BlackBerry Forums Support Community

Old 10-23-2008, 10:08 AM   #1
Blackberry Gall
Knows Where the Search Button Is
 
Join Date: Sep 2005
Model: 6710
Carrier: T-Mobile
Posts: 15
Default IT Policies


Hello All,

We're a small school w/about 30 BB users on a BES, w/Exchange '07. I wanted to get a sense of the IT policies others are using. Currently, we've altered the Default policy to include a forced password, but that's about it. Anyone else using additional policies?

TIA!!
__________________
BB Gal
Offline  
Old 10-23-2008, 10:15 AM   #2
soupandsandwich
Guest
 
Posts: n/a
Default

Quote:
Originally Posted by Blackberry Gall View Post
Currently, we've altered the Default policy
This is bad practice, IMO. You shouldn't change the Default policy from its original state.

A better idea is to copy the Default policy and alter the copy... or simply create some new policies from scratch.

That aside, we use many IT Policy settings in our environment... too many to list.
Some departments or groups of users have more restrictive policies than others.

Your particular business practices and security needs will give you a good outline of what policy settings you should push to your handhelds.
 
Old 10-23-2008, 10:20 AM   #3
rsk
Thumbs Must Hurt
 
Join Date: Jan 2007
Model: 9630
Carrier: Sprint
Posts: 134
Default

This is quite the can of worms and will depend mostly on your existing IT & Security policies. Since the BB device is essentially another node on your internal network you may want to think twice about carrier based internet browsing, BIS email or the ability to load applications on the device.
Offline  
Old 10-23-2008, 10:21 AM   #4
juwaack68
iPhone Convert
 
Join Date: Oct 2005
Location: Tulip City - MI
Model: iP5
OS: 6.0.2
PIN: to beans
Carrier: I'm not
Posts: 13,878
Default

Agree with soupandsandwich - keep the Default policy w/o restrictions in case you need to put a blank policy on a device for any reason (say....troubleshooting something).

That being said, we are not horribly restrictive. Force a password, and some users have phone usage blocked (mostly our users in Asia Pacific).
__________________
No longer a BES Admin, but it was fun while it lasted!
Offline  
Old 10-23-2008, 10:29 AM   #5
Jadey
BBF War Game Mod
 
Join Date: Oct 2006
Location: Denver CO
Model: Z10
OS: 10010614
PIN: SEEKRIT innit
Carrier: AT&T
Posts: 4,294
Default

In a nutshell, we:

a) enforce an idle lock password
The password has no minimum requirements apart from 6 characters, sets at 30 mins, and a change history of 6 pwds is maintained so users cannot reselect them. Also certain keywords banned (blackberry, password, company name, repetitive letters, etc) also 6 attempts till device wipes

b) in use password lock
As above, but after 1 hour continuous use device will still lock (this is so that if stolen, a key press keep-alive cannot be used)

I wanted stronger password requirements, but this is all senior management would go for.

We also:

c) ban app downloads
d) are in process of finalising the app control policies so that anything not sanctioned by IT/available via BES will die. I am not being a total arse, and am not being too strict with "business only" apps - the only way I could get this past management was to take the "I don't care how people spend their time, but security matters. If app is secure, they can have it" approach.
e) Banned any other IM than SameTime
f) Banned BIS email (although this looks like senior management are about to tell me to allow it)
g) Banned web browsing through anything other than BES

If I think of anything else, will add it.

I would like a stronger policy, but the issue is always getting execs to understand that in the trade-off between security and end-user convenience, security should win every time. I'm a policy *****, they'd have a 5 minute lockout if it were solely down to me! That said, we are reviewing the policies so that more options available. I think I have enough support that I will soon be banning app loader on desktop manager (and indeed the whole of desktop manager if I can) and all sorts of other fun things.
__________________
Jadey : Infrastructure Architect, Denver CO

Last edited by Jadey; 10-23-2008 at 11:32 AM.. Reason: DarthBBerry reminded me of some of the password stuff I use
Offline  
Old 10-23-2008, 10:30 AM   #6
DarthBBerry
Wireless Sith Lord
 
Join Date: Jan 2007
Location: Online
Model: iOS 6
Carrier: Verizon x2
Posts: 1,458
Default

Modifying the Default Policy = Egon says that's bad.

We use our IT policy for Security and Encryption.
  • Minimum 6 characters
  • Password must be changed every 90 days
  • Previous 4 passwords cannot be used
  • BlackBerry device will lock after 60 minutes of inactivity
  • Letter repetition in passwords is restricted (e.g.: aaa, bbb, ccc)
  • 6 Tries and yer out
  • Encryption enabled
  • Media cards encrypted to device
And y'all don't give me any flak about the 60 minutes of inactivity. It was hard enough to get management to allow the 6 characters.
__________________
DarthBBerry
6-Time BlackBerry World Champion (2007-2012)
BlackBerry® Certified Support Specialist v5.0
BlackBerry® Certified System Administrator v5.0
Offline  
Old 10-23-2008, 10:33 AM   #7
DarthBBerry
Wireless Sith Lord
 
Join Date: Jan 2007
Location: Online
Model: iOS 6
Carrier: Verizon x2
Posts: 1,458
Default

Quote:
Originally Posted by Jadey View Post
...I would like a stronger policy, but the issue is always getting execs to understand that in the trade-off between security and end-user convenience, security should win every time. I'm a policy *****, they'd have a 5 minute lockout if it were solely down to me! That said, we are reviewing the policies so that more options available. I think I have enough support that I will soon be banning app loader on desktop manager (and indeed the whole of desktop manager if I can) and all sorts of other fun things.
I <3 Jadey!
__________________
DarthBBerry
6-Time BlackBerry World Champion (2007-2012)
BlackBerry® Certified Support Specialist v5.0
BlackBerry® Certified System Administrator v5.0
Offline  
Old 10-24-2008, 06:58 PM   #8
SteveO86
BlackBerryForums.com Super Moderator
 
Join Date: Sep 2007
Location: Florida
Model: 9650
OS: 6.0.0.280
PIN: I heard it drop!
Carrier: VZW BIS
Posts: 6,534
Default

Currently,

Passwords enforced.
BlueTooth encryption (required).
BlueTooth discoverable mode turned off.
10 minute lock out.
Lock when holster.
IM's Disabled (not SameTime, of course I haven't got that working yet).
Media Card support disabled. (No one is using media cards yet).
3rd Party Apps disallowed.

I think I got a few more policies in play but they are escaping me at the moment. All depends on how everyone is on security, just remind them of what type of information is stored on the BlackBerry and how sensitive it is.
__________________
8830 -> 8330 -> 9550 -> 9650
Just think about how far BlackBerries have come from then till now... And what else is coming.

Follow me on Twitter
Offline  
Old 10-25-2008, 12:48 AM   #9
BBFanboy
Thumbs Must Hurt
 
Join Date: Oct 2008
Model: 9800
OS: 337
PIN: N/A
Carrier: Rogers
Posts: 76
Default

Quote:
Originally Posted by Jadey View Post
In a nutshell, we:

a) enforce an idle lock password
The password has no minimum requirements apart from 6 characters, sets at 30 mins, and a change history of 6 pwds is maintained so users cannot .. also 6 attempts till device wipes
b) in use password lock
..
I wanted stronger password requirements, but this is all senior management would go for.
c) ban app downloads
d) are in process of finalising the app control policies so that anything not sanctioned by IT/available via BES will die. I am not being a total arse, and e) Banned any other IM than SameTime
f) Banned BIS email (although this looks like senior management are about to tell me to allow it)
g) Banned web browsing through anything other than BES

If I think of anything else, will add it.

I would like a stronger policy, but the issue is always getting execs to understand that in the trade-off between security and end-user convenience, security should win every time. I'm a policy *****, they'd have a 5 minute lockout if it were solely down to me! That said, we are reviewing the policies so that more options available. I think I have enough support that I will soon be banning app loader on desktop manager (and indeed the whole of desktop manager if I can) and all sorts of other fun things.

Are you in the military? - that seems very restrictive.

We
1. Password 4 characters minimum (this is plenty strong when you have an entire keyboard to work with)
2. 15 minute lockout enforced - I would have liked 10 minutes
3. 90 minute idle lock enforced
4. 10 password attempts - but can be changed lower by user
5. Encrypt media
6. We are toying with the idea of disabling certain apps for some users.

It's all about security without making your users feel like they are in prison.
You have to consider what are you trying to prevent, stop, slow down?
__________________
The flame goes on..
Blackberry since 2004, Torch currently
Offline  
Old 10-25-2008, 10:18 AM   #10
acnst
BBF Moderator
 
Join Date: Aug 2004
Location: Germany
Model: 9700
PIN: not configured
Carrier: T-Mobile
Posts: 1,528
Default

Quote:
Originally Posted by soupandsandwich View Post
This is bad practice, IMO. You shouldn't change the Default policy from its original state.
You are wrong. Modifying your default policy is a good practice! Ideally the default IT Policy should be the most restrictive one - just in case someone forgets to assign the right IT Policy to a (new) user. The default IT policy is the one that gets automatically assigned to new users. This way you will make sure your devices are "protected" well. If required, you then can assign a less restrictive policy to user accounts.
__________________
Deutsches Blackberry Forum - visit www.blackberry-forum.de


for Microsoft Exchange

Offline  
Old 10-25-2008, 10:21 AM   #11
juwaack68
iPhone Convert
 
Join Date: Oct 2005
Location: Tulip City - MI
Model: iP5
OS: 6.0.2
PIN: to beans
Carrier: I'm not
Posts: 13,878
Default

Quote:
Originally Posted by acnst View Post
Ideally the default IT Policy should be the most restrictive one - just in case someone forgets to assign the right IT Policy to a (new) user.
Interesting perspective. I don't agree with you, but I appreciate the different view
__________________
No longer a BES Admin, but it was fun while it lasted!
Offline  
Old 10-25-2008, 10:25 AM   #12
acnst
BBF Moderator
 
Join Date: Aug 2004
Location: Germany
Model: 9700
PIN: not configured
Carrier: T-Mobile
Posts: 1,528
Default

Quote:
Originally Posted by juwaack68 View Post
I don't agree with you, but I appreciate the different view
Good to know

Btw, if you do it this way and still need to assign a blank policy to a device, create a new one.
__________________
Deutsches Blackberry Forum - visit www.blackberry-forum.de


for Microsoft Exchange

Offline  
Old 10-25-2008, 10:32 AM   #13
juwaack68
iPhone Convert
 
Join Date: Oct 2005
Location: Tulip City - MI
Model: iP5
OS: 6.0.2
PIN: to beans
Carrier: I'm not
Posts: 13,878
Default

It does make sense, on the one hand, to make the Default policy the most restrictive. Especially in the case where another department (say....my company's Helpdesk) is adding users and they forget to apply the 'Company Policy'.

On the other hand, if they do that, then they have to troubleshoot why a device isn't working properly...and I'm not sure they'd think to look at the IT Policy as the culprit.
__________________
No longer a BES Admin, but it was fun while it lasted!
Offline  
Old 10-25-2008, 10:38 AM   #14
soupandsandwich
Guest
 
Posts: n/a
Default

Quote:
Originally Posted by acnst View Post
You are wrong. Modifying your default policy is a good practice! Ideally the default IT Policy should be the most restrictive one - just in case someone forgets to assign the right IT Policy to a (new) user. The default IT policy is the one that gets automatically assigned to new users. This way you will make sure your devices are "protected" well. If required, you then can assign a less restrictive policy to user accounts.
How can my opinion be wrong? It's an opinion... that's what IMO means.
 
Old 10-25-2008, 11:13 AM   #15
acnst
BBF Moderator
 
Join Date: Aug 2004
Location: Germany
Model: 9700
PIN: not configured
Carrier: T-Mobile
Posts: 1,528
Default

Quote:
Originally Posted by soupandsandwich View Post
How can my opinion be wrong? It's an opinion... that's what IMO means.
I am not a native English speaker, this results in this kind of misunderstanding. The words I used are not 100% accurate. For sure your or any other opinion can't be wrong.
I hope I didn't offend you.
__________________
Deutsches Blackberry Forum - visit www.blackberry-forum.de


for Microsoft Exchange

Offline  
Old 10-25-2008, 11:43 AM   #16
juwaack68
iPhone Convert
 
Join Date: Oct 2005
Location: Tulip City - MI
Model: iP5
OS: 6.0.2
PIN: to beans
Carrier: I'm not
Posts: 13,878
Default

Wirelessly posted (My blond BlackBerry)

Your non-native English is better than some folks who only speak English (or some IM-speak variation of it)
__________________
No longer a BES Admin, but it was fun while it lasted!
Offline  
Old 10-25-2008, 12:00 PM   #17
acnst
BBF Moderator
 
Join Date: Aug 2004
Location: Germany
Model: 9700
PIN: not configured
Carrier: T-Mobile
Posts: 1,528
Default

Quote:
Originally Posted by juwaack68 View Post
Wirelessly posted (My blond BlackBerry)

Your non-native English is better than some folks who only speak English (or some IM-speak variation of it)
Thank you for the compliment
__________________
Deutsches Blackberry Forum - visit www.blackberry-forum.de


for Microsoft Exchange

Offline  
Old 10-25-2008, 12:55 PM   #18
BBFanboy
Thumbs Must Hurt
 
Join Date: Oct 2008
Model: 9800
OS: 337
PIN: N/A
Carrier: Rogers
Posts: 76
Default

Quote:
Originally Posted by acnst View Post
You are wrong. Modifying your default policy is a good practice! Ideally the default IT Policy should be the most restrictive one - just in case someone forgets to assign the right IT Policy to a (new) user. The default IT policy is the one that gets automatically assigned to new users. This way you will make sure your devices are "protected" well. If required, you then can assign a less restrictive policy to user accounts.
Just for the record - I agree with you. From an IT security perspective, the default should always be the most restrictive.

We do the same - default is so restrictive that it's noticed right away. We also have helpdesk personnel adding Blackberries - and that was the only way to ensure they assign correct policies to people.
__________________
The flame goes on..
Blackberry since 2004, Torch currently
Offline  
Old 10-26-2008, 05:37 AM   #19
Jadey
BBF War Game Mod
 
Join Date: Oct 2006
Location: Denver CO
Model: Z10
OS: 10010614
PIN: SEEKRIT innit
Carrier: AT&T
Posts: 4,294
Default

I think this is context sensitive. In my environment, I agree with Soupandsandwich and juwaack68. This is because I control BES and the admins, and the three people with access to add users have a standard procedure where new BES users are instantly added to a group, tied to a policy. For this reason I leave default as default, with no changes. This is because it DOES make troubleshooting easier, and is also a very useful reference to check what options have been modified on our live policies.

The problem with security is that there is no "right" way, it all depends on many factors. Someone in this thread commented that my policies are strong and asked whether I work in military - no, I do not! I work in corporate business, and here data is everything - you cannot put too high a cost on data. A BB is a route into our LAN, it holds very sensitive information (CEO email, for example), it also would provide someone who stole it a great tool for identity theft. Mobile execs email secretaries and ask them to do all sorts, what's to stop someone stealing an unlocked BB from the CEO and emailing the PA and asking them to fax unreleased results to an analyst "friend" or something? Read some Kevin Mitnick books, identity fraud is just one way to misuse information. So I care about data, wherever it is and whatever it is on. IF I HAD MY WAY the BB policies would be as restrictive as network logon accounts. The Execs freaked when the BB policy first went live, and hated every part of it [despite the fact they all signed it off before go-live. Apparently, agreeing to a password lock on paper is not the same as actually living with it - gah]. I have been ORDERED to scale back some parts such as password length and lockout time, and now allowing BIS (!!). Other things I have been able to open senior Execs' eyes to potential security issues, and those parts of the policy remain unchanged. It is always, always a trade-off between what the management will agree to in terms of usability, and high security. As a BES Admin, I see my role as to fight for security, not what "makes life easy" - easy not necessarily good IMO. Easy for my users, easy for someone who nicks the BB. Google the stats on targeted laptop theft for execs, you think those same people wouldn't lift a BB out of a pocket at an airport?

Anyway getting back on track. Regarding default being most restrictive with regards to BB policies - this drove my Execs nuts. When I first applied a very strong BB policy, and was after several months and lots of complaints later told to ease it on password reqs., the users moaned that the new policy had not changed their settings. Bear in mind that the BB will always check its settings against policy, and keep the most restrictive settings. So if you send a BES policy to a BB requiring a 2 minute lockout, that is what the BB will set itself to. Change the policy to 30 mins, and the BB will do nothing. The user will have to go through menus to alter timeout to their choice. In my experience, this is just another thing that won't go down well with Execs. So I guess what I am really saying is that the trade-off is between:
End-user convenience vs. Security vs. Keeping your job by not seriously annoying the CEO
__________________
Jadey : Infrastructure Architect, Denver CO

Last edited by Jadey; 10-26-2008 at 05:40 AM..
Offline  
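
The behaviour described in post #19 (the handheld keeps the most restrictive value, so relaxing a policy on the server does not relax the device), modelled as an added example that is not part of the original thread. The rule names, the sample policy values other than the 2 and 30 minute lockouts, and the check that a user cannot go weaker than the current policy are assumptions made for illustration, not real BES IT policy rule names or documented BES behaviour.

```python
"""Model of the 'most restrictive setting wins' behaviour described in the thread.

Rule names are hypothetical placeholders, not real BES IT policy rule names.
"""

# Direction of strictness per rule: "min" means a lower value is stricter
# (timeouts, allowed attempts); "max" means a higher value is stricter
# (password length, history depth).
STRICTER = {
    "lock_timeout_minutes": "min",
    "max_password_attempts": "min",
    "min_password_length": "max",
    "password_history": "max",
}

# Constructed sample policies: the 2 and 30 minute lockouts come from the post,
# the password lengths are made up for the example.
STRICT_POLICY = {"lock_timeout_minutes": 2, "min_password_length": 8}
RELAXED_POLICY = {"lock_timeout_minutes": 30, "min_password_length": 6}


def stricter_of(rule, a, b):
    """Return whichever of a/b is the more restrictive value for this rule."""
    if a is None:
        return b
    if b is None:
        return a
    return min(a, b) if STRICTER[rule] == "min" else max(a, b)


class Handheld:
    """Device that ratchets: a pushed policy can tighten a setting, never loosen it."""

    def __init__(self):
        self.settings = {}

    def receive_policy(self, policy):
        for rule, value in policy.items():
            if rule not in STRICTER:
                raise ValueError(f"unknown rule: {rule}")
            self.settings[rule] = stricter_of(rule, self.settings.get(rule), value)

    def user_change(self, rule, value, policy):
        """Manual change on the device; assumed to be capped by the policy in force."""
        if stricter_of(rule, value, policy[rule]) != value:
            raise PermissionError(f"{rule}={value} is weaker than policy {policy[rule]}")
        self.settings[rule] = value


def drift_report(device, policy):
    """Rules where the device value differs from the policy now in force,
    as {rule: (device_value, policy_value)}: the settings users must change by hand."""
    return {
        rule: (device.settings.get(rule), wanted)
        for rule, wanted in policy.items()
        if device.settings.get(rule) != wanted
    }


if __name__ == "__main__":
    bb = Handheld()
    bb.receive_policy(STRICT_POLICY)
    bb.receive_policy(RELAXED_POLICY)  # relaxing on the server changes nothing here
    print(drift_report(bb, RELAXED_POLICY))
```

The drift report is the list an admin would hand to users after easing a policy: every entry is a setting that stays at the old, stricter value until someone changes it on the handheld.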
Old 10-26-2008, 07:37 AM   #20
fadmin
BlackBerry Extraordinaire
 
Join Date: Mar 2007
Model: Z10
OS: 10.1.0.19
Carrier: Fido
Posts: 1,068
Default

Quote:
Originally Posted by acnst View Post
You are wrong. Modifying your default policy is a good practice! Ideally the default IT Policy should be the most restrictive one - just in case someone forgets to assign the right IT Policy to a (new) user. The default IT policy is the one that gets automatically assigned to new users. This way you will make sure your devices are "protected" well. If required, you then can assign a less restrictive policy to user accounts.
I agree.
Offline  
Copyright © 2004-2016 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.