Policy and Profile Reference Guide

Transcription

1 BlackBerry Enterprise Service 10 BlackBerry Device Service Version: 10.2 Policy and Profile Reference Guide

2 Published: SWD

3 Contents 1 About this guide New IT policy rules and profile settings in this release New IT policy rules IT policy rules General rule group Rules for all activation Hotspot WPA2-Personal Security Type rule Mobile Hotspot Mode and Tethering rule Roaming rule...14 Wireless Service Provider Billing rule...14 Rules for Regulated activation type...15 Custom Name for "Switch to Personal" Setting rule Hardware rule group Rules for Corporate and Regulated activation...16 Transfer Work Contacts Using Bluetooth PBAP or HFP rule Transfer Work Data Using NFC rule...16 Transfer Work Files Using Bluetooth OPP or a Wi-Fi Direct Connection rule...17 Transfer Work Messages Using Bluetooth MAP rule Transfer Work Messages Using Bluetooth MAP Without Prompt rule...18 Rules for Work space only and Regulated activation...19 Bluetooth rule Bluetooth A2DP rule...20 Bluetooth AVRCP rule...20 Bluetooth Contacts Transfer Using PBAP rule Bluetooth Discoverable Mode rule Bluetooth File Transfer Using OBEX rule Bluetooth HFP rule...22 Bluetooth MAP rule Bluetooth Pairing rule Bluetooth PAN Profile rule Bluetooth SPP rule Camera rule Enforce Bluetooth Secure Simple Pairing Numeric Comparison rule Enforce Minimum Bluetooth Passkey Length rule...26 FM Radio rule...27

4 HDMI rule Location Services rule...28 Minimum Bluetooth Encryption Key Length rule...28 NFC rule...29 Wi-Fi rule...30 Logging rule group Rules for all activation CCL Data Collection rule Log Submission rule Rules for Work space only and Regulated activation...32 BBM Log Wireless Synchronization rule Phone Log Wireless Synchronization rule PIN to PIN Log Wireless Synchronization rule SMS/MMS Log Wireless Synchronization rule Video Chat Log Wireless Synchronization rule...34 Password rule group Rules for all activation Maximum Password Age rule Maximum Password Attempts rule...35 Maximum Password History rule Minimum Password Complexity rule...36 Minimum Password Length rule...37 Security Timeout rule...37 Rules for Corporate and Regulated activation...38 Apply Work Space Password to Full Device rule...38 Password Required for Work Space rule Security rule group...40 Rules for all activation Application Security Timer Reset rule...40 BlackBerry Bridge rule Development Mode Access to Work Space rule Display Owner Information on Lock Screen rule...42 IRM-Protected Messages rule...42 Lock on Smart Card Removal rule Lock Screen Preview of Work Content rule...43 Maximum Bluetooth Range rule...44 Media Card Encryption rule...45 Network Access Control for Work Apps rule...46 PIN Entry Mode rule Restrict Development Mode rule...47

5 Smart Card Password Caching rule Smart Password Entry rule Use BBM Protected rule Voice Control rule Work Domains rule Rules for Corporate activation type Two-Factor Encryption Key Generation rule...51 WebGL rule Rules for Corporate and Regulated activation...52 Backup and Restore Work Space rule Personal Apps Access to Work Contacts rule...53 Personal Space Data Encryption rule Share Work Data During BBM Video Screen Sharing rule...54 Voice Dictation in Work Apps rule...55 Wipe the Work Space Without Network Connectivity rule Work Apps Access to Shared Files or Content in the Personal Space rule Work Network Usage for Personal Apps rule...56 Rules for Work space only and Regulated activation...57 Backup and Restore Device rule Computer Access to Device rule Display Organization Notice After Device Restart rule...58 Media Card rule...59 SMS/MMS Signature rule Two-Factor Authentication rule...60 Two-Factor Authentication Only for Work Space rule Voice Dictation rule Wipe the Device Without Network Connectivity rule...62 Rules for Regulated activation type...62 Advanced Data at Rest Protection rule Advanced Data at Rest Protection Timeout rule Assign Two-Factor Authentication for Work rule Two-Factor Authentication for Advanced Data at Rest Protection rule Software rule group...65 Rules for all activation External Address Indicator rule...65 External Address Warning Message rule External Domain Allowed List rule...66 External Domain Restricted List rule Find More Contact Details rule...67 Forward or Add Recipients to Private Messages rule...68

6 Rules for Corporate and Regulated activation...68 BBM Video Access to Work Network rule...68 Cloud Storage Access from Work Space rule Open Links in Work Messages in the Personal Browser rule...70 Unified View for Work and Personal Accounts and Messages rule Rules for Work space only and Regulated activation...71 BBM rule...71 BBM Video/BBM Voice rule BlackBerry Maps rule BlackBerry Protect rule Hotspot Browser rule joyn rule Media Sharing rule Miracast rule Non- Accounts rule Other Messaging Services rule...76 PIN Messages rule...76 SMS/MMS rule User-Created VPN Profiles rule Wireless Service Provider Apps rule Wireless Software Updates rule...78 YouTube for BlackBerry Devices rule Rules for Regulated activation type...79 Install Apps From Other Sources rule Profile settings profile settings...81 Allowed Content Ciphers setting Calendar Synchronization setting...81 Contact Synchronization setting Days to Synchronize setting...82 Digitally Signed S/MIME Messages setting Synchronization setting...84 Encrypted S/MIME Messages setting Interval Between Synchronizations setting Memo Synchronization setting...86 Push Enabled setting...86 Require Manual Synchronization When Roaming setting SCEP Profile setting...87 Server Name setting...87 Server Port setting...88

7 S/MIME Messages setting...88 Task Synchronization setting Type setting Use SSL setting SCEP profile settings Automatic Renewal setting Certificate Thumbprint setting Certification Authority Challenge Password setting...91 Certification Authority Identifier setting...92 ECC Strength setting Key Algorithm setting Private Key Export setting RSA Strength setting SCEP Service URL setting...94 Specify Encryption Algorithm setting...95 Specify Hash Function setting Wi-Fi profile settings...96 Access Point Handover setting Associated Proxy Profile setting Associated SCEP Profile setting Band Type setting Client Certificate Source setting...98 Data Security Level setting Default Gateway setting...99 Domain Suffix setting EAP Inner Link Security setting EAP Security setting EAP-FAST Provisioning Method setting Enable DHCP setting Enable IPv6 setting Hidden SSID setting IP Address setting Link Security setting Preshared Key setting Preshared Key Type setting Primary DNS setting Proxy Password setting Proxy Port setting Proxy Server setting Proxy User Name setting

8 Secondary DNS setting SSID setting Subnet Mask setting Trusted Certificate Source setting Use HTTP Proxy setting User Can Edit setting User Name setting User Password setting VPN Profile setting WEP Key setting VPN profile settings Associated Proxy Profile setting Associated SCEP Profile setting Authentication ID setting Authentication ID Type setting Authentication Type setting Automatically Determine IP setting Client Certificate Source setting Custom IKE DH Provider setting Data Security Level setting Disable Banner setting Display VPN Information on Device setting Domain Suffix setting DPD Frequency setting Dynamically Determine DNS setting EAP Identity setting Gateway Authentication ID setting Gateway Authentication ID Type setting Gateway Authentication Type setting Gateway Preshared Key setting Gateway Type setting Group Password setting Group User Name setting Hard Token setting IKE Cipher setting IKE DH Group setting IKE Hash setting IKE Lifetime setting IKE PRF setting IPSEC Cipher setting

9 IPSEC DH Group setting IPSEC Hash setting IPSEC Lifetime setting Manual Algorithm Selection setting MSCHAPv2 EAP Identity setting MSCHAPv2 Password setting MSCHAPv2 User Name setting NAT Keep Alive setting Password setting Perfect Forward Secrecy setting Preshared Key setting Primary DNS setting Private IP setting Private IP Mask setting Proxy Password setting Proxy Port setting Proxy Server setting Proxy User Name setting Secondary DNS setting Server Address setting Split Tunneling setting Subnet setting Subnet Mask setting Trusted Certificate Source setting Use HTTP Proxy setting User Can Edit setting User Name setting Proxy profile settings Exclusion List setting Host setting PAC URL setting Password setting Port setting Type setting User setting User Can Edit setting Product documentation Provide feedback Glossary Legal notice...150

10 About this guide 1 The BlackBerry Device Service is a component of BlackBerry Enterprise Service 10 that helps you manage BlackBerry devices for your organization. This reference guide provides descriptions for each IT policy rule and profile setting in the BlackBerry Device Service. This guide is intended for senior administrators who are responsible for setting up IT policies that govern device security and profiles that control how devices connect to your organization's network. For instructions on creating IT policies and profiles and assigning them to users and groups, see the BlackBerry Device Service Advanced Administration Guide. For more information about BlackBerry Device Service security and device security, see the BlackBerry Device Service Solution Security Technical Overview. 10

11 New IT policy rules New IT policy rules and profile settings in this release 2 New IT policy rules Policy group Rule BlackBerry 10 OS minimum requirement Hardware FM Radio A version later than

12 General rule group IT policy rules 3 This section describes all the IT policy rules available in the BlackBerry Device Service. The list of rules for each rule group is divided according to the activation that the rules apply to. Many of the IT policy rules do not apply to tablets running the BlackBerry PlayBook OS. If a rule does apply to the PlayBook OS, the PlayBook OS version is included in the minimum requirements for the rule. The following activation are available in the BlackBerry Device Service: Activation type Work and personal - Corporate Work space only Work and personal - Regulated This option activates a BlackBerry Balance device that separates work and personal data. Your organization only has control over the work space. You can use this option to activate BlackBerry 10 devices and BlackBerry PlayBook tablets. This option activates a device that only has a work space. You can use this option to activate devices running BlackBerry 10 OS version 10.1 and later. This option activates a regulated BlackBerry Balance device that separates work and personal data and gives your organization additional control over device features. You can use this option to activate devices running BlackBerry 10 OS version and later. General rule group Rules for all activation Hotspot WPA2-Personal Security Type rule This rule specifies whether a BlackBerry device must use the WPA2-Personal security type to connect to a hotspot. If you set this rule to Yes, the user cannot select a different security type to connect the device to a hotspot. This rule is obsolete in BlackBerry 10 OS version

13 General rule group Work and personal - Corporate Possible values Yes No Default value No Minimum requirements BlackBerry 10 OS version 10.1 Rule introduction BlackBerry Enterprise Service 10 version 10.1 Mobile Hotspot Mode and Tethering rule This rule specifies whether to allow Mobile Hotspot mode, tethering using Bluetooth technology, and tethering using a USB cable on a BlackBerry device. If you set this rule to Allow, all of these features are available in the settings on the device. If you set this rule to Disallow, none of these features are available in the settings on the device. Work and personal - Corporate Possible values Allow Disallow Default value Allow Minimum requirements Rule introduction BlackBerry Enterprise Service 10 version

14 General rule group Roaming rule This rule specifies whether a BlackBerry device can use data services over the wireless network when the device is roaming. If you set this rule to Disallow, the device cannot use data services over the wireless network when the device is roaming. If the device is connected to a Wi-Fi network, the device can send and receive data over the Wi-Fi network when the device is roaming, even if you change the value for this rule to Disallow. Work and personal - Corporate Possible values Allow Disallow Default value Allow Minimum requirements BlackBerry 10 OS version 10.1 for work space only devices BlackBerry 10 OS version 10.2 for BlackBerry Balance devices BlackBerry 10 OS version for regulated BlackBerry Balance devices Rule introduction BlackBerry Enterprise Service 10 version 10.1 Wireless Service Provider Billing rule This rule specifies whether a BlackBerry device user can purchase apps from the BlackBerry World storefront and the BlackBerry World for Work storefront using the purchasing plan for your organization's wireless service provider. If you set this rule to Disallow, users must pay for app purchases using another payment method. Work and personal - Corporate Possible values Allow Disallow 14

15 General rule group Default value Allow Minimum requirements Rule introduction BlackBerry Enterprise Service 10 version 10.0 Rules for Regulated activation type Custom Name for "Switch to Personal" Setting rule This rule specifies a name for the device setting that allows a user to switch from the work space to the personal space on a BlackBerry device. The device displays the custom name in the Quick Settings menu when the user swipes down from the top of the home screen. The custom name is not localized, so you must use the appropriate language for users when you specify the name. If you do not set this rule, the device displays the default name, "Switch to Personal," in the Quick Settings menu. Possible values 1 to 20 characters Minimum requirements BlackBerry 10 OS version Rule introduction BlackBerry Enterprise Service 10 version 10.2 MR2 15

16 Hardware rule group Hardware rule group Rules for Corporate and Regulated activation Transfer Work Contacts Using Bluetooth PBAP or HFP rule Related rules This rule specifies whether a BlackBerry device can send work contacts to another Bluetooth enabled device using the Bluetooth PBAP or HFP. If you set this rule to Disallow, users cannot transfer work contacts using the Bluetooth PBAP or HFP. Setting this rule to Disallow also prevents users from transferring work messages using the Bluetooth MAP. On regulated BlackBerry Balance devices, this rule takes effect only if the Bluetooth rule is set to Allow and the Bluetooth Contacts Transfer Using PBAP rule or the Bluetooth HFP rule is set to Allow. Work and personal - Corporate Possible values Allow Disallow Default value Allow Minimum requirements Rule introduction BlackBerry Enterprise Service 10 version 10.0 Transfer Work Data Using NFC rule This rule specifies whether a BlackBerry device can send work data to another NFCenabled device using NFC. If you set this rule to Disallow, the device cannot send work data to another device using NFC. 16

17 Hardware rule group Related rules Setting this rule to Disallow also prevents an NFC-enabled device from using NFC to initiate work data transfers using the Bluetooth OPP. On regulated BlackBerry Balance devices, if the NFC rule is set to Disallow, this rule does not apply. Work and personal - Corporate Possible values Allow Disallow Default value Allow Minimum requirements BlackBerry 10 OS version 10.2 Rule introduction BlackBerry Enterprise Service 10 version Transfer Work Files Using Bluetooth OPP or a Wi-Fi Direct Connection rule Related rules This rule specifies whether a BlackBerry device can transfer work files to another Bluetooth enabled device or NFC-enabled device using the Bluetooth OPP or, if a device is running a version of BlackBerry 10 OS that is later than , transfer work files over a Wi-Fi Direct connection. Setting the Transfer Work Data Using NFC rule to Disallow also prevents an NFC-enabled device from using NFC to initiate work data transfers using the Bluetooth OPP, regardless of the setting for this rule. On regulated BlackBerry Balance devices, this rule takes effect only if the Bluetooth rule or the Wi-Fi rule is set to Allow. Work and personal - Corporate Possible values Allow Disallow 17

18 Hardware rule group Default value Allow Minimum requirements Rule introduction BlackBerry Enterprise Service 10 version 10.0 Transfer Work Messages Using Bluetooth MAP rule Related rules This rule specifies whether a BlackBerry device can send messages from the work space (for example, messages and instant messages) to another Bluetooth enabled device using the Bluetooth MAP. Setting the Transfer Work Contacts Using Bluetooth PBAP or HFP rule to Disallow also prevents users from sending messages using the Bluetooth MAP, regardless of the setting for this rule. On regulated BlackBerry Balance devices, this rule takes effect only if the Bluetooth rule and the Bluetooth MAP rule are set to Allow. Work and personal - Corporate Possible values Allow Disallow Default value Allow Minimum requirements Rule introduction BlackBerry Enterprise Service 10 version 10.0 Transfer Work Messages Using Bluetooth MAP Without Prompt rule This rule specifies whether a user can transfer work messages to a Bluetooth enabled device using the Bluetooth MAP following a single password prompt to access the work space. If you set this rule to Disallow, the user must unlock the work space each time the device connects to the Bluetooth enabled device before the device can transfer work messages using the Bluetooth MAP. 18

19 Hardware rule group Related rules If the Transfer Work Messages Using Bluetooth MAP rule is set to Disallow, this rule does not apply. On regulated BlackBerry Balance devices, if the Bluetooth rule is set to Disallow, this rule does not apply. Work and personal - Corporate Possible values Allow Disallow Default value Allow Minimum requirements BlackBerry 10 OS version 10.1 Rule introduction BlackBerry Enterprise Service 10 version 10.1 Rules for Work space only and Regulated activation Bluetooth rule This rule specifies whether a BlackBerry device can use Bluetooth technology. If you set this rule to Disallow, the device cannot use Bluetooth technology. Possible values Allow Disallow Default value Allow Minimum requirements BlackBerry 10 OS version

20 Hardware rule group Rule introduction BlackBerry Enterprise Service 10 version 10.1 Bluetooth A2DP rule Related rules This rule specifies whether a BlackBerry device can use the Bluetooth A2DP. A device can use the Bluetooth A2DP to stream audio files to another Bluetooth enabled device (for example, a headset). If you set this rule to Disallow, the device cannot use the Bluetooth A2DP. If the Bluetooth rule is set to Disallow, this rule does not apply. Possible values Allow Disallow Default value Allow Minimum requirements BlackBerry 10 OS version 10.1 Rule introduction BlackBerry Enterprise Service 10 version 10.1 Bluetooth AVRCP rule Related rules This rule specifies whether a BlackBerry device can use the Bluetooth AVRCP. A device can use the Bluetooth AVRCP to allow a Bluetooth enabled device (for example, a headset) to control the device's media apps. If you set this rule to Disallow, the device cannot use the Bluetooth AVRCP. If the Bluetooth rule is set to Disallow, this rule does not apply. Possible values Allow Disallow 20

21 Hardware rule group Default value Allow Minimum requirements BlackBerry 10 OS version 10.1 Rule introduction BlackBerry Enterprise Service 10 version 10.1 Bluetooth Contacts Transfer Using PBAP rule Related rules This rule specifies whether a BlackBerry device can exchange Contacts data with other Bluetooth enabled devices using the Bluetooth PBAP. If you set this rule to Disallow, the device cannot exchange Contacts data with other Bluetooth enabled devices. If the Bluetooth rule is set to Disallow, this rule does not apply. Possible values Allow Disallow Default value Allow Minimum requirements BlackBerry 10 OS version 10.1 Rule introduction BlackBerry Enterprise Service 10 version 10.1 Bluetooth Discoverable Mode rule Related rules This rule specifies whether a BlackBerry device can use Bluetooth discoverable mode. A device that is discoverable can be found by other Bluetooth enabled devices within range of the device. If you set this rule to Disallow, the device cannot use Bluetooth discoverable mode. If the Bluetooth rule is set to Disallow, this rule does not apply. 21

22 Hardware rule group Possible values Allow Disallow Default value Allow Minimum requirements BlackBerry 10 OS version 10.1 Rule introduction BlackBerry Enterprise Service 10 version 10.1 Bluetooth File Transfer Using OBEX rule Related rules This rule specifies whether a BlackBerry device can exchange files with other supported Bluetooth OBEX devices. If you set this rule to Disallow, the device cannot exchange files with other supported Bluetooth OBEX devices. If the Bluetooth rule is set to Disallow, this rule does not apply. Possible values Allow Disallow Default value Allow Minimum requirements BlackBerry 10 OS version 10.1 Rule introduction BlackBerry Enterprise Service 10 version 10.1 Bluetooth HFP rule Related rules This rule specifies whether a BlackBerry device can use the Bluetooth HFP. A device can use the Bluetooth HFP to allow a Bluetooth enabled device (for example, a car kit or a headset) to access the Contacts and Phone apps on the device to make phone calls. If you set this rule to Disallow, the device cannot use the Bluetooth HFP. If the Bluetooth rule is set to Disallow, this rule does not apply. 22

23 Hardware rule group Possible values Allow Disallow Default value Allow Minimum requirements BlackBerry 10 OS version 10.1 Rule introduction BlackBerry Enterprise Service 10 version 10.1 Bluetooth MAP rule Related rules This rule specifies whether a BlackBerry device can use the Bluetooth MAP. A device can use the Bluetooth MAP to allow a Bluetooth enabled device to access messages. If you set this rule to Disallow, the device cannot use the Bluetooth MAP. If the Bluetooth rule is set to Disallow, this rule does not apply. Possible values Allow Disallow Default value Allow Minimum requirements BlackBerry 10 OS version 10.1 Rule introduction BlackBerry Enterprise Service 10 version 10.1 Bluetooth Pairing rule This rule specifies whether a BlackBerry device can connect to another Bluetooth enabled device. If you set this rule to Disallow, the device cannot establish new connections with 23

24 Hardware rule group other Bluetooth enabled devices. After a device connects to another Bluetooth enabled device, you can use this rule to prevent the device from connecting to additional Bluetooth enabled devices. Related rules If the Bluetooth rule is set to Disallow, this rule does not apply. Possible values Allow Disallow Default value Allow Minimum requirements BlackBerry 10 OS version 10.1 Rule introduction BlackBerry Enterprise Service 10 version 10.1 Bluetooth PAN Profile rule Related rules This rule specifies whether a BlackBerry device can use the Bluetooth PAN profile. A device can use the Bluetooth PAN profile to allow a Bluetooth enabled device to tether to it. If you set this rule to Disallow, the device cannot use the Bluetooth PAN profile. If the Bluetooth rule is set to Disallow, this rule does not apply. Possible values Allow Disallow Default value Allow Minimum requirements BlackBerry 10 OS version 10.1 Rule introduction BlackBerry Enterprise Service 10 version

25 Hardware rule group Bluetooth SPP rule Related rules This rule specifies whether a BlackBerry device can use the Bluetooth SPP. If you set this rule to Disallow, the device cannot use the Bluetooth SPP. If the Bluetooth rule is set to Disallow, this rule does not apply. Possible values Allow Disallow Default value Allow Minimum requirements BlackBerry 10 OS version 10.1 Rule introduction BlackBerry Enterprise Service 10 version 10.1 Camera rule This rule specifies whether a BlackBerry device can use the camera. If you set this rule to Disallow, the device cannot use the camera. Possible values Allow Disallow Default value Allow Minimum requirements BlackBerry 10 OS version 10.1 Rule introduction BlackBerry Enterprise Service 10 version

26 Hardware rule group Enforce Bluetooth Secure Simple Pairing Numeric Comparison rule Related rules This rule specifies whether a BlackBerry device must use the numeric comparison mode if the device uses Bluetooth SSP to connect to another Bluetooth enabled device. If you set this rule to Yes, the device must use the numeric comparison mode if the device uses Bluetooth SSP to connect to another Bluetooth enabled device. If the Bluetooth rule is set to Disallow, this rule does not apply. Possible values Yes No Default value No Minimum requirements BlackBerry 10 OS version 10.1 Rule introduction BlackBerry Enterprise Service 10 version 10.1 Enforce Minimum Bluetooth Passkey Length rule Related rules This rule specifies whether a BlackBerry device must use a Bluetooth passkey that is at least 8 digits to connect to another Bluetooth enabled device. If you set this rule to Yes, the BlackBerry device cannot connect to another Bluetooth enabled device if the passkey that the Bluetooth enabled device requests or provides is less than 8 digits. If the Bluetooth rule is set to Disallow, this rule does not apply. Possible values Yes No Default value No 26

27 Hardware rule group Minimum requirements BlackBerry 10 OS version 10.1 Rule introduction BlackBerry Enterprise Service 10 version 10.1 FM Radio rule This rule specifies whether a BlackBerry device user can use the FM Radio. Setting this rule to Disallow prevents a user from using the FM Radio on a device that supports it. After you set this rule to Disallow, if you change this rule to Allow, the user cannot use the FM Radio until apps that use it are restarted. Possible values Allow Disallow Default value Allow Minimum requirements A version of BlackBerry 10 OS later than Rule introduction BlackBerry Enterprise Service 10 version 10.2 MR3 HDMI rule Related rules This rule specifies whether a BlackBerry device can use the HDMI port. If you set this rule to Disallow, the device cannot use the HDMI port. Setting this rule to Disallow also prevents the device from sending streaming video over a Wi-Fi Direct connection to other Wi-Fi CERTIFIED Miracast devices. Possible values Allow Disallow 27

28 Hardware rule group Default value Allow Minimum requirements BlackBerry 10 OS version 10.1 Rule introduction BlackBerry Enterprise Service 10 version 10.1 Location Services rule This rule specifies whether a BlackBerry device can provide its geographic location to apps that are running on the device. If you set this rule to Disallow, apps on the device cannot use the GPS or geolocation service to determine the location of the device. Possible values Allow Disallow Default value Allow Minimum requirements BlackBerry 10 OS version 10.1 Rule introduction BlackBerry Enterprise Service 10 version 10.1 Minimum Bluetooth Encryption Key Length rule Related rules This rule specifies the minimum encryption key length that a BlackBerry device uses to encrypt Bluetooth connections. If the Bluetooth rule is set to Disallow, this rule does not apply. Possible values 1 byte 2 bytes 28

29 Hardware rule group 3 bytes 4 bytes 5 bytes 6 bytes 7 bytes 8 bytes 9 bytes 10 bytes 11 bytes 12 bytes 13 bytes 14 bytes 15 bytes 16 bytes Default value 1 byte Minimum requirements BlackBerry 10 OS version 10.1 Rule introduction BlackBerry Enterprise Service 10 version 10.1 NFC rule This rule specifies whether a BlackBerry device can use NFC. If you set this rule to Disallow, the device cannot use NFC. Possible values Allow Disallow Default value Allow 29

30 Logging rule group Minimum requirements BlackBerry 10 OS version 10.1 Rule introduction BlackBerry Enterprise Service 10 version 10.1 Wi-Fi rule This rule specifies whether a BlackBerry device can make Wi-Fi connections. If you set this rule to Disallow, the device cannot make Wi-Fi connections. After you set this rule to Disallow, if you change this rule to Allow, the device cannot use Wi-Fi until it is restarted. Possible values Allow Disallow Default value Allow Minimum requirements BlackBerry 10 OS version 10.1 Rule introduction BlackBerry Enterprise Service 10 version 10.1 Logging rule group Rules for all activation CCL Data Collection rule This rule specifies whether a BlackBerry device allows CCL data collection across all apps. CCL allows apps to collect rich data related to app usage and to carry out deep cross-app analysis. If you set this rule to Disallow, the device does not allow CCL data collection. 30

31 Logging rule group Work and personal - Corporate Possible values Allow Disallow Default value Allow Minimum requirements BlackBerry 10 OS version 10.1 Rule introduction BlackBerry Enterprise Service 10 version 10.1 Log Submission rule This rule specifies whether a BlackBerry device can generate and send log files to the BlackBerry Technical Solution Center. If you set this rule to No, the device cannot generate and send log files to the BlackBerry Technical Solution Center. Work and personal - Corporate Possible values Yes No Default value Yes Rule introduction BlackBerry Device Service

32 Logging rule group Rules for Work space only and Regulated activation BBM Log Wireless Synchronization rule This rule specifies whether a BlackBerry device synchronizes logs for BBM with your organization's BlackBerry Device Service. Possible values Yes No Default value No Minimum requirements BlackBerry 10 OS version 10.1 Rule introduction BlackBerry Enterprise Service 10 version 10.1 Phone Log Wireless Synchronization rule This rule specifies whether a BlackBerry device synchronizes the call log for the Phone app with your organization's BlackBerry Device Service. Possible values Yes No Default value No 32

33 Logging rule group Minimum requirements BlackBerry 10 OS version 10.1 Rule introduction BlackBerry Enterprise Service 10 version 10.1 PIN to PIN Log Wireless Synchronization rule This rule specifies whether a BlackBerry device synchronizes logs for PIN messages with your organization's BlackBerry Device Service. Possible values Yes No Default value No Minimum requirements BlackBerry 10 OS version 10.1 Rule introduction BlackBerry Enterprise Service 10 version 10.1 SMS/MMS Log Wireless Synchronization rule This rule specifies whether a BlackBerry device synchronizes logs for SMS text messages and MMS messages with your organization's BlackBerry Device Service. Possible values Yes No Default value No Minimum requirements BlackBerry 10 OS version

34 Password rule group Rule introduction BlackBerry Enterprise Service 10 version 10.1 Video Chat Log Wireless Synchronization rule This rule specifies whether a BlackBerry device synchronizes logs for the BBM Video feature with your organization's BlackBerry Device Service. Possible values Yes No Default value No Minimum requirements BlackBerry 10 OS version 10.1 Rule introduction BlackBerry Enterprise Service 10 version 10.1 Password rule group Rules for all activation Maximum Password Age rule Related rules This rule specifies the number of days that can elapse before the work space password expires and a BlackBerry device user must set a new password. If you set this rule to 0, the password does not expire. On BlackBerry Balance and regulated BlackBerry Balance devices, this rule takes effect only if the Password Required for Work Space rule is set to Yes. Work and personal - Corporate 34

35 Password rule group Possible values 0 to 365 days Default value 0 Rule introduction BlackBerry Device Service 6.0 Maximum Password Attempts rule Related rules This rule specifies the number of times that a BlackBerry device user can enter an incorrect password before a device deletes the data in the work space. On BlackBerry Balance and regulated BlackBerry Balance devices, this rule takes effect only if the Password Required for Work Space rule is set to Yes. If the Apply Work Space Password to Full Device rule is also set to Yes, all data on the device is deleted. Work and personal - Corporate Possible values 3 to 10 Default value 10 Rule introduction BlackBerry Device Service

36 Password rule group Maximum Password History rule Related rules This rule specifies the maximum number of previous passwords that a BlackBerry device checks to prevent a user from reusing a work space password. If you set this rule to 0, the device does not check previous passwords. On BlackBerry Balance and regulated BlackBerry Balance devices, this rule takes effect only if the Password Required for Work Space rule is set to Yes. Work and personal - Corporate Possible values 0 to 15 Default value 0 Rule introduction BlackBerry Device Service 6.0 Minimum Password Complexity rule Related rules This rule specifies the minimum complexity of the work space password. If you set this rule, a user must create a password that includes the of characters that you specify. On BlackBerry Balance and regulated BlackBerry Balance devices, this rule takes effect only if the Password Required for Work Space rule is set to Yes. Work and personal - Corporate Possible values No restriction At least 1 letter and 1 number 36

37 Password rule group At least 1 letter, 1 number, and 1 special character At least 1 uppercase letter, 1 lowercase letter, 1 number, and 1 special character Default value No restriction Rule introduction BlackBerry Device Service 6.0 Minimum Password Length rule Related rules This rule specifies the minimum length of the work space password. On BlackBerry Balance and regulated BlackBerry Balance devices, this rule takes effect only if the Password Required for Work Space rule is set to Yes. Work and personal - Corporate Possible values 4 to 32 Default value 4 Rule introduction BlackBerry Device Service 6.0 Security Timeout rule Related rules This rule specifies the number of minutes of BlackBerry device user inactivity that must elapse before the work space locks. If the Application Security Timer Reset rule is set to Allow, the device does not lock when apps that can reset the security timer are running. 37

38 Password rule group On BlackBerry Balance and regulated BlackBerry Balance devices, this rule takes effect only if the Password Required for Work Space rule is set to Yes. Work and personal - Corporate Possible values 5 minutes 10 minutes 15 minutes 30 minutes 45 minutes 60 minutes Default value 30 minutes for devices running the BlackBerry 10 OS 45 minutes for tablets running the BlackBerry PlayBook OS Rule introduction BlackBerry Device Service 6.0 Rules for Corporate and Regulated activation Apply Work Space Password to Full Device rule Related rules This rule specifies whether a BlackBerry Balance or regulated BlackBerry Balance device applies the work space password to the full device. If you set this rule to Yes, the work space password becomes the device password. If you set this rule to No, a user can choose to set a different password for the device. If you want to protect only the work space, set the Password Required for Work Space rule to Yes and set this rule to No. This rule takes effect only if the Password Required for Work Space rule is set to Yes. 38

39 Password rule group Work and personal - Corporate Possible values Yes No Default value No Rule introduction BlackBerry Device Service 6.0 Password Required for Work Space rule Related rules This rule specifies whether a BlackBerry Balance or regulated BlackBerry Balance device requires a password for the work space. If you set this rule to Yes, a user must set a password for the work space on the device. Devices that only have a work space always require a password. Setting the Apply Work Space Password to Full Device rule to Yes applies the same password to both the work space and the device. If the work space and the device have the same password, unlocking the device also unlocks the work space but the work space can be locked without locking the device. Work and personal - Corporate Possible values Yes No Default value Yes for devices running the BlackBerry 10 OS No for tablets running the BlackBerry PlayBook OS 39

40 Security rule group Rule introduction BlackBerry Device Service 6.0 Security rule group Rules for all activation Application Security Timer Reset rule This rule specifies whether apps can reset the security timer on a BlackBerry device to prevent the device from locking after the period of user inactivity that you specify in the Security Timeout rule or the user specifies in the Password Lock settings on the device elapses. If you set this rule to Disallow, the device will lock without user interaction when running apps that attempt to reset the security timer, such as apps that display navigation information, slideshows, and videos. If you set this rule to Allow, the device will not lock after the period of user inactivity elapses when running apps that can reset the security timer. Work and personal - Corporate Possible values Allow Disallow Default value Allow Minimum requirements Rule introduction BlackBerry Enterprise Service 10 version

41 Security rule group BlackBerry Bridge rule This rule specifies whether a BlackBerry 10 device user can use a BlackBerry PlayBook tablet to access work data on a device using the BlackBerry Bridge app. If you set this rule to Disallow, the user cannot use the tablet to access work data on the device using the BlackBerry Bridge app. Work and personal - Corporate Possible values Allow Disallow Default value Allow Minimum requirements Rule introduction BlackBerry Enterprise Service 10 version 10.0 Development Mode Access to Work Space rule Related rules This rule specifies whether development mode can be used to allow software development tools to connect to the work space on a BlackBerry device using a USB or Wi-Fi connection and install apps directly in the work space. If you set this rule to Allow, users can use software development tools to connect to the work space on the device and install apps directly in the work space. This rule takes effect only if the Restrict Development Mode rule is set to No. Work and personal - Corporate Possible values Allow Disallow 41

42 Security rule group Default value Disallow Minimum requirements BlackBerry 10 OS version 10.2 Rule introduction BlackBerry Enterprise Service 10 version Display Owner Information on Lock Screen rule This rule specifies the owner information that a BlackBerry device displays when the device is locked. The lock screen can display up to two lines of text. Work and personal - Corporate Possible values 1 to 100 characters Minimum requirements BlackBerry 10 OS version Rule introduction BlackBerry Enterprise Service 10 version 10.2 IRM-Protected Messages rule This rule specifies whether a BlackBerry device user can read IRM-protected messages. If you set this rule to Allow, the user can read IRM-protected messages and the device enforces the rights given by the sender. If you set this rule to Disallow, the user cannot read IRM-protected messages on the device. Work and personal - Corporate Possible values Allow Disallow 42

43 Security rule group Default value Allow Minimum requirements BlackBerry 10 OS version Rule introduction BlackBerry Enterprise Service 10 version 10.2 Lock on Smart Card Removal rule Related rules This rule specifies whether the work space locks when a user removes the smart card from the supported smart card reader or disconnects the supported smart card reader from the device. If you set this rule to Allow or Required, a user might need the driver for the smart card reader. Not all smart card reader drivers support smart card removal detection. On BlackBerry Balance and regulated BlackBerry Balance devices, this rule takes effect only if the Password Required for Work Space rule is set to Yes. Work and personal - Corporate Possible values Allow No Required Default value Allow Minimum requirements BlackBerry 10 OS version 10.2 Rule introduction BlackBerry Enterprise Service 10 version 10.1 Lock Screen Preview of Work Content rule This rule specifies whether a BlackBerry device displays a preview of work content when the device is locked. On BlackBerry Balance and regulated BlackBerry Balance devices, if you set this rule to Allow, the lock screen displays a preview of work content when the work space is unlocked in the background. After the security timeout locks the work space, the lock screen displays a notification that locked items are available. If you set this rule to 43

44 Security rule group Disallow, the lock screen displays only a notification that locked items are available, regardless of whether the work space is unlocked in the background. On work space only devices, if you set this rule to Allow, the lock screen displays a preview of work content. If you set this rule to Disallow, the lock screen displays only a notification that locked items are available. Work and personal - Corporate Possible values Allow Disallow Default value Allow Minimum requirements BlackBerry 10 OS version Rule introduction BlackBerry Enterprise Service 10 version 10.2 Maximum Bluetooth Range rule This rule specifies the maximum power range that a BlackBerry Smart Card Reader uses to send Bluetooth packets to a BlackBerry device or a computer. The permitted range is between 30% and 100%. You can configure a higher power range to allow a BlackBerry Smart Card Reader to send Bluetooth packets to a BlackBerry device or a computer over a greater distance. Work and personal - Corporate Possible values 30% 40% 50% 60% 70% 44

45 Security rule group 80% 90% 100% Default value 100% Minimum requirements BlackBerry 10 OS version 10.2 Rule introduction BlackBerry Enterprise Service 10 version 10.0 Media Card Encryption rule Related rules This rule specifies whether a BlackBerry device must encrypt all data on the media card that is inserted in the device. The media card is disabled if another device encrypted the data on it. If you set this rule to Yes, the device automatically encrypts all data on the media card. If you set this rule to No, the device stores all data in an unencrypted format on the media card. On work space only and regulated BlackBerry Balance devices, this rule takes effect only if the Media Card rule is set to Allow. Work and personal - Corporate Possible values Yes No Default value No Minimum requirements Rule introduction BlackBerry Enterprise Service 10 version

46 Security rule group Network Access Control for Work Apps rule This rule specifies whether work apps on a BlackBerry device must connect to your organization's network through the BlackBerry Device Service. Setting this rule to Yes also permits BlackBerry PlayBook tablets to connect to your organization's network through the BlackBerry Enterprise Server using a BlackBerry Bridge connection to a BlackBerry smartphone running BlackBerry Device Software 5.0 to 7.1. Work and personal - Corporate Possible values Yes No Default value No Rule introduction BlackBerry Device Service 6.0 PIN Entry Mode rule This rule specifies the PIN entry mode that is required when a BlackBerry Smart Card Reader connects to a BlackBerry device or a computer. The BlackBerry Device Service enforces the PIN format required when the user the smart card password during the Bluetooth connection process. Work and personal - Corporate Possible values Numeric Alphanumeric lowercase Alphanumeric mixed case 46

47 Security rule group Default value Numeric Minimum requirements BlackBerry 10 OS version 10.2 Rule introduction BlackBerry Enterprise Service 10 version 10.0 Restrict Development Mode rule Related rules This rule specifies whether development mode is restricted for BlackBerry device users. Development mode allows software development tools to connect to a device and also allows you or a user to install apps directly on the device using a USB or Wi-Fi connection. If you set this rule to Yes, users can only download and install apps from the BlackBerry World storefront and you can also send apps to devices using the BlackBerry Administration Service. If you set this rule to No, you can use the Development Mode Access to Work Space rule to prevent users who have devices that are running BlackBerry 10 OS version 10.2 and later from using development mode to install apps in the work space. On regulated BlackBerry Balance devices, you can use the Install Apps From Other Sources rule to prevent users from installing apps in the personal space from other sources such as attachments. Work and personal - Corporate Possible values Yes No Default value No Minimum requirements BlackBerry PlayBook OS 2.1 Rule introduction BlackBerry Device Service

48 Security rule group Smart Card Password Caching rule This rule specifies whether a BlackBerry device can cache the smart card password. If you set this rule to Allow, the user can choose to cache the smart card password. If you set this rule to Required, the smart card password is always cached. The cached password is stored in the BlackBerry device keystore. Work and personal - Corporate Possible values Allow Disallow Required Default value Allow Minimum requirements BlackBerry 10 OS version 10.2 Rule introduction BlackBerry Enterprise Service 10 version 10.1 Smart Password Entry rule This rule specifies whether a BlackBerry device can use smart password entry with twofactor authentication. Smart password entry allows a user to enter numeric passwords on the device without pressing the Alt key and automatically fills the device or work space password field if the device password or work space password and the smart card password are the same. If you set this rule to Allow, the user can use smart password entry with two-factor authentication. If you set this rule to Required, the device always uses smart password entry with two-factor authentication. Work and personal - Corporate Possible values Allow 48

49 Security rule group Disallow Required Default value Allow Minimum requirements BlackBerry 10 OS version 10.2 Rule introduction BlackBerry Enterprise Service 10 version 10.1 Use BBM Protected rule Related rules This rule specifies whether BBM can use BBM Protected for message encryption. If you set this rule to Yes, BBM uses BBM Protected to encrypt and decrypt messages exchanged with contacts that have the Use BBM Protected rule enabled, and it uses default BBM encryption for messages exchanged with other contacts. If you set this rule to No, BBM always uses default BBM encryption. BBM Protected is part of the ebbm Suite of products and may only be used if your organization has purchased the required BBM Protected user licenses from BlackBerry or an authorized reseller. Before you enable the Use BBM Protected rule, you must verify that your organization has purchased the required BBM Protected user licenses. For more information, visit On work space only and regulated BlackBerry Balance devices, if the BBM rule is set to Disallow, this rule does not apply. Work and personal - Corporate Possible values Yes No Default value No Minimum requirements BlackBerry 10 OS version 10.2 BBM for work space only devices 49

50 Security rule group A version of BBM later than for BlackBerry Balance and regulated BlackBerry Balance devices Rule introduction BlackBerry Enterprise Service 10 version 10.2 MR2 Voice Control rule This rule specifies whether a BlackBerry device user can use the voice control commands on a device. If you set this rule to Allow all, the user can use all of the voice control commands on the device. If you set this rule to Disallow for and calendar, the user cannot use any of the and calendar voice control commands on the device. If you set this rule to Allow only phone and device status, the user can use voice control commands only for voice dialing and, on devices that are running BlackBerry 10 OS version 10.2 and later, for checking device status. For more information about voice control commands, see the user guide for the BlackBerry device. Work and personal - Corporate Possible values Allow all Disallow for and calendar Allow only phone and device status Default value Allow all Minimum requirements Rule introduction BlackBerry Enterprise Service 10 version 10.0 Work Domains rule This rule specifies a list of domain names that a BlackBerry device identifies as work resources. If you specify domain names in this rule, the device identifies data from a computer in these domains as work data. Data sent from these domains to the device using the Print To Go app is stored in the work space on the device. All of the subdomains 50