Security Module Overview

In the Security module of the Enterprise Admin Console, you can add or modify password policies, configure Single Sign-On (SSO) authentication for your domain users, and configure and install the Connector Agent for bot communications between and your on-premises applications using custom bots. You can also review and manage your domain verification with for non-trial Enterprise Admin Console instances.

About Encryption

To secure your data, encrypts data while it is in transit, using Transport Layer Security (TLS) with Advanced Encryption Standard (AES) 256-bit key encryption.

Server Encryption

Once data is stored on servers, the data, any related search indexes, and SAN storage are encrypted at rest. uses two keys. The first is the master key, which is provisioned and stored using a Key Management Service (KMS) and backed by Hardware Security Modules (HSMs) for physical security.

The second key is the Enterprise Key. Enterprise Keys are rotated every 60 days, or manually by the Enterprise Admin on the Enterprise Key page in the Security module of the Enterprise Admin Console. Application data is encrypted with the Enterprise Key using AES 256-bit Cipher Block Chaining (CBC) and a 16-bit random initialization vector (IV).
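The two-tier scheme described above (a master key held in the KMS/HSM, an Enterprise Key that encrypts application data with AES-256-CBC and a fresh random IV, and rotation of the Enterprise Key on a 60-day cycle or on demand), as an added Go example that is not part of this documentation or the product's code. It assumes a 32-byte in-memory master key standing in for the KMS-held one, a CBC IV of one AES block (16 bytes), and PKCS#7 padding; the function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// cbcEncrypt: AES-256-CBC with PKCS#7 padding; the IV is one AES block (16 bytes), drawn fresh per message and prepended.
func cbcEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil { return nil, err }
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// cbcDecrypt reverses cbcEncrypt and rejects malformed lengths or padding.
func cbcDecrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 { return nil, errors.New("bad ciphertext length") }
	plain := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(plain, data[aes.BlockSize:])
	pad := int(plain[len(plain)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(plain[len(plain)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) { return nil, errors.New("bad padding") }
	return plain[:len(plain)-pad], nil
}

// sealEnvelope generates a fresh Enterprise Key, encrypts data under it, and wraps that key under the
// master key (a constructed stand-in for the KMS/HSM-held key). Only wrappedKey and ciphertext are stored.
// Rotation (every 60 days or on admin request) is openEnvelope followed by sealEnvelope: new Enterprise Key, same master key.
func sealEnvelope(masterKey, data []byte) (wrappedKey, ciphertext []byte, err error) {
	ek := make([]byte, 32) // AES-256 Enterprise Key, never stored unwrapped
	if _, err = rand.Read(ek); err != nil { return nil, nil, err }
	if wrappedKey, err = cbcEncrypt(masterKey, ek); err != nil { return nil, nil, err }
	ciphertext, err = cbcEncrypt(ek, data)
	return wrappedKey, ciphertext, err
}

// openEnvelope unwraps the Enterprise Key with the master key, then decrypts the data with it.
func openEnvelope(masterKey, wrappedKey, ciphertext []byte) ([]byte, error) {
	ek, err := cbcDecrypt(masterKey, wrappedKey)
	if err != nil { return nil, err }
	return cbcDecrypt(ek, ciphertext)
}
```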

Client Data Encryption

The Messaging native application uses AES 256-bit Cipher Block Chaining encryption for data stored for offline use.

For the Android Messaging client, database-level encryption is used.

For the iOS Messaging client, message-level encryption is used.

Message Control Policy Encryption

In Messaging, additional encryption is applied to messages that use any type of Message Control, such as a Delivery Policy, Access Policy, Action Policy, or Expire Policy. Messages with policy control are encrypted using:

AES 32-bit symmetric-key encryption with a content-encryption key (CEK) provisioned by a NaCl library for white-box cryptology and a 16-bit random IV. The CEK is encrypted with the public key of the message recipient using the Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES+A256KW) standard with a 16-bit random IV.

Each Messenger user has a public and private key pair generated and stored on the device at first logon. The client application, mobile or native, decrypts the CEK using the message recipient's private key. Once the CEK is decrypted, the client application can decrypt the message.
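The message-control exchange described above (an ephemeral-static ECDH agreement that yields a wrapping key, the CEK wrapped for the recipient's public key, and the recipient's device-resident private key recovering the CEK), as an added Go example that is not the product's code. It assumes the P-256 curve, SHA-256 in place of the Concat KDF and AES-256-GCM in place of the A256KW key wrap, so it shows the protocol flow rather than the exact JWA encoding; names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// kekAEAD is the ECDH-ES agreement: a private key (the sender's ephemeral key, or the
// recipient's static device key) and the other party's public key give the same shared secret.
// SHA-256 stands in for JWA's Concat KDF, and AES-256-GCM keyed with the result stands in for A256KW.
func kekAEAD(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	z, err := priv.ECDH(peer)
	if err != nil { return nil, err }
	kek := sha256.Sum256(z)
	block, err := aes.NewCipher(kek[:])
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// WrappedCEK travels with the message: the sender's ephemeral public key and the CEK encrypted
// under the agreed KEK (12-byte nonce prepended). The recipient's private key never leaves the device.
type WrappedCEK struct{ EphemeralPub, Wrapped []byte }

// wrapCEK: the sender generates a fresh ephemeral key pair per message (the "ES" in ECDH-ES),
// agrees a KEK with the recipient's public key and wraps the CEK under it.
func wrapCEK(recipientPub *ecdh.PublicKey, cek []byte) (WrappedCEK, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { return WrappedCEK{}, err }
	g, err := kekAEAD(eph, recipientPub)
	if err != nil { return WrappedCEK{}, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return WrappedCEK{}, err }
	return WrappedCEK{eph.PublicKey().Bytes(), g.Seal(nonce, nonce, cek, nil)}, nil
}

// unwrapCEK: the recipient recomputes the KEK from its static private key and the ephemeral
// public key, then recovers the CEK that decrypts the message body.
func unwrapCEK(recipientPriv *ecdh.PrivateKey, w WrappedCEK) ([]byte, error) {
	ephPub, err := ecdh.P256().NewPublicKey(w.EphemeralPub)
	if err != nil { return nil, err }
	g, err := kekAEAD(recipientPriv, ephPub)
	if err != nil { return nil, err }
	n := g.NonceSize()
	if len(w.Wrapped) < n { return nil, errors.New("wrapped CEK too short") }
	return g.Open(nil, w.Wrapped[:n], w.Wrapped[n:], nil)
}
```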

The following illustration shows an example of the Password Policy page in the Security module in the Enterprise Admin Console.

In This Module

The Security module consists of the following pages:

  • Password Policy Page

    On the Password Policy page, in the Security module of the Enterprise Admin Console, you can define and enable a minimum password length, a requirement to include special characters, and a password expiration policy for Messenger account passwords used to log on when Single Sign-On is not used.
  • Single Sign-On Page

    On the Single Sign-On page, in the Security module of the Enterprise Admin Console, you can configure SSO authentication for your Messenger users using the OpenID Connect, Security Assertion Markup Language (SAML), or WS-Federation sign-on protocol. With SSO, your users log on once, for example to your company account, and the same logon credentials are then used automatically when they access their Messenger application.

  • Domain Management Page

    To use Messenger in your Enterprise domain, you must first verify your domain. When you, as the Enterprise Admin, verify your domain, you validate that you own the domain and register your account to it. Until your domain is verified, you cannot control any Messenger users in your domain. This topic describes how to initially verify your domain and how to access your domain verification information on the Domain Management page in the Security module of the Enterprise Admin Console.

  • Restrict Access Page

    On the Restrict Access page, in the Security module of the Enterprise Admin Console, you can enable and define one or more IP addresses or IP address ranges that are allowed to access your Enterprise Admin Console. When enabled, only Enterprise Admins or Custom Admins connecting from the defined IP addresses can access the Enterprise Admin Console.

  • Mobile Device Management (MDM) Control Page

    On the MDM Control page in the Security module of the Enterprise Admin Console, you can enable and define user settings for mobile device management, including smartphones, tablets, laptops, and even desktop computers. When enabled, the Messenger users specified for mobile device management (MDM) control must log on to Messenger through the third-party MDM provider defined in the Enterprise Admin Console.

  • Enterprise Key Page

    On the Enterprise Key page in the Security module of the Enterprise Admin Console, you can view or regenerate your enterprise data encryption key.

Next Steps

To get started with security policies, you need to decide whether you want to set up user password policies for logging on to Messenger or enable users to access Messenger using SSO authentication. For more information, see Defining a Password Policy and Using Single Sign-On.