BlackBerry Forums Support Community
              

Old 06-24-2009, 05:49 AM   #1
Brendan42
Thumbs Must Hurt
 
 
Join Date: Mar 2006
Location: London
Model: 8900
Carrier: If I had a choice, a man-bag like Jack on Day-6.
Posts: 165
Content Encryption advice/comment please


To everyone who has enabled Content Encryption on their BES:

We are about to have this forced upon us by our USA head-office. As we are in control of our BES, we'd like to weigh up pros and cons first. Any help on the following questions will be appreciated:
1) Any suggested policy settings? We're not planning on encrypting the SD cards, but open to suggestions. Possibly include some of the policy settings you have implemented so far.
2) Device performance. We still have quite a few older devices, from 6230 to 7100, 7290 to newer 8100, 8800, 8900, 9000. Any performance issues with the older ones?
3) Any negative comments regarding encryption welcome. Would help us assess a worst-case scenario.
__________________
___________________________________________
Better to light a candle than to curse the darkness.
Old 06-24-2009, 08:03 AM   #2
hdawg
BlackBerry Genius
 
 
Join Date: Aug 2006
Model: hdawg
PIN: port3101.org
Carrier: hdawg
Posts: 6,632

First off ... I'm sorry. Unless your USA office is under some government regulation I'd be surprised if they had a good reason for enabling this; in general it is overkill.

Personally I'd stick with a good password policy and some user education. Anything before the 8xxx series is horrible with content protection, and even the 8xxx series isn't really all that glorious with it. 9xxx is ok, 82xx is so-so, and 8900 is a little better than the 82xx.

Worst case scenario:

1) Users complain that the devices are horribly slow.
2) When you wipe a device it does a full memory scrub; expect it to take an hour ... instead of the standard 5 minutes without content protection enabled.

I'd highly recommend you start with a pilot group of users that is patient... plus what is the point of enabling content protection on the devices and not encrypting SD? Someone can copy data to that card ... and then you've busted the whole security model.
Old 06-25-2009, 04:47 AM   #3
Brendan42
Thumbs Must Hurt
 
 
Join Date: Mar 2006
Location: London
Model: 8900
Carrier: If I had a choice, a man-bag like Jack on Day-6.
Posts: 165

Thanks hdawg. We're trying to fight back on this issue, just not sure for how long.
Reading your log-analysis blog with great interest. About time someone shed some light on this.
__________________
___________________________________________
Better to light a candle than to curse the darkness.
Old 06-25-2009, 08:09 AM   #4
cgprelude
Knows Where the Search Button Is
 
Join Date: Aug 2006
Location: DC
Model: 8800
Carrier: AT&T
Posts: 38

Yes, the scrubbing feature is terrible. Our security department likes to all enable this feature. Then when I need to wipe their devices and it starts scrubbing I just say OK, bring it back tomorrow when it's done so I can finish working on it. It's ridiculous...
Old 06-25-2009, 09:59 AM   #5
hdawg
BlackBerry Genius
 
 
Join Date: Aug 2006
Model: hdawg
PIN: port3101.org
Carrier: hdawg
Posts: 6,632

Quote:
Originally Posted by Brendan42
> Thanks hdawg. We're trying to fight back on this issue, just not sure for how long.
> Reading your log-analysis blog with great interest. About time someone shed some light on this.

Keep fighting the good fight ... your end users will appreciate you.

... and thanks for reading
Old 06-26-2009, 08:42 AM   #6
AlanM
Talking BlackBerry Encyclopedia
 
 
Join Date: May 2005
Location: Huntsville, AL
Model: 9930
Carrier: Verizon
Posts: 335

The length of time needed to scrub is dependent on the type of processor in the BlackBerry. 88xx will still take some time; I've seen 87xx take over an hour to wipe the device. I don't think users will see a great deal of slowness with daily use and content protection enabled. One thing that they will notice is that when the device is locked and you have enabled content protection on the address book, when you receive a call it will not display the caller's info, only the number (address book is encrypted, remember). If the device is unlocked and you receive a call then the caller info will display (if you have the info in your address book). Also, with content protection, if the BlackBerry OS is pre-4.5 you will not be able to send a password over the air. This is big for us because we do have users that forget their passwords (don't know how) and we have to reset them.

We are most likely due to enforce the Content Protection and media card encryption (password and device) soon.
__________________
AlanM
Exchange\Blackberry Admin
4 - BES Servers (5.0.3),
~1500 BB Users, and a headache.
War Eagle!!
Old 06-26-2009, 09:12 AM   #7
misterbulldog
Thumbs Must Hurt
 
 
Join Date: Feb 2006
Location: D.C Metro Area
Model: 9630
OS: 5.0.0.975
Carrier: Verizon
Posts: 164

Quote:
Originally Posted by AlanM
> The length of time needed to scrub is dependent on the type of processor in the BlackBerry. 88xx will still take some time; I've seen 87xx take over an hour to wipe the device. I don't think users will see a great deal of slowness with daily use and content protection enabled. One thing that they will notice is that when the device is locked and you have enabled content protection on the address book, when you receive a call it will not display the caller's info, only the number (address book is encrypted, remember). If the device is unlocked and you receive a call then the caller info will display (if you have the info in your address book). Also, with content protection, if the BlackBerry OS is pre-4.5 you will not be able to send a password over the air. This is big for us because we do have users that forget their passwords (don't know how) and we have to reset them.
>
> We are most likely due to enforce the Content Protection and media card encryption (password and device) soon.

We completed a Content Protection push to our large BES environment yesterday. We started the project earlier this year. The Address Book was excluded in the policy. Scrubbing will take a while no matter what model you have. We also changed the password policy to require a more complex password so we had quite a few users who forgot their new password as soon as they created it. However, we have found that password resets work with some devices that have 4.2 software and CP. I have not nailed it down to which model/carrier it works with yet. When a user calls for a password reset we give it a try and warn the user that it might not work. If it works, great. If not, oh well.
__________________
BlackBerry® Certified Systems Administrator
Old 07-01-2009, 08:06 AM   #8
DarthBBerry
Wireless Sith Lord
 
 
Join Date: Jan 2007
Location: Online
Model: iOS 6
Carrier: Verizon x2
Posts: 1,458

Quote:
Originally Posted by misterbulldog
> We completed a Content Protection push to our large BES environment yesterday. We started the project earlier this year. The Address Book was excluded in the policy. Scrubbing will take a while no matter what model you have. We also changed the password policy to require a more complex password so we had quite a few users who forgot their new password as soon as they created it. However, we have found that password resets work with some devices that have 4.2 software and CP. I have not nailed it down to which model/carrier it works with yet. When a user calls for a password reset we give it a try and warn the user that it might not work. If it works, great. If not, oh well.

The device OS must be 4.2.1 or higher for a password reset with Content Protection to work. If the device is 4.2.0 or less, it won't work. This is from personal, first-hand experience.

We have CP enabled on the devices which includes media cards, password protection, security time out, minimum length, and prohibited passwords. We've been using this model for almost a year with mixed results.
__________________
DarthBBerry
6-Time BlackBerry World Champion (2007-2012)
BlackBerry® Certified Support Specialist v5.0
BlackBerry® Certified System Administrator v5.0
Copyright © 2004-2016 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.