
iLane Admin Guide

WHITEPAPER for SECURITY and BES

TABLE of CONTENTS

Section 1: ADMINISTRATORS OVERVIEW
  1.0 Introduction
  1.1 About This Guide

Section 2: iLANE CONNECTIVITY
  2.0 iLane Components
  2.1 iLane Connections
  2.2 iLane and the Internet

Section 3: iLANE SECURITY
  3.0 Authentication
  3.1 Encryption

Section 4: BLACKBERRY ENTERPRISE SERVER (BES) SETTINGS
  4.0 iLane and BES: Introduction
  4.1 Required IT Configurations / Policies
  4.2 Using BES Application Control Policies
  4.3 BlackBerry Settings for Your End Users

Section 5: MAINTAINING A SECURE ENVIRONMENT
  5.0 iLane Installations and Upgrades
  5.1 Controlling Bluetooth Access
  5.2 iLane and Your Network
  5.3 If an iLane is Lost or Stolen

Section 6: APPENDIX: TYPICAL BES SCREEN SHOTS

Due to continuous advancements, all information is subject-to-change. Please consult my.ilane.com for revisions.

DOC-00047-01 (2-3-09)

SECTION 1: ADMINISTRATORS OVERVIEW

1.0 Introduction
This guide explains how network administrators and other IT professionals can prepare for adding iLane to a corporate email environment such as those operating under a BlackBerry Enterprise Server (BES). You will learn how iLane communications are managed and safely transported, both within a vehicle and beyond to the Internet. With a good understanding of a few basic IT policy requirements and recommendations for integrating iLane, you can help ensure successful setup of your iLane users.

1.1 About This Guide


This guide assumes general awareness of iLane functionality and operation. It will be useful for IT administrators who need to prepare for iLane users whose BlackBerry is part of a corporate BES network. This is not an iLane setup guide. To get iLane up-and-running with a BlackBerry, or to learn more about how iLane works, consult the iLane Quick Start 1-2-3 and the iLane Users Guide provided with the product. Please also visit my.ilane.com for all current documentation updates or other supporting materials available over the life of the product. We want to help you get the most out of iLane!

GRAPHIC CONVENTIONS USED IN THIS GUIDE

[icon] = NOTE or TIP for exceptions, emphasis and/or help


iLane and its related marks, logos, images and symbols are the exclusive property and trademarks of Intelligent Mechatronic Systems, Inc. Bluetooth is a registered trademark of Bluetooth SIG, Inc. BlackBerry and RIM families of related marks, images, and symbols are the exclusive properties of Research in Motion Limited. All other trademarks are the property of their respective owners.

DISCLAIMER

While every effort has been made to ensure that all information published and provided in support of iLane is accurate, complete and up-to-date, IMS can accept no liability for possible errors or omissions. Due to continuing research, please note that all iLane information is subject to change without notice.
COPYRIGHT NOTICE

No part of this guide or other IMS publications may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without prior written permission of IMS.

SECTION 2: iLANE CONNECTIVITY

This overview describes iLane and how it interconnects.

2.0 iLane Components


iLane is designed for in-vehicle use. Its 3 main system components are:

- the iLane device (running iLane Platform firmware)
- the iLane headset
- the iLane Gateway software application installed on a user's BlackBerry

A NOTE ABOUT BLUETOOTH COMPATIBILITY

The original iLane Platform firmware (v1.0.5) released in Fall 2008 is optimized for use with the iLane headset, the BlueAnt Z9i. As other compatible Bluetooth hands-free audio systems or Bluetooth-enabled vehicles complete testing and are verified for use with iLane, they are added to the Bluetooth Compatibility List at my.iLane.com. Please consult this list if you are interested in using your own Bluetooth audio device with iLane.

2.1 iLane Connections


As shown in Figure 1, the Bluetooth wireless communications between iLane components are local within the vehicle. Other communications outside the vehicle environment, which allow the BlackBerry to receive and send information, utilize your pre-existing Internet connections. See 2.2, iLane and the Internet.

Figure 1. iLane Connectivity

Since messages flow directly between iLane and the smartphone without passing through any additional servers, the driver receives iLane communications securely and without delay.

ESTABLISHING iLANE'S BLUETOOTH LINKS

When the user first sets up their iLane system, the two Bluetooth wireless connections are established between 1) iLane and the user's BlackBerry and 2) iLane and the iLane headset. In this pairing process, iLane is discoverable only by Bluetooth devices within range of the iLane transceiver. This pairing mode is possible only under certain conditions:

- if you have a new iLane, or if you have done a Factory Reset on iLane to delete previous pairings and restore factory defaults
- if you have physical access to iLane (for pressing the required button during the pairing process).

NOTE: A successfully paired iLane is no longer discoverable by other Bluetooth devices. The smartphone, however, does not have to be discoverable in order to be successfully paired to iLane.

THE HANDS-FREE PROFILE (BETWEEN iLANE AND BOTH COMPONENTS)

As shown in Figure 1, all communications between iLane and the headset use the industry-standard Bluetooth Hands-Free Profile (HFP). This profile is also used for audio and call status exchanges between iLane and the BlackBerry.
THE SERIAL PORT PROFILE (BETWEEN iLANE AND THE BLACKBERRY ONLY)

As shown in Figure 1, a Bluetooth Serial Port Profile (SPP) is used between iLane and the BlackBerry. This additional profile enables the secure exchange of messages and other information which iLane reads aloud and manages using a voice-based interface. After authentication, AES-256 transport-level encryption is applied to information within the SPP link. The BlackBerry's access to the SPP interface is established and controlled by the iLane Gateway application.

2.2 iLane and the Internet


Every iLane user needs external web access on their BlackBerry. This internet connection is required in order to:

- Create an iLane account
- Download and install iLane Gateway software on a BlackBerry
- Authenticate and activate iLane
- Configure personal preferences available at my.iLane.com
- Receive on-demand custom content such as the Associated Press news and The Weather Network forecasts available with a paid iLane subscription

SECTION 3: iLANE SECURITY

This section summarizes iLane security measures.

3.0 Authentication
iLANE GATEWAY AUTHENTICATION

iLane Gateway, the software application installed on every iLane user's BlackBerry, is a digitally signed and validated application. This status grants iLane Gateway access to the required RIM-controlled APIs.
BLACKBERRY AUTHENTICATION

Every iLane user's BlackBerry is associated with a registered iLane account on my.iLane.com. This association is based on the email address and phone number configured on the BlackBerry. The manager of an iLane account can approve or deny the use of specific email addresses and phone numbers with a given iLane.
iLANE DEVICE AUTHENTICATION

Public key cryptography with device-unique key pairs authenticates each iLane device. This approach ensures that all access to iLane Gateway is controlled through the Bluetooth SPP link. Any device lacking the complementary portion of the asymmetric key cannot use the SPP link to reach iLane Gateway on the smartphone.

3.1 Encryption
During any iLane session, two secure tunnels prevent eavesdropping: one tunnel is between iLane and the smartphone, and one is between iLane and the my.iLane.com server. Each tunnel is authenticated using RSA and encrypted using AES-256, and does not rely on existing Bluetooth encryption.

SECTION 4: BLACKBERRY ENTERPRISE SERVER (BES) SETTINGS

This section specifies how to configure your BES policies for successful iLane setup and/or operation. See also Section 6, Appendix.

4.0 iLane and BES: Introduction


Settings for corporate IT security policies, Bluetooth access, and application controls all need to be properly configured before iLane can be set up and used with a BlackBerry email account residing in a BES environment.
NOTE: Your text, displays and prompts may not be exactly as shown. See also Section 6, Appendix.

4.1 Required BES IT Configurations / Policies


IT security and Bluetooth requirements are listed below.
GENERAL SECURITY (IT)

Enable 3rd-party downloads


iLane Gateway software is typically deployed over-the-air, so it is considered a 3rd-party download. If necessary, this ability to download may be temporarily granted just for the time required to install iLane Gateway.

Enable external connections


External connections are required to activate iLane, access on-demand content (such as news and weather), and manage iLane preferences.

Enable internal downloads (optional)


Enable internal downloads if you wish to route network communications from iLane Gateway through the BES rather than directly to a carrier network.

Allow outgoing calls when locked


iLane is typically used while the smartphone is holstered or otherwise stored. Drivers need the ability to place a call without access to their smartphone.

BLUETOOTH (IT)

Enable Bluetooth
Bluetooth technology is used for communications between iLane and the smartphone.

Enable pairing
As part of the iLane setup procedure, the smartphone must be paired to iLane. This establishes the secure Bluetooth link between the two devices.

Enable Serial Port Profile


The Bluetooth Serial Port Profile (SPP) is used to exchange information between iLane and the smartphone.

Enable Hands-Free Profile (HFP)


iLane uses the Hands-Free Profile (HFP) for managing voice calls.

4.2 Using BES Application Control Policies


If desired, a BES administrator can whitelist iLane Gateway so that special application control privileges (such as connections that iLane requires) apply only when the smartphone is used with iLane. Other applications on the user's smartphone would still be controlled by default application control policies. Keep in mind that general BES IT policies (see 4.1, Required BES IT Configurations / Policies) override all application control policies.

Suggested application control policies for iLane are listed below:

Allow Bluetooth Serial Profile

The Bluetooth Serial Port Profile (SPP) is used to exchange information between iLane and the smartphone.

Allow / prompt phone access


iLane requires phone access in order to obtain caller information and add entries to the BlackBerry's diagnostic log.

Allow external domain my.iLane.com


Set to null or my.iLane.com so that iLane can access the iLane servers for device authentication, activation, preferences and on-demand content such as subscription news and weather reports.

Allow / prompt interprocess communication


As processes unfold, iLane Gateway requires certain data exchanges (hand-shaking) with other BlackBerry applications.

Allow / prompt external network connections


An external network connection enables iLane to access my.iLane.com directly using the carrier network infrastructure.

Allow / prompt message access


This enables the flow of email messages between iLane and the BlackBerry. Note this is a local transfer within the vehicle only.

Allow / prompt PIM data access


iLane must access Personal Information Manager data such as Calendar and Contact details in order to place outbound calls, call back an email sender, and to review scheduled events.

See also 5.1, Controlling Bluetooth Access, for an example of how application control policies are used.

4.3 BlackBerry Settings for Your End Users


Depending on general IT policies and application control policies, certain application settings and options are visible to end users within a BES environment. See the following examples:

CONNECTIONS

Enable Bluetooth
Bluetooth technology is used for communications between iLane and the smartphone.

Enable message access


iLane requires phone access in order to obtain caller information and add entries to the BlackBerry's diagnostic log.

Enable company network access


If enabled, iLane can access my.iLane.com using the BES as a proxy server.

Enable carrier internet access


If enabled, iLane can access my.iLane.com directly using the carrier network infrastructure.
INTERACTIONS

Enable interprocess communication


As processes unfold, iLane Gateway requires certain data exchanges (hand-shaking) with other BlackBerry applications.

USER DATA

Enable email / messaging


This enables the flow of email messages between iLane and the BlackBerry. Note this is a local transfer within the vehicle only, and that no messages are actually stored in iLane memory.

Enable PIM data access


iLane must access Personal Information Manager data such as Calendar and Contact details in order to place outbound calls, call back an email sender, and to review scheduled events.

SECTION 5: MAINTAINING A SECURE ENVIRONMENT

This section describes general security parameters over the life of iLane.

5.0 iLane Installation and Upgrades


Depending on the situation and/or your preference, iLane Gateway software may be installed, or upgraded, on a smartphone using any of the standard BlackBerry deployment methods:

- Over-the-air (OTA) wireless download
- USB (requires a USB connection to a PC)
- Administrative application push using BlackBerry Manager

5.1 Controlling Bluetooth Access


If your general IT policy is to restrict users' Bluetooth access whenever possible, it is recommended that this limitation instead be applied as an application control policy. This method allows you to grant Bluetooth privileges on a case-by-case basis, such as enabling Bluetooth use for iLane Gateway only. For example:

(1) Set the IT Bluetooth policy "disable serial port" to false. This fully enables the serial port.
(2) Set the default application control policy "Bluetooth Serial Port Profile" to disabled.
(3) Enable the application control policy "Bluetooth Serial Port Profile" for iLane Gateway only. This overrides the default set in Step 2, but just for iLane.
(4) iLane Gateway can now use the Bluetooth Serial Port Profile, but the disabled default is enforced for other applications.

5.2 iLane and Your Network


If your IT requirements include restricting users' access to external domains whenever possible, it is recommended this limit be controlled on a case-by-case basis using application control policies. This grants the necessary domain privileges to iLane (my.iLane.com) without affecting other BlackBerry applications.
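
The precedence described in 4.2, 5.1 and 5.2 (general IT policy over application control policy, per-application setting over the default), as an added example that is not part of the original guide and is not IMS or RIM code. The setting names, data shapes and application names are hypothetical and are not real BES policy identifiers.

```python
# Toy model of the policy precedence in 4.2, 5.1 and 5.2 (added example).
# All setting names and data shapes are hypothetical, not BES identifiers.

IT_POLICY = {"disable_bluetooth": False, "disable_serial_port": False}  # 5.1 step 1

# 5.1 step 2 / 5.2: deny by default for every application.
DEFAULT_APP_POLICY = {
    "bluetooth_spp": False,
    "external_connections": False,
    "external_domains": None,  # None models "null": no per-domain restriction
}

# 5.1 step 3 / 5.2: exception granted to one application only.
APP_OVERRIDES = {
    "iLane Gateway": {
        "bluetooth_spp": True,
        "external_connections": True,
        "external_domains": ["my.ilane.com"],
    },
}


def effective_policy(app, it_policy=IT_POLICY, default=DEFAULT_APP_POLICY,
                     overrides=APP_OVERRIDES):
    """Merge default and per-app settings, then apply the IT policy on top."""
    merged = {**default, **overrides.get(app, {})}
    # General IT policies override all application control policies (4.2).
    if it_policy["disable_bluetooth"] or it_policy["disable_serial_port"]:
        merged["bluetooth_spp"] = False
    return merged


def may_reach(app, host, **kw):
    """True if the app may open a connection to the given external host."""
    policy = effective_policy(app, **kw)
    if not policy["external_connections"]:
        return False
    domains = policy["external_domains"]
    return domains is None or host.lower() in {d.lower() for d in domains}


def spp_holders(apps, **kw):
    """Audit helper: which of the listed apps end up with SPP access?"""
    return [a for a in apps if effective_policy(a, **kw)["bluetooth_spp"]]


if __name__ == "__main__":
    installed = ["iLane Gateway", "Browser", "Third-Party Chat"]  # constructed
    print("SPP granted to:", spp_holders(installed))
    print("Gateway -> my.iLane.com:", may_reach("iLane Gateway", "my.iLane.com"))
    print("Browser -> my.iLane.com:", may_reach("Browser", "my.iLane.com"))
```

Running the audit helper over the full list of installed applications shows whether the exception stayed scoped to iLane Gateway or leaked into the default.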

5.3 If an iLane is Lost or Stolen


If any iLane device is lost or stolen, please contact iLane Technical Support immediately. The device can be remotely deactivated by the account manager if necessary. Note: iLane does not store any email, SMS, or other transient content in memory.

SECTION 6: APPENDIX: TYPICAL BES SCREEN SHOTS

This section repeats the required BES settings as discussed in Section 4, but with the typical text you will likely see.
NOTE: Your text, displays and prompts may not be exactly as shown.

Figure 2. IT BES Settings


Figure 3. End-user Device Settings

© 2009 Intelligent Mechatronic Systems Inc. All rights reserved. iLane and its related marks, logos, slogans, images and symbols are the exclusive property and trademarks of Intelligent Mechatronic Systems Inc. Patents Pending.

Intelligent Mechatronic Systems Inc.
161 Roger Street
Waterloo, ON N2J 1B1 Canada

TECHNICAL SUPPORT: help@iLane.com 1-866-818-6637
GENERAL INQUIRIES: iLane@intellimec.com

www.iLane.com
Bluetooth is a registered trademark of Bluetooth SIG, Inc.
