BlackBerry Forums Support Community               

Closed Thread
 
LinkBack Thread Tools
Old 09-10-2007, 01:10 PM   #1 (permalink)
Thumbs Must Hurt
 
Join Date: Jan 2007
Model: 7100i
Carrier: Nextel
Posts: 64
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default How many of you actually implement security on your corporate Blackberries?

Please Login to Remove!

What I mean by security?
  • Known procedures or steps taken when a Blackberry is reported misplaced or stolen (i.e., misplaced = Blackberry is recoverable, stolen = Blackberry is not recoverable).
  • BES policy that enforces use of a password on Blackberries.

    Or, do you not use a BES policy, but instead use a corporate policy (i.e., you leave it up to the user to set a password on their device and they are the ones responsible for the data on it).
  • What do you do when a user decides to incorrectly type in their password 10 times (for whatever reason), wiping their handheld, and they are at a remote location?

    I guess you'd re-activate the Blackberry wirelessly ... but just wondering, cause we use Lotus Notes, and a user's address book is local on their PC, we currently have them trained to synch. up their address book by using desktop manager and usb cable. (I know it can be done wirelessly but most haven't been trained to do so).
  • What about a user who forgot their password and they are in a remote location with NO wireless coverage? What do you do you here? Do you pretty much inform that they are SOL? You can't really do that with execs, officers, or higher ups.

    Or, do you inform from the get go, if you are in a non-coverage location and forget your password, we can not reset your password.
  • Speaking of reseting Blackberry passwords, how do you confirm that who's calling in to reset their password, is who they say they are?

Just want to hear how others implement security in their environment.

Last edited by BlueBerry2007 : 09-11-2007 at 02:18 PM.
Offline  
Old 09-10-2007, 01:13 PM   #2 (permalink)
BBF Moderator
 
John Clark's Avatar
 
Join Date: Jun 2005
Model: Z30
OS: 10.2.1.x
PIN: s & needles
Carrier: AT&T
Posts: 34,667
Post Thanks: 1
Thanked 84 Times in 65 Posts
Default

Moved to the BES Admin Corner.
Offline  
Old 09-10-2007, 01:17 PM   #3 (permalink)
x14
BlackBerry Extraordinaire
 
Join Date: Jul 2005
Location: NYC
Model: 9800
OS: 6.0.0.546
Carrier: AT&T
Posts: 2,344
Post Thanks: 0
Thanked 17 Times in 16 Posts
Default

I would say 99% of BES Admins here have.
__________________
Exchange 2007/BES 5.0.2 MR2
Offline  
Old 09-10-2007, 01:26 PM   #4 (permalink)
iPhone Convert
 
juwaack68's Avatar
 
Join Date: Oct 2005
Location: Tulip City - MI
Model: iP5
OS: 6.0.2
PIN: to beans
Carrier: I'm not
Posts: 13,875
Post Thanks: 3
Thanked 72 Times in 55 Posts
Default

Quote:
Originally Posted by BlueBerry2007 View Post
Known procedures or steps taken when a Blackberry is reported misplaced or stolen (i.e., misplaced = Blackberry is recoverable, stolen = Blackberry is not recoverable).
The steps are pretty much the same in either instance:
- Issue 'Kill' command from BES
- Contact carrier to disable cell number

If stolen we will also order another device right away. If misplaced, we will wait a day or 2, unless it's an impatient VP

Quote:
Originally Posted by BlueBerry2007 View Post
BES policy that enforces use of a password on Blackberries.

Or, do you not use a BES policy, but instead use a corporate policy (i.e., you leave it up to the user to set a password on their device and they are the ones responsible for the data on it).
We enforce a password - mimimum of 6 characters with 1 letter and 1 digit.

Quote:
Originally Posted by BlueBerry2007 View Post
What do you do when a user decides to incorrectly type in their password 10 times (for whatever reason), wiping their handheld, and they are at a remote location?

I guess you'd re-activate the Blackberry wirelessly ... but just wondering, cause unfortunately for us, we use Lotus Notes, and a user's address book is local on their PC, we currently have them trained to synch. up their address book by using desktop manager and usb cable. (I know it can be done wirelessly but most haven't been trained to do so).
After we get done shaking our heads, we help the user complete a new Enterprise Activation (we use Exchange). We do not train them to do any wired activations, Lord knows what else they would break.

Quote:
Originally Posted by BlueBerry2007 View Post
What about a user who forgot their password and they are in a remote location with NO wireless coverage? What do you do here? Do you pretty much inform that they are SOL? You can't do that with execs, officers, or higher ups.

Or, do you inform from the get go, if you are in a non-coverage location and forget your password, we can not reset your password.
Pretty much SOL. Even execs and higher ups.

Quote:
Originally Posted by BlueBerry2007 View Post
Speaking of reseting Blackberry passwords, how do you confirm that who's calling in to reset their password, is who they say they are?
Our Helpdesk does the majority of resets and they ask for the person network userID (which is then entered into our Remedy software and returns the persons name). When people call me directly, I know most of them by their voice so I don't bother asking for any other identification.
__________________
No longer a BES Admin, but it was fun while it lasted!

Last edited by juwaack68 : 09-10-2007 at 01:29 PM.
Offline  
Old 09-10-2007, 01:36 PM   #5 (permalink)
CrackBerry Addict
 
ladydi's Avatar
 
Join Date: Jun 2005
Location: Washington
Model: 8800
Carrier: T-mobile
Posts: 848
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Step 1: use Exchange Everything syncs OTA without hassle.

x14 is probably correct. Here, we enforce 8 character alpha numeric passwords with a 20 minute timeout (no locking on holstering) and they get 5 tries before the device wipes. If they do wipe it and they are not on site, I walk them through re-activating over the phone. It hasn't been a problem.

Now that I have all of my users on 4.2 handheld software, we have a policy that says if the BB hasn't received IT policy in 12 days, the BB wipes itself. This was done in response to a user wholost their BB, but didn't report it lost for 5 days - long after the battery had died.

If someone forgets their password in a no coverage area, they ARE SOL. no ifs ands or buts. We support the technology, we do not have the ability to bend it to our will and create cell towers because some exec has forgotten their password at their country house. I inform them that they are responsible for remembering their password and being prepared for being inn an area with no coverage. there is literally nothing we can do. they will have to go where there is service.

As for user verification, I currently have a small enough number of users that I know them all by voice, but when I worked in a larger environment, we used to verify by the last 4 of their SSN before resetting their password.
__________________
~Di~
Windows 2003
Exchange 2003
BES 4.1
Offline  
Old 09-10-2007, 02:11 PM   #6 (permalink)
Thumbs Must Hurt
 
Join Date: Jan 2007
Model: 7100i
Carrier: Nextel
Posts: 64
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Now that I have all of my users on 4.2 handheld software, we have a policy that says if the BB hasn't received IT policy in 12 days, the BB wipes itself. This was done in response to a user wholost their BB, but didn't report it lost for 5 days - long after the battery had died..
Do handhelds have to be at least 4.0 software for remote lock and wipe to work? Some of our devices are still on 3.7 software.

Regarding the 12 day policy, if I understand correctly, since the BB has the policy already downloaded or applied on itself, whenever the BB gets powered back on, it will wipe itself, don't even need wireless signal?

Quote:
As for user verification, I currently have a small enough number of users that I know them all by voice, but when I worked in a larger environment, we used to verify by the last 4 of their SSN before resetting their password.
Some I know by voice also, it's just the what if part, we have about 150 Blackberry users.

I've been google'ing the internet I found one site implements a question and answer method. They must know the answer to a question they previously chosen to have their password reset. And the help desk doesn't even tell them what the reset password is. They will say something likes it's the last four digits of your social security.
Offline  
Old 09-10-2007, 02:16 PM   #7 (permalink)
BlackBerry God
 
penguin3107's Avatar
 
Join Date: Jan 2005
Model: iOS 5
Carrier: VZW
Posts: 11,701
Post Thanks: 1
Thanked 237 Times in 219 Posts
Default

Quote:
Originally Posted by BlueBerry2007 View Post
And the help desk doesn't even tell them what the reset password is. They will say something likes it's the last four digits of your social security.
In addition to being the BES admin for my company, I'm also the head of the helpdesk team.
If any of my helpdesk team had access to another employee's social security number... even just the last 4 digits... that would be an absolute nightmare.

There is no way on earth that anyone other than your HR/Payroll department should have access to any part of another employee's SSN.
__________________
BCSA
BES 5.0.3 MR4 :-: Exchange 2007 SP3 RU3
http://port3101.org
Offline  
Old 09-10-2007, 02:19 PM   #8 (permalink)
Thumbs Must Hurt
 
Join Date: Jan 2007
Model: 7100i
Carrier: Nextel
Posts: 64
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Thanks for confirming my thoughts on resetting password when user's BB has no wireless coverage ... can't be done.

I don't believe we currently have password policy in place.

So, if we were to implement a password policy, we'll need to convey this to users (including higher ups) in a nice professional to the point manner, that we cannot reset your password if you are in a no coverage location. And the reason we have a password policy in place is to protect corporate data.

Last edited by BlueBerry2007 : 09-11-2007 at 02:20 PM.
Offline  
Old 09-10-2007, 02:23 PM   #9 (permalink)
Thumbs Must Hurt
 
Join Date: Jan 2007
Model: 7100i
Carrier: Nextel
Posts: 64
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default How do you verify messages were successfully sent?

How do you verify messages to lock or wipe the handheld were successfully sent?

I'm not a BES Admin, but I do have Blackberry Manager installed on my computer and have done remote reset password and wipe.

I found the following on the internet, but when I search for the log file or keywords nothing could up. I'm thinking this log file might actually be on the BES server. And I don't have access to the BES server.

-------------------------------------------------------

Verify messages to lock or wipe the handheld was successfully sent.

To verify that the Erase Data and Disable Handheld command has been sent and received, review the POLC log file. By default, the POLC log file is located in C:\Program Files\Research In Motion\BlackBerry Enterprise Server\Logs\<date>.

Lines similar to the following are displayed in the POLC log file:
[40000] (10/03 13:00:52):{0x974}{<user_name>@<domain>,PIN=XXXXXXX X, UserID=1}SCS::PollDBQueueNewRequests - Queuing KILL_DEVICE_REQUEST request

The above line indicates when the command was first sent, and that the command is being queued for the user.
[40000] (10/03 13:01:15):{0x960} {<user_name>@<domain>, PIN=XXXXXXXX, UserId=1}RequestHandler::HandleITADMINDataCommand - ITPolicy Success Ack for the command KILL_HANDHELD_COMMAND - Processing packet, Tag=23980295

The above line indicates when the BlackBerry device received the command, and that it sent a confirmation of the receipt.
Note: To search using a string in the log file, search for ITPolicy Success Ack for the command KILL_HANDHELD_COMMAND. Once it is located, you can verify the user associated with the command. Search for this string when the device does not meet the requirements to receive the command when it is first sent.

Additional Information

To configure logging levels, complete the following steps:
In the BlackBerry Server Configuration tool, click the Logging tab.
Select BlackBerry Policy Service and set the Debug Log Level to 4.
Click Apply, then click OK.
Offline  
Old 09-10-2007, 02:29 PM   #10 (permalink)
CrackBerry Addict
 
ladydi's Avatar
 
Join Date: Jun 2005
Location: Washington
Model: 8800
Carrier: T-mobile
Posts: 848
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

yes, this is the policy log on the BES.

I do believe that you should be able to send a wipe command to 3.7 devices. I didn't find any confirmation of this on RIM's site and it has been a long time since I used a 3.7 device, but it should work.

as for the wipe after 12 days of no policy recieved, yes it will wipe even if it doesn't have a signal because the command is in the IT policy that was pushed to the device and as soon as the device boots up and realizes it hasn't had a policy refresh for more than 12 days, it will initiate the wipe.
__________________
~Di~
Windows 2003
Exchange 2003
BES 4.1
Offline  
Old 09-10-2007, 02:29 PM   #11 (permalink)
Thumbs Must Hurt
 
Join Date: Jan 2007
Model: 7100i
Carrier: Nextel
Posts: 64
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

I agree no other personnel should have access to social security numbers, even last 4 digits (which could be used to access credit card accounts).

The response may have also been, it's your mother's maiden name or your badge id number, or your home phone number, etc. ... something that only they would know and helpdesk would have records for.


Thanks for input on implementing. A lot of great ideas.

Quote:
Originally Posted by penguin3107 View Post
In addition to being the BES admin for my company, I'm also the head of the helpdesk team.
If any of my helpdesk team had access to another employee's social security number... even just the last 4 digits... that would be an absolute nightmare.

There is no way on earth that anyone other than your HR/Payroll department should have access to any part of another employee's SSN.
Offline  
Old 09-10-2007, 02:32 PM   #12 (permalink)
BlackBerry Extraordinaire
 
Frank Castle's Avatar
 
Join Date: Jul 2005
Location: MA
Model: 9930
PIN: PM Me!
Carrier: VZW
Posts: 1,073
Post Thanks: 0
Thanked 4 Times in 3 Posts
Default

We have terms of usage for Blackberry that aligns with our compliance, states a password is required, usage is tracked, if stolen it needs to be reported etc.

Password is 6, attempts 10 before wipe
looking to implement miniSD encryption next likely matching the password and disable USB mass storage mode (maybe)

Now that we've been on 4.1 it's much easier just issuing another Enterprise Activation. Help Desk manages all these calls and I'm unsure about their security but I would assume they ask the caller to verify their domain ID at a minimum.

Out of coverage - not much to be done .. call back when you have coverage.
Offline  
Old 09-10-2007, 02:33 PM   #13 (permalink)
Thumbs Must Hurt
 
Join Date: Jan 2007
Model: 7100i
Carrier: Nextel
Posts: 64
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

It'll be good for us to know. I can test this out, when I get a chance, and I'll report back.

Quote:
Originally Posted by ladydi View Post
yes, this is the policy log on the BES.

I do believe that you should be able to send a wipe command to 3.7 devices. I didn't find any confirmation of this on RIM's site and it has been a long time since I used a 3.7 device, but it should work.

as for the wipe after 12 days of no policy recieved, yes it will wipe even if it doesn't have a signal because the command is in the IT policy that was pushed to the device and as soon as the device boots up and realizes it hasn't had a policy refresh for more than 12 days, it will initiate the wipe.
Offline  
Old 09-10-2007, 02:37 PM   #14 (permalink)
Thumbs Must Hurt
 
Join Date: Jan 2007
Model: 7100i
Carrier: Nextel
Posts: 64
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
yes, this is the policy log on the BES.
I'll have to see if our server folks will allow us view access to the logs.

We our mainly end user Blackberry support, but can do BES stuff, but no access to BES server.

Last edited by BlueBerry2007 : 09-11-2007 at 01:05 PM.
Offline  
Old 09-10-2007, 02:40 PM   #15 (permalink)
CrackBerry Addict
 
ladydi's Avatar
 
Join Date: Jun 2005
Location: Washington
Model: 8800
Carrier: T-mobile
Posts: 848
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by penguin3107 View Post
In addition to being the BES admin for my company, I'm also the head of the helpdesk team.
If any of my helpdesk team had access to another employee's social security number... even just the last 4 digits... that would be an absolute nightmare.

There is no way on earth that anyone other than your HR/Payroll department should have access to any part of another employee's SSN.
I didn't say it was a good method. Its just what they do there. Personally, I don't put much stock in SSN's anymore. They are pretty easy to get. If they weren't, identity theft would be such a problem.

the security question method could work, but people will get frustrated when they can't remember the answer to that either. I guess I don't have any good suggestions as to how to securely identify someone over the phone - I will just thank my lucky stars that I know all my users.
__________________
~Di~
Windows 2003
Exchange 2003
BES 4.1
Offline  
Old 09-10-2007, 02:42 PM   #16 (permalink)
CrackBerry Addict
 
ladydi's Avatar
 
Join Date: Jun 2005
Location: Washington
Model: 8800
Carrier: T-mobile
Posts: 848
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by BlueBerry2007 View Post
I'll have to see if our server folks will allow us view access to the logs.

We our mainly end user Blackberry support, but can do BES stuff, but no access to BES server.



It'll be good for us to know. I can test this out, when I get a chance, and I'll report back.
what version of BES are you running? because I thought all devices had to be at 4.0 or higher to be on a 4.0 or higher BES. I distinctly remember upgrading all my BB's when I upgraded our BES to 4.0.
__________________
~Di~
Windows 2003
Exchange 2003
BES 4.1
Offline  
Old 09-10-2007, 02:59 PM   #17 (permalink)
Thumbs Must Hurt
 
Join Date: Jan 2007
Model: 7100i
Carrier: Nextel
Posts: 64
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default Do you delete user from the BES?

User reports their BB stolen. Do you delete (or disable) user in the BES?

Or, just remotely wipe and call service provider to suspend account and deactivate sim card.

I guess "disable" use to be in older version of the BES server. And whenver user reported lost or stolen BB, their account was disabled in BES server.

We are currently at 4.x and "disable" is no longer there.
Offline  
Old 09-10-2007, 03:06 PM   #18 (permalink)
CrackBerry Addict
 
ladydi's Avatar
 
Join Date: Jun 2005
Location: Washington
Model: 8800
Carrier: T-mobile
Posts: 848
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by BlueBerry2007 View Post
User reports their BB stolen. Do you delete (or disable) user in the BES?

Or, just remotely wipe and call service provider to suspend account and deactivate sim card.

I guess "disable" use to be in older version of the BES server. And whenver user reported lost or stolen BB, their account was disabled in BES server.

We are currently at 4.x and "disable" is no longer there.
We just send a wipe command then call the provider to have the number suspended. We don't delete the user because they get another BB - usually within a few days.
__________________
~Di~
Windows 2003
Exchange 2003
BES 4.1
Offline  
Old 09-10-2007, 04:03 PM   #19 (permalink)
Thumbs Must Hurt
 
Join Date: Jan 2007
Model: 7100i
Carrier: Nextel
Posts: 64
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

We're on 4.x BES server ... I think 4.1

We have users with handheld 3.7 on our BES and their emails synch up wirelessly. I've unoticed though that 3.7 doesn't display all of it's information in the Blackberry Manager. And their a pain to activate--settings (like wireless sync) does not show up consistently, something has to happen before it does, and I dont' know what that is. Once I upgrade these to 4.x handheld software, activation is a charm and works like it's suppose to.

Quote:
Originally Posted by ladydi View Post
what version of BES are you running? because I thought all devices had to be at 4.0 or higher to be on a 4.0 or higher BES. I distinctly remember upgrading all my BB's when I upgraded our BES to 4.0.

Last edited by BlueBerry2007 : 09-10-2007 at 04:04 PM.
Offline  
Old 09-10-2007, 04:03 PM   #20 (permalink)
Thumbs Must Hurt
 
Join Date: Mar 2005
Model: Torch
Carrier: ATT
Posts: 179
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default encryption enabled

Slightly off topic from what I've read but after enforcing encryption (content protection), you can no longer reset passwords.

Anyone here enforcing content protection? Any gotchyas? Other than losing the password reset capability, I've noticed entering in the device unlock password on the model 7290 must be done at a much slower pace or the device starts clocking.

tks
Mark
Offline  
Closed Thread


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On





Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.