BlackBerry Forums Support Community
              

Old 12-15-2008, 02:52 PM   #1
icontech
Thumbs Must Hurt
 
Join Date: Apr 2007
Model: 9700
Carrier: AT&T
Posts: 155
Default Implementing a password policy

Hello Everyone,
Our company is going to set up a password policy on all our devices. Just wondering if anyone had any suggestions for pushing this policy out smoothly - we have about 650 users total on 1 BES server.

Also, how do you handle new activations in regard to the policy? My first thought is we would create the account, activate the device, then push the policy down for the user to set up a password. Typically our Telecom department receives a new device and does the activation, then hands it off to the user.

Thanks for any help.
Old 12-15-2008, 03:02 PM   #2
e_brown
Knows Where the Search Button Is
 
Join Date: Mar 2007
Location: PA
Model: 8830
Carrier: Sprint
Posts: 18
Default

What version of BES?
Old 12-15-2008, 03:25 PM   #3
DarthBBerry
Wireless Sith Lord
 
Join Date: Jan 2007
Location: Online
Model: iOS 6
Carrier: Verizon x2
Posts: 1,458
Default

Quote:
Originally Posted by icontech
Hello Everyone,
Our company is going to set up a password policy on all our devices. Just wondering if anyone had any suggestions for pushing this policy out smoothly - we have about 650 users total on 1 BES server.

Also, how do you handle new activations in regard to the policy? My first thought is we would create the account, activate the device, then push the policy down for the user to set up a password. Typically our Telecom department receives a new device and does the activation, then hands it off to the user.

Thanks for any help.
Exactly how I do it. I get the device, set it up with OTA activation, make sure everything is set the way it needs to be... then power it off. THEN I change the policy to the Security Policy and resend the IT Policy to the device. When they power it on for the first time, the Policy will hit and they will need to set a password.
__________________
DarthBBerry
6-Time BlackBerry World Champion (2007-2012)
BlackBerry® Certified Support Specialist v5.0
BlackBerry® Certified System Administrator v5.0
Old 12-16-2008, 08:42 AM   #4
icontech
Thumbs Must Hurt
 
Join Date: Apr 2007
Model: 9700
Carrier: AT&T
Posts: 155
Default

Quote:
Originally Posted by e_brown
What version of BES?
4.1.6 MR2
Old 12-16-2008, 09:42 AM   #5
misterbulldog
Thumbs Must Hurt
 
Join Date: Feb 2006
Location: D.C Metro Area
Model: 9630
OS: 5.0.0.975
Carrier: Verizon
Posts: 164
Default

The best way to update the users already on the BES is to send them a message in advance with all of the details and explain how they can create their password prior to the push, so that if they have any questions beforehand, that will cut down on the number of calls to the helpdesk after you push the policy. Send them another message a few days before the update as a reminder. I had 500 users and sent it to all devices at one time. I did it early in the morning so most users wouldn't get the update while they were typing on their device.

For new users, I used to activate the device while it was in the Default policy, test send/receive, then put them in the password policy.

Also consider adding Content Protection to the device.
Old 12-16-2008, 09:46 AM   #6
Frank Castle
BlackBerry Extraordinaire
 
Join Date: Jul 2005
Location: MA
Model: 9930
PIN: PM Me!
Carrier: VZW
Posts: 1,073
Default

I would model your BlackBerry policy as closely as you can on your desktop one (if you have one). Most large companies have some guidelines on the desktop side and you can piggyback on top of that.

Hopefully you have support from your Information Security / Compliance group so if you have any annoyed users you can direct them to said policies vs. taking the brunt of their frustration.
Old 12-23-2008, 09:08 AM   #7
BBFlunkie
Thumbs Must Hurt
 
Join Date: May 2007
Location: Columbus, OH
Model: 9000
PIN: N/A
Carrier: AT&T
Posts: 62
Default

DarthBBerry's method works well. I do the same thing for Executives. Everyone else gets the New Password prompt when the device is WEA deployed. New accounts are assigned the correct IT policy before deployment.
We use maximum 1 hour, minimum 4 characters.
Old 12-24-2008, 04:02 AM   #8
Rich Y
Knows Where the Search Button Is
 
Join Date: Sep 2006
Model: 8100
Carrier: Vodafone
Posts: 26
Default

think CESG!!
Old 12-26-2008, 01:20 PM   #9
WMedley
Thumbs Must Hurt
 
Join Date: Feb 2005
Location: Boston, MA
Model: 9530
OS: 4.0.7.114
Carrier: Verizon
Posts: 126
Default

You need to watch out for the keystore password; there is an issue where if you set a policy to require a device password and the length requirement is longer than the keystore password set, it makes the user enter the keystore password and change it to match the length requirement. If they do not know the keystore password and type it wrong 10 times, it WILL wipe the device. There currently does not appear to be a method of removing the keystore password unless you already know what it is set to.

I have the same issue with my company. We have a new security policy for passwords and encryption on all devices, and during our testing phase found this issue. RIM has a technote stating they know about this issue, but do not have a timeframe for a fix.
__________________
William Medley
Messaging Engineer
IBM/Lotus Collaboration Technologies
Old 12-26-2008, 04:27 PM   #10
silver_2000
Thumbs Must Hurt
 
Join Date: Mar 2006
Model: 8820
Carrier: ATT
Posts: 85
Default

I would recommend AGAINST matching your BB password policy/complexity to your desktop policy/complexity.

The BB is nearly immune from a brute force attack or dictionary attack on the device - if you get the password wrong 10 times in ANY time frame the device gets wiped - setting an 8+ character complex password is OVERKILL and it reduces the effectiveness of the device without increasing security.

my 0.02
Old 12-26-2008, 07:27 PM   #11
misterbulldog
Thumbs Must Hurt
 
Join Date: Feb 2006
Location: D.C Metro Area
Model: 9630
OS: 5.0.0.975
Carrier: Verizon
Posts: 164
Default

Quote:
Originally Posted by WMedley
You need to watch out for the keystore password; there is an issue where if you set a policy to require a device password and the length requirement is longer than the keystore password set, it makes the user enter the keystore password and change it to match the length requirement. If they do not know the keystore password and type it wrong 10 times, it WILL wipe the device. There currently does not appear to be a method of removing the keystore password unless you already know what it is set to.

I have the same issue with my company. We have a new security policy for passwords and encryption on all devices, and during our testing phase found this issue. RIM has a technote stating they know about this issue, but do not have a timeframe for a fix.
We had an issue where the user is prompted for a Key Store password after the password policy is pushed to the device. If the user removes the battery and then re-adds the battery, they will not see another prompt for a key store password. Our password was only 6 characters in length.
__________________
BlackBerry® Certified Systems Administrator
Old 01-06-2009, 03:36 PM   #12
Brownblue
New Member
 
Join Date: Jan 2009
Model: 8330
PIN: N/A
Carrier: AT&T
Posts: 4
Default

William, does the Keystore password issue pertain to alpha/numeric policy changes also? I am about to implement a password policy but I am concerned about people who may have set up Keystore passwords when prompted to do so and have no idea what that password may be.
Old 01-06-2009, 04:06 PM   #13
WMedley
Thumbs Must Hurt
 
Join Date: Feb 2005
Location: Boston, MA
Model: 9530
OS: 4.0.7.114
Carrier: Verizon
Posts: 126
Default

Not in the testing that I have done; it only pertains to the password length. The complexity of the password is not an issue; it is only if the keystore password is shorter than your required length.
__________________
William Medley
Messaging Engineer
IBM/Lotus Collaboration Technologies
Old 01-06-2009, 04:24 PM   #14
Brownblue
New Member
 
Join Date: Jan 2009
Model: 8330
PIN: N/A
Carrier: AT&T
Posts: 4
Default

I tested this on my device and, unfortunately, I am being prompted for my keystore password when I change the policy to include characters not in the original keystore password. The message states "Your password will be validated against new IT Policy password requirements". I tried misterbulldog's suggestion of removing the battery; it seems to have circumvented the requirement, but I wonder what will happen next time the device tries to access the keystore?

Is there a way to change either the keystore password or the device password from the BES? Help on the BES indicates not to use the Set Password and Lock Handheld command to reset a password.

Thanks.
Old 01-06-2009, 04:31 PM   #15
WMedley
Thumbs Must Hurt
 
Join Date: Feb 2005
Location: Boston, MA
Model: 9530
OS: 4.0.7.114
Carrier: Verizon
Posts: 126
Default

No, there is no way to change or remove the keystore password from the BES server directly. The only way I have been able to get rid of a keystore password that is unknown is to let the device wipe and then re-activate, which in a large environment is not something that I would think anyone would want to do.
__________________
William Medley
Messaging Engineer
IBM/Lotus Collaboration Technologies
Old 01-06-2009, 04:32 PM   #16
WMedley
Thumbs Must Hurt
 
Join Date: Feb 2005
Location: Boston, MA
Model: 9530
OS: 4.0.7.114
Carrier: Verizon
Posts: 126
Default

The other issue with this is that any time you push a device password change, it will then prompt you for the keystore password again, so you would need to repeat the battery pull to get around it again.
__________________
William Medley
Messaging Engineer
IBM/Lotus Collaboration Technologies

Last edited by WMedley; 01-06-2009 at 04:37 PM..
Old 01-07-2009, 08:44 AM   #17
misterbulldog
Thumbs Must Hurt
 
Join Date: Feb 2006
Location: D.C Metro Area
Model: 9630
OS: 5.0.0.975
Carrier: Verizon
Posts: 164
Default

Quote:
Originally Posted by Brownblue
I tested this on my device and, unfortunately, I am being prompted for my keystore password when I change the policy to include characters not in the original keystore password. The message states "Your password will be validated against new IT Policy password requirements". I tried misterbulldog's suggestion of removing the battery; it seems to have circumvented the requirement, but I wonder what will happen next time the device tries to access the keystore?

Is there a way to change either the keystore password or the device password from the BES? Help on the BES indicates not to use the Set Password and Lock Handheld command to reset a password.

Thanks.
I'm curious as to why you set keystore passwords. Unless you are adding personal certificates to the keystore a password is not necessary.

As long as a user has not created a password for their keystore a battery pull will do the trick. They will not see the prompt again.
__________________
BlackBerry® Certified Systems Administrator
Old 01-09-2009, 09:26 AM   #18
Brownblue
New Member
 
Join Date: Jan 2009
Model: 8330
PIN: N/A
Carrier: AT&T
Posts: 4
Default

I was prompted to set up a keystore password on my BlackBerry. I don't remember specifically when, but I believe it was when I first pushed the IT policy requiring a security password.

When you say a battery pull will do the trick that implies that they will be prompted to enter a keystore password at some point. Does forcing a security password automatically try to get the user to create a keystore password also (I know from my first paragraph that this would appear to be the case but I want to be sure)?

Thanks.
Old 01-09-2009, 10:40 AM   #19
misterbulldog
Thumbs Must Hurt
 
Join Date: Feb 2006
Location: D.C Metro Area
Model: 9630
OS: 5.0.0.975
Carrier: Verizon
Posts: 164
Default

They may get the prompt for a keystore password but are not required to enter a keystore password (instruct them not to enter one if they get the prompt). If they receive the prompt, they should do the battery pull. When the device restarts they will not see the prompt again until either the password policy is changed or content protection is enabled. Either way, a battery pull should work. The only time they will be required to enter a keystore password is when S/MIME is enabled for use on the device.
__________________
BlackBerry® Certified Systems Administrator
Old 01-09-2009, 10:42 AM   #20
Brownblue
New Member
 
Join Date: Jan 2009
Model: 8330
PIN: N/A
Carrier: AT&T
Posts: 4
Default

Perfect, I'll make sure to include that in my instructions.

Thanks to all for your help.
Copyright © 2004-2016 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.