3

We manage our Blackberry devices from the BlackBerry Manager (with a "BlackBerry Professional Software" license), but I'm sure it's somewhat similar to the enterprise edition/solution.

What steps should we take for securing (via server policies) our devices from rogue software updates, evil 3rd party applications, spyware, viruses and such? (or are the latter types of attacks on Blackberry devices only 'proof of concepts' at this point?)

What security policies are recommended for keeping Blackberry devices secured?

l0c0b0x
    AFAIK Blackberry Professional is basically a license quantity-limited version of Blackberry Enterprise Server. I'll be interested to see what comes of this question. I manage a couple of these servers, too, and I probably need to be thinking more about the device security (since they're really a kind of client computer w/ the user being an "Administrator", presumably) than I have been. – Evan Anderson Jul 24 '09 at 19:15

3 Answers

2

First thing to do is make sure that the phones lock automatically. These phones are effectively within your network so they should be locked when not in use.

There are policies which can be put in place to prevent the user from installing software onto the phone.

I don't think there's much you can do to stop the provider from pushing updates to the phone though. I've got to run at the moment; when I get back I'll hop onto my BES server and figure out a good baseline.

mrdenny
    Here is more information about that http://www.theglobeandmail.com/globe-investor/uae-blackberry-update-was-spyware-rim/article1227310/ It was something the user needed to install – SpaceManSpiff Jul 25 '09 at 02:16
2

Make sure your BES box can't access any other servers it doesn't need.

I have a slew of Unix boxes on the LAN which now use tcpwrappers to deny any kind of access from the BES machine. This stops a Blackberry user installing a terminal emulator and telnetting to random boxes on the LAN.

dr-jan
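The host-level restriction dr-jan describes can be expressed with tcpwrappers access-control files. The fragment below is an added illustration, not configuration from the answer or from any BlackBerry documentation; it assumes the BES machine sits at 192.0.2.10 (a placeholder address), that the LAN is 192.0.2.0/24, and that the services being protected (sshd, telnetd via inetd, and so on) are actually linked against libwrap or started through tcpd, since tcpwrappers only filters daemons that consult it.

```text
# /etc/hosts.deny  (added example; BES address is a placeholder)
# Default deny: any wrapped service, any client not matched in hosts.allow.
ALL: ALL

# /etc/hosts.allow  (added example)
# Permit the rest of the LAN, but carve the BES host out of the allow rule
# so a handset tunnelling through MDS cannot reach login services here.
ALL: 192.0.2.0/255.255.255.0 EXCEPT 192.0.2.10
# Always keep loopback working.
ALL: 127.0.0.1
```

Confirm the rule set behaves as intended with `tcpdmatch sshd 192.0.2.10` (expected: denied) and `tcpdmatch sshd 192.0.2.25` (expected: granted) before relying on it. Because unwrapped daemons ignore these files, a host firewall rule dropping traffic from the BES address is the more complete control; many current distributions no longer ship tcpwrappers at all.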
1

For preventing unauthorized 3rd party applications, etc., there are 2 ways you can do this. The first is using an IT policy called disallow 3rd party applications (I think that's it, might be similar in name). That will prevent ALL 3rd party applications from being installed. The other way is you can whitelist applications you want to allow to install. This is done by creating allow lists using software deployment setup. Here is a link for it. The 3rd party application block will override the whitelist.

The MDS-CS service will give the devices access to the local LAN the server is on. If this is already the same subnet as your workstations (likely, since you are using the professional version), this doesn't matter. But larger organizations will have the BES server in a different network segment than the workstations so this service can be secured. You can set up a proxy connection on the MDS-CS to send the BB requests to a different gateway as well.

For device policies, you can use the included ones with the server as a starting point for the various levels. Then look through the other policies to see what else you might want to lock down on the phones.

SpaceManSpiff