BlackBerry Forums Support Community               

04-11-2005, 08:43 PM   #1
Thumbs Must Hurt
 
 
Join Date: Apr 2005
Location: Fort Worth, TX
Model: 8310
PIN: 243b354f
Carrier: AT&T
Posts: 148
Post Thanks: 0
Thanked 0 Times in 0 Posts
Several BES 3.6 Policy Questions

Good evening to all. Our company is considering the implementation of several security changes. I am not the BES Admin for our company but what I'd like to do is have a bit of feedback from the group before I talk to the security group...

1. Currently we have about 130 devices and are about to add quite a few more. Would it be possible to set up a policy for just about 8 of us (not all users) so we can test the effects of any changes we are considering?

2. My understanding is a password policy for all BlackBerry devices can be forced down. What would this look like to existing users who have been using their devices without security policies? What would happen to users who currently have passwords set up on their device?

3. We would like to have all devices have the same Owner and Information details without the ability for them to modify this information. Could this information be pushed from the BES and then secured so it cannot be modified?

4. Would any security policies require an outage from the BES?

5. Can the number of password attempts be changed from the default of 10? What happens to the device once it wipes itself (heh)? Can it be reconfigured?

6. What is Content Protection under the Security options?

7. We've been advised by our service provider all devices will be able to make phone calls, even if they will only be used for data. Is there a way to lock these phone calls to emergency calls only (such as 911)? What is Call Barring (under the Phone options), and why won't mine activate?

8. Is the security policy only installed at the time the device is connected to the workstation or can this be maintained through the BES? Would this require an upgrade to BES 4.0?

9. What are the security risks of PIN to PIN communications?

10. Can the users be restricted from installing new software to the device? What happens to software already installed before the push? Is there a way to monitor or inventory what software is installed on each device? What if we want to install software globally to all devices - would this still be possible to restrict only the software we want?

11. In what ways can the devices' activity and usage be monitored?

As I typed this I realized I had more questions than I expected. If anyone can shed some light on any of the above questions, I would be greatly appreciative.

Thanks to all.

TGRAY

Last edited by tgray : 04-11-2005 at 08:59 PM.
04-11-2005, 09:21 PM   #2
BlackBerry God
 
 
Join Date: Oct 2004
Location: Jibi's Secret Place
Model: 8900
OS: 4.6.1.174
Carrier: AT&T
Posts: 11,310
Post Thanks: 0
Thanked 1 Time in 1 Post

Quote:
Originally Posted by tgray
1. Currently we have about 130 devices and are about to add quite a few more. Would it be possible to set up a policy for just about 8 of us (not all users) so we can test the effects of any changes we are considering?
You can create more than one policy (actually, you should leave the default as is and just create new ones for testing and implementation). Once you have created a new policy, you can add users to it.

Quote:
Originally Posted by tgray
2. My understanding is a password policy for all BlackBerry devices can be forced down. What would this look like to existing users who have been using their devices without security policies? What would happen to users who currently have passwords set up on their device?
Have you ever had a password policy implemented, let's say, within AD or perhaps a door code machine put in at work prior to your entering the building? Or maybe they upped the price for a Coca-Cola in the soda machine? I think you get my point - change is never good, but people learn to adapt, especially when they have no choice (just be wary of the C/V/D executives, even though they are the ones who SHOULD have passwords implemented first).

As for existing users, it will only affect them if their password does not meet the minimum requirements set by the policy. Let's say that if they had a 4-character password set up and you all made it 5 characters. Or if they had a timeout period of 5 minutes and you implemented 30 seconds.

Either way, I would send an email letting everyone know of the upcoming changes LONG BEFORE you actually implement said changes.

Also, if you happen to belong to a publicly traded company in the United States, then it's everyone's best advice to implement fairly strict security policies across the board, down to the handhelds (just for potential scrutiny of SOX compliancy).

Quote:
Originally Posted by tgray
3. We would like to have all devices have the same Owner and Information details without the ability for them to modify this information. Could this information be pushed from the BES and then secured so it cannot be modified?
I do not see where you can set this in one of the default policies.

Quote:
Originally Posted by tgray
4. Would any security policies require an outage from the BES?
No.

Quote:
Originally Posted by tgray
5. Can the number of password attempts be changed from the default of 10? What happens to the device once it wipes itself (heh)? Can it be reconfigured?
10 is the highest number allowed by IT Policy (3-10) in BES 3.6. After it wipes the handheld, it can be restored to its former state from backup (assuming the user backed up info). If they did not complete a backup, then they're SOL (in my opinion).

Quote:
Originally Posted by tgray
6. What is Content Protection under the Security options?
Local encryption of ALL data on the handheld. Nifty little feature.

Quote:
Originally Posted by tgray
7. We've been advised by our service provider all devices will be able to make phone calls, even if they will only be used for data. Is there a way to lock these phone calls to emergency calls only (such as 911)? What is Call Barring (under the Phone options), and why won't mine activate?
'Allow Phone' can be set to FALSE on the BES as a Policy.

Call Barring is disallowing certain types of calls. Most likely your provider does not allow setting this option by individuals (you will probably have to call them). It's similar to disallowing 900 numbers to be dialed from your home (hey, my mom did that to me when I was younger... hehe).

Quote:
Originally Posted by tgray
8. Is the security policy only installed at the time the device is connected to the workstation or can this be maintained through the BES? Would this require an upgrade to BES 4.0?
Policy is pushed OTA - in 3.6 and 4.0 - but only after the handheld is activated on the BES (i.e., they must cradle and/or enterprise activate at least once).

Quote:
Originally Posted by tgray
9. What are the security risks of PIN to PIN communications?
The same as allowing just about any other form of communication - leakage of information. If you are not worried about that, then I'd say there would not be much risk involved. You may want to search PIN and/or Peer on this forum for a bit more information, though.

Quote:
Originally Posted by tgray
10. Can the users be restricted from installing new software to the device? What happens to software already installed before the push? Is there a way to monitor or inventory what software is installed on each device? What if we want to install software globally to all devices - would this still be possible to restrict only the software we want?
Yes. You can disable OTA downloads, as well as cripple/remove Application Loader from the Desktop Manager. You can basically disable user-initiated application loads from two directions.

Software that was loaded prior to the IT Policy push will stay on the handheld, I believe.

I'm not sure that OTA software pushes were available with 3.6. That option is available for 4.0, though.

Quote:
Originally Posted by tgray
11. In what ways can the devices' activity and usage be monitored?
The log files show quite a bit of information, although probably nothing that you would be looking for, to be honest. In 3.6, you are pretty limited by way of administration and monitoring.
__________________
In the beginning the Universe was created. This has made a lot of people very angry and is widely regarded as a bad move.
Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.