THERE’S GOOD SECURITY AND THEN THERE’S NATIONAL SECURITY
BlackBerry 10 and BES10: The perfect balance of protection and productivity

BlackBerry 10 Security Brochure

Contents

BlackBerry 10 & BES10
Corporate Networks Under Attack
BlackBerry Security
Protecting Data in Motion
BES10 Security Philosophy
BES10 Certification & Encryption
BES10 Layers of Protection
Tech Talk 1 & 2
Protecting Work Data on Personal-Use-Enabled Devices
BlackBerry Balance
Tech Talk 3
Enforcing Strong Access Controls
BlackBerry 10 Device OS Security Features
BES10’s Gold level Controls and Settings
Managing Devices
BlackBerry Mobile Device Management in Action
End-to-end Security

BlackBerry 10 & BES10

End-to-end mobile data security without compromising business productivity or user satisfaction

Keeping corporate data secure is a top priority for any organization. After all, a data breach can cause significant financial losses, expose executives to legal actions, damage your company’s reputation, and weaken or eliminate competitive business advantage.

As more employees access your corporate network through mobile devices to communicate, collaborate and share data, your infrastructure becomes increasingly vulnerable to outside attacks and harder to secure and protect. The mixing of personal and work email accounts, apps and data, as well as the proliferation of employee-owned devices, increases the chance of major data leaks.

Rivaling the importance of information security, however, is business-user productivity and satisfaction. A mobilized workforce is only effective if the end-user experience is uncompromised and critical applications and productivity tools operate as efficiently from a mobile device as they do from a PC attached directly to the corporate network. An effective mobile security solution is one that imposes no limitations on end-user productivity.

The BlackBerry end-to-end enterprise security solution secures data from would-be attacks and loss without requiring you to compromise productivity or user satisfaction.

IT managers must now consider a highly complex corporate network infrastructure, accessible to a growing number and diversity of devices and applications, when devising a plan to protect corporate information and maintain worker productivity.

The entryways for potential attacks, data loss and productivity compromises include:

• Employees maintaining a mix of corporate and third-party applications on the same device and exchanging information between the two domains

• The installation of threat-vulnerable containerization on mobile devices

• Employees visiting sites where they encounter malware or malicious threats

• The use of employee-owned devices to access enterprise resources and information

IT managers need a solution that helps them:

• Deliver transparent security for an optimal user experience

• Provide integrated containerization that enables simple enterprise application development and deployment

• Reduce employee misuse of devices

• Keep personal and work information separate

• Ensure that network data, both in transit and at rest, are kept secure

BlackBerry delivers a security solution that satisfies the needs of both enterprises and government agencies. The solution provides the confidentiality, integrity and authenticity to help protect your organization from data loss and theft, while delivering a seamless, simple and uncompromised end-user experience.

Corporate Networks Under Attack

Verizon 2013 Data Breach Investigations Report

• 71% of breaches targeted user devices

• 54% of breaches compromised servers

• 78% of intrusions rated as low difficulty

• 66% of breaches go undetected for six months or longer

BlackBerry Security

A fully integrated end-to-end enterprise mobility security solution

An unavoidable consequence of the explosive expansion of mobile devices within businesses and organizations of all sizes is a proportional elevation in vulnerability to security breaches and data leakage. To protect your information from increased exposure to attacks or data loss through accidental or malicious means, IT administrators require a comprehensive security solution, but one that does not sacrifice business productivity or end-user satisfaction. BlackBerry end-to-end security is purpose built to deliver optimal protection for work-related content, both on devices and in transit. BlackBerry security delivers fast, integrated device, application and content management and fully encrypted behind-the-firewall access to corporate data, without the need for 3rd-party VPNs or add-on security.

The BlackBerry network, combined with its infrastructure, authentication, device management capabilities and hardened BlackBerry® 10 operating system, is the ultimate end-to-end mobile security solution.

BlackBerry security focuses on four critical areas:

• Protecting data in motion

• Protecting work data on personal-use-enabled devices

• Enforcing strong access controls

• Managing devices

These four functions protect your data from breaches, losses or alteration as it transits the end-to-end path from your enterprise BES10 server, through the BlackBerry network, and ultimately to your employees’ BlackBerry devices.

All G7 governments and 16 of the G20 governments rely on BlackBerry security. [1]

The ultimate standard for end-to-end mobile security

• 45 security certificates: more than any other mobile vendor [3]

• 35 PB per month on average: moves more secure mobile data through its infrastructure than any other EMM vendor [3]

• Only MDM provider to obtain ATO on US Defense networks [2]

• Dedicated security team

• FIPS 140-2

• AES 256

Protecting Data in Motion

A key element of the BlackBerry solution for in-transit data security is BES10

Because many of your employees work outside the office, it’s critical that you have strong security measures in place – both on employees’ devices and across internal network infrastructure – to protect data in transit. A key element of the BlackBerry solution for in-transit data security is the BlackBerry Enterprise Service 10, BlackBerry’s device and application management platform. BES10 offers built-in data encryption to help both enterprises and government agencies protect sensitive information and minimize data loss or alteration.

BES10 Overview

BlackBerry has long been the ultimate in mobile security. An integral component of the BlackBerry solution is BES10, which secures in-transit data using transport layer security over the BlackBerry infrastructure. BES10 encrypts data using AES 256-bit encryption prior to transmission, while message keys are encrypted by the device transport key. BES10 also protects and manages devices and applications within the end-to-end BlackBerry security solution.

[Figure: Secure Enterprise Connectivity. Connection paths between a BlackBerry 10 device (Work and Personal spaces) and BlackBerry Enterprise Service 10 (BlackBerry Mobile Data and Connection Service, BlackBerry Dispatcher, Enterprise Management Web Service), content servers, Web servers and Microsoft ActiveSync, running over Wi-Fi or 3G/4G through the BlackBerry Infrastructure, a firewall, or a firewall with VPN gateway into the private network. Each path carries an "Enable Work Network For Personal Use (Enable/Disable)" setting.]

Figure legend:

• TLS: BlackBerry infrastructure authenticated with self certification

• AES 256: Encrypted with device transport key generated during activation

• SSL (Optional): Authenticated with server-specific certificate

• SSL: Authenticated with client/server certificates generated during activation

• Wi-Fi: IEEE 802.11i with 802.1X (EAP-FAST, EAP-TLS, EAP-TTLS, PEAP and LEAP)

• VPN: IPSec or SSL

BES10 Security Philosophy

The security features found in BES10 are built upon a foundation of confidentiality, integrity and authenticity.

Confidentiality: BES10’s encryption capabilities ensure that only intended recipients can view corporate data.

Integrity: All email sent over a secure network is strongly encrypted to keep third parties from decrypting or altering the message.

Authenticity: BES10 provides two-way authentication upon pairing with the device, helping reduce the possibility of counterfeit devices accessing your infrastructure.

BlackBerry 10/BES10 FIPS 140-2 Certification

Businesses and government agencies alike need to feel confident that their highly sensitive data – whether it’s in storage or in transit – stays secure from would-be attackers. The US government created and implemented the FIPS 140-2 computer security standard and uses it to accredit file encryption modules.

Both the BlackBerry 10 OS and BES10 software are FIPS 140-2 certified, which means that your organization’s data is strongly encrypted and the corresponding encryption keys are rigorously protected. BlackBerry 10 devices controlled by BES10 are the only mobile devices to be given Authority to Operate (ATO) on Department of Defense networks.

S/MIME Messaging Encryption

BES10 gives you the option of using digital certificates to sign and encrypt email and file attachments using industry standard S/MIME encryption. When IT personnel activate a mobile device on BES10, the device can be configured to sign and encrypt messages using S/MIME whenever the employee sends emails via his or her work account. S/MIME encryption keeps messages secure by using recipients’ public keys to encrypt the message and their private key to decrypt it. Often overlooked as a security agent, S/MIME is a cost-effective productivity tool for enabling highly secure email communications with business partners and contractors outside of your organization.

Encryption Options

BES10 uses a technique called tunneling to protect data in transit over a secure network. Tunneling incorporates multiple layers of encryption between devices, BES10 and the wireless resource for additional data protection.

For example, when employees access the corporate Wi-Fi network, data transmissions between their device and BES10 are secured first by AES encryption and then by Wi-Fi encryption.

Wi-Fi Encryption (IEEE 802.11): Encrypts data transmitted between mobile devices and wireless access points set up to use Wi-Fi encryption.

VPN Encryption: Encrypts data transmitted between mobile devices and VPN servers.

AES Encryption: Encrypts data transmitted between mobile devices, the BlackBerry infrastructure and BES10.

SSL/TLS Encryption: Encrypts data transmitted between mobile devices and content servers, Web servers, or messaging servers that use Microsoft ActiveSync.

BES10 Layers of Protection

BES10 contains multiple layers of protection so data stays secure both in transit and on devices.

In-transit Data Protection: BES10 protects data transmissions using transport layer security.

Work Data Device Protection: Work file systems and applications are kept separate from personal data and encrypted.

Personal Data Device Protection: IT managers can create policy rules to encrypt data within the personal file system.

Device Access Control: Work Wi-Fi and VPN profiles may be delivered remotely via BES10 to enable corporate network access.

Device Behavior Control: IT managers can remotely lock mobile devices, enforce policies and wipe work/personal data from devices.

Device User Information Protection: Users can delete all their information and application data from device memory.

BlackBerry 10 OS Protection: BlackBerry 10 devices conduct integrity tests to detect kernel damage and restart processes that stop responding.

Application Data Protection Via Sandboxing: Sandboxing separates and restricts the capabilities and permissions of applications running on the device.

Resource Protection: Adaptive partitioning is used to allocate unused resources during typical operating conditions to help ensure resources are available during peak conditions.

Access Capabilities Permissions Management: The BlackBerry 10 OS evaluates each device capability request made by an application, then grants access accordingly.

Boot ROM Code Verification: The device verifies that the boot ROM code is authentic, unmodified and has permission to run on the device.

Tech Talk 2: S/MIME Keys, Certificates and Encryption Algorithms

BlackBerry devices support keys and certificates for the following file formats and file name extensions:

• PEM (.pem, .cer)
• DER (.der, .cer)
• PFX (.pfx, .p12)

A private key and certificate must be stored on the device for each recipient of an encrypted email message. Keys and certificates can be stored simply by importing the files from a work email message. To send encrypted messages, your employees must use their work email accounts.

The following encryption algorithms can be used by BlackBerry devices to encrypt S/MIME-protected messages:

• AES (256-bit)
• AES (192-bit)
• AES (128-bit)
• Triple DES
• RC2

Tech Talk 1: FIPS 140-2 Certification Details

The FIPS 140-2 certification was implemented by the National Institute of Standards and Technology to govern cryptography modules that involve both hardware and software components.

The BlackBerry OS cryptographic kernel, which received FIPS 140-2 certification for the BlackBerry 10 OS and BES10, generates the file encryption keys, the work domain key, the work master key and the system master key to provide a strong layer of security to protect data.

The FIPS 140-2 certificates for BlackBerry 10 and BES10:

BlackBerry Enterprise Service 10: FIPS 140-2 Certificate no. 1765, Consolidated Certificate no. 0019, http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0019.pdf

BlackBerry 10: FIPS 140-2 Certificate no. 1578, Consolidated Certificate no. 0007, http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0007.pdf

Protecting Work Data on Personal-Use-Enabled Devices

BlackBerry Balance and BES10 protect sensitive data

Protecting work data accessible over the corporate Intranet or stored on employees’ devices is a critical part of any comprehensive mobile data security plan. The widespread use of employee-owned and personal-use-enabled devices in corporate environments – Bring Your Own Device (BYOD) and Corporate Owned Personally Enabled (COPE) movements – creates major data security challenges. Without a heavy-duty security architecture in place, one designed for work and personal use, it is easy for employees to leak sensitive work data through personal use such as webmail and browsing, social networking and media, and untrusted personal applications.

With BlackBerry Balance™, a feature of BES10, you can create a “dual-persona” environment on employees’ mobile devices by establishing a separate, secure environment for work-related applications and associated sensitive data. This work environment leverages integrated, cryptographically partitioned file systems to protect sensitive work data while delivering a compelling “work-life” user experience.

BlackBerry Balance: Seamless Separation of Personal & Work Data

BlackBerry Balance identifies and tags data and processes that originate from your company’s Wi-Fi, VPN access or Intranet and routes them to the employee’s work profile on the device. Other personal data and activities, including third-party applications, public Web browsing and personal email, are contained within the personal profile.

BlackBerry Balance Overview and Features

BlackBerry Balance keeps employees’ work and personal information separate and secure on BlackBerry 10 devices using specifically designated areas called Spaces. Within each of these Spaces, data, applications and network connections can be safely stored. Individual Spaces can be governed by their own rules for data storage, application permissions and network routing. Using separate Spaces for work and personal activities helps keep sensitive data secure by preventing employees from copying work data into personal email or displaying information during video chats.

Built-in Password Protection

BES10 allows you to establish and enforce password policies quickly and easily to better protect data stored in employees’ devices. IT policies can be set to require your employees to enter a password or use their corporate single sign-on using Active Directory® services to gain access to Spaces containing work-related data. This keeps data at rest on employee devices safe and protected.

BlackBerry Balance in action

After eight years of employment at your company, a salesperson is leaving to take a leadership role at a startup business that will share the same competitive space as your company. Looking to jumpstart the customer acquisition process, the departing salesperson, who has access to the corporate customer relationship management (CRM) system, attempts to send your company’s customer list and deal status to his personal email account before leaving the company.

The soon-to-be former employee accesses the CRM application from his BlackBerry 10 device and tries to paste the list and deal information into his personal email account. Because BlackBerry Balance prevents copy and paste functions between employees’ work profiles and personal profiles, the employee is unable to move data into his personal email or copy files from his Work Space to his Personal Space. Your company’s sales information stays safe. In addition, BES10 allows you to wipe all corporate information from an employee-owned device after the employee has left the company, without impacting personal data.

Using BlackBerry Balance, you can:

• Control employee access to company data and applications on their devices

• Prevent company data from becoming compromised

• Provide employees a unified and consistent user experience with a core set of applications when accessing personal or work data

• Install and manage company applications on employees’ devices remotely

• Remove company data and applications from employee-owned devices when needed, without impacting personal configuration and data

• Control network connections for work and personal applications remotely

BlackBerry Balance lets you control how devices separate, secure and protect company data and resources.

Tech Talk 3: Work Space/Personal Space in Detail

BlackBerry Balance and BES10 provide a work environment that securely separates work and personal information on mobile devices. Devices classify data as work data or personal data based on the source of the data. For example, if data comes from a work-related source, it is stored in the device’s Work Space. Personal and Work Spaces can have different rules for data storage, application permissions and network routing. The separate spaces help users to avoid activities such as accidentally copying work data into a personal application or displaying confidential work data. IT administrators have the option of managing and securing data in a Personal Space.

[Figure: Work Space and Personal Space, each holding apps and data, above the base file system. Labels: "Encrypt" on the Work Space; "Encrypt (optional)" on the Personal Space.]

Enforcing Strong Access Controls

BlackBerry security gives you greater control over how and when mobile devices connect to your network infrastructure and access data

BlackBerry security delivers multiple access control features, such as device authentication, anti-counterfeiting manufacturing controls and device OS protection, that verify and maintain device integrity. These features help ensure only authorized devices used by authorized employees gain entry into your network, use network services and access data.

BlackBerry Hardware Root of Trust

BlackBerry takes specific steps to help ensure the integrity of its devices and prevent counterfeit devices from connecting to the BlackBerry infrastructure.

Security is built into each major BlackBerry device component, making it more difficult for unauthorized users to remove or circumvent security on a BlackBerry device than on other mobile operating systems. Plus, all parts of the BlackBerry supply chain, from its manufacturing partners to the BlackBerry infrastructure and devices, are securely connected, which means trusted BlackBerry devices can be built around the world.

This secure manufacturing model helps prevent the impersonation of authentic BlackBerry devices and ensures that only authentic BlackBerry devices can connect to the BlackBerry infrastructure. Any device trying to connect to the BlackBerry infrastructure must complete the self-verification process before access is granted.

Authentication

Multiple forms of authentication take place within the BlackBerry system to minimize the possibility of data loss and outside attack. First, the BlackBerry infrastructure and BES10 authenticate with each other by sharing a Server Routing Protocol (SRP) authentication key before a connection takes place.

The second level of authentication takes place between BES10 and the activated BlackBerry 10 device. When the device is activated, it generates a key pair and sends the public key to BES10. The BES10 server then creates a client certificate and sends an enterprise management root certificate and client certificate back to the device. The device uses the enterprise management root certificate to authenticate the server certificate for the enterprise management Web service. BES10 and the BlackBerry 10 device use the client certificate to authenticate users, their Work Spaces and their devices.

[Figure: BlackBerry 10 Operating System verification chain. The CPU-embedded boot ROM carries the boot ROM digital signature and the public EC 521 key of the OS signature, and verifies the BlackBerry 10 OS. The OS carries the SHA256 hash of the base file system (signed with EC 521) and verifies the read-only base file system. The base file system carries the XML manifest of loaded applications (cryptographically hashed), against which Applications 1 to 4 are verified.]

Software Upgrades and Application Downloads from BlackBerry World: All downloads verified with ECC signed SHA-2 hashes.
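The verification chain in the figure above (boot ROM key, signed OS, signed SHA-256 hash of the base file system, hashed application manifest), as an added Go example that is not BlackBerry's code. The image layout, the use of one signing key for both signed stages, and the plain-text "name hash" manifest standing in for the XML manifest are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Image is a constructed stand-in for a device's flash contents. The layout is
// an assumption for illustration, not BlackBerry's real image format.
type Image struct {
	OS        []byte            // operating system image
	OSSig     []byte            // P-521 signature over SHA-256(OS)
	BaseFS    []byte            // read-only base file system; here only the app manifest
	BaseFSSig []byte            // P-521 signature over SHA-256(BaseFS)
	Apps      map[string][]byte // application binaries, keyed by name
}

var (
	ErrOS     = errors.New("stage 1: OS signature invalid")
	ErrBaseFS = errors.New("stage 2: base file system signature invalid")
	ErrApp    = errors.New("stage 3: application does not match manifest")
)

// NewSigningKey creates the vendor key pair (hypothetical helper); the public
// half is what the boot ROM would hold.
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
}

func sign(priv *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

func verify(pub *ecdsa.PublicKey, data, sig []byte) bool {
	h := sha256.Sum256(data)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// BuildImage plays the vendor's signing step: it writes "name sha256hex" lines
// into the base file system as the manifest, then signs the OS and the base FS.
func BuildImage(priv *ecdsa.PrivateKey, osImage []byte, apps map[string][]byte) (Image, error) {
	var manifest strings.Builder
	for name, bin := range apps {
		h := sha256.Sum256(bin)
		fmt.Fprintf(&manifest, "%s %s\n", name, hex.EncodeToString(h[:]))
	}
	img := Image{OS: osImage, BaseFS: []byte(manifest.String()), Apps: apps}
	var err error
	if img.OSSig, err = sign(priv, img.OS); err != nil {
		return Image{}, err
	}
	if img.BaseFSSig, err = sign(priv, img.BaseFS); err != nil {
		return Image{}, err
	}
	return img, nil
}

// VerifyBoot walks the chain in order and stops at the first broken link, so
// no stage is trusted before the stage beneath it has been verified.
func VerifyBoot(romKey *ecdsa.PublicKey, img Image) error {
	if !verify(romKey, img.OS, img.OSSig) {
		return ErrOS
	}
	if !verify(romKey, img.BaseFS, img.BaseFSSig) {
		return ErrBaseFS
	}
	// The manifest is read only now that the base file system is verified.
	want := map[string]string{}
	for _, line := range strings.Split(string(img.BaseFS), "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			want[f[0]] = f[1]
		}
	}
	for name, bin := range img.Apps {
		h := sha256.Sum256(bin)
		if want[name] != hex.EncodeToString(h[:]) {
			return fmt.Errorf("%w: %s", ErrApp, name)
		}
	}
	return nil
}

func main() {
	priv, _ := NewSigningKey()
	img, _ := BuildImage(priv, []byte("constructed OS image"),
		map[string][]byte{"mail": []byte("mail v1"), "browser": []byte("browser v1")})
	fmt.Println("clean image:", VerifyBoot(&priv.PublicKey, img))
	img.Apps["mail"] = []byte("mail v1, modified after signing")
	fmt.Println("modified app:", VerifyBoot(&priv.PublicKey, img))
}
```

Because the manifest lives inside the signed base file system, rewriting a manifest entry to match a modified application fails at stage 2 rather than stage 3.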

BlackBerry 10 Device OS Security Features

Protecting the device’s OS is one of the most important functions of mobile device security. However, it’s sometimes neglected by other manufacturers focused on consumer devices, since it can be challenging to verify the security vulnerabilities contained in millions of lines of source code, a common characteristic of many devices’ OSs. The BlackBerry 10 OS includes security features for OS protection, including:

Microkernel Implementation: The hardened QNX microkernel used in the BlackBerry 10 OS contains approximately 150,000 lines of code. With fewer lines of code, the BlackBerry OS is less susceptible to vulnerabilities than other platforms. As a result, rigorous security verification and testing are achieved even with a fixed amount of IT resources.

Resilient Design: To reduce risks, the microkernel contains processes associated with personal use. Any unresponsive or misbehaving process is automatically restarted or killed, respectively, without impacting other processes.

Root Process Minimization: To reduce security risks, only the most essential BlackBerry processes are run in root mode. This mode is never available to third parties.

BlackBerry World Application Stores

Once a BlackBerry 10 device is activated on BES10, it has access to two separate BlackBerry World application storefronts: BlackBerry World for personal use and BlackBerry World for Work for enterprise use.

Within the Work Space, only applications approved by the BES10 administrator are permitted to be installed. Work applications can either be “pushed” to users based on policy or “pulled” by users for optional use. Within the Personal Space, users are free to download any application available through BlackBerry World.

For the large majority of organizations, BlackBerry Balance, available via the BES10 Silver EMM [4] configuration, optimizes the balance between security and employee expectations for a compelling work and life end-user experience. Some highly sensitive, regulated environments, however, may not permit personal use on employee devices due to established risk management policies. For these organizations, often operating in government, financial services or healthcare sectors, for example, BlackBerry offers the BES10 Gold EMM [5] configuration, which gives administrators the ability to disable personal use as well as impose device, application and content controls that exceed the granularity of the BES10 Silver EMM configuration. No other mobile platform offers this unique capability.

The BES10 regulated-level device management control features enable large enterprises and government and regulated industries to manage fully locked-down devices with a set of controls unmatched in their level of granularity.

Gold level device management capabilities include:

• BlackBerry 10 Mobile Device Management (MDM) capabilities designed for secure government and regulated environments

• Enforcement of corporate-only use and granular controls to manage use of camera, storage, WiFi, Bluetooth and other device features

• Option to enable a controlled Personal Space through BlackBerry Balance while ensuring all work content is fully protected within the Work Space

• User friendly and intuitive management console to manage your devices, users, groups, apps and services, including reporting and dashboard capabilities

Sampling of Regulated-level BlackBerry 10 Device Management Controls

Mobile Hotspot Mode and Tethering: Specify whether to allow Mobile Hotspot mode, tethering using Bluetooth technology, and tethering using a USB cable on a BlackBerry 10 device.

Wireless Service Provider Billing: Specify whether a BlackBerry 10 device user can purchase applications from the BlackBerry World app storefront using the purchasing plan for your organization’s wireless service provider.

Maximum Password Age: Specify the maximum number of days that can elapse before a BlackBerry 10 device password expires and a BlackBerry 10 device user must set a new password.

Wipe the Work Space without Network Connectivity: Specify the time in hours that must elapse without a BlackBerry 10 device connecting to your organization’s network before wiping the entire device.

Non-Email Accounts: Specify whether a BlackBerry 10 device user can add third-party accounts for services such as Facebook, Twitter, LinkedIn and Evernote to the device.

Network Access Control for Work Applications: Specify whether work applications on a BlackBerry 10 device must connect to your organization’s network through BES10.

Log Submission: Specify whether a BlackBerry 10 device can generate and send log files to the BlackBerry Technical Solution Center.

Bluetooth: Specify whether a BlackBerry 10 device can use Bluetooth technology.

SMS/MMS: Specify whether a BlackBerry 10 device can send SMS text messages and MMS messages.

Camera: Specify whether a BlackBerry 10 device can use the camera.

BES10’s Gold level EMM controls and settings deliver the ultimate security solution for government and other high-security environments.

Leaders in innovation

• Largest Research & Development staff of any EMM vendor [3]

• Expansion of security model to iOS and Android

• Scalability: 100K devices per server

• 30K+ BES10 servers globally

• 44K patents

Managing Devices

With BES10 you can also easily manage iOS and Android™ devices from a central location

A typical enterprise may contain hundreds of devices, each one a potential unauthorized entry point into your corporate servers. To help IT departments get a handle on the large number and diversity of devices attached to your network, BlackBerry has extended its security model to iOS and Android smartphones and tablets through BES10. With the ability to use BES10 to manage multiple types of devices from a single platform and management console, IT administrators are able to strike the perfect balance between corporate and end user needs.

Secure Work Space for iOS and Android

BlackBerry has also extended its ability to protect corporate data through the creation of secure computing and communications environments to iOS and Android devices. Secure Work Space is a containerization, application-wrapping and secure connectivity option for iOS and Android smartphones and tablets that is managed through the BES10 administration console. Managed applications are secured and separated from personal apps and data, providing an integrated email, calendar and contacts app, an enterprise-level secure browser, and secure document viewing and editing. User authentication is required to access secure apps, and work data cannot be shared outside the Secure Work Space. The trusted BlackBerry security model provides built-in secure connectivity for all enterprise apps deployed to the Secure Work Space – no VPN needed.

BlackBerry Mobile Device Management in Action

Your company has hired several new employees – each due to receive a BlackBerry 10 smartphone. The IT department quickly and easily adds a user account for each employee into BES10 using information from your company’s Microsoft Active Directory. An activation password for each account is created, along with the Server Routing Protocol (SRP) ID of the BES10, and delivered to the respective employee.

The new employees type their user IDs, passwords and SRP IDs into their BlackBerry 10 devices to activate them. The smartphone’s enterprise management agent establishes a secure connection through the BlackBerry infrastructure over the network to BES10. Encryption keys, based on IT department policies, are generated. Work Spaces are created, and profiles and software configurations are sent to each smartphone. In just a few short steps, the incoming employees are empowered with fully functional and secure mobile devices.

Managing Devices Using Device Wipe With BES10 and BlackBerry Balance you can keep company data safe while leaving employee personal data intact Using BES10 you can remotely wipe an employeersquos Work Space and all its content leaving all personal data on the device in place

You can also use BES10 to create policies that delete the Work Space from the device if certain events occur or specific conditions are met For example you can create a policy to delete the Work Space if the number of failed password attempts exceeds the maximum number allowed You can also wipe the device if employees exceed their allotment of permitted hours or days since the last network connection

Device Wipe in Action An employee has just received a job offer from a competitor This employee works in your companyrsquos procurement department and has access to the company enterprise resource planning (ERP) system via her BlackBerry 10 device Using the ERP system application the employee can see the companyrsquos suppliers vendors parts inventory backlogs sales projections and more

The employee accepts the job offer and gives a two-week notice Her manager alerts HR and IT departments about her upcoming departure On her last day IT wipes the employeersquos work profile from her BlackBerry 10 device which prevents her from accessing the ERP and email systems However all of her personal information remains intact on her device as she moves on to her next job

Distribution and Application Security Using BlackBerry World for Work

A benefit of BlackBerry Balance is that it allows IT to create and deploy a customized business application store called BlackBerry World for Work. With BlackBerry World for Work, you can push, install and manage business and productivity applications over the network to BlackBerry 10 device Work Spaces via BES10.

Application Sandboxing

The application sandboxing and malware controls found in BlackBerry 10 help keep company data safe and secure from potentially malicious applications. BlackBerry 10 also protects employees’ personal data by allowing them to configure their devices’ application controls and limit application access to their personal information.

Sandboxing separates and restricts an application’s capabilities and permissions. The sandbox is a virtual container that uses device memory and part of the file system, and grants access to the application at a specific time. Applications can have sandboxes in both an employee’s Work Space and Personal Space, yet each remains isolated from the other. The BlackBerry 10 OS monitors application process requests for memory outside its sandbox. If the application attempts to access memory outside its sandbox, the BlackBerry 10 OS will stop the process and reclaim the memory it uses, then restart the process without impacting other processes operating at the same time. In addition, each application is assigned its own specific group identification, which cannot be shared or reused by another application. Each application stores data in its own sandbox, and the BlackBerry 10 OS prevents other applications from accessing this specific data.

Malware Controls

The BlackBerry 10 OS includes tight controls to reduce the possibility of malware attacks, including a ‘contain-and-constrain’ strategy that minimizes risks. Application process requests are constrained within employees’ Personal Space on the device, and the BlackBerry OS microkernel monitors inter-process communications for potential issues. The microkernel also monitors memory access by the Personal Space and authorizes its use as needed. Any application process that attempts an unauthorized memory access request is automatically restarted or shut down, protecting your company data. In the employee’s Personal Space, application permissions are used to protect personal data from potential malware attacks.

Malware Protection in Action

Instead of downloading an application to the device from the prescribed channel, an employee downloads an application from the Internet to her personal computer, then moves the application, which contains malware, to the device’s Personal Space. The malware scans the employee’s device for names, phone numbers, credit card numbers or any other bits of identity information that can be stolen and misused.

Work-related information is not impacted, as all company information remains isolated and locked down on the device’s Work Space, fully protected and secure.


End-to-end Security

Securing and protecting corporate data is of paramount concern for all enterprises. As businesses continue to adopt and expand mobility options as a means of improving worker productivity and end-user satisfaction, however, protecting corporate information and guarding against data loss becomes an increasingly complex challenge for IT departments. Underlining the situation is the fact that each personal-enabled device added to the corporate network brings with it a new opportunity in which sensitive enterprise data can be disclosed accidentally or intentionally stolen, either by the device user or by any untrusted application that is installed on the device. Accordingly, today’s resource-challenged IT departments require proven and comprehensive enterprise mobility management solutions that have integrated security designs and controls necessary to protect against these new risks while delivering the compelling work and life experience that employees demand.

But protecting corporate data from misuse and loss is only half of the story. A mobile security solution, even an ironclad one, must also secure work applications while delivering an environment that enables developers to quickly and effectively create enterprise applications. BlackBerry 10 delivers on this promise with a highly functional application environment that is transparent to developers.

BlackBerry 10 was designed from the ground up to provide enterprises with the optimal balance of protection and productivity. BlackBerry 10, BES10, the BlackBerry infrastructure and BlackBerry 10 devices constitute an ironclad security solution that spans your entire business and delivers a productive and feature-rich work environment with an integrated suite of productivity applications for your increasingly mobilized workforce.


BlackBerry® Z30 Smartphone
Size: 140.7mm x 72mm x 9.4mm
Display: 5" Super AMOLED display, 24 bit color, 1280 x 720 resolution at 295 PPI
Software: BlackBerry® 10 OS
Memory: 2GB RAM, 16GB Flash®, hot-swappable Micro SD slot
Processor: Dual Core 1.7 GHz Qualcomm MSM8960, Quad-core GPU
Battery Life¹: Mixed use up to 25 hours; talk time up to 18 hours UMTS, 14 hours GSM; standby time up to 16 days; music up to 90 hours; video up to 12 hours
Camera: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®²: 802.11 a/b/g/n enabled, 4G Mobile Hotspot

BlackBerry® Z10 Smartphone
Size: 130mm x 65.6mm x 9mm
Display: 4.2" 4-point multi-touch LCD display, 1280 x 768 resolution at 356 DPI
Software: BlackBerry® 10 OS
Memory: 2GB RAM, 16GB Flash®, hot-swappable Micro SD slot
Processor: Dual Core 1.5 GHz Texas Instruments OMAP 4470
Battery Life¹: Talk time up to 11 hours on 3G; standby time up to 408 hours on 3G, up to 397 hours on 2G; music up to 51 hours; video up to 10 hours
Camera: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®²: 802.11 b/g/n enabled, Mobile Hotspot

BlackBerry® Q10 Smartphone
Size: 119.6mm x 66.8mm x 10.35mm
Display: 3.1" Super AMOLED display, 720 x 720 resolution at 330 PPI
Software: BlackBerry® 10 OS
Memory: 2GB RAM, 16GB Flash®, hot-swappable Micro SD slot
Processor: Dual-core 1.5 GHz Qualcomm® MSM8960
Battery Life¹: Talk time up to 13.5 hours on 3G; standby time up to 345 hours on 3G, up to 324 hours on 2G; music up to 62 hours; video up to 9 hours
Camera: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®²: 802.11 a/b/g/n enabled, 4G Mobile Hotspot

BlackBerry® Q5 Smartphone
Size: 120mm x 66mm x 10.8mm
Display: 3.1" Capacitive multi-touch LCD display, 720 x 720 resolution at 329 PPI
Software: BlackBerry® 10 OS
Memory: 2GB RAM, 8GB Flash®, hot-swappable Micro SD slot
Processor: Dual Core 1.2 GHz Qualcomm® MSM8960
Battery Life¹: Talk time 3G up to 12.5 hours, 2G up to 10 hours; standby time up to 14 days on 3G, up to 13 days on 4G; music up to 62 hours; video up to 9 hours
Camera: 5 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®²: 802.11 b/g/n enabled, Mobile Hotspot

¹ Many factors affect battery life, including but not limited to network, transmission environment, battery age, usage, location, software and feature configuration.
² WiFi availability may vary between country and mobile network operators.


BlackBerry Technical Support Services

Support is a key component of your Enterprise Mobility Management strategy. Implementing BES10 is easier than ever, but having a strategic support partner is still essential to assist you in delivering your mobility objectives. BlackBerry Technical Support Services offers a unique blend of technical expertise, rapid issue resolution and proactive, relationship-based support to help you realise the full potential of your BES10 multi-platform management infrastructure. For more information, visit blackberry.com/btss

Learn more at BES10.com/security

¹ February 2014
² August 2013
³ November 2013
⁴ Silver level EMM provides the management and control feature set for iOS, Android and BlackBerry 10 devices, previously known as BES10 EMM Corporate.
⁵ Gold level EMM provides the management and control feature set for BlackBerry 10 devices, previously known under the name EMM Regulated, and also covers the containerization option for iOS and Android management known as Secure Work Space for iOS and Android.

Screen images simulated.

© 2014 BlackBerry. All rights reserved. BlackBerry® and related trademarks, names and logos are the property of BlackBerry Limited and are registered and/or used in the US and countries around the world. All other trademarks are the property of their respective owners. iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the US and certain other countries. iOS is used under license by Apple Inc. Apple Inc. does not sponsor, authorize or endorse this brochure. Android is a trademark of Google Inc., which does not sponsor, authorize or endorse this brochure.

EZ PASS

FREE perpetual BES10 licenses for all existing BlackBerry and other active MDM licenses, plus receive world class BlackBerry Advantage Level Technical Support FREE of charge.

Learn more at blackberry.com/ezpass

Additional Terms and Conditions will apply.


The BlackBerry end-to-end enterprise security solution secures data from would-be attacks and loss without requiring you to compromise productivity or user satisfaction.

IT managers must now consider a highly complex corporate network infrastructure, accessible to a growing number and diversity of devices and applications, when devising a plan to protect corporate information and maintain worker productivity.

The entryways for potential attacks, data loss and productivity compromises include:

• Employees maintaining a mix of corporate and third-party applications on the same device and exchanging information between the two domains
• The installation of threat-vulnerable containerization on mobile devices
• Employees visiting sites where they encounter malware or malicious threats
• The use of employee-owned devices to access enterprise resources and information

IT managers need a solution that helps them:

• Deliver transparent security for an optimal user experience
• Provide integrated containerization that enables simple enterprise application development and deployment
• Reduce employee misuse of devices
• Keep personal and work information separate
• Ensure that network data, both in transit and at rest, are kept secure

BlackBerry delivers a security solution that satisfies the needs of both enterprises and government agencies. The solution provides the confidentiality, integrity and authenticity to help protect your organization from data loss and theft while delivering a seamless, simple and uncompromised end-user experience.


Corporate Networks Under Attack

Verizon 2013 Data Breach Investigations Report:

• 71% of breaches targeted user devices
• 54% of breaches compromised servers
• 78% of intrusions rated as low difficulty
• 66% of breaches go undetected for six months or longer


BlackBerry Security

A fully integrated end-to-end enterprise mobility security solution

An unavoidable consequence of the explosive expansion of mobile devices within businesses and organizations of all sizes is a proportional elevation in vulnerability to security breaches and data leakage. To protect your information from increased exposure to attacks or data loss through accidental or malicious means, IT administrators require a comprehensive security solution, but one that does not sacrifice business productivity or end-user satisfaction. BlackBerry end-to-end security is purpose built to deliver optimal protection for work-related content, both on devices and in transit. BlackBerry security delivers fast, integrated device, application and content management and fully encrypted behind-the-firewall access to corporate data without the need for 3rd-party VPNs or add-on security.

The BlackBerry network, combined with its infrastructure, authentication, device management capabilities and hardened BlackBerry® 10 operating system, is the ultimate end-to-end mobile security solution.

BlackBerry security focuses on four critical areas:

• Protecting data in motion
• Protecting work data on personal-use-enabled devices
• Enforcing strong access controls
• Managing devices

These four functions protect your data from breaches, losses or alteration as it transits the end-to-end path from your enterprise BES10 server, the BlackBerry network and, ultimately, your employees’ BlackBerry devices.

The ultimate standard for end-to-end mobile security

• All G7 governments and 16 of the G20 governments rely on BlackBerry security.¹
• 45 security certificates: more than any other mobile vendor.³
• 35PB per month on average: moves more secure mobile data through its infrastructure than any other EMM vendor.³
• Only MDM provider to obtain ATO on US Defense networks.²
• Dedicated Security Team
• FIPS 140-2
• AES256


Protecting Data in Motion

A key element of the BlackBerry solution for in-transit data security is BES10

Because many of your employees work outside the office, it’s critical that you have strong security measures in place – both on employees’ devices and across internal network infrastructure – to protect data in transit. A key element of the BlackBerry solution for in-transit data security is the BlackBerry Enterprise Service 10, BlackBerry’s device and application management platform. BES10 offers built-in data encryption to help both enterprises and government agencies protect sensitive information and minimize data loss or alteration.

BES10 Overview

BlackBerry has long been the ultimate in mobile security. An integral component of the BlackBerry solution is BES10, which secures in-transit data using transport layer security over the BlackBerry infrastructure. BES10 encrypts data using AES 256-bit encryption prior to transmission, while message keys are encrypted by the device transport key. BES10 also protects and manages devices and applications within the end-to-end BlackBerry security solution.

Secure Enterprise Connectivity

[Figure: Secure Enterprise Connectivity network diagram. Labelled elements: BlackBerry 10 device (Work, Personal); Wi-Fi or 3G/4G; BlackBerry Infrastructure; firewall; firewall with VPN gateway; BlackBerry Enterprise Service 10 (BlackBerry Mobile Data and Connection Service, BlackBerry Dispatcher, Enterprise Management Web Service); content servers; web servers; Microsoft ActiveSync; private network. Link labels: TLS over Wi-Fi or 3G/4G; VPN over Wi-Fi or 3G/4G; AES; SSL; SSL (Optional); Enable Work Network For Personal Use (Enable/Disable).]

Legend:

VPN: IPSec or SSL
TLS: BlackBerry infrastructure authenticated with self certification
AES 256: Encrypted with device transport key generated during activation
SSL (Optional): Authenticated with server specific certificate
SSL: Authenticated with client/server certificates generated during activation
Wi-Fi: IEEE 802.11i with 802.1x (EAP-FAST, EAP-TLS, EAP-TTLS, PEAP and LEAP)


BES10 Security Philosophy


The security features found in BES10 are built upon a foundation of confidentiality, integrity and authenticity.

Confidentiality: BES10’s encryption capabilities ensure that only intended recipients can view corporate data.

Integrity: All email sent over a secure network is strongly encrypted to keep third parties from decrypting or altering the message.

Authenticity: BES10 provides two-way authentication upon pairing with the device, helping reduce the possibility of counterfeit devices accessing your infrastructure.


BlackBerry 10/BES10 FIPS 140-2 Certification

Businesses and government agencies alike need to feel confident that their highly sensitive data – whether it’s in storage or in transit – stays secure from would-be attackers. The US government created and implemented the FIPS 140-2 computer security standard and uses it to accredit file encryption modules.

Both the BlackBerry 10 OS and BES10 software are FIPS 140-2 certified, which means that your organization’s data is strongly encrypted and the corresponding encryption keys are rigorously protected. BlackBerry 10 devices controlled by BES10 are the only mobile devices to be given Authority to Operate (ATO) on Department of Defense networks.

S/MIME Messaging Encryption

BES10 gives you the option of using digital certificates to sign and encrypt email and file attachments using industry standard S/MIME encryption. When IT personnel activate a mobile device on BES10, the device can be configured to sign and encrypt messages using S/MIME whenever the employee sends emails via his or her work account. S/MIME encryption keeps messages secure by using recipients’ public keys to encrypt the message and their private key to decrypt it. Often overlooked as a security agent, S/MIME is a cost-effective productivity tool for enabling highly secure email communications with business partners and contractors outside of your organization.

Encryption Options

BES10 uses a technique called tunneling to protect data in transit over a secure network. Tunneling incorporates multiple layers of encryption between devices, BES10 and the wireless resource for additional data protection.

For example, when employees access the corporate Wi-Fi network, data transmissions between their device and BES10 are secured first by AES encryption and then by Wi-Fi encryption.

• Wi-Fi Encryption (IEEE 802.11): Encrypts data transmitted between mobile devices and wireless access points set up to use Wi-Fi encryption
• VPN Encryption: Encrypts data transmitted between mobile devices and VPN servers
• AES Encryption: Encrypts data transmitted between mobile devices, the BlackBerry infrastructure and BES10
• SSL/TLS Encryption: Encrypts data transmitted between mobile devices and content servers, Web servers or messaging servers that use Microsoft ActiveSync

BES10 Layers of Protection

BES10 contains multiple layers of protection so data stays secure both in transit and on devices.

• In-transit Data Protection: BES10 protects data transmissions using transport layer security
• Work Data Device Protection: Work file systems and applications are kept separate from personal data and encrypted
• Personal Data Device Protection: IT managers can create policy rules to encrypt data within the personal file system
• Device Access Control: Work Wi-Fi and VPN profiles may be delivered remotely via BES10 to enable corporate network access
• Device Behavior Control: IT managers can remotely lock mobile devices, enforce policies and wipe work/personal data from devices
• Device User Information Protection: Users can delete all their information and application data from device memory
• BlackBerry 10 OS Protection: BlackBerry 10 devices conduct integrity tests to detect kernel damage and restart processes that stop responding
• Application Data Protection Via Sandboxing: Sandboxing separates and restricts the capabilities and permissions of applications running on the device
• Resource Protection: Adaptive partitioning is used to allocate unused resources during typical operating conditions to help ensure resources are available during peak conditions
• Access Capabilities Permissions Management: The BlackBerry 10 OS evaluates each device capability request made by an application, then grants access accordingly
• Boot ROM Code Verification: The device verifies that the boot ROM code is authentic, unmodified and has permission to run on the device


Tech Talk 1: FIPS 140-2 Certification Details

The FIPS 140-2 certification was implemented by the National Institute of Standards and Technology to govern cryptography modules that involve both hardware and software components.

The BlackBerry OS cryptographic kernel, which received FIPS 140-2 certification for the BlackBerry 10 OS and BES10, generates the file encryption keys, the work domain key, the work master key and the system master key to provide a strong layer of security to protect data.

The FIPS 140-2 certificate for BlackBerry 10 and BES10:

BlackBerry Enterprise Service 10: FIPS 140-2 Certificate no. 1765, Consolidated Certificate no. 0019
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0019.pdf

BlackBerry 10: FIPS 140-2 Certificate no. 1578, Consolidated Certificate no. 0007
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0007.pdf

Tech Talk 2: S/MIME Keys, Certificates and Encryption Algorithms

BlackBerry devices support keys and certificates for the following file format and file name extensions:

• PEM (.pem, .cer)
• DER (.der, .cer)
• PFX (.pfx, .p12)

A private key and certificate must be stored on the device for each recipient of an encrypted email message. Keys and certificates can be stored simply by importing the files from a work email message. To send encrypted messages, your employees must use their work email accounts.

The following encryption algorithms can be used by BlackBerry devices to encrypt S/MIME-protected messages:

• AES (256-bit)
• AES (192-bit)
• AES (128-bit)
• Triple DES
• RC2


Protecting Work Data on Personal-Use-Enabled Devices

BlackBerry Balance and BES10 protect sensitive data

Protecting work data accessible over the corporate Intranet or stored on employees’ devices is a critical part of any comprehensive mobile data security plan. The widespread use of employee-owned and personal-use-enabled devices in corporate environments – Bring Your Own Device (BYOD) and Corporate Owned, Personally Enabled (COPE) movements – creates major data security challenges. Without a heavy-duty security architecture in place, one designed for work and personal use, it is easy for employees to leak sensitive work data through personal use such as webmail and browsing, social networking and media, and untrusted personal applications.

With BlackBerry Balance™, a feature of BES10, you can create a “dual-persona” environment on employees’ mobile devices by establishing a separate, secure environment for work-related applications and associated sensitive data. This work environment leverages integrated, cryptographically partitioned file systems to protect sensitive work data while delivering a compelling “work-life” user experience.

BlackBerry Balance: Seamless Separation of Personal & Work Data

BlackBerry Balance identifies and tags data and processes that originate from your company’s Wi-Fi, VPN access or Intranet and routes it to the employee’s work profile on the device. Other personal data and activities, including third-party applications, public Web browsing and personal email, are contained within the personal profile.

BlackBerry Balance Overview and Features

BlackBerry Balance keeps employees’ work and personal information separate and secure on BlackBerry 10 devices using specifically designated areas called Spaces. Within each of these Spaces, data, applications and network connections can be safely stored. Individual Spaces can be governed by their own rules for data storage, application permissions and network routing. Using separate Spaces for work and personal activities helps keep sensitive data secure by preventing employees from copying work data into personal email or displaying information during video chats.


Built-in Password Protection

BES10 allows you to establish and enforce password policies quickly and easily to better protect data stored in employees’ devices. IT policies can be set to require your employees to enter a password or use their corporate single sign-on using Active Directory® services to gain access to Spaces containing work-related data. This keeps data at rest on employee devices safe and protected.

BlackBerry Balance in Action

After eight years of employment at your company, a salesperson is leaving to take a leadership role at a startup business that will share the same competitive space as your company. Looking to jumpstart the customer acquisition process, the departing salesperson, who has access to the corporate customer relationship management (CRM) system, attempts to send your company’s customer list and deal status to his personal email account before leaving the company.

The soon-to-be former employee accesses the CRM application from his BlackBerry 10 device and tries to paste the list and deal information into his personal email account. Because BlackBerry Balance prevents copy and paste functions between employees’ work profiles and personal profiles, the employee is unable to move data into his personal email or copy files from his Work Space to his Personal Space. Your company’s sales information stays safe. In addition, BES10 allows you to wipe all corporate information from an employee-owned device after the employee has left the company without impacting personal data.

Using BlackBerry Balance, you can:

• Control employee access to company data and applications on their devices
• Prevent company data from becoming compromised
• Provide employees a unified and consistent user experience with a core set of applications when accessing personal or work data
• Install and manage company applications on employees’ devices remotely
• Remove company data and applications from employee-owned devices when needed without impacting personal configuration and data
• Control network connections for work and personal applications remotely

BlackBerry Balance lets you control how devices separate, secure and protect company data and resources.


Tech Talk 3: Work Space/Personal Space in Detail

BlackBerry Balance and BES10 provide a work environment that securely separates work and personal information on mobile devices. Devices classify data as work data or personal data based on the source of the data. For example, if data comes from a work-related source, it is stored in the device’s Work Space. Personal and Work Spaces can have different rules for data storage, application permissions and network routing. The separate spaces help users to avoid activities such as accidentally copying work data into a personal application or displaying confidential work data. IT administrators have the option of managing and securing data in a Personal Space.

[Figure: Work and Personal on one device. Work Space: apps and data, marked "Encrypt". Personal Space: apps and data, marked "Encrypt (optional)". Both sit above the base file system.]


Enforcing Strong Access Controls

BlackBerry security gives you greater control over how and when mobile devices connect to your network infrastructure and access data

BlackBerry security delivers multiple access control features, such as device authentication, anti-counterfeiting manufacturing controls and device OS protection, that verify and maintain device integrity. These features help ensure only authorized devices used by authorized employees gain entry into your network, use network services and access data.

BlackBerry Hardware Root of Trust

BlackBerry takes specific steps to help ensure the integrity of its devices and prevent counterfeit devices from connecting to the BlackBerry infrastructure.

Security is built into each major BlackBerry device component, making it more difficult for unauthorized users to remove or circumvent security on a BlackBerry device than on other mobile operating systems. Plus, all parts of the BlackBerry supply chain, from its manufacturing partners to the BlackBerry infrastructure and devices, are securely connected, which means trusted BlackBerry devices can be built around the world.

This secure manufacturing model helps prevent the impersonation of authentic BlackBerry devices and ensures that only authentic BlackBerry devices can connect to the BlackBerry infrastructure. Any device trying to connect to the BlackBerry infrastructure must complete the self-verification process before access is granted.

Authentication

Multiple forms of authentication take place within the BlackBerry system to minimize the possibility of data loss and outside attack. First, the BlackBerry infrastructure and BES10 authenticate with each other by sharing a Server Routing Protocol (SRP) authentication key before a connection takes place.

The second level of authentication takes place between BES10 and the activated BlackBerry 10 device. When the device is activated, it generates a key pair and sends the public key to BES10. The BES10 server then creates a client certificate and sends an enterprise management root certificate and client certificate back to the device. The device uses the enterprise management root certificate to authenticate the server certificate for the enterprise management Web service. BES10 and the BlackBerry 10 device use the client certificate to authenticate users, their Work Spaces and their devices.

BlackBerry 10 Operating System

[Figure: boot verification chain, each step marked "Verified".
CPU Embedded Boot ROM: Boot ROM digital signature.
Boot ROM: Public EC 521 Key of OS Signature.
BlackBerry 10 OS: SHA256 hash of Base File System (signed with EC 521).
Base File System (read only): XML Manifest of loaded applications (cryptographically hashed).
Applications 1 to 4.]

Software Upgrades and Application Downloads from BlackBerry World: All downloads verified with ECC signed SHA-2 hashes.
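A model of the verification chain listed above (boot ROM, OS, base file system, application manifest), written as an added example and not BlackBerry code. As a labelled simplification, a pinned SHA-256 digest stands in for each EC 521 signature check so the example runs on the Python standard library alone; the stage contents and the XML manifest layout are constructed.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def same(a: str, b: str) -> bool:
    # Constant-time comparison of two hex digests.
    return hmac.compare_digest(a.encode(), b.encode())


@dataclass(frozen=True)
class Stage:
    """One link in the chain: its own content plus the digest it pins for the next link."""
    payload: bytes
    next_digest: str

    def digest(self) -> str:
        # Hashing next_digest together with the payload binds every later
        # stage to this one: changing a later stage changes this digest too.
        return sha256_hex(self.payload + b"|" + self.next_digest.encode())


@dataclass(frozen=True)
class Device:
    rom_anchor: str          # stand-in for the key held in the CPU-embedded boot ROM
    os_stage: Stage          # OS image, pins the base file system
    fs_stage: Stage          # read-only base file system, pins the manifest
    manifest_xml: bytes      # lists each application with its hash
    apps: Dict[str, bytes]


def build_manifest(apps: Dict[str, bytes]) -> bytes:
    root = ET.Element("manifest")
    for name in sorted(apps):
        ET.SubElement(root, "app", {"name": name, "sha256": sha256_hex(apps[name])})
    return ET.tostring(root)


def build_device(apps: Dict[str, bytes]) -> Device:
    """Build a constructed device image from the last stage back to the anchor."""
    manifest = build_manifest(apps)
    fs_stage = Stage(b"constructed read-only base file system", sha256_hex(manifest))
    os_stage = Stage(b"constructed OS image", fs_stage.digest())
    return Device(os_stage.digest(), os_stage, fs_stage, manifest, dict(apps))


def verify_boot(dev: Device) -> Tuple[bool, str]:
    """Walk the chain in boot order; return (ok, first failing stage or 'verified')."""
    if not same(dev.os_stage.digest(), dev.rom_anchor):
        return False, "os"
    if not same(dev.fs_stage.digest(), dev.os_stage.next_digest):
        return False, "base_file_system"
    if not same(sha256_hex(dev.manifest_xml), dev.fs_stage.next_digest):
        return False, "manifest"
    # The manifest is parsed only after its hash has been checked.
    listed = {e.get("name"): e.get("sha256") for e in ET.fromstring(dev.manifest_xml).iter("app")}
    for name, blob in sorted(dev.apps.items()):
        # An application that is not listed fails just like a modified one.
        if name not in listed or not same(sha256_hex(blob), listed[name]):
            return False, "application:" + name
    return True, "verified"


if __name__ == "__main__":
    device = build_device({"mail": b"constructed mail app", "notes": b"constructed notes app"})
    print(verify_boot(device))
```

Because each stage's digest covers the digest it pins for the next stage, replacing the base file system and re-pinning it inside the OS image still fails, at the boot ROM check.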


BlackBerry 10 Device OS Security Features

Protecting the device’s OS is one of the most important functions of mobile device security. However, it’s sometimes neglected by other manufacturers focused on consumer devices, since it can be challenging to verify the security vulnerabilities contained in millions of lines of source code, a common characteristic of many devices’ OSs. The BlackBerry 10 OS includes security features for OS protection, including:

Microkernel Implementation: The hardened QNX microkernel used in the BlackBerry 10 OS contains approximately 150,000 lines of code. With fewer lines of code, the BlackBerry OS is less susceptible to vulnerabilities than other platforms. As a result, rigorous security verification and testing are achieved even with a fixed amount of IT resources.

Resilient Design: To reduce risks, the microkernel contains processes associated with personal use. Any unresponsive or misbehaving process is automatically restarted or killed, respectively, without impacting other processes.

Root Process Minimization: To reduce security risks, only the most essential BlackBerry processes are run in root mode. This mode is never available to third parties.

BlackBerry World Application Stores

Once a BlackBerry 10 device is activated on BES10, it has access to two separate BlackBerry World application storefronts: BlackBerry World for personal use and BlackBerry World for Work for enterprise use.

Within the Work Space, only applications approved by the BES10 administrator are permitted to be installed. Work applications can either be “pushed” to users based on policy or “pulled” by users for optional use. Within the Personal Space, users are free to download any application available through BlackBerry World.


For the large majority of organizations, BlackBerry Balance, available via the BES10 Silver EMM⁴ configuration, optimizes the balance between security and employee expectations for a compelling work and life end-user experience. Some highly sensitive, regulated environments, however, may not permit personal use on employee devices due to established risk management policies. For these organizations, often operating in the government, financial services or healthcare sectors, for example, BlackBerry offers the BES10 Gold EMM⁵ configuration, which gives administrators the ability to disable personal use as well as impose device, application and content controls that exceed the granularity of the BES10 Silver EMM configuration. No other mobile platform offers this unique capability.

The BES10 regulated-level device management control features enable large enterprises and government and regulated industries to manage fully locked-down devices with a set of controls unmatched in their level of granularity.

Gold level device management capabilities include:

• BlackBerry 10 Mobile Device Management (MDM) capabilities designed for secure government and regulated environments

• Enforcement of corporate-only use and granular controls to manage use of camera, storage, Wi-Fi, Bluetooth and other device features

• Option to enable a controlled Personal Space through BlackBerry Balance while ensuring all work content is fully protected within the Work Space

• User friendly and intuitive management console to manage your devices, users, groups, apps and services, including reporting and dashboard capabilities

Sampling of Regulated-level BlackBerry 10 Device Management Controls

• Mobile Hotspot Mode and Tethering: Specify whether to allow Mobile Hotspot mode, tethering using Bluetooth technology, and tethering using a USB cable on a BlackBerry 10 device.

• Wireless Service Provider Billing: Specify whether a BlackBerry 10 device user can purchase applications from the BlackBerry World app storefront using the purchasing plan for your organization’s wireless service provider.

• Maximum Password Age: Specify the maximum number of days that can elapse before a BlackBerry 10 device password expires and a BlackBerry 10 device user must set a new password.

• Wipe the Work Space without Network Connectivity: Specify the time in hours that must elapse without a BlackBerry 10 device connecting to your organization’s network before wiping the entire device.

• Non-Email Accounts: Specify whether a BlackBerry 10 device user can add third-party accounts for services such as Facebook, Twitter, LinkedIn and Evernote to the device.

• Network Access Control for Work Applications: Specify whether work applications on a BlackBerry 10 device must connect to your organization’s network through BES10.

• Log Submission: Specify whether a BlackBerry 10 device can generate and send log files to the BlackBerry Technical Solution Center.

• Bluetooth: Specify whether a BlackBerry 10 device can use Bluetooth technology.

• SMS/MMS: Specify whether a BlackBerry 10 device can send SMS text messages and MMS messages.

• Camera: Specify whether a BlackBerry 10 device can use the camera.

BES10’s Gold level EMM controls and settings deliver the ultimate security solution for government and other high-security environments.


[Infographic: Leaders in innovation. Panels: largest Research & Development staff of any EMM vendor³; expansion of security model to iOS and Android; scalability (devices per server); BES10 servers globally; patents. Figures shown: 100K, 30K+, 44K.]


Managing Devices

With BES10 you can also easily manage iOS and Android™ devices from a central location.

A typical enterprise may contain hundreds of devices, each one a potential unauthorized entry point into your corporate servers. To help IT departments get a handle on the large number and diversity of devices attached to your network, BlackBerry has extended its security model to iOS and Android smartphones and tablets through BES10. With the ability to use BES10 to manage multiple types of devices from a single platform and management console, IT administrators are able to strike the perfect balance between corporate and end user needs.

Secure Work Space for iOS and Android

BlackBerry has also extended its ability to protect corporate data through the creation of secure computing and communications environments to iOS and Android devices. Secure Work Space is a containerization, application-wrapping and secure connectivity option for iOS and Android smartphones and tablets that is managed through the BES10 administration console. Managed applications are secured and separated from personal apps and data, providing an integrated email, calendar and contacts app, an enterprise-level secure browser, and secure document viewing and editing. User authentication is required to access secure apps, and work data cannot be shared outside the Secure Work Space. The trusted BlackBerry security model provides built-in secure connectivity for all enterprise apps deployed to the Secure Work Space – no VPN needed.


BlackBerry Mobile Device Management in Action

Your company has hired several new employees – each due to receive a BlackBerry 10 smartphone. The IT department quickly and easily adds a user account for each employee into BES10 using information from your company’s Microsoft Active Directory. An activation password for each account is created, along with the Server Routing Protocol (SRP) ID of the BES10, and delivered to the respective employee.

The new employees type their user IDs, passwords and SRP IDs into their BlackBerry 10 devices to activate them. The smartphone’s enterprise management agent establishes a secure connection through the BlackBerry infrastructure over the network to BES10. Encryption keys based on IT department policies are generated, Work Spaces are created, and profiles and software configurations are sent to each smartphone. In just a few short steps, the incoming employees are empowered with fully functional and secure mobile devices.


Managing Devices Using Device Wipe

With BES10 and BlackBerry Balance, you can keep company data safe while leaving employee personal data intact. Using BES10, you can remotely wipe an employee’s Work Space and all its content, leaving all personal data on the device in place.

You can also use BES10 to create policies that delete the Work Space from the device if certain events occur or specific conditions are met. For example, you can create a policy to delete the Work Space if the number of failed password attempts exceeds the maximum number allowed. You can also wipe the device if employees exceed their allotment of permitted hours or days since the last network connection.

Device Wipe in Action

An employee has just received a job offer from a competitor. This employee works in your company’s procurement department and has access to the company enterprise resource planning (ERP) system via her BlackBerry 10 device. Using the ERP system application, the employee can see the company’s suppliers, vendors, parts inventory, backlogs, sales projections and more.

The employee accepts the job offer and gives two weeks’ notice. Her manager alerts the HR and IT departments about her upcoming departure. On her last day, IT wipes the employee’s work profile from her BlackBerry 10 device, which prevents her from accessing the ERP and email systems. However, all of her personal information remains intact on her device as she moves on to her next job.

Distribution and Application Security Using BlackBerry World for Work

A benefit of BlackBerry Balance is that it allows IT to create and deploy a customized business application store called BlackBerry World for Work. With BlackBerry World for Work, you can push, install and manage business and productivity applications over the network to BlackBerry 10 device Work Spaces via BES10.

Application Sandboxing

The application sandboxing and malware controls found in BlackBerry 10 help keep company data safe and secure from potentially malicious applications. BlackBerry 10 also protects employees’ personal data by allowing them to configure their devices’ application controls and limit application access to their personal information.

Sandboxing separates and restricts an application’s capabilities and permissions. The sandbox is a virtual container that uses device memory and part of the file system and grants access to the application at a specific time. Applications can have sandboxes in both an employee’s Work Space and Personal Space, yet each remains isolated from the other. The BlackBerry 10 OS monitors application process requests for memory outside the application’s sandbox. If the application attempts to access memory outside its sandbox, the BlackBerry 10 OS will stop the process and reclaim the memory it uses, then restart the process without impacting other processes operating at the same time. In addition, each application is assigned its own specific group identification, which cannot be shared or reused by another application. Each application stores data in its own sandbox, and the BlackBerry 10 OS prevents other applications from accessing this specific data.

Malware Controls

The BlackBerry 10 OS includes tight controls to reduce the possibility of malware attacks, including a ‘contain-and-constrain’ strategy that minimizes risks. Application process requests are constrained within employees’ Personal Space on the device, and the BlackBerry OS microkernel monitors inter-process communications for potential issues. The microkernel also monitors memory access by the Personal Space and authorizes its use as needed. Any application process that attempts an unauthorized memory access request is automatically restarted or shut down, protecting your company data. In the employee’s Personal Space, application permissions are used to protect personal data from potential malware attacks.

Malware Protection in Action

Instead of downloading an application to the device from the prescribed channel, an employee downloads an application from the Internet to her personal computer, then moves the application, which contains malware, to the device’s Personal Space. The malware scans the employee’s device for names, phone numbers, credit card numbers or any other bits of identity information that can be stolen and misused.

Work-related information is not impacted, as all company information remains isolated and locked down on the device’s Work Space, fully protected and secure.


End-to-end Security

Securing and protecting corporate data is of paramount concern for all enterprises. As businesses continue to adopt and expand mobility options as a means of improving worker productivity and end-user satisfaction, however, protecting corporate information and guarding against data loss becomes an increasingly complex challenge for IT departments. Underlining the situation is the fact that each personal-enabled device added to the corporate network brings with it a new opportunity in which sensitive enterprise data can be disclosed accidentally or intentionally stolen, either by the device user or by any untrusted application that is installed on the device. Accordingly, today’s resource-challenged IT departments require proven and comprehensive enterprise mobility management solutions that have the integrated security designs and controls necessary to protect against these new risks while delivering the compelling work and life experience that employees demand.

But protecting corporate data from misuse and loss is only half of the story. A mobile security solution, even an ironclad one, must also secure work applications while delivering an environment that enables developers to quickly and effectively create enterprise applications. BlackBerry 10 delivers on this promise with a highly functional application environment that is transparent to developers.

BlackBerry 10 was designed from the ground up to provide enterprises with the optimal balance of protection and productivity. BlackBerry 10, BES10, the BlackBerry infrastructure and BlackBerry 10 devices constitute an ironclad security solution that spans your entire business and delivers a productive and feature-rich work environment with an integrated suite of productivity applications for your increasingly mobilized workforce.


Devices compared: BlackBerry® Z30 Smartphone, BlackBerry® Z10 Smartphone, BlackBerry® Q10 Smartphone, BlackBerry® Q5 Smartphone

Size
• Z30: 140.7mm x 72mm x 9.4mm
• Z10: 130mm x 65.6mm x 9mm
• Q10: 119.6mm x 66.8mm x 10.35mm
• Q5: 120mm x 66mm x 10.8mm

Display
• Z30: 5" Super AMOLED display, 24 bit color, 1280 x 720 resolution at 295 PPI
• Z10: 4.2" 4-point multi-touch LCD display, 1280 x 768 resolution at 356 DPI
• Q10: 3.1" Super AMOLED display, 720 x 720 resolution at 330 PPI
• Q5: 3.1" Capacitive multi-touch LCD display, 720 x 720 resolution at 329 PPI

Software
• Z30, Z10, Q10, Q5: BlackBerry® 10 OS

Memory
• Z30: 2GB RAM, 16GB Flash, hot-swappable Micro SD slot
• Z10: 2GB RAM, 16GB Flash, hot-swappable Micro SD slot
• Q10: 2GB RAM, 16GB Flash, hot-swappable Micro SD slot
• Q5: 2GB RAM, 8GB Flash, hot-swappable Micro SD slot

Processor
• Z30: Dual Core 1.7 GHz Qualcomm MSM8960, Quad-core GPU
• Z10: Dual Core 1.5 GHz Texas Instruments OMAP 4470
• Q10: Dual-core 1.5 GHz Qualcomm® MSM8960
• Q5: Dual Core 1.2 GHz Qualcomm® MSM8960

Battery Life¹
• Z30: Mixed use: up to 25 hours. Talk time: up to 18 hours UMTS, 14 hours GSM. Standby time: up to 16 days. Music: up to 90 hours. Video: up to 12 hours.
• Z10: Talk time: up to 11 hours on 3G. Standby time: up to 408 hours on 3G, up to 397 hours on 2G. Music: up to 51 hours. Video: up to 10 hours.
• Q10: Talk time: up to 13.5 hours on 3G. Standby time: up to 345 hours on 3G, up to 324 hours on 2G. Music: up to 62 hours. Video: up to 9 hours.
• Q5: Talk time: 3G - up to 12.5 hours, 2G - up to 10 hours. Standby time: up to 14 days on 3G, up to 13 days on 4G. Music: up to 62 hours. Video: up to 9 hours.

Camera
• Z30: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
• Z10: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
• Q10: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
• Q5: 5 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording

GPS
• Z30, Z10, Q10, Q5: GPS-enabled with preloaded BlackBerry® Maps application

Bluetooth®
• Z30, Z10, Q10, Q5: Bluetooth 4.0 Low Energy

Wi-Fi®²
• Z30: 802.11 a/b/g/n enabled, 4G Mobile Hotspot
• Z10: 802.11 b/g/n enabled, Mobile Hotspot
• Q10: 802.11 a/b/g/n enabled, 4G Mobile Hotspot
• Q5: 802.11 b/g/n enabled, Mobile Hotspot

1. Many factors affect battery life, including but not limited to network transmission environment, battery age, usage, location, software and feature configuration.
2. WiFi availability may vary between country and mobile network operators.


BlackBerry Technical Support Services

Support is a key component of your Enterprise Mobility Management strategy. Implementing BES10 is easier than ever, but having a strategic support partner is still essential to assist you in delivering your mobility objectives. BlackBerry Technical Support Services offers a unique blend of technical expertise, rapid issue resolution and proactive, relationship-based support to help you realise the full potential of your BES10 multi-platform management infrastructure. For more information, visit blackberry.com/btss

Learn more at BES10.com/security

1. February 2014
2. August 2013
3. November 2013
4. Silver level EMM provides the management and control feature set for iOS, Android and BlackBerry 10 devices, previously known as BES10 EMM Corporate.
5. Gold level EMM provides the management and control feature set for BlackBerry 10 devices, previously known under the name EMM Regulated, and also covers the containerization option for iOS and Android management known as Secure Work Space for iOS and Android.

Screen images simulated

© 2014 BlackBerry. All rights reserved. BlackBerry® and related trademarks, names and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world. All other trademarks are the property of their respective owners. iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS is used under license by Apple Inc. Apple Inc. does not sponsor, authorize or endorse this brochure. Android is a trademark of Google Inc., which does not sponsor, authorize or endorse this brochure.

EZ PASS

FREE perpetual BES10 licenses for all existing BlackBerry and other active MDM licenses, plus receive world class BlackBerry Advantage Level Technical Support FREE of charge.

Learn more at blackberry.com/ezpass

Additional Terms and Conditions will apply.


The BlackBerry end-to-end enterprise security solution secures data from would-be attacks and loss without requiring you to compromise productivity or user satisfaction.

IT managers must now consider a highly complex corporate network infrastructure, accessible to a growing number and diversity of devices and applications, when devising a plan to protect corporate information and maintain worker productivity.

The entryways for potential attacks, data loss and productivity compromises include:

• Employees maintaining a mix of corporate and third-party applications on the same device and exchanging information between the two domains

• The installation of threat-vulnerable containerization on mobile devices

• Employees visiting sites where they encounter malware or malicious threats

• The use of employee-owned devices to access enterprise resources and information

IT managers need a solution that helps them:

• Deliver transparent security for an optimal user experience

• Provide integrated containerization that enables simple enterprise application development and deployment

• Reduce employee misuse of devices

• Keep personal and work information separate

• Ensure that network data, both in transit and at rest, are kept secure

BlackBerry delivers a security solution that satisfies the needs of both enterprises and government agencies. The solution provides the confidentiality, integrity and authenticity to help protect your organization from data loss and theft while delivering a seamless, simple and uncompromised end-user experience.


Corporate Networks Under Attack

Verizon 2013 Data Breach Investigations Report

• 71% of breaches targeted user devices

• 54% of breaches compromised servers

• 78% of intrusions rated as low difficulty

• 66% of breaches go undetected for six months or longer


An unavoidable consequence of the explosive expansion of mobile devices within businesses and organizations of all sizes is a proportional elevation in vulnerability to security breaches and data leakage. To protect your information from increased exposure to attacks or data loss through accidental or malicious means, IT administrators require a comprehensive security solution, but one that does not sacrifice business productivity or end-user satisfaction. BlackBerry end-to-end security is purpose built to deliver optimal protection for work-related content, both on devices and in transit. BlackBerry security delivers fast, integrated device, application and content management and fully encrypted behind-the-firewall access to corporate data without the need for 3rd-party VPNs or add-on security.

The BlackBerry network, combined with its infrastructure, authentication, device management capabilities and hardened BlackBerry® 10 operating system, is the ultimate end-to-end mobile security solution.

BlackBerry Security
A fully integrated end-to-end enterprise mobility security solution

BlackBerry security focuses on four critical areas:

• Protecting data in motion

• Protecting work data on personal-use-enabled devices

• Enforcing strong access controls

• Managing devices

These four functions protect your data from breaches, losses or alteration as it transits the end-to-end path from your enterprise BES10 server, through the BlackBerry network and ultimately to your employees’ BlackBerry devices.

All G7 governments and 16 of the G20 governments rely on BlackBerry security¹


[Infographic: The ultimate standard for end-to-end mobile security. Panels: security certificates, more than any other mobile vendor³; per month on average, moves more secure mobile data through its infrastructure than any other EMM vendor³; only MDM provider to obtain ATO on US Defense networks². Figures shown: 45, 35PB. Labels: Dedicated Security Team, FIPS 140-2, AES256.]


Because many of your employees work outside the office, it’s critical that you have strong security measures in place – both on employees’ devices and across internal network infrastructure – to protect data in transit. A key element of the BlackBerry solution for in-transit data security is the BlackBerry Enterprise Service 10, BlackBerry’s device and application management platform. BES10 offers built-in data encryption to help both enterprises and government agencies protect sensitive information and minimize data loss or alteration.

BES10 Overview

BlackBerry has long been the ultimate in mobile security. An integral component of the BlackBerry solution is BES10, which secures in-transit data using transport layer security over the BlackBerry infrastructure. BES10 encrypts data using AES 256-bit encryption prior to transmission, while message keys are encrypted by the device transport key. BES10 also protects and manages devices and applications within the end-to-end BlackBerry security solution.

Protecting Data in Motion
A key element of the BlackBerry solution for in-transit data security is BES10

[Figure: Secure Enterprise Connectivity. Components shown: BlackBerry 10 device (Work and Personal), Wi-Fi or 3G/4G, BlackBerry Infrastructure, firewall, firewall with VPN gateway, private network, BlackBerry Enterprise Service 10 (BlackBerry Dispatcher, BlackBerry Mobile Data and Connection Service, Enterprise Management Web Service), content servers, Web servers, Microsoft ActiveSync. Setting shown: Enable Work Network For Personal Use (Enable/Disable).]

Legend:

• TLS: BlackBerry infrastructure authenticated with self certification
• AES 256: Encrypted with device transport key generated during activation
• SSL (Optional): Authenticated with server specific certificate
• SSL: Authenticated with client/server certificates generated during activation
• Wi-Fi: IEEE 802.11i with 802.1x (EAP-FAST, EAP-TLS, EAP-TTLS, PEAP and LEAP)
• VPN: IPSec or SSL


BES10 Security Philosophy

[Figure: Confidentiality, Integrity, Authenticity]

The security features found in BES10 are built upon a foundation of confidentiality, integrity and authenticity.

• Confidentiality: BES10’s encryption capabilities ensure that only intended recipients can view corporate data.

• Integrity: All email sent over a secure network is strongly encrypted to keep third parties from decrypting or altering the message.

• Authenticity: BES10 provides two-way authentication upon pairing with the device, helping reduce the possibility of counterfeit devices accessing your infrastructure.


BlackBerry 10/BES10 FIPS 140-2 Certification

Businesses and government agencies alike need to feel confident that their highly sensitive data – whether it’s in storage or in transit – stays secure from would-be attackers. The US government created and implemented the FIPS 140-2 computer security standard and uses it to accredit file encryption modules.

Both the BlackBerry 10 OS and BES10 software are FIPS 140-2 certified, which means that your organization’s data is strongly encrypted and the corresponding encryption keys are rigorously protected. BlackBerry 10 devices controlled by BES10 are the only mobile devices to be given Authority to Operate (ATO) on Department of Defense networks.

S/MIME Messaging Encryption

BES10 gives you the option of using digital certificates to sign and encrypt email and file attachments using industry standard S/MIME encryption. When IT personnel activate a mobile device on BES10, the device can be configured to sign and encrypt messages using S/MIME whenever the employee sends emails via his or her work account. S/MIME encryption keeps messages secure by using recipients’ public keys to encrypt the message and their private key to decrypt it. Often overlooked as a security agent, S/MIME is a cost-effective productivity tool for enabling highly secure email communications with business partners and contractors outside of your organization.

Encryption Options

BES10 uses a technique called tunneling to protect data in transit over a secure network. Tunneling incorporates multiple layers of encryption between devices, BES10 and the wireless resource for additional data protection.

For example, when employees access the corporate Wi-Fi network, data transmissions between their device and BES10 are secured first by AES encryption and then by Wi-Fi encryption.

• Wi-Fi Encryption (IEEE 802.11): Encrypts data transmitted between mobile devices and wireless access points set up to use Wi-Fi encryption.

• VPN Encryption: Encrypts data transmitted between mobile devices and VPN servers.

• AES Encryption: Encrypts data transmitted between mobile devices, the BlackBerry infrastructure and BES10.

• SSL/TLS Encryption: Encrypts data transmitted between mobile devices and content servers, Web servers or messaging servers that use Microsoft ActiveSync.

BES10 Layers of Protection

BES10 contains multiple layers of protection so data stays secure both in transit and on devices.

• In-transit Data Protection: BES10 protects data transmissions using transport layer security.

• Work Data Device Protection: Work file systems and applications are kept separate from personal data and encrypted.

• Personal Data Device Protection: IT managers can create policy rules to encrypt data within the personal file system.

• Device Access Control: Work Wi-Fi and VPN profiles may be delivered remotely via BES10 to enable corporate network access.

• Device Behavior Control: IT managers can remotely lock mobile devices, enforce policies and wipe work/personal data from devices.

• Device User Information Protection: Users can delete all their information and application data from device memory.

• BlackBerry 10 OS Protection: BlackBerry 10 devices conduct integrity tests to detect kernel damage and restart processes that stop responding.

• Application Data Protection Via Sandboxing: Sandboxing separates and restricts the capabilities and permissions of applications running on the device.

• Resource Protection: Adaptive partitioning is used to allocate unused resources during typical operating conditions to help ensure resources are available during peak conditions.

• Access Capabilities Permissions Management: The BlackBerry 10 OS evaluates each device capability request made by an application, then grants access accordingly.

• Boot ROM Code Verification: The device verifies that the boot ROM code is authentic, unmodified and has permission to run on the device.


Tech Talk 2: S/MIME Keys, Certificates and Encryption Algorithms

BlackBerry devices support keys and certificates for the following file formats and file name extensions:

• PEM (.pem, .cer)
• DER (.der, .cer)
• PFX (.pfx, .p12)

A private key and certificate must be stored on the device for each recipient of an encrypted email message. Keys and certificates can be stored simply by importing the files from a work email message. To send encrypted messages, your employees must use their work email accounts.

The following encryption algorithms can be used by BlackBerry devices to encrypt S/MIME-protected messages:

• AES (256-bit)
• AES (192-bit)
• AES (128-bit)
• Triple DES
• RC2

Tech Talk 1: FIPS 140-2 Certification Details

The FIPS 140-2 certification was implemented by the National Institute of Standards and Technology to govern cryptography modules that involve both hardware and software components.

The BlackBerry OS cryptographic kernel, which received FIPS 140-2 certification for the BlackBerry 10 OS and BES10, generates the file encryption keys, the work domain key, the work master key and the system master key to provide a strong layer of security to protect data.

The FIPS 140-2 certificates for BlackBerry 10 and BES10:

• BlackBerry Enterprise Service 10: FIPS 140-2 Certificate no. 1765, Consolidated Certificate no. 0019, http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0019.pdf

• BlackBerry 10: FIPS 140-2 Certificate no. 1578, Consolidated Certificate no. 0007, http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0007.pdf


Protecting Work Data on Personal-Use-Enabled Devices

BlackBerry Balance and BES10 protect sensitive data

Protecting work data accessible over the corporate Intranet or stored on employees’ devices is a critical part of any comprehensive mobile data security plan. The widespread use of employee-owned and personal-use-enabled devices in corporate environments – Bring Your Own Device (BYOD) and Corporate Owned, Personally Enabled (COPE) movements – creates major data security challenges. Without a heavy-duty security architecture in place, one designed for work and personal use, it is easy for employees to leak sensitive work data through personal use, such as webmail and browsing, social networking and media, and untrusted personal applications.

With BlackBerry Balance™, a feature of BES10, you can create a “dual-persona” environment on employees’ mobile devices by establishing a separate, secure environment for work-related applications and associated sensitive data. This work environment leverages integrated, cryptographically partitioned file systems to protect sensitive work data while delivering a compelling “work-life” user experience.

BlackBerry Balance: Seamless Separation of Personal & Work Data

BlackBerry Balance identifies and tags data and processes that originate from your company’s Wi-Fi, VPN access or Intranet, and routes them to the employee’s work profile on the device. Other personal data and activities, including third-party applications, public Web browsing and personal email, are contained within the personal profile.

BlackBerry Balance Overview and Features

BlackBerry Balance keeps employees’ work and personal information separate and secure on BlackBerry 10 devices using specifically designated areas called Spaces. Within each of these Spaces, data, applications and network connections can be safely stored. Individual Spaces can be governed by their own rules for data storage, application permissions and network routing. Using separate Spaces for work and personal activities helps keep sensitive data secure by preventing employees from copying work data into personal email or displaying information during video chats.


Built-in Password Protection

BES10 allows you to establish and enforce password policies quickly and easily to better protect data stored on employees’ devices. IT policies can be set to require your employees to enter a password, or use their corporate single sign-on using Active Directory® services, to gain access to Spaces containing work-related data. This keeps data at rest on employee devices safe and protected.

BlackBerry Balance in action

After eight years of employment at your company, a salesperson is leaving to take a leadership role at a startup business that will share the same competitive space as your company. Looking to jumpstart the customer acquisition process, the departing salesperson, who has access to the corporate customer relationship management (CRM) system, attempts to send your company’s customer list and deal status to his personal email account before leaving the company.

The soon-to-be former employee accesses the CRM application from his BlackBerry 10 device and tries to paste the list and deal information into his personal email account. Because BlackBerry Balance prevents copy and paste functions between employees’ work profiles and personal profiles, the employee is unable to move data into his personal email or copy files from his Work Space to his Personal Space. Your company’s sales information stays safe. In addition, BES10 allows you to wipe all corporate information from an employee-owned device after the employee has left the company, without impacting personal data.

Using BlackBerry Balance, you can:

• Control employee access to company data and applications on their devices
• Prevent company data from becoming compromised
• Provide employees a unified and consistent user experience with a core set of applications when accessing personal or work data
• Install and manage company applications on employees’ devices remotely
• Remove company data and applications from employee-owned devices when needed, without impacting personal configuration and data
• Control network connections for work and personal applications remotely

BlackBerry Balance lets you control how devices separate, secure and protect company data and resources.


Tech Talk 3: Work Space/Personal Space in Detail

BlackBerry Balance and BES10 provide a work environment that securely separates work and personal information on mobile devices. Devices classify data as work data or personal data based on the source of the data. For example, if data comes from a work-related source, it is stored in the device’s Work Space. Personal and Work Spaces can have different rules for data storage, application permissions and network routing. The separate spaces help users to avoid activities such as accidentally copying work data into a personal application or displaying confidential work data. IT administrators have the option of managing and securing data in a Personal Space.

[Figure: Work Space and Personal Space. Labels: Work Space (apps, data; Encrypt), Personal Space (apps, data; Encrypt (optional)), Base file system.]


Enforcing Strong Access Controls

BlackBerry security gives you greater control over how and when mobile devices connect to your network infrastructure and access data

BlackBerry security delivers multiple access control features, such as device authentication, anti-counterfeiting manufacturing controls and device OS protection, that verify and maintain device integrity. These features help ensure only authorized devices used by authorized employees gain entry into your network, use network services and access data.

BlackBerry Hardware Root of Trust

BlackBerry takes specific steps to help ensure the integrity of its devices and prevent counterfeit devices from connecting to the BlackBerry infrastructure.

Security is built into each major BlackBerry device component, making it more difficult for unauthorized users to remove or circumvent security on a BlackBerry device than on other mobile operating systems. Plus, all parts of the BlackBerry supply chain, from its manufacturing partners to the BlackBerry infrastructure and devices, are securely connected, which means trusted BlackBerry devices can be built around the world.

This secure manufacturing model helps prevent the impersonation of authentic BlackBerry devices and ensures that only authentic BlackBerry devices can connect to the BlackBerry infrastructure. Any device trying to connect to the BlackBerry infrastructure must complete the self-verification process before access is granted.

Authentication

Multiple forms of authentication take place within the BlackBerry system to minimize the possibility of data loss and outside attack. First, the BlackBerry infrastructure and BES10 authenticate with each other by sharing a Server Routing Protocol (SRP) authentication key before a connection takes place.

The second level of authentication takes place between BES10 and the activated BlackBerry 10 device. When the device is activated, it generates a key pair and sends the public key to BES10. The BES10 server then creates a client certificate and sends an enterprise management root certificate and client certificate back to the device. It uses the enterprise management root certificate to authenticate the server certificate for the enterprise management Web service. BES10 and the BlackBerry 10 device use the client certificate to authenticate users, their Work Spaces and their devices.

[Figure: BlackBerry 10 Operating System verification chain. Each stage is marked "Verified":
1. CPU Embedded Boot ROM: Boot ROM digital signature
2. Boot ROM: Public EC 521 Key of OS Signature
3. BlackBerry 10 OS: SHA256 hash of Base File System (signed with EC 521)
4. Base File System (read only): XML manifest of loaded applications (cryptographically hashed)
5. Applications 1 to 4
Software upgrades and application downloads from BlackBerry World: all downloads verified with ECC signed SHA-2 hashes.]
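The last two links of the verification chain in the diagram above are hash checks: the OS holds a SHA256 hash of the read-only base file system, and the base file system carries a hashed XML manifest of the applications. The following added example (not BlackBerry code) models those two stages in Python; the manifest layout, the manifest.xml path and the way the file system is measured are assumptions, and the EC 521 signature check that authenticates the trusted digest is taken as already done.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

MANIFEST_PATH = "manifest.xml"  # hypothetical location inside the base file system


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def measure_fs(files: dict) -> str:
    """SHA-256 over every path and file body, each length-prefixed so that moving
    bytes from one file to another changes the digest."""
    h = hashlib.sha256()
    for path in sorted(files):
        name = path.encode()
        h.update(len(name).to_bytes(4, "big") + name)
        h.update(len(files[path]).to_bytes(8, "big") + files[path])
    return h.hexdigest()


def make_manifest(apps: dict) -> bytes:
    """Build the constructed XML manifest: one <app name=... sha256=...> per application."""
    root = ET.Element("manifest")
    for name in sorted(apps):
        ET.SubElement(root, "app", name=name, sha256=sha256_hex(apps[name]))
    return ET.tostring(root)


def verify_chain(files: dict, trusted_fs_digest: str, apps: dict) -> dict:
    """Return {"base_fs": bool, "apps": {name: verdict}} for the applications to load."""
    result = {"base_fs": False, "apps": {}}
    # Stage 1: the measured file system must match the digest the verified OS vouches for.
    if not hmac.compare_digest(measure_fs(files), trusted_fs_digest):
        return result  # chain broken: the manifest is untrusted, so it is not even parsed
    result["base_fs"] = True
    # Stage 2: the manifest is now trusted; every application must match its entry.
    expected = {}
    manifest = files.get(MANIFEST_PATH)
    if manifest is not None:
        for node in ET.fromstring(manifest).findall("app"):
            expected[node.get("name")] = node.get("sha256") or ""
    for name, blob in apps.items():
        if name not in expected:
            result["apps"][name] = "not in manifest"
        elif hmac.compare_digest(sha256_hex(blob), expected[name]):
            result["apps"][name] = "verified"
        else:
            result["apps"][name] = "hash mismatch"
    return result


def build_sample():
    """Constructed data: two apps, a file system holding their manifest, and its digest."""
    apps = {"mail": b"constructed mail app", "crm": b"constructed crm app"}
    files = {MANIFEST_PATH: make_manifest(apps), "etc/config": b"constructed config"}
    return files, measure_fs(files), apps
```

Rewriting the manifest to match a modified application does not help, because the manifest is itself covered by the file system digest checked one stage earlier.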


BlackBerry 10 Device OS Security Features

Protecting the device’s OS is one of the most important functions of mobile device security. However, it’s sometimes neglected by other manufacturers focused on consumer devices, since it can be challenging to verify the security vulnerabilities contained in millions of lines of source code, a common characteristic of many devices’ OSs. The BlackBerry 10 OS includes security features for OS protection, including:

Microkernel Implementation: The hardened QNX microkernel used in the BlackBerry 10 OS contains approximately 150,000 lines of code. With fewer lines of code, the BlackBerry OS is less susceptible to vulnerabilities than other platforms. As a result, rigorous security verification and testing are achieved even with a fixed amount of IT resources.

Resilient Design: To reduce risks, the microkernel contains processes associated with personal use. Any unresponsive or misbehaving process is automatically restarted or killed, respectively, without impacting other processes.

Root Process Minimization: To reduce security risks, only the most essential BlackBerry processes are run in root mode. This mode is never available to third parties.

BlackBerry World Application Stores: Once a BlackBerry 10 device is activated on BES10, it has access to two separate BlackBerry World application storefronts: BlackBerry World for personal use and BlackBerry World for Work for enterprise use.

Within the Work Space, only applications approved by the BES10 administrator are permitted to be installed. Work applications can either be “pushed” to users based on policy or “pulled” by users for optional use. Within the Personal Space, users are free to download any application available through BlackBerry World.


For the large majority of organizations, BlackBerry Balance, available via the BES10 Silver EMM⁴ configuration, optimizes the balance between security and employee expectations for a compelling work and life end-user experience. Some highly sensitive, regulated environments, however, may not permit personal use on employee devices due to established risk management policies. For these organizations, often operating in government, financial services or healthcare sectors, for example, BlackBerry offers the BES10 Gold EMM⁵ configuration, which gives administrators the ability to disable personal use as well as impose device, application and content controls that exceed the granularity of the BES10 Silver EMM configuration. No other mobile platform offers this unique capability.

The BES10 regulated-level device management control features enable large enterprises and government and regulated industries to manage fully locked-down devices with a set of controls unmatched in their level of granularity.

Gold level device management capabilities include:

• BlackBerry 10 Mobile Device Management (MDM) capabilities designed for secure government and regulated environments
• Enforcement of corporate-only use and granular controls to manage use of camera, storage, Wi-Fi, Bluetooth and other device features
• Option to enable a controlled Personal Space through BlackBerry Balance while ensuring all work content is fully protected within the Work Space
• User-friendly and intuitive management console to manage your devices, users, groups, apps and services, including reporting and dashboard capabilities

Sampling of Regulated-level BlackBerry 10 Device Management Controls

Mobile Hotspot Mode and Tethering: Specify whether to allow Mobile Hotspot mode, tethering using Bluetooth technology, and tethering using a USB cable on a BlackBerry 10 device.

Wireless Service Provider Billing: Specify whether a BlackBerry 10 device user can purchase applications from the BlackBerry World app storefront using the purchasing plan for your organization’s wireless service provider.

Maximum Password Age: Specify the maximum number of days that can elapse before a BlackBerry 10 device password expires and a BlackBerry 10 device user must set a new password.

Wipe the Work Space without Network Connectivity: Specify the time in hours that must elapse without a BlackBerry 10 device connecting to your organization’s network before wiping the entire device.

Non-Email Accounts: Specify whether a BlackBerry 10 device user can add third-party accounts for services such as Facebook, Twitter, LinkedIn and Evernote to the device.

Network Access Control for Work Applications: Specify whether work applications on a BlackBerry 10 device must connect to your organization’s network through BES10.

Log Submission: Specify whether a BlackBerry 10 device can generate and send log files to the BlackBerry Technical Solution Center.

Bluetooth: Specify whether a BlackBerry 10 device can use Bluetooth technology.

SMS/MMS: Specify whether a BlackBerry 10 device can send SMS text messages and MMS messages.

Camera: Specify whether a BlackBerry 10 device can use the camera.

BES10’s Gold level EMM controls and settings deliver the ultimate security solution for government and other high-security environments.


[Infographic: Leaders in innovation. Largest Research & Development staff of any EMM vendor³. Expansion of security model to iOS and Android. Scalability: devices per server. BES10 servers globally. Patents¹. Figures shown: 100K, 30K+, 44K.]


Managing Devices

With BES10 you can also easily manage iOS and Android™ devices from a central location

A typical enterprise may contain hundreds of devices, each one a potential unauthorized entry point into your corporate servers. To help IT departments get a handle on the large number and diversity of devices attached to your network, BlackBerry has extended its security model to iOS and Android smartphones and tablets through BES10. With the ability to use BES10 to manage multiple types of devices from a single platform and management console, IT administrators are able to strike the perfect balance between corporate and end user needs.

Secure Work Space for iOS and Android

BlackBerry has also extended its ability to protect corporate data, through the creation of secure computing and communications environments, to iOS and Android devices. Secure Work Space is a containerization, application-wrapping and secure connectivity option for iOS and Android smartphones and tablets that is managed through the BES10 administration console. Managed applications are secured and separated from personal apps and data, providing an integrated email, calendar and contacts app, an enterprise-level secure browser, and secure document viewing and editing. User authentication is required to access secure apps, and work data cannot be shared outside the Secure Work Space. The trusted BlackBerry security model provides built-in secure connectivity for all enterprise apps deployed to the Secure Work Space – no VPN needed.


BlackBerry Mobile Device Management in Action

Your company has hired several new employees – each due to receive a BlackBerry 10 smartphone. The IT department quickly and easily adds a user account for each employee into BES10 using information from your company’s Microsoft Active Directory. An activation password for each account is created, along with the Server Routing Protocol (SRP) ID of the BES10, and delivered to the respective employee.

The new employees type their user IDs, passwords and SRP IDs into their BlackBerry 10 devices to activate them. The smartphone’s enterprise management agent establishes a secure connection through the BlackBerry infrastructure over the network to BES10. Encryption keys based on IT department policies are generated, Work Spaces are created, and profiles and software configurations are sent to each smartphone. In just a few short steps, the incoming employees are empowered with fully functional and secure mobile devices.


Managing Devices Using Device Wipe

With BES10 and BlackBerry Balance you can keep company data safe while leaving employee personal data intact. Using BES10, you can remotely wipe an employee’s Work Space and all its content, leaving all personal data on the device in place.

You can also use BES10 to create policies that delete the Work Space from the device if certain events occur or specific conditions are met. For example, you can create a policy to delete the Work Space if the number of failed password attempts exceeds the maximum number allowed. You can also wipe the device if employees exceed their allotment of permitted hours or days since the last network connection.

Device Wipe in Action

An employee has just received a job offer from a competitor. This employee works in your company’s procurement department and has access to the company enterprise resource planning (ERP) system via her BlackBerry 10 device. Using the ERP system application, the employee can see the company’s suppliers, vendors, parts inventory, backlogs, sales projections and more.

The employee accepts the job offer and gives a two-week notice. Her manager alerts HR and IT departments about her upcoming departure. On her last day, IT wipes the employee’s work profile from her BlackBerry 10 device, which prevents her from accessing the ERP and email systems. However, all of her personal information remains intact on her device as she moves on to her next job.

Distribution and Application Security Using BlackBerry World for Work

A benefit of BlackBerry Balance is that it allows IT to create and deploy a customized business application store called BlackBerry World for Work. With BlackBerry World for Work, you can push, install and manage business and productivity applications over the network to BlackBerry 10 device Work Spaces via BES10.

Application Sandboxing

The application sandboxing and malware controls found in BlackBerry 10 help keep company data safe and secure from potentially malicious applications. BlackBerry 10 also protects employees’ personal data by allowing them to configure their devices’ application controls and limit application access to their personal information.

Sandboxing separates and restricts an application’s capabilities and permissions. The sandbox is a virtual container that uses device memory and part of the file system, and grants access to the application at a specific time. Applications can have sandboxes in both an employee’s Work Space and Personal Space, yet each remains isolated from the other. The BlackBerry 10 OS monitors application process requests for memory outside its sandbox. If the application attempts to access memory outside its sandbox, the BlackBerry 10 OS will stop the process and reclaim the memory it uses, then restart the process without impacting other processes operating at the same time. In addition, each application is assigned its own specific group identification, which cannot be shared or reused by another application. Each application stores data in its own sandbox, and the BlackBerry 10 OS prevents other applications from accessing this specific data.

Malware Controls

The BlackBerry 10 OS includes tight controls to reduce the possibility of malware attacks, including a ‘contain-and-constrain’ strategy that minimizes risks. Application process requests are constrained within employees’ Personal Space on the device, and the BlackBerry OS microkernel monitors inter-process communications for potential issues. The microkernel also monitors memory access by the Personal Space and authorizes its use as needed. Any application process that attempts an unauthorized memory access request is automatically restarted or shut down, protecting your company data. In the employee’s Personal Space, application permissions are used to protect personal data from potential malware attacks.

Malware Protection in Action

Instead of downloading an application to the device from the prescribed channel, an employee downloads an application from the Internet to her personal computer, then moves the application, which contains malware, to the device’s Personal Space. The malware scans the employee’s device for names, phone numbers, credit card numbers or any other bits of identity information that can be stolen and misused.

Work-related information is not impacted, as all company information remains isolated and locked down on the device’s Work Space, fully protected and secure.


End-to-end Security

Securing and protecting corporate data is of paramount concern for all enterprises. As businesses continue to adopt and expand mobility options as a means of improving worker productivity and end-user satisfaction, however, protecting corporate information and guarding against data loss becomes an increasingly complex challenge for IT departments. Underlining the situation is the fact that each personal-enabled device added to the corporate network brings with it a new opportunity in which sensitive enterprise data can be disclosed accidentally or intentionally stolen, either by the device user or by any untrusted application that is installed on the device. Accordingly, today’s resource-challenged IT departments require proven and comprehensive enterprise mobility management solutions that have integrated security designs and controls necessary to protect against these new risks, while delivering the compelling work and life experience that employees demand.

But protecting corporate data from misuse and loss is only half of the story. A mobile security solution, even an ironclad one, must also secure work applications while delivering an environment that enables developers to quickly and effectively create enterprise applications. BlackBerry 10 delivers on this promise with a highly functional application environment that is transparent to developers.

BlackBerry 10 was designed from the ground up to provide enterprises with the optimal balance of protection and productivity. BlackBerry 10, BES10, the BlackBerry infrastructure and BlackBerry 10 devices constitute an ironclad security solution that spans your entire business and delivers a productive and feature-rich work environment, with an integrated suite of productivity applications for your increasingly mobilized workforce.


BlackBerry® Z30 Smartphone
• Size: 140.7mm x 72mm x 9.4mm
• Display: 5" Super AMOLED display, 24-bit color, 1280 x 720 resolution at 295 PPI
• Software: BlackBerry® 10 OS
• Memory: 2GB RAM, 16GB Flash®, hot-swappable Micro SD slot
• Processor: Dual Core 1.7 GHz Qualcomm MSM8960, Quad-core GPU
• Battery Life¹: Mixed use up to 25 hours; talk time up to 18 hours UMTS, 14 hours GSM; standby time up to 16 days; music up to 90 hours; video up to 12 hours
• Camera: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
• GPS: GPS-enabled with preloaded BlackBerry® Maps application
• Bluetooth®: Bluetooth 4.0 Low Energy
• Wi-Fi®²: 802.11 a/b/g/n enabled, 4G Mobile Hotspot

BlackBerry® Z10 Smartphone
• Size: 130mm x 65.6mm x 9mm
• Display: 4.2" 4-point multi-touch LCD display, 1280 x 768 resolution at 356 DPI
• Software: BlackBerry® 10 OS
• Memory: 2GB RAM, 16GB Flash®, hot-swappable Micro SD slot
• Processor: Dual Core 1.5 GHz Texas Instruments OMAP 4470
• Battery Life¹: Talk time up to 11 hours on 3G; standby time up to 408 hours on 3G, up to 397 hours on 2G; music up to 51 hours; video up to 10 hours
• Camera: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
• GPS: GPS-enabled with preloaded BlackBerry® Maps application
• Bluetooth®: Bluetooth 4.0 Low Energy
• Wi-Fi®²: 802.11 b/g/n enabled, Mobile Hotspot

BlackBerry® Q10 Smartphone
• Size: 119.6mm x 66.8mm x 10.35mm
• Display: 3.1" Super AMOLED display, 720 x 720 resolution at 330 PPI
• Software: BlackBerry® 10 OS
• Memory: 2GB RAM, 16GB Flash®, hot-swappable Micro SD slot
• Processor: Dual-core 1.5 GHz Qualcomm® MSM8960
• Battery Life¹: Talk time up to 13.5 hours on 3G; standby time up to 345 hours on 3G, up to 324 hours on 2G; music up to 62 hours; video up to 9 hours
• Camera: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
• GPS: GPS-enabled with preloaded BlackBerry® Maps application
• Bluetooth®: Bluetooth 4.0 Low Energy
• Wi-Fi®²: 802.11 a/b/g/n enabled, 4G Mobile Hotspot

BlackBerry® Q5 Smartphone
• Size: 120mm x 66mm x 10.8mm
• Display: 3.1" capacitive multi-touch LCD display, 720 x 720 resolution at 329 PPI
• Software: BlackBerry® 10 OS
• Memory: 2GB RAM, 8GB Flash®, hot-swappable Micro SD slot
• Processor: Dual Core 1.2 GHz Qualcomm® MSM8960
• Battery Life¹: Talk time 3G up to 12.5 hours, 2G up to 10 hours; standby time up to 14 days on 3G, up to 13 days on 4G; music up to 62 hours; video up to 9 hours
• Camera: 5 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
• GPS: GPS-enabled with preloaded BlackBerry® Maps application
• Bluetooth®: Bluetooth 4.0 Low Energy
• Wi-Fi®²: 802.11 b/g/n enabled, Mobile Hotspot

1 Many factors affect battery life, including but not limited to network, transmission environment, battery age, usage, location, software and feature configuration.
2 Wi-Fi availability may vary between country and mobile network operators.


BlackBerry Technical Support Services

Support is a key component of your Enterprise Mobility Management strategy. Implementing BES10 is easier than ever, but having a strategic support partner is still essential to assist you in delivering your mobility objectives. BlackBerry Technical Support Services offers a unique blend of technical expertise, rapid issue resolution and proactive, relationship-based support to help you realise the full potential of your BES10 multi-platform management infrastructure. For more information, visit blackberry.com/btss

Learn more at BES10.com/security

1 February 2014
2 August 2013
3 November 2013
4 Silver level EMM provides the management and control feature set for iOS, Android and BlackBerry 10 devices, previously known as BES10 EMM Corporate.
5 Gold level EMM provides the management and control feature set for BlackBerry 10 devices, previously known under the name EMM Regulated, and also covers the containerization option for iOS and Android management, known as Secure Work Space for iOS and Android.

Screen images simulated

© 2014 BlackBerry. All rights reserved. BlackBerry® and related trademarks, names and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world. All other trademarks are the property of their respective owners. iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS is used under license by Apple Inc. Apple Inc. does not sponsor, authorize or endorse this brochure. Android is a trademark of Google Inc., which does not sponsor, authorize or endorse this brochure.

EZ PASS: FREE perpetual BES10 licenses for all existing BlackBerry and other active MDM licenses, plus receive world class BlackBerry Advantage Level Technical Support FREE of charge.

Learn more at blackberry.com/ezpass

Additional Terms and Conditions will apply

Corporate Networks Under Attack

Verizon 2013 Data Breach Investigations Report

• 71% of breaches targeted user devices
• 54% of breaches compromised servers
• 78% of intrusions rated as low difficulty
• 66% of breaches go undetected for six months or longer


An unavoidable consequence of the explosive expansion of mobile devices within businesses and organizations of all sizes is a proportional elevation in vulnerability to security breaches and data leakage. To protect your information from increased exposure to attacks or data loss through accidental or malicious means, IT administrators require a comprehensive security solution, but one that does not sacrifice business productivity or end-user satisfaction. BlackBerry end-to-end security is purpose-built to deliver optimal protection for work-related content, both on devices and in transit. BlackBerry security delivers fast, integrated device, application and content management and fully encrypted, behind-the-firewall access to corporate data, without the need for 3rd-party VPNs or add-on security.

The BlackBerry network, combined with its infrastructure, authentication, device management capabilities and hardened BlackBerry® 10 operating system, is the ultimate end-to-end mobile security solution.

BlackBerry Security

A fully integrated, end-to-end enterprise mobility security solution

BlackBerry security focuses on four critical areas:

• Protecting data in motion
• Protecting work data on personal-use-enabled devices
• Enforcing strong access controls
• Managing devices

These four functions protect your data from breaches, losses or alteration as it transits the end-to-end path from your enterprise BES10 server, the BlackBerry network, and ultimately your employees’ BlackBerry devices.

All G7 governments and 16 of the G20 governments rely on BlackBerry security¹


The ultimate standard for end-to-end mobile security

• 45 security certificates: more than any other mobile vendor³
• 35PB per month on average: moves more secure mobile data through its infrastructure than any other EMM vendor³
• Only MDM provider to obtain ATO on US Defense networks²
• Dedicated Security Team
• FIPS 140-2
• AES256


Because many of your employees work outside the office, it’s critical that you have strong security measures in place – both on employees’ devices and across internal network infrastructure – to protect data in transit. A key element of the BlackBerry solution for in-transit data security is the BlackBerry Enterprise Service 10, BlackBerry’s device and application management platform. BES10 offers built-in data encryption to help both enterprises and government agencies protect sensitive information and minimize data loss or alteration.

BES10 Overview

BlackBerry has long been the ultimate in mobile security. An integral component of the BlackBerry solution is BES10, which secures in-transit data using transport layer security over the BlackBerry infrastructure. BES10 encrypts data using AES 256-bit encryption prior to transmission, while message keys are encrypted by the device transport key. BES10 also protects and manages devices and applications within the end-to-end BlackBerry security solution.

Protecting Data in Motion

A key element of the BlackBerry solution for in-transit data security in BES10

[Figure: Secure Enterprise Connectivity. Components shown: BlackBerry 10 device (Work and Personal Spaces), Wi-Fi or 3G/4G, firewall with VPN gateway, private network, BlackBerry Infrastructure, firewall, BlackBerry Enterprise Service 10 (BlackBerry Dispatcher, BlackBerry Mobile Data and Connection Service, Enterprise Management Web Service), Microsoft ActiveSync, web servers, content servers. Setting shown: Enable Work Network For Personal Use (Enable/Disable).]

Legend:

• TLS: BlackBerry infrastructure authenticated with self certification
• AES 256: Encrypted with device transport key generated during activation
• SSL (Optional): Authenticated with server specific certificate
• SSL: Authenticated with client/server certificates generated during activation
• Wi-Fi: IEEE 802.11i with 802.1x (EAP-FAST, EAP-TLS, EAP-TTLS, PEAP and LEAP)
• VPN: IPSec or SSL


BES10 Security Philosophy


The security features found in BES10 are built upon a foundation of confidentiality, integrity and authenticity.

Confidentiality: BES10’s encryption capabilities ensure that only intended recipients can view corporate data.

Integrity: All email sent over a secure network is strongly encrypted to keep third parties from decrypting or altering the message.

Authenticity: BES10 provides two-way authentication upon pairing with the device, helping reduce the possibility of counterfeit devices accessing your infrastructure.


BlackBerry 10/BES10 FIPS 140-2 Certification

Businesses and government agencies alike need to feel confident that their highly sensitive data – whether it's in storage or in transit – stays secure from would-be attackers. The US government created and implemented the FIPS 140-2 computer security standard and uses it to accredit file encryption modules.

Both the BlackBerry 10 OS and BES10 software are FIPS 140-2 certified, which means that your organization's data is strongly encrypted and the corresponding encryption keys are rigorously protected. BlackBerry 10 devices controlled by BES10 are the only mobile devices to be given Authority to Operate (ATO) on Department of Defense networks.

S/MIME Messaging Encryption

BES10 gives you the option of using digital certificates to sign and encrypt email and file attachments using industry standard S/MIME encryption. When IT personnel activate a mobile device on BES10, the device can be configured to sign and encrypt messages using S/MIME whenever the employee sends emails via his or her work account. S/MIME encryption keeps messages secure by using recipients' public keys to encrypt the message and their private key to decrypt it. Often overlooked as a security agent, S/MIME is a cost-effective productivity tool for enabling highly secure email communications with business partners and contractors outside of your organization.

Encryption Options

BES10 uses a technique called tunneling to protect data in transit over a secure network. Tunneling incorporates multiple layers of encryption between devices, BES10 and the wireless resource for additional data protection.

For example, when employees access the corporate Wi-Fi network, data transmissions between their device and BES10 are secured first by AES encryption and then by Wi-Fi encryption.

Wi-Fi Encryption (IEEE 802.11): Encrypts data transmitted between mobile devices and wireless access points set up to use Wi-Fi encryption.

VPN Encryption: Encrypts data transmitted between mobile devices and VPN servers.

AES Encryption: Encrypts data transmitted between mobile devices, the BlackBerry infrastructure and BES10.

SSL/TLS Encryption: Encrypts data transmitted between mobile devices and content servers, Web servers or messaging servers that use Microsoft ActiveSync.

BES10 Layers of Protection

BES10 contains multiple layers of protection so data stays secure both in transit and on devices.

In-transit Data Protection: BES10 protects data transmissions using transport layer security.

Work Data Device Protection: Work file systems and applications are kept separate from personal data and encrypted.

Personal Data Device Protection: IT managers can create policy rules to encrypt data within the personal file system.

Device Access Control: Work Wi-Fi and VPN profiles may be delivered remotely via BES10 to enable corporate network access.

Device Behavior Control: IT managers can remotely lock mobile devices, enforce policies and wipe work/personal data from devices.

Device User Information Protection: Users can delete all their information and application data from device memory.

BlackBerry 10 OS Protection: BlackBerry 10 devices conduct integrity tests to detect kernel damage and restart processes that stop responding.

Application Data Protection Via Sandboxing: Sandboxing separates and restricts the capabilities and permissions of applications running on the device.

Resource Protection: Adaptive partitioning is used to allocate unused resources during typical operating conditions to help ensure resources are available during peak conditions.

Access Capabilities Permissions Management: The BlackBerry 10 OS evaluates each device capability request made by an application, then grants access accordingly.

Boot ROM Code Verification: The device verifies that the boot ROM code is authentic, unmodified and has permission to run on the device.


Tech Talk 2

S/MIME Keys, Certificates and Encryption Algorithms

BlackBerry devices support keys and certificates in the following file formats and file name extensions:

• PEM (.pem, .cer)
• DER (.der, .cer)
• PFX (.pfx, .p12)

A private key and certificate must be stored on the device for each recipient of an encrypted email message. Keys and certificates can be stored simply by importing the files from a work email message. To send encrypted messages, your employees must use their work email accounts.
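Because the list above assigns the `.cer` extension to both PEM and DER, an import check has to decide from the file's content rather than its name. The following is an added example, not BlackBerry code: a Python classifier that tells PEM, DER certificate and PFX (PKCS#12) apart by structure and flags a mismatched extension; the function names and the sample byte strings are constructed for illustration, and the samples are not real certificates.

```python
import base64
import binascii
import os
import re

# Extensions per container family, as listed in the brochure above.
ALLOWED_EXT = {"PEM": {".pem", ".cer"}, "DER": {".der", ".cer"}, "PFX": {".pfx", ".p12"}}
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def read_tlv(buf, pos=0):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of input")
    return tag, buf[pos:pos + length], pos + length


def classify_der(der):
    """Tell an X.509 certificate from a PKCS#12 container by its first field."""
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    inner_tag, inner_val, _ = read_tlv(body)
    if inner_tag == 0x30:                  # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ...
        return "DER", "certificate"
    if inner_tag == 0x02 and inner_val == b"\x03":   # PFX ::= SEQUENCE { version INTEGER (3), ...
        return "PFX", "PKCS#12 container"  # normally carries a private key
    raise ValueError("DER SEQUENCE is neither a certificate nor a PFX")


def classify_key_file(data):
    """Return (family, detail) from the file content alone."""
    match = PEM_RE.search(data)
    if match is None:
        return classify_der(data)
    label = match.group(1).decode("ascii")
    try:
        der = base64.b64decode(b"".join(match.group(2).split()), validate=True)
    except binascii.Error as exc:
        raise ValueError("PEM armor with invalid base64 body") from exc
    if label == "CERTIFICATE" and classify_der(der) != ("DER", "certificate"):
        raise ValueError("PEM CERTIFICATE block does not hold a certificate")
    return "PEM", label


def check_import(filename, data):
    """Return (family, detail, extension_matches_content) for one file."""
    family, detail = classify_key_file(data)
    ext = os.path.splitext(filename)[1].lower()
    return family, detail, ext in ALLOWED_EXT[family]


def tlv(tag, value):
    """Encode one DER TLV; used only to build the constructed samples below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + value


# Constructed samples: certificate-shaped and PFX-shaped DER, not real credentials.
_TBS = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, b"\x00" * 200))
SAMPLE_CERT_DER = tlv(0x30, _TBS + tlv(0x30, b"") + tlv(0x03, b"\x00"))
SAMPLE_PFX_DER = tlv(0x30, tlv(0x02, b"\x03") + tlv(0x30, b""))
SAMPLE_CERT_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(SAMPLE_CERT_DER)
                   + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, blob in [("alice.cer", SAMPLE_CERT_PEM), ("alice.cer", SAMPLE_CERT_DER),
                       ("alice.cer", SAMPLE_PFX_DER), ("bundle.p12", SAMPLE_PFX_DER)]:
        print(name, check_import(name, blob))
```

A PFX file renamed to `.cer` is reported with a mismatched extension, which is the case worth logging before a key container is imported from mail.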

The following encryption algorithms can be used by BlackBerry devices to encrypt S/MIME-protected messages:

• AES (256-bit)
• AES (192-bit)
• AES (128-bit)
• Triple DES
• RC2

Tech Talk 1

FIPS 140-2 Certification Details

The FIPS 140-2 certification was implemented by the National Institute of Standards and Technology to govern cryptography modules that involve both hardware and software components.

The BlackBerry OS cryptographic kernel, which received FIPS 140-2 certification for the BlackBerry 10 OS and BES10, generates the file encryption keys, the work domain key, the work master key and the system master key to provide a strong layer of security to protect data.

The FIPS 140-2 certificates for BlackBerry 10 and BES10:

BlackBerry Enterprise Service 10: FIPS 140-2 Certificate no. 1765, Consolidated Certificate no. 0019, http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0019.pdf

BlackBerry 10: FIPS 140-2 Certificate no. 1578, Consolidated Certificate no. 0007, http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0007.pdf


Protecting Work Data on Personal-Use-Enabled Devices

BlackBerry Balance and BES10 protect sensitive data

Protecting work data accessible over the corporate Intranet or stored on employees' devices is a critical part of any comprehensive mobile data security plan. The widespread use of employee-owned and personal-use-enabled devices in corporate environments – Bring Your Own Device (BYOD) and Corporate Owned Personally Enabled (COPE) movements – creates major data security challenges. Without a heavy-duty security architecture in place, one designed for work and personal use, it is easy for employees to leak sensitive work data through personal use such as webmail and browsing, social networking and media, and untrusted personal applications.

With BlackBerry Balance™, a feature of BES10, you can create a "dual-persona" environment on employees' mobile devices by establishing a separate, secure environment for work-related applications and associated sensitive data. This work environment leverages integrated, cryptographically partitioned file systems to protect sensitive work data while delivering a compelling "work-life" user experience.

BlackBerry Balance: Seamless Separation of Personal & Work Data

BlackBerry Balance identifies and tags data and processes that originate from your company's Wi-Fi, VPN access or Intranet and routes it to the employee's work profile on the device. Other personal data and activities, including third-party applications, public Web browsing and personal email, are contained within the personal profile.

BlackBerry Balance Overview and Features

BlackBerry Balance keeps employees' work and personal information separate and secure on BlackBerry 10 devices using specifically designated areas called Spaces. Within each of these Spaces, data, applications and network connections can be safely stored. Individual Spaces can be governed by their own rules for data storage, application permissions and network routing. Using separate Spaces for work and personal activities helps keep sensitive data secure by preventing employees from copying work data into personal email or displaying information during video chats.


Built-in Password Protection

BES10 allows you to establish and enforce password policies quickly and easily to better protect data stored in employees' devices. IT policies can be set to require your employees to enter a password or use their corporate single sign-on using Active Directory® services to gain access to Spaces containing work-related data. This keeps data at rest on employee devices safe and protected.

BlackBerry Balance in action

After eight years of employment at your company, a salesperson is leaving to take a leadership role at a startup business that will share the same competitive space as your company. Looking to jumpstart the customer acquisition process, the departing salesperson, who has access to the corporate customer relationship management (CRM) system, attempts to send your company's customer list and deal status to his personal email account before leaving the company.

The soon-to-be former employee accesses the CRM application from his BlackBerry 10 device and tries to paste the list and deal information into his personal email account. Because BlackBerry Balance prevents copy and paste functions between employees' work profiles and personal profiles, the employee is unable to move data into his personal email or copy files from his Work Space to his Personal Space. Your company's sales information stays safe. In addition, BES10 allows you to wipe all corporate information from an employee-owned device after the employee has left the company, without impacting personal data.

Using BlackBerry Balance you can:

• Control employee access to company data and applications on their devices
• Prevent company data from becoming compromised
• Provide employees a unified and consistent user experience with a core set of applications when accessing personal or work data
• Install and manage company applications on employees' devices remotely
• Remove company data and applications from employee-owned devices when needed, without impacting personal configuration and data
• Control network connections for work and personal applications remotely

BlackBerry Balance lets you control how devices separate, secure and protect company data and resources.


Tech Talk 3

Work Space/Personal Space in Detail

BlackBerry Balance and BES10 provide a work environment that securely separates work and personal information on mobile devices. Devices classify data as work data or personal data based on the source of the data. For example, if data comes from a work-related source, it is stored in the device's Work Space. Personal and Work Spaces can have different rules for data storage, application permissions and network routing. The separate spaces help users to avoid activities such as accidentally copying work data into a personal application or displaying confidential work data. IT administrators have the option of managing and securing data in a Personal Space.

[Figure labels: Work Space (apps, data; encrypted), Personal Space (apps, data; encryption optional), base file system.]


Enforcing Strong Access Controls

BlackBerry security gives you greater control over how and when mobile devices connect to your network infrastructure and access data

BlackBerry security delivers multiple access control features, such as device authentication, anti-counterfeiting manufacturing controls and device OS protection, that verify and maintain device integrity. These features help ensure only authorized devices used by authorized employees gain entry into your network, use network services and access data.

BlackBerry Hardware Root of Trust

BlackBerry takes specific steps to help ensure the integrity of its devices and prevent counterfeit devices from connecting to the BlackBerry infrastructure.

Security is built into each major BlackBerry device component, making it more difficult for unauthorized users to remove or circumvent security on a BlackBerry device than on other mobile operating systems. Plus, all parts of the BlackBerry supply chain, from its manufacturing partners to the BlackBerry infrastructure and devices, are securely connected, which means trusted BlackBerry devices can be built around the world.

This secure manufacturing model helps prevent the impersonation of authentic BlackBerry devices and ensures that only authentic BlackBerry devices can connect to the BlackBerry infrastructure. Any device trying to connect to the BlackBerry infrastructure must complete the self-verification process before access is granted.

Authentication

Multiple forms of authentication take place within the BlackBerry system to minimize the possibility of data loss and outside attack. First, the BlackBerry infrastructure and BES10 authenticate with each other by sharing a Server Routing Protocol (SRP) authentication key before a connection takes place.

The second level of authentication takes place between BES10 and the activated BlackBerry 10 device. When the device is activated, it generates a key pair and sends the public key to BES10. The BES10 server then creates a client certificate and sends an enterprise management root certificate and client certificate back to the device. The device uses the enterprise management root certificate to authenticate the server certificate for the enterprise management Web service. BES10 and the BlackBerry 10 device use the client certificate to authenticate users, their Work Spaces and their devices.

[Figure: BlackBerry 10 Operating System verification chain]

• CPU Embedded Boot ROM: Boot ROM digital signature
• Boot ROM: public EC 521 key of OS signature → BlackBerry 10 OS verified
• BlackBerry 10 OS: SHA256 hash of Base File System (signed with EC 521) → Base File System (read only) verified
• Base File System: XML manifest of loaded applications (cryptographically hashed) → Applications 1 to 4 verified

Software Upgrades and Application Downloads from BlackBerry World: All downloads verified with ECC signed SHA-2 hashes.
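The verification order in the boot chain above (boot ROM, then OS, then base file system, then application manifest) can be modelled as follows. This is an added example, not BlackBerry code: the EC 521 signature checks named in the figure are replaced by SHA-256 digests pinned in the previous stage so that it runs with the Python standard library only, and the image layout, XML manifest format and function names are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET


def digest(data):
    """SHA-256 of a byte string as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def build_base_fs(apps):
    """Constructed read-only base file system: a header line followed by a
    hypothetical XML manifest listing each application's SHA-256."""
    root = ET.Element("manifest")
    for name in sorted(apps):
        ET.SubElement(root, "app", {"name": name, "sha256": digest(apps[name])})
    return b"constructed base file system\n" + ET.tostring(root)


def build_os_image(base_fs):
    """Constructed OS image: a header line followed by the digest of the base
    file system it expects (stand-in for the EC 521 signed SHA256 hash)."""
    return b"constructed OS image\n" + digest(base_fs).encode("ascii")


def build_device(apps):
    """Assemble a device in which every stage vouches for the next one."""
    base_fs = build_base_fs(apps)
    os_image = build_os_image(base_fs)
    return {
        # Stand-in for the boot ROM verifying the OS signature with its public key.
        "boot_rom_pin": digest(os_image),
        "os_image": os_image,
        "base_fs": base_fs,
        "apps": dict(apps),
    }


def verify_boot(device):
    """Walk the chain from the root; stop at the first stage that fails."""
    # Stage 1: the boot ROM checks the OS image before running it.
    if digest(device["os_image"]) != device["boot_rom_pin"]:
        return "halt: OS image"
    # Stage 2: the verified OS checks the base file system against its own record.
    expected_fs = device["os_image"].rsplit(b"\n", 1)[1].decode("ascii")
    if digest(device["base_fs"]) != expected_fs:
        return "halt: base file system"
    # Stage 3: the verified base file system supplies the application manifest.
    manifest = ET.fromstring(device["base_fs"].split(b"\n", 1)[1])
    listed = {app.get("name"): app.get("sha256") for app in manifest.iter("app")}
    for name, blob in sorted(device["apps"].items()):
        if listed.get(name) != digest(blob):   # modified or unlisted application
            return "halt: application " + name
    return "booted"


if __name__ == "__main__":
    apps = {"mail": b"mail v1", "browser": b"browser v1"}   # constructed payloads
    device = build_device(apps)
    print(verify_boot(device))

    # Each tampering attempt repairs one more layer and fails one stage earlier.
    evil = dict(apps, mail=b"mail v1 + implant")
    step1 = dict(device, apps=evil)
    step2 = dict(step1, base_fs=build_base_fs(evil))
    step3 = dict(step2, os_image=build_os_image(step2["base_fs"]))
    for attempt in (step1, step2, step3):
        print(verify_boot(attempt))
```

Rewriting the manifest or the OS image to match a modified application only moves the failure one stage closer to the root, which the attacker cannot rewrite.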


BlackBerry 10 Device OS Security Features

Protecting the device's OS is one of the most important functions of mobile device security. However, it's sometimes neglected by other manufacturers focused on consumer devices, since it can be challenging to verify the security vulnerabilities contained in millions of lines of source code, a common characteristic of many devices' OSs. The BlackBerry 10 OS includes security features for OS protection, including:

Microkernel Implementation: The hardened QNX microkernel used in the BlackBerry 10 OS contains approximately 150,000 lines of code. With fewer lines of code, the BlackBerry OS is less susceptible to vulnerabilities than other platforms. As a result, rigorous security verification and testing are achieved even with a fixed amount of IT resources.

Resilient Design: To reduce risks, the microkernel contains processes associated with personal use. Any unresponsive or misbehaving process is automatically restarted or killed, respectively, without impacting other processes.

Root Process Minimization: To reduce security risks, only the most essential BlackBerry processes are run in root mode. This mode is never available to third parties.

BlackBerry World Application Stores: Once a BlackBerry 10 device is activated on BES10, it has access to two separate BlackBerry World application storefronts: BlackBerry World for personal use and BlackBerry World for Work for enterprise use.

Within the Work Space, only applications approved by the BES10 administrator are permitted to be installed. Work applications can either be "pushed" to users based on policy or "pulled" by users for optional use. Within the Personal Space, users are free to download any application available through BlackBerry World.


For the large majority of organizations, BlackBerry Balance, available via the BES10 Silver EMM⁴ configuration, optimizes the balance between security and employee expectations for a compelling work and life end-user experience. Some highly sensitive, regulated environments, however, may not permit personal use on employee devices due to established risk management policies. For these organizations, often operating in government, financial services or healthcare sectors, for example, BlackBerry offers the BES10 Gold EMM⁵ configuration, which gives administrators the ability to disable personal use as well as impose device, application and content controls that exceed the granularity of the BES10 Silver EMM configuration. No other mobile platform offers this unique capability.

The BES10 regulated-level device management control features enable large enterprises and government and regulated industries to manage fully locked-down devices with a set of controls unmatched in their level of granularity.

Gold level device management capabilities include:

• BlackBerry 10 Mobile Device Management (MDM) capabilities designed for secure government and regulated environments
• Enforcement of corporate-only use and granular controls to manage use of camera, storage, WiFi, Bluetooth and other device features
• Option to enable a controlled Personal Space through BlackBerry Balance while ensuring all work content is fully protected within the Work Space
• User friendly and intuitive management console to manage your devices, users, groups, apps and services, including reporting and dashboard capabilities

Sampling of Regulated-level BlackBerry 10 Device Management Controls

Mobile Hotspot Mode and Tethering: Specify whether to allow Mobile Hotspot mode, tethering using Bluetooth technology and tethering using a USB cable on a BlackBerry 10 device.

Wireless Service Provider Billing: Specify whether a BlackBerry 10 device user can purchase applications from the BlackBerry World app storefront using the purchasing plan for your organization's wireless service provider.

Maximum Password Age: Specify the maximum number of days that can elapse before a BlackBerry 10 device password expires and a BlackBerry 10 device user must set a new password.

Wipe the Work Space without Network Connectivity: Specify the time in hours that must elapse without a BlackBerry 10 device connecting to your organization's network before wiping the entire device.

Non-Email Accounts: Specify whether a BlackBerry 10 device user can add third-party accounts for services such as Facebook, Twitter, LinkedIn and Evernote to the device.

Network Access Control for Work Applications: Specify whether work applications on a BlackBerry 10 device must connect to your organization's network through BES10.

Log Submission: Specify whether a BlackBerry 10 device can generate and send log files to the BlackBerry Technical Solution Center.

Bluetooth: Specify whether a BlackBerry 10 device can use Bluetooth technology.

SMS/MMS: Specify whether a BlackBerry 10 device can send SMS text messages and MMS messages.

Camera: Specify whether a BlackBerry 10 device can use the camera.

BES10's Gold level EMM controls and settings deliver the ultimate security solution for government and other high-security environments.


Leaders in innovation

• Largest Research & Development staff of any EMM vendor³
• Expansion of security model to iOS and Android
• Scalability: 100K devices per server
• 30K+ BES10 servers globally¹
• 44K patents¹


Managing Devices

With BES10, you can also easily manage iOS and Android™ devices from a central location

A typical enterprise may contain hundreds of devices, each one a potential unauthorized entry point into your corporate servers. To help IT departments get a handle on the large number and diversity of devices attached to your network, BlackBerry has extended its security model to iOS and Android smartphones and tablets through BES10. With the ability to use BES10 to manage multiple types of devices from a single platform and management console, IT administrators are able to strike the perfect balance between corporate and end user needs.

Secure Work Space for iOS and Android

BlackBerry has also extended its ability to protect corporate data, through the creation of secure computing and communications environments, to iOS and Android devices. Secure Work Space is a containerization, application-wrapping and secure connectivity option for iOS and Android smartphones and tablets that is managed through the BES10 administration console. Managed applications are secured and separated from personal apps and data, providing an integrated email, calendar and contacts app, an enterprise-level secure browser, and secure document viewing and editing. User authentication is required to access secure apps, and work data cannot be shared outside the Secure Work Space. The trusted BlackBerry security model provides built-in secure connectivity for all enterprise apps deployed to the Secure Work Space – no VPN needed.


BlackBerry Mobile Device Management in Action

Your company has hired several new employees – each due to receive a BlackBerry 10 smartphone. The IT department quickly and easily adds a user account for each employee into BES10 using information from your company's Microsoft Active Directory. An activation password for each account is created, along with the Server Routing Protocol (SRP) ID of the BES10, and delivered to the respective employee.

The new employees type their user IDs, passwords and SRP IDs into their BlackBerry 10 devices to activate them. The smartphone's enterprise management agent establishes a secure connection through the BlackBerry infrastructure over the network to BES10. Encryption keys based on IT department policies are generated, Work Spaces are created, and profiles and software configurations are sent to each smartphone. In just a few short steps, the incoming employees are empowered with fully functional and secure mobile devices.


Managing Devices Using Device Wipe

With BES10 and BlackBerry Balance, you can keep company data safe while leaving employee personal data intact. Using BES10, you can remotely wipe an employee's Work Space and all its content, leaving all personal data on the device in place.

You can also use BES10 to create policies that delete the Work Space from the device if certain events occur or specific conditions are met. For example, you can create a policy to delete the Work Space if the number of failed password attempts exceeds the maximum number allowed. You can also wipe the device if employees exceed their allotment of permitted hours or days since the last network connection.

Device Wipe in Action

An employee has just received a job offer from a competitor. This employee works in your company's procurement department and has access to the company enterprise resource planning (ERP) system via her BlackBerry 10 device. Using the ERP system application, the employee can see the company's suppliers, vendors, parts inventory, backlogs, sales projections and more.

The employee accepts the job offer and gives a two-week notice. Her manager alerts HR and IT departments about her upcoming departure. On her last day, IT wipes the employee's work profile from her BlackBerry 10 device, which prevents her from accessing the ERP and email systems. However, all of her personal information remains intact on her device as she moves on to her next job.

Distribution and Application Security Using BlackBerry World for Work

A benefit of BlackBerry Balance is that it allows IT to create and deploy a customized business application store called BlackBerry World for Work. With BlackBerry World for Work, you can push, install and manage business and productivity applications over the network to BlackBerry 10 device Work Spaces via BES10.

Application Sandboxing

The application sandboxing and malware controls found in BlackBerry 10 help keep company data safe and secure from potentially malicious applications. BlackBerry 10 also protects employees' personal data by allowing them to configure their devices' application controls and limit application access to their personal information.

Sandboxing separates and restricts an application's capabilities and permissions. The sandbox is a virtual container that uses device memory and part of the file system and grants access to the application at a specific time. Applications can have sandboxes in both an employee's Work Space and Personal Space, yet each remains isolated from the other. The BlackBerry 10 OS monitors application process requests for memory outside its sandbox. If the application attempts to access memory outside its sandbox, the BlackBerry 10 OS will stop the process and reclaim the memory it uses, then restart the process without impacting other processes operating at the same time. In addition, each application is assigned its own specific group identification, which cannot be shared or reused by another application. Each application stores data in its own sandbox, and the BlackBerry 10 OS prevents other applications from accessing this specific data.

Malware Controls

The BlackBerry 10 OS includes tight controls to reduce the possibility of malware attacks, including a 'contain-and-constrain' strategy that minimizes risks. Application process requests are constrained within employees' Personal Space on the device, and the BlackBerry OS microkernel monitors inter-process communications for potential issues. The microkernel also monitors memory access by the Personal Space and authorizes its use as needed. Any application process that attempts an unauthorized memory access request is automatically restarted or shut down, protecting your company data. In the employee's Personal Space, application permissions are used to protect personal data from potential malware attacks.

Malware Protection in Action

Instead of downloading an application to the device from the prescribed channel, an employee downloads an application from the Internet to her personal computer, then moves the application, which contains malware, to the device's Personal Space. The malware scans the employee's device for names, phone numbers, credit card numbers or any other bits of identity information that can be stolen and misused.

Work-related information is not impacted, as all company information remains isolated and locked down on the device's Work Space, fully protected and secure.


End-to-end Security

Securing and protecting corporate data is of paramount concern for all enterprises. As businesses continue to adopt and expand mobility options as a means of improving worker productivity and end-user satisfaction, however, protecting corporate information and guarding against data loss becomes an increasingly complex challenge for IT departments. Underlining the situation is the fact that each personal-enabled device added to the corporate network brings with it a new opportunity in which sensitive enterprise data can be disclosed accidentally or intentionally stolen, either by the device user or by any untrusted application that is installed on the device. Accordingly, today's resource-challenged IT departments require proven and comprehensive enterprise mobility management solutions that have integrated security designs and controls necessary to protect against these new risks, while delivering the compelling work and life experience that employees demand.

But protecting corporate data from misuse and loss is only half of the story. A mobile security solution, even an ironclad one, must also secure work applications while delivering an environment that enables developers to quickly and effectively create enterprise applications. BlackBerry 10 delivers on this promise with a highly functional application environment that is transparent to developers.

BlackBerry 10 was designed from the ground up to provide enterprises with the optimal balance of protection and productivity. BlackBerry 10, BES10, the BlackBerry infrastructure and BlackBerry 10 devices constitute an ironclad security solution that spans your entire business and delivers a productive and feature-rich work environment with an integrated suite of productivity applications for your increasingly mobilized workforce.


BlackBerry® Z30 Smartphone

Size: 140.7mm x 72mm x 9.4mm
Display: 5" Super AMOLED display, 24-bit color, 1280 x 720 resolution at 295 PPI
Software: BlackBerry® 10 OS
Memory: 2GB RAM, 16GB Flash, hot-swappable Micro SD slot
Processor: Dual Core 1.7 GHz Qualcomm MSM8960, Quad-core GPU
Battery Life¹: Mixed use: up to 25 hours. Talk time: up to 18 hours UMTS, 14 hours GSM. Standby time: up to 16 days. Music: up to 90 hours. Video: up to 12 hours
Camera: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®²: 802.11 a/b/g/n enabled, 4G Mobile Hotspot

BlackBerry® Z10 Smartphone

Size: 130mm x 65.6mm x 9mm
Display: 4.2" 4-point multi-touch LCD display, 1280 x 768 resolution at 356 DPI
Software: BlackBerry® 10 OS
Memory: 2GB RAM, 16GB Flash, hot-swappable Micro SD slot
Processor: Dual Core 1.5 GHz Texas Instruments OMAP 4470
Battery Life¹: Talk time: up to 11 hours on 3G. Standby time: up to 408 hours on 3G, up to 397 hours on 2G. Music: up to 51 hours. Video: up to 10 hours
Camera: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®²: 802.11 b/g/n enabled, Mobile Hotspot

BlackBerry® Q10 Smartphone

Size: 119.6mm x 66.8mm x 10.35mm
Display: 3.1" Super AMOLED display, 720 x 720 resolution at 330 PPI
Software: BlackBerry® 10 OS
Memory: 2GB RAM, 16GB Flash, hot-swappable Micro SD slot
Processor: Dual-core 1.5 GHz Qualcomm® MSM8960
Battery Life¹: Talk time: up to 13.5 hours on 3G. Standby time: up to 345 hours on 3G, up to 324 hours on 2G. Music: up to 62 hours. Video: up to 9 hours
Camera: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®²: 802.11 a/b/g/n enabled, 4G Mobile Hotspot

BlackBerry® Q5 Smartphone

Size: 120mm x 66mm x 10.8mm
Display: 3.1" capacitive multi-touch LCD display, 720 x 720 resolution at 329 PPI
Software: BlackBerry® 10 OS
Memory: 2GB RAM, 8GB Flash, hot-swappable Micro SD slot
Processor: Dual Core 1.2 GHz Qualcomm® MSM8960
Battery Life¹: Talk time: 3G up to 12.5 hours, 2G up to 10 hours. Standby time: up to 14 days on 3G, up to 13 days on 4G. Music: up to 62 hours. Video: up to 9 hours
Camera: 5 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®²: 802.11 b/g/n enabled, Mobile Hotspot

1 Many factors affect battery life, including but not limited to network transmission environment, battery age, usage, location, software and feature configuration.
2 WiFi availability may vary between country and mobile network operators.


BlackBerry Technical Support Services

Support is a key component of your Enterprise Mobility Management strategy. Implementing BES10 is easier than ever, but having a strategic support partner is still essential to assist you in delivering your mobility objectives. BlackBerry Technical Support Services offers a unique blend of technical expertise, rapid issue resolution and proactive, relationship-based support to help you realise the full potential of your BES10 multi-platform management infrastructure. For more information, visit blackberry.com/btss

Learn more at BES10.com/security

¹ February 2014

² August 2013

³ November 2013

⁴ Silver level EMM provides the management and control feature set for iOS, Android and BlackBerry 10 devices, previously known as BES10 EMM Corporate.

⁵ Gold level EMM provides the management and control feature set for BlackBerry 10 devices, previously known under the name EMM Regulated, and also covers the containerization option for iOS and Android management, known as Secure Work Space for iOS and Android.

Screen images simulated

© 2014 BlackBerry. All rights reserved. BlackBerry® and related trademarks, names and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world. All other trademarks are the property of their respective owners. iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS is used under license by Apple Inc. Apple Inc. does not sponsor, authorize or endorse this brochure. Android is a trademark of Google Inc., which does not sponsor, authorize or endorse this brochure.

EZ PASS: FREE perpetual BES10 licenses for all existing BlackBerry and other active MDM licenses, plus receive world class BlackBerry Advantage Level Technical Support FREE of charge.

Learn more at blackberry.com/ezpass

Additional Terms and Conditions will apply


An unavoidable consequence of the explosive expansion of mobile devices within businesses and organizations of all sizes is a proportional elevation in vulnerability to security breaches and data leakage. To protect your information from increased exposure to attacks or data loss through accidental or malicious means, IT administrators require a comprehensive security solution, but one that does not sacrifice business productivity or end-user satisfaction. BlackBerry end-to-end security is purpose built to deliver optimal protection for work-related content, both on devices and in transit. BlackBerry security delivers fast, integrated device, application and content management and fully encrypted, behind-the-firewall access to corporate data without the need for 3rd-party VPNs or add-on security.

The BlackBerry network, combined with its infrastructure, authentication, device management capabilities and hardened BlackBerry® 10 operating system, is the ultimate end-to-end mobile security solution.

BlackBerry Security

A fully integrated, end-to-end enterprise mobility security solution

BlackBerry security focuses on four critical areas:

• Protecting data in motion

• Protecting work data on personal-use-enabled devices

• Enforcing strong access controls

• Managing devices

These four functions protect your data from breaches, losses or alteration as it transits the end-to-end path from your enterprise BES10 server, the BlackBerry network and ultimately your employees’ BlackBerry devices.

The ultimate standard for end-to-end mobile security

• All G7 governments and 16 of the G20 governments rely on BlackBerry security¹

• 45 security certificates: more than any other mobile vendor³

• 35 PB per month on average: moves more secure mobile data through its infrastructure than any other EMM vendor³

• Only MDM provider to obtain ATO on US Defense networks²

• Dedicated Security Team

• FIPS 140-2

• AES 256


Protecting Data in Motion

A key element of the BlackBerry solution for in-transit data security in BES10

Because many of your employees work outside the office, it’s critical that you have strong security measures in place – both on employees’ devices and across internal network infrastructure – to protect data in transit. A key element of the BlackBerry solution for in-transit data security is the BlackBerry Enterprise Service 10, BlackBerry’s device and application management platform. BES10 offers built-in data encryption to help both enterprises and government agencies protect sensitive information and minimize data loss or alteration.

BES10 Overview

BlackBerry has long been the ultimate in mobile security. An integral component of the BlackBerry solution is BES10, which secures in-transit data using transport layer security over the BlackBerry infrastructure. BES10 encrypts data using AES 256-bit encryption prior to transmission, while message keys are encrypted by the device transport key. BES10 also protects and manages devices and applications within the end-to-end BlackBerry security solution.

[Figure: Secure Enterprise Connectivity. Components shown: BlackBerry 10 device (Work and Personal), Wi-Fi or 3G/4G, BlackBerry Infrastructure, Firewall, Firewall with VPN Gateway, Private Network, BlackBerry Enterprise Service 10 (BlackBerry Mobile Data and Connection Service, BlackBerry Dispatcher, Enterprise Management Web Service), content servers, Web servers and Microsoft ActiveSync. Setting shown: Enable Work Network For Personal Use (Enable/Disable).]

Figure legend:

• TLS: BlackBerry infrastructure authenticated with self certification

• AES 256: Encrypted with device transport key generated during activation

• SSL (Optional): Authenticated with server specific certificate

• SSL: Authenticated with client/server certificates generated during activation

• VPN: IPSec or SSL

• Wi-Fi: IEEE 802.11i with 802.1X (EAP-FAST, EAP-TLS, EAP-TTLS, PEAP and LEAP)

BES10 Security Philosophy

The security features found in BES10 are built upon a foundation of confidentiality, integrity and authenticity.

Confidentiality: BES10’s encryption capabilities ensure that only intended recipients can view corporate data.

Integrity: All email sent over a secure network is strongly encrypted to keep third parties from decrypting or altering the message.

Authenticity: BES10 provides two-way authentication upon pairing with the device, helping reduce the possibility of counterfeit devices accessing your infrastructure.


BlackBerry 10/BES10 FIPS 140-2 Certification

Businesses and government agencies alike need to feel confident that their highly sensitive data – whether it’s in storage or in transit – stays secure from would-be attackers. The US government created and implemented the FIPS 140-2 computer security standard and uses it to accredit file encryption modules.

Both the BlackBerry 10 OS and BES10 software are FIPS 140-2 certified, which means that your organization’s data is strongly encrypted and the corresponding encryption keys are rigorously protected. BlackBerry 10 devices controlled by BES10 are the only mobile devices to be given Authority to Operate (ATO) on Department of Defense networks.

S/MIME Messaging Encryption

BES10 gives you the option of using digital certificates to sign and encrypt email and file attachments using industry standard S/MIME encryption. When IT personnel activate a mobile device on BES10, the device can be configured to sign and encrypt messages using S/MIME whenever the employee sends emails via his or her work account. S/MIME encryption keeps messages secure by using recipients’ public keys to encrypt the message and their private key to decrypt it. Often overlooked as a security agent, S/MIME is a cost-effective productivity tool for enabling highly secure email communications with business partners and contractors outside of your organization.

Encryption Options

BES10 uses a technique called tunneling to protect data in transit over a secure network. Tunneling incorporates multiple layers of encryption between devices, BES10 and the wireless resource for additional data protection.

For example, when employees access the corporate Wi-Fi network, data transmissions between their device and BES10 are secured first by AES encryption and then by Wi-Fi encryption.

Wi-Fi Encryption (IEEE 802.11): Encrypts data transmitted between mobile devices and wireless access points set up to use Wi-Fi encryption.

VPN Encryption: Encrypts data transmitted between mobile devices and VPN servers.

AES Encryption: Encrypts data transmitted between mobile devices, the BlackBerry infrastructure and BES10.

SSL/TLS Encryption: Encrypts data transmitted between mobile devices and content servers, Web servers or messaging servers that use Microsoft ActiveSync.

BES10 Layers of Protection

BES10 contains multiple layers of protection, so data stays secure both in transit and on devices.

In-transit Data Protection: BES10 protects data transmissions using transport layer security.

Work Data Device Protection: Work file systems and applications are kept separate from personal data and encrypted.

Personal Data Device Protection: IT managers can create policy rules to encrypt data within the personal file system.

Device Access Control: Work Wi-Fi and VPN profiles may be delivered remotely via BES10 to enable corporate network access.

Device Behavior Control: IT managers can remotely lock mobile devices, enforce policies and wipe work/personal data from devices.

Device User Information Protection: Users can delete all their information and application data from device memory.

BlackBerry 10 OS Protection: BlackBerry 10 devices conduct integrity tests to detect kernel damage and restart processes that stop responding.

Application Data Protection Via Sandboxing: Sandboxing separates and restricts the capabilities and permissions of applications running on the device.

Resource Protection: Adaptive partitioning is used to allocate unused resources during typical operating conditions to help ensure resources are available during peak conditions.

Access Capabilities Permissions Management: The BlackBerry 10 OS evaluates each device capability request made by an application, then grants access accordingly.

Boot ROM Code Verification: The device verifies that the boot ROM code is authentic, unmodified and has permission to run on the device.


Tech Talk 2: S/MIME Keys, Certificates and Encryption Algorithms

BlackBerry devices support keys and certificates for the following file formats and file name extensions:

• PEM (.pem, .cer)

• DER (.der, .cer)

• PFX (.pfx, .p12)

A private key and certificate must be stored on the device for each recipient of an encrypted email message. Keys and certificates can be stored simply by importing the files from a work email message. To send encrypted messages, your employees must use their work email accounts.

The following encryption algorithms can be used by BlackBerry devices to encrypt S/MIME-protected messages:

• AES (256-bit)

• AES (192-bit)

• AES (128-bit)

• Triple DES

• RC2

Tech Talk 1: FIPS 140-2 Certification Details

The FIPS 140-2 certification was implemented by the National Institute of Standards and Technology to govern cryptography modules that involve both hardware and software components.

The BlackBerry OS cryptographic kernel, which received FIPS 140-2 certification for the BlackBerry 10 OS and BES10, generates the file encryption keys, the work domain key, the work master key and the system master key to provide a strong layer of security to protect data.

The FIPS 140-2 certificates for BlackBerry 10 and BES10:

• BlackBerry Enterprise Service 10: FIPS 140-2 Certificate no. 1765, Consolidated Certificate no. 0019, http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0019.pdf

• BlackBerry 10: FIPS 140-2 Certificate no. 1578, Consolidated Certificate no. 0007, http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0007.pdf


Protecting Work Data on Personal-Use-Enabled Devices

BlackBerry Balance and BES10 protect sensitive data

Protecting work data accessible over the corporate Intranet or stored on employees’ devices is a critical part of any comprehensive mobile data security plan. The widespread use of employee-owned and personal-use-enabled devices in corporate environments – Bring Your Own Device (BYOD) and Corporate Owned Personally Enabled (COPE) movements – creates major data security challenges. Without a heavy-duty security architecture in place, one designed for work and personal use, it is easy for employees to leak sensitive work data through personal use such as webmail and browsing, social networking and media, and untrusted personal applications.

With BlackBerry Balance™, a feature of BES10, you can create a “dual-persona” environment on employees’ mobile devices by establishing a separate, secure environment for work-related applications and associated sensitive data. This work environment leverages integrated, cryptographically partitioned file systems to protect sensitive work data while delivering a compelling “work-life” user experience.

BlackBerry Balance: Seamless Separation of Personal & Work Data

BlackBerry Balance identifies and tags data and processes that originate from your company’s Wi-Fi, VPN access or Intranet and routes it to the employee’s work profile on the device. Other personal data and activities, including third-party applications, public Web browsing and personal email, are contained within the personal profile.

BlackBerry Balance Overview and Features

BlackBerry Balance keeps employees’ work and personal information separate and secure on BlackBerry 10 devices using specifically designated areas called Spaces. Within each of these Spaces, data, applications and network connections can be safely stored. Individual Spaces can be governed by their own rules for data storage, application permissions and network routing. Using separate Spaces for work and personal activities helps keep sensitive data secure by preventing employees from copying work data into personal email or displaying information during video chats.


Built-in Password Protection

BES10 allows you to establish and enforce password policies quickly and easily to better protect data stored in employees’ devices. IT policies can be set to require your employees to enter a password or use their corporate single sign-on using Active Directory® services to gain access to Spaces containing work-related data. This keeps data at rest on employee devices safe and protected.

BlackBerry Balance in action

After eight years of employment at your company, a salesperson is leaving to take a leadership role at a startup business that will share the same competitive space as your company. Looking to jumpstart the customer acquisition process, the departing salesperson, who has access to the corporate customer relationship management (CRM) system, attempts to send your company’s customer list and deal status to his personal email account before leaving the company.

The soon-to-be former employee accesses the CRM application from his BlackBerry 10 device and tries to paste the list and deal information into his personal email account. Because BlackBerry Balance prevents copy and paste functions between employees’ work profiles and personal profiles, the employee is unable to move data into his personal email or copy files from his Work Space to his Personal Space. Your company’s sales information stays safe. In addition, BES10 allows you to wipe all corporate information from an employee-owned device after the employee has left the company, without impacting personal data.

Using BlackBerry Balance you can:

• Control employee access to company data and applications on their devices

• Prevent company data from becoming compromised

• Provide employees a unified and consistent user experience with a core set of applications when accessing personal or work data

• Install and manage company applications on employees’ devices remotely

• Remove company data and applications from employee-owned devices when needed without impacting personal configuration and data

• Control network connections for work and personal applications remotely

BlackBerry Balance lets you control how devices separate, secure and protect company data and resources.


Tech Talk 3: Work Space/Personal Space in Detail

BlackBerry Balance and BES10 provide a work environment that securely separates work and personal information on mobile devices. Devices classify data as work data or personal data based on the source of the data. For example, if data comes from a work-related source, it is stored in the device’s Work Space. Personal and Work Spaces can have different rules for data storage, application permissions and network routing. The separate spaces help users to avoid activities such as accidentally copying work data into a personal application or displaying confidential work data. IT administrators have the option of managing and securing data in a Personal Space.

[Figure: Work and Personal. Work Space (App, App, Data): Encrypt. Base file system. Personal Space (App, App, Data): Encrypt (optional).]


Enforcing Strong Access Controls

BlackBerry security gives you greater control over how and when mobile devices connect to your network infrastructure and access data

BlackBerry security delivers multiple access control features, such as device authentication, anti-counterfeiting manufacturing controls and device OS protection, that verify and maintain device integrity. These features help ensure only authorized devices used by authorized employees gain entry into your network, use network services and access data.

BlackBerry Hardware Root of Trust

BlackBerry takes specific steps to help ensure the integrity of its devices and prevent counterfeit devices from connecting to the BlackBerry infrastructure.

Security is built into each major BlackBerry device component, making it more difficult for unauthorized users to remove or circumvent security on a BlackBerry device than on other mobile operating systems. Plus, all parts of the BlackBerry supply chain, from its manufacturing partners to the BlackBerry infrastructure and devices, are securely connected, which means trusted BlackBerry devices can be built around the world.

This secure manufacturing model helps prevent the impersonation of authentic BlackBerry devices and ensures that only authentic BlackBerry devices can connect to the BlackBerry infrastructure. Any device trying to connect to the BlackBerry infrastructure must complete the self-verification process before access is granted.

Authentication

Multiple forms of authentication take place within the BlackBerry system to minimize the possibility of data loss and outside attack. First, the BlackBerry infrastructure and BES10 authenticate with each other by sharing a Server Routing Protocol (SRP) authentication key before a connection takes place.

The second level of authentication takes place between BES10 and the activated BlackBerry 10 device. When the device is activated, it generates a key pair and sends the public key to BES10. The BES10 server then creates a client certificate and sends an enterprise management root certificate and client certificate back to the device. The device uses the enterprise management root certificate to authenticate the server certificate for the enterprise management Web service. BES10 and the BlackBerry 10 device use the client certificate to authenticate users, their Work Spaces and their devices.

[Figure: BlackBerry 10 Operating System verification chain.

• CPU Embedded Boot ROM: Boot ROM digital signature (Verified)

• Boot ROM: Public EC 521 Key of OS Signature (Verified)

• BlackBerry 10 OS: SHA256 hash of Base File System, signed with EC 521 (Verified)

• Base File System (Read only): XML Manifest of loaded applications, cryptographically hashed (Verified)

• Applications 1 to 4

• Software Upgrades and Application Downloads from BlackBerry World: All downloads verified with ECC signed SHA-2 hashes]
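The hash-checking stages of the verification chain shown in the figure, as an added example that is not BlackBerry code. The EC 521 signature checks are not reproduced, so the trusted base file system digest stands in for an already verified signature; the manifest layout, file paths and sample data are assumptions.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

MANIFEST_PATH = "etc/manifest.xml"   # hypothetical location of the manifest


class VerificationError(Exception):
    """A stage failed verification; nothing below it may be trusted."""


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def fs_digest(files):
    """SHA-256 over a canonical encoding of the read-only base file system.

    Paths are sorted and every field is length-prefixed, so two different
    file sets can never serialize to the same byte stream.
    """
    h = hashlib.sha256()
    for path in sorted(files):
        for field in (path.encode(), files[path]):
            h.update(len(field).to_bytes(8, "big"))
            h.update(field)
    return h.hexdigest()


def verify_chain(trusted_fs_digest, files, apps):
    """Walk the chain: signed FS digest -> base FS -> manifest -> applications.

    trusted_fs_digest is assumed to come from an OS image whose signature was
    already checked by the previous stage. Returns (loadable, rejected) and
    raises VerificationError if the base file system itself does not match.
    """
    if not hmac.compare_digest(fs_digest(files), trusted_fs_digest):
        raise VerificationError("base file system digest mismatch")

    # The manifest is parsed only now: it lives inside the verified file
    # system, so its contents inherit that trust.
    root = ET.fromstring(files[MANIFEST_PATH])
    expected = {a.get("name"): a.get("sha256", "")
                for a in root.iter("application")}

    loadable, rejected = [], {}
    for name, blob in apps.items():
        if name not in expected:
            rejected[name] = "not listed in manifest"
        elif not hmac.compare_digest(sha256_hex(blob), expected[name]):
            rejected[name] = "digest mismatch"
        else:
            loadable.append(name)
    return sorted(loadable), rejected


# Constructed sample data (not real BlackBerry images or manifest format).
APPS = {"mail": b"mail-app-v1", "browser": b"browser-app-v1"}
BASE_FS = {
    "bin/init": b"init-binary",
    MANIFEST_PATH: (
        "<manifest>"
        + "".join(f'<application name="{n}" sha256="{sha256_hex(b)}"/>'
                  for n, b in APPS.items())
        + "</manifest>"
    ).encode(),
}
TRUSTED_FS_DIGEST = fs_digest(BASE_FS)   # stands in for the signed hash


def demo():
    """One modified application and one application absent from the manifest."""
    altered = dict(APPS, browser=b"browser-app-v1-modified", game=b"sideloaded")
    return verify_chain(TRUSTED_FS_DIGEST, BASE_FS, altered)


if __name__ == "__main__":
    print(demo())
```

Rewriting the manifest to list a modified application does not help, because the manifest is part of the base file system and the change breaks the digest checked in the first step.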


BlackBerry 10 Device OS Security Features

Protecting the device’s OS is one of the most important functions of mobile device security. However, it’s sometimes neglected by other manufacturers focused on consumer devices, since it can be challenging to verify the security vulnerabilities contained in millions of lines of source code, a common characteristic of many devices’ OSs. The BlackBerry 10 OS includes security features for OS protection, including:

Microkernel Implementation: The hardened QNX microkernel used in the BlackBerry 10 OS contains approximately 150,000 lines of code. With fewer lines of code, the BlackBerry OS is less susceptible to vulnerabilities than other platforms. As a result, rigorous security verification and testing are achieved even with a fixed amount of IT resources.

Resilient Design: To reduce risks, the microkernel contains processes associated with personal use. Any unresponsive or misbehaving process is automatically restarted or killed, respectively, without impacting other processes.

Root Process Minimization: To reduce security risks, only the most essential BlackBerry processes are run in root mode. This mode is never available to third parties.

BlackBerry World Application Stores

Once a BlackBerry 10 device is activated on BES10, it has access to two separate BlackBerry World application storefronts: BlackBerry World for personal use and BlackBerry World for Work for enterprise use.

Within the Work Space, only applications approved by the BES10 administrator are permitted to be installed. Work applications can either be “pushed” to users based on policy or “pulled” by users for optional use. Within the Personal Space, users are free to download any application available through BlackBerry World.


For the large majority of organizations, BlackBerry Balance, available via the BES10 Silver EMM⁴ configuration, optimizes the balance between security and employee expectations for a compelling work and life end-user experience. Some highly sensitive, regulated environments, however, may not permit personal use on employee devices due to established risk management policies. For these organizations, often operating in government, financial services or healthcare sectors, for example, BlackBerry offers the BES10 Gold EMM⁵ configuration, which gives administrators the ability to disable personal use as well as impose device, application and content controls that exceed the granularity of the BES10 Silver EMM configuration. No other mobile platform offers this unique capability.

The BES10 regulated-level device management control features enable large enterprises and government and regulated industries to manage fully locked-down devices with a set of controls unmatched in their level of granularity.

Gold level device management capabilities include:

• BlackBerry 10 Mobile Device Management (MDM) capabilities designed for secure government and regulated environments

• Enforcement of corporate-only use and granular controls to manage use of camera, storage, Wi-Fi, Bluetooth and other device features

• Option to enable a controlled Personal Space through BlackBerry Balance while ensuring all work content is fully protected within the Work Space

• User friendly and intuitive management console to manage your devices, users, groups, apps and services, including reporting and dashboard capabilities

Sampling of Regulated-level BlackBerry 10 Device Management Controls

Mobile Hotspot Mode and Tethering: Specify whether to allow Mobile Hotspot mode, tethering using Bluetooth technology and tethering using a USB cable on a BlackBerry 10 device.

Wireless Service Provider Billing: Specify whether a BlackBerry 10 device user can purchase applications from the BlackBerry World app storefront using the purchasing plan for your organization’s wireless service provider.

Maximum Password Age: Specify the maximum number of days that can elapse before a BlackBerry 10 device password expires and a BlackBerry 10 device user must set a new password.

Wipe the Work Space without Network Connectivity: Specify the time in hours that must elapse without a BlackBerry 10 device connecting to your organization’s network before wiping the entire device.

Non-Email Accounts: Specify whether a BlackBerry 10 device user can add third-party accounts for services such as Facebook, Twitter, LinkedIn and Evernote to the device.

Network Access Control for Work Applications: Specify whether work applications on a BlackBerry 10 device must connect to your organization’s network through BES10.

Log Submission: Specify whether a BlackBerry 10 device can generate and send log files to the BlackBerry Technical Solution Center.

Bluetooth: Specify whether a BlackBerry 10 device can use Bluetooth technology.

SMS/MMS: Specify whether a BlackBerry 10 device can send SMS text messages and MMS messages.

Camera: Specify whether a BlackBerry 10 device can use the camera.

BES10’s Gold level EMM controls and settings deliver the ultimate security solution for government and other high-security environments.


Leaders in innovation

• Largest Research & Development staff of any EMM vendor³

• Expansion of security model to iOS and Android

• Scalability: 100K devices per server

• 30K+ BES10 servers globally

• 44K patents¹


Managing Devices

With BES10 you can also easily manage iOS and Android™ devices from a central location

A typical enterprise may contain hundreds of devices, each one a potential unauthorized entry point into your corporate servers. To help IT departments get a handle on the large number and diversity of devices attached to your network, BlackBerry has extended its security model to iOS and Android smartphones and tablets through BES10. With the ability to use BES10 to manage multiple types of devices from a single platform and management console, IT administrators are able to strike the perfect balance between corporate and end user needs.

Secure Work Space for iOS and Android

BlackBerry has also extended its ability to protect corporate data through the creation of secure computing and communications environments to iOS and Android devices. Secure Work Space is a containerization, application-wrapping and secure connectivity option for iOS and Android smartphones and tablets that is managed through the BES10 administration console. Managed applications are secured and separated from personal apps and data, providing an integrated email, calendar and contacts app, an enterprise-level secure browser, and secure document viewing and editing. User authentication is required to access secure apps, and work data cannot be shared outside the Secure Work Space. The trusted BlackBerry security model provides built-in secure connectivity for all enterprise apps deployed to the Secure Work Space – no VPN needed.


BlackBerry Mobile Device Management in Action

Your company has hired several new employees – each due to receive a BlackBerry 10 smartphone. The IT department quickly and easily adds a user account for each employee into BES10 using information from your company’s Microsoft Active Directory. An activation password for each account is created, along with the Server Routing Protocol (SRP) ID of the BES10, and delivered to the respective employee.

The new employees type their user IDs, passwords and SRP IDs into their BlackBerry 10 devices to activate them. The smartphone’s enterprise management agent establishes a secure connection through the BlackBerry infrastructure over the network to BES10. Encryption keys based on IT department policies are generated, Work Spaces are created, and profiles and software configurations are sent to each smartphone. In just a few short steps, the incoming employees are empowered with fully functional and secure mobile devices.


Managing Devices Using Device Wipe

With BES10 and BlackBerry Balance, you can keep company data safe while leaving employee personal data intact. Using BES10, you can remotely wipe an employee’s Work Space and all its content, leaving all personal data on the device in place.

You can also use BES10 to create policies that delete the Work Space from the device if certain events occur or specific conditions are met. For example, you can create a policy to delete the Work Space if the number of failed password attempts exceeds the maximum number allowed. You can also wipe the device if employees exceed their allotment of permitted hours or days since the last network connection.

Device Wipe in Action

An employee has just received a job offer from a competitor. This employee works in your company’s procurement department and has access to the company enterprise resource planning (ERP) system via her BlackBerry 10 device. Using the ERP system application, the employee can see the company’s suppliers, vendors, parts inventory, backlogs, sales projections and more.

The employee accepts the job offer and gives a two-week notice. Her manager alerts HR and IT departments about her upcoming departure. On her last day, IT wipes the employee’s work profile from her BlackBerry 10 device, which prevents her from accessing the ERP and email systems. However, all of her personal information remains intact on her device as she moves on to her next job.

Distribution and Application Security Using BlackBerry World for Work

A benefit of BlackBerry Balance is that it allows IT to create and deploy a customized business application store called BlackBerry World for Work. With BlackBerry World for Work, you can push, install and manage business and productivity applications over the network to BlackBerry 10 device Work Spaces via BES10.

Application Sandboxing

The application sandboxing and malware controls found in BlackBerry 10 help keep company data safe and secure from potentially malicious applications. BlackBerry 10 also protects employees’ personal data by allowing them to configure their devices’ application controls and limit application access to their personal information.

Sandboxing separates and restricts an application’s capabilities and permissions. The sandbox is a virtual container that uses device memory and part of the file system and grants access to the application at a specific time. Applications can have sandboxes in both an employee’s Work Space and Personal Space, yet each remains isolated from the other. The BlackBerry 10 OS monitors application process requests for memory outside its sandbox. If the application attempts to access memory outside its sandbox, the BlackBerry 10 OS will stop the process and reclaim the memory it uses, then restart the process without impacting other processes operating at the same time. In addition, each application is assigned its own specific group identification, which cannot be shared or reused by another application. Each application stores data in its own sandbox, and the BlackBerry 10 OS prevents other applications from accessing this specific data.

Malware Controls

The BlackBerry 10 OS includes tight controls to reduce the possibility of malware attacks, including a ‘contain-and-constrain’ strategy that minimizes risks. Application process requests are constrained within employees’ Personal Space on the device, and the BlackBerry OS microkernel monitors inter-process communications for potential issues. The microkernel also monitors memory access by the Personal Space and authorizes its use as needed. Any application process that attempts an unauthorized memory access request is automatically restarted or shut down, protecting your company data. In the employee’s Personal Space, application permissions are used to protect personal data from potential malware attacks.

Malware Protection in Action

Instead of downloading an application to the device from the prescribed channel, an employee downloads an application from the Internet to her personal computer, then moves the application, which contains malware, to the device’s Personal Space. The malware scans the employee’s device for names, phone numbers, credit card numbers or any other bits of identity information that can be stolen and misused.

Work-related information is not impacted, as all company information remains isolated and locked down on the device’s Work Space, fully protected and secure.


End-to-end Security

Securing and protecting corporate data is of paramount concern for all enterprises. As businesses continue to adopt and expand mobility options as a means of improving worker productivity and end-user satisfaction, however, protecting corporate information and guarding against data loss becomes an increasingly complex challenge for IT departments. Underlining the situation is the fact that each personal-enabled device added to the corporate network brings with it a new opportunity in which sensitive enterprise data can be disclosed accidentally or intentionally stolen, either by the device user or by any untrusted application that is installed on the device. Accordingly, today’s resource-challenged IT departments require proven and comprehensive enterprise mobility management solutions that have integrated security designs and controls necessary to protect against these new risks while delivering the compelling work and life experience that employees demand.

But protecting corporate data from misuse and loss is only half of the story. A mobile security solution, even an ironclad one, must also secure work applications while delivering an environment that enables developers to quickly and effectively create enterprise applications. BlackBerry 10 delivers on this promise with a highly functional application environment that is transparent to developers.

BlackBerry 10 was designed from the ground up to provide enterprises with the optimal balance of protection and productivity. BlackBerry 10, BES10, the BlackBerry infrastructure and BlackBerry 10 devices constitute an ironclad security solution that spans your entire business and delivers a productive and feature-rich work environment with an integrated suite of productivity applications for your increasingly mobilized workforce.


BlackBerry® Z30 Smartphone
Size: 140.7mm x 72mm x 9.4mm
Display: 5" Super AMOLED display, 24 bit color, 1280 x 720 resolution at 295 PPI
Software: BlackBerry® 10 OS
Memory: 2GB RAM, 16GB Flash, hot-swappable Micro SD slot
Processor: Dual Core 1.7 GHz Qualcomm MSM8960, Quad-core GPU
Battery Life¹: Mixed use: Up to 25 hours. Talk time: Up to 18 hours UMTS, 14 hours GSM. Standby time: Up to 16 days. Music: Up to 90 hours. Video: Up to 12 hours
Camera: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording. 2MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®²: 802.11 a/b/g/n enabled, 4G Mobile Hotspot

BlackBerry® Z10 Smartphone
Size: 130mm x 65.6mm x 9mm
Display: 4.2" 4-point multi-touch LCD display, 1280 x 768 resolution at 356 DPI
Software: BlackBerry® 10 OS
Memory: 2GB RAM, 16GB Flash, hot-swappable Micro SD slot
Processor: Dual Core 1.5 GHz Texas Instruments OMAP 4470
Battery Life¹: Talk Time: up to 11 hours on 3G. Standby Time: up to 408 hours on 3G, up to 397 hours on 2G. Music: up to 51 hours. Video: up to 10 hours
Camera: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording. 2MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®²: 802.11 b/g/n enabled, Mobile Hotspot

BlackBerry® Q10 Smartphone
Size: 119.6mm x 66.8mm x 10.35mm
Display: 3.1" Super AMOLED display, 720 x 720 resolution at 330 PPI
Software: BlackBerry® 10 OS
Memory: 2GB RAM, 16GB Flash, hot-swappable Micro SD slot
Processor: Dual-core 1.5 GHz Qualcomm® MSM8960
Battery Life¹: Talk Time: up to 13.5 hours on 3G. Standby Time: up to 345 hours on 3G, up to 324 hours on 2G. Music: up to 62 hours. Video: up to 9 hours
Camera: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording. 2MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®²: 802.11 a/b/g/n enabled, 4G Mobile Hotspot

BlackBerry® Q5 Smartphone
Size: 120mm x 66mm x 10.8mm
Display: 3.1" Capacitive multi-touch LCD display, 720 x 720 resolution at 329 PPI
Software: BlackBerry® 10 OS
Memory: 2GB RAM, 8GB Flash, hot-swappable Micro SD slot
Processor: Dual Core 1.2 GHz Qualcomm® MSM8960
Battery Life¹: Talk Time: 3G - up to 12.5 hours, 2G - up to 10 hours. Standby Time: up to 14 days on 3G, up to 13 days on 4G. Music: up to 62 hours. Video: up to 9 hours
Camera: 5 MP rear-facing camera, 5x digital zoom, 1080p HD video recording. 2MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®²: 802.11 b/g/n enabled, Mobile Hotspot

1 Many factors affect battery life, including but not limited to network transmission environment, battery age, usage, location, software and feature configuration.
2 WiFi availability may vary between country and mobile network operators.


BlackBerry Technical Support Services

Support is a key component of your Enterprise Mobility Management strategy. Implementing BES10 is easier than ever, but having a strategic support partner is still essential to assist you in delivering your mobility objectives. BlackBerry Technical Support Services offers a unique blend of technical expertise, rapid issue resolution and proactive relationship-based support to help you realise the full potential of your BES10 multi-platform management infrastructure. For more information, visit blackberry.com/btss

Learn more at BES10.com/security

1 February 2014
2 August 2013
3 November 2013
4 Silver level EMM provides the management and control feature set for iOS, Android and BlackBerry 10 devices, previously known as BES10 EMM Corporate.
5 Gold level EMM provides the management and control feature set for BlackBerry 10 devices, previously known under the name EMM Regulated, and also covers the containerization option for iOS and Android management known as Secure Work Space for iOS and Android.

Screen images simulated

© 2014 BlackBerry. All rights reserved. BlackBerry® and related trademarks, names and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world. All other trademarks are the property of their respective owners. iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS is used under license by Apple Inc. Apple Inc. does not sponsor, authorize or endorse this brochure. Android is a trademark of Google Inc., which does not sponsor, authorize or endorse this brochure.

EZ PASS

FREE perpetual BES10 licenses for all existing BlackBerry and other active MDM licenses, plus receive world class BlackBerry Advantage Level Technical Support FREE of charge.

Learn more at blackberry.com/ezpass

Additional Terms and Conditions will apply

The ultimate standard for end-to-end mobile security

45 security certificates: more than any other mobile vendor³
35PB per month on average: moves more secure mobile data through its infrastructure than any other EMM vendor³
Only MDM provider to obtain ATO on US Defense networks²
Dedicated Security Team
FIPS 140-2
AES256


Protecting Data in Motion

A key element of the BlackBerry solution for in-transit data security is BES10

Because many of your employees work outside the office, it’s critical that you have strong security measures in place – both on employees’ devices and across internal network infrastructure – to protect data in transit. A key element of the BlackBerry solution for in-transit data security is the BlackBerry Enterprise Service 10, BlackBerry’s device and application management platform. BES10 offers built-in data encryption to help both enterprises and government agencies protect sensitive information and minimize data loss or alteration.

BES10 Overview

BlackBerry has long been the ultimate in mobile security. An integral component of the BlackBerry solution is BES10, which secures in-transit data using transport layer security over the BlackBerry infrastructure. BES10 encrypts data using AES 256-bit encryption prior to transmission, while message keys are encrypted by the device transport key. BES10 also protects and manages devices and applications within the end-to-end BlackBerry security solution.

[Figure: Secure Enterprise Connectivity. Components shown: BlackBerry 10 device (Work and Personal); Wi-Fi or 3G/4G connections; Firewall with VPN Gateway; BlackBerry Infrastructure; Firewall; BlackBerry Enterprise Service 10 (BlackBerry Mobile Data and Connection Service, BlackBerry Dispatcher, Enterprise Management Web Service); Content servers, Web servers and Microsoft ActiveSync; Private Network. Setting shown: Enable Work Network For Personal Use (Enable/Disable).]

Connection legend:
VPN: IPSec or SSL
TLS: BlackBerry infrastructure authenticated with self certification
AES 256: Encrypted with device transport key generated during activation
SSL (Optional): Authenticated with server specific certificate
SSL: Authenticated with client/server certificates generated during activation
Wi-Fi: IEEE 802.11i with 802.1x (EAP-FAST, EAP-TLS, EAP-TTLS, PEAP and LEAP)


BES10 Security Philosophy


The security features found in BES10 are built upon a foundation of confidentiality, integrity and authenticity.

Confidentiality: BES10’s encryption capabilities ensure that only intended recipients can view corporate data.

Integrity: All email sent over a secure network is strongly encrypted to keep third parties from decrypting or altering the message.

Authenticity: BES10 provides two-way authentication upon pairing with the device, helping reduce the possibility of counterfeit devices accessing your infrastructure.


BlackBerry 10/BES10 FIPS 140-2 Certification

Businesses and government agencies alike need to feel confident that their highly sensitive data – whether it’s in storage or in transit – stays secure from would-be attackers. The US government created and implemented the FIPS 140-2 computer security standard and uses it to accredit file encryption modules.

Both the BlackBerry 10 OS and BES10 software are FIPS 140-2 certified, which means that your organization’s data is strongly encrypted and the corresponding encryption keys are rigorously protected. BlackBerry 10 devices controlled by BES10 are the only mobile devices to be given Authority to Operate (ATO) on Department of Defense networks.

S/MIME Messaging Encryption

BES10 gives you the option of using digital certificates to sign and encrypt email and file attachments using industry standard S/MIME encryption. When IT personnel activate a mobile device on BES10, the device can be configured to sign and encrypt messages using S/MIME whenever the employee sends emails via his or her work account. S/MIME encryption keeps messages secure by using recipients’ public keys to encrypt the message and their private key to decrypt it. Often overlooked as a security agent, S/MIME is a cost-effective productivity tool for enabling highly secure email communications with business partners and contractors outside of your organization.

Encryption Options

BES10 uses a technique called tunneling to protect data in transit over a secure network. Tunneling incorporates multiple layers of encryption between devices, BES10 and the wireless resource for additional data protection.

For example, when employees access the corporate Wi-Fi network, data transmissions between their device and BES10 are secured first by AES encryption and then by Wi-Fi encryption.

Wi-Fi Encryption (IEEE 802.11): Encrypts data transmitted between mobile devices and wireless access points set up to use Wi-Fi encryption.

VPN Encryption: Encrypts data transmitted between mobile devices and VPN servers.

AES Encryption: Encrypts data transmitted between mobile devices, the BlackBerry infrastructure and BES10.

SSL/TLS Encryption: Encrypts data transmitted between mobile devices and content servers, Web servers or messaging servers that use Microsoft ActiveSync.

BES10 Layers of Protection

BES10 contains multiple layers of protection so data stays secure both in transit and on devices.

In-transit Data Protection: BES10 protects data transmissions using transport layer security.

Work Data Device Protection: Work file systems and applications are kept separate from personal data and encrypted.

Personal Data Device Protection: IT managers can create policy rules to encrypt data within the personal file system.

Device Access Control: Work Wi-Fi and VPN profiles may be delivered remotely via BES10 to enable corporate network access.

Device Behavior Control: IT managers can remotely lock mobile devices, enforce policies and wipe work/personal data from devices.

Device User Information Protection: Users can delete all their information and application data from device memory.

BlackBerry 10 OS Protection: BlackBerry 10 devices conduct integrity tests to detect kernel damage and restart processes that stop responding.

Application Data Protection Via Sandboxing: Sandboxing separates and restricts the capabilities and permissions of applications running on the device.

Resource Protection: Adaptive partitioning is used to allocate unused resources during typical operating conditions to help ensure resources are available during peak conditions.

Access Capabilities Permissions Management: The BlackBerry 10 OS evaluates each device capability request made by an application, then grants access accordingly.

Boot ROM Code Verification: The device verifies that the boot ROM code is authentic, unmodified and has permission to run on the device.


Tech Talk 2: S/MIME Keys, Certificates and Encryption Algorithms

BlackBerry devices support keys and certificates for the following file format and file name extensions:

• PEM (.pem, .cer)
• DER (.der, .cer)
• PFX (.pfx, .p12)

A private key and certificate must be stored on the device for each recipient of an encrypted email message. Keys and certificates can be stored simply by importing the files from a work email message. To send encrypted messages, your employees must use their work email accounts.

The following encryption algorithms can be used by BlackBerry devices to encrypt S/MIME-protected messages:

• AES (256-bit)
• AES (192-bit)
• AES (128-bit)
• Triple DES
• RC2

Tech Talk 1: FIPS 140-2 Certification Details

The FIPS 140-2 certification was implemented by the National Institute of Standards and Technology to govern cryptography modules that involve both hardware and software components.

The BlackBerry OS cryptographic kernel, which received FIPS 140-2 certification for the BlackBerry 10 OS and BES10, generates the file encryption keys, the work domain key, the work master key and the system master key to provide a strong layer of security to protect data.

The FIPS 140-2 certificate for BlackBerry 10 and BES10:

BlackBerry Enterprise Service 10: FIPS 140-2 Certificate no. 1765, Consolidated Certificate no. 0019, http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0019.pdf

BlackBerry 10: FIPS 140-2 Certificate no. 1578, Consolidated Certificate no. 0007, http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0007.pdf


Protecting Work Data on Personal-Use-Enabled Devices

BlackBerry Balance and BES10 protect sensitive data

Protecting work data accessible over the corporate Intranet or stored on employees’ devices is a critical part of any comprehensive mobile data security plan. The widespread use of employee-owned and personal-use-enabled devices in corporate environments – Bring Your Own Device (BYOD) and Corporate Owned Personally Enabled (COPE) movements – creates major data security challenges. Without a heavy-duty security architecture in place, one designed for work and personal use, it is easy for employees to leak sensitive work data through personal use such as webmail and browsing, social networking and media, and untrusted personal applications.

With BlackBerry Balance™, a feature of BES10, you can create a “dual-persona” environment on employees’ mobile devices by establishing a separate, secure environment for work-related applications and associated sensitive data. This work environment leverages integrated, cryptographically partitioned file systems to protect sensitive work data while delivering a compelling “work-life” user experience.

BlackBerry Balance: Seamless Separation of Personal & Work Data

BlackBerry Balance identifies and tags data and processes that originate from your company’s Wi-Fi, VPN access or Intranet and routes it to the employee’s work profile on the device. Other personal data and activities, including third-party applications, public Web browsing and personal email, are contained within the personal profile.

BlackBerry Balance Overview and Features

BlackBerry Balance keeps employees’ work and personal information separate and secure on BlackBerry 10 devices using specifically designated areas called Spaces. Within each of these Spaces, data, applications and network connections can be safely stored. Individual Spaces can be governed by their own rules for data storage, application permissions and network routing. Using separate Spaces for work and personal activities helps keep sensitive data secure by preventing employees from copying work data into personal email or displaying information during video chats.


Built-in Password Protection

BES10 allows you to establish and enforce password policies quickly and easily to better protect data stored in employees’ devices. IT policies can be set to require your employees to enter a password or use their corporate single sign-on using Active Directory® services to gain access to Spaces containing work-related data. This keeps data at rest on employee devices safe and protected.

BlackBerry Balance in action

After eight years of employment at your company, a salesperson is leaving to take a leadership role at a startup business that will share the same competitive space as your company. Looking to jumpstart the customer acquisition process, the departing salesperson, who has access to the corporate customer relationship management (CRM) system, attempts to send your company’s customer list and deal status to his personal email account before leaving the company.

The soon-to-be former employee accesses the CRM application from his BlackBerry 10 device and tries to paste the list and deal information into his personal email account. Because BlackBerry Balance prevents copy and paste functions between employees’ work profiles and personal profiles, the employee is unable to move data into his personal email or copy files from his Work Space to his Personal Space. Your company’s sales information stays safe. In addition, BES10 allows you to wipe all corporate information from an employee-owned device after the employee has left the company without impacting personal data.

Using BlackBerry Balance you can:

• Control employee access to company data and applications on their devices
• Prevent company data from becoming compromised
• Provide employees a unified and consistent user experience with a core set of applications when accessing personal or work data
• Install and manage company applications on employees’ devices remotely
• Remove company data and applications from employee-owned devices when needed without impacting personal configuration and data
• Control network connections for work and personal applications remotely

BlackBerry Balance lets you control how devices separate, secure and protect company data and resources.


Tech Talk 3: Work Space/Personal Space in Detail

BlackBerry Balance and BES10 provide a work environment that securely separates work and personal information on mobile devices. Devices classify data as work data or personal data based on the source of the data. For example, if data comes from a work-related source, it is stored in the device’s Work Space. Personal and Work Spaces can have different rules for data storage, application permissions and network routing. The separate spaces help users to avoid activities such as accidentally copying work data into a personal application or displaying confidential work data. IT administrators have the option of managing and securing data in a Personal Space.

[Figure: Work and Personal Spaces. Work Space: apps and data, labelled "Encrypt". Personal Space: apps and data, labelled "Encrypt (optional)". Both sit above the base file system.]


Enforcing Strong Access Controls

BlackBerry security gives you greater control over how and when mobile devices connect to your network infrastructure and access data

BlackBerry security delivers multiple access control features, such as device authentication, anti-counterfeiting manufacturing controls and device OS protection, that verify and maintain device integrity. These features help ensure only authorized devices used by authorized employees gain entry into your network, use network services and access data.

BlackBerry Hardware Root of Trust

BlackBerry takes specific steps to help ensure the integrity of its devices and prevent counterfeit devices from connecting to the BlackBerry infrastructure.

Security is built into each major BlackBerry device component, making it more difficult for unauthorized users to remove or circumvent security on a BlackBerry device than on other mobile operating systems. Plus, all parts of the BlackBerry supply chain, from its manufacturing partners to the BlackBerry infrastructure and devices, are securely connected, which means trusted BlackBerry devices can be built around the world.

This secure manufacturing model helps prevent the impersonation of authentic BlackBerry devices and ensures that only authentic BlackBerry devices can connect to the BlackBerry infrastructure. Any device trying to connect to the BlackBerry infrastructure must complete the self-verification process before access is granted.

Authentication

Multiple forms of authentication take place within the BlackBerry system to minimize the possibility of data loss and outside attack. First, the BlackBerry infrastructure and BES10 authenticate with each other by sharing a Server Routing Protocol (SRP) authentication key before a connection takes place.

The second level of authentication takes place between BES10 and the activated BlackBerry 10 device. When the device is activated, it generates a key pair and sends the public key to BES10. The BES10 server then creates a client certificate and sends an enterprise management root certificate and client certificate back to the device. The device uses the enterprise management root certificate to authenticate the server certificate for the enterprise management Web service. BES10 and the BlackBerry 10 device use the client certificate to authenticate users, their Work Spaces and their devices.

[Figure: BlackBerry 10 Operating System verification chain]
CPU Embedded Boot ROM (Boot ROM digital signature)
→ Boot ROM (Public EC 521 Key of OS Signature): Verified
→ BlackBerry 10 OS (SHA256 hash of Base File System, signed with EC 521): Verified
→ Base File System (Read only) (XML Manifest of loaded applications, cryptographically hashed): Verified
→ Application 1, Application 2, Application 3, Application 4

Software Upgrades and Application Downloads from BlackBerry World: All downloads verified with ECC signed SHA-2 hashes.
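
The two hash-checking stages named in the diagram above (the SHA256 hash of the base file system and the hashed XML manifest of applications) can be sketched as follows. This is an added example, not BlackBerry code: the image layout, manifest schema and all names are assumptions, and the EC 521 signature checks are not modelled.

```python
"""Added illustration of hash-based boot-chain checks (not BlackBerry code).

Assumptions: the image layout, the manifest schema and every name below are
hypothetical. The EC 521 signature checks are not modelled; TRUSTED_DIGEST
stands in for a base-file-system hash whose signature was already verified.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET


class VerificationError(Exception):
    """A stage of the chain failed its integrity check."""


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(apps):
    """Build the (hypothetical) XML manifest: one SHA-256 digest per app."""
    root = ET.Element("manifest")
    for name in sorted(apps):
        ET.SubElement(root, "application", name=name,
                      sha256=sha256_hex(apps[name]))
    return ET.tostring(root)


def build_base_fs(manifest_xml, system_files):
    """Constructed image layout: 4-byte manifest length, manifest, files."""
    return len(manifest_xml).to_bytes(4, "big") + manifest_xml + system_files


def verify_base_fs(image, trusted_digest):
    """Stage 1: hash the whole image before parsing anything inside it."""
    if not hmac.compare_digest(sha256_hex(image), trusted_digest):
        raise VerificationError("base file system digest mismatch")
    size = int.from_bytes(image[:4], "big")
    if len(image) < 4 + size:
        raise VerificationError("truncated manifest")
    return image[4:4 + size]


def parse_manifest(manifest_xml):
    """Return {app name: expected digest}; reject ambiguous entries."""
    digests = {}
    for node in ET.fromstring(manifest_xml).iter("application"):
        name, digest = node.get("name"), node.get("sha256")
        if not name or not digest or name in digests:
            raise VerificationError("malformed or duplicate manifest entry")
        digests[name] = digest
    return digests


def verify_application(name, blob, manifest):
    """Stage 2: an app loads only if the manifest lists its exact digest."""
    expected = manifest.get(name)
    if expected is None:
        raise VerificationError("not listed in manifest")
    if not hmac.compare_digest(sha256_hex(blob), expected):
        raise VerificationError("digest mismatch")


def boot(image, trusted_digest, apps):
    """Verify the image, then each app; return a verdict per app name."""
    manifest = parse_manifest(verify_base_fs(image, trusted_digest))
    verdicts = {}
    for name, blob in apps.items():
        try:
            verify_application(name, blob, manifest)
            verdicts[name] = "verified"
        except VerificationError as exc:
            verdicts[name] = "blocked: %s" % exc
    return verdicts


# Constructed sample data: two applications and a base file system image.
APPS = {"mail": b"mail-app-v1", "browser": b"browser-app-v1"}
IMAGE = build_base_fs(build_manifest(APPS), b"system-files")
TRUSTED_DIGEST = sha256_hex(IMAGE)

if __name__ == "__main__":
    print(boot(IMAGE, TRUSTED_DIGEST, APPS))
    # A modified application no longer matches its manifest entry.
    tampered = dict(APPS, mail=b"mail-app-v1+modified")
    print(boot(IMAGE, TRUSTED_DIGEST, tampered))
    # Regenerating the manifest to match changes the image hash, so the
    # earlier stage rejects the whole image.
    forged = build_base_fs(build_manifest(tampered), b"system-files")
    try:
        boot(forged, TRUSTED_DIGEST, tampered)
    except VerificationError as exc:
        print("boot refused:", exc)
```

Each stage is only as trustworthy as the one before it: the manifest can vouch for applications because the image that contains it was hashed first, and that hash is in turn covered by a signature checked earlier in the chain.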


BlackBerry 10 Device OS Security Features

Protecting the device’s OS is one of the most important functions of mobile device security. However, it’s sometimes neglected by other manufacturers focused on consumer devices, since it can be challenging to verify the security vulnerabilities contained in millions of lines of source code, a common characteristic of many devices’ OSs. The BlackBerry 10 OS includes security features for OS protection, including:

Microkernel Implementation: The hardened QNX microkernel used in the BlackBerry 10 OS contains approximately 150,000 lines of code. With fewer lines of code, the BlackBerry OS is less susceptible to vulnerabilities than other platforms. As a result, rigorous security verification and testing are achieved even with a fixed amount of IT resources.

Resilient Design: To reduce risks, the microkernel contains processes associated with personal use. Any unresponsive or misbehaving process is automatically restarted or killed, respectively, without impacting other processes.

Root Process Minimization: To reduce security risks, only the most essential BlackBerry processes are run in root mode. This mode is never available to third parties.

BlackBerry World Application Stores: Once a BlackBerry 10 device is activated on BES10, it has access to two separate BlackBerry World application storefronts: BlackBerry World for personal use and BlackBerry World for Work for enterprise use.

Within the Work Space, only applications approved by the BES10 administrator are permitted to be installed. Work applications can either be “pushed” to users based on policy or “pulled” by users for optional use. Within the Personal Space, users are free to download any application available through BlackBerry World.


For the large majority of organizations, BlackBerry Balance, available via the BES10 Silver EMM⁴ configuration, optimizes the balance between security and employee expectations for a compelling work and life end-user experience. Some highly sensitive, regulated environments, however, may not permit personal use on employee devices due to established risk management policies. For these organizations, often operating in government, financial services or healthcare sectors for example, BlackBerry offers the BES10 Gold EMM⁵ configuration, which gives administrators the ability to disable personal use as well as impose device, application and content controls that exceed the granularity of the BES10 Silver EMM configuration. No other mobile platform offers this unique capability.

The BES10 regulated-level device management control features enable large enterprises and government and regulated industries to manage fully locked-down devices with a set of controls unmatched in their level of granularity.

Gold level device management capabilities include:

• BlackBerry 10 Mobile Device Management (MDM) capabilities designed for secure government and regulated environments
• Enforcement of corporate-only use and granular controls to manage use of camera, storage, WiFi, Bluetooth and other device features
• Option to enable a controlled Personal Space through BlackBerry Balance while ensuring all work content is fully protected within the Work Space
• User friendly and intuitive management console to manage your devices, users, groups, apps and services, including reporting and dashboard capabilities

Sampling of Regulated-level BlackBerry 10 Device Management Controls

Mobile Hotspot Mode and Tethering: Specify whether to allow Mobile Hotspot mode, tethering using Bluetooth technology and tethering using a USB cable on a BlackBerry 10 device.

Wireless Service Provider Billing: Specify whether a BlackBerry 10 device user can purchase applications from the BlackBerry World app storefront using the purchasing plan for your organization’s wireless service provider.

Maximum Password Age: Specify the maximum number of days that can elapse before a BlackBerry 10 device password expires and a BlackBerry 10 device user must set a new password.

Wipe the Work Space without Network Connectivity: Specify the time in hours that must elapse without a BlackBerry 10 device connecting to your organization’s network before wiping the entire device.

Non-Email Accounts: Specify whether a BlackBerry 10 device user can add third-party accounts for services such as Facebook, Twitter, LinkedIn and Evernote to the device.

Network Access Control for Work Applications: Specify whether work applications on a BlackBerry 10 device must connect to your organization’s network through BES10.

Log Submission: Specify whether a BlackBerry 10 device can generate and send log files to the BlackBerry Technical Solution Center.

Bluetooth: Specify whether a BlackBerry 10 device can use Bluetooth technology.

SMS/MMS: Specify whether a BlackBerry 10 device can send SMS text messages and MMS messages.

Camera: Specify whether a BlackBerry 10 device can use the camera.

BES10’s Gold level EMM controls and settings deliver the ultimate security solution for government and other high-security environments.


Leaders in innovation

Largest Research & Development staff of any EMM vendor³
Expansion of security model to iOS and Android
Scalability: 100K devices per server
30K+ BES10 servers globally¹
44K patents¹


Managing Devices

With BES10 you can also easily manage iOS and Android™ devices from a central location

A typical enterprise may contain hundreds of devices, each one a potential unauthorized entry point into your corporate servers. To help IT departments get a handle on the large number and diversity of devices attached to your network, BlackBerry has extended its security model to iOS and Android smartphones and tablets through BES10. With the ability to use BES10 to manage multiple types of devices from a single platform and management console, IT administrators are able to strike the perfect balance between corporate and end user needs.

Secure Work Space for iOS and Android

BlackBerry has also extended its ability to protect corporate data through the creation of secure computing and communications environments to iOS and Android devices. Secure Work Space is a containerization, application-wrapping and secure connectivity option for iOS and Android smartphones and tablets that is managed through the BES10 administration console. Managed applications are secured and separated from personal apps and data, providing an integrated email, calendar and contacts app, an enterprise-level secure browser and secure document viewing and editing. User authentication is required to access secure apps, and work data cannot be shared outside the Secure Work Space. The trusted BlackBerry security model provides built-in secure connectivity for all enterprise apps deployed to the Secure Work Space – no VPN needed.


BlackBerry Mobile Device Management in Action

Your company has hired several new employees – each due to receive a BlackBerry 10 smartphone. The IT department quickly and easily adds a user account for each employee into BES10 using information from your company’s Microsoft Active Directory. An activation password for each account is created, along with the Server Routing Protocol (SRP) ID of the BES10, and delivered to the respective employee.

The new employees type their user IDs, passwords and SRP IDs into their BlackBerry 10 devices to activate them. The smartphone’s enterprise management agent establishes a secure connection through the BlackBerry infrastructure over the network to BES10. Encryption keys based on IT department policies are generated, Work Spaces are created, and profiles and software configurations are sent to each smartphone. In just a few short steps, the incoming employees are empowered with fully functional and secure mobile devices.


Managing Devices Using Device Wipe

With BES10 and BlackBerry Balance, you can keep company data safe while leaving employee personal data intact. Using BES10, you can remotely wipe an employee's Work Space and all its content, leaving all personal data on the device in place.

You can also use BES10 to create policies that delete the Work Space from the device if certain events occur or specific conditions are met. For example, you can create a policy to delete the Work Space if the number of failed password attempts exceeds the maximum number allowed. You can also wipe the device if employees exceed their allotment of permitted hours or days since the last network connection.

Device Wipe in Action

An employee has just received a job offer from a competitor. This employee works in your company's procurement department and has access to the company enterprise resource planning (ERP) system via her BlackBerry 10 device. Using the ERP system application, the employee can see the company's suppliers, vendors, parts inventory, backlogs, sales projections and more.

The employee accepts the job offer and gives a two-week notice. Her manager alerts the HR and IT departments about her upcoming departure. On her last day, IT wipes the employee's work profile from her BlackBerry 10 device, which prevents her from accessing the ERP and email systems. However, all of her personal information remains intact on her device as she moves on to her next job.

Distribution and Application Security Using BlackBerry World for Work

A benefit of BlackBerry Balance is that it allows IT to create and deploy a customized business application store called BlackBerry World for Work. With BlackBerry World for Work, you can push, install and manage business and productivity applications over the network to BlackBerry 10 device Work Spaces via BES10.

Application Sandboxing

The application sandboxing and malware controls found in BlackBerry 10 help keep company data safe and secure from potentially malicious applications. BlackBerry 10 also protects employees' personal data by allowing them to configure their devices' application controls and limit application access to their personal information.

Sandboxing separates and restricts an application's capabilities and permissions. The sandbox is a virtual container that uses device memory and part of the file system and grants access to the application at a specific time. Applications can have sandboxes in both an employee's Work Space and Personal Space, yet each remains isolated from the other. The BlackBerry 10 OS monitors application process requests for memory outside its sandbox. If the application attempts to access memory outside its sandbox, the BlackBerry 10 OS will stop the process and reclaim the memory it uses, then restart the process without impacting other processes operating at the same time. In addition, each application is assigned its own specific group identification, which cannot be shared or reused by another application. Each application stores data in its own sandbox, and the BlackBerry 10 OS prevents other applications from accessing this specific data.

Malware Controls

The BlackBerry 10 OS includes tight controls to reduce the possibility of malware attacks, including a 'contain-and-constrain' strategy that minimizes risks. Application process requests are constrained within employees' Personal Space on the device, and the BlackBerry OS microkernel monitors inter-process communications for potential issues. The microkernel also monitors memory access by the Personal Space and authorizes its use as needed. Any application process that attempts an unauthorized memory access request is automatically restarted or shut down, protecting your company data. In the employee's Personal Space, application permissions are used to protect personal data from potential malware attacks.

Malware Protection in Action

Instead of downloading an application to the device from the prescribed channel, an employee downloads an application from the Internet to her personal computer, then moves the application, which contains malware, to the device's Personal Space. The malware scans the employee's device for names, phone numbers, credit card numbers or any other bits of identity information that can be stolen and misused.

Work-related information is not impacted, as all company information remains isolated and locked down on the device's Work Space, fully protected and secure.


End-to-end Security

Securing and protecting corporate data is of paramount concern for all enterprises. As businesses continue to adopt and expand mobility options as a means of improving worker productivity and end-user satisfaction, however, protecting corporate information and guarding against data loss becomes an increasingly complex challenge for IT departments. Underlining the situation is the fact that each personal-enabled device added to the corporate network brings with it a new opportunity in which sensitive enterprise data can be disclosed accidentally or intentionally stolen, either by the device user or by any untrusted application that is installed on the device. Accordingly, today's resource-challenged IT departments require proven and comprehensive enterprise mobility management solutions that have the integrated security designs and controls necessary to protect against these new risks while delivering the compelling work and life experience that employees demand.

But protecting corporate data from misuse and loss is only half of the story. A mobile security solution, even an ironclad one, must also secure work applications while delivering an environment that enables developers to quickly and effectively create enterprise applications. BlackBerry 10 delivers on this promise with a highly functional application environment that is transparent to developers.

BlackBerry 10 was designed from the ground up to provide enterprises with the optimal balance of protection and productivity. BlackBerry 10, BES10, the BlackBerry infrastructure and BlackBerry 10 devices constitute an ironclad security solution that spans your entire business and delivers a productive and feature-rich work environment, with an integrated suite of productivity applications for your increasingly mobilized workforce.


| | BlackBerry® Z30 Smartphone | BlackBerry® Z10 Smartphone | BlackBerry® Q10 Smartphone | BlackBerry® Q5 Smartphone |
|---|---|---|---|---|
| Size | 140.7mm x 72mm x 9.4mm | 130mm x 65.6mm x 9mm | 119.6mm x 66.8mm x 10.35mm | 120mm x 66mm x 10.8mm |
| Display | 5" Super AMOLED display, 24 bit color, 1280 x 720 resolution at 295 PPI | 4.2" 4-point multi-touch LCD display, 1280 x 768 resolution at 356 DPI | 3.1" Super AMOLED display, 720 x 720 resolution at 330 PPI | 3.1" capacitive multi-touch LCD display, 720 x 720 resolution at 329 PPI |
| Software | BlackBerry® 10 OS | BlackBerry® 10 OS | BlackBerry® 10 OS | BlackBerry® 10 OS |
| Memory | 2GB RAM, 16GB Flash, hot-swappable Micro SD slot | 2GB RAM, 16GB Flash, hot-swappable Micro SD slot | 2GB RAM, 16GB Flash, hot-swappable Micro SD slot | 2GB RAM, 8GB Flash, hot-swappable Micro SD slot |
| Processor | Dual Core 1.7 GHz Qualcomm MSM8960, Quad-core GPU | Dual Core 1.5 GHz Texas Instruments OMAP 4470 | Dual-core 1.5 GHz Qualcomm® MSM8960 | Dual Core 1.2 GHz Qualcomm® MSM8960 |
| Battery Life (1) | Mixed use: up to 25 hours; Talk time: up to 18 hours UMTS, 14 hours GSM; Standby time: up to 16 days; Music: up to 90 hours; Video: up to 12 hours | Talk time: up to 11 hours on 3G; Standby time: up to 408 hours on 3G, up to 397 hours on 2G; Music: up to 51 hours; Video: up to 10 hours | Talk time: up to 13.5 hours on 3G; Standby time: up to 345 hours on 3G, up to 324 hours on 2G; Music: up to 62 hours; Video: up to 9 hours | Talk time: 3G up to 12.5 hours, 2G up to 10 hours; Standby time: up to 14 days on 3G, up to 13 days on 4G; Music: up to 62 hours; Video: up to 9 hours |
| Camera | 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording | 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording | 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording | 5 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording |
| GPS | GPS-enabled with preloaded BlackBerry® Maps application | GPS-enabled with preloaded BlackBerry® Maps application | GPS-enabled with preloaded BlackBerry® Maps application | GPS-enabled with preloaded BlackBerry® Maps application |
| Bluetooth® | Bluetooth 4.0 Low Energy | Bluetooth 4.0 Low Energy | Bluetooth 4.0 Low Energy | Bluetooth 4.0 Low Energy |
| Wi-Fi® (2) | 802.11 a/b/g/n enabled, 4G Mobile Hotspot | 802.11 b/g/n enabled, Mobile Hotspot | 802.11 a/b/g/n enabled, 4G Mobile Hotspot | 802.11 b/g/n enabled, Mobile Hotspot |

(1) Many factors affect battery life, including but not limited to network, transmission environment, battery age, usage, location, software and feature configuration.
(2) WiFi availability may vary between country and mobile network operators.


BlackBerry Technical Support Services

Support is a key component of your Enterprise Mobility Management strategy. Implementing BES10 is easier than ever, but having a strategic support partner is still essential to assist you in delivering your mobility objectives. BlackBerry Technical Support Services offers a unique blend of technical expertise, rapid issue resolution and proactive, relationship-based support to help you realise the full potential of your BES10 multi-platform management infrastructure. For more information, visit blackberry.com/btss

Learn more at BES10.com/security

(1) February 2014
(2) August 2013
(3) November 2013
(4) Silver level EMM provides the management and control feature set for iOS, Android and BlackBerry 10 devices, previously known as BES10 EMM Corporate.
(5) Gold level EMM provides the management and control feature set for BlackBerry 10 devices, previously known under the name EMM Regulated, and also covers the containerization option for iOS and Android management known as Secure Work Space for iOS and Android.

Screen images simulated

© 2014 BlackBerry. All rights reserved. BlackBerry® and related trademarks, names and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world. All other trademarks are the property of their respective owners. iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS is used under license by Apple Inc. Apple Inc. does not sponsor, authorize or endorse this brochure. Android is a trademark of Google Inc., which does not sponsor, authorize or endorse this brochure.

EZ PASS: FREE perpetual BES10 licenses for all existing BlackBerry and other active MDM licenses, plus receive world class BlackBerry Advantage Level Technical Support FREE of charge.

Learn more at blackberry.com/ezpass

Additional Terms and Conditions will apply.


Because many of your employees work outside the office, it's critical that you have strong security measures in place, both on employees' devices and across internal network infrastructure, to protect data in transit. A key element of the BlackBerry solution for in-transit data security is the BlackBerry Enterprise Service 10, BlackBerry's device and application management platform. BES10 offers built-in data encryption to help both enterprises and government agencies protect sensitive information and minimize data loss or alteration.

BES10 Overview

BlackBerry has long been the ultimate in mobile security. An integral component of the BlackBerry solution is BES10, which secures in-transit data using transport layer security over the BlackBerry infrastructure. BES10 encrypts data using AES 256-bit encryption prior to transmission, while message keys are encrypted by the device transport key. BES10 also protects and manages devices and applications within the end-to-end BlackBerry security solution.

Protecting Data in Motion

A key element of the BlackBerry solution for in-transit data security is BES10

[Figure: Secure Enterprise Connectivity. Components shown: BlackBerry 10 device (Work and Personal), Wi-Fi or 3G/4G, BlackBerry Infrastructure, Firewall, Firewall with VPN Gateway, Private Network, BlackBerry Enterprise Service 10 (BlackBerry Dispatcher, BlackBerry Mobile Data and Connection Service, Enterprise Management Web Service), content servers, Web servers, Microsoft ActiveSync. Setting shown: Enable Work Network For Personal Use (Enable/Disable).]

Figure legend:

VPN: IPSec or SSL
TLS: BlackBerry infrastructure authenticated with self certification
AES 256: Encrypted with device transport key generated during activation
SSL (Optional): Authenticated with server specific certificate
SSL: Authenticated with client/server certificates generated during activation
Wi-Fi: IEEE 802.11i with 802.1x (EAP-FAST, EAP-TLS, EAP-TTLS, PEAP and LEAP)

BES10 Security Philosophy

The security features found in BES10 are built upon a foundation of confidentiality, integrity and authenticity.

Confidentiality: BES10's encryption capabilities ensure that only intended recipients can view corporate data.

Integrity: All email sent over a secure network is strongly encrypted to keep third parties from decrypting or altering the message.

Authenticity: BES10 provides two-way authentication upon pairing with the device, helping reduce the possibility of counterfeit devices accessing your infrastructure.


BlackBerry 10/BES10 FIPS 140-2 Certification

Businesses and government agencies alike need to feel confident that their highly sensitive data, whether it's in storage or in transit, stays secure from would-be attackers. The U.S. government created and implemented the FIPS 140-2 computer security standard and uses it to accredit file encryption modules.

Both the BlackBerry 10 OS and BES10 software are FIPS 140-2 certified, which means that your organization's data is strongly encrypted and the corresponding encryption keys are rigorously protected. BlackBerry 10 devices controlled by BES10 are the only mobile devices to be given Authority to Operate (ATO) on Department of Defense networks.

S/MIME Messaging Encryption

BES10 gives you the option of using digital certificates to sign and encrypt email and file attachments using industry standard S/MIME encryption. When IT personnel activate a mobile device on BES10, the device can be configured to sign and encrypt messages using S/MIME whenever the employee sends emails via his or her work account. S/MIME encryption keeps messages secure by using recipients' public keys to encrypt the message and their private key to decrypt it. Often overlooked as a security agent, S/MIME is a cost-effective productivity tool for enabling highly secure email communications with business partners and contractors outside of your organization.

Encryption Options

BES10 uses a technique called tunneling to protect data in transit over a secure network. Tunneling incorporates multiple layers of encryption between devices, BES10 and the wireless resource for additional data protection.

For example, when employees access the corporate Wi-Fi network, data transmissions between their device and BES10 are secured first by AES encryption and then by Wi-Fi encryption.

Wi-Fi Encryption (IEEE 802.11): Encrypts data transmitted between mobile devices and wireless access points set up to use Wi-Fi encryption.

VPN Encryption: Encrypts data transmitted between mobile devices and VPN servers.

AES Encryption: Encrypts data transmitted between mobile devices, the BlackBerry infrastructure and BES10.

SSL/TLS Encryption: Encrypts data transmitted between mobile devices and content servers, Web servers or messaging servers that use Microsoft ActiveSync.

BES10 Layers of Protection

BES10 contains multiple layers of protection so data stays secure both in transit and on devices.

In-transit Data Protection: BES10 protects data transmissions using transport layer security.

Work Data Device Protection: Work file systems and applications are kept separate from personal data and encrypted.

Personal Data Device Protection: IT managers can create policy rules to encrypt data within the personal file system.

Device Access Control: Work Wi-Fi and VPN profiles may be delivered remotely via BES10 to enable corporate network access.

Device Behavior Control: IT managers can remotely lock mobile devices, enforce policies and wipe work/personal data from devices.

Device User Information Protection: Users can delete all their information and application data from device memory.

BlackBerry 10 OS Protection: BlackBerry 10 devices conduct integrity tests to detect kernel damage and restart processes that stop responding.

Application Data Protection Via Sandboxing: Sandboxing separates and restricts the capabilities and permissions of applications running on the device.

Resource Protection: Adaptive partitioning is used to allocate unused resources during typical operating conditions to help ensure resources are available during peak conditions.

Access Capabilities Permissions Management: The BlackBerry 10 OS evaluates each device capability request made by an application, then grants access accordingly.

Boot ROM Code Verification: The device verifies that the boot ROM code is authentic, unmodified and has permission to run on the device.


Tech Talk 2: S/MIME Keys, Certificates and Encryption Algorithms

BlackBerry devices support keys and certificates in the following file formats and file name extensions:

• PEM (.pem, .cer)
• DER (.der, .cer)
• PFX (.pfx, .p12)

A private key and certificate must be stored on the device for each recipient of an encrypted email message. Keys and certificates can be stored simply by importing the files from a work email message. To send encrypted messages, your employees must use their work email accounts.

The following encryption algorithms can be used by BlackBerry devices to encrypt S/MIME-protected messages:

• AES (256-bit)
• AES (192-bit)
• AES (128-bit)
• Triple DES
• RC2

Tech Talk 1: FIPS 140-2 Certification Details

The FIPS 140-2 certification was implemented by the National Institute of Standards and Technology to govern cryptography modules that involve both hardware and software components.

The BlackBerry OS cryptographic kernel, which received FIPS 140-2 certification for the BlackBerry 10 OS and BES10, generates the file encryption keys, the work domain key, the work master key and the system master key to provide a strong layer of security to protect data.

The FIPS 140-2 certificate for BlackBerry 10 and BES10:

BlackBerry Enterprise Service 10: FIPS 140-2 Certificate no. 1765, Consolidated Certificate no. 0019
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0019.pdf

BlackBerry 10: FIPS 140-2 Certificate no. 1578, Consolidated Certificate no. 0007
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0007.pdf


Protecting Work Data on Personal-Use-Enabled Devices

BlackBerry Balance and BES10 protect sensitive data

Protecting work data accessible over the corporate Intranet or stored on employees' devices is a critical part of any comprehensive mobile data security plan. The widespread use of employee-owned and personal-use-enabled devices in corporate environments (the Bring Your Own Device (BYOD) and Corporate Owned Personally Enabled (COPE) movements) creates major data security challenges. Without a heavy-duty security architecture in place, one designed for work and personal use, it is easy for employees to leak sensitive work data through personal use such as webmail and browsing, social networking and media, and untrusted personal applications.

With BlackBerry Balance™, a feature of BES10, you can create a "dual-persona" environment on employees' mobile devices by establishing a separate, secure environment for work-related applications and associated sensitive data. This work environment leverages integrated, cryptographically partitioned file systems to protect sensitive work data while delivering a compelling "work-life" user experience.

BlackBerry Balance: Seamless Separation of Personal & Work Data

BlackBerry Balance identifies and tags data and processes that originate from your company's Wi-Fi, VPN access or Intranet and routes them to the employee's work profile on the device. Other personal data and activities, including third-party applications, public Web browsing and personal email, are contained within the personal profile.

BlackBerry Balance Overview and Features

BlackBerry Balance keeps employees' work and personal information separate and secure on BlackBerry 10 devices using specifically designated areas called Spaces. Within each of these Spaces, data, applications and network connections can be safely stored. Individual Spaces can be governed by their own rules for data storage, application permissions and network routing. Using separate Spaces for work and personal activities helps keep sensitive data secure by preventing employees from copying work data into personal email or displaying information during video chats.


Built-in Password Protection

BES10 allows you to establish and enforce password policies quickly and easily to better protect data stored on employees' devices. IT policies can be set to require your employees to enter a password or use their corporate single sign-on using Active Directory® services to gain access to Spaces containing work-related data. This keeps data at rest on employee devices safe and protected.

BlackBerry Balance in Action

After eight years of employment at your company, a salesperson is leaving to take a leadership role at a startup business that will share the same competitive space as your company. Looking to jumpstart the customer acquisition process, the departing salesperson, who has access to the corporate customer relationship management (CRM) system, attempts to send your company's customer list and deal status to his personal email account before leaving the company.

The soon-to-be former employee accesses the CRM application from his BlackBerry 10 device and tries to paste the list and deal information into his personal email account. Because BlackBerry Balance prevents copy and paste functions between employees' work profiles and personal profiles, the employee is unable to move data into his personal email or copy files from his Work Space to his Personal Space. Your company's sales information stays safe. In addition, BES10 allows you to wipe all corporate information from an employee-owned device after the employee has left the company, without impacting personal data.

Using BlackBerry Balance, you can:

• Control employee access to company data and applications on their devices
• Prevent company data from becoming compromised
• Provide employees a unified and consistent user experience with a core set of applications when accessing personal or work data
• Install and manage company applications on employees' devices remotely
• Remove company data and applications from employee-owned devices when needed, without impacting personal configuration and data
• Control network connections for work and personal applications remotely

BlackBerry Balance lets you control how devices separate, secure and protect company data and resources.


Tech Talk 3: Work Space/Personal Space in Detail

BlackBerry Balance and BES10 provide a work environment that securely separates work and personal information on mobile devices. Devices classify data as work data or personal data based on the source of the data. For example, if data comes from a work-related source, it is stored in the device's Work Space. Personal and Work Spaces can have different rules for data storage, application permissions and network routing. The separate spaces help users to avoid activities such as accidentally copying work data into a personal application or displaying confidential work data. IT administrators have the option of managing and securing data in a Personal Space.

[Figure: Work and Personal. Work Space: apps and data, Encrypt. Personal Space: apps and data, Encrypt (optional). Both sit on the base file system.]


Enforcing Strong Access Controls

BlackBerry security gives you greater control over how and when mobile devices connect to your network infrastructure and access data

BlackBerry security delivers multiple access control features, such as device authentication, anti-counterfeiting manufacturing controls and device OS protection, that verify and maintain device integrity. These features help ensure only authorized devices used by authorized employees gain entry into your network, use network services and access data.

BlackBerry Hardware Root of Trust

BlackBerry takes specific steps to help ensure the integrity of its devices and prevent counterfeit devices from connecting to the BlackBerry infrastructure.

Security is built into each major BlackBerry device component, making it more difficult for unauthorized users to remove or circumvent security on a BlackBerry device than on other mobile operating systems. Plus, all parts of the BlackBerry supply chain, from its manufacturing partners to the BlackBerry infrastructure and devices, are securely connected, which means trusted BlackBerry devices can be built around the world.

This secure manufacturing model helps prevent the impersonation of authentic BlackBerry devices and ensures that only authentic BlackBerry devices can connect to the BlackBerry infrastructure. Any device trying to connect to the BlackBerry infrastructure must complete the self-verification process before access is granted.

Authentication

Multiple forms of authentication take place within the BlackBerry system to minimize the possibility of data loss and outside attack. First, the BlackBerry infrastructure and BES10 authenticate with each other by sharing a Server Routing Protocol (SRP) authentication key before a connection takes place.

The second level of authentication takes place between BES10 and the activated BlackBerry 10 device. When the device is activated, it generates a key pair and sends the public key to BES10. The BES10 server then creates a client certificate and sends an enterprise management root certificate and the client certificate back to the device. The device uses the enterprise management root certificate to authenticate the server certificate for the enterprise management Web service. BES10 and the BlackBerry 10 device use the client certificate to authenticate users, their Work Spaces and their devices.
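The second level of authentication described above, modelled with Go's standard X.509 library. This is an example added here, not BlackBerry code: the `Server` type, the certificate names, the P-256 curve and the nonce signature (which stands in for the proof of key possession a TLS handshake would perform) are all assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Server is a hypothetical stand-in for the certificate-issuing role the text gives BES10.
type Server struct {
	rootKey    *ecdsa.PrivateKey
	RootCert   *x509.Certificate // "enterprise management root certificate"
	ServerCert *x509.Certificate // certificate of the enterprise management web service
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // curve is an assumption
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs a certificate over pub with the root key; parent == nil makes the self-signed root.
func (s *Server) issue(cn string, pub *ecdsa.PublicKey, usage x509.ExtKeyUsage, parent *x509.Certificate) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage}, BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, x509.KeyUsageCertSign, nil
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, s.rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func NewServer() (s *Server, err error) {
	s = &Server{rootKey: newKey()}
	if s.RootCert, err = s.issue("Example EM Root", &s.rootKey.PublicKey, 0, nil); err != nil {
		return nil, err
	}
	s.ServerCert, err = s.issue("emws.example.test", &newKey().PublicKey, x509.ExtKeyUsageServerAuth, s.RootCert)
	return s, err
}

// Activate: the device has sent its public key; the server returns root and client certificates.
func (s *Server) Activate(id string, pub *ecdsa.PublicKey) (root, client *x509.Certificate, err error) {
	client, err = s.issue(id, pub, x509.ExtKeyUsageClientAuth, s.RootCert)
	return s.RootCert, client, err
}

// ChainsTo reports whether leaf was issued under root for the given purpose.
func ChainsTo(root, leaf *x509.Certificate, usage x509.ExtKeyUsage) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}

// SignNonce is the device proving it holds the private key behind its certificate.
func SignNonce(key *ecdsa.PrivateKey, nonce []byte) []byte {
	digest := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// AuthenticateDevice is the server-side check: valid chain plus proof of key possession.
func (s *Server) AuthenticateDevice(cert *x509.Certificate, nonce, sig []byte) error {
	if err := ChainsTo(s.RootCert, cert, x509.ExtKeyUsageClientAuth); err != nil {
		return err
	}
	digest := sha256.Sum256(nonce)
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("device did not prove possession of the certified key")
	}
	return nil
}

func main() {
	srv, _ := NewServer()
	dev, nonce := newKey(), []byte("constructed nonce")
	root, cert, _ := srv.Activate("device-0001", &dev.PublicKey)
	fmt.Println(ChainsTo(root, srv.ServerCert, x509.ExtKeyUsageServerAuth) == nil,
		srv.AuthenticateDevice(cert, nonce, SignNonce(dev, nonce)) == nil)
}
```

A copied client certificate is not enough on its own: without the device's private key the nonce check fails, and a certificate issued under any other root fails the chain check.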

[Figure: BlackBerry 10 Operating System verification chain. CPU Embedded Boot ROM (Boot ROM digital signature) → Verified → Boot ROM (Public EC 521 Key of OS Signature) → Verified → BlackBerry 10 OS (SHA256 hash of Base File System, signed with EC 521) → Verified → Base File System, read only (XML Manifest of loaded applications, cryptographically hashed) → Applications 1 to 4.]

Software Upgrades and Application Downloads from BlackBerry World: All downloads verified with ECC signed SHA-2 hashes.
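The staged verification named in the figure labels above (EC 521 signature on the OS, signed SHA256 hash of the base file system, hashed XML manifest of applications), as an added example that is not BlackBerry code. The `Device` and `Manifest` types, the manifest layout, the use of one key for both signatures and SHA-256 as the digest under the OS signature are assumptions; all data is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest models the "XML manifest of loaded applications"; the element and
// attribute names are assumptions made for this example.
type Manifest struct {
	Apps []struct {
		Name   string `xml:"name,attr"`
		SHA256 string `xml:"sha256,attr"`
	} `xml:"app"`
}

// Device holds constructed stand-ins for the stages in the figure.
type Device struct {
	OSKey     *ecdsa.PublicKey  // public EC 521 key held by the boot ROM
	OSImage   []byte            // operating system image
	OSSig     []byte            // signature over SHA-256(OSImage)
	BaseFS    []byte            // read-only base file system; here just the manifest
	BaseFSSig []byte            // signature over SHA-256(BaseFS)
	Apps      map[string][]byte // application name -> binary
}

func signedBy(pub *ecdsa.PublicKey, blob, sig []byte) bool {
	digest := sha256.Sum256(blob)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// VerifyBoot checks each stage before trusting anything it contains and
// stops at the first failure, so later stages never run on unverified data.
func VerifyBoot(d *Device) error {
	if !signedBy(d.OSKey, d.OSImage, d.OSSig) {
		return errors.New("stage 1: OS image signature invalid")
	}
	if !signedBy(d.OSKey, d.BaseFS, d.BaseFSSig) {
		return errors.New("stage 2: base file system hash signature invalid")
	}
	var m Manifest
	if err := xml.Unmarshal(d.BaseFS, &m); err != nil {
		return fmt.Errorf("stage 3: manifest unreadable: %w", err)
	}
	listed := map[string]bool{}
	for _, a := range m.Apps {
		sum := sha256.Sum256(d.Apps[a.Name])
		if _, ok := d.Apps[a.Name]; !ok || hex.EncodeToString(sum[:]) != a.SHA256 {
			return fmt.Errorf("stage 3: application %q does not match manifest", a.Name)
		}
		listed[a.Name] = true
	}
	for name := range d.Apps { // anything installed but not listed is rejected
		if !listed[name] {
			return fmt.Errorf("stage 3: application %q not in manifest", name)
		}
	}
	return nil
}

// NewSampleDevice builds a constructed, correctly signed device for the demo.
func NewSampleDevice() *Device {
	key, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
	if err != nil {
		panic(err)
	}
	sign := func(blob []byte) []byte {
		digest := sha256.Sum256(blob)
		sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
		if err != nil {
			panic(err)
		}
		return sig
	}
	d := &Device{OSKey: &key.PublicKey, OSImage: []byte("constructed OS image"),
		Apps: map[string][]byte{"mail": []byte("mail v1"), "browser": []byte("browser v1")}}
	manifest := "<manifest>"
	for _, name := range []string{"browser", "mail"} {
		sum := sha256.Sum256(d.Apps[name])
		manifest += fmt.Sprintf(`<app name="%s" sha256="%s"/>`, name, hex.EncodeToString(sum[:]))
	}
	d.BaseFS = []byte(manifest + "</manifest>")
	d.OSSig, d.BaseFSSig = sign(d.OSImage), sign(d.BaseFS)
	return d
}

func main() {
	d := NewSampleDevice()
	fmt.Println("clean device:", VerifyBoot(d))
	d.Apps["mail"] = []byte("mail v1 + implant")
	fmt.Println("modified app:", VerifyBoot(d))
}
```

Because the manifest lives inside the signed base file system, editing a hash in the manifest to match a modified application fails at stage 2 rather than stage 3.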


BlackBerry 10 Device OS Security Features

Protecting the device's OS is one of the most important functions of mobile device security. However, it's sometimes neglected by other manufacturers focused on consumer devices, since it can be challenging to verify the security vulnerabilities contained in millions of lines of source code, a common characteristic of many devices' OSs. The BlackBerry 10 OS includes security features for OS protection, including:

Microkernel Implementation: The hardened QNX microkernel used in the BlackBerry 10 OS contains approximately 150,000 lines of code. With fewer lines of code, the BlackBerry OS is less susceptible to vulnerabilities than other platforms. As a result, rigorous security verification and testing are achieved even with a fixed amount of IT resources.

Resilient Design: To reduce risks, the microkernel contains processes associated with personal use. Any unresponsive or misbehaving process is automatically restarted or killed, respectively, without impacting other processes.

Root Process Minimization: To reduce security risks, only the most essential BlackBerry processes are run in root mode. This mode is never available to third parties.

BlackBerry World Application Stores

Once a BlackBerry 10 device is activated on BES10, it has access to two separate BlackBerry World application storefronts: BlackBerry World for personal use and BlackBerry World for Work for enterprise use.

Within the Work Space, only applications approved by the BES10 administrator are permitted to be installed. Work applications can either be "pushed" to users based on policy or "pulled" by users for optional use. Within the Personal Space, users are free to download any application available through BlackBerry World.


For the large majority of organizations, BlackBerry Balance, available via the BES10 Silver EMM (4) configuration, optimizes the balance between security and employee expectations for a compelling work and life end-user experience. Some highly sensitive, regulated environments, however, may not permit personal use on employee devices due to established risk management policies. For these organizations, often operating in government, financial services or healthcare sectors, for example, BlackBerry offers the BES10 Gold EMM (5) configuration, which gives administrators the ability to disable personal use as well as impose device, application and content controls that exceed the granularity of the BES10 Silver EMM configuration. No other mobile platform offers this unique capability.

The BES10 regulated-level device management control features enable large enterprises and government and regulated industries to manage fully locked-down devices with a set of controls unmatched in their level of granularity.

Gold level device management capabilities include:

• BlackBerry 10 Mobile Device Management (MDM) capabilities designed for secure government and regulated environments
• Enforcement of corporate-only use and granular controls to manage use of camera, storage, WiFi, Bluetooth and other device features
• Option to enable a controlled Personal Space through BlackBerry Balance while ensuring all work content is fully protected within the Work Space
• User friendly and intuitive management console to manage your devices, users, groups, apps and services, including reporting and dashboard capabilities

Sampling of Regulated-level BlackBerry 10 Device Management Controls

Mobile Hotspot Mode and Tethering: Specify whether to allow Mobile Hotspot mode, tethering using Bluetooth technology and tethering using a USB cable on a BlackBerry 10 device.

Wireless Service Provider Billing: Specify whether a BlackBerry 10 device user can purchase applications from the BlackBerry World app storefront using the purchasing plan for your organization's wireless service provider.

Maximum Password Age: Specify the maximum number of days that can elapse before a BlackBerry 10 device password expires and a BlackBerry 10 device user must set a new password.

Wipe the Work Space without Network Connectivity: Specify the time in hours that must elapse without a BlackBerry 10 device connecting to your organization's network before wiping the entire device.

Non-Email Accounts: Specify whether a BlackBerry 10 device user can add third-party accounts for services such as Facebook, Twitter, LinkedIn and Evernote to the device.

Network Access Control for Work Applications: Specify whether work applications on a BlackBerry 10 device must connect to your organization's network through BES10.

Log Submission: Specify whether a BlackBerry 10 device can generate and send log files to the BlackBerry Technical Solution Center.

Bluetooth: Specify whether a BlackBerry 10 device can use Bluetooth technology.

SMS/MMS: Specify whether a BlackBerry 10 device can send SMS text messages and MMS messages.

Camera: Specify whether a BlackBerry 10 device can use the camera.

BES10's Gold level EMM controls and settings deliver the ultimate security solution for government and other high-security environments.


Leaders in innovation

Largest Research & Development staff of any EMM vendor³

Expansion of security model to iOS and Android

Scalability: 100K devices per server

30K+ BES10 servers globally¹

44K patents¹


Managing Devices

With BES10 you can also easily manage iOS and Android™ devices from a central location.

A typical enterprise may contain hundreds of devices, each one a potential unauthorized entry point into your corporate servers. To help IT departments get a handle on the large number and diversity of devices attached to your network, BlackBerry has extended its security model to iOS and Android smartphones and tablets through BES10. With the ability to use BES10 to manage multiple types of devices from a single platform and management console, IT administrators are able to strike the perfect balance between corporate and end user needs.

Secure Work Space for iOS and Android

BlackBerry has also extended its ability to protect corporate data, through the creation of secure computing and communications environments, to iOS and Android devices. Secure Work Space is a containerization, application-wrapping and secure connectivity option for iOS and Android smartphones and tablets that is managed through the BES10 administration console. Managed applications are secured and separated from personal apps and data, providing an integrated email, calendar and contacts app, an enterprise-level secure browser, and secure document viewing and editing. User authentication is required to access secure apps, and work data cannot be shared outside the Secure Work Space. The trusted BlackBerry security model provides built-in secure connectivity for all enterprise apps deployed to the Secure Work Space – no VPN needed.


BlackBerry Mobile Device Management in Action

Your company has hired several new employees – each due to receive a BlackBerry 10 smartphone. The IT department quickly and easily adds a user account for each employee into BES10 using information from your company's Microsoft Active Directory. An activation password for each account is created, along with the Server Routing Protocol (SRP) ID of the BES10, and delivered to the respective employee.

The new employees type their user IDs, passwords and SRP IDs into their BlackBerry 10 devices to activate them. The smartphone's enterprise management agent establishes a secure connection through the BlackBerry infrastructure over the network to BES10. Encryption keys based on IT department policies are generated, Work Spaces are created, and profiles and software configurations are sent to each smartphone. In just a few short steps, the incoming employees are empowered with fully functional and secure mobile devices.


Managing Devices

Using Device Wipe

With BES10 and BlackBerry Balance, you can keep company data safe while leaving employee personal data intact. Using BES10, you can remotely wipe an employee's Work Space and all its content, leaving all personal data on the device in place.

You can also use BES10 to create policies that delete the Work Space from the device if certain events occur or specific conditions are met. For example, you can create a policy to delete the Work Space if the number of failed password attempts exceeds the maximum number allowed. You can also wipe the device if employees exceed their allotment of permitted hours or days since the last network connection.

Device Wipe in Action

An employee has just received a job offer from a competitor. This employee works in your company's procurement department and has access to the company enterprise resource planning (ERP) system via her BlackBerry 10 device. Using the ERP system application, the employee can see the company's suppliers, vendors, parts inventory, backlogs, sales projections and more.

The employee accepts the job offer and gives a two-week notice. Her manager alerts HR and IT departments about her upcoming departure. On her last day, IT wipes the employee's work profile from her BlackBerry 10 device, which prevents her from accessing the ERP and email systems. However, all of her personal information remains intact on her device as she moves on to her next job.

Distribution and Application Security

Using BlackBerry World for Work

A benefit of BlackBerry Balance is that it allows IT to create and deploy a customized business application store called BlackBerry World for Work. With BlackBerry World for Work, you can push, install and manage business and productivity applications over the network to BlackBerry 10 device Work Spaces via BES10.

Application Sandboxing

The application sandboxing and malware controls found in BlackBerry 10 help keep company data safe and secure from potentially malicious applications. BlackBerry 10 also protects employees' personal data by allowing them to configure their devices' application controls and limit application access to their personal information.

Sandboxing separates and restricts an application's capabilities and permissions. The sandbox is a virtual container that uses device memory and part of the file system and grants access to the application at a specific time. Applications can have sandboxes in both an employee's Work Space and Personal Space, yet each remains isolated from the other. The BlackBerry 10 OS monitors application process requests for memory outside its sandbox. If the application attempts to access memory outside its sandbox, the BlackBerry 10 OS will stop the process and reclaim the memory it uses, then restart the process without impacting other processes operating at the same time. In addition, each application is assigned its own specific group identification, which cannot be shared or reused by another application. Each application stores data in its own sandbox, and the BlackBerry 10 OS prevents other applications from accessing this specific data.

Malware Controls

The BlackBerry 10 OS includes tight controls to reduce the possibility of malware attacks, including a 'contain-and-constrain' strategy that minimizes risks. Application process requests are constrained within employees' Personal Space on the device, and the BlackBerry OS microkernel monitors inter-process communications for potential issues. The microkernel also monitors memory access by the Personal Space and authorizes its use as needed. Any application process that attempts an unauthorized memory access request is automatically restarted or shut down, protecting your company data. In the employee's Personal Space, application permissions are used to protect personal data from potential malware attacks.

Malware Protection in Action

Instead of downloading an application to the device from the prescribed channel, an employee downloads an application from the Internet to her personal computer, then moves the application, which contains malware, to the device's Personal Space. The malware scans the employee's device for names, phone numbers, credit card numbers or any other bits of identity information that can be stolen and misused.

Work-related information is not impacted, as all company information remains isolated and locked down on the device's Work Space, fully protected and secure.


End-to-end Security

Securing and protecting corporate data is of paramount concern for all enterprises. As businesses continue to adopt and expand mobility options as a means of improving worker productivity and end-user satisfaction, however, protecting corporate information and guarding against data loss becomes an increasingly complex challenge for IT departments. Underlining the situation is the fact that each personal-enabled device added to the corporate network brings with it a new opportunity in which sensitive enterprise data can be disclosed accidentally or intentionally stolen, either by the device user or by any untrusted application that is installed on the device. Accordingly, today's resource-challenged IT departments require proven and comprehensive enterprise mobility management solutions that have integrated security designs and controls necessary to protect against these new risks, while delivering the compelling work and life experience that employees demand.

But protecting corporate data from misuse and loss is only half of the story. A mobile security solution, even an ironclad one, must also secure work applications while delivering an environment that enables developers to quickly and effectively create enterprise applications. BlackBerry 10 delivers on this promise with a highly functional application environment that is transparent to developers.

BlackBerry 10 was designed from the ground up to provide enterprises with the optimal balance of protection and productivity. BlackBerry 10, BES10, the BlackBerry infrastructure and BlackBerry 10 devices constitute an ironclad security solution that spans your entire business and delivers a productive and feature-rich work environment with an integrated suite of productivity applications for your increasingly mobilized workforce.


Devices compared: BlackBerry® Z30 Smartphone, BlackBerry® Z10 Smartphone, BlackBerry® Q10 Smartphone, BlackBerry® Q5 Smartphone

Size
Z30: 140.7mm x 72mm x 9.4mm
Z10: 130mm x 65.6mm x 9mm
Q10: 119.6mm x 66.8mm x 10.35mm
Q5: 120mm x 66mm x 10.8mm

Display
Z30: 5" Super AMOLED display, 24-bit color, 1280 x 720 resolution at 295 PPI
Z10: 4.2" 4-point multi-touch LCD display, 1280 x 768 resolution at 356 DPI
Q10: 3.1" Super AMOLED display, 720 x 720 resolution at 330 PPI
Q5: 3.1" capacitive multi-touch LCD display, 720 x 720 resolution at 329 PPI

Software
Z30: BlackBerry® 10 OS
Z10: BlackBerry® 10 OS
Q10: BlackBerry® 10 OS
Q5: BlackBerry® 10 OS

Memory
Z30: 2GB RAM, 16GB Flash®, hot-swappable Micro SD slot
Z10: 2GB RAM, 16GB Flash®, hot-swappable Micro SD slot
Q10: 2GB RAM, 16GB Flash®, hot-swappable Micro SD slot
Q5: 2GB RAM, 8GB Flash®, hot-swappable Micro SD slot

Processor
Z30: Dual Core 1.7 GHz Qualcomm MSM8960, Quad-core GPU
Z10: Dual Core 1.5 GHz Texas Instruments OMAP 4470
Q10: Dual-core 1.5 GHz Qualcomm® MSM8960
Q5: Dual Core 1.2 GHz Qualcomm® MSM8960

Battery Life¹
Z30: Mixed use: up to 25 hours. Talk time: up to 18 hours UMTS, 14 hours GSM. Standby time: up to 16 days. Music: up to 90 hours. Video: up to 12 hours.
Z10: Talk time: up to 11 hours on 3G. Standby time: up to 408 hours on 3G, up to 397 hours on 2G. Music: up to 51 hours. Video: up to 10 hours.
Q10: Talk time: up to 13.5 hours on 3G. Standby time: up to 345 hours on 3G, up to 324 hours on 2G. Music: up to 62 hours. Video: up to 9 hours.
Q5: Talk time: 3G up to 12.5 hours, 2G up to 10 hours. Standby time: up to 14 days on 3G, up to 13 days on 4G. Music: up to 62 hours. Video: up to 9 hours.

Camera
Z30: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
Z10: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
Q10: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
Q5: 5 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording

GPS
Z30: GPS-enabled with preloaded BlackBerry® Maps application
Z10: GPS-enabled with preloaded BlackBerry® Maps application
Q10: GPS-enabled with preloaded BlackBerry® Maps application
Q5: GPS-enabled with preloaded BlackBerry® Maps application

Bluetooth®
Z30: Bluetooth 4.0 Low Energy
Z10: Bluetooth 4.0 Low Energy
Q10: Bluetooth 4.0 Low Energy
Q5: Bluetooth 4.0 Low Energy

Wi-Fi®²
Z30: 802.11 a/b/g/n enabled, 4G Mobile Hotspot
Z10: 802.11 b/g/n enabled, Mobile Hotspot
Q10: 802.11 a/b/g/n enabled, 4G Mobile Hotspot
Q5: 802.11 b/g/n enabled, Mobile Hotspot

1 Many factors affect battery life, including but not limited to network, transmission environment, battery age, usage, location, software and feature configuration.

2 WiFi availability may vary between country and mobile network operators.


BlackBerry Technical Support Services

Support is a key component of your Enterprise Mobility Management strategy. Implementing BES10 is easier than ever, but having a strategic support partner is still essential to assist you in delivering your mobility objectives. BlackBerry Technical Support Services offers a unique blend of technical expertise, rapid issue resolution and proactive, relationship-based support to help you realise the full potential of your BES10 multi-platform management infrastructure. For more information, visit blackberry.com/btss

Learn more at BES10.com/security

1 February 2014

2 August 2013

3 November 2013

4 Silver level EMM provides the management and control feature set for iOS, Android and BlackBerry 10 devices, previously known as BES10 EMM Corporate.

5 Gold level EMM provides the management and control feature set for BlackBerry 10 devices, previously known under the name EMM Regulated, and also covers the containerization option for iOS and Android management known as Secure Work Space for iOS and Android.

Screen images simulated.

© 2014 BlackBerry. All rights reserved. BlackBerry® and related trademarks, names and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world. All other trademarks are the property of their respective owners. iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS is used under license by Apple Inc. Apple Inc. does not sponsor, authorize or endorse this brochure. Android is a trademark of Google Inc., which does not sponsor, authorize or endorse this brochure.

EZ PASS

FREE perpetual BES10 licenses for all existing BlackBerry and other active MDM licenses, plus receive world class BlackBerry Advantage Level Technical Support FREE of charge.

Learn more at blackberry.com/ezpass

Additional Terms and Conditions will apply.

BES10 Security Philosophy


The security features found in BES10 are built upon a foundation of confidentiality, integrity and authenticity.

Confidentiality: BES10's encryption capabilities ensure that only intended recipients can view corporate data.

Integrity: All email sent over a secure network is strongly encrypted to keep third parties from decrypting or altering the message.

Authenticity: BES10 provides two-way authentication upon pairing with the device, helping reduce the possibility of counterfeit devices accessing your infrastructure.


BlackBerry 10/BES10 FIPS 140-2 Certification

Businesses and government agencies alike need to feel confident that their highly sensitive data – whether it's in storage or in transit – stays secure from would-be attackers. The US government created and implemented the FIPS 140-2 computer security standard and uses it to accredit file encryption modules.

Both the BlackBerry 10 OS and BES10 software are FIPS 140-2 certified, which means that your organization's data is strongly encrypted and the corresponding encryption keys are rigorously protected. BlackBerry 10 devices controlled by BES10 are the only mobile devices to be given Authority to Operate (ATO) on Department of Defense networks.

S/MIME Messaging Encryption

BES10 gives you the option of using digital certificates to sign and encrypt email and file attachments using industry standard S/MIME encryption. When IT personnel activate a mobile device on BES10, the device can be configured to sign and encrypt messages using S/MIME whenever the employee sends emails via his or her work account. S/MIME encryption keeps messages secure by using recipients' public keys to encrypt the message and their private key to decrypt it. Often overlooked as a security agent, S/MIME is a cost-effective productivity tool for enabling highly secure email communications with business partners and contractors outside of your organization.

Encryption Options

BES10 uses a technique called tunneling to protect data in transit over a secure network. Tunneling incorporates multiple layers of encryption between devices, BES10 and the wireless resource for additional data protection.

For example, when employees access the corporate Wi-Fi network, data transmissions between their device and BES10 are secured first by AES encryption and then by Wi-Fi encryption.

Wi-Fi Encryption (IEEE 802.11): Encrypts data transmitted between mobile devices and wireless access points set up to use Wi-Fi encryption.

VPN Encryption: Encrypts data transmitted between mobile devices and VPN servers.

AES Encryption: Encrypts data transmitted between mobile devices, the BlackBerry infrastructure and BES10.

SSL/TLS Encryption: Encrypts data transmitted between mobile devices and content servers, Web servers or messaging servers that use Microsoft ActiveSync.

BES10 Layers of Protection

BES10 contains multiple layers of protection so data stays secure both in transit and on devices.

In-transit Data Protection: BES10 protects data transmissions using transport layer security.

Work Data Device Protection: Work file systems and applications are kept separate from personal data and encrypted.

Personal Data Device Protection: IT managers can create policy rules to encrypt data within the personal file system.

Device Access Control: Work Wi-Fi and VPN profiles may be delivered remotely via BES10 to enable corporate network access.

Device Behavior Control: IT managers can remotely lock mobile devices, enforce policies and wipe work/personal data from devices.

Device User Information Protection: Users can delete all their information and application data from device memory.

BlackBerry 10 OS Protection: BlackBerry 10 devices conduct integrity tests to detect kernel damage and restart processes that stop responding.

Application Data Protection Via Sandboxing: Sandboxing separates and restricts the capabilities and permissions of applications running on the device.

Resource Protection: Adaptive partitioning is used to allocate unused resources during typical operating conditions to help ensure resources are available during peak conditions.

Access Capabilities Permissions Management: The BlackBerry 10 OS evaluates each device capability request made by an application, then grants access accordingly.

Boot ROM Code Verification: The device verifies that the boot ROM code is authentic, unmodified and has permission to run on the device.


Tech Talk 2: S/MIME Keys, Certificates and Encryption Algorithms

BlackBerry devices support keys and certificates in the following file formats and file name extensions:

• PEM (.pem, .cer)
• DER (.der, .cer)
• PFX (.pfx, .p12)

A private key and certificate must be stored on the device for each recipient of an encrypted email message. Keys and certificates can be stored simply by importing the files from a work email message. To send encrypted messages, your employees must use their work email accounts.

The following encryption algorithms can be used by BlackBerry devices to encrypt S/MIME-protected messages:

• AES (256-bit)
• AES (192-bit)
• AES (128-bit)
• Triple DES
• RC2
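The exchange described under S/MIME Messaging Encryption, with the PEM format and the AES (256-bit) option from this Tech Talk, as an added example using the OpenSSL command line (not BlackBerry code; the recipient, message and file names are constructed). It also reads the content-encryption algorithm back out of the message so that mail sent with the older Triple DES or RC2 options in the list can be flagged.

```shell
#!/bin/sh
# Constructed demo: recipient identity, message text and file names are made up.

# Recipient's RSA key pair and self-signed certificate, both in PEM format.
make_recipient() {  # $1 = directory to create them in
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=partner@example.test" \
    -keyout "$1/recipient.key" -out "$1/recipient.pem" 2>/dev/null
}

# Sender encrypts to the recipient's certificate (public key only).
smime_encrypt() {  # $1 plaintext, $2 recipient cert, $3 cipher flag, $4 output
  openssl cms -encrypt -binary "$3" -in "$1" -out "$4" "$2"
}

# Recipient decrypts with the private key that matches the certificate.
smime_decrypt() {  # $1 message, $2 recipient cert, $3 private key, $4 output
  openssl cms -decrypt -in "$1" -recip "$2" -inkey "$3" -out "$4" 2>/dev/null
}

# Print the content-encryption algorithm recorded in the CMS envelope.
smime_cipher() {  # $1 message
  openssl cms -cmsout -print -noout -in "$1" |
    awk '/contentEncryptionAlgorithm:/ { getline; print $2; exit }'
}

# Policy gate: accept AES, reject Triple DES, RC2 and anything unrecognised.
smime_cipher_ok() {  # $1 message
  case "$(smime_cipher "$1")" in
    aes-*) return 0 ;;
    *)     return 1 ;;
  esac
}

# Demo run in a scratch directory.
demo=$(mktemp -d)
make_recipient "$demo/partner"
printf 'Q3 supplier pricing (constructed sample text)\n' > "$demo/msg.txt"
smime_encrypt "$demo/msg.txt" "$demo/partner/recipient.pem" -aes-256-cbc "$demo/msg.p7m"
echo "content cipher: $(smime_cipher "$demo/msg.p7m")"
smime_decrypt "$demo/msg.p7m" "$demo/partner/recipient.pem" \
  "$demo/partner/recipient.key" "$demo/msg.out" && echo "recipient decrypted the message"
```
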

Tech Talk 1: FIPS 140-2 Certification Details

The FIPS 140-2 certification was implemented by the National Institute of Standards and Technology to govern cryptography modules that involve both hardware and software components.

The BlackBerry OS cryptographic kernel, which received FIPS 140-2 certification for the BlackBerry 10 OS and BES10, generates the file encryption keys, the work domain key, the work master key and the system master key to provide a strong layer of security to protect data.

The FIPS 140-2 certificates for BlackBerry 10 and BES10:

BlackBerry Enterprise Service 10: FIPS 140-2 Certificate no. 1765, Consolidated Certificate no. 0019
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0019.pdf

BlackBerry 10: FIPS 140-2 Certificate no. 1578, Consolidated Certificate no. 0007
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0007.pdf


Protecting Work Data on Personal-Use-Enabled Devices

BlackBerry Balance and BES10 protect sensitive data

Protecting work data accessible over the corporate Intranet or stored on employees' devices is a critical part of any comprehensive mobile data security plan. The widespread use of employee-owned and personal-use-enabled devices in corporate environments – Bring Your Own Device (BYOD) and Corporate Owned, Personally Enabled (COPE) movements – creates major data security challenges. Without a heavy-duty security architecture in place, one designed for work and personal use, it is easy for employees to leak sensitive work data through personal use such as webmail and browsing, social networking and media, and untrusted personal applications.

With BlackBerry Balance™, a feature of BES10, you can create a "dual-persona" environment on employees' mobile devices by establishing a separate, secure environment for work-related applications and associated sensitive data. This work environment leverages integrated, cryptographically partitioned file systems to protect sensitive work data while delivering a compelling "work-life" user experience.

BlackBerry Balance: Seamless Separation of Personal & Work Data

BlackBerry Balance identifies and tags data and processes that originate from your company's Wi-Fi, VPN access or Intranet and routes them to the employee's work profile on the device. Other personal data and activities, including third-party applications, public Web browsing and personal email, are contained within the personal profile.

BlackBerry Balance Overview and Features

BlackBerry Balance keeps employees' work and personal information separate and secure on BlackBerry 10 devices using specifically designated areas called Spaces. Within each of these Spaces, data, applications and network connections can be safely stored. Individual Spaces can be governed by their own rules for data storage, application permissions and network routing. Using separate Spaces for work and personal activities helps keep sensitive data secure by preventing employees from copying work data into personal email or displaying information during video chats.


Built-in Password Protection

BES10 allows you to establish and enforce password policies quickly and easily to better protect data stored in employees' devices. IT policies can be set to require your employees to enter a password or use their corporate single sign-on using Active Directory® services to gain access to Spaces containing work-related data. This keeps data at rest on employee devices safe and protected.

BlackBerry Balance in action

After eight years of employment at your company, a salesperson is leaving to take a leadership role at a startup business that will share the same competitive space as your company. Looking to jumpstart the customer acquisition process, the departing salesperson, who has access to the corporate customer relationship management (CRM) system, attempts to send your company's customer list and deal status to his personal email account before leaving the company.

The soon-to-be former employee accesses the CRM application from his BlackBerry 10 device and tries to paste the list and deal information into his personal email account. Because BlackBerry Balance prevents copy and paste functions between employees' work profiles and personal profiles, the employee is unable to move data into his personal email or copy files from his Work Space to his Personal Space. Your company's sales information stays safe. In addition, BES10 allows you to wipe all corporate information from an employee-owned device after the employee has left the company, without impacting personal data.

Using BlackBerry Balance, you can:

• Control employee access to company data and applications on their devices

• Prevent company data from becoming compromised

• Provide employees a unified and consistent user experience with a core set of applications when accessing personal or work data

• Install and manage company applications on employees' devices remotely

• Remove company data and applications from employee-owned devices when needed, without impacting personal configuration and data

• Control network connections for work and personal applications remotely

BlackBerry Balance lets you control how devices separate, secure and protect company data and resources.


Tech Talk 3: Work Space/Personal Space in Detail

BlackBerry Balance and BES10 provide a work environment that securely separates work and personal information on mobile devices. Devices classify data as work data or personal data based on the source of the data. For example, if data comes from a work-related source, it is stored in the device's Work Space. Personal and Work Spaces can have different rules for data storage, application permissions and network routing. The separate spaces help users to avoid activities such as accidentally copying work data into a personal application or displaying confidential work data. IT administrators have the option of managing and securing data in a Personal Space.

[Diagram: on top of the base file system, a Work Space holding apps and data (encrypted) beside a Personal Space holding apps and data (encryption optional).]


Enforcing Strong Access Controls

BlackBerry security gives you greater control over how and when mobile devices connect to your network infrastructure and access data.

BlackBerry security delivers multiple access control features, such as device authentication, anti-counterfeiting manufacturing controls and device OS protection, that verify and maintain device integrity. These features help ensure only authorized devices used by authorized employees gain entry into your network, use network services and access data.

BlackBerry Hardware Root of Trust

BlackBerry takes specific steps to help ensure the integrity of its devices and prevent counterfeit devices from connecting to the BlackBerry infrastructure.

Security is built into each major BlackBerry device component, making it more difficult for unauthorized users to remove or circumvent security on a BlackBerry device than on other mobile operating systems. Plus, all parts of the BlackBerry supply chain, from its manufacturing partners to the BlackBerry infrastructure and devices, are securely connected, which means trusted BlackBerry devices can be built around the world.

This secure manufacturing model helps prevent the impersonation of authentic BlackBerry devices and ensures that only authentic BlackBerry devices can connect to the BlackBerry infrastructure. Any device trying to connect to the BlackBerry infrastructure must complete the self-verification process before access is granted.

Authentication

Multiple forms of authentication take place within the BlackBerry system to minimize the possibility of data loss and outside attack. First, the BlackBerry infrastructure and BES10 authenticate with each other by sharing a Server Routing Protocol (SRP) authentication key before a connection takes place.

The second level of authentication takes place between BES10 and the activated BlackBerry 10 device. When the device is activated, it generates a key pair and sends the public key to BES10. The BES10 server then creates a client certificate and sends an enterprise management root certificate and client certificate back to the device. The device uses the enterprise management root certificate to authenticate the server certificate for the enterprise management Web service. BES10 and the BlackBerry 10 device use the client certificate to authenticate users, their Work Spaces and their devices.
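The second-level authentication described above, walked through with the OpenSSL command line as an added example (not BlackBerry code). Carrying the public key in a certificate signing request, the P-256 curve, the nonce challenge and every name and file path are assumptions made for the demonstration.

```shell
#!/bin/sh
# Constructed demo: every subject name, device id and file path is made up.

new_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# Server side (assumed layout): a root CA plus a server certificate it issues.
setup_server() {  # $1 = server directory
  s=$1; mkdir -p "$s"
  new_key "$s/root.key"
  openssl req -x509 -new -key "$s/root.key" -days 1 \
    -subj "/CN=Demo Enterprise Management Root" -out "$s/root.pem"
  new_key "$s/server.key"
  openssl req -new -key "$s/server.key" -subj "/CN=emws.example.test" \
    -out "$s/server.csr"
  openssl x509 -req -in "$s/server.csr" -CA "$s/root.pem" -CAkey "$s/root.key" \
    -CAcreateserial -days 1 -out "$s/server.pem" 2>/dev/null
}

# Device side: generate a key pair; only the public half (inside a CSR) leaves.
device_request() {  # $1 device directory, $2 device id
  mkdir -p "$1"; new_key "$1/device.key"
  openssl req -new -key "$1/device.key" -subj "/CN=$2" -out "$1/device.csr"
}

# Server issues the client certificate and returns it with the root certificate.
issue_client_cert() {  # $1 server directory, $2 device directory
  openssl x509 -req -in "$2/device.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 1 -out "$2/client.pem" 2>/dev/null
  cp "$1/root.pem" "$2/root.pem"
}

# Device authenticates a server certificate against the root it was given.
device_trusts_server() {  # $1 device directory, $2 server certificate
  openssl verify -CAfile "$1/root.pem" "$2" >/dev/null 2>&1
}

# Server authenticates a device: chain to the root, then proof of possession.
server_accepts_device() {  # $1 server directory, $2 device directory
  openssl verify -CAfile "$1/root.pem" "$2/client.pem" >/dev/null 2>&1 || return 1
  nonce="$1/nonce"; openssl rand -hex 16 > "$nonce"
  # The device signs the server's fresh nonce with its private key...
  openssl dgst -sha256 -sign "$2/device.key" -out "$nonce.sig" "$nonce" || return 1
  # ...and the server checks it with the public key inside the certificate.
  openssl x509 -in "$2/client.pem" -pubkey -noout > "$nonce.pub"
  openssl dgst -sha256 -verify "$nonce.pub" -signature "$nonce.sig" "$nonce" \
    >/dev/null 2>&1
}

# Demo run in a scratch directory.
demo=$(mktemp -d)
setup_server "$demo/bes"
device_request "$demo/dev" "device-0001"
issue_client_cert "$demo/bes" "$demo/dev"
device_trusts_server "$demo/dev" "$demo/bes/server.pem" && echo "device trusts server"
server_accepts_device "$demo/bes" "$demo/dev" && echo "server accepts device"
```

The chain check alone is not enough: a copied client certificate still chains to the root, which is why the server also asks the device to sign a fresh nonce.
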

[Diagram: BlackBerry 10 Operating System chain of verification]

• CPU Embedded Boot ROM: checks the Boot ROM digital signature

• Boot ROM: holds the Public EC 521 Key of OS Signature; BlackBerry 10 OS verified

• BlackBerry 10 OS: holds the SHA256 hash of Base File System (signed with EC 521); Base File System (read only) verified

• Base File System (read only): holds the XML manifest of loaded applications (cryptographically hashed); Applications 1 to 4 verified

Software Upgrades and Application Downloads from BlackBerry World: All downloads verified with ECC signed SHA-2 hashes
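How the stages in the diagram depend on one another, as an added example built with the OpenSSL command line (not BlackBerry's implementation). The file names, the manifest layout, the use of one signing key for both signatures and SHA-256 as the signature digest are assumptions; the P-521 curve, the SHA-256 hash of the base file system and the hashed manifest follow the diagram.

```shell
#!/bin/sh
# Constructed demo: file names, manifest layout and contents are made up.

sha256_of() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }

sig_ok() {  # $1 public key, $2 signature, $3 signed file
  openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1
}

# Build a toy image set in directory $1, signed with a throwaway vendor key.
build_chain() {
  d=$1; mkdir -p "$d/fs"
  # Vendor P-521 key pair; only the public half is kept for the "boot ROM".
  openssl ecparam -name secp521r1 -genkey -noout -out "$d/vendor.key"
  openssl ec -in "$d/vendor.key" -pubout -out "$d/bootrom_pub.pem" 2>/dev/null
  # Two "applications" and an XML manifest recording each one's SHA-256.
  printf 'calendar app code\n' > "$d/app1.bar"
  printf 'browser app code\n'  > "$d/app2.bar"
  {
    echo '<manifest>'
    for a in app1.bar app2.bar; do
      echo "  <app name=\"$a\" sha256=\"$(sha256_of "$d/$a")\"/>"
    done
    echo '</manifest>'
  } > "$d/fs/manifest.xml"
  # Read-only base file system image that contains the manifest.
  tar -cf "$d/basefs.img" -C "$d/fs" manifest.xml
  # Hash record for the base file system, signed with the vendor key.
  sha256_of "$d/basefs.img" > "$d/basefs.sha256"
  openssl dgst -sha256 -sign "$d/vendor.key" \
    -out "$d/basefs.sha256.sig" "$d/basefs.sha256"
  # OS image and its signature.
  printf 'kernel and drivers\n' > "$d/os.img"
  openssl dgst -sha256 -sign "$d/vendor.key" -out "$d/os.img.sig" "$d/os.img"
  rm -f "$d/vendor.key"   # the signing key never ships on the device
}

# Returns 0 when every stage verifies, otherwise the number of the failing stage.
verify_chain() {
  d=$1
  # Stage 1: boot ROM checks the OS signature with its embedded public key.
  sig_ok "$d/bootrom_pub.pem" "$d/os.img.sig" "$d/os.img" || return 1
  # Stage 2: OS checks the signed hash record, then the image against it.
  sig_ok "$d/bootrom_pub.pem" "$d/basefs.sha256.sig" "$d/basefs.sha256" || return 2
  [ "$(sha256_of "$d/basefs.img")" = "$(cat "$d/basefs.sha256")" ] || return 2
  # Stage 3: the manifest inside the verified image vouches for each app.
  tar -xOf "$d/basefs.img" manifest.xml |
    sed -n 's/.*name="\([^"]*\)" sha256="\([^"]*\)".*/\1 \2/p' > "$d/.apps"
  [ -s "$d/.apps" ] || return 3
  while read -r name want; do
    [ -f "$d/$name" ] && [ "$(sha256_of "$d/$name")" = "$want" ] || return 3
  done < "$d/.apps"
  return 0
}

# Demo run in a scratch directory.
demo=$(mktemp -d)
build_chain "$demo"
verify_chain "$demo" && echo "all stages verified"
```

Only the two signatures need the public key; the applications are covered transitively, because their hashes sit in a manifest inside an image whose own hash is signed.
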


BlackBerry 10 Device OS Security Features

Protecting the device's OS is one of the most important functions of mobile device security. However, it's sometimes neglected by other manufacturers focused on consumer devices, since it can be challenging to verify the security vulnerabilities contained in millions of lines of source code, a common characteristic of many devices' OSs. The BlackBerry 10 OS includes security features for OS protection, including:

Microkernel Implementation: The hardened QNX microkernel used in the BlackBerry 10 OS contains approximately 150,000 lines of code. With fewer lines of code, the BlackBerry OS is less susceptible to vulnerabilities than other platforms. As a result, rigorous security verification and testing are achieved even with a fixed amount of IT resources.

Resilient Design: To reduce risks, the microkernel contains processes associated with personal use. Any unresponsive or misbehaving process is automatically restarted or killed, respectively, without impacting other processes.

Root Process Minimization: To reduce security risks, only the most essential BlackBerry processes are run in root mode. This mode is never available to third parties.

BlackBerry World Application Stores

Once a BlackBerry 10 device is activated on BES10, it has access to two separate BlackBerry World application storefronts: BlackBerry World for personal use and BlackBerry World for Work for enterprise use.

Within the Work Space, only applications approved by the BES10 administrator are permitted to be installed. Work applications can either be "pushed" to users based on policy or "pulled" by users for optional use. Within the Personal Space, users are free to download any application available through BlackBerry World.


For the large majority of organizations, BlackBerry Balance, available via the BES10 Silver EMM⁴ configuration, optimizes the balance between security and employee expectations for a compelling work and life end-user experience. Some highly sensitive, regulated environments, however, may not permit personal use on employee devices due to established risk management policies. For these organizations, often operating in government, financial services or healthcare sectors, for example, BlackBerry offers the BES10 Gold EMM⁵ configuration, which gives administrators the ability to disable personal use as well as impose device, application and content controls that exceed the granularity of the BES10 Silver EMM configuration. No other mobile platform offers this unique capability.

The BES10 regulated-level device management control features enable large enterprises and government and regulated industries to manage fully locked-down devices with a set of controls unmatched in their level of granularity

Gold level device management capabilities include:

• BlackBerry 10 Mobile Device Management (MDM) capabilities designed for secure government and regulated environments

• Enforcement of corporate-only use and granular controls to manage use of camera, storage, WiFi, Bluetooth and other device features

• Option to enable a controlled Personal Space through BlackBerry Balance while ensuring all work content is fully protected within the Work Space

• User-friendly and intuitive management console to manage your devices, users, groups, apps and services, including reporting and dashboard capabilities

Sampling of Regulated-level BlackBerry 10 Device Management Controls

• Mobile Hotspot Mode and Tethering: Specify whether to allow Mobile Hotspot mode, tethering using Bluetooth technology, and tethering using a USB cable on a BlackBerry 10 device.

• Wireless Service Provider Billing: Specify whether a BlackBerry 10 device user can purchase applications from the BlackBerry World app storefront using the purchasing plan for your organization's wireless service provider.

• Maximum Password Age: Specify the maximum number of days that can elapse before a BlackBerry 10 device password expires and a BlackBerry 10 device user must set a new password.

• Wipe the Work Space without Network Connectivity: Specify the time, in hours, that must elapse without a BlackBerry 10 device connecting to your organization's network before wiping the entire device.

• Non-Email Accounts: Specify whether a BlackBerry 10 device user can add third-party accounts for services such as Facebook, Twitter, LinkedIn and Evernote to the device.

• Network Access Control for Work Applications: Specify whether work applications on a BlackBerry 10 device must connect to your organization's network through BES10.

• Log Submission: Specify whether a BlackBerry 10 device can generate and send log files to the BlackBerry Technical Solution Center.

• Bluetooth: Specify whether a BlackBerry 10 device can use Bluetooth technology.

• SMS/MMS: Specify whether a BlackBerry 10 device can send SMS text messages and MMS messages.

• Camera: Specify whether a BlackBerry 10 device can use the camera.

BES10's Gold level EMM controls and settings deliver the ultimate security solution for government and other high-security environments.


[Infographic: Leaders in innovation. Largest Research & Development staff of any EMM vendor [3]; expansion of security model to iOS and Android; scalability, devices per server: 100K; BES10 servers globally: 30K+; patents [1]: 44K.]


Managing Devices

With BES10 you can also easily manage iOS and Android™ devices from a central location.

A typical enterprise may contain hundreds of devices, each one a potential unauthorized entry point into your corporate servers. To help IT departments get a handle on the large number and diversity of devices attached to your network, BlackBerry has extended its security model to iOS and Android smartphones and tablets through BES10. With the ability to use BES10 to manage multiple types of devices from a single platform and management console, IT administrators are able to strike the perfect balance between corporate and end user needs.

Secure Work Space for iOS and Android

BlackBerry has also extended its ability to protect corporate data, through the creation of secure computing and communications environments, to iOS and Android devices. Secure Work Space is a containerization, application-wrapping and secure connectivity option for iOS and Android smartphones and tablets that is managed through the BES10 administration console. Managed applications are secured and separated from personal apps and data, providing an integrated email, calendar and contacts app, an enterprise-level secure browser, and secure document viewing and editing. User authentication is required to access secure apps, and work data cannot be shared outside the Secure Work Space. The trusted BlackBerry security model provides built-in secure connectivity for all enterprise apps deployed to the Secure Work Space – no VPN needed.


BlackBerry Mobile Device Management in Action

Your company has hired several new employees – each due to receive a BlackBerry 10 smartphone. The IT department quickly and easily adds a user account for each employee into BES10 using information from your company's Microsoft Active Directory. An activation password for each account is created, along with the Server Routing Protocol (SRP) ID of the BES10, and delivered to the respective employee.

The new employees type their user IDs, passwords and SRP IDs into their BlackBerry 10 devices to activate them. The smartphone's enterprise management agent establishes a secure connection through the BlackBerry infrastructure over the network to BES10. Encryption keys based on IT department policies are generated, Work Spaces are created, and profiles and software configurations are sent to each smartphone. In just a few short steps, the incoming employees are empowered with fully functional and secure mobile devices.


Managing Devices Using Device Wipe

With BES10 and BlackBerry Balance you can keep company data safe while leaving employee personal data intact. Using BES10, you can remotely wipe an employee's Work Space and all its content, leaving all personal data on the device in place.

You can also use BES10 to create policies that delete the Work Space from the device if certain events occur or specific conditions are met. For example, you can create a policy to delete the Work Space if the number of failed password attempts exceeds the maximum number allowed. You can also wipe the device if employees exceed their allotment of permitted hours or days since the last network connection.

Device Wipe in Action

An employee has just received a job offer from a competitor. This employee works in your company's procurement department and has access to the company enterprise resource planning (ERP) system via her BlackBerry 10 device. Using the ERP system application, the employee can see the company's suppliers, vendors, parts inventory, backlogs, sales projections and more.

The employee accepts the job offer and gives a two-week notice. Her manager alerts HR and IT departments about her upcoming departure. On her last day, IT wipes the employee's work profile from her BlackBerry 10 device, which prevents her from accessing the ERP and email systems. However, all of her personal information remains intact on her device as she moves on to her next job.
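The conditional wipe triggers described above (failed password attempts, time since the last network connection), together with the Maximum Password Age control, can be read as a small rule set. The following is an added example, not BES10 code or its policy format; the field names, action names and sample values are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical action names; the page does not show BES10's real policy format.
WIPE_WORK_SPACE = "wipe_work_space"
REQUIRE_NEW_PASSWORD = "require_new_password"
FLAG_CLOCK_ANOMALY = "flag_clock_anomaly"  # assumption: not a control named on the page


@dataclass(frozen=True)
class WorkSpacePolicy:
    max_failed_password_attempts: int
    max_hours_without_network: int
    max_password_age_days: int


@dataclass(frozen=True)
class DeviceState:
    failed_password_attempts: int
    activated_at: datetime
    last_network_contact: Optional[datetime]  # None: no contact since activation
    password_set_at: datetime


def elapsed(since: datetime, now: datetime) -> timedelta:
    """Time between two timestamps; naive timestamps are rejected outright."""
    if since.tzinfo is None or now.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return now - since


def evaluate(policy: WorkSpacePolicy, state: DeviceState, now: datetime) -> list:
    """Return (action, reason) pairs for every rule the device state trips."""
    findings = []

    # "Exceeds the maximum" is a strict comparison: the Nth allowed attempt is fine.
    if state.failed_password_attempts > policy.max_failed_password_attempts:
        findings.append((WIPE_WORK_SPACE, "failed password attempts exceed the maximum"))

    # A device that never checked in is measured from its activation time.
    reference = state.last_network_contact or state.activated_at
    offline = elapsed(reference, now)
    if offline < timedelta(0):
        # The offline timer cannot be trusted if the last contact lies in the future.
        findings.append((FLAG_CLOCK_ANOMALY, "last network contact is in the future"))
    elif offline > timedelta(hours=policy.max_hours_without_network):
        findings.append((WIPE_WORK_SPACE, "too long without a network connection"))

    if elapsed(state.password_set_at, now) > timedelta(days=policy.max_password_age_days):
        findings.append((REQUIRE_NEW_PASSWORD, "password older than the maximum age"))
    return findings


if __name__ == "__main__":
    # Constructed sample values.
    now = datetime(2014, 3, 1, 12, 0, tzinfo=timezone.utc)
    policy = WorkSpacePolicy(10, 72, 90)
    device = DeviceState(
        failed_password_attempts=3,
        activated_at=now - timedelta(days=200),
        last_network_contact=now - timedelta(hours=80),
        password_set_at=now - timedelta(days=95),
    )
    for action, reason in evaluate(policy, device, now):
        print(action, "-", reason)
```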

Distribution and Application Security Using BlackBerry World for Work

A benefit of BlackBerry Balance is that it allows IT to create and deploy a customized business application store called BlackBerry World for Work. With BlackBerry World for Work, you can push, install and manage business and productivity applications over the network to BlackBerry 10 device Work Spaces via BES10.

Application Sandboxing

The application sandboxing and malware controls found in BlackBerry 10 help keep company data safe and secure from potentially malicious applications. BlackBerry 10 also protects employees' personal data by allowing them to configure their devices' application controls and limit application access to their personal information.

Sandboxing separates and restricts an application's capabilities and permissions. The sandbox is a virtual container that uses device memory and part of the file system, and grants access to the application at a specific time. Applications can have sandboxes in both an employee's Work Space and Personal Space, yet each remains isolated from the other. The BlackBerry 10 OS monitors application process requests for memory outside its sandbox. If the application attempts to access memory outside its sandbox, the BlackBerry 10 OS will stop the process and reclaim the memory it uses, then restart the process without impacting other processes operating at the same time. In addition, each application is assigned its own specific group identification, which cannot be shared or reused by another application. Each application stores data in its own sandbox, and the BlackBerry 10 OS prevents other applications from accessing this specific data.

Malware Controls

The BlackBerry 10 OS includes tight controls to reduce the possibility of malware attacks, including a 'contain-and-constrain' strategy that minimizes risks. Application process requests are constrained within employees' Personal Space on the device, and the BlackBerry OS microkernel monitors inter-process communications for potential issues. The microkernel also monitors memory access by the Personal Space and authorizes its use as needed. Any application process that attempts an unauthorized memory access request is automatically restarted or shut down, protecting your company data. In the employee's Personal Space, application permissions are used to protect personal data from potential malware attacks.

Malware Protection in Action

Instead of downloading an application to the device from the prescribed channel, an employee downloads an application from the Internet to her personal computer, then moves the application, which contains malware, to the device's Personal Space. The malware scans the employee's device for names, phone numbers, credit card numbers or any other bits of identity information that can be stolen and misused.

Work-related information is not impacted, as all company information remains isolated and locked down on the device's Work Space, fully protected and secure.


End-to-end Security

Securing and protecting corporate data is of paramount concern for all enterprises. As businesses continue to adopt and expand mobility options as a means of improving worker productivity and end-user satisfaction, however, protecting corporate information and guarding against data loss becomes an increasingly complex challenge for IT departments. Underlining the situation is the fact that each personal-enabled device added to the corporate network brings with it a new opportunity in which sensitive enterprise data can be disclosed accidentally or intentionally stolen, either by the device user or by any untrusted application that is installed on the device. Accordingly, today's resource-challenged IT departments require proven and comprehensive enterprise mobility management solutions that have integrated security designs and controls necessary to protect against these new risks while delivering the compelling work and life experience that employees demand.

But protecting corporate data from misuse and loss is only half of the story. A mobile security solution, even an ironclad one, must also secure work applications while delivering an environment that enables developers to quickly and effectively create enterprise applications. BlackBerry 10 delivers on this promise with a highly functional application environment that is transparent to developers.

BlackBerry 10 was designed from the ground up to provide enterprises with the optimal balance of protection and productivity. BlackBerry 10, BES10, the BlackBerry infrastructure and BlackBerry 10 devices constitute an ironclad security solution that spans your entire business and delivers a productive and feature-rich work environment, with an integrated suite of productivity applications for your increasingly mobilized workforce.


BlackBerry® Z30 Smartphone
• Size: 140.7mm x 72mm x 9.4mm
• Display: 5" Super AMOLED display, 24-bit color, 1280 x 720 resolution at 295 PPI
• Software: BlackBerry® 10 OS
• Memory: 2GB RAM, 16GB Flash, hot-swappable Micro SD slot
• Processor: Dual Core 1.7 GHz Qualcomm MSM8960, Quad-core GPU
• Battery Life [1]: Mixed use: up to 25 hours. Talk time: up to 18 hours UMTS, 14 hours GSM. Standby time: up to 16 days. Music: up to 90 hours. Video: up to 12 hours.
• Camera: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
• GPS: GPS-enabled with preloaded BlackBerry® Maps application
• Bluetooth®: Bluetooth 4.0 Low Energy
• Wi-Fi® [2]: 802.11 a/b/g/n enabled, 4G Mobile Hotspot

BlackBerry® Z10 Smartphone
• Size: 130mm x 65.6mm x 9mm
• Display: 4.2" 4-point multi-touch LCD display, 1280 x 768 resolution at 356 DPI
• Software: BlackBerry® 10 OS
• Memory: 2GB RAM, 16GB Flash, hot-swappable Micro SD slot
• Processor: Dual Core 1.5 GHz Texas Instruments OMAP 4470
• Battery Life [1]: Talk time: up to 11 hours on 3G. Standby time: up to 408 hours on 3G, up to 397 hours on 2G. Music: up to 51 hours. Video: up to 10 hours.
• Camera: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
• GPS: GPS-enabled with preloaded BlackBerry® Maps application
• Bluetooth®: Bluetooth 4.0 Low Energy
• Wi-Fi® [2]: 802.11 b/g/n enabled, Mobile Hotspot

BlackBerry® Q10 Smartphone
• Size: 119.6mm x 66.8mm x 10.35mm
• Display: 3.1" Super AMOLED display, 720 x 720 resolution at 330 PPI
• Software: BlackBerry® 10 OS
• Memory: 2GB RAM, 16GB Flash, hot-swappable Micro SD slot
• Processor: Dual-core 1.5 GHz Qualcomm® MSM8960
• Battery Life [1]: Talk time: up to 13.5 hours on 3G. Standby time: up to 345 hours on 3G, up to 324 hours on 2G. Music: up to 62 hours. Video: up to 9 hours.
• Camera: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
• GPS: GPS-enabled with preloaded BlackBerry® Maps application
• Bluetooth®: Bluetooth 4.0 Low Energy
• Wi-Fi® [2]: 802.11 a/b/g/n enabled, 4G Mobile Hotspot

BlackBerry® Q5 Smartphone
• Size: 120mm x 66mm x 10.8mm
• Display: 3.1" Capacitive multi-touch LCD display, 720 x 720 resolution at 329 PPI
• Software: BlackBerry® 10 OS
• Memory: 2GB RAM, 8GB Flash, hot-swappable Micro SD slot
• Processor: Dual Core 1.2 GHz Qualcomm® MSM8960
• Battery Life [1]: Talk time: 3G up to 12.5 hours, 2G up to 10 hours. Standby time: up to 14 days on 3G, up to 13 days on 4G. Music: up to 62 hours. Video: up to 9 hours.
• Camera: 5 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
• GPS: GPS-enabled with preloaded BlackBerry® Maps application
• Bluetooth®: Bluetooth 4.0 Low Energy
• Wi-Fi® [2]: 802.11 b/g/n enabled, Mobile Hotspot

[1] Many factors affect battery life, including but not limited to network transmission environment, battery age, usage, location, software and feature configuration.
[2] WiFi availability may vary between country and mobile network operators.


BlackBerry Technical Support Services

Support is a key component of your Enterprise Mobility Management strategy. Implementing BES10 is easier than ever, but having a strategic support partner is still essential to assist you in delivering your mobility objectives. BlackBerry Technical Support Services offers a unique blend of technical expertise, rapid issue resolution and proactive, relationship-based support to help you realise the full potential of your BES10 multi-platform management infrastructure. For more information, visit blackberry.com/btss

Learn more at BES10.com/security

[1] February 2014
[2] August 2013
[3] November 2013
[4] Silver level EMM provides the management and control feature set for iOS, Android and BlackBerry 10 devices, previously known as BES10 EMM Corporate.
[5] Gold level EMM provides the management and control feature set for BlackBerry 10 devices, previously known under the name EMM Regulated, and also covers the containerization option for iOS and Android management known as Secure Work Space for iOS and Android.

Screen images simulated

© 2014 BlackBerry. All rights reserved. BlackBerry® and related trademarks, names and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world. All other trademarks are the property of their respective owners. iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS is used under license by Apple Inc. Apple Inc. does not sponsor, authorize or endorse this brochure. Android is a trademark of Google Inc., which does not sponsor, authorize or endorse this brochure.

EZ PASS

FREE perpetual BES10 licenses for all existing BlackBerry and other active MDM licenses, plus receive world class BlackBerry Advantage Level Technical Support FREE of charge.

Learn more at blackberry.com/ezpass

Additional Terms and Conditions will apply


BlackBerry 10/BES10 FIPS 140-2 Certification

Businesses and government agencies alike need to feel confident that their highly sensitive data – whether it's in storage or in transit – stays secure from would-be attackers. The US government created and implemented the FIPS 140-2 computer security standard and uses it to accredit file encryption modules.

Both the BlackBerry 10 OS and BES10 software are FIPS 140-2 certified, which means that your organization's data is strongly encrypted and the corresponding encryption keys are rigorously protected. BlackBerry 10 devices controlled by BES10 are the only mobile devices to be given Authority to Operate (ATO) on Department of Defense networks.

S/MIME Messaging Encryption

BES10 gives you the option of using digital certificates to sign and encrypt email and file attachments using industry standard S/MIME encryption. When IT personnel activate a mobile device on BES10, the device can be configured to sign and encrypt messages using S/MIME whenever the employee sends emails via his or her work account. S/MIME encryption keeps messages secure by using recipients' public keys to encrypt the message and their private key to decrypt it. Often overlooked as a security agent, S/MIME is a cost-effective productivity tool for enabling highly secure email communications with business partners and contractors outside of your organization.

Encryption Options

BES10 uses a technique called tunneling to protect data in transit over a secure network. Tunneling incorporates multiple layers of encryption between devices, BES10 and the wireless resource for additional data protection.

For example, when employees access the corporate Wi-Fi network, data transmissions between their device and BES10 are secured first by AES encryption and then by Wi-Fi encryption.

• Wi-Fi Encryption (IEEE 802.11): Encrypts data transmitted between mobile devices and wireless access points set up to use Wi-Fi encryption

• VPN Encryption: Encrypts data transmitted between mobile devices and VPN servers

• AES Encryption: Encrypts data transmitted between mobile devices, the BlackBerry infrastructure and BES10

• SSL/TLS Encryption: Encrypts data transmitted between mobile devices and content servers, Web servers or messaging servers that use Microsoft ActiveSync

BES10 Layers of Protection

BES10 contains multiple layers of protection so data stays secure both in transit and on devices.

• In-transit Data Protection: BES10 protects data transmissions using transport layer security

• Work Data Device Protection: Work file systems and applications are kept separate from personal data and encrypted

• Personal Data Device Protection: IT managers can create policy rules to encrypt data within the personal file system

• Device Access Control: Work Wi-Fi and VPN profiles may be delivered remotely via BES10 to enable corporate network access

• Device Behavior Control: IT managers can remotely lock mobile devices, enforce policies and wipe work/personal data from devices

• Device User Information Protection: Users can delete all their information and application data from device memory

• BlackBerry 10 OS Protection: BlackBerry 10 devices conduct integrity tests to detect kernel damage and restart processes that stop responding

• Application Data Protection Via Sandboxing: Sandboxing separates and restricts the capabilities and permissions of applications running on the device

• Resource Protection: Adaptive partitioning is used to allocate unused resources during typical operating conditions to help ensure resources are available during peak conditions

• Access Capabilities Permissions Management: The BlackBerry 10 OS evaluates each device capability request made by an application, then grants access accordingly

• Boot ROM Code Verification: The device verifies that the boot ROM code is authentic, unmodified and has permission to run on the device


Tech Talk 2: S/MIME Keys, Certificates and Encryption Algorithms

BlackBerry devices support keys and certificates for the following file format and file name extensions:

• PEM (.pem, .cer)
• DER (.der, .cer)
• PFX (.pfx, .p12)

A private key and certificate must be stored on the device for each recipient of an encrypted email message. Keys and certificates can be stored simply by importing the files from a work email message. To send encrypted messages, your employees must use their work email accounts.

The following encryption algorithms can be used by BlackBerry devices to encrypt S/MIME-protected messages:

• AES (256-bit)
• AES (192-bit)
• AES (128-bit)
• Triple DES
• RC2

Tech Talk 1: FIPS 140-2 Certification Details

The FIPS 140-2 certification was implemented by the National Institute of Standards and Technology to govern cryptography modules that involve both hardware and software components.

The BlackBerry OS cryptographic kernel, which received FIPS 140-2 certification for the BlackBerry 10 OS and BES10, generates the file encryption keys, the work domain key, the work master key and the system master key to provide a strong layer of security to protect data.

The FIPS 140-2 certificate for BlackBerry 10 and BES10:

• BlackBerry Enterprise Service 10: FIPS 140-2 Certificate no. 1765, Consolidated Certificate no. 0019, http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0019.pdf

• BlackBerry 10: FIPS 140-2 Certificate no. 1578, Consolidated Certificate no. 0007, http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0007.pdf


Protecting Work Data on Personal-Use-Enabled Devices

BlackBerry Balance and BES10 protect sensitive data

Protecting work data accessible over the corporate Intranet or stored on employees' devices is a critical part of any comprehensive mobile data security plan. The widespread use of employee-owned and personal-use-enabled devices in corporate environments – Bring Your Own Device (BYOD) and Corporate Owned Personally Enabled (COPE) movements – creates major data security challenges. Without a heavy-duty security architecture in place, one designed for work and personal use, it is easy for employees to leak sensitive work data through personal use such as webmail and browsing, social networking and media, and untrusted personal applications.

With BlackBerry Balance™, a feature of BES10, you can create a "dual-persona" environment on employees' mobile devices by establishing a separate, secure environment for work-related applications and associated sensitive data. This work environment leverages integrated, cryptographically partitioned file systems to protect sensitive work data while delivering a compelling "work-life" user experience.

BlackBerry Balance: Seamless Separation of Personal & Work Data

BlackBerry Balance identifies and tags data and processes that originate from your company's Wi-Fi, VPN access or Intranet and routes it to the employee's work profile on the device. Other personal data and activities, including third-party applications, public Web browsing and personal email, are contained within the personal profile.

BlackBerry Balance Overview and Features

BlackBerry Balance keeps employees' work and personal information separate and secure on BlackBerry 10 devices using specifically designated areas called Spaces. Within each of these Spaces, data, applications and network connections can be safely stored. Individual Spaces can be governed by their own rules for data storage, application permissions and network routing. Using separate Spaces for work and personal activities helps keep sensitive data secure by preventing employees from copying work data into personal email or displaying information during video chats.


Built-in Password Protection

BES10 allows you to establish and enforce password policies quickly and easily to better protect data stored in employees' devices. IT policies can be set to require your employees to enter a password, or use their corporate single sign-on using Active Directory® services, to gain access to Spaces containing work-related data. This keeps data at rest on employee devices safe and protected.

BlackBerry Balance in action

After eight years of employment at your company, a salesperson is leaving to take a leadership role at a startup business that will share the same competitive space as your company. Looking to jumpstart the customer acquisition process, the departing salesperson, who has access to the corporate customer relationship management (CRM) system, attempts to send your company's customer list and deal status to his personal email account before leaving the company.

The soon-to-be former employee accesses the CRM application from his BlackBerry 10 device and tries to paste the list and deal information into his personal email account. Because BlackBerry Balance prevents copy and paste functions between employees' work profiles and personal profiles, the employee is unable to move data into his personal email or copy files from his Work Space to his Personal Space. Your company's sales information stays safe. In addition, BES10 allows you to wipe all corporate information from an employee-owned device after the employee has left the company, without impacting personal data.

Using BlackBerry Balance, you can:

• Control employee access to company data and applications on their devices

• Prevent company data from becoming compromised

• Provide employees a unified and consistent user experience, with a core set of applications, when accessing personal or work data

• Install and manage company applications on employees' devices remotely

• Remove company data and applications from employee-owned devices when needed, without impacting personal configuration and data

• Control network connections for work and personal applications remotely

BlackBerry Balance lets you control how devices separate, secure and protect company data and resources.


Tech Talk 3: Work Space/Personal Space in Detail

BlackBerry Balance and BES10 provide a work environment that securely separates work and personal information on mobile devices. Devices classify data as work data or personal data based on the source of the data. For example, if data comes from a work-related source, it is stored in the device's Work Space. Personal and Work Spaces can have different rules for data storage, application permissions and network routing. The separate spaces help users to avoid activities such as accidentally copying work data into a personal application or displaying confidential work data. IT administrators have the option of managing and securing data in a Personal Space.

[Figure: Work and Personal sides of the device on top of the base file system. Work Space: apps and data, encrypted. Personal Space: apps and data, encryption optional.]


Enforcing Strong Access Controls

BlackBerry security gives you greater control over how and when mobile devices connect to your network infrastructure and access data

BlackBerry security delivers multiple access control features, such as device authentication, anti-counterfeiting manufacturing controls and device OS protection, that verify and maintain device integrity. These features help ensure only authorized devices used by authorized employees gain entry into your network, use network services and access data.

BlackBerry Hardware Root of Trust

BlackBerry takes specific steps to help ensure the integrity of its devices and prevent counterfeit devices from connecting to the BlackBerry infrastructure.

Security is built into each major BlackBerry device component, making it more difficult for unauthorized users to remove or circumvent security on a BlackBerry device than on other mobile operating systems. Plus, all parts of the BlackBerry supply chain, from its manufacturing partners to the BlackBerry infrastructure and devices, are securely connected, which means trusted BlackBerry devices can be built around the world.

This secure manufacturing model helps prevent the impersonation of authentic BlackBerry devices and ensures that only authentic BlackBerry devices can connect to the BlackBerry infrastructure. Any device trying to connect to the BlackBerry infrastructure must complete the self-verification process before access is granted.

Authentication

Multiple forms of authentication take place within the BlackBerry system to minimize the possibility of data loss and outside attack. First, the BlackBerry infrastructure and BES10 authenticate with each other by sharing a Server Routing Protocol (SRP) authentication key before a connection takes place.

The second level of authentication takes place between BES10 and the activated BlackBerry 10 device. When the device is activated, it generates a key pair and sends the public key to BES10. The BES10 server then creates a client certificate and sends an enterprise management root certificate and client certificate back to the device. It uses the enterprise management root certificate to authenticate the server certificate for the enterprise management Web service. BES10 and the BlackBerry 10 device use the client certificate to authenticate users, their Work Spaces and their devices.

[Figure: BlackBerry 10 Operating System chain of verification, each step marked "Verified"]
• CPU Embedded Boot ROM: Boot ROM digital signature
• Boot ROM: Public EC 521 Key of OS Signature
• BlackBerry 10 OS: SHA256 hash of Base File System (Signed with EC 521)
• Base File System (Read only): XML Manifest of loaded applications (Cryptographically hashed)
• Applications 1 to 4
• Software Upgrades and Application Downloads from BlackBerry World: All downloads verified with ECC signed SHA-2 hashes
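The verification order in the diagram above, as an added example that is not BlackBerry code: each stage is checked against a value carried by the stage already verified, and checking stops at the first failure. It substitutes pinned SHA-256 digests for the EC 521 signature checks so that it runs with the Python standard library alone; the image contents, field names and application names are constructed.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def same_digest(data: bytes, expected_hex: str) -> bool:
    # Constant-time comparison of the computed and expected digests.
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def build_manifest(apps: dict) -> bytes:
    """XML manifest listing every application with its SHA-256 hash."""
    root = ET.Element("manifest")
    for name in sorted(apps):
        ET.SubElement(root, "app", name=name, sha256=sha256_hex(apps[name]))
    return ET.tostring(root)


def os_blob(os_image: dict) -> bytes:
    # The OS image covers its code and the base file system hash it carries.
    return os_image["code"] + os_image["base_fs_sha256"].encode()


def fs_blob(base_fs: dict) -> bytes:
    # The read-only base file system covers its files and the app manifest.
    return base_fs["files"] + base_fs["manifest"]


def build_device(apps: dict) -> dict:
    """Assemble a constructed device image from the applications upward."""
    base_fs = {"files": b"constructed system files", "manifest": build_manifest(apps)}
    os_image = {"code": b"constructed OS code", "base_fs_sha256": sha256_hex(fs_blob(base_fs))}
    return {"os": os_image, "base_fs": base_fs, "apps": dict(apps)}


def verify_chain(rom_os_sha256: str, device: dict):
    """Return (stages_verified, failure); failure is None if every stage passes."""
    verified = []

    # Stage 1: the boot ROM anchor checks the OS (stand-in for the signature check).
    if not same_digest(os_blob(device["os"]), rom_os_sha256):
        return verified, "os: image does not match the value anchored in boot ROM"
    verified.append("os")

    # Stage 2: the verified OS checks the base file system hash it carries.
    if not same_digest(fs_blob(device["base_fs"]), device["os"]["base_fs_sha256"]):
        return verified, "base_fs: hash differs from the one carried by the verified OS"
    verified.append("base_fs")

    # Stage 3: the verified manifest checks every application present on the device.
    try:
        root = ET.fromstring(device["base_fs"]["manifest"])
    except ET.ParseError:
        return verified, "applications: manifest is not well-formed XML"
    listed = {e.get("name"): e.get("sha256") for e in root.iter("app")}
    for name, blob in sorted(device["apps"].items()):
        expected = listed.get(name)
        if expected is None:
            return verified, f"applications: {name} has no manifest entry"
        if not same_digest(blob, expected):
            return verified, f"applications: {name} does not match its manifest hash"
    verified.append("applications")
    return verified, None


if __name__ == "__main__":
    apps = {"app1": b"constructed app 1", "app2": b"constructed app 2"}
    device = build_device(apps)
    anchor = sha256_hex(os_blob(device["os"]))  # value fixed in ROM at manufacture
    print(verify_chain(anchor, device))

    # A modified application fails even if its manifest entry is rewritten to
    # match, because the rewritten manifest no longer matches the hash in the OS.
    tampered = copy.deepcopy(device)
    tampered["apps"]["app2"] = b"modified app 2"
    print(verify_chain(anchor, tampered))
    tampered["base_fs"]["manifest"] = build_manifest(tampered["apps"])
    print(verify_chain(anchor, tampered))
```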


BlackBerry 10 Device OS Security Features

Protecting the device's OS is one of the most important functions of mobile device security. However, it's sometimes neglected by other manufacturers focused on consumer devices, since it can be challenging to verify the security vulnerabilities contained in millions of lines of source code, a common characteristic of many devices' OSs. The BlackBerry 10 OS includes security features for OS protection, including:

• Microkernel Implementation: The hardened QNX microkernel used in the BlackBerry 10 OS contains approximately 150,000 lines of code. With fewer lines of code, the BlackBerry OS is less susceptible to vulnerabilities than other platforms. As a result, rigorous security verification and testing are achieved even with a fixed amount of IT resources.

Resilient Design To reduce risks the microkernel contains processes associated with personal use Any unresponsive or misbehaving process is automatically restarted or killed respectively without impacting other processes

Root Process Minimization To reduce security risks only the most essential BlackBerry processes are run in root mode This mode is never available to third parties

Blackberry World Application Stores Once a BlackBerry 10 device is activated on BES10 it has access to two separate BlackBerry World application storefronts BlackBerry World for personal use and BlackBerry World for Work for enterprise use

Within the Work Space only applications approved by the BES 10 administrator are permitted to be installed Work applications can either be ldquopushedrdquo to users based on policy or ldquopulledrdquo by users for optional use Within the Personal Space users are free to download any application available through BlackBerry World

15 Enforcing Strong Access Controls cont

Back to the Contents

For the large majority of organizations, BlackBerry Balance, available via the BES10 Silver EMM⁴ configuration, optimizes the balance between security and employee expectations for a compelling work and life end-user experience. Some highly sensitive, regulated environments, however, may not permit personal use on employee devices due to established risk management policies. For these organizations, often operating in government, financial services or healthcare sectors, for example, BlackBerry offers the BES10 Gold EMM⁵ configuration, which gives administrators the ability to disable personal use as well as impose device, application and content controls that exceed the granularity of the BES10 Silver EMM configuration. No other mobile platform offers this unique capability.

The BES10 regulated-level device management control features enable large enterprises and government and regulated industries to manage fully locked-down devices with a set of controls unmatched in their level of granularity.

Gold level device management capabilities include:

• BlackBerry 10 Mobile Device Management (MDM) capabilities designed for secure government and regulated environments

• Enforcement of corporate-only use and granular controls to manage use of camera, storage, WiFi, Bluetooth and other device features

• Option to enable a controlled Personal Space through BlackBerry Balance while ensuring all work content is fully protected within the Work Space

• User friendly and intuitive management console to manage your devices, users, groups, apps and services, including reporting and dashboard capabilities

Sampling of Regulated-level BlackBerry 10 Device Management Controls

Mobile Hotspot Mode and Tethering: Specify whether to allow Mobile Hotspot mode, tethering using Bluetooth technology, and tethering using a USB cable on a BlackBerry 10 device.

Wireless Service Provider Billing: Specify whether a BlackBerry 10 device user can purchase applications from the BlackBerry World app storefront using the purchasing plan for your organization’s wireless service provider.

Maximum Password Age: Specify the maximum number of days that can elapse before a BlackBerry 10 device password expires and a BlackBerry 10 device user must set a new password.

Wipe the Work Space without Network Connectivity: Specify the time in hours that must elapse without a BlackBerry 10 device connecting to your organization’s network before wiping the entire device.

Non-Email Accounts: Specify whether a BlackBerry 10 device user can add third-party accounts for services such as Facebook, Twitter, LinkedIn and Evernote to the device.

Network Access Control for Work Applications: Specify whether work applications on a BlackBerry 10 device must connect to your organization’s network through BES10.

Log Submission: Specify whether a BlackBerry 10 device can generate and send log files to the BlackBerry Technical Solution Center.

Bluetooth: Specify whether a BlackBerry 10 device can use Bluetooth technology.

SMS/MMS: Specify whether a BlackBerry 10 device can send SMS text messages and MMS messages.

Camera: Specify whether a BlackBerry 10 device can use the camera.

BES10’s Gold level EMM controls and settings deliver the ultimate security solution for government and other high-security environments.


[Infographic: Leaders in innovation. Largest Research & Development staff of any EMM vendor³. Expansion of security model to iOS and Android. Scalability figures, with labels and values in the order shown: devices per server, BES10 servers globally, patents¹ (100K, 30K+, 44K).]


Managing Devices

With BES10, you can also easily manage iOS and Android™ devices from a central location.

A typical enterprise may contain hundreds of devices, each one a potential unauthorized entry point into your corporate servers. To help IT departments get a handle on the large number and diversity of devices attached to your network, BlackBerry has extended its security model to iOS and Android smartphones and tablets through BES10. With the ability to use BES10 to manage multiple types of devices from a single platform and management console, IT administrators are able to strike the perfect balance between corporate and end user needs.

Secure Work Space for iOS and Android: BlackBerry has also extended its ability to protect corporate data through the creation of secure computing and communications environments to iOS and Android devices. Secure Work Space is a containerization, application-wrapping and secure connectivity option for iOS and Android smartphones and tablets that is managed through the BES10 administration console. Managed applications are secured and separated from personal apps and data, providing an integrated email, calendar and contacts app, an enterprise-level secure browser, and secure document viewing and editing. User authentication is required to access secure apps, and work data cannot be shared outside the Secure Work Space. The trusted BlackBerry security model provides built-in secure connectivity for all enterprise apps deployed to the Secure Work Space – no VPN needed.


BlackBerry Mobile Device Management in Action

Your company has hired several new employees – each due to receive a BlackBerry 10 smartphone. The IT department quickly and easily adds a user account for each employee into BES10 using information from your company’s Microsoft Active Directory. An activation password for each account is created along with the Server Routing Protocol (SRP) ID of the BES10 and delivered to the respective employee.

The new employees type their user IDs, passwords and SRP IDs into their BlackBerry 10 devices to activate them. The smartphone’s enterprise management agent establishes a secure connection through the BlackBerry infrastructure over the network to BES10. Encryption keys based on IT department policies are generated, Work Spaces are created, and profiles and software configurations are sent to each smartphone. In just a few short steps, the incoming employees are empowered with fully functional and secure mobile devices.


Managing Devices Using Device Wipe

With BES10 and BlackBerry Balance, you can keep company data safe while leaving employee personal data intact. Using BES10, you can remotely wipe an employee’s Work Space and all its content, leaving all personal data on the device in place.

You can also use BES10 to create policies that delete the Work Space from the device if certain events occur or specific conditions are met. For example, you can create a policy to delete the Work Space if the number of failed password attempts exceeds the maximum number allowed. You can also wipe the device if employees exceed their allotment of permitted hours or days since the last network connection.

Device Wipe in Action: An employee has just received a job offer from a competitor. This employee works in your company’s procurement department and has access to the company enterprise resource planning (ERP) system via her BlackBerry 10 device. Using the ERP system application, the employee can see the company’s suppliers, vendors, parts inventory, backlogs, sales projections and more.

The employee accepts the job offer and gives a two-week notice. Her manager alerts HR and IT departments about her upcoming departure. On her last day, IT wipes the employee’s work profile from her BlackBerry 10 device, which prevents her from accessing the ERP and email systems. However, all of her personal information remains intact on her device as she moves on to her next job.

Distribution and Application Security Using BlackBerry World for Work

A benefit of BlackBerry Balance is that it allows IT to create and deploy a customized business application store called BlackBerry World for Work. With BlackBerry World for Work, you can push, install and manage business and productivity applications over the network to BlackBerry 10 device Work Spaces via BES10.

Application Sandboxing: The application sandboxing and malware controls found in BlackBerry 10 help keep company data safe and secure from potentially malicious applications. BlackBerry 10 also protects employees’ personal data by allowing them to configure their devices’ application controls and limit application access to their personal information.

Sandboxing separates and restricts an application’s capabilities and permissions. The sandbox is a virtual container that uses device memory and part of the file system, and grants access to the application at a specific time. Applications can have sandboxes in both an employee’s Work Space and Personal Space, yet each remains isolated from the other. The BlackBerry 10 OS monitors application process requests for memory outside its sandbox. If the application attempts to access memory outside its sandbox, the BlackBerry 10 OS will stop the process and reclaim the memory it uses, then restart the process without impacting other processes operating at the same time. In addition, each application is assigned its own specific group identification, which cannot be shared or reused by another application. Each application stores data in its own sandbox, and the BlackBerry 10 OS prevents other applications from accessing this specific data.

Malware Controls: The BlackBerry 10 OS includes tight controls to reduce the possibility of malware attacks, including a ‘contain-and-constrain’ strategy that minimizes risks. Application process requests are constrained within employees’ Personal Space on the device, and the BlackBerry OS microkernel monitors inter-process communications for potential issues. The microkernel also monitors memory access by the Personal Space and authorizes its use as needed. Any application process that attempts an unauthorized memory access request is automatically restarted or shut down, protecting your company data. In the employee’s Personal Space, application permissions are used to protect personal data from potential malware attacks.

Malware Protection in Action: Instead of downloading an application to the device from the prescribed channel, an employee downloads an application from the Internet to her personal computer, then moves the application, which contains malware, to the device’s Personal Space. The malware scans the employee’s device for names, phone numbers, credit card numbers or any other bits of identity information that can be stolen and misused.

Work-related information is not impacted, as all company information remains isolated and locked down on the device’s Work Space, fully protected and secure.


End-to-end Security

Securing and protecting corporate data is of paramount concern for all enterprises. As businesses continue to adopt and expand mobility options as a means of improving worker productivity and end-user satisfaction, however, protecting corporate information and guarding against data loss becomes an increasingly complex challenge for IT departments. Underlining the situation is the fact that each personal-enabled device added to the corporate network brings with it a new opportunity in which sensitive enterprise data can be disclosed accidentally or intentionally stolen, either by the device user or by any untrusted application that is installed on the device. Accordingly, today’s resource-challenged IT departments require proven and comprehensive enterprise mobility management solutions that have integrated security designs and controls necessary to protect against these new risks while delivering the compelling work and life experience that employees demand.

But protecting corporate data from misuse and loss is only half of the story. A mobile security solution, even an ironclad one, must also secure work applications while delivering an environment that enables developers to quickly and effectively create enterprise applications. BlackBerry 10 delivers on this promise with a highly functional application environment that is transparent to developers.

BlackBerry 10 was designed from the ground up to provide enterprises with the optimal balance of protection and productivity. BlackBerry 10, BES10, the BlackBerry infrastructure and BlackBerry 10 devices constitute an ironclad security solution that spans your entire business and delivers a productive and feature-rich work environment with an integrated suite of productivity applications for your increasingly mobilized workforce.


BlackBerry® Z30 Smartphone
Size: 140.7mm x 72mm x 9.4mm
Display: 5" Super AMOLED display, 24 bit color, 1280 x 720 resolution at 295 PPI
Software: BlackBerry® 10 OS
Memory: 2GB RAM, 16GB Flash®, hot-swappable Micro SD slot
Processor: Dual Core 1.7 GHz Qualcomm MSM8960, Quad-core GPU
Battery Life¹: Mixed use: up to 25 hours. Talk time: up to 18 hours UMTS, 14 hours GSM. Standby time: up to 16 days. Music: up to 90 hours. Video: up to 12 hours.
Camera: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®²: 802.11 a/b/g/n enabled, 4G Mobile Hotspot

BlackBerry® Z10 Smartphone
Size: 130mm x 65.6mm x 9mm
Display: 4.2" 4-point multi-touch LCD display, 1280 x 768 resolution at 356 DPI
Software: BlackBerry® 10 OS
Memory: 2GB RAM, 16GB Flash®, hot-swappable Micro SD slot
Processor: Dual Core 1.5 GHz Texas Instruments OMAP 4470
Battery Life¹: Talk time: up to 11 hours on 3G. Standby time: up to 408 hours on 3G, up to 397 hours on 2G. Music: up to 51 hours. Video: up to 10 hours.
Camera: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®²: 802.11 b/g/n enabled, Mobile Hotspot

BlackBerry® Q10 Smartphone
Size: 119.6mm x 66.8mm x 10.35mm
Display: 3.1" Super AMOLED display, 720 x 720 resolution at 330 PPI
Software: BlackBerry® 10 OS
Memory: 2GB RAM, 16GB Flash®, hot-swappable Micro SD slot
Processor: Dual-core 1.5 GHz Qualcomm® MSM8960
Battery Life¹: Talk time: up to 13.5 hours on 3G. Standby time: up to 345 hours on 3G, up to 324 hours on 2G. Music: up to 62 hours. Video: up to 9 hours.
Camera: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®²: 802.11 a/b/g/n enabled, 4G Mobile Hotspot

BlackBerry® Q5 Smartphone
Size: 120mm x 66mm x 10.8mm
Display: 3.1" Capacitive multi-touch LCD display, 720 x 720 resolution at 329 PPI
Software: BlackBerry® 10 OS
Memory: 2GB RAM, 8GB Flash®, hot-swappable Micro SD slot
Processor: Dual Core 1.2 GHz Qualcomm® MSM8960
Battery Life¹: Talk time: 3G - up to 12.5 hours, 2G - up to 10 hours. Standby time: up to 14 days on 3G, up to 13 days on 4G. Music: up to 62 hours. Video: up to 9 hours.
Camera: 5 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®²: 802.11 b/g/n enabled, Mobile Hotspot

1 Many factors affect battery life, including but not limited to network transmission environment, battery age, usage, location, software and feature configuration.
2 WiFi availability may vary between country and mobile network operators.


BlackBerry Technical Support Services

Support is a key component of your Enterprise Mobility Management strategy. Implementing BES10 is easier than ever, but having a strategic support partner is still essential to assist you in delivering your mobility objectives. BlackBerry Technical Support Services offers a unique blend of technical expertise, rapid issue resolution and proactive, relationship-based support to help you realise the full potential of your BES10 multi-platform management infrastructure. For more information, visit blackberry.com/btss

Learn more at BES10.com/security

1 February 2014
2 August 2013
3 November 2013
4 Silver level EMM provides the management and control feature set for iOS, Android and BlackBerry 10 devices, previously known as BES10 EMM Corporate.
5 Gold level EMM provides the management and control feature set for BlackBerry 10 devices, previously known under the name EMM Regulated, and also covers the containerization option for iOS and Android management known as Secure Work Space for iOS and Android.

Screen images simulated.

© 2014 BlackBerry. All rights reserved. BlackBerry® and related trademarks, names and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world. All other trademarks are the property of their respective owners. iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS is used under license by Apple Inc. Apple Inc. does not sponsor, authorize or endorse this brochure. Android is a trademark of Google Inc., which does not sponsor, authorize or endorse this brochure.

EZ PASS: FREE perpetual BES10 licenses for all existing BlackBerry and other active MDM licenses, plus receive world class BlackBerry Advantage Level Technical Support FREE of charge.

Learn more at blackberry.com/ezpass

Additional Terms and Conditions will apply.

Tech Talk 2: S/MIME Keys, Certificates and Encryption Algorithms

BlackBerry devices support keys and certificates for the following file format and file name extensions:

• PEM (.pem, .cer)
• DER (.der, .cer)
• PFX (.pfx, .p12)

A private key and certificate must be stored on the device for each recipient of an encrypted email message. Keys and certificates can be stored simply by importing the files from a work email message. To send encrypted messages, your employees must use their work email accounts.

The following encryption algorithms can be used by BlackBerry devices to encrypt S/MIME-protected messages:

• AES (256-bit)
• AES (192-bit)
• AES (128-bit)
• Triple DES
• RC2
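Because `.cer` appears under both PEM and DER in the format list above, an import check has to classify a file by its content rather than its extension. The following Python sketch is an added example, not BlackBerry code; the function names and the sample byte strings are constructed for illustration.

```python
import base64
import os
import re

# Extensions per container format, as listed in the Tech Talk above.
ALLOWED_EXT = {
    "PEM": {".pem", ".cer"},
    "DER": {".der", ".cer"},
    "PFX": {".pfx", ".p12"},
}

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def read_tlv(buf, pos, limit):
    """Parse one DER header at pos; return (tag, value_start, value_end)."""
    if pos + 2 > limit:
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > limit:
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > limit:
        raise ValueError("DER value runs past the end of the input")
    return tag, pos, pos + length


def der_kind(buf):
    """Tell a PKCS#12 (PFX) container from a certificate-shaped DER object."""
    tag, start, end = read_tlv(buf, 0, len(buf))
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    inner_tag, istart, iend = read_tlv(buf, start, end)
    # PFX ::= SEQUENCE { version INTEGER (3), ... }
    if inner_tag == 0x02 and buf[istart:iend] == b"\x03":
        return ("PFX", "PKCS#12 container")
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
    # Only the outer shape is checked; other signed structures look the same here.
    if inner_tag == 0x30:
        return ("DER", "certificate-shaped")
    return ("DER", "other")


def classify(blob):
    """Return (container, content) for a key or certificate blob, by content only."""
    match = PEM_RE.search(blob)
    if match:
        try:
            der = base64.b64decode(b"".join(match.group(2).split()), validate=True)
        except ValueError as exc:          # binascii.Error is a ValueError
            raise ValueError("PEM body is not valid base64") from exc
        der_kind(der)                      # the body must at least be well-formed DER
        return ("PEM", match.group(1).decode("ascii"))
    return der_kind(blob)


def extension_matches(filename, blob):
    """True when the file name extension is one the list allows for the real format."""
    container, _ = classify(blob)
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXT[container]


# Constructed skeletons (not real certificates or key stores).
SAMPLE_DER_CERT = bytes.fromhex("30053003020102")   # SEQUENCE { SEQUENCE { INTEGER 2 } }
SAMPLE_PFX = bytes.fromhex("30050201033000")        # SEQUENCE { INTEGER 3, SEQUENCE {} }
SAMPLE_PEM_CERT = (b"-----BEGIN CERTIFICATE-----\n"
                   + base64.b64encode(SAMPLE_DER_CERT)
                   + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, blob in [("alice.cer", SAMPLE_PEM_CERT), ("alice.cer", SAMPLE_DER_CERT),
                       ("alice.pfx", SAMPLE_DER_CERT), ("alice.p12", SAMPLE_PFX)]:
        print(name, classify(blob), extension_matches(name, blob))
```

A file whose content and extension disagree, such as a DER certificate renamed to `.pfx`, is reported as a mismatch instead of being handed to the wrong parser.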

Tech Talk 1: FIPS 140-2 Certification Details

The FIPS 140-2 certification was implemented by the National Institute of Standards and Technology to govern cryptography modules that involve both hardware and software components.

The BlackBerry OS cryptographic kernel, which received FIPS 140-2 certification for the BlackBerry 10 OS and BES10, generates the file encryption keys, the work domain key, the work master key and the system master key to provide a strong layer of security to protect data.

The FIPS 140-2 certificate for BlackBerry 10 and BES10:

BlackBerry Enterprise Service 10: FIPS 140-2 Certificate no. 1765, Consolidated Certificate no. 0019
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0019.pdf

BlackBerry 10: FIPS 140-2 Certificate no. 1578, Consolidated Certificate no. 0007
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0007.pdf


Protecting Work Data on Personal-Use-Enabled Devices

BlackBerry Balance and BES10 protect sensitive data

Protecting work data accessible over the corporate Intranet or stored on employees’ devices is a critical part of any comprehensive mobile data security plan. The widespread use of employee-owned and personal-use-enabled devices in corporate environments – Bring Your Own Device (BYOD) and Corporate Owned Personally Enabled (COPE) movements – creates major data security challenges. Without a heavy-duty security architecture in place, one designed for work and personal use, it is easy for employees to leak sensitive work data through personal use such as webmail and browsing, social networking and media, and untrusted personal applications.

With BlackBerry Balance™, a feature of BES10, you can create a “dual-persona” environment on employees’ mobile devices by establishing a separate, secure environment for work-related applications and associated sensitive data. This work environment leverages integrated, cryptographically partitioned file systems to protect sensitive work data while delivering a compelling “work-life” user experience.

BlackBerry Balance: Seamless Separation of Personal & Work Data

BlackBerry Balance identifies and tags data and processes that originate from your company’s Wi-Fi, VPN access or Intranet and routes it to the employee’s work profile on the device. Other personal data and activities, including third-party applications, public Web browsing and personal email, are contained within the personal profile.

BlackBerry Balance Overview and Features: BlackBerry Balance keeps employees’ work and personal information separate and secure on BlackBerry 10 devices using specifically designated areas called Spaces. Within each of these Spaces, data, applications and network connections can be safely stored. Individual Spaces can be governed by their own rules for data storage, application permissions and network routing. Using separate Spaces for work and personal activities helps keep sensitive data secure by preventing employees from copying work data into personal email or displaying information during video chats.


Built-in Password Protection: BES10 allows you to establish and enforce password policies quickly and easily to better protect data stored in employees’ devices. IT policies can be set to require your employees to enter a password or use their corporate single sign-on using Active Directory® services to gain access to Spaces containing work-related data. This keeps data at rest on employee devices safe and protected.

BlackBerry Balance in action: After eight years of employment at your company, a salesperson is leaving to take a leadership role at a startup business that will share the same competitive space as your company. Looking to jumpstart the customer acquisition process, the departing salesperson, who has access to the corporate customer relationship management (CRM) system, attempts to send your company’s customer list and deal status to his personal email account before leaving the company.

The soon-to-be former employee accesses the CRM application from his BlackBerry 10 device and tries to paste the list and deal information into his personal email account. Because BlackBerry Balance prevents copy and paste functions between employees’ work profiles and personal profiles, the employee is unable to move data into his personal email or copy files from his Work Space to his Personal Space. Your company’s sales information stays safe. In addition, BES10 allows you to wipe all corporate information from an employee-owned device after the employee has left the company, without impacting personal data.

Using BlackBerry Balance, you can:

• Control employee access to company data and applications on their devices

• Prevent company data from becoming compromised

• Provide employees a unified and consistent user experience with a core set of applications when accessing personal or work data

• Install and manage company applications on employees’ devices remotely

• Remove company data and applications from employee-owned devices when needed, without impacting personal configuration and data

• Control network connections for work and personal applications remotely

BlackBerry Balance lets you control how devices separate, secure and protect company data and resources.


Tech Talk 3: Work Space/Personal Space in Detail

BlackBerry Balance and BES10 provide a work environment that securely separates work and personal information on mobile devices. Devices classify data as work data or personal data based on the source of the data. For example, if data comes from a work-related source, it is stored in the device’s Work Space. Personal and Work Spaces can have different rules for data storage, application permissions and network routing. The separate spaces help users to avoid activities such as accidentally copying work data into a personal application or displaying confidential work data. IT administrators have the option of managing and securing data in a Personal Space.

[Figure: Work and Personal. Work Space: apps and data, Encrypt. Personal Space: apps and data, Encrypt (optional). Base file system.]


Enforcing Strong Access Controls

BlackBerry security gives you greater control over how and when mobile devices connect to your network infrastructure and access data

BlackBerry security delivers multiple access control features, such as device authentication, anti-counterfeiting manufacturing controls and device OS protection, that verify and maintain device integrity. These features help ensure only authorized devices used by authorized employees gain entry into your network, use network services and access data.

BlackBerry Hardware Root of Trust: BlackBerry takes specific steps to help ensure the integrity of its devices and prevent counterfeit devices from connecting to the BlackBerry infrastructure.

Security is built into each major BlackBerry device component, making it more difficult for unauthorized users to remove or circumvent security on a BlackBerry device than on other mobile operating systems. Plus, all parts of the BlackBerry supply chain, from its manufacturing partners to the BlackBerry infrastructure and devices, are securely connected, which means trusted BlackBerry devices can be built around the world.

This secure manufacturing model helps prevent the impersonation of authentic BlackBerry devices and ensures that only authentic BlackBerry devices can connect to the BlackBerry infrastructure. Any device trying to connect to the BlackBerry infrastructure must complete the self-verification process before access is granted.

Authentication: Multiple forms of authentication take place within the BlackBerry system to minimize the possibility of data loss and outside attack. First, the BlackBerry infrastructure and BES10 authenticate with each other by sharing a Server Routing Protocol (SRP) authentication key before a connection takes place.

The second level of authentication takes place between BES10 and the activated BlackBerry 10 device. When the device is activated, it generates a key pair and sends the public key to BES10. The BES10 server then creates a client certificate and sends an enterprise management root certificate and client certificate back to the device. The device uses the enterprise management root certificate to authenticate the server certificate for the enterprise management Web service. BES10 and the BlackBerry 10 device use the client certificate to authenticate users, their Work Spaces and their devices.

[Figure: BlackBerry 10 Operating System. Layers shown: CPU Embedded Boot ROM (Boot ROM digital signature); Boot ROM (Public EC 521 Key of OS Signature), Verified; BlackBerry 10 OS (SHA256 hash of Base File System, signed with EC 521), Verified; Base File System, read only (XML Manifest of loaded applications, cryptographically hashed), Verified; Applications 1 to 4.]

Software Upgrades and Application Downloads from BlackBerry World: All downloads verified with ECC signed SHA-2 hashes.
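The layered verification in the figure above, as an added Python sketch (not BlackBerry code): each stage is checked against a value held by the stage already verified, and nothing is parsed before it has been verified. The EC 521 signature checks are replaced here by pinned SHA-256 digests so the example runs on the standard library alone; the image layout, the `BASEFS_SHA256=` marker and the manifest schema are assumptions made for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

FS_MARKER = b"BASEFS_SHA256="   # assumed trailer format inside the OS image


class BootVerificationError(Exception):
    """Raised with the name of the first stage that failed verification."""


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _require(expected_hex, data, stage):
    # Constant-time comparison; any mismatch halts the chain at this stage.
    if not hmac.compare_digest(expected_hex, sha256_hex(data)):
        raise BootVerificationError(stage)


def verify_boot_chain(rom_pinned_os_digest, os_image, base_fs, apps):
    """Verify OS image -> base file system -> per-application hashes.

    Returns {app_name: loadable}. A failure in the OS image or base file
    system raises; a bad or unlisted application is refused individually.
    """
    # Stage 1: the immutable boot ROM vouches for the OS image.
    _require(rom_pinned_os_digest, os_image, "OS image")

    # Stage 2: only the verified OS image may say what the base FS must hash to.
    idx = os_image.rfind(FS_MARKER)
    if idx < 0:
        raise BootVerificationError("OS image carries no base file system digest")
    fs_digest = os_image[idx + len(FS_MARKER):].decode("ascii").strip()
    _require(fs_digest, base_fs, "base file system")

    # Stage 3: the manifest is parsed only after the base FS has been verified.
    manifest = {e.get("name"): e.get("sha256") for e in ET.fromstring(base_fs).iter("app")}
    result = {}
    for name, blob in apps.items():
        expected = manifest.get(name)
        result[name] = expected is not None and hmac.compare_digest(expected, sha256_hex(blob))
    return result


def build_sample():
    """Constructed sample: two applications, a manifest, an OS image, a ROM digest."""
    apps = {"mail": b"mail-app-v1", "browser": b"browser-app-v1"}
    entries = "".join(
        '<app name="%s" sha256="%s"/>' % (name, sha256_hex(blob))
        for name, blob in sorted(apps.items())
    )
    base_fs = ("<manifest>%s</manifest>" % entries).encode("ascii")
    os_image = b"constructed-os-image\n" + FS_MARKER + sha256_hex(base_fs).encode("ascii")
    return sha256_hex(os_image), os_image, base_fs, apps


if __name__ == "__main__":
    rom, os_image, base_fs, apps = build_sample()
    print(verify_boot_chain(rom, os_image, base_fs, apps))
    print(verify_boot_chain(rom, os_image, base_fs, dict(apps, sideloaded=b"unknown")))
```

Editing the manifest to admit a modified application changes the base file system digest, so the failure surfaces one stage earlier than the application check.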


BlackBerry 10 Device OS Security Features

Protecting the device’s OS is one of the most important functions of mobile device security. However, it’s sometimes neglected by other manufacturers focused on consumer devices, since it can be challenging to verify the security vulnerabilities contained in millions of lines of source code, a common characteristic of many devices’ OSs. The BlackBerry 10 OS includes security features for OS protection, including:

Microkernel Implementation: The hardened QNX microkernel used in the BlackBerry 10 OS contains approximately 150,000 lines of code. With fewer lines of code, the BlackBerry OS is less susceptible to vulnerabilities than other platforms. As a result, rigorous security verification and testing are achieved even with a fixed amount of IT resources.

Resilient Design: To reduce risks, the microkernel contains processes associated with personal use. Any unresponsive or misbehaving process is automatically restarted or killed, respectively, without impacting other processes.

Root Process Minimization: To reduce security risks, only the most essential BlackBerry processes are run in root mode. This mode is never available to third parties.

BlackBerry World Application Stores: Once a BlackBerry 10 device is activated on BES10, it has access to two separate BlackBerry World application storefronts: BlackBerry World for personal use and BlackBerry World for Work for enterprise use.

Within the Work Space, only applications approved by the BES10 administrator are permitted to be installed. Work applications can either be “pushed” to users based on policy or “pulled” by users for optional use. Within the Personal Space, users are free to download any application available through BlackBerry World.

15 Enforcing Strong Access Controls cont

Back to the Contents

For the large majority of organizations BlackBerry Balance available via the BES10 Silver EMM4 configuration optimizes the balance between security and employee expectations for a compelling work and life end-user experience Some highly sensitive regulated environments however may not permit personal use on employee devices due to established risk management policies For these organizations often operating in government financial services or healthcare sectors for example BlackBerry offers the BES10 Gold EMM5 configuration which gives administrators the ability to disable personal use as well as impose device application and content controls that exceeded the granularity of the BES10 Silver EMM configuration No other mobile platform offers this unique capability

The BES10 regulated-level device management control features enable large enterprises and government and regulated industries to manage fully locked-down devices with a set of controls unmatched in their level of granularity

Gold level device management capabilities include

BlackBerry 10 Mobile Device Management (MDM) capabilities designed for secure government and regulated environments

Enforcement of corporate-only use and granular controls to manage use of camera storage WiFi Bluetooth and other device features

Option to enable a controlled Personal Space through BlackBerry Balance while ensuring all work content is fully protected within the Work Space

User friendly and intuitive management console to manage your devices users groups apps and services including reporting and dashboard capabilities

Sampling of Regulated-level BlackBerry 10 Device Management Controls

Mobile Hotspot Mode and Tethering Specify whether to allow Mobile Hotspot mode tethering using Bluetooth technology and tethering using a USB cable on a BlackBerry 10 device

Wireless Service Provider Billing Specify whether a BlackBerry 10 device user can purchase applications from the BlackBerry World app storefront using the purchasing plan for your organizationrsquos wireless service provider

Maximum Password Age Specify the maximum number of days that can elapse before a BlackBerry 10 device password expires and a BlackBerry 10 device user must set a new password

Wipe the Work Space without Network Connectivity Specify the time in hours that must elapse without a BlackBerry 10 device connecting to your organizationrsquos network before wiping the entire device

Non-Email Accounts Specify whether a BlackBerry 10 device user can add third-party accounts for services such as Facebook Twitter LinkedIn and Evernote to the device

Network Access Control for Work Applications Specify whether work applications on a BlackBerry 10 device must connect to your organizationrsquos network through BES10

Log Submission Specify whether a BlackBerry 10 device can generate and send log files to the BlackBerry Technical Solution Center

Bluetooth Specify whether a BlackBerry 10 device can use Bluetooth technology

SMSMMS Specify whether a BlackBerry 10 device can send SMS text messages and MMS messages

Camera Specify whether a BlackBerry 10 device can use the camera

BES10rsquos Gold level EMM controls and settings deliver the ultimate security solution for government and other high-security environments

16 Enforcing Strong Access Controls cont

Leaders in innovation

Largest Research amp Development sta ofany EMM vendor3

Expansion of security modelto iOS and Android

Scalability Devices per server

100KBES10 servers globally

30K+44K

PATENTS1 1

Back to the Contents

17

Back to the Contents

Managing Devices

With BES10 you can also easily manage iOS and Android™ devices from a central location.

A typical enterprise may contain hundreds of devices, each one a potential unauthorized entry point into your corporate servers. To help IT departments get a handle on the large number and diversity of devices attached to your network, BlackBerry has extended its security model to iOS and Android smartphones and tablets through BES10. With the ability to use BES10 to manage multiple types of devices from a single platform and management console, IT administrators are able to strike the perfect balance between corporate and end user needs.

Secure Work Space for iOS and Android

BlackBerry has also extended its ability to protect corporate data, through the creation of secure computing and communications environments, to iOS and Android devices. Secure Work Space is a containerization, application-wrapping and secure connectivity option for iOS and Android smartphones and tablets that is managed through the BES10 administration console. Managed applications are secured and separated from personal apps and data, providing an integrated email, calendar and contacts app, an enterprise-level secure browser, and secure document viewing and editing. User authentication is required to access secure apps, and work data cannot be shared outside the Secure Work Space. The trusted BlackBerry security model provides built-in secure connectivity for all enterprise apps deployed to the Secure Work Space – no VPN needed.


BlackBerry Mobile Device Management in Action

Your company has hired several new employees – each due to receive a BlackBerry 10 smartphone. The IT department quickly and easily adds a user account for each employee into BES10 using information from your company’s Microsoft Active Directory. An activation password for each account is created, along with the Server Routing Protocol (SRP) ID of the BES10, and delivered to the respective employee.

The new employees type their user IDs, passwords and SRP IDs into their BlackBerry 10 devices to activate them. The smartphone’s enterprise management agent establishes a secure connection through the BlackBerry infrastructure over the network to BES10. Encryption keys based on IT department policies are generated, Work Spaces are created, and profiles and software configurations are sent to each smartphone. In just a few short steps, the incoming employees are empowered with fully functional and secure mobile devices.


Managing Devices Using Device Wipe

With BES10 and BlackBerry Balance you can keep company data safe while leaving employee personal data intact. Using BES10 you can remotely wipe an employee’s Work Space and all its content, leaving all personal data on the device in place.

You can also use BES10 to create policies that delete the Work Space from the device if certain events occur or specific conditions are met. For example, you can create a policy to delete the Work Space if the number of failed password attempts exceeds the maximum number allowed. You can also wipe the device if employees exceed their allotment of permitted hours or days since the last network connection.

Device Wipe in Action

An employee has just received a job offer from a competitor. This employee works in your company’s procurement department and has access to the company enterprise resource planning (ERP) system via her BlackBerry 10 device. Using the ERP system application, the employee can see the company’s suppliers, vendors, parts inventory, backlogs, sales projections and more.

The employee accepts the job offer and gives a two-week notice. Her manager alerts HR and IT departments about her upcoming departure. On her last day, IT wipes the employee’s work profile from her BlackBerry 10 device, which prevents her from accessing the ERP and email systems. However, all of her personal information remains intact on her device as she moves on to her next job.

Distribution and Application Security Using BlackBerry World for Work

A benefit of BlackBerry Balance is that it allows IT to create and deploy a customized business application store called BlackBerry World for Work. With BlackBerry World for Work you can push, install and manage business and productivity applications over the network to BlackBerry 10 device Work Spaces via BES10.

Application Sandboxing

The application sandboxing and malware controls found in BlackBerry 10 help keep company data safe and secure from potentially malicious applications. BlackBerry 10 also protects employees’ personal data by allowing them to configure their devices’ application controls and limit application access to their personal information.

Sandboxing separates and restricts an application’s capabilities and permissions. The sandbox is a virtual container that uses device memory and part of the file system, and grants access to the application at a specific time. Applications can have sandboxes in both an employee’s Work Space and Personal Space, yet each remains isolated from the other. The BlackBerry 10 OS monitors application process requests for memory outside its sandbox. If the application attempts to access memory outside its sandbox, the BlackBerry 10 OS will stop the process and reclaim the memory it uses, then restart the process without impacting other processes operating at the same time. In addition, each application is assigned its own specific group identification, which cannot be shared or reused by another application. Each application stores data in its own sandbox, and the BlackBerry 10 OS prevents other applications from accessing this specific data.

Malware Controls

The BlackBerry 10 OS includes tight controls to reduce the possibility of malware attacks, including a ‘contain-and-constrain’ strategy that minimizes risks. Application process requests are constrained within employees’ Personal Space on the device, and the BlackBerry OS microkernel monitors inter-process communications for potential issues. The microkernel also monitors memory access by the Personal Space and authorizes its use as needed. Any application process that attempts an unauthorized memory access request is automatically restarted or shut down, protecting your company data. In the employee’s Personal Space, application permissions are used to protect personal data from potential malware attacks.

Malware Protection in Action

Instead of downloading an application to the device from the prescribed channel, an employee downloads an application from the Internet to her personal computer, then moves the application, which contains malware, to the device’s Personal Space. The malware scans the employee’s device for names, phone numbers, credit card numbers or any other bits of identity information that can be stolen and misused.

Work-related information is not impacted, as all company information remains isolated and locked down on the device’s Work Space, fully protected and secure.


End-to-end Security

Securing and protecting corporate data is of paramount concern for all enterprises. As businesses continue to adopt and expand mobility options as a means of improving worker productivity and end-user satisfaction, however, protecting corporate information and guarding against data loss becomes an increasingly complex challenge for IT departments. Underlining the situation is the fact that each personal-enabled device added to the corporate network brings with it a new opportunity in which sensitive enterprise data can be disclosed accidentally or intentionally stolen, either by the device user or by any untrusted application that is installed on the device. Accordingly, today’s resource-challenged IT departments require proven and comprehensive enterprise mobility management solutions that have integrated security designs and controls necessary to protect against these new risks, while delivering the compelling work and life experience that employees demand.

But protecting corporate data from misuse and loss is only half of the story. A mobile security solution, even an ironclad one, must also secure work applications while delivering an environment that enables developers to quickly and effectively create enterprise applications. BlackBerry 10 delivers on this promise with a highly functional application environment that is transparent to developers.

BlackBerry 10 was designed from the ground up to provide enterprises with the optimal balance of protection and productivity. BlackBerry 10, BES10, the BlackBerry infrastructure and BlackBerry 10 devices constitute an ironclad security solution that spans your entire business and delivers a productive and feature-rich work environment, with an integrated suite of productivity applications for your increasingly mobilized workforce.


| | BlackBerry® Z30 Smartphone | BlackBerry® Z10 Smartphone | BlackBerry® Q10 Smartphone | BlackBerry® Q5 Smartphone |
|---|---|---|---|---|
| Size | 140.7mm x 72mm x 9.4mm | 130mm x 65.6mm x 9mm | 119.6mm x 66.8mm x 10.35mm | 120mm x 66mm x 10.8mm |
| Display | 5" Super AMOLED display, 24 bit color, 1280 x 720 resolution at 295 PPI | 4.2" 4-point multi-touch LCD display, 1280 x 768 resolution at 356 DPI | 3.1" Super AMOLED display, 720 x 720 resolution at 330 PPI | 3.1" capacitive multi-touch LCD display, 720 x 720 resolution at 329 PPI |
| Software | BlackBerry® 10 OS | BlackBerry® 10 OS | BlackBerry® 10 OS | BlackBerry® 10 OS |
| Memory | 2GB RAM, 16GB Flash®, hot-swappable Micro SD slot | 2GB RAM, 16GB Flash®, hot-swappable Micro SD slot | 2GB RAM, 16GB Flash®, hot-swappable Micro SD slot | 2GB RAM, 8GB Flash®, hot-swappable Micro SD slot |
| Processor | Dual Core 1.7 GHz Qualcomm MSM8960, Quad-core GPU | Dual Core 1.5 GHz Texas Instruments OMAP 4470 | Dual-core 1.5 GHz Qualcomm® MSM8960 | Dual Core 1.2 GHz Qualcomm® MSM8960 |
| Battery Life¹ | Mixed use: up to 25 hours; Talk time: up to 18 hours UMTS, 14 hours GSM; Standby time: up to 16 days; Music: up to 90 hours; Video: up to 12 hours | Talk time: up to 11 hours on 3G; Standby time: up to 408 hours on 3G, up to 397 hours on 2G; Music: up to 51 hours; Video: up to 10 hours | Talk time: up to 13.5 hours on 3G; Standby time: up to 345 hours on 3G, up to 324 hours on 2G; Music: up to 62 hours; Video: up to 9 hours | Talk time: 3G up to 12.5 hours, 2G up to 10 hours; Standby time: up to 14 days on 3G, up to 13 days on 4G; Music: up to 62 hours; Video: up to 9 hours |
| Camera | 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording | 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording | 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording | 5 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording |
| GPS | GPS-enabled with preloaded BlackBerry® Maps application | GPS-enabled with preloaded BlackBerry® Maps application | GPS-enabled with preloaded BlackBerry® Maps application | GPS-enabled with preloaded BlackBerry® Maps application |
| Bluetooth® | Bluetooth 4.0 Low Energy | Bluetooth 4.0 Low Energy | Bluetooth 4.0 Low Energy | Bluetooth 4.0 Low Energy |
| Wi-Fi®² | 802.11 a/b/g/n enabled, 4G Mobile Hotspot | 802.11 b/g/n enabled, Mobile Hotspot | 802.11 a/b/g/n enabled, 4G Mobile Hotspot | 802.11 b/g/n enabled, Mobile Hotspot |

1 Many factors affect battery life, including but not limited to network, transmission environment, battery age, usage, location, software and feature configuration.
2 WiFi availability may vary between country and mobile network operators.


BlackBerry Technical Support Services

Support is a key component of your Enterprise Mobility Management strategy. Implementing BES10 is easier than ever, but having a strategic support partner is still essential to assist you in delivering your mobility objectives. BlackBerry Technical Support Services offers a unique blend of technical expertise, rapid issue resolution and proactive, relationship-based support to help you realise the full potential of your BES10 multi-platform management infrastructure. For more information, visit blackberry.com/btss

Learn more at BES10.com/security

1 February 2014
2 August 2013
3 November 2013
4 Silver level EMM provides the management and control feature set for iOS, Android and BlackBerry 10 devices, previously known as BES10 EMM Corporate.
5 Gold level EMM provides the management and control feature set for BlackBerry 10 devices, previously known under the name EMM Regulated, and also covers the containerization option for iOS and Android management known as Secure Work Space for iOS and Android.

Screen images simulated.

© 2014 BlackBerry. All rights reserved. BlackBerry® and related trademarks, names and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world. All other trademarks are the property of their respective owners. iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS is used under license by Apple Inc. Apple Inc. does not sponsor, authorize or endorse this brochure. Android is a trademark of Google Inc., which does not sponsor, authorize or endorse this brochure.

EZ PASS: FREE perpetual BES10 licenses for all existing BlackBerry and other active MDM licenses, plus receive world class BlackBerry Advantage Level Technical Support FREE of charge.

Learn more at blackberry.com/ezpass

Additional Terms and Conditions will apply.

Protecting Work Data on Personal-Use-Enabled Devices

BlackBerry Balance and BES10 protect sensitive data

Protecting work data accessible over the corporate Intranet or stored on employees’ devices is a critical part of any comprehensive mobile data security plan. The widespread use of employee-owned and personal-use-enabled devices in corporate environments – Bring Your Own Device (BYOD) and Corporate Owned, Personally Enabled (COPE) movements – creates major data security challenges. Without a heavy-duty security architecture in place, one designed for work and personal use, it is easy for employees to leak sensitive work data through personal use such as webmail and browsing, social networking and media, and untrusted personal applications.

With BlackBerry Balance™, a feature of BES10, you can create a “dual-persona” environment on employees’ mobile devices by establishing a separate, secure environment for work-related applications and associated sensitive data. This work environment leverages integrated, cryptographically partitioned file systems to protect sensitive work data while delivering a compelling “work-life” user experience.

BlackBerry Balance: Seamless Separation of Personal & Work Data

BlackBerry Balance identifies and tags data and processes that originate from your company’s Wi-Fi, VPN access or Intranet and routes it to the employee’s work profile on the device. Other personal data and activities, including third-party applications, public Web browsing and personal email, are contained within the personal profile.

BlackBerry Balance Overview and Features

BlackBerry Balance keeps employees’ work and personal information separate and secure on BlackBerry 10 devices using specifically designated areas called Spaces. Within each of these Spaces, data, applications and network connections can be safely stored. Individual Spaces can be governed by their own rules for data storage, application permissions and network routing. Using separate Spaces for work and personal activities helps keep sensitive data secure by preventing employees from copying work data into personal email or displaying information during video chats.


Built-in Password Protection

BES10 allows you to establish and enforce password policies quickly and easily to better protect data stored in employees’ devices. IT policies can be set to require your employees to enter a password, or use their corporate single sign-on using Active Directory® services, to gain access to Spaces containing work-related data. This keeps data at rest on employee devices safe and protected.

BlackBerry Balance in action

After eight years of employment at your company, a salesperson is leaving to take a leadership role at a startup business that will share the same competitive space as your company. Looking to jumpstart the customer acquisition process, the departing salesperson, who has access to the corporate customer relationship management (CRM) system, attempts to send your company’s customer list and deal status to his personal email account before leaving the company.

The soon-to-be former employee accesses the CRM application from his BlackBerry 10 device and tries to paste the list and deal information into his personal email account. Because BlackBerry Balance prevents copy and paste functions between employees’ work profiles and personal profiles, the employee is unable to move data into his personal email or copy files from his Work Space to his Personal Space. Your company’s sales information stays safe. In addition, BES10 allows you to wipe all corporate information from an employee-owned device after the employee has left the company, without impacting personal data.

Using BlackBerry Balance you can:

• Control employee access to company data and applications on their devices

• Prevent company data from becoming compromised

• Provide employees a unified and consistent user experience with a core set of applications when accessing personal or work data

• Install and manage company applications on employees’ devices remotely

• Remove company data and applications from employee-owned devices when needed, without impacting personal configuration and data

• Control network connections for work and personal applications remotely

BlackBerry Balance lets you control how devices separate, secure and protect company data and resources.


Tech Talk 3: Work Space/Personal Space in Detail

BlackBerry Balance and BES10 provide a work environment that securely separates work and personal information on mobile devices. Devices classify data as work data or personal data based on the source of the data. For example, if data comes from a work-related source, it is stored in the device’s Work Space. Personal and Work Spaces can have different rules for data storage, application permissions and network routing. The separate spaces help users to avoid activities such as accidentally copying work data into a personal application or displaying confidential work data. IT administrators have the option of managing and securing data in a Personal Space.

[Figure: Work Space and Personal Space on the base file system. Work Space: apps and data, encrypted. Personal Space: apps and data, encryption optional.]


Enforcing Strong Access Controls

BlackBerry security gives you greater control over how and when mobile devices connect to your network infrastructure and access data

BlackBerry security delivers multiple access control features, such as device authentication, anti-counterfeiting manufacturing controls and device OS protection, that verify and maintain device integrity. These features help ensure only authorized devices used by authorized employees gain entry into your network, use network services and access data.

BlackBerry Hardware Root of Trust

BlackBerry takes specific steps to help ensure the integrity of its devices and prevent counterfeit devices from connecting to the BlackBerry infrastructure.

Security is built into each major BlackBerry device component, making it more difficult for unauthorized users to remove or circumvent security on a BlackBerry device than on other mobile operating systems. Plus, all parts of the BlackBerry supply chain, from its manufacturing partners to the BlackBerry infrastructure and devices, are securely connected, which means trusted BlackBerry devices can be built around the world.

This secure manufacturing model helps prevent the impersonation of authentic BlackBerry devices and ensures that only authentic BlackBerry devices can connect to the BlackBerry infrastructure. Any device trying to connect to the BlackBerry infrastructure must complete the self-verification process before access is granted.

Authentication

Multiple forms of authentication take place within the BlackBerry system to minimize the possibility of data loss and outside attack. First, the BlackBerry infrastructure and BES10 authenticate with each other by sharing a Server Routing Protocol (SRP) authentication key before a connection takes place.

The second level of authentication takes place between BES10 and the activated BlackBerry 10 device. When the device is activated, it generates a key pair and sends the public key to BES10. The BES10 server then creates a client certificate and sends an enterprise management root certificate and client certificate back to the device. The device uses the enterprise management root certificate to authenticate the server certificate for the enterprise management Web service. BES10 and the BlackBerry 10 device use the client certificate to authenticate users, their Work Spaces and their devices.

[Figure: BlackBerry 10 Operating System verification chain, each step marked "Verified": CPU Embedded Boot ROM (Boot ROM digital signature) → Boot ROM (Public EC 521 Key of OS Signature) → BlackBerry 10 OS (SHA256 hash of Base File System, signed with EC 521) → Base File System, read only (XML Manifest of loaded applications, cryptographically hashed) → Applications 1 to 4.]

Software Upgrades and Application Downloads from BlackBerry World: All downloads verified with ECC signed SHA-2 hashes.
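The chain of checks in the figure above, reduced to a runnable sketch (an added example, not BlackBerry code): each stage is verified before the value it pins for the next stage is trusted, so tampering lower in the chain cannot be hidden by rewriting the stage above it. The EC 521 signature checks are replaced here by pinned SHA-256 digests because Python's standard library has no ECDSA; the image layout, manifest schema, sample contents and all function names are assumptions.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

DIGEST_LEN = 64  # hex characters in a SHA-256 digest


class VerificationError(Exception):
    """A stage failed its integrity check; the boot must stop here."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def seal(payload: bytes, next_stage: bytes) -> bytes:
    """Assumed image layout: payload followed by the next stage's digest."""
    return payload + sha256_hex(next_stage).encode("ascii")


def pinned_digest(image: bytes) -> str:
    """Read the digest a stage pins for its successor (last 64 bytes)."""
    return image[-DIGEST_LEN:].decode("ascii")


def check(label: str, data: bytes, expected_hex: str) -> None:
    # Constant-time comparison, and fail closed on any mismatch.
    if not hmac.compare_digest(sha256_hex(data), expected_hex):
        raise VerificationError(f"{label}: digest mismatch")


def build_manifest(apps: dict) -> bytes:
    """Hypothetical schema: <manifest><app name=... sha256=.../></manifest>."""
    root = ET.Element("manifest")
    for name in sorted(apps):
        ET.SubElement(root, "app", name=name, sha256=sha256_hex(apps[name]))
    return ET.tostring(root)


def verify_boot(rom_pin, os_image, base_fs, manifest_xml, apps):
    """Walk the chain top-down; return the names of the verified applications."""
    # A pin is only read from a stage after that stage itself has verified.
    check("BlackBerry 10 OS", os_image, rom_pin)
    check("base file system", base_fs, pinned_digest(os_image))
    check("application manifest", manifest_xml, pinned_digest(base_fs))
    listed = {a.get("name"): a.get("sha256", "")
              for a in ET.fromstring(manifest_xml).iter("app")}
    for name, code in sorted(apps.items()):
        if name not in listed:
            raise VerificationError(f"{name}: not in manifest")
        check(name, code, listed[name])
    return sorted(apps)


def build_device():
    """Constructed sample device; contents are placeholders, not real images."""
    apps = {"mail": b"mail app code", "browser": b"browser app code"}
    manifest = build_manifest(apps)
    base_fs = seal(b"read-only base file system", manifest)
    os_image = seal(b"os kernel and services", base_fs)
    rom_pin = sha256_hex(os_image)  # stand-in for the boot ROM's signature check
    return rom_pin, os_image, base_fs, manifest, apps


def failure_point(rom_pin, os_image, base_fs, manifest_xml, apps):
    """Return None if the chain verifies, else the message of the failing stage."""
    try:
        verify_boot(rom_pin, os_image, base_fs, manifest_xml, apps)
    except VerificationError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    rom_pin, os_image, base_fs, manifest, apps = build_device()
    print(failure_point(rom_pin, os_image, base_fs, manifest, apps))
    # Swap one application and rewrite the manifest to match it.
    apps["mail"] = b"trojaned mail app"
    print(failure_point(rom_pin, os_image, base_fs, build_manifest(apps), apps))
```

Rewriting the manifest to match a modified application only moves the failure one stage up; the chain holds as long as the value pinned at the top cannot be changed.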


BlackBerry 10 Device OS Security Features

Protecting the device’s OS is one of the most important functions of mobile device security. However, it’s sometimes neglected by other manufacturers focused on consumer devices, since it can be challenging to verify the security vulnerabilities contained in millions of lines of source code, a common characteristic of many devices’ OSs. The BlackBerry 10 OS includes security features for OS protection, including:

Microkernel Implementation: The hardened QNX microkernel used in the BlackBerry 10 OS contains approximately 150,000 lines of code. With fewer lines of code, the BlackBerry OS is less susceptible to vulnerabilities than other platforms. As a result, rigorous security verification and testing are achieved even with a fixed amount of IT resources.

Resilient Design: To reduce risks, the microkernel contains processes associated with personal use. Any unresponsive or misbehaving process is automatically restarted or killed, respectively, without impacting other processes.

Root Process Minimization: To reduce security risks, only the most essential BlackBerry processes are run in root mode. This mode is never available to third parties.

BlackBerry World Application Stores

Once a BlackBerry 10 device is activated on BES10, it has access to two separate BlackBerry World application storefronts: BlackBerry World for personal use, and BlackBerry World for Work for enterprise use.

Within the Work Space, only applications approved by the BES10 administrator are permitted to be installed. Work applications can either be “pushed” to users based on policy or “pulled” by users for optional use. Within the Personal Space, users are free to download any application available through BlackBerry World.


For the large majority of organizations, BlackBerry Balance, available via the BES10 Silver EMM⁴ configuration, optimizes the balance between security and employee expectations for a compelling work and life end-user experience. Some highly sensitive, regulated environments, however, may not permit personal use on employee devices due to established risk management policies. For these organizations, often operating in government, financial services or healthcare sectors, for example, BlackBerry offers the BES10 Gold EMM⁵ configuration, which gives administrators the ability to disable personal use as well as impose device, application and content controls that exceed the granularity of the BES10 Silver EMM configuration. No other mobile platform offers this unique capability.

The BES10 regulated-level device management control features enable large enterprises and government and regulated industries to manage fully locked-down devices with a set of controls unmatched in their level of granularity.

Gold level device management capabilities include:

• BlackBerry 10 Mobile Device Management (MDM) capabilities designed for secure government and regulated environments

• Enforcement of corporate-only use and granular controls to manage use of camera, storage, WiFi, Bluetooth and other device features

• Option to enable a controlled Personal Space through BlackBerry Balance while ensuring all work content is fully protected within the Work Space

• User friendly and intuitive management console to manage your devices, users, groups, apps and services, including reporting and dashboard capabilities

Sampling of Regulated-level BlackBerry 10 Device Management Controls

Mobile Hotspot Mode and Tethering: Specify whether to allow Mobile Hotspot mode, tethering using Bluetooth technology, and tethering using a USB cable on a BlackBerry 10 device.

Wireless Service Provider Billing: Specify whether a BlackBerry 10 device user can purchase applications from the BlackBerry World app storefront using the purchasing plan for your organization’s wireless service provider.

Maximum Password Age Specify the maximum number of days that can elapse before a BlackBerry 10 device password expires and a BlackBerry 10 device user must set a new password

Wipe the Work Space without Network Connectivity Specify the time in hours that must elapse without a BlackBerry 10 device connecting to your organizationrsquos network before wiping the entire device

Non-Email Accounts Specify whether a BlackBerry 10 device user can add third-party accounts for services such as Facebook Twitter LinkedIn and Evernote to the device

Network Access Control for Work Applications Specify whether work applications on a BlackBerry 10 device must connect to your organizationrsquos network through BES10

Log Submission Specify whether a BlackBerry 10 device can generate and send log files to the BlackBerry Technical Solution Center

Bluetooth Specify whether a BlackBerry 10 device can use Bluetooth technology

SMSMMS Specify whether a BlackBerry 10 device can send SMS text messages and MMS messages

Camera Specify whether a BlackBerry 10 device can use the camera

BES10rsquos Gold level EMM controls and settings deliver the ultimate security solution for government and other high-security environments

16 Enforcing Strong Access Controls cont

Leaders in innovation

Largest Research amp Development sta ofany EMM vendor3

Expansion of security modelto iOS and Android

Scalability Devices per server

100KBES10 servers globally

30K+44K

PATENTS1 1

Back to the Contents

17

Back to the Contents

Managing Devices With BES10 you can also easily manage iOS and Androidtrade devices from a central location

A typical enterprise may contain hundreds of devices each one a potential unauthorized entry point into your corporate servers To help IT departments get a handle on the large number and diversity of devices attached to your network BlackBerry has extended its security model to iOS and Android smartphones and tablets through BES10 With the ability to use BES10 to manage multiple types of devices from a single platform and management console IT administrators are able to strike the perfect balance between corporate and end user needs

Secure Work Space for iOS and Android BlackBerry has also extended its ability to protect corporate data through the creation of secure computing and communications environments to iOS and Android devices Secure Work Space is a containerization application-wrapping and secure connectivity option for iOS and Android smartphones and tablets that is managed through the BES10 administration console Managed applications are secured and separated from personal apps and data providing an integrated email calendar and contacts app an enterprise-level secure browser and secure document viewing and editing User authentication is required to access secure apps and work data cannot be shared outside the Secure Work Space The trusted BlackBerry security model provides built-in secure connectivity for all enterprise apps deployed to the Secure Work Space ndash no VPN needed

18

BlackBerry Mobile Device Management in Action

Your company has hired several new employees ndash each due to receive a BlackBerry 10 smartphone The IT department quickly and easily adds a user account for each employee into BES10 using information from your companyrsquos Microsoft Active Directory An activation password for each account is created along with the Server Routing Protocol (SRP) ID of the BES10 and delivered to the respective employee

The new employees type their user IDs passwords and SRP IDs into their BlackBerry 10 devices to activate them The smartphonersquos enterprise management agent establishes a secure connection through the BlackBerry infrastructure

over the network to BES10 Encryption keys based on IT department policies are generated Work Spaces are created and profiles and software configurations are sent to each smartphone In just a few short steps the incoming employees are empowered with fully functional and secure mobile devices

19 Managing Devices cont

Back to the Contents

Back to the Contents

Managing Devices Using Device Wipe With BES10 and BlackBerry Balance you can keep company data safe while leaving employee personal data intact Using BES10 you can remotely wipe an employeersquos Work Space and all its content leaving all personal data on the device in place

You can also use BES10 to create policies that delete the Work Space from the device if certain events occur or specific conditions are met For example you can create a policy to delete the Work Space if the number of failed password attempts exceeds the maximum number allowed You can also wipe the device if employees exceed their allotment of permitted hours or days since the last network connection

Device Wipe in Action An employee has just received a job offer from a competitor This employee works in your companyrsquos procurement department and has access to the company enterprise resource planning (ERP) system via her BlackBerry 10 device Using the ERP system application the employee can see the companyrsquos suppliers vendors parts inventory backlogs sales projections and more

The employee accepts the job offer and gives a two-week notice. Her manager alerts HR and IT departments about her upcoming departure. On her last day, IT wipes the employee's work profile from her BlackBerry 10 device, which prevents her from accessing the ERP and email systems. However, all of her personal information remains intact on her device as she moves on to her next job.

Distribution and Application Security Using BlackBerry World for Work

A benefit of BlackBerry Balance is that it allows IT to create and deploy a customized business application store called BlackBerry World for Work. With BlackBerry World for Work, you can push, install and manage business and productivity applications over the network to BlackBerry 10 device Work Spaces via BES10.

Application Sandboxing

The application sandboxing and malware controls found in BlackBerry 10 help keep company data safe and secure from potentially malicious applications. BlackBerry 10 also protects employees' personal data by allowing them to configure their devices' application controls and limit application access to their personal information.

Sandboxing separates and restricts an application's capabilities and permissions. The sandbox is a virtual container that uses device memory and part of the file system and grants access to the application at a specific time. Applications can have sandboxes in both an employee's Work Space and Personal Space, yet each remains isolated from the other. The BlackBerry 10 OS monitors application process requests for memory outside its sandbox. If the application attempts to access memory outside its sandbox, the BlackBerry 10 OS will stop the process and reclaim the memory it uses, then restart the process without impacting other processes operating at the same time. In addition, each application is assigned its own specific group identification, which cannot be shared or reused by another application. Each application stores data in its own sandbox, and the BlackBerry 10 OS prevents other applications from accessing this specific data.

Malware Controls

The BlackBerry 10 OS includes tight controls to reduce the possibility of malware attacks, including a 'contain-and-constrain' strategy that minimizes risks. Application process requests are constrained within employees' Personal Space on the device, and the BlackBerry OS microkernel monitors inter-process communications for potential issues. The microkernel also monitors memory access by the Personal Space and authorizes its use as needed. Any application process that attempts an unauthorized memory access request is automatically restarted or shut down, protecting your company data. In the employee's Personal Space, application permissions are used to protect personal data from potential malware attacks.

Malware Protection in Action

Instead of downloading an application to the device from the prescribed channel, an employee downloads an application from the Internet to her personal computer, then moves the application, which contains malware, to the device's Personal Space. The malware scans the employee's device for names, phone numbers, credit card numbers or any other bits of identity information that can be stolen and misused.

Work-related information is not impacted, as all company information remains isolated and locked down on the device's Work Space, fully protected and secure.

End-to-end Security

Securing and protecting corporate data is of paramount concern for all enterprises. As businesses continue to adopt and expand mobility options as a means of improving worker productivity and end-user satisfaction, however, protecting corporate information and guarding against data loss becomes an increasingly complex challenge for IT departments. Underlining the situation is the fact that each personal-enabled device added to the corporate network brings with it a new opportunity in which sensitive enterprise data can be disclosed accidentally or intentionally stolen, either by the device user or by any untrusted application that is installed on the device. Accordingly, today's resource-challenged IT departments require proven and comprehensive enterprise mobility management solutions that have integrated security designs and controls necessary to protect against these new risks while delivering the compelling work and life experience that employees demand.

But protecting corporate data from misuse and loss is only half of the story. A mobile security solution, even an ironclad one, must also secure work applications while delivering an environment that enables developers to quickly and effectively create enterprise applications. BlackBerry 10 delivers on this promise with a highly functional application environment that is transparent to developers.

BlackBerry 10 was designed from the ground up to provide enterprises with the optimal balance of protection and productivity. BlackBerry 10, BES10, the BlackBerry infrastructure and BlackBerry 10 devices constitute an ironclad security solution that spans your entire business and delivers a productive and feature-rich work environment with an integrated suite of productivity applications for your increasingly mobilized workforce.

BlackBerry® Z30 Smartphone
Size: 140.7mm x 72mm x 9.4mm
Display: 5" Super AMOLED display, 24-bit color, 1280 x 720 resolution at 295 PPI
Software: BlackBerry® 10 OS
Memory: 2GB RAM, 16GB Flash, hot-swappable Micro SD slot
Processor: Dual Core 1.7 GHz Qualcomm MSM8960, Quad-core GPU
Battery Life¹: Mixed use up to 25 hours; talk time up to 18 hours UMTS, 14 hours GSM; standby time up to 16 days; music up to 90 hours; video up to 12 hours
Camera: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®²: 802.11 a/b/g/n enabled, 4G Mobile Hotspot

BlackBerry® Z10 Smartphone
Size: 130mm x 65.6mm x 9mm
Display: 4.2" 4-point multi-touch LCD display, 1280 x 768 resolution at 356 DPI
Software: BlackBerry® 10 OS
Memory: 2GB RAM, 16GB Flash, hot-swappable Micro SD slot
Processor: Dual Core 1.5 GHz Texas Instruments OMAP 4470
Battery Life¹: Talk time up to 11 hours on 3G; standby time up to 408 hours on 3G, up to 397 hours on 2G; music up to 51 hours; video up to 10 hours
Camera: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®²: 802.11 b/g/n enabled, Mobile Hotspot

BlackBerry® Q10 Smartphone
Size: 119.6mm x 66.8mm x 10.35mm
Display: 3.1" Super AMOLED display, 720 x 720 resolution at 330 PPI
Software: BlackBerry® 10 OS
Memory: 2GB RAM, 16GB Flash, hot-swappable Micro SD slot
Processor: Dual-core 1.5 GHz Qualcomm® MSM8960
Battery Life¹: Talk time up to 13.5 hours on 3G; standby time up to 345 hours on 3G, up to 324 hours on 2G; music up to 62 hours; video up to 9 hours
Camera: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®²: 802.11 a/b/g/n enabled, 4G Mobile Hotspot

BlackBerry® Q5 Smartphone
Size: 120mm x 66mm x 10.8mm
Display: 3.1" capacitive multi-touch LCD display, 720 x 720 resolution at 329 PPI
Software: BlackBerry® 10 OS
Memory: 2GB RAM, 8GB Flash, hot-swappable Micro SD slot
Processor: Dual Core 1.2 GHz Qualcomm® MSM8960
Battery Life¹: Talk time 3G up to 12.5 hours, 2G up to 10 hours; standby time up to 14 days on 3G, up to 13 days on 4G; music up to 62 hours; video up to 9 hours
Camera: 5 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®²: 802.11 b/g/n enabled, Mobile Hotspot

¹ Many factors affect battery life, including but not limited to network, transmission environment, battery age, usage, location, software and feature configuration.
² WiFi availability may vary between country and mobile network operators.

BlackBerry Technical Support Services

Support is a key component of your Enterprise Mobility Management strategy. Implementing BES10 is easier than ever, but having a strategic support partner is still essential to assist you in delivering your mobility objectives. BlackBerry Technical Support Services offers a unique blend of technical expertise, rapid issue resolution and proactive, relationship-based support to help you realise the full potential of your BES10 multi-platform management infrastructure. For more information visit blackberry.com/btss

Learn more at BES10.com/security

1. February 2014
2. August 2013
3. November 2013
4. Silver level EMM provides the management and control feature set for iOS, Android and BlackBerry 10 devices, previously known as BES10 EMM Corporate.
5. Gold level EMM provides the management and control feature set for BlackBerry 10 devices, previously known under the name EMM Regulated, and also covers the containerization option for iOS and Android management known as Secure Work Space for iOS and Android.

Screen images simulated.

© 2014 BlackBerry. All rights reserved. BlackBerry® and related trademarks, names and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world. All other trademarks are the property of their respective owners. iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS is used under license by Apple Inc. Apple Inc. does not sponsor, authorize or endorse this brochure. Android is a trademark of Google Inc., which does not sponsor, authorize or endorse this brochure.

EZ PASS: FREE perpetual BES10 licenses for all existing BlackBerry and other active MDM licenses, plus receive world class BlackBerry Advantage Level Technical Support FREE of charge.

Learn more at blackberry.com/ezpass

Additional Terms and Conditions will apply.

Built-in Password Protection

BES10 allows you to establish and enforce password policies quickly and easily to better protect data stored in employees' devices. IT policies can be set to require your employees to enter a password or use their corporate single sign-on using Active Directory® services to gain access to Spaces containing work-related data. This keeps data at rest on employee devices safe and protected.

BlackBerry Balance in action

After eight years of employment at your company, a salesperson is leaving to take a leadership role at a startup business that will share the same competitive space as your company. Looking to jumpstart the customer acquisition process, the departing salesperson, who has access to the corporate customer relationship management (CRM) system, attempts to send your company's customer list and deal status to his personal email account before leaving the company.

The soon-to-be former employee accesses the CRM application from his BlackBerry 10 device and tries to paste the list and deal information into his personal email account. Because BlackBerry Balance prevents copy and paste functions between employees' work profiles and personal profiles, the employee is unable to move data into his personal email or copy files from his Work Space to his Personal Space. Your company's sales information stays safe. In addition, BES10 allows you to wipe all corporate information from an employee-owned device after the employee has left the company, without impacting personal data.

Using BlackBerry Balance you can:

• Control employee access to company data and applications on their devices
• Prevent company data from becoming compromised
• Provide employees a unified and consistent user experience with a core set of applications when accessing personal or work data
• Install and manage company applications on employees' devices remotely
• Remove company data and applications from employee-owned devices when needed, without impacting personal configuration and data
• Control network connections for work and personal applications remotely

BlackBerry Balance lets you control how devices separate, secure and protect company data and resources.

Tech Talk 3: Work Space/Personal Space in Detail

BlackBerry Balance and BES10 provide a work environment that securely separates work and personal information on mobile devices. Devices classify data as work data or personal data based on the source of the data. For example, if data comes from a work-related source, it is stored in the device's Work Space. Personal and Work Spaces can have different rules for data storage, application permissions and network routing. The separate spaces help users to avoid activities such as accidentally copying work data into a personal application or displaying confidential work data. IT administrators have the option of managing and securing data in a Personal Space.

[Figure: Work Space (apps and data, encrypted) and Personal Space (apps and data, encryption optional), both on the base file system]

Enforcing Strong Access Controls

BlackBerry security gives you greater control over how and when mobile devices connect to your network infrastructure and access data.

BlackBerry security delivers multiple access control features, such as device authentication, anti-counterfeiting manufacturing controls and device OS protection, that verify and maintain device integrity. These features help ensure only authorized devices used by authorized employees gain entry into your network, use network services and access data.

BlackBerry Hardware Root of Trust

BlackBerry takes specific steps to help ensure the integrity of its devices and prevent counterfeit devices from connecting to the BlackBerry infrastructure.

Security is built into each major BlackBerry device component, making it more difficult for unauthorized users to remove or circumvent security on a BlackBerry device than on other mobile operating systems. Plus, all parts of the BlackBerry supply chain, from its manufacturing partners to the BlackBerry infrastructure and devices, are securely connected, which means trusted BlackBerry devices can be built around the world.

This secure manufacturing model helps prevent the impersonation of authentic BlackBerry devices and ensures that only authentic BlackBerry devices can connect to the BlackBerry infrastructure. Any device trying to connect to the BlackBerry infrastructure must complete the self-verification process before access is granted.

Authentication

Multiple forms of authentication take place within the BlackBerry system to minimize the possibility of data loss and outside attack. First, the BlackBerry infrastructure and BES10 authenticate with each other by sharing a Server Routing Protocol (SRP) authentication key before a connection takes place.

The second level of authentication takes place between BES10 and the activated BlackBerry 10 device. When the device is activated, it generates a key pair and sends the public key to BES10. The BES10 server then creates a client certificate and sends an enterprise management root certificate and client certificate back to the device. The device uses the enterprise management root certificate to authenticate the server certificate for the enterprise management Web service. BES10 and the BlackBerry 10 device use the client certificate to authenticate users, their Work Spaces and their devices.
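The device-to-server step described above, sketched as an added Go example (not BlackBerry's code): the public key sent at activation is bound to a device ID in a client certificate signed by an enterprise root, and the server later accepts only certificates that chain to that root and come with proof of the private key. The type and function names, the P-256 keys, the certificate fields and the nonce challenge are assumptions; the brochure does not specify them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Server stands in for the management server and owns the enterprise root.
type Server struct {
	key    *ecdsa.PrivateKey
	Root   *x509.Certificate
	serial int64
}

// NewKey generates a key pair; on a device the private half never leaves it.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func (s *Server) template(cn string) *x509.Certificate {
	s.serial++
	now := time.Now()
	return &x509.Certificate{SerialNumber: big.NewInt(s.serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(24 * time.Hour)}
}

// NewServer creates the self-signed enterprise management root.
func NewServer(name string) (*Server, error) {
	key, err := NewKey()
	if err != nil {
		return nil, err
	}
	s := &Server{key: key}
	t := s.template(name)
	t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	s.Root, err = x509.ParseCertificate(der)
	return s, err
}

// Issue binds the public key received at activation to the device ID in a
// client certificate signed by the enterprise root.
func (s *Server) Issue(deviceID string, pub *ecdsa.PublicKey) ([]byte, error) {
	t := s.template(deviceID)
	t.KeyUsage = x509.KeyUsageDigitalSignature
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	return x509.CreateCertificate(rand.Reader, t, s.Root, pub, s.key)
}

// SignNonce is the device answering a server challenge with its private key.
func SignNonce(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// Authenticate accepts a device only if its certificate chains to this
// server's root for client authentication and the fresh nonce was signed
// with the certified key. It returns the authenticated device ID.
func (s *Server) Authenticate(certDER, nonce, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(s.Root)
	usage := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: usage}); err != nil {
		return "", fmt.Errorf("untrusted certificate: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", errors.New("certificate presented without its private key")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	srv, err := NewServer("Constructed Enterprise Root")
	key, kerr := NewKey()
	if err != nil || kerr != nil {
		panic("setup failed")
	}
	cert, _ := srv.Issue("device-001", &key.PublicKey)
	nonce := []byte("constructed challenge")
	sig, _ := SignNonce(key, nonce)
	fmt.Println(srv.Authenticate(cert, nonce, sig))
}
```

In a deployed system the TLS handshake performs the proof-of-possession step that the nonce signature stands in for here.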

[Figure: BlackBerry 10 Operating System chain of verification]
• CPU Embedded Boot ROM → Boot ROM digital signature → Boot ROM
• Boot ROM → Public EC 521 key of OS signature (verified) → BlackBerry 10 OS
• BlackBerry 10 OS → SHA256 hash of Base File System, signed with EC 521 (verified) → Base File System (read only)
• Base File System (read only) → XML manifest of loaded applications, cryptographically hashed (verified) → Applications 1 to 4
• Software upgrades and application downloads from BlackBerry World: all downloads verified with ECC-signed SHA-2 hashes
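The chain in the figure, modelled as an added Go example (a sketch, not BlackBerry's implementation): each stage verifies the next, so an application swap is caught by the manifest, and a rewritten manifest is caught one level up by the signed file system hash. It assumes one EC P-521 key verifies both the OS signature and the base file system hash, and a base file system that consists only of a simplified XML manifest; all names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// One error per link, so a caller can tell where the chain broke.
var (
	ErrOS     = errors.New("OS image signature invalid")
	ErrBaseFS = errors.New("base file system hash signature invalid")
	ErrApp    = errors.New("application does not match manifest")
)

// Manifest is a simplified stand-in for the XML manifest of applications.
type Manifest struct {
	Apps []ManifestApp `xml:"app"`
}
type ManifestApp struct {
	Name   string `xml:"name,attr"`
	SHA256 string `xml:"sha256,attr"`
}

// Image models writable flash; here the base file system is only the manifest.
type Image struct {
	OS, OSSig     []byte            // OS image, ECDSA signature over its SHA-256
	BaseFS, FSSig []byte            // base file system, signature over its SHA-256
	Apps          map[string][]byte // installed application packages
}

func sum(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// NewSigningKey returns an EC P-521 key pair (hypothetical vendor key).
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
}

// BuildImage is the vendor side: hash apps into the manifest, then sign.
func BuildImage(key *ecdsa.PrivateKey, osImage []byte, apps map[string][]byte) (Image, error) {
	var m Manifest
	for name, pkg := range apps {
		m.Apps = append(m.Apps, ManifestApp{Name: name, SHA256: hex.EncodeToString(sum(pkg))})
	}
	fs, err := xml.Marshal(m)
	if err != nil {
		return Image{}, err
	}
	osSig, err := ecdsa.SignASN1(rand.Reader, key, sum(osImage))
	if err != nil {
		return Image{}, err
	}
	fsSig, err := ecdsa.SignASN1(rand.Reader, key, sum(fs))
	return Image{OS: osImage, OSSig: osSig, BaseFS: fs, FSSig: fsSig, Apps: apps}, err
}

// VerifyBoot walks the chain from the ROM key down and stops at the first bad link.
func VerifyBoot(romKey *ecdsa.PublicKey, img Image) error {
	// Boot ROM -> OS: signature checked with the public key held in ROM.
	if !ecdsa.VerifyASN1(romKey, sum(img.OS), img.OSSig) {
		return ErrOS
	}
	// OS -> base file system: the signed SHA-256 must match the image.
	if !ecdsa.VerifyASN1(romKey, sum(img.BaseFS), img.FSSig) {
		return ErrBaseFS
	}
	// Base file system -> applications: each package must match its manifest hash.
	var m Manifest
	if err := xml.Unmarshal(img.BaseFS, &m); err != nil {
		return ErrBaseFS
	}
	if len(m.Apps) != len(img.Apps) {
		return ErrApp // an application was added or removed outside the manifest
	}
	for _, a := range m.Apps {
		if a.SHA256 != hex.EncodeToString(sum(img.Apps[a.Name])) {
			return fmt.Errorf("%w: %s", ErrApp, a.Name)
		}
	}
	return nil
}

func main() {
	key, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	img, err := BuildImage(key, []byte("constructed OS image"), map[string][]byte{"mail": []byte("constructed package")})
	if err != nil {
		panic(err)
	}
	fmt.Println("clean image:", VerifyBoot(&key.PublicKey, img))
	img.Apps["mail"] = []byte("constructed modified package")
	fmt.Println("modified app:", VerifyBoot(&key.PublicKey, img))
}
```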

BlackBerry 10 Device OS Security Features

Protecting the device's OS is one of the most important functions of mobile device security. However, it's sometimes neglected by other manufacturers focused on consumer devices, since it can be challenging to verify the security vulnerabilities contained in millions of lines of source code, a common characteristic of many devices' OSs. The BlackBerry 10 OS includes security features for OS protection, including:

Microkernel Implementation: The hardened QNX microkernel used in the BlackBerry 10 OS contains approximately 150,000 lines of code. With fewer lines of code, the BlackBerry OS is less susceptible to vulnerabilities than other platforms. As a result, rigorous security verification and testing are achieved even with a fixed amount of IT resources.

Resilient Design: To reduce risks, the microkernel contains processes associated with personal use. Any unresponsive or misbehaving process is automatically restarted or killed, respectively, without impacting other processes.

Root Process Minimization: To reduce security risks, only the most essential BlackBerry processes are run in root mode. This mode is never available to third parties.

BlackBerry World Application Stores: Once a BlackBerry 10 device is activated on BES10, it has access to two separate BlackBerry World application storefronts: BlackBerry World for personal use and BlackBerry World for Work for enterprise use.

Within the Work Space, only applications approved by the BES10 administrator are permitted to be installed. Work applications can either be "pushed" to users based on policy or "pulled" by users for optional use. Within the Personal Space, users are free to download any application available through BlackBerry World.

For the large majority of organizations, BlackBerry Balance, available via the BES10 Silver EMM⁴ configuration, optimizes the balance between security and employee expectations for a compelling work and life end-user experience. Some highly sensitive, regulated environments, however, may not permit personal use on employee devices due to established risk management policies. For these organizations, often operating in government, financial services or healthcare sectors, for example, BlackBerry offers the BES10 Gold EMM⁵ configuration, which gives administrators the ability to disable personal use as well as impose device, application and content controls that exceed the granularity of the BES10 Silver EMM configuration. No other mobile platform offers this unique capability.

The BES10 regulated-level device management control features enable large enterprises and government and regulated industries to manage fully locked-down devices with a set of controls unmatched in their level of granularity.

Gold level device management capabilities include:

• BlackBerry 10 Mobile Device Management (MDM) capabilities designed for secure government and regulated environments
• Enforcement of corporate-only use and granular controls to manage use of camera, storage, WiFi, Bluetooth and other device features
• Option to enable a controlled Personal Space through BlackBerry Balance while ensuring all work content is fully protected within the Work Space
• User friendly and intuitive management console to manage your devices, users, groups, apps and services, including reporting and dashboard capabilities

Sampling of Regulated-level BlackBerry 10 Device Management Controls

• Mobile Hotspot Mode and Tethering: Specify whether to allow Mobile Hotspot mode, tethering using Bluetooth technology and tethering using a USB cable on a BlackBerry 10 device
• Wireless Service Provider Billing: Specify whether a BlackBerry 10 device user can purchase applications from the BlackBerry World app storefront using the purchasing plan for your organization's wireless service provider
• Maximum Password Age: Specify the maximum number of days that can elapse before a BlackBerry 10 device password expires and a BlackBerry 10 device user must set a new password
• Wipe the Work Space without Network Connectivity: Specify the time in hours that must elapse without a BlackBerry 10 device connecting to your organization's network before wiping the entire device
• Non-Email Accounts: Specify whether a BlackBerry 10 device user can add third-party accounts for services such as Facebook, Twitter, LinkedIn and Evernote to the device
• Network Access Control for Work Applications: Specify whether work applications on a BlackBerry 10 device must connect to your organization's network through BES10
• Log Submission: Specify whether a BlackBerry 10 device can generate and send log files to the BlackBerry Technical Solution Center
• Bluetooth: Specify whether a BlackBerry 10 device can use Bluetooth technology
• SMS/MMS: Specify whether a BlackBerry 10 device can send SMS text messages and MMS messages
• Camera: Specify whether a BlackBerry 10 device can use the camera

BES10's Gold level EMM controls and settings deliver the ultimate security solution for government and other high-security environments.

[Infographic: Leaders in innovation. Largest Research & Development staff of any EMM vendor³. Expansion of security model to iOS and Android. Scalability: devices per server, 100K. BES10 servers globally, 30K+. Patents, 44K.]

Managing Devices

With BES10 you can also easily manage iOS and Android™ devices from a central location.

A typical enterprise may contain hundreds of devices, each one a potential unauthorized entry point into your corporate servers. To help IT departments get a handle on the large number and diversity of devices attached to your network, BlackBerry has extended its security model to iOS and Android smartphones and tablets through BES10. With the ability to use BES10 to manage multiple types of devices from a single platform and management console, IT administrators are able to strike the perfect balance between corporate and end user needs.

Secure Work Space for iOS and Android

BlackBerry has also extended its ability to protect corporate data, through the creation of secure computing and communications environments, to iOS and Android devices. Secure Work Space is a containerization, application-wrapping and secure connectivity option for iOS and Android smartphones and tablets that is managed through the BES10 administration console. Managed applications are secured and separated from personal apps and data, providing an integrated email, calendar and contacts app, an enterprise-level secure browser, and secure document viewing and editing. User authentication is required to access secure apps, and work data cannot be shared outside the Secure Work Space. The trusted BlackBerry security model provides built-in secure connectivity for all enterprise apps deployed to the Secure Work Space – no VPN needed.

BlackBerry Mobile Device Management in Action

Your company has hired several new employees – each due to receive a BlackBerry 10 smartphone. The IT department quickly and easily adds a user account for each employee into BES10 using information from your company's Microsoft Active Directory. An activation password for each account is created along with the Server Routing Protocol (SRP) ID of the BES10 and delivered to the respective employee.

The new employees type their user IDs, passwords and SRP IDs into their BlackBerry 10 devices to activate them. The smartphone's enterprise management agent establishes a secure connection through the BlackBerry infrastructure over the network to BES10. Encryption keys based on IT department policies are generated, Work Spaces are created, and profiles and software configurations are sent to each smartphone. In just a few short steps, the incoming employees are empowered with fully functional and secure mobile devices.

Managing Devices Using Device Wipe

With BES10 and BlackBerry Balance you can keep company data safe while leaving employee personal data intact. Using BES10, you can remotely wipe an employee's Work Space and all its content, leaving all personal data on the device in place.

You can also use BES10 to create policies that delete the Work Space from the device if certain events occur or specific conditions are met. For example, you can create a policy to delete the Work Space if the number of failed password attempts exceeds the maximum number allowed. You can also wipe the device if employees exceed their allotment of permitted hours or days since the last network connection.

Device Wipe in Action

An employee has just received a job offer from a competitor. This employee works in your company's procurement department and has access to the company enterprise resource planning (ERP) system via her BlackBerry 10 device. Using the ERP system application, the employee can see the company's suppliers, vendors, parts inventory, backlogs, sales projections and more.

The employee accepts the job offer and gives a two-week notice. Her manager alerts HR and IT departments about her upcoming departure. On her last day, IT wipes the employee's work profile from her BlackBerry 10 device, which prevents her from accessing the ERP and email systems. However, all of her personal information remains intact on her device as she moves on to her next job.

Distribution and Application Security Using Blackberry World for Work A benefit of BlackBerry Balance is that it allows IT to create and deploy a customized business application store called BlackBerry World for Work With BlackBerry World for Work you can push install and manage business and productivity applications over the network to BlackBerry 10 device Work Spaces via BES10

Application Sandboxing The application sandboxing and malware controls found in BlackBerry 10 help keep company data safe and secure from potentially malicious applications BlackBerry 10 also protects employeesrsquo personal data by allowing them to configure their devicesrsquo application controls and limit application access to their personal information

Sandboxing separates and restricts an applicationrsquos capabilities and permissions The sandbox is a virtual container that uses device memory and part of the file system and grants access to the application at a specific time Applications can have sandboxes in both an employeersquos Work Space and Personal Space yet each remains isolated from the other The BlackBerry 10 OS monitors application process requests for memory outside its sandbox If the application attempts to access memory outside its sandbox the BlackBerry 10 OS will stop the process and reclaim the memory it uses then restart the process without impacting other processes operating at the same time In addition each application is assigned its own specific group identification which cannot be shared or reused by another application Each application stores data in its own sandbox and the BlackBerry 10 OS prevents other applications from accessing this specific data

Malware Controls The BlackBerry 10 OS includes tight controls to reduce the possibility of malware attacks including a lsquocontain-and-constrainrsquo strategy that minimizes risks Application process requests are constrained within employeesrsquo Personal Space on the device and the BlackBerry OS microkernel monitors inter-process communications for potential issues The microkernel also monitors memory access by the Personal Space and authorizes its use as needed Any application process that attempts an unauthorized memory access request is automatically restarted or shut down protecting your company data In the employeersquos Personal Space application permissions are used to protect personal data from potential malware attacks

Malware Protection in Action Instead of downloading an application to the device from the prescribed channel an employee downloads an application from the Internet to her personal computer then moves the application which contains malware to the devices Personal Space The malware scans the employeersquos device for names phone numbers credit card numbers or any other bits of identity information that can be stolen and misused

Work-related information is not impacted as all company information remains isolated and locked down on the devicersquos Work Space fully protected and secure

20 Managing Devices cont

Back to the Contents

End-to-end Security

Securing and protecting corporate data is of paramount concern for all enterprises As businesses continue to adopt and expand mobility options as a means of improving worker productivity and end-user satisfaction however protecting corporate information and guarding against data loss becomes an increasingly complex challenge for IT departments Underlining the situation is the fact that each personal-enabled device added to the corporate network brings with it a new opportunity in which sensitive enterprise data can be disclosed accidentally or intentionally stolen either by the device user or by any untrusted application that is installed on the device Accordingly todayrsquos resource-challenged IT departments require proven and comprehensive enterprise mobility management solutions that have integrated security designs and controls necessary to protect against these new risks while delivering the compelling work and life experience that employees demand

But protecting corporate data from misuse and loss is only half of the story A mobile security solution even an ironclad one must also secure work applications while delivering an environment that enables developers to quickly and effectively create enterprise applications BlackBerry 10 delivers on this promise with a highly functional application environment that is transparent to developers

BlackBerry 10 was designed from the ground up to provide enterprises with the optimal balance of protection and productivity BlackBerry 10 BES10 the BlackBerry infrastructure and BlackBerry 10 devices constitute an ironclad security solution that spans your entire business and delivers a productive and feature-rich work environment with an integrated suite of productivity applications for your increasingly mobilized workforce

21 Managing Devices cont

Back to the Contents

BlackBerryreg Z30 Smartphone BlackBerryreg Z10 Smartphone BlackBerryreg Q10 Smartphone BlackBerryreg Q5 Smartphone

Size 1407mm x 72mm x 94mm 130mm x 656mm x 9mm 1196mm x 668mm x 1035mm 120mm x 66mm x 108mm

Display 5super AMOLED display 24 bit color1280 x 720 resolution at 295 PPI

42 4-point multi-touch LCD display1280 x 768 resolution at 356 DPI

31 Super AMO LED display720 x720 resolution at 330 PPI

31 Capacitive multi-touch LCD display720x720 resolution at 329 PPI

Software BlackBerryreg 10 OS BlackBerryreg 10 OS BlackBerryreg 10 OS BlackBerryreg 10 OS

Memory 2GB RAM 16GB Flashreghot-swappable Micro SD slot

2GB RAM 16GB Flashreghot-swappable Micro SD slot

2GB RAM 16GB Flashreghot-swappable Micro SD slot

2GB RAM 8GB Flashreghot-swappable Micro SD slot

Processor Dual Core 17 GHz Qualcomm MSM8960Quad-core GPU

Dual Core 15 GHz Texas Instruments OMAP 4470

Dual-core 15 GHz Qualcommreg MSM8960

Dual Core 12 GHz Qualcommreg MSM8960

Battery Life1 Mixed use Up to 25 hours

Talk time Up to 18 hours UMTS14 hours GSM

Standby time Up to 16 days

Music Up to 90 hours

Video Up to 12 hours

Talk Time up to 11 hours on 3G

Standby Time up to 408 hours on 3G up to 397 hours on 2G

Music up to 51 hours

Video up to 10 hours

Talk Time up to 135 hours on 3G

Standby Time up to 345 hours on 3G up to 324 hours on 2G

Music up to 62 hours

Video up to 9 hours

Talk Time 3G - up to 125 hours 2G - up to 10 hours

Standby Time up to 14 days on 3G up to 13 days on 4G

Music up to 62 hours

Video up to 9 hours

Camera 8 MP rear-facing camera


Tech Talk 3: Work Space/Personal Space in Detail

BlackBerry Balance and BES10 provide a work environment that securely separates work and personal information on mobile devices. Devices classify data as work data or personal data based on the source of the data. For example, if data comes from a work-related source, it is stored in the device’s Work Space. Personal and Work Spaces can have different rules for data storage, application permissions and network routing. The separate spaces help users to avoid activities such as accidentally copying work data into a personal application or displaying confidential work data. IT administrators have the option of managing and securing data in a Personal Space.

[Figure: Work Space (App, App, Data; Encrypt), Base file system, Personal Space (App, App, Data; Encrypt (optional))]


Enforcing Strong Access Controls

BlackBerry security gives you greater control over how and when mobile devices connect to your network infrastructure and access data.

BlackBerry security delivers multiple access control features, such as device authentication, anti-counterfeiting manufacturing controls and device OS protection, that verify and maintain device integrity. These features help ensure only authorized devices used by authorized employees gain entry into your network, use network services and access data.

BlackBerry Hardware Root of Trust

BlackBerry takes specific steps to help ensure the integrity of its devices and prevent counterfeit devices from connecting to the BlackBerry infrastructure.

Security is built into each major BlackBerry device component, making it more difficult for unauthorized users to remove or circumvent security on a BlackBerry device than on other mobile operating systems. Plus, all parts of the BlackBerry supply chain, from its manufacturing partners to the BlackBerry infrastructure and devices, are securely connected, which means trusted BlackBerry devices can be built around the world.

This secure manufacturing model helps prevent the impersonation of authentic BlackBerry devices and ensures that only authentic BlackBerry devices can connect to the BlackBerry infrastructure. Any device trying to connect to the BlackBerry infrastructure must complete the self-verification process before access is granted.

Authentication

Multiple forms of authentication take place within the BlackBerry system to minimize the possibility of data loss and outside attack. First, the BlackBerry infrastructure and BES10 authenticate with each other by sharing a Server Routing Protocol (SRP) authentication key before a connection takes place.

The second level of authentication takes place between BES10 and the activated BlackBerry 10 device. When the device is activated, it generates a key pair and sends the public key to BES10. The BES10 server then creates a client certificate and sends an enterprise management root certificate and client certificate back to the device. It uses the enterprise management root certificate to authenticate the server certificate for the enterprise management Web service. BES10 and the BlackBerry 10 device use the client certificate to authenticate users, their Work Spaces and their devices.

[Figure: BlackBerry 10 Operating System boot verification chain. CPU Embedded Boot ROM: Boot ROM digital signature. Boot ROM: Public EC 521 Key of OS Signature (Verified). BlackBerry 10 OS: SHA256 hash of Base File System, signed with EC 521 (Verified). Base File System (read only): XML Manifest of loaded applications, cryptographically hashed (Verified). Applications 1 to 4. Software Upgrades and Application Downloads from BlackBerry World: all downloads verified with ECC signed SHA-2 hashes.]
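The staged verification named in the diagram labels above (the OS signature checked from boot ROM, the signed SHA256 hash of the base file system, applications checked against a hashed XML manifest) can be modelled as follows. This is an added Python example, not BlackBerry code: the image layout, the names `verify_boot` and `build_image`, and all sample data are constructed, and HMAC-SHA256 stands in for the EC 521 signatures so the example needs only the standard library.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Assumption: HMAC-SHA256 stands in for the EC 521 signature scheme.
# A real boot ROM holds only a public key and verifies ECDSA signatures.
VENDOR_KEY = b"constructed-demo-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def signature_ok(key: bytes, data: bytes, sig: bytes) -> bool:
    # Constant-time comparison, so the check does not leak how many bytes matched.
    return hmac.compare_digest(sign(key, data), sig)


def build_image(apps: dict) -> dict:
    """Assemble a constructed device image: OS, base file system, applications."""
    root = ET.Element("manifest")
    for name, blob in sorted(apps.items()):
        ET.SubElement(root, "app", name=name, sha256=sha256_hex(blob))
    base_fs = ET.tostring(root)  # base file system reduced to the manifest it holds
    os_image = b"constructed OS image"
    return {
        "os": os_image,
        "os_sig": sign(VENDOR_KEY, os_image),
        "base_fs": base_fs,
        "fs_hash_sig": sign(VENDOR_KEY, sha256_hex(base_fs).encode()),
        "apps": dict(apps),
    }


def verify_boot(image: dict, rom_key: bytes):
    """Return (True, None), or (False, stage) naming the first stage that failed."""
    # Stage 1: the boot ROM checks the OS signature before any OS code runs.
    if not signature_ok(rom_key, image["os"], image["os_sig"]):
        return False, "os"
    # Stage 2: the OS checks the signed SHA-256 hash of the base file system.
    fs_hash = sha256_hex(image["base_fs"]).encode()
    if not signature_ok(rom_key, fs_hash, image["fs_hash_sig"]):
        return False, "base_fs"
    # Stage 3: parse the manifest only now that its bytes are authenticated.
    listed = {a.get("name"): a.get("sha256")
              for a in ET.fromstring(image["base_fs"]).iter("app")}
    for name, blob in sorted(image["apps"].items()):
        expected = listed.get(name)
        # Unlisted applications fail closed, the same as modified ones.
        if expected is None or not hmac.compare_digest(expected, sha256_hex(blob)):
            return False, "app:" + name
    return True, None
```

Because each stage is authenticated by the one before it, rewriting the manifest to match a modified application moves the failure up to the base file system check instead of hiding it.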


BlackBerry 10 Device OS Security Features

Protecting the device’s OS is one of the most important functions of mobile device security. However, it’s sometimes neglected by other manufacturers focused on consumer devices, since it can be challenging to verify the security vulnerabilities contained in millions of lines of source code, a common characteristic of many devices’ OSs. The BlackBerry 10 OS includes security features for OS protection, including:

Microkernel Implementation: The hardened QNX microkernel used in the BlackBerry 10 OS contains approximately 150,000 lines of code. With fewer lines of code, the BlackBerry OS is less susceptible to vulnerabilities than other platforms. As a result, rigorous security verification and testing are achieved even with a fixed amount of IT resources.

Resilient Design: To reduce risks, the microkernel contains processes associated with personal use. Any unresponsive or misbehaving process is automatically restarted or killed, respectively, without impacting other processes.

Root Process Minimization: To reduce security risks, only the most essential BlackBerry processes are run in root mode. This mode is never available to third parties.

BlackBerry World Application Stores

Once a BlackBerry 10 device is activated on BES10, it has access to two separate BlackBerry World application storefronts: BlackBerry World for personal use and BlackBerry World for Work for enterprise use.

Within the Work Space, only applications approved by the BES10 administrator are permitted to be installed. Work applications can either be “pushed” to users based on policy or “pulled” by users for optional use. Within the Personal Space, users are free to download any application available through BlackBerry World.


For the large majority of organizations, BlackBerry Balance, available via the BES10 Silver EMM⁴ configuration, optimizes the balance between security and employee expectations for a compelling work and life end-user experience. Some highly sensitive regulated environments, however, may not permit personal use on employee devices due to established risk management policies. For these organizations, often operating in government, financial services or healthcare sectors, for example, BlackBerry offers the BES10 Gold EMM⁵ configuration, which gives administrators the ability to disable personal use as well as impose device, application and content controls that exceed the granularity of the BES10 Silver EMM configuration. No other mobile platform offers this unique capability.

The BES10 regulated-level device management control features enable large enterprises and government and regulated industries to manage fully locked-down devices with a set of controls unmatched in their level of granularity.

Gold level device management capabilities include:

BlackBerry 10 Mobile Device Management (MDM) capabilities designed for secure government and regulated environments

Enforcement of corporate-only use and granular controls to manage use of camera, storage, WiFi, Bluetooth and other device features

Option to enable a controlled Personal Space through BlackBerry Balance while ensuring all work content is fully protected within the Work Space

User-friendly and intuitive management console to manage your devices, users, groups, apps and services, including reporting and dashboard capabilities

Sampling of Regulated-level BlackBerry 10 Device Management Controls

Mobile Hotspot Mode and Tethering: Specify whether to allow Mobile Hotspot mode, tethering using Bluetooth technology, and tethering using a USB cable on a BlackBerry 10 device.

Wireless Service Provider Billing: Specify whether a BlackBerry 10 device user can purchase applications from the BlackBerry World app storefront using the purchasing plan for your organization’s wireless service provider.

Maximum Password Age: Specify the maximum number of days that can elapse before a BlackBerry 10 device password expires and a BlackBerry 10 device user must set a new password.

Wipe the Work Space without Network Connectivity: Specify the time in hours that must elapse without a BlackBerry 10 device connecting to your organization’s network before wiping the entire device.

Non-Email Accounts: Specify whether a BlackBerry 10 device user can add third-party accounts for services such as Facebook, Twitter, LinkedIn and Evernote to the device.

Network Access Control for Work Applications: Specify whether work applications on a BlackBerry 10 device must connect to your organization’s network through BES10.

Log Submission: Specify whether a BlackBerry 10 device can generate and send log files to the BlackBerry Technical Solution Center.

Bluetooth: Specify whether a BlackBerry 10 device can use Bluetooth technology.

SMS/MMS: Specify whether a BlackBerry 10 device can send SMS text messages and MMS messages.

Camera: Specify whether a BlackBerry 10 device can use the camera.

BES10’s Gold level EMM controls and settings deliver the ultimate security solution for government and other high-security environments.


[Infographic: Leaders in innovation. Panels: Largest Research & Development staff of any EMM vendor³; Expansion of security model to iOS and Android; Scalability (devices per server); BES10 servers globally; Patents¹. Figures shown: 100K, 30K+, 44K.]


Managing Devices

With BES10, you can also easily manage iOS and Android™ devices from a central location.

A typical enterprise may contain hundreds of devices, each one a potential unauthorized entry point into your corporate servers. To help IT departments get a handle on the large number and diversity of devices attached to your network, BlackBerry has extended its security model to iOS and Android smartphones and tablets through BES10. With the ability to use BES10 to manage multiple types of devices from a single platform and management console, IT administrators are able to strike the perfect balance between corporate and end user needs.

Secure Work Space for iOS and Android

BlackBerry has also extended its ability to protect corporate data, through the creation of secure computing and communications environments, to iOS and Android devices. Secure Work Space is a containerization, application-wrapping and secure connectivity option for iOS and Android smartphones and tablets that is managed through the BES10 administration console. Managed applications are secured and separated from personal apps and data, providing an integrated email, calendar and contacts app, an enterprise-level secure browser, and secure document viewing and editing. User authentication is required to access secure apps, and work data cannot be shared outside the Secure Work Space. The trusted BlackBerry security model provides built-in secure connectivity for all enterprise apps deployed to the Secure Work Space – no VPN needed.


BlackBerry Mobile Device Management in Action

Your company has hired several new employees – each due to receive a BlackBerry 10 smartphone. The IT department quickly and easily adds a user account for each employee into BES10 using information from your company’s Microsoft Active Directory. An activation password for each account is created, along with the Server Routing Protocol (SRP) ID of the BES10, and delivered to the respective employee.

The new employees type their user IDs, passwords and SRP IDs into their BlackBerry 10 devices to activate them. The smartphone’s enterprise management agent establishes a secure connection through the BlackBerry infrastructure over the network to BES10. Encryption keys based on IT department policies are generated, Work Spaces are created, and profiles and software configurations are sent to each smartphone. In just a few short steps, the incoming employees are empowered with fully functional and secure mobile devices.


Managing Devices Using Device Wipe

With BES10 and BlackBerry Balance, you can keep company data safe while leaving employee personal data intact. Using BES10, you can remotely wipe an employee’s Work Space and all its content, leaving all personal data on the device in place.

You can also use BES10 to create policies that delete the Work Space from the device if certain events occur or specific conditions are met. For example, you can create a policy to delete the Work Space if the number of failed password attempts exceeds the maximum number allowed. You can also wipe the device if employees exceed their allotment of permitted hours or days since the last network connection.

Device Wipe in Action

An employee has just received a job offer from a competitor. This employee works in your company’s procurement department and has access to the company enterprise resource planning (ERP) system via her BlackBerry 10 device. Using the ERP system application, the employee can see the company’s suppliers, vendors, parts inventory, backlogs, sales projections and more.

The employee accepts the job offer and gives a two-week notice. Her manager alerts HR and IT departments about her upcoming departure. On her last day, IT wipes the employee’s work profile from her BlackBerry 10 device, which prevents her from accessing the ERP and email systems. However, all of her personal information remains intact on her device as she moves on to her next job.

Distribution and Application Security Using BlackBerry World for Work

A benefit of BlackBerry Balance is that it allows IT to create and deploy a customized business application store called BlackBerry World for Work. With BlackBerry World for Work, you can push, install and manage business and productivity applications over the network to BlackBerry 10 device Work Spaces via BES10.

Application Sandboxing

The application sandboxing and malware controls found in BlackBerry 10 help keep company data safe and secure from potentially malicious applications. BlackBerry 10 also protects employees’ personal data by allowing them to configure their devices’ application controls and limit application access to their personal information.

Sandboxing separates and restricts an application’s capabilities and permissions. The sandbox is a virtual container that uses device memory and part of the file system, and grants access to the application at a specific time. Applications can have sandboxes in both an employee’s Work Space and Personal Space, yet each remains isolated from the other. The BlackBerry 10 OS monitors application process requests for memory outside its sandbox. If the application attempts to access memory outside its sandbox, the BlackBerry 10 OS will stop the process and reclaim the memory it uses, then restart the process without impacting other processes operating at the same time. In addition, each application is assigned its own specific group identification, which cannot be shared or reused by another application. Each application stores data in its own sandbox, and the BlackBerry 10 OS prevents other applications from accessing this specific data.

Malware Controls

The BlackBerry 10 OS includes tight controls to reduce the possibility of malware attacks, including a ‘contain-and-constrain’ strategy that minimizes risks. Application process requests are constrained within employees’ Personal Space on the device, and the BlackBerry OS microkernel monitors inter-process communications for potential issues. The microkernel also monitors memory access by the Personal Space and authorizes its use as needed. Any application process that attempts an unauthorized memory access request is automatically restarted or shut down, protecting your company data. In the employee’s Personal Space, application permissions are used to protect personal data from potential malware attacks.

Malware Protection in Action

Instead of downloading an application to the device from the prescribed channel, an employee downloads an application from the Internet to her personal computer, then moves the application, which contains malware, to the device’s Personal Space. The malware scans the employee’s device for names, phone numbers, credit card numbers or any other bits of identity information that can be stolen and misused.

Work-related information is not impacted, as all company information remains isolated and locked down on the device’s Work Space, fully protected and secure.


End-to-end Security

Securing and protecting corporate data is of paramount concern for all enterprises. As businesses continue to adopt and expand mobility options as a means of improving worker productivity and end-user satisfaction, however, protecting corporate information and guarding against data loss becomes an increasingly complex challenge for IT departments. Underlining the situation is the fact that each personal-enabled device added to the corporate network brings with it a new opportunity in which sensitive enterprise data can be disclosed accidentally or intentionally stolen, either by the device user or by any untrusted application that is installed on the device. Accordingly, today’s resource-challenged IT departments require proven and comprehensive enterprise mobility management solutions that have integrated security designs and controls necessary to protect against these new risks, while delivering the compelling work and life experience that employees demand.

But protecting corporate data from misuse and loss is only half of the story. A mobile security solution, even an ironclad one, must also secure work applications while delivering an environment that enables developers to quickly and effectively create enterprise applications. BlackBerry 10 delivers on this promise with a highly functional application environment that is transparent to developers.

BlackBerry 10 was designed from the ground up to provide enterprises with the optimal balance of protection and productivity. BlackBerry 10, BES10, the BlackBerry infrastructure and BlackBerry 10 devices constitute an ironclad security solution that spans your entire business and delivers a productive and feature-rich work environment with an integrated suite of productivity applications for your increasingly mobilized workforce.


BlackBerry® Z30 Smartphone
Size: 140.7 mm x 72 mm x 9.4 mm
Display: 5" Super AMOLED display, 24-bit color, 1280 x 720 resolution at 295 PPI
Software: BlackBerry® 10 OS
Memory: 2 GB RAM, 16 GB Flash®, hot-swappable Micro SD slot
Processor: Dual Core 1.7 GHz Qualcomm MSM8960, Quad-core GPU
Battery Life¹: Mixed use up to 25 hours; Talk time up to 18 hours UMTS, 14 hours GSM; Standby time up to 16 days; Music up to 90 hours; Video up to 12 hours
Camera: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2 MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®²: 802.11 a/b/g/n enabled, 4G Mobile Hotspot

BlackBerry® Z10 Smartphone
Size: 130 mm x 65.6 mm x 9 mm
Display: 4.2" 4-point multi-touch LCD display, 1280 x 768 resolution at 356 DPI
Software: BlackBerry® 10 OS
Memory: 2 GB RAM, 16 GB Flash®, hot-swappable Micro SD slot
Processor: Dual Core 1.5 GHz Texas Instruments OMAP 4470
Battery Life¹: Talk time up to 11 hours on 3G; Standby time up to 408 hours on 3G, up to 397 hours on 2G; Music up to 51 hours; Video up to 10 hours
Camera: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2 MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®²: 802.11 b/g/n enabled, Mobile Hotspot

BlackBerry® Q10 Smartphone
Size: 119.6 mm x 66.8 mm x 10.35 mm
Display: 3.1" Super AMOLED display, 720 x 720 resolution at 330 PPI
Software: BlackBerry® 10 OS
Memory: 2 GB RAM, 16 GB Flash®, hot-swappable Micro SD slot
Processor: Dual-core 1.5 GHz Qualcomm® MSM8960
Battery Life¹: Talk time up to 13.5 hours on 3G; Standby time up to 345 hours on 3G, up to 324 hours on 2G; Music up to 62 hours; Video up to 9 hours
Camera: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2 MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®²: 802.11 a/b/g/n enabled, 4G Mobile Hotspot

BlackBerry® Q5 Smartphone
Size: 120 mm x 66 mm x 10.8 mm
Display: 3.1" Capacitive multi-touch LCD display, 720 x 720 resolution at 329 PPI
Software: BlackBerry® 10 OS
Memory: 2 GB RAM, 8 GB Flash®, hot-swappable Micro SD slot
Processor: Dual Core 1.2 GHz Qualcomm® MSM8960
Battery Life¹: Talk time 3G up to 12.5 hours, 2G up to 10 hours; Standby time up to 14 days on 3G, up to 13 days on 4G; Music up to 62 hours; Video up to 9 hours
Camera: 5 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2 MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®²: 802.11 b/g/n enabled, Mobile Hotspot

1. Many factors affect battery life, including but not limited to network transmission environment, battery age, usage, location, software and feature configuration.
2. WiFi availability may vary between country and mobile network operators.


BlackBerry Technical Support Services

Support is a key component of your Enterprise Mobility Management strategy. Implementing BES10 is easier than ever, but having a strategic support partner is still essential to assist you in delivering your mobility objectives. BlackBerry Technical Support Services offers a unique blend of technical expertise, rapid issue resolution and proactive, relationship-based support to help you realise the full potential of your BES10 multi-platform management infrastructure. For more information, visit blackberry.com/btss

Learn more at BES10.com/security

1. February 2014
2. August 2013
3. November 2013
4. Silver level EMM provides the management and control feature set for iOS, Android and BlackBerry 10 devices, previously known as BES10 EMM Corporate.
5. Gold level EMM provides the management and control feature set for BlackBerry 10 devices, previously known under the name EMM Regulated, and also covers the containerization option for iOS and Android management known as Secure Work Space for iOS and Android.

Screen images simulated.

© 2014 BlackBerry. All rights reserved. BlackBerry® and related trademarks, names and logos are the property of BlackBerry Limited and are registered and/or used in the US and countries around the world. All other trademarks are the property of their respective owners. iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the US and certain other countries. iOS is used under license by Apple Inc. Apple Inc. does not sponsor, authorize or endorse this brochure. Android is a trademark of Google Inc., which does not sponsor, authorize or endorse this brochure.

EZ PASS: FREE perpetual BES10 licenses for all existing BlackBerry and other active MDM licenses, plus receive world-class BlackBerry Advantage Level Technical Support FREE of charge.

Learn more at blackberry.com/ezpass

Additional Terms and Conditions will apply.

Back to the Contents

Enforcing Strong Access ControlsBlackBerry security gives you greater control over how and when mobile devices connect to your network infrastructure and access data

BlackBerry security delivers multiple access control features such as device authentication anti-counterfeiting manufacturing controls and device OS protection that verify and maintain device integrity These features help ensure only authorized devices used by authorized employees gain entry into your network use network services and access data

BlackBerry Hardware Root of Trust BlackBerry takes specific steps to help ensure the integrity of its devices and prevent counterfeit devices from connecting to the BlackBerry infrastructure

Security is built into each major BlackBerry device component making it more difficult for unauthorized users to remove or circumvent security on a BlackBerry device than on other mobile operating systems Plus all parts of the BlackBerry supply chain from its manufacturing partners to the BlackBerry

infrastructure and devices are securely connected which means trusted BlackBerry devices can be built around the world

This secure manufacturing model helps prevent the impersonation of authentic BlackBerry devices and ensures that only authentic BlackBerry devices can connect to the BlackBerry infrastructure Any device trying to connect to the BlackBerry infrastructure must complete the self-verification process before access is granted

Authentication Multiple forms of authentication take place within the BlackBerry system to minimize the possibility of data loss and outside attack First the BlackBerry infrastructure and BES10 authenticate with each other by sharing a Server Routing Protocol (SRP) authentication key before a connection takes place

The second level of authentication takes place between BES10 and the activated BlackBerry 10 device When the device is activated it generates a key pair and sends the public key to BES10 The BES10 server then creates a client certificate and sends an enterprise management root certificate and client certificate back to the device It uses the enterprise management root certificate to authenticate the server certificate for the enterprise management Web service BES10 and the BlackBerry 10 device use the client certificate to authenticate users their Work Spaces and their devices

BlackBerry 10 Operating System

CPU Embedded Boot ROM

Boot ROM digital signature

bull Application 4

bull Application 3

bull Application 2

bull Application 1

Boot ROM

Public EC 521 Key of OS Signature

Verified

BlackBerry 10 OS

SHA256 hash of Base File System (Signed with EC 521

Verified

Base File System (Read only)

XML Manifest of loaded applications (Cryptographically hashed)

Verified

Software Upgrades and Application Downloads from BlackBerry World All downloads verified with ECC signed SHA-2 hashes

14

Back to the Contents

BlackBerry 10 Device OS Security Features Protecting the devicersquos OS is one of the most important functions of mobile device security However itrsquos sometimes neglected by other manufacturers focused on consumer devices since it can be challenging to verify the security vulnerabilities contained in millions of lines of source code a common characteristic of many devicesrsquo OSs The BlackBerry 10 OS includes security features for OS protection including

Microkernel Implementation The hardened QNX microkernel used in the BlackBerry 10 OS contains approximately 150000 lines of code With fewer lines of code the BlackBerry OS is less susceptible to vulnerabilities than other platforms As a result rigorous security verification and testing are achieved even with a fixed amount of IT resources

Resilient Design To reduce risks the microkernel contains processes associated with personal use Any unresponsive or misbehaving process is automatically restarted or killed respectively without impacting other processes

Root Process Minimization To reduce security risks only the most essential BlackBerry processes are run in root mode This mode is never available to third parties

Blackberry World Application Stores Once a BlackBerry 10 device is activated on BES10 it has access to two separate BlackBerry World application storefronts BlackBerry World for personal use and BlackBerry World for Work for enterprise use

Within the Work Space only applications approved by the BES 10 administrator are permitted to be installed Work applications can either be ldquopushedrdquo to users based on policy or ldquopulledrdquo by users for optional use Within the Personal Space users are free to download any application available through BlackBerry World

15 Enforcing Strong Access Controls cont

Back to the Contents

For the large majority of organizations BlackBerry Balance available via the BES10 Silver EMM4 configuration optimizes the balance between security and employee expectations for a compelling work and life end-user experience Some highly sensitive regulated environments however may not permit personal use on employee devices due to established risk management policies For these organizations often operating in government financial services or healthcare sectors for example BlackBerry offers the BES10 Gold EMM5 configuration which gives administrators the ability to disable personal use as well as impose device application and content controls that exceeded the granularity of the BES10 Silver EMM configuration No other mobile platform offers this unique capability

The BES10 regulated-level device management control features enable large enterprises and government and regulated industries to manage fully locked-down devices with a set of controls unmatched in their level of granularity

Gold level device management capabilities include

BlackBerry 10 Mobile Device Management (MDM) capabilities designed for secure government and regulated environments

Enforcement of corporate-only use and granular controls to manage use of camera storage WiFi Bluetooth and other device features

Option to enable a controlled Personal Space through BlackBerry Balance while ensuring all work content is fully protected within the Work Space

User friendly and intuitive management console to manage your devices users groups apps and services including reporting and dashboard capabilities

Sampling of Regulated-level BlackBerry 10 Device Management Controls

Mobile Hotspot Mode and Tethering Specify whether to allow Mobile Hotspot mode tethering using Bluetooth technology and tethering using a USB cable on a BlackBerry 10 device

Wireless Service Provider Billing Specify whether a BlackBerry 10 device user can purchase applications from the BlackBerry World app storefront using the purchasing plan for your organizationrsquos wireless service provider

Maximum Password Age Specify the maximum number of days that can elapse before a BlackBerry 10 device password expires and a BlackBerry 10 device user must set a new password

Wipe the Work Space without Network Connectivity Specify the time in hours that must elapse without a BlackBerry 10 device connecting to your organizationrsquos network before wiping the entire device

Non-Email Accounts Specify whether a BlackBerry 10 device user can add third-party accounts for services such as Facebook Twitter LinkedIn and Evernote to the device

Network Access Control for Work Applications Specify whether work applications on a BlackBerry 10 device must connect to your organizationrsquos network through BES10

Log Submission Specify whether a BlackBerry 10 device can generate and send log files to the BlackBerry Technical Solution Center

Bluetooth Specify whether a BlackBerry 10 device can use Bluetooth technology

SMSMMS Specify whether a BlackBerry 10 device can send SMS text messages and MMS messages

Camera Specify whether a BlackBerry 10 device can use the camera

BES10rsquos Gold level EMM controls and settings deliver the ultimate security solution for government and other high-security environments


[Infographic: Leaders in innovation. Largest Research & Development staff of any EMM vendor[3]; expansion of security model to iOS and Android; scalability, devices per server: 100K; BES10 servers globally: 30K+; patents: 44K[1]]


Managing Devices

With BES10 you can also easily manage iOS and Android™ devices from a central location.

A typical enterprise may contain hundreds of devices, each one a potential unauthorized entry point into your corporate servers. To help IT departments get a handle on the large number and diversity of devices attached to your network, BlackBerry has extended its security model to iOS and Android smartphones and tablets through BES10. With the ability to use BES10 to manage multiple types of devices from a single platform and management console, IT administrators are able to strike the perfect balance between corporate and end user needs.

Secure Work Space for iOS and Android

BlackBerry has also extended its ability to protect corporate data, through the creation of secure computing and communications environments, to iOS and Android devices. Secure Work Space is a containerization, application-wrapping and secure connectivity option for iOS and Android smartphones and tablets that is managed through the BES10 administration console. Managed applications are secured and separated from personal apps and data, providing an integrated email, calendar and contacts app, an enterprise-level secure browser, and secure document viewing and editing. User authentication is required to access secure apps, and work data cannot be shared outside the Secure Work Space. The trusted BlackBerry security model provides built-in secure connectivity for all enterprise apps deployed to the Secure Work Space – no VPN needed.


BlackBerry Mobile Device Management in Action

Your company has hired several new employees – each due to receive a BlackBerry 10 smartphone. The IT department quickly and easily adds a user account for each employee into BES10 using information from your company's Microsoft Active Directory. An activation password for each account is created, along with the Server Routing Protocol (SRP) ID of the BES10, and delivered to the respective employee.

The new employees type their user IDs, passwords and SRP IDs into their BlackBerry 10 devices to activate them. The smartphone's enterprise management agent establishes a secure connection through the BlackBerry infrastructure over the network to BES10. Encryption keys based on IT department policies are generated, Work Spaces are created, and profiles and software configurations are sent to each smartphone. In just a few short steps, the incoming employees are empowered with fully functional and secure mobile devices.


Managing Devices Using Device Wipe

With BES10 and BlackBerry Balance, you can keep company data safe while leaving employee personal data intact. Using BES10, you can remotely wipe an employee's Work Space and all its content, leaving all personal data on the device in place.

You can also use BES10 to create policies that delete the Work Space from the device if certain events occur or specific conditions are met. For example, you can create a policy to delete the Work Space if the number of failed password attempts exceeds the maximum number allowed. You can also wipe the device if employees exceed their allotment of permitted hours or days since the last network connection.

Device Wipe in Action

An employee has just received a job offer from a competitor. This employee works in your company's procurement department and has access to the company enterprise resource planning (ERP) system via her BlackBerry 10 device. Using the ERP system application, the employee can see the company's suppliers, vendors, parts inventory, backlogs, sales projections and more.

The employee accepts the job offer and gives a two-week notice. Her manager alerts HR and IT departments about her upcoming departure. On her last day, IT wipes the employee's work profile from her BlackBerry 10 device, which prevents her from accessing the ERP and email systems. However, all of her personal information remains intact on her device as she moves on to her next job.

Distribution and Application Security Using BlackBerry World for Work

A benefit of BlackBerry Balance is that it allows IT to create and deploy a customized business application store called BlackBerry World for Work. With BlackBerry World for Work, you can push, install and manage business and productivity applications over the network to BlackBerry 10 device Work Spaces via BES10.

Application Sandboxing

The application sandboxing and malware controls found in BlackBerry 10 help keep company data safe and secure from potentially malicious applications. BlackBerry 10 also protects employees' personal data by allowing them to configure their devices' application controls and limit application access to their personal information.

Sandboxing separates and restricts an application's capabilities and permissions. The sandbox is a virtual container that uses device memory and part of the file system and grants access to the application at a specific time. Applications can have sandboxes in both an employee's Work Space and Personal Space, yet each remains isolated from the other. The BlackBerry 10 OS monitors application process requests for memory outside its sandbox. If the application attempts to access memory outside its sandbox, the BlackBerry 10 OS will stop the process and reclaim the memory it uses, then restart the process without impacting other processes operating at the same time. In addition, each application is assigned its own specific group identification, which cannot be shared or reused by another application. Each application stores data in its own sandbox, and the BlackBerry 10 OS prevents other applications from accessing this specific data.

Malware Controls

The BlackBerry 10 OS includes tight controls to reduce the possibility of malware attacks, including a 'contain-and-constrain' strategy that minimizes risks. Application process requests are constrained within employees' Personal Space on the device, and the BlackBerry OS microkernel monitors inter-process communications for potential issues. The microkernel also monitors memory access by the Personal Space and authorizes its use as needed. Any application process that attempts an unauthorized memory access request is automatically restarted or shut down, protecting your company data. In the employee's Personal Space, application permissions are used to protect personal data from potential malware attacks.

Malware Protection in Action

Instead of downloading an application to the device from the prescribed channel, an employee downloads an application from the Internet to her personal computer, then moves the application, which contains malware, to the device's Personal Space. The malware scans the employee's device for names, phone numbers, credit card numbers or any other bits of identity information that can be stolen and misused.

Work-related information is not impacted, as all company information remains isolated and locked down on the device's Work Space, fully protected and secure.


End-to-end Security

Securing and protecting corporate data is of paramount concern for all enterprises. As businesses continue to adopt and expand mobility options as a means of improving worker productivity and end-user satisfaction, however, protecting corporate information and guarding against data loss becomes an increasingly complex challenge for IT departments. Underlining the situation is the fact that each personal-enabled device added to the corporate network brings with it a new opportunity in which sensitive enterprise data can be disclosed accidentally or intentionally stolen, either by the device user or by any untrusted application that is installed on the device. Accordingly, today's resource-challenged IT departments require proven and comprehensive enterprise mobility management solutions that have integrated security designs and controls necessary to protect against these new risks, while delivering the compelling work and life experience that employees demand.

But protecting corporate data from misuse and loss is only half of the story. A mobile security solution, even an ironclad one, must also secure work applications while delivering an environment that enables developers to quickly and effectively create enterprise applications. BlackBerry 10 delivers on this promise with a highly functional application environment that is transparent to developers.

BlackBerry 10 was designed from the ground up to provide enterprises with the optimal balance of protection and productivity. BlackBerry 10, BES10, the BlackBerry infrastructure and BlackBerry 10 devices constitute an ironclad security solution that spans your entire business and delivers a productive and feature-rich work environment with an integrated suite of productivity applications for your increasingly mobilized workforce.


BlackBerry® Z30 Smartphone
Size: 140.7mm x 72mm x 9.4mm
Display: 5" Super AMOLED display, 24-bit color, 1280 x 720 resolution at 295 PPI
Software: BlackBerry® 10 OS
Memory: 2GB RAM, 16GB Flash, hot-swappable Micro SD slot
Processor: Dual Core 1.7 GHz Qualcomm MSM8960, Quad-core GPU
Battery Life[1]: Mixed use: up to 25 hours. Talk time: up to 18 hours UMTS, 14 hours GSM. Standby time: up to 16 days. Music: up to 90 hours. Video: up to 12 hours
Camera: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®[2]: 802.11 a/b/g/n enabled, 4G Mobile Hotspot

BlackBerry® Z10 Smartphone
Size: 130mm x 65.6mm x 9mm
Display: 4.2" 4-point multi-touch LCD display, 1280 x 768 resolution at 356 DPI
Software: BlackBerry® 10 OS
Memory: 2GB RAM, 16GB Flash, hot-swappable Micro SD slot
Processor: Dual Core 1.5 GHz Texas Instruments OMAP 4470
Battery Life[1]: Talk time: up to 11 hours on 3G. Standby time: up to 408 hours on 3G, up to 397 hours on 2G. Music: up to 51 hours. Video: up to 10 hours
Camera: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®[2]: 802.11 b/g/n enabled, Mobile Hotspot

BlackBerry® Q10 Smartphone
Size: 119.6mm x 66.8mm x 10.35mm
Display: 3.1" Super AMOLED display, 720 x 720 resolution at 330 PPI
Software: BlackBerry® 10 OS
Memory: 2GB RAM, 16GB Flash, hot-swappable Micro SD slot
Processor: Dual-core 1.5 GHz Qualcomm® MSM8960
Battery Life[1]: Talk time: up to 13.5 hours on 3G. Standby time: up to 345 hours on 3G, up to 324 hours on 2G. Music: up to 62 hours. Video: up to 9 hours
Camera: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®[2]: 802.11 a/b/g/n enabled, 4G Mobile Hotspot

BlackBerry® Q5 Smartphone
Size: 120mm x 66mm x 10.8mm
Display: 3.1" Capacitive multi-touch LCD display, 720 x 720 resolution at 329 PPI
Software: BlackBerry® 10 OS
Memory: 2GB RAM, 8GB Flash, hot-swappable Micro SD slot
Processor: Dual Core 1.2 GHz Qualcomm® MSM8960
Battery Life[1]: Talk time: 3G - up to 12.5 hours, 2G - up to 10 hours. Standby time: up to 14 days on 3G, up to 13 days on 4G. Music: up to 62 hours. Video: up to 9 hours
Camera: 5 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®[2]: 802.11 b/g/n enabled, Mobile Hotspot

[1] Many factors affect battery life, including but not limited to network transmission environment, battery age, usage, location, software and feature configuration.
[2] WiFi availability may vary between country and mobile network operators.


BlackBerry Technical Support Services

Support is a key component of your Enterprise Mobility Management strategy. Implementing BES10 is easier than ever, but having a strategic support partner is still essential to assist you in delivering your mobility objectives. BlackBerry Technical Support Services offers a unique blend of technical expertise, rapid issue resolution and proactive, relationship-based support to help you realise the full potential of your BES10 multi-platform management infrastructure. For more information, visit blackberry.com/btss

Learn more at BES10.com/security

[1] February 2014
[2] August 2013
[3] November 2013
[4] Silver level EMM provides the management and control feature set for iOS, Android and BlackBerry 10 devices, previously known as BES10 EMM Corporate.
[5] Gold level EMM provides the management and control feature set for BlackBerry 10 devices, previously known under the name EMM Regulated, and also covers the containerization option for iOS and Android management known as Secure Work Space for iOS and Android.

Screen images simulated

© 2014 BlackBerry. All rights reserved. BlackBerry® and related trademarks, names and logos are the property of BlackBerry Limited and are registered and/or used in the US and countries around the world. All other trademarks are the property of their respective owners. iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the US and certain other countries. iOS is used under license by Apple Inc. Apple Inc. does not sponsor, authorize or endorse this brochure. Android is a trademark of Google Inc., which does not sponsor, authorize or endorse this brochure.

EZ PASS

FREE perpetual BES10 licenses for all existing BlackBerry and other active MDM licenses, plus receive world class BlackBerry Advantage Level Technical Support FREE of charge.

Learn more at blackberry.com/ezpass

Additional Terms and Conditions will apply


BlackBerry 10 Device OS Security Features

Protecting the device's OS is one of the most important functions of mobile device security. However, it's sometimes neglected by other manufacturers focused on consumer devices, since it can be challenging to verify the security vulnerabilities contained in millions of lines of source code, a common characteristic of many devices' OSs. The BlackBerry 10 OS includes security features for OS protection, including:

Microkernel Implementation: The hardened QNX microkernel used in the BlackBerry 10 OS contains approximately 150,000 lines of code. With fewer lines of code, the BlackBerry OS is less susceptible to vulnerabilities than other platforms. As a result, rigorous security verification and testing are achieved even with a fixed amount of IT resources.

Resilient Design: To reduce risks, the microkernel contains processes associated with personal use. Any unresponsive or misbehaving process is automatically restarted or killed, respectively, without impacting other processes.

Root Process Minimization: To reduce security risks, only the most essential BlackBerry processes are run in root mode. This mode is never available to third parties.

BlackBerry World Application Stores: Once a BlackBerry 10 device is activated on BES10, it has access to two separate BlackBerry World application storefronts: BlackBerry World for personal use and BlackBerry World for Work for enterprise use.

Within the Work Space, only applications approved by the BES10 administrator are permitted to be installed. Work applications can either be "pushed" to users based on policy or "pulled" by users for optional use. Within the Personal Space, users are free to download any application available through BlackBerry World.


For the large majority of organizations, BlackBerry Balance, available via the BES10 Silver EMM[4] configuration, optimizes the balance between security and employee expectations for a compelling work and life end-user experience. Some highly sensitive, regulated environments, however, may not permit personal use on employee devices due to established risk management policies. For these organizations, often operating in government, financial services or healthcare sectors, for example, BlackBerry offers the BES10 Gold EMM[5] configuration, which gives administrators the ability to disable personal use as well as impose device, application and content controls that exceed the granularity of the BES10 Silver EMM configuration. No other mobile platform offers this unique capability.

The BES10 regulated-level device management control features enable large enterprises and government and regulated industries to manage fully locked-down devices with a set of controls unmatched in their level of granularity.

Gold level device management capabilities include:

BlackBerry 10 Mobile Device Management (MDM) capabilities designed for secure government and regulated environments

Enforcement of corporate-only use and granular controls to manage use of camera storage WiFi Bluetooth and other device features

Option to enable a controlled Personal Space through BlackBerry Balance while ensuring all work content is fully protected within the Work Space

User friendly and intuitive management console to manage your devices users groups apps and services including reporting and dashboard capabilities

Sampling of Regulated-level BlackBerry 10 Device Management Controls

Mobile Hotspot Mode and Tethering Specify whether to allow Mobile Hotspot mode tethering using Bluetooth technology and tethering using a USB cable on a BlackBerry 10 device

Wireless Service Provider Billing Specify whether a BlackBerry 10 device user can purchase applications from the BlackBerry World app storefront using the purchasing plan for your organizationrsquos wireless service provider

Maximum Password Age Specify the maximum number of days that can elapse before a BlackBerry 10 device password expires and a BlackBerry 10 device user must set a new password

Wipe the Work Space without Network Connectivity Specify the time in hours that must elapse without a BlackBerry 10 device connecting to your organizationrsquos network before wiping the entire device

Non-Email Accounts Specify whether a BlackBerry 10 device user can add third-party accounts for services such as Facebook Twitter LinkedIn and Evernote to the device

Network Access Control for Work Applications Specify whether work applications on a BlackBerry 10 device must connect to your organizationrsquos network through BES10

Log Submission Specify whether a BlackBerry 10 device can generate and send log files to the BlackBerry Technical Solution Center

Bluetooth Specify whether a BlackBerry 10 device can use Bluetooth technology

SMSMMS Specify whether a BlackBerry 10 device can send SMS text messages and MMS messages

Camera Specify whether a BlackBerry 10 device can use the camera

BES10rsquos Gold level EMM controls and settings deliver the ultimate security solution for government and other high-security environments

16 Enforcing Strong Access Controls cont

Leaders in innovation

Largest Research amp Development sta ofany EMM vendor3

Expansion of security modelto iOS and Android

Scalability Devices per server

100KBES10 servers globally

30K+44K

PATENTS1 1

Back to the Contents

17

Back to the Contents

Managing Devices With BES10 you can also easily manage iOS and Androidtrade devices from a central location

A typical enterprise may contain hundreds of devices each one a potential unauthorized entry point into your corporate servers To help IT departments get a handle on the large number and diversity of devices attached to your network BlackBerry has extended its security model to iOS and Android smartphones and tablets through BES10 With the ability to use BES10 to manage multiple types of devices from a single platform and management console IT administrators are able to strike the perfect balance between corporate and end user needs

Secure Work Space for iOS and Android BlackBerry has also extended its ability to protect corporate data through the creation of secure computing and communications environments to iOS and Android devices Secure Work Space is a containerization application-wrapping and secure connectivity option for iOS and Android smartphones and tablets that is managed through the BES10 administration console Managed applications are secured and separated from personal apps and data providing an integrated email calendar and contacts app an enterprise-level secure browser and secure document viewing and editing User authentication is required to access secure apps and work data cannot be shared outside the Secure Work Space The trusted BlackBerry security model provides built-in secure connectivity for all enterprise apps deployed to the Secure Work Space ndash no VPN needed

18

BlackBerry Mobile Device Management in Action

Your company has hired several new employees ndash each due to receive a BlackBerry 10 smartphone The IT department quickly and easily adds a user account for each employee into BES10 using information from your companyrsquos Microsoft Active Directory An activation password for each account is created along with the Server Routing Protocol (SRP) ID of the BES10 and delivered to the respective employee

The new employees type their user IDs passwords and SRP IDs into their BlackBerry 10 devices to activate them The smartphonersquos enterprise management agent establishes a secure connection through the BlackBerry infrastructure

over the network to BES10 Encryption keys based on IT department policies are generated Work Spaces are created and profiles and software configurations are sent to each smartphone In just a few short steps the incoming employees are empowered with fully functional and secure mobile devices

19 Managing Devices cont

Back to the Contents

Back to the Contents

Managing Devices Using Device Wipe With BES10 and BlackBerry Balance you can keep company data safe while leaving employee personal data intact Using BES10 you can remotely wipe an employeersquos Work Space and all its content leaving all personal data on the device in place

You can also use BES10 to create policies that delete the Work Space from the device if certain events occur or specific conditions are met For example you can create a policy to delete the Work Space if the number of failed password attempts exceeds the maximum number allowed You can also wipe the device if employees exceed their allotment of permitted hours or days since the last network connection

Device Wipe in Action An employee has just received a job offer from a competitor This employee works in your companyrsquos procurement department and has access to the company enterprise resource planning (ERP) system via her BlackBerry 10 device Using the ERP system application the employee can see the companyrsquos suppliers vendors parts inventory backlogs sales projections and more

The employee accepts the job offer and gives a two-week notice Her manager alerts HR and IT departments about her upcoming departure On her last day IT wipes the employeersquos work profile from her BlackBerry 10 device which prevents her from accessing the ERP and email systems However all of her personal information remains intact on her device as she moves on to her next job

Distribution and Application Security Using Blackberry World for Work A benefit of BlackBerry Balance is that it allows IT to create and deploy a customized business application store called BlackBerry World for Work With BlackBerry World for Work you can push install and manage business and productivity applications over the network to BlackBerry 10 device Work Spaces via BES10

Application Sandboxing The application sandboxing and malware controls found in BlackBerry 10 help keep company data safe and secure from potentially malicious applications BlackBerry 10 also protects employeesrsquo personal data by allowing them to configure their devicesrsquo application controls and limit application access to their personal information

Sandboxing separates and restricts an applicationrsquos capabilities and permissions The sandbox is a virtual container that uses device memory and part of the file system and grants access to the application at a specific time Applications can have sandboxes in both an employeersquos Work Space and Personal Space yet each remains isolated from the other The BlackBerry 10 OS monitors application process requests for memory outside its sandbox If the application attempts to access memory outside its sandbox the BlackBerry 10 OS will stop the process and reclaim the memory it uses then restart the process without impacting other processes operating at the same time In addition each application is assigned its own specific group identification which cannot be shared or reused by another application Each application stores data in its own sandbox and the BlackBerry 10 OS prevents other applications from accessing this specific data

Malware Controls The BlackBerry 10 OS includes tight controls to reduce the possibility of malware attacks including a lsquocontain-and-constrainrsquo strategy that minimizes risks Application process requests are constrained within employeesrsquo Personal Space on the device and the BlackBerry OS microkernel monitors inter-process communications for potential issues The microkernel also monitors memory access by the Personal Space and authorizes its use as needed Any application process that attempts an unauthorized memory access request is automatically restarted or shut down protecting your company data In the employeersquos Personal Space application permissions are used to protect personal data from potential malware attacks

Malware Protection in Action Instead of downloading an application to the device from the prescribed channel an employee downloads an application from the Internet to her personal computer then moves the application which contains malware to the devices Personal Space The malware scans the employeersquos device for names phone numbers credit card numbers or any other bits of identity information that can be stolen and misused

Work-related information is not impacted as all company information remains isolated and locked down on the devicersquos Work Space fully protected and secure

20 Managing Devices cont

Back to the Contents

End-to-end Security

Securing and protecting corporate data is of paramount concern for all enterprises As businesses continue to adopt and expand mobility options as a means of improving worker productivity and end-user satisfaction however protecting corporate information and guarding against data loss becomes an increasingly complex challenge for IT departments Underlining the situation is the fact that each personal-enabled device added to the corporate network brings with it a new opportunity in which sensitive enterprise data can be disclosed accidentally or intentionally stolen either by the device user or by any untrusted application that is installed on the device Accordingly todayrsquos resource-challenged IT departments require proven and comprehensive enterprise mobility management solutions that have integrated security designs and controls necessary to protect against these new risks while delivering the compelling work and life experience that employees demand

But protecting corporate data from misuse and loss is only half of the story A mobile security solution even an ironclad one must also secure work applications while delivering an environment that enables developers to quickly and effectively create enterprise applications BlackBerry 10 delivers on this promise with a highly functional application environment that is transparent to developers

BlackBerry 10 was designed from the ground up to provide enterprises with the optimal balance of protection and productivity BlackBerry 10 BES10 the BlackBerry infrastructure and BlackBerry 10 devices constitute an ironclad security solution that spans your entire business and delivers a productive and feature-rich work environment with an integrated suite of productivity applications for your increasingly mobilized workforce

21 Managing Devices cont

Back to the Contents

BlackBerryreg Z30 Smartphone BlackBerryreg Z10 Smartphone BlackBerryreg Q10 Smartphone BlackBerryreg Q5 Smartphone

Size 1407mm x 72mm x 94mm 130mm x 656mm x 9mm 1196mm x 668mm x 1035mm 120mm x 66mm x 108mm

Display 5super AMOLED display 24 bit color1280 x 720 resolution at 295 PPI

42 4-point multi-touch LCD display1280 x 768 resolution at 356 DPI

31 Super AMO LED display720 x720 resolution at 330 PPI

31 Capacitive multi-touch LCD display720x720 resolution at 329 PPI

Software BlackBerryreg 10 OS BlackBerryreg 10 OS BlackBerryreg 10 OS BlackBerryreg 10 OS

Memory 2GB RAM 16GB Flashreghot-swappable Micro SD slot

2GB RAM 16GB Flashreghot-swappable Micro SD slot

2GB RAM 16GB Flashreghot-swappable Micro SD slot

2GB RAM 8GB Flashreghot-swappable Micro SD slot

Processor Dual Core 17 GHz Qualcomm MSM8960Quad-core GPU

Dual Core 15 GHz Texas Instruments OMAP 4470

Dual-core 15 GHz Qualcommreg MSM8960

Dual Core 12 GHz Qualcommreg MSM8960

Battery Life1 Mixed use Up to 25 hours

Talk time Up to 18 hours UMTS14 hours GSM

Standby time Up to 16 days

Music Up to 90 hours

Video Up to 12 hours

Talk Time up to 11 hours on 3G

Standby Time up to 408 hours on 3G up to 397 hours on 2G

Music up to 51 hours

Video up to 10 hours

Talk Time up to 135 hours on 3G

Standby Time up to 345 hours on 3G up to 324 hours on 2G

Music up to 62 hours

Video up to 9 hours

Talk Time 3G - up to 125 hours 2G - up to 10 hours

Standby Time up to 14 days on 3G up to 13 days on 4G

Music up to 62 hours

Video up to 9 hours

Camera 8 MP rear-facing camera

5x digital zoom

1080p HDvideo recording 2MP front-facing camera

3x digital zoom

720p HD video recording

8 MP rear-facing camera

5x digital zoom

1080p HDvideo recording 2MP front-facing camera

3x digital zoom

720p HD video recording

8 MP rear-facing camera

5x digital zoom

1080p HDvideo recording 2MP front-facing camera

3x digital zoom

720p HD video recording

5 MP rear-facing camera

5x digital zoom

1080p HDvideo recording 2MP front-facing camera

3x digital zoom

720p HD video recording

GPS GPS-enabled with preloadedBlackBerryreg Maps application

GPS-enabled with preloadedBlackBerryreg Maps application

GPS-enabled with preloadedBlackBerryreg Maps application

GPS-enabled with preloadedBlackBerryreg Maps application

Blueteoothreg Bluetooth 40 Low Energy Bluetooth 40 Low Energy Bluetooth 40 Low Energy Bluetooth 40 Low Energy

Wi-Fireg2 80211 abgn enabled 4G Mobile Hotspot

80211 bgn enabled Mobile Hotspot

80211 abgn enabled 4G Mobile Hotspot

80211 bgn enabled Mobile Hotspot

1 Many factors affect battery life including but not limited to network transmission environment battery age usage location software and feature configuration 2 WiFi availability may vary between country and mobile network operators

Back to the Contents

BlackBerry Technical Support Services

Support is a key component of your Enterprise Mobility Management strategy. Implementing BES10 is easier than ever, but having a strategic support partner is still essential to assist you in delivering your mobility objectives. BlackBerry Technical Support Services offers a unique blend of technical expertise, rapid issue resolution and proactive, relationship-based support to help you realise the full potential of your BES10 multi-platform management infrastructure. For more information visit blackberry.com/btss

Learn more at BES10.com/security

1 February 2014

2 August 2013

3 November 2013

4 Silver level EMM provides the management and control feature set for iOS, Android and BlackBerry 10 devices, previously known as BES10 EMM Corporate.

5 Gold level EMM provides the management and control feature set for BlackBerry 10 devices, previously known under the name EMM Regulated, and also covers the containerization option for iOS and Android management known as Secure Work Space for iOS and Android.

Screen images simulated.

© 2014 BlackBerry. All rights reserved. BlackBerry® and related trademarks, names and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world. All other trademarks are the property of their respective owners. iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS is used under license by Apple Inc. Apple Inc. does not sponsor, authorize or endorse this brochure. Android is a trademark of Google Inc., which does not sponsor, authorize or endorse this brochure.

EZ PASS: FREE perpetual BES10 licenses for all existing BlackBerry and other active MDM licenses, plus receive world class BlackBerry Advantage Level Technical Support FREE of charge.

Learn more at blackberry.com/ezpass

Additional Terms and Conditions will apply.


For the large majority of organizations, BlackBerry Balance, available via the BES10 Silver EMM4 configuration, optimizes the balance between security and employee expectations for a compelling work and life end-user experience. Some highly sensitive, regulated environments, however, may not permit personal use on employee devices due to established risk management policies. For these organizations, often operating in government, financial services or healthcare sectors, for example, BlackBerry offers the BES10 Gold EMM5 configuration, which gives administrators the ability to disable personal use as well as impose device, application and content controls that exceed the granularity of the BES10 Silver EMM configuration. No other mobile platform offers this unique capability.

The BES10 regulated-level device management control features enable large enterprises and government and regulated industries to manage fully locked-down devices with a set of controls unmatched in their level of granularity.

Gold level device management capabilities include:

BlackBerry 10 Mobile Device Management (MDM) capabilities designed for secure government and regulated environments

Enforcement of corporate-only use and granular controls to manage use of camera, storage, WiFi, Bluetooth and other device features

Option to enable a controlled Personal Space through BlackBerry Balance while ensuring all work content is fully protected within the Work Space

User-friendly and intuitive management console to manage your devices, users, groups, apps and services, including reporting and dashboard capabilities

Sampling of Regulated-level BlackBerry 10 Device Management Controls

Mobile Hotspot Mode and Tethering: Specify whether to allow Mobile Hotspot mode, tethering using Bluetooth technology, and tethering using a USB cable on a BlackBerry 10 device.

Wireless Service Provider Billing: Specify whether a BlackBerry 10 device user can purchase applications from the BlackBerry World app storefront using the purchasing plan for your organization’s wireless service provider.

Maximum Password Age: Specify the maximum number of days that can elapse before a BlackBerry 10 device password expires and a BlackBerry 10 device user must set a new password.

Wipe the Work Space without Network Connectivity: Specify the time in hours that must elapse without a BlackBerry 10 device connecting to your organization’s network before wiping the entire device.

Non-Email Accounts: Specify whether a BlackBerry 10 device user can add third-party accounts for services such as Facebook, Twitter, LinkedIn and Evernote to the device.

Network Access Control for Work Applications: Specify whether work applications on a BlackBerry 10 device must connect to your organization’s network through BES10.

Log Submission: Specify whether a BlackBerry 10 device can generate and send log files to the BlackBerry Technical Solution Center.

Bluetooth: Specify whether a BlackBerry 10 device can use Bluetooth technology.

SMS/MMS: Specify whether a BlackBerry 10 device can send SMS text messages and MMS messages.

Camera: Specify whether a BlackBerry 10 device can use the camera.

BES10’s Gold level EMM controls and settings deliver the ultimate security solution for government and other high-security environments.


Leaders in innovation

Largest Research & Development staff of any EMM vendor3

Expansion of security model to iOS and Android

Scalability: devices per server 100K; BES10 servers globally 30K+; patents 44K1


Managing Devices

With BES10 you can also easily manage iOS and Android™ devices from a central location.

A typical enterprise may contain hundreds of devices, each one a potential unauthorized entry point into your corporate servers. To help IT departments get a handle on the large number and diversity of devices attached to your network, BlackBerry has extended its security model to iOS and Android smartphones and tablets through BES10. With the ability to use BES10 to manage multiple types of devices from a single platform and management console, IT administrators are able to strike the perfect balance between corporate and end user needs.

Secure Work Space for iOS and Android

BlackBerry has also extended its ability to protect corporate data through the creation of secure computing and communications environments to iOS and Android devices. Secure Work Space is a containerization, application-wrapping and secure connectivity option for iOS and Android smartphones and tablets that is managed through the BES10 administration console. Managed applications are secured and separated from personal apps and data, providing an integrated email, calendar and contacts app, an enterprise-level secure browser, and secure document viewing and editing. User authentication is required to access secure apps, and work data cannot be shared outside the Secure Work Space. The trusted BlackBerry security model provides built-in secure connectivity for all enterprise apps deployed to the Secure Work Space – no VPN needed.


BlackBerry Mobile Device Management in Action

Your company has hired several new employees – each due to receive a BlackBerry 10 smartphone. The IT department quickly and easily adds a user account for each employee into BES10 using information from your company’s Microsoft Active Directory. An activation password for each account is created along with the Server Routing Protocol (SRP) ID of the BES10 and delivered to the respective employee.

The new employees type their user IDs, passwords and SRP IDs into their BlackBerry 10 devices to activate them. The smartphone’s enterprise management agent establishes a secure connection through the BlackBerry infrastructure over the network to BES10. Encryption keys based on IT department policies are generated, Work Spaces are created, and profiles and software configurations are sent to each smartphone. In just a few short steps, the incoming employees are empowered with fully functional and secure mobile devices.


Managing Devices Using Device Wipe

With BES10 and BlackBerry Balance, you can keep company data safe while leaving employee personal data intact. Using BES10, you can remotely wipe an employee’s Work Space and all its content, leaving all personal data on the device in place.

You can also use BES10 to create policies that delete the Work Space from the device if certain events occur or specific conditions are met. For example, you can create a policy to delete the Work Space if the number of failed password attempts exceeds the maximum number allowed. You can also wipe the device if employees exceed their allotment of permitted hours or days since the last network connection.

Device Wipe in Action

An employee has just received a job offer from a competitor. This employee works in your company’s procurement department and has access to the company enterprise resource planning (ERP) system via her BlackBerry 10 device. Using the ERP system application, the employee can see the company’s suppliers, vendors, parts inventory, backlogs, sales projections and more.

The employee accepts the job offer and gives a two-week notice. Her manager alerts HR and IT departments about her upcoming departure. On her last day, IT wipes the employee’s work profile from her BlackBerry 10 device, which prevents her from accessing the ERP and email systems. However, all of her personal information remains intact on her device as she moves on to her next job.

Distribution and Application Security Using BlackBerry World for Work

A benefit of BlackBerry Balance is that it allows IT to create and deploy a customized business application store called BlackBerry World for Work. With BlackBerry World for Work, you can push, install and manage business and productivity applications over the network to BlackBerry 10 device Work Spaces via BES10.

Application Sandboxing

The application sandboxing and malware controls found in BlackBerry 10 help keep company data safe and secure from potentially malicious applications. BlackBerry 10 also protects employees’ personal data by allowing them to configure their devices’ application controls and limit application access to their personal information.

Sandboxing separates and restricts an application’s capabilities and permissions. The sandbox is a virtual container that uses device memory and part of the file system and grants access to the application at a specific time. Applications can have sandboxes in both an employee’s Work Space and Personal Space, yet each remains isolated from the other. The BlackBerry 10 OS monitors application process requests for memory outside its sandbox. If the application attempts to access memory outside its sandbox, the BlackBerry 10 OS will stop the process and reclaim the memory it uses, then restart the process without impacting other processes operating at the same time. In addition, each application is assigned its own specific group identification, which cannot be shared or reused by another application. Each application stores data in its own sandbox, and the BlackBerry 10 OS prevents other applications from accessing this specific data.

Malware Controls

The BlackBerry 10 OS includes tight controls to reduce the possibility of malware attacks, including a ‘contain-and-constrain’ strategy that minimizes risks. Application process requests are constrained within employees’ Personal Space on the device, and the BlackBerry OS microkernel monitors inter-process communications for potential issues. The microkernel also monitors memory access by the Personal Space and authorizes its use as needed. Any application process that attempts an unauthorized memory access request is automatically restarted or shut down, protecting your company data. In the employee’s Personal Space, application permissions are used to protect personal data from potential malware attacks.

Malware Protection in Action

Instead of downloading an application to the device from the prescribed channel, an employee downloads an application from the Internet to her personal computer, then moves the application, which contains malware, to the device’s Personal Space. The malware scans the employee’s device for names, phone numbers, credit card numbers or any other bits of identity information that can be stolen and misused.

Work-related information is not impacted, as all company information remains isolated and locked down on the device’s Work Space, fully protected and secure.


End-to-end Security

Securing and protecting corporate data is of paramount concern for all enterprises. As businesses continue to adopt and expand mobility options as a means of improving worker productivity and end-user satisfaction, however, protecting corporate information and guarding against data loss becomes an increasingly complex challenge for IT departments. Underlining the situation is the fact that each personal-enabled device added to the corporate network brings with it a new opportunity in which sensitive enterprise data can be disclosed accidentally or intentionally stolen, either by the device user or by any untrusted application that is installed on the device. Accordingly, today’s resource-challenged IT departments require proven and comprehensive enterprise mobility management solutions that have integrated security designs and controls necessary to protect against these new risks while delivering the compelling work and life experience that employees demand.

But protecting corporate data from misuse and loss is only half of the story. A mobile security solution, even an ironclad one, must also secure work applications while delivering an environment that enables developers to quickly and effectively create enterprise applications. BlackBerry 10 delivers on this promise with a highly functional application environment that is transparent to developers.

BlackBerry 10 was designed from the ground up to provide enterprises with the optimal balance of protection and productivity. BlackBerry 10, BES10, the BlackBerry infrastructure and BlackBerry 10 devices constitute an ironclad security solution that spans your entire business and delivers a productive and feature-rich work environment with an integrated suite of productivity applications for your increasingly mobilized workforce.


BlackBerry® Z30 Smartphone | BlackBerry® Z10 Smartphone | BlackBerry® Q10 Smartphone | BlackBerry® Q5 Smartphone

Size
Z30: 140.7mm x 72mm x 9.4mm
Z10: 130mm x 65.6mm x 9mm
Q10: 119.6mm x 66.8mm x 10.35mm
Q5: 120mm x 66mm x 10.8mm

Display
Z30: 5" Super AMOLED display, 24-bit color, 1280 x 720 resolution at 295 PPI
Z10: 4.2" 4-point multi-touch LCD display, 1280 x 768 resolution at 356 DPI
Q10: 3.1" Super AMOLED display, 720 x 720 resolution at 330 PPI
Q5: 3.1" capacitive multi-touch LCD display, 720 x 720 resolution at 329 PPI

Software
Z30: BlackBerry® 10 OS
Z10: BlackBerry® 10 OS
Q10: BlackBerry® 10 OS
Q5: BlackBerry® 10 OS

Memory
Z30: 2GB RAM, 16GB Flash®, hot-swappable Micro SD slot
Z10: 2GB RAM, 16GB Flash®, hot-swappable Micro SD slot
Q10: 2GB RAM, 16GB Flash®, hot-swappable Micro SD slot
Q5: 2GB RAM, 8GB Flash®, hot-swappable Micro SD slot

Processor
Z30: Dual Core 1.7 GHz Qualcomm MSM8960, Quad-core GPU
Z10: Dual Core 1.5 GHz Texas Instruments OMAP 4470
Q10: Dual-core 1.5 GHz Qualcomm® MSM8960
Q5: Dual Core 1.2 GHz Qualcomm® MSM8960

Battery Life1
Z30: Mixed use: up to 25 hours; Talk time: up to 18 hours UMTS, 14 hours GSM; Standby time: up to 16 days; Music: up to 90 hours; Video: up to 12 hours
Z10: Talk time: up to 11 hours on 3G; Standby time: up to 408 hours on 3G, up to 397 hours on 2G; Music: up to 51 hours; Video: up to 10 hours
Q10: Talk time: up to 13.5 hours on 3G; Standby time: up to 345 hours on 3G, up to 324 hours on 2G; Music: up to 62 hours; Video: up to 9 hours
Q5: Talk time: 3G - up to 12.5 hours, 2G - up to 10 hours; Standby time: up to 14 days on 3G, up to 13 days on 4G; Music: up to 62 hours; Video: up to 9 hours

Camera
Z30: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
Z10: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
Q10: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
Q5: 5 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording

GPS
Z30: GPS-enabled with preloaded BlackBerry® Maps application
Z10: GPS-enabled with preloaded BlackBerry® Maps application
Q10: GPS-enabled with preloaded BlackBerry® Maps application
Q5: GPS-enabled with preloaded BlackBerry® Maps application

Bluetooth®
Z30: Bluetooth 4.0 Low Energy
Z10: Bluetooth 4.0 Low Energy
Q10: Bluetooth 4.0 Low Energy
Q5: Bluetooth 4.0 Low Energy

Wi-Fi®2
Z30: 802.11 a/b/g/n enabled, 4G Mobile Hotspot
Z10: 802.11 b/g/n enabled, Mobile Hotspot
Q10: 802.11 a/b/g/n enabled, 4G Mobile Hotspot
Q5: 802.11 b/g/n enabled, Mobile Hotspot

1 Many factors affect battery life, including but not limited to network transmission environment, battery age, usage, location, software and feature configuration.

2 WiFi availability may vary between country and mobile network operators.

Back to the Contents

BlackBerry Technical Support Services Support is a key component of your Enterprise Mobility Management strategy Implementing BES10 is easier than ever but having a strategic support partner is still essential to assist you in delivering your mobility objectives BlackBerry Technical Support Services offers a unique blend of technical expertise rapid issue resolution and proactive relationship-based support to help you realise the full potential of your BES10 multi-platform management infrastructure For more information visit blackberrycombtss

Learn more at BES10comsecurity

1 February 20142 August 20133 November 2013 4 Silver level EMM provides the management and control feature set for iOS Android and BlackBerry 10 devices previously

known as BES10 EMM Corporate5 Gold level EMM provides the management and control feature set for BlackBerry 10 devices previously known under the name

EMM Regulated and also covers the containerization option for iOS and Android management known as Secure Work Space for iOS and Android

Screen images simulated

copy 2014 BlackBerry All rights reserved BlackBerryreg and related trademarks names and logos are the property of BlackBerry Limited and are registered andor used in the US and countries around the world All other trademarks are the property of their respective owners iOS is a registered trademark of Cisco Systems Inc andor its affiliates in the US and certain other countries iOS is used under license by Apple Inc Apple Inc does not sponsor authorize or endorse this brochure Android is a trademark of Google Inc which does not sponsor authorize or endorse this brochure

EZ PASSFREE perpetual BES10 licenses for all existing BlackBerry and other active MDM licenses plus receive world class BlackBerry Advantage Level Technical Support FREE of charge

Learn more at blackberrycomezpass

Additional Terms and Conditions will apply

Leaders in innovation

Largest Research amp Development sta ofany EMM vendor3

Expansion of security modelto iOS and Android

Scalability Devices per server

100KBES10 servers globally

30K+44K

PATENTS1 1

Back to the Contents

17

Back to the Contents

Managing Devices With BES10 you can also easily manage iOS and Androidtrade devices from a central location

A typical enterprise may contain hundreds of devices each one a potential unauthorized entry point into your corporate servers To help IT departments get a handle on the large number and diversity of devices attached to your network BlackBerry has extended its security model to iOS and Android smartphones and tablets through BES10 With the ability to use BES10 to manage multiple types of devices from a single platform and management console IT administrators are able to strike the perfect balance between corporate and end user needs

Secure Work Space for iOS and Android BlackBerry has also extended its ability to protect corporate data through the creation of secure computing and communications environments to iOS and Android devices Secure Work Space is a containerization application-wrapping and secure connectivity option for iOS and Android smartphones and tablets that is managed through the BES10 administration console Managed applications are secured and separated from personal apps and data providing an integrated email calendar and contacts app an enterprise-level secure browser and secure document viewing and editing User authentication is required to access secure apps and work data cannot be shared outside the Secure Work Space The trusted BlackBerry security model provides built-in secure connectivity for all enterprise apps deployed to the Secure Work Space ndash no VPN needed

18

BlackBerry Mobile Device Management in Action

Your company has hired several new employees ndash each due to receive a BlackBerry 10 smartphone The IT department quickly and easily adds a user account for each employee into BES10 using information from your companyrsquos Microsoft Active Directory An activation password for each account is created along with the Server Routing Protocol (SRP) ID of the BES10 and delivered to the respective employee

The new employees type their user IDs passwords and SRP IDs into their BlackBerry 10 devices to activate them The smartphonersquos enterprise management agent establishes a secure connection through the BlackBerry infrastructure

over the network to BES10 Encryption keys based on IT department policies are generated Work Spaces are created and profiles and software configurations are sent to each smartphone In just a few short steps the incoming employees are empowered with fully functional and secure mobile devices

19 Managing Devices cont

Back to the Contents

Back to the Contents

Managing Devices Using Device Wipe With BES10 and BlackBerry Balance you can keep company data safe while leaving employee personal data intact Using BES10 you can remotely wipe an employeersquos Work Space and all its content leaving all personal data on the device in place

You can also use BES10 to create policies that delete the Work Space from the device if certain events occur or specific conditions are met For example you can create a policy to delete the Work Space if the number of failed password attempts exceeds the maximum number allowed You can also wipe the device if employees exceed their allotment of permitted hours or days since the last network connection

Device Wipe in Action An employee has just received a job offer from a competitor This employee works in your companyrsquos procurement department and has access to the company enterprise resource planning (ERP) system via her BlackBerry 10 device Using the ERP system application the employee can see the companyrsquos suppliers vendors parts inventory backlogs sales projections and more

The employee accepts the job offer and gives a two-week notice Her manager alerts HR and IT departments about her upcoming departure On her last day IT wipes the employeersquos work profile from her BlackBerry 10 device which prevents her from accessing the ERP and email systems However all of her personal information remains intact on her device as she moves on to her next job

Distribution and Application Security Using Blackberry World for Work A benefit of BlackBerry Balance is that it allows IT to create and deploy a customized business application store called BlackBerry World for Work With BlackBerry World for Work you can push install and manage business and productivity applications over the network to BlackBerry 10 device Work Spaces via BES10

Application Sandboxing The application sandboxing and malware controls found in BlackBerry 10 help keep company data safe and secure from potentially malicious applications BlackBerry 10 also protects employeesrsquo personal data by allowing them to configure their devicesrsquo application controls and limit application access to their personal information

Sandboxing separates and restricts an applicationrsquos capabilities and permissions The sandbox is a virtual container that uses device memory and part of the file system and grants access to the application at a specific time Applications can have sandboxes in both an employeersquos Work Space and Personal Space yet each remains isolated from the other The BlackBerry 10 OS monitors application process requests for memory outside its sandbox If the application attempts to access memory outside its sandbox the BlackBerry 10 OS will stop the process and reclaim the memory it uses then restart the process without impacting other processes operating at the same time In addition each application is assigned its own specific group identification which cannot be shared or reused by another application Each application stores data in its own sandbox and the BlackBerry 10 OS prevents other applications from accessing this specific data

Malware Controls The BlackBerry 10 OS includes tight controls to reduce the possibility of malware attacks including a lsquocontain-and-constrainrsquo strategy that minimizes risks Application process requests are constrained within employeesrsquo Personal Space on the device and the BlackBerry OS microkernel monitors inter-process communications for potential issues The microkernel also monitors memory access by the Personal Space and authorizes its use as needed Any application process that attempts an unauthorized memory access request is automatically restarted or shut down protecting your company data In the employeersquos Personal Space application permissions are used to protect personal data from potential malware attacks

Malware Protection in Action Instead of downloading an application to the device from the prescribed channel an employee downloads an application from the Internet to her personal computer then moves the application which contains malware to the devices Personal Space The malware scans the employeersquos device for names phone numbers credit card numbers or any other bits of identity information that can be stolen and misused

Work-related information is not impacted as all company information remains isolated and locked down on the devicersquos Work Space fully protected and secure

20 Managing Devices cont

Back to the Contents

End-to-end Security

Securing and protecting corporate data is of paramount concern for all enterprises As businesses continue to adopt and expand mobility options as a means of improving worker productivity and end-user satisfaction however protecting corporate information and guarding against data loss becomes an increasingly complex challenge for IT departments Underlining the situation is the fact that each personal-enabled device added to the corporate network brings with it a new opportunity in which sensitive enterprise data can be disclosed accidentally or intentionally stolen either by the device user or by any untrusted application that is installed on the device Accordingly todayrsquos resource-challenged IT departments require proven and comprehensive enterprise mobility management solutions that have integrated security designs and controls necessary to protect against these new risks while delivering the compelling work and life experience that employees demand

But protecting corporate data from misuse and loss is only half of the story A mobile security solution even an ironclad one must also secure work applications while delivering an environment that enables developers to quickly and effectively create enterprise applications BlackBerry 10 delivers on this promise with a highly functional application environment that is transparent to developers

BlackBerry 10 was designed from the ground up to provide enterprises with the optimal balance of protection and productivity BlackBerry 10 BES10 the BlackBerry infrastructure and BlackBerry 10 devices constitute an ironclad security solution that spans your entire business and delivers a productive and feature-rich work environment with an integrated suite of productivity applications for your increasingly mobilized workforce

21 Managing Devices cont

Back to the Contents

BlackBerryreg Z30 Smartphone BlackBerryreg Z10 Smartphone BlackBerryreg Q10 Smartphone BlackBerryreg Q5 Smartphone

Size 1407mm x 72mm x 94mm 130mm x 656mm x 9mm 1196mm x 668mm x 1035mm 120mm x 66mm x 108mm

Display 5super AMOLED display 24 bit color1280 x 720 resolution at 295 PPI

42 4-point multi-touch LCD display1280 x 768 resolution at 356 DPI

31 Super AMO LED display720 x720 resolution at 330 PPI

31 Capacitive multi-touch LCD display720x720 resolution at 329 PPI

Software BlackBerryreg 10 OS BlackBerryreg 10 OS BlackBerryreg 10 OS BlackBerryreg 10 OS

Memory 2GB RAM 16GB Flashreghot-swappable Micro SD slot

2GB RAM 16GB Flashreghot-swappable Micro SD slot

2GB RAM 16GB Flashreghot-swappable Micro SD slot

2GB RAM 8GB Flashreghot-swappable Micro SD slot

Processor Dual Core 17 GHz Qualcomm MSM8960Quad-core GPU

Dual Core 15 GHz Texas Instruments OMAP 4470

Dual-core 15 GHz Qualcommreg MSM8960

Dual Core 12 GHz Qualcommreg MSM8960

Battery Life1 Mixed use Up to 25 hours

Talk time Up to 18 hours UMTS14 hours GSM

Standby time Up to 16 days

Music Up to 90 hours

Video Up to 12 hours

Talk Time up to 11 hours on 3G

Standby Time up to 408 hours on 3G up to 397 hours on 2G

Music up to 51 hours

Video up to 10 hours

Talk Time up to 135 hours on 3G

Standby Time up to 345 hours on 3G up to 324 hours on 2G

Music up to 62 hours

Video up to 9 hours

Talk Time 3G - up to 125 hours 2G - up to 10 hours

Standby Time up to 14 days on 3G up to 13 days on 4G

Music up to 62 hours

Video up to 9 hours

Camera 8 MP rear-facing camera

5x digital zoom

1080p HDvideo recording 2MP front-facing camera

3x digital zoom

720p HD video recording

8 MP rear-facing camera

5x digital zoom

1080p HDvideo recording 2MP front-facing camera

3x digital zoom

720p HD video recording

8 MP rear-facing camera

5x digital zoom

1080p HDvideo recording 2MP front-facing camera

3x digital zoom

720p HD video recording

5 MP rear-facing camera

5x digital zoom

1080p HDvideo recording 2MP front-facing camera

3x digital zoom

720p HD video recording

GPS GPS-enabled with preloadedBlackBerryreg Maps application

GPS-enabled with preloadedBlackBerryreg Maps application

GPS-enabled with preloadedBlackBerryreg Maps application

GPS-enabled with preloadedBlackBerryreg Maps application

Blueteoothreg Bluetooth 40 Low Energy Bluetooth 40 Low Energy Bluetooth 40 Low Energy Bluetooth 40 Low Energy

Wi-Fireg2 80211 abgn enabled 4G Mobile Hotspot

80211 bgn enabled Mobile Hotspot

80211 abgn enabled 4G Mobile Hotspot

80211 bgn enabled Mobile Hotspot

1 Many factors affect battery life including but not limited to network transmission environment battery age usage location software and feature configuration 2 WiFi availability may vary between country and mobile network operators

Back to the Contents

BlackBerry Technical Support Services Support is a key component of your Enterprise Mobility Management strategy Implementing BES10 is easier than ever but having a strategic support partner is still essential to assist you in delivering your mobility objectives BlackBerry Technical Support Services offers a unique blend of technical expertise rapid issue resolution and proactive relationship-based support to help you realise the full potential of your BES10 multi-platform management infrastructure For more information visit blackberrycombtss

Learn more at BES10comsecurity

1 February 2014
2 August 2013
3 November 2013
4 Silver level EMM provides the management and control feature set for iOS, Android and BlackBerry 10 devices, previously known as BES10 EMM Corporate.
5 Gold level EMM provides the management and control feature set for BlackBerry 10 devices, previously known under the name EMM Regulated, and also covers the containerization option for iOS and Android management, known as Secure Work Space for iOS and Android.

Screen images simulated.

© 2014 BlackBerry. All rights reserved. BlackBerry® and related trademarks, names and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world. All other trademarks are the property of their respective owners. iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS is used under license by Apple Inc. Apple Inc. does not sponsor, authorize or endorse this brochure. Android is a trademark of Google Inc., which does not sponsor, authorize or endorse this brochure.

EZ PASS

FREE perpetual BES10 licenses for all existing BlackBerry and other active MDM licenses, plus receive world class BlackBerry Advantage Level Technical Support FREE of charge.

Learn more at blackberry.com/ezpass

Additional Terms and Conditions will apply.


Managing Devices

With BES10, you can also easily manage iOS and Android™ devices from a central location.

A typical enterprise may contain hundreds of devices, each one a potential unauthorized entry point into your corporate servers. To help IT departments get a handle on the large number and diversity of devices attached to your network, BlackBerry has extended its security model to iOS and Android smartphones and tablets through BES10. With the ability to use BES10 to manage multiple types of devices from a single platform and management console, IT administrators are able to strike the perfect balance between corporate and end user needs.

Secure Work Space for iOS and Android

BlackBerry has also extended its ability to protect corporate data, through the creation of secure computing and communications environments, to iOS and Android devices. Secure Work Space is a containerization, application-wrapping and secure connectivity option for iOS and Android smartphones and tablets that is managed through the BES10 administration console. Managed applications are secured and separated from personal apps and data, providing an integrated email, calendar and contacts app, an enterprise-level secure browser, and secure document viewing and editing. User authentication is required to access secure apps, and work data cannot be shared outside the Secure Work Space. The trusted BlackBerry security model provides built-in secure connectivity for all enterprise apps deployed to the Secure Work Space – no VPN needed.


BlackBerry Mobile Device Management in Action

Your company has hired several new employees – each due to receive a BlackBerry 10 smartphone. The IT department quickly and easily adds a user account for each employee into BES10 using information from your company’s Microsoft Active Directory. An activation password for each account is created, along with the Server Routing Protocol (SRP) ID of the BES10, and delivered to the respective employee.

The new employees type their user IDs, passwords and SRP IDs into their BlackBerry 10 devices to activate them. The smartphone’s enterprise management agent establishes a secure connection through the BlackBerry infrastructure over the network to BES10. Encryption keys based on IT department policies are generated, Work Spaces are created, and profiles and software configurations are sent to each smartphone. In just a few short steps, the incoming employees are empowered with fully functional and secure mobile devices.


Managing Devices Using Device Wipe

With BES10 and BlackBerry Balance, you can keep company data safe while leaving employee personal data intact. Using BES10, you can remotely wipe an employee’s Work Space and all its content, leaving all personal data on the device in place.

You can also use BES10 to create policies that delete the Work Space from the device if certain events occur or specific conditions are met. For example, you can create a policy to delete the Work Space if the number of failed password attempts exceeds the maximum number allowed. You can also wipe the device if employees exceed their allotment of permitted hours or days since the last network connection.

Device Wipe in Action

An employee has just received a job offer from a competitor. This employee works in your company’s procurement department and has access to the company enterprise resource planning (ERP) system via her BlackBerry 10 device. Using the ERP system application, the employee can see the company’s suppliers, vendors, parts inventory, backlogs, sales projections and more.

The employee accepts the job offer and gives a two-week notice. Her manager alerts HR and IT departments about her upcoming departure. On her last day, IT wipes the employee’s work profile from her BlackBerry 10 device, which prevents her from accessing the ERP and email systems. However, all of her personal information remains intact on her device as she moves on to her next job.

Distribution and Application Security Using BlackBerry World for Work

A benefit of BlackBerry Balance is that it allows IT to create and deploy a customized business application store called BlackBerry World for Work. With BlackBerry World for Work, you can push, install and manage business and productivity applications over the network to BlackBerry 10 device Work Spaces via BES10.

Application Sandboxing

The application sandboxing and malware controls found in BlackBerry 10 help keep company data safe and secure from potentially malicious applications. BlackBerry 10 also protects employees’ personal data by allowing them to configure their devices’ application controls and limit application access to their personal information.

Sandboxing separates and restricts an application’s capabilities and permissions. The sandbox is a virtual container that uses device memory and part of the file system, and grants access to the application at a specific time. Applications can have sandboxes in both an employee’s Work Space and Personal Space, yet each remains isolated from the other. The BlackBerry 10 OS monitors application process requests for memory outside its sandbox. If the application attempts to access memory outside its sandbox, the BlackBerry 10 OS will stop the process and reclaim the memory it uses, then restart the process without impacting other processes operating at the same time. In addition, each application is assigned its own specific group identification, which cannot be shared or reused by another application. Each application stores data in its own sandbox, and the BlackBerry 10 OS prevents other applications from accessing this specific data.

Malware Controls

The BlackBerry 10 OS includes tight controls to reduce the possibility of malware attacks, including a ‘contain-and-constrain’ strategy that minimizes risks. Application process requests are constrained within employees’ Personal Space on the device, and the BlackBerry OS microkernel monitors inter-process communications for potential issues. The microkernel also monitors memory access by the Personal Space and authorizes its use as needed. Any application process that attempts an unauthorized memory access request is automatically restarted or shut down, protecting your company data. In the employee’s Personal Space, application permissions are used to protect personal data from potential malware attacks.

Malware Protection in Action

Instead of downloading an application to the device from the prescribed channel, an employee downloads an application from the Internet to her personal computer, then moves the application, which contains malware, to the device’s Personal Space. The malware scans the employee’s device for names, phone numbers, credit card numbers or any other bits of identity information that can be stolen and misused.

Work-related information is not impacted, as all company information remains isolated and locked down on the device’s Work Space, fully protected and secure.


End-to-end Security

Securing and protecting corporate data is of paramount concern for all enterprises. As businesses continue to adopt and expand mobility options as a means of improving worker productivity and end-user satisfaction, however, protecting corporate information and guarding against data loss becomes an increasingly complex challenge for IT departments. Underlining the situation is the fact that each personal-enabled device added to the corporate network brings with it a new opportunity in which sensitive enterprise data can be disclosed accidentally or intentionally stolen, either by the device user or by any untrusted application that is installed on the device. Accordingly, today’s resource-challenged IT departments require proven and comprehensive enterprise mobility management solutions that have integrated security designs and controls necessary to protect against these new risks, while delivering the compelling work and life experience that employees demand.

But protecting corporate data from misuse and loss is only half of the story. A mobile security solution, even an ironclad one, must also secure work applications while delivering an environment that enables developers to quickly and effectively create enterprise applications. BlackBerry 10 delivers on this promise with a highly functional application environment that is transparent to developers.

BlackBerry 10 was designed from the ground up to provide enterprises with the optimal balance of protection and productivity. BlackBerry 10, BES10, the BlackBerry infrastructure and BlackBerry 10 devices constitute an ironclad security solution that spans your entire business and delivers a productive and feature-rich work environment, with an integrated suite of productivity applications, for your increasingly mobilized workforce.


BlackBerry® Z30 Smartphone

Size: 140.7mm x 72mm x 9.4mm
Display: 5" Super AMOLED display, 24-bit color, 1280 x 720 resolution at 295 PPI
Software: BlackBerry® 10 OS
Memory: 2GB RAM, 16GB Flash®, hot-swappable Micro SD slot
Processor: Dual Core 1.7 GHz Qualcomm MSM8960, Quad-core GPU
Battery Life¹: Mixed use: up to 25 hours. Talk time: up to 18 hours UMTS, 14 hours GSM. Standby time: up to 16 days. Music: up to 90 hours. Video: up to 12 hours.
Camera: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®²: 802.11 a/b/g/n enabled, 4G Mobile Hotspot

BlackBerry® Z10 Smartphone

Size: 130mm x 65.6mm x 9mm
Display: 4.2" 4-point multi-touch LCD display, 1280 x 768 resolution at 356 DPI
Software: BlackBerry® 10 OS
Memory: 2GB RAM, 16GB Flash®, hot-swappable Micro SD slot
Processor: Dual Core 1.5 GHz Texas Instruments OMAP 4470
Battery Life¹: Talk time: up to 11 hours on 3G. Standby time: up to 408 hours on 3G, up to 397 hours on 2G. Music: up to 51 hours. Video: up to 10 hours.
Camera: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®²: 802.11 b/g/n enabled, Mobile Hotspot

BlackBerry® Q10 Smartphone

Size: 119.6mm x 66.8mm x 10.35mm
Display: 3.1" Super AMOLED display, 720 x 720 resolution at 330 PPI
Software: BlackBerry® 10 OS
Memory: 2GB RAM, 16GB Flash®, hot-swappable Micro SD slot
Processor: Dual-core 1.5 GHz Qualcomm® MSM8960
Battery Life¹: Talk time: up to 13.5 hours on 3G. Standby time: up to 345 hours on 3G, up to 324 hours on 2G. Music: up to 62 hours. Video: up to 9 hours.
Camera: 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®²: 802.11 a/b/g/n enabled, 4G Mobile Hotspot

BlackBerry® Q5 Smartphone

Size: 120mm x 66mm x 10.8mm
Display: 3.1" capacitive multi-touch LCD display, 720 x 720 resolution at 329 PPI
Software: BlackBerry® 10 OS
Memory: 2GB RAM, 8GB Flash®, hot-swappable Micro SD slot
Processor: Dual Core 1.2 GHz Qualcomm® MSM8960
Battery Life¹: Talk time: 3G - up to 12.5 hours, 2G - up to 10 hours. Standby time: up to 14 days on 3G, up to 13 days on 4G. Music: up to 62 hours. Video: up to 9 hours.
Camera: 5 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS: GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth®: Bluetooth 4.0 Low Energy
Wi-Fi®²: 802.11 b/g/n enabled, Mobile Hotspot

1 Many factors affect battery life, including but not limited to network transmission environment, battery age, usage, location, software and feature configuration.
2 WiFi availability may vary between country and mobile network operators.

Back to the Contents

BlackBerry Technical Support Services Support is a key component of your Enterprise Mobility Management strategy Implementing BES10 is easier than ever but having a strategic support partner is still essential to assist you in delivering your mobility objectives BlackBerry Technical Support Services offers a unique blend of technical expertise rapid issue resolution and proactive relationship-based support to help you realise the full potential of your BES10 multi-platform management infrastructure For more information visit blackberrycombtss

Learn more at BES10comsecurity

1 February 20142 August 20133 November 2013 4 Silver level EMM provides the management and control feature set for iOS Android and BlackBerry 10 devices previously

known as BES10 EMM Corporate5 Gold level EMM provides the management and control feature set for BlackBerry 10 devices previously known under the name

EMM Regulated and also covers the containerization option for iOS and Android management known as Secure Work Space for iOS and Android

Screen images simulated

copy 2014 BlackBerry All rights reserved BlackBerryreg and related trademarks names and logos are the property of BlackBerry Limited and are registered andor used in the US and countries around the world All other trademarks are the property of their respective owners iOS is a registered trademark of Cisco Systems Inc andor its affiliates in the US and certain other countries iOS is used under license by Apple Inc Apple Inc does not sponsor authorize or endorse this brochure Android is a trademark of Google Inc which does not sponsor authorize or endorse this brochure

EZ PASSFREE perpetual BES10 licenses for all existing BlackBerry and other active MDM licenses plus receive world class BlackBerry Advantage Level Technical Support FREE of charge

Learn more at blackberrycomezpass

Additional Terms and Conditions will apply

BlackBerry Mobile Device Management in Action

Your company has hired several new employees ndash each due to receive a BlackBerry 10 smartphone The IT department quickly and easily adds a user account for each employee into BES10 using information from your companyrsquos Microsoft Active Directory An activation password for each account is created along with the Server Routing Protocol (SRP) ID of the BES10 and delivered to the respective employee

The new employees type their user IDs passwords and SRP IDs into their BlackBerry 10 devices to activate them The smartphonersquos enterprise management agent establishes a secure connection through the BlackBerry infrastructure

over the network to BES10 Encryption keys based on IT department policies are generated Work Spaces are created and profiles and software configurations are sent to each smartphone In just a few short steps the incoming employees are empowered with fully functional and secure mobile devices

19 Managing Devices cont

Back to the Contents

Back to the Contents

Managing Devices Using Device Wipe With BES10 and BlackBerry Balance you can keep company data safe while leaving employee personal data intact Using BES10 you can remotely wipe an employeersquos Work Space and all its content leaving all personal data on the device in place

You can also use BES10 to create policies that delete the Work Space from the device if certain events occur or specific conditions are met For example you can create a policy to delete the Work Space if the number of failed password attempts exceeds the maximum number allowed You can also wipe the device if employees exceed their allotment of permitted hours or days since the last network connection

Device Wipe in Action An employee has just received a job offer from a competitor This employee works in your companyrsquos procurement department and has access to the company enterprise resource planning (ERP) system via her BlackBerry 10 device Using the ERP system application the employee can see the companyrsquos suppliers vendors parts inventory backlogs sales projections and more

The employee accepts the job offer and gives a two-week notice Her manager alerts HR and IT departments about her upcoming departure On her last day IT wipes the employeersquos work profile from her BlackBerry 10 device which prevents her from accessing the ERP and email systems However all of her personal information remains intact on her device as she moves on to her next job

Distribution and Application Security Using Blackberry World for Work A benefit of BlackBerry Balance is that it allows IT to create and deploy a customized business application store called BlackBerry World for Work With BlackBerry World for Work you can push install and manage business and productivity applications over the network to BlackBerry 10 device Work Spaces via BES10

Application Sandboxing The application sandboxing and malware controls found in BlackBerry 10 help keep company data safe and secure from potentially malicious applications BlackBerry 10 also protects employeesrsquo personal data by allowing them to configure their devicesrsquo application controls and limit application access to their personal information

Sandboxing separates and restricts an applicationrsquos capabilities and permissions The sandbox is a virtual container that uses device memory and part of the file system and grants access to the application at a specific time Applications can have sandboxes in both an employeersquos Work Space and Personal Space yet each remains isolated from the other The BlackBerry 10 OS monitors application process requests for memory outside its sandbox If the application attempts to access memory outside its sandbox the BlackBerry 10 OS will stop the process and reclaim the memory it uses then restart the process without impacting other processes operating at the same time In addition each application is assigned its own specific group identification which cannot be shared or reused by another application Each application stores data in its own sandbox and the BlackBerry 10 OS prevents other applications from accessing this specific data

Malware Controls The BlackBerry 10 OS includes tight controls to reduce the possibility of malware attacks including a lsquocontain-and-constrainrsquo strategy that minimizes risks Application process requests are constrained within employeesrsquo Personal Space on the device and the BlackBerry OS microkernel monitors inter-process communications for potential issues The microkernel also monitors memory access by the Personal Space and authorizes its use as needed Any application process that attempts an unauthorized memory access request is automatically restarted or shut down protecting your company data In the employeersquos Personal Space application permissions are used to protect personal data from potential malware attacks

Malware Protection in Action Instead of downloading an application to the device from the prescribed channel an employee downloads an application from the Internet to her personal computer then moves the application which contains malware to the devices Personal Space The malware scans the employeersquos device for names phone numbers credit card numbers or any other bits of identity information that can be stolen and misused

Work-related information is not impacted as all company information remains isolated and locked down on the devicersquos Work Space fully protected and secure

20 Managing Devices cont

Back to the Contents

End-to-end Security

Securing and protecting corporate data is of paramount concern for all enterprises As businesses continue to adopt and expand mobility options as a means of improving worker productivity and end-user satisfaction however protecting corporate information and guarding against data loss becomes an increasingly complex challenge for IT departments Underlining the situation is the fact that each personal-enabled device added to the corporate network brings with it a new opportunity in which sensitive enterprise data can be disclosed accidentally or intentionally stolen either by the device user or by any untrusted application that is installed on the device Accordingly todayrsquos resource-challenged IT departments require proven and comprehensive enterprise mobility management solutions that have integrated security designs and controls necessary to protect against these new risks while delivering the compelling work and life experience that employees demand

But protecting corporate data from misuse and loss is only half of the story A mobile security solution even an ironclad one must also secure work applications while delivering an environment that enables developers to quickly and effectively create enterprise applications BlackBerry 10 delivers on this promise with a highly functional application environment that is transparent to developers

BlackBerry 10 was designed from the ground up to provide enterprises with the optimal balance of protection and productivity BlackBerry 10 BES10 the BlackBerry infrastructure and BlackBerry 10 devices constitute an ironclad security solution that spans your entire business and delivers a productive and feature-rich work environment with an integrated suite of productivity applications for your increasingly mobilized workforce

21 Managing Devices cont

Back to the Contents

BlackBerryreg Z30 Smartphone BlackBerryreg Z10 Smartphone BlackBerryreg Q10 Smartphone BlackBerryreg Q5 Smartphone

Size 1407mm x 72mm x 94mm 130mm x 656mm x 9mm 1196mm x 668mm x 1035mm 120mm x 66mm x 108mm

Display 5super AMOLED display 24 bit color1280 x 720 resolution at 295 PPI

42 4-point multi-touch LCD display1280 x 768 resolution at 356 DPI

31 Super AMO LED display720 x720 resolution at 330 PPI

31 Capacitive multi-touch LCD display720x720 resolution at 329 PPI

Software BlackBerryreg 10 OS BlackBerryreg 10 OS BlackBerryreg 10 OS BlackBerryreg 10 OS

Memory 2GB RAM 16GB Flashreghot-swappable Micro SD slot

2GB RAM 16GB Flashreghot-swappable Micro SD slot

2GB RAM 16GB Flashreghot-swappable Micro SD slot

2GB RAM 8GB Flashreghot-swappable Micro SD slot

Processor Dual Core 17 GHz Qualcomm MSM8960Quad-core GPU

Dual Core 15 GHz Texas Instruments OMAP 4470

Dual-core 15 GHz Qualcommreg MSM8960

Dual Core 12 GHz Qualcommreg MSM8960

Battery Life1 Mixed use Up to 25 hours

Talk time Up to 18 hours UMTS14 hours GSM

Standby time Up to 16 days

Music Up to 90 hours

Video Up to 12 hours

Talk Time up to 11 hours on 3G

Standby Time up to 408 hours on 3G up to 397 hours on 2G

Music up to 51 hours

Video up to 10 hours

Talk Time up to 135 hours on 3G

Standby Time up to 345 hours on 3G up to 324 hours on 2G

Music up to 62 hours

Video up to 9 hours

Talk Time 3G - up to 125 hours 2G - up to 10 hours

Standby Time up to 14 days on 3G up to 13 days on 4G

Music up to 62 hours

Video up to 9 hours

Camera 8 MP rear-facing camera

5x digital zoom

1080p HDvideo recording 2MP front-facing camera

3x digital zoom

720p HD video recording

8 MP rear-facing camera

5x digital zoom

1080p HDvideo recording 2MP front-facing camera

3x digital zoom

720p HD video recording

8 MP rear-facing camera

5x digital zoom

1080p HDvideo recording 2MP front-facing camera

3x digital zoom

720p HD video recording

5 MP rear-facing camera

5x digital zoom

1080p HDvideo recording 2MP front-facing camera

3x digital zoom

720p HD video recording

GPS GPS-enabled with preloadedBlackBerryreg Maps application

GPS-enabled with preloadedBlackBerryreg Maps application

GPS-enabled with preloadedBlackBerryreg Maps application

GPS-enabled with preloadedBlackBerryreg Maps application

Blueteoothreg Bluetooth 40 Low Energy Bluetooth 40 Low Energy Bluetooth 40 Low Energy Bluetooth 40 Low Energy

Wi-Fireg2 80211 abgn enabled 4G Mobile Hotspot

80211 bgn enabled Mobile Hotspot

80211 abgn enabled 4G Mobile Hotspot

80211 bgn enabled Mobile Hotspot

1 Many factors affect battery life including but not limited to network transmission environment battery age usage location software and feature configuration 2 WiFi availability may vary between country and mobile network operators

Back to the Contents

BlackBerry Technical Support Services Support is a key component of your Enterprise Mobility Management strategy Implementing BES10 is easier than ever but having a strategic support partner is still essential to assist you in delivering your mobility objectives BlackBerry Technical Support Services offers a unique blend of technical expertise rapid issue resolution and proactive relationship-based support to help you realise the full potential of your BES10 multi-platform management infrastructure For more information visit blackberrycombtss

Learn more at BES10comsecurity

1 February 20142 August 20133 November 2013 4 Silver level EMM provides the management and control feature set for iOS Android and BlackBerry 10 devices previously

known as BES10 EMM Corporate5 Gold level EMM provides the management and control feature set for BlackBerry 10 devices previously known under the name

EMM Regulated and also covers the containerization option for iOS and Android management known as Secure Work Space for iOS and Android

Screen images simulated

copy 2014 BlackBerry All rights reserved BlackBerryreg and related trademarks names and logos are the property of BlackBerry Limited and are registered andor used in the US and countries around the world All other trademarks are the property of their respective owners iOS is a registered trademark of Cisco Systems Inc andor its affiliates in the US and certain other countries iOS is used under license by Apple Inc Apple Inc does not sponsor authorize or endorse this brochure Android is a trademark of Google Inc which does not sponsor authorize or endorse this brochure

EZ PASSFREE perpetual BES10 licenses for all existing BlackBerry and other active MDM licenses plus receive world class BlackBerry Advantage Level Technical Support FREE of charge

Learn more at blackberrycomezpass

Additional Terms and Conditions will apply

Back to the Contents

Managing Devices Using Device Wipe With BES10 and BlackBerry Balance you can keep company data safe while leaving employee personal data intact Using BES10 you can remotely wipe an employeersquos Work Space and all its content leaving all personal data on the device in place

You can also use BES10 to create policies that delete the Work Space from the device if certain events occur or specific conditions are met For example you can create a policy to delete the Work Space if the number of failed password attempts exceeds the maximum number allowed You can also wipe the device if employees exceed their allotment of permitted hours or days since the last network connection

Device Wipe in Action An employee has just received a job offer from a competitor This employee works in your companyrsquos procurement department and has access to the company enterprise resource planning (ERP) system via her BlackBerry 10 device Using the ERP system application the employee can see the companyrsquos suppliers vendors parts inventory backlogs sales projections and more

The employee accepts the job offer and gives a two-week notice Her manager alerts HR and IT departments about her upcoming departure On her last day IT wipes the employeersquos work profile from her BlackBerry 10 device which prevents her from accessing the ERP and email systems However all of her personal information remains intact on her device as she moves on to her next job

Distribution and Application Security Using Blackberry World for Work A benefit of BlackBerry Balance is that it allows IT to create and deploy a customized business application store called BlackBerry World for Work With BlackBerry World for Work you can push install and manage business and productivity applications over the network to BlackBerry 10 device Work Spaces via BES10

Application Sandboxing The application sandboxing and malware controls found in BlackBerry 10 help keep company data safe and secure from potentially malicious applications BlackBerry 10 also protects employeesrsquo personal data by allowing them to configure their devicesrsquo application controls and limit application access to their personal information

Sandboxing separates and restricts an applicationrsquos capabilities and permissions The sandbox is a virtual container that uses device memory and part of the file system and grants access to the application at a specific time Applications can have sandboxes in both an employeersquos Work Space and Personal Space yet each remains isolated from the other The BlackBerry 10 OS monitors application process requests for memory outside its sandbox If the application attempts to access memory outside its sandbox the BlackBerry 10 OS will stop the process and reclaim the memory it uses then restart the process without impacting other processes operating at the same time In addition each application is assigned its own specific group identification which cannot be shared or reused by another application Each application stores data in its own sandbox and the BlackBerry 10 OS prevents other applications from accessing this specific data

Malware Controls The BlackBerry 10 OS includes tight controls to reduce the possibility of malware attacks including a lsquocontain-and-constrainrsquo strategy that minimizes risks Application process requests are constrained within employeesrsquo Personal Space on the device and the BlackBerry OS microkernel monitors inter-process communications for potential issues The microkernel also monitors memory access by the Personal Space and authorizes its use as needed Any application process that attempts an unauthorized memory access request is automatically restarted or shut down protecting your company data In the employeersquos Personal Space application permissions are used to protect personal data from potential malware attacks

Malware Protection in Action Instead of downloading an application to the device from the prescribed channel an employee downloads an application from the Internet to her personal computer then moves the application which contains malware to the devices Personal Space The malware scans the employeersquos device for names phone numbers credit card numbers or any other bits of identity information that can be stolen and misused

Work-related information is not impacted as all company information remains isolated and locked down on the devicersquos Work Space fully protected and secure

20 Managing Devices cont

Back to the Contents

End-to-end Security

Securing and protecting corporate data is of paramount concern for all enterprises As businesses continue to adopt and expand mobility options as a means of improving worker productivity and end-user satisfaction however protecting corporate information and guarding against data loss becomes an increasingly complex challenge for IT departments Underlining the situation is the fact that each personal-enabled device added to the corporate network brings with it a new opportunity in which sensitive enterprise data can be disclosed accidentally or intentionally stolen either by the device user or by any untrusted application that is installed on the device Accordingly todayrsquos resource-challenged IT departments require proven and comprehensive enterprise mobility management solutions that have integrated security designs and controls necessary to protect against these new risks while delivering the compelling work and life experience that employees demand

But protecting corporate data from misuse and loss is only half of the story A mobile security solution even an ironclad one must also secure work applications while delivering an environment that enables developers to quickly and effectively create enterprise applications BlackBerry 10 delivers on this promise with a highly functional application environment that is transparent to developers

BlackBerry 10 was designed from the ground up to provide enterprises with the optimal balance of protection and productivity BlackBerry 10 BES10 the BlackBerry infrastructure and BlackBerry 10 devices constitute an ironclad security solution that spans your entire business and delivers a productive and feature-rich work environment with an integrated suite of productivity applications for your increasingly mobilized workforce


| | BlackBerry® Z30 Smartphone | BlackBerry® Z10 Smartphone | BlackBerry® Q10 Smartphone | BlackBerry® Q5 Smartphone |
|---|---|---|---|---|
| Size | 140.7mm x 72mm x 9.4mm | 130mm x 65.6mm x 9mm | 119.6mm x 66.8mm x 10.35mm | 120mm x 66mm x 10.8mm |
| Display | 5" Super AMOLED display; 24-bit color; 1280 x 720 resolution at 295 PPI | 4.2" 4-point multi-touch LCD display; 1280 x 768 resolution at 356 DPI | 3.1" Super AMOLED display; 720 x 720 resolution at 330 PPI | 3.1" capacitive multi-touch LCD display; 720 x 720 resolution at 329 PPI |
| Software | BlackBerry® 10 OS | BlackBerry® 10 OS | BlackBerry® 10 OS | BlackBerry® 10 OS |
| Memory | 2GB RAM, 16GB Flash®; hot-swappable Micro SD slot | 2GB RAM, 16GB Flash®; hot-swappable Micro SD slot | 2GB RAM, 16GB Flash®; hot-swappable Micro SD slot | 2GB RAM, 8GB Flash®; hot-swappable Micro SD slot |
| Processor | Dual Core 1.7 GHz Qualcomm MSM8960; Quad-core GPU | Dual Core 1.5 GHz Texas Instruments OMAP 4470 | Dual-core 1.5 GHz Qualcomm® MSM8960 | Dual Core 1.2 GHz Qualcomm® MSM8960 |
| Battery Life (1) | Mixed use: up to 25 hours; Talk time: up to 18 hours UMTS, 14 hours GSM; Standby time: up to 16 days; Music: up to 90 hours; Video: up to 12 hours | Talk time: up to 11 hours on 3G; Standby time: up to 408 hours on 3G, up to 397 hours on 2G; Music: up to 51 hours; Video: up to 10 hours | Talk time: up to 13.5 hours on 3G; Standby time: up to 345 hours on 3G, up to 324 hours on 2G; Music: up to 62 hours; Video: up to 9 hours | Talk time: 3G up to 12.5 hours, 2G up to 10 hours; Standby time: up to 14 days on 3G, up to 13 days on 4G; Music: up to 62 hours; Video: up to 9 hours |
| Camera | 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording | 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording | 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording | 5 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording |
| GPS | GPS-enabled with preloaded BlackBerry® Maps application | GPS-enabled with preloaded BlackBerry® Maps application | GPS-enabled with preloaded BlackBerry® Maps application | GPS-enabled with preloaded BlackBerry® Maps application |
| Bluetooth® | Bluetooth 4.0 Low Energy | Bluetooth 4.0 Low Energy | Bluetooth 4.0 Low Energy | Bluetooth 4.0 Low Energy |
| Wi-Fi® (2) | 802.11 a/b/g/n enabled; 4G Mobile Hotspot | 802.11 b/g/n enabled; Mobile Hotspot | 802.11 a/b/g/n enabled; 4G Mobile Hotspot | 802.11 b/g/n enabled; Mobile Hotspot |

1. Many factors affect battery life, including but not limited to network, transmission environment, battery age, usage, location, software and feature configuration.
2. WiFi availability may vary between country and mobile network operators.


BlackBerry Technical Support Services

Support is a key component of your Enterprise Mobility Management strategy. Implementing BES10 is easier than ever, but having a strategic support partner is still essential to assist you in delivering your mobility objectives. BlackBerry Technical Support Services offers a unique blend of technical expertise, rapid issue resolution and proactive, relationship-based support to help you realise the full potential of your BES10 multi-platform management infrastructure. For more information, visit blackberry.com/btss

Learn more at BES10.com/security

1. February 2014
2. August 2013
3. November 2013
4. Silver level EMM provides the management and control feature set for iOS, Android and BlackBerry 10 devices, previously known as BES10 EMM Corporate.
5. Gold level EMM provides the management and control feature set for BlackBerry 10 devices, previously known under the name EMM Regulated, and also covers the containerization option for iOS and Android management, known as Secure Work Space for iOS and Android.

Screen images simulated

© 2014 BlackBerry. All rights reserved. BlackBerry® and related trademarks, names and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world. All other trademarks are the property of their respective owners. iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS is used under license by Apple Inc. Apple Inc. does not sponsor, authorize or endorse this brochure. Android is a trademark of Google Inc., which does not sponsor, authorize or endorse this brochure.

EZ PASS

FREE perpetual BES10 licenses for all existing BlackBerry and other active MDM licenses, plus receive world class BlackBerry Advantage Level Technical Support FREE of charge.

Learn more at blackberry.com/ezpass

Additional Terms and Conditions will apply
