[BlueBerry2007]

What I mean by security?

• Known procedures or steps taken when a Blackberry is reported misplaced or stolen (i.e., misplaced = Blackberry is recoverable, stolen = Blackberry is not recoverable).
  
• BES policy that enforces use of a password on Blackberries.
  
  Or, do you not use a BES policy, but instead use a corporate policy (i.e., you leave it up to the user to set a password on their device and they are the ones responsible for the data on it).
  
• What do you do when a user decides to incorrectly type in their password 10 times (for whatever reason), wiping their handheld, and they are at a remote location?
  
  I guess you'd re-activate the Blackberry wirelessly ... but just wondering, cause we use Lotus Notes, and a user's address book is local on their PC, we currently have them trained to synch. up their address book by using desktop manager and usb cable. (I know it can be done wirelessly but most haven't been trained to do so).
  
• What about a user who forgot their password and they are in a remote location with NO wireless coverage? What do you do you here? Do you pretty much inform that they are SOL? You can't really do that with execs, officers, or higher ups.
  
  Or, do you inform from the get go, if you are in a non-coverage location and forget your password, we can not reset your password.
  
• Speaking of reseting Blackberry passwords, how do you confirm that who's calling in to reset their password, is who they say they are?

Just want to hear how others implement security in their environment.

[John Clark]

Moved to the BES Admin Corner.

[x14]

I would say 99% of BES Admins here have.

[juwaack68]

Quote:

Originally Posted by BlueBerry2007

Known procedures or steps taken when a Blackberry is reported misplaced or stolen (i.e., misplaced = Blackberry is recoverable, stolen = Blackberry is not recoverable).

The steps are pretty much the same in either instance:
- Issue 'Kill' command from BES
- Contact carrier to disable cell number

If stolen we will also order another device right away. If misplaced, we will wait a day or 2, unless it's an impatient VP

Quote:

Originally Posted by BlueBerry2007

BES policy that enforces use of a password on Blackberries.

Or, do you not use a BES policy, but instead use a corporate policy (i.e., you leave it up to the user to set a password on their device and they are the ones responsible for the data on it).

We enforce a password - mimimum of 6 characters with 1 letter and 1 digit.

Quote:

Originally Posted by BlueBerry2007

What do you do when a user decides to incorrectly type in their password 10 times (for whatever reason), wiping their handheld, and they are at a remote location?

I guess you'd re-activate the Blackberry wirelessly ... but just wondering, cause unfortunately for us, we use Lotus Notes, and a user's address book is local on their PC, we currently have them trained to synch. up their address book by using desktop manager and usb cable. (I know it can be done wirelessly but most haven't been trained to do so).

After we get done shaking our heads, we help the user complete a new Enterprise Activation (we use Exchange). We do not train them to do any wired activations, Lord knows what else they would break.

Quote:

Originally Posted by BlueBerry2007

What about a user who forgot their password and they are in a remote location with NO wireless coverage? What do you do here? Do you pretty much inform that they are SOL? You can't do that with execs, officers, or higher ups.

Or, do you inform from the get go, if you are in a non-coverage location and forget your password, we can not reset your password.

Pretty much SOL. Even execs and higher ups.

Quote:

Originally Posted by BlueBerry2007

Speaking of reseting Blackberry passwords, how do you confirm that who's calling in to reset their password, is who they say they are?

Our Helpdesk does the majority of resets and they ask for the person network userID (which is then entered into our Remedy software and returns the persons name). When people call me directly, I know most of them by their voice so I don't bother asking for any other identification.

[ladydi]

Step 1: use Exchange Everything syncs OTA without hassle.

x14 is probably correct. Here, we enforce 8 character alpha numeric passwords with a 20 minute timeout (no locking on holstering) and they get 5 tries before the device wipes. If they do wipe it and they are not on site, I walk them through re-activating over the phone. It hasn't been a problem.

Now that I have all of my users on 4.2 handheld software, we have a policy that says if the BB hasn't received IT policy in 12 days, the BB wipes itself. This was done in response to a user wholost their BB, but didn't report it lost for 5 days - long after the battery had died.

If someone forgets their password in a no coverage area, they ARE SOL. no ifs ands or buts. We support the technology, we do not have the ability to bend it to our will and create cell towers because some exec has forgotten their password at their country house. I inform them that they are responsible for remembering their password and being prepared for being inn an area with no coverage. there is literally nothing we can do. they will have to go where there is service.

As for user verification, I currently have a small enough number of users that I know them all by voice, but when I worked in a larger environment, we used to verify by the last 4 of their SSN before resetting their password.

[BlueBerry2007]

Quote:

Now that I have all of my users on 4.2 handheld software, we have a policy that says if the BB hasn't received IT policy in 12 days, the BB wipes itself. This was done in response to a user wholost their BB, but didn't report it lost for 5 days - long after the battery had died..

Do handhelds have to be at least 4.0 software for remote lock and wipe to work? Some of our devices are still on 3.7 software.

Regarding the 12 day policy, if I understand correctly, since the BB has the policy already downloaded or applied on itself, whenever the BB gets powered back on, it will wipe itself, don't even need wireless signal?

Quote:

As for user verification, I currently have a small enough number of users that I know them all by voice, but when I worked in a larger environment, we used to verify by the last 4 of their SSN before resetting their password.

Some I know by voice also, it's just the what if part, we have about 150 Blackberry users.

I've been google'ing the internet I found one site implements a question and answer method. They must know the answer to a question they previously chosen to have their password reset. And the help desk doesn't even tell them what the reset password is. They will say something likes it's the last four digits of your social security.

[penguin3107]

Quote:

Originally Posted by BlueBerry2007

And the help desk doesn't even tell them what the reset password is. They will say something likes it's the last four digits of your social security.

In addition to being the BES admin for my company, I'm also the head of the helpdesk team.
If any of my helpdesk team had access to another employee's social security number... even just the last 4 digits... that would be an absolute nightmare.

There is no way on earth that anyone other than your HR/Payroll department should have access to any part of another employee's SSN.

[BlueBerry2007]

Thanks for confirming my thoughts on resetting password when user's BB has no wireless coverage ... can't be done.

I don't believe we currently have password policy in place.

So, if we were to implement a password policy, we'll need to convey this to users (including higher ups) in a nice professional to the point manner, that we cannot reset your password if you are in a no coverage location. And the reason we have a password policy in place is to protect corporate data.

[BlueBerry2007]

How do you verify messages to lock or wipe the handheld were successfully sent?

I'm not a BES Admin, but I do have Blackberry Manager installed on my computer and have done remote reset password and wipe.

I found the following on the internet, but when I search for the log file or keywords nothing could up. I'm thinking this log file might actually be on the BES server. And I don't have access to the BES server.

-------------------------------------------------------

Verify messages to lock or wipe the handheld was successfully sent.

To verify that the Erase Data and Disable Handheld command has been sent and received, review the POLC log file. By default, the POLC log file is located in C:\Program Files\Research In Motion\BlackBerry Enterprise Server\Logs\<date>.

Lines similar to the following are displayed in the POLC log file:
[40000] (10/03 13:00:52):{0x974}{<user_name>@<domain>,PIN=XXXXXXX X, UserID=1}SCS::PollDBQueueNewRequests - Queuing KILL_DEVICE_REQUEST request

The above line indicates when the command was first sent, and that the command is being queued for the user.
[40000] (10/03 13:01:15):{0x960} {<user_name>@<domain>, PIN=XXXXXXXX, UserId=1}RequestHandler::HandleITADMINDataCommand - ITPolicy Success Ack for the command KILL_HANDHELD_COMMAND - Processing packet, Tag=23980295

The above line indicates when the BlackBerry device received the command, and that it sent a confirmation of the receipt.
Note: To search using a string in the log file, search for ITPolicy Success Ack for the command KILL_HANDHELD_COMMAND. Once it is located, you can verify the user associated with the command. Search for this string when the device does not meet the requirements to receive the command when it is first sent.

Additional Information

To configure logging levels, complete the following steps:
In the BlackBerry Server Configuration tool, click the Logging tab.
Select BlackBerry Policy Service and set the Debug Log Level to 4.
Click Apply, then click OK.

[ladydi]

yes, this is the policy log on the BES.

I do believe that you should be able to send a wipe command to 3.7 devices. I didn't find any confirmation of this on RIM's site and it has been a long time since I used a 3.7 device, but it should work.

as for the wipe after 12 days of no policy recieved, yes it will wipe even if it doesn't have a signal because the command is in the IT policy that was pushed to the device and as soon as the device boots up and realizes it hasn't had a policy refresh for more than 12 days, it will initiate the wipe.

[BlueBerry2007]

I agree no other personnel should have access to social security numbers, even last 4 digits (which could be used to access credit card accounts).

The response may have also been, it's your mother's maiden name or your badge id number, or your home phone number, etc. ... something that only they would know and helpdesk would have records for.


Thanks for input on implementing. A lot of great ideas.

Quote:

Originally Posted by penguin3107

In addition to being the BES admin for my company, I'm also the head of the helpdesk team.
If any of my helpdesk team had access to another employee's social security number... even just the last 4 digits... that would be an absolute nightmare.

There is no way on earth that anyone other than your HR/Payroll department should have access to any part of another employee's SSN.

[Frank Castle]

We have terms of usage for Blackberry that aligns with our compliance, states a password is required, usage is tracked, if stolen it needs to be reported etc.

Password is 6, attempts 10 before wipe
looking to implement miniSD encryption next likely matching the password and disable USB mass storage mode (maybe)

Now that we've been on 4.1 it's much easier just issuing another Enterprise Activation. Help Desk manages all these calls and I'm unsure about their security but I would assume they ask the caller to verify their domain ID at a minimum.

Out of coverage - not much to be done .. call back when you have coverage.

[BlueBerry2007]

It'll be good for us to know. I can test this out, when I get a chance, and I'll report back.

Quote:

Originally Posted by ladydi

yes, this is the policy log on the BES.

I do believe that you should be able to send a wipe command to 3.7 devices. I didn't find any confirmation of this on RIM's site and it has been a long time since I used a 3.7 device, but it should work.

as for the wipe after 12 days of no policy recieved, yes it will wipe even if it doesn't have a signal because the command is in the IT policy that was pushed to the device and as soon as the device boots up and realizes it hasn't had a policy refresh for more than 12 days, it will initiate the wipe.

[BlueBerry2007]

Quote:

yes, this is the policy log on the BES.

I'll have to see if our server folks will allow us view access to the logs.

We our mainly end user Blackberry support, but can do BES stuff, but no access to BES server.

[ladydi]

Quote:

Originally Posted by penguin3107

In addition to being the BES admin for my company, I'm also the head of the helpdesk team.
If any of my helpdesk team had access to another employee's social security number... even just the last 4 digits... that would be an absolute nightmare.

There is no way on earth that anyone other than your HR/Payroll department should have access to any part of another employee's SSN.

I didn't say it was a good method. Its just what they do there. Personally, I don't put much stock in SSN's anymore. They are pretty easy to get. If they weren't, identity theft would be such a problem.

the security question method could work, but people will get frustrated when they can't remember the answer to that either. I guess I don't have any good suggestions as to how to securely identify someone over the phone - I will just thank my lucky stars that I know all my users.

[ladydi]

Quote:

Originally Posted by BlueBerry2007

I'll have to see if our server folks will allow us view access to the logs.

We our mainly end user Blackberry support, but can do BES stuff, but no access to BES server.



It'll be good for us to know. I can test this out, when I get a chance, and I'll report back.

what version of BES are you running? because I thought all devices had to be at 4.0 or higher to be on a 4.0 or higher BES. I distinctly remember upgrading all my BB's when I upgraded our BES to 4.0.

[BlueBerry2007]

User reports their BB stolen. Do you delete (or disable) user in the BES?

Or, just remotely wipe and call service provider to suspend account and deactivate sim card.

I guess "disable" use to be in older version of the BES server. And whenver user reported lost or stolen BB, their account was disabled in BES server.

We are currently at 4.x and "disable" is no longer there.

[ladydi]

Quote:

Originally Posted by BlueBerry2007

User reports their BB stolen. Do you delete (or disable) user in the BES?

Or, just remotely wipe and call service provider to suspend account and deactivate sim card.

I guess "disable" use to be in older version of the BES server. And whenver user reported lost or stolen BB, their account was disabled in BES server.

We are currently at 4.x and "disable" is no longer there.

We just send a wipe command then call the provider to have the number suspended. We don't delete the user because they get another BB - usually within a few days.

[BlueBerry2007]

We're on 4.x BES server ... I think 4.1

We have users with handheld 3.7 on our BES and their emails synch up wirelessly. I've unoticed though that 3.7 doesn't display all of it's information in the Blackberry Manager. And their a pain to activate--settings (like wireless sync) does not show up consistently, something has to happen before it does, and I dont' know what that is. Once I upgrade these to 4.x handheld software, activation is a charm and works like it's suppose to.

Quote:

Originally Posted by ladydi

what version of BES are you running? because I thought all devices had to be at 4.0 or higher to be on a 4.0 or higher BES. I distinctly remember upgrading all my BB's when I upgraded our BES to 4.0.

[MarkF]

Slightly off topic from what I've read but after enforcing encryption (content protection), you can no longer reset passwords.

Anyone here enforcing content protection? Any gotchyas? Other than losing the password reset capability, I've noticed entering in the device unlock password on the model 7290 must be done at a much slower pace or the device starts clocking.

tks
Mark