BROCHURE

THERE’S GOOD SECURITY AND THEN THERE’S NATIONAL SECURITY BlackBerry 10 and BES10 The perfect balance of protection and productivity

Back to the Contents THE PERFECT BALANCE OF PROTECTION AND PRODUCTIVITY

Contents

BlackBerry 10 & BES10 3

Corporate Networks Under Attack 4

BlackBerry Security 5

Protecting Data in Motion 7 BES10 Security Philosophy 8 BES10 Certification & Encryption 9 BES10 Layers of Protection 9 Tech Talk 1 & 2 10

Protecting Work Data on Personal-Use-Enabled Devices 11 BlackBerry Balance 12 Tech Talk 3 13

Enforcing Strong Access Controls 14 BlackBerry 10 Device OS Security Features 15 BES10’s Gold level Controls and Settings 16

Manging Devices 18 BlackBerry Management in Action 19

End-to-end Security 21 3 BlackBerry 10 & BES10 End-to-end mobile data security without compromising business productivity or user satisfaction

Keeping corporate data secure is a top priority for The entryways for potential attacks, data loss and productivity any organization. After all, a data breach can cause compromises include: significant financial losses, expose executives to legal Employees maintaining a mix of corporate and third-party actions, damage your company's reputation and weaken applications on the same device and exchanging information or eliminate competitive business advantage. between the two domains

As more employees access your corporate network The installation of threat-vulnerable containerization through mobile devices to communicate, collaborate on mobile devices and share data, your infrastructure becomes increasingly Employees visiting sites where they encounter malware or vulnerable to outside attacks and harder to secure and malicious threats protect. The mixing of personal and work email accounts, apps and data, as well as the proliferation of employee- The use of employee-owned devices to access enterprise owned devices, increases the chance of major data leaks. resources and information

Rivaling the importance of information security, IT managers need a solution that helps them: however, is business-user productivity and satisfaction. Deliver transparent security for an optimal user experience A mobilized workforce is only effective if the end-user experience is uncompromised and critical applications Provide integrated containerization that enables simple and productivity tools operate as efficiently from a enterprise application development and deployment mobile device as they do from a PC attached directly Reduce employee misuse of devices to the corporate network. An effective solution is one that imposes no limitations on end-user Keep personal and work information separate productivity. Ensure that network data, both in transit and at rest, are kept secure The BlackBerry end-to-end enterprise security solution secures data from would-be attacks and loss without requiring you to compromise productivity or user BlackBerry delivers a security solution that satisfaction. satisfies the needs of both enterprises and government agencies. The solution provides IT managers must now consider a highly complex the confidentiality, integrity and authenticity to corporate network infrastructure, accessible to a growing number and diversity of devices and applications, when help protect your organization from data loss devising a plan to protect corporate information and and theft while delivering a seamless, simple maintain worker productivity. and uncompromised end-user experience.

Back to the Contents 4 Corporate Networks Under Attack*

71% 54%

Of breaches targeted Of breaches compromised user devices... servers....

78% 66%

Of intrusions rated as low Of breaches go undetected difficulty... for six months or longer...

*Verizon 2013 Data Breach Investigations Report

Back to the Contents 5 An unavoidable consequence of the explosive expansion of BlackBerry Security mobile devices within businesses and organization of all sizes is a proportional elevation in vulnerability to security breaches A fully integrated end-to-end enterprise and data leakage. To protect your information from increased mobility security solution exposure to attacks or data loss through accidental or malicious means, IT administrators require a comprehensive security solution, but one that does not sacrifice business productivity or end-user satisfaction. BlackBerry end-to-end security is purpose built to deliver optimal protection for work- related content, both on devices and in transit. BlackBerry security delivers fast, integrated device, application and content management and fully encrypted behind-the-firewall access to corporate data without the need for 3rd-party VPNs or add-on security.

The BlackBerry network, combined with its infrastructure authentication, device management capabilities and hardened BlackBerry® 10 , is the ultimate end-to-end mobile security solution.

BlackBerry security focuses on four critical areas: • Protecting data in motion • Protecting work data on personal-use-enabled devices • Enforcing strong access controls • Managing devices

All G7 These four functions protect your data from GOVERNMENTS breaches, losses or alteration as it transits and 16 of the G20 governments the end-to-end path from your enterprise, rely on BlackBerry security BES10 server, the BlackBerry network and, ultimately, your employees’ BlackBerry devices.

Back to the Contents 6

The ultimate standard for end-to-end mobile security 45 35PB Security certificates per month on average. Only MDM provider More than any other mobile vendor Moves more secure mobile data through its infrastructure than to obtain ATO on U.S. any other EMM vendor Defense networks

AES FIPS Dedicated 256 140-2 Security Team

Back to the Contents 7 Protecting Data in Motion A key element of the BlackBerry solution for in-transit data security in BES10

Because many of your employees work outside the office, BES10 Overview it’s critical that you have strong security measures in place BlackBerry has long-been the ultimate in mobile security. – both on employees’ devices and across internal network An integral component of the BlackBerry solution is BES10, infrastructure – to protect data in transit. A key element of the which secures in-transit data using security BlackBerry solution for in-transit data security is the BlackBerry over the BlackBerry infrastructure. BES10 encrypts data using Enterprise Service 10, BlackBerry's device and application AES 256-bit encryption prior to transmission, while message management platform. BES10 offers built-in data encryption keys are encrypted by the device transport key. BES10 also to help both enterprises and government agencies protect protects and manages devices and applications within the sensitive information and minimize data loss or alteration. end-to-end BlackBerry security solution.

Secure Enterprise Connectivity

Work Personal BlackBerry Enterprise Service 10

Enable Work Network TLS over For Personal Use (Enable/Disable)

AES BlackBerry BlackBerry SSL (Optional) Mobile Data Dispatcher and Connection BlackBerry Wi Fi Wi Fi Infrastructure Service Firewall or / BlackBerry 10 or 3G/4G

Enerprise Management Web Service SSL Enable Work Network For Personal Use (Enable/Disable)

VPN over Private Network Content servers Wi Fi VPN over Firewall with Firewall with SSL (Optional) or 3G/4G BlackBerry 10 Wi Fi VPN Gateway VPN Gateway or 3G/4G Web servers

Wi Fi Microsoft ActiveSync

VPN: IPSec or SSL SSL (Optional): Authenticated with server specific certificate TLS: BlackBerry infrastructure authenticated SSL: Authenicated with client/server certificates generated with self certification during activation AES 256: Encrypted with device transport key Wi Fi Wi-Fi: IEE 802.11.i with 802. 1x generated during activation (EAP-FAST, EAP-TLS. EAP-TTLS, PEAP and LEAP)

Back to the Contents 8 Protecting Data in Motion cont.

BES10 Security Philosophy

Confidentiality

Integrity Authenticity

The security features found in BES10 are built upon a foundation of confidentiality, integrity and authenticity.

Confidentiality BES10's encryption capabilities ensures that only intended recipients can view corporate data.

Integrity All email sent over a secure network is strongly encrypted to keep third parties from decrypting or altering the message.

Authenticity BES10 provides two-way authentication upon pairing with the device, helping reduce the possibility of counterfeit devices accessing your infrastructure.

Back to the Contents 9 Protecting Data in Motion cont.

BlackBerry 10/BES10 FIPS 140-2 Certification Encryption Options Businesses and government agencies alike need to feel confident BES10 uses a technique called tunneling to protect data in that their highly sensitive data – whether it’s in storage or transit over a secure network. Tunneling incorporates multiple in transit – stays secure from would-be attackers. The U.S. layers of encryption between devices, BES10 and the wireless government created and implemented the FIPS 140-2 computer resource for additional data protection. security standard and uses it to accredit file encryption modules. For example, when employees access the corporate Wi-Fi Both the BlackBerry 10 OS and BES10 are FIPS 140-2 network, data transmissions between their device and certified, which means that your organization’s data is strongly BES10 are secured first by AES encryption and then by encrypted and the corresponding encryption keys are rigorously Wi-Fi encryption. protected. BlackBerry 10 devices, controlled by BES10, are the only mobile devices to be given Authority to Operate (ATO) on Wi-Fi Encryption (IEEE 802.11) Department of Defense networks. Encrypts data transmitted between mobile devices and wireless access points set up to use Wi-Fi encryption. S/MIME Messaging Encryption VPN Encryption BES10 gives you the option of using digital certificates to sign Encrypts data transmitted between mobile devices and and encrypt email and file attachments using industry standard VPN servers. S/MIME encryption. When IT personnel activate a mobile device on BES10, the device can be configured to sign and encrypt AES Encryption messages using S/MIME whenever the employee sends emails Encrypts data transmitted between mobile devices, via his or her work account. S/MIME encryption keeps messages the BlackBerry infrastructure and BES10. secure by using recipients’ public keys to encrypt the message and their private key to decrypt it. Often overlooked as a security SSL/TLS Encryption agent, S/MIME is a cost-effective productivity tool for enabling Encrypts data transmitted between mobile devices and highly secure email communications with business partners content servers, Web servers or messaging servers that use and contractors outside of your organization. Microsoft ActiveSync.

BES10 Layers of Protection BES10 contains multiple layers of protection, so data stays secure both in transit and on devices

In-transit Data Protection BlackBerry 10 OS Protection BES10 protects data transmissions using transport layer security. BlackBerry 10 devices conduct integrity tests to detect kernel damage and restart processes that stop responding. Work Data Device Protection Work file systems and applications are kept separate from Application Data Protection Via Sandboxing personal data and encrypted. Sandboxing separates and restricts the capabilities and permissions of applications running on the device. Personal Data Device Protection IT managers can create policy rules to encrypt data within the Resource Protection personal file system. Adaptive partitioning is used to allocate unused resources during typical operating conditions, to help ensure resources Device Access Control are available during peak conditions. Work Wi-Fi and VPN profiles may be delivered remotely via BES10 to enable corporate network access. Access Capabilities Permissions Management The BlackBerry 10 OS evaluates each device capability request Device Behavior Control made by an application, then grants access accordingly. IT managers can remotely lock mobile devices, enforce policies and wipe work/personal data from devices. Boot Rom Code Verification The device verifies that the boot ROM code is authentic, Device User Information Protection unmodified and has permission to run on the device. Users can delete all their information and application data from device memory.

Back to the Contents 10 Protecting Data in Motion cont.

Tech Talk 1 Tech Talk 2 FIPS 140-2 Certification Details S/MIME Keys, Certificates and Encryption Algorithms

The FIPS 140-2 certification was implemented by the BlackBerry devices support keys and certificates for the National Institute of Standards and Technology to govern following file format and file name extensions: cryptography modules that involve both hardware and software components. • PEM (.pem, .cer) • DER (.der, .cer) The BlackBerry OS cryptographic kernel, which received • PFX (.pfx, .p12) FIPS 140-2 certification for the BlackBerry 10 OS and BES10, generates the file encryption keys, the work A private key and certificate must be stored on the device domain key, the work master key and the system master for each recipient of an encrypted email message. Keys key to provide a strong layer of security to protect data. and certificates can be stored simply by importing the files from a work email message. To send encrypted messages, The FIPS 140-2 certificate for BlackBerry 10 and BES10 your employees must use their work email accounts. BlackBerry Enterprise Service 10 FIPS-1402 Certificate no. 1765 Consolidated Certificate no. 0019http://csrc. The following encryption algorithms can be used by nist.gov/groups/STM/cmvp/documents/140-1/140crt/ BlackBerry devices to encrypt S/MIME-protected FIPS140ConsolidatedCertList0019.pdf messages:

BlackBerry 10 • AES (256-bit) FIPS 140-2 Certificate no. 1578 Consolidated • AES (192-bit) Certificate no. 0007http://csrc.nist.gov/ • AES (128-bit) groups/STM/cmvp/documents/140-1/140crt/ • Triple DES FIPS140ConsolidatedCertList0007.pdf • RC2

Back to the Contents 11 Protecting Work Data on Personal-Use-Enabled Devices BlackBerry Balance and BES10 protect sensitive data

Protecting work data accessible over the corporate Intranet BlackBerry Balance identifies and tags data and processes or stored on employees’ devices is a critical part of any that originate from your company’s Wi-Fi, VPN access or comprehensive mobile data security plan. The widespread Intranet, and routes it to the employee’s work profile on the use of employee-owned and personal-use-enabled devices in device. Other personal data and activities, including third- corporate environments – Bring Your Own Device (BYOD) and party applications, public Web browsing and personal email, Corporate Owned, Personally Enabled (COPE) movements – are contained within the personal profile. creates major data security challenges. Without a heavy-duty security architecture in place, one designed for work and BlackBerry Balance Overview and Features personal use, it is easy for employees to leak sensitive work data BlackBerry Balance keeps employees’ work and personal through personal use, such as: webmail and browsing, social information separate and secure on BlackBerry 10 devices networking and media, and untrusted personal applications. using specifically designated areas called Spaces. Within each of these Spaces, data, applications and network connections With BlackBerry BalanceTM, a feature of BES10, you can create can be safely stored. Individual Spaces can be governed by a “dual-persona” environment on employees’ mobile devices their own rules for data storage, application permissions and by establishing a separate, secure environment for work- network routing. Using separate Spaces for work and personal related applications and associated sensitive data. This work activities helps keep sensitive data secure by preventing environment leverages integrated, cryptographically partitioned employees from copying work data into personal email, file systems to protect sensitive work data, while delivering a or displaying information during video chats. compelling “work-life” user experience.

BlackBerry Balance: Seamless Separation of Personal & Work Data

Back to the Contents 12 Protecting Work Data on Personal-Use-Enabled Devices cont.

BlackBerry Balance lets you control how devices separate, secure and protect company data and resources

Using BlackBerry Balance, you can: Built-in Password Protection management (CRM) system, attempts BES10 allows you to establish and to send your company’s customer list Control employee access to company enforce password policies quickly and and deal status to his personal email data and applications on their devices easily to better protect data stored in account before leaving the company. Prevent company data from becoming employees’ devices. IT policies can be compromised set to require your employees to enter a The soon-to-be former employee password or use their corporate single accesses the CRM application from his Provide employees a unified and sign-on using Active Directory® services to BlackBerry 10 device and tries to paste the consistent user experience with a core set gain access to Spaces containing work- list and deal information into his personal of applications when accessing personal related data. This keeps data at rest on email account. Because BlackBerry or work data employee devices safe and protected. Balance prevents copy and paste functions between employees’ work profiles and Install and manage company applications BlackBerry Balance in action personal profiles, the employee is unable to on employees’ devices remotely After eight years of employment at your move data into his personal email or copy Remove company data and applications company, a salesperson is leaving to take files from his Work Space to his Personal from employee-owned devices when a leadership role at a startup business that Space. Your company’s sales information needed without impacting personal will share the same competitive space stays safe. In addition, BES10 allows you configuration and data as your company. Looking to jumpstart to wipe all corporate information from an the customer acquisition process, the employee-owned device after the employee Control network connections for work and departing salesperson, who has access has left the company, without impacting personal applications remotely to the corporate customer relationship personal data.

Back to the Contents 13 Protecting Work Data on Personal-Use-Enabled Devices cont.

Tech Talk 3 Work Space/Personal Space in Detail

BlackBerry Balance and BES10 provide a work environment that securely separates work and personal information on mobile devices. Devices classify data as work data or personal data based on the source of the data. For example, if data comes from a work-related source it is stored in the device’s Work Space. Personal and Work Spaces can have different rules for data storage, application permissions, and network routing. The separate spaces help users to avoid activities such as accidentally copying work data into a personal application, or displaying confidential work data. IT administrators have the option of managing and securing data in a Personal Space.

Work Personal

Data Data

App App App App

Work Space Personal Space

Encrypt Base file system Encrypt (optional)

Back to the Contents 14 Enforcing Strong Access Controls BlackBerry security gives you greater control over how and when mobile devices connect to your network infrastructure and access data

BlackBerry security delivers BlackBerry Hardware Root of Trust infrastructure and devices, are securely multiple access control features, BlackBerry takes specific steps to help connected, which means trusted such as device authentication, ensure the integrity of its devices and BlackBerry devices can be built around prevent counterfeit devices from the world. anti-counterfeiting manufacturing connecting to the BlackBerry infrastructure. controls and device OS protection, This secure manufacturing model helps that verify and maintain device Security is built into each major prevent the impersonation of authentic integrity. These features help BlackBerry device component, making it BlackBerry devices and ensures that only ensure only authorized devices more difficult for unauthorized users to authentic BlackBerry devices can remove or circumvent security on a connect to the BlackBerry infrastructure. used by authorized employees BlackBerry device than on other mobile Any device trying to connect to the gain entry into your network, operating systems. Plus, all parts of the BlackBerry infrastructure must complete use network services and BlackBerry supply chain, from its the self-verification process before access data. manufacturing partners to the BlackBerry access is granted.

Authentication BlackBerry 10 Operating System Multiple forms of authentication take place within the BlackBerry system to minimize the possibility of data loss and CPU Embedded Boot ROM Boot ROM outside attack. First, the BlackBerry infrastructure and BES10 authenticate Boot ROM digital signature Public EC 521 Key of OS with each other by sharing a Server Signature Routing Protocol (SRP) authentication Verified key before a connection takes place.

The second level of authentication Software Upgrades and Application Downloads from BlackBerry World. BlackBerry 10 OS takes place between BES10 and the All downloads verified with ECC activated BlackBerry 10 device. When SHA256 hash of Base File signed SHA-2 hashes. the device is activated, it generates System (Signed with EC 521 a key pair and sends the public key Verified • Application 1 to BES10. The BES10 server then creates a client certificate and sends an enterprise management root certificate • Application 2 Base File System (Read only) and client certificate back to the device. XML Manifest of loaded It uses the enterprise management • Application 3 applications (Cryptographically root certificate to authenticate the hashed) server certificate for the enterprise • Application 4 Verified management Web service. BES10 and the BlackBerry 10 device use the client certificate to authenticate users, their Work Spaces and their devices.

Back to the Contents 15 Enforcing Strong Access Controls cont.

BlackBerry 10 Device OS Security Features Protecting the device’s OS is one of the most important functions of mobile device security. However, it’s sometimes neglected by other manufacturers focused on consumer devices, since it can be challenging to verify the security vulnerabilities contained in millions of lines of source code, a common characteristic of many devices’ OSs. The BlackBerry 10 OS includes security features for OS protection, including:

 Implementation The hardened QNX microkernel used in the BlackBerry 10 OS contains approximately 150,000 lines of code. With fewer lines of code, the BlackBerry OS is less susceptible to vulnerabilities than other platforms. As a result, rigorous security verification and testing are achieved, even with a fixed amount of IT resources.

Resilient Design To reduce risks, the microkernel contains processes associated with personal use. Any unresponsive or misbehaving process is automatically restarted or killed, respectively, without impacting other processes.

Root process Minimization To reduce security risks, only the most essential BlackBerry processes are run in root mode. This mode is never available to third parties.

Blackberry World Application Stores Once a BlackBerry 10 device is activated on BES10, it has access to two separate BlackBerry World application storefronts: BlackBerry World for personal use and BlackBerry World for Work for enterprise use.

Within the Work Space, only applications approved by the BES 10 administrator are permitted to be installed. Work applications can either be “pushed” to users based on policy, or “pulled” by users for optional use. Within the Personal Space, users are free to download any application available through BlackBerry World.

Back to the Contents 16 Enforcing Strong Access Controls cont.

BES10’s Gold level EMM controls and settings deliver the ultimate security solution for government and other high-security environments

For the large majority of organizations, BlackBerry Sampling of Regulated-level BlackBerry 10 Balance, available via the BES10 Silver EMM1 Device Management Controls configuration, optimizes the balance between Mobile Hotspot Mode and security and employee expectations for a Specify whether to allow Mobile Hotspot mode, tethering compelling work and life end-user experience. using technology, and tethering using a USB cable on a BlackBerry 10 device. Some highly sensitive, regulated environments, however, may not permit personal use on employee Wireless Service Provider Billing devices due to established risk management Specify whether a BlackBerry 10 device user can purchase policies. For these organizations, often operating applications from the BlackBerry World app storefront using the in government, financial services or healthcare purchasing plan for your organization’s wireless service provider. sectors, for example, BlackBerry offers the Maximum Password Age BES10 Gold EMM2 configuration, which gives Specify the maximum number of days that can elapse before a administrators the ability to disable personal BlackBerry 10 device password expires and a BlackBerry 10 device user must set a new password. use, as well as impose device, application and content controls that exceeded the granularity Wipe the Work Space without Network Connectivity of the BES10 Silver EMM configuration. No other Specify the time in hours that must elapse without a BlackBerry 10 device connecting to your organization’s network before mobile platform offers this unique capability. wiping the entire device.

The BES10 regulated-level device management Non-Email Accounts control features enable large enterprises and Specify whether a BlackBerry 10 device user can add third- government and regulated industries to manage party accounts for services, such as , Twitter, LinkedIn and to the device. fully locked-down devices with a set of controls unmatched in their level of granularity. Network Access Control for Work Applications Specify whether work applications on a BlackBerry 10 device Gold level device management capabilities include: must connect to your organization’s network through BES10.

BlackBerry 10 Mobile Device Management (MDM) capabilities Log Submission designed for secure, government and regulated environments Specify whether a BlackBerry 10 device can generate and send log files to the BlackBerry Technical Solution Center. Enforcement of corporate-only use and granular controls to manage use of camera, storage, WiFi, Bluetooth and other Bluetooth device features Specify whether a BlackBerry 10 device can use Bluetooth technology. Option to enable a controlled Personal Space through BlackBerry Balance while ensuring all work content is fully SMS/MMS protected within the Work Space Specify whether a BlackBerry 10 device can send SMS text messages and MMS messages. User friendly and intuitive management console to manage your devices, users, groups, apps and services, including reporting Camera and dashboard capabilities Specify whether a BlackBerry 10 device can use the camera.

Back to the Contents 17

Leaders in innovation

Largest Research & Expansion of security model Development sta of to iOS and Android any EMM vendor

22K Scalability. Devices per server BES10 servers globally PATENTS 100K 30K+

Back to the Contents 18 Managing Devices

With BES10 you can also easily manage iOS and Android™ devices from a central location

A typical enterprise may contain hundreds of devices, each one a potential unauthorized entry point into your corporate servers. To help IT departments get a handle on the large number and diversity of devices attached to your network, BlackBerry has extended its security model to iOS and Android and tablets through BES10. With the ability to use BES10 to manage multiple types of devices from a single platform and management console, IT administrators are able to strike the perfect balance between corporate and end user needs.

Secure Work Space for iOS and Android BlackBerry has also extended its ability to protect corporate data through the creation of secure computing and communications environments to iOS and Android devices. Secure Work Space is a containerization, application- wrapping and secure connectivity option for iOS and Android smartphones and tablets that is managed through the BES10 administration console. Managed applications are secured and separated from personal apps and data, providing an integrated email, calendar and contacts app, an enterprise-level secure browser and secure document viewing and editing. User authentication is required to access secure apps and work data cannot be shared outside the Secure Work Space. The trusted BlackBerry security model provides built-in secure connectivity for all enterprise apps deployed to the Secure Work Space – no VPN needed.

Back to the Contents 19 Managing Devices cont.

BlackBerry Mobile Device Management in Action

Your company has hired several new employees – each due over the network to BES10. Encryption keys, based on IT to receive a BlackBerry 10 . The IT department department policies, are generated, Work Spaces are created quickly and easily adds a user account for each employee and profiles and software configurations are sent to each into BES10, using information from your company’s Microsoft smartphone. In just a few short steps, the incoming employees Active Directory. An activation password for each account is are empowered with fully functional and secure mobile devices. created, along with the Server Routing Protocol (SRP) ID of the BES10, and delivered to the respective employee.

The new employees type their user IDs, passwords and SRP IDs into their BlackBerry 10 devices to activate them. The smartphone’s enterprise management agent establishes a secure connection through the BlackBerry infrastructure

Back to the Contents 20 Managing Devices cont.

Managing Devices Using Device Wipe Application Sandboxing With BES10 and BlackBerry Balance, you can keep company The application sandboxing and malware controls found in data safe while leaving employee personal data intact. Using BlackBerry 10 help keep company data safe and secure from BES10, you can remotely wipe an employee’s Work Space and potentially malicious applications. BlackBerry 10 also protects all its content, leaving all personal data on the device in place. employees’ personal data by allowing them to configure their devices’ application controls and limit application access to You can also use BES10 to create policies that delete the their personal information. Work Space from the device if certain events occur or specific conditions are met. For example, you can create a policy Sandboxing separates and restricts an application’s capabilities to delete the Work Space if the number of failed password and permissions. The sandbox is a virtual container that uses attempts exceeds the maximum number allowed. You can device memory and part of the file system and grants access to the also wipe the device if employees exceed their allotment of application at a specific time. Applications can have sandboxes permitted hours or days since the last network connection. in both an employee’s Work Space and Personal Space, yet each remains isolated from the other. The BlackBerry 10 OS monitors Device Wipe in Action application process requests for memory outside its sandbox. If An employee has just received a job offer from a competitor. This the application attempts to access memory outside its sandbox, employee works in your company’s procurement department and the BlackBerry 10 OS will stop the process and reclaim the has access to the company enterprise resource planning (ERP) memory it uses, then restart the process without impacting other system via her BlackBerry 10 device. Using the ERP system processes operating at the same time. In addition, each application application, the employee can see the company’s suppliers, is assigned its own specific group identification, which cannot be vendors, parts inventory, backlogs, sales projections and more. shared or reused by another application. Each application stores The employee accepts the job offer and gives a two-week data in its own sandbox and the BlackBerry 10 OS prevents other notice. Her manager alerts HR and IT departments about her applications from accessing this specific data. upcoming departure. On her last day, IT wipes the employee’s Malware Controls work profile from her BlackBerry 10 device, which prevents her The BlackBerry 10 OS includes tight controls to reduce the from accessing the ERP and email systems. However, all of her possibility of malware attacks, including a ‘contain-and-constrain’ personal information remains intact on her device as she moves strategy that minimizes risks. Application process requests are on to her next job. constrained within employees’ Personal Space on the device, Distribution and Application Security and the BlackBerry OS microkernel monitors inter-process Using Blackberry World for Work communications for potential issues. The microkernel also A benefit of BlackBerry Balance is that it allows IT to create and monitors memory access by the Personal Space and authorizes deploy a customized business application store, called BlackBerry its use as needed. Any application process that attempts an World for Work. With BlackBerry World for Work, you can push, unauthorized memory access request is automatically restarted install and manage business and productivity applications over the or shut down, protecting your company data. In the employee’s network to BlackBerry 10 device Work Spaces via BES10. Personal Space, application permissions are used to protect personal data from potential malware attacks.

Malware Protection in Action Instead of downloading an application to the device from the prescribed channel, an employee downloads an application from the Internet to her personal computer, then moves the application, which contains malware, to the device's Personal Space. The malware scans the employee’s device for names, phone numbers, credit card numbers or any other bits of identity information that can be stolen and misused. Work-related information is not impacted, as all company information remains isolated and locked down on the device’s Work Space, fully protected and secure.

Back to the Contents 21 Managing Devices cont.

End-to-end Security

Securing and protecting corporate data is of paramount concern for all enterprises. As businesses continue to adopt and expand mobility options as a means of improving worker productivity and end-user satisfaction, however, protecting corporate information and guarding against data loss becomes an increasingly complex challenge for IT departments. Underlining the situation is the fact that each personal-enabled device added to the corporate network brings with it a new opportunity in which sensitive enterprise data can be disclosed accidentally or intentionally stolen, either by the device user or by any untrusted application that is installed on the device. Accordingly, today’s resource-challenged IT departments require proven and comprehensive enterprise mobility management solutions that have integrated security designs and controls necessary to protect against these new risks, while delivering the compelling work and life experience that employees demand.

But protecting corporate data from misuse and loss is only half of the story. A mobile security solution, even an ironclad one, must also secure work applications while delivering an environment that enables developers to quickly and effectively create enterprise applications. BlackBerry 10 delivers on this promise with a highly functional application environment that is transparent to developers.

BlackBerry 10 was designed from the ground up to provide enterprises with the optimal balance of protection and productivity. BlackBerry 10, BES10, the BlackBerry infrastructure and BlackBerry 10 devices constitute an ironclad security solution that spans your entire business and delivers a productive and feature-rich work environment with an integrated suite of productivity applications for your increasingly mobilized workforce.

Back to the Contents BlackBerry® Z30 Smartphone BlackBerry® Z10 Smartphone BlackBerry® Q10 Smartphone BlackBerry® Q5 Smartphone

Size 140.7mm x 72mm x 9.4mm 130mm x 65.6mm x 9mm 119.6mm x 66.8mm x 10.35mm 120mm x 66mm x 10.8mm

Display 5"super AMOLED display, 4.2" 4-point multi-touch 3.1" Super AMO 3.1" Capacitive multi-touch 24 bit color LCD display LED display LCD display 1280 x 720 resolution at 295 PPI 1280 x 768 resolution at 356 DPI 720 x720 resolution at 330 PPI 720x720 resolution at 329 PPI

Software BlackBerry® 10 OS BlackBerry® 10 OS BlackBerry® 10 OS BlackBerry® 10 OS

Memory 2GB RAM, 16GB Flash®, 2GB RAM, 16GB Flash®, 2GB RAM, 16GB Flash®, 2GB RAM, 8GB Flash®, hot-swappable Micro SD slot hot-swappable Micro SD slot hot-swappable Micro SD slot hot-swappable Micro SD slot

Processor Dual Core 1.7 GHz Dual Core 1.5 GHz Dual-core 1.5 GHz Dual Core 1.2 GHz Qualcomm MSM8960 Texas Instruments OMAP 4470 Qualcomm® MSM8960 Qualcomm® MSM8960 Quad-core GPU

Battery Life1 Mixed use: Up to 25 hours Talk Time: up to 11 hours on 3G Talk Time: up to 13.5 hours on 3G Talk Time: 3G - up to 12.5 hours - up to 10 hours Talk time: Up to 18 hours Standby Time: up to 408 hours Standby Time: up to 345 hours UMTS/14 hours GSM on 3G, up to 397 hours on 2G on 3G, up to 324 hours on 2G Standby Time: up to 14 days on 3G, up to 13 days on 4G Standby time: Up to 16 days : up to 51 hours Music: up to 62 hours Music: up to 62 hours Music: Up to 90 hours Video: up to 10 hours Video: up to 9 hours Video: up to 9 hours Video: Up to 12 hours

Camera 8 MP rear-facing camera 8 MP rear-facing camera 8 MP rear-facing camera 5 MP rear-facing camera 5x digital zoom 5x digital zoom 5x digital zoom 5x digital zoom 1080p HDvideo recording 2MP 1080p HDvideo recording 2MP 1080p HDvideo recording 2MP 1080p HDvideo recording 2MP front-facing camera front-facing camera front-facing camera front-facing camera 3x digital zoom 3x digital zoom 3x digital zoom 3x digital zoom 720p HD video recording 720p HD video recording 720p HD video recording 720p HD video recording

GPS GPS-enabled with preloaded GPS-enabled with preloaded GPS-enabled with preloaded GPS-enabled with preloaded BlackBerry® Maps application BlackBerry® Maps application BlackBerry® Maps application BlackBerry® Maps application

Blueteooth® Bluetooth 4.0 Low Energy Bluetooth 4.0 Low Energy Bluetooth 4.0 Low Energy Bluetooth 4.0 Low Energy

Wi-Fi®2 802.11 a/b/g/n enabled, 802.11 b/g/n enabled, 802.11 a/b/g/n enabled, 802.11 b/g/n enabled, 4G Mobile Hotspot Mobile Hotspot 4G Mobile Hotspot Mobile Hotspot

1 Many factors affect battery life including but not limited to network, transmission environment, battery age, usage, location, software and feature configuration. 2 WiFi availability may vary between country and mobile network operators.

Back to the Contents BlackBerry Technical Support Services Support is a key component of your Enterprise Mobility Management strategy. Implementing BES10 is easier than ever, but having a strategic support partner is still essential to assist you in delivering your mobility objectives. BlackBerry Technical Support Services offers a unique blend of technical expertise, rapid issue resolution and proactive, relationship-based support to help you realise the full potential of your BES10 multi-platform management infrastructure. For more information visit .com/btss EZ PASS FREE perpetual BES10 licenses for all existing BlackBerry and other active MDM licenses, plus receive world class BlackBerry Advantage Level Technical Support FREE of charge!*

Learn more at: blackberry.com/ezpass

*Additional Terms and Conditions will apply

Learn more at BES10.com/security

1 Silver level EMM provides the management and control feature set for BlackBerry 10, iOS and Android devices previously known as BES10 EMM Corporate. 2 Gold level EMM provides the management and control feature set for BlackBerry 10 devices previously known under the name EMM Regulated, and also covers the containerization option for iOS and Android management known as Secure Work Space for iOS and Android. Screen images simulated.

© 2014 BlackBerry. All rights reserved. BlackBerry® and related trademarks, names and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world. All other trademarks are the property of their respective owners. iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS is used under license by Apple Inc. Apple Inc does not sponsor, authorize or endorse this brochure. Android is a trademark of Google Inc. which does not sponsor, authorize or endorse this brochure. Back to the Contents