Policy and Profile Reference Guide. BES10 Cloud Market Preview

Transcription

1 Policy and Profile Reference Guide BES10 Cloud Market Preview

2 Published: SWD

3 Contents About this guide What is BES10 Cloud? Key features of BES10 Cloud...14 IT policy rules BlackBerry IT policy rules...15 Password rule group Password required for work space rule...15 Apply work space password to full device rule Minimum password length rule Minimum password complexity rule Security timeout rule Maximum password attempts rule Maximum password history rule...17 Maximum password age rule Device functionality rule group Restrict development mode rule Allow transfer of work files using Bluetooth OPP rule Allow transfer of work messages using Bluetooth MAP without prompt rule...19 Allow transfer of work contacts using Bluetooth PBAP or HFP rule...19 Allow transfer of work messages using Bluetooth MAP rule...19 Allow voice control rule Allow voice dictation in work apps rule Allow roaming rule...20 Allow transfer of work data using NFC rule Allow development mode access to work space rule...21 Allow mobile hotspot mode and tethering rule Apps rule group Allow cloud storage access from work space rule Allow BBM Video access to work network rule Allow work network usage for personal apps rule Allow wireless service provider billing rule Allow work apps to access shared files or content in the personal space rule...22

4 Allow BlackBerry Bridge access to the work space rule Allow work apps to use personal networks rule Display warning message for external addresses rule Allow forwarding or adding recipients to private messages rule Security and privacy rule group Force personal space data encryption rule...24 Submit logs to BlackBerry rule Force media card encryption rule Wipe the work space without network connectivity rule Allow personal apps to access work contacts rule...25 Allow sharing work data during BBM Video screen sharing rule...25 Work domains rule...25 Allow app security timer reset rule Allow unified view for work and personal accounts and messages rule Allow opening links in work messages in the personal browser rule Allow CCL data collection rule Force WPA2-Personal security for mobile hotspot connections rule Smart card password caching rule Smart password entry rule Lock on smart card removal rule Smart card reader maximum Bluetooth range rule Smart card reader PIN entry mode rule External domain allowed list rule...29 External domain restricted list rule...30 Display indicator for external addresses rule Allow Find More Contact Details rule...30 Allow IRM-protected messages rule...30 Allow lock screen preview of work content rule ios IT policy rules Password rule group Password required for device rule Allow simple value rule Require alphanumeric value rule Minimum passcode length rule Minimum number of complex characters rule Maximum passcode age rule Maximum auto-lock rule Passcode history rule...33

5 Maximum grace period for device lock rule Maximum number of failed attempts rule...34 Device functionality rule group...35 Allow installing apps rule Allow use of camera rule...35 Allow FaceTime rule Allow screen capture rule Allow automatic sync while roaming rule Allow voice dialing rule Allow Passbook while device locked rule Allow in-app purchase rule Force user to enter itunes Store password for all purchases rule Allow multiplayer gaming rule Allow adding Game Center friends rule...37 Allow apps using cellular data rule Allow pairing with non-configurator hosts rule Autonomous apps in single app mode rule Allow ibooks Store rule Allow installing configuration profiles rule...38 Show Today view in lock screen rule...38 Show Notification Center in lock screen rule...38 Show Control Center in lock screen rule Allow Touch ID to unlock device rule Show user-generated content in Siri rule Apps rule group Allow use of itunes Store rule Allow use of YouTube rule...39 Force limited ad tracking rule Allow Siri rule...40 Allow Siri while device locked rule Allow use of Safari rule...40 Enable autofill rule...40 Force fraud warning rule...41 Enable JavaScript rule Block pop-ups rule Accept cookies rule Allow modifying Find My Friends settings rule Allow use of Game Center rule... 42

6 Allow AirDrop rule...42 icloud rule group Allow backup rule Allow document sync rule Allow Photo Stream rule...43 Allow shared Photo Streams rule...43 Content ratings rule group...43 Allow explicit music, podcasts & itunes rule...43 Allow ibookstore erotica rule...43 Ratings region rule Allowed content ratings for movies rule Allowed content ratings for TV shows rule...45 Allowed content ratings for apps rule Security and privacy rule group Allow user to accept untrusted TLS certificates rule...46 Force encrypted backups rule Allow modifying account settings rule Allow over-the-air PKI updates rule Allow documents from managed apps in unmanaged apps rule...47 Allow documents from unmanaged apps in managed apps rule...47 Allow diagnostic data to be sent to Apple rule...47 Android IT policy rules...47 Password rule group Password requirements rule Maximum failed password attempts rule Maximum inactivity time lock rule Password expiration timeout rule Password history restriction rule Minimum password length rule Minimum uppercase letters required in password rule...50 Minimum lowercase letters required in password rule Minimum letters required in password rule...50 Minimum numerical digits required in password rule...51 Minimum symbols required in password rule...51 Device functionality rule group...51 Disable camera rule...51 Security and privacy rule group Require storage encryption rule... 52

7 Profile settings...53 Exchange ActiveSync profile settings...53 Common settings...53 Domain name setting address setting Host name or IP address setting...54 Use SSL setting Username setting BlackBerry settings...54 Account name setting...54 Push enabled setting Interval between synchronizations setting Calendar synchronization setting Contacts synchronization setting synchronization setting Memo synchronization setting Task synchronization setting...56 Days to synchronize setting Require manual synchronization when roaming setting S/MIME support setting Digitally signed S/MIME messages setting Encrypted S/MIME messages setting Encryption algorithms setting...59 ios settings Allow user to move messages from this account setting...59 Allow Recent Address syncing Send outgoing mail from this account only from mail app Use S/MIME setting Signing certificate setting Encryption certificate setting Days to synchronize setting Credentials setting...61 Shared certificate profile setting Android settings Days to synchronize setting Credentials setting...62 Shared certificate profile setting... 62

8 Wi-Fi profile settings Common settings...63 SSID setting...63 Hidden network setting...63 BlackBerry settings...63 Security type setting WEP key setting...64 Preshared key type setting...64 Preshared key setting Authentication protocol setting Inner authentication setting EAP-FAST provisioning method setting Username setting Password setting Band type setting Enable DHCP setting IP address setting...67 Subnet mask setting Primary DNS setting Secondary DNS setting...68 Default gateway setting Domain suffix setting Enable IPv6 setting...69 Enable access point handover setting User can edit setting...69 Client certificate source setting...70 Trusted certificate source setting...70 Associated VPN profile setting Associated proxy profile setting...71 ios settings Automatically join network setting...71 Associated proxy profile setting...71 Network type setting...71 Displayed operator name setting...72 Domain name setting...72 Roaming consortium OIs setting NAI realm names setting...72 MCC/MNCs setting... 73

9 Allow connecting to roaming partner networks setting Security type setting WEP key setting...74 Preshared key setting Authentication protocol setting Inner authentication setting Use PAC setting...75 Provision PAC setting...75 Provision PAC anonymously setting...76 Outer identity for TTLS, PEAP, and EAP-FAST setting Use password included in Wi-Fi profile setting...76 Password setting Username setting Authentication type setting Type of certificate linking setting...77 Shared certificate profile setting Client certificate name setting Certificate common names expected from authentication server setting...78 Type of certificate linking setting...79 CA certificate profiles setting Trusted certificate names setting...79 Trust user decisions setting Android settings BSSID setting Security type setting Personal security type setting WEP key setting...81 Preshared key setting Authentication protocol setting Inner authentication setting Outer identity for TTLS setting...82 Outer identity for PEAP setting...83 Username setting Use password included in Wi-Fi profile setting...83 Password setting Authentication type setting Type of certificate linking setting...84 Shared certificate profile setting... 84

10 Client certificate name setting Certificate common names expected from authentication server setting...85 Type of certificate linking setting...85 CA certificate profiles setting Trusted certificate names setting...86 VPN profile settings...86 BlackBerry settings...86 Server address setting Gateway type setting Authentication type setting Preshared key setting Username setting Hardware token setting Password setting EAP identity setting MS-CHAPv2 EAP identity setting...89 MS-CHAPv2 username setting...89 MS-CHAPv2 password setting...90 Authentication ID type setting...90 Authentication ID setting Gateway authentication type setting Gateway preshared key setting Gateway authentication ID type setting Gateway authentication ID setting...92 Automatically determine IP setting Private IP setting Private IP mask setting Subnet setting Subnet mask setting Automatically determine DNS setting...93 Primary DNS setting Secondary DNS setting...94 Domain suffix setting Perfect forward secrecy setting...94 Manual algorithm selection setting...94 IKE DH group setting Custom IKE DH provider setting IKE cipher setting... 95

11 IKE hash setting...96 IKE PRF setting IPsec DH group setting IPsec cipher setting IPsec hash setting IKE lifetime setting...98 IPsec lifetime setting NAT keepalive setting...99 DPD frequency setting...99 Split tunneling setting Disable banner setting...99 User can edit setting Display VPN information on device setting Client certificate source setting Trusted certificate source setting Associated proxy profile setting ios settings Connection type setting VPN bundle ID setting Host name or IP address of VPN server setting Username setting Custom key-value pairs setting Login group or domain setting Realm setting Role setting Authentication type setting Password setting Group name setting Shared secret setting Shared certificate profile setting Encryption level setting Route network traffic through VPN setting Associated proxy profile setting Product documentation Provide feedback Glossary

12 Legal notice...112

13 What is BES10 Cloud? About this guide This reference guide provides descriptions for each IT policy rule in BES10 Cloud and the settings for Exchange ActiveSync profiles, Wi-Fi profiles, and VPN profiles. This guide is intended for senior administrators who are responsible for setting up IT policies that govern device security and profiles that control how devices connect to your organization's network. For instructions on creating IT policies and profiles and assigning them to users and groups, see the BES10 Cloud Administration Guide. For more information about BlackBerry Enterprise Service 10 security and device security, see the BES10 Cloud Security Technical Overview. What is BES10 Cloud? BES10 Cloud is an enterprise mobility management solution from BlackBerry. EMM solutions help you manage mobile devices for your organization. You can manage BlackBerry, ios, and Android devices, all from a unified interface. EMM solutions from BlackBerry protect business information, keep mobile workers connected with the information they need, and provide administrators with efficient tools that help keep business moving. BES10 Cloud is an EMM solution that is available in the cloud. EMM solution BES10 Cloud BlackBerry Enterprise Service 10 An easy-to-use, low-cost, and secure solution. BlackBerry hosts this service over the Internet. You only need a supported web browser to access the service, and BlackBerry maintains high availability to minimize downtime. Optionally, you can connect your on-premises directory services to BES10 Cloud. A comprehensive, scalable, and secure solution. Your organization installs this service in its environment. The deployment can range in size from one server to many, and you can set up and maintain high availability to minimize downtime. 13

14 Key features of BES10 Cloud Key features of BES10 Cloud Feature Management of most types of devices Single, unified interface Trusted and secure experience Balance of work and personal needs High availability You can manage BlackBerry 10, ios, and Android devices. You can view all devices in one place and access all management tasks in a single, web-based interface. You can share administrative duties with multiple administrators who can access the administration consoles at the same time. Device controls give you precise management of how devices connect to your network, what capabilities are enabled, and what apps are available. Whether the devices are owned by your organization or your users, you can protect your organization's information. BlackBerry Balance technology is designed to ensure that personal and work information are kept separate and secure on BlackBerry devices. If the device is lost or the employee leaves the organization, you can delete only workrelated information or all information from the device. Instead of having to maintain your own highly available service for device management, with all the upfront and maintenance costs, BlackBerry maintains the service and maximizes uptime for you. 14

15 BlackBerry IT policy rules IT policy rules The IT policies in BES10 Cloud control features and functionality on BlackBerry 10, ios, and Android devices. In some cases, the minimum version of the device OS required to support a rule is a version not supported by BES10 Cloud. For more information on device OS support for BES10 Cloud, see the BES10 Cloud Compatibility Matrix available at BlackBerry IT policy rules Password rule group Password required for work space rule Related rules This rule specifies whether a BlackBerry device requires a password for the work space. Selecting the "Apply work space password to full device" rule applies the same password to both the work space and the device. If the work space and the device have the same password, unlocking the device also unlocks the work space. The work space can be locked without locking the device. Apply work space password to full device rule This rule specifies whether a BlackBerry device applies the work space password to the full device. If this rule is selected, the work space password becomes the device password. If this rule is not selected, a user can choose to set a different password for the device. If you want to protect only the work space, select the "Password required for work space" rule and do not select this rule. Related rules This rule takes effect only if the "Password required for work space" rule is selected. 15

16 BlackBerry IT policy rules Minimum password length rule Related rules Possible values This rule specifies the minimum length of the work space password. If you do not set a value for this rule and a work space password is required, the minimum password length is 4. This rule takes effect only if the "Password required for work space" rule is selected. 4 to 32 characters 4 Minimum password complexity rule Related rules This rule specifies the minimum complexity of the work space password. If you set this rule, a user must create a password that includes the types of characters that you specify. This rule takes effect only if the "Password required for work space" rule is selected. Possible values No restriction 1 letter, 1 number 1 letter, 1 number, 1 special character 1 uppercase and lowercase letter, 1 number, 1 special character No restriction Security timeout rule Related rules This rule specifies the maximum period of BlackBerry device user inactivity that can elapse before the work space locks. This rule takes effect only if the "Password required for work space" rule is selected. 16

17 BlackBerry IT policy rules If the "Allow app security timer reset" rule is selected, the device does not lock when apps that can reset the security timer are running. Possible values 5 to 60 minutes 30 minutes Maximum password attempts rule Related rules This rule specifies the number of times that a user can enter an incorrect password before a BlackBerry device deletes the data in the work space. This rule takes effect only if the "Password required for work space" rule is selected. If the "Apply work space password to full device" rule is selected, the device deletes all data. Possible values 3 to Maximum password history rule Related rules This rule specifies the maximum number of previous passwords that a BlackBerry device checks to prevent a user from reusing a previous password. If this rule is set to 0, the device does not check previous passwords. This rule takes effect only if the "Password required for work space" rule is selected. Possible values 0 to

18 BlackBerry IT policy rules Maximum password age rule Related rules Possible values This rule specifies the number of days that can elapse before a BlackBerry device password expires and a user must set a new password. If this rule is set to 0, the password does not expire. This rule takes effect only if the "Password required for work space" rule is selected. 0 to 365 days 0 Device functionality rule group Restrict development mode rule Related rules This rule specifies whether development mode is restricted for BlackBerry device users. Development mode allows software development tools to connect to a device and also allows you or a user to install apps directly on the device using a USB or Wi-Fi connection. If this rule is selected, users can only download and install apps from the BlackBerry World storefront and you can also send apps to devices using the administration console. If this rule is not selected, you can use the "Allow development mode access to work space" rule to prevent users who have devices with BlackBerry 10 OS version 10.2 and later from using development mode to install apps in the work space. Allow transfer of work files using Bluetooth OPP rule This rule specifies whether a BlackBerry device can send work files and objects such as contacts to another Bluetooth enabled device or NFC-enabled device using the Bluetooth OPP. 18

19 BlackBerry IT policy rules Allow transfer of work messages using Bluetooth MAP without prompt rule Related rules This rule specifies whether a user can transfer work messages to a Bluetooth enabled device using the Bluetooth MAP following a single password prompt to access the work space. If this rule is not selected, the user must unlock the work space each time the device connects to the Bluetooth enabled device before the device can transfer work messages using the Bluetooth MAP. This rule takes effect only if the "Allow transfer of work messages using Bluetooth MAP" rule is selected. If the "Allow transfer of work contacts using Bluetooth PBAP or HFP" rule is not selected, users can't send messages using the Bluetooth MAP, regardless of the setting for this rule. Minimum requirements BlackBerry 10 OS version 10.1 Allow transfer of work contacts using Bluetooth PBAP or HFP rule This rule specifies whether a BlackBerry device can send work contacts to another Bluetooth enabled device using the Bluetooth PBAP or HFP. If this rule is not selected, users can't transfer work contacts using the Bluetooth PBAP or HFP or transfer work messages using the Bluetooth MAP. Allow transfer of work messages using Bluetooth MAP rule Related rules This rule specifies whether a BlackBerry device can send messages from the work space (for example, messages and instant messages) to another Bluetooth enabled device using the Bluetooth MAP. If the "Allow transfer of work contacts using Bluetooth PBAP or HFP" rule is not selected, users can't send messages using the Bluetooth MAP, regardless of the setting for this rule. 19

20 BlackBerry IT policy rules Allow voice control rule This rule specifies whether a BlackBerry device user can use the voice control commands on the device. If you set this rule to "Allow all," the user can use all of the voice control commands on the device. If you set this rule to "Disallow for and calendar," the user can't use the and calendar voice control commands on the device. If you set this rule to "Allow only phone and device status," the user can use voice control commands only for voice dialing and, on devices with BlackBerry 10 OS version 10.2 and later, for checking device status. Possible values Allow all Disallow for and calendar Allow only phone and device status Allow all Allow voice dictation in work apps rule This rule specifies whether a BlackBerry device user can use voice dictation in work apps. If this rule is selected, the user can use voice dictation in all apps that support this feature. Allow roaming rule Minimum requirements This rule specifies whether a BlackBerry device can use data services over the wireless network when the device is roaming. If this rule is not selected, the device can still send and receive data over the Wi-Fi network when the device is roaming. BlackBerry 10 OS version 10.2 for BlackBerry Balance devices Allow transfer of work data using NFC rule This rule specifies whether a BlackBerry device can send work data to another NFC-enabled device using NFC. 20

21 BlackBerry IT policy rules Minimum requirements BlackBerry 10 OS version 10.2 Allow development mode access to work space rule Related rules This rule specifies whether development mode can be used to allow software development tools to connect to the work space on a BlackBerry device using a USB or Wi-Fi connection and install apps directly in the work space. This rule takes effect only if the "Restrict development mode" rule is not selected. Minimum requirements BlackBerry 10 OS version 10.2 Allow mobile hotspot mode and tethering rule This rule specifies whether to allow Mobile Hotspot mode, tethering using Bluetooth technology, and tethering using a USB cable on a BlackBerry device. If this rule is selected, all of these features are available in the settings on the device. If this rule is not selected, none of these features are available on the device. Apps rule group Allow cloud storage access from work space rule This rule specifies whether the cloud storage apps developed by BlackBerry are available in the work space on a BlackBerry device. If this rule is not selected, the cloud storage apps are removed from the work space on the device and they can be used only as personal apps. This rule is obsolete in BlackBerry 10 OS version Minimum requirements BlackBerry 10 OS version

22 BlackBerry IT policy rules Allow BBM Video access to work network rule Related rules This rule specifies whether the BBM Video feature on a BlackBerry device can use your VPN or Wi-Fi network for incoming and outgoing video chats. If the "Allow work network usage for personal apps" rule is not selected, users cannot use the BBM Video feature over work networks, even if this rule is selected. Allow work network usage for personal apps rule This rule specifies whether personal apps on a BlackBerry device can use your work VPN or Wi-Fi network to connect to the Internet. Allow wireless service provider billing rule This rule specifies whether a BlackBerry device user can purchase apps from the BlackBerry World storefront and the BlackBerry World for Work storefront using the purchasing plan for your organization's wireless service provider. If this rule is not selected, users must pay for app purchases using another payment method. Allow work apps to access shared files or content in the personal space rule This rule specifies whether work apps on a BlackBerry device can access shared files or content that is located in the personal space if a user permits it. When a user installs a work app, the device displays a message that provides the user with the option to allow or deny the app's request to access shared files or content. If this rule is not selected, work apps can't access shared personal files or content regardless of the user settings on the device, and users can't attach personal files to messages sent from a work account or share personal files or content with work apps using the Share option. Minimum requirements BlackBerry 10 OS version

23 BlackBerry IT policy rules Allow BlackBerry Bridge access to the work space rule This rule specifies whether a BlackBerry 10 device can allow a BlackBerry PlayBook tablet to access work data on the device using the BlackBerry Bridge app. Allow work apps to use personal networks rule This rule specifies whether work apps on a BlackBerry device, including organizer apps, can use personal networks. If this rule is selected, work apps can make connections using personal networks if a work Wi-Fi or work VPN connection is not available or if your organization doesn't send any work Wi-Fi or work VPN profiles to the device. Minimum requirements BlackBerry 10 OS version 10.1 Display warning message for external addresses rule This rule specifies whether a BlackBerry device displays a warning message when a user attempts to send a work message to external recipients. If this rule is selected, the device displays a warning message that lists all external recipients unless the recipient s domain is listed in the "External domain allowed list" rule. Minimum requirements BlackBerry 10 OS version Allow forwarding or adding recipients to private messages rule This rule specifies whether a BlackBerry device user can forward, or add new recipients when replying to, messages with "(PRIVATE )" in the subject line. If this rule is not selected and the user attempts to forward or send a private message to a new recipient, the device displays a warning and does not send the message. Minimum requirements BlackBerry 10 OS version

24 BlackBerry IT policy rules Security and privacy rule group Force personal space data encryption rule This rule specifies whether a BlackBerry device must encrypt all data in the personal space. If this rule is not selected, the user can choose whether to encrypt data in the personal space on the device. Submit logs to BlackBerry rule This rule specifies whether a BlackBerry device can generate and send log files to the BlackBerry Technical Solution Center. Force media card encryption rule This rule specifies whether a BlackBerry device must encrypt all data on the media card that is inserted in the device. Wipe the work space without network connectivity rule Possible values This rule specifies the time in hours that must elapse without a BlackBerry device connecting to your organization's network before the device deletes the data in the work space. Use this rule to make the device delete the data in the work space if the device can't receive updates or commands. If this rule is not set, the device does not delete data from the work space if it can't connect to your organization's network. 2 to 8760 hours 24

25 BlackBerry IT policy rules Allow personal apps to access work contacts rule This rule specifies whether personal apps can access required data for work contacts on a BlackBerry device. If you set this rule to "All," all personal apps can access required data for work contacts. If you set this rule to "Only BlackBerry apps," some apps developed by BlackBerry (Phone, BBM, Text Messages, Smart Tags, visual voice mail, and voice dialing) can access required data for work contacts. If you set this rule to "None," personal apps cannot access data for work contacts. On devices with BlackBerry 10 OS version and later, if you set this rule to "All," users can use the "Copy to" and "Save to" options for work contacts in the Contacts app. Possible values All Only BlackBerry apps None All Allow sharing work data during BBM Video screen sharing rule This rule specifies whether a BlackBerry device user can share work data on a device using the BBM Video with Screen Share feature. If this rule is not selected, the device locks the work space when the user uses BBM Video with Screen Share and the user cannot unlock the work space until the screen sharing part of the BBM Video chat is complete. Work domains rule This rule specifies a list of domain names that a BlackBerry device identifies as work resources. If you specify domain names in this rule, the device identifies data from a computer in these domains as work data. Data sent from these domains to the device using the Print To Go app will be stored in the work space on the device. All of the subdomains of the domain are included automatically. If you list multiple domain names, separate the domain names with a comma (,), semicolon (;), or space. 25

26 BlackBerry IT policy rules Allow app security timer reset rule This rule specifies whether apps can reset the security timer on a BlackBerry device to prevent the device from locking after the period of user inactivity that you specify in the "Security timeout" rule or the user specifies in the Password Lock settings on the device elapses. If this rule is not selected, the device locks without user interaction when running apps that try to reset the security timer, such as apps that display navigation information, slideshows, and videos. Allow unified view for work and personal accounts and messages rule This rule specifies whether the BlackBerry Hub displays work and personal accounts and messages together in a single view. If this rule is not selected, the device must display work accounts and messages in a separate view from personal accounts and messages in the BlackBerry Hub. Minimum requirements BlackBerry 10 OS version Allow opening links in work messages in the personal browser rule This rule specifies whether BlackBerry device users can use the browser in the personal space to open links in work messages. If this rule is selected, links in work messages open in the browser in the personal space by default and the device displays a message that provides the user with the option to open the link in the browser in the work space instead. Your organization may require users to open intranet links in the browser in the work space. If this rule is not selected, links in work messages always open in the browser in the work space. Allow CCL data collection rule This rule specifies whether a BlackBerry device allows CCL data collection across all apps. CCL allows apps to collect rich data related to app usage and to carry out deep crossapplication analysis. 26

27 BlackBerry IT policy rules Minimum requirements BlackBerry 10 OS version 10.1 Force WPA2-Personal security for mobile hotspot connections rule This rule specifies whether a BlackBerry device that is in Mobile Hotspot mode requires other devices that connect to it to use the WPA2-Personal security type. This rule is obsolete in BlackBerry 10 OS version Smart card password caching rule This rule specifies whether a BlackBerry device can cache the smart card password. If you set this rule to "Allow," the user can choose to cache the smart card password. If you set this rule to "Required," the smart card password is always cached. The cached password is stored in the BlackBerry device keystore. Possible values Allow Disallow Required Allow Minimum requirements BlackBerry 10 OS version 10.1 Smart password entry rule This rule specifies whether a BlackBerry device can use smart password entry with two-factor authentication. Smart password entry allows a user to enter numeric passwords on the device without pressing the Alt key and automatically fills the device or work space password field if the device password or work space password and the smart card password are the same. If you set this rule to "Allow," the user can use smart password entry with two-factor authentication. If you set this rule to "Required," the device always uses smart password entry with two-factor authentication. Possible values Allow 27

28 BlackBerry IT policy rules Disallow Required Allow Minimum requirements BlackBerry 10 OS version 10.1 Lock on smart card removal rule Related rules This rule specifies whether the work space locks when a user removes the smart card from the supported smart card reader or disconnects the supported smart card reader from the device. If you set this rule to "Allow" or "Required," a user might need the driver for the smart card reader. Not all smart card reader drivers support smart card removal detection. This rule takes effect only if the "Password required for work space" rule is selected. Possible values No Allow Required Allow Minimum requirements BlackBerry 10 OS version 10.1 Smart card reader maximum Bluetooth range rule This rule specifies the maximum power range that a BlackBerry Smart Card Reader uses to send Bluetooth packets to a BlackBerry device or a computer. The permitted range is between 30% and 100%. You can configure a higher power range to allow a BlackBerry Smart Card Reader to send Bluetooth packets to a BlackBerry device or computer over a greater distance. Possible values 30% 40% 50% 60% 70% 28

29 BlackBerry IT policy rules 80% 90% 100% 100% Minimum requirements BlackBerry 10 OS version 10.1 Smart card reader PIN entry mode rule This rule specifies the PIN entry mode that is required during the Bluetooth connection process when a BlackBerry Smart Card Reader connects to a BlackBerry device or a computer. The user must use the specified PIN format when typing the smart card password during the Bluetooth connection process. Possible values Numeric Alphanumeric lowercase Alphanumeric mixed case Numeric Minimum requirements BlackBerry 10 OS version 10.1 External domain allowed list rule Related rules This rule specifies a list of external domains that BlackBerry device users can send work messages to without the device displaying a warning. If you list multiple domain names, separate the domain names with a comma (,), semicolon (;), or space. This rule takes effect only if the "Display indicator for external addresses" rule or "Display warning message for external addresses" rule is selected. Minimum requirements BlackBerry 10 OS version

30 BlackBerry IT policy rules External domain restricted list rule This rule specifies a list of domains that BlackBerry device users are not allowed to send work messages to. If a user attempts to send an message to a recipient with an domain in this list, the user is notified that the message cannot be sent to that recipient and is returned to the message to edit the recipient list. If you list multiple domain names, separate the domain names with a comma (,), semicolon (;), or space. Minimum requirements BlackBerry 10 OS version Display indicator for external addresses rule This rule specifies whether a BlackBerry device displays a warning indicator in work messages when a user adds an external address as a recipient. If this rule is selected, the device displays a warning indicator for external addresses. Minimum requirements BlackBerry 10 OS version 10.1 Allow Find More Contact Details rule This rule specifies whether a BlackBerry device user can use the Find More Contact Details setting in the Contacts app to allow the device to use cloud services to search for additional contact information when saving a contact. Minimum requirements BlackBerry 10 OS version 10.1 Allow IRM-protected messages rule This rule specifies whether a BlackBerry device user can read IRM-protected messages. If this rule is selected, the user can read IRM-protected messages and the device enforces the rights given by the sender. If this rule is not selected, the user cannot read IRM-protected messages on the device. Minimum requirements BlackBerry 10 OS version

31 ios IT policy rules Allow lock screen preview of work content rule This rule specifies whether a BlackBerry device displays a preview of work content when the device is locked. If this rule is selected, the lock screen displays a preview of work content when the work space is unlocked in the background. After the security timeout locks the work space, the lock screen displays a notification that locked items are available. If this rule is not selected, the lock screen displays only a notification that locked items are available, regardless of whether the work space is unlocked in the background. Minimum requirements BlackBerry 10 OS version ios IT policy rules The mobile operating system defines the rules that a device supports. For more information on the settings for ios devices, visit the Apple Configurator Help. Password rule group Password required for device rule This rule specifies whether an ios device user must set a password. Allow simple value rule Related rules This rule specifies whether an ios device user can use sequential or repeated characters, such as "3333" or "CDEFG," in a password. This rule takes effect only if the "Password required for device" rule is selected. 31

32 ios IT policy rules Require alphanumeric value rule Related rules This rule specifies whether an ios device user must create a password that contains at least one letter and one number. This rule takes effect only if the "Password required for device" rule is selected. Minimum passcode length rule Related rules This rule specifies the minimum number of characters that an ios device password can contain. This rule takes effect only if the "Password required for device" rule is selected. Possible values A number equal to or greater than 4. 4 Minimum number of complex characters rule This rule specifies the minimum number of non-alphanumeric characters (such as $, &, and!) that an ios device password can contain. Related rules This rule takes effect only if the "Password required for device" rule is selected. 0 Maximum passcode age rule Related rules This rule specifies the maximum number of days that can elapse before an ios device user must set a new password. This rule takes effect only if the "Password required for device" rule is selected. 32

33 ios IT policy rules Possible values 1 to 730 days Maximum auto-lock rule Related rules This rule specifies the maximum number of minutes of user inactivity that can elapse before an ios device locks. This rule takes effect only if the "Password required for device" rule is selected. Possible values None None Passcode history rule Related rules This rule specifies the number of previous passwords that an ios device checks to prevent a user from reusing a previous password. This rule takes effect only if the "Password required for device" rule is selected. Possible values 1 to 50 33

34 ios IT policy rules Maximum grace period for device lock rule Related rules This rule specifies how soon an ios device can be unlocked again after use without prompting again for the password. This setting specifies the maximum value the user is allowed to configure. Setting this rule to "None" allows the user to choose any of the intervals available. This rule takes effect only if the "Password required for device" rule is selected. Possible values None 1 minute 5 minutes 15 minutes 1 hour 4 hours None Maximum number of failed attempts rule Related rules This rule specifies how many failed password attempts an ios device user can make before the device is wiped. After six failed password attempts, the device imposes a time delay before a password can be entered again. The time delay increases with each failed attempt. After the final failed attempt, all data and settings are deleted from the device. If you set this value to 6 or lower, no time delay is imposed and the device is wiped when the attempt limit is exceeded. This rule takes effect only if the "Password required for device" rule is selected. Possible values 1 to

35 ios IT policy rules Device functionality rule group Allow installing apps rule This rule specifies whether the App Store is enabled on an ios device and its icon is on the Home screen. When this option is not selected, users are unable to install or update apps using the App Store or itunes. Allow use of camera rule This rule specifies whether the cameras are enabled on an ios device and whether the Camera icon appears on the Home screen. When this option is not selected, users can't take photos or videos, or use FaceTime. Allow FaceTime rule Related rules This rule specifies whether ios device users can make and receive FaceTime video calls. This rule takes effect only if the "Allow use of camera" rule is selected. Allow screen capture rule This rule specifies whether ios device users can save a screen capture of the display. Allow automatic sync while roaming rule This rule specifies whether an ios device that is roaming will sync only when an account is accessed by the user. 35

36 ios IT policy rules Allow voice dialing rule This rule specifies whether an ios device user can initiate phone calls using voice commands. Allow Passbook while device locked rule This rule specifies whether an ios device displays Passbook notifications while locked. Minimum requirements ios 6.0 Allow in-app purchase rule Related rules This rule specifies whether an ios device user can make in-app purchases. This rule takes effect only if the "Allow use of itunes Store" rule is selected. Force user to enter itunes Store password for all purchases rule Related rules This rule specifies whether an ios device user must enter an Apple ID password before every purchase. Normally, there's a brief grace period after a purchase is made before a user must authenticate for subsequent purchases. This rule takes effect only if the "Allow use of itunes Store" rule is selected. Allow multiplayer gaming rule This rule specifies whether an ios device user can play multiplayer games in Game Center. 36

37 ios IT policy rules Related rules On devices that are supervised using Apple Configurator, if the "Allow use of Game Center" rule is not selected, Game Center is disabled on the device. Allow adding Game Center friends rule Related rules This rule specifies whether an ios device user can add friends in Game Center. This rule takes effect only if the "Allow multiplayer gaming" rule is selected. On devices that are supervised using Apple Configurator, if the "Allow use of Game Center" rule is not selected, Game Center is disabled on the device. Allow apps using cellular data rule This rule specifies whether an ios device user can change the wireless data usage for apps. This rule applies only to devices that are supervised using Apple Configurator. Minimum requirements ios 7.0 Allow pairing with non-configurator hosts rule This rule specifies whether an ios device can pair with a computer other than the Apple Configurator host. This rule applies only to devices that are supervised using Apple Configurator. Minimum requirements ios 7.0 Autonomous apps in single app mode rule This rule specifies apps that can run in single app mode using Guided Access on an ios device. When an app is running in single app mode, no other apps can run at the same time. You must provide the Bundle Identifier for each app that you want to specify. This rule applies only to devices that are supervised using Apple Configurator. 37

38 ios IT policy rules Minimum requirements ios 7.0 Allow ibooks Store rule This rule specifies whether the ibooks Store is enabled on an ios device. When this option is not selected, users can't access the ibooks Store from the ibooks app. This rule applies only to devices that are supervised using Apple Configurator. Minimum requirements ios 6.0 Allow installing configuration profiles rule This rule specifies whether an ios device user can install additional configuration profiles onto the device. This rule applies only to devices that are supervised using Apple Configurator. Minimum requirements ios 6.0 Show Today view in lock screen rule This rule specifies whether an ios device user can swipe down to see the Notification Center using the Today view when the screen is locked. Minimum requirements ios 7.0 Show Notification Center in lock screen rule This rule specifies whether an ios device user can receive notifications while the screen is locked. Minimum requirements ios 7.0 Show Control Center in lock screen rule This rule specifies whether an ios device user can swipe up to view the Control Center while the screen is locked. 38

39 ios IT policy rules Minimum requirements ios 7.0 Allow Touch ID to unlock device rule This rule specifies whether an ios device user can use Touch ID to unlock the device. When this option is not selected, the user must use a password to unlock the device. Minimum requirements ios 7.0 Show user-generated content in Siri rule Related rules This rule specifies whether an ios device user can add their own content to Siri. This rule applies only to devices that are supervised using Apple Configurator. This rule takes effect only if the "Allow Siri" rule is selected. Minimum requirements ios 7.0 Apps rule group Allow use of itunes Store rule This rule specifies whether the itunes Store is enabled on an ios device and whether its icon appears on the Home screen. When this option is not selected, users can't preview, purchase, or download content. Allow use of YouTube rule This rule specifies whether the YouTube app is enabled on an ios device and whether its icon appears on the Home screen. The YouTube app is included with ios 5. 39

40 ios IT policy rules Force limited ad tracking rule This rule specifies whether apps on an ios device can use the Advertising Identifier (a nonpermanent device identifier) to serve targeted ads. Minimum requirements ios 7.0 Allow Siri rule This rule specifies whether an ios device user can use Siri, voice commands, and dictation. Allow Siri while device locked rule Related rules This rule specifies whether an ios device user can use Siri voice commands to unlock the device. This rule applies only if the user has set a password for the device. This rule takes effect only if the "Allow Siri" rule is selected. Allow use of Safari rule This rule specifies whether the Safari web browser app is enabled on an ios device and its icon is on the Home screen. When this option is not selected, users also can't open web clips. Enable autofill rule Related rules This rule specifies whether Safari remembers what an ios device user enters in web forms. This rule takes effect only if the "Allow use of Safari" rule is selected. 40

41 ios IT policy rules Force fraud warning rule Related rules This rule specifies whether Safari attempts to prevent an ios device user from visiting websites that are identified as fraudulent or compromised. This rule takes effect only if the "Allow use of Safari" rule is selected. Enable JavaScript rule Related rules This rule specifies whether Safari supports JavaScript on websites. This rule takes effect only if the "Allow use of Safari" rule is selected. Block pop-ups rule Related rules This rule specifies whether Safari's pop-up blocking feature is enabled on an ios device. This rule takes effect only if the "Allow use of Safari" rule is selected. Accept cookies rule Related rules This rule specifies whether the Safari web browser on an ios device accepts all cookies, accepts no cookies, or rejects cookies from sites not directly accessed. This rule takes effect only if the "Allow use of Safari" rule is selected. Possible values Never From visited websites Always Always 41

42 ios IT policy rules Allow modifying Find My Friends settings rule This rule specifies whether an ios device user can change the settings for the Find My Friends app. This rule applies only to devices that are supervised using Apple Configurator. Minimum requirements ios 7.0 Allow use of Game Center rule This rule specifies whether Game Center is enabled on an ios device and its icon is on the Home screen. This rule applies only to devices that are supervised using Apple Configurator. Minimum requirements ios 6.0 Allow AirDrop rule This rule specifies whether an ios user can use AirDrop to share data with other devices. This rule applies only to devices that are supervised using Apple Configurator. Minimum requirements ios 7.0 icloud rule group Allow backup rule This rule specifies whether an ios device user can back up the device to icloud. Allow document sync rule This rule specifies whether an ios device user can store documents in icloud. 42