
Advanced Administration


Academic year: 2021


BlackBerry Device Service

Version: 10.2

1 Introduction

About this guide

What is BlackBerry Enterprise Service 10?

Key features of BlackBerry Enterprise Service 10

About the BlackBerry Device Service

Log in to the BlackBerry Device Service console

About BES10 Self-Service

2 Setting up administrator accounts

Defining different types of administrators

Preconfigured roles

View the permission of a role

Create a role

Copy a role

Change a role

Delete a role

Permissions for preconfigured roles

Creating and managing administrator accounts

Create an administrator account

Change an administrator account

Delete an administrator account

Remove an administrator account from the BlackBerry Device Service

Add an administrator account to the BlackBerry Device Service

Add an administrator account to a group

Delete administrator accounts from a group

Add a role to an administrator account

Delete roles from an administrator account

3 Setting up device controls

Controlling how devices can connect to your organization's network

Managing Wi-Fi profiles

Managing VPN profiles

Managing email profiles

Managing SCEP profiles

Managing proxy profiles

Accessing network drives from devices

Create an IT policy

Copy an IT policy

Import IT policies

Export IT policies

Change an IT policy

Delete an IT policy

View the IT policies assigned to user accounts and administrator accounts

Resolving IT policy conflicts

Managing work and personal spaces

Configuring the default device activation type for all new users

Enforcing your organization's device compliance requirements

Update the template for the device compliance notification

Select an enforcement action for devices that are not in compliance

Managing app availability on devices

Preparing an app for delivery

Sending and removing apps from devices

Reconciling multiple software configurations that are assigned to a user account

4 Managing groups, users, and device controls

Creating and managing groups

About preconfigured groups

Create a group

Change a group

Delete a group

Add child groups to a group

Delete child groups from a parent group

Add roles to a group

Delete roles from a group

Applying device controls to a group

Add software configurations to a group

Delete software configurations from a group

Add an IT policy to a group

Delete an IT policy from a group

Add Wi-Fi profiles to a group

Delete Wi-Fi profiles from a group

Add VPN profiles to a group

Delete VPN profiles from a group

Creating and changing user accounts

Synchronize new or updated user information with a company directory

Change a user account

Create user accounts from a .csv file

Create local user accounts from a .csv file

Change the user accounts in a .csv file

Create a list of all user accounts and their associated devices

Create a list of selected user accounts and their associated devices

Move a user account from one BlackBerry Device Service instance to another

Delete a user account

Managing groups and roles for user accounts

Add user accounts to groups

Delete user accounts from groups

Add roles to user accounts

Delete roles from user accounts

Applying device controls to user accounts

Add software configurations to user accounts

Delete software configurations from user accounts

Add an IT policy to a user account

Delete an IT policy from a user account

Add Wi-Fi profiles to user accounts

Delete Wi-Fi profiles from user accounts

Add VPN profiles to user accounts

Delete VPN profiles from user accounts

Add an email profile to a user account

Delete an email profile from a user account

5 Activating and managing devices

Activating devices

Preparing to assign devices

Activate a device using the BlackBerry Administration Service

Setting an activation password using BES10 Self-Service

Activating a device over the wireless network

Prevent wireless activation over the BlackBerry infrastructure

Managing devices

Sending CA certificates to devices

Sending work space wallpaper to devices

Assign a user a different device

Specify a new device password and lock the device

Deactivating a device

Reactivate a device

Create a list of all user accounts and their associated devices

Create a list of selected user accounts and their associated devices

Troubleshooting devices

The computer blocks incoming connections from a device

The computer uses an incorrect certificate template for the SCEP

The service plan on your SIM card doesn’t support your organization’s activation requirements

6 Maintaining and monitoring

Maintaining and monitoring the health of the BlackBerry Device Service

Change how the BlackBerry Controller restarts a BlackBerry Device Service component

Managing log files for server components

Change the location for log files

Change the folder for log files

Change the name of a log file

Add a prefix to the file name of a log file

Change the maximum size of a log file

Change the logging level of a log file

Specify how the BlackBerry Device Service manages a log file that reaches its maximum size

Specify when the BlackBerry Device Service creates a log file

Set the maximum age for a log file

Change the encoding of the log file

Restore default settings for log files

Changing how the BlackBerry MDS Connection Service creates a log file

Sending device log files to the BlackBerry Technical Solution Center

7 Profile settings

Email profile settings

Type setting

Server Name setting

Server Port setting

Use SSL setting

SyncML server

SyncML server port

Use SSL to connect to SyncML

Push Enabled setting

Days to Synchronize setting

Contact Synchronization setting

Memo Synchronization setting

Task Synchronization setting

To Do list synchronization

SCEP Profile setting

S/MIME Messages setting

Digitally Signed S/MIME Messages setting

Encrypted S/MIME Messages setting

Allowed Content Ciphers setting

SCEP profile settings

SCEP Service URL setting

Certificate Thumbprint setting

Key Algorithm setting

RSA Strength setting

ECC Strength setting

Specify Encryption Algorithm setting

Specify Hash Function setting

Certification Authority Identifier setting

Certification Authority Challenge Password setting

Automatic Renewal setting

Wi-Fi profile settings

SSID setting

Hidden SSID setting

Link Security setting

EAP Security setting

EAP-FAST Provisioning Method setting

EAP Inner Link Security setting

WEP Key setting

Preshared Key Type setting

Preshared Key setting

User Name setting

User Password setting

Band Type setting

Enable DHCP setting

IP Address setting

Subnet Mask setting

Primary DNS setting

Domain Suffix setting

Access Point Handover setting

User Can Edit setting

Trusted Certificate Source setting

Client Certificate Source setting

Data Security Level setting

Use HTTP Proxy setting

Proxy Server setting

Proxy Port setting

Proxy User Name setting

Proxy Password setting

Associated SCEP Profile setting

VPN Profile setting

Associated Proxy Profile setting

VPN profile settings

Server Address setting

Gateway Type setting

Authentication Type setting

Authentication ID Type setting

Authentication ID setting

Group User Name setting

Preshared Key setting

Group Password setting

Hard Token setting

User Name setting

Password setting

EAP Identity setting

MSCHAPv2 EAP Identity setting

MSCHAPv2 User Name setting

MSCHAPv2 Password setting

Gateway Authentication Type setting

Gateway Preshared Key setting

Gateway Authentication ID Type setting

Gateway Authentication ID setting

Automatically Determine IP setting

Private IP setting

Private IP Mask setting

Primary DNS setting

Secondary DNS setting

Domain Suffix setting

Perfect Forward Secrecy setting

Manual Algorithm Selection setting

IKE DH Group setting

IKE Cipher setting

IKE Hash setting

IKE PRF setting

IPSEC DH Group setting

IPSEC Cipher setting

IPSEC Hash setting

IKE Lifetime setting

IPSEC Lifetime setting

NAT Keep Alive setting

DPD Frequency setting

Split Tunneling setting

Disable Banner setting

User Can Edit setting

Trusted Certificate Source setting

Display VPN Information on Device setting

Custom IKE DH Provider setting

Client Certificate Source setting

Data Security Level setting

Use HTTP Proxy setting

Proxy Server setting

Proxy Port setting

Proxy User Name setting

Associated SCEP Profile setting

Associated Proxy Profile setting

Proxy profile settings

Exclusion List setting

Host setting

PAC URL setting

Password setting

Port setting

Type setting

About this guide

The BlackBerry Device Service allows you to manage BlackBerry devices in your organization's environment. This guide provides instructions on how to manage user accounts and devices after the BlackBerry Device Service is installed and configured.


What is BlackBerry Enterprise Service 10?

BlackBerry Enterprise Service 10 helps you manage mobile devices for your organization. You can manage BlackBerry devices and BlackBerry PlayBook tablets, as well as iOS and Android devices, all from a unified interface. BlackBerry Enterprise Service 10 is designed to help protect business information, keep mobile workers connected with the information they need, and provide administrators with efficient tools that help keep business moving forward. BlackBerry Enterprise Service 10 includes the following components:

Component | Description

BlackBerry Device Service | Provides advanced administration for BlackBerry 10 devices and BlackBerry PlayBook tablets

Universal Device Service | Provides advanced administration for iOS and Android devices

BlackBerry Management Studio | Provides a unified interface to administer common tasks for BlackBerry 10 devices, BlackBerry PlayBook tablets, BlackBerry 7.1 and earlier devices, iOS devices, and Android devices

BES10 Self-Service | Provides a console to users so that they can perform some self-service tasks. For example, users can create activation passwords, remotely change the password on their device, or delete data from the device.

Key features of BlackBerry Enterprise Service 10

The table below describes some of the key features for BlackBerry Enterprise Service 10.

Feature | Description

Management of most types of devices | BlackBerry Enterprise Service 10 supports all types of BlackBerry devices and tablets, as well as iOS devices and Android devices.

Single, unified interface | BlackBerry Management Studio is a single, web-based interface where you can view all devices in one place and access the most common management tasks across multiple domains. These tasks include creating and managing groups, managing device controls, and activating mobile devices.


About the BlackBerry Device Service

The BlackBerry Device Service permits you to manage BlackBerry 10 OS devices and BlackBerry PlayBook tablets that run BlackBerry Tablet OS 2.0 or later.

As an administrator, you can use the BlackBerry Device Service to:

• Provision devices in an enterprise environment by providing Microsoft ActiveSync configuration information that the device uses to synchronize email, calendar and tasks

• Support a work and life balance by separating work and personal data using BlackBerry Balance technology

• Audit devices and users by being able to view user and tablet information

• Protect your organization's data by managing work data on devices using BlackBerry Balance, set contact information on the home screen when users connect to the network, and use IT policies to manage access to your organization's data

• Manage mandatory and optional applications by creating a catalog of optional applications on the device, and manage the installation and update of mandatory applications

• Increase productivity because of familiar user interfaces which include BlackBerry Administration Service and BES10 Self-Service

To provide a single interface for helpdesk administrators to manage all the devices in your organization's environment, you can connect BlackBerry Management Studio to the BlackBerry Device Service.

Log in to the BlackBerry Device Service console

You can use the BlackBerry Device Service console, also known as the BlackBerry Administration Service, to manage the BlackBerry Device Service and the user accounts and devices that are associated with it. To open the console, use a browser on a computer that can access the computer that hosts the BlackBerry Administration Service. You can use a Microsoft Active Directory, LDAP, or BlackBerry Administration Service username and password to log in.

When you install BlackBerry Enterprise Service 10, you specify the username and password that you use to log in for the first time.

1. In the browser, type https://<server_name>:<port>/webconsole/login, where <server_name> is the name of the computer that hosts the BlackBerry Administration Service. The default port for the BlackBerry Administration Service is port 38443.

2. In the User name field, type your username.

3. In the Password field, type your password.

4. Perform one of the following actions:

• In the Log in using drop-down list, click Active Directory and type the Microsoft Active Directory domain in the Domain field.

• In the Log in using drop-down list, click LDAP.

5. Click Log in.


About BES10 Self-Service

BES10 Self-Service is a web-based application that you can make available to users so that they can perform certain tasks such as creating activation passwords, remotely locking their devices, or deleting data from their devices. Users do not need to install any software on their computers to use BES10 Self-Service.

You must provide the BES10 Self-Service web address and login information to users. You can send this information in an email message, or edit the activation email template to include the information. Provide the following information:

• Web address. The web address for BES10 Self-Service is https://<server_name>:7445, where <server_name> is the FQDN of the computer that hosts the console, and 7445 is the default port. You can change the port in the BES10 Configuration Tool.

• Username and password. Company directory users can log in with their organization usernames and passwords. For local users that have BlackBerry 10 devices, you must create their usernames and passwords in the BlackBerry Device Service. Local users that have iOS or Android devices cannot use BES10 Self-Service.


Defining different types of administrators

You can use roles to specify the information that an administrator can view and the tasks that an administrator can perform in the BlackBerry Device Service. Each role consists of a set of permissions that are assigned to an administrator account. The permissions do not apply to the BES10 Configuration Tool.

You can use a preconfigured role or create a role to meet your organization's requirements. You can assign a role to an administrator account to manage permissions for a single administrator account or you can assign a role to a group to manage permissions for all of the administrator accounts in the group. If you assign a role to a user account, the user account becomes an administrator account.

You can assign multiple roles to an administrator account (both directly and by assigning the roles to the group that the administrator account belongs to). If you assign multiple roles to an administrator account, the administrator has all of the permissions that are turned on for each of the assigned roles.

Preconfigured roles

The BlackBerry Device Service includes preconfigured roles. You can use a preconfigured role, change the preconfigured role and then use it, or copy the preconfigured role and use it as a template for a new role.

Preconfigured role name | Description

Security Administrator | This role has permission to perform all tasks in the BlackBerry Device Service.

Enterprise Administrator | This role has permission to perform all tasks in the BlackBerry Device Service except changing role assignments. This role can only view role assignments.

Senior Helpdesk Administrator | This role has permission to perform advanced administrative tasks in the BlackBerry Device Service.

Junior Helpdesk Administrator | This role has permission to perform basic administrative tasks in the BlackBerry Device Service.

Server Only Administrator | This role has permission to perform system management tasks in the BlackBerry Device Service.

User Only Administrator | This role has permission to perform user management tasks in the BlackBerry Device Service.
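The rule that an administrator holds every permission turned on in any assigned role, whether the role is assigned directly or through a group, can be audited as follows. This is an added example, not part of the BlackBerry guide or product: the inventory layout, the account and group names, and the custom roles "Role Delegate" and "Activation Helper" are constructed, and only the permission names and the two preconfigured role descriptions come from this page.

```python
from dataclasses import dataclass, field

# Permission names are copied from this page's permissions table. These four,
# from the "BlackBerry Administration Service setup group", change who holds
# which role, so they are the ones worth tracking.
ROLE_CHANGING = frozenset(
    {"Create a role", "Edit a role", "Delete a role", "Add or remove a role"}
)

# Role -> permissions turned on. For the two preconfigured roles only the
# role-related permissions are modelled, following the page's descriptions.
# "Role Delegate" and "Activation Helper" are hypothetical custom roles.
ROLE_PERMISSIONS = {
    "Security Administrator": ROLE_CHANGING | {"View a role"},
    "Enterprise Administrator": frozenset({"View a role"}),
    "Role Delegate": frozenset({"View a role", "Add or remove a role"}),
    "Activation Helper": frozenset(
        {"Specify an activation password", "Generate an activation email"}
    ),
}


@dataclass
class Account:
    name: str
    roles: list = field(default_factory=list)   # roles assigned directly
    groups: list = field(default_factory=list)  # group memberships


# Constructed inventory (not a BlackBerry Device Service export format).
GROUP_ROLES = {
    "Helpdesk": ["Activation Helper"],
    "Helpdesk Leads": ["Activation Helper", "Role Delegate"],
}
ACCOUNTS = [
    Account("carol", roles=["Security Administrator"]),
    Account("alice", roles=["Enterprise Administrator"], groups=["Helpdesk Leads"]),
    Account("bob", groups=["Helpdesk"]),
]


def role_sources(account, group_roles):
    """Map each role the account holds to the places it comes from."""
    sources = {}
    for role in account.roles:
        sources.setdefault(role, []).append("direct")
    for group in account.groups:
        if group not in group_roles:
            raise KeyError(f"{account.name}: unknown group {group!r}")
        for role in group_roles[group]:
            sources.setdefault(role, []).append(f"group:{group}")
    return sources


def effective_permissions(account, group_roles, role_permissions):
    """Union of the permissions turned on in every assigned role."""
    perms = set()
    for role in role_sources(account, group_roles):
        if role not in role_permissions:
            raise KeyError(f"{account.name}: role {role!r} has no definition")
        perms |= role_permissions[role]
    return perms


def audit_role_changers(accounts, group_roles, role_permissions):
    """List (account, permission, role, source) for every role-changing grant."""
    findings = []
    for account in accounts:
        for role, sources in sorted(role_sources(account, group_roles).items()):
            if role not in role_permissions:
                raise KeyError(f"{account.name}: role {role!r} has no definition")
            for perm in sorted(role_permissions[role] & ROLE_CHANGING):
                for source in sources:
                    findings.append((account.name, perm, role, source))
    return findings


if __name__ == "__main__":
    for finding in audit_role_changers(ACCOUNTS, GROUP_ROLES, ROLE_PERMISSIONS):
        print(*finding, sep=" | ")
```

In the constructed data, alice is an Enterprise Administrator (view-only for roles) yet gains "Add or remove a role" through her group, which is the kind of grant a review of direct role assignments alone would miss.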

View the permission of a role

2. Click Manage roles.

3. Click the role.

4. View the permission for the role on the appropriate tabs.

Create a role

You can make changes to roles or create custom roles and specify permissions for those custom roles. By default, administrators assigned to the Security Administrator role are the only administrators with permissions to create or make changes to roles.

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Role.

2. Click Create a role.

3. In the Name field, type a name for the role.

4. In the Description field, type a description for the role.

5. Click Save.

After you finish:

Change a role to configure the properties of the role.

Copy a role

You can create a role by copying the permissions from an existing role. Copying a role allows you to use a role as a template for a new role.

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Role.

2. Click Manage roles.

3. In the list of roles, click the name of the role that you want to copy.

4. Click Copy role.

5. In the Name field, type a name for the role.

6. In the Description field, type a description for the role.

7. Click Copy role.

After you finish:


Change a role

You change a role to configure the properties of the role.

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Role.

2. Click Manage roles.

3. In the list of roles, click the name of the role.

4. Click Edit role.

5. Make the changes on the appropriate tabs.

6. Click Save all.

Delete a role

If you delete a role that you assigned to an administrator account or a group, the administrator account or group no longer has the permissions that are associated with the role.

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Role.

2. Click Manage roles.

3. In the list of roles, click the name of the role that you want to delete.

4. Click Delete role.

5. Click Yes - Delete the role.

Permissions for preconfigured roles

The following table lists the permissions for each preconfigured role.

Permission name | Security Administrator | Enterprise Administrator | Senior Helpdesk Administrator | Junior Helpdesk Administrator | Server Only Administrator | User Only Administrator

User and device group

Create a group √ √ √ √

Delete a group √ √ √

Delete a software configuration √ √ √

Create an application √ √ √

View an application √ √ √ √ √

Edit an application √ √ √

Delete an application √ √ √

Create an administrator user √

Add or remove user configuration √ √ √ √

Import or export users √ √ √

Import user updates √ √ √

Assign the current device to a user √ √ √ √ √

Delete all device data and remove device √ √ √ √ √

Delete only the organization data and remove device

View a company directory connection √ √ √ √

Edit a company directory connection √ √ √ √

View user authentication √

Create an email profile √ √ √

Edit user authentication √

Delete an email profile √ √ √

View an email profile √ √ √ √ √

Edit an email profile √ √ √

Create a SCEP profile √ √ √

Delete a SCEP profile √ √ √

View a SCEP profile √ √ √ √ √

Edit a SCEP profile √ √ √

Create a proxy profile √ √ √

Delete a proxy profile √ √ √

Create a company directory connection √ √ √

View a proxy profile √ √ √ √ √ √

Delete a company directory connection √ √ √

View enterprise authentication √ √ √

Import an enterprise authentication file √ √ √

Remove enterprise authentication file √ √ √

View device backup encryption keys √

Edit device backup encryption keys √

View compliance rules √ √

Edit compliance rules √ √

View certificate retrieval settings √ √

Edit certificate retrieval settings √ √

BlackBerry Device Service permissions

Specify an activation password √ √ √ √ √

Generate an activation email √ √ √ √ √

Enterprise Management Web Service permissions

Import new users √ √ √

Topology group

View a server √ √ √

Edit a server √ √ √

Edit a component √ √ √

View an instance √ √ √

Edit an instance √ √ √

Change the status of an instance √ √ √

Edit an instance relationship √ √ √

View a job √ √ √

Edit a job √ √ √

View default distribution settings for a job √ √ √

Edit default distribution settings for a job √ √ √

Manage deployment job tasks √ √ √ √

Change the status of a job task √ √ √

Delete an instance √ √ √

Edit license keys √ √ √

View license keys √ √ √

View BlackBerry Enterprise Service 10 license information √ √ √ √ √ √

Edit BlackBerry Enterprise Service 10 license information √

View an organization notice √ √ √ √

Edit an organization notice √ √

View wireless service plan √ √ √ √

Edit wireless service plan √ √

BlackBerry MDS Connection Service permissions

View rules for the BlackBerry MDS Connection Service √ √ √ √

BlackBerry Administration Service setup group

Create a role √

Delete a role √

View a role √ √ √

Edit a role √

Add or remove a role √

View BlackBerry Administration Service software management

Edit BlackBerry Administration Service software management √ √

Import or export groups within roles

Creating and managing administrator accounts

You can use administrator accounts to control who can view information and perform tasks in the BlackBerry Administration Service. You can create an administrator account that only exists on the BlackBerry Device Service or you can assign a role to a user account that exists in your organization's user directory.

Create an administrator account

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Administrator user.

2. Click Create an administrator user.

3. In the Display name field, type a name for the administrator account.

4. To configure the login information that the administrator account uses to log in to the BlackBerry Administration Service, complete one of the following tasks:

Task | Steps

Configure Microsoft Active Directory authentication. | 1. In the Authentication type drop-down list, select Active Directory. 2. In the User name field, type the username for the administrator account. 3. In the Domain field, type the domain for the administrator account. 4. In the Administrator password field, type your password.

Configure LDAP authentication. | 1. In the Authentication type drop-down list, select LDAP. 2. In the User name field, type the username for the administrator account. 3. In the Administrator password field, type your password.

Configure BlackBerry Administration Service authentication. | 1. In the Authentication type drop-down list, select BlackBerry Administration Service. 2. In the User name field, type the username for the administrator account. 3. In the Password and Confirm password field, type the password for the administrator account.

5. In the Role drop-down list, click the role that you want to assign to the administrator account.

6. Click Create an administrator user.

After you finish: Change the administrator account to set the account properties.

Change an administrator account

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Administrator user.

2. Click Manage users.

3. Search for an administrator account.

4. In the search results, click the display name of the administrator account.

5. Click Edit user.

6. Make the changes on the appropriate tabs.

7. Click Save all.

Delete an administrator account

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Administrator user.

2. Click Manage users.

3. Search for an administrator account.

4. In the search results, click the display name of the administrator account.

5. In the Status list, click Delete user.

6. Click Yes - Delete the user.

Remove an administrator account from the BlackBerry Device Service

Administrator accounts with no associated devices are the only user accounts that can be removed from the BlackBerry Device Service and added back in. All other user accounts must be deleted and then added as new user accounts.

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Administrator user.

2. Click Manage users.

3. Search for an administrator account.

4. In the search results, click the display name of the administrator account.

5. Click Remove from BlackBerry Device Service.

6. Click Yes – Remove from BlackBerry Device Service.

Add an administrator account to the BlackBerry Device Service

You can add an administrator account that was removed from the BlackBerry Device Service back to the BlackBerry Device Service.

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Administrator user.

2. Click Manage users.

3. Search for the administrator account.

4. In the search results, click the display name of the administrator account.

5. Click Add to BlackBerry Device Service.

6. Click Save.

Add an administrator account to a group

When you add an administrator account to a group, the administrator account inherits the roles, configurations, IT policies, and profiles of the group.

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Administrator user.

2. Click Manage users.

3. Search for an administrator account.

6. On the Groups tab, in the Available groups list, click the group that you want to add the administrator account to.

7. Click Add.

8. Click Save all.

Delete administrator accounts from a group

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Administrator user.

2. Click Manage users.

3. Search for the administrator account that you want to delete.

4. In the search results, click the display name of the administrator account.

5. Click Edit user.

6. On the Groups tab, perform one of the following actions:

• To delete the administrator account from one group, select the group in the Current groups list and click Remove.

• To delete the administrator account from more than one group, select multiple groups in the Current groups list and click Remove.

• To delete the administrator account from all of the groups, click Remove all.

7. Click Save all.

Add a role to an administrator account

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Administrator user.

2. Click Manage users.

3. Search for an administrator account.

4. In the search results, click the display name for the administrator account.

5. Click Edit user.

Delete roles from an administrator account

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Administrator user.

2. Click Manage users.

3. Search for the administrator account.

4. In the search results, click the display name of the administrator account.

5. Click Edit user.

6. On the Roles tab, perform one of the following actions:

• To delete one role from the administrator account, select the group in the Current roles list and click Remove.

• To delete more than one role from the administrator account, select multiple roles in the Current roles list and click Remove.

Controlling how devices can connect to your organization's network

You can specify how users' devices can connect to your organization's network, messaging and proxy servers, and the settings for enrolling certificates to devices. You can also use the BlackBerry Work Drives app to allow BlackBerry 10 devices to access files and folders on your organization's network.

The following profiles allow you to control how devices can connect through these communication paths:

Profile | Description | Can be applied to

SCEP profiles | SCEP profiles can be added to Wi-Fi profiles, VPN profiles, and email profiles to use certificate-based authentication for Wi-Fi connections, VPN connections, and messaging server connections. | Wi-Fi profiles, VPN profiles, Email profiles

Proxy profiles | Specify how users use a proxy server to access web services on the Internet or in your organization's network. | Wi-Fi profiles, VPN profiles, BlackBerry Device Service domain

Wi-Fi profiles | Specify how users connect to your organization's Wi-Fi network. | Users, Groups

VPN profiles | Specify how users connect to your organization's VPN. | Wi-Fi profiles, Users, Groups

Email profiles | Specify how devices connect to your organization's messaging server and synchronize email messages and organizer data using Exchange ActiveSync or IBM Notes Traveler. | Users

Managing Wi-Fi profiles

Note: When you add a Wi-Fi profile to a user account, both personal and work apps on the device can use the profile settings to access your organization's network. To prevent personal apps from connecting to your organization's network, set the Work Network Usage for Personal Apps IT policy rule.

For more information about the profile settings, see Wi-Fi profile settings.

Create a Wi-Fi profile

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles.

2. Click Create Wi-Fi profile.

3. Type a name and description for the Wi-Fi profile.

4. Click Save.

After you finish: Change a Wi-Fi profile to set the Wi-Fi profile settings.

Copy a Wi-Fi profile

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles.

2. Click Manage Wi-Fi profiles.

3. Click the name of the Wi-Fi profile.

4. Click Copy profile.

5. Type a name and description for the Wi-Fi profile.

6. Click Save.

After you finish:

Change a Wi-Fi profile to configure the profile settings.

Change a Wi-Fi profile

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles.

2. Click Manage Wi-Fi profiles.

3. Click the name of the Wi-Fi profile.

4. Click Edit profile.

5. Make changes on the appropriate tabs.

6. Click Save all.

Delete a Wi-Fi profile

3. Click Manage Wi-Fi profiles.

4. Click the name of the Wi-Fi profile.

5. Click Delete profile.

6. Click Yes - Delete the profile.

Add a VPN profile to a Wi-Fi profile

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles.

2. Click Manage Wi-Fi profiles.

3. Click the name of the Wi-Fi profile.

4. Click Edit profile.

5. On the Wi-Fi profile settings tab, in the Wi-Fi associations section, in the VPN Profile drop-down list, select the VPN profile.

6. Click Save all.

Delete a VPN profile from a Wi-Fi profile

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles.

2. Click Manage Wi-Fi profiles.

3. Click the name of the Wi-Fi profile.

4. Click Edit profile.

5. On the Wi-Fi profile settings tab, in the Wi-Fi associations section, in the VPN Profile drop-down list, select the blank field.

6. Click Save all.

Add a SCEP profile to a Wi-Fi profile

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles.

2. Click Manage Wi-Fi profiles.

3. Click the name of the Wi-Fi profile.

4. Click Edit profile.

5. On the Wi-Fi profile settings tab, in the Wi-Fi associations section, in the Associated SCEP Profile drop-down list, click the SCEP profile.

Delete a SCEP profile from a Wi-Fi profile

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.

2. Expand Wi-Fi configuration.

3. Click Manage Wi-Fi profiles.

4. Click the name of the Wi-Fi profile.

5. Click Edit profile.

6. On the Wi-Fi profile settings tab, in the Associated SCEP Profile field, delete the name of the SCEP profile.

7. Click Save all.

Add a proxy profile to a Wi-Fi profile

If you want devices that run BlackBerry 10 OS to use a proxy server when they use a work Wi-Fi connection, you must add a proxy profile to a Wi-Fi profile.

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles.

2. Click Manage Wi-Fi profiles.

3. Click the name of a Wi-Fi profile.

4. Click Edit profile.

5. On the Wi-Fi profile settings tab, in the Proxy associations section, in the Associated Proxy Profile drop-down list, select a proxy profile.

6. Click Save all.

Delete a proxy profile from a Wi-Fi profile

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles.

2. Click Manage Wi-Fi profiles.

3. Click the name of a Wi-Fi profile.

4. Click Edit profile.

5. On the Wi-Fi profile settings tab, in the Proxy associations section, in the Associated Proxy Profile drop-down list, select the blank value.

6. Click Save all.

Managing VPN profiles

Note: When you add a VPN profile to a user account, based on IT policy rules and device settings, both personal and work apps on a device may be able to use the VPN profile to access your organization’s network. For more information, see the BlackBerry Device Service Solution Security Technical Overview.

Note: If you allow devices to connect to your organization’s network using a VPN, you must make sure that your VPN network is set up to have access to BlackBerry Enterprise Service 10 to ensure that devices can communicate with BlackBerry Enterprise Service 10 while they are connected to your VPN Network.

For more information about profile settings, see the VPN profile settings and the BlackBerry Enterprise Service 10 Configuration Guide.

Create a VPN profile

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles.

2. Click Create VPN profile.

3. Type a name and description for the VPN profile.

4. Click Save.

After you finish:

Change a VPN profile to set the VPN profile settings.

Copy a VPN profile

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles.

2. Click Manage VPN profiles.

3. Click the name of the VPN profile.

4. Click Copy profile.

5. Type a name and description for the VPN profile.

6. Click Save.

After you finish:

Change a VPN profile to configure the profile settings.

Change a VPN profile

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles.

2. Click Manage VPN profiles.

3. Click the name of the VPN profile.

4. Click Edit profile.

Delete a VPN profile

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles.

2. Click Manage VPN profiles.

3. Click the name of the VPN profile.

4. Click Delete profile.

5. Click Yes - Delete the profile.

Add a SCEP profile to a VPN profile

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles.

2. Click Manage VPN profiles.

3. Click the name of the VPN profile.

4. Click Edit profile.

5. On the VPN profile settings tab, in the VPN associations section, in the Associated SCEP Profile drop-down list, click the SCEP profile.

6. Click Save all.

Delete a SCEP profile from a VPN profile

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.

2. Expand Wi-Fi configuration.

3. Click Manage VPN profiles.

4. Click the name of the VPN profile.

5. Click Edit profile.

6. On the VPN profile settings tab, in the Associated SCEP Profile field, delete the name of the SCEP profile.

7. Click Save all.

Add a proxy profile to a VPN profile

If you want devices that run BlackBerry 10 OS to use a proxy server when they use a VPN connection, you must add a proxy profile to a VPN profile.

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles.

2. Click Manage VPN profiles.

4. Click Edit profile.

5. On the VPN profile settings tab, in the Proxy associations section, in the Associated Proxy Profile drop-down list, select a proxy profile.

6. Click Save all.

Delete a proxy profile from a VPN profile

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles.

2. Click Manage VPN profiles.

3. Click the name of a VPN profile.

4. Click Edit profile.

5. On the VPN profile settings tab, in the Proxy associations section, in the Associated Proxy Profile drop-down list, select the blank value.

6. Click Save all.

Managing email profiles

You can use email profiles to specify how devices connect to your organization's messaging server and synchronize email messages and organizer data using Microsoft ActiveSync or IBM Notes Traveler. You can add email profiles to user accounts.

Extending messaging security on BlackBerry 10 devices using S/MIME protection

You can extend messaging security for the BlackBerry Device Service solution and permit users to send and receive S/MIME-protected email messages on BlackBerry 10 devices. Digitally signing or encrypting messages adds another level of security to email messages that users send or receive from their devices. If they use a work email account that supports S/MIME-protected messages on devices, users can digitally sign or encrypt messages using S/MIME encryption. When a device is activated on the BlackBerry Device Service, you can require the device to sign, encrypt, or sign and encrypt messages using S/MIME encryption when users send email messages using a work email address.

Digital signatures help recipients verify the authenticity and integrity of messages that users send. When a user digitally signs a message with their private key, recipients use the sender's public key to verify that the message is from the sender and that the message has not changed.

Encryption keeps messages confidential. When a user encrypts a message, the device uses the recipient's public key to encrypt the message. The recipient's device uses the recipient's private key to decrypt the message.

Devices support keys and certificates in the following file formats and file name extensions:

• PEM (.pem, .cer)

• PFX (.pfx, .p12)

Users can store their private keys on their devices or a smart card. For devices that are running BlackBerry 10 OS version 10.2.1 or later, you can use the BlackBerry Device Service to configure LDAP-enabled server settings and send them to devices so that devices can automatically retrieve the recipient's public key and users don't need to import public keys from work email messages manually. You can require that devices use either simple authentication or Kerberos to authenticate with LDAP-enabled servers. If you require that devices use Kerberos authentication and a valid TGT is available on a user's device, the user isn't prompted for login information.

Users don't have to install additional software on devices to support S/MIME protection. Users can configure S/MIME preferences on devices in the BlackBerry Hub settings, including choosing certificates and encoding methods. Users can manage certificates on their devices in the Security and Privacy section of the System Settings.

BlackBerry 10 devices support attachments in S/MIME-protected email messages. Users can view, send, and forward attachments in S/MIME-protected email messages.

Users can configure the S/MIME settings on the device to send either clear-signed messages that any email application can open, or opaque-signed messages that only email applications that support encryption can open.

If devices do not have S/MIME support turned on, devices cannot send signed or encrypted email messages. To send encrypted email messages, a user must have the recipient's public key on their device. To read encrypted email messages, a user must have their private key on their device or on a smart card. If users do not have their private keys on their devices, the devices cannot read S/MIME-encrypted messages, and the devices display the message, "Unable to decode the message because you do not have the corresponding private key."

Retrieving S/MIME certificates

For devices that are running a version of BlackBerry 10 OS that is 10.2.1 or later, you can use the BlackBerry Device Service to configure LDAP-enabled server settings and send them to BlackBerry devices so that devices can search for and retrieve recipients' S/MIME certificates from LDAP-enabled servers over the wireless network. If a required S/MIME certificate isn't already in a device's certificate store, the device retrieves it and imports it into the certificate store automatically.

A device searches each LDAP-enabled server and retrieves the S/MIME certificate. If there is more than one S/MIME certificate and the device is unable to determine the preferred one, the device displays all of the S/MIME certificates so that the user can choose which one to use.

If you don't configure certificate retrieval settings, users must manually import S/MIME certificates from a work email attachment or a computer.

To allow BlackBerry devices to trust the network and servers when making secure connections, you will need to distribute root and intermediate CA certificates to the devices. For more information, see Sending CA certificates to devices. For more information about certificates, see the BlackBerry Device Service Solution Security Technical Overview.

Retrieve public keys over the wireless network from LDAP-enabled servers

For devices running BlackBerry 10 OS version 10.2.1 or later, you can use the BlackBerry Device Service to configure LDAP-enabled server settings and send them to devices so that devices can search for and retrieve S/MIME certificates from LDAP-enabled servers.

1. In the BlackBerry Administration Service, on the Devices menu, expand Device settings.

2. Click Certificate retrieval settings.

3. Click Edit settings.

4. On the LDAP tab, type a name and description for the LDAP certificate retrieval setting.

5. In the Service URL field, type the web address for the server using the following format LDAP://<FQDN>:<port> (for example, LDAP://server01.blackberry.com:123).

6. In the Default server base query field, type the query that you would like to use for the LDAP-enabled server.

7. Optionally, in the User search scope drop-down list, perform one of the following actions:

• To search the base object, click Base. This is the default setting.

• To search the base object and one level below it, click One level.

• To search the base object and all levels below it, click Subtree.

• To search for a particular object, click Children.

8. In the Secure connection turned on drop-down list, perform one of the following actions:

• Click Yes if you want to use a secure connection.

• Click No if you do not want to use a secure connection.

9. Perform one of the following actions:

| Option | Step |
|---|---|
| Use no authentication when connecting to the LDAP-enabled server. | In the Authentication type drop-down list, click None. |
| Use simple authentication when connecting to the LDAP-enabled server. | 1. In the Authentication type drop-down list, click Simple. 2. In the LDAP user ID field, type the username for authentication. 3. In the LDAP password and Confirm LDAP password fields, type the password for authentication. |
| Use Kerberos authentication when connecting to the LDAP-enabled server. | In the Authentication type drop-down list, click Kerberos. |

10. In the Connection timeout field, type the time in seconds that the device waits for the LDAP-enabled server response.

11. Click Save all.

After you finish: For devices running a version of BlackBerry 10 OS that is later than 10.2.1, do one of the following to verify the status of S/MIME certificates:

• Configure the Enterprise Management Web Service to search for the status of S/MIME certificates using HTTP, HTTPS, or LDAP.
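The LDAP certificate retrieval procedure above combines a Service URL format, a search scope, a secure-connection switch, and an authentication type, and some combinations are weaker than others. The following is an added example, not part of the BlackBerry guide or product: a review script for a setting transcribed by hand from the console. The dictionary keys are hypothetical names for the console fields, the sample values are constructed, and the severity labels are this example's own.

```python
import ipaddress
from urllib.parse import urlsplit

# Values offered by the console drop-down lists described in the procedure.
SCOPES = ("Base", "One level", "Subtree", "Children")
AUTH_TYPES = ("None", "Simple", "Kerberos")


def _is_fqdn(host):
    """True for a dotted DNS name; False for an IP literal or a bare host name."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and all(
        0 < len(label) <= 63
        and label.replace("-", "").isalnum()
        and label[0] != "-" and label[-1] != "-"
        for label in labels
    )


def check_service_url(value):
    """Return an error string, or None if value matches LDAP://<FQDN>:<port>."""
    try:
        parts = urlsplit(value)
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return "Service URL is malformed or its port is not a valid number"
    if parts.scheme != "ldap":     # urlsplit lowercases the scheme
        return "Service URL must start with LDAP://"
    if not port:
        return "Service URL must include an explicit port"
    if not parts.hostname or not _is_fqdn(parts.hostname):
        return "Service URL host must be a fully qualified domain name"
    return None


def audit(setting):
    """Return a list of (severity, message) findings for one retrieval setting."""
    findings = []
    err = check_service_url(setting.get("service_url", ""))
    if err:
        findings.append(("ERROR", err))

    scope = setting.get("search_scope", "Base")   # Base is the documented default
    if scope not in SCOPES:
        findings.append(("ERROR", f"Unknown search scope {scope!r}"))

    auth = setting.get("auth_type")
    secure = setting.get("secure_connection") is True
    if auth not in AUTH_TYPES:
        findings.append(("ERROR", f"Unknown authentication type {auth!r}"))
    elif auth == "Simple":
        if not setting.get("ldap_user_id") or not setting.get("ldap_password"):
            findings.append(("ERROR", "Simple authentication needs a user ID and password"))
        if not secure:
            # An LDAP simple bind carries the password unprotected unless the
            # connection itself is secured.
            findings.append(("HIGH", "Simple authentication without a secure "
                                     "connection sends the LDAP password in clear text"))
    elif auth == "None":
        findings.append(("INFO", "Anonymous bind: the directory must allow "
                                 "unauthenticated reads of user certificates"))
    if not secure and auth != "Simple":
        findings.append(("LOW", "Secure connection is turned off for this LDAP server"))

    timeout = setting.get("connection_timeout_s")
    if isinstance(timeout, bool) or not isinstance(timeout, int) or timeout <= 0:
        findings.append(("ERROR", "Connection timeout must be a positive number of seconds"))
    return findings


# Constructed sample settings (hypothetical field names, example values only).
SAMPLES = {
    "weak": {"service_url": "LDAP://server01.blackberry.com:123",
             "search_scope": "Subtree", "secure_connection": False,
             "auth_type": "Simple", "ldap_user_id": "svc-certlookup",
             "ldap_password": "example-only", "connection_timeout_s": 30},
    "hardened": {"service_url": "LDAP://server01.blackberry.com:123",
                 "search_scope": "Base", "secure_connection": True,
                 "auth_type": "Kerberos", "connection_timeout_s": 30},
    "anonymous": {"service_url": "LDAP://server01.blackberry.com:123",
                  "secure_connection": False, "auth_type": "None",
                  "connection_timeout_s": 0},
}

if __name__ == "__main__":
    for name, setting in SAMPLES.items():
        print(name, audit(setting) or "no findings")
```
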

Determining the status of S/MIME certificates

For devices running a version of BlackBerry 10 OS that is later than 10.2.1, you can use the BlackBerry Device Service to configure OCSP server settings and send them to BlackBerry devices to determine the status of S/MIME certificates. A device searches each OCSP server and retrieves the S/MIME certificate status.

To allow BlackBerry devices to trust the network and servers when making secure connections, you will need to distribute root and intermediate CA certificates to the devices. For more information, see Sending CA certificates to devices. For devices that are running a version of BlackBerry 10 OS that is later than 10.2.1, you can configure the Enterprise Management Web Service to search for the status of S/MIME certificates using HTTP, HTTPS, or LDAP.

For more information about certificates, see the BlackBerry Device Service Solution Security Technical Overview. For more information about secure email icons, see the user guide for the device.

Configure the OCSP servers that devices use to retrieve the status of S/MIME certificates

OCSP server configuration is available for devices running a BlackBerry 10 OS version that is later than 10.2.1.

1. In the BlackBerry Administration Service, on the Devices menu, expand Device settings.

2. Click Certificate retrieval settings.

3. Click Edit settings.

4. On the OCSP tab, type a name and description for the OCSP certificate retrieval setting.

5. In the Service URL field, type the web address for the server.

6. In the Connection timeout field, type the time in seconds that the device waits for the OCSP server response.

7. Click Save all.

Configure the HTTP servers that the Enterprise Management Web Service uses to retrieve the status of S/MIME certificates

HTTP server configuration is available for devices running a BlackBerry 10 OS version that is later than 10.2.1.

1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.

2. Click Enterprise Management Web Service.

3. On the CRL tab, click Edit component.

4. Click Edit settings.

• Click No if you do not want to use responder URLs defined in the certificate.

6. In the Service URL field, type the web address for the server using the following format: HTTP://<FQDN>:<port>/* or HTTPS://<FQDN>:<port>/* (for example, HTTP://server01.blackberry.com:1234/dsml/adssoap.dsmlx).

7. Click Save all.

Configure the LDAP-enabled servers that the Enterprise Management Web Service uses to retrieve the status of S/MIME certificates

LDAP-enabled servers that the Enterprise Management Web Service uses to retrieve the status of certificates are available for devices running a BlackBerry 10 OS version that is later than 10.2.1.

Before you begin: If the secure connection is used, you must add the certificates to the Enterprise trusted certificate store folder on the shared drive.

1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.

2. Click Enterprise Management Web Service.

3. On the LDAP for CRL tab, click Edit component.

4. Type a name and description for the LDAP-enabled server.

5. In the Service host field, type the web address for the server.

6. In the Default server base query field, type the query that you would like to use for the LDAP-enabled server.

7. In the Secure connection turned on drop-down list, perform one of the following actions:

• Click Yes if you want to use a secure connection.

• Click No if you do not want to use a secure connection.

8. In the LDAP user ID field, type the user name for authentication.

9. In the LDAP password and Confirm LDAP password fields, type the password for authentication.

10. Click Save all.

Create an email profile

You can use email profiles to specify how devices connect to your organization's mail server and synchronize email messages, calendar entries and organizer data using Exchange ActiveSync or IBM Notes Traveler.

If you want to use Exchange ActiveSync, you should note the following:

• If you require support for extended email security, you can enable S/MIME or PGP.

• To Do data synchronization is supported on BlackBerry 10 devices. It uses the SyncML communication protocol on the Notes Traveler server.

• If you require support for extended email security, only IBM Notes encryption is supported (S/MIME and PGP are not supported).

For more information about the profile settings, see Email profile settings.

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Email profiles.

2. Click Create an email profile.

3. Type a name and description for the email profile.

4. In the Type drop-down list, select the email profile type.

5. Click Continue.

6. Specify the appropriate settings for the profile.

7. Click Save.

Email profile settings by messaging server

The following table outlines the email profile settings that specific messaging servers require.

| Email profile setting | Microsoft Exchange | IBM Domino | Novell GroupWise |
|---|---|---|---|
| Account name | Not required | Not required | Not required |
| Email address | Required | Required | Required |
| Domain | Required | Do not use | Do not use |
| Username | Required | Required | Required |
| Server name | Required (messagingservername.address.com) | Required (messagingserver.address.com/servlet/traveler) | Required |

Copy an email profile

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Email profiles.

2. Click Manage email profiles.

3. Click the email profile.

4. Click Copy profile.

7. Specify the appropriate settings for the profile.

8. Click Save.

Change an email profile

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Email profiles.

2. Click Manage email profiles.

3. Click the email profile.

4. Click Edit profile.

5. Specify the appropriate settings for the profile.

6. Click Save all.

Delete an email profile

When you delete an email profile, you might prevent devices from connecting to messaging servers.

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Email profiles.

2. Click Manage email profiles.

3. Click the email profile.

4. Click Delete profile.

5. Click Yes - Delete the profile.

Add a SCEP profile to an email profile

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles.

2. Click Manage email profiles.

3. Click the email profile.

4. Click Edit profile.

5. On the Email profile settings tab, in the Profile associations section, in the SCEP profile drop-down list, click the SCEP profile.

6. Click Save all.

Delete a SCEP profile from an email profile

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Email profiles.

2. Click Manage email profiles.

4. Click Edit profile.

5. On the Email profile settings tab, in the Associated SCEP Profile field, delete the name of the SCEP profile.

6. Click Save all.

Managing SCEP profiles

You can use SCEP profiles to specify settings for enrolling certificates to devices. SCEP profiles can be associated with Wi-Fi profiles, VPN profiles, and email profiles. Devices can use the certificates obtained using SCEP for certificate-based authentication with a work Wi-Fi network, work VPN, or work messaging server.

Certificate enrollment using SCEP starts after the device receives the SCEP profile that you configure using the BlackBerry Device Service. The device can download CA profiles during the activation process, when you change a SCEP profile, or when you assign another SCEP profile to a user account.

After the certificate enrollment completes, the client certificate and its certificate chain and private key are stored in the work keystore on the device. The SCEP component monitors the expiry date of any certificate that was obtained using SCEP. When the expiry date of a certificate approaches, the SCEP component starts the certificate enrollment process for a new certificate. You can use the Automatic Renewal SCEP profile setting to configure how many days before the certificate expires that automatic renewal occurs.

The certificate enrollment process can also start again if you change the following IT policy rules:

• Certification Authority Identifier

• Certificate Thumbprint

• ECC Strength

• Key Algorithm

• RSA Strength

A certificate enrollment process does not delete the existing certificate from the device or notify the CA that the certificate is no longer in use. If a SCEP profile is removed from the BlackBerry Device Service, the corresponding certificate is not removed from the device.

For more information about the profile settings, see SCEP profile settings.

Create a SCEP profile

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles.

2. Click Create a SCEP profile.

3. Type a name and description for the SCEP profile.

4. Click Continue.

Copy a SCEP profile

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles.

2. Click Manage SCEP profiles.

3. Click the SCEP profile.

4. Click Copy profile.

5. Type a name and description for the SCEP profile.

6. Click Continue.

7. If required, change the information for the CA that you are using and the certificate settings.

8. Click Save.

Change a SCEP profile

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles.

2. Click Manage SCEP profiles.

3. Click the SCEP profile.

4. Click Edit profile.

5. Change the information for the CA that you are using and the certificate settings as necessary.

6. Click Save all.

Delete a SCEP profile

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles.

2. Click Manage SCEP profiles.

3. Click the SCEP profile.

4. Click Delete profile.

5. Click Yes - Delete the profile.

Managing proxy profiles

Devices that run BlackBerry 10 OS use the proxy settings that you specify in a proxy profile. Devices that run BlackBerry PlayBook OS 2.1 or earlier use the proxy settings that you specify directly in a Wi-Fi profile or VPN profile.

For more information about the profile settings, see Proxy profile settings.

Create a proxy profile

You can configure a proxy profile to use a PAC file or a single proxy server with an optional exclusion list (for example, a list of websites that users can access directly from their devices without using a proxy server). Proxy profiles support basic authentication with a proxy server (for example, authentication using a username and password).

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles.

2. Click Create a proxy profile.

3. Type a name and description for the proxy profile.

4. If your organization uses a PAC file to define proxy rules, select PAC configuration, otherwise select Manual configuration.

5. Click Continue.

6. In the Profile settings section, complete one of the following tasks:

| Task | Steps |
|---|---|
| Specify PAC configuration settings | 1. Type the URL for the web server that hosts the PAC file and include the PAC file name (for example, http://www.example.com/PACfile.pac). 2. If necessary, specify the username and password to authenticate with the proxy server. |
| Specify manual configuration settings | 1. In the Host field, type the FQDN or IP address of the proxy server. 2. In the Port field, type the port number of the proxy server. 3. If necessary, specify the username and password to authenticate with the proxy server. 4. If you want to use an exclusion list, type the FQDNs or IP addresses that users can access directly from their devices. Use a semicolon (;) to separate the values in the list. |

7. Click Save.

Copy a proxy profile

If you want to create a proxy profile with settings that are similar to the settings for an existing proxy profile, you can copy a proxy profile.

3. Click the name of the proxy profile.

4. Click Copy profile.

5. Type a name and description for the proxy profile.

6. Click Continue.

7. In the Profile settings section, configure the proxy settings.

8. Click Save.

Change the settings for a proxy profile

You can change the settings for an existing proxy profile but you cannot change the proxy type (for example, you cannot change manual configuration to PAC configuration).

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles.

2. Click Manage proxy profiles.

3. Click the name of the proxy profile.

4. Click Edit profile.

5. Make changes on the appropriate tabs.

6. Click Save all.

Delete a proxy profile

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Profiles.

2. Click Manage proxy profiles.

3. Click the name of the proxy profile.

4. Click Delete profile.

5. Click Yes - Delete the profile.

Add a proxy profile to a BlackBerry Device Service instance

If you add a proxy profile to a BlackBerry Device Service instance, all devices that run BlackBerry 10 OS that are associated with the instance use the proxy profile when they access web services on the Internet or on your organization's network using the BlackBerry Infrastructure. Devices can use the BlackBerry Infrastructure if a VPN or Wi-Fi connection is not available.

1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > BlackBerry Device Service.

4. In the Instance associations section, in the Proxy profile drop-down list, select a proxy profile.

5. Click Save all.

Delete a proxy profile from a BlackBerry Device Service instance

1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > BlackBerry Device Service.

2. Click the name of the BlackBerry Device Service instance.

3. Click Edit instance.

4. In the Instance associations section, in the Proxy profile drop-down list, select the blank value.

5. Click Save all.

Accessing network drives from devices

The BlackBerry Work Drives app allows BlackBerry 10 devices managed by the BlackBerry Device Service to access files and folders on your organization's network. After users add a network drive in the BlackBerry Work Drives app, they can use apps in the work space such as Documents To Go and File Manager to create, edit, and manage network files. Users can also access network files from their work email accounts.

To make this public app available in the work space on devices, you must add it to the BlackBerry Administration Service. You must specify the URL of the app from the BlackBerry World storefront, add the app to a software configuration, and assign the software configuration to users or groups. For more information, see Preparing an app for delivery.

Allow devices to have single sign-on access to your organization's network

You can allow devices to have single sign-on access to your organization’s network from the browser in the work space using the following authentication protocols:

• Kerberos

• NTLM

BlackBerry Enterprise Service 10 uses the same Kerberos configuration file that your organization uses to authenticate users with their desktop computers.

Import your organization's Kerberos configuration file

Before you begin: Locate your organization’s Kerberos configuration file. The default file name is krb5.conf.

1. In the BlackBerry Administration Service, on the Devices menu, expand Device settings.

2. Click Enterprise authentication.

3. On the Kerberos tab, click Import new file.

4. Browse to the Kerberos configuration file.

5. Click Save.

Kerberos configuration file settings

BlackBerry Device Service uses the Heimdal implementation of Kerberos. To allow single sign-on access, you must set up the Kerberos configuration file as follows:

• To ensure that TCP is used by default instead of UDP, use the prefix tcp/ for KDC hosts.

• If your organization uses VPN, configure the VPN gateway to allow traffic through to the KDCs.
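Both requirements above can be checked against a krb5.conf before it is imported. The following is an added example, not part of the BlackBerry guide or product: it reads the [realms] section, lists KDC entries that lack the tcp/ prefix, and builds the host and port list that a VPN gateway would need to allow. The realm and host names are constructed, a missing port is assumed to be the standard Kerberos port 88, and IPv6 literal addresses are not handled.

```python
import re

# Constructed sample file, not taken from a real deployment.
SAMPLE_KRB5_CONF = """\
# Constructed sample
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = tcp/kdc01.example.com
        kdc = kdc02.example.com:88
        admin_server = kdc01.example.com
    }
    LAB.EXAMPLE.COM = {
        kdc = udp/kdc03.lab.example.com
        kdc = tcp/kdc04.lab.example.com:8088
    }

[domain_realm]
    .example.com = EXAMPLE.COM
"""

DEFAULT_KDC_PORT = 88  # standard Kerberos port, used when a kdc line names none

SECTION_RE = re.compile(r"\[(\w+)\]")
REALM_OPEN_RE = re.compile(r"(\S+)\s*=\s*\{")
# kdc = [transport/]host[:port]
KDC_RE = re.compile(r"kdc\s*=\s*(?:(\w+)/)?([^\s:/]+)(?::(\d+))?")


def parse_kdcs(text):
    """Return (realm, transport, host, port) for each kdc line under [realms].

    transport is None when the line has no prefix such as tcp/ or udp/.
    """
    section = realm = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        m = SECTION_RE.fullmatch(line)
        if m:
            section, realm = m.group(1), None
            continue
        if section != "realms":
            continue
        if line == "}":
            realm = None                  # end of one realm block
            continue
        m = REALM_OPEN_RE.fullmatch(line)
        if m:
            realm = m.group(1)
            continue
        m = KDC_RE.fullmatch(line)
        if m and realm:
            port = int(m.group(3) or DEFAULT_KDC_PORT)
            entries.append((realm, m.group(1), m.group(2), port))
    return entries


def missing_tcp_prefix(text):
    """KDC entries that would not force TCP: no prefix, or a prefix other than tcp/."""
    return [(realm, host) for realm, transport, host, _ in parse_kdcs(text)
            if transport != "tcp"]


def vpn_allow_list(text):
    """Sorted, de-duplicated (host, port) pairs the VPN gateway must let through."""
    return sorted({(host, port) for _, _, host, port in parse_kdcs(text)})


if __name__ == "__main__":
    for realm, host in missing_tcp_prefix(SAMPLE_KRB5_CONF):
        print(f"{realm}: kdc {host} has no tcp/ prefix")
    for host, port in vpn_allow_list(SAMPLE_KRB5_CONF):
        print(f"allow TCP {host}:{port}")
```
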

Specify trusted domains

Specifying trusted domains is available for devices running a BlackBerry 10 OS version that is 10.2.1 or later.

1. In the BlackBerry Administration Service, on the Devices menu, expand Device settings.

2. Click Enterprise authentication.

3. On the Trusted domains tab, click Edit settings.

4. Enter the domain name that users will see on their devices when prompted for their corporate credentials. 5. In the Domain field, do one or more of the following:

Managing device security features and behaviors

You can use IT policies to control and manage devices in your organization's environment. An IT policy consists of multiple IT policy rules that manage the security and behavior of the BlackBerry Device Service and devices. For example, you can use IT policy rules to manage the following security features and behaviors of the device:

• Encryption

• Use of a password or passphrase

• Connections that use Bluetooth wireless technology

The Default IT policy includes IT policy rules that are configured to indicate the default behavior of the device.

After a user activates a device, the BlackBerry Device Service automatically sends the IT policy that you assigned to the user account or group to the device. By default, if you do not assign an IT policy to the user account or group, the BlackBerry Device Service sends the Default IT policy. If you delete an IT policy that you assigned to the user account or group, the BlackBerry Device Service automatically reassigns the Default IT policy to the user account and resends the Default IT policy to the device.

For more information, see the BlackBerry Device Service Policy Reference Sheet.

Preconfigured IT policy

The BlackBerry Device Service includes the following preconfigured IT policy. You can change the preconfigured IT policy to meet the requirements of your organization or copy this IT policy to create new IT policies.

| Preconfigured IT policy | Description |
| --- | --- |
| Default | This policy includes all the standard IT policy rules that are set on the BlackBerry Device Service. |

Create an IT policy

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.

2. Click Create an IT policy.

4. In the Description field, type a description for the IT policy.

5. Click Save.

After you finish: Change an IT policy to set the IT policy rules.

Copy an IT policy

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.

2. Click Manage IT policies.

3. Click the name of the IT policy.

4. Click Copy IT policy.

5. In the Name field, type a name for the IT policy.

6. In the Description field, type a description for the IT policy.

7. Click Save.

After you finish: Change an IT policy to set the IT policy rules.

Import IT policies

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.

2. Click Manage IT policies.

3. Click Import IT policy list.

4. Click Browse and navigate to the location of the IT policy export file.

5. Type the password for the IT policy export file in the File encryption password field.

6. Click Next.

7. Click Add all IT policies.

Export IT policies

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.

2. Click Manage IT policies.

3. Click Export IT policy list.
