BlackBerry Forums Support Community               

11-07-2007, 12:55 PM   #1
juwaack68

Media Card Encryption/Security via IT Policy

I am trying to set some security on media cards and have run into some odd behavior. I don't want to disable the media cards, just encrypt and secure the data in the event the device is lost/stolen/abducted by aliens.

Not sure if I've missed something or not....I wasn't able to find anything about this on the boards. We are running BES 4.1.4 MR2; Exchange 2003 SP2.

In my test IT Policy I have the 'External File System Encryption Level' set to "Encrypt to user-provided password; include multi-media directories". I then applied this policy to my Sprint 8830 (has a 4G Sandisk card).

Under Options / Media card the Encryption Mode changed to "Security Password", and Encrypt Media Card changed to "Yes". Neither one of these options can be changed on the device.

I put some additional media (.jpg's) on my card via Media Manager and noticed that the NEW files received a new extension of .ren. The OLD files (already existing) still had the .jpg extension.

I then took the media card out of my device and put it into another 8830. The other device prompted for a password in order to read the media card. Ok, good. He tried a wrong password and it wouldn't let him past the password prompt.

However, I then took that same device with my card in it and connected it to Desktop Manager. The user entered his password (on the PC) to complete the connection and opened Media Manager. At this point, no (correct) password had been entered on the device for the media card.

The files with the .ren were not able to be manipulated with Media Manager - He received a 'General Failure'. So far so good.

However, he was able to use Media Manager to access the OLD files from the media card, copy them to his PC, and open them (the ones with the .jpg). This is NOT good.

I'm currently on the phone with RIM to find out if there is a way to encrypt the EXISTING files on a media card so that I can implement this policy. If there is no way to do this, I fear our security director (the guy I was testing with) will want me to disable the media cards.

Any help would be appreciated, and I will post back after I talk more with RIM.
__________________
No longer a BES Admin, but it was fun while it lasted!
11-07-2007, 01:14 PM   #2
zip

In my testing, I was not able to encrypt existing files on the SD card. Also, there would still be alternative ways to add unencrypted data to the cards as detailed in this article from blackberry.com: BlackBerry Search Results

Our inability to adequately ensure the data was encrypted, combined with little to no current business requirements for the functionality, led us to disable SD card access for now.

-zip
11-07-2007, 01:30 PM   #3
juwaack68

Thanks for the reply, Zip, I heard the same thing from RIM (glad they are on the same page!)

They said there is no way, via IT Policy, to encrypt existing files on a media card. He did say that users could move the files off the card and then back onto the card and they would then be encrypted. Yea, right, that'll happen right after I win the lottery.

The security guy isn't very excited about this, but is going to let me invoke the encryption vs. disabling the card, pending further research - like how many of our users are already using cards.

My next step is to see if there is a way that I can find out how many users have media cards. Anyone know of a way to check this from the BES???
11-07-2007, 01:41 PM   #4
penguin3107

Quote:
Originally Posted by juwaack68
My next step is to see if there is a way that I can find out how many users have media cards. Anyone know of a way to check this from the BES???

Sure... set and apply an IT policy to disable the Media Card and then wait for your phone to ring.
__________________
BCSA
BES 5.0.3 MR4 :-: Exchange 2007 SP3 RU3
http://port3101.org
11-07-2007, 01:48 PM   #5
juwaack68

Hahaha..... that thought DID cross my mind
11-07-2007, 01:58 PM   #6
Frank Castle

I played with these policies when they first came out and found the same things. I think what I question is since the main reason for concern is putting work DATA (word, excel) on the device it's easier to disable USB use and let the user use the card for photo / video / music storage as there is no way to open and edit a DATA type document .. yet.
11-07-2007, 01:59 PM   #7
juwaack68

^^ Can you explain that a little further? I'm not sure I follow.....
11-07-2007, 03:27 PM   #8
juwaack68

Now I have found something else that is a little irritating.

If I put my media card in a USB adapter I can copy files to it from my PC (or anyone else's PC) via Windows Explorer or Media Manager and they are not encrypted. Even after I put the media card back into my Blackberry.

UGH!
11-08-2007, 10:19 AM   #9
zip

Quote:
Originally Posted by juwaack68
Now I have found something else that is a little irritating.

If I put my media card in a USB adapter I can copy files to it from my PC (or anyone else's PC) via Windows Explorer or Media Manager and they are not encrypted. Even after I put the media card back into my Blackberry.

UGH!

That is what I was referencing in the link in my post above. Even with encryption enabled, there are multiple methods to transfer unencrypted data to the card, and no way to encrypt it once it is there.

-zip
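
Added example, not part of any post in this thread and not a RIM tool: a Python audit of a media card mounted on a PC through a card reader, listing the files that are still stored unencrypted (pre-policy files and files copied on from a PC, as posts #1, #8 and #9 describe). The `.ren` suffix is taken from post #1 as the marker of a device-encrypted file; the signature table, the function names and the sample card built in `demo()` are assumptions constructed for the illustration.

```python
import os
import tempfile

ENCRYPTED_SUFFIX = ".ren"  # assumption: suffix post #1 reports on device-encrypted files
MAGIC = {  # leading bytes of common plaintext formats
    b"\xff\xd8\xff": "JPEG", b"\x89PNG\r\n\x1a\n": "PNG", b"GIF8": "GIF",
    b"ID3": "MP3", b"%PDF": "PDF", b"PK\x03\x04": "ZIP/Office",
}

def sniff(path):
    """Return a format name if the file starts with a known plaintext signature."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    return next((name for magic, name in MAGIC.items() if head.startswith(magic)), None)

def audit_card(root):
    """Return sorted (relative_path, reason) pairs for files that look unencrypted."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root)
            kind = sniff(full)
            if kind:  # recognisable content, whatever the file is called
                findings.append((rel, "plaintext " + kind))
            elif not fname.lower().endswith(ENCRYPTED_SUFFIX):
                findings.append((rel, "no encrypted suffix"))
    return sorted(findings)

def demo():
    """Audit a constructed sample card: a pre-policy JPEG, a device-written file, a PC-copied file."""
    root = tempfile.mkdtemp()
    pics = os.path.join(root, "BlackBerry", "pictures")  # constructed layout
    os.makedirs(pics)
    samples = {
        "old.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # existed before the policy
        "new.jpg.ren": bytes(range(0x40, 0x60)),          # stand-in for ciphertext
        "notes.txt": b"copied via USB adapter",           # written from a PC
    }
    for name, data in samples.items():
        with open(os.path.join(pics, name), "wb") as fh:
            fh.write(data)
    return audit_card(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:22} {rel}")
```

Point `audit_card` at the drive letter or mount point of a card in a reader; a file that carries the encrypted suffix but whose content still matches a signature is reported as plaintext as well.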
11-25-2007, 02:00 PM   #10
hdawg

Quote:
Originally Posted by juwaack68
Now I have found something else that is a little irritating.

If I put my media card in a USB adapter I can copy files to it from my PC (or anyone else's PC) via Windows Explorer or Media Manager and they are not encrypted. Even after I put the media card back into my Blackberry.

UGH!

I submitted a request to have the ability to encrypt everything either locally or remotely ... hopefully both!

I believe Windows Mobile 6.1 will support this functionality; BlackBerry needs to do this.
Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.