Advanced Administration

Transcription

1 BlackBerry Enterprise Service 10 BlackBerry Device Service Version: 10.2 Advanced Administration Guide

2 Published: SWD

3 Contents 1 Introduction...11 About this guide...12 What is BlackBerry Enterprise Service 10?...13 Key features of BlackBerry Enterprise Service About the BlackBerry Device Service...15 Log in to the BlackBerry Device Service console...15 About BES10 Self-Service Setting up administrator accounts...19 Defining different types of administrators Preconfigured roles View the permission of a role Create a role...21 Copy a role Change a role Delete a role...22 Permissions for preconfigured roles...22 Creating and managing administrator accounts Create an administrator account...30 Change an administrator account Delete an administrator account...31 Remove an administrator account from the BlackBerry Device Service Add an administrator account to the BlackBerry Device Service...32 Add an administrator account to a group Delete administrator accounts from a group Add a role to an administrator account Delete roles from an administrator account Setting up device controls...35 Controlling how devices can connect to your organization's network Managing Wi-Fi profiles Managing VPN profiles Managing profiles Managing SCEP profiles Managing proxy profiles...50 Accessing network drives from devices Allow devices to have single sign-on access to your organization's network...53

4 Managing device security features and behaviors Preconfigured IT policy...55 Create an IT policy...55 Copy an IT policy Import IT policies Export IT policies...56 Change an IT policy Delete an IT policy...57 View the IT policies assigned to user accounts and administrator accounts...57 Resolving IT policy conflicts Managing work and personal spaces Configuring the default device activation type for all new users...61 Enforcing your organization's device compliance requirements Update the template for the device compliance notification Select an enforcement action for devices that are not in compliance Managing app availability on devices...67 Preparing an app for delivery Sending and removing apps from devices Reconciling multiple software configurations that are assigned to a user account Managing groups, users, and device controls Creating and managing groups...80 About preconfigured groups Create a group Change a group...81 Delete a group...81 Add child groups to a group Delete child groups from a parent group Add roles to a group Delete roles from a group Applying device controls to a group Add software configurations to a group Delete software configurations from a group Add an IT policy to a group Delete an IT policy from a group...85 Add Wi-Fi profiles to a group...85 Delete Wi-Fi profiles from a group Add VPN profiles to a group Delete VPN profiles from a group Creating and changing user accounts...88 Creating organization notices... 88

5 Create a user account Create a local user account Synchronize new or updated user information with a company directory...92 Change a user account...92 Create user accounts from a.csv file...92 Create local user accounts from a.csv file...94 Change the user accounts in a.csv file...95 Create a list of all user accounts and their associated devices...96 Create a list of selected user accounts and their associated devices Move a user account from one BlackBerry Device Service instance to another Delete a user account...97 Managing groups and roles for user accounts Add user accounts to groups Delete user accounts from groups Add roles to user accounts Delete roles from user accounts Applying device controls to user accounts Add software configurations to user accounts Delete software configurations from user accounts Add an IT policy to a user account Delete an IT policy from a user account Add Wi-Fi profiles to user accounts Delete Wi-Fi profiles from user accounts Add VPN profiles to user accounts Delete VPN profiles from user accounts Add an profile to a user account Delete an profile from a user account Activating and managing devices Activating devices Preparing to assign devices Activate a device using the BlackBerry Administration Service Setting an activation password using BES10 Self-Service Activating a device over the wireless network Prevent wireless activation over the BlackBerry infrastructure Managing devices Sending CA certificates to devices Sending work space wallpaper to devices Assign a user a different device Specify a new device password and lock the device Specify a new work space password and lock the work space...120

6 Resend IT policies to a device Managing how device controls are sent to devices Deactivating a device Reactivate a device Create a list of all user accounts and their associated devices Create a list of selected user accounts and their associated devices Troubleshooting devices The computer blocks incoming connections from a device The computer uses an incorrect certificate template for the SCEP The service plan on your SIM card doesn t support your organization s activation requirements Maintaining and monitoring Maintaining and monitoring the health of the BlackBerry Device Service Change how the BlackBerry Controller restarts a BlackBerry Device Service component Managing log files for server components Change the location for log files Change the folder for log files Change the name of a log file Add a prefix to the file name of a log file Change the maximum size of a log file Change the logging level of a log file Specify how the BlackBerry Device Service manages a log file that reaches its maximum size Specify when the BlackBerry Device Service creates a log file Set the maximum age for a log file Change the encoding of the log file Restore default settings for log files Changing how the BlackBerry MDS Connection Service creates a log file Sending device log files to the BlackBerry Technical Solution Center Profile settings profile settings Type setting Server Name setting Server Port setting Use SSL setting SyncML server SyncML server port Use SSL to connect to SyncML Push Enabled setting Days to Synchronize setting Interval Between Synchronizations setting Require Manual Synchronization When Roaming setting

7 Synchronization setting Calendar Synchronization setting Contact Synchronization setting Memo Synchronization setting Task Synchronization setting To Do list synchronization SCEP Profile setting S/MIME Messages setting Digitally Signed S/MIME Messages setting Encrypted S/MIME Messages setting Allowed Content Ciphers setting SCEP profile settings SCEP Service URL setting Certificate Thumbprint setting Key Algorithm setting RSA Strength setting ECC Strength setting Specify Encryption Algorithm setting Specify Hash Function setting Certification Authority Identifier setting Certification Authority Challenge Password setting Automatic Renewal setting Wi-Fi profile settings SSID setting Hidden SSID setting Link Security setting EAP Security setting EAP-FAST Provisioning Method setting EAP Inner Link Security setting WEP Key setting Preshared Key Type setting Preshared Key setting User Name setting User Password setting Band Type setting Enable DHCP setting IP Address setting Subnet Mask setting Primary DNS setting Secondary DNS setting...165

8 Default Gateway setting Enable IPv6 setting Domain Suffix setting Access Point Handover setting User Can Edit setting Trusted Certificate Source setting Client Certificate Source setting Data Security Level setting Use HTTP Proxy setting Proxy Server setting Proxy Port setting Proxy User Name setting Proxy Password setting Associated SCEP Profile setting VPN Profile setting Associated Proxy Profile setting VPN profile settings Server Address setting Gateway Type setting Authentication Type setting Authentication ID Type setting Authentication ID setting Group User Name setting Preshared Key setting Group Password setting Hard Token setting User Name setting Password setting EAP Identity setting MSCHAPv2 EAP Identity setting MSCHAPv2 User Name setting MSCHAPv2 Password setting Gateway Authentication Type setting Gateway Preshared Key setting Gateway Authentication ID Type setting Gateway Authentication ID setting Automatically Determine IP setting Private IP setting Private IP Mask setting Subnet setting...184

9 Subnet Mask setting Dynamically Determine DNS setting Primary DNS setting Secondary DNS setting Domain Suffix setting Perfect Forward Secrecy setting Manual Algorithm Selection setting IKE DH Group setting IKE Cipher setting IKE Hash setting IKE PRF setting IPSEC DH Group setting IPSEC Cipher setting IPSEC Hash setting IKE Lifetime setting IPSEC Lifetime setting NAT Keep Alive setting DPD Frequency setting Split Tunneling setting Disable Banner setting User Can Edit setting Trusted Certificate Source setting Display VPN Information on Device setting Custom IKE DH Provider setting Client Certificate Source setting Data Security Level setting Use HTTP Proxy setting Proxy Server setting Proxy Port setting Proxy User Name setting Associated SCEP Profile setting Associated Proxy Profile setting Proxy profile settings Exclusion List setting Host setting PAC URL setting Password setting Port setting Type setting User setting

10 User Can Edit setting Product documentation Provide feedback Glossary Legal Notice

11 Introduction 1

12 Introduction About this guide The BlackBerry Device Service allows you to manage BlackBerry devices in your organization's environment. This guide provides instructions on how to manage user accounts and devices after the BlackBerry Device Service is installed and configured. This guide is intended for IT professionals who are responsible for activating devices and managing user accounts. Before you can use the tasks in this guide, you need to complete the tasks to configure the BlackBerry Device Service. You can find instructions on configuring the BlackBerry Device Service in the BlackBerry Enterprise Service 10 Configuration Guide. 12

13 Introduction What is BlackBerry Enterprise Service 10? BlackBerry Enterprise Service 10 helps you manage mobile devices for your organization. You can manage BlackBerry devices and BlackBerry PlayBook tablets, as well as ios and Android devices, all from a unified interface. BlackBerry Enterprise Service 10 is designed to help protect business information, keep mobile workers connected with the information they need, and provide administrators with efficient tools that help keep business moving forward. BlackBerry Enterprise Service 10 includes the following components: Component BlackBerry Device Service Universal Device Service Provides advanced administration for BlackBerry 10 devices and BlackBerry PlayBook tablets Provides advanced administration for ios and Android devices BlackBerry Management Studio Provides a unified interface to administer common tasks for BlackBerry 10 devices, BlackBerry PlayBook tablets, BlackBerry 7.1 and earlier devices, ios devices, and Android devices BES10 Self-Service Provides a console to users so that they can perform some self-service tasks. For example, users can create activation passwords, remotely change the password on their device, or delete data from the device. Key features of BlackBerry Enterprise Service 10 The table below describes some of the key features for BlackBerry Enterprise Service 10. Feature Management of most types of devices Single, unified interface Trusted and secure experience BlackBerry Enterprise Service 10 supports all types of BlackBerry devices and tablets, as well as ios devices and Android devices. BlackBerry Management Studio is a single, web-based interface where you can view all devices in one place and access the most common management tasks across multiple domains. These tasks include creating and managing groups, managing device controls, and activating mobile devices. Device controls give you precise management of how devices connect to your network, what capabilities are enabled, and what apps are available. Whether the devices are owned by your organization or your users, you can protect your organization's information. 13

14 Introduction Feature Balance of work and personal needs BlackBerry Balance and Secure Work Space technology are designed to ensure that personal and work information are kept separate and secure on devices. If the device is lost or the employee leaves the organization, you can delete only work-related information or all information from the device. Additional security features are available depending on the device type. 14

15 Introduction About the BlackBerry Device Service The BlackBerry Device Service permits you to manage BlackBerry 10 OS devices and BlackBerry PlayBook tablets that run BlackBerry Tablet OS 2.0 or later. As an administrator, the BlackBerry Device Service allows you to: Provision devices in an enterprise environment by providing Microsoft ActiveSync configuration information that the device uses to synchronize , calendar and tasks Support a work and life balance by separating work and personal data using BlackBerry Balance technology Audit devices and users by being able to view user and tablet information Protect your organization's data by managing work data on devices using BlackBerry Balance, set contact information on the home screen when users connect to the network, and use IT policies to manage access to your organization's data Manage mandatory and optional applications by creating a catalog of optional applications on the device, and manage the installation and update of mandatory applications Increase productivity because of familiar user interfaces which include BlackBerry Administration Service and BES10 Self-Service To provide a single interface for helpdesk administrators to manage all the devices in your organization's environment, you can connect BlackBerry Management Studio to the BlackBerry Device Service. Log in to the BlackBerry Device Service console Also known as the BlackBerry Administration Service, you can use the BlackBerry Device Service console to manage the BlackBerry Device Service and the user accounts and devices that are associated with it. To open the console, you can use a browser on a computer that can access the computer that hosts the BlackBerry Administration Service. You can use a Microsoft Active Directory, LDAP, or BlackBerry Administration Service username and password to log in. When you install BlackBerry Enterprise Service 10, you specify the username and password that you use to log in for the first time. 1. In the browser, type where <server_name> is the name of the computer that hosts the BlackBerry Administration Service. The default port for the BlackBerry Administration Service is port In the User name field, type your username. 3. In the Password field, type your password. 4. Perform one of the following actions: In the Log in using drop-down list, click BlackBerry Administration Service. 15

16 Introduction In the Log in using drop-down list, click Active Directory and type the Microsoft Active Directory domain in the Domain field. In the Log in using drop-down list, click LDAP. 5. Click Log in. 6. Install the RIMWebComponents.cab add-on if you are prompted to do so. 16

17 Introduction About BES10 Self-Service BES10 Self-Service is a web-based application that you can make available to users so that they can perform certain tasks such as creating activation passwords, remotely locking their devices, or deleting data from their devices. Users do not need to install any software on their computers to use BES10 Self-Service. You must provide the BES10 Self-Service web address and login information to users. You can send this information in an message, or edit the activation template to include the information. Provide the following information: Web address. The web address for BES10 Self-Service is where <server_name> is the FQDN of the computer that hosts the console, and 7445 is the default port. You can change the port in the BES10 Configuration Tool. Username and password. Company directory users can log in with their organization usernames and passwords. For local users that have BlackBerry 10 devices, you must create their usernames and passwords in the BlackBerry Device Service. Local users that have ios or Android devices cannot use BES10 Self-Service. Domain name (for Microsoft Active Directory users) 17

18

19 2 Setting up administrator accounts

20 Setting up administrator accounts Defining different types of administrators You can use roles to specify the information that an administrator can view and the tasks that an administrator can perform in the BlackBerry Device Service. Each role consists of a set of permissions that are assigned to an administrator account. The permissions do not apply to the BES10 Configuration Tool tool. You can use a preconfigured role or create a role to meet your organization's requirements. You can assign a role to an administrator account to manage permissions for a single administrator account or you can assign a role to a group to manage permissions for all of the administrator accounts in the group. If you assign a role to a user account, the user account becomes an administrator account. You can assign multiple roles to an administrator account (both directly and by assigning the roles to the group that the administrator account belongs to). If you assign multiple roles to an administrator account, the administrator has all of the permissions that are turned on for each of the assigned roles. Preconfigured roles The BlackBerry Device Service includes preconfigured roles. You can use a preconfigured role, change the preconfigured role and then use it, or copy the preconfigured role and use it as a template for a new role. Preconfigured role name Security Administrator Enterprise Administrator Senior Helpdesk Administrator Junior Helpdesk Administrator Server Only Administrator User Only Administrator This role has permission to perform all tasks in the BlackBerry Device Service. This role has permission to perform all tasks in the BlackBerry Device Service except changing role assignments. This role can only view role assignments. This role has permission to perform advanced administrative tasks in the BlackBerry Device Service. This role has permission to perform basic administrative tasks in the BlackBerry Device Service. This role has permissions to perform system management tasks in the BlackBerry Device Service. This role has permission to perform user management tasks in the BlackBerry Device Service. View the permission of a role 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Role. 20

21 Setting up administrator accounts 2. Click Manage roles. 3. Click the role. 4. View the permission for the role on the appropriate tabs. Create a role You can make changes to roles or create custom roles and specify permissions for those custom roles. By default, administrators assigned to the Security Administrator role are the only administrators with permissions to create or make changes to roles. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Role. 2. Click Create a role. 3. In the Name field, type a name for the role. 4. In the field, type a description for the role. 5. Click Save. After you finish: Change a role to configure the properties of the role. Copy a role You can create a role by copying the permissions from an existing role. Copying a role allows you to use a role as a template for a new role. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Role. 2. Click Manage roles. 3. In the list of roles, click the name of the role that you want to copy. 4. Click Copy role. 5. In the Name field, type a name for the role. 6. In the field, type a description for the role. 7. Click Copy role. After you finish: Change a role to configure the properties of the role. 21

22 Setting up administrator accounts Change a role You change a role to configure the properties of the role. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Role. 2. Click Manage roles. 3. In the list of roles, click the name of the role. 4. Click Edit role. 5. Make the changes on the appropriate tabs. 6. Click Save all. Delete a role If you delete a role that you assigned to an administrator account or a group, the administrator account or group no longer has the permissions that are associated with the role. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Role. 2. Click Manage roles. 3. In the list of roles, click the name of the role that you want to delete. 4. Click Delete role. 5. Click Yes - Delete the role. Permissions for preconfigured roles The following table lists the permissions for each preconfigured role. Permission name Security Administrator Enterprise Administrator Senior Helpdesk Administrator Junior Helpdesk Administrator Server Only Administrator User Only Administrator User and device group Create a group Delete a group View a group 22

23 Setting up administrator accounts Permission name Security Administrator Enterprise Administrator Senior Helpdesk Administrator Junior Helpdesk Administrator Server Only Administrator User Only Administrator Edit a group Create a user Delete a user View a user Edit a user View a device Edit a device View device activation settings Edit device activation settings Create an IT policy Delete an IT policy View an IT policy Edit an IT policy Import an IT policy Export an IT policy Resend data to devices Create a software configuration View a software configuration Edit a software configuration 23

24 Setting up administrator accounts Permission name Security Administrator Enterprise Administrator Senior Helpdesk Administrator Junior Helpdesk Administrator Server Only Administrator User Only Administrator Delete a software configuration Create an application View an application Edit an application Delete an application Create an administrator user Add or remove user configuration Import or export users Import user updates Assign the current device to a user Delete all device data and remove device Delete only the organization data and remove device View associated BlackBerry Device Service Override associated BlackBerry Device Service 24

25 Setting up administrator accounts Permission name Security Administrator Enterprise Administrator Senior Helpdesk Administrator Junior Helpdesk Administrator Server Only Administrator User Only Administrator View a company directory connection Edit a company directory connection View user authentication Create an profile Edit user authentication Delete an profile View an profile Edit an profile Create a SCEP profile Delete a SCEP profile View a SCEP profile Edit a SCEP profile Create a proxy profile Delete a proxy profile Create a company directory connection View a proxy profile Delete a company directory connection Edit a proxy profile 25

26 Setting up administrator accounts Permission name Security Administrator Enterprise Administrator Senior Helpdesk Administrator Junior Helpdesk Administrator Server Only Administrator User Only Administrator View enterprise authentication Import an enterprise authentication file Remove enterprise authentication file View device backup encryption keys Edit device backup encryption keys View compliance rules Edit compliance rules View certificate retrieval settings Edit certificate retrieval settings BlackBerry Device Service permissions Specify an activation password Generate an activation Enterprise Management Web Service permissions Import new users Topology group View a server Edit a server View a component 26

27 Setting up administrator accounts Permission name Security Administrator Enterprise Administrator Senior Helpdesk Administrator Junior Helpdesk Administrator Server Only Administrator User Only Administrator Edit a component View an instance Edit an instance Change the status of an instance Edit an instance relationship View a job Edit a job View default distribution settings for a job Edit default distribution settings for a job Manage deployment job tasks Change the status of a job task Delete an instance Edit license keys View license keys View reconciliation event status View SMTP configuration Edit SMTP configuration 27

28 Setting up administrator accounts Permission name Security Administrator Enterprise Administrator Senior Helpdesk Administrator Junior Helpdesk Administrator Server Only Administrator User Only Administrator View BlackBerry Enterprise Service 10 license information Edit BlackBerry Enterprise Service 10 license information View an organization notice Edit an organization notice View wireless service plan Edit wireless service plan BlackBerry MDS Connection Service permissions View rules for the BlackBerry MDS Connection Service BlackBerry Administration Service setup group Create a role Delete a role View a role Edit a role Add or remove a role View BlackBerry Administration Service software management 28

29 Setting up administrator accounts Permission name Security Administrator Enterprise Administrator Senior Helpdesk Administrator Junior Helpdesk Administrator Server Only Administrator User Only Administrator Edit BlackBerry Administration Service software management Import or export groups within roles View BlackBerry Administration Service certificate management Edit BlackBerry Administration Service certificate management Organizations View an organization Edit an organization 29

30 Setting up administrator accounts Creating and managing administrator accounts You can use administrator accounts to control who can view information and perform tasks in the BlackBerry Administration Service. You can create an administrator account that only exists on the BlackBerry Device Service or you can assign a role to a user account that exists in your organization's user directory. Create an administrator account 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Administrator user. 2. Click Create an administrator user. 3. In the Display name field, type a name for the administrator account. 4. To configure the login information that the administrator account uses to log in to the BlackBerry Administration Service, complete one of the following tasks: Task Configure Microsoft Active Directory authentication. Steps 1. In the Authentication type drop-down list, select Active Directory. 2. In the User name field, type the username for the administrator account. 3. In the Domain field, type the domain for the administrator account. 4. In the Administrator password field, type your password. Configure LDAP authentication. 1. In the Authentication type drop-down list, select LDAP. 2. In the User name field, type the username for the administrator account. 3. In the Administrator password field, type your password. Configure BlackBerry Administration Service authentication 1. In the Authentication type drop-down list, select BlackBerry Administration Service. 2. In the User name field, type the username for the administrator account. 3. In the Password and Confirm password field, type the password for the administrator account. 4. In the Administrator password field, type your password. 30

31 Setting up administrator accounts 5. In the Role drop-down list, click the role that you want to assign to the administrator account. 6. Click Create an administrator user. After you finish: Change the administrator account to set the account properties. Change an administrator account 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Administrator user. 2. Click Manage users. 3. Search for an administrator account. 4. In the search results, click the display name of the administrator account. 5. Click Edit user. 6. Make the changes on the appropriate tabs. 7. Click Save all. Delete an administrator account 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Administrator user. 2. Click Manage users. 3. Search for an administrator account. 4. In the search results, click the display name of the administrator account. 5. In the Status list, click Delete user. 6. Click Yes - Delete the user. Remove an administrator account from the BlackBerry Device Service You can remove an administrator account from the BlackBerry Device Service without deleting the account and group memberships. This allows an administrator without an active BlackBerry device to perform administrative tasks in the BlackBerry Administration Service. A device cannot be activated for the administrator account until the account is added back to the BlackBerry Device Service. 31

32 Setting up administrator accounts Administrator accounts with no associated devices are the only user accounts that can be removed from the BlackBerry Device Service and added back in. All other user accounts must be deleted and then added as new user accounts. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Administrator user. 2. Click Manage users. 3. Search for an administrator account. 4. In the search results, click the display name of the administrator account. 5. Click Remove from BlackBerry Device Service. 6. Click Yes Remove from BlackBerry Device Service. Add an administrator account to the BlackBerry Device Service You can add an administrator account that was removed from the BlackBerry Device Service back to the BlackBerry Device Service. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Administrator user. 2. Click Manage users. 3. Search for the administrator account. 4. In the search results, click the display name of the administrator account. 5. Click Add to BlackBerry Device Service. 6. Click Save. Add an administrator account to a group When you add an administrator account to a group, the administrator account inherits the roles, configurations, IT policies, and profiles of the group. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Administrator user. 2. Click Manage users. 3. Search for an administrator account. 4. In the search results, click the display name of the administrator account. 5. Click Edit user. 32

33 Setting up administrator accounts 6. On the Groups tab, in the Available groups list, click the group that you want to add the administrator account to. 7. Click Add. 8. Click Save all. Delete administrator accounts from a group 1. In the BlackBerry Administration Service on the BlackBerry solution management menu, expand Administrator user. 2. Click Manage users. 3. Search for the administrator account that you want to delete. 4. In the search results, click the display name of the administrator account. 5. Click Edit user. 6. On the Groups tab, perform one of the following actions: To delete the administrator account from one group, select the group in the Current groups list and click Remove. To delete the administrator account from more than one group, select multiple groups in the Current groups list and click Remove. To delete the administrator account from all of the groups, click Remove all. 7. Click Save all. Add a role to an administrator account 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Administrator user. 2. Click Manage users. 3. Search for an administrator account. 4. In the search results, click the display name for the administrator account. 5. Click Edit user. 6. On the Roles tab, select the role and click Add. 7. Click Save all. 33

34 Setting up administrator accounts Delete roles from an administrator account 1. In the BlackBerry Administration Service on the BlackBerry solution management menu, expand Administrator user. 2. Click Manage users. 3. Search for the administrator account. 4. In the search results, click the display name of the administrator account. 5. Click Edit user. 6. On the Roles tab, perform one of the following actions: To delete one role from the administrator account, select the group in the Current roles list and click Remove. To delete more than one role from the administrator account, select multiple roles in the Current roles list and click Remove. To delete all of the roles from the administrator account, click Remove all. 7. Click Save all. 34

35 Setting up device controls 3

36 Setting up device controls Controlling how devices can connect to your organization's network You can specify how users' devices can connect to your organization's network, messaging and proxy servers, and the settings for enrolling certificates to devices. You can also use the BlackBerry Work Drives app to allow BlackBerry 10 devices to access files and folders on your organization's network. The following profiles allow you to control how devices can connect through these communication paths: Profile Can be applied to SCEP profiles Proxy profiles SCEP profiles can be added to Wi-Fi profiles, VPN profiles, and profiles to use certificatebased authentication for Wi-Fi connections, VPN connections, and messaging server connections. Specify how users use a proxy server to access web services on the Internet or in your organization's network. Wi-Fi profiles VPN profiles profiles Wi-Fi profiles VPN profiles BlackBerry Device Service domain Wi-Fi profiles Specify how users connect to your organization's Wi-Fi network. Users Groups VPN profiles Specify how users connect to your organization's VPN. Wi-Fi profiles Users Groups profiles Specify how devices connect to your organization's messaging server and synchronize messages and organizer data using Exchange ActiveSync or IBM Notes Traveler. Users Managing Wi-Fi profiles You can create a Wi-Fi profile to specify how users connect to your organization's Wi-Fi network within the firewall. 36

37 Setting up device controls Note: When you add a Wi-Fi profile to a user account, both personal and work apps on the device can use the profile settings to access your organization's network. To prevent personal apps from connecting to your organization's network, set the Work Network Usage for Personal Apps IT policy rule. For more information about the profile settings, see Wi-Fi profile settings. Create a Wi-Fi profile 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles. 2. Click Create Wi-Fi profile. 3. Type a name and description for the Wi-Fi profile. 4. Click Save. After you finish: Change a Wi-Fi profile to set the Wi-Fi profile settings. Copy a Wi-Fi profile 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles. 2. Click Manage Wi-Fi profiles. 3. Click the name of the Wi-Fi profile. 4. Click Copy profile. 5. Type a name and description for the Wi-Fi profile. 6. Click Save. After you finish: Change a Wi-Fi profile to configure the profile settings. Change a Wi-Fi profile 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles. 2. Click Manage Wi-Fi profiles. 3. Click the name of the Wi-Fi profile. 4. Click Edit profile. 5. Make changes on the appropriate tabs. 6. Click Save all. Delete a Wi-Fi profile 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy. 2. Expand Wi-Fi configuration. 37

38 Setting up device controls 3. Click Manage Wi-Fi profiles. 4. Click the name of the Wi-Fi profile. 5. Click Delete profile. 6. Click Yes - Delete the profile. Add a VPN profile to a Wi-Fi profile 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles. 2. Click Manage Wi-Fi profiles. 3. Click the name of the Wi-Fi profile. 4. Click Edit profile. 5. On the Wi-Fi profile settings tab, in the Wi-Fi associations section, in the VPN Profile drop-down list, select the VPN profile. 6. Click Save all. Delete a VPN profile from a Wi-Fi profile 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles. 2. Click Manage Wi-Fi profiles. 3. Click the name of the Wi-Fi profile. 4. Click Edit profile. 5. On the Wi-Fi profile settings tab, in the Wi-Fi associations section, in the VPN Profile drop-down list, select the blank field. 6. Click Save all. Add a SCEP profile to a Wi-Fi profile 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles. 2. Click Manage Wi-Fi profiles. 3. Click the name of the Wi-Fi profile. 4. Click Edit profile. 5. On the Wi-Fi profile settings tab, in the Wi-Fi associations section, in the Associated SCEP Profile drop-down list, click the SCEP profile. 6. Click Save all. 38

39 Setting up device controls Delete a SCEP profile from a Wi-Fi profile 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy. 2. Expand Wi-Fi configuration. 3. Click Manage Wi-Fi profiles. 4. Click the name of the Wi-Fi profile. 5. Click Edit profile. 6. On the Wi-Fi profile settings tab, in the Associated SCEP Profile field, delete the name of the SCEP profile. 7. Click Save all. Add a proxy profile to a Wi-Fi profile If you want devices that run BlackBerry 10 OS to use a proxy server when they use a work Wi-Fi connection, you must add a proxy profile to a Wi-Fi profile. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles. 2. Click Manage Wi-Fi profiles. 3. Click the name of a Wi-Fi profile. 4. Click Edit profile. 5. On the Wi-Fi profile settings tab, in the Proxy associations section, in the Associated Proxy Profile drop-down list, select a proxy profile. 6. Click Save all. Delete a proxy profile from a Wi-Fi profile 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles. 2. Click Manage Wi-Fi profiles. 3. Click the name of a Wi-Fi profile. 4. Click Edit profile. 5. On the Wi-Fi profile settings tab, in the Proxy associations section, in the Associated Proxy Profile drop-down list, select the blank value. 6. Click Save all. Managing VPN profiles You can create a VPN profile to specify how users connect to your organization's VPN. 39

40 Setting up device controls Note: When you add a VPN profile to a user account, based on IT policy rules and device settings, both personal and work apps on a device may be able to use the VPN profile to access your organization s network. For more information, see the BlackBerry Device Service Solution Security Technical Overview. Note: If you allow devices to connect to your organization s network using a VPN, you must make sure that your VPN network is set up to have access to BlackBerry Enterprise Service 10 to ensure that devices can communicate with BlackBerry Enterprise Service 10 while they are connected to your VPN Network. For more information about profile settings, see the VPN profile settings and the BlackBerry Enterprise Service 10 Configuration Guide. Create a VPN profile 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles. 2. Click Create VPN profile. 3. Type a name and description for the VPN profile. 4. Click Save. After you finish: Change a VPN profile to set the VPN profile settings. Copy a VPN profile 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles. 2. Click Manage VPN profiles. 3. Click the name of the VPN profile. 4. Click Copy profile. 5. Type a name and description for the VPN profile. 6. Click Save. After you finish: Change a VPN profile to configure the profile settings. Change a VPN profile 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles. 2. Click Manage VPN profiles. 3. Click the name of the VPN profile. 4. Click Edit profile. 5. Make changes on the appropriate tabs. 6. Click Save all. 40

41 Setting up device controls Delete a VPN profile 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles. 2. Click Manage VPN profiles. 3. Click the name of the VPN profile. 4. Click Delete profile. 5. Click Yes - Delete the profile. Add a SCEP profile to a VPN profile 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles. 2. Click Manage VPN profiles. 3. Click the name of the VPN profile. 4. Click Edit profile. 5. On the VPN profile settings tab, in the VPN associations section, in the Associated SCEP Profile drop-down list, click the SCEP profile. 6. Click Save all. Delete a SCEP profile from a VPN profile 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy. 2. Expand Wi-Fi configuration. 3. Click Manage VPN profiles. 4. Click the name of the VPN profile. 5. Click Edit profile. 6. On the VPN profile settings tab, in the Associated SCEP Profile field, delete the name of the SCEP profile. 7. Click Save all. Add a proxy profile to a VPN profile If you want devices that run BlackBerry 10 OS to use a proxy server when they use a VPN connection, you must add a proxy profile to a VPN profile. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles. 2. Click Manage VPN profiles. 3. Click the name of a VPN profile. 41

42 Setting up device controls 4. Click Edit profile. 5. On the VPN profile settings tab, in the Proxy associations section, in the Associated Proxy Profile drop-down list, select a proxy profile. 6. Click Save all. Delete a proxy profile from a VPN profile 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles. 2. Click Manage VPN profiles. 3. Click the name of a VPN profile. 4. Click Edit profile. 5. On the VPN profile settings tab, in the Proxy associations section, in the Associated Proxy Profile drop-down list, select the blank value. 6. Click Save all. Managing profiles You can use profiles to specify how devices connect to your organization's messaging server and synchronize messages and organizer data using Microsoft ActiveSync or IBM Notes Traveler. You can add profiles to user accounts. Extending messaging security on BlackBerry 10 devices using S/MIME protection You can extend messaging security for the BlackBerry Device Service solution and permit users to send and receive S/ MIME-protected messages on BlackBerry 10 devices. Digitally signing or encrypting messages adds another level of security to messages that users send or receive from their devices. If they use a work account that supports S/ MIME-protected messages on devices, users can digitally sign or encrypt messages using S/MIME encryption. When a device is activated on the BlackBerry Device Service, you can require the device to sign, encrypt, or sign and encrypt messages using S/MIME encryption when users send messages using a work address. Digital signatures help recipients verify the authenticity and integrity of messages that users send. When a user digitally signs a message with their private key, recipients use the sender's public key to verify that the message is from the sender and that the message has not changed. Encryption keeps messages confidential. When a user encrypts a message, the device uses the recipient's public key to encrypt the message. The recipient's device uses the recipient's private key to decrypt the message. Devices support keys and certificates in the following file formats and file name extensions: PEM (.pem,.cer) DER (.der,.cer) 42

43 Setting up device controls PFX (.pfx,.p12) Users can store their private keys on their devices or a smart card. For devices that are running BlackBerry 10 OS version or later, you can use the BlackBerry Device Service to configure LDAP-enabled server settings and send them to devices so that devices can automatically retrieve the recipient's public key and users don't need to import public keys from work messages manually. You can require that devices use either simple authentication or Kerberos to authenticate with LDAP-enabled servers. If you require that devices use Kerberos authentication, if a valid TGT is available on a user's device, the user isn't prompted for login information. Users don't have to install additional software on devices to support S/MIME protection. Users can configure S/MIME preferences on devices in the BlackBerry Hub settings, including choosing certificates and encoding methods. Users can manage certificates on their devices in the Security and Privacy section of the System Settings. BlackBerry 10 devices support attachments in S/MIME-protected messages. Users can view, send, and forward attachments in S/MIME-protected messages. Users can configure the S/MIME settings on the device to send either clear-signed messages that any application can open, or opaque-signed messages that only applications that support encryption can open. If devices do not have S/MIME support turned on, devices cannot send signed or encrypted messages. To send encrypted messages, a user must have the recipient's public key on their device. To read encrypted messages, a user must have their private key on their device or on a smart card. If users do not have their private keys on their devices, the devices cannot read S/MIME-encrypted messages, and the devices display the message, "Unable to decode the message because you do not have the corresponding private key." Retrieving S/MIME certificates For devices that are running a version of BlackBerry 10 OS that is or later, you can use the BlackBerry Device Service to configure LDAP-enabled server settings and send them to BlackBerry devices so that devices can search for and retrieve recipients' S/MIME certificates from LDAP-enabled servers over the wireless network. If a required S/MIME certificate isn't already in a device's certificate store, the device retrieves it and imports it into the certificate store automatically. A device searches each LDAP-enabled server and retrieves the S/MIME certificate. If there is more than one S/MIME certificate and the device is unable to determine the preferred one, the device displays all of the S/MIME certificates so that the user can choose which one to use. If you don't configure certificate retrieval settings, users must manually import S/MIME certificates from a work attachment or a computer. To allow BlackBerry devices to trust the network and servers when making secure connections, you will need to distribute root and intermediate CA certificates to the devices. For more information, see Sending CA certificates to devices. For more information about certificates, see the BlackBerry Device Service Solution Security Technical Overview. Retrieve public keys over the wireless network from LDAP-enabled servers For devices running BlackBerry 10 OS version or later, you can use the BlackBerry Device Service to configure LDAP-enabled server settings and send them to devices so that devices can search for and retrieve S/MIME certificates from LDAP-enabled servers. Before you begin: If you use a secure connection, you must add the certificates to the Enterprise trusted certificate store folder on the shared drive. 43

44 Setting up device controls 1. In the BlackBerry Administration Service, on the Devices menu, expand Device settings. 2. Click Certificate retrieval settings. 3. Click Edit settings. 4. On the LDAP tab, type a name and description for the LDAP certificate retrieval setting. 5. In the Service URL field, type the web address for the server using the following format LDAP://<FQDN>:<port> (for example, LDAP://server01.blackberry.com:123). 6. In the Default server base query field, type the query that you would like to use for the LDAP-enabled server. 7. Optionally, in the User search scope drop-down list, perform one of the following actions: To search the base object, click Base. This is the default setting. To search the base object and one level below it, click One level. To search the base object and all levels below it, click Subtree. To search for a particular object, click Children. 8. In the Secure connection turned on drop-down list, perform one of the following actions: Click Yes if you want to use a secure connection. Click No if you do not want to use a secure connection. 9. Perform one of the following actions: Option Use no authentication when connecting to the LDAP-enabled server. Use simple authentication when connecting to the LDAP-enabled server. Use Kerberos authentication when connecting to the LDAP-enabled server. Step In the Authentication type drop-down list, click None. 1. In the Authentication type drop-down list, click Simple. 2. In the LDAP user ID field, type the username for authentication 3. In the LDAP password and Confirm LDAP password fields, type the password for authentication. In the Authentication type drop-down list, click Kerberos. 10. In the Connection timeout field, type the time in seconds that the device waits for the LDAP-enabled server response. 11. Click Save all. After you finish: For devices running a version of BlackBerry 10 OS that is later than , do one of the following to verify the status of S/MIME certificates: Configure the OCSP server settings and send them to BlackBerry devices. 44

45 Setting up device controls Configure the Enterprise Management Web Service to search for the status of S/MIME certificates using HTTP, HTTPS, or LDAP. Determining the status of S/MIME certificates For devices running a version of BlackBerry 10 OS that is later than , you can use the BlackBerry Device Service to configure OCSP server settings and send them to BlackBerry devices to determine the status of S/MIME certificates. A device searches each OCSP server and retrieves the S/MIME certificate status. To allow BlackBerry devices to trust the network and servers when making secure connections, you will need to distribute root and intermediate CA certificates to the devices. For more information, see Sending CA certificates to devices. For devices that are running a version of BlackBerry 10 OS that is later than , you can configure the Enterprise Management Web Service to search for the status of S/MIME certificates using HTTP, HTTPS, or LDAP. For more information about certificates, see the BlackBerry Device Service Solution Security Technical Overview. For more information about secure icons, see the user guide for the device. Configure the OCSP servers that devices use to retrieve the status of S/MIME certificates OCSP server configuration is available for devices running a BlackBerry 10 OS version that is later than In the BlackBerry Administration Service, on the Devices menu, expand Device settings. 2. Click Certificate retrieval settings. 3. Click Edit settings. 4. On the OCSP tab, type a name and description for the OCSP certificate retrieval setting. 5. In the Service URL field, type the web address for the server. 6. In the Connection timeout field, type the time in seconds that the device waits for the OCSP server response. 7. Click Save all. Configure the HTTP servers that the Enterprise Management Web Service uses to retrieve the status of S/MIME certificates HTTP server configuration is available for devices running a BlackBerry 10 OS version that is later than In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view. 2. Click Enterprise Management Web Service. 3. On the CRL tab, click Edit component. 4. Click Edit settings. 5. In the Use certificate extension responders drop-down list, perform one of the following actions: Click Yes if you want to use responder URLs defined in the certificate. 45

46 Setting up device controls Click No if you do not want to use responder URLs defined in the certificate. 6. In the Service URL field, type the web address for the server using the following format or (for example, 7. Click Save all. Configure the LDAP-enabled servers that the Enterprise Management Web Service uses to retrieve the status of S/MIME certificates LDAP-enabled servers that the Enterprise Management Web Service uses to retrieve the status of certificates are available for devices running a BlackBerry 10 OS version that is later than Before you begin: If the secure connection is used, you must add the certificates to the Enterprise trusted certificate store folder on the shared drive. 1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view. 2. Click Enterprise Management Web Service. 3. On the LDAP for CRL tab, click Edit component. 4. Type a name and description for the LDAP-enabled server. 5. In the Service host field, type the web address for the server. 6. In the Default server base query field, type the query that you would like to use for the LDAP-enabled server. 7. In the Secure connection turned on drop-down list, perform one of the following actions: Click Yes if you want to use a secure connection. Click No if you do not want to use a secure connection. 8. In the LDAP user ID field, type the user name for authentication. 9. In the LDAP password and Confirm LDAP password fields, type the password for authentication. 10. Click Save all. Create an profile You can use profiles to specify how devices connect to your organization's mail server and synchronize messages, calendar entries and organizer data using Exchange ActiveSync or IBM Notes Traveler. If you want to use Exchange ActiveSync, you should note the following: If you require support for extended security, you can enable S/MIME or PGP. If you enable S/MIME, you can allow devices to automatically retrieve S/MIME certificates and check certificate status. If you want to use Notes Traveler, you should note the following: 46

47 Setting up device controls To Do data synchronization is supported on BlackBerry 10 devices. It uses the SyncML communication protocol on the Notes Traveler server. If you require support for extended security, only IBM Notes encryption is supported (S/MIME and PGP are not supported). For more information about the profile settings, see profile settings. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand profiles. 2. Click Create an profile. 3. Type a name and description for the profile. 4. In the Type drop-down list, select the profile type. 5. Click Continue. 6. Specify the appropriate settings for the profile. 7. Click Save. profile settings by messaging server The following table outlines the profile settings that specific messaging servers require. profile setting Microsoft Exchange IBM Domino Novell GroupWise Account name Not required Not required Not required address Required Required Required Domain Required Do not use Do not use Username Required Required Required Server name Required Required Required messagingservername.addr ess.com messagingserver.address.co m/servlet/traveler Copy an profile 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand profiles. 2. Click Manage profiles. 3. Click the profile. 4. Click Copy profile. 5. Type a name and description for the profile. The description is optional. 6. Click Continue. 47

48 Setting up device controls 7. Specify the appropriate settings for the profile. 8. Click Save. Change an profile 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand profiles. 2. Click Manage profiles. 3. Click the profile. 4. Click Edit profile. 5. Specify the appropriate settings for the profile. 6. Click Save all. Delete an profile When you delete an profile, you might prevent devices from connecting to messaging servers. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand profiles. 2. Click Manage profiles. 3. Click the profile. 4. Click Delete profile. 5. Click Yes - Delete the profile. Add a SCEP profile to an profile 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles. 2. Click Manage profiles. 3. Click the profile. 4. Click Edit profile. 5. On the profile settings tab, in the Profile associations section, in the SCEP profile drop-down list, click the SCEP profile. 6. Click Save all. Delete a SCEP profile from an profile 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand profiles. 2. Click Manage profiles. 3. Click the profile. 48

49 Setting up device controls 4. Click Edit profile. 5. On the profile settings tab, in the Associated SCEP Profile field, delete the name of the SCEP profile. 6. Click Save all. Managing SCEP profiles You can use SCEP profiles to specify settings for enrolling certificates to devices. SCEP profiles can be associated with Wi- Fi profiles, VPN profiles, and profiles. Devices can use the certificates obtained using SCEP for certificate-based authentication with a work Wi-Fi network, work VPN, or work messaging server. Certificate enrollment using SCEP starts after the device receives the SCEP profile that you configure using the BlackBerry Device Service. The device can download CA profiles during the activation process, when you change a SCEP profile, or when you assign another SCEP profile to a user account. After the certificate enrollment completes, the client certificate and its certificate chain and private key are stored in the work keystore on the device. The SCEP component monitors the expiry date of any certificate that was obtained using SCEP. When the expiry date of a certificate approaches, the SCEP component starts the certificate enrollment process for a new certificate. You can use the Automatic Renewal SCEP profile setting to configure how many days before the certificate expires that automatic renewal occurs. The certificate enrollment process can also start again if you change the following IT policy rules: Certification Authority Identifier Certificate Thumbprint ECC Strength Key Algorithm RSA Strength A certificate enrollment process does not delete the existing certificate from the device or notify the CA that the certificate is no longer in use. If a SCEP profile is removed from the BlackBerry Device Service, the corresponding certificate is not removed from the device. For more information about the profile settings, see SCEP profile settings. Create a SCEP profile 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles. 2. Click Create a SCEP profile. 3. Type a name and description for the SCEP profile. 4. Click Continue. 5. Specify the information for the CA that you are using and the certificate settings. 6. Click Save. 49

50 Setting up device controls Copy a SCEP profile 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles. 2. Click Manage SCEP profiles. 3. Click the SCEP profile. 4. Click Copy profile. 5. Type a name and description for the SCEP profile. 6. Click Continue. 7. If required, change the information for the CA that you are using and the certificate settings. 8. Click Save. Change a SCEP profile 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles. 2. Click Manage SCEP profiles. 3. Click the SCEP profile. 4. Click Edit profile. 5. Change the information for the CA that you are using and the certificate settings as necessary. 6. Click Save all. Delete a SCEP profile 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles. 2. Click Manage SCEP profiles. 3. Click the SCEP profile. 4. Click Delete profile. 5. Click Yes - Delete the profile. Managing proxy profiles You can create a proxy profile to specify how users use a proxy server to access web services on the Internet or on your organization's network. You can associate a proxy profile with a Wi-Fi profile or VPN profile. If you want users to use a proxy server when they connect to the Internet or your organization's network using the BlackBerry Infrastructure, you can associate a proxy profile with a BlackBerry Device Service instance. 50

51 Setting up device controls Devices that run BlackBerry 10 OS use the proxy settings that you specify in a proxy profile. Devices that run BlackBerry PlayBook OS 2.1 or earlier use the proxy settings that you specify directly in a Wi-Fi profile or VPN profile. For more information about the profile settings, see Proxy profile settings. Create a proxy profile You can configure a proxy profile to use a PAC file or a single proxy server with an optional exclusion list (for example, a list of websites that users can access directly from their devices without using a proxy server). Proxy profiles support basic authentication with a proxy server (for example, authentication using a username and password). 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles. 2. Click Create a proxy profile. 3. Type a name and description for the proxy profile. 4. If your organization uses a PAC file to define proxy rules, select PAC configuration, otherwise select Manual configuration. 5. Click Continue. 6. In the Profile settings section, complete one of the following tasks: Task Steps Specify PAC configuration settings 1. Type the URL for the web server that hosts the PAC file and include the PAC file name (for example, 2. If necessary, specify the username and password to authenticate with the proxy server. Specify manual configuration settings 1. In the Host field, type the FQDN or IP address of the proxy server. 2. In the Port field, type the port number of the proxy server. 3. If necessary, specify the username and password to authenticate with the proxy server. 4. If you want to use an exclusion list, type the FQDNs or IP addresses that users can access directly from their devices. Use a semicolon (;) to separate the values in the list. 7. Click Save. Copy a proxy profile If you want to create a proxy profile with settings that are similar to the settings for an existing proxy profile, you can copy a proxy profile. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles. 2. Click Manage proxy profiles. 51

52 Setting up device controls 3. Click the name of the proxy profile. 4. Click Copy profile. 5. Type a name and description for the proxy profile. 6. Click Continue. 7. In the Profile settings section, configure the proxy settings. 8. Click Save. Change the settings for a proxy profile You can change the settings for an existing proxy profile but you cannot change the proxy type (for example, you cannot change manual configuration to PAC configuration). 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles. 2. Click Manage proxy profiles. 3. Click the name of the proxy profile. 4. Click Edit profile. 5. Make changes on the appropriate tabs. 6. Click Save all. Delete a proxy profile 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles. 2. Click Manage proxy profiles. 3. Click the name of the proxy profile. 4. Click Delete profile. 5. Click Yes - Delete the profile. Add a proxy profile to a BlackBerry Device Service instance If you add a proxy profile to a BlackBerry Device Service instance, all devices that run BlackBerry 10 OS that are associated with the instance use the proxy profile when they access web services on the Internet or on your organization's network using the BlackBerry Infrastructure. Devices can use the BlackBerry Infrastructure if a VPN or Wi-Fi connection is not available. 1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > BlackBerry Device Service. 2. Click the name of the BlackBerry Device Service instance. 3. Click Edit instance. 52

53 Setting up device controls 4. In the Instance associations section, in the Proxy profile drop-down list, select a proxy profile. 5. Click Save all. Delete a proxy profile from a BlackBerry Device Service instance 1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > BlackBerry Device Service. 2. Click the name of the BlackBerry Device Service instance. 3. Click Edit instance. 4. In the Instance associations section, in the Proxy profile drop-down list, select the blank value. 5. Click Save all. Accessing network drives from devices The BlackBerry Work Drives app allows BlackBerry 10 devices managed by the BlackBerry Device Service to access files and folders on your organization's network. After users add a network drive in the BlackBerry Work Drives app, they can use apps in the work space such as Documents To Go and File Manager to create, edit, and manage network files. Users can also access network files from their work accounts. To make this public app available in the work space on devices, you must add it to the BlackBerry Administration Service. You must specify the URL of the app from the BlackBerry World storefront, add the app to a software configuration, and assign the software configuration to users or groups. For more information, see Preparing an app for delivery. Allow devices to have single sign-on access to your organization's network You can allow devices to have single sign-on access to your organization s network from the browser in the work space using the following authentication protocols: Kerberos NTLM BlackBerry Enterprise Service 10 uses the same Kerberos configuration file that your organization uses to authenticate users with their desktop computers. For devices running a version of BlackBerry 10 OS that is or later, you can specify trusted domains that support NTLM for internal web sites that use password-based authentication. When a user enters their password in the work space browser for any site in the trusted domain, the device uses the same password for all specified sites in the domain. For more information, see the BlackBerry Device Service Solution Security Technical Overview. 53

54 Setting up device controls Import your organization's Kerberos configuration file Before you begin: Locate your organization s Kerberos configuration file. The default file name is krb5.conf. 1. In the BlackBerry Administration Service, on the Devices menu, expand Device settings. 2. Click Enterprise authentication. 3. On the Kerberos tab, click Import new file. 4. Browse to the Kerberos configuration file. 5. Click Save. Kerberos configuration file settings BlackBerry Device Service uses the Heimdal implementation of Kerberos. To allow single sign-on access, you must set up the Kerberos configuration file as follows: To ensure that TCP is used by default instead of UDP, use the prefix tcp/ for KDC hosts. If your organization uses VPN, configure the VPN gateway to allow traffic through to the KDCs. Specify trusted domains Specifying trusted domains is available for devices running a BlackBerry 10 OS version that is or later. 1. In the BlackBerry Administration Service, on the Devices menu, expand Device settings. 2. Click Enterprise authentication. 3. On the Trusted domains tab, click Edit settings. 4. Enter the domain name that users will see on their devices when prompted for their corporate credentials. 5. In the Domain field, do one or more of the following: To specify a list of trusted subdomains and individual hosts where the domain credentials can be used to authenticate automatically, click the Add icon. You can specify the server name as an FQDN, hostname, alias, or IP address. In addition, DNS names can contain wildcards (*) to represent the leftmost part of the domain name. To delete a subdomain or host from the list, click the Delete icon to the right of the subdomain or host in the list. 6. Click Save All. 54

55 Setting up device controls Managing device security features and behaviors You can use IT policies to control and manage devices in your organization's environment. An IT policy consists of multiple IT policy rules that manage the security and behavior of the BlackBerry Device Service and devices. For example, you can use IT policy rules to manage the following security features and behaviors of the device: Encryption Use of a password or passphrase Connections that use Bluetooth wireless technology The Default IT policy includes IT policy rules that are configured to indicate the default behavior of the device. After a user activates a device, the BlackBerry Device Service automatically sends the IT policy that you assigned to the user account or group to the device. By default, if you do not assign an IT policy to the user account or group, the BlackBerry Device Service sends the Default IT policy. If you delete an IT policy that you assigned to the user account or group, the BlackBerry Device Service automatically reassigns the Default IT policy to the user account and resends the Default IT policy to the device. For more information, see the BlackBerry Device Service Policy Reference Sheet Preconfigured IT policy The BlackBerry Device Service includes the following preconfigured IT policy. You can change the preconfigured IT policy to meet the requirements of your organization or copy this IT policy to create new IT policies. Preconfigured IT policy Default This policy includes all the standard IT policy rules that are set on the BlackBerry Device Service. Create an IT policy 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy. 2. Click Create an IT policy. 3. In the Name field, type a name for the IT policy. 55

56 Setting up device controls 4. In the field, type a description for the IT policy. 5. Click Save. After you finish: Change an IT policy to set the IT policy rules. Copy an IT policy 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy. 2. Click Manage IT policies. 3. Click the name of the IT policy. 4. Click Copy IT policy. 5. In the Name field, type a name for the IT policy. 6. In the field, type a description for the IT policy. 7. Click Save. After you finish: Change an IT policy to set the IT policy rules. Import IT policies 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy. 2. Click Manage IT policies. 3. Click Import IT policy list. 4. Click Browse and navigate to the location of the IT policy export file. 5. Type the password for the IT policy export file in the File encryption password field. 6. Click Next. 7. Click Add all IT policies. Export IT policies 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy. 2. Click Manage IT policies. 3. Click Export IT policy list. 4. Type and confirm a file encryption password. 56

57 Setting up device controls 5. Click Export. 6. Click Download file. Change an IT policy 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy. 2. Click Manage IT policies. 3. Click the name of the IT policy. 4. Click Edit IT policy. 5. Make the changes on the appropriate tabs. 6. Click Save all. Delete an IT policy 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy. 2. Click Manage IT policies. 3. Click the name of the IT policy. 4. Click Delete IT policy. 5. Click Yes - Delete the IT policy. View the IT policies assigned to user accounts and administrator accounts 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy. 2. Click Manage IT policies. 3. Click the name of the IT policy. 4. Click View users with reconciled IT policy. 57

58 Setting up device controls Resolving IT policy conflicts If you add a user account to multiple groups, multiple IT policies can be added to the user account. You can control how the BlackBerry Device Service applies the correct IT policies and IT policy rules to the user account. The BlackBerry Device Service applies the IT policy that you assign directly to the user account first. If you do not assign an IT policy directly to the user account, the BlackBerry Device Service applies the IT policies that you assign to the group using one of the following methods: Method Apply one IT policy to a user account Apply multiple IT policies to a user account You can configure the BlackBerry Device Service to apply only one IT policy to a user account. If you select this method to resolve IT policy conflicts, the BlackBerry Device Service applies the IT policy with the highest ranking in the BlackBerry Administration Service. You can configure the BlackBerry Device Service to apply multiple IT policies to a user account. If you select this method to resolve IT policy conflicts, the BlackBerry Device Service combines the IT policies into one IT policy and applies it to the user account. A conflict occurs when you change an IT policy rule from the default value to different values in different IT policies. If there is a conflict between IT policy rules in different IT policies, the BlackBerry Device Service uses the IT policy rule from the IT policy with the highest ranking in the BlackBerry Administration Service. Preview IT policy resolution You can preview how the BlackBerry Device Service applies IT policies to user accounts that have multiple IT policies added to them. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy. 2. Click Manage IT policies. 3. Click Preview resolved IT policies. 4. Select the conflicting IT policies. 5. Click Preview. Change how the BlackBerry Device Service resolves IT policy conflicts 1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry solution topology > BlackBerry Domain > Component view. 2. Click BlackBerry Administration Service. 58

59 Setting up device controls 3. Click Switch method to resolve multiple IT policies. 4. Click Yes - Switch the method. Set the priority of IT policies The priority of IT policies determines when the BlackBerry Device Service applies IT policies and IT policy rules to user accounts. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy. 2. Click Manage IT policies. 3. Click Set priority of IT policies. 4. Click the up arrow and down arrow icons to set the priority of IT policies. 5. Click Save. 59

60 Setting up device controls Managing work and personal spaces BlackBerry 10 devices can distinguish between data that is for work use and data that is for personal use. Devices classify data as work or personal based on the source of the data. The classifications determine how devices store, protect, and manage data. For example, if data comes from a work account, it is stored in the work space on the device, and if data comes from a personal account, it is stored in the personal space on the device. After devices classify data as work or personal, personal data cannot be reclassified as work data. You indicate how data is classified on a device by applying an activation type to the user account. Activation type License requirement Work and personal - Corporate Work and personal - Regulated Work space only BlackBerry Balance technology permits users to use BlackBerry 10 devices for both work and personal use. Devices have a work space and a personal space with different rules for data storage, app permission, and network routing. By default, devices have only a personal space. When you activate a device, a work space is created. The personal space remains intact during the activation process and any user data, apps, or network connections that the user was using before the device was activated are available in the personal space. Regulated BlackBerry Balance gives your organization full control over devices that have a work and a personal space. Users should be aware that all data on the device can be audited by their organization, even if they are using the device or application for personal use. Devices with BlackBerry 10 OS version or later can be activated using this option. The "work space only" activation type gives your organization full control over devices that are activated on the BlackBerry Device Service. Users should be aware that all data on the device can be audited by their organization, even if they are using the device or application for personal use. Devices with BlackBerry 10 OS version 10.1 or later can be activated using this option. One of the following: 1. SIM license 2. EMM - Corporate for BlackBerry license 3. Silver license 4. Gold - BlackBerry license One of the following: 1. SIM license 2. Gold - BlackBerry license One of the following: 1. SIM license 2. Gold - BlackBerry license 60

61 Setting up device controls For more information about license types, see the BlackBerry Enterprise Service 10 Licensing Guide. For more information about the IT policies specific to each activation type, see the BlackBerry Device Service Policy Reference Sheet. Related information Create a user account, 89 Create a local user account, 90 Configuring the default device activation type for all new users You can set the default device activation type for new user accounts at the domain level. When you create user accounts, you can specify whether the activation type for new and reactivated devices will be prepopulated with BlackBerry Balance technology, regulated BlackBerry Balance technology, or work space only. When you create a user account, you can override the default selection. Note: Regulated BlackBerry Balance is available for devices with BlackBerry 10 OS version or later. Related information Create a user account, 89 Create a local user account, 90 Configure the default device activation type for all new user accounts 1. In the BlackBerry Administration Service, in the Servers and components menu, expand BlackBerry Solution topology. 2. Select BlackBerry Domain. 3. Click Edit domain. 4. In the Activation information section, perform one of the following tasks: Task Create an account that has both a personal and a work space on the device. The organization has control over the work space only. Create an account that has only a work space on the device. Create an account that has both a personal and work space on the device. The organization has full control over the device. This option is available for devices with Steps In the Default activation type for new users drop-down list, click Work and personal - Corporate. In the Default activation type for new users drop-down list, click Work space only. In the Default activation type for new users drop-down list, click Work and personal - Regulated. 61

62 Setting up device controls Task Steps BlackBerry 10 OS version or later. 5. Click Save all. Related information Create a user account, 89 Create a local user account, 90 62

63 Setting up device controls Enforcing your organization's device compliance requirements You can use device compliance rules to encourage users to comply with the device conditions that your organization requires. The BlackBerry Device Service detects that a device is out of compliance when one of the following occurs: There is no SIM card in the device. The service plan on the SIM card does not support your organization s activation requirements. Someone ran software or performed an action on the device that gives a user access to the operating system of the device. If there is no SIM card in the device or the service plan on the SIM card does not support your organization s activation requirements, an automatic message displays on the device's home screen and all wireless communication is disabled on the workspace but the work space is not locked. When the user inserts the correct SIM card into the device, the work space is unlocked and the out-of-compliance status is cleared. For devices running a version of BlackBerry 10 OS that is or later, when a user gains unauthorized access to the operating system of the device, the result is an integrity alert and one of the following enforcement actions, that you configure, is carried out: Apply no enforcement action. Automatically send an message, a device notification message, or both to users that advises them of a compliance issue and of the consequences. Block users from accessing your organization's resources and applications from their device. Delete your organization's data from the device. The user receives an explaining that the data was deleted as the result of a compliance violation. Delete all data from the device. The user receives an explaining that the data was deleted as the result of a compliance violation. Users cannot access the work space on their devices if the devices are out of compliance. You can see the compliance status for a device in the Out of compliance column in the list of user accounts and on the User information and Device information tabs. 63

64 Setting up device controls Update the template for the device compliance notification You can use the BlackBerry Device Service to automatically send an message, a device notification, or both, to users when their device does not comply with your organization's requirements. The template includes default text but you can update the text. In the body of the message, you can advise users about the compliance issue and the consequences if they do not address it. 1. In the BlackBerry Administration Service, on the Devices menu, expand Device settings. 2. Click Compliance notifications. 3. To update one or both of the message and device notification templates, click Edit notification and complete one of the following tasks: Task Update the notification template Steps 1. On the notification tab, in the Subject field, update the default text if necessary. 2. In the Message field, update the default text if necessary. You can use any of the following variables in the body text: %DevicePIN% %DeviceModel% %ComplianceRule% %ComplianceAction% Update the Device notification template 1. On the Device notification tab, in the Notification field, update the default text if necessary. You can use any of the following variables in the body text: %ComplianceRule% %ComplianceAction% 4. Click Save all. Using variables in compliance notifications If you want to customize the compliance notifications that the BlackBerry Device Service sends to users, you can use any of the following variables to populate the message body with information about the user, the compliance rule that the user violated, and the enforcement action to be taken. 64

65 Setting up device controls Variable %DevicePin% %DeviceModel% %ComplianceRule% %ComplianceAction% The user's device PIN. The user's device model. The compliance rule that the user violated to make the device non-compliant with the BlackBerry Device Service. The enforcement action that the BlackBerry Device Service performs if the device is not in compliance. Select an enforcement action for devices that are not in compliance For devices running a BlackBerry 10 OS version that is or later, you can use device compliance rules to help enforce your organization's requirements. 1. In the BlackBerry Administration Service, on the Devices menu, expand Device settings. 2. Click Compliance rules. 3. Click Integrity Alert. 4. Click Edit rule. 5. In the Enforcement action drop-down list, select one of the following actions when user accounts do not meet your organization's requirements: Task Steps Apply no enforcement action. 1. Select None. 2. Click Save all. Automatically send an message, a device notification message, or both to users that advises them of a compliance issue and of the consequences. 1. Select Prompt for compliance. 2. In the Prompt method drop-down list, select the type of message that you want the BlackBerry Device Service to send. The message body comes from the compliance notification template, which you can update. Do one of the following: To send an message and a device notification message, select and notification. To send an message, select . 65

66 Setting up device controls Task Steps To send a device notification message, select Notification. Users can view the notification on the device. 3. In the Total number of prompts field, specify the number of times an message or a device notification message should be sent before the required action is enforced. 4. In the Prompt interval field, specify the time between prompts. 5. In the Prompt interval units field, select the interval units in minutes, hours, or days. 6. In the Action after final prompt drop-down list, select the action that you want the BlackBerry Device Service to take when the prompt period expires. For example, if the prompt count is three and the prompt interval is 10 minutes, the prompt period expires after 30 minutes. Do one of the following: If you do not want to choose any options, select None. To block users from accessing your organization's resources and applications from their device, select Quarantine. Data and applications are not deleted from the device. To delete your organization's data from the device, select Delete only the organization data. To delete all data from the device, select Delete all device data. 7. Click Save all. Block users from accessing your organization's resources and applications from their device. Delete your organization's data from the device. The user receives an explaining that the data was deleted as the result of a compliance violation. Delete all data from the device. The user receives an explaining that the data was deleted as the result of a compliance violation. 1. Select Quarantine. Data and applications are not deleted from the device. 2. Click Save all. 1. Select Delete only the organization data. 2. Click Save all. 1. Select Delete all device data. 2. Click Save all. 66

67 Setting up device controls Managing app availability on devices You can use the BlackBerry Device Service to install and manage work apps in the work space on devices. Work apps can only access work data and interact with other work apps. A work app can be either an internal app or a public app available from the BlackBerry World storefront. You can add an internal app to the BlackBerry Device Service by specifying the.bar file using the BlackBerry Administration Service. The BlackBerry Device Service then adds the internal app to your organization s shared network folder. You can specify the internal work apps that you want to install, update, or remove, and you can specify whether internal apps are required or optional on devices. You can also specify the BlackBerry device models that support an internal app so that the app is installed only on compatible devices. If you specify that an app is required, the app is automatically installed on the device and the user cannot remove it. For BlackBerry 10 devices, you can also specify apps that are available to the public in BlackBerry World as optional work apps. If you specify a public app as an optional work app, the app becomes available to the user in the Public Apps tab of the BlackBerry World for Work storefront and the user can choose to install the app. Public apps that are specified as optional work apps cannot be required. BlackBerry Balance devices (excluding BlackBerry PlayBook tablets) can have the same app installed separately in the work space and the personal space. Each instance of the app is kept separate from the other and each operates under the rules and restrictions that apply to the space that it is installed in. The apps can be configured, upgraded, or removed independently, and changes to one instance have no effect on the other instance. For example, an instant messaging app installed in the personal space might be restricted from adding work contacts, while the same instant messaging app installed in the work space does not have that restriction. App developers can use various development tools to create, test, and package apps so that you can install them on the devices in your organization's environment. For more information about the development tools, visit developers. Note: The work space on devices does not support BlackBerry Runtime for Android apps. Preparing an app for delivery To prepare required work apps for delivery to devices, you must perform the following actions: Obtain the.bar files from the application developers who compiled the apps. Specify a shared network folder for the apps using the BlackBerry Administration Service. Add the apps to the BlackBerry Administration Service app repository. Create a software configuration. Add the apps to the software configuration. Assign the software configuration to user accounts or groups. 67

68 Setting up device controls After you complete these tasks, the device downloads the apps for installation the next time that the device connects to the BlackBerry Device Service. To make optional work apps available for users to install in the work spaces on their devices, you must perform the following actions: Obtain the.bar files from the application developers who compiled the apps or locate the apps in the BlackBerry World storefront. Specify a shared network folder for the apps using the BlackBerry Administration Service. If you add an app from BlackBerry World, it is not added to the shared network folder for apps. Add the apps to the BlackBerry Administration Service app repository or specify the URL of the app from BlackBerry World. Create a software configuration. Add the apps to the software configuration. Assign the software configuration to user accounts or groups. After you complete these tasks, the BlackBerry Device Service makes the apps available to the user for installation in the work space on the device. For BlackBerry 10 OS devices, the apps are available in BlackBerry World for Work. For BlackBerry PlayBook tablets, the apps are available in the Work tab of the BlackBerry World storefront. Note: You can specify apps in the public BlackBerry World storefront as optional work apps for BlackBerry 10 OS devices only. Specify a shared network folder When you add the shared network folder location to the BlackBerry Administration Service, the folders for apps, wallpaper, and certificates are created automatically in the shared network folder. Before you begin: Create a shared network folder on the network that hosts the BlackBerry Device Service. This shared network folder must not be located in <drive>:\program Files (x86)\common Files\Research In Motion. If you configure a BlackBerry Administration Service pool, ensure that all BlackBerry Administration Service instances have access to the shared network folder location. All instances in a pool use the same shared network location. Verify that the service account for the BlackBerry Administration Service Application Server has write permissions for the shared network folder. Verify that the computer that hosts the BlackBerry Device Service has read and write access to the shared network folder. The BlackBerry Device Service requires write access to the shared network folder when apps are published. 1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view. 2. Click BlackBerry Administration Service. 3. Click Edit component. 4. In the Network drive section, in the BlackBerry Administration Service shared network drive field, type the path of the shared network folder using the following format: \\<BlackBerry_Administration_Service_computer_name>\<shared_network_folder> 68

69 Setting up device controls The shared network path must be typed in UNC format (for example, \\ComputerName\Applications\Testing). 5. Click Save all. After you finish: Back up the shared network folder. Add an internal app to the app repository To send an internal app to a device, you must first add the app to the app repository. The app repository is the shared network folder for apps. An internal app is an app that is internal to your organization and is not available from the public BlackBerry World storefront. Examples of internal apps include proprietary apps that were developed by your organization, or apps that were created by third-party developers for your organization's exclusive use. When you add an internal app, you can specify the devices that support it so that the app is installed only on compatible devices. You can also specify keywords to make the app easier to find in the repository. After the app is added, the app location is listed as "Internal" in the BlackBerry Administration Service. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Software > Applications. 2. Click Add or update applications. 3. In the Application location section, click Browse. Navigate to the app bundle that you want to add to, or update in, the app repository. 4. Click Next. 5. Perform one of the following actions: Option Add information about the app, including keywords and device compatibility restrictions, and add the app to the repository. Step 1. Click the view icon. 2. Perform any of the following actions: In the Application keywords and Version keywords sections, specify keywords. In the Author field, specify information about the author. In the Device compatibility information section, if the app is supported on all devices, select All devices are supported. The app is installed on all devices. If the app is supported on specific devices, select Restricted to the following devices, click the device names in the Available devices field, and add them to the Current devices supported field. The app is installed only on the devices listed in the Current devices supported field. 3. Click Publish application. 69

70 Setting up device controls Option Add the app to the repository without adding keywords or device compatiblity restrictions. Step Click Publish application. Add a public app from the BlackBerry World storefront You can make public apps available for installation as optional work apps on BlackBerry 10 devices. A public app is an app that is available from the public BlackBerry World storefront. To make a public app available for installation in the work space, you must specify the app in the BlackBerry Administration Service. When you add the app, you can specify keywords to make the app easier to find in the BlackBerry Administration Service. After the app is added, the app location is listed as "BlackBerry World" in the BlackBerry Administration Service. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Software > Applications. 2. Click Add BlackBerry World applications. 3. In the BlackBerry World URL field, specify the URL of the application from BlackBerry World. 4. Click Next. 5. If desired, click the view icon and specify keywords in the Application keywords field. 6. Click Publish application. Change device restrictions for internal apps You can change device restrictions for internal apps that have been added to the app repository. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Software > Applications. 2. Click Manage applications. 3. Search for the app. 4. In the search results, click the name of the app. 5. In the Application versions section, click the app version. 6. Click Edit application. 7. In the Device compatibility information section, select Restricted to the following devices and change the device restrictions. If you remove a device from the Current devices supported field, work apps that are installed on those device models could be removed. 8. Click Save. 70

71 Setting up device controls Sending and removing apps from devices You can use software configurations to bundle applications so that the applications can be installed on devices. When you create a software configuration, you can specify the following: Versions of the applications that you want to install on devices Whether applications are required or optional After you create a software configuration, you can assign it to a group or individual user accounts. The BlackBerry Administration Service creates a deployment job to make the required applications available for devices to download and install. A deployment job consists of a number of tasks. Each task manages the delivery of a specific object (for example, an application) by communicating with the appropriate BlackBerry Device Service components. The device automatically installs required apps in the work space after the device downloads them. The BlackBerry Administration Service creates an application job task to install or remove required apps. The BlackBerry Administration Service does not create an application job task to install optional apps, but it does create an application job task to remove optional apps. Optional internal apps are made available on BlackBerry PlayBook tablets in the Work tab in the BlackBerry World storefront. Optional internal apps are made available on BlackBerry 10 devices in the Company Apps tab in BlackBerry World for Work storefront, and apps that are available in BlackBerry World that you specify as optional work apps are made available in the Public Apps tab of BlackBerry World. To remove an app from devices, you can remove the application from a software configuration. Create a software configuration 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Software. 2. Click Create a software configuration. 3. In the Configuration information section, in the Name field, type a name for the software configuration. 4. Click Save. After you finish: Add apps to the software configuration. Change a software configuration 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Software. 2. Click Manage software configurations. 3. Click the name of the software configuration. 4. Click Edit software configurations. 5. Make the changes on the appropriate tabs. 71

72 Setting up device controls 6. Click Save all. Add an app to a software configuration You must add an app to a software configuration to send the app to BlackBerry devices. If you want to upgrade an app, you must add the new version of the app to the appropriate software configuration. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Software. 2. Click Manage software configurations. 3. Click the software configuration that you want to add an app to. 4. Click Edit software configuration. 5. On the Applications tab, click Add applications to software configuration. 6. Search for the app that you want to add to the software configuration. 7. In the search results, select an app that you want to add to the software configuration. 8. For apps in the applications repository, in the Disposition drop-down list for the app, perform one of the following actions: To install the app automatically on devices, and to prevent users from removing the app, select Required. To permit users to install and remove the app, and to add the app to the Work tab in the BlackBerry World storefront, select Optional. 9. Repeat steps 6 to 8 for each app that you want to add to the software configuration. 10. Click Add to software configuration. 11. Click Save all. Delete an app from a software configuration 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Software. 2. Click Manage software configurations. 3. Click a software configuration. 4. Click Edit software configuration. 5. On the Applications tab, click the Delete icon for the app. 6. Click Save all. Change how to install, update, or remove required apps You can change the settings that the BlackBerry Administration Service uses to install and upgrade required apps on devices or remove required apps from devices. If you change the default application distribution settings, there might be a performance effect on your organization's environment. 1. In the BlackBerry Administration Service, on the Devices menu, expand Deployment jobs. 72

73 Setting up device controls 2. Click Specify application distribution settings. 3. Click Edit distribution settings. 4. Perform any of the following tasks: Task Change when the BlackBerry Administration Service can install, upgrade, or remove apps. Steps 1. On the Default schedule tab, click the Edit icon for the default schedule. 2. In the Scheduled deployment day(s) drop-down list, click the appropriate recurrence option. If necessary, select the days that the BlackBerry Administration Service can install, upgrade, or remove apps. 3. In the Start time drop-down list, click the appropriate option. If necessary, change the start time and end time. 4. Click the Update icon. By default, the BlackBerry Administration Service can install, upgrade, or remove apps every day. Add a new schedule for installing, upgrading, or removing apps. Any schedules that you add cannot overlap with other existing schedules. 1. On the Default schedule tab, in the Scheduled deployment day(s) dropdown list, click the appropriate recurrence option. If necessary, select the days that the BlackBerry Administration Service can install, upgrade, or remove apps. 2. In the Start time drop-down list, click the appropriate option. If necessary, change the start time and end time. 3. Click the Add icon. 5. On the System throttling tab, in the Maximum number of simultaneous tasks per BlackBerry Administration Service instance field, type the maximum number of tasks that you want the BlackBerry Administration Service to process at the same time. The default value is On the Job throttling tab, to turn on throttling for all application tasks in jobs, select Enabled to reduce load on system. 7. If necessary, in the Default throttling for all application tasks in each job in a time window section, in the Maximum number of simultaneous tasks per BlackBerry Administration Service instance field, type the maximum number of application tasks that you want the BlackBerry Administration Service to process at the same time. The default value is If necessary, in the Total number of tasks per time window per BlackBerry Administration Service instance field, type the total number of application tasks that you want the BlackBerry Administration Service to process during each processing interval. The default value is Click Save all. 73

74 Setting up device controls Make an app unavailable for installation You can delete an app and all versions of the app from the application repository if you do not want the app to be available to add to software configurations. You cannot delete an app from the application repository if the application is in a software configuration. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Software > Applications. 2. Click Manage applications. 3. Search for an app. 4. In the search results, click the name of the app. 5. Click Delete application. 6. Click Yes - Delete the application and all application versions. Delete a software configuration 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Software. 2. Click Manage software configurations. 3. Click the name of the software configuration. 4. Click Edit software configurations. 5. Click Delete software configuration. 6. Click Yes - Delete the software configuration. Reconciling multiple software configurations that are assigned to a user account If you assign multiple software configurations to user accounts or groups, the multiple software configurations might contain conflicting settings. For example, you might specify that an app is required in a software configuration that you assign to a user account, but you might also specify that the same app is optional in a software configuration that you assign to a group that the user account belongs to. The BlackBerry Administration Service uses predefined reconciliation rules to reconcile conflicting settings in multiple software configurations, and to determine which apps and settings the BlackBerry Administration Service applies to a device. The BlackBerry Administration Service reconciles conflicting settings as an asynchronous background activity. You can view the outcome of the reconciliation activities, reconciliation errors, and the applications and settings that the BlackBerry Administration Service applied to a device. The BlackBerry Administration Service might have to reconcile software configuration settings that conflict if you perform any of the following actions: 74

75 Setting up device controls Activate a device Assign a new device to a user Assign a user account to or remove a user account from a group Add a group to or remove a group from another group Add an app to or remove an app from a software configuration Change the settings for an app in a software configuration Reconciliation rules for apps Scenario Rule Multiple software configurations are assigned to a user account or the groups the user account belongs to. Multiple apps are contained in each software configuration. The apps in each software configuration are installed on the device. Multiple software configurations that contain different versions of the same app are assigned to a user account or the groups the user account belongs to. Multiple software configurations that contain the same app are assigned to a user account or the groups the user belongs to. The disposition of the app (required or optional) is different in each software configuration. One or more software configurations that include apps are assigned to a user account or the groups the user belongs When different versions of an app exist in the software configurations that are assigned to a user account, the latest version of the app is installed on the device. For example, if a software configuration with version 1.0 of an app is assigned to a user account, and another software configuration with version 2.0 of the application is assigned to a user account, version 2.0 of the application is installed on the device. The version of an app that is in a software configuration that is assigned to a user account takes precedence over the version of an app that is in a software configuration that is assigned to a group. For example, if version 1.0 of an app is in a software configuration that is assigned to a user account, and version 2.0 of an app is in a software configuration that is assigned to a group that the user belongs to, version 1.0 of the app is installed on the device. The disposition specified for an app in a software configuration that is assigned to a user account takes precedence over the disposition of the same app in any software configuration that is assigned to a group. If the app has different dispositions in multiple software configurations that are assigned at the same level (either to the user account or groups), the required disposition takes precedence over the optional disposition. The BlackBerry Administration Service checks the amount of available memory on the device after resolving 75

76 Setting up device controls Scenario to, but a limited amount of available memory remains on the device. A software configuration is assigned to a user account and it contains an app that has a dependency on another app. A software configuration is assigned to a user account and it contains an app that has a dependency on another app. The dependent app is not supported on the device. Rule application conflicts (for example, resolving conflicting disposition settings) and before installing an app. If there is not enough memory available on the device to support the app, the app is not installed. Required apps take precedence over optional apps. If an app in a software configuration has a dependency on another app, and the other app is not included in a software configuration that is assigned to the user account or a group that the user belongs to, the app is not installed on the device. If an app in a software configuration has a dependency on another app, and the dependent app is included in a software configuration that is assigned to the user account or a group the user belongs to, the dependent app is installed first. If the dependent app is installed successfully, the app with the dependency is then installed. If a dependent app is not supported by the device or was not installed successfully on the device, the app with the dependency is not installed on the user's device. Multiple apps have a circular dependency (for example, app A is dependent on app B, app B is dependent on app C, and app C is dependent on app A) and are included in the same application bundle. The application bundle is added to the application repository. The apps are added to a software configuration and assigned to a user account or a group the user belongs to. If multiple apps are included in the same application bundle and have a circular dependency, the applications are not installed on the device. If multiple applications have a circular dependency, they can only be installed if they exist in separate application bundles. View how the BlackBerry Administration Service resolved software configuration conflicts for a user account You can assign multiple software configurations to a user account or group. The BlackBerry Administration Service uses specific rules to resolve conflicting settings in the multiple software configurations that you assign to a user account or group. After the BlackBerry Administration Service applies software configurations to a device, you can view how the BlackBerry Administration Service resolved any of the conflicting settings in the multiple software configurations. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Manage users. 3. Search for a user account. 76

77 Setting up device controls 4. Click a device PIN. 5. On the Applications tab, click View resolved applications. 6. View the appropriate information about how the BlackBerry Administration Service resolved the software configuration conflicts for the user account. 77

78

79 4 Managing groups, users, and device controls

80 Managing groups, users, and device controls Creating and managing groups You can manage multiple user accounts by adding the user accounts to a group and managing the group. A group is a collection of related BlackBerry device users who share commonly configured properties. Administering users as a group is more efficient than administering individual users because properties can be set, applied, or changed simultaneously for all members of the group. The BlackBerry Device Service includes preconfigured groups. You can also create groups to meet your organization's requirements. A group can contain user accounts, administrator accounts, and other groups (which are called child groups). When you configure properties for a group, the accounts and groups in the group inherit the properties. When you add a group to another group, you create a parent and child group relationship. The properties of the parent group are inherited by the user accounts in the child groups. About preconfigured groups The BlackBerry Device Service includes preconfigured groups and the preconfigured groups are assigned preconfigured roles. You can use the preconfigured groups in your organization's environment instead of creating new groups for administrators. Preconfigured group Administrators BES10 Self-Service users Help desk representatives This is a preconfigured group for administrators. The Enterprise Administrator role is assigned to this group. This is a preconfigured group for BES10 Self-Service users. A role is not assigned to this group. BES10 Self-Service allows BlackBerry device users to create an activation password and activate their devices over the wireless network. This is a preconfigured group for administrators. The Junior Helpdesk role is assigned to this group. Create a group 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group. 2. Click Create a group. 80

81 Managing groups, users, and device controls 3. In the Name field, type a name for the group. 4. In the field, type a description for the group. 5. Click Save. After you finish: Change the group to configure the properties of the group. Change a group After you create a group, you can configure the properties for the group. When you add user accounts and administrator accounts to a group, the accounts inherit the properties of the group. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group. 2. Click Manage groups. 3. Click the group name. 4. Click Edit group. 5. Make the changes on the appropriate tabs. 6. Click Save all. Delete a group 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group. 2. Click Manage groups. 3. Click the group name. 4. Click Delete group. 5. Click Yes - Delete the group. Add child groups to a group 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group. 2. Click Manage groups. 3. Click the group name. 4. Click Edit group. 5. Click the Child groups tab. 6. Perform one of the following actions: 81

82 Managing groups, users, and device controls To add one child group to the group, select the child group in the Available groups list and click Add. To add more than one child group to the group, select multiple child groups in the Available groups list and click Add. To add all of the child groups to the group, click Add all. 7. Click Save all. Delete child groups from a parent group 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group. 2. Click Manage groups. 3. Click the group name. 4. Click Edit group. 5. Click the Child groups tab. 6. Perform one of the following actions: To delete one child group from the group, select the child group in the Current groups list and click Remove. To delete more than one child group from the group, select multiple child groups in the Current groups list and click Remove. To delete all of the child groups from the group, click Remove all. 7. Click Save all. Add roles to a group 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group. 2. Click Manage groups. 3. Click the group name. 4. Click Edit group. 5. Click the Roles tab. 6. Perform one of the following actions: To add one role to the group, select the role in the Available roles list and click Add. To add more than one role to the group, select multiple roles in the Available roles list and click Add. To add all of the roles to the group, click Add all. 7. Click Save all. 82

83 Managing groups, users, and device controls Delete roles from a group 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group. 2. Click Manage groups. 3. Click the group name. 4. Click Edit group. 5. Click the Roles tab. 6. Perform one of the following actions: To delete one role from the group, select the role in the Current roles list and click Remove. To delete more than one role from the group, select multiple roles in the Current roles list and click Remove. To delete all of the roles from the group, click Remove all. 7. Click Save all. 83

84 Managing groups, users, and device controls Applying device controls to a group Once you have created your groups, you then need to modify them in order to add your organization's specific policies and profiles to them. Add software configurations to a group You can add a software configuration to a group to control the apps that are optional and required on the BlackBerry devices that are associated with the user accounts in the group. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group. 2. Click Manage groups. 3. Click the name of the group. 4. Click Edit group. 5. Click the Software configurations tab. 6. Perform one of the following actions: To add one software configuration to the group, select the software configuration and click Add. To add more than one software configuration to the group, select multiple software configurations and click Add. To add all of the software configurations to the group, click Add all. 7. Click Save all. Delete software configurations from a group 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group. 2. Click Manage groups. 3. Click the name of the group. 4. Click Edit group. 5. Click the Software configurations tab. 6. Perform one of the following actions: To delete one software configuration from the group, select the software configuration and click Remove. 84

85 Managing groups, users, and device controls To delete more than one software configuration from the group, select multiple software configurations and click Remove. To delete all of the software configurations from the group, click Remove all. 7. Click Save all. Add an IT policy to a group 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group. 2. Click Manage groups. 3. Click the name of the group. 4. Click Edit group. 5. Click the Policies tab. 6. In the IT policy list, select the IT policy. 7. Click Save all. Delete an IT policy from a group 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group. 2. Click Manage groups. 3. Click the name of the group. 4. Click Edit group. 5. On the Policies tab, in the IT policy list, select the empty field. 6. Click Save all. Add Wi-Fi profiles to a group 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group. 2. Click Manage groups. 3. Click the name of the group. 4. Click Edit group. 5. Click the Wi-Fi profiles tab. 6. Perform one of the following actions: 85

86 Managing groups, users, and device controls To add one Wi-Fi profile to the group, select the profile in the Available Wi-Fi profiles list and click Add. To add more than one Wi-Fi profile to the group, select multiple profiles in the Available Wi-Fi profiles list and click Add. To add all of the Wi-Fi profiles to the group, click Add all. 7. Click Save all. Delete Wi-Fi profiles from a group 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group. 2. Click Manage groups. 3. Click the group name. 4. Click Edit group. 5. Click the Wi-Fi profiles tab. 6. Perform one of the following actions: To delete one Wi-Fi profile from the group, select the profile in the Wi-Fi profiles list and click Remove. To delete more than one Wi-Fi profile from the group, select multiple profile in the Current roles list and click Remove. To delete all of the Wi-Fi profiles from the group, click Remove all. 7. Click Save all. Add VPN profiles to a group 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group. 2. Click Manage groups. 3. Click the group name. 4. Click Edit group. 5. Click the VPN profiles tab. 6. Perform one of the following actions: To add one VPN profile to the group, select the profile in the Available VPN profiles list and click Add. To add more than one VPN profile to the group, select multiple profiles in the Available VPN profiles list and click Add. To add all of the VPN profiles to the group, click Add all. 7. Click Save all. 86

87 Managing groups, users, and device controls Delete VPN profiles from a group 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group. 2. Click Manage groups. 3. Click the group name. 4. Click Edit group. 5. Click the VPN profiles tab. 6. Perform one of the following actions: To delete one VPN profile from the group, select the profile in the Current VPN profile list and click Remove. To delete more than one VPN profile from the group, select multiple profiles in the Current roles list and click Remove. To delete all of the VPN profiles from the group, click Remove all. 7. Click Save all. 87

88 Managing groups, users, and device controls Creating and changing user accounts User accounts represent BlackBerry device users in your organization. You can create a user account from your company directory or you can create local user accounts on a computer that hosts the BlackBerry Device Service. After you create a user account, you can manage user accounts and their associated devices. You can manage user accounts by adding user accounts to a group so that the properties of the group are assigned to the user accounts automatically. A group can contain user accounts that you want to manage collectively. You can also assign an IT policy to a user account to control the actions users can perform using their devices. When you create user accounts, BlackBerry Balance technology allows the users' devices to have both a personal and work space. For more information on BlackBerry Balance, see the BlackBerry Device Service Security and Technical Overview. Creating organization notices You can display an organization notice that users must accept before they can complete device activation. You can specify what is displayed in the organization message. This notice can outline the terms and conditions the user must follow to comply with your organization's security requirements. You can specify whether the organization notice appears in the default language on the device or a different language. You can have more than one organization message, and each can appear in a different language, but you can have only one default language on the device. Create organization notices 1. In the BlackBerry Administration Service, in the Servers and components menu, expand BlackBerry Solution topology. 2. Select BlackBerry Domain. 3. Select the Organization notices tab. 4. Select Edit domain 5. In the first drop-down list, select the Device language for the notice. 6. Type the Organization notice message in the text box. 7. Select whether this notice is the Default language or not. 8. Select Save all 9. Repeat for any additional languages and organization notice messages that you want to add. 88

89 Managing groups, users, and device controls Create a user account Before you begin: Verify that the user account exists in your organization's user directory. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Create a user. 3. Search for a user account. 4. Select the check box beside the display name for the user account. 5. Click Continue. 6. In the Available BlackBerry Device Service instances list, click the BlackBerry Device Service instance for the user account. 7. In the Available groups list, perform one of the following actions: To add the user account to one group, select the group and click Add. To add the user account to more than one group, select multiple groups and click Add. To add the user account to all of the groups, click Add all. 8. To add an profile, in the profile drop-down list, select an profile. 9. In the Activation information section, perform one of the following tasks: Task Create an account that has both a personal and a work space on the device. The organization has control over the work space only. Create an account that has only a work space on the device. Create an account that has both a personal and work space on the device. The organization has full control over the device. This option is available for devices with BlackBerry 10 OS version or later. Steps In the Activation type for new and reactivated devices drop-down list, select Work and personal - Corporate. In the Activation type for new and reactivated devices drop-down list, select Work space only. In the Activation type for new and reactivated devices drop-down list, select Work and personal - Regulated. 10. Perform one of the following tasks: 89

90 Managing groups, users, and device controls Task Steps Specify a device activation password. 1. Click Create a user with an activation password. 2. Type and confirm an activation password. 3. To specify the length of time that the activation password exists before it expires, in the Password expiration (hours) field, type the number of hours. 4. Click Create user. Create a user with a generated activation password. For this task, the wireless device activation settings must be configured to allow activation information to be sent in an . Do not specify a device activation password. Click Create a user with a generated activation password. Click Create a user without an activation password. Related information Managing work and personal spaces, 60 Configuring the default device activation type for all new users, 61 Configure the default device activation type for all new user accounts, 61 Create a local user account 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Create a local user. 3. In the Display name field, type a name for the local user account. 4. In the Address field, type the address of the local user. 5. In the Authentication section, in the User name field, type the username for the local user account. 6. In the Password and Confirm password fields, type the password for the local user account. 7. Click Continue. 8. In the Available BlackBerry Device Service instances list, click the BlackBerry Device Service instance for the local user account. 9. In the Available groups list, perform one of the following actions: To add the local user account to one group, select the group and click Add. To add the local user account to more than one group, select multiple groups and click Add. 90

91 Managing groups, users, and device controls To add the local user account to all of the groups, click Add all. 10. To add an profile, in the profile drop-down list, select an profile. 11. In the Activation information section, perform one of the following tasks: Task Create an account that has both a personal and a work space on the device. The organization has control over the work space only. Create an account that has only a work space on the device. Steps In the Activation type for new and reactivated devices drop-down list, select Work and personal - Corporate. In the Activation type for new and reactivated devices drop-down list, select Work space only. Create an account that has both a personal and work space on the device. The organization has full control over the device. This option is available for devices with BlackBerry 10 OS version or later In the Activation type for new and reactivated devices drop-down list, select Work and personal - Regulated. 12. Perform one of the following tasks: Task Steps Specify a device activation password. 1. Click Create a user with an activation password. 2. Type and confirm an activation password. 3. To specify the length of time that the activation password exists before it expires, in the Password expiration (hours) field, type the number of hours. 4. Click Create user. Create a user with a generated activation password. For this task, an address is required and the wireless device activation settings must be configured to allow activation information to be sent in an . Do not specify a device activation password. Click Create a user with a generated activation password. Click Create a user without an activation password. Related information Managing work and personal spaces, 60 91

92 Managing groups, users, and device controls Configuring the default device activation type for all new users, 61 Configure the default device activation type for all new user accounts, 61 Synchronize new or updated user information with a company directory You can update user information in a company directory and synchronize the information manually with the BlackBerry Administration Service. For example, if a user changes his or her name, you can immediately update it in both the company directory and the BlackBerry Administration Service. 1. In the company directory, update the user account properties. 2. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 3. Click Manage users. 4. Search for the user account. 5. In the search results, click the display name for the user account. 6. Click Synchronize user. Change a user account 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Manage users. 3. Search for a user account. 4. In the search results, click the display name for the user account. 5. Click Edit user. 6. Make the changes on the appropriate tabs. 7. Click Save all. Create user accounts from a.csv file Before you begin: Export user accounts from the BlackBerry Administration Service. Verify that the user account exists in your organization's user directory. You can create a list of user accounts by importing information about the user accounts from a.csv file. 92

93 Managing groups, users, and device controls 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Create a user. 3. Click Import new users. 4. Click Browse. 5. Navigate to the.csv file and click Open. 6. Click Continue. 7. To add the user account to a group, in the Available groups list, select a group and click Add. 8. To add an profile, in the profile drop-down list, select an profile. 9. In the Activation information section, perform one of the following tasks: Task Create an account that has both a personal and a work space on the device. The organization has control over the work space only. Create an account that has only a work space on the device. Step In the Activation type for new and reactivated devices drop-down list, select Work and personal - Corporate. In the Activation type for new and reactivated devices drop-down list, select Work space only. Create an account that has both a personal and work space on the device. The organization has full control over the device. This option is available for devices with BlackBerry 10 OS version or later. In the Activation type for new and reactivated devices drop-down list, select Work and personal - Regulated. 10. Perform one of the following tasks: Task Steps Specify a device activation password. 1. Click Create a user with an activation password. 2. Type and confirm an activation password. 3. To specify the length of time that the activation password exists before it expires, in the Password expiration (hours) field, type the number of hours. 4. Click Create user. Do not specify a device activation password. Click Create a user without an activation password. 93

94 Managing groups, users, and device controls Create local user accounts from a.csv file Before you begin: Export user accounts from the BlackBerry Administration Service. Add columns named Login Name and Login Password to the exported.csv and populate those columns with the local users' usernames and passwords. You can create a list of local user accounts by importing information about the local user accounts from a.csv file. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Create a local user. 3. Click Import new users. 4. Click Browse. 5. Navigate to the.csv file and click Open. 6. Click Continue. 7. In the Available BlackBerry Device Service instances list, click the BlackBerry Device Service instance for the local user account. 8. In the Available groups list, perform one of the following actions: To add the local user account to one group, select the group and click Add. To add the local user account to more than one group, select multiple groups and click Add. To add the local user account to all of the groups, click Add all. 9. To add an profile, in the profile drop-down list, select an profile. 10. In the Activation information section, perform one of the following tasks: Task Create an account that has both a personal and a work space on the device. The organization has control over the work space only. Create an account that has only a work space on the device. Steps In the Activation type for new and reactivated devices drop-down list, select Work and personal - Corporate. In the Activation type for new and reactivated devices drop-down list, select Work space only. Create an account that has both a personal and work space on the device. The organization has full control over the device. This option is In the Activation type for new and reactivated devices drop-down list, select Work and personal - Regulated. 94

95 Managing groups, users, and device controls Task Steps available for devices with BlackBerry 10 OS version or later. 11. Perform one of the following tasks: Task Steps Specify a device activation password. 1. Click Create a user with an activation password. 2. Type and confirm an activation password. 3. To specify the length of time that the activation password exists before it expires, in the Password expiration (hours) field, type the number of hours. 4. Click Create user. Create a user with a generated activation password. For this task, an address is required and the wireless device activation settings must be configured to allow activation information to be sent in an . Do not specify a device activation password. Click Create a user with a generated activation password. Click Create a user without an activation password. Change the user accounts in a.csv file You can change all of the user accounts that you import from a.csv file. The BlackBerry Administration Service selects all of the user accounts in the.csv file automatically so that you do not need to manually search for and select each user account. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Manage users. 3. Click Manage multiple users from an import list. 4. Click Browse. 5. Navigate to the.csv file and click Open. 6. Click Next. 7. Select the user accounts that you want to change and make the appropriate changes. 95

96 Managing groups, users, and device controls 8. Click Save all. Create a list of all user accounts and their associated devices To create a list of user accounts and the devices associated with those accounts, export the information to a.csv file. You can use this list to determine what user s accounts are associated with which type of device or to perform an audit on the number of managed devices in your organization. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Manage users. 3. Click Search. 4. Click Export all results. 5. Click Download file. Create a list of selected user accounts and their associated devices To create a list of selected user accounts and the devices associated with those accounts, export the information to a.csv file. You can use this list to determine what user s accounts are associated with which type of device or to perform an audit on the number of managed devices in your organization. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Manage users. 3. Search for the user accounts. 4. In the search results, check the boxes next to the name you want to export. 5. In the Export users section, click Export selected users. 6. Click Download file. Move a user account from one BlackBerry Device Service instance to another You can use the BlackBerry Administration Service to move user accounts from one BlackBerry Device Service instance to another instance within the same BlackBerry Device Service domain. 96

97 Managing groups, users, and device controls If there are deployment tasks that are in process when you select to move user accounts to another instance, the BlackBerry Device Service prompts you to confirm the move. For information about deployment jobs, see Managing how device controls are sent to devices. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Manage users. 3. Search for one or more user accounts. 4. In the search results, select one or more user accounts. 5. In the BlackBerry Device Service status list, click Switch BlackBerry user to different BlackBerry Device Service. 6. In the Available BlackBerry Device Service instances list, click the BlackBerry Device Service instance that you want to move the user accounts to. 7. Click Next. 8. A message appears indicating that some of the user accounts might have pending deployment tasks. Perform one of the following actions: If you want to cancel any pending deployment tasks and move all of the user accounts, click Yes - Switch the users and fail the deployment tasks. If you do not want to move the user accounts that have pending deployment tasks, click No - Switch only the users that have no existing deployment tasks. Delete a user account When you delete a user account you remove the account and all devices associated with it from the BlackBerry Device Service. You can also delete data from the devices when the devices are removed. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Manage users. 3. Search for a user account. 4. In the search results, click the display name of the user account. 5. In the Status list, click Delete user. 6. Perform one of the following actions: Option Delete the user account and delete work data from all devices associated with the account. Step Click Yes - Delete the user and delete only the organization data for associated devices 97

98 Managing groups, users, and device controls Option Delete the user account and delete all data from all devices associated with the account. Delete the user account and remove all devices associated with the account, but do not delete any data from the devices. Step Click Yes - Delete the user and delete all device data for associated devices. Click Yes - Delete the user and remove the device without deleting device data. 98

99 Managing groups, users, and device controls Managing groups and roles for user accounts You can manage multiple user accounts by adding the user accounts to a group and managing the group. You can use roles to specify the information that an user can view and the tasks that a user can perform in the BlackBerry Device Service. Add user accounts to groups When you add a user account to a group, the user account inherits the roles, software configurations, IT policies, and profile settings of the group. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Manage users. 3. Search for the user account. 4. In the search results, select the check box for the user account. 5. Click Add group. 6. Perform one of the following actions: To add the user account to one group, select the group and click Add. To add the user account to more than one group, select multiple groups and click Add. To add the user account to all of the groups, click Add all. 7. Click Save. Delete user accounts from groups 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Manage users. 3. Search for a user account. 4. In the search results, select the check box for the user account. 5. Click Remove group. 99

100 Managing groups, users, and device controls 6. Perform one of the following actions: To delete the user account from one group, select the group and click Remove. To delete the user account from more than one group, select multiple groups and click Remove. To delete the user account from all of the groups, click Remove all. 7. Click Save. Add roles to user accounts You can add roles to user accounts to allow users to view information and perform tasks in the BlackBerry Administration Service. When you add a role to a user account, the account becomes an administrator account. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Manage users. 3. Search for a user account. 4. In the search results, select the check box for the user account. 5. Click Add role. 6. Perform one of the following actions: To add one role to the user account, select the role and click Add. To add more than one role to the user account, select multiple roles and click Add. To add all of the roles to the user account, click Add all. 7. Click Save. Delete roles from user accounts 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Manage users. 3. Search for a user account. 4. In the search results, select the check box for the user account. 5. Click Remove role. 6. Perform one of the following actions: To delete one role from the user account, select the role and click Remove. To delete more than one role from the user account, select multiple roles and click Remove. To delete all of the roles from the user account, click Remove all. 100

101 Managing groups, users, and device controls 7. Click Save. 101

102 Managing groups, users, and device controls Applying device controls to user accounts Once you have created your user accounts, you then need to modify them to ensure they meet your organization's security requirements and can access your company's required applications. Add software configurations to user accounts You can add a software configuration to a user account to control the apps on a BlackBerry device. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Manage users. 3. Search for a user account. 4. In the search results, select the check box for the user account. 5. In the Add to user configuration list, click Add software configuration. 6. Perform one of the following actions: To add one software configuration to the user account, select the software configuration and click Add. To add more than one software configuration to the user account, select multiple software configurations and click Add. To add all of the software configurations to the user account, click Add all. 7. Click Save. Delete software configurations from user accounts 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Manage users. 3. Search for a user account. 4. In the search results, select the check box for the user account. 5. In the Remove from user configuration list, click Remove software configuration. 6. Perform one of the following actions: To delete one software configuration from the user account, select the software configuration and click Remove. 102

103 Managing groups, users, and device controls To delete more than one software configuration from the user account, select multiple software configurations and click Remove. To delete all of the software configurations from the user account, click Remove all. 7. Click Save. Add an IT policy to a user account You can use IT policies to control and manage BlackBerry devices in your organization's environment. An IT policy consists of multiple IT policy rules that manage the security and behavior of the BlackBerry Device Service and devices. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Manage users. 3. Search for a user account. 4. In the search results, select the check box for the user account. 5. In the Add to user configuration list, click Set IT policy. 6. In the IT policy drop-down list, select the IT policy. 7. Click Save. Delete an IT policy from a user account 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Manage users. 3. Search for a user account. 4. In the search results, select the check box for the user account. 5. In the Remove from user configuration list, click Clear IT policy for user. Add Wi-Fi profiles to user accounts Wi-Fi profiles specify how BlackBerry device users connect to your organization's Wi-Fi network. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Manage users. 3. Search for a user account. 4. In the search results, select the check box for the user account. 103

104 Managing groups, users, and device controls 5. In the Add to user configuration list, click Add Wi-Fi profile. 6. Perform one of the following actions: To add one Wi-Fi profile to the user account, select the Wi-Fi profile and click Add. To add more than one Wi-Fi profile to the user account, select multiple Wi-Fi profiles and click Add. To add all of the Wi-Fi profiles to the user account, click Add all. 7. Click Save. Delete Wi-Fi profiles from user accounts 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Manage users. 3. Search for a user account. 4. In the search results, select the check box for the user account. 5. In the Remove from user configuration list, click the Remove Wi-Fi profile. 6. Perform one of the following actions: To delete one Wi-Fi profile from the user account, select the Wi-Fi profile and click Remove. To delete more than one Wi-Fi profile from the user account, select multiple Wi-Fi profiles and click Remove. To delete all of the Wi-Fi profiles from the user account, click Remove all. 7. Click Save. Add VPN profiles to user accounts VPN profiles specify how BlackBerry device users connect to your organization's VPN. 1. In the BlackBerry Administration Service on the BlackBerry solution management menu, expand User. 2. Click Manage users. 3. Search for a user account. 4. In the search results, select the check box for the user account. 5. In the Add to user configuration list, click Add VPN profile. 6. Perform one of the following actions: To add one VPN profile to the user account, select the VPN profile and click Add. To add more than one VPN profile to the user account, select multiple VPN profiles and click Add. To add all of the VPN profiles to the user account, click Add all. 104

105 Managing groups, users, and device controls 7. Click Save. Delete VPN profiles from user accounts 1. In the BlackBerry Administration Service on the BlackBerry solution management menu, expand User. 2. Click Manage users. 3. Search for a user account. 4. In the search results, select the check box for the user account. 5. In the Remove from user configuration list, click Remove VPN profile. 6. Perform one of the following actions: To delete one VPN profile from the user account, select the VPN profile and click Remove. To delete more than one VPN profile from the user account, select multiple VPN profiles and click Remove. To delete all of the VPN profiles from the user account, click Remove all. 7. Click Save. Add an profile to a user account profiles specify how BlackBerry device connect to your organization's messaging server and synchronize messages and organizer data using Microsoft ActiveSync. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Manage users. 3. Search for a user account. 4. In the search results, select the check box for the user account. 5. In the Add to user configuration list, click Set profile. 6. Select the profile. 7. Click Save. Delete an profile from a user account 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Manage users. 3. Search for a user account. 105

106 Managing groups, users, and device controls 4. In the search results, select the check box for the user account. 5. In the Remove from user configuration list, click Clear profile. 106

107 5 Activating and managing devices

108 Activating and managing devices Activating devices When you activate a BlackBerry device in the BlackBerry Device Service, you associate the device with your organization's environment so that users can access work data on their devices. To activate a device, you can use any of the following methods. Method Connecting devices to a computer that can access the BlackBerry Administration Service Using BES10 Self-Service Allowing activation over the wireless network You can activate devices by connecting them to a computer, logging in to the BlackBerry Administration Service, and manually activating the devices. After the devices are activated, you can distribute them to users. Users can create activation passwords in BES10 Self- Service and activate their devices over the wireless network. New users and users that receive replacement devices can activate their devices without requiring a physical connection to your organization's network. Preparing to assign devices Before you assign devices to user accounts, you might want to consider performing the following tasks to ensure the user accounts are prepared to activate devices and that they meet your organization's security requirements. Action Create a user account Add an IT policy to a user account Add a Wi-Fi profile to a user account Add a VPN profile to a user account Add an profile to a user account Create a user account in the BlackBerry Administration Service and configure the user account properties. You can use an IT policy to extend your organization's security policies to a BlackBerry device. A device can use a Wi-Fi profile to connect to your organization's Wi-Fi network. A device can use a VPN profile to connect to your organization's VPN gateway. A device can use an profile to connect to your organization's messaging system. 108

109 Activating and managing devices Action Provide BES10 Self-Service login information to a user. Configure the SMTP notication settings A user can set an activation password in BES10 Self- Service. You must configure the SMTP server settings and account information to receive notifcations. Activate a device using the BlackBerry Administration Service 1. Connect the BlackBerry device to a computer that can access the BlackBerry Administration Service. 2. In the BlackBerry Administration Service, on the Devices menu, expand Attached devices. 3. If multiple devices are connected, click Overview. Select the devices that you want to activate, and click Save. 4. Perform one of the following tasks: Task Assign a device that has never been activated on a user account. Steps 1. Click Manage current device. 2. Click Assign the current device to a user. 3. Search for a user account. 4. In the search results, select a user account. 5. Click Associate user. 6. Perform one of the following actions: If no other device is assigned to the user account, click Yes Assign the device. If at least one other device is assigned to the user account, in the Assign device to user section, specify if this is an additional device that are you activating for the user account or a replacement device. If it is a replacement device, specify which device you want to replace it with and click Yes Assign the device. If a work space exists on the device that you are replacing, the work space is deleted. Assign a previously activated device to a different user account. 1. Click Manage current device. 2. Click Assign the current device to a different user. 3. Click Yes Assign the device. The existing work space on the device is deleted. 4. Search for a user account. 109

110 Activating and managing devices Task Steps 5. In the search results, select a user account. 6. Click Associate user. 7. Perform one of the following actions: If no other devices are assigned to the user account, click Yes Assign the device. If at least one other device is assigned to the user account, in the Assign device to user section, specify if this is an additional device that are you activating for the user account or a replacement device. If it is a replacement device, specify which device you want to replace it with and click Yes Assign the device. Assign a user account that is associated with an existing activated device a different device. 1. Click Manage current device. 2. Click Assign the current user a different connected device. 3. In the Assign device to user section, perform one of the following actions: If this is an additional device, select New device. Click Continue. Select the device that you want to assign to the user account. If this is a replacement device, select Replacement device. Select the device that you want to replace and click Continue. Select the device that you want to assign to the user account. 4. Click Yes Assign the device. If a work space exists on the device, the work space is deleted. Click Yes Assign the device again. Setting an activation password using BES10 Self- Service Using BES10 Self-Service, BlackBerry Enterprise Service 10 users can create activation passwords so that they can activate their devices over the wireless network. Users can select the type of device that they want to activate and specify an activation password. Instructions for activating devices are also provided in BES10 Self-Service. The web address for BES10 Self-Service is where <server_name> is the FQDN of the computer that hosts the console. For more information about BES10 Self-Service, visit blackberry.com/go/docs to read the BES10 Self-Service User Guide. 110

111 Activating and managing devices Activating a device over the wireless network You can allow users to activate BlackBerry devices over the wireless network using one of the following methods: Register the activation information with the BlackBerry Infrastructure. If you register the activation information, the user's account information, including their username, required server address and SRP information will be sent to and stored in the BlackBerry Infrastructure. Users who activate a BlackBerry 10 device will not need to know the SRP ID of the BlackBerry Device Service and will only need to provide their work address and activation password to activate a device. Do not register the activation information with the BlackBerry Infrastructure. If you decide not to register the activation information, or if you are registering the activation information for local user accounts where the addresses have not been specified, users must enter their SRP address and server information manually during the activation process. Users can create activation passwords in BES10 Self-Service to activate devices over the wireless network. For more information about BES10 Self-Service, visit blackberry.com/go/docs to read the BES10 Self-Service User Guide. To allow users to activate a device over the wireless network, you must be assigned one of the following BlackBerry Administration Service preconfigured roles: Security role Enterprise role Senior Helpdesk role Junior Helpdesk role User only role If you are using a custom role that was created by your organization instead of a preconfigured role, you might not have the required permissions to activate a device over the wireless network using the BlackBerry Device Service. When the activation process completes, users can send and receive messages on their devices. Activation passwords You can send activation information to users so that they can activate BlackBerry devices. You can either generate an activation message that includes an automatically generated password, or specify an activation password that is unique to the user account. If you decide to send only one activation message, be sure to specify the activation password in the message. You must communicate the activation password to users with local user accounts that do not have an address by a means other than an activation message. Item Length of the activation password Typical activation passwords are four to eight characters long. Activation passwords are limited to 31 characters 111

112 Activating and managing devices Item Character support Security The password must not contain special characters. Some devices do not support special characters and do not unlock when a user types a password that contains special characters. Wireless activation is designed so that short activation passwords do not compromise the security of the protocol. You must distribute the activation password to the user securely. If the user receives the activation password, but does not activate the device on the BlackBerry Device Service, an attacker who can access the activation password can connect another device to the BlackBerry Device Service and assume the identity of the intended user. When a user activates a device on the BlackBerry Device Service, the activation password becomes inactive and a potentially malicious user cannot reuse it to activate another device. Expiry time An activation password is no longer valid if any of the following events occur: The user does not activate the device on the BlackBerry Device Service before the expiry time elapses (default 48 hours) The user types the activation password incorrectly five consecutive times The BlackBerry Device Service activates a device using the activation password Configure device activation over the wireless network You can allow users to activate BlackBerry devices over the wireless network. Before you begin: Create an account that the BlackBerry Administration Service can use to send system messages or activation passwords to user accounts. Verify that the system requirements are met for activating devices over a Wi-Fi network. For more information, see the BlackBerry Enterprise Service 10 Installation Guide. Configure the SMTP notication settings. 1. In the BlackBerry Administration Service, on the Devices menu, expand Wireless activations. 2. Click Device activation settings. 3. By default, BlackBerry Enterprise Service 10 registers users' activation information with the BlackBerry Infrastructure. As a result, users do not have to specify the SRP or server address during the activation process. If you do not want to register activation information, and you want users to enter the SRP or server address manually, click Stop registering activation information. Click Yes - Stop registering activation information to confirm. 112

113 Activating and managing devices 4. Click Edit activation settings. 5. In the Activation configuration section, verify that Allow activation over BlackBerry infrastructure is set to Yes. 6. To send users an activation message, in the Allow activation information to be ed drop-down list, click Yes. 7. Create an activation message that can be sent to users. In the First activation message section, in the Custom activation subject field, type a subject. 8. Customize the body text of the activation message. If you decide to send only one activation message, make sure you include the activation password. 9. Create a second activation message so that you can send the activation password separately from other activation instructions. In the Second activation message section, in the Send two separate activation s dropdown list, click Yes. 10. Customize the subject line and activation message. 11. In the Passwords settings section, in the Auto-generated password length field, type a character length. 12. In the Auto-generated password lifespan (hours) field, type the number of hours before the activation password expires. 13. In the Allowed user operations section, in the Maximum device activation attempts field, type the number of times a user can try to enter their activation password before the device locks. 14. Click Save. After you finish: If you stopped registering activation information with the BlackBerry Infrastructure and you want to start it again, on the Device activation settings page, click Start registering activation information. Click Yes - Start registering activation information to confirm. Send an activation to user accounts. Using variables in the activation template You can customize the activation that the BlackBerry Device Service sends to users. You can use any of the following variables in the message body. Variable %DisplayName% %ServerAddress% %UserName% %Password% %ExpiryHours% User's display name The Server address that is required to activate a BlackBerry PlayBook tablet User's username in the BlackBerry Device Service Activation password Number of hours before the activation password expires 113

114 Activating and managing devices Send an activation to user accounts To allow users to activate their devices over the wireless network, you must send them an activation message. The activation , at a minimum, must include an activation password that users must specify when they activate their devices. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Manage users. 3. Search for the user accounts that you want to send an activation password or message to. 4. Select the check boxes beside the display names of the user accounts. 5. In the Device activation list, perform one of the following tasks: Task Use an automatically generated activation password and send the password to the user accounts. Specify an activation password and send the password to the user accounts. Steps Click Generate activation Click Specify an activation password. 2. In the Activation password and Confirm password fields, type an activation password. 3. In the Password expiration (hours) field, type the amount of time, in hours, before the activation password expires. 4. In the password to user address drop-down list, select Yes. 5. Click Specify an activation password. Users receive an activation message and are prompted to type their activation passwords and the activation information that you specified when you configured wireless activation. Prevent wireless activation over the BlackBerry infrastructure You can prevent wireless activation over the BlackBerry Infrastructure. If you turn off the ability to activate devices wirelessly over the BlackBerry Infrastructure, users must specify their SRP address and server information manually during the activation process (for example, their username, activation password, required server address and SRP information). 1. In the BlackBerry Administration Service, on the Devices menu, expand Wireless activations. 2. Click Device activation settings. 3. Click Disallow activation over the BlackBerry infrastructure. 114

115 Activating and managing devices 4. Click Yes - Disallow activation over BlackBerry infrastructure. 115

116 Activating and managing devices Managing devices Sending CA certificates to devices You might need to distribute root and intermediate CA certificates to devices if the devices use certificate-based authentication to connect to a network or server in your organization s environment or if your organization uses S/MIME. Sending the CA certificates for your organization's network and server certificates to devices allows the devices to trust the network and servers when making secure connections. Sending CA certificates for your organization's S/MIME certificates allows devices to trust the sender's certificate when a secure message is received. You can send CA certificates to every device that is managed by the BlackBerry Device Service by copying the certificate to the appropriate subfolder in the BlackBerry Device Service shared network folder. If the contents of a certificate folder change, the Enterprise Management Web Service sends all certificates in the folder to the appropriate certificate store on every device to replace the previous set of certificates. Depending on the purpose of a certificate, you should copy a CA certificate to one of the following Certificates subfolders: Folder WIFI VPN WWW Enterprise The BlackBerry Device Service sends certificates in the WIFI folder to the Wi-Fi Trusted Certificates store on every device. Certificates in the Wi-Fi Trusted Certificates store can be used only for Wi-Fi connections. You must set the Wi-Fi profile Trusted Certificate Source configuration setting to Trusted Certificate Store to use certificates in the store for work Wi-Fi connections. The BlackBerry Device Service sends certificates in the VPN folder to the VPN Trusted Certificates store on every device. Certificates in the VPN Trusted Certificates store can be used only for VPN connections. You must set the VPN profile Trusted Certificate Source configuration setting to Trusted Certificate Store to use certificates in the store for work VPN connections. The BlackBerry Device Service sends certificates in the WWW folder to the Enterprise Root Certificates list on every device. The work browser uses these certificates to establish SSL connections with servers in your organization's environment. Devices running BlackBerry 10 OS version 10.0 also use certificates in this folder to authenticate with your work messaging server if it uses certificate-based authentication and to authenticate secure messages that have been received. The BlackBerry Device Service sends certificates in the Enterprise folder to the Enterprise Root Certificates list on devices running BlackBerry 10 OS version 10.1 and later. Devices use certificates in this folder to authenticate with your work messaging server if it uses certificatebased authentication and to authenticate secure messages that have been received. 116

117 Activating and managing devices Send certificates to every device that is managed by the BlackBerry Device Service The Certificates folders in the shared network folder for applications contains subfolders for root and intermediate CA certificates that the BlackBerry Device Service sends to BlackBerry devices. When the content of one of the certificate folders changes, all certificates in the folder are sent to every device to replace the previous set of certificates. 1. Obtain.cer,.der, or.pem files for the certificates. 2. Copy the certificate files to the correct folder. Copy web server certificates for all devices, and messaging server and S/MIME certificates for devices running BlackBerry 10 OS version 10.0 to the WWW folder. Copy messaging server and S/MIME certificates for devices running BlackBerry 10 OS version 10.1 and later to the Enterprise folder. Copy VPN certificates to the VPN folder. Copy Wi-Fi certificates to the WIFI folder. Remove certificates from every device that is managed by the BlackBerry Device Service The subfolders in the Certificates folder contain root and intermediate CA certificates that are stored on every BlackBerry device that is managed by the BlackBerry Device Service. When the content of one of the subfolders changes, all certificates in the folder are sent to every device to replace the previous set of certificates. In the WWW, VPN, WIFI, or Enterprise folder, remove the.pem file for the certificate. Sending work space wallpaper to devices To help users distinguish between the work space and the personal space on BlackBerry 10 devices, the home screen in each space displays different, visually distinct wallpapers by default. This gives users a strong visual indication of which space they are currently working in. You can also use a customized image, such as your organization's logo, for work space wallpaper. After you specify an image file for a device type, the Enterprise Management Web Service sends the work space wallpaper to the appropriate devices in the BlackBerry Device Service domain and users with that device type cannot change the wallpaper for the work space. If you do not set the work space wallpaper for a device type, users with that device type can configure the wallpaper for the work space. Work space wallpaper must be located in <drive>:\<shared_network_folder>\shared\wallpapers. The Wallpapers folder is created automatically in the shared network folder when you add the shared network folder location to the BlackBerry Administration Service. 117

118 Activating and managing devices When you delete an image file from the Wallpapers folder, or if you rename or delete the Wallpapers folder, the Enterprise Management Agent removes the work space wallpaper from any devices that use it and replaces it with the default wallpaper that is stored on devices. Specify an image file for work space wallpaper The image file that you specify for work space wallpaper can be any format that the device supports (for example,.bmp,.gif,.jpg, or.png files). The image displayed on the device is cropped to align it in the center of the display screen and you can find the width and height of the display screen when you view device information for a user in the BlackBerry Administration Service. Each type of device has a different hardware ID. You should specify only one image file for each type of device. Before you begin: In the BlackBerry Administration Service, specify a shared network folder. Verify that you have the hardware ID for each type of device. For more information, visit to read article KB Copy an image file to <drive>:\<shared_network_folder>\shared\wallpapers. 2. Change the file name to begin with the hardware ID and a hyphen ("-"). For example, image.jpg. 3. Repeat steps 1 and 2 for each type of device. Change an image file for work space wallpaper When the Enterprise Management Web Service detects a change in the Wallpapers folder, the update is sent to the appropriate devices based on the hardware ID. 1. Rename the new image file. The file name should match the name of the work space wallpaper that you want to replace, including the hardware ID (for example, image.jpg). 2. Copy the new image file to <drive>:\<shared_network_folder>\shared\wallpapers. Checking the delivery status of work space wallpaper To verify that the Enterprise Management Web Service sent the work space wallpaper to devices, you can check the Enterprise Management Web Service log file. The default location for the BlackBerry Device Service log files is <drive>: \Program Files (x86)\research In Motion\BlackBerry Enterprise Service 10\Logs. The component identifier for the Enterprise Management Web Service log file is EMWS. When you add, remove, or replace an image file in the Wallpapers folder, the Enterprise Management Web Service records the following information in the log file: EMWS:Wallpapers have changed in <shared_network_folder>\shared\wallpapers\ EMWS:Configuration being resent to x devices. If other tasks are in the process of being sent to users (for example, you activated their devices), the Enterprise Management Web Service sends the work space wallpaper with the other tasks and does not record the number of devices 118

119 Activating and managing devices in the log file. The Enterprise Management Web Service records the following information in the log file: "EMWS:Configuration being resent to 0 devices". Assign a user a different device You can change the BlackBerry device that is activated for a user account. When you switch devices for a user account, data is not transferred from one device to the other. 1. Connect the devices to a computer that can access the BlackBerry Administration Service. 2. In the BlackBerry Administration Service, on the Devices menu, expand Attached devices. 3. Click Manage current device. 4. Click Assign the current user a different connected device. 5. In the Assign device to user section, in the Device drop-down list, select the PIN of the device that you want to activate. 6. Click Continue. 7. Click Yes - Assign this device. Specify a new device password and lock the device If a device is lost or if a user forgets their password, you can remotely change its password and lock the device. Depending on the IT policy settings and the device settings, sending the command may also change the work space password. For more information, see the BlackBerry Device Service Solution Security Technical Overview. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Manage users. 3. Search for a user account. 4. In the search results, click a device PIN. 5. Click Specify new device password and lock device. 6. In the Device password and Confirm password fields, type a new password. 7. In the Message field, type a message that will appear on the device's home screen. 8. Click Specify new device password and lock device. 119

120 Activating and managing devices Specify a new work space password and lock the work space If a user forgets their password, you can remotely change the work space password and lock the work space. Depending on the IT policy settings and the device settings, sending the command may also change the device password. This command is available for devices running a BlackBerry 10 OS version that is 10.2 or later. For more information, see the BlackBerry Device Service Solution Security Technical Overview. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Manage users. 3. Search for a user account. 4. In the search results, click a device PIN. 5. Click Specify new work space password and lock the work space. 6. In the Work space password and Confirm password fields, type a new password. 7. Click Specify new work space password and lock the work space. After you finish: Send a message to the user informing them of the new work space password that they are required to use to unlock the work space. Resend IT policies to a device 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Manage users. 3. Search for a user account. 4. In the search results, select the check box for the user account. 5. In the Resend changes list, click Resend IT policy to selected devices. Managing how device controls are sent to devices The BlackBerry Administration Service creates jobs to deliver applications, profiles, and IT policies to BlackBerry devices in the following scenarios: You create a software configuration, IT policy, or profile and assign it to user accounts or groups You change a software configuration, IT policy, or profile 120

121 Activating and managing devices A job consists of multiple tasks. Each task delivers a specific object or setting (for example, a required application or IT policy) to a device. You can change the default settings that control how the BlackBerry Administration Service creates jobs and delivers tasks to devices. You can also change the default settings that the BlackBerry Administration Service uses to deliver applications, IT policies, and profiles to devices. Specify job schedule settings You can change the default settings for a job to control how the BlackBerry Administration Service processes jobs. If you change the default settings for a job, there might be a performance effect on your organization's environment. 1. In the BlackBerry Administration Service, on the Devices menu, expand Deployment jobs. 2. Click Specify job schedule settings. 3. Click Edit job schedule settings. 4. In the Default delay for each job section, in the Default delay field, type the number of minutes that the BlackBerry Administration Service waits before it creates and processes a job. The default value is 15 minutes. 5. In the General section, in the Mark job as failed field, type the number of days that the BlackBerry Administration Service waits before it defines a job that was not delivered to BlackBerry devices as failed. The default value is 30 days. 6. In the Purge jobs field, type the number of days that the BlackBerry Administration Service waits before it deletes a failed job or a completed job. The default value is 7 days. 7. Click Save all. Specify IT policy distribution settings You can specify when the BlackBerry Administration Service sends IT policy information to BlackBerry devices. 1. In the BlackBerry Administration Service, on the Devices menu, expand Deployment jobs. 2. Click Specify profile and IT policy distribution settings. 3. Click Edit distribution settings. 4. On the Default schedule tab, set the default schedule for IT policy distribution. 5. On the System throttling tab, set the maximum number of tasks that the BlackBerry Administration Service attempts simultaneously. 6. On the Job throttling tab, select whether to enable the default throttling for IT policy tasks. 7. If necessary, in the Default throttling for all application tasks in each job in a time window section, in the Maximum number of simultaneous tasks per BlackBerry Administration Service instance field, type the maximum number of application tasks that you want the BlackBerry Administration Service to process at the same time. The default value is

122 Activating and managing devices 8. If necessary, in the Total number of tasks per time window per BlackBerry Administration Service instance field, type the total number of application tasks that you want the BlackBerry Administration Service to process during each processing interval. The default value is Click Save all. Specify application distribution settings You can change how the BlackBerry Administration Service installs, updates, or removes required applications in a specific job on BlackBerry devices. You can change a job's distribution settings for applications only if the job is not running. If you change the default application distribution settings, there might be a performance effect on your organization's environment. 1. In the BlackBerry Administration Service, on the Devices menu, expand Deployment jobs. 2. Click Specify application distribution settings. 3. Click Edit distribution settings. 4. On the Default schedule tab, set the default schedule for application distribution. 5. On the System throttling tab, set the maximum number of tasks that the BlackBerry Administration Service attempts simultaneously. 6. On the Job throttling tab, select whether to enable the default throttling for application distribution tasks. 7. If necessary, in the Default throttling for all application tasks in each job in a time window section, in the Maximum number of simultaneous tasks per BlackBerry Administration Service instance field, type the maximum number of application tasks that you want the BlackBerry Administration Service to process at the same time. The default value is If necessary, in the Total number of tasks per time window per BlackBerry Administration Service instance field, type the total number of application tasks that you want the BlackBerry Administration Service to process during each processing interval. The default value is Click Save all. View the status of a job You can view the status of a job to determine if it is ready to run, currently running, completed, or completed with task failures. 1. In the BlackBerry Administration Service, on the Devices menu, expand Deployment jobs. 2. Click Manage deployment jobs. 3. Search for a job. 4. In the search results, in the Status column, view the status of the job. 5. To view more information about a job or to change a job, click the ID of the job. 122

123 Activating and managing devices View the status of a task Each deployment job consists of multiple tasks. Each task delivers a specific object or setting to a BlackBerry device and completes an action (for example, installing or removing an application or applying updated IT policy settings). You can view the status of tasks. If the BlackBerry Device Service does not complete a task, you can view error messages that help you troubleshoot the task failure. 1. In the BlackBerry Administration Service, on the Devices menu, expand Deployment jobs. 2. Click Manage deployment job tasks. 3. Search for a task. 4. In the search results, in the Status column, view the status of the task. 5. To view more information about a task, click More. Stopping a job that is running When you stop a job, the following events occur: The BlackBerry Administration Service stops processing the remaining tasks in the job. The BlackBerry Administration Service changes the scheduled start time for the job to the following day. The job returns to Ready to run status. If you do not want the job to run again on the following day, you can make changes to the start time, priority, and distribution settings of the job after you stop it. When the job starts again, the BlackBerry Administration Service processes the remaining tasks in the job. If you want to delete a job, change the start date of the job to a date that exceeds the job failure period that you configured in the job schedule settings. The default job failure period is 30 days. Stop a job that is running 1. In the BlackBerry Administration Service, on the Devices menu, expand Deployment jobs. 2. Click Manage deployment jobs. 3. Search for the job that you want to stop. 4. In the search results, click the ID of the job that you want to stop. You can only stop jobs with a Running status. 5. Click Stop Current Execution. 6. Click Yes - Stop Current Execution. 123

124 Activating and managing devices Deactivating a device When you deactivate a BlackBerry device, the connection between the device and the user account in the BlackBerry Device Service is removed. You cannot manage the device and the device is not displayed in the BlackBerry Administration Service console. To protect your organization s data on work space only devices, you can remotely wipe a device if, for example, a user no longer works at your organization. Because these devices only have a work space, you can use either the Delete all device data and remove device, or Delete only the organization data and remove device options in theblackberry Administration Service to wipe these devices. Delete device data and deactivate a device 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Manage users. 3. Search for a user account. 4. In the search results, click the user's name. 5. On the User information tab, in the PIN section, perform one of the following actions: Option Remove the association between the device and the user account, but do not delete the data on the device. Remove the association between the device and the user account and delete all data on the device. Remove the association between the device and the user account and delete all work data on the device. Step 1. Click the Remove device icon. 2. Click Yes - Delete all device data and remove device. 1. Click Delete all device data and remove device. The device status is Delete pending until all data is deleted. 2. Click Yes - Delete all device data and remove device. 1. Click Delete only the organization data and remove device. The device status is Delete pending until all work data is deleted. 2. Click Yes - Delete only the organization data and remove device. Reactivate a device When you reactivate a BlackBerry device, the work space on the device is deleted but the device remains assigned to the same user account and a new work space is created. 1. Connect the device to a computer that can access the BlackBerry Administration Service. 124

125 Activating and managing devices 2. In the BlackBerry Administration Service, on the Devices menu, expand Attached devices. 3. If multiple devices are connected to the BlackBerry Administration Service, click Overview. 4. Select the device that you want to reactivate, and click Save. 5. Click Manage current device. 6. Click Reactivate the current device for the current user. 7. Click Yes - Reactivate the device. Create a list of all user accounts and their associated devices To create a list of user accounts and the devices associated with those accounts, export the information to a.csv file. You can use this list to determine what user s accounts are associated with which type of device or to perform an audit on the number of managed devices in your organization. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Manage users. 3. Click Search. 4. Click Export all results. 5. Click Download file. Create a list of selected user accounts and their associated devices To create a list of selected user accounts and the devices associated with those accounts, export the information to a.csv file. You can use this list to determine what user s accounts are associated with which type of device or to perform an audit on the number of managed devices in your organization. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Manage users. 3. Search for the user accounts. 4. In the search results, check the boxes next to the name you want to export. 5. In the Export users section, click Export selected users. 6. Click Download file. 125

126 Activating and managing devices Troubleshooting devices This section contains troubleshooting items for the BlackBerry Device Service. For more information about known issues in the BlackBerry Device Service software, see the BlackBerry Enterprise Service 10 Release Notes. The computer blocks incoming connections from a device Possible cause The Windows firewall on the computer that users connect their BlackBerry device to blocks communication from the device to the Enterprise Management Web Service. Possible solution Perform one of the following actions on users' computers: Create a firewall exception for incoming TCP traffic to RIMProxy.exe. The default port number for RIMProxy.exe is Create a firewall exception for incoming TCP traffic to the x.x subnet. In the Windows Registry Editor, add the registry key HKEY_LOCAL_MACHINE\Software\Research In Motion \SCDeviceController, create a DWORD value that is named HttpProxyPort, and set the value to the port number that you want to use for incoming TCP traffic from a device. The computer uses an incorrect certificate template for the SCEP Possible cause By default, Windows Server 2008 uses the IPSECIntermediateOffline template to generate a certificate using SCEP. This template does not provide the correct Extended Key Usage (also known as an Application Policy) for the signed certificate. The signed certificate is used for authenticating connections, VPN connections, and Wi-Fi connections. 126

127 Activating and managing devices Possible solution Change the certificate template that the Network Device Enrollment Service in Windows Server 2008 uses to generate the certificate using SCEP. For more information, visit technet.microsoft.com to read the article Administering Certificate Templates. The service plan on your SIM card doesn t support your organization s activation requirements Possible cause This message appears when a device is locked in quarantine mode because there is no SIM card in the device or if the service plan on the SIM card does not support your organization s activation requirements. Possible solution Verify that there is a SIM card in the device. Devices that are activated using the work space only option require a service plan that supports work space only activation. 127

128

129 6 Maintaining and monitoring

130 Maintaining and monitoring Maintaining and monitoring the health of the BlackBerry Device Service The BlackBerry Controller monitors the BlackBerry Device Service so that it can detect when to start, restart, or stop the BlackBerry Device Service services. Services that require database access are installed in manual start mode and the BlackBerry Controller starts the services when the BlackBerry Dispatcher verifies the connection to the database. Other services are installed in automatic start mode, and by default, the BlackBerry Controller restarts the services if the BlackBerry Controller detects that the services are inactive. By default, the BlackBerry Controller also restarts services if the BlackBerry Controller detects unresponsive threads or that a service is inactive for a long period of time. Registry keys determine how the BlackBerry Controller monitors the BlackBerry Device Service and restarts the BlackBerry Device Service services. You can change the default behavior of the BlackBerry Controller by creating new registry keys and changing the default values of the registry keys. Change how the BlackBerry Controller restarts a BlackBerry Device Service component By default, the BlackBerry Controller restarts a BlackBerry Device Service component if it stops responding. 1. On the computer that hosts the BlackBerry Device Service component that you want to change, open the Windows Registry Editor. 2. Navigate to HKEY_LOCAL_MACHINE\Software\WOW6432Node\Research In Motion. 3. Perform any of the following tasks: Task Change how the BlackBerry Controller restarts the BlackBerry MDS Connection Service. Steps 1. Expand BlackBerry Enterprise Server. 2. Click MDS. 3. Double-click the DWORD value that is named RestartOnCrash. 4. In the Value data field, perform one of the following actions: To prevent the BlackBerry Controller from restarting the BlackBerry MDS Connection Service if the service stops responding, type 0. To permit the BlackBerry Controller to restart the BlackBerry MDS Connection Service if the service stops responding, type

131 Maintaining and monitoring Task Change how the BlackBerry Controller restarts the Enterprise Management Web Service. Steps 1. Expand BlackBerry Enterprise Server. 2. Click EMWS. 3. Double-click the DWORD value that is named RestartOnCrash. 4. In the Value data field, perform one of the following actions: To prevent the BlackBerry Controller from restarting the Enterprise Management Web Service if the service stops responding, type 0. To permit the BlackBerry Controller to restart the Enterprise Management Web Service if the service stops responding, type 1. Change how the BlackBerry Controller restarts the BlackBerry Router. 1. Expand BlackBerry Enterprise Server. 2. Click Router. 3. Double-click the DWORD value that is named RestartOnCrash. 4. In the Value data field, perform one of the following actions: To prevent the BlackBerry Controller from restarting the BlackBerry Router if the service stops responding, type 0. To permit the BlackBerry Controller to restart the BlackBerry Router if the service stops responding, type Click OK. 131

132 Maintaining and monitoring Managing log files for server components You can use log files to record the activity of the BlackBerry Device Service components and troubleshoot issues with the components. The BlackBerry Device Service creates a log file for each component and saves the log files on the computer that hosts the BlackBerry Device Service. By default, the BlackBerry Device Service saves the log files in C:\Program Files (x86)\research In Motion\BlackBerry Enterprise Service 10\Logs\. Each BlackBerry Device Service instance saves the log files in folders that it creates daily and organizes by date. To prevent the log files from taking up too much disk space, you can change how BlackBerry Device Service components create and delete log files. The size of log files varies based on the number of users in your BlackBerry Device Service environment and the level of user activity. It is a best practice to monitor and control the amount of disk space taken up by the BlackBerry Device Service log files. By default, the BlackBerry Device Service names log files <server_name>_<component_identifier>_<instance>_<yyyymmdd>_<log_number>.txt (for example, BBServer01_MDAT_01_ _0001.txt). An event that the BlackBerry Device Service writes to a log file begins with a five-digit number, where the first digit represents the logging level. For example, the following log file entry logs level 3: [30000] (03/12 14:03:42.315):{0x18CC} [ENV] Computer Host Name: host_name. Change the location for log files The default file location for BlackBerry Device Service log files is C:\Program Files\Research In Motion\BlackBerry Enterprise Service 10\Logs\. 1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > Logging. 2. Click the BlackBerry Device Service instance. 3. On the Instance information tab, click Edit instance. 4. In the Log file path field, type the path where you want to save the log files. 5. Click Save all. 6. Restart the BlackBerry Device Service. Change the folder for log files By default, the BlackBerry Device Service stores log files in daily folders that it creates in the Logs folder. You can set the BlackBerry Device Service to store all log files in the Logs folder and not sort the logs in daily folders. 132

133 Maintaining and monitoring 1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > Logging. 2. Click the BlackBerry Device Service instance. 3. On the Instance information tab, click Edit instance. 4. In the General section, in the Create folder for daily logs drop-down list, click False. 5. Click Save all. 6. Restart the BlackBerry Device Service. Change the name of a log file 1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > Logging. 2. Click the BlackBerry Device Service instance. 3. On the Logging details tab, click Edit instance. 4. In the Log identifier field, type a new name. 5. Click Save all. 6. Restart the affected BlackBerry Device Service services. Add a prefix to the file name of a log file 1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > Logging. 2. Click the BlackBerry Device Service instance. 3. On the Instance information tab, click Edit instance. 4. In the General section, in the Log file prefix field, type the prefix that you want to add to the log files. 5. Click Save all. 6. Restart the affected BlackBerry Device Service services. Change the maximum size of a log file You can specify the maximum size for each log file that the BlackBerry Device Service creates. When a log file reaches its maximum size, the BlackBerry Device Service either creates another log file or overwrites the existing one. 133

134 Maintaining and monitoring 1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > Logging. 2. Click the BlackBerry Device Service instance. 3. On the Logging details tab, click Edit instance. 4. In the Maximum size of daily log files (MB) field for the log file, type the file size. 5. Click Save all. 6. Restart the affected BlackBerry Device Service services. Change the logging level of a log file 1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > Logging. 2. Click the BlackBerry Device Service instance. 3. On the Logging details tab, click Edit instance. 4. In each section, in the Log level drop-down list, perform one of the following actions: To write error messages to the log file, click Error. To write warning messages and error messages to the log file, click Warning. To write daily activities messages, warning messages, and error messages to the log file, click Informational. To write all messages to the log file, click Debug. 5. Click Save all. 6. Restart the affected BlackBerry Device Service services. Specify how the BlackBerry Device Service manages a log file that reaches its maximum size When a log file reaches its maximum size, the BlackBerry Device Service either creates another log file or overwrites the existing one. If you turn on log auto-roll, the BlackBerry Device Service creates a new log file. If you turn off log auto-roll, the BlackBerry Device Service overwrites the existing log file. By default, log auto-roll is turned on for a log file. 1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > Logging. 2. Click the BlackBerry Device Service instance. 3. On the Logging details tab, click Edit instance. 4. In the Log auto-roll drop-down list for the log file, click True. 134

135 Maintaining and monitoring 5. Click Save all. 6. Restart the affected BlackBerry Device Service services. Specify when the BlackBerry Device Service creates a log file You can specify when the BlackBerry Device Service creates a log file. If you set the Daily file creation field to True, the BlackBerry Device Service creates a new log file every day. If you set the Daily file creation field to False, the BlackBerry Device Service creates a new log file only when the existing log file reaches it maximum size. 1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > Logging. 2. Click the BlackBerry Device Service instance. 3. On the Logging details tab, click Edit instance. 4. In the Daily file creation drop-down list, click False. 5. Click Save all. 6. Restart the affected BlackBerry Device Service services. Set the maximum age for a log file When you set the maximum age for a log file, the BlackBerry Device Service deletes the log file when it reaches that age. 1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > Logging. 2. Click the BlackBerry Device Service instance. 3. On the Logging details tab, click Edit instance. 4. In the Maximum age of daily log files field for the log file, type the maximum age in days for the log file. 5. Click Save all. 6. Restart the affected BlackBerry Device Service services. Change the encoding of the log file You can change the character encoding system that the BlackBerry Device Service uses for log files so that the log files support the tools that you use to parse and examine the log files. You can specify a different character encoding system for each of the log files. 135

136 Maintaining and monitoring 1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > Logging. 2. Click the BlackBerry Device Service instance. 3. On the Logging details tab, click Edit instance. 4. In the Log encoding drop-down list, click one of the following character encoding systems: ANSI UTF-8 UTF-16LE 5. Click Save all. 6. Restart the affected BlackBerry Device Service services. Restore default settings for log files 1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > Logging. 2. Click the BlackBerry Device Service instance. 3. On the Logging details tab, click Edit instance. 4. Click Reset logging defaults. 5. Click Save all. 6. Restart the BlackBerry Device Service. Changing how the BlackBerry MDS Connection Service creates a log file The BlackBerry MDS Connection Service uses different configuration settings to determine the logging level, when to write information to the log files, and what activities are included in the log files that it creates. You can customize the information that the BlackBerry MDS Connection Service writes to its log files to ensure that the activities and connections that your organization needs to monitor are included. The performance of the BlackBerry MDS Connection Service is impacted by the logging level that you choose and the number of activities and connections that you need to monitor. Change the logging level for BlackBerry MDS Connection Service log files You can change the logging level for the BlackBerry MDS Connection Service log file and event log. 1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > MDS Connection Service. 136

137 Maintaining and monitoring 2. Click an instance of the BlackBerry MDS Connection Service. 3. Click Edit instance. 4. On the Logging tab, in the File logging destination or EventLog logging destination sections, select one of the following logging levels from the Log level drop-down list: To write events to the log files, click Event. To write error messages to the log files, click Error. To write warning messages to the log files, click Warning. To write daily activities to the log files, click Informational. To write additional information to the log files that can help you troubleshoot issues with the BlackBerry MDS Connection Service, click Debug. 5. Click Save all. Change the interval that the BlackBerry MDS Connection Service writes information to a log file The interval that the BlackBerry MDS Connection Service writes information to a log file applies to all BlackBerry MDS Connection Service log files, including the event log. 1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > MDS Connection Service. 2. Click an instance of the BlackBerry MDS Connection Service. 3. Click Edit instance. 4. On the Logging tab, in the File logging destination section, in the Log timer interval field, type the interval in milliseconds. The default value is Click Save all. Change the activities that the BlackBerry MDS Connection Service writes to a log file The settings for the activities that the BlackBerry MDS Connection Service writes to a log file apply to all log files, including the event log. 1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > MDS Connection Service. 2. Click a BlackBerry MDS Connection Service instance. 3. Click Edit instance. 4. On the Logging tab, in the Logging section, perform any of the following tasks: 137

138 Maintaining and monitoring Task Do not trace how data packets travel inside the SRP network layer from the BlackBerry MDS Connection Service to the BlackBerry Dispatcher. Trace how data packets travel inside the gateway message envelope network layer from the BlackBerry MDS Connection Service to the BlackBerry Dispatcher. Do not trace how data packets travel inside the IPPP network layer from the BlackBerry MDS Connection Service to the BlackBerry Dispatcher. Monitor HTTP headers for request and response messages that the BlackBerry MDS Connection Service sends or receives when push initiators send push messages to BlackBerry devices. Monitor HTTP headers and the additional details of request and response messages that the BlackBerry MDS Connection Service sends or receives when push initiators send push messages to BlackBerry devices. Steps In the SRP logging turned on drop-down list, click No. In the GME logging turned on drop-down list, click Yes. In the IPPP logging turned on drop-down list, click No. In the Push logging turned on drop-down list, click Yes. In the Verbose push logging turned on drop-down list, click Yes. 5. Click Save all. Using the BlackBerry MDS Connection Service log files to view information for connections to BlackBerry devices The BlackBerry Device Service writes data for each BlackBerry device connection that the BlackBerry MDS Connection Service processes in the BlackBerry MDS Connection Service log files. You can find the BlackBerry MDS Connection Service log files on the computer that hosts the BlackBerry Device Service. You can identify BlackBerry MDS Connection Service log files by the component identifier MDAT in the log file name. Log file example: BlackBerry device user initiates the proxied connection <LAYER = IPPP, DEVICEPIN = u29, DOMAINNAME = test.rim.net, CONNECTION_TYPE = DEVICE_CONN, CONNECTIONID = , DURATION(ms) = 3500, MFH_KBytes = 0.908, MTH_KBytes = , MFH_PACKET_COUNT = 1, MTH_PACKET_COUNT = 2> Log file example: BlackBerry Device Service initiates the connection (push) <LAYER = IPPP, DEVICEPIN = <devicepin>, DOMAINNAME = kmtestd, CONNECTION_TYPE = PUSH_CONN, CONNECTIONID = , DURATION(ms) = 138

139 Maintaining and monitoring , MFH_KBytes = 0, MTH_KBytes = , MFH_PACKET_COUNT = 0, MTH_PACKET_COUNT = 4> Information in BlackBerry MDS Connection Service log files for connections to BlackBerry devices Attribute LAYER DEVICEPIN DOMAINNAME CONNECTION_TYPE CONNECTIONID DURATION(ms) MFH_KBytes MTH_KBytes MFH_PACKET_COUNT MTH_PACKET_COUNT Protocol layer that the BlackBerry MDS Connection Service uses to proxy BlackBerry device connections PIN or BlackBerry Device Service user ID of the BlackBerry device that connects using a proxy server Domain that requests the BlackBerry device connection Initiator of the proxied connection, which can be either the BlackBerry device user (DEVICE_CONN) or BlackBerry Device Service (PUSH_CONN ) Unique identifier for an IPPP connection, where - (minus sign) indicates a push connection Duration of the proxied BlackBerry device connection, in milliseconds Size of messages that the BlackBerry device sends, in KB Size of messages that the BlackBerry device receives, in KB Number of packets that the BlackBerry device sends Number of packets that the BlackBerry device receives Sending device log files to the BlackBerry Technical Solution Center You can configure a BlackBerry device to submit log files to the BlackBerry Technical Solution Center. You can use the Log Submission IT policy rule in the BlackBerry Device Service to control whether the device submits log files. If a BlackBerry PlayBook tablet is paired with a device running BlackBerry 7.1 or earlier using the BlackBerry Bridge app, the BlackBerry PlayBook Log Submission IT policy rule in BlackBerry Enterprise Server 5.0 SP3 or later also affects whether the tablet submits log files. The following table shows how the log submission IT policy rules in the BlackBerry Device Service and BlackBerry Enterprise Server 5 affect whether a tablet submits log files to the BlackBerry Technical Solution Center. 139

140 Maintaining and monitoring Log Submission IT policy rule BlackBerry PlayBook Log Submission IT policy rule Result Yes Yes The tablet sends log files No Yes The tablet does not send log files Yes No The tablet does not send log files No No The tablet does not send log files 140

141 Profile settings 7

142 Profile settings profile settings Type setting This setting specifies the data synchronization protocol. Possible values Microsoft ActiveSync IBM Notes Traveler Default value Microsoft ActiveSync Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Server Name setting This setting specifies the name of the messaging server. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service

143 Profile settings Server Port setting This setting specifies the port used to connect to the messaging service. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Enterprise Service 10 version 10.1 Use SSL setting This setting specifies whether a BlackBerry device must use SSL to connect to a messaging server. Possible values Yes No Default value Yes Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 SyncML server This setting specifies the FQDN of the IBM Notes Traveler server that a BlackBerry 10 device can use to synchronize To Do data. If you are using Notes Traveler and earlier, use the format <traveler_server_fqdn>/servlet/traveler 143

144 Profile settings Default values Null value If you are using Notes Traveler UP1 and later, use the format <traveler_server_fqdn>/traveler. This setting is valid only if the value for the "Type" setting is "IBM Notes Traveler." Minimum requirements BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Enterprise Service 10 version 10.2 SyncML server port This setting specifies the port of the IBM Notes Traveler server that a BlackBerry 10 device can use to synchronize To Do data. This setting is valid only if the value for the "Type" setting is "IBM Notes Traveler." Default values Null value Minimum requirements BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Enterprise Service 10 version 10.2 Use SSL to connect to SyncML This setting specifies whether a BlackBerry 10 device needs to make an SSL connection to the IBM Notes Traveler server. This setting is valid only if the value for the "Type" setting is "IBM Notes Traveler." Default values Null value Minimum requirements BlackBerry 10 OS version

145 Profile settings Setting introduction BlackBerry Enterprise Service 10 version 10.2 Push Enabled setting This setting specifies whether a messaging server can push messages to a BlackBerry device. Possible values Yes No Default value Yes Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Days to Synchronize setting The setting specifies the number of days in the past to synchronize messages and organizer data to a BlackBerry device. Possible values 1 day 3 days 7 days 14 days 30 days No limit Default value 30 days Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version

146 Profile settings Setting introduction BlackBerry Device Service 6.0 Interval Between Synchronizations setting Related settings This setting specifies how often a BlackBerry device checks the messaging server for new messages. This setting has an effect only if the Push Enabled setting is set to No. Possible values Manual 5 minutes 15 minutes 30 minutes 1 hour 2 hours 4 hours 24 hours Default value 15 minutes Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Require Manual Synchronization When Roaming setting This setting specifies whether a user must start synchronization between a BlackBerry device and a messaging server when the user is roaming. Possible values Yes No 146

147 Profile settings Default value No Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Synchronization setting This setting specifies whether a BlackBerry device synchronizes messages with the messaging server. Possible values Yes No Default value Yes Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Calendar Synchronization setting This setting specifies whether a BlackBerry device synchronizes calendar entries with the messaging server. Possible values Yes No Default value Yes Minimum requirements BlackBerry PlayBook OS

148 Profile settings BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Contact Synchronization setting This setting specifies whether a BlackBerry device synchronizes contacts with a messaging server. Possible values Yes No Default value Yes Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Memo Synchronization setting This setting specifies whether a BlackBerry device synchronizes memo data with the messaging server. Possible values Yes No Default value Yes Minimum requirements BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Enterprise Service 10 version

149 Profile settings Task Synchronization setting This setting specifies whether a BlackBerry device synchronizes task data with the messaging server. Possible values Yes No Default value Yes Minimum requirements BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Enterprise Service 10 version 10.0 To Do list synchronization This setting specifies whether a BlackBerry 10 device synchronizes the To Do data using Notes Traveler. This setting is valid only if the value for the "Type" setting is "IBM Notes Traveler." Default values Null value Minimum requirements BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Enterprise Service 10 version 10.2 SCEP Profile setting This setting specifies the name of the SCEP profile associated with the profile that a BlackBerry device uses for certificate-based authentication with the messaging server. Default value Null value 149

150 Profile settings Minimum requirements BlackBerry PlayBook OS 2.1 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.1 S/MIME Messages setting Related settings This setting specifies whether S/MIME is enabled on a BlackBerry device. If you set this setting to Allowed, a user can choose whether or not to enable S/MIME on the device. If you set this setting to Required, S/MIME is enabled on the device and cannot be disabled by the user. If you set this setting to Disallowed, S/MIME is disabled on the device and cannot be enabled by the user. To send encrypted messages, a user must have the recipient's public key on the device. To send digitally signed messages, a user must have their private key on their device. This setting takes precedence over the Digitally Signed S/MIME Messages setting and the Encrypted S/MIME Messages setting. For more information on the relationship between these settings, see the BlackBerry Device Service Solution Security Technical Overview. Possible values Allowed Required Disallowed Default value Allowed Minimum requirements BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Enterprise Service 10 version 10.0 Digitally Signed S/MIME Messages setting This setting specifies whether a BlackBerry device sends all outgoing messages with a digital signature. If you set this setting to Allowed, a user can choose whether to digitally sign outgoing messages. If you set this setting to Required, a user must digitally sign 150

151 Profile settings outgoing messages. If you set this setting to Disallowed, a user cannot digitally sign outgoing messages To send digitally signed messages, a user must have their private key on their device. Related settings If the S/MIME Messages setting is set to Disallowed, this setting is ignored. If the S/MIME Messages setting is set to Required, and both this setting and the Encrypted S/MIME Messages setting are set to Disallowed, the Encrypted S/MIME Messages setting and this setting are ignored and the default setting of Allowed is used for both settings. For more information about the relationship between these settings, see the BlackBerry Device Service Solution Security Technical Overview. Possible values Allowed Required Disallowed Default value Allowed Minimum requirements BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Enterprise Service 10 version 10.0 Encrypted S/MIME Messages setting Related settings This setting specifies whether a BlackBerry device encrypts all outgoing messages using S/MIME encryption. If you set this setting to Allowed, a user can choose whether or not to encrypt outgoing messages. If you set this setting to Required, a user must encrypt outgoing messages. If you set this setting to Disallowed, a user cannot encrypt outgoing messages. To send encrypted messages, a user must have the recipient's public key on the device. If the S/MIME Messages setting is set to Disallowed, this setting is ignored. If the S/MIME Messages setting is set to Required, and both this setting and the Digitally Signed S/MIME Messages setting are set to Disallowed, the Digitally Signed S/MIME Messages setting and this setting are ignored and the default setting of Allowed is used for both settings. For more information on the relationship between these settings, see the BlackBerry Device Service Solution Security Technical Overview. 151

152 Profile settings Possible values Allowed Required Disallowed Default value Allowed Minimum requirements BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Enterprise Service 10 version 10.0 Allowed Content Ciphers setting This setting specifies the encryption algorithms that a BlackBerry device can use to encrypt S/MIME-protected messages. Possible values AES (256-bit) AES (192-bit) AES (128-bit) Triple DES RC2 Default value Null value Minimum requirements BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Enterprise Service 10 version

153 Profile settings SCEP profile settings SCEP Service URL setting This setting specifies the URL of the SCEP service. The URL should include the protocol, domain, port number, and SCEP path (CGI path that is defined in the SCEP specification). You must set a value for this setting to activate the BlackBerry device successfully. SCEP HTTPS URLs are not supported by current device OS versions but will be supported in a future BlackBerry 10 OS release. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.1 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.1 Certificate Thumbprint setting This setting specifies the hexadecimal-encoded hash of the root certificate for the CA. You can use the following algorithms to specify the thumbprint: MD5, SHA1, SHA-224, SHA-256, SHA-384, and SHA-512. You must set a value for this setting to activate a device successfully. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.1 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service

154 Profile settings Key Algorithm setting This setting specifies the algorithm that a BlackBerry device uses to generate the client key pair. You must select an algorithm that is supported by your CA. Possible values None RSA ECC Default value RSA Minimum requirements BlackBerry PlayBook OS 2.1 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.1 RSA Strength setting Related settings This setting specifies the RSA strength that a BlackBerry device uses to generate the client key pair. You must enter a key strength that is supported by your CA. The Key Algorithm setting affects this setting. The device uses this setting if you set the Key Algorithm setting to RSA. Default value 1024 Minimum requirements BlackBerry PlayBook OS 2.1 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service

155 Profile settings ECC Strength setting Related settings This setting specifies the elliptic curve that a BlackBerry device uses to generate a client key pair. The elliptic curve defines the strength of the client key pair. You must select an elliptic curve that is supported by your CA. The Key Algorithm setting affects this setting. The device uses this setting if you set the Key Algorithm setting to ECC. Possible values SECT163K1 SECT283K1 SECP192R1 SECP256R1 SECP384R1 SECP521R1 Default value SECP521R1 Minimum requirements BlackBerry PlayBook OS 2.1 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.1 Specify Encryption Algorithm setting This setting specifies the encryption algorithm that a BlackBerry device uses for the certificate enrollment request. Possible values None 3DES CBC AES 128 AES 196 AES

156 Profile settings Default value 3DES CBC Minimum requirements BlackBerry PlayBook OS 2.1 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.1 Specify Hash Function setting This setting specifies the hash function that a BlackBerry device uses for the certificate enrollment request. Possible values None SHA1 SHA-224 SHA-256 SHA-384 SHA-512 Default value SHA1 Minimum requirements BlackBerry PlayBook OS 2.1 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.1 Certification Authority Identifier setting This setting specifies the identifier for the CA instance. The CA that you use determines the required value. Default value Null value 156

157 Profile settings Minimum requirements BlackBerry PlayBook OS 2.1 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.1 Certification Authority Challenge Password setting This setting specifies the challenge password that a BlackBerry device uses for certificate enrollment. Enter the same value in the Confirm certification authority challenge password field. You must set a value for this setting to activate the device successfully. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.1 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.1 Automatic Renewal setting This setting specifies how many days before a certificate expires that automatic certificate renewal occurs. Default value 30 Minimum requirements BlackBerry PlayBook OS 2.1 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service

158 Profile settings Wi-Fi profile settings SSID setting This setting specifies the network name of a Wi-Fi network and its wireless access points. The SSID is case sensitive and must contain alphanumeric characters. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Rule introduction BlackBerry Device Service 6.0 Hidden SSID setting This setting specifies whether the Wi-Fi network hides the SSID. Possible values Yes No Default value No Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Rule introduction BlackBerry Device Service

159 Profile settings Link Security setting Related settings This setting specifies the type of security that the Wi-Fi network uses. The EAP Security setting affects this setting. If you set this setting to WPA-Enterprise or WPA2-Enterprise, the EAP Security setting must not be set to a null value. Possible values None WPA-Enterprise WPA-Personal WPA2-Enterprise WPA2-Personal WEP personal Default value None Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Rule introduction BlackBerry Device Service 6.0 EAP Security setting Related settings This setting specifies the EAP security method that a Wi-Fi network uses. The Link Security setting affects this setting. The BlackBerry device uses this setting only if you set the Link Security setting to WPA-Enterprise or WPA2-Enterprise. Possible values PEAP TTLS EAP-FAST TLS Default value Null value 159

160 Profile settings Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 EAP-FAST Provisioning Method setting Related settings This setting specifies the provisioning method for a Wi-Fi network that uses EAP-FAST security. The EAP Security setting affects this setting. A BlackBerry device uses this setting if you set the EAP Security setting to EAP-FAST. Possible values Anonymous Authenticated Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Rule introduction BlackBerry Device Service 6.0 EAP Inner Link Security setting Related settings This setting specifies the inner authentication that a Wi-Fi network uses. If you want to use PAP for inner authentication, set the value for this setting to Auto. The EAP Security setting affects this setting. A BlackBerry device uses this setting if you set the EAP Security setting to TTLS, PEAP, or EAP-FAST. Possible values Auto MS-CHAPv2 GTC 160

161 Profile settings Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Rule introduction BlackBerry Device Service 6.0 WEP Key setting Related settings This setting specifies a password for a WEP key. The Link Security setting affects this setting. A BlackBerry device uses this setting if you set the Link Security setting to WEP personal. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Preshared Key Type setting This setting specifies the preshared key type for a Wi-Fi network. Possible values ASCII HEX Default value ASCII Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service

162 Profile settings Preshared Key setting This setting specifies a preshared key for a Wi-Fi network. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 User Name setting Related settings This setting specifies a user name for a Wi-Fi network that uses EAP security. The EAP Security setting affects this setting. A BlackBerry device uses this setting if you set the EAP Security setting to TTLS. The EAP Inner Link Security setting affects this setting. The device uses this setting if you set the EAP Inner Link Security setting to Auto or GTC. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 User Password setting Related settings This setting specifies a password for a Wi-Fi network that uses EAP security. The EAP Security setting affects this setting. A BlackBerry device uses this setting if you set the EAP Security setting to TTLS. 162

163 Profile settings Default value Null value The EAP Inner Link Security setting affects this setting. The device uses this setting if you set the EAP Inner Link Security setting to Auto or GTC. Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Band Type setting This setting specifies the band of the Wi-Fi network. Possible values Dual 2.4 GHz 5.0 GHz Default value Dual Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Enable DHCP setting This setting specifies whether a Wi-Fi network supports DHCP. Possible values Yes No Default value Yes 163

164 Profile settings Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 IP Address setting Related settings This setting specifies the IP address of the host for the Wi-Fi network. The Enable DHCP setting affects this setting. A BlackBerry device uses this setting if you set the Enable DHCP setting. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Subnet Mask setting Related settings This setting specifies the subnet mask in dot-decimal notation. The Enable DHCP setting affects this setting. A BlackBerry device does not use this setting if you set the Enable DHCP setting to Yes. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service

165 Profile settings Primary DNS setting Related settings This setting specifies the address of the primary DNS in dot-decimal notation. The Enable DHCP setting affects this setting. Do not use this setting if you set the Enable DHCP setting to Yes. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Secondary DNS setting Related settings This setting specifies the address of the secondary DNS in dot-decimal notation. The Enable DHCP setting affects this setting. Do not use this setting if you set the Enable DHCP setting to Yes. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Default Gateway setting This setting specifies the default gateway in dot-decimal notation (for example, ). Related settings The Enable DHCP setting affects this setting. Do not use this setting if you set the Enable DHCP setting to Yes. 165

166 Profile settings Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Enable IPv6 setting This setting specifies whether IPv6 is enabled. Possible values Yes No Default value No Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Domain Suffix setting Related settings This setting specifies the FQDN of the DNS suffix. The Enable DHCP setting affects this setting. Do not use this setting if you set the Enable DHCP setting to Yes. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service

167 Profile settings Access Point Handover setting This setting specifies whether the Wi-Fi network supports access point handover. Possible values Yes No Default value Yes Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 User Can Edit setting This setting specifies the Wi-Fi settings that a BlackBerry device user can change. Possible values Read only Credentials only Default value Read only Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service

168 Profile settings Trusted Certificate Source setting This setting specifies the source of the trusted certificate. If you select Trusted certificate store, the BlackBerry device can connect to a Wi-Fi network that uses any certificate in the Wi-Fi Trusted Certificate store. Possible values None Trusted certificate store Default value None Minimum requirements BlackBerry PlayBook OS 2.1 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Enterprise Service 10 version 10.0 Client Certificate Source setting This setting specifies the source of the client certificate. If the Wi-Fi profile includes an associated SCEP profile, the device uses a certificate obtained using a SCEP profile. Otherwise, you can select Smart card or Other. If you select Smart card, the device uses a certificate from a smart card. If you select Other, the device uses a certificate that the user added to the device. Smart card support is available for devices that run a version of BlackBerry 10 OS that is later than Possible values SCEP Smart card Other Default value Other Minimum requirements BlackBerry 10 OS version

169 Profile settings Setting introduction BlackBerry Enterprise Service 10 version 10.2 Data Security Level setting This setting specifies the domain in the work space where the Wi-Fi profile is stored when the work space uses advanced data at rest protection. This setting is valid only if the Advanced Data at Rest Protection IT policy rule is set to Yes. If this setting is set to Always available, the profile is stored in the Startup domain and is available when the work space is locked. If this setting is set to Available after authentication, the profile is stored in the Operational domain and is available after the work space is unlocked once until the device restarts. If this setting is set to Available only when work space unlocked, the profile is stored in the Lock domain and can be used for Wi-Fi connections only when the work space is unlocked. Possible values Always available Available after authentication Available only when work space unlocked Default value Always available Minimum requirements A version of BlackBerry 10 OS later than Setting introduction BlackBerry Enterprise Service 10 version 10.2 Use HTTP Proxy setting This setting specifies whether a Wi-Fi connection uses an HTTP proxy. This setting only applies to Wi-Fi connections for tablets running BlackBerry PlayBook OS 2.1 and earlier. Use an associated proxy profile for proxy settings for devices running BlackBerry 10 OS. Possible values Yes No Default value No 169

170 Profile settings Minimum requirements BlackBerry PlayBook OS 2.0 Setting introduction BlackBerry Device Service 6.0 Proxy Server setting Related settings This setting specifies the address of the proxy server in dot-decimal format or as an FQDN. This setting only applies to Wi-Fi connections for tablets running BlackBerry PlayBook OS 2.1 and earlier. Use an associated proxy profile for proxy settings for devices running BlackBerry 10 OS. The Use HTTP Proxy setting affects this setting. A tablet uses this setting only if you set the Use HTTP Proxy setting to Yes. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 Setting introduction BlackBerry Device Service 6.0 Proxy Port setting Related settings This setting specifies the port that the proxy server uses. This setting only applies to Wi-Fi connections for tablets running BlackBerry PlayBook OS 2.1 and earlier. Use an associated proxy profile for proxy settings for devices running BlackBerry 10 OS. The Use HTTP Proxy setting affects this setting. A tablet uses this setting if you set the Use HTTP Proxy setting to Yes. Possible values 0 to Default value Null value Minimum requirements BlackBerry PlayBook OS

171 Profile settings Setting introduction BlackBerry Device Service 6.0 Proxy User Name setting Related settings This setting specifies the username that the proxy server uses to authenticate a BlackBerry PlayBook tablet. This setting only applies to Wi-Fi connections for tablets running BlackBerry PlayBook OS 2.1 and earlier. Use an associated proxy profile for proxy settings for devices running BlackBerry 10 OS. The Use HTTP Proxy setting affects this setting. The tablet uses this setting if you set the Use HTTP Proxy setting to Yes. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 Setting introduction BlackBerry Device Service 6.0 Proxy Password setting Related setting This setting specifies a password that a proxy server uses to authenticate a BlackBerry PlayBook tablet. This setting only applies to Wi-Fi connections for tablets running BlackBerry PlayBook OS 2.1 and earlier. Use an associated proxy profile for proxy settings for devices running BlackBerry 10 OS. The Use HTTP Proxy setting affects this setting. The tablet uses this setting if you set the Use HTTP Proxy setting to Yes. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 Setting introduction BlackBerry Device Service

172 Profile settings Associated SCEP Profile setting Related settings This setting specifies the name of the SCEP profile associated with the Wi-Fi profile that a BlackBerry device uses for certificate-based authentication. The EAP Security setting affects this setting. A device uses this setting if you set the EAP Security setting to PEAP, TTLS, or TLS. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.1 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.1 VPN Profile setting This setting specifies the name of the VPN profile associated with the Wi-Fi profile that a device uses to make connections through a VPN. Default value Null value Minimum requirements BlackBerry 10 OS version 10.0 Setting introduction BlackBerry PlayBook OS 2.0 BlackBerry Device Service 6.0 Associated Proxy Profile setting This setting specifies the name of the proxy profile associated with the Wi-Fi profile that a device uses to make connections through a proxy server. This setting only applies to Wi-Fi connections for devices running BlackBerry 10 OS. Use the Wi-Fi profile proxy settings for tablets running BlackBerry PlayBook OS 2.1 and earlier. 172

173 Profile settings Default value Null value Minimum requirements BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Enterprise Service 10 version

174 Profile settings VPN profile settings Server Address setting This setting specifies the address of a VPN gateway in dot-decimal notation or as an FQDN. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Gateway Type setting This setting specifies the type of VPN client that the VPN client on a BlackBerry device emulates. Possible values Check Point VPN-1 Cisco VPN 3000 Series Concentrator Cisco Secure PIX Firewall Cisco IOS Easy VPN Cisco ASA Series Juniper SRX Series (IPsec VPN) Juniper MAG Series or Juniper SA Series (SSL VPN) Microsoft IKEv2 VPN server Generic IKEv2 VPN server Default value Null value 174

175 Profile settings Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Authentication Type setting Related settings This setting specifies the authentication type for the VPN gateway. The Gateway Type setting affects this setting. The gateway type determines which authentication types are supported. Possible values PSK PKI XAUTH-PSK XAUTH-PKI EAP-TLS EAP-MS-CHAPv2 Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Authentication ID Type setting Related settings This setting specifies the authentication ID type for a VPN gateway. The Gateway Type setting affects this setting. The BlackBerry device uses this setting only if you set the Gateway Type setting to Juniper MAG Series or Juniper SA Series (SSL VPN), Microsoft IKEv2 VPN server, or Generic IKEv2 VPN server. 175

176 Profile settings Possible values IPv4 Fully qualified domain name address Identity certificate distinguished name Identity certificate general name Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Authentication ID setting Related settings This setting specifies the authentication ID for the VPN gateway. The Gateway Type setting affects this setting. The BlackBerry device uses this setting only if you set the Gateway Type setting to Juniper MAG Series or Juniper SA Series (SSL VPN), Microsoft IKEv2 VPN server, or Generic IKEv2 VPN server. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Group User Name setting Related settings This setting specifies the user name for the group that the VPN gateway uses to authenticate a BlackBerry device. The Authentication Type setting affects this setting. A device uses this setting if you set the Authentication Type setting to PSK or XAUTH-PSK. 176

177 Profile settings Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Preshared Key setting Related settings This setting specifies the preshared key that a VPN gateway uses to authenticate a BlackBerry device. The Authentication Type setting affects this setting. The device uses this setting if you set the Authentication Type setting to PSK. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Group Password setting Related settings This setting specifies the group password that a VPN gateway uses to authenticate a BlackBerry device. The Authentication Type setting affects this setting. The device uses this setting only if you set the Authentication Type setting to XAUTH-PSK. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version

178 Profile settings Setting introduction BlackBerry Device Service 6.0 Hard Token setting Related settings This setting specifies whether a user must use a hardware token to authenticate with a VPN gateway. The Authentication Type setting affects this setting. The BlackBerry device uses this setting if you set the Authentication Type setting to XAUTH-PSK or XAUTH-PKI. Possible values Yes No Default value No Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 User Name setting Related settings This setting specifies the user name that a BlackBerry device uses to authenticate with a VPN gateway. The Authentication Type setting affects this setting. The device uses this setting if you set the Authentication Type setting to XAUTH-PSK or XAUTH-PKI. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service

179 Profile settings Password setting Related settings This setting specifies the password that a BlackBerry device uses to authenticate with a VPN gateway. The Authentication Type setting affects this setting. The device uses this setting only if you set the Authentication Type setting to XAUTH-PSK or XAUTH-PKI. The Hard Token setting affects this setting. The device uses this setting only if you set the Hard Token setting to No. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 EAP Identity setting Related settings This setting specifies the EAP identity that a BlackBerry device uses to authenticate with a VPN gateway. The Authentication Type setting affects this setting. The device uses this setting if you set the Authentication Type setting to EAP-TLS. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service

180 Profile settings MSCHAPv2 EAP Identity setting Related settings This setting specifies the MS-CHAPv2 EAP identity that a BlackBerry device uses to authenticate with a VPN gateway. The Authentication Type setting affects this setting. The device uses this setting if you set the Authentication Type setting to EAP-MS-CHAPv2. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 MSCHAPv2 User Name setting Related settings This setting specifies the MS-CHAPv2 user name that a BlackBerry device uses to authenticate with a VPN gateway. The Authentication Type setting affects this setting. The device uses this setting if you set the Authentication Type setting to EAP-MS-CHAPv2. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 MSCHAPv2 Password setting This setting specifies the MS-CHAPv2 password that a BlackBerry device uses to authenticate with a VPN gateway. 180

181 Profile settings Related settings The Authentication Type setting affects this setting. The device uses this setting if you set the Authentication Type setting to EAP-MS-CHAPv2. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Gateway Authentication Type setting Related settings This setting specifies the gateway authentication type for the VPN gateway. The Gateway Type setting affects this setting. The BlackBerry device uses this setting only if you set the Gateway Type setting to Juniper MAG Series or Juniper SA Series (SSL VPN), Microsoft IKEv2 VPN server, or Generic IKEv2 VPN server. Possible values None PSK PKI Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Gateway Preshared Key setting Related settings This setting specifies the gateway preshared key for the VPN gateway. The Gateway Authentication Type setting affects this setting. The BlackBerry device uses this setting only if you set the Gateway Authentication Type setting to PSK. 181

182 Profile settings Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Gateway Authentication ID Type setting Related settings This setting specifies the gateway authentication ID type of a VPN gateway. The Gateway Type setting affects this setting. The BlackBerry device uses this setting only if you set the Gateway Type setting to Juniper MAG Series or Juniper SA Series (SSL VPN), Microsoft IKEv2 VPN server, or Generic IKEv2 VPN server. Possible values IPv4 Fully qualified domain name address Identity certificate distinguished name Identity certificate general name Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Gateway Authentication ID setting Related settings This setting specifies the Gateway Authentication ID for the VPN gateway. The Gateway Authentication ID Type setting affects this setting. The BlackBerry device uses this setting if you set the Gateway Authentication ID Type setting to Fully qualified domain name or address. 182

183 Profile settings Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Automatically Determine IP setting This setting specifies whether a BlackBerry device automatically determines the IP configuration for the VPN gateway. Possible values Yes No Default value No Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Private IP setting Related settings This setting specifies the private IP of the VPN gateway. The Automatically Determine IP setting affects this setting. A BlackBerry device uses this setting only if you set the Automatically Determine IP setting to No. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version

184 Profile settings Setting introduction BlackBerry Device Service 6.0 Private IP Mask setting Related settings This setting specifies the IP mask for the VPN gateway. The Automatically Determine IP setting affects this setting. A BlackBerry device uses this setting if you set the Automatically Determine IP setting to No. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Subnet setting Related settings This setting specifies the subnet of the VPN gateway. The Automatically Determine IP setting affects this setting. A BlackBerry device uses this setting if you set the Automatically Determine IP setting to No. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Subnet Mask setting This setting specifies the subnet mask for the VPN gateway. 184

185 Profile settings Related settings The Automatically Determine IP setting affects this setting. A BlackBerry device uses this rule if you set the Automatically Determine IP setting to No. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Dynamically Determine DNS setting This setting specifies whether a BlackBerry device dynamically determines the DNS of the VPN gateway. Possible values Yes No Default value No Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Primary DNS setting Related settings This setting specifies the primary DNS of the VPN gateway. The Dynamically Determine DNS setting affects this setting. A BlackBerry device uses this setting if you set the Dynamically Determine DNS setting to No. Default value Null value 185

186 Profile settings Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Secondary DNS setting Related settings This setting specifies the secondary DNS of the VPN gateway. The Dynamically Determine DNS setting affects this setting. A BlackBerry device uses this setting if you set the Dynamically Determine DNS setting to No. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Domain Suffix setting Related settings This setting specifies the domain suffix for the VPN gateway. The Dynamically Determine DNS setting affects this setting. A BlackBerry device uses this setting if you set the Dynamically Determine DNS setting to No. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service

187 Profile settings Perfect Forward Secrecy setting Related settings This setting specifies whether the VPN gateway supports PFS. The IPSEC DH Group setting affects this setting. If you set this setting to Yes, the IPSEC DH Group setting must not be set to 0 or a null value. Possible values Yes No Default value No Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Manual Algorithm Selection setting This setting specifies whether you must set the cryptographic algorithms for the VPN gateway. Possible values Yes No Default value No Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service

188 Profile settings IKE DH Group setting Related settings This setting specifies the DH group that a BlackBerry device uses to generate key material. The Manual Algorithm Selection setting affects this setting. The device uses this setting if you set the Manual Algorithm Selection setting to Yes. If you select one of the Custom settings, you must specify the provider in the Custom IKE DH Provider setting. Possible values 1 to 26, except 3, 4, and 6 Custom 1 to Custom 5 Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 IKE Cipher setting Related settings This setting specifies the algorithm that a BlackBerry device uses to generate a shared secret key. The Manual Algorithm Selection setting affects this setting. The device uses this setting if you set the Manual Algorithm Selection setting to Yes. Possible values None DES (56-bit key) Triple DES (168-bit key) AES (128-bit key) AES (192-bit key) AES (256-bit key) 188

189 Profile settings Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 IKE Hash setting Related settings This setting specifies the hash function that a BlackBerry device uses with IKE. The Manual Algorithm Selection setting affects this setting. The device uses this setting if you set the Manual Algorithm Selection setting to Yes. Possible values None MD5 AES-XCBC SHA-1 SHA-256 SHA-384 SHA-512 Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 IKE PRF setting This setting specifies the PRF that a BlackBerry device uses with IKE. 189

190 Profile settings Related settings The Manual Algorithm Selection setting affects this setting. The device uses this setting if you set the Manual Algorithm Selection setting to Yes. Possible values None HMAC HMAC-MD5 AES-XCBC HMAC-SHA-1 HMAC-SHA-256 HMAC-SHA-384 HMAC-SHA-512 Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 IPSEC DH Group setting Related settings This setting specifies the DH group that a BlackBerry device uses with IPsec. The Manual Algorithm Selection setting affects this setting. The device uses this setting if you set the Manual Algorithm Selection setting to Yes. Possible values 0 to 26, except 3, 4, and 6 Default value 0 Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service

191 Profile settings IPSEC Cipher setting Related settings This setting specifies the algorithm that a BlackBerry device uses with IPsec. The Manual Algorithm Selection setting affects this setting. The device uses this setting if you set the Manual Algorithm Selection setting to Yes. Possible values None DES (56-bit key) Triple DES (168-bit key) AES (128-bit key) AES (192-bit key) AES (256-bit key) Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 IPSEC Hash setting Related settings This setting specifies the hash function that a BlackBerry device uses with IPsec. The Manual Algorithm Selection setting affects this setting. The device uses this setting if you set the Manual Algorithm Selection setting to Yes. Possible values None MD5 AES-XCBC SHA-1 SHA

192 Profile settings SHA-384 SHA-512 Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 IKE Lifetime setting This setting specifies the lifetime of the IKE connection. If you set an unsupported value or a null value, the BlackBerry device default value is used. Possible values 1 to seconds Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 IPSEC Lifetime setting This setting specifies the lifetime of the IPsec connection. If you set an unsupported value or a null value, the BlackBerry device default value is used. Possible values 1 to seconds Default value Null value 192

193 Profile settings Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 NAT Keep Alive setting This setting specifies how often a device sends a NAT keep-alive packet. If you set an unsupported value or a null value, the BlackBerry device default value is used. Possible values 1 to seconds Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 DPD Frequency setting This setting specifies the DPD frequency. A BlackBerry device supports a minimum setting of 10 seconds. If you set an unsupported value or a null value, the device default value is used. Possible values 1 to seconds Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service

194 Profile settings Split Tunneling setting This setting specifies whether the VPN gateway supports split tunneling. Possible values Yes No Default value No Minimum requirements BlackBerry PlayBook OS 2.1 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Disable Banner setting This setting specifies whether a BlackBerry device blocks the VPN banner. Possible values Yes No Default value No Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 User Can Edit setting This setting specifies the VPN settings that a BlackBerry device user can change. 194

195 Profile settings Possible values Read only Credentials only Default value Read only Minimum requirements BlackBerry PlayBook OS 2.0 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service 6.0 Trusted Certificate Source setting Related settings This setting specifies the source of the trusted certificate. If you select Trusted certificate store, the BlackBerry device can connect to a VPN that uses any certificate in the VPN Trusted Certificate store. The Authentication Type setting affects this setting. The device uses this setting if you set the Authentication Type setting to PKI or XAUTH-PKI. Possible values None Trusted certificate store Default value None Minimum requirements BlackBerry PlayBook OS 2.1 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Enterprise Service 10 version 10.0 Display VPN Information on Device setting This setting specifies whether VPN information is displayed on the device. If you select Visible, most of the VPN profile information appears on the device. If you select Invisible, only the profile name appears on the device. If you select Credentials only, the profile name and the credential fields appear on the device. 195

196 Profile settings Possible values Visible Invisible Credentials only Default value Visible Minimum requirements BlackBerry 10 OS version 10.1 Setting introduction BlackBerry Enterprise Service 10 version 10.1 Custom IKE DH Provider setting Related settings This setting specifies the name of the provider for custom IKE DH. This setting applies only if you select one of the custom options in the IKE DH Group setting. Default value Null value Minimum requirements BlackBerry 10 OS version 10.1 Setting introduction BlackBerry Enterprise Service 10 version 10.1 Client Certificate Source setting Related settings This setting specifies the source of the client certificate. If the VPN profile includes an associated SCEP profile, the device uses a certificate obtained using a SCEP profile. Otherwise, you can select Smart card or Other. If you select Smart card, the device uses a certificate from a smart card. If you select Other, the device uses a certificate that the user added to the device. Smart card support is available for devices that run a version of BlackBerry 10 OS that is later than The Authentication Type setting affects this setting. The device uses this setting if you set the Authentication Type setting to PKI or XAUTH-PKI. 196

197 Profile settings Possible values SCEP Smart card Other Default value Other Minimum requirements BlackBerry 10 OS version 10.2 Setting introduction BlackBerry Enterprise Service 10 version 10.2 Data Security Level setting This setting specifies the domain in the work space where the VPN profile is stored when the work space uses advanced data at rest protection. This setting is valid only if the Advanced Data at Rest Protection IT policy rule is set to Yes. If this setting is set to Always available, the profile is stored in the Startup domain and is available when the work space is locked. If this setting is set to Available after authentication, the profile is stored in the Operational domain and is available after the work space is unlocked once until the device restarts. If this setting is set to Available only when work space unlocked, the profile is stored in the Lock domain and can be used for VPN connections only when the work space is unlocked. Possible values Always available Available after authentication Available only when work space unlocked Default value Always available Minimum requirements A version of BlackBerry 10 OS later than Setting introduction BlackBerry Enterprise Service 10 version

198 Profile settings Use HTTP Proxy setting This setting specifies whether the VPN gateway uses an HTTP proxy. This setting only applies to VPN connections for tablets running BlackBerry PlayBook OS 2.1 and earlier. Use an associated proxy profile for proxy settings for devices running BlackBerry 10 OS. Possible values Yes No Default value No Minimum requirements BlackBerry PlayBook OS 2.0 Setting introduction BlackBerry Device Service 6.0 Proxy Server setting Related settings This setting specifies the address of the proxy server in dot-decimal format or as an FQDN. This setting only applies to VPN connections for tablets running BlackBerry PlayBook OS 2.1 and earlier. Use an associated proxy profile for proxy settings for devices running BlackBerry 10 OS. The Use HTTP Proxy setting affects this setting. A tablet uses this setting if you set the Use HTTP Proxy setting to Yes. Default values Null value Minimum requirements BlackBerry PlayBook OS 2.0 Setting introduction BlackBerry Device Service

199 Profile settings Proxy Port setting Related settings This setting specifies the port of the VPN gateway proxy. This setting only applies to VPN connections for tablets running BlackBerry PlayBook OS 2.1 and earlier. Use an associated proxy profile for proxy settings for devices running BlackBerry 10 OS. The Use HTTP Proxy setting affects this setting. A tablet uses this setting if you set the Use HTTP Proxy setting to Yes. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 Setting introduction BlackBerry Device Service 6.0 Proxy User Name setting Related settings This setting specifies the user name that a BlackBerry PlayBook tablet uses with the VPN proxy. This setting only applies to VPN connections for tablets running BlackBerry PlayBook OS 2.1 and earlier. Use an associated proxy profile for proxy settings for devices running BlackBerry 10 OS. The Use HTTP Proxy setting affects this setting. The tablet uses this setting if you set the Use HTTP Proxy setting to Yes. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 Setting introduction BlackBerry Device Service

200 Profile settings Proxy Password setting Related settings This setting specifies the password that a BlackBerry PlayBook tablet uses with the VPN proxy. This setting only applies to VPN connections for tablets running BlackBerry PlayBook OS 2.1 and earlier. Use an associated proxy profile for proxy settings for devices running BlackBerry 10 OS. The Use HTTP Proxy setting affects this setting. The tablet uses this setting if you set the Use HTTP Proxy setting to Yes. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.0 Setting introduction BlackBerry Device Service 6.0 Associated SCEP Profile setting Related settings This setting specifies the name of the SCEP profile associated with the VPN profile that a BlackBerry device uses for certificate-based authentication. The Authentication Type setting affects this setting. The device uses this setting if you set the Authentication Type setting to PKI, XAUTH-PKI, or EAP-TLS. The Gateway Authentication Type setting affects this setting. The device uses this setting if you set the Gateway Authentication Type setting to PKI. Default value Null value Minimum requirements BlackBerry PlayBook OS 2.1 BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Device Service

201 Profile settings Associated Proxy Profile setting This setting specifies the name of the proxy profile associated with the VPN profile that a device uses to make connections through a proxy server. This setting only applies to VPN connections for devices running BlackBerry 10 OS. Use the VPN profile proxy settings for tablets running BlackBerry PlayBook OS 2.1 and earlier. Default value Null value Minimum requirements BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Enterprise Service 10 version

202 Profile settings Proxy profile settings BlackBerry devices running BlackBerry 10 OS use the proxy profile settings. Tablets running the BlackBerry PlayBook OS use the proxy settings in a Wi-Fi profile or VPN profile. Exclusion List setting Related settings This setting specifies a list of addresses that are excluded from the proxy profile. BlackBerry devices can connect to these addresses directly without using the proxy server. Specify the addresses in IP format or FQDN format and separate the addresses with a semicolon (;). The Proxy Profile Type setting affects this setting. This setting is available only if the Proxy Profile Type setting is set to Manual configuration. Default value Null value Minimum requirements BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Enterprise Service 10 version 10.0 Host setting Related settings This setting specifies the address of the proxy host server. The host can be specified in IP or FQDN format. The Proxy Profile Type setting affects this setting. This setting is available only if the Proxy Profile Type setting is set to Manual configuration. Default value Null value Minimum requirements BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Enterprise Service 10 version

203 Profile settings PAC URL setting Related settings This setting specifies the URL for the PAC file. The Proxy Profile Type setting affects this setting. This setting is available only if the Proxy Profile Type setting is set to PAC configuration. Default value Null value Minimum requirements BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Enterprise Service 10 version 10.0 Password setting This setting specifies the password required to access the HTTP proxy server. Enter the same value in the Confirm password field. Default value Null value Minimum requirements BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Enterprise Service 10 version 10.0 Port setting Related settings This setting specifies the port used by the proxy host server. The Proxy Profile Type setting affects this setting. This setting is available only if the Proxy Profile Type setting is set to Manual configuration. Default value Null value Minimum requirements BlackBerry 10 OS version

204 Profile settings Setting introduction BlackBerry Enterprise Service 10 version 10.0 Type setting This setting specifies whether the profile uses a PAC file to set proxy information or whether the host, port, and exclusion list of the proxy server are set manually in the profile. Possible values Manual configuration PAC configuration Default value PAC configuration Minimum requirements BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Enterprise Service 10 version 10.0 User setting This setting specifies the username required to access the HTTP proxy server. Default value Null value Minimum requirements BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Enterprise Service 10 version 10.0 User Can Edit setting This setting specifies which fields the user can change. If you set this option to Credentials only, users can change the username and password. If you set this rule to Read only, users cannot change the settings. 204

205 Profile settings Possible values Credentials only Read only Default value Read only Minimum requirements BlackBerry 10 OS version 10.0 Setting introduction BlackBerry Enterprise Service 10 version

206

207 Product documentation Product documentation 8 To read the following guides or other related materials, visit docs.blackberry.com/bes10. Category Resource Overview Introduction to BlackBerry Enterprise Service 10 Quick, visual introduction to BlackBerry Enterprise Service 10 at a high level What's New in BlackBerry Enterprise Service 10 Quick Reference BlackBerry Enterprise Service 10 Product Overview Summary of new features, enhancements, and updates in BlackBerry Enterprise Service 10 Introduction to BlackBerry Enterprise Service 10 and its features Finding your way through the documentation Architecture Enterprise Solution Comparison Chart Comparison of what features are available across different BlackBerry enterprise solutions Supported Features by Device Type Comparison of what features are supported for each type of device in BlackBerry Enterprise Service 10 BlackBerry Enterprise Service 10 Architecture and Data Flow Quick Reference Guide s of BlackBerry Enterprise Service 10 components s of activation and data flows for different types of devices Release notes Installation and upgrade BlackBerry Enterprise Service 10 Release Notes BlackBerry Enterprise Service 10 Compatibility Matrix s of known issues and potential workarounds Software that is compatible with BlackBerry Enterprise Service 10

208 Product documentation Category Resource BlackBerry Enterprise Service 10 Performance Calculator Tool to estimate the hardware required to support a given workload for BlackBerry Enterprise Service 10 BlackBerry Enterprise Service 10 Installation Guide System requirements Installation instructions BlackBerry Enterprise Service 10 Upgrade Guide System requirements Upgrade instructions Configuration BlackBerry Enterprise Service 10 Licensing Guide s of different types of licenses Instructions for activating and managing licenses in BlackBerry Management Studio BlackBerry Enterprise Service 10 Configuration Guide Instructions for how to configure server components before you start administering users and their devices Administration BlackBerry Management Studio Basic Administration Guide Basic administration for all supported device types, including BlackBerry 10 devices, BlackBerry PlayBook tablets, ios devices, Android devices, and BlackBerry 7.1 and earlier devices Instructions for creating and managing user accounts in multiple Services Instructions for managing multiple devices for each user account BlackBerry Device Service Advanced Administration Guide Advanced administration for BlackBerry 10 devices and BlackBerry PlayBook tablets Instructions for creating user accounts, groups, roles, and administrator accounts Instructions for activating devices Instructions for creating and sending IT policies and profiles Instructions for managing apps on devices Universal Device Service Advanced Administration Guide Advanced administration for ios and Android devices 208

209 Product documentation Category Resource Instructions for creating user accounts, groups, and administrator accounts Instructions for activating devices Instructions for creating and sending IT policies and profiles Instructions for managing apps on devices s of IT policy rules for ios and Android devices BlackBerry Device Service Policy Reference Spreadsheet s of IT policy rules for BlackBerry 10 devices and BlackBerry PlayBook tablets Security BlackBerry Device Service Solution Security Technical Overview of the security maintained by the BlackBerry Device Service, BlackBerry Infrastructure, and BlackBerry 10 devices and BlackBerry PlayBook tablets to protect data and connections of the BlackBerry 10 OS of the BlackBerry PlayBook OS of how work data is protected on BlackBerry 10 devices and BlackBerry PlayBook tablets when you use the BlackBerry Device Service Secure Work Space for ios and Android Security Note of the security maintained by the Universal Device Service, BlackBerry Infrastructure, and work spaceenabled devices to protect work space data at rest and in transit of how work space apps are protected on work space-enabled devices when you use the Universal Device Service 209

210 Provide feedback Provide feedback 9 To provide feedback on this content, visit 210

211 Glossary Glossary 10 ANSI CA DNS EMM FQDN HTTP HTTPS IP KDC LDAP NTLM PAC PIN SCEP S/MIME SRP SSL TCP UDP UNC UTF-8 UTF-16LE VPN American National Standards Institute certification authority Domain Name System Enterprise Mobility Management fully qualified domain name Hypertext Transfer Protocol over Secure Sockets Layer Hypertext Transfer Protocol over Secure Sockets Layer Internet Protocol A Key Distribution Center (KDC) is a server that performs the trusted arbitrator role for the Kerberos protocol. The KDC issues service tickets and maintains a list of tickets that it issued. Domain controllers are KDCs. Lightweight Directory Access Protocol NT LAN Manager proxy auto-configuration personal identification number simple certificate enrollment protocol Secure Multipurpose Internet Mail Extensions Server Routing Protocol Secure Sockets Layer Transmission Control Protocol User Datagram Protocol Universal Naming Convention 8-bit UCS/Unicode Transformation Format UCS Transformation Format 16 Little Endian virtual private network

212 Glossary WEP Wired Equivalent Privacy 212

213 Legal Notice Legal Notice BlackBerry. All rights reserved. BlackBerry and related trademarks, names, and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world. IBM and Domino are trademarks of International Business Machines Corporation. Heimdal is a trademark of CSIS Security Group A/S Private Limited. Java is a trademark of Oracle and/or its affiliates. Kerberos is a trademark of the Massachusetts Institute of Technology. Microsoft, ActiveSync, Active Directory, Windows, and Windows Server are trademarks of Microsoft Corporation. Novell and GroupWise are trademarks of Novell, Inc. Wi-Fi is a trademark of the Wi-Fi Alliance. All other trademarks are the property of their respective owners. This documentation including all documentation incorporated by reference herein such as documentation provided or made available at is provided or made accessible "AS IS" and "AS AVAILABLE" and without condition, endorsement, guarantee, representation, or warranty of any kind by BlackBerry Limited and its affiliated companies ("BlackBerry") and BlackBerry assumes no responsibility for any typographical, technical, or other inaccuracies, errors, or omissions in this documentation. In order to protect BlackBerry proprietary and confidential information and/or trade secrets, this documentation may describe some aspects of BlackBerry technology in generalized terms. BlackBerry reserves the right to periodically change information that is contained in this documentation; however, BlackBerry makes no commitment to provide any such changes, updates, enhancements, or other additions to this documentation to you in a timely manner or at all. This documentation might contain references to third-party sources of information, hardware or software, products or services including components and content such as content protected by copyright and/or third-party websites (collectively the "Third Party Products and Services"). BlackBerry does not control, and is not responsible for, any Third Party Products and Services including, without limitation the content, accuracy, copyright compliance, compatibility, performance, trustworthiness, legality, decency, links, or any other aspect of Third Party Products and Services. The inclusion of a reference to Third Party Products and Services in this documentation does not imply endorsement by BlackBerry of the Third Party Products and Services or the third party in any way. EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS OR WARRANTIES OF DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE, MERCHANTABILITY, MERCHANTABLE QUALITY, NON-INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND CONDITIONS. TO THE EXTENT PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE DOCUMENTATION TO THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE SUBJECT OF THE CLAIM.

214 Legal Notice TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL BLACKBERRY BE LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE FOLLOWING DAMAGES: DIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED DAMAGES, DAMAGES FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION OR LOSS OF DATA, FAILURES TO TRANSMIT OR RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY APPLICATIONS USED IN CONJUNCTION WITH BLACKBERRY PRODUCTS OR SERVICES, DOWNTIME COSTS, LOSS OF THE USE OF BLACKBERRY PRODUCTS OR SERVICES OR ANY PORTION THEREOF OR OF ANY AIRTIME SERVICES, COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR SERVICES, COST OF CAPITAL, OR OTHER SIMILAR PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR UNFORESEEN, AND EVEN IF BLACKBERRY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, BLACKBERRY SHALL HAVE NO OTHER OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING ANY LIABILITY FOR NEGLIGENCE OR STRICT LIABILITY. THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF THE CAUSE OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL BREACH OR BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY CONTAINED HEREIN; AND (B) TO BLACKBERRY AND ITS AFFILIATED COMPANIES, THEIR SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS (INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED BLACKBERRY DISTRIBUTORS (ALSO INCLUDING AIRTIME SERVICE PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT CONTRACTORS. IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR, EMPLOYEE, AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF BLACKBERRY OR ANY AFFILIATES OF BLACKBERRY HAVE ANY LIABILITY ARISING FROM OR RELATED TO THE DOCUMENTATION. Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure that your airtime service provider has agreed to support all of their features. Some airtime service providers might not offer Internet browsing functionality with a subscription to the BlackBerry Internet Service. Check with your service provider for availability, roaming arrangements, service plans and features. Installation or use of Third Party Products and Services with BlackBerry's products and services may require one or more patent, trademark, copyright, or other licenses in order to avoid infringement or violation of third party rights. You are solely responsible for determining whether to use Third Party Products and Services and if any third party licenses are required to do so. If required you are responsible for acquiring them. You should not install or use Third Party Products and Services until all necessary licenses have been acquired. Any Third Party Products and Services that are provided with BlackBerry's products and services are provided as a convenience to you and are provided "AS IS" with no express or implied conditions, endorsements, guarantees, representations, or warranties of any kind by BlackBerry and BlackBerry assumes no liability whatsoever, in relation thereto. Your use of Third Party Products and Services shall be governed by and subject to you agreeing to the terms of separate licenses and other agreements applicable thereto with third parties, except to the extent expressly covered by a license or other agreement with BlackBerry. 214

215 Legal Notice Certain features outlined in this documentation require a minimum version of BlackBerry Enterprise Server, BlackBerry Desktop Software, and/or BlackBerry Device Software. The terms of use of any BlackBerry product or service are set out in a separate license or other agreement with BlackBerry applicable thereto. NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN AGREEMENTS OR WARRANTIES PROVIDED BY BLACKBERRY FOR PORTIONS OF ANY BLACKBERRY PRODUCT OR SERVICE OTHER THAN THIS DOCUMENTATION. Certain features outlined in this documentation might require additional development or Third Party Products and Services for access to corporate applications. BlackBerry Limited 2200 University Avenue East Waterloo, Ontario Canada N2K 0A7 BlackBerry UK Limited 200 Bath Road Slough, Berkshire SL1 3XE United Kingdom Published in Canada 215