I can't seem to find the settings in BlackBerry Manager policy which control Content and Address Book protection. I want the former on, the later off. Encryption strength I found, but the other two, no luck.

Help?

If you search the BlackBerry Technical Solution Center for the Policy Reference Guide you'll receive a document with all current IT Policy Setting options. Search that document for Content Protection and you'll see all the glory of device encryption.

(Answer stolen from hdawg in IT Policy Queries - always search first!)

Content protection strength
Taken from the info regarding a policy item on my BES

Specify whether or not content protection is turned on by selecting the cryptography strength that the BlackBerry device uses to encrypt content that it receives while it is locked.

When content protection is turned on, BlackBerry device content is always protected with the 256 bit AES encryption algorithm. If the BlackBerry device is locked when it receives content, the BlackBerry device randomly generates the content protection key (a 256 bit AES encryption key) and an ECC key pair, derives an ephemeral 256 bit AES encryption key from the BlackBerry device password, and uses the ephemeral key to encrypt the content protection key and the ECC private key.

Strong: Provides good security and performance. This setting is adequate for most situations.
Stronger: Provides better security, but slower performance. If you use this setting, RIM recommends that you set the Minimum Password Length IT policy rule to 12 characters.
Strongest: Provides the best security, but with the slowest performance. If you use this setting, RIM recommends that you request that the user set a password of at least 21 characters.

Note: Set this rule to prioritize either encryption strength or decryption time. When the BlackBerry Enterprise Server decrypts the message using the BlackBerry device master encryption key, it uses the ECC public key in the decryption operation first, followed by a 256 bit AES decryption operation. The ECC decryption operation adds time to the decryption process.

Rule dependency: The BlackBerry device uses this IT policy rule only if the Password Required rule is set to True.
Note: If you do not set this rule, the BlackBerry Enterprise Server does not force content protection on the BlackBerry device; if the user enables content protection on the BlackBerry device, it forces the Strong setting, which is the Default setting.

This rule applies only to Java-based BlackBerry devices version 4.0.0 and higher.

Great stuff, thanks!

Anyone know whether the reason for the minimum password length is:

a) If you're using encryption this good you need a password to match or it's a waste.

b) You won't get a satisfactorily secure key without a password this length

??

Cynically, I'd always thought that it was:

c) Some corporate security policies require that a password is X characters long, and so in order to be accepted into such a corporation, the BB needs to support this policy.

(the serious answer, I suppose, is that it's not going to take some miscreant long to work out what characters someone's typing to unlock a device if they see them typing those characters a lot)

I don't know for sure, but I'd assume a mix of both. As stated in the RIM text above, part of the CP process requires creating a 256 bit AES key from the password.
The text also says the stronger the level of CP, the longer the password should be.

My assumption is that if you are using a short password, the device will pad the password length to a required length. Padding does not enhance security, as it leaves less "real" data to be cracked.

I might be wrong tho. Just a guess.

CP = Headache

Just my 2 cents... Activations take longer, and sometimes fail... wipes take longer (2+ hrs) etc...

However, without it I don't see what's to stop someone stealing your Blackberry, plugging it into a machine, then having access to the raw data files. I'd have thought that if you have sensitive information on your Blackberry (such as the kind your COS is sending by e-mail) then CP is simply a must.