for which an application can use a browser filter for search engines Default setting The default setting is a null value Minimum requirements Java based BlackBerry device BlackBerry Device Softwa...

Page 183: ...kBerry device BlackBerry Device Software Version 4 0 BlackBerry Enterprise Server Version 4 1 SP2 Disposition application control policy rule Description This rule specifies whether an application is optional required or not permitted on the BlackBerry device You can use this rule to make a specific application mandatory on the BlackBerry device or to prevent unspecified or untrusted applications ...

Page 184: ...erry device BlackBerry Device Software Version 4 0 BlackBerry Enterprise Server Version 4 0 External Network Connections application control policy rule Description This rule specifies whether an application can make external network connections You can set this rule to prevent the application from sending or receiving any data on the BlackBerry device using an external protocol such as WAP or TCP...

Page 185: ...ample the BlackBerry MDS Connection Service You can also set this rule so that an application prompts the user before it makes internal connections through the BlackBerry device firewall Default setting The default setting is Prompt User Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 0 BlackBerry Enterprise Server Version 4 0 Cross Application Communication ...

Page 186: ...s application control policy rule Description This rule specifies whether an application can send and receive email messages on the BlackBerry device Default setting The default setting is Allowed Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 0 BlackBerry Enterprise Server Version 4 0 Phone Access application control policy rule Description This rule specif...

Page 187: ...nd all of the user s personal information from the BlackBerry device Default setting The default setting is Allowed Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 0 BlackBerry Enterprise Server Version 4 0 Themes application control policy rule Description This rule specifies whether custom theme applications developed using the Plazmic Content Developer s K...

Page 188: ...urrently only smart card drivers are supported This application control policy rule applies to the BlackBerry Device Software and third party Java applications Default setting The default setting is Allowed Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 0 BlackBerry Enterprise Server Version 4 1 SP2 Policy Reference Guide User Authenticator application contr...

Page 189: ...devices Devicepoliciesdefinewhether userscanupgradetheBlackBerryMDSRuntime andwhetheruserscandiscover install andremoveBlackBerryMDSRuntime Applications from their BlackBerry devices You can also use device policies to define whether BlackBerry MDS Runtime Applications can access data and other applications on the BlackBerry devices and to specify message queue limits for data that BlackBerry MDS ...

Page 190: ......

Page 191: ...ch a BlackBerry MDS Studio Application Repository for BlackBerry MDS Studio Applications that can be installed on their BlackBerry devices Default setting The default setting is True Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 0 BlackBerry Enterprise Server Version 4 1 Allow Application Install by User BlackBerry MDS Services rule Description This rule sp...

Page 192: ...4 0 BlackBerry Enterprise Server Version 4 1 Allow Application Delete by User BlackBerry MDS Services rule Description This rule specifies whether users can delete BlackBerry MDS Studio Applications from their BlackBerry devices Default setting The default setting is True Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 0 BlackBerry Enterprise Server Version 4...

Page 193: ...ns BlackBerry MDS Services rule Description This rule specifies whether BlackBerry MDS Studio Applications that are installed on the BlackBerry device can access web services in multiple domains Default setting The default setting is False Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 0 BlackBerry Enterprise Server Version 4 1 Queue Limit for Inbound Applic...

Page 194: ...ber of messages to BlackBerry MDS Studio Applications that can be queued locally on the BlackBerry device The permitted range is 1 through 50 messages Default setting The default setting is 16 messages Minimum requirements Java based BlackBerry device BlackBerry Device Software Version 4 0 BlackBerry Enterprise Server Version 4 1 Policy Reference Guide Queue Limit for Outbound Application Messages...

Page 195: ...mpliance for the embedded cryptographic module that is required for basic operation of the BlackBerry device Control application installation and use on BlackBerry devices PreventBlackBerrydeviceusersfromdownloadingthird partyapplications over the wireless network Specify whether applications on the BlackBerry device can establish specific types of connections Block viruses and malicious user acti...

Page 196: ...n Checks 2 requires at least one alphabetic onenumeric andone special character Forbidden Passwords obvious and insecure passwords for example password usernames and company names Set Password Timeout 5 minutes User Can Change Timeout False Delete all user data on the BlackBerry device if the user types the password incorrectly Set Maximum Password Attempts 10 number of incorrect passwords that ar...

Page 197: ...nge Time 60 minutes after which the user must type a password Lock the BlackBerry device automatically when a user inserts it in the holster Force Lock When Holstered True Lock the BlackBerry device automatically after a period of user inactivity Maximum Security Timeout 5 minutes of idle time that is allowed before the BlackBerry device locks Defining the encryption strength that the BlackBerry d...

Page 198: ...ecorded Allow Other Browser Services False Allow Other Message Services False Allow Peer to Peer Messages False Allow SMS False Disable Forwarding Between Services True Disable Cut Copy Paste True Prevent users from sending PIN messages Users can still receive PIN messages Allow Peer to Peer Messages False Prevent users from sending SMS messages Users can still receive SMS messages Allow SMS False...

Page 199: ...tion Disallowed Permit a third party Java application to access the phone application on BlackBerry devices Phone Access Allowed Permit a third party Java application to create public external network connections and allow connections to external domains without promptingusersforapasswordontheirBlackBerry devices External Network Connections Allowed External Domains addresses of the external domai...

Page 200: ...ication from their BlackBerry devices Disposition application control policy rule Required Prevent users from installing a third party Java application on their BlackBerry devices Disposition application control policy rule Required Remove a third party Java application from BlackBerry devices over the wireless network Disposition application control policy rule Required Prevent users from turning...

Page 201: ...uletoblockallthird partyapplications or apply an application control policy to block specific RIM value added applications if you want to remove the RIM value added applications from BlackBerry devices Set the Disable RIM Value Added Applications IT policy rule to True ecommerce content optimization engine for the BlackBerry Browser Set the Disable Ecommerce Content Optimization Engine IT policy r...

Page 202: ...tion screen click Manage Application Policies 2 Create and name an application control policy 3 To remove all existing third party applications from the BlackBerry device and prevent the BlackBerry device from installing any new third party applications set Disposition to Disallowed 4 Select a software configuration 5 Click Edit Configuration 6 Apply the application control policy to the default t...

Page 203: ...ts to application security without banning all third party applications on BlackBerry devices you can replace a default application control policy that blocks all third party applications with a less restrictive application control policy that controls the behavior of third party applications You can allow specific behavior for registered third party applications while preventing other third party...

Page 204: ......

Page 205: ...search In Motion Limited and its affiliated companies RIM and RIM assumes no responsibility for any typographical technical or other inaccuracies errors or omissions in this documentation In order to protect RIM proprietary and confidential information and or trade secrets this documentation maydescribesomeaspectsofRIMtechnologyingeneralizedterms RIMreservestherighttoperiodicallychangeinformation ...

Page 206: ... DEMAND OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT NEGLIGENCE TORT STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL BREACH OR BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY CONTAINED HEREIN AND B TO RIM AND ITS AFFILIATED COMPANIES THEIR SUCCESSORS ASSIGNS AGENTS SUPPLIERS INCLUDING AIRTIME SERVICE PROVIDERS AUTHO...

Page 207: ... SUPERSEDE ANY EXPRESS WRITTEN AGREEMENTS OR WARRANTIES PROVIDED BY RIM FOR PORTIONS OF ANY RIM PRODUCT OR SERVICE OTHER THAN THIS DOCUMENTATION Research In Motion Limited 295 Phillip Street Waterloo ON N2L 3W8 Canada Research In Motion UK Limited Centrum House 36 Station Road Egham Surrey TW20 9LF United Kingdom Published in Canada Policy Reference Guide Legal notice 205 ...