Howto: Remove BlackBerry’s IT Policy

WARNING!
Follow these instructions only if you know what you are doing.
These instructions can actually downgrade certain BlackBerry capabilities (e.g. permanent loss of support for Bluetooth keyboards) if your BlackBerry does not already have an IT policy installed. They are meant as a last resort to regain BlackBerry capabilities in the event your BlackBerry is encumbered by a restrictive leftover IT policy after removal from a BES (e.g. a BlackBerry purchased on eBay).

Removing IT Policy.

This is a How-To for removing IT policy from your BB. In essence, what this does is apply a blank IT policy to the device. The blank IT policy does, unfortunately, leave some IT policy firewalls in place. For instance, “keystroke injection” is set by default to “deny” on most IT policies, and this blank policy won’t give back “allow” for this feature. This becomes a problem if you want to use a Bluetooth keyboard: you’ll be unable to use it. If a way is found to get this back then I’ll edit this post accordingly.

A quick check to see if your BB is under IT policy can be done by going to Options/Security on your device. If you see any references to IT Policy whatsoever, then you have a potentially restrictive IT Policy that can be removed.

The Disclaimer/Intended Use.

This guide is intended for use by people who own their own BlackBerry and, for whatever reason, have inherited a company’s IT policy on their device. Really, there are two scenarios where this guide is useful: you bought a BlackBerry on eBay and are unable to make changes to the settings or install Third Party Applications, or you have a BlackBerry that was previously connected to a company’s BES and, for whatever reason, you no longer intend to connect to that BES.
Important: If you’re still connected to a company BES, and simply want to install the latest and greatest third party application I would not recommend this approach. Talk to your BES administrators and ask them to grant you the appropriate rights. There are two problems in using this guide to bypass your company’s security policy. First, whenever you reconnect to the company server, your security settings will revert back to how they were. Second, and perhaps more importantly, you run the risk of getting fired.

Procedure:

  • Step 1
    Ensure the Blackberry Desktop Manager is installed using Blackberry Internet Service, and not Blackberry Enterprise Server. If you are unsure, it would probably be a good idea to uninstall the Desktop Manager and start again.
    If you don’t have the CD that came with your Blackberry, the Software can be downloaded here.
  • Step 2
    Download the file policy.bin and save it in your Blackberry installation directory (C:\Program Files\Research In Motion\BlackBerry).
  • Step 3
    Wipe your Blackberry, creating a backup if necessary. Select Options/Security/Wipe on the Device.
    If this option is unavailable, you may have to install the latest software on your Blackberry. Download and install the latest OS for your device, then connect your device, open the Desktop Manager, select Application Loader, and follow the prompts.
  • Step 4
    Close the Desktop Manager if it is open.
  • Step 5
    From the Windows XP Start Menu select Run…, and at the prompt type regedit. In the tree on the left-hand side, navigate to:

    HKEY_CURRENT_USER\Software\Research In Motion\BlackBerry\PolicyManager

    Right-click the PolicyManager key and select New/String Value. Name the value Path. Now double-click the Path value and set Value Data to:

    C:\Program Files\Research In Motion\BlackBerry\policy.bin

  • Step 6
    Open the Desktop Manager.
  • Step 7
    Connect the Device.
Verification:

Once complete, the Options/Security screen on your Blackberry should not contain references to an IT Policy. You should now be able to change all settings (including password prompts) and install Third Party Applications.

Note: After applying this blank policy to the restricted BlackBerry, I recommend removing policy.bin and the registry entry you added. Basically, go back and undo what you did. If you don’t, you risk plugging in a BB with NO policy and applying this blank policy to it as well.

Someone personally wrote this policy so that there would be no question as to what it does to your device. Here is the code included in the policy.bin above. (If you have comments or questions, or you see something that should be changed, please contact me in this thread or via PM.)

; This setting controls whether or not Desktop add-ins are permitted.
; When set to false, no desktop add-in code will be executed.
AllowDesktopAddIns {policy} = true

; Indicates whether or not the desktop software will allow the user to switch devices.
AllowDeviceSwitch {policy} = true

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; Synchronization
;; Synchronize for PIM,Email and Folder Management defaults.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

; This setting allows you to specify whether or not you would like PIM
; information to be synchronized when the user selects the Synchronize Now
; button from the Intellisync dialog.
SynchronizeNowPIM = true

; This setting allows you to specify whether or not you would like Email
; information to be synchronized when the user selects the Synchronize Now
; button from the Intellisync dialog.
SynchronizeNowEmail = true

; This setting allows you to specify whether or not you would like the date and
; time to be synchronized when the user selects the Synchronize Now button from
; the Intellisync dialog.
SynchronizeNowDateTime = true

; This setting allows you to specify whether or not you would like PIM
; information to be automatically synchronized when the handheld
; is connected to the PC.
AutoSynchronizePIM = false

; This setting allows you to specify whether or not you would like Email
; information to be automatically synchronized when the handheld
; is connected to the PC.
AutoSynchronizeEmail = false

; This setting allows you to specify whether or not you would like Date and Time
; information to be automatically synchronized when the handheld
; is connected to the PC.
AutoSynchronizeDateTime = false

; This setting allows you to specify whether or not you would like to synchronize
; folders instead of performing an import.
SyncFoldersInsteadOfImport = true

; This setting allows you to specify how information conflicts between the handheld
; and the PC encountered during synchronization are handled. If set to true, desktop
; information is used. If set to false, handheld information is used.
FolderConflictDesktopWins = true

; This setting allows the enabling or disabling of wireless email reconciliation.
AllowWirelessEmailSynchronization = true

; This setting allows the wireless calendar synchronization functionality to be disabled.
DisableWirelessCalendar = false

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; Redirector Settings
;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

; Append signature on out going messages
AutoSignature = -----------------\
Sent from my BlackBerry Handheld.

; Forwards messages to the handheld
ForwardMessagesToHandheld = true

; Allows users to receive mail when handheld is connected to cradle
ForwardMessagesInCradle = true

; Setup filter rules for email redirection
FilterRuleFile = c:\myfilters.rfi
; When filter rules don't apply, forward or don't send messages
ForwardWhenRulesDontApply = true

; When sending a message from handheld, don't save a copy in my 'Sent Items' folder
DontSaveSentMessages = false

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; Backup/Restore Configuration
;;
;; These values control the settings in the "Backup and Restore Options" dialog
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

; This value controls the "Automatically backup my handheld" setting
; in the options dialog, which enables or disables prompted Automatic Backups.
AutoBackupEnabled = true

; This value indicates how often an AutoBackup is performed in days.
AutoBackupFrequency = 7

; This setting controls the exclusion of Email and synchronized data from the
; automatic backup. If set to true, the "Backup all handheld application data"
; radio button is selected.
AutoBackupIncludeAll = true

; This setting allows control over whether email is excluded from automatic backups
; (when AutoBackupIncludeAll is false).
AutoBackupExcludeEmail = false

; This setting allows control over whether synchronized application data is excluded
; from automatic backups (when AutoBackupIncludeAll is false). "Synchronized data" is
; that data which is configured for synchronization with Intellisync; this varies
; according to the user's preferences.
AutoBackupExcludeSync = false

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; WebLink Configuration
;;
;; These values control the appearance and behaviour of the WebLink extension.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

; Setting this value to false prevents the WebLink icon from being displayed.
ShowWebLink = true

; This setting specifies the URL that will be used when the WebLink
; icon is activated.
WebLinkURL = www.your_network_here.com/go/downloads

; This setting controls the label that is displayed for the WebLink icon.
WebLinkLabel = Downloads

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; Device Security Settings
;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

; Determine if the password is required on device
PasswordRequired {policy} = false

; Determine if the user can disable the password
UserCanDisablePassword {policy} = true

; Minimum length of the password.
; Valid range is 1 to 12 characters, inclusive.
;
; This value indicates the minimum length of an acceptable device
; security password.
MinPasswordLength {policy} = 1

; Password Pattern Checks
; Valid range is 0 or 1 at this time
; 0 -> no checks
; 1 -> ensure password has at least one letter and one digit
PasswordPatternChecks {policy} = 0

; Suppress Password Echo
;
; Option to disable password echo after x numbers of fail attempts to unlock handheld.
; false -> Disable
; true -> Enable
;
SuppressPasswordEcho {policy} = false

; Maximum device security timeout.
; Valid range is 1 to 60 minutes, inclusive.
;
; The handheld user is permitted to select any security timeout value
; less than this value.
MaxSecurityTimeout {policy} = 60

; Password Timeout
; Valid range is 0 to 60 minutes, inclusive.
;
; Set the effective password timeout on handheld. This value must be
; less than that of the MaxSecurityTimeout.
SetPasswordTimeout {policy} = 0

;
; If set, forces the device to the lock screen when it is holstered
ForceLockWhenHolstered {policy} = false

; Determine if the user can change the timeout
UserCanChangeTimeout {policy} = TRUE

; Password aging.
; Valid range is 0 to 365.
;
; Specifying a value of 0 indicates password aging is disabled. Other
; values specify the maximum age of the password before the handheld
; user is prompted to change it.
MaxPasswordAgeInDays {policy} = 0

; Password History
; Valid range is 0 to 15
;
; Specify the number of passwords to retain for checking. Passwords in password history cannot be used when
; setting a new handheld password.
;
MaximumPasswordHistory {policy} = 0

; Maximum Password Attempts
; Valid range is 3 to 10
;
; Set the maximum number of password attempts on handheld.
;
SetMaximumPasswordAttempts {policy} = 10

; Indicate if Long Term Security Timeout is enabled/disabled
;
; If true, handheld long term timeout is enabled
; If false, handheld long term timeout is disabled.
LongTermTimeoutEnable {policy} = false

; Attachment Viewing
;
; Controls the ability to view email attachments on the handheld.
; If set to true then users can view attachments on the handheld
AllowAttachmentViewing {policy} = true

; Policies that control the behaviour of third party applications
; on Java-based handhelds.
AllowThirdPartyUseSerialPort {policy} = true
AllowExternalConnections {policy} = true
AllowInternalConnections {policy} = true
AllowSplitPipeConnections {policy} = true
DisallowThirdPartyAppDownloads {policy} = false

; Policies that control the behaviour of the handheld Browser application
;
; DefaultBrowserConfigUID {default} = "BlackBerry Browser"
; MDSBrowserTitle {default} = "YourCompany Intranet"
; HomepageAddress {default} = www.your_network_here.com
; HomepageAddressReadOnly {policy} = true
; EnableWAPConfig {policy} = false

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; Policies that apply to the TLS protocol.
;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

; TLS Disable Invalid Connection
; Disallow users from connecting to a server with an invalid certificate (e.g. revoked, expired, etc.).
; Value: 0=true,1=false,2=prompt on device
TLSDisableInvalidConnection {policy} = 1

; TLS Disable Untrusted Connection
; Prevent TLS connections to untrusted servers.
; Values: 0=true,1=false,2=prompt on device
TLSDisableUntrustedConnection {policy} = 2

; TLS Disable Weak Ciphers
; Disable use of weak ciphers during a TLS connection.
; Values: 0=true,1=false,2=prompt on device
TLSDisableWeakCiphers {policy} = 2

; TLS Minimum Strong DH Key Length,
; Valid range 512 to 4096
TLSMinimumStrongDHKeyLength {policy} = 1024

; TLS Minimum Strong ECC Key Length
; Valid range 160 to 571
TLSMinimumStrongECCKeyLength {policy} = 163

; TLS Minimum Strong RSA Key Length
; Valid range 512 to 4096
TLSMinimumStrongRSAKeyLength {policy} = 1024

; Disable the use of any cipher that is not FIPS compliant.
TLSRestrictFIPSCiphers {policy} = false

; TLS Minimum Strong DSA Key Length
;
; Set the minimum DSA key size allowed for use during a TLS connection.
; Range: 512 - 1024 bits in 64 bit increments
TLSMinimumStrongDSAKeyLength {policy} = 1024

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; Messaging Settings.
;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

; Indicate if PIN to PIN messaging is permitted.
;
; If true, handheld users are permitted to use the PIN to PIN messaging
; feature. If false, this capability is hidden from the handheld user.
AllowPINtoPIN {policy} = true

; Indicate if the specification of BCC recipients is permitted.
;
; If true, handheld users can specify BCC recipients when composing messages.
; If false, this capability is unavailable to handheld users.
AllowBCCRecipients {policy} = true

; Indicate if SMS messaging is permitted.
;
; If true, handheld users are permitted to send SMS messages.
; If false, this capability is unavailable to handheld users.
AllowSMS {policy} = true

; Indicate if the RIM phone application can be used on the handheld.
;
; If true, handheld users are permitted to use the handheld's phone.
; If false, users are not permitted to use the handheld's phone.
AllowPhone {policy} = true

; Indicate if the RIM web browser can be used on the handheld.
;
; If true, handheld users are permitted to use the handheld's web browser.
; If false, users are not permitted to use the handheld's web browser.
AllowBrowser {policy} = true

; Indicate if other email services are permitted on the handheld.
;
; If false, no other email service books (other than the Enterprise
; edition one) are permitted on the handheld. Any other existing email
; service books are removed when the policy is installed; while the
; policy is in effect, other email service books will be rejected by the
; device. This forces all outbound email to be routed through the
; organization's BlackBerry Enterprise Server.
;
; If true, no restrictions are applied to email service books.
AllowOtherEmailServices {policy} = true

; Indicate if other browser transport services are permitted on the handheld.
;
; If false, no other browser transport service books (other than the
; Enterprise edition one) are permitted on the handheld. In this case,
; any other existing browser transport service books are removed when the
; policy is installed; while the policy is in effect, other browser transport
; service books will be rejected by the device. This forces all browser
; traffic to be routed through the organization's BlackBerry Enterprise Server.
;
; If true, no restrictions are applied to browser transport service books.
AllowOtherBrowserServices {policy} = true

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; Owner Information
;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

; Owner Name - if value = '*' use the registry setting
OwnerName {default} = Research In Motion Ltd.

; Owner Info - if value = '*' use the registry setting
OwnerInfo {default} = This BB has Blank IT policy on it written by k from www.blackberryinsight.com
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; Other Info
;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
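
To see which protections the blank policy above turns off, here is an added example (not part of the original post and not RIM tooling) that parses the policy source format shown on this page and compares its password and TLS rules with a baseline. The baseline thresholds, the function names and the backslash-continuation handling are assumptions.

```python
import re

# Constructed sample: a subset of lines from the policy source on this page.
SAMPLE = r"""
; Determine if the password is required on device
PasswordRequired {policy} = false
UserCanDisablePassword {policy} = true
MinPasswordLength {policy} = 1
PasswordPatternChecks {policy} = 0
AutoSignature = -----------------\
Sent from my BlackBerry Handheld.
TLSDisableInvalidConnection {policy} = 1
TLSDisableUntrustedConnection {policy} = 2
TLSDisableWeakCiphers {policy} = 2
TLSMinimumStrongRSAKeyLength {policy} = 1024
OwnerName {default} = Research In Motion Ltd.
"""

# Rule name, optional {policy}/{default} tag, '=', value.
LINE = re.compile(r"^(\w+)\s*(?:\{(policy|default)\}\s*)?=\s*(.*)$")


def parse_policy(text):
    """Return {name: (tag, value)}; tag is 'policy', 'default' or None."""
    settings = {}
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        m = LINE.match(line)
        if m is None:
            continue
        name, tag, value = m.groups()
        # Assumption: a trailing backslash continues the value on the next
        # line, as the AutoSignature entry on the page suggests.
        while value.endswith("\\"):
            value = value[:-1] + "\n" + next(lines, "").strip()
        settings[name] = (tag, value.strip())
    return settings


# Hypothetical baseline (thresholds are assumptions, not from the page).
# TLS rules use the encoding in the page's comments: 0=true, 1=false, 2=prompt.
CHECKS = [
    ("PasswordRequired", lambda v: v.lower() == "true", "device password not enforced"),
    ("UserCanDisablePassword", lambda v: v.lower() == "false", "user may switch the password off"),
    ("MinPasswordLength", lambda v: v.isdigit() and int(v) >= 8, "minimum length below 8"),
    ("PasswordPatternChecks", lambda v: v == "1", "no letter-and-digit check"),
    ("TLSDisableInvalidConnection", lambda v: v == "0", "invalid certificates not blocked"),
    ("TLSDisableUntrustedConnection", lambda v: v == "0", "untrusted servers not blocked"),
    ("TLSDisableWeakCiphers", lambda v: v == "0", "weak ciphers not blocked"),
    ("TLSMinimumStrongRSAKeyLength", lambda v: v.isdigit() and int(v) >= 2048, "RSA keys under 2048 bits count as strong"),
]


def audit(settings):
    """Return [(name, value, reason)] for rules weaker than the baseline."""
    findings = []
    for name, is_ok, reason in CHECKS:
        value = settings.get(name, (None, None))[1]
        if value is not None and not is_ok(value):
            findings.append((name, value, reason))
    return findings


if __name__ == "__main__":
    for name, value, reason in audit(parse_policy(SAMPLE)):
        print(f"{name} = {value}: {reason}")
```

Rules absent from the input are skipped rather than reported, so the output reflects only what the policy source explicitly sets.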

22 Responses to “Howto: Remove BlackBerry’s IT Policy”

  3. d_fisher says:

    There is an alternate, and easier, solution for devices running OS 4.3 or higher. The latest version of Javaloader.exe has the ability to reset IT policy to factory settings. You can get the correct version of Javaloader.exe from the BlackBerry JDE 4.3 or the BlackBerry JDE Component Package 4.3.

    To remove the policy use the following command:
    javaloader.exe -u resettofactory

    Or, you can download the batch file I wrote, JL_Cmder. Click the URL link to take you to the JL_Cmder download thread on BlackBerryForums.com.

    Enjoy,
    Doug

  7. Lai Huu Duong says:

    In addition, please tell me how to generate a blank policy.bin file from your source code?

  9. arxr says:

    Is it useful?

  10. Raad says:

    I tried the above still does not work. Here is why:
    As soon as I connect the device to Desktop Manager I get this window;

    “Device Password Requiered, Device USB PIN 240884F8, Please Enter Device Password” (I do not know this password.)

    This password is NOT the same password that I put to UNLOCK the device at startup.

    Can anyone please help. If you can email me. Thank you so very much

  11. thehashcat says:

    Just removed IT policy from my 8310.

    Follow instructions by ‘Crackberry’ @ http://supportforums.blackberry.com/rim/board/message?board.id=9500&message.id=35599

  12. motlatsi says:

    magic thanks a lot

  14. Bill says:

    If my company put my personal phone on the BES without my permission or knowledge (it can be done simply by me plugging in to go online from my work computer), what should I do?

    I learned of this and have sent over 3500 SMS texts to myself in seven months in an attempt to ‘convince’ my administrator to remove my personal phone from the work server. I am now attempting to remove the BES from my phone but I have a feeling that I will fail, just like all the rest of the new phones, security measures, password protection, etc. has failed.

  15. Sam says:

    Can you please message me when you can about the IT policy?

  16. Ari says:

    check the application “UnlockIt” on App World

  17. jeseef says:

    Do we need to restore the backup after the verification?
    If yes, should it be done before undoing the registry edit or after? Please make it clear.

  18. lautoka says:

    I had a persistent password at startup that was a remnant of an IT Policy, and managed to remove it using JL_Cmder as recommended in comment #3 above by d_fisher, it works very well.
    Procedure was…
    (1) install “Blackberry Desktop Manager” onto PC (just download and run the .exe from BlackBerry.com)
    (2) install JL_Cmder onto PC (extract and install from .zip)
    (3) turn off handheld (BB-8820 in my case) and plug in to PC using usb cable
    (4) start BB-desktop manager and select upgrade all software (to ensure os is up to snuff)
    (5) Once upgrades are complete (approx 30 mins), close BB-desktop manager and start JL_Cmder
    (6) select “resettofactory” and let it run (a few mins)
    (7) Close JL_Cmder, unplug phone from usb, then remove and reinstall battery.

    That’s it! You should be free of the IP Policy and any password requirement.

    A side note: the default password is usually stated as “1234”, but since sequences are not allowed the password is actually “wers”. You will have to enter this sequence for both the desktop manager and the JL_Cmder programs.

    Thanks to all the folks that helped me by posting “how to” info online :-)

  19. zulky says:

    Hi, as Raad has mentioned above, my problem is that I can't get past that to do anything. Anyone able to master this? Thanks

  20. Ed says:

    Does removing the IT Policy and password requirement with JL Loader also remove the user’s access to BES and corporate exchange email? Or would the user still be able to access BES and corporate exchange email?

  21. Vickoob4u says:

    It worked in my 8520 and 8700. Thank you so much
