View Single Post
Old 03-01-2007, 01:42 AM   #1
John Clark
BBF Moderator
 
John Clark's Avatar
 
Join Date: Jun 2005
Model: Z30
OS: 10.2.1.x
PIN: s & needles
Carrier: AT&T
Posts: 34,720
Default Remove IT Policy

Please Login to Remove!

Important: If you're still connected to a company BES, and simply want to install the latest and greatest third party application I would not recommend this approach. Talk to your BES administrators and ask them to grant you the appropriate rights. There are two problems in using this guide to bypass your company's security policy. First, whenever you reconnect to the company server, your security settings will revert back to how they were. Second, and perhaps more importantly, you run the risk of getting fired. Use of this procedure will sever the tie between your BlackBerry and your company BES and you will need to reactivate in order to reestablish the connection.

Method 1: IT Policy Removal For Devices with OS 4.5 and higher (Preferred)

The preferred method for removing IT policy is to update your device to OS 4.5 or higher (if possible) and use JL_Cmder's "resettofactory" command or the resettofactory command that is included in Loader.exe that installs with Desktop Manager (or any BB OS) to remove ALL IT policy, Firewall restrictions and Application Permission settings. After you've upgraded to OS 4.5 or higher, simply backup the device using Desktop Manager, close Desktop Manager, then run JL_Cmder and execute the "resettofactory" command or if you don't have JL_Cmder, just do the following:

1. Go to Start >Run and type CMD (you can also find the command prompt in Programs >Accessories.)

A command box will open.

2. Type the following exactly including spaces: cd c:\program files\common files\research in motion\apploader

You should now see that path followed by the cursor.

3. Now type: loader.exe/resettofactory


After using JL_Cmder or the cmd prompt method above, the device will do a security wipe of the device; (meaning wipe your data but leave the OS, DO NOT use the "Wipe" command in JL_Cmder) then reboot leaving the OS, 3rd party apps but no data AND, best of all, NO IT policy whatsoever. When you're done, simply restore your backup and you're good to go with no policy or locked firewall. You can downgrade back to the old OS if you desire, too.




If your 7xxx or 8xxx device is running OS 4.2 or lower (look in Options >About) and you can't upgrade it to OS 4.5 or higher you will NOT be able to use method 1 above and you will need to use method #2 below:




================================================== ================================================== ================================================

Edit 04/16/2010: Since the procedure below is no longer needed on most of the current devices in use, the procedure below is no longer necessary in most cases and therefore the blank policy used is no longer available for download. I will leave the instructions posted so that they can be used to remove the policy.bin file from a PC if it gets left there inadvertently. Please refer to Method 1 above to remove the IT Policy from your device. If your device is running OS 4.2 you will need to update it to 4.5 before removing the policy using the method above.

Method 2: Placing Blank IT Policy on the Device(OS 4.2 and earlier devices ONLY)
Quote:
WARNING!
Follow these instructions only if you know what you are doing.
These instructions can actually downgrade certain BlackBerry's abilities (i.e. permanent loss of support for Bluetooth keyboards) if your BlackBerry actually does not already have an IT policy installed. These instructions are meant as a last resort to regain BlackBerry capabilities, in the event your BlackBerry is encumbered by a restrictive leftover IT policy after removal from a BES and you are unable to upgrade to OS 4.5 or higher and use Method 1 above. (i.e. eBay purchased older BlackBerry)
Removing IT Policy.


This procedure should ONLY be used on devices that cannot be upgraded to OS 4.5 or higher. If you have a device that can be upgraded to OS 4.5 or higher DO NOT USE THIS PROCEDURE. Use Method 1 described above. If you have an older device that cannot be upgraded to OS 4.5 then continue with the following instructions. This is a How-To for removing IT policy from your BB. In essence, what this does is apply a blank IT policy to the device. The blank IT policy does, unfortunatly, leave some IT policy firewalls in place, however. For instance "keystroke injection" is set by default to "deny" on most IT policies. This blank policy won't give back "allow" for this feature. This becomes a problem if you desire to use a Bluetooth keyboard. You'll be unable to use the keyboard. If a way is found to get this back then I'll edit this post accordingly. A quick check to see if your BB is under IT policy can be done by going to Options/Security on your Device. If you see any references to IT Policy whatsoever, then you have a potentially restrictive IT Policy that can be removed. The Disclaimer/Intended Use. This guide is intended for use by people that own their own Blackberry, and for whatever reason, have inherited a company's IT policy on their device. Really, there are two scenarios where this guide is useful.
  • You bought a Blackberry on eBay and are unable to make changes to the settings or install Third Party Applications.
  • You have a Blackberry that was previously connected to a company's BES and, for whatever reason, you no longer intend to connect to that BES.
Important: If you're still connected to a company BES, and simply want to install the latest and greatest third party application I would not recommend this approach. Talk to your BES administrators and ask them to grant you the appropriate rights. There are two problems in using this guide to bypass your company's security policy. First, whenever you reconnect to the company server, your security settings will revert back to how they were. Second, and perhaps more importantly, you run the risk of getting fired.
Procedure: Step 1 Ensure the Blackberry Desktop Manager is installed using Blackberry Internet Service, and not Blackberry Enterprise Server. If you are unsure, it would probably be a good idea to uninstall the Desktop Manager and start again. If you don't have the CD that came with your Blackberry, the Software can be downloaded here.

Step 2 Download the file Policy.bin (this file has been removed...see note in red above) and save it in your Blackberry installation directory (C:\Program Files\Research In Motion\BlackBerry).

Step 3 Wipe your Blackberry, creating a backup if necessary. Select Options/Security/Wipe on the Device. If this option is unavailable, you may have to install the latest software on your Blackberry. You need to Download and install the latest OS for your device. Connect your device, open the Desktop Manager, select Application Loader, and follow the prompts.

Step 4 Close the Desktop Manager if it is open.

Step 5 From the Windows XP Start Menu select Run..., and at the prompt type regedit. In the tree on the left hand side, navigate to:

HKEY_Current_Users\Software\Research In Motion\BlackBerry\PolicyManager

Right-Click the Policy Manager Folder and select New/String Value. Name the value Path. Now, Double-Click the Path Subkey and set Value Data to:

C:\Program Files\Research In Motion\BlackBerry\policy.bin

Step 6 Open the Desktop Manager.

Step 7Connect the Device. Verification Once complete, the Options/Security screen on your Blackberry should not contain references to an IT Policy, you should now be able to change all settings (including password prompts), and install Third Party Applications.

A big thanks to 7100simpleisbetter and barjohn of BlackberryForums.com for this BB saving procedure.

I personally wrote this policy so that there would be no question as to what it does to your device. Here is the code included in the Policy.bin above: (If you have comments or questions or you see something that should be changed, please contact me in this thread or via PM.)


IMPORTANT Note: After following the instructions in method 2, any BB connected to your Desktop Manager will have this policy applie to it. For that reason it is highly recommended that after finishing placing this blank policy to the restricted BlackBerry I recommend removing the policy.bin and the registry entry you added from your computer. Basically go back and reverse these instructions. If you don't then you risk plugging in a new BB or someone else's BB with NO policy and adding this blank policy to it as well.

Code:
;
;***************************************************************************
 
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; Desktop Manager Configuration
;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 
; If application is shown on task bar.
HideWhenMinimized {default} = true
 
; Prompt the user when the Desktop Manager starts.
MessagePrompt {default} = Welcome to the Desktop Manager.
 
; To enable or disable the USB-Serial converter
EnableUSBconverter {default} = true
 
; Control whether the Application Loader is available to the user.
ShowApplicationLoader {default} = true
 
; Control whether if offline IT Policy warning prompt should be displayed.
ShowPolicyErrMsg {default} = true
 
; Control the length of time the device password is cached by Desktop Manager. (Minutes)
DesktopPasswordTimeout {policy} = 10
 
; This setting controls whether or not Desktop add-ins are permitted.
; When set to false, no desktop add-in code will be executed.
AllowDesktopAddIns {policy} = true
 
; Indicates whether or not the desktop software will allow the user to switch devices.
AllowDeviceSwitch {policy} = true
 
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; Synchronization
;; Synchronize for PIM,Email and Folder Management defaults.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 
 
; This setting allows you to specify whether or not you would like PIM 
; information to be synchronized when the user selects the Synchronize Now 
; button from the Intellisync dialog.
SynchronizeNowPIM = true
 
; This setting allows you to specify whether or not you would like Email
; information to be synchronized when the user selects the Synchronize Now 
; button from the Intellisync dialog.
SynchronizeNowEmail = true
 
; This setting allows you to specify whether or not you would like the date and 
; time to be synchronized when the user selects the Synchronize Now button from 
; the Intellisync dialog.
SynchronizeNowDateTime = true
 
; This setting allows you to specify whether or not you would like PIM 
; information to be  to be automatically synchronized when the handheld 
; is connected to the PC.
AutoSynchronizePIM = false
 
; This setting allows you to specify whether or not you would like Email
; information to be  to be automatically synchronized when the handheld 
; is connected to the PC.
AutoSynchronizeEmail = false
 
; This setting allows you to specify whether or not you would like Date and Time
; information to be  to be automatically synchronized when the handheld 
; is connected to the PC.
AutoSynchronizeDateTime = false
 
; This setting allows you to specify whether or not you would like to synchronize 
; folders instead of performing an import.
SyncFoldersInsteadOfImport = true
 
; This setting allows you to specify how information conflicts between the handheld 
; and the PC encountered during synchronization are handled. If set to true, desktop 
; information is used. If set to false, handheld information is used.
FolderConflictDesktopWins = true
 
; This setting allows the enabling or disabling of wireless email reconcilation.
AllowWirelessEmailSynchronization = true
 
; This setting allows the wireless calendar synchronization functionality to be disabled.
DisableWirelessCalendar = false
 
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; Redirector Settings
;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 
; Append signature on out going messages
AutoSignature = -----------------\
Sent from my BlackBerry Handheld.
 
; Forwards messages to the handheld
ForwardMessagesToHandheld = true
 
; Allows user's to receive mail when handheld is connected to cradle
ForwardMessagesInCradle = true
 
; Setup filter rules for email redirection
FilterRuleFile = c:\myfilters.rfi
; When filter rules don't apply, forward or don't send messages
ForwardWhenRulesDontApply = true
 
; When sending a message from handheld, don't save a copy in my 'Sent Items' folder
DontSaveSentMessages = false
 
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; Backup/Restore Configuration
;;
;; These value control the setting in "Backup and Restore Options" dialog
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 
; This value control the value of the "Automatically backup my handheld" setting
; in the options dialog, which is enables or disables prompted Automatic Backups.
AutoBackupEnabled = true
 
; This value indicates how often an AutoBackup is performed in days.
AutoBackupFrequency = 7
 
; This setting controls the exclusion of Email and synchronized data from the
; automatic backup. If set to true, the "Backup all handheld application data"
; radio button is selected.
AutoBackupIncludeAll = true
 
; This setting allows control over whether email is excluded from automatic backups
; (when AutoBackupIncludeAll is false).
AutoBackupExcludeEmail = false
 
; This setting allows control over whether synchronized application data is excluded
; from automatic backups (when AutoBackupIncludeAll is false). "Synchronized data" is
; that data which is configured for synchronization with Intellisync; this varies
; according to the user's preferences.
AutoBackupExcludeSync = false
 
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; WebLink Configuration
;;
;; These values control the appearance and behaviour of the WebLink extension.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 
; Setting this value to false prevents the WebLink icon from being displayed.
ShowWebLink = true
 
; This setting specifies the URL that will be used when the WebLink
; icon is activated.
WebLinkURL = www.your_network_here.com/go/downloads
 
; This setting controls the label that is displayed for the WebLink icon.
WebLinkLabel = Downloads
 
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; Device Security Settings
;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 
; Determine if the password is required on device
PasswordRequired {policy} = false
 
; Determine if the user can disable the password
UserCanDisablePassword {policy} = true
 
; Minimum length of the password.
; Valid range is 1 to 12 characters, inclusive.
;
; This value indicates the minimum length of an acceptable device
; security password.
MinPasswordLength {policy} = 1
 
; Password Pattern Checks
; Valid range is 0 or 1 at this time
;    0 -> no checks
;    1 -> ensure password has at least on letter and one digit
PasswordPatternChecks {policy} = 0
 
; Suppress Password Echo
;
; Option to disable password echo after x numbers of fail attempts to unlock handheld.
; false -> Disable
; true -> Enable
;
SuppressPasswordEcho {policy} = false
 
; Maximum device security timeout.
; Valid range is 1 to 60 minutes, inclusive.
;
; The handheld user is permitted to select any security timeout value
; less than this value.
MaxSecurityTimeout {policy} = 60
 
; Password Timeout
; Valid range is 0 to 60 minutes, inclusive.
;
; Set the effective password timeout on handheld.  This value must be 
; less than that of the MaxSecurityTimeout.
SetPasswordTimeout {policy} = 0
 
;
; If set, forces the device to the lock screen when it is holstered
ForceLockWhenHolstered {policy} = false
 
; Determine if the user can change the timeout
UserCanChangeTimeout {policy} = TRUE
 
; Password aging.
; Valid range is 0 to 365.
; 
; Specifying a value of 0 indicates password aging is disabled. Other
; values specify the maximum age of the password before the handheld
; user is prompted to change it.
MaxPasswordAgeInDays {policy} = 0
 
; Password History
; Valid range is 0 to 15
;
; Specify the number of passwords to retain for checking. Passwords in password history cannot be used when 
; setting a new handheld password.
;
MaximumPasswordHistory {policy} = 0
 
 
; Maximum Password Attempts
; Valid range is 3 to 10
;
; Set the maximum number of  password attempts on handheld. 
;
SetMaximumPasswordAttempts {policy} = 10
 
; Indicate if Long Term Security Timeout is enabled/disabled
;
; If true, handheld long term timeout is enabled
; If false, handheld long term timeout is disabled.
LongTermTimeoutEnable {policy} = false
 
; Attachment Viewing
;
; Controls the ability to view email attachments on the handheld.  
; If set to true then users can view attachments on the handheld 
AllowAttachmentViewing {policy} = true
 
; Policies that control the behaviour of third party applications
; on Java-based handhelds.
AllowThirdPartyUseSerialPort {policy} = true
AllowExternalConnections {policy} = true
AllowInternalConnections {policy} = true
AllowSplitPipeConnections {policy} = true
DisallowThirdPartyAppDownloads {policy} = false
 
; Policies that control the behaviour of the handheld Browser application
;
; DefaultBrowserConfigUID {default} = "BlackBerry Browser"
; MDSBrowserTitle {default} = "YourCompany Intranet"
; HomepageAddress {default} = www.your_network_here.com
; HomepageAddressReadOnly {policy} = true
; EnableWAPConfig {policy} = false
 
 
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
; Policies that apply to the TLS protocol. 
;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 
 
; TLS Disable Invalid Connection
; Disallow users to connect to a server with an invalid certificate (i.e revoked, expired, etc ).
; Value: 0=true,1=false,2=prompt on device
TLSDisableInvalidConnection {policy} = 1
 
; TLS Disable Untrusted Connection
; Prevent TLS connections to untrusted servers.
; Values: 0=true,1=false,2=prompt on device
TLSDisableUntrustedConnection {policy} = 2
 
; TLS Disable Weak Ciphers
; Disable use of weak ciphers during a TLS connection.
; Values: 0=true,1=false,2=prompt on device
TLSDisableWeakCiphers {policy} = 2
 
; TLS Minimum Strong DH Key Length,
; Valid range 512 to 4096
TLSMinimumStrongDHKeyLength {policy} = 1024
 
; TLS Minimum Strong ECC Key Length
; Valid range 160 to 571
TLSMinimumStrongECCKeyLength {policy} = 163
 
; TLS Minimum Strong RSA Key Length
; Valid range 512 to 4096
TLSMinimumStrongRSAKeyLength  {policy} = 1024
 
; Disable the use of any cipher that is not FIPS compliant.
TLSRestrictFIPSCiphers {policy} = false
 
; TLS Minimum Strong DSA Key Length
; 
; Set the minimum DSA key size allowed for use during a TLS connection.
; Range: 512 - 1024 bits in 64 bit increments
TLSMinimumStrongDSAKeyLength {policy} = 1024
 
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; Messaging Settings.
;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 
; Indicate if PIN to PIN messaging is permitted.
;
; If true, handheld users are permitted to use the PIN to PIN messaging
; feature. If false, this capability is hidden from the handheld user.
AllowPINtoPIN {policy} = true
 
; Indicate if the specification of BCC recipients is permitted.
;
; If true, handheld users can specify BCC recipients when composing messages.
; If false, this capability is unavailable to handheld users.
AllowBCCRecipients {policy} = true
 
; Indicate if SMS messaging is permitted.
;
; If true, handheld users are permitted to send SMS messages.
; If false, this capability is unavailable to handheld users.
AllowSMS {policy} = true
 
; Indicate if the RIM phone application can be used on the handheld.
;
; If true, handheld users are permitted to use the handheld's phone.
; If false, users are not permitted to use the handheld's phone.
AllowPhone {policy} = true
 
; Indicate if the RIM web browser can be used on the handheld.
;
; If true, handheld users are permitted to use the handheld's web browser.
; If false, users are not permitted to use the handheld's web browser.
AllowBrowser {policy} = true
 
; Indicate if other email services are permitted on the handheld.
;
; If false, no other email service books (other than the Enterprise
; edition one) are permitted on the handheld. Any other existing email
; service books are removed when the policy is installed; while the
; policy is in effect, other email service books will be rejected by the
; device. This forces all outbound email to be routed through the
; organization's BlackBerry Enterprise Server. 
;
; If true, no restrictions are applied to email service books.
AllowOtherEmailServices {policy} = true
 
; Indicate if other browser transport services are permitted on the handheld.
;
; If false, no other browser transport service books (other than the
; Enterprise edition one) are permitted on the handheld. In this case,
; any other existing browser transport service books are removed when the
; policy is installed; while the policy is in effect, other browser transport
; service books will be rejected by the device. This forces all browser
; traffic to be routed through the organization's BlackBerry Enterprise Server. 
;
; If true, no restrictions are applied to browser transport service books.
AllowOtherBrowserServices {policy} = true
 
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; Owner Information
;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 
; Owner Name - if value = '*' use the registry setting
OwnerName {default} = Research In Motion Ltd.
 
; Owner Info - if value = '*' use the registry setting
OwnerInfo {default} = This BB has Blank IT policy on it written by John Clark from www.BlackBerryForums.com
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; Other Info
;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

Last edited by John Clark; 10-10-2010 at 01:47 AM..
Offline   Reply With Quote