Blackberry & Microsoft Exchange Email Encryption How To
Integrating a Blackberry With The Enterprise
Several steps are required to properly enable Microsoft Exchange email encryption certificates on a Blackberry, but this guide should provide clear, effective instructions and assumes the following:
- Microsoft Active Directory Environment
- Blackberry 7520 (should work with other models)
- Blackberry Enterprise Server v4.0 or Later
- Microsoft Windows XP Professional Workstations
- Blackberry User has Outlook Configured for Email Encryption
Install Proper Desktop Management Software
For the purpose of this guide, I’m going to suggest desktop manager version 4.1 or 4.2, but the choice is ultimately yours. Visit the download site and choose the version you think is most appropriate. Once downloaded, start a custom installation and make sure Certificate Synchronization is selected.
Next, tell the installation your organization makes use of a BES (Blackberry Enterprise Server) so your email will integrate with Exchange. The caption reads:
Blackberry Enterprise Server or Blackberry Desktop Redirector
This option integrates your message account with Blackberry using the Blackberry Enterprise Server or Blackberry Desktop Redirector.
Click Next > and proceed to tell the installation a Microsoft Exchange environment is used. The caption reads:
Microsoft Exchange (typically used with Microsoft Outlook client)
Now tell the installation to Redirect messages using the Blackberry Enterprise Server, click Next >, don’t install any additional shortcuts on the desktop (your choice of course), and finally, click Next >.
Install Proper Device Management Software
The corresponding device software is available on the same downloads page mentioned above. Select the desired desktop manager version, and the appropriate device software should become available on that same page. Device software installation is a typical Microsoft software installation: just click Next until finished.
Install S/MIME Support For The Blackberry
According to Blackberry’s website, this package is a component of the Blackberry Enterprise Server, so you’ll need to contact your Systems Administrator to obtain the software. If you’re the sysadmin and don’t recall ever seeing the S/MIME package, contact Blackberry. They’ll either provide a link to download the software or send the software package via mail on a CD. Once again, the installation is pretty straightforward: just click Next until finished.
Configuring LDAP Settings
Dock the device to the user’s workstation while they’re logged into the domain, then enter the device password (you do have a 10-minute lockout security policy, don’t you?). The Desktop Manager will inform you that new software is available; click Next >. On the next screen, make sure everything is checked, including DOD root certificates and S/MIME support. Whether or not you decide to save and restore the device info is up to you, but remember, some of the data is stored in Exchange, so you’re not putting contacts, emails, and calendar appointments at risk. If those items are all you’re worried about, I’d suggest not saving the current data and performing a fresh upgrade. Once upgrade options are configured, the process will take anywhere from 15 to 30 minutes, depending on workstation speed.
After the upgrade is complete, navigate to Certificate Server/LDAP server settings on the device. You’ll need to obtain this information from a network/system administrator, and if you are the system administrator but don’t know this information, what the hell kind of admin are you? Here’s an example entry.
LDAP Server Friendly Name: YourOrg
Server Name: bbldap.your.org.domain.com
Base Query: dc=your,dc=org,dc=domain,dc=com
Port: 389
Authentication Type: Simple
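A sanity check for an entry in the format above, written as an added example that is not part of the original guide or of any Blackberry tool. The function names and finding labels are hypothetical. It confirms that the server name sits inside the domain named by the Base Query, and flags Simple authentication on port 389, where the bind password crosses the network unencrypted unless the connection is upgraded with StartTLS.

```python
import re

# Constructed sample: the example entry from the guide, one field per line.
SAMPLE = """\
LDAP Server Friendly Name: YourOrg
Server Name: bbldap.your.org.domain.com
Base Query: dc=your,dc=org,dc=domain,dc=com
Port: 389
Authentication Type: Simple
"""

def parse_entry(text):
    """Turn 'Key: value' lines into a dict with lower-cased keys."""
    entry = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            entry[key.strip().lower()] = value.strip()
    return entry

def base_dn_to_domain(base_dn):
    """Join the dc= components of a base DN into a DNS name ('' if none)."""
    labels = re.findall(r"(?i)(?:^|,)\s*dc\s*=\s*([a-z0-9-]+)", base_dn)
    return ".".join(label.lower() for label in labels)

def review_entry(entry):
    """Return a list of finding labels (hypothetical names) for one entry."""
    findings = []
    host = entry.get("server name", "").lower()
    domain = base_dn_to_domain(entry.get("base query", ""))
    if not domain:
        findings.append("no-dc-in-base-query")
    elif not host.endswith("." + domain):
        findings.append("server-outside-base-domain")
    port = entry.get("port", "")
    if not port.isdigit() or not 0 < int(port) < 65536:
        findings.append("invalid-port")
    # Simple bind on 389: credentials are sent in the clear unless StartTLS
    # is negotiated, which a static check of the entry cannot see.
    if entry.get("authentication type", "").lower() == "simple" and port == "389":
        findings.append("simple-bind-on-389")
    return findings

if __name__ == "__main__":
    print(review_entry(parse_entry(SAMPLE)))
```
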
Certificate Synchronization With The Desktop Manager
Double click Certificate Sync in the desktop manager. In the Personal Certificates tab select the user’s corresponding certificate - the Certificate Label should display the user’s name. Under Options, select the LDAP Servers tab, click Add…, and populate the text boxes with the information above. Test the connection, and once confirmed, click OK, OK, Synchronize.
Blackberry Email Encryption Conclusion
You’re now ready to test the newly configured certificate. Send a test email and open it. The Blackberry will ask for the certificate key store password and allow viewing once supplied. To send an encrypted email, compose the message like normal, push the trackwheel in and select S/MIME [Encrypt]. After composition, attempting to send the email will result in a username and password prompt. Provide the necessary credentials (DOMAIN\Username & Active Directory Password), then you’re prompted for the key store password. Once the certificate status is checked, select OK, and if all is well, the message is sent encrypted.
This process is obviously a pain, and if there’s an easier way, please provide a link in the comments.



What I like to do is take the crackberry and toss it in a dirty toilet for about 33 minutes and then flush 2 times. That should help with viewing encrypted mail.
Cheers,
Dr. Hairline