BlackBerry Forums Support Community


tgray 04-11-2005 08:43 PM

Several BES 3.6 Policy Questions
 
Good evening to all. Our company is considering the implementation of several security changes. I am not the BES Admin for our company but what I'd like to do is have a bit of feedback from the group before I talk to the security group...

1. Currently we have about 130 devices and are about to add quite a few more. Would it be possible to set up a policy for just about 8 of us (not all users) so we can test the effects of any changes we are considering?

2. My understanding is a password policy for all BlackBerry devices can be forced down. What would this look like to existing users who have been using their devices without security policies? What would happen to users who currently have passwords set up on their device?

3. We would like to have all devices have the same Owner and Information details without the ability for them to modify this information. Could this information be pushed from the BES and then secured so it cannot be modified?

4. Would any security policies require an outage from the BES?

5. Can the number of password attempts be changed from the default of 10? What happens to the device once it wipes itself (heh)? Can it be reconfigured?

6. What is Content Protection under the Security options?

7. We've been advised by our service provider all devices will be able to make phone calls, even if they will only be used for data. Is there a way to lock these phone calls to emergency calls only (such as 911)? What is Call Barring (under the Phone options), and why won't mine activate?

8. Is the security policy only installed at the time the device is connected to the workstation or can this be maintained through the BES? Would this require an upgrade to BES 4.0?

9. What are the security risks of PIN to PIN communications?

10. Can the users be restricted from installing new software to the device? What happens to software already installed before the push? Is there a way to monitor or inventory what software is installed on each device? What if we want to install software globally to all devices - would this still be possible to restrict only the software we want?

11. In what ways can the devices' activity and usage be monitored?

As I typed this I realized I had more questions than I expected. If anyone can shed some light on any of the above questions, I would be greatly appreciative.

Thanks to all.

TGRAY

jibi 04-11-2005 09:21 PM

Quote:

Originally Posted by tgray
1. Currently we have about 130 devices and are about to add quite a few more. Would it be possible to set up a policy for just about 8 of us (not all users) so we can test the effects of any changes we are considering?

You can create more than one policy (actually, you should leave the default as is and just create new ones for testing and implementation). Once you have created a new policy, you can add users to it.

Quote:

Originally Posted by tgray
2. My understanding is a password policy for all BlackBerry devices can be forced down. What would this look like to existing users who have been using their devices without security policies? What would happen to users who currently have passwords set up on their device?

Have you ever had a password policy implemented, let's say, within AD or perhaps a door code machine put in at work prior to your entering the building? Or maybe they upped the price for a Coca-Cola in the soda machine? I think you get my point - change is never good, but people learn to adapt, especially when they have no choice (just be wary of the C/V/D executives, even though they are the ones who SHOULD have passwords implemented first).

As for existing users, it will only affect them if their password does not meet the minimum requirements set by the policy. Let's say they had a 4-character password set up and you all made it 5 characters, or they had a timeout period of 5 minutes and you implemented 30 seconds.

Either way, I would send an email letting everyone know of the upcoming changes LONG BEFORE you actually implement said changes.

Also, if you happen to belong to a publicly traded company in the United States, then it's everyone's best advice to implement fairly strict security policies across the board, down to the handhelds (just for potential scrutiny of SOX compliance).

Quote:

Originally Posted by tgray
3. We would like to have all devices have the same Owner and Information details without the ability for them to modify this information. Could this information be pushed from the BES and then secured so it cannot be modified?

I do not see where you can set this in one of the default policies.

Quote:

Originally Posted by tgray
4. Would any security policies require an outage from the BES?

No.

Quote:

Originally Posted by tgray
5. Can the number of password attempts be changed from the default of 10? What happens to the device once it wipes itself (heh)? Can it be reconfigured?

10 is the highest number allowed by IT Policy (3-10) in BES 3.6. After it wipes the handheld, it can be restored to its former state from backup (assuming the user backed up info). If they did not complete a backup, then they're SOL (in my opinion).

Quote:

Originally Posted by tgray
6. What is Content Protection under the Security options?

Local encryption of ALL data on the handheld. Nifty little feature.

Quote:

Originally Posted by tgray
7. We've been advised by our service provider all devices will be able to make phone calls, even if they will only be used for data. Is there a way to lock these phone calls to emergency calls only (such as 911)? What is Call Barring (under the Phone options), and why won't mine activate?

'Allow Phone' can be set to FALSE on the BES as a Policy.

Call Barring is disallowing certain types of calls. Most likely your provider does not allow setting this option by individuals (you will probably have to call them). It's similar to disallowing 900 numbers to be dialed from your home (hey, my mom did that to me when I was younger... hehe).

Quote:

Originally Posted by tgray
8. Is the security policy only installed at the time the device is connected to the workstation or can this be maintained through the BES? Would this require an upgrade to BES 4.0?

Policy is pushed OTA - in 3.6 and 4.0 - but only after the handheld is activated on the BES (i.e., they must cradle and/or enterprise activate at least once).

Quote:

Originally Posted by tgray
9. What are the security risks of PIN to PIN communications?

The same as allowing just about any other form of communication - leakage of information. If you are not worried about that, then I'd say there would not be much risk involved. You may want to search PIN and/or Peer on this forum for a bit more information, though.

Quote:

Originally Posted by tgray
10. Can the users be restricted from installing new software to the device? What happens to software already installed before the push? Is there a way to monitor or inventory what software is installed on each device? What if we want to install software globally to all devices - would this still be possible to restrict only the software we want?

Yes. You can disable OTA downloads, as well as cripple/remove Application Loader from the Desktop Manager. You can basically disable user-initiated application loads from two directions.

Software that was loaded prior to the IT Policy push will stay on the handheld, I believe.

I'm not sure that OTA software pushes were available with 3.6. That option is available for 4.0, though.

Quote:

Originally Posted by tgray
11. In what ways can the devices' activity and usage be monitored?

The log files show quite a bit of information, although probably nothing that you would be looking for, to be honest. In 3.6, you are pretty limited by way of administration and monitoring.


All times are GMT -5.