BBM Enterprise FAQ
BBM Enterprise FAQ
BBM Enterprise FAQ
BBM Enterprise is the cross-platform instant messaging solution for text, voice, video, and group chat–on any and multiple devices, including smartphones and desktops. This document aims to address some of the most frequently asked questions about BBM Enterprise; what it is, how it works, and what requirements are needed. Click on the question to arrive directly at the answer. Learn more at www.blackberry.com/bbmenterprise
BBM Enterprise uses the following standards for signing, encrypting, and hashing, which meet or exceed the NIST Suite B cryptographic guidelines:
- Digital signature standard FIPS 186-4: provides a means of guaranteeing the authenticity and non-repudiation
- AES symmetric encryption standard FIPS 197: uses agreed symmetric keys to guarantee the confidentiality of messages
- HMAC standard FIPS 198-1: based on SHA2-256 and uses agreed symmetric keys to guarantee the integrity of messages
- Cryptographic key generation standard NIST SP 800-133: generates the cryptographic keys that are needed to employ algorithms that provide confidentiality and integrity protection for messages
- Secure Hash standard FIPS 180-4: provides preimage and collision resistant hash functions that are required for secure HMACs, digital signatures, key derivation, and key exchange
BBM Enterprise algorithms and functions
To protect the connection between BBM Enterprise users during a chat, BBM Enterprise users exchange public signing and encryption keys using an in-band or out-of-band shared secret and EC-SPEKE. For details, see Key
exchange process. These keys are then used to encrypt and digitally sign messages between the devices. BBM Enterprise uses the following algorithms that are based on NIST standards with 256-bit equivalent security:
- EC-SPEKE: securely exchanges a symmetric key by protecting the exchange with a password
- KDF: securely derives message keys from shared secrets
- One-Pass DH: using one user’s private key and another user’s public key, derives a new shared secret between the users
The algorithms and associated key strengths that BBM Enterprise implements are:
- AES-256 for symmetric encryption
- ECDSA with NIST curve P-521 for signing
- One-Pass ECDH with NIST curve P-521 for symmetric key agreement
- SHA2-512 for hashing and key derivation
- SHA2-256-128 HMAC for message authentication codes
BBM Enterprise voice and video calling uses SRTP media streaming and implements the following algorithms and associated key strengths:
- AES-256 in GCM mode for symmetric encryption
- 112-bit salting keys
- BBM Enterprise messaging for symmetric key transfer
- SHA1 80-bit tag for message authentication and integrity
- How does BBM Enterprise to add additional encryption to BBM messages?
BBM Protected works by adding an additional level of encryption to messages sent between BBM Protected users by securing exchanging a set of public keys that are unique to those two users. The first time two BBM Protected users attempt to message each other, a secret passphrase shared by email, SMS, phone or in person. Once the secret passphrase is verified, public signing and ecryption keys are exchanged between the two users allowing for this advanced encryption of messages.
- Does this mean that regular or personal BBM Chats are not secure?
Not at all. The default level of security offered by BBM today is already very secure offering two layers of encryption for messages sent between BBM contacts. First, BBM uses a TLS to establish a secure connection between the smartphone and the server. TLS is a common web standard that is used for online shopping and internet banking. Additionally, BBM messages are encrypted using a triple DES 168-bit BBM scrambling key which encrypts messages leaving the sender’s phone, and authenticates and decrypts messages on the recipient’s phone. These two layers working together mean that you have secure messages flowing through a secure pipe. BBM Protected ads yet an additional layer of advanced encryption to this security model helping to meet the needs of the most security conscious organizations.
- Can a BBM Protected user only talk to BBM Protected users within the company?
When a company has enabled BBM Protected for a user, BBM messages sent to any other BBM Protected users will be secured at this higher level of encryption – these could be other BBM Protected users within the same organization, or BBM Protected users at another organization on a completely different BES. This is one of the advantages offered by BBM Protected; out of the box secure messaging between organizations without the need for any federation or configuration. Plus, BBM Protected users can continue to use the same app to chat and share with other BBM contacts like family and friends.
- Can BlackBerry read BBM Protected messages?
No, BlackBerry cannot read BBM Protected messages. The encryption keys used to secure messages sent between BBM protected users are generated by the phones and controlled by the BES server. BlackBerry is not the broker in this public key exchange.
- Does BBM Protected mean that BBM messages are automatically logged?
No, BBM Protected is not a supervisory feature like logging or auditing. BBM Protected is a security feature separate from other supervisory features available with the Gold Tier of BES.
- What version of BlackBerry software is required for BBM Protected? BBM Protected FAQs
- For BlackBerry OS devices, BBM Protected will work with BlackBerry OS version 6.0, 7.0, or 7.1
- For BlackBerry 10 devices, BBM Protected will work on BlackBerry 10 v 10.2, 10.2.1, or 10.3
- What version of BBM is required for BBM Protected?
- For BlackBerry OS devices, BBM Protected requires BBM version 8.5 or higher
- For BlackBerry 10 devices, BBM Protected requires BBM version 10.3.30 or higher
- What version of BlackBerry Enterprise Server is required for BBM Protected?
- For BlackBerry Enterprise Server 5.0 or later (you need to apply the BBM Protected IT Policy pack; it can be applied to any BlackBerry Enterprise Server 5 version)
- BlackBerry Enterprise Service 10 version 10.2.2 or higher
- How do I purchase BBM Protected User licenses?
Contact us for more information on this. You may add this feature to any email address on our Hosted Exchange plans.
- Is the price per user or per device (for example if a user has multiple devices)?
A BBM Protected User License is valid for 1 user on 1 device. If a user leaves the company, or an administrator wants to apply the BBM Protected User License to another user at the company, they can re-assign it at any time.
- How do I enable BBM Protected for users at my organization?
If the BBM app is not installed on the BlackBerry devices, install the app on the devices. We are also able to push the app to your device.
- When will BBM Protected be available for Balance regulated?
BBM Protected FAQs BBM Protected will be available for BlackBerry 10 smartphones running in work / personal regulated mode with BlackBerry Balance in the fall of 2014. Please fill out this form to be contacted by BlackBerry about your interested in BBM Protected for Balance regulated devices.
- Does the added encryption offered by BBM Protected apply to BBM Voice and BBM Video calls? BBM Protected encryption applies to BBM messages, attachments and files sent between BBM Protected users. It also applies to multi-person BBM chats where all participants are BBM Protected users and BBM Groups that have been established as Protected BBM Groups. It does not apply to BBM Voice and BBM Video calls at this time. More information on the security model used for BBM Voice and BBM Video calls can be found in the BBM Security Note available here.
- My company already uses Microsoft Lync, why would I want BBM Protected?
While many organizations have invested in UCC solutions like Microsoft Lync, mobile adoption of these solutions is often low. These desktop based enterprise IM solutions often deliver a poor mobile user experience and frequently limit employees to communicating with other employees inside the organization. As a result, employees are going outside their corporate deployed EIM apps, communicating through unsanctioned 3rd party applications. BBM Protected allows users to use a single app to securely message contacts inside the company as well family and friends outside the company. Plus, it offers a user experience built from the ground up for mobile. Lastly, BBM Protected is a cloud based solution, deployed, managed and controlled from BES but residing in BBM Protected FAQs BlackBerry’s secure, scalable and reliable infrastructure. BBM Protected will continue to work if an organizations own IT infrastructure has experienced a server outage or a full on catastrophic crash. By comparison, Microsoft Lync and Lotus Sametime are on premise IM platforms that rely on licensed client / server software that is deployed, managed and controlled from within the firewall of the organization.
- How do I know if I am in a BBM Protected chat?
While the aim is to make BBM Protected as seamless and transparent as possible for BBM users, there are a few ways to tell when you are having a BBM Protected chat. In the field where you type your message you will see that it says ‘Protected. Enter a message’. You will also find that as you type your message, it appears in blue whereas text in a chat using default BBM encryption will appear in black. When you’re in a BBM Protected Group, you will see a small lock symbol that appears at the top of the group lobby next to the BBM Group name. This serves as a reminder that this is a BBM Protected Group meaning that all messages between all participants are encrypted using the advanced public / private key and only other BBM Protected users will be permitted to join the group.
- How do you know which of your BBM contacts are also using BBM Protected?
BBM Protected aims to make chatting with other BBM Protected users seamless by moving the security to the background so that it doesn’t get in the way of the user – therefore we don’t put a lot of emphasis on who is and isn’t a BBM Protected user. That said, when you go to start a new BBM chat, you will see that a small lock appears next to the names of other BBM Protected users on your BBM Contact list.
- Can I cut and paste copy in to a BBM Protected chat from another application?
Yes, BBM users can cut and paste freely in to a BBM Protected conversation. BBM Protected offers enhanced encryption of the chat without limiting in any way what kind of content can be shared. For instance, a BBM user can copy a phone number from a BBM Protected chat in to a chat with a non-BBM Protected user. This is yet another example of the seamless user experience plays an important role in the BBM Protected offering.
- Does BBM Enterprise only support mobile devices?
No, BBM Enterprise supports smartphones, tablets, as well as desktops.
- What platforms do BBM Enterprise support?
BBM Enterprise supports Android, iOS, BlackBerry 10, Windows, and macOS.
- Can I extend BBM Enterprise chats to non-BBM Enterprise users?
Yes, BBM Enterprise users can extend chats to users using BBM consumer. Chats will still be protected.
- Do I need to install anything to deploy BBM Enterprise to my users?
No, BBM Enterprise is cloud-based and requires no additional installations. You can deploy the app to your users easily from a single console, BlackBerry Enterprise Identity.
- Does BBM Enterprise meet regulatory compliance requirements?
Yes, BBM Enterprise protects data in transit and at rest by adding an additional layer of encryption. It meets HIPAA standards and has integrated auditing and archiving services available.
- Can I only run BBM Enterprise on one device?
No, you can have BBM Enterprise installed on up to 3 devices
- Can a BBM Enterprise user only talk to BBM Enterprise users within the company?
No, BBM Enterprise users can continue to use the same app to chat and share with other contacts like family and friends who are using BBM consumer.
- What privacy features are available for an end-user?
In addition to the rich, user-centric features of BBM Enterprise, users can also control their chats with edit, retract, and timed message capabilities.
- How do I know which of myBBM contacts are also using BBM Enterprise and which are using BBM consumer?
BBM Enterprise aims to make chatting with all other BBM users seamless by moving the security to the background so that it doesn’t get in the way of the user – therefore we don’t put a lot of emphasis on who is and isn’t a BBM Enterprise user.
- Can I cut and paste copy in to a BBM Enterprise chat from another application?
BBM Enterprise has an IT policy that prevents copying and pasting from BBM Enterprise. If this is enabled, you cannot copy or share information from within BBM Enterprise.
- What is the auto-passphrase capability that is available for BBM Enterprise?
The auto-passphrase feature simplifies the invocation of BBM Enterprise chats by making the passphrase exchange happen automatically and seamlessly between two parties in a conversation. This feature can be turned on (or off) by an IT Admin via a BlackBerry Enterprise Identity Console, and switched to a manual out of band passphrase exchange.
- What happens if my organization does not turn on the auto-passphrase policy but the organization in which I am interacting with has the auto-passphrase policy turned on?
In a situation where one organization has the auto-passphrase policy turned on and the other does not, BBM Enterprise defaults to the highest level of security, so the manual passphrase model is used.
- Is BlackBerry UEM required to use BBM Enterprise?
No, BBM Enterprise does not require BlackBerry UEM. Customers looking to use BBM Enterprise with Android, iOS, BlackBerry 10 OS, Windows, or Mac do not require UEM. The IT Administrator user management of BBM Enterprise is done through the BlackBerry Enterprise Identity console – a service that comes along with your BBM Enterprise subscription.
- Do I have to purchase BlackBerry Enterprise Identity separately?
The BlackBerry Enterprise Identity management console is included with BBM Enterprise at no additional cost when purchasing licenses.
- My company already uses Skype for Business, why would I want BBM Enterprise?
While many organizations have invested in Unified Communication and Collaboration solutions like Skype for Business, mobile adoption of these solutions is often low. These desktop-based enterprise Instant Messaging (IM) solutions often deliver a poor mobile user experience and frequently limit employees to communicating only with other employees inside the organization. As a result, employees are going outside their corporate deployed IM apps, communicating through unsanctioned 3rd-party applications (such as Facebook Messenger and SMS). BBM Enterprise allows users to use a single app to securely message contacts inside the company, as well clients, family, and friends outside the company. Plus, it offers a user experience built from the ground up for mobile. BBM Enterprise works with BlackBerry’s secure, scalable and reliable infrastructure. BBM Enterprise will continue to work if an organization’s own IT infrastructure has experienced a server outage or a catastrophic crash.
- How does BBM Enterprise work with BlackBerry Enterprise Identity?
BlackBerry Enterprise Identity provides cross-platform user and entitlement management of the BBM Enterprise service for IT Administrators. BlackBerry Enterprise Identity provides a simplified, cloud-based admin console to manage, entitle, and set user policies for BBM Enterprise and other enterprise applications.
- How does BBM Enterprise work to add encryption to communications?
BBM Enterprise works by adding an additional level of encryption to messages sent between BBM Enterprise users by securely exchanging a set of public keys that are unique to those two users. The first time two BBM Enterprise users initiate a chat, a secret passphrase is shared by email, SMS, phone or in person. The passphrase can also be exchanged automatically using the auto-passphrase feature (configured by IT). Once the secret passphrase is verified, public signing and encryption keys are generated client-side on device, and exchanged between the two users allowing for this advanced encryption of messages moving forward.
- Does the added encryption apply beyond messaging to voice and video?
Yes, the encryption applies to all communications data sent from BBM Enterprise including voice and video if BBM Enterprise voice and video are purchased.
- Can BlackBerry read BBM Enterprise messages?
No, BlackBerry cannot read BBM Enterprise messages. The encryption keys used to secure messages sent between BBM Enterprise users are generated client-side and stored on the device. BlackBerry is not the broker in this public key exchange. The enterprise also does not have access to the encryption keys outside of the mobile device itself.
- Does BBM Enterprise automatically log messages?
No, BBM Enterprise does not automatically log and audit communications but enterprises can choose to deploy archiving. BBM Enterprise customers may integrate archiving with BlackBerry Auditing and Archiving Services, which enables an admin to turn on message logging and store those messages on premise behind the company’s firewall, or in the cloud.
- What are the client minimum system requirements for the latest version of BBM Enterprise (v1.2)?
- For BlackBerry® 10 devices, BBM Enterprise will work on BlackBerry v10.3+
- For iOS, BBM Enterprise will work on iOS 9.0+
- For Android, BBM Enterprise will work on Android 4.4+
- For Windows, BBM Enterprise will work on Windows 7 Pro, Windows 8, Windows 8.1, Windows 10
- For macOS, BBM Enterprise will work on OS 10.7+