How to Enable PGP on BES12

PGP (Pretty Good Privacy) is a data encryption and decryption technology that provides cryptographic privacy and authentication for data communications.

BES12 can utilize PGP point to point encryption within an email profile for BlackBerry 10 smartphones running BlackBerry 10 OS version 10.3.1 and later.

Note: PGP keys never synchronize to the BlackBerry smartphone. When the BlackBerry smartphone requires the key(s), a call is placed to the Symantec Encryption Management server, and the server parses and delivers the applicable key to the smartphone.

Keys manually imported onto the smartphone using the device options Settings > System Settings > Security and Privacy > PGP Keys do not take precedence over the BES12 PGP key distribution; the key(s) obtained from the Symantec Encryption Management server will be the ones utilized.

To enable PGP for the point to point encryption service on BES12, edit an existing mail profile or create a new one and enable the option.

  1. Open Policies and Profiles and, under Email, click Add an email profile.
  2. Enter the email profile information applicable to the BlackBerry platform, then scroll down to the PGP settings.
  3. To enable PGP, select Allow or Required from the dropdown box. A Disallow option is also available if PGP is explicitly denied in an organization.
  4. In the Symantec Encryption Management Server address input field, specify the FQDN or IP address of the organization's Symantec Encryption Management Server (this will allow BlackBerry 10 OS version 10.3 and later devices to enroll against the PGP server).
  5. Select the dropdown box for Symantec Encryption Management Server enrollment method and select either Email authentication or Microsoft Active Directory Authentication.
  6. These same options can also be changed within an existing Email profile to enable PGP.
  7. Click Add.

The PGP interface SSL certificate is not required, but the issuing root and intermediate certificates (if necessary) must also be trusted by the BlackBerry 10 smartphone. They can be delivered by way of CA certificate profile(s).

Instructions to create the profile are included in the BES12 Administration Guide under Creating CA certificate profiles. This profile must be assigned to users/devices who will utilize PGP service.

To create a CA Certificate Profile in BES12 UI:

  1. On the menu bar, click Policies and Profiles.
  2. Click (+) beside CA certificate.
  3. Type a unique name and description for the profile.
  4. In the Certificate file field, click Browse to locate the Certificate Authority root certificate.
  5. Specify Browser certificate store and Enterprise certificate store.
  6. Click Add.

Apply the profile to PGP enabled users on the BES12.
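
A check for the trust requirement described above, as an added example that is not part of the BES12 documentation: it confirms that the root certificate placed in the CA certificate profile, together with any intermediate, actually validates the Symantec Encryption Management Server's certificate. The function names and the throwaway sample chain are constructed for illustration; -no-CApath assumes OpenSSL 1.1.0 or later.

```shell
#!/usr/bin/env bash
# Added example, not BlackBerry or Symantec tooling. Requires the openssl CLI.
# chain_ok ROOT SERVER [INTERMEDIATE]: succeeds only if SERVER chains to ROOT.
chain_ok() {
  local root="$1" server="$2" inter="${3:-}"
  # -no-CApath keeps the system trust directory out of the decision; the
  # intermediate is offered for path building only and is not itself trusted.
  openssl verify -no-CApath -CAfile "$root" \
    ${inter:+-untrusted "$inter"} "$server" >/dev/null 2>&1
}

# make_sample_chain DIR: writes a constructed, throwaway PKI into DIR:
# root.pem -> int.pem -> server.pem, plus an unrelated other-root.pem.
make_sample_chain() (
  cd "$1" || exit 1
  cat > x.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
EOF
  selfsign() { # selfsign NAME
    openssl req -x509 -config x.cnf -extensions v3_ca -newkey rsa:2048 \
      -nodes -subj "/CN=Constructed $1" -days 2 -keyout "$1.key" -out "$1.pem"
  }
  issue() { # issue NAME ISSUER EXT_SECTION
    openssl req -new -config x.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=Constructed $1" -keyout "$1.key" -out "$1.csr" &&
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
      -CAcreateserial -extfile x.cnf -extensions "$3" -days 2 -out "$1.pem"
  }
  { selfsign root && selfsign other-root &&
    issue int root v3_ca && issue server int v3_leaf; } >/dev/null 2>&1
)

demo() { # constructed chain: root.pem is accepted, other-root.pem is rejected
  local d r; d=$(mktemp -d) && make_sample_chain "$d" || return 1
  for r in root other-root; do
    chain_ok "$d/$r.pem" "$d/server.pem" "$d/int.pem" \
      && echo "$r.pem: ok" || echo "$r.pem: rejected"
  done
  rm -rf "$d"
}
demo
```

On real files, save the certificates the server presents (for example from `openssl s_client -connect <server>:<port> -showcerts`) and pass the root intended for the profile as the first argument to chain_ok.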

PGP is not currently available in BES12 for iOS, Android or Windows platforms.