Friday, March 28, 2008

IT Policy Removal Options

For security reasons, the IT Policy assigned to a device cannot be removed, even if the device is wiped. It is like a permanent tattoo. Like a tattoo, however, it can be removed with a long and painful procedure. At least that is the way it used to be; nowadays we have more options. Let's go over them.

1) Wipe the device. Although the IT policy still exists on the device, the wipe process opens a "window" where an activation against another corporate BES server can overwrite the IT Policy with the new one. So for moves between organizations, you can only replace one policy with another; you cannot overwrite. For people who purchase previously corporate BlackBerrys on eBay for personal use, this has been quite a hassle, as they are stuck with the old corporate policy, which may be locked down significantly.

Which leads to...

2) Use the policy.bin file to clear the policy. This is a long and messy procedure (which I will not get into here) that mostly gets rid of the old policy, using the pre-4.0 method of a policy.bin file and Desktop Manager. I don't like this method because of the time it takes and because the device is not in a known, consistent state at the end. It is not really "just like new" when this is done, but it can be enough for most people.

3) This is a new one. With a device OS later than 4.2.2, you can use the "Remote Wipe Reset to Factory Defaults" procedure documented in an older post here:

http://besdomino.blogspot.com/2007/10/remove-it-policy-new-feature-of-41-sp4.html

4) This is also a new method, which does not require an IT Policy assignment or a BES server at all, just the Javaloader utility in the RIM developer tools download. Note that an OS of 4.3.0 or higher is required, and the Javaloader utility itself must be the latest version.

Strangely, the utility does not list version numbers, so you just have to look for the available option:

resettofactory
Reset IT policy to factory settings

...when you run the executable without parameters to see if it supports it. If it does, then this command will wipe the IT Policy right off, and set it back to default:

c:\javaloader -u resettofactory

The future of IT policy removal is a bright one, indeed.

1 comment:

Luc Pâquet said...

Hi

Is there a way to email you a question? We are a huge Notes shop (100 000 users) with 1500 BlackBerry users. Those 1500 users are divided by 3 cellular providers. I have to create 3 separate BES environments, one per provider. All this without disturbing the users with a new activation. My thought is: 1 - copy my BESMGNT into 3 instances, 2 - rename those as BESMGNTA, B and C, 3 - run an SQL script in each DB to remove the 2 providers that don't belong there.

What do you think? I'm looking for the SQL script?