THERE’S GOOD SECURITY
AND THEN THERE’S
NATIONAL SECURITY
BlackBerry 10 and BES10
Contents
BlackBerry 10 & BES10
Corporate Networks Under Attack
BlackBerry Security
Protecting Data in Motion
BES10 Security Philosophy
BES10 Certification & Encryption
BES10 Layers of Protection
Tech Talk 1 & 2
Protecting Work Data on Personal-Use-Enabled Devices
BlackBerry Balance
Tech Talk 3
Enforcing Strong Access Controls
BlackBerry 10 Device OS Security Features
BES10’s Gold level Controls and Settings
Managing Devices
BlackBerry Mobile Device Management in Action
End-to-end Security
THE PERFECT BALANCE OF
BlackBerry 10 & BES10
End-to-end mobile data security without compromising business productivity or user satisfaction
Keeping corporate data secure is a top priority for any organization. After all, a data breach can cause significant financial losses, expose executives to legal actions, damage your company's reputation and weaken or eliminate competitive business advantage.
As more employees access your corporate network through mobile devices to communicate, collaborate and share data, your infrastructure becomes increasingly vulnerable to outside attacks and harder to secure and protect. The mixing of personal and work email accounts, apps and data, as well as the proliferation of employee-owned devices, increases the chance of major data leaks.
Rivaling the importance of information security, however, is business-user productivity and satisfaction. A mobilized workforce is only effective if the end-user experience is uncompromised and critical applications and productivity tools operate as efficiently from a mobile device as they do from a PC attached directly to the corporate network. An effective mobile security solution is one that imposes no limitations on end-user productivity.
The BlackBerry end-to-end enterprise security solution secures data from would-be attacks and loss without requiring you to compromise productivity or user satisfaction.
IT managers must now consider a highly complex corporate network infrastructure, accessible to a growing number and diversity of devices and applications, when devising a plan to protect corporate information and maintain worker productivity.
The entryways for potential attacks, data loss and productivity compromises include:
Employees maintaining a mix of corporate and third-party applications on the same device and exchanging information between the two domains
The installation of threat-vulnerable containerization on mobile devices
Employees visiting sites where they encounter malware or malicious threats
The use of employee-owned devices to access enterprise resources and information
IT managers need a solution that helps them:
Deliver transparent security for an optimal user experience
Provide integrated containerization that enables simple enterprise application development and deployment
Reduce employee misuse of devices
Keep personal and work information separate
Ensure that network data, both in transit and at rest, are kept secure
BlackBerry delivers a security solution that
satisfies the needs of both enterprises and
government agencies. The solution provides
the confidentiality, integrity and authenticity to
help protect your organization from data loss
and theft while delivering a seamless, simple
and uncompromised end-user experience.
Corporate Networks Under Attack*
71% of breaches targeted user devices...
54% of breaches compromised servers...
78% of intrusions rated as low difficulty...
66% of breaches go undetected for six months or longer...
*Verizon 2013 Data Breach Investigations Report
An unavoidable consequence of the explosive expansion of mobile devices within businesses and organizations of all sizes is a proportional elevation in vulnerability to security breaches and data leakage. To protect your information from increased exposure to attacks or data loss through accidental or malicious means, IT administrators require a comprehensive security solution, but one that does not sacrifice business productivity or end-user satisfaction. BlackBerry end-to-end security is purpose built to deliver optimal protection for work-related content, both on devices and in transit. BlackBerry security delivers fast, integrated device, application and content management and fully encrypted behind-the-firewall access to corporate data without the need for 3rd-party VPNs or add-on security.
The BlackBerry network, combined with its infrastructure authentication, device management capabilities and hardened BlackBerry® 10 operating system, is the ultimate end-to-end mobile security solution.
BlackBerry Security
A fully integrated end-to-end enterprise
mobility security solution
BlackBerry security focuses on four critical areas:
• Protecting data in motion
• Protecting work data on personal-use-enabled devices
• Enforcing strong access controls
• Managing devices
These four functions protect your data from
breaches, losses or alteration as it transits
the end-to-end path from your enterprise,
BES10 server, the BlackBerry network and,
ultimately, your employees’ BlackBerry
devices.
All G7 governments and 16 of the G20 governments rely on BlackBerry security¹
45 Security certificates. More than any other mobile vendor³
35PB per month on average. Moves more secure mobile data through its infrastructure than any other EMM vendor³
Only MDM provider to obtain ATO on U.S. Defense networks²
The ultimate standard for end-to-end mobile security
Dedicated Security Team
FIPS 140-2
AES 256
Protecting Data in Motion
A key element of the BlackBerry solution for in-transit data security is BES10
Because many of your employees work outside the office, it’s critical that you have strong security measures in place – both on employees’ devices and across internal network infrastructure – to protect data in transit. A key element of the BlackBerry solution for in-transit data security is the BlackBerry Enterprise Service 10, BlackBerry's device and application management platform. BES10 offers built-in data encryption to help both enterprises and government agencies protect sensitive information and minimize data loss or alteration.
BES10 Overview
BlackBerry has long been the ultimate in mobile security. An integral component of the BlackBerry solution is BES10, which secures in-transit data using transport layer security over the BlackBerry infrastructure. BES10 encrypts data using AES 256-bit encryption prior to transmission, while message keys are encrypted by the device transport key. BES10 also protects and manages devices and applications within the end-to-end BlackBerry security solution.
Secure Enterprise Connectivity
[Figure: BlackBerry 10 devices (Work and Personal) connect over Wi-Fi or 3G/4G, through firewalls with VPN gateways and the BlackBerry Infrastructure, to BlackBerry Enterprise Service 10 (BlackBerry Dispatcher, BlackBerry Mobile Data and Connection Service, Enterprise Management Web Service) and on to content servers, Web servers and Microsoft ActiveSync on the private network. Setting shown: Enable Work Network For Personal Use (Enable/Disable).]
VPN: IPSec or SSL
TLS: BlackBerry infrastructure authenticated with self certification
AES 256: Encrypted with device transport key generated during activation
SSL (Optional): Authenticated with server specific certificate
SSL: Authenticated with client/server certificates generated during activation
Wi-Fi: IEEE 802.11i with 802.1X
BES10 Security Philosophy
The security features found in BES10 are built upon a foundation of confidentiality, integrity and authenticity.
Confidentiality
BES10's encryption capabilities ensure that only intended recipients can view corporate data.
Integrity
All email sent over a secure network is strongly encrypted to keep third parties from decrypting or altering the message.
Authenticity
BES10 provides two-way authentication upon pairing with the device, helping reduce the possibility of counterfeit devices accessing your infrastructure.
BlackBerry 10/BES10 FIPS 140-2 Certification
Businesses and government agencies alike need to feel confident that their highly sensitive data – whether it’s in storage or in transit – stays secure from would-be attackers. The U.S. government created and implemented the FIPS 140-2 computer security standard and uses it to accredit file encryption modules. Both the BlackBerry 10 OS and BES10 software are FIPS 140-2 certified, which means that your organization’s data is strongly encrypted and the corresponding encryption keys are rigorously protected. BlackBerry 10 devices, controlled by BES10, are the only mobile devices to be given Authority to Operate (ATO) on Department of Defense networks.
S/MIME Messaging Encryption
BES10 gives you the option of using digital certificates to sign and encrypt email and file attachments using industry standard S/MIME encryption. When IT personnel activate a mobile device on BES10, the device can be configured to sign and encrypt messages using S/MIME whenever the employee sends emails via his or her work account. S/MIME encryption keeps messages secure by using recipients’ public keys to encrypt the message and their private key to decrypt it. Often overlooked as a security agent, S/MIME is a cost-effective productivity tool for enabling highly secure email communications with business partners and contractors outside of your organization.
Encryption Options
BES10 uses a technique called tunneling to protect data in transit over a secure network. Tunneling incorporates multiple layers of encryption between devices, BES10 and the wireless resource for additional data protection.
For example, when employees access the corporate Wi-Fi network, data transmissions between their device and BES10 are secured first by AES encryption and then by Wi-Fi encryption.
Wi-Fi Encryption (IEEE 802.11)
Encrypts data transmitted between mobile devices and wireless access points set up to use Wi-Fi encryption.
VPN Encryption
Encrypts data transmitted between mobile devices and VPN servers.
AES Encryption
Encrypts data transmitted between mobile devices, the BlackBerry infrastructure and BES10.
SSL/TLS Encryption
Encrypts data transmitted between mobile devices and content servers, Web servers or messaging servers that use Microsoft ActiveSync.
BES10 Layers of Protection
BES10 contains multiple layers of protection, so data stays secure both in transit and on devices
In-transit Data Protection
BES10 protects data transmissions using transport layer security.
Work Data Device Protection
Work file systems and applications are kept separate from personal data and encrypted.
Personal Data Device Protection
IT managers can create policy rules to encrypt data within the personal file system.
Device Access Control
Work Wi-Fi and VPN profiles may be delivered remotely via BES10 to enable corporate network access.
Device Behavior Control
IT managers can remotely lock mobile devices, enforce policies and wipe work/personal data from devices.
Device User Information Protection
Users can delete all their information and application data from device memory.
BlackBerry 10 OS Protection
BlackBerry 10 devices conduct integrity tests to detect kernel damage and restart processes that stop responding.
Application Data Protection Via Sandboxing
Sandboxing separates and restricts the capabilities and permissions of applications running on the device.
Resource Protection
Adaptive partitioning is used to allocate unused resources during typical operating conditions, to help ensure resources are available during peak conditions.
Access Capabilities Permissions Management
The BlackBerry 10 OS evaluates each device capability request made by an application, then grants access accordingly.
Boot ROM Code Verification
The device verifies that the boot ROM code is authentic, unmodified and has permission to run on the device.
Tech Talk 2
S/MIME Keys, Certificates and Encryption Algorithms
BlackBerry devices support keys and certificates for the following file format and file name extensions:
• PEM (.pem, .cer)
• DER (.der, .cer)
• PFX (.pfx, .p12)
A private key and certificate must be stored on the device for each recipient of an encrypted email message. Keys and certificates can be stored simply by importing the files from a work email message. To send encrypted messages, your employees must use their work email accounts.
The following encryption algorithms can be used by BlackBerry devices to encrypt S/MIME-protected messages:
• AES (256-bit)
• AES (192-bit)
• AES (128-bit)
• Triple DES
• RC2
Tech Talk 1
FIPS 140-2 Certification Details
The FIPS 140-2 certification was implemented by the National Institute of Standards and Technology to govern cryptography modules that involve both hardware and software components.
The BlackBerry OS cryptographic kernel, which received FIPS 140-2 certification for the BlackBerry 10 OS and BES10, generates the file encryption keys, the work domain key, the work master key and the system master key to provide a strong layer of security to protect data.
The FIPS 140-2 certificate for BlackBerry 10 and BES10
BlackBerry Enterprise Service 10
FIPS 140-2 Certificate no. 1765
Consolidated Certificate no. 0019
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0019.pdf
BlackBerry 10
FIPS 140-2 Certificate no. 1578
Consolidated Certificate no. 0007
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0007.pdf
Protecting Work Data on
Personal-Use-Enabled Devices
BlackBerry Balance and BES10 protect sensitive data
Protecting work data accessible over the corporate Intranet or stored on employees’ devices is a critical part of any comprehensive mobile data security plan. The widespread use of employee-owned and personal-use-enabled devices in corporate environments – Bring Your Own Device (BYOD) and Corporate Owned, Personally Enabled (COPE) movements – creates major data security challenges. Without a heavy-duty security architecture in place, one designed for work and personal use, it is easy for employees to leak sensitive work data through personal use, such as webmail and browsing, social networking and media, and untrusted personal applications.
With BlackBerry Balance™, a feature of BES10, you can create a “dual-persona” environment on employees’ mobile devices by establishing a separate, secure environment for work-related applications and associated sensitive data. This work environment leverages integrated, cryptographically partitioned file systems to protect sensitive work data, while delivering a compelling “work-life” user experience.
BlackBerry Balance:
Seamless Separation of Personal & Work Data
BlackBerry Balance identifies and tags data and processes that originate from your company’s Wi-Fi, VPN access or Intranet, and routes it to the employee’s work profile on the device. Other personal data and activities, including third-party applications, public Web browsing and personal email, are contained within the personal profile.
BlackBerry Balance Overview and Features
BlackBerry Balance keeps employees’ work and personal information separate and secure on BlackBerry 10 devices using specifically designated areas called Spaces. Within each of these Spaces, data, applications and network connections can be safely stored. Individual Spaces can be governed by their own rules for data storage, application permissions and network routing. Using separate Spaces for work and personal activities helps keep sensitive data secure by preventing employees from copying work data into personal email, or displaying information during video chats.
Built-in Password Protection
BES10 allows you to establish and enforce password policies quickly and easily to better protect data stored in employees’ devices. IT policies can be set to require your employees to enter a password or use their corporate single sign-on using Active Directory® services to gain access to Spaces containing work-related data. This keeps data at rest on employee devices safe and protected.
BlackBerry Balance in action
After eight years of employment at your company, a salesperson is leaving to take a leadership role at a startup business that will share the same competitive space as your company. Looking to jumpstart the customer acquisition process, the departing salesperson, who has access to the corporate customer relationship management (CRM) system, attempts to send your company’s customer list and deal status to his personal email account before leaving the company. The soon-to-be former employee accesses the CRM application from his BlackBerry 10 device and tries to paste the list and deal information into his personal email account. Because BlackBerry Balance prevents copy and paste functions between employees’ work profiles and personal profiles, the employee is unable to move data into his personal email or copy files from his Work Space to his Personal Space. Your company’s sales information stays safe. In addition, BES10 allows you to wipe all corporate information from an employee-owned device after the employee has left the company, without impacting personal data.
Using BlackBerry Balance, you can:
Control employee access to company data and applications on their devices
Prevent company data from becoming compromised
Provide employees a unified and consistent user experience with a core set of applications when accessing personal or work data
Install and manage company applications on employees’ devices remotely
Remove company data and applications from employee-owned devices when needed without impacting personal configuration and data
Control network connections for work and personal applications remotely
BlackBerry Balance lets you control how devices separate,
secure and protect company data and resources
Tech Talk 3
Work Space/Personal Space in Detail
BlackBerry Balance and BES10 provide a work environment that securely separates work and personal information on mobile devices. Devices classify data as work data or personal data based on the source of the data. For example, if data comes from a work-related source it is stored in the device’s Work Space. Personal and Work Spaces can have different rules for data storage, application permissions, and network routing. The separate spaces help users to avoid activities such as accidentally copying work data into a personal application, or displaying confidential work data. IT administrators have the option of managing and securing data in a Personal Space.
[Figure: Work Space and Personal Space above the base file system. Work Space: apps and data, encrypted. Personal Space: apps and data, encryption optional.]
Enforcing Strong Access Controls
BlackBerry security gives you greater control over
how and when mobile devices connect to your network
infrastructure and access data
BlackBerry security delivers
multiple access control features,
such as device authentication,
anti-counterfeiting manufacturing
controls and device OS protection,
that verify and maintain device
integrity. These features help
ensure only authorized devices
used by authorized employees
gain entry into your network,
use network services and
access data.
BlackBerry Hardware Root of Trust
BlackBerry takes specific steps to help ensure the integrity of its devices and prevent counterfeit devices from connecting to the BlackBerry infrastructure. Security is built into each major BlackBerry device component, making it more difficult for unauthorized users to remove or circumvent security on a BlackBerry device than on other mobile operating systems. Plus, all parts of the BlackBerry supply chain, from its manufacturing partners to the BlackBerry infrastructure and devices, are securely connected, which means trusted BlackBerry devices can be built around the world.
This secure manufacturing model helps prevent the impersonation of authentic BlackBerry devices and ensures that only authentic BlackBerry devices can connect to the BlackBerry infrastructure. Any device trying to connect to the BlackBerry infrastructure must complete the self-verification process before access is granted.
Authentication
Multiple forms of authentication take place within the BlackBerry system to minimize the possibility of data loss and outside attack. First, the BlackBerry infrastructure and BES10 authenticate with each other by sharing a Server Routing Protocol (SRP) authentication key before a connection takes place. The second level of authentication takes place between BES10 and the activated BlackBerry 10 device. When the device is activated, it generates a key pair and sends the public key to BES10. The BES10 server then creates a client certificate and sends an enterprise management root certificate and client certificate back to the device. The device uses the enterprise management root certificate to authenticate the server certificate for the enterprise management Web service. BES10 and the BlackBerry 10 device use the client certificate to authenticate users, their Work Spaces and their devices.
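The certificate relationships set up during activation can be reproduced with the openssl command-line tool. This is an added example, not BlackBerry code: the directory layout, file names, subject names and key types are assumptions, and it models only who signs and who verifies what, not the BES10 protocol itself.

```shell
#!/bin/sh
# Added illustration of the activation trust model; this is not BES10's protocol.
# Directory layout, file names and subject names are constructed for the example.

# Server side: create a self-signed root certificate in directory $1 (CN = $2).
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$2" -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
}

# Requesting side: generate a key pair in directory $1 and wrap the public key
# in a signing request. The private key $1/$2.key never leaves that directory.
make_request() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2.key" &&
    openssl req -new -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr" 2>/dev/null
}

# Server side: the root in directory $1 signs request $2 and writes certificate $3.
issue_cert() {
    openssl x509 -req -in "$2" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -sha256 -days 30 -out "$3" 2>/dev/null
}

# Either side: succeeds only if certificate $2 chains to root certificate $1.
chains_to_root() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Walk through the exchange; returns 0 only if every check behaves as expected.
demo() {
    server=$(mktemp -d) && device=$(mktemp -d) && rogue=$(mktemp -d) || return 1
    make_root "$server" "enterprise-management-root" || return 1

    # Certificate for the management web service, issued under the same root.
    make_request "$server" "em-web-service" &&
        issue_cert "$server" "$server/em-web-service.csr" \
                   "$server/em-web-service.pem" || return 1

    # Activation: the device creates its key pair, only the request travels,
    # and the server returns the client certificate plus the root certificate.
    make_request "$device" "device-0001" &&
        issue_cert "$server" "$device/device-0001.csr" "$device/device-0001.pem" &&
        cp "$server/root.pem" "$device/root.pem" || return 1

    # Device authenticates the web service with the root it received.
    chains_to_root "$device/root.pem" "$server/em-web-service.pem" || return 1
    # Server authenticates the device by its client certificate.
    chains_to_root "$server/root.pem" "$device/device-0001.pem" || return 1

    # A certificate with the same device name from a different root is rejected.
    make_root "$rogue" "lookalike-root" &&
        make_request "$rogue" "device-0001" &&
        issue_cert "$rogue" "$rogue/device-0001.csr" "$rogue/device-0001.pem" || return 1
    if chains_to_root "$server/root.pem" "$rogue/device-0001.pem"; then return 1; fi

    rm -rf "$server" "$device" "$rogue"
}

demo && echo "activation trust checks passed"
```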
BlackBerry 10 Operating System
[Figure: boot-time verification chain. Labels, in order:]
CPU Embedded Boot ROM: Boot ROM digital signature
Boot ROM: Public EC 521 key of OS signature (Verified)
BlackBerry 10 OS: SHA256 hash of Base File System, signed with EC 521 (Verified)
Base File System (Read only): XML manifest of loaded applications, cryptographically hashed (Verified)
Applications 1 to 4
Software Upgrades and Application Downloads from BlackBerry World. All downloads verified with ECC signed SHA-2 hashes.
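The staged verification shown in the figure labels above (boot ROM key, signed OS image, base file system hash, application manifest) can be modelled with openssl. This is an added example, not BlackBerry code: the image layout, file names and manifest element names are constructed, and the order of the stages is read from the figure labels.

```shell
#!/bin/sh
# Added illustration of a staged boot verification chain; not BlackBerry code.
# Image layout, file names and manifest element names are constructed.

sha256_of() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }

# Build a constructed image set in directory $1 and sign the OS image with a
# throwaway P-521 key that stands in for the vendor's signing key.
build_image() {
    img=$1
    mkdir -p "$img/apps" || return 1
    openssl ecparam -name secp521r1 -genkey -noout -out "$img/vendor.key" || return 1
    openssl ec -in "$img/vendor.key" -pubout -out "$img/bootrom_pub.pem" 2>/dev/null || return 1
    printf 'constructed application one\n' > "$img/apps/app1"
    printf 'constructed application two\n' > "$img/apps/app2"
    {   # Base file system stand-in: holds only the XML manifest of app hashes.
        echo '<manifest>'
        for app in app1 app2; do
            echo "  <app name=\"$app\" sha256=\"$(sha256_of "$img/apps/$app")\"/>"
        done
        echo '</manifest>'
    } > "$img/basefs.img"
    # OS image stand-in: carries the expected hash of the base file system.
    printf 'constructed kernel bytes\nbasefs_sha256=%s\n' \
        "$(sha256_of "$img/basefs.img")" > "$img/os.img"
    # Sign the OS image, then discard the private key: only the public half
    # (the boot ROM's copy) stays with the image.
    openssl dgst -sha256 -sign "$img/vendor.key" -out "$img/os.sig" "$img/os.img" &&
        rm -f "$img/vendor.key"
}

# Returns 0 if every stage verifies, otherwise the number of the failing stage.
verify_chain() {
    img=$1
    # Stage 1: the boot ROM public key checks the signature over the OS image.
    openssl dgst -sha256 -verify "$img/bootrom_pub.pem" -signature "$img/os.sig" \
        "$img/os.img" >/dev/null 2>&1 || return 1
    # Stage 2: the verified OS image supplies the expected base file system hash.
    want=$(sed -n 's/^basefs_sha256=\([0-9a-f]\{64\}\)$/\1/p' "$img/os.img")
    [ -n "$want" ] && [ "$want" = "$(sha256_of "$img/basefs.img")" ] || return 2
    # Stage 3: the verified manifest supplies the expected hash of each application.
    entries=$(sed -n 's/.*<app name="\([^"]*\)" sha256="\([0-9a-f]\{64\}\)"\/>.*/\1 \2/p' \
        "$img/basefs.img")
    while read -r name digest; do
        case $name in ''|*/*|.*) return 3 ;; esac   # empty or path-like names fail
        [ -f "$img/apps/$name" ] || return 3
        [ "$digest" = "$(sha256_of "$img/apps/$name")" ] || return 3
    done <<EOF
$entries
EOF
    # Fail closed on any application file the manifest does not list.
    for f in "$img"/apps/*; do
        printf '%s\n' "$entries" | cut -d' ' -f1 |
            grep -qxF -- "$(basename "$f")" || return 3
    done
    return 0
}

# Demo: a clean image verifies; a modified application is caught at stage 3.
demo_img=$(mktemp -d)
if build_image "$demo_img" && verify_chain "$demo_img"; then
    echo "boot chain verified"
    echo 'patched' >> "$demo_img/apps/app2"
    verify_chain "$demo_img" || echo "tampering detected at stage $?"
fi
```

Because each stage trusts only data covered by the previous check, editing the manifest to match a modified application moves the failure to stage 2 rather than hiding it.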
BlackBerry 10 Device OS Security Features
Protecting the device’s OS is one of the most important functions of mobile device security. However, it’s sometimes neglected by other manufacturers focused on consumer devices, since it can be challenging to verify the security vulnerabilities contained in millions of lines of source code, a common characteristic of many devices’ OSs. The BlackBerry 10 OS includes security features for OS protection, including:
Microkernel Implementation
The hardened QNX microkernel used in the BlackBerry 10 OS contains approximately 150,000 lines of code. With fewer lines of code, the BlackBerry OS is less susceptible to vulnerabilities than other platforms. As a result, rigorous security verification and testing are achieved, even with a fixed amount of IT resources.
Resilient Design
To reduce risks, the microkernel contains processes associated with personal use. Any unresponsive or misbehaving process is automatically restarted or killed, respectively, without impacting other processes.
Root Process Minimization
To reduce security risks, only the most essential BlackBerry processes are run in root mode. This mode is never available to third parties.
BlackBerry World Application Stores
Once a BlackBerry 10 device is activated on BES10, it has access to two separate BlackBerry World application storefronts: BlackBerry World for personal use and BlackBerry World for Work for enterprise use.
Within the Work Space, only applications approved by the BES10 administrator are permitted to be installed. Work applications can either be “pushed” to users based on policy, or “pulled” by users for optional use. Within the Personal Space, users are free to download any application available through BlackBerry World.
For the large majority of organizations, BlackBerry Balance, available via the BES10 Silver EMM⁴ configuration, optimizes the balance between security and employee expectations for a compelling work and life end-user experience. Some highly sensitive, regulated environments, however, may not permit personal use on employee devices due to established risk management policies. For these organizations, often operating in government, financial services or healthcare sectors, for example, BlackBerry offers the BES10 Gold EMM⁵ configuration, which gives administrators the ability to disable personal use, as well as impose device, application and content controls that exceed the granularity of the BES10 Silver EMM configuration. No other mobile platform offers this unique capability.
The BES10 regulated-level device management control features enable large enterprises and government and regulated industries to manage fully locked-down devices with a set of controls unmatched in their level of granularity.
Gold level device management capabilities include:
BlackBerry 10 Mobile Device Management (MDM) capabilities designed for secure, government and regulated environments
Enforcement of corporate-only use and granular controls to manage use of camera, storage, WiFi, Bluetooth and other device features
Option to enable a controlled Personal Space through BlackBerry Balance while ensuring all work content is fully protected within the Work Space
User friendly and intuitive management console to manage your devices, users, groups, apps and services, including reporting and dashboard capabilities
Sampling of Regulated-level BlackBerry 10 Device Management Controls
Mobile Hotspot Mode and Tethering
Specify whether to allow Mobile Hotspot mode, tethering using Bluetooth technology, and tethering using a USB cable on a BlackBerry 10 device.
Wireless Service Provider Billing
Specify whether a BlackBerry 10 device user can purchase applications from the BlackBerry World app storefront using the purchasing plan for your organization’s wireless service provider.
Maximum Password Age
Specify the maximum number of days that can elapse before a BlackBerry 10 device password expires and a BlackBerry 10 device user must set a new password.
Wipe the Work Space without Network Connectivity
Specify the time in hours that must elapse without a BlackBerry 10 device connecting to your organization’s network before wiping the entire device.
Non-Email Accounts
Specify whether a BlackBerry 10 device user can add third-party accounts for services, such as Facebook, Twitter, LinkedIn and Evernote to the device.
Network Access Control for Work Applications
Specify whether work applications on a BlackBerry 10 device must connect to your organization’s network through BES10.
Log Submission
Specify whether a BlackBerry 10 device can generate and send log files to the BlackBerry Technical Solution Center.
Bluetooth
Specify whether a BlackBerry 10 device can use Bluetooth technology.
SMS/MMS
Specify whether a BlackBerry 10 device can send SMS text messages and MMS messages.
Camera
Specify whether a BlackBerry 10 device can use the camera.
BES10’s Gold level EMM controls and settings deliver
the ultimate security solution for government and other
high-security environments
Leaders in innovation
Largest Research & Development staff of any EMM vendor³
Expansion of security model to iOS and Android
Scalability. Devices per server: 100K
BES10 servers globally: 30K+
44K
Managing
Devices
With BES10 you can also
easily manage iOS and
Android™ devices from
a central location
A typical enterprise may contain hundreds of devices, each one a potential unauthorized entry point into your corporate servers. To help IT departments get a handle on the large number and diversity of devices attached to your network, BlackBerry has extended its security model to iOS and Android smartphones and tablets through BES10. With the ability to use BES10 to manage multiple types of devices from a single platform and management console, IT administrators are able to strike the perfect balance between corporate and end user needs.
Secure Work Space for iOS and Android
BlackBerry has also extended its ability to protect corporate data through the creation of secure computing and communications environments to iOS and Android devices. Secure Work Space is a containerization, application-wrapping and secure connectivity option for iOS and Android smartphones and tablets that is managed through the BES10 administration console. Managed applications are secured and separated from personal apps and data, providing an integrated email, calendar and contacts app, an enterprise-level secure browser and secure document viewing and editing. User authentication is required to access secure apps and work data cannot be shared outside the Secure Work Space. The trusted BlackBerry security model provides built-in secure connectivity for all enterprise apps deployed to the Secure Work Space – no VPN needed.
BlackBerry Mobile Device Management in Action
Your company has hired several new employees – each due to receive a BlackBerry 10 smartphone. The IT department quickly and easily adds a user account for each employee into BES10, using information from your company’s Microsoft Active Directory. An activation password for each account is created, along with the Server Routing Protocol (SRP) ID of the BES10, and delivered to the respective employee.
The new employees type their user IDs, passwords and SRP IDs into their BlackBerry 10 devices to activate them. The smartphone’s enterprise management agent establishes a secure connection through the BlackBerry infrastructure over the network to BES10. Encryption keys, based on IT department policies, are generated, Work Spaces are created and profiles and software configurations are sent to each smartphone. In just a few short steps, the incoming employees are empowered with fully functional and secure mobile devices.
Managing Devices Using Device Wipe
With BES10 and BlackBerry Balance, you can keep company data safe while leaving employee personal data intact. Using BES10, you can remotely wipe an employee’s Work Space and all its content, leaving all personal data on the device in place. You can also use BES10 to create policies that delete the Work Space from the device if certain events occur or specific conditions are met. For example, you can create a policy to delete the Work Space if the number of failed password attempts exceeds the maximum number allowed. You can also wipe the device if employees exceed their allotment of permitted hours or days since the last network connection.
Device Wipe in Action
An employee has just received a job offer from a competitor. This employee works in your company’s procurement department and has access to the company enterprise resource planning (ERP) system via her BlackBerry 10 device. Using the ERP system application, the employee can see the company’s suppliers, vendors, parts inventory, backlogs, sales projections and more. The employee accepts the job offer and gives a two-week notice. Her manager alerts HR and IT departments about her upcoming departure. On her last day, IT wipes the employee’s work profile from her BlackBerry 10 device, which prevents her from accessing the ERP and email systems. However, all of her personal information remains intact on her device as she moves on to her next job.
Distribution and Application Security Using BlackBerry World for Work
A benefit of BlackBerry Balance is that it allows IT to create and deploy a customized business application store, called BlackBerry World for Work. With BlackBerry World for Work, you can push, install and manage business and productivity applications over the network to BlackBerry 10 device Work Spaces via BES10.
Application Sandboxing
The application sandboxing and malware controls found in BlackBerry 10 help keep company data safe and secure from potentially malicious applications. BlackBerry 10 also protects employees’ personal data by allowing them to configure their devices’ application controls and limit application access to their personal information.
Sandboxing separates and restricts an application’s capabilities and permissions. The sandbox is a virtual container that uses device memory and part of the file system and grants access to the application at a specific time. Applications can have sandboxes in both an employee’s Work Space and Personal Space, yet each remains isolated from the other. The BlackBerry 10 OS monitors application process requests for memory outside its sandbox. If the application attempts to access memory outside its sandbox, the BlackBerry 10 OS will stop the process and reclaim the memory it uses, then restart the process without impacting other processes operating at the same time. In addition, each application is assigned its own specific group identification, which cannot be shared or reused by another application. Each application stores data in its own sandbox and the BlackBerry 10 OS prevents other applications from accessing this specific data.
Malware Controls
The BlackBerry 10 OS includes tight controls to reduce the possibility of malware attacks, including a ‘contain-and-constrain’ strategy that minimizes risks. Application process requests are constrained within employees’ Personal Space on the device, and the BlackBerry OS microkernel monitors inter-process communications for potential issues. The microkernel also monitors memory access by the Personal Space and authorizes its use as needed. Any application process that attempts an unauthorized memory access request is automatically restarted or shut down, protecting your company data. In the employee’s Personal Space, application permissions are used to protect personal data from potential malware attacks.
Malware Protection in Action
Instead of downloading an application to the device from the prescribed channel, an employee downloads an application from the Internet to her personal computer, then moves the application, which contains malware, to the device's Personal Space. The malware scans the employee’s device for names, phone numbers, credit card numbers or any other bits of identity information that can be stolen and misused. Work-related information is not impacted, as all company information remains isolated and locked down on the device’s Work Space, fully protected and secure.
End-to-end Security
Securing and protecting corporate data is of paramount concern for all enterprises. As businesses continue to adopt and expand mobility options as a means of improving worker productivity and end-user satisfaction, however, protecting corporate information and guarding against data loss becomes an increasingly complex challenge for IT departments. Underlining the situation is the fact that each personal-enabled device added to the corporate network brings with it a new opportunity in which sensitive enterprise data can be disclosed accidentally or intentionally stolen, either by the device user or by any untrusted application that is installed on the device. Accordingly, today’s resource-challenged IT departments require proven and comprehensive enterprise mobility management solutions that have integrated security designs and controls necessary to protect against these new risks, while delivering the compelling work and life experience that employees demand. But protecting corporate data from misuse and loss is only half of the story. A mobile security solution, even an ironclad one, must also secure work applications while delivering an environment that enables developers to quickly and effectively create enterprise applications. BlackBerry 10 delivers on this promise with a highly functional application environment that is transparent to developers.
BlackBerry 10 was designed from the ground up to provide enterprises with the optimal balance of protection and productivity. BlackBerry 10, BES10, the BlackBerry infrastructure and BlackBerry 10 devices constitute an ironclad security solution that spans your entire business and delivers a productive and feature-rich work environment with an integrated suite of productivity applications for your increasingly mobilized workforce.
Size | 140.7mm x 72mm x 9.4mm | 130mm x 65.6mm x 9mm | 119.6mm x 66.8mm x 10.35mm | 120mm x 66mm x 10.8mm
Display | 5" Super AMOLED display, 24 bit color, 1280 x 720 resolution at 295 PPI | 4.2" 4-point multi-touch LCD display, 1280 x 768 resolution at 356 DPI | 3.1" Super AMOLED display, 720 x 720 resolution at 330 PPI | 3.1" Capacitive multi-touch LCD display, 720 x 720 resolution at 329 PPI
Software | BlackBerry® 10 OS | BlackBerry® 10 OS | BlackBerry® 10 OS | BlackBerry® 10 OS
Memory | 2GB RAM, 16GB Flash®, hot-swappable Micro SD slot | 2GB RAM, 16GB Flash®, hot-swappable Micro SD slot | 2GB RAM, 16GB Flash®, hot-swappable Micro SD slot | 2GB RAM, 8GB Flash®, hot-swappable Micro SD slot
Processor | Dual Core 1.7 GHz Qualcomm MSM8960, Quad-core GPU | Dual Core 1.5 GHz Texas Instruments OMAP 4470 | Dual-core 1.5 GHz Qualcomm® MSM8960 | Dual Core 1.2 GHz Qualcomm® MSM8960
Battery Life¹ | Mixed use: up to 25 hours; Talk time: up to 18 hours UMTS/14 hours GSM; Standby time: up to 16 days; Music: up to 90 hours; Video: up to 12 hours | Talk time: up to 11 hours on 3G; Standby time: up to 408 hours on 3G, up to 397 hours on 2G; Music: up to 51 hours; Video: up to 10 hours | Talk time: up to 13.5 hours on 3G; Standby time: up to 345 hours on 3G, up to 324 hours on 2G; Music: up to 62 hours; Video: up to 9 hours | Talk time: 3G - up to 12.5 hours, 2G - up to 10 hours; Standby time: up to 14 days on 3G, up to 13 days on 4G; Music: up to 62 hours; Video: up to 9 hours
Camera | 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording | 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording | 8 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording | 5 MP rear-facing camera, 5x digital zoom, 1080p HD video recording; 2MP front-facing camera, 3x digital zoom, 720p HD video recording
GPS | GPS-enabled with preloaded BlackBerry® Maps application | GPS-enabled with preloaded BlackBerry® Maps application | GPS-enabled with preloaded BlackBerry® Maps application | GPS-enabled with preloaded BlackBerry® Maps application
Bluetooth® | Bluetooth 4.0 Low Energy | Bluetooth 4.0 Low Energy | Bluetooth 4.0 Low Energy | Bluetooth 4.0 Low Energy
Wi-Fi®² | 802.11 a/b/g/n enabled, 4G Mobile Hotspot | 802.11 b/g/n enabled, Mobile Hotspot | 802.11 a/b/g/n enabled, 4G Mobile Hotspot | 802.11 b/g/n enabled, Mobile Hotspot
¹ Many factors affect battery life including but not limited to network, transmission environment, battery age, usage, location, software and feature configuration.
² WiFi availability may vary between country and mobile network operators.
BlackBerry Technical Support Services
Support is a key component of your Enterprise Mobility Management strategy. Implementing BES10 is easier than ever, but having a strategic support partner is still essential to assist you in delivering your mobility objectives. BlackBerry Technical Support Services offers a unique blend of technical expertise, rapid issue resolution and proactive, relationship-based support to help you realise the full potential of your BES10 multi-platform management infrastructure.
For more information visit blackberry.com/btss
Learn more at BES10.com/security
¹ February 2014
² August 2013
³ November 2013
⁴ Silver level EMM provides the management and control feature set for iOS, Android and BlackBerry 10 devices previously known as BES10 EMM Corporate.
⁵ Gold level EMM provides the management and control feature set for BlackBerry 10 devices previously known under the name EMM Regulated, and also covers the containerization option for iOS and Android management known as Secure Work Space for iOS and Android.
Screen images simulated.
© 2014 BlackBerry. All rights reserved. BlackBerry® and related trademarks, names and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world. All other trademarks are the property of their respective owners. iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.