BlackBerry Forums Support Community               

Old 01-03-2007, 07:35 PM   #1 (permalink)
New Member
 
Join Date: Dec 2006
Model: 8703e
Carrier: Sprint
Posts: 9
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default Third party downloads versus software configuration deny policy


Hello - question about security policies and application deployment please:

In our IT policy, we have "disallow third party application downloads" set to true. In addition, our software configuration has a default application policy called "Deny Policy" with its disposition set to disallowed. From what I can tell, the software config policy will remove any applications which have not been specifically allowed, or "whitelisted". This seems to work and has removed apps correctly.

The problem is that I found that if third party downloads were not allowed, I was not able to deploy the Google Maps application. Once I allowed third party downloads, the deployment was successful.

My question is, does allowing third party downloads present a significant security risk? I will still have the "deny" software config in place. I assume that if a user were to download anything, the software config policy would immediately remove it. Is this accurate or am I introducing a security risk?

Thank you.
Offline  
Old 01-04-2007, 02:51 PM   #2 (permalink)
Knows Where the Search Button Is
 
nocerini's Avatar
 
Join Date: May 2005
Location: Rochester Hills, MI
Model: 8703e
Carrier: Sprint
Posts: 23
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Not only is it a security risk, but it has the potential to become a support nightmare.

At least with the implementation that I support, (1200+ and growing rapidly), allowing users to download their own applications, especially when they aren't technically savvy to begin with, is just asking for trouble.

In case of trouble, our users' first contact is supposed to be with our Help Desk, which will attempt to resolve the problem, or route it to the appropriate department. If there are unknown, untested applications that reside on the BlackBerry handheld, these could complicate the support process, especially if the user has become "dependent" upon a particular unknown, untested, unsupported app.

As far as the security risk, Wired Magazine ran an article over the summer regarding an application known as BBProxy. This was a proof of concept created by a hacker that could be loaded on the BlackBerry handheld, and would exploit the trusted connection between the handheld and the BES to attack either the BES, or the network of the company that runs it.

A way around this is to use the BES to wirelessly load tested and approved handheld applications for your deployment. Look around on the RIM web site for information and a demonstration. This will override any security settings preventing third party downloads directly to the handheld.

I hope this provides some additional food for thought to your question.
Offline  
Old 01-04-2007, 03:00 PM   #3 (permalink)
New Member
 
Join Date: Dec 2006
Model: 8703e
Carrier: Sprint
Posts: 9
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Thanks for your comments. I agree that it would be a big risk, if I didn't have the software configuration policies configured like I do. This isn't the way it works at our Co., but say a user brings in his own BB with tons of apps on it. Once we assign our software configuration policy to that device, the policy will remove all applications that we have not specifically whitelisted.

I think I would be ok allowing the downloads, because the software config would eventually remove anything they brought down. However, I suppose there could be an interval there where they could have something installed and it could be a bit of time before the software config forces the removal.

Just an FYI - I continued testing after my post yesterday. The good and bad news is that I was finally able to deploy Google Maps to all my handhelds, IF I had allowed third party downloads. The good news is that once the application is installed, I can go back to prohibiting third party downloads. A little bit of monkeying around, but that's what I'll be doing going forward. Luckily, I only have 50 devices, and not 1200+
Offline  
Old 01-11-2007, 01:45 PM   #4 (permalink)
Knows Where the Search Button Is
 
Join Date: Aug 2005
Model: 9700
Carrier: T-Mobile
Posts: 29
Post Thanks: 0
Thanked 2 Times in 1 Post
Default

Quote:
Originally Posted by nocerini
At least with the implementation that I support, (1200+ and growing rapidly), allowing users to download their own applications, especially when they aren't technically savvy to begin with, is just asking for trouble.

A way around this is to use the BES to wirelessly load tested and approved handheld applications for your deployment. Look around on the RIM web site for information and a demonstration. This will override any security settings preventing third party downloads directly to the handheld.
Do you have a link about this?

AFAIK, the only way to restrict BlackBerry devices to approved 3rd party apps is to "allow third party downloads" but use whitelisting. This never seemed like a great solution since I have no control over what are BlackBerry signed apps so I'd love to hear a better way to do it.
Offline  
Old 01-11-2007, 01:57 PM   #5 (permalink)
CrackBerry Addict
 
ladydi's Avatar
 
Join Date: Jun 2005
Location: Washington
Model: 8800
Carrier: T-mobile
Posts: 848
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Why not have a separate policy that allows the 3rd party apps, temporarily add the users long enough to push the app out then add them back to the usual policy?
__________________
~Di~
Windows 2003
Exchange 2003
BES 4.1
Offline  
Old 01-11-2007, 03:43 PM   #6 (permalink)
Knows Where the Search Button Is
 
Join Date: Aug 2005
Model: 9700
Carrier: T-Mobile
Posts: 29
Post Thanks: 0
Thanked 2 Times in 1 Post
Default

Quote:
Originally Posted by ladydi
Why not have a separate policy that allows the 3rd party apps, temporarily add the users long enough to push the app out then add them back to the usual policy?
That shouldn't be the right way to do it. It could take up to four hours for a software push. And that depends on all the BlackBerry handhelds being powered on and within reception to get the push. Plus, it adds steps to deploying new BlackBerry handhelds. It could certainly work but there has to be a more efficient way.
Offline  

Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.