
08-19-2009, 04:02 PM
BES Guru
Join Date: Dec 2008
Location: Columbus, OH
Posts: 247
Policy Rule Question #2
Have another policy rule that I have questions about. Our security group wants us to set the content protection strength rule. I obviously reviewed the IT policy rule but also checked out the BES 5.0 Security Technical Overview. I have a couple of concerns about how this rule might affect the BlackBerry in real-world situations:
- How does setting the rule to Strong/Stronger/Strongest affect the end-user experience? If slower, how significant is the slowdown?
- Is the slowdown all the time or only when unlocking the device?
- Does this affect the functionality of applications or BT devices?
- Does this cause any support issues? I know some previously existed.
As always, thanks to everyone for taking the time to respond.
-Doug
Quote:
Content Protection Strength IT policy rule
Description
This rule specifies the cryptography strength that a BlackBerry® device uses to encrypt content that it receives while it is locked. When you specify a value, the content protection feature is turned on.
Default values
The default value in the Advanced security and Advanced security (disallow application downloads) IT policies is strong.
The default value in all other preconfigured IT policies is a null value.
Usage
Configure this rule to Strong to use a 160-bit ECC public key. This key provides good security and good performance and is adequate for most situations.
Configure this rule to Stronger to use a 283-bit ECC public key. This key provides better security but slower performance than the Strong setting.
Configure this rule to Strongest to use a 571-bit ECC public key. This key provides the highest level of security but the slowest performance of the three settings.
Dependencies
A BlackBerry device uses this rule only if you configure the Password Required IT policy rule to Yes.
If you configure this rule to Strong or Stronger, configure the Minimum Password Length IT policy rule to 12 characters. If you configure the content protection strength to Strongest, instruct the user to create a password of at least 21 characters. These password lengths maximize the encryption strength that the longer ECC keys are designed to provide.
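The quoted rule says the device encrypts content it receives while locked and that the ECC key is only as useful as the password behind it, which is why the Dependencies section ties the longer keys to 12- and 21-character passwords. The following is an added example written for this page, not code from RIM, the BES documentation or any poster. It is a simplified, hypothetical model of that key hierarchy, not RIM's documented design: Go's standard library with P-256 standing in for the 160/283/571-bit curves the rule names, an iterated-SHA-256 stand-in for a real password KDF, and AES-GCM for the symmetric part. What it shows is that while locked the device can still encrypt arriving data (ECIES-style, to its own public key) but cannot read it; that a wrong password leaves the private key wrapped; and that whatever the curve size, an attacker who can guess the password gets the private key, so a 4-character minimum caps the real strength of any setting.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Device is a hypothetical, simplified model (not RIM's implementation) of the
// content-protection key hierarchy: the ECC public key stays usable while the
// device is locked; the private key is wrapped under a password-derived key.
type Device struct {
	pub     *ecdh.PublicKey  // P-256 stands in for the rule's 160/283/571-bit curves
	priv    *ecdh.PrivateKey // nil while locked
	salt    []byte
	wrapped []byte // private key sealed under kdf(password, salt)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // only for calls that cannot fail: fixed key sizes, system RNG
	}
	return v
}

// kdf stands in for a real password KDF (PBKDF2/scrypt). Whatever the ECC size,
// the private key is only as hard to recover as the password guarding it.
func kdf(password string, salt []byte) []byte {
	h := sha256.Sum256(append([]byte(password), salt...))
	for i := 0; i < 100000; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

// seal and open are AES-256-GCM with the random nonce prepended to the output.
func seal(key, pt []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, pt, nil)
}

func open(key, data []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(data) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], nil)
}

// NewDevice enrolls a password: generates the key pair and wraps the private key.
func NewDevice(password string) *Device {
	priv := must(ecdh.P256().GenerateKey(rand.Reader))
	salt := make([]byte, 16)
	must(rand.Read(salt))
	wrapped := seal(kdf(password, salt), priv.Bytes())
	return &Device{pub: priv.PublicKey(), priv: priv, salt: salt, wrapped: wrapped}
}

// Lock discards the plaintext private key; only the wrapped copy remains.
func (d *Device) Lock() { d.priv = nil }

// Receive models data arriving while locked (ECIES-style): an ephemeral key
// does ECDH with the device public key and the hashed secret keys AES-GCM.
func (d *Device) Receive(msg []byte) []byte {
	eph := must(ecdh.P256().GenerateKey(rand.Reader))
	key := sha256.Sum256(must(eph.ECDH(d.pub))) // same curve: cannot fail
	return append(eph.PublicKey().Bytes(), seal(key[:], msg)...)
}

// Unlock unwraps the private key; a wrong password fails GCM authentication.
func (d *Device) Unlock(password string) error {
	raw, err := open(kdf(password, d.salt), d.wrapped)
	if err != nil {
		return errors.New("wrong password: private key stays wrapped")
	}
	d.priv, err = ecdh.P256().NewPrivateKey(raw)
	return err
}

// Open decrypts a record received while locked; it needs the unwrapped key.
func (d *Device) Open(rec []byte) ([]byte, error) {
	if d.priv == nil {
		return nil, errors.New("device locked: content is unreadable")
	}
	pubLen := len(d.pub.Bytes()) // 65 bytes: uncompressed P-256 point
	if len(rec) < pubLen {
		return nil, errors.New("malformed record")
	}
	ephPub, err := ecdh.P256().NewPublicKey(rec[:pubLen])
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(must(d.priv.ECDH(ephPub))) // validated: same curve
	return open(key[:], rec[pubLen:])
}
```

A typical run is NewDevice, Lock, Receive one or more records, then Open fails until Unlock succeeds with the enrolled password. In this model the unlock path pays for the password KDF plus the key unwrap, and each record costs one ECDH when it is read; the curve size changes the cost of those operations, while the password alone decides how many guesses an attacker with the wrapped key needs.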

08-19-2009, 05:51 PM
Super Moderator
Join Date: Dec 2008
Posts: 1,056
1. How does setting the rule to Strong/Stronger/Strongest affect the end-user experience? If slower, how significant is the slowdown?
The response of the device on unlocking is MUCH slower on the Strongest setting. To unlock, when Content Protection is enabled, takes up to 7 seconds in my experience. On older devices (prior to the Bold) the wiping of said devices takes up to 3 hours as well. So if a user forgets their password x number of times and it wipes, they are SOL for up to 3 hours. The device does, however, wipe, then scrub to DoD standards.
2. Is the slowdown all the time or only when unlocking the device?
There is a very small slowdown during operation at all times, though most users will not notice. The unlocking is the pain.
3. Does this affect the functionality of applications or BT devices?
I do not allow Bluetooth devices in my environment (excluding the CAC reader) so I cannot comment on this, though I seriously doubt Bluetooth would have any noticeable difference. (Encryption on BT is separate.)
4. Does this cause any support issues? I know some previously existed.
The only one I have come across is the user wiping their device/complaining about the sluggishness to unlock. On devices not running 4.5+ and BES prior to 4.1.6, you could NOT reset the password for a user when content protection was enabled (could not translate plain text to encrypted text and back). These issues have been resolved with the above listed software versions.
Let me know what additional questions you have. Also, the above list is from BES 4.1.5+; prior versions did not have that robust an encryption.
Last edited by Sith_Apprentice; 08-19-2009 at 05:57 PM.

08-19-2009, 08:40 PM
BES Guru
Join Date: Dec 2008
Location: Columbus, OH
Posts: 247
Perfect, this is exactly what I was looking for. Thanks!

08-20-2009, 12:54 AM
Proprietor
Join Date: Nov 2008
Location: Atlanta, GA
Posts: 2,032
Wow, I believe that was the best explanation of said policy that I've seen to date. Good job, Sith!
__________________
BCSA (4.1, 5.0) | BCSD (4.1, 5.0)
The views expressed by me on Port3101.org are my own and do not necessarily reflect the views of my employer.

08-20-2009, 12:39 PM
BES Guru
Join Date: Dec 2008
Location: Columbus, OH
Posts: 247
One last question about this policy.
Quote:
|
If you configure this rule to Strong or Stronger, configure the Minimum Password Length IT policy rule to 12 characters. If you configure the content protection strength to Strongest, instruct the user to create a password of at least 21 characters. These password lengths maximize the encryption strength that the longer ECC keys are designed to provide.
|
Are you required to set the password requirement to 12 or 21 characters when using this rule? I saw verbiage from BlackBerry in a different location that recommended the longer passwords. So is it a recommendation or a requirement? The password change would be a huge change for our users (we currently require only 4 characters).
Doug

08-20-2009, 01:14 PM
Super Moderator
Join Date: Dec 2008
Posts: 1,056
No, it is not a requirement; it is recommended.

08-20-2009, 01:14 PM
Super Moderator
Join Date: Dec 2008
Posts: 1,056
Quote:
Originally Posted by Otto
Wow, I believe that was the best explanation of said policy that I've seen to date. Good job, Sith!
|
Thank you, sir. Blog away.

08-20-2009, 01:49 PM
BES Expert
Join Date: Jan 2009
Location: Alabama
Posts: 82
FYI the wiping will take longer than 3 hours. If you have 8700 series, then you can take the day off. I've seen the 8830s take more like 4 hours.
__________________
AUTIGER92
Exchange\Blackberry Admin
4 - BES Servers (4.1.6), 3 Exchange Organizations,
~1800 BB Users, and a headache.
War Eagle!!

08-21-2009, 12:18 PM
BES Administrator
Join Date: Apr 2009
Location: YYZ
Posts: 17
Doesn't content protection also disable address book lookup for incoming calls when the device is locked?
You have to carefully review the need for content protection. If your devices are password protected already, you can't get to the info unless you know the password.

08-21-2009, 04:02 PM
BES Guru
Join Date: Dec 2008
Location: Columbus, OH
Posts: 247
Quote:
Originally Posted by CanuckBB
Doesn't content protection also disable address book lookup for incoming calls when the device is locked?
|
Are the address books automatically encrypted once content protection is turned on? I thought that it falls under a different policy rule, Force Include Address Book In Content Protection. Maybe I am not reading this one correctly. Does it mean the address book is encrypted automatically but the user can disable it after the fact? -OR- Is the address book NOT encrypted but the user can enable it?
Quote:
Description
This rule specifies whether a user can choose to encrypt the contact list on a BlackBerry® device when content protection is turned on.
By default, when you turn on content protection, the BlackBerry device is designed to encrypt the user data on the BlackBerry device, including the contact list, when it is locked but the user can choose to turn off content protection for the contact list.
Default value
The default value is No. A user can choose whether the contact list is encrypted when content protection is turned on. By default, when content protection is turned on, call display and Bluetooth contacts transfer do not work when the BlackBerry device is locked unless the user changes the Include contact list field in the Security options on the BlackBerry device.
Usage
Change this rule to Yes to prevent a user from choosing whether content protection includes contacts when a BlackBerry device is locked. In the Security options, a user cannot change the Include contact list field. Call display and Bluetooth contacts transfer do not work when the BlackBerry device is locked.
|

08-21-2009, 10:11 PM
Super Moderator
Join Date: Dec 2008
Posts: 1,056
Address books are not included unless forced. Also, I wipe devices daily: 8820s take roughly 2 hours 20 minutes, 8700c will take just over 3 hours 15 min, Bolds will take 20-30 minutes. I have never had a device take longer than 40 minutes.

09-14-2009, 02:35 AM
BES Administrator
Join Date: Feb 2009
Location: I come from a land down under where beer does flow and men chunder
Posts: 42
Content Protection is a major pain. I would not implement it if you have a choice.
I believe it is an unnecessary overhead. The risk of someone obtaining a BlackBerry & having the tools to decrypt data from the chipset is very low.
Below are some issues I came across with content protection:
1. BlackBerry is slower to respond - When you lock the handheld, the BlackBerry will start to encrypt data; initially this may take quite some time. While the BlackBerry is encrypting data, an open Padlock icon will be displayed in the status bar at the top of the screen. When the BlackBerry is finished encrypting data, the Padlock icon will appear closed. The BlackBerry will continue to encrypt new data received over the air whilst locked.
2. If the Address Book is included - contacts cannot be accessed using the "Place Call" option due to the address book being encrypted whilst the BlackBerry is locked.
Once the address book is excluded, note that when placing a call from the locked screen it will no longer display the call log (as the call log is still encrypted), but you can still type alpha characters to search for contacts in the address book.
3. An additional advantage of removing the content protection on the Address Book is to enable caller identification of incoming calls when the device is locked. Previously when locked, the BlackBerry would display "Unknown Caller" even if the callers details are in the address book (because the address book was encrypted & could not be accessed when locked).
4. Extends the time of wiping a device from 5 minutes to approximately 1 hour. This increases the amount of time it takes for us to get a BlackBerry reconfigured for our customers.
5. Forgotten passwords - Restricts our ability to send a remote command to change the password on a BlackBerry.
6. SMS messages over 160 characters being split into multiple parts is due to content protection. This only occurs when the BlackBerry is locked & the data is encrypted (blue closed padlock appears in status bar). All data received during this state is encrypted until unlocked. Hence additional portions of the SMS cannot be added to the first portion of the SMS when delivered. Multi-part SMS messages received whilst the BlackBerry is unlocked are merged into one message.
One exception would be if an SMS was received just after the BlackBerry was locked but had not yet encrypted the SMS message database (the blue padlock in the status bar would appear unlocked).

09-14-2009, 10:17 AM
BES Guru
Join Date: Dec 2008
Location: Columbus, OH
Posts: 247
Quote:
Originally Posted by devans
Content Protection is a major pain. I would not implement it if you have a choice.
|
Unfortunately, I no longer have a choice. Our security group has made it a requirement that content protection is enabled. They don't care what strength we use, just as long as it's enabled. Obviously, we are going to use the weakest (STRONG) and only go stronger if required at a later date.
Quote:
Originally Posted by devans
2. If the Address Book is included - contacts can not be accessed using the "Place Call" option due to the address book being encrypted whilst the BlackBerry is locked.
Once the address book is excluded, note that when placing a call from the locked screen it will no longer display the call log (as the call log is still encrypted), but you can still type alpha characters to search for contacts in the address book.
3. An additional advantage of removing the content protection on the Address Book is to enable caller identification of incoming calls when the device is locked. Previously when locked, the BlackBerry would display "Unknown Caller" even if the callers details are in the address book (because the address book was encrypted & could not be accessed when locked).
|
Fortunately, we are not being required to protect the address book, so we shouldn't be affected by those issues.
Quote:
Originally Posted by devans
4. Extends the time of wiping a device from 5 minutes to approximately 1 hour. This increases the amount of time it takes for us to get a BlackBerry reconfigured for our customers.
|
Hopefully this won't be the case on the STRONG setting. We still need to perform some testing. We may have to change our procedures for the help desk. Currently they will wipe and reactivate while on the phone with the customer. That will not be realistic if the wipes take an hour.
Quote:
Originally Posted by devans
5. Forgotten passwords - Restricts our ability to send a remote command to change the password on a BlackBerry.
|
This shouldn't be a problem going forward. KM12826
Came across another issue with content protection the other day. When it's enabled you can't enable debug logging on the handheld. See KB05349 for details. This won't be an everyday problem, but I was just asked by RIM last week to provide them some logs. If content protection was enabled I would not have been able to do it.
Doug
Last edited by d_fisher; 09-14-2009 at 10:30 AM.

09-14-2009, 09:02 PM
Super Moderator
Join Date: Dec 2008
Posts: 1,056
We have content protection and I reset passwords daily (users are idiots). Soon I will not have to worry about this as we are going to entirely CAC logon, which is fantastic for me. I don't have to worry about resets.

09-14-2009, 09:06 PM
BES Administrator
Join Date: Feb 2009
Location: I come from a land down under where beer does flow and men chunder
Posts: 42
A workaround I discovered was to apply the blank 'Default' IT Policy to the handheld, disable Content Protection on the handheld, & then wipe the device. Reassign the correct IT Policy before reactivating.
P.S. A word of warning: a couple of years back when I was running a 4.0.6 BES & we decided to unlock Content Protection for all via the IT Policies, we had a major issue with at least half the fleet getting an App 205 error the next time the handheld was reset. Make sure the users disable Content Protection on the handheld straight away. Having to delete & recreate user accounts, & reload the device software on 200+ devices was not fun! Hopefully the same problem would not occur in a 4.1.6 or 5.0 environment with later device software.

09-16-2009, 11:35 AM
BES Expert
Join Date: Jan 2009
Location: Alabama
Posts: 82
Quote:
Originally Posted by Sith_Apprentice
We have content protection and I reset passwords daily (users are idiots). Soon I will not have to worry about this as we are going to entirely CAC logon which is fantastic for me. I dont have to worry about resets.
|
Users aren't too happy when they find out they've locked their CAC pin and have to jump through some hoops to get it unlocked. (I almost feel bad for snickering)
__________________
AUTIGER92
Exchange\Blackberry Admin
4 - BES Servers (4.1.6), 3 Exchange Organizations,
~1800 BB Users, and a headache.
War Eagle!!

09-18-2009, 02:11 PM
BES Administrator
Join Date: Apr 2009
Location: YYZ
Posts: 17
Quote:
Originally Posted by d_fisher
Unfortunatlly, I no longer have a choice. Our security group has made it a requirement that content protection is enabled. They don't care what strength we use, just as long as its enabled. Obviously, we are going to use the weakest (STRONG) and only go stronger if required at a later date.
|
Have you tried to explain the performance hits, and that unlike a laptop HDD, once a Berry is password protected, you can't get at the data without the password?