Technical White Paper: Mobile Admin Security
Software version 3.3, document release 1.3

ABOUT THIS DOCUMENT

Rove Technical White Paper - Mobile Admin Security: How Mobile Admin provides secure mobile network management

CONTACT INFORMATION

Rove Inc.
60 George Street, suite 203
Ottawa, Ontario, Canada K1N 1J4
www.rovemobile.com
Toll Free: +1-888-482-3646 (North America)
Tel: 1 613 789 1818 (International)
Fax: 1 613 789 6739
General inquiries: info@rovemobile.com

SALES
Email: sales@rovemobile.com
Toll-Free: 1 888 482 3646, press 1 (North America)
International: 1 613 789 1818, press 1

TECHNICAL SUPPORT
Email: support@rovemobile.com
Toll-Free: 1 888 482 3646, press 2 (North America)
International: 1 613 789 1818, press 2

TRADEMARKS

Copyright © 2007 Rove Inc. All rights reserved. Rove, Mobile Admin, Mobile SSH, Mobile Desktop, Mobile Citrix Client, Mobile File Manager, and Rove's logo are marks of Rove Inc. All rights reserved. The BlackBerry and RIM families of related marks, images and symbols are the exclusive properties of Research In Motion Limited. RIM, Research In Motion, and BlackBerry are registered with the U.S. Patent and Trademark Office and may be pending or registered in other countries. Adobe and Acrobat are registered trademarks of Adobe Systems Incorporated in the United States, and/or other countries. Microsoft, Windows, and Windows Server are trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. All other brands, product names, company names, trademarks, and service marks are the properties of their respective owners.

This document is provided "as is" and Rove Inc. (Rove) assumes no responsibility for any typographical, technical, or other inaccuracies in this document.
Rove reserves the right to periodically change information that is contained in this document; however, Rove makes no commitment to provide any such changes, updates, enhancements, or other additions to this document to you in a timely manner or at all. ROVE MAKES NO REPRESENTATIONS, WARRANTIES, CONDITIONS, OR COVENANTS, EITHER EXPRESS OR IMPLIED (INCLUDING, WITHOUT LIMITATION, ANY EXPRESS OR IMPLIED WARRANTIES OR CONDITIONS OF FITNESS FOR A PARTICULAR PURPOSE, NON‐INFRINGEMENT, MERCHANTABILITY, DURABILITY, TITLE, OR RELATED TO THE PERFORMANCE OR NON‐PERFORMANCE OF ANY SOFTWARE REFERENCED HEREIN, OR PERFORMANCE OF ANY SERVICES REFERENCED HEREIN). IN CONNECTION WITH YOUR USE OF THIS DOCUMENTATION, NEITHER ROVE NOR ITS AFFILIATED COMPANIES AND THEIR RESPECTIVE DIRECTORS, OFFICERS, EMPLOYEES, OR CONSULTANTS SHALL BE LIABLE TO YOU FOR ANY DAMAGES WHATSOEVER BE THEY DIRECT, ECONOMIC, COMMERCIAL, SPECIAL, CONSEQUENTIAL, INCIDENTAL, EXEMPLARY, OR INDIRECT DAMAGES, EVEN IF ROVE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, INCLUDING, WITHOUT LIMITATION, LOSS OF BUSINESS REVENUE OR EARNINGS, LOST DATA, DAMAGES CAUSED BY DELAYS, LOST PROFITS, OR A FAILURE TO REALIZE EXPECTED SAVINGS. This document might contain references to third‐party sources of information and/or third‐party web sites (“Third‐Party Information”). Rove does not control, and is not responsible for, any Third‐Party Information, including, without limitation, the content, accuracy, copyright compliance, legality, decency, links, or any other aspect of Third‐Party Information. The inclusion of Third‐Party Information in this document does not imply endorsement by Rove of the third party in any way. Any dealings with third parties, including, without limitation, compliance with applicable licenses, and terms and conditions are solely between you and the third party. Rove shall not be responsible or liable for any part of such dealings. 
Certain features outlined in this document may require additional development or third-party products and/or services for access to corporate applications. Installation and use of third-party products and services with Rove's products and services may require one or more patent, trademark, or copyright licenses in order to avoid infringement of the intellectual property rights of others. You are solely responsible for acquiring any such licenses. To the extent that such intellectual property licenses may be required, Rove expressly recommends that you do not install or use these products until all such applicable licenses have been acquired by you or on your behalf. Your use of third-party software shall be governed by and subject to you agreeing to the terms of separate software licenses, if any, for those products or services. Any third-party products and services that are provided with Rove's products and services are provided "as is". Rove makes no representation, warranty, or guarantee whatsoever in relation to the third-party products or services and Rove assumes no liability whatsoever in relation to the third-party products and services even if Rove has been advised of the possibility of such damages or can anticipate such damages.

Contents

Introduction 1
  Mobile control of your network 1
  Supported devices 1
Encryption 2
  Encryption options for Mobile Admin on BlackBerry smartphones 2
    Mobile Admin with BlackBerry smartphones and a BlackBerry Enterprise Server 2
    Architecture overview—BlackBerry smartphones with a BlackBerry Enterprise Server 2
    Protecting your network when a handheld device is lost 3
    Mobile Admin with BlackBerry smartphones without a BlackBerry Enterprise Server 3
    Architecture overview—BlackBerry smartphones without a BlackBerry Enterprise Server 4
    Other considerations 4
    Port and firewall configurations 5
  Encryption options for Mobile Admin on Palm, Windows Mobile, Nokia, Sony Ericsson or Motorola devices 5
    Architecture overview—Palm, Windows Mobile, Nokia, Sony Ericsson or Motorola devices 5
    Other considerations—Nokia devices 6
    Other considerations—Windows Mobile devices 6
Authentication 7
  Primary login authentication 7
    Windows user name and password authentication 7
    Mobile Admin user name and password authentication 7
    Mobile Admin LDAP authentication 8
  Device-level password authentication 9
    BlackBerry smartphone password 9
    Device-level passwords for Palm, Windows Mobile, Nokia, Sony Ericsson or Motorola devices 10
  RSA SecurID and RADIUS authentication 10
Index 11

Introduction

Mobile Admin is a client-server application that allows you to manage servers and computers on your network using your wireless handheld device, or from any computer with an Internet connection (using the Mobile Admin web interface). This document provides detailed information about the security features available to protect your network data when you use Mobile Admin.

Security is a fully integrated feature of Mobile Admin's client-server architecture, and is provided through both data encryption and user authentication.

Mobile control of your network

This section provides an overview of Mobile Admin's features to provide a context for how security works with the Mobile Admin system.

Mobile Admin is a client-server application. The Mobile Admin Server software is installed behind your corporate firewall on any one computer that has access to all the other servers in your network that you want to manage. The Mobile Admin Client software is installed on any number of wireless handheld devices.
You can use Mobile Admin to manage a wide range of computers, servers, and systems in your network, including Microsoft Windows, Active Directory, Exchange, SQL Servers; IBM Lotus Domino; Novell eDirectory/NDS; Oracle; Citrix; BlackBerry Enterprise Servers; Veritas BackupExec; HP Integrated Lights Out (iLO); and much more. Mobile Admin allows you to use your wireless handheld device to perform a full range of administrative tasks on these servers, including managing users and groups, event logs, services, and print jobs; rebooting servers; resetting passwords; editing server documents; and deleting mailbox messages.

Supported devices

Mobile Admin can be used with any of the following wireless handheld devices:
• BlackBerry smartphones
• Palm devices (including Treo and Tungsten)
• Windows Mobile (Pocket PC and Smartphone)
• Nokia phones (Series 60 and 80)
• Sony Ericsson phones
• Motorola phones

Encryption

The types of data encryption available to you with Mobile Admin depend on the type of wireless handheld devices you use:
• BlackBerry smartphones, with or without a BlackBerry Enterprise Server
• Palm devices (such as Treo and Tungsten), Windows Mobile devices (including Pocket PC and Smartphone), Nokia phones (Series 60 and 80), Sony Ericsson phones or Motorola phones, with or without a VPN

Encryption options for Mobile Admin on BlackBerry smartphones

You can choose to use Mobile Admin on BlackBerry smartphones with or without a BlackBerry Enterprise Server.

Mobile Admin with BlackBerry smartphones and a BlackBerry Enterprise Server

When you choose to use Mobile Admin with a BlackBerry Enterprise Server, you are able to leverage the industry-leading security infrastructure of the BlackBerry network.
If you use a BlackBerry Enterprise Server, all your Mobile Admin data is sent over the Mobile Data Service (MDS), and is, by default, automatically encrypted using Triple Data Encryption Standard (TDES or 3DES). While TDES provides the highest industry-standard encryption, you can also choose to add other layers of encryption.

All versions of the BlackBerry Enterprise Server use TDES as the default encryption for all data. However, BlackBerry Enterprise Server 4.0 allows you to choose between using TDES, Advanced Encryption Standard (AES), or both. TDES and AES are generally recognized as the most robust encryption methods available today, and the US Government has also certified TDES and AES as compliant with Federal Information Processing Standards (FIPS).

You can also choose to configure the Mobile Admin Server to add a layer of encryption with HyperText Transport Protocol Secured (HTTPS). HTTPS is HTTP encrypted with Transport Layer Security (TLS). If you configure Mobile Admin to use HTTPS, all Mobile Admin data transmitted between the Mobile Admin Server and the wireless handheld is encrypted.

Architecture overview—BlackBerry smartphones with a BlackBerry Enterprise Server

Figure 1-1 shows how Mobile Admin connects your wireless handheld device to your network if you are using a BlackBerry Enterprise Server. The Mobile Admin Server is connected to the servers and computers that you want to manage with Mobile Admin. Information about these servers and computers is sent through the Mobile Admin Server to the BlackBerry Enterprise Server. The BlackBerry Enterprise Server encrypts the data with Triple Data Encryption Standard (TDES) or Advanced Encryption Standard (AES) and sends it over the Internet and the wireless network to the BlackBerry smartphone.
The BlackBerry smartphone decrypts the data so that it can be viewed using the Mobile Admin Client. Similarly, Mobile Admin Client commands from the BlackBerry smartphone are encrypted, then sent over the wireless network and the Internet to the BlackBerry Enterprise Server. The BlackBerry Enterprise Server decrypts the commands and sends them to the Mobile Admin Server, which then further decrypts the commands if required, and then performs the requested actions. If you configure Mobile Admin to use HTTPS, data is encrypted with TLS before it is transmitted between the Mobile Admin Server and the BlackBerry smartphones.

Figure 1-1: Mobile Admin architecture with BlackBerry smartphones and a BlackBerry Enterprise Server. [Diagram: BlackBerry smartphones with Mobile Admin Client; wireless networks; Internet; corporate firewall; BlackBerry Enterprise Server (SRP through port 3101); mail server (Exchange, Domino, or GroupWise); Mobile Admin Server (HTTP/XML, authentication against RSA Authentication Manager); servers and computers managed by Mobile Admin. Links are labelled "TDES and/or AES" and "HTTPS*" (*optional, but recommended if not using a BlackBerry Enterprise Server).]

Note: Figure 1-1 shows the Mobile Admin Server and the BlackBerry Enterprise Server installed on separate computers. However, the Mobile Admin Server can be installed on the same computer as the BlackBerry Enterprise Server.

Protecting your network when a handheld device is lost

If a BlackBerry smartphone is lost, you can either use the BlackBerry Enterprise Server to "kill" it remotely, or use Mobile Admin on a BlackBerry to kill another BlackBerry smartphone. The "kill" command disables and deletes all stored information on the device, including everything related to the Mobile Admin application.

Note: The ability to kill a BlackBerry smartphone from another BlackBerry smartphone using Mobile Admin is only available for users of BlackBerry Enterprise Server 4.0 and higher.

Mobile Admin with BlackBerry smartphones without a BlackBerry Enterprise Server

When you do not use a BlackBerry Enterprise Server, data sent between the Mobile Admin Server and BlackBerry smartphones is not encrypted by default. If you do not use a BlackBerry Enterprise Server with your BlackBerry smartphones, it is strongly recommended that you configure Mobile Admin to connect using HTTPS.

Architecture overview—BlackBerry smartphones without a BlackBerry Enterprise Server

Figure 1-2 shows how Mobile Admin connects your wireless handheld device to your network if you are not using a BlackBerry Enterprise Server. The Mobile Admin Server is connected to the servers and computers that you want to manage with Mobile Admin. If you configure Mobile Admin to use HTTPS, then the Mobile Admin Server encrypts the data and sends it over the Internet and the wireless network to the BlackBerry smartphone. The BlackBerry smartphone decrypts the data so that it can be viewed using the Mobile Admin Client. Similarly, Mobile Admin Client commands from the BlackBerry smartphone are encrypted if you are using HTTPS, and then sent over the wireless network and the Internet. The Mobile Admin Server decrypts the commands if required, and then performs the requested actions.

Figure 1-2: Mobile Admin architecture with BlackBerry smartphones (without a BlackBerry Enterprise Server).

Other considerations

If you do not have a BlackBerry Enterprise Server, you can choose to either rent a BlackBerry Enterprise Server from a hosting company for a monthly fee, or to use Mobile Admin without one.
To use Mobile Admin without a BlackBerry Enterprise Server, you must:
• use a BlackBerry 6510, 7510 or 7520, or any BlackBerry with BlackBerry system software 4.0
• connect from the Mobile Admin Client handheld to the Mobile Admin Server using Internet TCP/IP
• make sure that your carrier has the Internet Access Point Name (APN) enabled for your device

[Figure 1-2 diagram: BlackBerry smartphones with Mobile Admin Client; wireless networks; Internet; corporate firewall; Mobile Admin Server (HTTP/XML, authentication against RSA Authentication Manager); servers and computers managed by Mobile Admin. Links are labelled "HTTPS*" (*optional but highly recommended).]

Port and firewall configurations

Mobile Admin uses port 4054 to communicate between the BlackBerry Enterprise Server and the Mobile Admin Server. If you use a BlackBerry Enterprise Server hosting company or use Mobile Admin without a BlackBerry Enterprise Server, you will have to make sure that the gateway you use is able to contact your Mobile Admin Server through this port, which may require you to configure your firewall. You can also choose to change the port that Mobile Admin uses. If you change the port used by Mobile Admin, you must make sure that your gateway is able to contact your Mobile Admin Server through this alternative port.

Encryption options for Mobile Admin on Palm, Windows Mobile, Nokia, Sony Ericsson or Motorola devices

You can choose to use Mobile Admin on Palm, Windows Mobile, Nokia, Sony Ericsson or Motorola handheld devices with or without a Virtual Private Network (VPN). If you use a VPN, all your Mobile Admin data is sent over the VPN, and is, by default, automatically encrypted.
You can also choose to configure the Mobile Admin Server to add a layer of encryption with HyperText Transport Protocol Secured (HTTPS). HTTPS is HTTP encrypted with Transport Layer Security (TLS). If you configure Mobile Admin to use HTTPS, all Mobile Admin data transmitted between the Mobile Admin Server and the wireless handheld is encrypted.

If you are using Palm, Windows Mobile, Nokia, Sony Ericsson or Motorola handheld devices with Mobile Admin, it is strongly recommended that you connect to your network through a VPN. If you cannot use a VPN, it is strongly recommended that you configure Mobile Admin to use HTTPS.

Architecture overview—Palm, Windows Mobile, Nokia, Sony Ericsson or Motorola devices

Figure 1-3 shows how Mobile Admin connects your wireless handheld device to your network using VPN and/or HTTPS. The Mobile Admin Server is connected to the servers and computers that you want to manage with Mobile Admin through a Virtual Private Network (VPN), which encrypts network data. If you configure Mobile Admin to use HTTPS instead, then the Mobile Admin Server encrypts the data. Mobile Admin sends the encrypted data over the Internet and the wireless network to the wireless handheld device. The Mobile Admin Client decrypts the data on the wireless handheld device so that it can be viewed. Similarly, Mobile Admin Client commands from the wireless handheld can be encrypted by the VPN or with HTTPS, then sent over the wireless network and the Internet.
The Mobile Admin Server decrypts the commands if required, and then performs the requested actions.

Figure 1-3: Mobile Admin architecture with Palm, Windows Mobile, Nokia, Sony Ericsson or Motorola wireless handhelds. [Diagram: Windows Mobile, Palm, Nokia, Sony Ericsson and Motorola devices with Mobile Admin Client; wireless networks; Internet; VPN server at the corporate firewall; Mobile Admin Server (HTTP/XML, authentication against RSA Authentication Manager); servers and computers managed by Mobile Admin. Links are labelled "VPN encryption*" and "HTTPS*" (*optional, but at least one method of encryption is highly recommended).]

Other considerations—Nokia devices

Nokia Series 80 phones have a VPN client provided by default. VPN clients are available for installation on Nokia Series 60 phones. The VPN for Palm OS client offered by Mergic is recommended. For more information, please see: www.mergic.com.

Other considerations—Windows Mobile devices

A VPN client is provided by default on all Pocket PC devices.

Authentication

As well as data encryption, Mobile Admin supports three different levels of authentication:
• primary login authentication (required), from a choice of:
  - Windows user name and password
  - Mobile Admin-specific user name and password
  - LDAP authentication
• device-level password (optional)
• RSA SecurID (optional)

Primary login authentication

Mobile Admin requires that you choose a primary form of authentication that each user must enter to log in to the Mobile Admin application, no matter what other forms of authentication (such as device-level, or RSA SecurID) you may have configured for the user. You can also configure how frequently the user is required to enter the primary login authentication. For example, you can configure Mobile Admin to require the primary login every time a user opens the Mobile Admin Client, or after time-out intervals that you specify.

Windows user name and password authentication

Administrative access to servers with Mobile Admin can be configured to use the Windows user settings for your network. With this option, users must always provide their Windows network user name and password to log in to Mobile Admin. If you choose to use the Windows network settings, you can configure Mobile Admin users to have access to either:
• exactly the same servers and services in Mobile Admin as they do in your network; or
• a subset of the servers and services they have permissions to manage in your network.

Mobile Admin user name and password authentication

Administrative access to servers with Mobile Admin can be configured to be specific to Mobile Admin, if you would rather not use Windows login data for Mobile Admin. Because Mobile Admin is fully integrated with Windows security, you must specify at least one Windows account for the Mobile Admin Server to use to authenticate Mobile Admin users when they log in with their Mobile Admin-specific user name and password.

If you specify one Windows account, Mobile Admin will use that as the default Windows authentication for all Mobile Admin users when they enter their Mobile Admin-specific user name and password.
However, for each user, you can choose to:
• use the default Windows account, or use any other Windows account
• further configure or limit access to specific network servers, as long as these servers are a subset of the servers that the associated Windows account has permission to manage

Because of the many available choices, there are several ways to configure user access to your network if you choose to use Mobile Admin-specific passwords. The following three examples are provided to illustrate some of the possibilities.

Sample configuration #1:
• In Mobile Admin, set up one existing Windows account as the default account for Mobile Admin with a wide range of permissions, such as a domain administrator or administrator account.
• In Mobile Admin, add users, and set up Mobile Admin-specific passwords for each user.
• In Mobile Admin, configure access for each user to an appropriate subset of network servers.

Sample configuration #2:
• In Windows, create a specific Windows account that has the permissions that you want all Mobile Admin users to have.
• In Mobile Admin, set up the new Windows account as the default account for Mobile Admin.
• In Mobile Admin, add users, and set up Mobile Admin-specific passwords for each.

Sample configuration #3:
• In Windows, create a specific Windows account that has the permissions that you want most Mobile Admin users to have.
• In Mobile Admin, set up the new account as the default account for Mobile Admin.
• In Mobile Admin, add users and set up Mobile Admin-specific passwords for each.
• For the small number of users who you want to have different permissions than the default Windows account, configure them to use different appropriate Windows accounts to authenticate with Mobile Admin.

Mobile Admin LDAP authentication

Administrative access to servers with Mobile Admin can be configured to use your network LDAP authentication, if you would rather not use Windows login data for Mobile Admin.
Because Mobile Admin is fully integrated with Windows security, you must specify at least one Windows account for the Mobile Admin Server to use to authenticate Mobile Admin users when they log in with their LDAP authentication information. If you specify one Windows account, Mobile Admin will use that as the default Windows authentication for all Mobile Admin users when they enter their LDAP authentication.

However, for each user, you can choose to:
• use the default Windows account, or use any other Windows account
• further configure or limit access to specific network servers, as long as these servers are a subset of the servers that the associated Windows account has permission to manage

Because of the many available choices, there are many ways to configure user access to your network with LDAP authentication. The following three examples are provided to illustrate some of the possibilities.

Sample configuration #1:
• In Mobile Admin, set up one existing Windows account as the default account for Mobile Admin with a wide range of permissions, such as a domain administrator or administrator account. Mobile Admin will use this account to authenticate with the Windows network when users enter their LDAP authentication.
• In Mobile Admin, add users.
• In Mobile Admin, configure access for each user to an appropriate subset of network servers.

Sample configuration #2:
• In Windows, create a specific account that has the permissions that you want all Mobile Admin users to have.
• In Mobile Admin, set up the new Windows account as the default account for Mobile Admin to authenticate with the Windows network when users enter their LDAP authentication.
• In Mobile Admin, add users.
Sample configuration #3:
• In Windows, create a specific Windows account that has the permissions that you want most Mobile Admin users to have.
• In Mobile Admin, set up the new account as the default account for Mobile Admin.
• In Mobile Admin, add users.
• For the small number of users who you want to have different permissions than the default Windows account, configure them to use different appropriate Windows accounts to authenticate with Mobile Admin when they enter their LDAP authentication.

Device-level password authentication

Most wireless handheld devices and phones provide optional device-level authentication. When the device password feature is enabled, you must enter a password before you can use the device and Mobile Admin.

BlackBerry smartphone password

The BlackBerry smartphone password provides device-level authentication on BlackBerry smartphones. After ten failed attempts to enter the handheld password, all information on the handheld is erased for security purposes.

By default, the handheld password feature is not enabled. The handheld password can be enabled at the device level by each user. Alternatively, your BlackBerry Enterprise Server administrator can edit the IT Policy for the BlackBerry Enterprise Server to require a handheld password for some or all users.

Security time-out settings define how long a handheld device must be inactive before a user is required to enter the handheld password. These settings can also be configured at the device level by individual users, or by modifying the IT Policy on the BlackBerry Enterprise Server for some or all users. For extra security, it is recommended that you enable the BlackBerry smartphone password for all Mobile Admin users.
For more information about how to enable the handheld password and to configure the security time-out, please refer to the user documentation for your BlackBerry smartphone.

Device-level passwords for Palm, Windows Mobile, Nokia, Sony Ericsson or Motorola devices

By default, device-level passwords are not usually enabled, and must be enabled at the device level by each user. For extra security, it is recommended that all Mobile Admin users enable the device-level password. For more information about how to enable the device-level password for your device, please refer to the user documentation that was provided with your device.

RSA SecurID and RADIUS authentication

Mobile Admin also supports the option of using RSA SecurID authentication, and has been officially approved as an RSA-Certified application. RSA SecurID provides "two-factor" authentication, which requires a user to enter a combination of a secret personal identification number (PIN) and a code from a SecurID token. The token generates a new, unpredictable code every 60 seconds. These PIN and code combinations are synchronized with the RSA Authentication Manager, which is installed on your network and controls access to RSA-protected applications and devices. If you choose to use RSA SecurID authentication with Mobile Admin, users will have to enter their PIN and token code before they can log in to Mobile Admin. For more information about using RSA SecurID authentication, please see www.rsasecurity.com.

Mobile Admin also supports RADIUS authentication, which means that Mobile Admin can act as a RADIUS client or RADIUS device for whatever type of RADIUS server and authentication system you are using, such as SafeWord.
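The Mobile Admin-specific and LDAP authentication sections above share one rule: each Mobile Admin user is mapped to a Windows account (the configured default or a per-user one), and the servers the user may manage must be a subset of the servers that account has permission to manage. The model below is an added example, not Rove's code; the account and server names are constructed, and the subset-validation and deny-by-default checks are assumptions about how such a mapping should be enforced, not a description of the product's internals.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class WindowsAccount:
    """A Windows account the Mobile Admin Server authenticates with on a user's behalf."""
    name: str
    manageable_servers: FrozenSet[str]  # servers this account has permission to manage


@dataclass(frozen=True)
class MobileAdminUser:
    """A Mobile Admin user holding a Mobile Admin-specific or LDAP credential."""
    name: str
    windows_account: Optional[str] = None          # None: use the configured default account
    allowed_servers: Optional[FrozenSet[str]] = None  # None: everything the account can manage


class MobileAdminAccess:
    """Maps users to Windows accounts and enforces the per-user server subset."""

    def __init__(self, default_account: str, accounts: List[WindowsAccount],
                 users: List[MobileAdminUser]) -> None:
        self.accounts: Dict[str, WindowsAccount] = {a.name: a for a in accounts}
        if default_account not in self.accounts:
            raise ValueError(f"default account {default_account!r} is not a known Windows account")
        self.default_account = default_account
        self.users: Dict[str, MobileAdminUser] = {u.name: u for u in users}

    def effective_account(self, user: MobileAdminUser) -> WindowsAccount:
        return self.accounts[user.windows_account or self.default_account]

    def effective_servers(self, user: MobileAdminUser) -> FrozenSet[str]:
        """Servers the user may manage: the per-user list, clipped to the account's rights.
        Clipping is the assumed fail-safe for a misconfigured (too wide) per-user list."""
        account = self.effective_account(user)
        if user.allowed_servers is None:
            return account.manageable_servers
        return user.allowed_servers & account.manageable_servers

    def validate(self) -> List[str]:
        """Report users whose configuration breaks the subset rule or names an unknown account."""
        problems: List[str] = []
        for user in self.users.values():
            if user.windows_account and user.windows_account not in self.accounts:
                problems.append(f"{user.name}: unknown Windows account {user.windows_account!r}")
                continue
            account = self.effective_account(user)
            if user.allowed_servers is not None:
                extra = user.allowed_servers - account.manageable_servers
                if extra:
                    problems.append(f"{user.name}: {sorted(extra)} not manageable by {account.name}")
        return problems

    def authorize(self, username: str, server: str) -> bool:
        """Deny by default: unknown users and unresolvable account mappings get nothing."""
        user = self.users.get(username)
        if user is None:
            return False
        if user.windows_account and user.windows_account not in self.accounts:
            return False
        return server in self.effective_servers(user)


# Constructed sample modelled on sample configuration #3: a purpose-made account with the
# permissions most users need is the default, one user maps to a broader account, and one
# user is deliberately misconfigured with a server outside the default account's rights.
ACCOUNTS = [
    WindowsAccount("MA-Default", frozenset({"exchange01", "file01", "print01"})),
    WindowsAccount("MA-DomainAdmin", frozenset({"exchange01", "file01", "print01", "dc01", "sql01"})),
]
USERS = [
    MobileAdminUser("alice"),                                        # default account, full subset
    MobileAdminUser("bob", allowed_servers=frozenset({"print01"})),  # default account, narrowed
    MobileAdminUser("carol", windows_account="MA-DomainAdmin",
                    allowed_servers=frozenset({"dc01", "sql01"})),   # broader account, narrowed
    MobileAdminUser("dave", allowed_servers=frozenset({"print01", "sql01"})),  # sql01 exceeds default
]


def build_config() -> MobileAdminAccess:
    return MobileAdminAccess("MA-Default", ACCOUNTS, USERS)


if __name__ == "__main__":
    cfg = build_config()
    for problem in cfg.validate():
        print("configuration problem:", problem)
    for who, srv in [("alice", "file01"), ("bob", "file01"), ("carol", "dc01"),
                     ("dave", "sql01"), ("mallory", "dc01")]:
        print(f"{who} -> {srv}: {'allow' if cfg.authorize(who, srv) else 'deny'}")
```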