Security for enterprise

On a BlackBerry device that is activated with BlackBerry Enterprise Service 10 (BES10) or BlackBerry Enterprise Service 12 (BES12), advanced data at rest protection is available, at the administrator's discretion. The device must be activated with an activation type of "Work and personal - Regulated" or "Work space only". For more information about activation types, see Enterprise activation types.

Advanced data at rest protection

Advanced data at rest protection helps to secure sensitive data by restricting access to files in the device's work space when the work space is in a data lock state. When the work space is data locked, only apps that are data lock aware are allowed to continue to run in the work space. They are restricted to accessing only certain parts of the work space file system.

In addition to restricting when files can be accessed, advanced data at rest protection provides enhanced file encryption. The master keys for encrypting work space files are also encrypted. The files are encrypted using keys that are tied to information that is not stored on the device, such as a user password or smart card.
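The paragraph above describes the key hierarchy in outline: a file-encryption master key that is itself kept encrypted under a key derived from something the device does not hold (the user's password or smart card). The following is an added illustration of that pattern in Python, not BlackBerry's code or algorithms: it uses PBKDF2 for the password-derived key, a SHAKE-256 keystream with an HMAC tag as a standard-library stand-in for a real key-wrap cipher, and a small key store that discards the plaintext master key when the work space locks. All iteration counts, sizes, names and the smart-card case reduced to a password are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this illustration; not BlackBerry's actual algorithms or sizes.
PBKDF2_ITERATIONS = 100_000
SALT_LEN = 16
NONCE_LEN = 16


def derive_keys(password: str, salt: bytes) -> tuple:
    """Derive a wrapping key and a MAC key from a secret the device never stores (the user password here)."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(wrap_key: bytes, nonce: bytes, length: int) -> bytes:
    # SHAKE-256 as a keyed extendable-output keystream: a stdlib stand-in for an AES key-wrap cipher.
    return hashlib.shake_256(wrap_key + nonce).digest(length)


def wrap_master_key(master_key: bytes, password: str) -> dict:
    """Encrypt-then-MAC the file-encryption master key under the password-derived keys."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    wrap_key, mac_key = derive_keys(password, salt)
    ks = _keystream(wrap_key, nonce, len(master_key))
    ciphertext = bytes(a ^ b for a, b in zip(master_key, ks))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def unwrap_master_key(blob: dict, password: str) -> Optional[bytes]:
    """Return the master key, or None if the password is wrong or the stored blob was altered."""
    wrap_key, mac_key = derive_keys(password, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # refuse rather than hand back garbage key bytes
    ks = _keystream(wrap_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], ks))


class WorkSpaceKeyStore:
    """Keeps only the wrapped master key at rest; the plaintext key exists in memory only while unlocked."""

    def __init__(self, master_key: bytes, password: str):
        self._wrapped = wrap_master_key(master_key, password)
        self._plain: Optional[bytes] = None

    def unlock(self, password: str) -> bool:
        self._plain = unwrap_master_key(self._wrapped, password)
        return self._plain is not None

    def lock(self) -> None:
        # Entering data lock: drop the plaintext key so work space files cannot be decrypted until
        # the user authenticates again.
        self._plain = None

    @property
    def is_locked(self) -> bool:
        return self._plain is None

    def master_key(self) -> bytes:
        if self._plain is None:
            raise PermissionError("work space is data locked; master key unavailable")
        return self._plain


if __name__ == "__main__":
    mk = os.urandom(32)  # constructed sample master key
    store = WorkSpaceKeyStore(mk, "example-password")
    print("unlock with wrong password:", store.unlock("wrong"))
    print("unlock with right password:", store.unlock("example-password"))
    store.lock()
    print("locked again:", store.is_locked)
```

The point the model makes explicit is the one the paragraph states: what sits on the device is only the wrapped blob, so an image of the flash alone does not yield the master key, and a locked work space holds no plaintext key for any app, data lock aware or not, to use.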

To use advanced data at rest protection, an organization needs to have BES10 version 10.2 or later or BES12. Its BlackBerry 10 devices must be running BlackBerry 10 OS version 10.3.1 or later.

For BES10, the organization must:

  • Set the "Advanced Data at Rest Protection" IT policy rule to Yes.
  • Decide whether data lock should be activated as soon as the work space locks or if there should be a delay between the work space locking and data lock being activated. Use the "Advanced Data at Rest Protection Timeout" IT policy rule to set the delay, if any.
  • Activate the device using an activation type of "Work space only" or "Work and personal - Regulated". Advanced data at rest protection is not available on personal devices or on devices that are activated with an activation type of "Work and personal - Corporate".

For BES12, the organization must:

  • Select the "Force advanced data at rest protection" IT policy rule.
  • Decide whether data lock should be activated as soon as the work space locks or if there should be a delay between the work space locking and data lock being activated. Use the "Advanced data at rest protection timeout" IT policy rule to set the delay, if any.
  • Activate the device using an activation type of "Work space only" or "Work and personal - Regulated". Advanced data at rest protection is not available on personal devices or on devices that are activated with an activation type of "Work and personal - Corporate".

On devices with both a work space and a personal space, personal apps are not affected by the work space entering into a data lock state. They continue to run and can access the device's file system normally.

Every app in the work space has a home folder in the work space file system that is accessible only to that app. An app that is data lock aware has two additional standard folders that only that app can access: a startup folder and an operational folder.

There are two types of data lock:

  • Startup locked: When a device is first turned on and the user has not yet authenticated to the work space, the work space is startup locked. An app that is data lock aware can run, but the only folder in the work space file system that it can access is the app's startup folder.
  • Data locked: If the administrator sets a timeout of 0, as soon as the work space on a device locks, the work space is data locked, too. If the administrator sets a longer timeout, the work space is data locked after the specified amount of time (unless the user unlocks the work space before the timeout ends). An app that is data lock aware can continue to run when the work space is data locked, but the only folders in the work space file system that it can access are the app's startup and operational folders.

When the work space is not in a data lock state, the work space file system can be accessed normally.

For information about creating data lock aware apps, see Creating apps that are data lock aware.

Data lock state transitions

The following diagram shows how the work space can move between data lock states. It also shows, in italics, the corresponding device locked statuses.

Diagram: Data lock state transitions
  • The device returns to the Off state when the user turns off the device, the battery power gets too low, or the battery is removed.
  • User authentication means that the user’s identity is confirmed by a password or smart card.
  • The data lock trigger can be any of the following:
    • The smart card is removed.
    • An app triggers data lock.
    • For a device activated on BES10, the administrator uses BlackBerry Management Studio to send the "Specify a new password and lock the device" command.
    • For a device activated on BES12, the administrator uses the BES12 management console to send the "Specify the device password, lock the device and set message" command.
  • For BES10, the timeout delay is specified by the "Advanced Data at Rest Protection Timeout" IT policy rule. For BES12, the delay is specified by the "Advanced data at rest protection timeout" IT policy rule. In both cases, the delay can be set to 0.
  • The device can be locked for the user (deviceLockedStatus = passwordLocked) without the work space being dataLocked.
  • This diagram applies only to the work space. In the personal space, dataLockState is always notLocked.
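The transitions listed above, together with the folder rules from the "Advanced data at rest protection" section (home, startup and operational folders per data lock state), as an added Python model. This is not BlackBerry's API and not the original diagram; the state names dataLocked, notLocked and passwordLocked are taken from the page, while startupLocked, off and unlocked are this model's own names. Transitions the text does not spell out are marked as assumptions in the comments: a data lock trigger is taken to be immediate and to lock the work space as well, and it only matters while the work space is not already data locked.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Data lock states (dataLockState) and device locked statuses (deviceLockedStatus).
OFF, STARTUP_LOCKED, DATA_LOCKED, NOT_LOCKED = "off", "startupLocked", "dataLocked", "notLocked"
PASSWORD_LOCKED, UNLOCKED = "passwordLocked", "unlocked"


@dataclass
class WorkSpace:
    """Model of one work space; the personal space is always notLocked and is not modelled."""
    timeout_seconds: int                  # "Advanced data at rest protection timeout" rule; 0 = lock at once
    data_lock_state: str = OFF
    device_locked_status: str = PASSWORD_LOCKED
    lock_due_at: Optional[float] = None   # when a pending data lock fires (None = no timer running)

    def power_on(self) -> None:
        # Not yet authenticated: only each aware app's startup folder is reachable.
        self.data_lock_state, self.device_locked_status, self.lock_due_at = STARTUP_LOCKED, PASSWORD_LOCKED, None

    def power_off(self) -> None:
        # User power-off, low battery, or battery removed all return to Off.
        self.data_lock_state, self.device_locked_status, self.lock_due_at = OFF, PASSWORD_LOCKED, None

    def authenticate(self) -> None:
        # Password or smart card confirmed the user; any pending data lock timer is cancelled.
        if self.data_lock_state == OFF:
            return
        self.data_lock_state, self.device_locked_status, self.lock_due_at = NOT_LOCKED, UNLOCKED, None

    def work_space_locks(self, now: float) -> None:
        # The work space locks; data lock follows at once (timeout 0) or after the timeout.
        # Until the timer fires the device is passwordLocked but the work space is still notLocked.
        if self.data_lock_state != NOT_LOCKED:
            return
        self.device_locked_status = PASSWORD_LOCKED
        if self.timeout_seconds == 0:
            self.data_lock_state = DATA_LOCKED
        else:
            self.lock_due_at = now + self.timeout_seconds

    def tick(self, now: float) -> None:
        # Timer expired with no unlock in between: the work space becomes data locked.
        if self.lock_due_at is not None and now >= self.lock_due_at:
            self.data_lock_state, self.lock_due_at = DATA_LOCKED, None

    def data_lock_trigger(self) -> None:
        # Smart card removed, an app triggered data lock, or the administrator's lock command.
        # Assumption of this model: the trigger is immediate and also locks the work space.
        if self.data_lock_state == NOT_LOCKED:
            self.data_lock_state, self.device_locked_status, self.lock_due_at = DATA_LOCKED, PASSWORD_LOCKED, None


HOME, STARTUP, OPERATIONAL = "home", "startup", "operational"


def accessible_folders(data_lock_state: str, data_lock_aware: bool) -> Set[str]:
    """Folders of its own an app may reach in a given state; an empty set means the app may not run."""
    if data_lock_state == NOT_LOCKED:
        return {HOME, STARTUP, OPERATIONAL} if data_lock_aware else {HOME}
    if not data_lock_aware or data_lock_state == OFF:
        return set()
    if data_lock_state == STARTUP_LOCKED:
        return {STARTUP}
    return {STARTUP, OPERATIONAL}  # DATA_LOCKED


if __name__ == "__main__":
    ws = WorkSpace(timeout_seconds=60)
    ws.power_on()
    print(ws.data_lock_state, accessible_folders(ws.data_lock_state, True))
    ws.authenticate()
    ws.work_space_locks(now=0)
    ws.tick(now=30)
    print(ws.device_locked_status, ws.data_lock_state)  # locked for the user, not yet data locked
    ws.tick(now=60)
    print(ws.device_locked_status, ws.data_lock_state, accessible_folders(ws.data_lock_state, True))
```

Running the timeout path through the model shows the distinction the second-to-last bullet draws: between the work space locking and the timer firing, a non-aware app is still permitted to run with its home folder, and only after the timer (or a trigger) moves the state to dataLocked does access shrink to the startup and operational folders of aware apps.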

For information about creating data lock aware apps, see Creating apps that are data lock aware.