SafeNet MobilePKI for BlackBerry V1.2. Administration Guide


All information herein is either public information or is the property of and owned solely by Gemalto NV and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information. Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any intellectual and/or industrial property rights of or concerning any of Gemalto's information. This document can be used for informational, non-commercial, internal and personal use only provided that: The copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in all copies. This document shall not be posted on any network computer or broadcast in any media and no modification of any part of this document shall be made. Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities.

The information contained in this document is provided "AS IS" without any warranty of any kind. Unless otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information contained herein. The document could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the specifications data, information, and the like described herein, at any time. Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement.

In no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of information contained in this document. Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks. Under no circumstances shall Gemalto be held liable for any third party actions and in particular in case of any successful attack against systems or equipment incorporating Gemalto products. Gemalto disclaims any liability with respect to security for direct, indirect, incidental or consequential damages that result from any use of its products. It is further stressed that independent testing and verification by the person using the product is particularly encouraged, especially in any application in which defective, incorrect or insecure functioning could result in damage to persons or property, denial of service or loss of privacy.

Copyright 2016 Gemalto N.V. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto N.V. and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether registered or not in specific countries, are the property of their respective owners.

Gemalto, B.P. 100, 13881 GEMENOS, FRANCE. +33 (0)4.42.36.50.00. Printed in France.
Document reference: Product version: 1.2.0, March 31, 2017. www.gemalto.com

Contents

Preface
  About This Guide
  Who Should Read this Guide
  For More Information
  Contact Us
Chapter 1  Introduction
  About MobilePKI for BlackBerry
  Requirements
Chapter 2  Adding a MobilePKI Configuration to the BlackBerry Server
  Getting MobilePKI
  Adding MobilePKI to an App Group
    Creating a New App Group
    Adding Users to an App Group
    Adding MobilePKI to an App Group
  Using MobilePKI as an Authenticator in BlackBerry Policy
Chapter 3  Managing MobilePKI Security Policy via Server Dashboard
  Enrollment Settings
  Bluetooth Smart Settings
  Card Management Settings
  Cert Management Settings
  About
Terminology

Preface

About This Guide

This guide contains information on configuring the MobilePKI for BlackBerry environment from the company's BlackBerry Control administration server.

Who Should Read this Guide

This guide is intended for administrators of the BlackBerry suite of apps. Administrators are the company's IT support team who manage the MobilePKI for BlackBerry environment from the administration server.

For More Information

The following related documents and references are available:
- SafeNet MobilePKI for BlackBerry User Guide for iOS: contains detailed information on setting up and managing the MobilePKI for BlackBerry environment on an iOS platform.
- SafeNet MobilePKI for BlackBerry User Guide for Android: contains detailed information on setting up and managing the MobilePKI for BlackBerry environment on an Android platform.
- SafeNet MobilePKI for BlackBerry Administration Guide: contains detailed information on configuring MobilePKI for BlackBerry on the BlackBerry Control server.
- SafeNet MobilePKI for BlackBerry Customer Release Notes: contains package information such as the latest features, improvements, requirements, and others.
- http://www.gemalto.com/products/mobilepki/: the official MobilePKI for BlackBerry Web page, where you can find a wide range of information.
- http://www.good.com/admin: BlackBerry's administrator resources page.

In addition, you can refer to the following standards and specifications:
- Java cryptography engine on the Android platform: http://www.bouncycastle.org/
- Android Developers Reference Site: http://developer.android.com
- Intents and Intent Filters Developer Guide: http://developer.android.com/guide/components/intents-filters.html
- Java Cryptography Architecture (JCA) Reference Guide: http://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/cryptospec.html
- AIDL Android API Guide: http://developer.android.com/guide/components/aidl.html
- Java.security Package Summary: http://developer.android.com/reference/java/security/package-summary.html (Android documentation for JCE API support)
- OMAPI Standard: http://simalliance.org/handset/handset-technical-releases/
- Open Authentication web site: http://www.openauthentication.org/
- Windows Smart Card Minidriver Specification, Version 7.07, October 19, 2012, from Microsoft: http://msdn.microsoft.com/en-us/windows/hardware/gg487500.aspx

Contact Us

For contractual customers, further help is provided in the Gemalto Self Support portal at http://support.gemalto.com, or you can contact your Gemalto representative. Gemalto makes every effort to prevent errors in its documentation. However, if you discover any errors or inaccuracies in this document, please inform your Gemalto representative.

1 Introduction

About MobilePKI for BlackBerry

SafeNet MobilePKI for BlackBerry is a mobile application that provides seamless Single Sign-On (SSO) capability to BlackBerry Dynamics applications. It enables the user to easily access all containerized apps on the mobile device as well as behind-the-firewall enterprise resources without the need for additional corporate credentials. When a user launches a BlackBerry Dynamics application, the user is automatically redirected to the MobilePKI for BlackBerry application for authentication. After successfully logging in, the user can proceed with the initial application.

MobilePKI for BlackBerry transparently addresses all the various Gemalto secure element form factors, such as smart cards (inserted in Bluetooth Smart readers), tokens, secure MicroSD cards, NFC cards, UICC-SIM cards and others, through its embedded IDGo 800 for Mobile cryptographic middleware.

Based on the BlackBerry Trusted Authentication Framework (TAF), MobilePKI provides the highest possible security level for BlackBerry Dynamics applications through Two-Factor Authentication (2FA) and PKI technology. For security reasons, Gemalto strongly recommends that you use separate PKI certificates and keys for digital signature and encryption.

Requirements

MobilePKI for BlackBerry runs on Android and iOS mobile devices. Authentication usually requires your smart card badge or token, which connects to your mobile device via Bluetooth or NFC. Also, be sure that your device is connected to the Internet. For more details regarding the operating requirements, read the Technical Specifications and Compatibility sections at http://www.gemalto.com/products/mobilepki/. For information specific to a package release version, refer to the corresponding MobilePKI for BlackBerry Customer Release Notes.

For the requirements to set up the BlackBerry Control server and the steps to configure it, refer to http://www.good.com/admin or contact your BlackBerry support.

2 Adding a MobilePKI Configuration to the BlackBerry Server

This chapter describes how to add a MobilePKI configuration to the BlackBerry server so that it can be used on the client devices. This is a two-step process:
1. Getting MobilePKI from the official online marketplace.
2. Setting the MobilePKI app as the authenticator for BlackBerry apps.

Getting MobilePKI

Go to the official online marketplace, https://apps.good.com/pce/#/apps/391936731, click START TRIAL and follow the subsequent instructions.

Note: SafeNet MobilePKI for Good will be rebranded as SafeNet MobilePKI for BlackBerry.

Adding MobilePKI to an App Group

To enable MobilePKI as the authenticator for BlackBerry apps, it must be added to an app group by using the administration console. Depending on your organization's policy, you can either:
- Add MobilePKI to the default Everyone group, which makes it accessible to all users within your organization, or
- Create a new app group where you can add MobilePKI and manage user access.

Before performing any of the following procedures, log in to the BlackBerry server with your user name, password and domain settings.

Creating a New App Group

To create a new app group, perform the following steps:
1. In the dashboard, go to APPS > App Groups.
2. Click the add icon.
3. Type a descriptive name for the new app group, for example, MobilePKI.
4. Click Create Group. A new app group page is created.

The group name is subsequently added to the group list. If you want to remove the group from the list, click its Remove icon.

Adding Users to an App Group

To enable certain users to access a custom app group, perform the following steps:
1. In the dashboard, go to APPS > App Groups.
2. Select the app group from the list.
3. Under the MEMBERS tab, click Add.
4. Select the users that you want from the popup list, and click OK.

The selected users are subsequently added to the member name list. If you want to remove a user name from the list, click its Remove icon.

Adding MobilePKI to an App Group

To add MobilePKI to an app group, perform the following steps:
1. In the dashboard, go to APPS > App Groups.
2. Select the app group from the list.
3. Select the APPS tab.
4. In the ENTITLED ENTERPRISE APPS section, click Add More.
5. Select MobilePKI for BlackBerry from the popup list, and click OK.

The MobilePKI app is subsequently added to the app list.

Using MobilePKI as an Authenticator in BlackBerry Policy

You can set MobilePKI as the authenticator for BlackBerry apps by performing the following steps:
1. In the dashboard, click POLICIES > Policy Sets. A list of policies appears.
2. In the Security Policies tab, scroll down to Authentication Delegation and click Add Application.
3. In the Select Authentication Delegation Application page, click either SafeNet MobilePKI for BlackBerry or the + icon to add it.
4. Click Update to save the selections.

3 Managing MobilePKI Security Policy via Server Dashboard

This chapter covers the management of the Gemalto security policy used in the SafeNet MobilePKI for BlackBerry application and is meant for administrators. To see the number of user accounts registered on BlackBerry applications, the security policies, and the number of devices connected per account, see USERS > Users and Groups in the dashboard.

Attention: All applications incorporating BlackBerry Dynamics security features allow access to a server-based solution (SaaS) and backend infrastructure (IaaS). The application does not offer a subscription and there is no in-app purchasing capability. If access to the backend infrastructure is desired, enterprises may only order and purchase access licenses for their users from Gemalto, under various negotiated business terms (site licenses, perpetual licenses). Access licenses are device independent, transferable and can be used with iOS and Android. The application can support a single user over several devices. The reason for a separate access code per device is BlackBerry's device management capability, where, for example, a customer administrator has the ability to remotely wipe the data within a BlackBerry Dynamics application on a specific device.

Enrollment Settings

Before using the SafeNet MobilePKI for BlackBerry app, the mobile device user must perform an enrollment process that sets up the app protection keys. There are two ways to authenticate to the application:
- A PKI-based certificate, which is obtained from the user's badge. This comes with a PIN, usually 4 digits long. Note: If this option is not selected, a key pair is generated on the badge to be used for the enrollment.
- A temporary password, which expires after a configurable period. Note: This can be used as a backup password in cases where users have lost their badges or when certain conditions prevent the badges from being used.

After the password expires, or if the user wants to switch back to the smart card authentication method, you have to provide the unlock key to the user when an unlock request is submitted. To allow the user to switch between the authentication methods, use an unlock key. For more information on creating the unlock key for the device, refer to the related BlackBerry Dynamics documentation or support portals.

To edit the Enrollment settings tab:
1. Select Use employee PKI certificate (when disabled, an authentication key is generated automatically instead) to use the PKI certificate found in the user's badge.
2. Select Allow temporary password to access the SafeNet MobilePKI for BlackBerry application when the PKI certificate fails to be authenticated or when the badge is lost.
3. Type the duration that the password remains valid. A default 7-day validity is used unless you change the value.
4. Choose a smart device from the list of devices to pair with the mobile device by clicking Bluetooth Smart.

Bluetooth Smart Settings

This tab allows you to manage the Bluetooth connection options on the user's mobile device. To configure the Bluetooth settings for a user account:
1. In PAIRING MANAGEMENT, select the option(s) required:
   - Select the Allow multiple paired devices at same time check box to enable multiple connections to Bluetooth devices. Depending on the type of reader used, a maximum of five Bluetooth devices can be paired at the same time. Refer to the respective Bluetooth Low Energy reader manual for more information.
   - Select the Allow pairing before user authentication check box to allow pairing with a Bluetooth smart device before the user is authenticated. This is useful if the Bluetooth smart device is lost or damaged and a new device is to be used. If this is not enabled, the user has to start a new enrollment to use the new device.
2. In POWER MANAGEMENT, select Bluetooth Smart Keep alive enabled to set the amount of time during which MobilePKI continually sends commands to the reader to prevent it from entering sleep mode. Type the duration to keep the Bluetooth Smart device from entering sleep mode.

Card Management Settings

These are the options that are available in the MobilePKI application if they are enabled. To edit the Card Management settings tab:
1. Select Allow Change PIN to let the user replace the login PIN with another one. Note: It is good security practice for the user to change the PIN often, to reduce the risk that the PIN is captured by an attacker.
2. Select Allow Unblock PIN to unlock the PIN when the user has exceeded the maximum number of login retries allowed. The default maximum number of wrong PIN attempts depends on the card configuration. Note: The Allow Unblock PIN option is only available on certain badges/cards.
3. Select Force Change PIN during enrollment to force the user to reset the PIN the first time the badge/card is used.

Cert Management Settings

These settings enable you to set the trusted CA certificate used to validate and restrict the client certificates used in enrolling the MobilePKI application. To enable the certificate validation and restriction:
1. Select Enable Trusted CA Certificate Check.
2. Paste the trusted CA certificate string in the Trusted CA Certificate String field. The CA certificate must be in Base-64 encoded X.509 (CER) format. You can put more than one certificate entry, and each certificate must be enclosed by -----BEGIN CERTIFICATE----- to denote the start of the certificate data and -----END CERTIFICATE----- to denote the end of the certificate data. The following snapshot shows a sample certificate string:

[Snapshot: sample certificate string]

Note: Trusted CA certificate checking requires enrollment using the employee PKI certificate.

About

This tab shows the security policy that is applied to the SafeNet MobilePKI application.
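A pasted field that silently fails the format rules above (an unpaired END marker, a line of stray text between entries, a truncated Base-64 block) would leave the trusted CA check without the intended anchor. The following Python script is an added example, not part of the guide or of the MobilePKI product: it checks a concatenated certificate string for exactly the structure the field requires, namely paired BEGIN/END CERTIFICATE markers, valid Base-64 between them, and a decoded blob that is an outer DER SEQUENCE whose declared length matches the data (an X.509 Certificate is always such a SEQUENCE). The two "certificates" it checks are constructed DER placeholders of the right shape, not real CA certificates; it does not verify signatures, CA flags, or trust, which remains the server's job.

```python
"""Format check for a Trusted CA Certificate String (concatenated PEM entries)."""
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.DOTALL)


def der_length(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_sequence(payload: bytes) -> bytes:
    """Wrap payload in a DER SEQUENCE (tag 0x30), the outer shape of an X.509 Certificate."""
    return b"\x30" + der_length(len(payload)) + payload


def pem_wrap(der: bytes) -> str:
    """Base-64 encode DER and enclose it in the BEGIN/END markers, 64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return BEGIN + "\n" + "\n".join(lines) + "\n" + END + "\n"


def outer_sequence_length(der: bytes) -> int:
    """Total length the outer SEQUENCE header claims (tag + length bytes + content)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("does not start with a SEQUENCE tag (0x30)")
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F  # number of length bytes; 0 would be the indefinite form, which DER forbids
    if n == 0 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def parse_trusted_ca_string(text: str) -> list:
    """Split the pasted field into entries and return each entry's DER bytes.

    Raises ValueError for unpaired markers, text outside the markers, invalid
    Base-64, or DER whose size does not match its outer SEQUENCE header.
    """
    begins, ends = text.count(BEGIN), text.count(END)
    if begins != ends:
        raise ValueError(f"{begins} BEGIN marker(s) but {ends} END marker(s)")
    if begins == 0:
        raise ValueError("no certificate entries found")
    if PEM_BLOCK.sub("", text).strip():
        raise ValueError("text found outside BEGIN/END CERTIFICATE markers")
    certs = []
    for idx, block in enumerate(PEM_BLOCK.findall(text), start=1):
        b64 = "".join(block.split())  # PEM line breaks are not part of the data
        try:
            der = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
            claimed = outer_sequence_length(der)
        except ValueError as exc:
            raise ValueError(f"entry {idx}: {exc}") from None
        if claimed != len(der):
            raise ValueError(f"entry {idx}: header claims {claimed} bytes, got {len(der)}")
        certs.append(der)
    return certs


def field_is_valid(text: str) -> bool:
    """True if the field parses cleanly, False on any format problem."""
    try:
        parse_trusted_ca_string(text)
        return True
    except ValueError:
        return False


# Constructed placeholders (NOT real certificates): an INTEGER plus a 128-byte
# OCTET STRING forces a long-form outer length, as real certificates have.
CONSTRUCTED_DER_1 = der_sequence(b"\x02\x01\x01" + b"\x04\x81\x80" + bytes(128))  # 137 bytes
CONSTRUCTED_DER_2 = der_sequence(b"\x02\x01\x02")  # 5 bytes, short-form length
SAMPLE_FIELD = pem_wrap(CONSTRUCTED_DER_1) + pem_wrap(CONSTRUCTED_DER_2)


def check_sample() -> list:
    """Sizes of the entries recovered from the constructed field: [137, 5]."""
    return [len(c) for c in parse_trusted_ca_string(SAMPLE_FIELD)]


if __name__ == "__main__":
    for i, size in enumerate(check_sample(), start=1):
        print(f"entry {i}: well-formed, {size} bytes of DER")
    print("truncated entry accepted:", field_is_valid(pem_wrap(CONSTRUCTED_DER_1[:-1])))
```

Run the script as-is to see both constructed entries accepted and a truncated copy of the first one rejected; to check a real pasted field, call parse_trusted_ca_string() on the string taken from the console and act on the entry number in any ValueError. The length check catches the most common paste error, a certificate cut off mid-block, which Base-64 decoding alone would not flag.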

Terminology

This section contains abbreviations and terms found in this document or related documents.

Abbreviations
- App: Application
- NFC: Near Field Communication
- OS: Operating System
- PKI: Public Key Infrastructure
- SE: Secure Element

Glossary of Terms
- Near Field Communication (NFC): Standards for smart phones and similar devices to establish radio communication with each other by touching them together or bringing them into close proximity.
- Secure Element (SE): Tamper-resistant platform that can take one of the following form factors: UICC SIM card, embedded SE, MicroSD card.