Only Crippled iOS iPhone & iPad Approved by US DoD for Government Work


I have been hearing from a few people recently about how BlackBerry is getting squeezed on the government front due to the United States DoD approving iOS and Android devices for government use. I took that with a huge grain of salt since I was waiting for the DoD to release their STIG guidance for how these devices would have to be configured. In short, government employees may be “able” to use an iPhone or iPad on the DoD networks, but here is a short list of what they will have to sacrifice for that pleasure:

  • No Safari browser (you have to use a containerized browser that will have far fewer features)
  • No iMessage
  • No iTunes
  • No App Store (as in only apps the DoD allows on your device through their own App Store)
  • Containerized segregated email client
  • No Wi-Fi access on DoD Wi-Fi networks, though you can use it at home or publicly
  • Must be connected to an MDM (Mobile Device Management) solution

The last point is one of the most interesting. To be able to use an iOS device or Android device on the DoD network it must be hooked up to an MDM. Currently the only approved MDM is BlackBerry Enterprise Service.

The other thing to note is that the DoD has approved BlackBerry Balance for using both personal and government data on one device. That means you can have all your personal email, music, apps, and other information while also having a secure work partition on the BlackBerry 10 device. You don’t even need to have a password on the personal partition, only the work partition. Samsung is trying to do something similar but is having quite a bit of trouble trying to get their version of Dual Personas out the gate. It’s also hard to compare the KNOX solution since Samsung keeps on delaying its release.

Either way both cases seem to show off the difference between security being bolted on and being baked in. BlackBerry 10 was designed for both enterprise/government and personal use on the same device. In short the playing field is nowhere near level when you compare BlackBerry vs other solutions for the enterprise. On the other hand the competition is starting to encroach on a territory BlackBerry has long dominated.

69 total comments on this post
  1. Aren’t those two already crippled compared to us? That list seems like an awful lot to lose to BYOD if you ask me.

  2. Good to know.
    I wish I could see a phone with such features/less working to actually compare. So what browser would work instead of Safari???

  3. Without the Apple Store and the apps the iPhone is d as in dud phone. It’s too much of a trade-off. Meanwhile, Android fares not much better with its numerous malware and other security issues. BlackBerry is the only real true solution to both the enterprise and consumer markets.

  4. Haha! Sounds a lot like the old bb o’s.

  5. I really think that Knox is delayed because Samsung knows that BB is going to get the DoD contract with BES10. It saves face for Samsung if they are not ready (delayed) rather than suffering an all out loss. A head to head loss would hurt Samsung’s chances in other areas of business and government work. It’s a stall tactic IMHO

  6. You should read the BB10 STIG as well, as that does change some of the things you are saying. Also of note is that Good for Government is still an approved solution (sort of) and that Fixmo Sentinel server is going through the paces.

    This is only a first step, and not the first time Android has been approved. The new SRG/STIG process puts the burden on the shoulders of the vendors, which means things could change very very rapidly.

    • Hey Sith it has been a long time! You should stick around.

      I actually did get a chance to read the BB10 STIG before writing this article and I was actually surprised. It’s like the whole thing is written by a BlackBerry employee compared to the iOS and Android ones that are just chock full of restrictions. I feel bad for anyone who has to use it. Even the legacy BlackBerrys offer more functionality.

      I have never really understood how people survive with Good for Government. It does not even have basic features like Push email (only a push notification) since everything is just one uber app. BlackBerry is doing something similar with their “secure workspace” but the whole concept is weak especially from a security standpoint.

      The problem with most MDMs currently is that they do not make the hardware they are supporting. I thought Google was going to change that with their Motorola acquisition and their security APIs but Samsung is beating them to the punch. Still if you look at the architecture of Samsung Knox you are just blown away by how the whole thing is put together with scotch tape and twine on top of secure linux. Hell they even packed in bloatware “Centrify” in the solution to plug another one of the vulnerability vectors.

      What do you think the vendors will do that will change things so rapidly for Android? The Android STIG requirements for Samsung Knox are still pretty vague since I do not think they have any solution for some of the MDM requirements yet. Still most of the hurdles are not big ones. The question is what the end result will look like and if it will be anything like the Android or iOS native experience they are used to. Sadly that is nowhere near the case now on every platform but BlackBerry.

      BTW were you surprised that they approved BB10 Balance segmentation for personal and government use on the same device?

      • Ronen,
        The BlackBerry STIG applies to the work space mostly, just as the Android and iOS STIG apply to the container “mostly”. There are restrictions on the BlackBerry side as well, but when compared to previous STIGs this one is MUCH more open. I think BlackBerry is going to lose quite a bit in the DoD, and unfortunately it will be for the wrong reasons. People will move to Apple and Android because that is what they want to have, not because it is what they need or should have.

        • You are right in suggesting that BB will lose some business in the DoD. I don’t think it will be “quite a bit” but it will be a good chunk, and only because people want to use iOS and Android devices. Even so, with these devices being so crippled I don’t believe BB will lose quite so much business. The new BB10 OS has given BB an incredible boost to remove most of the user resistance to the BlackBerry brand.

      • Good observations, Ronen, but I will add (stuff you already know) that Knox is a significant deviation from Android and won’t stand up to BB10 for support, functionality, and yes, even security – despite what some folks think. Knox is essentially vapourware – can’t buy it, can’t use it.

  7. Good for Government is not certified with BlackBerry unless I missed an update?

  8. If Good for Government is still certified as an MDM (which I believe it is, but could be wrong), then they can handle iOS and Android through Good.

  9. What about the company called Fixmo (see link) as a competitor to BES 10? I believe BB BES 10 is superior but I’ve never actually heard of this company before today… Mostly I’ve heard about Good before. They mention being able to handle iOS, Android, and BB in their MDM solution.

    http://www.bloomberg.com/article/2013-05-28/aXayjMATJ64s.html

    • If I am not mistaken Samsung is actually an investor in Fixmo. They essentially do the same thing Good does. So much so that they sued each other over patent infringement early last year. They both do the “container-ized” take on security by trying to keep everything in a secure app though you lose all of the functionality of the native OS when it comes to your Work data.

      Solutions like Good and Fixmo are a good bandaid for BYOD but they are trying to expand beyond that.

    • Fixmo has worked closely with BB in the past on various apps, but perhaps seeing BB suffer the past year, they ventured into providing BES-type services on iOS.

  10. You could be wrong!!!!!!!!!! I don’t believe in hearing things!!!!!!!!!

  11. Is this the same as in Fixmo Tools?

  12. There are different versions of UNIX and the same goes for DBMS and ….!!!!!!! Some companies are using Oracle the others use Sybase or DB2 or …… Who cares!!!!!!!!

  13. Can it be with android devices like they made http://www.appostrophic.com/android-app-development/

  14. Samsung worked with General Dynamics for KNOX, don’t underestimate them and the security of that container. Fixmo’s solution is much more elegant than Good. RIM could lose this space if they don’t develop BES10 further. Also keep in mind that RIM’s iOS and Android solution is a container.

  15. Looks like the android and apple trolls are in a panic trying to spin how their old and outdated….. not to mention wide open to hackers OS are total and complete garbage. anyone in business who doesn’t use a BlackBerry is simply not a business person

    • Dom,
      hopefully you aren’t trying to refer to me with this. I would say, and it should be relatively easy to follow this, is that Apple and Android outnumber BlackBerry in business in the US at least. It is likely not even close. Do not be blinded by being a fan, it won’t help you or the company in any way. Constructive criticism has gotten RIM/BB to step up their deliveries, and will only continue to help them in the long run.

      • We’ve lost many blackberrys to iphones in the past few years. Probably like 60 or more and I’m the only one with a playbook vs 10 or so ipads floating around.

      • Yeah Sith there are a preponderance of other phones invading the enterprise and government space. From what I read about the STIG especially for apple it applied to the whole device beyond the container for things as simple as killing off the App Store on the whole device.

        The main competition is Samsung dual persona or Knox lockdown but both of those are facing a huge uphill challenge of trying to patch Android’s inherently insecure platform.

        What I think BlackBerry needs to do is essentially provide a more compelling cross platform mdm solution which they are already moving towards. They just need to catch up and start leading quickly.

        What I am curious about is the MDM requirements the DoD will set on each device. Right now they sort of just challenged MDMs to try and make something secure enough

        • KNOX and Android SE are something, and the STIG for iOS references both Fixmo and Good for Enterprise as valid MDM choices. I didn’t think Fixmo has been approved yet, so it could be a forward looking thing.

          • Yup the stig does reference good and Fixmo but if I remember correctly neither have all the functionality required by the stig.

            Also what’s the point of an iPhone without its email, calendar, contacts, browser, app store, music store, etc. Is the alarm clock that nice?

            • the RIM/BB solution for iOS and Android is the same that Good and Fixmo are offering (container), at least for now. If you listen to RIM about the roadmap, that will change, but for now what will differentiate them from Good or Fixmo in this space? That is going to be the big thing going forward, WHY is RIM/BB better.

  16. Ronen,
    There are additional restrictions placed on the iOS devices (much of that has to do with iTunes being so terrible, also iMessage hasn’t really been tested, but DOJ has had difficulties in cracking it), but Android with KNOX is based on Android SE, which NSA has helped design (on some levels). It is significantly more secure than your stock Android, though still has holes in it. NSA has a TON of money (something on the order of millions of dollars) invested in this, and will continue to stamp out these vulnerabilities until they can get a product that works, and works on the SIPR side as well.

    RIM/BB is going to face a massive challenge in this space, and I hope they have taken the warnings seriously. BES10 is a good start, but it is just a start, and needs a lot more in terms of enhancement to be a great platform.

    • iMessage may be difficult to crack but the fundamental flaw with iMessage is that a message can be very easily sent unencrypted that was intended to be “private”. iMessage decides the method of transport (either via iMessage protocol or SMS), and the sender does not have any significant cues that the message being sent will use one method or another. Apple intended this to be transparent so that it would be easy for the user, but it does leave a more security conscious user guessing.

      • Very true about iMessage, but it can be treated just like texting and then the problem is solved from a security standpoint.

        • Also, if you want a secure connection with a group of folks, even if one doesn’t have an iOS device, the message will be sent unencrypted. That decision is made by iMessage on the fly so if someone had an iPhone this morning and switched to an Android this afternoon, any message sent is now in the clear to that user. Poof – no more privacy.

        • Sith… what you said (“just like texting”) throws out any hope of using iMessage as a secure transport :)

          It’s too bad the general public is so easily swayed by advertising. Most folks on blogs like this get far more info on how things work behind the scenes.

          • Keep in mind BBM is only secure if you use it within the same organization and encrypt it. But that means you cannot speak outside of your organization securely.

            • Normal BBM messages are still encrypted (BBRY likes to use the phrase “scrambled”) so it’s not quite like SMS. BES BBMs are very secure. Secure messaging is like shades of grey.

              I think you’ll see, as we move forward, that BBM may begin to support asymmetric keys as well, especially as it does multiplatform.

              • It is very easy for law enforcement or government to get a hold of your public BBM conversations. If they are S/MIME encrypted not so much. Remember, BBM has a universal key

                • You know this is a bit of an exaggeration. Many countries were threatening RIM the last few years because they did not have access to BBM messages. It’s like saying WPA2 is easily cracked – not many can do it.

    • With the scare of a possible demise of BlackBerry, NSA and others had little choice but to explore other avenues. Whether or not that effort will continue with massive government cuts forecasted over the next few years, and when BlackBerry does have a very good and secure platform today, will remain to be seen. I would put my bets on BlackBerry being successful in penetrating those markets and keeping much of what they have today. BES10’s interop with Apple and Android may appease many corporate customers, but most DoD departments will be less interested in such a solution. Many will likely go all BlackBerry for a more solid and secure platform – tighter coupling of MDM to the device.

      • You will be very surprised how many don’t care. You have enough brass on your shoulder you can influence a great deal. Why do you think that DoD started this quest a few years back with iOS?

        • Those same brass will have their butts and careers on the line if sensitive material was leaked on their shift! Look what is happening in cyberspace with China and the DoD lately. While I agree that some are just playing politics, someone will have to take the fall if things go south.

    • Hey Sith,

      I actually have some experience with SE Linux and I think it’s an awesome idea especially trying to plug the inherent insecurity of Android with SE Android. I just have avoided commenting on it directly because I have seen very little documentation on Samsung’s implementation.

      First of all devices like the Galaxy S4 ship with SE Android enforcement turned off and in permissive mode. This mode just flags all the insecure permissions so that in the future you could potentially have an MDM that needs to profile each app and approve every single permission it needs. In other words SE Android will ship with a handful of apps if they actually enforce any of its protections. On top of that quite a bit of each device will need to be heavily modified for security since vendor added processes (think chipset code, touchscreen, gps, etc) that have access to certain permissions will need to be validated separately.

      This is just one of the major changes that will have to happen due to the inherent insecurity of the whole Android stack above the Kernel. The whole Dalvik VM is being sandboxed because it cannot be trusted.

      As I said I will reserve judgment until I actually see one with any of these permissions turned on but my guess is the SE Android will not perform or act anything like the Android you currently use as a consumer.

      • Oh you are very correct, but SE Android in its full implementation wouldn’t be for consumers. Think of it as the work side only on BlackBerry 10 devices. Everything being locked down, and no apps unless whitelisted. This model is what Samsung and GD are trying to achieve, very very similar to Balance.

        • Exactly. SE Android will be sort of like the old Locked down Windows Mobile phones where the experience was totally different and crippled.

          Alternatively BlackBerry balance allows for all native BlackBerry apps in App World to work on the Work container. That means thousands of apps that are effortless for companies to bring into the fold. That is a huge benefit. Also apps will be able to access shared resources (something that is a HUGE no no on SE Android due to the insecurity of Dalvik)

          In short governments will be able to use Android and iOS but only after they remove all functionality that would make them want to use that platform. That is the BlackBerry edge.

          In the container space I think BlackBerry is going to have to work very hard to differentiate themselves. They can easily beat Good since they are held back by their legacy platform but Fixmo is moving quickly. If they can offer a much more powerful container (others are very limited) then maybe they have a good competitive advantage.

          Sith I know you are a die hard fan. That’s why I love discussing this stuff with you because you are frank and honest without bias.

          • Ronen,
            BB10 app limitations are the same as iOS or Android, no unapproved apps can be set, so you won’t be allowed to just whitelist like you were. DoD wants their own app store, where they will likely host the BAR files.

            Also the Dalvik VM is the same that BB has, which is why you cannot push android apps to the work side, it simply doesn’t exist on that side of the device.

            Fixmo is definitely coming after RIM, and while they don’t have the NOC, they do offer a few features that RIM does (being able to push documents into the secure container, etc). RIM needs to not sit back and definitely incorporate this, as well as things like pushing browser bookmarks, work drives being able to set from BES (not local), etc.

            • Yup all is lost on Android apps in terms of trying to secure them without creating a sandbox around them. It’s sort of like Adobe Flash.

              Yes it’s all about application whitelisting. What I was trying to point out is that for SE Android each app needs to be profiled for SE Android to be able to do anything. In other words apps won’t just work if they approve an APK.

              In terms of iOS apps I have not seen any solid whitelisting solution that does not require some weird hack with the app store. It’s almost like Apple is fighting it happening.

              Personally I think Fixmo is BlackBerry’s biggest competitor in the MDM space since it’s hard to compete with a pure play mdm that is device agnostic. Still it will be an interesting competition.

              Personally what I think would be a big game changer would be Apple getting into the MDM space but they have always avoided that like the plague.

          • Actually, Ronen, you hit the nail on the head when you say that the tens of thousands of BB apps can now operate in the Work container all under MDM management. That is the true beauty of this solution! Balance makes this possible.

            Knox also includes a fair amount of unproven proprietary code from Samsung to attempt to beef up SE Android.

            Unfortunately, in today’s world, truth is how you spin it. Yes there will be marketing differentiation issues that are bound to sway users. But there is also a common misguided perception that security is an app – it’s an add-on. The reality is that security needs to be designed right into the core OS – from the ground up.

            Most OSs today have the concept of user space and kernel space, but QNX takes it further. Every app has its own space, eliminating buffer overflow issues and the typical domino effect of one app collapsing over others. Indeed, BBRY could not have found a better platform upon which to build BB10.

            • Security has always been an add on, an afterthought, and users absolutely HATE security in general. Look at your desktop OS, and all the crap from antivirus vendors, and firewalls, etc that are added on. This is the IT culture, and this is what will persist in mobile. The mobile device should view, not store, sensitive information, so you only need to secure the least amount on the mobile device. If you don’t have any persistent information, you don’t have to worry about DAR encryption, secure containers, etc. You need to worry about the source data, and anything in transit. (Think a beefed up RDP). DoD will almost assuredly go that way at some point, can RIM/BB use QNX to provide this? Time will tell on that front.

  17. What?? No iTunes, no Safari, no iMessage, no App Store? That’s not an iPhone ;) Go BB!

  18. Ronen,
    not sure which version of the iOS STIG you read, but a new one was released on the 23rd.

  19. And before anyone doesn’t realize it, I am a HUGE supporter of BB/RIM, and have been for many many years. I have had numerous discussions with senior RIM leadership about this and many many other issues over the last few years.

  20. The long list of Pentagon programs reported as targets of Chinese cyberattacks

    http://www.ctvnews.ca/sci-tech/the-long-list-of-pentagon-programs-reported-as-targets-of-chinese-cyberattacks-1.1301620

    how can DOD not choose blackberry ?

    • Because it is unlikely that had anything to do with hacking mobile, and had to do with hacking the back end. If you can get the back end, the mobile front doesn’t matter.

      • That is the idea!!!!!!!!! Accessing The back end servers through secure front end devices!!!!!!!!!!!

        • What I meant was that the hackers accessed back end systems without going through mobile (most likely). If your source is compromised, it doesn’t matter how many layers of security you put on top, you are still toast. (Look at Android and previous secure container solutions). Root is ‘god’ in the case of Unix, well SA is but still you get my point.

          • If the back end is secure and the front end is not secure,
            Then the back end is exposed, while the front end accessing the back end!!!!!!!!!!!!!! I hope i got it right, too much to drink last night!!!!!!!!

  21. Btw seems like Fixmo just released their solution following the STIG for iOS yesterday.
    http://www.bloomberg.com/article/2013-05-28/aXayjMATJ64s.html

    You have to love how they gloss over the crippling parts of the stig. Still that’s the edge Fixmo has. They move very fast and while BlackBerry is moving much faster than before they need to hit ludicrous speed :)

    • When you’re playing catch-up you have to paddle fast or sink. BBRY has the reputation and a proven solution that millions rely on.

  22. BTW Sith the irony of this all is I am at a conference now with quite a few CSO and CISOs who will be deciding how many of these rollouts will happen.

  23. Ronen,
    You should convince them otherwise! Lol

  24. I really need to get into mobile consulting.

  25. http://www.electronista.com/articles/11/08/09/rim.promises.to.assist.police.in.wake.of.riots/

    Let me also say that law enforcement can and has been able to intercept BBM messages. This goes for the US, and while I am sure it goes for other countries, I have no first hand knowledge of that.

  26. Military leadership has approved the devices and OS now, there is no one to take the fall. They use the terms acceptable risk and look to mitigate those risks. But the ones that are still there, those vulnerabilities, are now no one’s fault since it meets the baseline security configuration. Look at the report on how the army didn’t know about many thousand devices connected to their network. The inspection arm of the DoD did that investigation and nothing happened. It just had recommendations. That is all.

  27. Royal Bank of Canada Launching Mobile Payments System
    Q10 & Z10 on top of the list!!!!!!!!!!!!!!!!!!

    http://www.fool.com/investing/general/2013/05/10/royal-bank-of-canada-launching-mobile-payments-sys.aspx

  28. BYOD is for suckers that don’t really care about security and want their employees to pay for their own phones.

  29. Shorts sensationalists wants 2 talk BLACKBERRY down. They need 2 go back 2 school 2 learn how 2 write.

    http://watch.bnn.ca/#clip941085


BlackBerry© is a registered Trademark of BlackBerry Limited. BerryReview is in no way affiliated with BlackBerry Limited though sometimes their lawyers send us love letters...

Copyright © 2007-2014 BerryReview LLC