At A Glance
The industry-leading security built into the BlackBerry® Enterprise Solution allows your users to confidently access sensitive information on the go.
Wireless Data Security
End-to-end Encryption
The BlackBerry Enterprise Solution offers two transport encryption options, Advanced Encryption Standard (AES) and Triple Data Encryption Standard (Triple DES)*, for all data transmitted between BlackBerry® Enterprise Server and BlackBerry smartphones.
Private encryption keys are generated in a secure, two-way authenticated environment and are assigned to each BlackBerry smartphone user. Each secret key is stored only in the user's secure enterprise account (i.e., Microsoft® Exchange, IBM® Lotus® Domino® or Novell® GroupWise®) and on their BlackBerry smartphone, and can be regenerated wirelessly by the user.
Data sent to the BlackBerry smartphone is encrypted by BlackBerry Enterprise Server using the private key retrieved from the user's mailbox. The encrypted information travels securely across the network to the device, where it is decrypted with the key stored there.
Data remains encrypted in transit and is never decrypted outside of the corporate firewall.
RSA SecurID Two-Factor Authentication
BlackBerry MDS Services on BlackBerry Enterprise Server support RSA SecurID® authentication, providing organizations with additional authorization when users access application data or corporate intranets on their BlackBerry smartphones. BlackBerry MDS Services utilize RSA ACE/Agent® Authorization API 5.0 to interface with RSA ACE Servers®. Users are prompted for their Username and Token Passcode when navigating to a site or application requiring authorization. Download the BlackBerry Enterprise Solution and RSA SecurID white paper (PDF) to learn more.
HTTPS Secure Data Access
BlackBerry MDS Services act as a secure gateway between the wireless network and corporate intranets and the Internet. They leverage the BlackBerry AES or Triple DES* encryption transport and also enable HTTPS connections to application servers.
BlackBerry smartphones support HTTPS communication in one of two modes, depending on corporate security requirements:
- Proxy Mode: An SSL/TLS connection is created between BlackBerry Enterprise Server and the application server on behalf of BlackBerry smartphones. Data from the application server is then AES or Triple DES* encrypted and sent over the wireless network to BlackBerry smartphones.
- End-to-End Mode: Data is encrypted over SSL/TLS for the entire connection between BlackBerry smartphones and the application server, making End-to-End Mode connections most appropriate for applications where only the transaction end-points are trusted.

IBM Lotus Notes Email Encryption Support
BlackBerry Enterprise Solution support for Lotus Notes® email encryption is designed to increase usability of the BlackBerry Enterprise Solution. With BlackBerry Enterprise Server v4.1, BlackBerry smartphones are able to read Lotus Notes encrypted email. Additional BlackBerry smartphone user and administrative setup information is provided in the BlackBerry Enterprise Server for Lotus Domino documentation.
Code Signing and Digital Certificates
BlackBerry smartphone applications created using the BlackBerry® Java™ Development Environment (JDE) that use certain functionality, such as the ability to execute on startup or to access potentially sensitive BlackBerry smartphone application data, must be signed and registered by their developers with Research In Motion (RIM). This adds protection by providing a greater degree of control and predictability to the loading and behaviour of applications on BlackBerry smartphones.
Additionally, the BlackBerry Signing Authority Tool can help protect access to the functionality and data of third-party applications by enabling corporate developers or administrators to manage access to specific sensitive Application Programming Interfaces (APIs) and data stores through the use of server-side software and public and private signature keys. Learn more about RIM's Controlled APIs and Code Signing.
To help protect BlackBerry® MDS Studio applications from tampering, corporate developers can sign an application bundle with a digital certificate described by an alias. They can use either a trusted certificate authority (CA) or a generated (self-signed) certificate. BlackBerry MDS Studio generates and signs applications with certificates that are compliant with the Public Key Infrastructure (X.509) standard.
For complete information on certificates and BlackBerry MDS Studio applications, please refer to the BlackBerry MDS Studio Developer Guide (PDF).
*Available for BlackBerry Enterprise Server for Microsoft Exchange and BlackBerry Enterprise Server for IBM Lotus Domino only.
Stored Data Security
Strong IT Policy Enforcement and Management
The BlackBerry Enterprise Solution extends corporate security to the wireless device and provides administrators with tools to manage this security. To secure information stored on BlackBerry smartphones, password authentication can be made mandatory through the customizable IT policies of the BlackBerry® Enterprise Server. By default, password authentication is limited to ten attempts, after which the device's memory is erased.
Local encryption of all data (messages, address book entries, calendar entries, memos and tasks) can also be enforced via IT policy. With the Password Keeper, Advanced Encryption Standard (AES) encryption technology allows password entries (e.g., banking passwords and PINs) to be stored securely on the device.
Additionally, system administrators can create and send wireless commands to remotely change BlackBerry smartphone passwords and lock or delete information from lost or stolen BlackBerry smartphones. Learn more about BlackBerry Enterprise Server IT Policies.
BlackBerry Enterprise Server Security
BlackBerry Enterprise Server does not store any email or data. To increase protection from unauthorized parties, there is no staging area between the server and the BlackBerry smartphone where data is decrypted.
Security is further enhanced by allowing only authenticated, outbound-initiated connections through port 3101 of the firewall. No inbound traffic is permitted from sources other than the BlackBerry smartphone or the email server, meaning unauthorized commands cannot be executed on the system. Only communications that can be decrypted with a valid encryption key are permitted between the server and the wireless network.
Certified Secure
As a market leader in the area of information assurance and compliance, Research In Motion Limited (RIM) is committed to independent, third-party approvals and certifications of BlackBerry security. The BlackBerry Enterprise Solution has been approved for use by numerous government agencies and has received several industry-recognized security certifications. Learn more about BlackBerry approvals and certifications.
Trusted by the Experts
Thousands of enterprises and government agencies have already adopted and deployed the BlackBerry Enterprise Solution. Find out how some of these customers are using the BlackBerry Enterprise Solution to securely access their sensitive information.
