Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to disallow mobile device applications the ability to reset the device lock timer. If this function is not present, this is a finding.

The "Application Security Timer Reset" rule on the BlackBerry Device Service server specifies whether apps can reset the security timer on a BlackBerry device to prevent the device from locking after either 1) the period of user inactivity that you specify in the Security Timeout rule, or 2) the period the user specifies in the Password Lock settings on the device, elapses. If this rule is set to Disallow, the device will lock without user interaction when running apps that attempt to reset the security timer, such as apps that display navigation information, slideshows, and videos.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to disallow mobile device applications the ability to reset the device lock timer.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to disable any mobile OS service that connects to a cloud storage server. If this function is not present, this is a finding.

The "Cloud Storage Access from Work Space" rule specifies whether the cloud storage apps developed by Research In Motion are available in the work space on a BlackBerry device. If this rule is set to Disallow, the apps are not available in the work space on the device and they can be used as personal apps only.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to disable any mobile OS service that connects to a cloud storage server.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to direct all work persona application traffic through the BlackBerry Device Service server. If this function is not present, this is a finding.

The "Network Access Control for Work Apps" rule specifies whether work apps on a BlackBerry device must connect to an organization's network through the BlackBerry Device Service.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to direct all work persona application traffic through the BlackBerry Device Service server.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to disallow personal persona applications access to the work persona's network connection. If this function is not present, this is a finding.

The "Work Network Usage for Personal Apps" rule specifies whether personal apps on a BlackBerry device can use your organization's Wi-Fi or VPN network to connect to the Internet. If this rule is set to Disallow, personal apps cannot use your organization's network to connect to the Internet.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to disallow personal persona applications access to the work personas network connection.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to disallow hyperlinks within work persona applications from opening within the personal persona browser application. If this function is not present, this is a finding.

The "Open Links in Work Email Messages in the Personal Browser" rule specifies whether BlackBerry device users can use the browser in the personal space to open links in work email messages. If this rule is set to Disallow, links in work email messages will always open in the browser in the work space.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to disallow hyperlinks within work persona applications from opening within the personal persona browser application.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to set the number of allowed repeated characters in the mobile device unlock password. If this function is not present, this is a finding.

This requirement can be met via one of two methods:

Method #1: Train users to set the following device unlock/personal area password feature on a PlayBook 2.0 or BlackBerry 10 device: Navigate to "Options -> Security -> Password" and set "Enable Password" to "ON". Create a 4-digit passcode for the device lock that does not contain any repeated characters.

****************************************************************************************

Method #2: The BDS IT policy rule "Apply Work Space Password to Full Device" can be applied to force the work space password to be used for both work and personal personas.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Method #1: Train users to set a 4-digit device unlock/personal area password that does not contain any repeated characters on a PlayBook 2.0 or BlackBerry 10 device.

****************************************************************************************

Method #2: Configure the centrally managed BlackBerry Device Service server security policy rule to apply the work space password to the entire device.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to disallow sequential numbers in the mobile device unlock password. If this function is not present, this is a finding.

This requirement can be met via one of two methods:

Method #1: Train users to set the following device unlock/personal area password feature on a PlayBook 2.0 or BlackBerry 10 device: Navigate to "Options -> Security -> Password" and set "Enable Password" to "ON". Create a 4-digit passcode for the device lock that does not contain any sequential numbers.

****************************************************************************************

Method #2: The BDS IT policy rule "Apply Work Space Password to Full Device" can be applied to force the work space password to be used for both work and personal personas.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Method #1: Train users to set a 4-digit device unlock/personal area password that does not contain any sequential numbers on a PlayBook 2.0 or BlackBerry 10 device.

****************************************************************************************

Method #2: Configure the centrally managed BlackBerry Device Service server security policy rule to apply the work space password to the entire device.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to protect audit information on a managed mobile device from unauthorized distribution.

The "Log Submission" rule on the BlackBerry Device Service server specifies whether a BlackBerry device can generate log files and send them to the BlackBerry Technical Solution Center. If this rule is set to No, the device cannot generate and send log files to the BlackBerry Technical Solution Center.

The "Transfer Work Files Using Bluetooth OPP" rule on the BlackBerry Device Service server specifies whether a BlackBerry device can send work files and objects such as contacts to another Bluetooth-enabled or NFC-enabled device using the Bluetooth OPP.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.

If the centrally managed BlackBerry Device Service server security policy has not been configured to protect audit information on a managed mobile device from unauthorized distribution, this is a finding.
Configure the centrally managed BlackBerry Device Service server security policy to protect audit information on a managed mobile device from unauthorized distribution.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the capability to disable copying data from inside a non-secure data area on a mobile device into the security container. If this function is not present, this is a finding.

The "Work App Access to Personal Data" rule on the BlackBerry Device Service server specifies whether work apps on a BlackBerry device can access personal data if a device user permits it. If this rule is set to Disallow, work apps cannot access personal data regardless of the user settings on the device.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to disable copying data from inside a non-secure data area on a mobile device into the security container.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the capability to allow only work persona contacts to be read from a native personal persona application. If this function is not present, this is a finding.

The "Personal Apps Access to Work Contacts" rule on the BlackBerry Device Service server specifies whether personal apps can access work contacts on a BlackBerry device. If this rule is set to Only RIM Apps, some apps developed by Research In Motion (BlackBerry Messenger, Text Messages, visual voice mail, and voice dialing) can access work contacts.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to allow only work persona contacts to be read from a native personal persona application.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the capability to disable access to the work persona via any device-to-device bridging application. If this function is not present, this is a finding.

The "BlackBerry Bridge" rule on the BlackBerry Device Service server specifies whether a BlackBerry 10 smartphone can allow a BlackBerry PlayBook tablet to access work data on the smartphone using the BlackBerry Bridge app. If this rule is set to Disallow, the smartphone cannot allow a tablet to access work data on the smartphone using the BlackBerry Bridge app.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to disable access to the work persona via any device-to-device bridging application.
Review the BlackBerry Device Service server configuration to ensure there are accounts associated with the following roles:
- MDM administrative account administrator: responsible for server installation, initial configuration, and maintenance functions.
- Security configuration policy administrator (IA technical professional): responsible for security configuration of the server and setting up and maintenance of mobile device security policies.
- Device management administrator (Technical operator): responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion.
- Auditor (internal auditor or reviewer): responsible for reviewing and maintaining server and mobile device audit logs.

If this separation of duties is not present, this is a finding.

Roles are assigned during the creation of the Administrator account as follows:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Administrator user.
2. Click Create an administrator user.
3. In the Display name field, type a name for the administrator account.
4. Configure the login information that the administrator account uses to log in to the BlackBerry Administration Service.
5. In the Role drop-down list, click the role that you want to assign to the administrator account.
6. Click Create an administrator user.

The role can also be updated after account creation by selecting "Manage Users" under the "Administrator Users" option.
Create and configure accounts to be aligned with the following roles:
- MDM administrative account administrator: responsible for server installation, initial configuration, and maintenance functions.
- Security configuration policy administrator (IA technical professional): responsible for security configuration of the server and setting up and maintenance of mobile device security policies.
- Device management administrator (Technical operator): responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion.
- Auditor (internal auditor or reviewer): responsible for reviewing and maintaining server and mobile device audit logs.
The BlackBerry Device Service server has the capability to deploy mobile operating system and application updates via an over-the-air (OTA) session. Specific versions of applications can be sent to the device, or applications can be updated. OS updates are made available to the user for download. The user is notified when new updates are available.

Create a software configuration:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Software.
2. Click Create a software configuration.
3. In the Configuration information section, in the Name field, type a name for the software configuration.
4. Click Save.

Add an app to a software configuration:
You must add an app to a software configuration to send the app to BlackBerry devices. If you want to upgrade an app, you must add the new version of the app to the appropriate software configuration.
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Software.
2. Click Manage software configurations.
3. Click the software configuration that you want to add an app to.
4. Click Edit software configuration.
5. On the Applications tab, click Add applications to software configuration.
6. Search for the app that you want to add to the software configuration.
7. In the search results, select an app that you want to add to the software configuration.
8. For apps in the applications repository, in the Disposition drop-down list for the app, perform one of the following actions:
   * To install the app automatically on devices, and to prevent users from removing the app, select Required.
   * To permit users to install and remove the app, and to add the app to the Work tab in the BlackBerry World storefront, select Optional.
9. Repeat steps 6 to 8 for each app that you want to add to the software configuration.
10. Click Add to software configuration.
11. Click Save all.

See the "Managing app availability on devices" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service Version: 6.2 Administration Guide for further details and other available options.

If the BlackBerry Device Service server cannot be configured to send MOS and MAP updates OTA, this is a finding.
Configure the BlackBerry Device Service server to deploy MOS and MAP updates via an OTA session.
Application lists can be created for installation on the mobile devices. The applications can be identified as "Optional" or "Required". If an application is identified as "Required", it must be installed on the device, and cannot be removed by the user. After a software configuration is created on the BlackBerry Device Service server, approved applications are added to the software configuration and identified as optional or required.

In addition, before you can make an application that is developed by your organization available to BlackBerry devices on the BlackBerry App World storefront Work tab, Research In Motion requires that the RIM signing authority system digitally sign the application. The RIM signing authority system uses public key cryptography to authorize and authenticate the application code. When a user starts the application, the BlackBerry OS verifies that the RIM signing authority signed the application files and that the application files have not changed since that application was installed.

Create a software configuration:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Software.
2. Click Create a software configuration.
3. In the Configuration information section, in the Name field, type a name for the software configuration.
4. Click Save.

Add an app to a software configuration:
You must add an app to a software configuration to send the app to BlackBerry devices. If you want to upgrade an app, you must add the new version of the app to the appropriate software configuration.
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Software.
2. Click Manage software configurations.
3. Click the software configuration that you want to add an app to.
4. Click Edit software configuration.
5. On the Applications tab, click Add applications to software configuration.
6. Search for the app that you want to add to the software configuration.
7. In the search results, select an app that you want to add to the software configuration.
8. For apps in the applications repository, in the Disposition drop-down list for the app, perform one of the following actions:
   * To install the app automatically on devices, and to prevent users from removing the app, select Required.
   * To permit users to install and remove the app, and to add the app to the Work tab in the BlackBerry World storefront, select Optional.
9. Repeat steps 6 to 8 for each app that you want to add to the software configuration.
10. Click Add to software configuration.
11. Click Save all.

See the "Managing app availability on devices" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service Version: 6.2 Administration Guide for further details and other available options.

If the system does not prevent the installation of applications that are not digitally signed with an organizationally accepted private key, this is a finding.
Configure the BlackBerry Device Service server to prevent the installation of applications that are not digitally signed with an organizationally accepted private key.
Detailed Policy Requirements:
1. Separate STIG compliant IT policies will be set up on the BDS server: one for users that have been issued an approved Bluetooth headset/hands free device and one for users that have not been issued an approved Bluetooth headset/hands free device.
2. All user accounts will be assigned to a STIG compliant IT policy.

Check Procedures:
Interview the BlackBerry system administrator. Ask the administrator to identify the default IT policy on the BDS (usually labeled "Default") and any other non-STIG compliant IT policies set up on the BDS.

View the list of IT policies set up on the BDS as follows: BDS -> BlackBerry solution management -> Policy -> Manage IT Policies

Verify no users are assigned the default IT Policy or any other non-STIG IT policy by performing the following steps for each policy. For the default IT policy and other non-STIG IT policies, look at each IT policy listed under "Manage IT policies" to be checked.
- Click on the policy name.
- Click on "View Users with reconciled IT Policy."
- A list of all users assigned to the selected IT policy will be shown.
- Determine if any user has been assigned to the default IT Policy or any other non-STIG IT policy. If yes, this is a finding.
User accounts will only be assigned a STIG compliant IT policy.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to perform a "Data Wipe" function whereby all data stored in user addressable memory on the mobile device and the removable memory card is erased when the maximum number of incorrect passwords for device unlock has been reached. If this function is not configured, this is a finding.

The "Maximum Password Attempt" rule allows the administrator to enforce a data wipe once the maximum number of incorrect password attempts has been reached.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to perform a "Data Wipe" function whereby all data stored in user addressable memory on the mobile device and the removable memory card is erased when the maximum number of incorrect passwords for device unlock has been reached.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable data-at-rest encryption on the mobile device. If this function is not configured, this is a finding.

The "Personal Perimeter Data Encryption" rule enforces data-at-rest encryption for the entire device. Work perimeter encryption is enforced by default and cannot be turned off.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to enable or disable data-at-rest encryption on the mobile device.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable two-factor encryption key generation on the mobile device. If this function is not configured, this is a finding.

The "Two-Factor Encryption Key Generation" rule specifies whether a BlackBerry PlayBook tablet bases the encryption key on only the protected secret or on both the protected secret and the password for the work space. If this rule is set to Yes, the tablet bases the encryption key on both the protected secret and the password for the work space. If this rule is set to Yes, a user must type the password for the mobile device to start for the first time.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to enable or disable two-factor encryption key generation on the mobile device.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to configure the encryption algorithms used to encrypt S/MIME-protected email messages. If this function is not present, this is a finding.

The "Allowed Content Ciphers" profile setting specifies the encryption algorithms that a BlackBerry device can use to encrypt S/MIME-protected email messages.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to specify the encryption algorithms used to encrypt S/MIME-protected email messages, allowing only 3DES or AES encryption.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to set the device inactivity timeout (the following settings must be available, at a minimum: Disable (no timeout), 15 minutes, and 60 minutes). If this function is not present, this is a finding.

The "Security Timeout" rule forces the device to lock after a specified period of inactivity.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to set the device inactivity timeout.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable the mobile device Bluetooth stack. If this function is not present, this is a finding.

The "Bluetooth" rule on the BlackBerry Device Service server specifies whether a BlackBerry device can use Bluetooth technology. If this rule is set to Disallow, the device cannot use Bluetooth technology. This policy rule is applicable for corporate-liable devices only, introduced in OS version 10.1.0.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to enable or disable the mobile device Bluetooth stack.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable any supported Bluetooth profile. If this function is not present, this is a finding.

The BlackBerry Device Service server supports several Bluetooth policy rules. Each of these rules is managed individually and can be enabled or disabled. If you set a rule to Disallow, the device cannot use the corresponding Bluetooth profile. The supported Bluetooth profiles are:
- Bluetooth Message Access Profile (MAP)
- Bluetooth Hands-Free Profile (HFP)
- Bluetooth Serial Port Profile (SPP)
- Bluetooth Discoverable Mode
- Bluetooth Personal Area Networking Profile (PAN)
- Bluetooth Advanced Audio Distribution Profile (A2DP)
- Bluetooth Audio/Video Remote Control Profile (AVRCP)
- Bluetooth SIM Access Profile (SAP)

These profiles are applicable for corporate-liable devices only, introduced in OS version 10.1.0.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to enable or disable any supported Bluetooth profile.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable Bluetooth. If this function is not present, this is a finding.

The "Bluetooth" rule on the BlackBerry Device Service server specifies whether a BlackBerry device can use Bluetooth technology. If this rule is set to Disallow, the device cannot use Bluetooth technology. This policy rule is applicable for corporate-liable devices only, introduced in OS version 10.1.0.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to enable or disable Bluetooth.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable Bluetooth discoverable mode. If this function is not present, this is a finding.

The "Bluetooth Discoverable Mode" rule on the BlackBerry Device Service server specifies whether a BlackBerry device can use Bluetooth Discoverable mode. A device that is discoverable can be found by other Bluetooth-enabled devices within range of the device. If this rule is set to Disallow, the device cannot use Bluetooth Discoverable mode. This policy rule is applicable for corporate-liable devices only, introduced in OS version 10.1.0.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to enable or disable Bluetooth discoverable mode.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to enable or disable the transfer of any file-based data via Bluetooth. If this function is not present, this is a finding.

The "Transfer Work Contacts Using Bluetooth PBAP or HFP" rule on the BlackBerry Device Service server specifies whether a BlackBerry device can send work contacts to another Bluetooth-enabled device using the Bluetooth PBAP or HFP. If this rule is set to Disallow, users cannot transfer work contacts using Bluetooth PBAP or HFP. Setting this rule to Disallow also prevents users from transferring work messages using the Bluetooth MAP.

The "Transfer Work Files Using Bluetooth OPP" rule on the BlackBerry Device Service server specifies whether a BlackBerry device can send work files and objects such as contacts to another Bluetooth-enabled or NFC-enabled device using the Bluetooth OPP.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to enable or disable the transfer of any file-based data via Bluetooth.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable Bluetooth pairing using a randomly generated passkey size of at least 8 digits. If this function is not configured, this is a finding.

The "Enforce Minimum Bluetooth Passkey Length" rule on the BlackBerry Device Service server specifies whether a BlackBerry device can connect to another Bluetooth-enabled device if the passkey that the Bluetooth-enabled device requests from or provides to the BlackBerry device is less than 8 digits. If this rule is set to Yes, the BlackBerry device cannot connect to another Bluetooth-enabled device if the passkey that the Bluetooth-enabled device requests from or provides to the BlackBerry device is less than 8 digits. This policy rule is applicable for corporate-liable devices only, introduced in OS version 10.1.0.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to enable Bluetooth pairing using a randomly generated passkey size of at least 8 digits.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable Bluetooth 128-bit encryption. If this function is not configured, this is a finding.

The "Minimum Bluetooth Encryption Key Length" rule on the BlackBerry Device Service server specifies the minimum encryption key length that a BlackBerry device uses to encrypt Bluetooth connections. Options range from 8 to 128 bits. This policy rule is applicable for corporate-liable devices only, introduced in OS version 10.1.0.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to enable Bluetooth 128-bit encryption.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to adjust Bluetooth radio range. If this function is not configured, this is a finding.

The "Maximum Bluetooth Range" rule on the BlackBerry Device Service server specifies the maximum power range that a BlackBerry Smart Card Reader uses to send Bluetooth packets to a BlackBerry device or a computer. The permitted range is between 30% and 100%. The recommended range is 30%. This policy rule is applicable for corporate-liable devices only, introduced in OS version 10.1.0.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to adjust Bluetooth radio range.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable MMS messaging. If this function is not present, this is a finding.

The "MMS" rule on the BlackBerry Device Service server specifies whether a BlackBerry device can send MMS messages. If this rule is set to Disallow, the device hides the option to send MMS text messages. This rule does not prevent the user from receiving MMS messages.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to enable or disable MMS messaging.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable the device unlock password. If this function is not present, this is a finding.

This requirement can be met via one of two methods:

Method #1: Train users to set the following device unlock/personal area password feature on a PlayBook 2.0 or BlackBerry 10 device: Navigate to "Options -> Security -> Password" and set "Enable Password" to "ON". Create a 4-digit passcode for the device lock.

****************************************************************************************

Method #2: The BDS IT policy rule "Apply Work Space Password to Full Device" can be applied to force the work space password to be used for both the work and personal personas.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the BlackBerry Device Service server to enable or disable the device unlock password.

Method #1: Train users to set a 4-digit device unlock/personal area password feature on a PlayBook 2.0 or BlackBerry 10 device.

****************************************************************************************

Method #2: Configure the centrally managed BlackBerry Device Service server security policy rule to apply the work space password to the entire device.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable a device unlock password with a minimum length of 4 characters. If this function is not present, this is a finding.

This requirement can be met via one of two methods:

Method #1: Train users to set the following device unlock/personal area password feature on a PlayBook 2.0 or BlackBerry 10 device: Navigate to "Options -> Security -> Password" and set "Enable Password" to "ON". Create a 4-digit passcode for the device lock.

****************************************************************************************

Method #2: The BDS IT policy rule "Apply Work Space Password to Full Device" can be applied to force the work space password to be used for both the work and personal personas.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the BlackBerry Device Service server to enable a device unlock password with a minimum length of 4 characters.

Method #1: Train users to set a 4-digit device unlock/personal area password feature on a PlayBook 2.0 or BlackBerry 10 device.

****************************************************************************************

Method #2: Configure the centrally managed BlackBerry Device Service server security policy rule to apply the work space password to the entire device.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable the device unlock password. If this function is not present, this is a finding.

This requirement can be met via one of two methods:

Method #1: Train users to set the following device unlock/personal area inactivity timeout feature on a PlayBook 2.0 or BlackBerry 10 device: Navigate to "Options -> Security -> Password" and set "Inactivity Timeout" to "15 Minutes".

****************************************************************************************

Method #2: The "Security Timeout" IT policy rule forces the device to lock after a specified period of inactivity.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the BlackBerry Device Service server to set a device inactivity timeout.

Method #1: Train users to set a 15-minute inactivity timeout feature on a PlayBook 2.0 or BlackBerry 10 device.

****************************************************************************************

Method #2: Configure the centrally managed BlackBerry Device Service server security policy rule to enable a device inactivity timeout of 15 minutes.
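The checks above all reduce to "is this IT policy rule present and set to the required value". As an added example (not part of the STIG and not BlackBerry or DISA tooling), the following Python encodes those requirements as machine-checkable assertions over a policy export, so an auditor can run them against every group or user policy rather than clicking through the Administration Service for each. The flat rule-name-to-value mapping, the value encodings ("Yes"/"Disallow" strings, Security Timeout in minutes, Minimum Bluetooth Encryption Key Length in bits, Maximum Bluetooth Range in percent) and both sample policies are constructed assumptions; the page does not define an export format.

```python
"""Audit exported BlackBerry Device Service IT policy values against the STIG
checks on this page.  Added example, not BlackBerry or DISA code.
ASSUMPTION: the policy export is a flat {rule name: value} mapping using the
rule names quoted on the page; Yes/Disallow rules carry the strings "Yes" or
"Disallow", Security Timeout is in minutes, Minimum Bluetooth Encryption Key
Length in bits and Maximum Bluetooth Range in percent.  The two sample
policies at the bottom are constructed."""

from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

PASS, NOTE, FINDING = "pass", "note", "finding"


@dataclass
class Result:
    rule: str
    status: str
    detail: str


def positive_int(value: Any) -> bool:
    """True for a real positive integer (bool is excluded on purpose)."""
    return isinstance(value, int) and not isinstance(value, bool) and value > 0


def smime_ciphers_ok(value: Any) -> bool:
    """Fix text: S/MIME content ciphers must be 3DES or AES, nothing else."""
    return (isinstance(value, list) and bool(value)
            and all(c == "3DES" or c.startswith("AES") for c in value))


# (rule name, predicate on the exported value, requirement in plain words)
CHECKS: List[Tuple[str, Callable[[Any], bool], str]] = [
    ("Maximum Password Attempt", positive_int,
     "data wipe after a maximum number of incorrect passwords must be set"),
    ("Personal Perimeter Data Encryption", lambda v: v == "Yes",
     "data-at-rest encryption for the personal perimeter must be enforced"),
    ("Two-Factor Encryption Key Generation", lambda v: v == "Yes",
     "key must derive from the protected secret and the work space password"),
    ("Allowed Content Ciphers", smime_ciphers_ok,
     "only 3DES or AES may be allowed for S/MIME-protected email"),
    ("Security Timeout", lambda v: positive_int(v) and v <= 15,
     "device must lock after at most 15 minutes of inactivity"),
    ("Enforce Minimum Bluetooth Passkey Length", lambda v: v == "Yes",
     "Bluetooth pairing passkeys shorter than 8 digits must be refused"),
    ("Minimum Bluetooth Encryption Key Length", lambda v: v == 128,
     "Bluetooth links must use 128-bit encryption"),
    ("Maximum Bluetooth Range", lambda v: positive_int(v) and 30 <= v <= 100,
     "range must be within the permitted 30%-100% (30% recommended)"),
    ("Apply Work Space Password to Full Device", lambda v: v == "Yes",
     "work space password must also protect the personal perimeter"),
]


def audit(policy: Dict[str, Any]) -> List[Result]:
    """Evaluate every check; an absent rule is a finding, like a wrong one."""
    results: List[Result] = []
    for rule, ok, requirement in CHECKS:
        if rule not in policy:
            results.append(Result(rule, FINDING, f"rule not set: {requirement}"))
        elif ok(policy[rule]):
            results.append(Result(rule, PASS, f"value {policy[rule]!r}"))
        else:
            results.append(Result(rule, FINDING,
                                  f"value {policy[rule]!r}: {requirement}"))
    # Permitted but above the recommended 30% range earns an advisory note.
    rng = policy.get("Maximum Bluetooth Range")
    if positive_int(rng) and 30 < rng <= 100:
        results.append(Result("Maximum Bluetooth Range", NOTE,
                              f"{rng}% is permitted; the recommended setting is 30%"))
    return results


def findings(policy: Dict[str, Any]) -> List[Result]:
    return [r for r in audit(policy) if r.status == FINDING]


# Constructed sample exports, not real BDS data.
COMPLIANT_POLICY: Dict[str, Any] = {
    "Maximum Password Attempt": 10,
    "Personal Perimeter Data Encryption": "Yes",
    "Two-Factor Encryption Key Generation": "Yes",
    "Allowed Content Ciphers": ["3DES", "AES-128", "AES-256"],
    "Security Timeout": 15,
    "Enforce Minimum Bluetooth Passkey Length": "Yes",
    "Minimum Bluetooth Encryption Key Length": 128,
    "Maximum Bluetooth Range": 30,
    "Apply Work Space Password to Full Device": "Yes",
}

# Missing wipe rule, weak S/MIME cipher, no timeout, short Bluetooth key.
WEAK_POLICY: Dict[str, Any] = {
    "Personal Perimeter Data Encryption": "Yes",
    "Two-Factor Encryption Key Generation": "Yes",
    "Allowed Content Ciphers": ["RC2", "AES-256"],
    "Security Timeout": "Disable",
    "Enforce Minimum Bluetooth Passkey Length": "Yes",
    "Minimum Bluetooth Encryption Key Length": 56,
    "Maximum Bluetooth Range": 80,
    "Apply Work Space Password to Full Device": "Yes",
}

if __name__ == "__main__":
    for name, pol in (("compliant", COMPLIANT_POLICY), ("weak", WEAK_POLICY)):
        print(f"== {name} policy ==")
        for r in audit(pol):
            print(f"{r.status:8} {r.rule}: {r.detail}")
```

Treating an absent rule the same as a wrong value mirrors the check text ("if this function is not configured, this is a finding"); a rule that is merely present but left at an unsafe value is exactly what the rule-by-rule review is meant to catch.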
When you install the BlackBerry Administration Service, the setup application generates a password for the web.keystore file. The web.keystore file stores the SSL certificate that the BlackBerry Administration Service uses to authenticate with browsers. You can change the web keystore password after the installation process completes. All BlackBerry Administration Service instances in a BlackBerry Device Service domain must use the same web keystore password.

Before you begin: To verify the current password for the web.keystore file, log in to the BlackBerry Administration Service using an administrator account with the Security Administrator role. On the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view, click BlackBerry Administration Service, and check the Security settings section.

1. On a computer that hosts a BlackBerry Administration Service instance, open the BlackBerry Device Service Configuration tool.
2. On the Administration Service - Web Keystore tab, type the current password.
3. Type a new password and confirm the new password.
4. Click OK.
5. In the Windows Services, restart the BlackBerry Administration Service services.
6. Repeat steps 1 to 5 on each computer that hosts a BlackBerry Administration Service instance.

If the default passwords have not been changed, this is a finding.
Change the key store password for the certificate that the BlackBerry Administration Service (BAS) and BlackBerry Web Desktop Manager (BWDM) use from the default.
Review the BlackBerry Device Service server configuration to ensure the system is authenticating through the Enterprise Authentication Mechanism utilizing a cryptographic module meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. If the BlackBerry Device Service server is not authenticating through the Enterprise Authentication Mechanism, this is a finding.

Local authentication rules are handled by the host operating system. Remote connection via web browser can be configured to use Microsoft Active Directory authentication during the installation of the BlackBerry Device Server.

Configure permissions for the service account: The service account is a Windows account that runs the services for the BlackBerry Device Service. On the computer that you want to install the BlackBerry Device Service on, you must configure permissions for the service account. Without the correct permissions, the BlackBerry Device Service cannot run. If your organization's environment includes the BlackBerry Enterprise Server, you can use the BlackBerry Enterprise Server service account to install the BlackBerry Device Service. If you do not have a BlackBerry Enterprise Server service account, in Microsoft Active Directory, create a service account that you name BDSAdmin.

During the installation of the BlackBerry Device Service, steps 1 and 2 describe the setup of the Active Directory login, as follows:
1. In the Microsoft Active Directory settings dialog box, specify information for the reader account that the BlackBerry Administration Service uses to authenticate with Microsoft Active Directory. If you want to use a different account as the reader account, you must specify the username, password, and Windows domain for a Microsoft Active Directory account. The account must have permission to read the user information that is stored in the global catalog servers that the BlackBerry Administration Service can access.
2. In the Create an administrator account dialog box, perform one of the following actions:
   * If you select Use Microsoft Active Directory authentication, you can choose to use the Microsoft Active Directory account that you used in step 1, or you can specify the username and Windows domain for a different Microsoft Active Directory account.
   * If you select Use BlackBerry Administration Service authentication, type and confirm a password for the BlackBerry Administration Service administrator account. You use the account information that you specify to log in to the BlackBerry Administration Service for the first time.

Log in to the BlackBerry Administration Service: When you install the BlackBerry Administration Service, you specify the credentials that you use to log in to the BlackBerry Administration Service for the first time.
1. In the browser, type https://<server_name>/webconsole/login, where <server_name> is the name of the computer that hosts the BlackBerry Administration Service.
2. In the User name field, type your username.
3. In the Password field, type your password.
4. Perform one of the following actions:
   * In the Log in using drop-down list, click BlackBerry Administration Service.
   * In the Log in using drop-down list, click Active Directory and type the Microsoft Active Directory domain in the Domain field.
5. Click Log in.
6. Install the RIMWebComponents.cab add-on if you are prompted to do so.

For further details regarding the BlackBerry Device Service installation and configuration, see the accompanying Overview Document and the "Install the BlackBerry Device Service software" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service Version: 6.2, Installation and Configuration Guide.
Configure the BlackBerry Device Service server to authenticate through the Enterprise Authentication Mechanism utilizing a cryptographic module meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
Review the BlackBerry Device Service server configuration to ensure the system is authenticating through the Enterprise Authentication Mechanism that employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions. If the BlackBerry Device Service server is not authenticating through an Enterprise Authentication Mechanism that employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions, this is a finding.

Local authentication rules are handled by the host operating system. Remote connection via web browser can be configured to use Microsoft Active Directory authentication during the installation of the BlackBerry Device Service.

Configure permissions for the service account:
The service account is a Windows account that runs the services for the BlackBerry Device Service. On the computer that you want to install the BlackBerry Device Service on, you must configure permissions for the service account. Without the correct permissions, the BlackBerry Device Service cannot run. If your organization's environment includes the BlackBerry Enterprise Server, you can use the BlackBerry Enterprise Server service account to install the BlackBerry Device Service. If you do not have a BlackBerry Enterprise Server service account, in Microsoft Active Directory, create a service account that you name BDSAdmin.

During the installation of the BlackBerry Device Service, steps 1 and 2 describe the setup of the Active Directory login, as follows:
1. In the Microsoft Active Directory settings dialog box, specify information for the reader account that the BlackBerry Administration Service uses to authenticate with Microsoft Active Directory. If you want to use a different account as the reader account, you must specify the username, password, and Windows domain for a Microsoft Active Directory account. The account must have permission to read the user information that is stored in the global catalog servers that the BlackBerry Administration Service can access.
2. In the Create an administrator account dialog box, perform one of the following actions:
* If you select Use Microsoft Active Directory authentication, you can choose to use the Microsoft Active Directory account that you used in step 1, or you can specify the username and Windows domain for a different Microsoft Active Directory account.
* If you select Use BlackBerry Administration Service authentication, type and confirm a password for the BlackBerry Administration Service administrator account. You use the account information that you specify to log in to the BlackBerry Administration Service for the first time.

Log in to the BlackBerry Administration Service:
When you install the BlackBerry Administration Service, you specify the credentials that you use to log in to the BlackBerry Administration Service for the first time.
1. In the browser, type https://<server_name>/webconsole/login, where <server_name> is the name of the computer that hosts the BlackBerry Administration Service.
2. In the User name field, type your username.
3. In the Password field, type your password.
4. Perform one of the following actions:
* In the Log in using drop-down list, click BlackBerry Administration Service.
* In the Log in using drop-down list, click Active Directory and type the Microsoft Active Directory domain in the Domain field.
5. Click Log in.
6. Install the RIMWebComponents.cab add-on if you are prompted to do so.

For further details regarding the BlackBerry Device Service installation and configuration, see the accompanying Overview Document and the "Install the BlackBerry Device Service software" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service Version: 6.2 Installation and Configuration Guide.
Configure the BlackBerry Device Service server to authenticate through an Enterprise Authentication Mechanism that employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions.
Steps to replace the self-signed certificate:
Log into the server as the BlackBerry Enterprise Server (BES) service account and complete the following tasks to replace the self-signed Secure Socket Layer (SSL) certificate used by the BAS and the BWDM with a DoD PKI issued certificate. If a DoD PKI issued certificate was used during the installation of the BlackBerry Device Service, this requirement has been met.

Task 1 - Retrieve your keystore password:
1. Log in to the BAS as an administrator with the Security Administrator role.
2. Click BlackBerry Solution topology -> BlackBerry Domain -> Component view -> BlackBerry Administration Service.
3. In the Security Settings, check the value for Default password to encrypt the web.keystore file, and note it.

Task 2 - Back up the web.keystore file:
1. Open a Windows Command prompt as an Administrator.
2. Type copy "c:\Program Files (x86)\Research In Motion\BlackBerry Device Service\BAS\bin\web.keystore" "c:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore.OLD"
Note: Do not remove or rename the existing web.keystore file.

Task 3 - Delete the self-signed SSL certificate from inside the keystore file:
1. Open a Command prompt as an Administrator.
2. Type "c:\Program Files\Java\jre1.6.0_31\bin\keytool.exe" -delete -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -storepass "<password>"
Note: The -storepass parameter must be the password you retrieved in Task 1. The quotes are required due to special characters.

Task 4 - Generate the BlackBerry Administration Service certificate key pair:
* Type "c:\Program Files\Java\jre1.6.0_31\bin\keytool.exe" -genkey -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -storepass "<password>" -dname "CN=<BAS Server or BAS Pool full name>, OU=BAS, O=Company, L=City, ST=ST, C=US"
Note: Some Certificate Authority (CA) servers require RSA encryption of the certificate request. If this is the case, add -keyalg RSA to this keytool command. Also, the -keyalg RSA switch defaults to 1024 as a keysize. For environments that require 2048 as a keysize, use the -keysize 2048 command switch, e.g., -keyalg RSA -keysize 2048
STOP: After following this step, the web.keystore file now contains a private key entry. This exact private key MUST be matched with the reply generated from your Certificate Authority below in order for this process to succeed. It is highly recommended that the web.keystore file be backed up after this step has been performed, so that this private key is retained. If this is not done, and any of the following steps are not successful, it will be necessary to clear out the keystore and start again from Task 1. This is especially important to note for environments with manual certificate request processes.

Task 5 - Generate a certificate request to the certification authority:
* Type "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -certreq -alias httpssl -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certreq.csr" -storepass "<password>"
Note: If the -keyalg switch was used in Task 4 for a CA that requires RSA encryption, it is recommended to also use it here. Also, the -keyalg RSA switch defaults to 1024 as a keysize. For environments that require 2048 as a keysize, use the -keysize 2048 command switch, e.g., -keyalg RSA -keysize 2048
* "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -certreq -alias httpssl -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certreq.csr" -storepass "<password>" -keyalg RSA -keysize 2048

Task 6 - Request the certificate from the certificate authority (CA):
Note: The steps in this task are based on the steps required to request a certificate from a Windows certificate authority. If requesting a certificate from a third-party certificate authority, see the information in the Additional Information section. Domain administrator permission is required to complete this task.
1. Log off the server as the BlackBerry Enterprise Server service account.
2. Log into the server with a domain account with domain administrator permissions or permissions to submit a webserver template request.
3. Browse to the organization's certificate server using Windows Internet Explorer (for example: http://<certificate_server_name>/certsrv).
4. Click Request a certificate.
5. Click Advanced certificate request.
6. Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
7. Paste the full contents of the certreq.csr file into the Saved Request field.
8. Choose Web Server from the Certificate Template drop-down list.
9. Click Submit.
10. Click Download certificate.
11. Save the file to c:\bascert.cer when prompted.
Note: If the error "The certificate is not valid for the requested usage" appears, choose Subordinate Certification Authority from the Certificate Template drop-down list instead of Web Server.

Task 7 - Download the CA certificate from the certificate authority:
1. Browse to the organization's certificate server using Windows Internet Explorer (for example: http://<certificate_server_name>/certsrv).
2. Click Download a CA certificate, certificate chain, or CRL.
3. Click Download CA certificate. Save it as c:\certnewCA.cer.

Task 8 - Import the CA certificate into the BlackBerry Administration Service key store:
1. Log off the server as the domain account used in Tasks 6 and 7 above to request the certificate from the certificate authority (CA).
2. Log onto the server as the BES service account.
3. Open a command prompt window as Administrator in the same manner as used in Task 2.
4. Type: "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -import -alias cacert -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certnewCA.cer" -storepass "<password>"
If the BlackBerry Administration Service certificate is issued by an Intermediate CA, repeat step 4 to import the certificate of every Intermediate CA in the certificate chain. Use a unique alias name for every imported certificate. If the error "keytool error: java.lang.Exception: Failed to establish chain from reply" is displayed when performing Task 9 below, this step needs to be completed. To import an Intermediate Certificate Authority certificate:
"c:\Program Files\Java\jre1.6.0_31\bin\keytool" -import -alias cacert2 -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certnewCA2.cer" -storepass "<password>"

Task 9 - Import the BlackBerry Administration Service certificate into the BlackBerry Administration Service key store:
* In the command prompt window used in Task 8, type: "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -import -alias httpssl -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\bascert.cer" -storepass "<password>"

Task 10 - Restart the BlackBerry Administration Service.

If the PKI digital certificate installed on the BlackBerry Device Service server to support BAS and BWDM authentication is not a DoD PKI issued certificate, this is a finding.
Use a DoD issued digital certificate on the BES to support BAS and BlackBerry Web Desktop Manager authentication.
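As an added example that is not part of the STIG or of the BlackBerry guides, the following PowerShell script wraps the keytool commands of Tasks 2 through 5 and 8 through 9 in two phases (the CA request in Tasks 6 and 7 runs under a different account and stays manual), with the Task 4 STOP backup, the -keyalg RSA -keysize 2048 switches, one unique alias per CA certificate, and a final chain-length check built in. The Java and keystore paths, the httpssl/cacert aliases and the C:\certreq.csr, C:\bascert.cer and C:\certnewCA.cer file names are the ones quoted in the procedure and are assumptions about the local install.

```powershell
<#
  Added example (not from the STIG or BlackBerry documentation): automates the
  keytool steps of the certificate replacement procedure so the backup, alias
  and key-size safeguards are not skipped. Run as the BES service account from
  an elevated PowerShell prompt. Paths below are assumptions; adjust to match
  the local install.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Request','Install')][string]$Phase,
    [Parameter(Mandatory)][string]$StorePass,          # value noted in Task 1
    [string]$SubjectCN,                                 # BAS server or BAS pool full name (Request phase)
    [string]$Keytool  = 'C:\Program Files\Java\jre1.6.0_31\bin\keytool.exe',
    [string]$Keystore = 'C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\BAS\bin\web.keystore',
    [string]$Alias    = 'httpssl',
    [string]$CsrFile  = 'C:\certreq.csr',
    [string]$CertFile = 'C:\bascert.cer',
    [string[]]$CaFiles = @('C:\certnewCA.cer')          # root CA first, then any intermediates
)
$ErrorActionPreference = 'Stop'

# Run keytool against the BAS keystore and abort on any non-zero exit code.
function Invoke-Keytool {
    param([string[]]$KtArgs)
    $out = & $Keytool @KtArgs -keystore $Keystore -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "keytool failed: $($KtArgs -join ' ')`n$out" }
    return $out
}

# Task 2 note: copy the live web.keystore; never rename or remove it.
function Backup-Keystore([string]$Suffix) {
    Copy-Item -LiteralPath $Keystore -Destination "$Keystore.$Suffix" -Force
}

if ($Phase -eq 'Request') {
    if (-not $SubjectCN) { throw 'SubjectCN is required in the Request phase' }
    Backup-Keystore 'OLD'                                                   # Task 2
    # Task 3: remove the self-signed entry only if it is still present.
    if ((Invoke-Keytool @('-list')) -match "^$Alias,") {
        Invoke-Keytool @('-delete', '-alias', $Alias) | Out-Null
    }
    # Task 4: new key pair; RSA 2048 so the CSR is accepted by CAs that require it.
    $dn = "CN=$SubjectCN, OU=BAS, O=Company, L=City, ST=ST, C=US"
    Invoke-Keytool @('-genkey', '-alias', $Alias, '-keyalg', 'RSA',
                     '-keysize', '2048', '-dname', $dn) | Out-Null
    # STOP note: keep a copy holding the private key the CA reply must match.
    Backup-Keystore 'privkey'
    # Task 5: write the CSR to hand to the CA.
    Invoke-Keytool @('-certreq', '-alias', $Alias, '-file', $CsrFile,
                     '-keyalg', 'RSA', '-keysize', '2048') | Out-Null
    Write-Host "CSR written to $CsrFile. Submit it to the CA (Task 6) and fetch the CA chain (Task 7)."
}
else {
    # Task 8: one unique alias per CA certificate (cacert, cacert2, ...).
    $i = 0
    foreach ($ca in $CaFiles) {
        $i++
        $caAlias = if ($i -eq 1) { 'cacert' } else { "cacert$i" }
        Invoke-Keytool @('-import', '-noprompt', '-alias', $caAlias, '-file', $ca) | Out-Null
    }
    # Task 9: import the CA reply onto the existing private key entry.
    Invoke-Keytool @('-import', '-alias', $Alias, '-file', $CertFile) | Out-Null
    # Check: a self-signed entry has chain length 1; a CA-issued one is longer.
    $v   = Invoke-Keytool @('-list', '-v', '-alias', $Alias)
    $len = [int](($v | Select-String 'Certificate chain length: (\d+)').Matches[0].Groups[1].Value)
    if ($len -lt 2) { throw "Alias $Alias is still self-signed (chain length $len)" }
    Write-Host "Chain of length $len installed for $Alias. Restart the BlackBerry Administration Service (Task 10)."
}
```

Run it once with -Phase Request before the CA submission and once with -Phase Install after the issued certificate and CA chain have been saved; the chain-length check fails loudly if the reply did not match the stored private key.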
Examine the server configuration to determine if there is a DoD approved host-based firewall installed and configured to filter both inbound and outbound traffic based on IP address and UDP/TCP port. If no firewall is installed, this is a finding. If a non-approved firewall is installed, this is a finding.

Access to the host server for the BlackBerry Device Service is controlled by the host operating system. Connection ports and protocols for communication with the BlackBerry Device Service can be configured during installation or after installation, if required, using the BlackBerry Device Service Configuration tool. You can use the BlackBerry Device Service Configuration tool to configure the settings that the BlackBerry Device Service uses. You can change settings for BlackBerry Device Service components such as the BlackBerry Configuration Database (for example, port configuration and database authentication) and the BlackBerry Administration Service (for example, pool name, port numbers, and web keystore password).
1. On a computer that hosts a BlackBerry Device Service component, on the taskbar, click Start > All Programs > BlackBerry Enterprise Service 10 > BlackBerry Device Service > BlackBerry Device Service Configuration.
2. If a Windows message appears and requests permission to make changes to the computer, click Yes.
3. In the BlackBerry Device Service Configuration tool, make changes on the appropriate tabs.
For additional options and detailed instructions, see the accompanying Overview document and the "Configuring connection types and port numbers" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service Version: 6.2 Administration Guide.
Remove any non-approved firewalls if present. Install a DoD approved host-based firewall, and configure to filter both inbound and outbound traffic based on IP address and UDP/TCP port.
By default, the connection between the BlackBerry Device Service server and the mobile device is initiated based on an out-bound connection request from the BlackBerry Device Service server only. No configuration or modification is required on the server; however, the corporate firewall must be configured for this connection. See the Firewall configuration settings in the "Architecture: BlackBerry Device Service" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service Solution Version: 6.2 Security Technical Overview document. If the system has not been configured so the connection between the BlackBerry Device Service server and the mobile device is initiated based on an out-bound connection request from the BlackBerry Device Service server only, this is a finding.
Configure the system so the connection between the BlackBerry Device Service server and the mobile device is initiated based on an out-bound connection request from the BlackBerry Device Service server only.
Review the BlackBerry Device Service (BDS) server configuration to ensure it detects and reports the version of the operating system, device drivers, and application software for managed mobile devices. If this function is not configured, this is a finding.

The BlackBerry Device Service administrator is able to view the version of the operating system and the software configuration on the mobile devices using the "Managing Users" option in the BlackBerry Administration Service.

To identify the operating system and application versions on the device:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Once the table of users appears, scroll down to the desired user, or use the search criteria to search for the desired user.
4. Scroll across the table to the column titled "Software version."

To identify application software versions on the device:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Once the table of users appears, scroll down to the desired user, and select the user you want to see details for.
4. In the "Associated device properties" window, select the PIN for the appropriate device.
5. The Device software, Hardware, and other properties are displayed in the corresponding windows.
6. From the Menu bar, select "Applications."
7. Optional and mandatory applications are displayed with the current versions in the appropriate window for each category.
Configure the BlackBerry Device Service server to detect and report the version of the operating system, device drivers, and application software for managed mobile devices.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable Wi-Fi. If this function is not present, this is a finding.

The "Wi-Fi" rule on the BlackBerry Device Service server specifies whether a BlackBerry device can use Wi-Fi. If this rule is set to Disallow, the device cannot use Wi-Fi. After you set this rule to Disallow, if you change it back to Allow, the device restarts before it turns Wi-Fi on. This policy rule is applicable for corporate-liable devices only, introduced in OS version 10.1.0.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to enable or disable Wi-Fi.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable the voice recorder. If this function is not present, this is a finding.

The "Voice Dictation" rule on the BlackBerry Device Service server specifies whether a BlackBerry device user can use voice dictation on a device. If this rule is set to Allow, the user can use voice dictation in all apps that support this feature. If this rule is set to Disallow, the user cannot use voice dictation on the device. This policy rule is applicable for corporate-liable devices only, introduced in OS version 10.1.0.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to enable or disable the voice recorder.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable the near-field communications (NFC) radio. If this function is not present, this is a finding.

The "NFC" rule on the BlackBerry Device Service server specifies whether a BlackBerry device can use NFC. If this rule is set to Disallow, the device cannot use NFC. This policy rule is applicable for corporate-liable devices only, introduced in OS version 10.1.0.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to enable or disable the near-field communications (NFC) radio.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable all cameras. If this function is not present, this is a finding.

The "Camera" rule on the BlackBerry Device Service server specifies whether a BlackBerry device can use the camera. If this rule is set to Disallow, the device cannot use the camera. This policy rule is applicable for corporate-liable devices only, introduced in OS version 10.1.0.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to enable or disable all cameras.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable the memory card port. If this function is not present, this is a finding.

The "SD Card" rule on the BlackBerry Device Service server specifies whether a BlackBerry device can access the SD Card. If this rule is set to Disallow, the device cannot access the SD Card. This policy rule is applicable for corporate-liable devices only, introduced in OS version 10.1.0.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to enable or disable the memory card port.
Verify the BlackBerry Administration Service (BAS) has been configured to permit users to activate new BlackBerry devices only.
Log into the BAS as an administrator with the Security Administrator role.
In the BAS Organization Administration menu, expand Organization.
- Click My organization.
- Click BlackBerry Web Desktop Manager Information.
- On the Allowed user operations, verify "Allow user wireline activation" is set to "Activate unused PIN only."
If BAS has not been configured to permit users to activate only new devices, this is a finding.
Configure BlackBerry Administration Service to permit users to activate new BlackBerry devices only via BlackBerry Web Desktop Manager.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable location services. If this function is not present, this is a finding.

The "Location Services" rule on the BlackBerry Device Service server specifies whether a BlackBerry device can provide its geographic location to applications that are running on the device. If this rule is set to Disallow, applications on the device cannot use the GPS or geolocation service to determine the location of the device. This policy rule is applicable for corporate-liable devices only, introduced in OS version 10.1.0.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to enable or disable location services.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable the video recorder. If this function is not present, this is a finding.

The "Computer Access to Device" rule on the BlackBerry Device Service server specifies whether a computer can access content on a BlackBerry device using a USB connection or the file-sharing option with Wi-Fi. Where BlackBerry Balance is used, the "Computer Access to Work Files" rule applies to the work perimeter only. This policy rule is applicable for corporate-liable devices only, introduced in OS version 10.1.0.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to enable or disable the video recorder.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable the USB Port mass storage mode. If this function is not present, this is a finding.

The "Computer Access to Device" rule on the BlackBerry Device Service server specifies whether a computer can access content on a BlackBerry device using a USB connection or the file-sharing option with Wi-Fi. Where BlackBerry Balance is used, the "Computer Access to Work Files" rule applies to the work perimeter only.

The "BlackBerry Device Access to USB Device" rule on the BlackBerry Device Service server specifies whether USB devices (for example, USB flash drives and external hard drives) can interact with apps and data on a BlackBerry device. If this rule is set to Disallow, a USB device cannot access data on the BlackBerry device.

These policy rules are applicable for corporate-liable devices only, introduced in OS version 10.1.0.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to enable or disable the USB Port mass storage mode.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable tethering (Wi-Fi, Bluetooth or USB). If this function is not present, this is a finding.

The "Mobile Hotspot Mode and Tethering" rule on the BlackBerry Device Service server specifies whether to allow Mobile Hotspot mode, tethering using Bluetooth technology, and tethering using a USB cable on a BlackBerry device. If this rule is set to Allow, all of these features are available in the settings on the device. If this rule is set to Disallow, none of these features are available in the settings on the device. If you do not set this rule, a default value of Allow will be used.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to enable or disable tethering (Wi-Fi, Bluetooth, or USB).
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to perform a "Data Wipe" function whereby all data stored in the security container is erased when the maximum number of incorrect passwords for the security container application has been reached. If this function is not present, this is a finding.

Once a work space password is required by the "Password Required for Work Space" security policy rule, and the number of incorrect password attempts reaches the value set in the "Maximum Password Attempts" security policy rule, the device performs a "Data Wipe" in which all data stored in the security container (the work space) is erased.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details, see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to perform a "Data Wipe" function whereby all data stored in the security container is erased when the maximum number of incorrect passwords for the security container application has been reached.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to set the number of incorrect password attempts before a data wipe procedure is initiated (at a minimum, the rule must support values in the range 3 to 10). If this function is not present, this is a finding.

The "Maximum Password Attempts" rule lets the administrator set the number of incorrect password attempts after which the work space is wiped.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details, see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to set the number of incorrect password attempts before a data wipe procedure is initiated.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to enable or disable the MDM agent password. If this function is not present, this is a finding.

The "Password Required for Work Space" rule specifies whether a BlackBerry device requires a password for the work space. If this rule is set to Yes, a BlackBerry device user must set a password for the work space on the device. For devices running the BlackBerry PlayBook OS, if you do not set this rule, a default value of No is used, so the rule must be set explicitly rather than left at its default.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details, see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to enable an MDM agent password.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to set the number of upper case letters in the MDM agent password. If this function is not present, this is a finding.

The "Minimum Password Complexity" rule lets the administrator of the BlackBerry Device Service server require at least one upper case letter in the device unlock password.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details, see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to set the number of upper case letters in the MDM agent password.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to set the number of numeric characters in the MDM agent password. If this function is not present, this is a finding.

The "Minimum Password Complexity" rule lets the administrator of the BlackBerry Device Service server require at least one number in the device unlock password.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details, see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to set the number of numeric characters in the MDM agent password.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to set the number of special characters in the MDM agent password. If this function is not present, this is a finding.

The "Minimum Password Complexity" rule lets the administrator of the BlackBerry Device Service server require at least one special character in the device unlock password.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details, see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to set the number of special characters in the MDM agent password.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to set the maximum MDM agent password age (e.g., 30 days, 90 days, or 180 days). If this function is not configured, this is a finding.

The "Maximum Password Age" rule requires users to change their device password after a configured period of time.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details, see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to set the maximum MDM agent password age (e.g., 30 days, 90 days, or 180 days).
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to set a minimum MDM agent password length of eight or more characters. If this function is not present, this is a finding.

The "Minimum Password Length" rule enforces a minimum number of characters for the device password.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details, see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to set a minimum MDM agent password length of eight or more characters.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to set the maximum MDM agent password history (checking the 3 previous passwords is the recommended setting). If this function is not present, this is a finding.

The "Maximum Password History" rule prevents users from reusing a configured number of their previous passwords.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details, see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to set the maximum MDM agent password history (3 previous passwords checked is the recommended setting).
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to centrally manage the managed mobile device security policy rule to set the MDM agent inactivity timeout (the following settings must be available, at a minimum: Disable (no timeout), 15 minutes, and 60 minutes). If this function is not present, this is a finding.

The "Security Timeout" rule forces the device to lock after a specified period of inactivity.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details, see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to set the MDM agent inactivity timeout (the following settings must be available, at a minimum: Disable (no timeout), 15 minutes, and 60 minutes).
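The password rules in the preceding entries ("Password Required for Work Space", "Minimum Password Length", "Minimum Password Complexity", "Maximum Password History", "Maximum Password Attempts" and "Security Timeout") combine on the device into a single unlock state machine, and it is the combination that an assessor is really checking. The following Python model is an added example written for this page; it is not BlackBerry code and does not come from the administration guide. The class and field names are this example's own shorthand, the STIG-required values are the defaults, and the attempt counter is validated against the 3 to 10 range the check text requires.

```python
from dataclasses import dataclass
import hmac
import string


@dataclass(frozen=True)
class PasswordPolicy:
    """The IT policy rules named on this page, with the STIG-required values as defaults.

    Field names are this example's own shorthand, not BES10 rule identifiers.
    """
    password_required: bool = True      # "Password Required for Work Space" (BES10 default when unset: No)
    minimum_length: int = 8             # "Minimum Password Length"
    require_upper: bool = True          # "Minimum Password Complexity": at least 1 upper case letter
    require_digit: bool = True          # "Minimum Password Complexity": at least 1 number
    require_special: bool = True        # "Minimum Password Complexity": at least 1 special character
    history_depth: int = 3              # "Maximum Password History": previous passwords rejected
    max_attempts: int = 10              # "Maximum Password Attempts": incorrect tries before a wipe
    security_timeout_minutes: int = 15  # "Security Timeout": 0 means no inactivity lock

    def __post_init__(self) -> None:
        # The check text requires the wipe counter to be settable within 3 to 10; refuse anything else.
        if not 3 <= self.max_attempts <= 10:
            raise ValueError("max_attempts must be between 3 and 10 inclusive")
        # The check text lists these three settings as the minimum the timeout rule must offer.
        if self.security_timeout_minutes not in (0, 15, 60):
            raise ValueError("security_timeout_minutes must be 0 (disabled), 15 or 60")

    def violations(self, candidate: str, previous: list[str]) -> list[str]:
        """Return the rules a candidate password breaks; an empty list means it is acceptable."""
        problems = []
        if len(candidate) < self.minimum_length:
            problems.append("length")
        if self.require_upper and not any(c.isupper() for c in candidate):
            problems.append("upper")
        if self.require_digit and not any(c.isdigit() for c in candidate):
            problems.append("digit")
        if self.require_special and not any(c in string.punctuation for c in candidate):
            problems.append("special")
        # previous[-0:] would be the whole list, so guard a history depth of zero explicitly.
        recent = previous[-self.history_depth:] if self.history_depth > 0 else []
        if candidate in recent:
            problems.append("history")
        return problems


class WorkSpace:
    """The security container: locks on inactivity and wipes itself after max_attempts failures."""

    def __init__(self, policy: PasswordPolicy, password: str, previous: tuple[str, ...] = ()) -> None:
        self.policy = policy
        self.locked = policy.password_required
        self.wiped = False
        self.failed_attempts = 0
        self._password = None
        if policy.password_required:
            problems = policy.violations(password, list(previous))
            if problems:
                raise ValueError("password rejected: " + ", ".join(problems))
            self._password = password

    def unlock(self, attempt: str) -> bool:
        """Process one unlock attempt; False after a wipe even for the correct password."""
        if self.wiped:
            return False
        if not self.policy.password_required:
            self.locked = False
            return True
        # Constant-time compare; a real device checks a stored verifier rather than the plaintext.
        if hmac.compare_digest(attempt.encode(), self._password.encode()):
            self.failed_attempts = 0
            self.locked = False
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.policy.max_attempts:
            self.wipe()
        return False

    def wipe(self) -> None:
        """The "Data Wipe": everything in the container is erased, the verifier included."""
        self.wiped = True
        self.locked = True
        self._password = None

    def idle(self, minutes: int) -> bool:
        """Apply the Security Timeout rule after `minutes` of inactivity; returns the lock state."""
        timeout = self.policy.security_timeout_minutes
        if timeout and minutes >= timeout:
            self.locked = True
        return self.locked
```

The weak starting point is `PasswordPolicy(password_required=False)`, which models a work space where the rule was never set: `unlock` succeeds with any input and no attempt is ever counted, so none of the other rules have any effect. With the defaults, a successful unlock resets the failure counter, the wipe fires on the attempt that reaches `max_attempts`, and the correct password is refused afterwards because the container no longer exists.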
Review the BlackBerry Device Service server configuration to ensure the BlackBerry Device Service server can configure the mobile device agent to prohibit the download of software from any source that is not DoD-approved (approved sources include, e.g., a DoD-operated mobile device application store or the BlackBerry Device Service server). If this function is not present, this is a finding.

The "Restrict Development Mode" rule prevents users from enabling Development Mode on the device, which is the path used to sideload applications from non-approved sources.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details, see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version 6.2 Administration Guide.
Configure the BlackBerry Device Service server so the mobile device agent is configured to prohibit the download of software from any source that is not DoD-approved (approved sources include, e.g., a DoD-operated mobile device application store or the BlackBerry Device Service server).
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user. If this function is not present, this is a finding.

Application lists (software configurations) can be created for installation on the mobile devices. Each application in the list is identified as "Optional" or "Required". If an application is identified as "Required", it is installed automatically on the device and cannot be removed by the user.

Create a software configuration:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Software.
2. Click Create a software configuration.
3. In the Configuration information section, in the Name field, type a name for the software configuration.
4. Click Save.

Add an app to a software configuration:
You must add an app to a software configuration to send the app to BlackBerry devices. If you want to upgrade an app, you must add the new version of the app to the appropriate software configuration.
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Software.
2. Click Manage software configurations.
3. Click the software configuration that you want to add an app to.
4. Click Edit software configuration.
5. On the Applications tab, click Add applications to software configuration.
6. Search for the app that you want to add to the software configuration.
7. In the search results, select an app that you want to add to the software configuration.
8. For apps in the applications repository, in the Disposition drop-down list for the app, perform one of the following actions:
* To install the app automatically on devices, and to prevent users from removing the app, select Required.
* To permit users to install and remove the app, and to add the app to the Work tab in the BlackBerry World storefront, select Optional.
9. Repeat steps 6 to 8 for each app that you want to add to the software configuration.
10. Click Add to software configuration.
11. Click Save all.

See the "Managing app availability on devices" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service Version 6.2 Administration Guide for further details and other available options.
Configure the BlackBerry Device Service server so it has the administrative functionality to specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user.
Verify the BlackBerry Administration Service (BAS) has been configured to prevent users from performing self-service tasks on the BlackBerry Device Service server via BlackBerry Web Desktop Manager.

Log in to the BlackBerry Administration Service as an administrator with the Security Administrator role.
- In the BlackBerry Administration Service, in the Organization administration menu, expand Organization.
- Click My organization.
- Click BlackBerry Web Desktop Manager Information.
- In the Allowed user operations section, verify "Allow users to perform self service tasks" is set to No.

If this setting is not configured as required, this is a finding.
Configure the BlackBerry Administration Service to disable a user from performing self-service tasks via BlackBerry Web Desktop Manager.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to disallow a user-initiated backup or restore of the work persona of a managed mobile device. If this function is not present, this is a finding.

The "Backup and Restore Work Perimeter Space" rule specifies whether a BlackBerry device user can back up and restore the apps and data that are located in the work space of the device using BlackBerry Link. If this rule is set to Disallow, the option to back up and restore the contents of the work space is disabled.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details, see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to disallow a user initiated backup or restore of the work persona of a managed mobile device.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to disallow any native applications pertaining to billing on a managed mobile device. If this function is not present, this is a finding.

The "Plans App" rule prevents users from buying wireless service plans that are available from the Plans app. If this rule is set to Disallow, the Plans app is disabled on the device.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details, see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to disallow any native applications pertaining to billing on a managed mobile device.
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to disallow any native applications pertaining to billing on a managed mobile device. If this function is not present, this is a finding.

The "Wireless Service Provider Billing" rule specifies whether a BlackBerry device user can purchase paid apps from the BlackBerry World storefront and the BlackBerry World for Work storefront using the purchasing plan for your organization's wireless service provider. If this rule is set to Disallow, users must pay for app purchases using another payment method.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details, see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version 6.2 Administration Guide.
Configure the centrally managed BlackBerry Device Service server security policy rule to disallow any native applications pertaining to billing on a managed mobile device.
Review the BlackBerry Device Service server configuration to ensure the system is authenticating through the Enterprise Authentication Mechanism, which performs individual authentication prior to performing group authentication. If the BlackBerry Device Service server is not authenticating through the Enterprise Authentication Mechanism, this is a finding. An administrator account that uses the local BlackBerry Administration Service authentication option does not satisfy this requirement.

Local authentication rules are handled by the host operating system. Remote connection via web browser can be configured to use Microsoft Active Directory authentication during the installation of the BlackBerry Device Service.

Configure permissions for the service account:
The service account is a Windows account that runs the services for the BlackBerry Device Service. On the computer that you want to install the BlackBerry Device Service on, you must configure permissions for the service account; without the correct permissions, the BlackBerry Device Service cannot run. If your organization's environment includes the BlackBerry Enterprise Server, you can use the BlackBerry Enterprise Server service account to install the BlackBerry Device Service. If you do not have a BlackBerry Enterprise Server service account, in Microsoft Active Directory, create a service account named BDSAdmin.

During the installation of the BlackBerry Device Service, steps 1 and 2 set up the Active Directory login:
1. In the Microsoft Active Directory settings dialog box, specify information for the reader account that the BlackBerry Administration Service uses to authenticate with Microsoft Active Directory. If you want to use a different account as the reader account, you must specify the username, password, and Windows domain for a Microsoft Active Directory account. The account must have permission to read the user information that is stored in the global catalog servers that the BlackBerry Administration Service can access.
2. In the Create an administrator account dialog box, perform one of the following actions:
* If you select Use Microsoft Active Directory authentication, you can choose to use the Microsoft Active Directory account that you used in step 1, or you can specify the username and Windows domain for a different Microsoft Active Directory account.
* If you select Use BlackBerry Administration Service authentication, type and confirm a password for the BlackBerry Administration Service administrator account.
You use the account information that you specify to log in to the BlackBerry Administration Service for the first time.

Log in to the BlackBerry Administration Service:
When you install the BlackBerry Administration Service, you specify the credentials that you use to log in to the BlackBerry Administration Service for the first time.
1. In the browser, type https://<server_name>/webconsole/login, where <server_name> is the name of the computer that hosts the BlackBerry Administration Service.
2. In the User name field, type your username.
3. In the Password field, type your password.
4. Perform one of the following actions:
* In the Log in using drop-down list, click BlackBerry Administration Service.
* In the Log in using drop-down list, click Active Directory and type the Microsoft Active Directory domain in the Domain field.
5. Click Log in.
6. Install the RIMWebComponents.cab add-on if you are prompted to do so.

For further details regarding BlackBerry Device Service installation and configuration, see the accompanying Overview Document and the "Install the BlackBerry Device Service software" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service Version 6.2 Installation and Configuration Guide.
Configure the BlackBerry Device Service server to authenticate through the Enterprise Authentication Mechanism prior to performing group authentication.
Review the BlackBerry Device Service server configuration to ensure the system is authenticating through an Enterprise Authentication Mechanism that employs replay-resistant features. If the BlackBerry Device Service server is not authenticating through an Enterprise Authentication Mechanism that employs replay-resistant authentication mechanisms for network access to privileged accounts, this is a finding. An administrator account that uses the local BlackBerry Administration Service authentication option does not satisfy this requirement.

Local authentication rules are handled by the host operating system. Remote connection via web browser can be configured to use Microsoft Active Directory authentication during the installation of the BlackBerry Device Service.

Configure permissions for the service account:
The service account is a Windows account that runs the services for the BlackBerry Device Service. On the computer that you want to install the BlackBerry Device Service on, you must configure permissions for the service account; without the correct permissions, the BlackBerry Device Service cannot run. If your organization's environment includes the BlackBerry Enterprise Server, you can use the BlackBerry Enterprise Server service account to install the BlackBerry Device Service. If you do not have a BlackBerry Enterprise Server service account, in Microsoft Active Directory, create a service account named BDSAdmin.

During the installation of the BlackBerry Device Service, steps 1 and 2 set up the Active Directory login:
1. In the Microsoft Active Directory settings dialog box, specify information for the reader account that the BlackBerry Administration Service uses to authenticate with Microsoft Active Directory. If you want to use a different account as the reader account, you must specify the username, password, and Windows domain for a Microsoft Active Directory account. The account must have permission to read the user information that is stored in the global catalog servers that the BlackBerry Administration Service can access.
2. In the Create an administrator account dialog box, perform one of the following actions:
* If you select Use Microsoft Active Directory authentication, you can choose to use the Microsoft Active Directory account that you used in step 1, or you can specify the username and Windows domain for a different Microsoft Active Directory account.
* If you select Use BlackBerry Administration Service authentication, type and confirm a password for the BlackBerry Administration Service administrator account.
You use the account information that you specify to log in to the BlackBerry Administration Service for the first time.

Log in to the BlackBerry Administration Service:
When you install the BlackBerry Administration Service, you specify the credentials that you use to log in to the BlackBerry Administration Service for the first time.
1. In the browser, type https://<server_name>/webconsole/login, where <server_name> is the name of the computer that hosts the BlackBerry Administration Service.
2. In the User name field, type your username.
3. In the Password field, type your password.
4. Perform one of the following actions:
* In the Log in using drop-down list, click BlackBerry Administration Service.
* In the Log in using drop-down list, click Active Directory and type the Microsoft Active Directory domain in the Domain field.
5. Click Log in.
6. Install the RIMWebComponents.cab add-on if you are prompted to do so.

For further details regarding BlackBerry Device Service installation and configuration, see the accompanying Overview Document and the "Install the BlackBerry Device Service software" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service Version 6.2 Installation and Configuration Guide.
Configure the BlackBerry Device Service server to authenticate through the Enterprise Authentication Mechanism.
Verify BDS has been configured to require trusted connections to push enclave application or web servers, using the following procedure:
- In the BlackBerry Administration Service, in the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > MDS Connection Service.
- Click the instance that you want to change.
- On the "Instance information" tab, click "Edit instance."
- In the "Access control" section, verify "Push authentication" is set to Yes.
If BDS has not been configured to require trusted connections to push enclave application or web servers, this is a finding.
Configure the BlackBerry Device Service server to push content to BlackBerry devices.
Local authentication rules are handled by the host operating system. Remote connection via web browser can be configured to use Microsoft Active Directory authentication during the installation of the BlackBerry Device Server. See the "Install the BlackBerry Device Service software" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service Version: 6.2, Installation and Configuration Guide.
To ensure correct configuration:
1. Have the BlackBerry Device Service (BDS) Administrator log on to the BDS Server, and ensure authentication was performed via Active Directory.
If access to the server is not being authenticated via this method, this is a finding.
Configure the BlackBerry Device Service server to support administrator authentication to the server via the Enterprise Authentication Mechanism's authentication.