Policy and Profile Reference Guide. BES10 Cloud Market Preview

Transcription

1 Policy and Profile Reference Guide BES10 Cloud Market Preview

2 Published: SWD

3 Contents About this guide What is BES10 Cloud? Key features of BES10 Cloud...14 IT policy rules BlackBerry IT policy rules...15 Password rule group Password required for work space rule...15 Apply work space password to full device rule Minimum password length rule Minimum password complexity rule Security timeout rule Maximum password attempts rule Maximum password history rule...17 Maximum password age rule Device functionality rule group Restrict development mode rule Allow transfer of work files using Bluetooth OPP rule Allow transfer of work messages using Bluetooth MAP without prompt rule...19 Allow transfer of work contacts using Bluetooth PBAP or HFP rule...19 Allow transfer of work messages using Bluetooth MAP rule...19 Allow voice control rule Allow voice dictation in work apps rule Allow roaming rule...20 Allow transfer of work data using NFC rule Allow development mode access to work space rule...21 Allow mobile hotspot mode and tethering rule Apps rule group Allow cloud storage access from work space rule Allow BBM Video access to work network rule Allow work network usage for personal apps rule Allow wireless service provider billing rule Allow work apps to access shared files or content in the personal space rule...22

4 Allow BlackBerry Bridge access to the work space rule Allow work apps to use personal networks rule Display warning message for external addresses rule Allow forwarding or adding recipients to private messages rule Security and privacy rule group Force personal space data encryption rule...24 Submit logs to BlackBerry rule Force media card encryption rule Wipe the work space without network connectivity rule Allow personal apps to access work contacts rule...25 Allow sharing work data during BBM Video screen sharing rule...25 Work domains rule...25 Allow app security timer reset rule Allow unified view for work and personal accounts and messages rule Allow opening links in work messages in the personal browser rule Allow CCL data collection rule Force WPA2-Personal security for mobile hotspot connections rule Smart card password caching rule Smart password entry rule Lock on smart card removal rule Smart card reader maximum Bluetooth range rule Smart card reader PIN entry mode rule External domain allowed list rule...29 External domain restricted list rule...30 Display indicator for external addresses rule Allow Find More Contact Details rule...30 Allow IRM-protected messages rule...30 Allow lock screen preview of work content rule ios IT policy rules Password rule group Password required for device rule Allow simple value rule Require alphanumeric value rule Minimum passcode length rule Minimum number of complex characters rule Maximum passcode age rule Maximum auto-lock rule Passcode history rule...33

5 Maximum grace period for device lock rule Maximum number of failed attempts rule...34 Device functionality rule group...35 Allow installing apps rule Allow use of camera rule...35 Allow FaceTime rule Allow screen capture rule Allow automatic sync while roaming rule Allow voice dialing rule Allow Passbook while device locked rule Allow in-app purchase rule Force user to enter itunes Store password for all purchases rule Allow multiplayer gaming rule Allow adding Game Center friends rule...37 Allow apps using cellular data rule Allow pairing with non-configurator hosts rule Autonomous apps in single app mode rule Allow ibooks Store rule Allow installing configuration profiles rule...38 Show Today view in lock screen rule...38 Show Notification Center in lock screen rule...38 Show Control Center in lock screen rule Allow Touch ID to unlock device rule Show user-generated content in Siri rule Apps rule group Allow use of itunes Store rule Allow use of YouTube rule...39 Force limited ad tracking rule Allow Siri rule...40 Allow Siri while device locked rule Allow use of Safari rule...40 Enable autofill rule...40 Force fraud warning rule...41 Enable JavaScript rule Block pop-ups rule Accept cookies rule Allow modifying Find My Friends settings rule Allow use of Game Center rule... 42

6 Allow AirDrop rule...42 icloud rule group Allow backup rule Allow document sync rule Allow Photo Stream rule...43 Allow shared Photo Streams rule...43 Content ratings rule group...43 Allow explicit music, podcasts & itunes rule...43 Allow ibookstore erotica rule...43 Ratings region rule Allowed content ratings for movies rule Allowed content ratings for TV shows rule...45 Allowed content ratings for apps rule Security and privacy rule group Allow user to accept untrusted TLS certificates rule...46 Force encrypted backups rule Allow modifying account settings rule Allow over-the-air PKI updates rule Allow documents from managed apps in unmanaged apps rule...47 Allow documents from unmanaged apps in managed apps rule...47 Allow diagnostic data to be sent to Apple rule...47 Android IT policy rules...47 Password rule group Password requirements rule Maximum failed password attempts rule Maximum inactivity time lock rule Password expiration timeout rule Password history restriction rule Minimum password length rule Minimum uppercase letters required in password rule...50 Minimum lowercase letters required in password rule Minimum letters required in password rule...50 Minimum numerical digits required in password rule...51 Minimum symbols required in password rule...51 Device functionality rule group...51 Disable camera rule...51 Security and privacy rule group Require storage encryption rule... 52

7 Profile settings...53 Exchange ActiveSync profile settings...53 Common settings...53 Domain name setting address setting Host name or IP address setting...54 Use SSL setting Username setting BlackBerry settings...54 Account name setting...54 Push enabled setting Interval between synchronizations setting Calendar synchronization setting Contacts synchronization setting synchronization setting Memo synchronization setting Task synchronization setting...56 Days to synchronize setting Require manual synchronization when roaming setting S/MIME support setting Digitally signed S/MIME messages setting Encrypted S/MIME messages setting Encryption algorithms setting...59 ios settings Allow user to move messages from this account setting...59 Allow Recent Address syncing Send outgoing mail from this account only from mail app Use S/MIME setting Signing certificate setting Encryption certificate setting Days to synchronize setting Credentials setting...61 Shared certificate profile setting Android settings Days to synchronize setting Credentials setting...62 Shared certificate profile setting... 62

8 Wi-Fi profile settings Common settings...63 SSID setting...63 Hidden network setting...63 BlackBerry settings...63 Security type setting WEP key setting...64 Preshared key type setting...64 Preshared key setting Authentication protocol setting Inner authentication setting EAP-FAST provisioning method setting Username setting Password setting Band type setting Enable DHCP setting IP address setting...67 Subnet mask setting Primary DNS setting Secondary DNS setting...68 Default gateway setting Domain suffix setting Enable IPv6 setting...69 Enable access point handover setting User can edit setting...69 Client certificate source setting...70 Trusted certificate source setting...70 Associated VPN profile setting Associated proxy profile setting...71 ios settings Automatically join network setting...71 Associated proxy profile setting...71 Network type setting...71 Displayed operator name setting...72 Domain name setting...72 Roaming consortium OIs setting NAI realm names setting...72 MCC/MNCs setting... 73

9 Allow connecting to roaming partner networks setting Security type setting WEP key setting...74 Preshared key setting Authentication protocol setting Inner authentication setting Use PAC setting...75 Provision PAC setting...75 Provision PAC anonymously setting...76 Outer identity for TTLS, PEAP, and EAP-FAST setting Use password included in Wi-Fi profile setting...76 Password setting Username setting Authentication type setting Type of certificate linking setting...77 Shared certificate profile setting Client certificate name setting Certificate common names expected from authentication server setting...78 Type of certificate linking setting...79 CA certificate profiles setting Trusted certificate names setting...79 Trust user decisions setting Android settings BSSID setting Security type setting Personal security type setting WEP key setting...81 Preshared key setting Authentication protocol setting Inner authentication setting Outer identity for TTLS setting...82 Outer identity for PEAP setting...83 Username setting Use password included in Wi-Fi profile setting...83 Password setting Authentication type setting Type of certificate linking setting...84 Shared certificate profile setting... 84

10 Client certificate name setting Certificate common names expected from authentication server setting...85 Type of certificate linking setting...85 CA certificate profiles setting Trusted certificate names setting...86 VPN profile settings...86 BlackBerry settings...86 Server address setting Gateway type setting Authentication type setting Preshared key setting Username setting Hardware token setting Password setting EAP identity setting MS-CHAPv2 EAP identity setting...89 MS-CHAPv2 username setting...89 MS-CHAPv2 password setting...90 Authentication ID type setting...90 Authentication ID setting Gateway authentication type setting Gateway preshared key setting Gateway authentication ID type setting Gateway authentication ID setting...92 Automatically determine IP setting Private IP setting Private IP mask setting Subnet setting Subnet mask setting Automatically determine DNS setting...93 Primary DNS setting Secondary DNS setting...94 Domain suffix setting Perfect forward secrecy setting...94 Manual algorithm selection setting...94 IKE DH group setting Custom IKE DH provider setting IKE cipher setting... 95

11 IKE hash setting...96 IKE PRF setting IPsec DH group setting IPsec cipher setting IPsec hash setting IKE lifetime setting...98 IPsec lifetime setting NAT keepalive setting...99 DPD frequency setting...99 Split tunneling setting Disable banner setting...99 User can edit setting Display VPN information on device setting Client certificate source setting Trusted certificate source setting Associated proxy profile setting ios settings Connection type setting VPN bundle ID setting Host name or IP address of VPN server setting Username setting Custom key-value pairs setting Login group or domain setting Realm setting Role setting Authentication type setting Password setting Group name setting Shared secret setting Shared certificate profile setting Encryption level setting Route network traffic through VPN setting Associated proxy profile setting Product documentation Provide feedback Glossary

12 Legal notice...112

13 What is BES10 Cloud? About this guide This reference guide provides descriptions for each IT policy rule in BES10 Cloud and the settings for Exchange ActiveSync profiles, Wi-Fi profiles, and VPN profiles. This guide is intended for senior administrators who are responsible for setting up IT policies that govern device security and profiles that control how devices connect to your organization's network. For instructions on creating IT policies and profiles and assigning them to users and groups, see the BES10 Cloud Administration Guide. For more information about BlackBerry Enterprise Service 10 security and device security, see the BES10 Cloud Security Technical Overview. What is BES10 Cloud? BES10 Cloud is an enterprise mobility management solution from BlackBerry. EMM solutions help you manage mobile devices for your organization. You can manage BlackBerry, ios, and Android devices, all from a unified interface. EMM solutions from BlackBerry protect business information, keep mobile workers connected with the information they need, and provide administrators with efficient tools that help keep business moving. BES10 Cloud is an EMM solution that is available in the cloud. EMM solution BES10 Cloud BlackBerry Enterprise Service 10 An easy-to-use, low-cost, and secure solution. BlackBerry hosts this service over the Internet. You only need a supported web browser to access the service, and BlackBerry maintains high availability to minimize downtime. Optionally, you can connect your on-premises directory services to BES10 Cloud. A comprehensive, scalable, and secure solution. Your organization installs this service in its environment. The deployment can range in size from one server to many, and you can set up and maintain high availability to minimize downtime. 13

14 Key features of BES10 Cloud Key features of BES10 Cloud Feature Management of most types of devices Single, unified interface Trusted and secure experience Balance of work and personal needs High availability You can manage BlackBerry 10, ios, and Android devices. You can view all devices in one place and access all management tasks in a single, web-based interface. You can share administrative duties with multiple administrators who can access the administration consoles at the same time. Device controls give you precise management of how devices connect to your network, what capabilities are enabled, and what apps are available. Whether the devices are owned by your organization or your users, you can protect your organization's information. BlackBerry Balance technology is designed to ensure that personal and work information are kept separate and secure on BlackBerry devices. If the device is lost or the employee leaves the organization, you can delete only workrelated information or all information from the device. Instead of having to maintain your own highly available service for device management, with all the upfront and maintenance costs, BlackBerry maintains the service and maximizes uptime for you. 14

15 BlackBerry IT policy rules IT policy rules The IT policies in BES10 Cloud control features and functionality on BlackBerry 10, ios, and Android devices. In some cases, the minimum version of the device OS required to support a rule is a version not supported by BES10 Cloud. For more information on device OS support for BES10 Cloud, see the BES10 Cloud Compatibility Matrix available at BlackBerry IT policy rules Password rule group Password required for work space rule Related rules This rule specifies whether a BlackBerry device requires a password for the work space. Selecting the "Apply work space password to full device" rule applies the same password to both the work space and the device. If the work space and the device have the same password, unlocking the device also unlocks the work space. The work space can be locked without locking the device. Apply work space password to full device rule This rule specifies whether a BlackBerry device applies the work space password to the full device. If this rule is selected, the work space password becomes the device password. If this rule is not selected, a user can choose to set a different password for the device. If you want to protect only the work space, select the "Password required for work space" rule and do not select this rule. Related rules This rule takes effect only if the "Password required for work space" rule is selected. 15

16 BlackBerry IT policy rules Minimum password length rule Related rules Possible values This rule specifies the minimum length of the work space password. If you do not set a value for this rule and a work space password is required, the minimum password length is 4. This rule takes effect only if the "Password required for work space" rule is selected. 4 to 32 characters 4 Minimum password complexity rule Related rules This rule specifies the minimum complexity of the work space password. If you set this rule, a user must create a password that includes the types of characters that you specify. This rule takes effect only if the "Password required for work space" rule is selected. Possible values No restriction 1 letter, 1 number 1 letter, 1 number, 1 special character 1 uppercase and lowercase letter, 1 number, 1 special character No restriction Security timeout rule Related rules This rule specifies the maximum period of BlackBerry device user inactivity that can elapse before the work space locks. This rule takes effect only if the "Password required for work space" rule is selected. 16

17 BlackBerry IT policy rules If the "Allow app security timer reset" rule is selected, the device does not lock when apps that can reset the security timer are running. Possible values 5 to 60 minutes 30 minutes Maximum password attempts rule Related rules This rule specifies the number of times that a user can enter an incorrect password before a BlackBerry device deletes the data in the work space. This rule takes effect only if the "Password required for work space" rule is selected. If the "Apply work space password to full device" rule is selected, the device deletes all data. Possible values 3 to Maximum password history rule Related rules This rule specifies the maximum number of previous passwords that a BlackBerry device checks to prevent a user from reusing a previous password. If this rule is set to 0, the device does not check previous passwords. This rule takes effect only if the "Password required for work space" rule is selected. Possible values 0 to

18 BlackBerry IT policy rules Maximum password age rule Related rules Possible values This rule specifies the number of days that can elapse before a BlackBerry device password expires and a user must set a new password. If this rule is set to 0, the password does not expire. This rule takes effect only if the "Password required for work space" rule is selected. 0 to 365 days 0 Device functionality rule group Restrict development mode rule Related rules This rule specifies whether development mode is restricted for BlackBerry device users. Development mode allows software development tools to connect to a device and also allows you or a user to install apps directly on the device using a USB or Wi-Fi connection. If this rule is selected, users can only download and install apps from the BlackBerry World storefront and you can also send apps to devices using the administration console. If this rule is not selected, you can use the "Allow development mode access to work space" rule to prevent users who have devices with BlackBerry 10 OS version 10.2 and later from using development mode to install apps in the work space. Allow transfer of work files using Bluetooth OPP rule This rule specifies whether a BlackBerry device can send work files and objects such as contacts to another Bluetooth enabled device or NFC-enabled device using the Bluetooth OPP. 18

19 BlackBerry IT policy rules Allow transfer of work messages using Bluetooth MAP without prompt rule Related rules This rule specifies whether a user can transfer work messages to a Bluetooth enabled device using the Bluetooth MAP following a single password prompt to access the work space. If this rule is not selected, the user must unlock the work space each time the device connects to the Bluetooth enabled device before the device can transfer work messages using the Bluetooth MAP. This rule takes effect only if the "Allow transfer of work messages using Bluetooth MAP" rule is selected. If the "Allow transfer of work contacts using Bluetooth PBAP or HFP" rule is not selected, users can't send messages using the Bluetooth MAP, regardless of the setting for this rule. Minimum requirements BlackBerry 10 OS version 10.1 Allow transfer of work contacts using Bluetooth PBAP or HFP rule This rule specifies whether a BlackBerry device can send work contacts to another Bluetooth enabled device using the Bluetooth PBAP or HFP. If this rule is not selected, users can't transfer work contacts using the Bluetooth PBAP or HFP or transfer work messages using the Bluetooth MAP. Allow transfer of work messages using Bluetooth MAP rule Related rules This rule specifies whether a BlackBerry device can send messages from the work space (for example, messages and instant messages) to another Bluetooth enabled device using the Bluetooth MAP. If the "Allow transfer of work contacts using Bluetooth PBAP or HFP" rule is not selected, users can't send messages using the Bluetooth MAP, regardless of the setting for this rule. 19

20 BlackBerry IT policy rules Allow voice control rule This rule specifies whether a BlackBerry device user can use the voice control commands on the device. If you set this rule to "Allow all," the user can use all of the voice control commands on the device. If you set this rule to "Disallow for and calendar," the user can't use the and calendar voice control commands on the device. If you set this rule to "Allow only phone and device status," the user can use voice control commands only for voice dialing and, on devices with BlackBerry 10 OS version 10.2 and later, for checking device status. Possible values Allow all Disallow for and calendar Allow only phone and device status Allow all Allow voice dictation in work apps rule This rule specifies whether a BlackBerry device user can use voice dictation in work apps. If this rule is selected, the user can use voice dictation in all apps that support this feature. Allow roaming rule Minimum requirements This rule specifies whether a BlackBerry device can use data services over the wireless network when the device is roaming. If this rule is not selected, the device can still send and receive data over the Wi-Fi network when the device is roaming. BlackBerry 10 OS version 10.2 for BlackBerry Balance devices Allow transfer of work data using NFC rule This rule specifies whether a BlackBerry device can send work data to another NFC-enabled device using NFC. 20

21 BlackBerry IT policy rules Minimum requirements BlackBerry 10 OS version 10.2 Allow development mode access to work space rule Related rules This rule specifies whether development mode can be used to allow software development tools to connect to the work space on a BlackBerry device using a USB or Wi-Fi connection and install apps directly in the work space. This rule takes effect only if the "Restrict development mode" rule is not selected. Minimum requirements BlackBerry 10 OS version 10.2 Allow mobile hotspot mode and tethering rule This rule specifies whether to allow Mobile Hotspot mode, tethering using Bluetooth technology, and tethering using a USB cable on a BlackBerry device. If this rule is selected, all of these features are available in the settings on the device. If this rule is not selected, none of these features are available on the device. Apps rule group Allow cloud storage access from work space rule This rule specifies whether the cloud storage apps developed by BlackBerry are available in the work space on a BlackBerry device. If this rule is not selected, the cloud storage apps are removed from the work space on the device and they can be used only as personal apps. This rule is obsolete in BlackBerry 10 OS version Minimum requirements BlackBerry 10 OS version

22 BlackBerry IT policy rules Allow BBM Video access to work network rule Related rules This rule specifies whether the BBM Video feature on a BlackBerry device can use your VPN or Wi-Fi network for incoming and outgoing video chats. If the "Allow work network usage for personal apps" rule is not selected, users cannot use the BBM Video feature over work networks, even if this rule is selected. Allow work network usage for personal apps rule This rule specifies whether personal apps on a BlackBerry device can use your work VPN or Wi-Fi network to connect to the Internet. Allow wireless service provider billing rule This rule specifies whether a BlackBerry device user can purchase apps from the BlackBerry World storefront and the BlackBerry World for Work storefront using the purchasing plan for your organization's wireless service provider. If this rule is not selected, users must pay for app purchases using another payment method. Allow work apps to access shared files or content in the personal space rule This rule specifies whether work apps on a BlackBerry device can access shared files or content that is located in the personal space if a user permits it. When a user installs a work app, the device displays a message that provides the user with the option to allow or deny the app's request to access shared files or content. If this rule is not selected, work apps can't access shared personal files or content regardless of the user settings on the device, and users can't attach personal files to messages sent from a work account or share personal files or content with work apps using the Share option. Minimum requirements BlackBerry 10 OS version

23 BlackBerry IT policy rules Allow BlackBerry Bridge access to the work space rule This rule specifies whether a BlackBerry 10 device can allow a BlackBerry PlayBook tablet to access work data on the device using the BlackBerry Bridge app. Allow work apps to use personal networks rule This rule specifies whether work apps on a BlackBerry device, including organizer apps, can use personal networks. If this rule is selected, work apps can make connections using personal networks if a work Wi-Fi or work VPN connection is not available or if your organization doesn't send any work Wi-Fi or work VPN profiles to the device. Minimum requirements BlackBerry 10 OS version 10.1 Display warning message for external addresses rule This rule specifies whether a BlackBerry device displays a warning message when a user attempts to send a work message to external recipients. If this rule is selected, the device displays a warning message that lists all external recipients unless the recipient s domain is listed in the "External domain allowed list" rule. Minimum requirements BlackBerry 10 OS version Allow forwarding or adding recipients to private messages rule This rule specifies whether a BlackBerry device user can forward, or add new recipients when replying to, messages with "(PRIVATE )" in the subject line. If this rule is not selected and the user attempts to forward or send a private message to a new recipient, the device displays a warning and does not send the message. Minimum requirements BlackBerry 10 OS version

24 BlackBerry IT policy rules Security and privacy rule group Force personal space data encryption rule This rule specifies whether a BlackBerry device must encrypt all data in the personal space. If this rule is not selected, the user can choose whether to encrypt data in the personal space on the device. Submit logs to BlackBerry rule This rule specifies whether a BlackBerry device can generate and send log files to the BlackBerry Technical Solution Center. Force media card encryption rule This rule specifies whether a BlackBerry device must encrypt all data on the media card that is inserted in the device. Wipe the work space without network connectivity rule Possible values This rule specifies the time in hours that must elapse without a BlackBerry device connecting to your organization's network before the device deletes the data in the work space. Use this rule to make the device delete the data in the work space if the device can't receive updates or commands. If this rule is not set, the device does not delete data from the work space if it can't connect to your organization's network. 2 to 8760 hours 24

25 BlackBerry IT policy rules Allow personal apps to access work contacts rule This rule specifies whether personal apps can access required data for work contacts on a BlackBerry device. If you set this rule to "All," all personal apps can access required data for work contacts. If you set this rule to "Only BlackBerry apps," some apps developed by BlackBerry (Phone, BBM, Text Messages, Smart Tags, visual voice mail, and voice dialing) can access required data for work contacts. If you set this rule to "None," personal apps cannot access data for work contacts. On devices with BlackBerry 10 OS version and later, if you set this rule to "All," users can use the "Copy to" and "Save to" options for work contacts in the Contacts app. Possible values All Only BlackBerry apps None All Allow sharing work data during BBM Video screen sharing rule This rule specifies whether a BlackBerry device user can share work data on a device using the BBM Video with Screen Share feature. If this rule is not selected, the device locks the work space when the user uses BBM Video with Screen Share and the user cannot unlock the work space until the screen sharing part of the BBM Video chat is complete. Work domains rule This rule specifies a list of domain names that a BlackBerry device identifies as work resources. If you specify domain names in this rule, the device identifies data from a computer in these domains as work data. Data sent from these domains to the device using the Print To Go app will be stored in the work space on the device. All of the subdomains of the domain are included automatically. If you list multiple domain names, separate the domain names with a comma (,), semicolon (;), or space. 25

26 BlackBerry IT policy rules Allow app security timer reset rule This rule specifies whether apps can reset the security timer on a BlackBerry device to prevent the device from locking after the period of user inactivity that you specify in the "Security timeout" rule or the user specifies in the Password Lock settings on the device elapses. If this rule is not selected, the device locks without user interaction when running apps that try to reset the security timer, such as apps that display navigation information, slideshows, and videos. Allow unified view for work and personal accounts and messages rule This rule specifies whether the BlackBerry Hub displays work and personal accounts and messages together in a single view. If this rule is not selected, the device must display work accounts and messages in a separate view from personal accounts and messages in the BlackBerry Hub. Minimum requirements BlackBerry 10 OS version Allow opening links in work messages in the personal browser rule This rule specifies whether BlackBerry device users can use the browser in the personal space to open links in work messages. If this rule is selected, links in work messages open in the browser in the personal space by default and the device displays a message that provides the user with the option to open the link in the browser in the work space instead. Your organization may require users to open intranet links in the browser in the work space. If this rule is not selected, links in work messages always open in the browser in the work space. Allow CCL data collection rule This rule specifies whether a BlackBerry device allows CCL data collection across all apps. CCL allows apps to collect rich data related to app usage and to carry out deep crossapplication analysis. 26

27 BlackBerry IT policy rules Minimum requirements BlackBerry 10 OS version 10.1 Force WPA2-Personal security for mobile hotspot connections rule This rule specifies whether a BlackBerry device that is in Mobile Hotspot mode requires other devices that connect to it to use the WPA2-Personal security type. This rule is obsolete in BlackBerry 10 OS version Smart card password caching rule This rule specifies whether a BlackBerry device can cache the smart card password. If you set this rule to "Allow," the user can choose to cache the smart card password. If you set this rule to "Required," the smart card password is always cached. The cached password is stored in the BlackBerry device keystore. Possible values Allow Disallow Required Allow Minimum requirements BlackBerry 10 OS version 10.1 Smart password entry rule This rule specifies whether a BlackBerry device can use smart password entry with two-factor authentication. Smart password entry allows a user to enter numeric passwords on the device without pressing the Alt key and automatically fills the device or work space password field if the device password or work space password and the smart card password are the same. If you set this rule to "Allow," the user can use smart password entry with two-factor authentication. If you set this rule to "Required," the device always uses smart password entry with two-factor authentication. Possible values Allow 27

28 BlackBerry IT policy rules Disallow Required Allow Minimum requirements BlackBerry 10 OS version 10.1 Lock on smart card removal rule Related rules This rule specifies whether the work space locks when a user removes the smart card from the supported smart card reader or disconnects the supported smart card reader from the device. If you set this rule to "Allow" or "Required," a user might need the driver for the smart card reader. Not all smart card reader drivers support smart card removal detection. This rule takes effect only if the "Password required for work space" rule is selected. Possible values No Allow Required Allow Minimum requirements BlackBerry 10 OS version 10.1 Smart card reader maximum Bluetooth range rule This rule specifies the maximum power range that a BlackBerry Smart Card Reader uses to send Bluetooth packets to a BlackBerry device or a computer. The permitted range is between 30% and 100%. You can configure a higher power range to allow a BlackBerry Smart Card Reader to send Bluetooth packets to a BlackBerry device or computer over a greater distance. Possible values 30% 40% 50% 60% 70% 28

29 BlackBerry IT policy rules 80% 90% 100% 100% Minimum requirements BlackBerry 10 OS version 10.1 Smart card reader PIN entry mode rule This rule specifies the PIN entry mode that is required during the Bluetooth connection process when a BlackBerry Smart Card Reader connects to a BlackBerry device or a computer. The user must use the specified PIN format when typing the smart card password during the Bluetooth connection process. Possible values Numeric Alphanumeric lowercase Alphanumeric mixed case Numeric Minimum requirements BlackBerry 10 OS version 10.1 External domain allowed list rule Related rules This rule specifies a list of external domains that BlackBerry device users can send work messages to without the device displaying a warning. If you list multiple domain names, separate the domain names with a comma (,), semicolon (;), or space. This rule takes effect only if the "Display indicator for external addresses" rule or "Display warning message for external addresses" rule is selected. Minimum requirements BlackBerry 10 OS version

30 BlackBerry IT policy rules External domain restricted list rule This rule specifies a list of domains that BlackBerry device users are not allowed to send work messages to. If a user attempts to send an message to a recipient with an domain in this list, the user is notified that the message cannot be sent to that recipient and is returned to the message to edit the recipient list. If you list multiple domain names, separate the domain names with a comma (,), semicolon (;), or space. Minimum requirements BlackBerry 10 OS version Display indicator for external addresses rule This rule specifies whether a BlackBerry device displays a warning indicator in work messages when a user adds an external address as a recipient. If this rule is selected, the device displays a warning indicator for external addresses. Minimum requirements BlackBerry 10 OS version 10.1 Allow Find More Contact Details rule This rule specifies whether a BlackBerry device user can use the Find More Contact Details setting in the Contacts app to allow the device to use cloud services to search for additional contact information when saving a contact. Minimum requirements BlackBerry 10 OS version 10.1 Allow IRM-protected messages rule This rule specifies whether a BlackBerry device user can read IRM-protected messages. If this rule is selected, the user can read IRM-protected messages and the device enforces the rights given by the sender. If this rule is not selected, the user cannot read IRM-protected messages on the device. Minimum requirements BlackBerry 10 OS version

31 ios IT policy rules Allow lock screen preview of work content rule This rule specifies whether a BlackBerry device displays a preview of work content when the device is locked. If this rule is selected, the lock screen displays a preview of work content when the work space is unlocked in the background. After the security timeout locks the work space, the lock screen displays a notification that locked items are available. If this rule is not selected, the lock screen displays only a notification that locked items are available, regardless of whether the work space is unlocked in the background. Minimum requirements BlackBerry 10 OS version ios IT policy rules The mobile operating system defines the rules that a device supports. For more information on the settings for ios devices, visit the Apple Configurator Help. Password rule group Password required for device rule This rule specifies whether an ios device user must set a password. Allow simple value rule Related rules This rule specifies whether an ios device user can use sequential or repeated characters, such as "3333" or "CDEFG," in a password. This rule takes effect only if the "Password required for device" rule is selected. 31

32 ios IT policy rules Require alphanumeric value rule Related rules This rule specifies whether an ios device user must create a password that contains at least one letter and one number. This rule takes effect only if the "Password required for device" rule is selected. Minimum passcode length rule Related rules This rule specifies the minimum number of characters that an ios device password can contain. This rule takes effect only if the "Password required for device" rule is selected. Possible values A number equal to or greater than 4. 4 Minimum number of complex characters rule This rule specifies the minimum number of non-alphanumeric characters (such as $, &, and!) that an ios device password can contain. Related rules This rule takes effect only if the "Password required for device" rule is selected. 0 Maximum passcode age rule Related rules This rule specifies the maximum number of days that can elapse before an ios device user must set a new password. This rule takes effect only if the "Password required for device" rule is selected. 32

33 ios IT policy rules Possible values 1 to 730 days Maximum auto-lock rule Related rules This rule specifies the maximum number of minutes of user inactivity that can elapse before an ios device locks. This rule takes effect only if the "Password required for device" rule is selected. Possible values None None Passcode history rule Related rules This rule specifies the number of previous passwords that an ios device checks to prevent a user from reusing a previous password. This rule takes effect only if the "Password required for device" rule is selected. Possible values 1 to 50 33

34 ios IT policy rules Maximum grace period for device lock rule Related rules This rule specifies how soon an ios device can be unlocked again after use without prompting again for the password. This setting specifies the maximum value the user is allowed to configure. Setting this rule to "None" allows the user to choose any of the intervals available. This rule takes effect only if the "Password required for device" rule is selected. Possible values None 1 minute 5 minutes 15 minutes 1 hour 4 hours None Maximum number of failed attempts rule Related rules This rule specifies how many failed password attempts an ios device user can make before the device is wiped. After six failed password attempts, the device imposes a time delay before a password can be entered again. The time delay increases with each failed attempt. After the final failed attempt, all data and settings are deleted from the device. If you set this value to 6 or lower, no time delay is imposed and the device is wiped when the attempt limit is exceeded. This rule takes effect only if the "Password required for device" rule is selected. Possible values 1 to

35 ios IT policy rules Device functionality rule group Allow installing apps rule This rule specifies whether the App Store is enabled on an ios device and its icon is on the Home screen. When this option is not selected, users are unable to install or update apps using the App Store or itunes. Allow use of camera rule This rule specifies whether the cameras are enabled on an ios device and whether the Camera icon appears on the Home screen. When this option is not selected, users can't take photos or videos, or use FaceTime. Allow FaceTime rule Related rules This rule specifies whether ios device users can make and receive FaceTime video calls. This rule takes effect only if the "Allow use of camera" rule is selected. Allow screen capture rule This rule specifies whether ios device users can save a screen capture of the display. Allow automatic sync while roaming rule This rule specifies whether an ios device that is roaming will sync only when an account is accessed by the user. 35

36 ios IT policy rules Allow voice dialing rule This rule specifies whether an ios device user can initiate phone calls using voice commands. Allow Passbook while device locked rule This rule specifies whether an ios device displays Passbook notifications while locked. Minimum requirements ios 6.0 Allow in-app purchase rule Related rules This rule specifies whether an ios device user can make in-app purchases. This rule takes effect only if the "Allow use of itunes Store" rule is selected. Force user to enter itunes Store password for all purchases rule Related rules This rule specifies whether an ios device user must enter an Apple ID password before every purchase. Normally, there's a brief grace period after a purchase is made before a user must authenticate for subsequent purchases. This rule takes effect only if the "Allow use of itunes Store" rule is selected. Allow multiplayer gaming rule This rule specifies whether an ios device user can play multiplayer games in Game Center. 36

37 ios IT policy rules Related rules On devices that are supervised using Apple Configurator, if the "Allow use of Game Center" rule is not selected, Game Center is disabled on the device. Allow adding Game Center friends rule Related rules This rule specifies whether an ios device user can add friends in Game Center. This rule takes effect only if the "Allow multiplayer gaming" rule is selected. On devices that are supervised using Apple Configurator, if the "Allow use of Game Center" rule is not selected, Game Center is disabled on the device. Allow apps using cellular data rule This rule specifies whether an ios device user can change the wireless data usage for apps. This rule applies only to devices that are supervised using Apple Configurator. Minimum requirements ios 7.0 Allow pairing with non-configurator hosts rule This rule specifies whether an ios device can pair with a computer other than the Apple Configurator host. This rule applies only to devices that are supervised using Apple Configurator. Minimum requirements ios 7.0 Autonomous apps in single app mode rule This rule specifies apps that can run in single app mode using Guided Access on an ios device. When an app is running in single app mode, no other apps can run at the same time. You must provide the Bundle Identifier for each app that you want to specify. This rule applies only to devices that are supervised using Apple Configurator. 37

38 ios IT policy rules Minimum requirements ios 7.0 Allow ibooks Store rule This rule specifies whether the ibooks Store is enabled on an ios device. When this option is not selected, users can't access the ibooks Store from the ibooks app. This rule applies only to devices that are supervised using Apple Configurator. Minimum requirements ios 6.0 Allow installing configuration profiles rule This rule specifies whether an ios device user can install additional configuration profiles onto the device. This rule applies only to devices that are supervised using Apple Configurator. Minimum requirements ios 6.0 Show Today view in lock screen rule This rule specifies whether an ios device user can swipe down to see the Notification Center using the Today view when the screen is locked. Minimum requirements ios 7.0 Show Notification Center in lock screen rule This rule specifies whether an ios device user can receive notifications while the screen is locked. Minimum requirements ios 7.0 Show Control Center in lock screen rule This rule specifies whether an ios device user can swipe up to view the Control Center while the screen is locked. 38

39 ios IT policy rules Minimum requirements ios 7.0 Allow Touch ID to unlock device rule This rule specifies whether an ios device user can use Touch ID to unlock the device. When this option is not selected, the user must use a password to unlock the device. Minimum requirements ios 7.0 Show user-generated content in Siri rule Related rules This rule specifies whether an ios device user can add their own content to Siri. This rule applies only to devices that are supervised using Apple Configurator. This rule takes effect only if the "Allow Siri" rule is selected. Minimum requirements ios 7.0 Apps rule group Allow use of itunes Store rule This rule specifies whether the itunes Store is enabled on an ios device and whether its icon appears on the Home screen. When this option is not selected, users can't preview, purchase, or download content. Allow use of YouTube rule This rule specifies whether the YouTube app is enabled on an ios device and whether its icon appears on the Home screen. The YouTube app is included with ios 5. 39

40 ios IT policy rules Force limited ad tracking rule This rule specifies whether apps on an ios device can use the Advertising Identifier (a nonpermanent device identifier) to serve targeted ads. Minimum requirements ios 7.0 Allow Siri rule This rule specifies whether an ios device user can use Siri, voice commands, and dictation. Allow Siri while device locked rule Related rules This rule specifies whether an ios device user can use Siri voice commands to unlock the device. This rule applies only if the user has set a password for the device. This rule takes effect only if the "Allow Siri" rule is selected. Allow use of Safari rule This rule specifies whether the Safari web browser app is enabled on an ios device and its icon is on the Home screen. When this option is not selected, users also can't open web clips. Enable autofill rule Related rules This rule specifies whether Safari remembers what an ios device user enters in web forms. This rule takes effect only if the "Allow use of Safari" rule is selected. 40

41 ios IT policy rules Force fraud warning rule Related rules This rule specifies whether Safari attempts to prevent an ios device user from visiting websites that are identified as fraudulent or compromised. This rule takes effect only if the "Allow use of Safari" rule is selected. Enable JavaScript rule Related rules This rule specifies whether Safari supports JavaScript on websites. This rule takes effect only if the "Allow use of Safari" rule is selected. Block pop-ups rule Related rules This rule specifies whether Safari's pop-up blocking feature is enabled on an ios device. This rule takes effect only if the "Allow use of Safari" rule is selected. Accept cookies rule Related rules This rule specifies whether the Safari web browser on an ios device accepts all cookies, accepts no cookies, or rejects cookies from sites not directly accessed. This rule takes effect only if the "Allow use of Safari" rule is selected. Possible values Never From visited websites Always Always 41

42 ios IT policy rules Allow modifying Find My Friends settings rule This rule specifies whether an ios device user can change the settings for the Find My Friends app. This rule applies only to devices that are supervised using Apple Configurator. Minimum requirements ios 7.0 Allow use of Game Center rule This rule specifies whether Game Center is enabled on an ios device and its icon is on the Home screen. This rule applies only to devices that are supervised using Apple Configurator. Minimum requirements ios 6.0 Allow AirDrop rule This rule specifies whether an ios user can use AirDrop to share data with other devices. This rule applies only to devices that are supervised using Apple Configurator. Minimum requirements ios 7.0 icloud rule group Allow backup rule This rule specifies whether an ios device user can back up the device to icloud. Allow document sync rule This rule specifies whether an ios device user can store documents in icloud. 42

43 ios IT policy rules Allow Photo Stream rule This rule specifies whether to allow Photo Stream on an ios device. If you disallow Photo Stream, existing Photo Stream photos are deleted from the user's device and photos from the Camera Roll can't be sent to Photo Stream. If there are no other copies of these photos, they may be lost. Allow shared Photo Streams rule Related rules This rule specifies whether an ios device user can invite others to view Photo Stream photos and can view Photo Stream photos shared by others. This rule takes effect only if the "Allow Photo Stream" rule is selected. Minimum requirements ios 6.0 Content ratings rule group Allow explicit music, podcasts & itunes rule Related rules This rule specifies whether explicit music or video content in the itunes Store is available on an ios device. Explicit content is flagged by content providers, such as record labels, when listed on the itunes Store. This rule takes effect only if the "Allow use of itunes Store" rule is selected. Allow ibookstore erotica rule This rule specifies whether an ios device user can download media that has been tagged as erotica from the ibooks Store. 43

44 ios IT policy rules Related rules On devices that are supervised using Apple Configurator, if the "Allow ibooks Store" rule is not selected, the ibooks Store is disabled on the device. Minimum requirements ios 6.0 Ratings region rule Related rules This rule specifies which country's rating system to use when you set the allowed content ratings for movies, TV shows, and apps. This rule takes effect only if the "Allow use of itunes Store" rule is selected. The options displayed for the Allowed content ratings rules depend on the option selected for this rule. Possible values United States Australia Canada France Germany Ireland Japan New Zealand United Kingdom United States Allowed content ratings for movies rule Related rules This rule specifies the maximum allowed content rating for movies that a user can download to an ios device from the itunes Store. This rule takes effect only if the "Allow use of itunes Store" rule is selected. The options displayed depend on the option selected in the "Ratings region" rule. 44

45 ios IT policy rules Possible values Do not allow movies Rating options, depending on the selected ratings region. Allow all movies Allow all movies Allowed content ratings for TV shows rule Related rules This rule specifies the maximum allowed content rating for TV shows that a user can download to an ios device from the itunes Store. This rule takes effect only if the "Allow use of itunes Store" rule is selected. The options displayed depend on the option selected in the "Ratings region" rule. Possible values Do not allow TV shows Rating options, depending on the selected ratings region. Allow all TV shows Allow all TV shows Allowed content ratings for apps rule Related rules This rule specifies the maximum allowed content rating for apps that a user can download to an ios device from the App Store or the itunes Store. This rule takes effect only if the "Allow installing apps" rule or the "Allow use of itunes Store" rule is selected. The options displayed depend on the option selected in the "Ratings region" rule. Possible values Do not allow apps Rating options, depending on the selected ratings region. Allow all apps 45

46 ios IT policy rules Allow all apps Security and privacy rule group Allow user to accept untrusted TLS certificates rule This rule specifies whether an ios device user can choose to trust certificates that cannot be verified. This setting applies to Safari and to Mail, Contacts, and Calendar accounts. Force encrypted backups rule This rule specifies whether an ios device user can choose if device backups performed in itunes are stored in encrypted format on their computer. If any profile is encrypted and this option is selected, encryption of backups is required and enforced by itunes. Allow modifying account settings rule This rule specifies whether an ios device user can add, change, or delete accounts on the device. This rule applies only to devices that are supervised using Apple Configurator. Minimum requirements ios 7.0 Allow over-the-air PKI updates rule This rule specifies whether certificate updates on an ios device can occur over a wireless connection. Minimum requirements ios

47 Android IT policy rules Allow documents from managed apps in unmanaged apps rule This rule specifies whether an ios device user can open data from work apps in a personal app. Minimum requirements ios 7.0 Allow documents from unmanaged apps in managed apps rule This rule specifies whether an ios device user can open data from personal apps in a work app. Safari and AirDrop will continue to display all apps and accounts as possible destinations. Minimum requirements ios 7.0 Allow diagnostic data to be sent to Apple rule This rule specifies whether an ios device sends diagnostic information to Apple. Minimum requirements ios 6.0 Android IT policy rules The mobile operating system defines the rules that a device supports. For more information on the settings for Android devices, visit the Android Developers website. Password rule group For some Android device models, if a user did not previously have a password set for a device and an IT policy that requires the user to set a password is pushed to the device, the user cannot set a password. For more information, please see the support information for the device. Password requirements rule This rule specifies the minimum requirements for an Android device password. If you set this rule to "Unspecified," the user does not need to set a password. If you set this rule to 47

48 Android IT policy rules "Something," the password must be at least 4 characters. If you set this rule to "Numeric," "Alphabetic," or "Alphanumeric," the password must also contain the specified character types and may include other characters. If you set this rule to "Complex," you can set specific requirements for different characters types. Possible values Unspecified Something Numeric Alphabetic Alphanumeric Complex Unspecified Minimum requirements Android OS 2.3 Maximum failed password attempts rule Related rules This rule specifies the number of times that an Android device user can enter an incorrect password before the device deletes all user information and app data. If the user enters an incorrect password of less than four characters, it will not be counted as an attempt. This rule takes effect only if the "Password requirements" rule is set to something other than "Unspecified." Minimum requirements Android OS 2.3 Maximum inactivity time lock rule Related rules Possible values This rule specifies the maximum number of minutes of user inactivity that can elapse before an Android device locks. This rule takes effect only if the "Password requirements" rule is set to something other than "Unspecified." 1 to 60 minutes 48

49 Android IT policy rules 15 minutes Minimum requirements Android OS 2.3 Password expiration timeout rule Related rules Possible values This rule specifies the maximum period that can elapse before an Android device password expires and a user must set a new password. If you do not set a value for this rule, the password does not expire. This rule takes effect only if the "Password requirements" rule is set to something other than "Unspecified." A number greater than 0 and a period of days, hours, minutes, or seconds. Minimum requirements Android OS 3.0 Password history restriction rule Related rules This rule specifies the maximum number of previous passwords that an Android device checks to prevent a user from reusing a previous password. If you do not set a value for this rule, the device does not check previous passwords. This rule takes effect only if the "Password requirements" rule is set to "Numeric," "Alphabetic," "Alphanumeric," or "Complex." Minimum requirements Android OS 3.0 Minimum password length rule Related rules This rule specifies the minimum length of the device password. If you do not set a value for this rule and a password is required, the minimum password length is 4. This rule takes effect only if the "Password requirements" rule is set to "Numeric," "Alphabetic," "Alphanumeric," or "Complex." 49

50 Android IT policy rules Possible values A number equal to or greater than 4. 4 Minimum requirements Android OS 2.3 Minimum uppercase letters required in password rule This rule specifies the minimum number of uppercase letters required in an Android device password. If you specify a minimum number of uppercase letters, a user must create a password that includes at least the number of uppercase letters that you specify. Related rules This rule takes effect only if you set the "Password requirements" rule to "Complex." 0 Minimum requirements Android OS 3.0 Minimum lowercase letters required in password rule This rule specifies the minimum number of lowercase letters required in an Android device password. If you specify a minimum number of lowercase letters, a user must create a password that includes at least the number of lowercase letters that you specify. Related rules This rule takes effect only if you set the "Password requirements" rule to "Complex." 0 Minimum requirements Android OS 3.0 Minimum letters required in password rule This rule specifies the minimum number of letters required in an Android device password. If you specify a minimum number of letters, a user must create a password that includes at least the number of letters that you specify. 50

51 Android IT policy rules Related rules This rule takes effect only if you set the "Password requirements" rule to "Complex." 0 Minimum requirements Android OS 3.0 Minimum numerical digits required in password rule This rule specifies the minimum number of numerals required in an Android device password. If you specify a minimum number of numerals, a user must create a password that includes at least the number of numerals that you specify. Related rules This rule takes effect only if you set the "Password requirements" rule to "Complex." 0 Minimum requirements Android OS 3.0 Minimum symbols required in password rule This rule specifies the minimum number of special characters required in an Android device password. If you specify a minimum number of symbols, a user must create a password that includes at least the number of special characters that you specify. Related rules This rule takes effect only if you set the "Password requirements" rule to "Complex." 0 Minimum requirements Android OS 3.0 Device functionality rule group Disable camera rule This rule specifies whether the cameras on an Android device are disabled. If this rule is selected, users cannot take pictures or videos. 51

52 Android IT policy rules Minimum requirements Android OS 4.0 Security and privacy rule group Require storage encryption rule This rule specifies whether the data storage on an Android device is encrypted. Minimum requirements Android OS

53 Exchange ActiveSync profile settings Profile settings The profiles in BES10 Cloud control various features on BlackBerry 10, ios, and Android devices. This section describes the settings for Exchange ActiveSync profiles, Wi-Fi profiles, and VPN profiles. Profiles that have only a small number of settings are described in the documentation for the profile in the BES10 Cloud Administration Guide. In some cases, the minimum version of the device OS required to support a setting is a version not supported by BES10 Cloud. For more information on device OS support for BES10 Cloud, see the BES10 Cloud Compatibility Matrix available at Exchange ActiveSync profile settings Common settings Domain name setting This setting specifies the domain name of the mail server. Minimum requirements BlackBerry 10 OS version 10.0 ios 5.0 Android OS 2.3 address setting This setting specifies the user's address. If the profile is for multiple users, you can use the %User Address% variable. Minimum requirements BlackBerry 10 OS version 10.0 ios 5.0 Android OS

54 Exchange ActiveSync profile settings Host name or IP address setting This setting specifies the host name or IP address of the mail server. Minimum requirements BlackBerry 10 OS version 10.0 ios 5.0 Android OS 2.3 Use SSL setting This setting specifies whether a device must use SSL to connect to the mail server. Minimum requirements BlackBerry 10 OS version 10.0 ios 5.0 Android OS 2.3 Username setting This setting specifies the user's username. If the profile is for multiple users, you can use the %UserName% variable. Minimum requirements BlackBerry 10 OS version 10.0 ios 5.0 Android OS 2.3 BlackBerry settings Account name setting This setting specifies the work account name that appears in the BlackBerry Hub and in the device settings. You can use a variable, such as %User Address%. 54

55 Exchange ActiveSync profile settings Push enabled setting This setting specifies whether the mail server can push messages to a BlackBerry device. Interval between synchronizations setting This setting specifies how often a BlackBerry device checks the mail server for new messages. This setting is valid only if the "Push enabled" setting is not selected. Possible values Manual 5 minutes 15 minutes 30 minutes 1 hour 2 hours 4 hours 24 hours 15 minutes Calendar synchronization setting This setting specifies whether a BlackBerry device synchronizes calendar entries with the mail server. 55

56 Exchange ActiveSync profile settings Contacts synchronization setting This setting specifies whether a BlackBerry device synchronizes contacts with the mail server. synchronization setting This setting specifies whether a BlackBerry device synchronizes messages with the mail server. Memo synchronization setting This setting specifies whether a BlackBerry device synchronizes memo data with the mail server. Task synchronization setting This setting specifies whether a BlackBerry device synchronizes task data with the mail server. Days to synchronize setting This setting specifies the number of days in the past to synchronize messages and organizer data to a BlackBerry device. Possible values 1 day 3 days 7 days 14 days 56

57 Exchange ActiveSync profile settings 1 month Forever 1 month Require manual synchronization when roaming setting This setting specifies whether a user must start synchronization between a BlackBerry device and the mail server when the user is roaming. S/MIME support setting This setting specifies whether S/MIME is enabled on a BlackBerry device. If you set this setting to Allow, a user can choose whether or not to enable S/MIME on the device. If you set this setting to Required, S/MIME is enabled on the device and the user can't disable it. If you set this setting to Disallow, S/MIME is disabled on the device and the user can't enable it. To send encrypted messages, a user must have the recipient's public key on the device. To send digitally signed messages, the user's private key must be on the device. This setting takes precedence over the "Digitally signed S/MIME messages" setting and the "Encrypted S/MIME messages" setting. Possible values Allow Required Disallow Allow Minimum requirements BlackBerry 10 OS version

58 Exchange ActiveSync profile settings Digitally signed S/MIME messages setting This setting specifies whether a BlackBerry device sends outgoing messages with a digital signature. If you set this setting to Allow, a user can choose whether to digitally sign outgoing messages. If you set this setting to Required, a user must digitally sign outgoing messages. If you set this setting to Disallow, a user can't digitally sign outgoing messages To send digitally signed messages, the user's private key must be on the device. This setting is valid only if the "S/MIME support" setting is set to Allow or Required. If the "S/MIME support" setting is set to Required, and both this setting and the "Encrypted S/ MIME messages" setting are set to Disallow, the "Encrypted S/MIME messages" setting and this setting are ignored and the default setting of Allow is used for both settings. Possible values Allow Required Disallow Allow Encrypted S/MIME messages setting This setting specifies whether a BlackBerry device encrypts outgoing messages using S/ MIME encryption. If you set this setting to Allow, a user can choose whether or not to encrypt outgoing messages. If you set this setting to Required, a user must encrypt outgoing messages. If you set this setting to Disallow, a user can't encrypt outgoing messages. To send encrypted messages, a user must have the recipient's public key on the device. This setting is valid only if the "S/MIME support" setting is set to Allow or Required. If the "S/MIME support" setting is set to Required, and both this setting and the "Digitally signed S/MIME messages" setting are set to Disallow, the "Digitally signed S/MIME messages" setting and this setting are ignored and the default setting of Allow is used for both settings. Possible values Allow Required Disallow 58

59 Exchange ActiveSync profile settings Allow Encryption algorithms setting This setting specifies the encryption algorithms that a BlackBerry device can use to encrypt S/ MIME-protected messages. Possible values AES (256-bit) AES (192-bit) AES (128-bit) Triple DES RC2 ios settings Allow user to move messages from this account setting This setting specifies whether users can move messages from this account to another existing account on an ios device. Allow Recent Address syncing This setting specifies whether an ios device user can sync recently used addresses across devices. 59

60 Exchange ActiveSync profile settings Send outgoing mail from this account only from mail app This setting specifies whether apps other than the Mail app on an ios device can use this account to send messages. Use S/MIME setting This setting specifies whether an ios device user can send S/MIME protected messages. Signing certificate setting This setting specifies the shared certificate profile for a client certificate that an ios device uses to sign messages. If you do not specify a signing certificate, the device user can configure the appropriate certificate. This setting takes effect only if the "Use S/MIME" setting is selected. Encryption certificate setting This setting specifies the shared certificate profile for a client certificate that an ios device can use to encrypt messages. Devices choose the appropriate certificate for the recipient to encrypt messages using S/ MIME. This setting takes effect only if the "Use S/MIME" setting is selected. 60

61 Exchange ActiveSync profile settings Days to synchronize setting This setting specifies the number of days in the past to synchronize messages and organizer data to an ios device. Possible values 1 day 3 days 7 days 14 days 1 month Forever 3 days Credentials setting This setting specifies the type of authentication an ios device uses to connect to the mail server. Possible values None Certificate None Shared certificate profile setting This setting specifies the shared certificate profile for the client certificate that an ios device uses to connect to the mail server. 61

62 Exchange ActiveSync profile settings Android settings Days to synchronize setting This setting specifies the number of days in the past to synchronize messages and organizer data to an Android device. Possible values Unlimited 1 day 3 days 7 days 14 days 1 month 1 month Minimum requirements Android OS 2.3 Credentials setting This setting specifies the type of authentication an Android device uses to connect to the mail server. Possible values None Certificate None Minimum requirements Android OS 2.3 Shared certificate profile setting This setting specifies the shared certificate profile for the client certificate that an Android device uses to connect to the mail server. Minimum requirements Android OS

63 Wi-Fi profile settings Wi-Fi profile settings Common settings SSID setting This setting specifies the network name of a Wi-Fi network and its wireless access points. The SSID is case sensitive and must contain alphanumeric characters. Minimum requirements BlackBerry 10 OS version 10.0 ios 5.0 Android OS 2.3 Hidden network setting This setting specifies whether the Wi-Fi network hides the SSID. Minimum requirements BlackBerry 10 OS version 10.0 ios 5.0 Android OS 2.3 BlackBerry settings Security type setting This setting specifies the type of security that the Wi-Fi network uses. Possible values None 63

64 Wi-Fi profile settings WEP personal WPA-Personal WPA-Enterprise WPA2-Personal WPA2-Enterprise None WEP key setting This setting specifies the WEP key for the Wi-Fi network. The WEP key must be 10 or 26 hexadecimal characters (0-9, A-F) or 5 or 13 alphanumeric characters (0-9, A-Z). Examples of hexadecimal key values are ABCDEF0123 or ABCDEF ABCDEF0123. Examples of alphanumeric key values are abcd5 or abcdefghijkl1. This setting is valid only if the "Security type" setting is set to WEP personal. Preshared key type setting This setting specifies the type of preshared key for the Wi-Fi network. This setting is valid only if the "Security type" setting is set to WPA-Personal or WPA2- Personal. Possible values ASCII HEX ASCII 64

65 Wi-Fi profile settings Preshared key setting This setting specifies the preshared key for the Wi-Fi network. This setting is valid only if the "Security type" setting is set to WPA-Personal or WPA2- Personal. Authentication protocol setting This setting specifies the EAP method that the Wi-Fi network uses. This setting is valid only if the "Security type" setting is set to WPA-Enterprise or WPA2- Enterprise. Possible values PEAP TTLS EAP-FAST TLS PEAP Inner authentication setting This setting specifies the inner authentication method used with a TLS tunnel. If you want to use PAP for inner authentication, set this setting to Auto. This setting is valid only if the "Authentication protocol" setting is set to PEAP or TTLS. Possible values Auto MS-CHAPv2 GTC 65

66 Wi-Fi profile settings Auto EAP-FAST provisioning method setting This setting specifies the provisioning method for EAP-FAST authentication. This setting is valid only if the "Authentication protocol" setting is set to EAP-FAST. Possible values Anonymous Authenticated Anonymous Username setting This setting specifies the username that a BlackBerry device uses to authenticate with the Wi- Fi network. This setting is valid only if the "Authentication protocol" setting is set to PEAP, TTLS, EAP- FAST, or TLS. Password setting This setting specifies the password that a BlackBerry device uses to authenticate with the Wi- Fi network. This setting is valid only if the "Authentication protocol" setting is set to PEAP, TTLS, or EAP- FAST. 66

67 Wi-Fi profile settings Band type setting This setting specifies the frequency band that the Wi-Fi network uses. Possible values Dual 2.4 GHz 5.0 GHz Dual Enable DHCP setting This setting specifies whether the Wi-Fi network uses DHCP. IP address setting This setting specifies the IP address of the host for the Wi-Fi network. This setting is valid only if the "Enable DHCP" setting is not selected. Subnet mask setting This setting specifies the subnet mask in dot-decimal notation (for example, ). This setting is valid only if the "Enable DHCP" setting is not selected. 67

68 Wi-Fi profile settings Primary DNS setting This setting specifies the primary DNS server in dot-decimal notation (for example, ). This setting is valid only if the "Enable DHCP" setting is not selected. Secondary DNS setting This setting specifies the secondary DNS server in dot-decimal notation (for example, ). This setting is valid only if the "Enable DHCP" setting is not selected. Default gateway setting This setting specifies the default gateway in dot-decimal notation (for example, ). This setting is valid only if the "Enable DHCP" setting is not selected. 68

69 Wi-Fi profile settings Domain suffix setting This setting specifies the FQDN of the DNS suffix. This setting is valid only if the "Enable DHCP" setting is not selected. Enable IPv6 setting This setting specifies whether the Wi-Fi network supports IPv6. Enable access point handover setting This setting specifies whether a BlackBerry device can perform Wi-Fi handovers between wireless access points. User can edit setting This setting specifies the Wi-Fi settings that a BlackBerry device user can change. If you select Read only, the user cannot change any settings. If you select Credentials only, the user can change the username and password. Possible values Read only Credentials only Read only 69

70 Wi-Fi profile settings Client certificate source setting This setting specifies the source of the client certificate. If you select Other, a BlackBerry device uses a certificate that the user added to the device. If you select Smart card, a device uses a certificate from a smart card. Smart card support is available for devices that run a version of BlackBerry 10 OS that is later than Possible values Other Smart card Other Minimum requirements BlackBerry 10 OS version 10.2 Trusted certificate source setting This setting specifies the source of the trusted certificate. If you select Trusted certificate store, a BlackBerry device can connect to a Wi-Fi network that uses any certificate in the Wi-Fi certificate store. Possible values None Trusted certificate store None Associated VPN profile setting This setting specifies the associated VPN profile that a BlackBerry device uses to make Wi-Fi connections through a VPN. 70

71 Wi-Fi profile settings Associated proxy profile setting This setting specifies the associated proxy profile that a BlackBerry device uses to make Wi-Fi connections through a proxy server. ios settings Automatically join network setting This setting specifies whether an ios device can automatically join the Wi-Fi network. Associated proxy profile setting This setting specifies the associated proxy profile that an ios device uses to make Wi-Fi connections through a proxy server. Network type setting This setting specifies a configuration for the Wi-Fi network. Hotspot 2.0 requires ios 7.0 and later. Hotspot configurations apply only to ios devices. To configure Wi-Fi settings for BlackBerry and Android devices, create a separate Wi-Fi profile. Possible values Standard Legacy hotspot Hotspot 2.0 Standard 71

72 Wi-Fi profile settings Displayed operator name setting This setting specifies the friendly name of the hotspot operator. This setting is valid only if the "Network type" setting is set to Hotspot 2.0. Minimum requirements ios 7.0 Domain name setting This setting specifies the domain name of the hotspot operator. This setting is valid only if the "Network type" setting is set to Hotspot 2.0. The "SSID" setting is not required when you use this setting. Minimum requirements ios 7.0 Roaming consortium OIs setting This setting specifies the organization identifiers of roaming consortiums and service providers that are accessible through the hotspot. This setting is valid only if the "Network type" setting is set to Hotspot 2.0. Minimum requirements ios 7.0 NAI realm names setting This setting specifies the NAI realm names that can authenticate an ios device. This setting is valid only if the "Network type" setting is set to Hotspot

73 Wi-Fi profile settings Minimum requirements ios 7.0 MCC/MNCs setting This setting specifies the MCC/MNC combinations that identify mobile network operators. Each value must contain exactly six digits. This setting is valid only if the "Network type" setting is set to Hotspot 2.0. Minimum requirements ios 7.0 Allow connecting to roaming partner networks setting This setting specifies whether an ios device can connect to roaming partners for the hotspot. This setting is valid only if the "Network type" setting is set to Hotspot 2.0. Minimum requirements ios 7.0 Security type setting This setting specifies the type of security that the Wi-Fi network uses. If the "Network type" setting is set to Hotpost 2.0, WPA2-Enterprise is used for this setting. Possible values None WEP personal WEP enterprise WPA-Personal WPA-Enterprise WPA2-Personal WPA2-Enterprise None 73

74 Wi-Fi profile settings WEP key setting This setting specifies the WEP key for the Wi-Fi network. This setting is valid only if the "Security type" setting is set to WEP personal. Preshared key setting This setting specifies the preshared key for the Wi-Fi network. This setting is valid only if the "Security type" setting is set to WPA-Personal or WPA2- Personal. Authentication protocol setting This setting specifies the EAP methods that the Wi-Fi network supports. You can select multiple EAP methods. This setting is valid only if the "Security type" setting is set to WEP enterprise, WPA-Enterprise, or WPA2-Enterprise. Possible values TLS TTLS LEAP PEAP EAP-FAST EAP-SIM 74

75 Wi-Fi profile settings Inner authentication setting This setting specifies the inner authentication method for use with TTLS. This setting is valid only if the "Authentication protocol" setting is set to TTLS. Possible values None PAP CHAP MS-CHAP MS-CHAPv2 MS-CHAPv2 Use PAC setting This setting specifies whether the EAP-FAST method uses a Protected Access Credential. This setting is valid only if the "Authentication protocol" setting is set to EAP-FAST. Provision PAC setting This setting specifies whether the EAP-FAST method allows PAC provisioning. This setting is valid only if the "Authentication protocol" setting is set to EAP-FAST and the "Use PAC" setting is selected. 75

76 Wi-Fi profile settings Provision PAC anonymously setting This setting specifies whether the EAP-FAST method allows anonymous PAC provisioning. This setting is valid only if the "Authentication protocol" setting is set to EAP-FAST, the "Use PAC" setting is selected, and the "Provision PAC" setting is selected. Outer identity for TTLS, PEAP, and EAP-FAST setting This setting specifies the outer identity for a user that is sent in clear text. You can specify an anonymous username to hide the user's real identity (for example, anonymous). The encrypted tunnel is used to send the real username to authenticate with the Wi-Fi network. If the outer identity includes the realm name to route the request, it must be the user's actual realm (for example, [email protected]). This setting is valid only if the "Authentication protocol" setting is set to TTLS, PEAP, or EAP- FAST. Use password included in Wi-Fi profile setting This setting specifies whether the Wi-Fi profile includes the password for authentication. This setting is valid only if the "Security type" setting is set to WEP enterprise, WPA-Enterprise, or WPA2-Enterprise. Password setting This setting specifies the password that an ios device uses to authenticate with the Wi-Fi network. This setting is valid only if the "Use password included in Wi-Fi profile" setting is selected. 76

77 Wi-Fi profile settings Username setting This setting specifies the username that an ios device uses to authenticate with the Wi-Fi network. This setting is valid only if the "Security type" setting is set to WEP enterprise, WPA-Enterprise, or WPA2-Enterprise. Authentication type setting This setting specifies the type of authentication that an ios device uses to connect to the Wi-Fi network. This setting is valid only if the "Security type" setting is set to WEP enterprise, WPA-Enterprise, or WPA2-Enterprise. Possible values None Certificate None Type of certificate linking setting This setting specifies the type of linking for the client certificate associated with the Wi-Fi profile. This setting is valid only if the "Authentication type" setting is set to Certificate. 77

78 Wi-Fi profile settings Possible values Single reference Variable injection Single reference Shared certificate profile setting This setting specifies the shared certificate profile with the client certificate that an ios device uses to authenticate with the Wi-Fi network. This setting is valid only if the "Type of certificate linking" setting is set to Single reference. Client certificate name setting This setting specifies the name of the client certificate that an ios device uses to authenticate with the Wi-Fi network. This setting is valid only if the "Type of certificate linking" setting is set to Variable injection. Certificate common names expected from authentication server setting This setting specifies the common names in the certificate that the authentication server sends to the device (for example, *.example.com). This setting is valid only if the "Security type" setting is set to WEP enterprise, WPA-Enterprise, or WPA2-Enterprise. 78

79 Wi-Fi profile settings Type of certificate linking setting This setting specifies the type of linking for the trusted certificates associated with the Wi-Fi profile. This setting is valid only if the "Security type" setting is set to WEP enterprise, WPA-Enterprise, or WPA2-Enterprise. Possible values Single reference Variable injection Single reference CA certificate profiles setting This setting specifies the CA certificate profiles with the trusted certificates that an ios device uses to establish trust with the Wi-Fi network. This setting is valid only if the "Type of certificate linking" setting is set to Single reference. Trusted certificate names setting This setting specifies the names of the trusted certificates that an ios device uses to establish trust with the Wi-Fi network. This setting is valid only if the "Type of certificate linking" setting is set to Variable injection. 79

80 Wi-Fi profile settings Trust user decisions setting This setting specifies whether an ios device prompts the user to trust a server when the chain of trust cannot be established. If this setting is not selected, only connections to trusted servers that you specify are allowed. This setting is valid only if the "Security type" setting is set to WEP enterprise, WPA-Enterprise, or WPA2-Enterprise. Android settings BSSID setting This setting specifies the MAC address of a wireless access point in the Wi-Fi network. Minimum requirements Android OS 2.3 Security type setting This setting specifies the type of security that the Wi-Fi network uses. Possible values None Personal Enterprise None Minimum requirements Android OS 2.3 Personal security type setting This setting specifies the type of personal security that the Wi-Fi network uses. 80

81 Wi-Fi profile settings This setting is valid only if the "Security type" setting is set to Personal. Possible values None WEP personal WPA-Personal/WPA2-Personal None Minimum requirements Android OS 2.3 WEP key setting This setting specifies the WEP key for the Wi-Fi network. This setting is valid only if the "Personal security type" setting is set to WEP personal. Minimum requirements Android OS 2.3 Preshared key setting This setting specifies the preshared key for the Wi-Fi network. This setting is valid only if the "Personal security type" setting is set to WPA-Personal/WPA2- Personal. Minimum requirements Android OS 2.3 Authentication protocol setting This setting specifies the EAP method that the Wi-Fi network uses. This setting is valid only if the "Security type" setting is set to Enterprise. Possible values TLS 81

82 Wi-Fi profile settings TTLS PEAP LEAP TLS Minimum requirements Android OS 2.3 Inner authentication setting This setting specifies the inner authentication method for use with TTLS. This setting is valid only if the "Authentication protocol" setting is set to TTLS. Possible values None PAP CHAP MS-CHAP MS-CHAPv2 GTC MS-CHAPv2 Minimum requirements Android OS 2.3 Outer identity for TTLS setting This setting specifies the outer identity for a user that is sent in clear text. You can specify an anonymous username to hide the user's real identity (for example, anonymous). The encrypted tunnel is used to send the real username to authenticate with the Wi-Fi network. If the outer identity includes the realm name to route the request, it must be the user's actual realm (for example, [email protected]). This setting is valid only if the "Authentication protocol" setting is set to TTLS. Minimum requirements Android OS

83 Wi-Fi profile settings Outer identity for PEAP setting This setting specifies the outer identity for a user that is sent in clear text. You can specify an anonymous username to hide the user's real identity (for example, anonymous). The encrypted tunnel is used to send the real username to authenticate with the Wi-Fi network. If the outer identity includes the realm name to route the request, it must be the user's actual realm (for example, [email protected]). This setting is valid only if the "Authentication protocol" setting is set to PEAP. Minimum requirements Android OS 2.3 Username setting This setting specifies the username that an Android device uses to authenticate with the Wi-Fi network. This setting is valid only if the "Security type" setting is set to Enterprise. Minimum requirements Android OS 2.3 Use password included in Wi-Fi profile setting This setting specifies whether the Wi-Fi profile includes the password for authentication. This setting is valid only if the "Security type" setting is set to Enterprise. Minimum requirements Android OS 2.3 Password setting This setting specifies the password that an Android device uses to authenticate with the Wi-Fi network. This setting is valid only if the "Use password included in Wi-Fi profile" setting is selected. 83

84 Wi-Fi profile settings Minimum requirements Android OS 2.3 Authentication type setting This setting specifies the type of authentication that an Android device uses to connect to the Wi-Fi network. This setting is valid only if the "Security type" setting is set to Enterprise. Possible values None Certificate None Minimum requirements Android OS 2.3 Type of certificate linking setting This setting specifies the type of linking for the client certificate associated with the Wi-Fi profile. This setting is valid only if the "Authentication type" setting is set to Certificate. Possible values Single reference Variable injection Single reference Minimum requirements Android OS 2.3 Shared certificate profile setting This setting specifies the shared certificate profile with the client certificate that an Android device uses to authenticate with the Wi-Fi network. This setting is valid only if the "Type of certificate linking" setting is set to Single reference. 84

85 Wi-Fi profile settings Minimum requirements Android OS 2.3 Client certificate name setting This setting specifies the name of the client certificate that an Android device uses to authenticate with the Wi-Fi network. This setting is valid only if the "Type of certificate linking" setting is set to Variable injection. Minimum requirements Android OS 2.3 Certificate common names expected from authentication server setting This setting specifies the common names in the certificate that the authentication server sends to the device (for example, *.example.com). This setting is valid only if the "Security type" setting is set to Enterprise. Minimum requirements Android OS 2.3 Type of certificate linking setting This setting specifies the type of linking for the trusted certificates associated with the Wi-Fi profile. This setting is valid only if the "Security type" setting is set to Enterprise. Possible values Single reference Variable injection Single reference Minimum requirements Android OS

86 VPN profile settings CA certificate profiles setting This setting specifies the CA certificate profiles with the trusted certificates that an Android device uses to establish trust with the Wi-Fi network. This setting is valid only if the "Type of certificate linking" setting is set to Single reference. Minimum requirements Android OS 2.3 Trusted certificate names setting This setting specifies the names of the trusted certificates that an Android device uses to establish trust with the Wi-Fi network. This setting is valid only if the "Type of certificate linking" setting is set to Variable injection. Minimum requirements Android OS 2.3 VPN profile settings BlackBerry settings Server address setting This setting specifies the FQDN or IP address of a VPN server. 86

87 VPN profile settings Gateway type setting This setting specifies the type of VPN client that the VPN client on a BlackBerry device emulates. Possible values Check Point VPN-1 Cisco VPN 3000 Series Concentrator Cisco Secure PIX Firewall Cisco IOS Easy VPN Cisco ASA Series Juniper SRX Series (IPsec VPN) Juniper MAG Series or Juniper SA Series (SSL VPN) Microsoft IKEv2 VPN server Generic IKEv2 VPN server Check Point VPN-1 Authentication type setting This setting specifies the authentication type for the VPN gateway. The "Gateway type" setting determines which authentication types are supported. Possible values PSK PKI XAUTH-PSK XAUTH-PKI EAP-TLS EAP-MS-CHAPv2 PSK 87

88 VPN profile settings Preshared key setting This setting specifies the preshared key for the VPN gateway. This setting is valid only if the "Authentication type" setting is set to PSK or XAUTH-PSK. Username setting This setting specifies the username that a BlackBerry device uses to authenticate with the VPN gateway. This setting is valid only if the "Authentication type" setting is set to XAUTH-PSK or XAUTH- PKI. Hardware token setting This setting specifies whether a user must use a hardware token to authenticate with the VPN gateway. This setting is valid only if the "Authentication type" setting is set to XAUTH-PSK or XAUTH- PKI. Password setting Possible values This setting specifies the password that a BlackBerry device uses to authenticate with the VPN gateway. This setting is valid only if the "Authentication type" setting is set to XAUTH-PSK or XAUTH- PKI and the "Hardware token" setting is not selected. 88

89 VPN profile settings EAP identity setting This setting specifies the EAP identity that a BlackBerry device uses to authenticate with the VPN gateway. This setting is valid only if the "Authentication type" setting is set to EAP-TLS. MS-CHAPv2 EAP identity setting This setting specifies the MS-CHAPv2 EAP identity that a BlackBerry device uses to authenticate with the VPN gateway. This setting is valid only if the "Authentication type" setting is set to EAP-MS-CHAPv2. MS-CHAPv2 username setting This setting specifies the MS-CHAPv2 username that a BlackBerry device uses to authenticate with the VPN gateway. This setting is valid only if the "Authentication type" setting is set to EAP-MS-CHAPv2. 89

90 VPN profile settings MS-CHAPv2 password setting This setting specifies the MS-CHAPv2 password that a BlackBerry device uses to authenticate with the VPN gateway. This setting is valid only if the "Authentication type" setting is set to EAP-MS-CHAPv2. Authentication ID type setting This setting specifies the authentication ID type for the VPN gateway. This setting is valid only if the "Gateway type" setting is set to Juniper MAG Series or Juniper SA Series (SSL VPN), Microsoft IKEv2 VPN server, or Generic IKEv2 VPN server. The "Gateway type" setting determines which authentication ID types are supported. Possible values IPv4 Fully qualified domain name address IPv4 Authentication ID setting This setting specifies the authentication ID for the VPN gateway. This setting is valid only if the "Gateway type" setting is set to Juniper MAG Series or Juniper SA Series (SSL VPN), Microsoft IKEv2 VPN server, or Generic IKEv2 VPN server, or if the "Authentication type" setting is set to PSK or XAUTH-PSK. 90

91 VPN profile settings Gateway authentication type setting This setting specifies the gateway authentication type for the VPN gateway. This setting is valid only if the "Gateway type" setting is set to Juniper MAG Series or Juniper SA Series (SSL VPN), Microsoft IKEv2 VPN server, or Generic IKEv2 VPN server. Possible values None PSK PKI None Gateway preshared key setting This setting specifies the gateway preshared key for the VPN gateway. This setting is valid only if the "Gateway authentication type" setting is set to PSK. Gateway authentication ID type setting This setting specifies the gateway authentication ID type for the VPN gateway. This setting is valid only if the "Gateway type" setting is set to Juniper MAG Series or Juniper SA Series (SSL VPN), Microsoft IKEv2 VPN server, or Generic IKEv2 VPN server. Possible values IPv4 Fully qualified domain name address Identity certificate distinguished name Identity certificate general name 91

92 VPN profile settings IPv4 Gateway authentication ID setting This setting specifies the gateway authentication ID for the VPN gateway. This setting is valid only if the "Gateway authentication ID type" setting is set to Fully qualified domain name or address. Automatically determine IP setting This setting specifies whether a BlackBerry device automatically determines the IP configuration of the VPN gateway. Private IP setting This setting specifies the private IP of the VPN gateway. This setting is valid only if the "Automatically determine IP" setting is not selected. Private IP mask setting This setting specifies the private IP mask of the VPN gateway. This setting is valid only if the "Automatically determine IP" setting is not selected. 92

93 VPN profile settings Subnet setting This setting specifies the subnet of the VPN gateway. This setting is valid only if the "Automatically determine IP" setting is not selected. Subnet mask setting This setting specifies the subnet mask of the VPN gateway. This setting is valid only if the "Automatically determine IP" setting is not selected. Automatically determine DNS setting This setting specifies whether a BlackBerry device automatically determines the DNS configuration of the VPN gateway. Primary DNS setting This setting specifies the primary DNS server in dot-decimal notation (for example, ). This setting is valid only if the "Automatically determine DNS" setting is not selected. 93

94 VPN profile settings Secondary DNS setting This setting specifies the secondary DNS server in dot-decimal notation (for example, ). This setting is valid only if the "Automatically determine DNS" setting is not selected. Domain suffix setting This setting specifies the FQDN of the DNS suffix. This setting is valid only if the "Automatically determine DNS" setting is not selected. Perfect forward secrecy setting This setting specifies whether the VPN gateway supports PFS. If this setting is selected, the "IPsec DH group" setting must not be set to 0. Manual algorithm selection setting This setting specifies whether you must set the cryptographic algorithms for the VPN gateway. 94

95 VPN profile settings IKE DH group setting This setting specifies the DH group that a BlackBerry device uses to generate key material. This setting is valid only if the "Manual algorithm selection" setting is selected. Possible values 1 to 26, except 3, 4, and 6 Custom 1 to Custom 5 1 Custom IKE DH provider setting This setting specifies the name of the provider for custom IKE DH. This setting is valid only if the "IKE DH group" setting is set to one of the Custom values. Minimum requirements BlackBerry 10 OS version 10.1 IKE cipher setting This setting specifies the algorithm that a BlackBerry device uses to generate a shared secret key. This setting is valid only if the "Manual algorithm selection" setting is selected. Possible values None DES (56-bit key) Triple DES (168-bit key) AES (128-bit key) AES (192-bit key) AES (256-bit key) None 95

96 VPN profile settings IKE hash setting This setting specifies the hash function that a BlackBerry device uses with IKE. This setting is valid only if the "Manual algorithm selection" setting is selected. Possible values None MD5 AES-XCBC SHA-1 SHA-256 SHA-384 SHA-512 None IKE PRF setting This setting specifies the PRF that a BlackBerry device uses with IKE. This setting is valid only if the "Manual algorithm selection" setting is selected. Possible values None HMAC HMAC-MD5 AES-XCBC HMAC-SHA-1 HMAC-SHA-256 HMAC-SHA-384 HMAC-SHA-512 None 96

97 VPN profile settings IPsec DH group setting This setting specifies the DH group that a BlackBerry device uses with IPsec. This setting is valid only if the "Manual algorithm selection" setting is selected. Possible values 0 to 26, except 3, 4, and 6 0 IPsec cipher setting This setting specifies the algorithm that a BlackBerry device uses with IPsec. This setting is valid only if the "Manual algorithm selection" setting is selected. Possible values None DES (56-bit key) Triple DES (168-bit key) AES (128-bit key) AES (192-bit key) AES (256-bit key) None IPsec hash setting This setting specifies the hash function that a BlackBerry device uses with IPsec. This setting is valid only if the "Manual algorithm selection" setting is selected. 97

98 VPN profile settings Possible values None MD5 AES-XCBC SHA-1 SHA-256 SHA-384 SHA-512 None IKE lifetime setting Possible values This setting specifies the lifetime of the IKE connection. If you set an unsupported value or a null value, the BlackBerry device default value is used. 1 to seconds IPsec lifetime setting Possible values This setting specifies the lifetime of the IPsec connection. If you set an unsupported value or a null value, the BlackBerry device default value is used. 1 to seconds 98

99 VPN profile settings NAT keepalive setting Possible values This setting specifies how often a device sends a NAT keepalive packet. If you set an unsupported value or a null value, the BlackBerry device default value is used. 1 to seconds DPD frequency setting Possible values This setting specifies the DPD frequency. A BlackBerry device supports a minimum setting of 10 seconds. If you set an unsupported value or a null value, the device default value is used. 1 to seconds Split tunneling setting This setting specifies whether a BlackBerry device can use split tunneling to bypass the VPN gateway. Disable banner setting This setting specifies whether a BlackBerry device blocks the VPN banner. 99

100 VPN profile settings User can edit setting This setting specifies the VPN settings that a BlackBerry device user can change. If you select Read only, the user cannot change any settings. If you select Credentials only, the user can change the username and password. Possible values Read only Credentials only Read only Display VPN information on device setting This setting specifies whether VPN information is displayed on a BlackBerry device. If you select Visible, most of the VPN profile information appears on the device. If you select Invisible, only the profile name appears on the device. If you select Credentials only, the profile name and the credential fields appear on the device. Possible values Visible Invisible Credentials only Visible Minimum requirements BlackBerry 10 OS version 10.1 Client certificate source setting This setting specifies the source of the client certificate. If you select Other, a BlackBerry device uses a certificate that the user added to the device. If you select Smart card, a device uses a certificate from a smart card. Smart card support is available for devices that run a version of BlackBerry 10 OS that is later than This setting is valid only if the "Authentication type" setting is set to PKI or XAUTH-PKI. 100

101 VPN profile settings Possible values Other Smart card Other Minimum requirements BlackBerry 10 OS version 10.2 Trusted certificate source setting This setting specifies the source of the trusted certificate. If you select Trusted certificate store, a BlackBerry device can connect to a VPN that uses any certificate in the VPN certificate store. This setting is valid only if the "Authentication type" setting is set to PKI or XAUTH-PKI. Possible values None Trusted certificate store None Associated proxy profile setting This setting specifies the associated proxy profile that a BlackBerry device uses to make VPN connections through a proxy server. ios settings Connection type setting This setting specifies the connection type that an ios device uses for a VPN gateway. Some connection types also require users to install the appropriate VPN app on the device. 101

102 VPN profile settings Possible values L2TP PPTP IPsec Cisco AnyConnect Juniper F5 SonicWALL Mobile Connect Aruba VIA Check Point Mobile OpenVPN Custom L2TP VPN bundle ID setting This setting specifies the bundle ID of the VPN app for a custom SSL VPN. The bundle ID is in reverse-dns format (for example, com.example.vpnapp). This setting is valid only if the "Connection type" setting is set to Custom. Host name or IP address of VPN server setting This setting specifies the FQDN or IP address of a VPN server. 102

103 VPN profile settings Username setting This setting specifies the username that an ios device uses to authenticate with the VPN gateway. Custom key-value pairs setting This setting specifies the keys and associated values for the custom SSL VPN. The configuration information is specific to the vendor's VPN app. This setting is valid only if the "Connection type" setting is set to Custom. Login group or domain setting This setting specifies the login group or domain that the VPN gateway uses to authenticate an ios device. This setting is valid only if the "Connection type" setting is set to SonicWALL Mobile Connect. Realm setting This setting specifies the name of the authentication realm that the VPN gateway uses to authenticate an ios device. This setting is valid only if the "Connection type" setting is set to Juniper. 103

104 VPN profile settings Role setting This setting specifies the name of the user role that the VPN gateway uses to verify the network resources that an ios device can access. This setting is valid only if the "Connection type" setting is set to Juniper. Authentication type setting This setting specifies the authentication type for the VPN gateway. The "Connection type" setting determines which authentication types are supported. Possible values Password RSA SecurID Shared secret/group name Certificate Password Password setting This setting specifies the password that an ios device uses to authenticate with the VPN gateway. This setting is valid only if the "Authentication type" setting is set to Password. 104

105 VPN profile settings Group name setting This setting specifies the group name for the VPN gateway. This setting is valid only if the "Connection type" setting is set to Cisco AnyConnect, or if the "Connection type" setting is set to IPsec and the "Authentication type" setting is set to Shared secret/group name. Shared secret setting This setting specifies the shared secret for the VPN gateway. This setting is valid only if the "Connection type" setting is set to L2TP, or if the "Connection type" setting is set to IPsec and the "Authentication type" setting is set to Shared secret/ Group name. Shared certificate profile setting This setting specifies the shared certificate profile with the client certificate that an ios device uses to authenticate with the VPN gateway. This setting is valid only if the "Authentication type" setting is set to Certificate. Encryption level setting This setting specifies the level of data encryption for the VPN connection. If you select Automatic, all available encryption strengths are allowed. If you select Maximum, only the maximum encryption strength is allowed. 105

106 VPN profile settings This setting is valid only if the "Connection type" setting is set to PPTP. Possible values None Automatic Maximum None Route network traffic through VPN setting This setting specifies whether to send all network traffic through the VPN connection. This setting is valid only if the "Connection type" setting is set to L2TP or PPTP. Associated proxy profile setting This setting specifies the associated proxy profile that an ios device uses to make VPN connections through a proxy server. 106

107 Product documentation Resource BES10 Cloud Product Overview Introduction to BES10 Cloud and its features Finding your way through the documentation Architecture BES10 Cloud Release Notes s of known issues and potential workarounds BES10 Cloud Compatibility Matrix Software that is compatible with BES10 Cloud BES10 Cloud Administration Guide s of different types of licenses Instructions for activating licenses Instructions to connect BES10 Cloud to your company directory Instructions for creating user accounts, groups, roles, and administrator accounts Instructions for activating devices Instructions for creating and sending IT policies and profiles Instructions for managing apps on devices BES10 Cloud Policy and Profile Reference Guide BES10 Cloud Solution Security Technical Overview s of IT policy rules and profile settings for devices of the security maintained by BES10 Cloud, the BlackBerry Infrastructure, and devices to protect data and connections of device operating systems of how work data is protected on BlackBerry 10 devices when you use BES10 Cloud 107

108 Provide feedback To provide feedback on this content, visit 108

109 Glossary AES AES-XCBC ASCII BSSID CA CCL CHAP DES DH DHCP DNS DPD EAP EAP-FAST EAP-MS-CHAP EAP-SIM EAP-TLS FAST FQDN GTC HFP HMAC IKE IP IPsec IRM L2TP Advanced Encryption Standard Advanced Encryption Standard extended cipher block chaining American Standard Code for Information Interchange Basic Service Set Identifier certification authority context collection library Challenge Handshake Authentication Protocol Data Encryption Standard Diffie-Hellman Dynamic Host Configuration Protocol Domain Name System Dead Peer Detection Extensible Authentication Protocol Extensible Authentication Protocol Flexible Authentication via Secure Tunneling Extensible Authentication Protocol Microsoft Challenge Handshake Authentication Protocol Extensible Authentication Protocol Subscriber Identity Module Extensible Authentication Protocol Transport Layer Security Flexible Authentication via Secure Tunneling fully qualified domain name Generic Token Card Hands-Free Profile keyed-hash message authentication code Internet Key Exchange Internet Protocol Internet Protocol Security information rights management Layer 2 Tunneling Protocol 109

110 LEAP MAC MAP MCC Lightweight Extensible Authentication Protocol Media Access Control Message Access Profile mobile country code MD5 Message-Digest Algorithm, version 5 MNC MS-CHAP NAI NAT NFC OPP PAC PAP PBAP PEAP PFS PIN PKI PPTP PRF PSK RC SHA SIM S/MIME space SSID SSL TLS mobile network code Microsoft Challenge Handshake Authentication Protocol Network Access Identifier network address translation Near Field Communication Object Push Profile Protected Access Credential Push Access Protocol Phone Book Access Profile Protected Extensible Authentication Protocol Perfect Forward Secrecy personal identification number Public Key Infrastructure Point-to-Point Tunneling Protocol pseudorandom function family pre-shared key Rivest's Cipher Secure Hash Algorithm Subscriber Identity Module Secure Multipurpose Internet Mail Extensions A space is a distinct area of the device that enables the segregation and management of different types of data, applications, and network connections. Different spaces can have different rules for data storage, application permissions, and network routing. Spaces were formerly known as perimeters. service set identifier Secure Sockets Layer Transport Layer Security 110

111 TTLS USB VIA VPN WEP WPA xauth Tunneled Transport Layer Security Universal Serial Bus Virtual Intranet Access virtual private network Wired Equivalent Privacy Wi-Fi Protected Access Extended Authentication 111

112 Legal notice 2014 BlackBerry. All rights reserved. BlackBerry and related trademarks, names, and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world. Android and YouTube are trademarks of Google Inc. Apple, App Store, Apple Configurator, FaceTime, icloud, itunes, itunes Store, Passbook, Safari, and Siri are trademarks of Apple Inc. Aruba, VIA, and Virtual Intranet Acess are trademarks of Aruba Networks, Inc. Bluetooth is a trademark of Bluetooth SIG. Check Point and VPN-1 are trademarks of Check Point Software Technologies Ltd. Cisco, Cisco AnyConnect, Cisco IOS, and PIX are trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. F5 is a trademark of F5 Networks, Inc. ios is a trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. ios is used under license by Apple Inc. Juniper is a trademark of Juniper Networks, Inc. Microsoft and ActiveSync are trademarks of Microsoft Corporation. OpenVPN is a trademark of OpenVPN Technologies, Inc. RSA SecurID is a trademark of RSA Security. SonicWALL and Mobile Connect are trademarks of Dell, Inc. Wi-Fi, WPA, and WPA2 are trademarks of the Wi-Fi Alliance. All other trademarks are the property of their respective owners. This documentation including all documentation incorporated by reference herein such as documentation provided or made available at is provided or made accessible "AS IS" and "AS AVAILABLE" and without condition, endorsement, guarantee, representation, or warranty of any kind by BlackBerry Limited and its affiliated companies ("BlackBerry") and BlackBerry assumes no responsibility for any typographical, technical, or other inaccuracies, errors, or omissions in this documentation. In order to protect BlackBerry proprietary and confidential information and/or trade secrets, this documentation may describe some aspects of BlackBerry technology in generalized terms. BlackBerry reserves the right to periodically change information that is contained in this documentation; however, BlackBerry makes no commitment to provide any such changes, updates, enhancements, or other additions to this documentation to you in a timely manner or at all. This documentation might contain references to third-party sources of information, hardware or software, products or services including components and content such as content protected by copyright and/or third-party websites (collectively the "Third Party Products and Services"). BlackBerry does not control, and is not responsible for, any Third Party Products and Services including, without limitation the content, accuracy, copyright compliance, compatibility, performance, trustworthiness, legality, decency, links, or any other aspect of Third Party Products and Services. The inclusion of a reference to Third Party Products and Services in this documentation does not imply endorsement by BlackBerry of the Third Party Products and Services or the third party in any way. EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS OR WARRANTIES OF DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE, MERCHANTABILITY, MERCHANTABLE QUALITY, NON- INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON- PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND CONDITIONS. TO THE EXTENT PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE 112

113 DOCUMENTATION TO THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE SUBJECT OF THE CLAIM. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL BLACKBERRY BE LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON- PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE FOLLOWING DAMAGES: DIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED DAMAGES, DAMAGES FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION OR LOSS OF DATA, FAILURES TO TRANSMIT OR RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY APPLICATIONS USED IN CONJUNCTION WITH BLACKBERRY PRODUCTS OR SERVICES, DOWNTIME COSTS, LOSS OF THE USE OF BLACKBERRY PRODUCTS OR SERVICES OR ANY PORTION THEREOF OR OF ANY AIRTIME SERVICES, COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR SERVICES, COST OF CAPITAL, OR OTHER SIMILAR PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR UNFORESEEN, AND EVEN IF BLACKBERRY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, BLACKBERRY SHALL HAVE NO OTHER OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING ANY LIABILITY FOR NEGLIGENCE OR STRICT LIABILITY. THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF THE CAUSE OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL BREACH OR BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY CONTAINED HEREIN; AND (B) TO BLACKBERRY AND ITS AFFILIATED COMPANIES, THEIR SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS (INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED BLACKBERRY DISTRIBUTORS (ALSO INCLUDING AIRTIME SERVICE PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT CONTRACTORS. IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR, EMPLOYEE, AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF BLACKBERRY OR ANY AFFILIATES OF BLACKBERRY HAVE ANY LIABILITY ARISING FROM OR RELATED TO THE DOCUMENTATION. Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure that your airtime service provider has agreed to support all of their features. Some airtime service providers might not offer Internet browsing functionality with a subscription to the BlackBerry Internet Service. Check with your service provider for availability, roaming arrangements, service plans and features. Installation or use of Third Party Products and Services with BlackBerry's products and services may require one or more patent, trademark, copyright, or other licenses in order to avoid infringement or violation of third party rights. You are solely responsible for determining whether to use Third Party Products and Services and if any third party licenses are required to do so. If required you are responsible for acquiring them. You should not install or use Third Party Products and Services until all necessary licenses have been acquired. Any Third Party Products and Services that are provided with BlackBerry's products and services are provided as a convenience to you and are provided "AS IS" with no express or implied conditions, endorsements, guarantees, representations, or warranties of any kind by BlackBerry and BlackBerry assumes no liability whatsoever, in relation thereto. Your use of Third Party Products and Services shall be governed by and subject to you agreeing to the terms of separate licenses and other agreements applicable thereto with third parties, except to the extent expressly covered by a license or other agreement with BlackBerry. 113

114 Certain features outlined in this documentation require a minimum version of BlackBerry Enterprise Server, BlackBerry Desktop Software, and/or BlackBerry Device Software. The terms of use of any BlackBerry product or service are set out in a separate license or other agreement with BlackBerry applicable thereto. NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN AGREEMENTS OR WARRANTIES PROVIDED BY BLACKBERRY FOR PORTIONS OF ANY BLACKBERRY PRODUCT OR SERVICE OTHER THAN THIS DOCUMENTATION. BlackBerry Limited 2200 University Avenue East Waterloo, Ontario Canada N2K 0A7 BlackBerry UK Limited 200 Bath Road Slough, Berkshire SL1 3XE United Kingdom Published in Canada 114