Configuring BlackBerry Devices to Work with PGP Universal and BlackBerry Enterprise Server 5.0.x

Article:TECH199169  |  Created: 2012-10-31  |  Updated: 2012-11-06  |  Article URL http://www.symantec.com/docs/TECH199169
Article Type
Technical Solution


Issue



If your organization's environment includes a PGP Universal Server, you can connect the BlackBerry® Enterprise Server to PGP Universal Server, so that a BlackBerry device can send and receive PGP encrypted messages.

BlackBerry devices are managed through BlackBerry Enterprise Server (BES) IT policies. These policies contain settings and preferences for the BlackBerry mobile device, including settings for the PGP Support Package for BlackBerry. In recent BlackBerry versions, the PGP Support Package for BlackBerry is included in the BlackBerry® Device Software. However, always use the latest version of software available for your BlackBerry mobile device.

 


Environment



PGP® Universal Server version 3.x

BlackBerry® Enterprise Server version 5.0.x

BlackBerry® Device Software version 4.2.2+


Solution



If you do not have a PGP Universal Server, or if you are using a CKM key (CKM keys are not stored on PGP Universal Server), send an email with your keypair attached to the BlackBerry device; this keypair is used as part of the PGP Universal enrollment process. If you have a PGP Universal Server, note that PGP user accounts are NOT created on PGP Universal Server when enrolling from a BlackBerry device. You must therefore create internal user accounts on PGP Universal Server before enrolling a BlackBerry device to use PGP encryption. To create internal user accounts on PGP Universal Server, enroll through a bound PGP Desktop client or upload the keypair to the server before proceeding.

Note: The BlackBerry Enterprise Server communicates with the PGP Universal server over port 443.

1. Start the BlackBerry mobile device and complete the Enterprise Activation process if you are using the device for the first time. The Enterprise Activation process is described on the following page: http://us.blackberry.com/support/business/enterprise-activation.html

2. If you have already used the device with a BlackBerry Enterprise Server (BES) and completed the Enterprise Activation process, make sure that the BlackBerry device appears in the proper policy on the BES. You can view the IT Policy Name on your BlackBerry device in the Options menu under Security options > General Settings.

3. Configure the settings on the PGP Application tab in the respective IT Policy rule on the BES. Use the following guide for this process: http://www.symantec.com/docs/HOWTO59333. A detailed policy reference guide can be found here.

4. Install the PGP Support Package for BlackBerry via Device Manager (the device must be plugged into a computer with the latest BlackBerry Handheld Software package, which includes Applications and Operation Software - http://www.symantec.com/docs/TECH148931) or via the BES (also known as "Over-The-Air" (OTA); the device must be connected wirelessly to a BlackBerry Enterprise Server - http://www.symantec.com/docs/TECH149101).

5. Resynchronize the IT Policy on the BlackBerry device with the BES. To do this, restart the device and pull the battery out, or use the Resend IT Policy action on the BlackBerry Server - http://docs.blackberry.com/en/admin/deliverables/12107/Resend_IT_policy_to_device_manually_193559_11.jsp

6. The BlackBerry mobile device should prompt the user to enroll and authenticate with PGP Universal Server after the device restarts or when you attempt to send email from the device. Perform enrollment as described in the User Guide for the PGP Support Package for BlackBerry: http://www.symantec.com/docs/DOC3694

When enrollment completes, you should be able to send and receive PGP encrypted mail.

General security information and a description of the features of the PGP Support Package for BlackBerry are available in the Security Technical Overview.

The following ports have to be opened for communication between PGP® Universal Server and BlackBerry® Enterprise Server:

| Port Number | Protocol Name | Purpose |
|---|---|---|
| 80 | HTTP | Certificate Revocation Checks (CRC) using Certificate Revocation List (CRL) or over Online Certificate Status Protocol (OCSP) |
| 443 | HTTPS / SSL | Key Search Communication with PGP Universal Server over Universal Server Protocol (USP) |
| 389 | LDAP | Key Search Communication and retrieval. Certificate Search. |
| 636 | LDAPS | Key Search Communication and retrieval. Certificate Search. |
| 110 | POP | Mail retrieval (only in case of Internal Placement of bound PGP Universal Server) |
| 143 | IMAP | Mail retrieval (only in case of Internal Placement of bound PGP Universal Server) |
| 25 | SMTP | Mail delivery (only in case of Internal Placement of bound PGP Universal Server) |
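
To confirm that a firewall between the two servers actually permits these ports, a reachability check can be run on the BlackBerry Enterprise Server host. The script below is an added example, not part of the original article or of any Symantec or BlackBerry tooling; the parameter names and the `Test-TcpPort` helper are assumptions made for illustration.

```powershell
# Added example: TCP reachability check for the ports listed in the table above.
# Run it on the BlackBerry Enterprise Server host; the server name is supplied by the caller.
param(
    [Parameter(Mandatory = $true)][string]$UniversalServer,  # your PGP Universal Server host name
    [switch]$InternalPlacement,  # also test the mail ports (110, 143, 25)
    [int]$TimeoutMs = 3000
)

# Port list copied from the article's table; MailOnly marks the internal-placement rows.
$ports = @(
    @{ Port = 80;  Protocol = 'HTTP';  MailOnly = $false },
    @{ Port = 443; Protocol = 'HTTPS'; MailOnly = $false },
    @{ Port = 389; Protocol = 'LDAP';  MailOnly = $false },
    @{ Port = 636; Protocol = 'LDAPS'; MailOnly = $false },
    @{ Port = 110; Protocol = 'POP';   MailOnly = $true },
    @{ Port = 143; Protocol = 'IMAP';  MailOnly = $true },
    @{ Port = 25;  Protocol = 'SMTP';  MailOnly = $true }
)

# Hypothetical helper: returns $true only if a TCP connection completes within the timeout.
function Test-TcpPort([string]$Server, [int]$Port, [int]$TimeoutMs) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false              # no answer in time: traffic is likely filtered
        }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $client.Connected
    } catch {
        return $false                  # refused, unreachable, or name not resolved
    } finally {
        $client.Close()
    }
}

# Skip the mail ports unless the bound server uses Internal Placement.
$ports |
    Where-Object { $InternalPlacement -or -not $_.MailOnly } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Port      = $_.Port
            Protocol  = $_.Protocol
            Reachable = Test-TcpPort $UniversalServer $_.Port $TimeoutMs
        }
    } |
    Select-Object Port, Protocol, Reachable
```

A `Reachable` value of `True` shows only that the TCP connection is allowed; it does not validate the certificate or the service behind the port.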



