Installation and
Configuration Guide
VPN Authentication by BlackBerry
Virtual Appliance
Published: 2016-02-12 SWD-20160212131047819
Contents
What is VPN Authentication by BlackBerry?... 5
Architecture: VPN Authentication by BlackBerry ... 5
VPN authentication options...6
Connecting to a VPN network... 7
Data flow: Connecting to a VPN network using a BlackBerry OS device as the second factor...8
Data flow: Connecting to a VPN network using a BlackBerry 10 device as the second factor...9
Data flow: Connecting to a VPN network using an iOS or Android device as the second factor...10
How second-factor authentication with VPN Authentication by BlackBerry works...11
Installing the VPN Authentication server... 13
Environment requirements...13
Hardware requirements... 13
Software requirements...14
Install the VPN Authentication server... 14
VPN Authentication server ports...15
Configuring VPN Authentication for the first time...17
Confirm virtual machine and networking setup... 18
Configure Samba for the VPN Authentication server... 18
Start the configuration tool...19
Turn off the configuration tool...20
Start the VPN Authentication server... 20
Turn off the VPN Authentication server... 20
Configuring VPN server connectivity... 21
Supported authentication protocols for each authentication option...21
Configuring connectivity to the VPN Authentication server on a Cisco ASA Series VPN gateway... 22
Configuring connectivity to the VPN Authentication server on Citrix NetScaler...23
Configuring connectivity to the VPN Authentication server on a strongSwan server...23
Configure VPN gateway connectivity in the VPN Authentication server...25
Connecting the VPN Authentication server to Microsoft Active Directory...27
Configuring the connection to an EMM solution from BlackBerry... 29
Configuring support for high availability of an EMM solution from BlackBerry ...29
Prerequisites: Connecting the VPN Authentication server to BES12... 30
Connect the VPN Authentication server to BES12... 30
Prerequisites: Connecting the VPN Authentication server to BES10... 32
Connect the VPN Authentication server to BES10... 32
Prerequisites: Connecting the VPN Authentication server to BES5... 33
Connect the VPN Authentication server to BES5...34
Configure the VPN Authentication server to listen for responses from devices... 35
Configure a TLS connection for responses from BlackBerry 10 devices... 35
Customize the VPN Authentication app...37
Sending the VPN Authentication app to devices... 38
Sending the VPN Authentication app to BlackBerry 10 devices using BES12... 38
Sending the VPN Authentication app to BlackBerry 10 devices using BES10... 38
Sending the VPN Authentication app to BlackBerry OS devices using BES12... 39
Sending the VPN Authentication app to BlackBerry OS devices using BES5... 39
Sending the VPN Authentication app to iOS or Android devices using BES12... 40
Architecture: VPN Authentication high availability...41
Configuring high availability...41
Logging and reporting...43
Auditing authentication transactions... 43
Centralize logging or auditing using syslog... 44
Product documentation...46
Glossary... 47
What is VPN Authentication by BlackBerry?
A VPN is one of the key methods that your users use to access your organization's content when they're on the go. When you permit users to connect to your network from the outside, you must make sure that only authenticated users can access content. In the past, security-conscious organizations implemented two-factor authentication using hardware tokens to strongly authenticate users. However, hardware tokens can be costly to implement, are difficult to use, and aren't well-aligned with mobility or cloud-based trends.
VPN Authentication by BlackBerry takes a different approach to VPN authentication. It uses your users’ BlackBerry 10, BlackBerry OS (version 6.0 to 7.1), iOS, or Android devices as the second-factor for authentication. By using the devices that users have already activated, VPN Authentication provides the following benefits:
• Strong security based on PKI authentication and, for BlackBerry 10 and BlackBerry OS devices, a hardware root of trust
• Better user experience because users don't need a hardware token and don't need to remember additional shared secrets or passcodes
• Improved cost structure because you use something users already have, support costs are reduced, and you don't need to purchase or replace additional hardware
For more information about VPN Authentication, visit http://www.blackberry.com/vpnauthentication.
Architecture: VPN Authentication by BlackBerry
VPN Authentication by BlackBerry consists of two components:
• A server that you install on your network
• An app that runs on users' devices

Component: Description
Computer: The computer is any device (for example, tablet, desktop, or laptop) that has a VPN profile installed and that a user wants to connect to your organization's network.
VPN gateway: The VPN gateway is a computer that accepts VPN connections.
VPN Authentication server: The VPN gateway and devices connect to the VPN Authentication server to provide second-factor authentication. The VPN Authentication server connects to the EMM solutions from BlackBerry that are installed in your environment to find the devices associated with a user and to send authentication requests to the VPN Authentication app that's installed on devices. You can install multiple instances of the server to set up active-active high availability.
BES5, BES10, or BES12: BES5, BES10, and BES12 are the EMM solutions from BlackBerry that allow you to manage devices. The EMM solutions from BlackBerry provide the connection to the devices that are used as the second factor for VPN authentication.
Devices with VPN Authentication app: The devices are the smartphones or tablets that include the VPN Authentication app and are the second factor for VPN authentication. The devices are associated with users and managed by BES5, BES10, or BES12. They can be BlackBerry 10, BlackBerry OS (version 6 to 7.1), iOS, or Android devices. For iOS and Android devices, the VPN Authentication app is part of the BES12 Client.
Related information
Architecture: VPN Authentication high availability, on page 41
Sending the VPN Authentication app to devices, on page 38
VPN authentication options
VPN Authentication by BlackBerry offers the following three authentication options:

Normal device password
Description: When a user connects to the VPN, the user is prompted to accept the VPN connection on the device. If the device is locked, the user must provide the device password. For BlackBerry 10 devices, users must provide the work space password if the work space is locked. This option is supported on all devices.
Useful when: Your organization places usability as its most important goal for any deployment.

Forced device password
Description: When a user connects to the VPN, the user is always prompted to provide the device password, even if the device is unlocked. For BlackBerry 10 devices, users must provide the work space password. Users can accept the VPN connection on the device after they log in. This option is supported for BlackBerry 10 and BlackBerry OS (version 6.0 to 7.1) devices only.
Useful when: Your organization stresses usability but wants to guard against someone picking up an unlocked device and accepting the VPN challenge.

Microsoft Active Directory password
Description: When a user connects to the VPN, the user is always prompted for the Windows password. After users log in, they can accept the connection on the device. This option is supported on all devices.
Useful when: Your organization places security as its most important goal for any deployment.

If users forget their devices, VPN Authentication includes a bypass option that allows users to log in to your network using Microsoft Active Directory authentication only. Because bypass reduces the login to a single factor, keep membership of the bypass group temporary and audited.
VPN Authentication uses Microsoft Active Directory groups to determine which authentication option to use. For example, if you want to use the "Forced device password" option, you can create a Microsoft Active Directory group called "ActiveDeviceAuthGroup" and add the user account to that group.
Related information
Supported authentication protocols for each authentication option, on page 21
Connecting to a VPN network
To authenticate users so that they can connect to a VPN network, VPN Authentication by BlackBerry completes the following tasks:
• Authenticates the user's device
• Acts as a proxy for password authentication
• Combines the two results to determine whether authentication is successful
The connection between the VPN gateway and the VPN Authentication server is established using RADIUS.
Data flow: Connecting to a VPN network using a BlackBerry OS device as the second factor
Note: For authentication to work, the BlackBerry OS device must be connected to a mobile network.
1. A user opens the VPN client on a computer or tablet, selects the appropriate VPN profile, and provides their username and password.
2. The VPN client makes the connection request to the VPN gateway.
3. The VPN gateway forwards the request to the VPN Authentication server.
4. The VPN Authentication server connects to Microsoft Active Directory to determine which authentication group the user account is in.
5. The VPN Authentication server connects to BES5 or BES12 to find the devices that are associated with the user.
6. BES5 or BES12 returns information about the devices that are associated with the user to the VPN Authentication server.
7. For each device that is associated with the user, the VPN Authentication server creates and sends a device authentication request to BES5 or BES12.
8. BES5 or BES12 encrypts the request using AES-256 encryption and forwards the request to the list of devices that are associated with the user. The request is a push request that the BlackBerry MDS Connection Service sends through the BlackBerry Infrastructure.
9. If required by the authentication option that you chose or if the device is locked, the device prompts the user to log in.
10. The VPN Authentication app opens a dialog box on the device asking the user to accept or deny the request.
11. After the user accepts or denies the request, the device forwards the response to the VPN Authentication server. The response is protected with SHA-256 hashing and a digital signature. The response is sent through the BlackBerry Infrastructure directly to the VPN Authentication server on port 8805.
12. The VPN Authentication server performs the following actions:
• Sends a notification to the device that it received the response
• Informs the VPN gateway whether the device authentication process was successful
13. If the user accepts the request and if required by the authentication option that you chose, the VPN Authentication server connects to Microsoft Active Directory to authenticate the user. User authentication can occur using PAP or MS-CHAP.
14. The VPN Authentication server notifies the VPN gateway whether the authentication process was successful.
15. If the authentication process was successful, the VPN gateway permits the user to access the network.
Note: If you are using bypass authentication, steps 5 to 12 are not completed.
Data flow: Connecting to a VPN network using a BlackBerry 10 device as the second factor
1. A user opens the VPN client on a computer or tablet, selects the appropriate VPN profile, and provides their username and password.
2. The VPN client makes the connection request to the VPN gateway.
3. The VPN gateway forwards the request to the VPN Authentication server.
4. The VPN Authentication server connects to Microsoft Active Directory to determine which authentication group the user account is in.
5. The VPN Authentication server connects to BES10 or BES12 to find the devices that are associated with the user.
6. BES10 or BES12 returns information about the devices that are associated with the user to the VPN Authentication server.
7. For each device that is associated with the user, the VPN Authentication server creates and sends a device authentication request to BES10 or BES12.
8. BES10 or BES12 encrypts the request using AES-256 encryption and forwards the request to the list of devices that are associated with the user. The request is a push request that the BlackBerry MDS Connection Service sends through the BlackBerry Infrastructure.
9. If required by the authentication option that you chose or if the device is locked, the device prompts the user to log in.
10. The VPN Authentication app opens a dialog box on the device asking the user to accept or deny the request.
11. After the user accepts or denies the request, the device forwards the response to the VPN Authentication server. The response is encrypted using AES-256 encryption and sent through the BlackBerry Infrastructure.
12. The VPN Authentication server performs the following actions:
• Sends a notification to the device that it received the response
• Informs the VPN gateway whether the authentication process was successful
13. If the user accepts the request and if required by the authentication option that you chose, the VPN Authentication server connects to Microsoft Active Directory to authenticate the user. User authentication can occur using PAP or MS-CHAP.
14. The VPN Authentication server notifies the VPN gateway whether the authentication process was successful.
15. If the authentication process was successful, the VPN gateway permits the user to access the network.
Note: If you are using bypass authentication, steps 5 to 12 are not completed.
Data flow: Connecting to a VPN network using an iOS or Android device as the second factor
1. A user opens the VPN client on a computer or tablet, selects the appropriate VPN profile, and provides their username and password.
2. The VPN client makes the connection request to the VPN gateway.
3. The VPN gateway forwards the request to the VPN Authentication server.
4. The VPN Authentication server connects to Microsoft Active Directory to determine which authentication group the user account is in.
5. The VPN Authentication server connects to BES12 to find the devices that are associated with the user.
6. BES12 returns information about the devices that are associated with the user to the VPN Authentication server.
7. For each device that is associated with the user, the VPN Authentication server creates and sends a device authentication request to BES12.
8. BES12 forwards the request to the list of devices that are associated with the user. BES12 protects the request using TLS. The request is sent through the BlackBerry Infrastructure, and the BlackBerry Infrastructure uses APNs or GCM to notify the device of the request.
9. If required by the authentication option that you chose or if the device is locked, the device prompts the user to log in.
10. The BES12 Client opens a dialog box on the device asking the user to accept or deny the request.
11. After the user accepts or denies the request, the device forwards the response to the VPN Authentication server. The response is protected using TLS and proxied through BES12.
12. The VPN Authentication server performs the following actions:
• Sends a notification to BES12 that it received the response
• Informs the VPN gateway whether the authentication process was successful
13. If the user accepts the request and if required by the authentication option that you chose, the VPN Authentication server connects to Microsoft Active Directory to authenticate the user. User authentication can occur using PAP or MS-CHAP.
14. The VPN Authentication server notifies the VPN gateway whether the authentication process was successful.
15. If the authentication process was successful, the VPN gateway permits the user to access the network.
Note: If you are using bypass authentication, steps 5 to 12 are not completed.
How second-factor authentication with VPN Authentication by BlackBerry works
The process that VPN Authentication by BlackBerry uses to verify the second factor is different depending on the device. In all instances, trust is established because an EMM solution from BlackBerry manages the device. The activation process between the device and the EMM solution from BlackBerry sets up a trusted connection between the user and the device that VPN Authentication can use. For information about the trust established during the activation process, see the BES12 Security content.
To verify the response from BlackBerry OS devices, the following actions occur:
• The BlackBerry Infrastructure must authenticate the device and send the device ID to the VPN Authentication server.
• The VPN Authentication server must verify the device ID by validating that it came from the BlackBerry Infrastructure as a trusted source.
• The VPN Authentication server must verify that the device ID that the BlackBerry Infrastructure adds to the response matches the device ID that the server received from BES5 or BES12 when it requested information about the devices associated with the user.
To verify the response from BlackBerry 10 devices, the following actions occur:
• The VPN Authentication server must verify that the response was signed by the device private key. The response includes the device certificate, which the server can verify was signed by the BlackBerry signing authority system.
• The VPN Authentication server must verify that the device ID that the device sends in its response matches the device ID that the server received from BES10 or BES12 when it requested information about the devices associated with the user.
To verify the response from iOS and Android devices, the following actions occur:
• BES12 must verify that the device signed the response with the private key of the device certificate. After verification, BES12 forwards the response to the VPN Authentication server over a mutually authenticated TLS connection.
• The VPN Authentication server must verify that the device ID included with the response matches the device ID that the server received from BES12 when it requested information about the devices associated with the user.
In all three cases, the device ID comparison is what binds the accept to a device that the EMM solution associated with the user: a correctly signed accept from some other enrolled device does not satisfy the challenge.
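The decision path that the three data flows and the checks above describe, as an added simulation. This is example code, not BlackBerry's implementation: the Active Directory group names, the user accounts, the device IDs and the function names are constructed for the example, and it assumes that the VPN password is always verified against Active Directory once the device step passes (the guide makes that step conditional on the option). It shows the three outcomes a practitioner should expect to see rejected: a response from a device that BES did not associate with the user, a response that arrives after the gateway's RADIUS timeout, and a deny from the user, alongside the bypass group that skips the device step entirely.

```python
# Constructed directory data: AD group -> authentication option. The group
# names are this example's own; the options are the three from the table
# above plus the bypass described with it.
GROUP_TO_OPTION = {
    "VpnForcedDeviceAuthGroup": "forced_device_password",
    "VpnNormalDeviceAuthGroup": "normal_device_password",
    "VpnADPasswordAuthGroup": "ad_password",
    "VpnBypassGroup": "bypass",
}
# Constructed AD accounts (user -> groups, password) and constructed BES
# answers (user -> device IDs associated with the user).
AD_USERS = {
    "alice": ({"VpnForcedDeviceAuthGroup"}, "correct horse"),
    "bob": ({"VpnBypassGroup"}, "battery staple"),
    "carol": ({"VpnADPasswordAuthGroup"}, "s3cret"),
}
BES_DEVICES = {"alice": {"2AF0B1C3"}, "bob": set(), "carol": {"7E1D9A00"}}

# Low end of the 60-90 s RADIUS timeout the guide asks for on the gateway.
RADIUS_TIMEOUT_S = 60


def option_for(user):
    """Step 4: the AD group the account is in selects the option."""
    groups = AD_USERS.get(user, (set(), ""))[0]
    for group, option in GROUP_TO_OPTION.items():
        if group in groups:
            return option
    return None  # account is not entitled to VPN Authentication at all


def ad_password_ok(user, password):
    """Stand-in for the PAP or MS-CHAP check against Active Directory."""
    return user in AD_USERS and AD_USERS[user][1] == password


def device_response_ok(expected_devices, device_id, accepted, elapsed):
    """The server-side checks from 'How second-factor authentication works':
    the responding device must be one that BES listed for this user, the
    answer must arrive before the gateway's RADIUS timeout, and the user
    must have pressed accept."""
    if device_id not in expected_devices:
        return False  # signed accept from a device not associated with the user
    if elapsed > RADIUS_TIMEOUT_S:
        return False  # the gateway has already given up on this request
    return accepted


def authenticate(user, password, device_id=None, accepted=False, elapsed=0):
    """Decides one RADIUS Access-Request: returns 'accept' or 'reject'."""
    option = option_for(user)
    if option is None:
        return "reject"
    if option == "bypass":  # steps 5 to 12 are skipped
        return "accept" if ad_password_ok(user, password) else "reject"
    expected = BES_DEVICES.get(user, set())  # steps 5 and 6
    if not expected:
        return "reject"  # no second factor available and no bypass
    if not device_response_ok(expected, device_id, accepted, elapsed):
        return "reject"
    # Assumption of this simulation: once the device step passes, the VPN
    # password is always checked against AD (step 13); the guide makes that
    # step conditional on the option, which this example does not model.
    return "accept" if ad_password_ok(user, password) else "reject"
```

Note that a user who is in no mapped group is rejected outright rather than falling back to password-only authentication; only explicit membership in the bypass group removes the device factor.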
Installing the VPN Authentication server
For information about software requirements and supported mobile device operating systems, see the Compatibility Matrix content.
You can install VPN Authentication on the same computer as an EMM solution from BlackBerry, but, for maintenance and availability reasons, this configuration is not recommended.
Environment requirements
Item: Requirement
VPN gateway: Any of the VPN gateways listed in the Compatibility Matrix content.
EMM solution from BlackBerry: Any of the EMM solutions listed in the Compatibility Matrix content.
Virtual environment: VMware vSphere hypervisor
Company directory: Microsoft Active Directory and users with Microsoft Active Directory accounts and valid email addresses.
Hardware requirements
Item: Requirement
RAM: 2 GB
CPU: 2 cores
Both the RAM and CPU requirements are designed to allow for a connection to one instance of BES5, BES10, or BES12 and a sustained rate of approximately 30 requests per minute.
Virtual machines: The VPN Authentication server is packaged inside a virtual appliance. Due to known issues generating random numbers on virtual machines, you must configure the hypervisor to provide access to hardware sources of randomness to the guest virtual machine that runs the VPN Authentication server. Otherwise, you may see delays in secure transactions between the VPN Authentication server and the EMM solution from BlackBerry.
Port to Internet: To support BlackBerry OS (version 6.0 to 7.1) devices, a port must be accessible from the Internet to permit an inbound connection from the BlackBerry Infrastructure. By default, the VPN Authentication by BlackBerry server uses port 8805. If you do not want to configure direct access from the Internet to this computer, you can configure a proxy server in the DMZ.
For more information, visit www.blackberry.com/go/kbhelp to read KB03735.
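A check for the randomness requirement in the table above, added here as an example and not part of the appliance or of KB03735. It reads the two standard Linux kernel interfaces (the rng_current file names the hardware RNG the guest sees, entropy_avail is the kernel pool estimate); the minimum entropy threshold is this example's own choice, and the values used in the test are constructed. The pure evaluate function is separated from the file reads so the logic can be exercised off the appliance.

```python
import sys

ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"
RNG_CURRENT = "/sys/class/misc/hw_random/rng_current"  # e.g. "virtio_rng.0"


def _read(path):
    """Contents of a proc/sys file, or None when it does not exist."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None


def evaluate(rng_current, entropy_avail, min_entropy=256):
    """Pure check on the two values. Returns (ok, findings): ok is False when
    no hardware RNG is wired into the guest or the kernel pool is starved,
    which is the condition the guide says stalls the secure transactions
    with the EMM server. min_entropy is this example's own threshold."""
    findings = []
    if rng_current in (None, "", "none"):
        findings.append("no hardware RNG exposed to the guest "
                        "(attach virtio-rng or the hypervisor's equivalent)")
    try:
        avail = int(entropy_avail)
    except (TypeError, ValueError):
        avail = -1
        findings.append("cannot read entropy_avail")
    if 0 <= avail < min_entropy:
        findings.append(f"entropy pool low: {avail} < {min_entropy} bits")
    return (not findings, findings)


def check_randomness(entropy_path=ENTROPY_AVAIL, rng_path=RNG_CURRENT):
    """Live check against the appliance's own kernel."""
    return evaluate(_read(rng_path), _read(entropy_path))


if __name__ == "__main__":
    ok, findings = check_randomness()
    for line in findings:
        print("WARN:", line)
    sys.exit(0 if ok else 1)
```

Run it once after the hypervisor change and again after the first start of the server; a pool that drains while the server is idle points at the hypervisor configuration, not at the appliance.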
Software requirements
For more information about software requirements, see the Compatibility Matrix content.
Item: Requirement
Domain: The computer must be part of the domain that users are authenticated on.
Browser: Any of the browsers listed in the Compatibility Matrix content.
Virtual appliance: Any of the virtual appliances listed in the Compatibility Matrix content.
Other considerations: VPN Authentication supports IPv4 for TCP/IP connections only.
Install the VPN Authentication server
Before you begin:
• Download the VPN Authentication by BlackBerry for Virtual Appliance software from https://myaccount.blackberry.com/myaccount/account/accountdownloads.
• Save the software package to a computer or network drive that is accessible by VMware vSphere Client.
• Untar the software package using a file archive utility.
The VPN Authentication by BlackBerry for Virtual Appliance software is deployed as a virtual machine. It is packaged as an OVF template file and is deployed using the VMware vSphere Client.
1. Log in to the computer running the VMware vSphere Client using an account with local administrator privileges.
2. Open the VMware vSphere Client and select File > Deploy OVF Template.
3. Select the source location of the OVF template file and click Next.
4. Verify the OVF template file details and click Next.
5. Specify a name and folder location for your virtual appliance machine and click Next.
6. Specify a host or cluster where your virtual appliance machine is to run and click Next.
7. Specify a datastore for your virtual appliance machine's disk file and click Next.
8. Select a disk format for your virtual appliance machine. Thin Provision is recommended.
9. Specify a bridged network for your virtual appliance machine to use and click Next.
10. Verify all options configured for your virtual appliance machine, select Power on after deployment, and then click Finish.
VPN Authentication server ports
The following table provides a list of the default ports that the VPN Authentication by BlackBerry server uses. Unless specified, you can change them when you configure the VPN Authentication server using the configuration tool.
When you install several VPN Authentication servers to configure high availability, you can specify the same ports for each server. If a defined listening port is not available, the VPN Authentication server writes an error message to the log file after you configure and start the server.
Port: Purpose
389 or 636: Outbound port that the VPN Authentication server uses to connect to Microsoft Active Directory. Port 389 is the default LDAP port and port 636 is the default LDAPS port.
443: Outbound port that the VPN Authentication server uses to report license compliance to the BlackBerry Infrastructure, and to query for user information from BlackBerry Web Services in BES5 environments. You cannot change this port.
1433: Outbound port that the VPN Authentication server uses to connect to the BES12 database.
1812: Inbound UDP port that the VPN Authentication server uses as the primary port for RADIUS communication with the VPN gateway. You cannot change this port.
3443: Inbound HTTPS port that the VPN Authentication server uses to receive responses from BlackBerry 10 devices through BES10 or BES12.
4443: Inbound HTTPS port that the VPN Authentication server uses to receive responses from iOS and Android devices through BES12.
8080: Outbound HTTP port that the VPN Authentication server uses to send push data to the BlackBerry MDS Connection Service for BlackBerry OS devices. This port applies when connecting to BES5 or BES12.
8805: Inbound HTTP port that the VPN Authentication server uses to receive responses from BlackBerry OS devices through the BlackBerry Infrastructure. You must open this port in your firewall or configure a proxy server in the DMZ.
8827: Inbound HTTP port that the configuration tool uses.
8887: Outbound port that the VPN Authentication server uses to query BES12 for information about which devices are associated with a user and to push data to iOS and Android devices. You cannot change this port.
9080: Outbound HTTP port that the VPN Authentication server uses to send push data to the BlackBerry MDS Connection Service for BlackBerry 10 devices. This port applies when connecting to BES10.
10080: Outbound HTTP port that the VPN Authentication server uses to send push data to the BlackBerry MDS Connection Service for BlackBerry 10 devices. This port applies when connecting to BES12.
11000 and above: Inbound port that the VPN Authentication server uses to receive push notifications from BES5, BES10, or BES12. Push notifications apply to BlackBerry 10 and BlackBerry OS devices only. The VPN Authentication server uses port 11000 for the first BES5, BES10, or BES12 instance that you add, and then increments by one for each additional instance. You cannot change these ports.
38443: Outbound port that the VPN Authentication server uses to query for user information from BlackBerry Web Services in BES10 environments.
Of the inbound ports, only 8805 needs to be reachable from the Internet (and only when you support BlackBerry OS devices). Port 1812 should accept traffic from your VPN gateways only, ports 3443, 4443 and 11000 and above from your EMM servers only, and port 8827, which carries the configuration tool over plain HTTP, from administrator workstations only.
Configuring VPN Authentication for the first time
When you configure VPN Authentication by BlackBerry for the first time, you perform the following actions:
1. Confirm the virtual machine and networking setup. For more information, see Confirm virtual machine and networking setup.
2. Configure Samba. For more information, see Configure Samba for the VPN Authentication server.
3. Start the configuration tool. For more information, see Start the configuration tool.
4. Connect the VPN Authentication server to your VPN gateway. For more information, see Configuring VPN server connectivity.
5. Connect the VPN Authentication server to your Microsoft Active Directory. For more information, see Connecting the VPN Authentication server to Microsoft Active Directory.
6. Connect the VPN Authentication server to BES5, BES10, or BES12. For more information, see Configuring the connection to an EMM solution from BlackBerry.
7. Customize the VPN Authentication app message. For more information, see Customize the VPN Authentication app.
8. Turn off the configuration tool. For more information, see Turn off the configuration tool.
9. Start the VPN Authentication server. For more information, see Start the VPN Authentication server.
10. Send the VPN Authentication app to devices. For more information, see Sending the VPN Authentication app to devices.
11. Optionally, turn off the VPN Authentication server. For more information, see Turn off the VPN Authentication server.
Confirm virtual machine and networking setup
Before you start the VPN Authentication server, perform the following steps to confirm your virtual machine and networking setup.
1. Log in to your virtual machine with the bb2fa_admin administrator account using the default password: pass_2fa_2. Change this default password immediately after you log in (for example, with the passwd command); the appliance is reachable on your network and the default is published in this guide. When booting up, the virtual machine automatically tries to acquire an IP address from the network.
2. Make sure that your virtual machine has acquired an IP address from the network by running the following command: ip addr. Check in the command response that an IP address is assigned to the "ens33" interface.
3. Pick a host name that belongs to the Microsoft Active Directory domain.
4. Set the host name of your virtual machine by running the following command: sudo hostnamectl set-hostname <new hostname>
5. Follow the menu prompts to set a host name for the domain to which your computer belongs:
a. Select Set system hostname and press Enter.
b. Enter a new host name. Make sure to select a host name that belongs to the Microsoft Active Directory domain.
c. Select OK and press Enter.
6. Make sure that the host name has been set by running the following command: hostname
7. Restart your virtual machine for the host name change to take effect by running the following command: sudo reboot
8. Log back in to the virtual machine.
9. Verify your DNS configuration by running the following command: sudo cat /etc/resolv.conf. The virtual machine should pick up the DNS servers in the network automatically.
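The conditions steps 3 to 9 establish are also what the Samba domain join in the next section depends on: a host name that is really inside the Active Directory domain, forward DNS that resolves that name to an address on the appliance, and working name servers. The following pre-flight script checks them; it is an added example rather than part of the appliance. The domain name, the resolv.conf text and the addresses in the test are constructed, and the resolver is injectable so the logic runs without a network.

```python
import socket
import sys


def fqdn_in_domain(fqdn, domain):
    """True only when fqdn is a host inside domain on a label boundary:
    vpnauth.corp.example.com is in corp.example.com, but
    vpnauth.notcorp.example.com and corp.example.com itself are not."""
    f, d = fqdn.lower().rstrip("."), domain.lower().rstrip(".")
    return f.endswith("." + d)


def nameservers(resolv_conf_text):
    """nameserver entries from resolv.conf text, ignoring comments."""
    servers = []
    for line in resolv_conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def forward_lookup_matches(fqdn, local_addresses, resolver=socket.gethostbyname_ex):
    """Does DNS resolve the chosen name to an address this host actually has?
    The resolver is a parameter so the check can run without a network."""
    try:
        _, _, addrs = resolver(fqdn)
    except OSError:
        return False
    return any(a in local_addresses for a in addrs)


def preflight(fqdn, domain, resolv_text, local_addresses,
              resolver=socket.gethostbyname_ex):
    """All problems found; empty when the host is ready for the Samba join."""
    problems = []
    if not fqdn_in_domain(fqdn, domain):
        problems.append(f"host name {fqdn} is not inside the AD domain {domain}")
    if not nameservers(resolv_text):
        problems.append("no nameserver entries in resolv.conf")
    if not forward_lookup_matches(fqdn, local_addresses, resolver):
        problems.append(f"{fqdn} does not resolve to an address on this host")
    return problems


if __name__ == "__main__":
    # Live run on the appliance, e.g.: python3 preflight.py corp.example.com
    domain = sys.argv[1] if len(sys.argv) > 1 else "corp.example.com"  # constructed default
    with open("/etc/resolv.conf") as f:
        resolv = f.read()
    host = socket.getfqdn()
    local = set(socket.gethostbyname_ex(socket.gethostname())[2])
    for problem in preflight(host, domain, resolv, local) or ["all checks passed"]:
        print(problem)
```

The label-boundary test in fqdn_in_domain matters: a plain suffix comparison would accept a host in notcorp.example.com as a member of corp.example.com.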
Configure Samba for the VPN Authentication server
Before you start the VPN Authentication server, complete the following steps to configure Samba.
1. Log in to the virtual machine you created for VPN Authentication using the bb2fa_admin administrator account.
2. At the command prompt, change to the /home/bb2fa/bb2fa folder.
3. Run the config-samba.sh script using the following command: sudo ./config-samba.sh
4. Enter your domain information for the following parameters:
• Workgroup: Enter the Windows workgroup name, which is the short (NetBIOS) name of the authentication domain.
• Realm: Enter the FQDN of the authentication domain.
• Service account name: Enter the username of an account with sufficient permissions to join the virtual machine to the Microsoft Active Directory domain. This account can be the same account that is used to query Microsoft Active Directory during VPN Authentication operation (see Connecting the VPN Authentication server to Microsoft Active Directory). Alternatively, enter a separate account that is used solely for this join operation; a separate account keeps the long-lived query account's privileges to the minimum it needs.
• Service account password: The password for the service account.
5. Press Enter.
6. In the command prompt window, verify that a message appears confirming that the Samba configuration is complete and successful. If the configuration fails, the script provides instructions to cancel the configuration changes so that you can start over.
Start the configuration tool
You use the configuration tool to configure VPN Authentication by BlackBerry. You can access it from a browser. For information about the browsers that the configuration tool supports, see the Compatibility Matrix content.
Before you begin:
• Make sure JavaScript or Active scripting (depending on your browser) is turned on.
• Make sure "Allow websites to prompt for information using scripted windows" is turned on in Windows Internet Explorer.
1. Log in to the virtual machine you created for VPN Authentication.
2. From the command prompt, change to the /home/bb2fa/bb2fa folder.
3. Generate a password obfuscation keystore by running the following command: ./keysetup.sh. This generates a passwordKeystore.pk12 file in the /home/bb2fa/bb2fa folder.
4. Run the configurator-start.sh script using the following command: ./configurator-start.sh <ip address> <port>. Specifying the port number is optional (the default is 8827), but the IP address is required to make sure that the webpage is accessible outside the virtual machine.
5. Check the <install_dir>/logs.txt file to verify that a message similar to "Started ServerConnector@61decc8c{HTTP/1.1}{<ip address>:8827}" appears.
After you finish: On any computer that can access the virtual machine you created for VPN Authentication, open a browser and browse to http://<computername>:<port>, where <computername> is the FQDN or IP address and <port> is the port number that you specified in step 4.
Note: The configuration tool is served over plain HTTP, so the settings and credentials you enter in it cross the network unencrypted. Run it only from a trusted administrative network, and turn it off as soon as you have configured VPN Authentication.
Turn off the configuration tool, on page 20
Turn off the configuration tool
After you configure VPN Authentication by BlackBerry, turn off the configuration tool so that unauthorized users can't access it.
1. From the command prompt window that you are running the configuration tool in, press the X key.
2. Close the command prompt window.
Start the VPN Authentication server
1. Log in to the virtual machine you created for VPN Authentication using the bb2fa_admin administrator account.
2. From the command prompt, change to the /home/bb2fa/bb2fa folder.
3. Run the following command: bb2fa start
After you finish: Check the bb2fa.log file in <install_dir>/logs to determine if the server started correctly. The following message should appear "com.blackberry.bb2fa.Launcher - BlackBerry VPN Authentication server waiting for requests..."
Related information
Configuring VPN Authentication for the first time, on page 17
Turn off the VPN Authentication server
1. Log in to the virtual machine you created for VPN Authentication using the bb2fa_admin administrator account.
2. From the command prompt, change to the home/bb2fa/bb2fa folder.
3. Run the following command: bb2fa stop
After you finish: Check the bb2fa.log file in <install_dir>/logs to determine if the server stopped correctly.
Configuring VPN server connectivity
On your VPN server, the VPN Authentication by BlackBerry server must be configured as a RADIUS server to which authentication requests are forwarded. You must also configure a VPN profile or client that permits users to select VPN Authentication when they log in to VPN from their computers.
For each VPN Authentication server in your environment, the RADIUS server must have the following options:
• IP address or FQDN of the computer that hosts the VPN Authentication server
• Timeout between 60 and 90 seconds for the connection between the VPN server and the VPN Authentication server
• Unique shared secret
• Authentication port set to 1812
• Depending on the available authentication options, one of PAP, MS-CHAP v1, MS-CHAP v2, or EAP-MSCHAP
The VPN profile must have the timeout set between 30 and 60 seconds for the connection between the VPN client on users' computers and the VPN server.
For instructions on how to configure a RADIUS server or VPN profile, see the documentation for the VPN server that you are using.
For a list of supported VPN servers, see the Compatibility Matrix content.
Related information
Supported authentication protocols for each authentication option, on page 21
Supported authentication protocols for each authentication option
The following table shows the authentication protocols that each VPN authentication option available with VPN Authentication by BlackBerry supports.
VPN authentication option            Supported authentication protocols
Normal device password               PAP
Forced device password               PAP
Microsoft Active Directory password  MS-CHAP v1, MS-CHAP v2, PAP, EAP-MSCHAP
Bypass option                        MS-CHAP v1, MS-CHAP v2, PAP, EAP-MSCHAP
Related information
VPN authentication options, on page 6
Connecting the VPN Authentication server to Microsoft Active Directory, on page 27
Configuring connectivity to the VPN Authentication server on a Cisco ASA Series VPN gateway
If you are using a Cisco ASA Series VPN gateway, you can create the VPN profile using the information below.
For detailed instructions on how to configure the VPN profile, visit http://www.cisco.com to read the Cisco ASA Series documentation.
When you create the profile, you must set the following options to support VPN Authentication:
• For each VPN Authentication server in your environment, create a RADIUS AAA Server Group with the following options:
◦ IP address or FQDN of the computer that hosts VPN Authentication
◦ Timeout between 60 and 90 seconds for the connection between the VPN gateway and VPN Authentication
◦ Unique shared secret
◦ Authentication port set to 1812
◦ MS-CHAP v2 compatible
• For the connection between the VPN client on users' computers and the VPN gateway, set the timeout between 30 and 60 seconds. You must configure the timeout in the Cisco AnyConnect VPN client profile file (an XML file) that must be installed on users' computers.
• Password management option, if you are configuring the profile to support MS-CHAP v2 authentication
You must complete the following actions to finish the profile creation process:
• Enable the VPN tunnel payload encapsulation protocol (for example, the IPSEC-IKE v2 protocol)
• Run all the commands that are required for the associated VPN policy group
• Run all the commands that are required for the associated Cisco AnyConnect VPN client profile and the creation of the XML file itself
• Run all the commands that are required for the associated VPN tunnel group
You do not need to configure additional certificate authentication.
When you configure VPN gateway connectivity in the VPN Authentication server, you must provide the RADIUS shared secret that you create in the VPN profile.
Configuring connectivity to the VPN Authentication server on Citrix NetScaler
If you are using Citrix NetScaler, you can configure the connection to the VPN Authentication by BlackBerry server by adding it as a RADIUS server. If you have more than one VPN Authentication server in your environment, you must configure a separate RADIUS server for each.
For detailed instructions on how to configure NetScaler, visit http://support.citrix.com/proddocs/topic/netscaler/ns-gen-netscaler-wrapper-con.html to read the NetScaler documentation.
For example, you can configure a connection to one VPN Authentication server and use VPN Authentication as the default authentication method. If you want to configure this example, in the configuration utility for NetScaler, you must set the authentication settings under the global settings as follows:
• "Maximum Number of Users", "Max Login Attempts" and "Failed Login Timeout" as required by your organization
• Authentication type set to RADIUS
• IP address set to the VPN Authentication server
• Port set to 1812
• Timeout between 60 and 90 seconds for the connection between NetScaler and the VPN Authentication server (this value must match the timeout value that you specify in the VPN Authentication server configuration tool)
• Unique shared secret
• "Enable NAS IP address extraction" selected
• "Password Encoding" set to the authentication protocol supported by the VPN authentication option you've chosen (VPN Authentication does not support the "chap" option)
• Accounting set to Off
Configuring connectivity to the VPN Authentication server on a strongSwan server
To configure connectivity to the VPN Authentication by BlackBerry server on a strongSwan server, you must modify the ipsec.conf and the eap-radius.conf files.
For more information about these files and how to configure strongSwan, visit https://www.strongswan.org/.
ipsec.conf configuration
The ipsec.conf file is located in the /etc directory. You must add a new "conn" section for the VPN Authentication server. For example:

    conn <name>
        keyexchange=ikev2
        rightauth=eap-radius
        rightsendcert=never
        eap_identity=%any
        auto=add

The settings in the section are as follows:
<name>
    The unique name for the new connection section. It is a common practice for that name to reflect some key characteristics of the connection itself (for example, IPSec-IKEv2-radius).
keyexchange=ikev2
    This setting specifies the key exchange method (for example, IKEv1, IKEv2). The VPN Authentication server does not use this setting, but you must include it in the conn section to enable proper key exchange with VPN clients. You must make sure that the VPN clients that connect to the strongSwan server use the same key exchange method.
rightauth=eap-radius
    This setting specifies that the strongSwan server must use EAP over RADIUS to authenticate VPN clients for this type of connection.
rightsendcert=never
    This setting specifies that user certificates are not used for client authentication.
eap_identity=%any
    This setting specifies the identity of the VPN client to use for authentication. The VPN Authentication server does not use this setting, but you must include it in the conn section. The "%any" value instructs the strongSwan server to pass the identity provided by the VPN client.
auto=add
    This setting loads the connection when strongSwan starts so that the server can respond to incoming requests for it (auto=add does not initiate the connection itself). The VPN Authentication server does not use this setting, but you must include it in the conn section.
eap-radius.conf configuration
The eap-radius.conf file is located in the /etc/strongswan.d/charon directory. It specifies the details for EAP over RADIUS authentication. The default configuration file has all the settings that you must configure, but most of them are commented out and some of them do not have any value assigned. You must modify the required settings by removing the number sign (#) and setting their values as described in the following table.
accounting=no
    This setting prevents strongSwan from sending RADIUS accounting information to the VPN Authentication server.
nas_identifier
    This optional setting specifies the NAS-Identifier to include in RADIUS messages. You can use this setting if multiple strongSwan servers are using the same VPN Authentication server.
port=1812
    This setting specifies the port used by the VPN Authentication server to receive RADIUS requests for authentication.
secret=<shared secret>
    This setting specifies the shared secret between strongSwan and the VPN Authentication server. When you configure VPN server connectivity in the VPN Authentication server, you must type the RADIUS shared secret that you specify here.
server=<IP of VPNAuth server>
    This setting specifies the IP address or FQDN of the VPN Authentication server.
ike_to_radius=1, 2, 311:1, 311:11, 311:25
    This setting specifies a comma-separated list of numbers that represent the RADIUS attributes that strongSwan forwards to the VPN Authentication server. Numbers separated by colons indicate vendor-specific attributes: the first number identifies the vendor (for example, 311 is the number for Microsoft), and the second number identifies the attribute type. This setting is in the "forward" section of the configuration file.
radius_to_ike=311:26, 311:17, 311:16
    This setting specifies a comma-separated list of numbers that represent the RADIUS attributes from the VPN Authentication server's replies that strongSwan forwards to IKE. Numbers separated by colons indicate vendor-specific attributes, as for ike_to_radius. This setting is in the "forward" section of the configuration file.
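The following is an added example; it is not code from this guide or from BlackBerry, Cisco, Citrix or strongSwan. It builds and decodes the RADIUS Access-Request that a VPN gateway sends to the VPN Authentication server on UDP port 1812 (RFC 2865 wire format, standard library only): the PAP password hidden under the shared secret, a NAS-Identifier, and one Microsoft vendor-specific attribute encoded the way the "311:11" entries in eap-radius.conf denote it. It also performs the gateway-side check of the Response Authenticator on the reply. It serves both the RADIUS server options listed under "Configuring VPN server connectivity" and the attribute-forwarding settings above. The shared secret, user name, password and NAS-Identifier used with it are constructed values.

```python
"""RADIUS Access-Request with PAP, as a VPN gateway sends it to the VPN Authentication
server on UDP port 1812 (RFC 2865 wire format, standard library only).  Added example:
not BlackBerry, Cisco, Citrix or strongSwan code.  The shared secret, user name,
password and NAS-Identifier used with it are constructed values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC, NAS_IDENTIFIER = 1, 2, 26, 32
VENDOR_MICROSOFT, MS_CHAP_CHALLENGE = 311, 11   # written "311:11" in eap-radius.conf

def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous block),
    starting from the Request Authenticator.  Masking keyed by the secret, not encryption."""
    raw = password.encode()
    if not 1 <= len(raw) <= 128:
        raise ValueError("PAP password must be 1 to 128 octets")
    padded = raw + b"\x00" * (-len(raw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], _md5(secret, prev)))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password: whoever holds or guesses the secret reads the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], _md5(secret, prev)))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode("utf-8", "replace")

def attribute(atype, value):
    """Type (1 octet) + Length (1 octet, header included) + Value (at most 253 octets)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def vendor_attribute(vendor_id, vtype, value):
    """Vendor-Specific (26): Vendor-Id, then one vendor type/length/value triple."""
    return attribute(VENDOR_SPECIFIC, struct.pack("!IBB", vendor_id, vtype, len(value) + 2) + value)

def access_request(secret, identifier, user, password, nas_id, extra_attrs=b""):
    """Gateway side: a fresh random Request Authenticator, then the attribute list."""
    authenticator = os.urandom(16)
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(NAS_IDENTIFIER, nas_id.encode()) + extra_attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def parse(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]), rejecting bad lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, packet[4:20], attrs

def server_decode(secret, request):
    """Server side: what the VPN Authentication server learns from the request."""
    code, _, authenticator, attrs = parse(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    fields = {"vsa": []}
    for atype, value in attrs:
        if atype == USER_NAME:
            fields["user"] = value.decode()
        elif atype == USER_PASSWORD:
            fields["password"] = reveal_password(value, secret, authenticator)
        elif atype == NAS_IDENTIFIER:
            fields["nas"] = value.decode()
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            fields["vsa"].append((vendor, vtype, value[6:4 + vlen]))
    return fields

def access_accept(secret, request):
    """Server reply: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    _, identifier, request_auth, _ = parse(request)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20)
    return header + _md5(header, request_auth, b"", secret)

def verify_response(secret, request, response):
    """Gateway side: without this check a spoofed Access-Accept from anyone on the path
    would be trusted; the shared secret is the only thing binding the reply to the server."""
    _, request_id, request_auth, _ = parse(request)
    _, response_id, response_auth, _ = parse(response)
    if response_id != request_id:
        return False
    return hmac.compare_digest(response_auth, _md5(response[:4], request_auth, response[20:], secret))
```

Two points the code makes concrete. reveal_password shows that PAP hiding is only an MD5 keystream derived from the shared secret, so any host that can capture RADIUS traffic and knows, or can guess, the secret reads every user's password. verify_response shows that the same secret is all that authenticates an Access-Accept back to the gateway. That is why the guide asks for a unique shared secret for each server, and why the RADIUS path between the gateway and the VPN Authentication server should stay on a trusted network segment.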
Configure VPN gateway connectivity in the VPN Authentication server
Before you begin: Obtain the IP address and shared secret for the VPN gateways.
1. In the configuration tool, on the menu bar, click VPN.
2. Click Add new VPN server.
3. In the VPN server friendly name field, type a unique name for the VPN gateway that you are connecting to.
4. In the VPN server IP address field, type the IP address of the VPN gateway.
5. In the Shared secret and Confirm shared secret fields, type and confirm the shared secret of the VPN gateway.
6. Click Add VPN server.
7. Repeat these steps for each VPN gateway that you want to add.
8. Click Commit changes.
After you finish: Delete the example VPN gateways.
Connecting the VPN Authentication server to Microsoft Active Directory
You can connect VPN Authentication by BlackBerry to one or more servers in your Microsoft Active Directory domain. VPN Authentication uses Microsoft Active Directory to determine which authentication option is supported by a particular user. The supported authentication option is determined by group membership. You must create the following groups in Microsoft Active Directory and add the appropriate user accounts to each group:
• A bypass group that you can use for users who might have lost their devices or forgotten them. This group permits users to still log in to your VPN network using Microsoft Active Directory authentication only. The default name that VPN Authentication uses for this group is "BypassSecondFactorGroup".
• A group for each authentication option your organization supports. The available authentication methods are:
◦ Forced Microsoft Active Directory password authentication on the computer (the default name that VPN Authentication uses for this group is "EnterpriseAuthGroup")
◦ For BlackBerry 10 and BlackBerry OS only, forced password authentication on the device (the default name that VPN Authentication uses for this group is "ActiveDeviceAuthGroup")
◦ Password authentication on the device only when the device is locked (the default name that VPN Authentication uses for this group is "PassiveDeviceAuthGroup")
If required, you can change the group names. If you are not using one of the authentication options, do not create the group in Microsoft Active Directory.
VPN Authentication by BlackBerry supports subgroups, nested to the third level.
Note: Each user can only belong to one authentication group. If a user belongs to the bypass group and another authentication group, VPN Authentication uses bypass authentication.
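The following is an added example, not BlackBerry code. It applies the rules stated above (one authentication group per user, bypass takes precedence, subgroups nested to the third level) to a constructed in-memory copy of the group tree, so that a directory layout can be audited before it is committed. The four group names are the guide's defaults; every user and subgroup name is hypothetical, and the reading of "third level" (direct members at level 1, one level per subgroup hop) is an assumption.

```python
"""Resolve the VPN Authentication option a user gets from Microsoft Active Directory
group membership.  Added example, not BlackBerry code: it applies the guide's rules
(one authentication group per user, bypass wins, subgroups nested to the third level)
to a constructed in-memory directory instead of a live LDAP query."""
from collections import deque

# Default group names from the guide, mapped to the authentication option they grant.
GROUP_OPTIONS = {
    "BypassSecondFactorGroup": "bypass",
    "EnterpriseAuthGroup": "active_directory_password",
    "ActiveDeviceAuthGroup": "forced_device_password",
    "PassiveDeviceAuthGroup": "normal_device_password",
}

# Assumed reading of "nested to the third level": direct members are level 1,
# each subgroup hop adds one, and nothing beyond level 3 is seen.
MAX_LEVEL = 3

# Constructed directory: group -> direct members (user names or other groups).
# Every name except the four default group names is hypothetical.
DIRECTORY = {
    "EnterpriseAuthGroup": {"alice", "Sales-VPN"},
    "Sales-VPN": {"bob", "Sales-East"},
    "Sales-East": {"carol", "Sales-East-Remote"},
    "Sales-East-Remote": {"dave"},                  # dave sits at level 4: out of reach
    "PassiveDeviceAuthGroup": {"erin", "grace"},
    "ActiveDeviceAuthGroup": {"grace"},             # grace is in two options: misconfigured
    "BypassSecondFactorGroup": {"erin", "frank"},   # erin is also in passive: bypass wins
}

def membership_level(directory, group, user, max_level=MAX_LEVEL):
    """Breadth-first walk from `group` through nested groups; return the level at
    which `user` first appears, or None if it is not reachable within max_level.
    The visited set stops cycles (AD allows group A in B and B in A)."""
    queue, visited = deque([(group, 1)]), {group}
    while queue:
        current, level = queue.popleft()
        if level > max_level:
            continue
        members = directory.get(current, set())
        if user in members:
            return level
        for member in members:
            if member in directory and member not in visited:
                visited.add(member)
                queue.append((member, level + 1))
    return None

def resolve_option(directory, user, group_options=GROUP_OPTIONS):
    """Apply the guide's precedence: bypass beats any other group.  A user in more
    than one non-bypass group breaks the one-group rule and is reported as an error
    rather than silently assigned one of them (the guide does not define a winner)."""
    matched = {}
    for group, option in group_options.items():
        level = membership_level(directory, group, user)
        if level is not None:
            matched[option] = level
    if "bypass" in matched:
        return "bypass"
    if not matched:
        return None
    if len(matched) > 1:
        raise ValueError(f"{user} is in more than one authentication group: {sorted(matched)}")
    return next(iter(matched))

def audit_directory(directory, group_options=GROUP_OPTIONS):
    """Map every user in the directory to the option they would get, None when no
    group reaches them, or 'CONFLICT' when resolve_option raises."""
    users = {m for members in directory.values() for m in members if m not in directory}
    report = {}
    for user in sorted(users):
        try:
            report[user] = resolve_option(directory, user, group_options)
        except ValueError:
            report[user] = "CONFLICT"
    return report
```

Run audit_directory against an export of the real groups before enabling VPN Authentication: the CONFLICT rows are the users who violate the one-group rule, and users who resolve to None are either not entitled or sit in a subgroup nested too deep to be seen.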
Related information
Supported authentication protocols for each authentication option, on page 21
Connect the VPN Authentication server to Microsoft Active Directory
Before you begin: To permit VPN Authentication to find user accounts in Microsoft Active Directory, you must create an LDAP user account and password that VPN Authentication can use to connect to Microsoft Active Directory.
1. In the configuration tool, on the menu bar, click Active Directory.
2. In the Server name field, type the FQDN or IP address of the Microsoft Active Directory server or the FQDN of the DNS pool.
3. In the Port field, type the port that the Microsoft Active Directory server uses.
4. In the Security drop-down list, select the security method that Microsoft Active Directory uses.
5. In the UserID and Domain of service account field, type the name of the LDAP user account that VPN Authentication can use to connect to Microsoft Active Directory. You can use the <userid>@<domain> or <domain>/<userid> formats.
6. In the Password and Confirm password fields, type the password of the LDAP user account.
7. In the Query DN field, type the DN to the area in the Microsoft Active Directory tree where VPN Authentication can start searching for user accounts.
8. In the Windows domain field, type the domain that user accounts exist in.
9. In the Microsoft Active Directory groups for VPN Authentication options section, type the names of the groups that you created in Microsoft Active Directory.
Note: The group name fields cannot be blank. If you are not using one of the authentication options, leave the group name at its default value and do not create the group in Microsoft Active Directory.
10. Click Update settings.
11. Click Commit changes.
Related information
VPN authentication options, on page 6
Configuring the connection to an EMM solution from BlackBerry
This section outlines how you configure connections to EMM solutions from BlackBerry.
Configuring support for high availability of an EMM solution from BlackBerry
If you configured high availability for BES5, BES10, or BES12, VPN Authentication by BlackBerry can connect to multiple servers in a single EMM domain to increase fault tolerance and perform load-balancing. For BES5 and BES10, VPN Authentication supports separate pools for the connections to the BlackBerry Administration Service (for user-to-device mapping) and BlackBerry MDS Connection Service (for push requests to devices).
For BES5 and BES10, you must verify the following:
• When you configure the DNS pool for the BES5 or BES10 instances in the DNS server, all instances must have an assigned host name and must be resolvable using reverse DNS.
• The SSL certificate that is in the BES5 or BES10 keystores must establish trust for all the BES5 or BES10 instances and the BlackBerry Administration Service pool. You can use a wildcard certificate (for example, *.example.com) or a certificate that includes the FQDNs of all the servers and the FQDN of the BlackBerry Administration Service pool in the SAN field.
For information on how to import SSL certificates into the keystores, see the BES10 Configuration content or the BES5 Administration content.
For BES12, note the following:
• Currently, users cannot activate a device managed by BES12 Cloud to use VPN Authentication. For environments with BES12 Cloud, a separate on-premises BES12 instance is required to manage this product.
• In environments with both cloud and on-premises BES12 instances, the same device cannot be managed by both solutions. However, a single user with different devices (for example, a work device and a personal device) on each BES12 solution is supported.
• Future versions of VPN Authentication will directly support cloud solution users.
Prerequisites: Connecting the VPN Authentication server to BES12
Note:
• Currently, users cannot activate a device managed by BES12 Cloud to use VPN Authentication. For environments with BES12 Cloud, a separate on-premises BES12 instance is required to manage this product.
• In environments with both cloud and on-premises BES12 instances, the same device cannot be managed by both solutions. However, a single user with different devices (for example, a work device and a personal device) on each BES12 solution is supported.
• Future versions of VPN Authentication will directly support cloud solution users.
Obtain the following information from all BES12 domains that you want to connect to:
• FQDN of the BES12 server or pool
• FQDN of the Microsoft SQL Server that hosts the BES12 database
• If the database is using static ports, the port of the Microsoft SQL Server (by default, 1433)
• Name of the BES12 database
• For SQL authentication with the BES12 server, username and password of a Microsoft SQL Server account that can access the BES12 database (this account can be the account you specified when you installed BES12, or a Microsoft SQL Server account with the db_datareader role that you created specifically for VPN Authentication)
• In environments where the VPN Authentication server is deployed as a virtual appliance, the account password used by VPN Authentication to access the BES12 database cannot contain special characters. Only alphanumeric characters are supported. This applies to both SQL Server authentication and Microsoft Active Directory authentication.
• For NTLM authentication with the BES12 database server:
◦ Verify that the Active Directory service account that VPN Authentication uses is in the same Microsoft Active Directory domain as the BES12 database server.
◦ Verify that the Active Directory service account can access the BES12 database.
• Optionally, the FQDN and port of the BlackBerry MDS Connection Service instance or pool that BlackBerry 10 devices use
• Optionally, the FQDN and port of the BlackBerry MDS Connection Service instance or pool that BlackBerry OS (version 6.0 to 7.1) devices use
Connect the VPN Authentication server to BES12
Complete this task for each BES12 domain that you want to connect VPN Authentication by BlackBerry to.
1. In the configuration tool, on the menu bar, click BlackBerry EMM.
2. Click Add BlackBerry EMM.
3. In the EMM server friendly name field, type a unique, descriptive name for the BES12 instance or domain.
4. Under EMM solution type, select BES12.
5. In the EMM server FQDN field, type the FQDN of the computer that hosts BES12 or the FQDN of the BES12 pool.
6. In the BES12 database FQDN field, type the FQDN of the database server.
7. In the BES12 database port field, type the port number for the database server. If your database uses dynamic ports (for example, it is a named instance of SQL), type 0.
8. Select the Use SSL? option if the VPN Authentication server must connect to the database server using SSL.
9. Optionally, in the BES12 database instance field, type the instance name of the BES12 database.
10. In the BES12 database name field, type the name of the BES12 database.
11. Perform one of the following tasks:
• To configure support for SQL authentication:
a. In the BES12 database username field, type the name of the Microsoft SQL Server account that can access the BES12 database.
b. In the BES12 database password and Confirm BES12 database password fields, type the password for the account.
• To configure support for NTLM authentication, select the Use NTLM authentication option. Selecting this option enables three fields: username, password and domain. Enter your Active Directory information in these fields.
12. In the Push for BlackBerry 10 devices section, perform the following tasks:
a. In the Hostname field, type the FQDN for the BlackBerry MDS Connection Service instance or pool that sends push requests to BlackBerry 10 devices.
b. In the Port field, type the port that BlackBerry MDS Connection Service uses. By default, the HTTP port is 10080.
13. In the Push for BlackBerry OS devices section, perform the following tasks:
a. In the Hostname field, type the FQDN for the BlackBerry MDS Connection Service instance or pool that sends push requests to BlackBerry OS devices.
b. In the Port field, type the port that BlackBerry MDS Connection Service uses. By default, the HTTP port is 8080.
14. In the Response port for iOS and Android field, type the port number that iOS and Android devices can use to send responses to the VPN Authentication server. The default port is 4443. The port increments by one for each BES12 domain that you add.
15. Click Add server.
16. Click Commit changes.
After you finish: Delete the examples.
Prerequisites: Connecting the VPN Authentication server to BES10
Obtain the following information from all BES10 domains that you want to connect to:
• BlackBerry Administration Service pool name or the FQDN of the computer that hosts the BlackBerry Administration Service
• One of the following:
◦ To use native BlackBerry Administration Service authentication to connect to the BlackBerry Web Services for BlackBerry Device Service, administrator account and password in BlackBerry Administration Service with BlackBerry Administration Service authentication configured and either the Security Administrator or the Enterprise Administrator role
◦ To use Microsoft Active Directory authentication to connect to the BlackBerry Web Services for BlackBerry Device Service, a Microsoft Active Directory account and password in BlackBerry Administration Service with either the Security Administrator or the Enterprise Administrator role
• FQDN and port number of the BlackBerry MDS Connection Service central push server or pool
Connect the VPN Authentication server to BES10
Complete this task for each BES10 domain that you want to connect VPN Authentication by BlackBerry to.
1. In the configuration tool, on the menu bar, click BlackBerry EMM.
2. Click Add BlackBerry EMM.
3. In the EMM server friendly name field, type a unique, descriptive name for the BES10 instance or domain.
4. Under EMM solution type, select BES10.
5. In the EMM server FQDN field, type the FQDN of the computer that hosts a BlackBerry Administration Service or the BlackBerry Administration Service pool name.
6. In the BlackBerry Web Services port field, type the port number that the BlackBerry Web Services uses. The default port is 38443.
7. Perform one of the following tasks:
• To configure support for BlackBerry Administration Service authentication, in the Authentication method list, select Direct authentication.
• To configure support for Microsoft Active Directory authentication, in the Authentication method list, select Microsoft Active Directory authentication.
8. In the BlackBerry Web Services username field, type the administrator account that you created for VPN Authentication in the BlackBerry Administration Service.
9. In the BlackBerry Web Services password field, type the password for the administrator account.
10. In the Push for BlackBerry 10 devices section, perform the following tasks:
a. In the Hostname field, type the FQDN for the BlackBerry MDS Connection Service instance or pool that sends push requests to BlackBerry 10 devices.
b. In the Port field, type the port that BlackBerry MDS Connection Service uses. By default, the HTTP port is 9080.
11. Click Add server.
12. Click Commit changes.
After you finish: Delete the examples.
Prerequisites: Connecting the VPN Authentication server to BES5
Obtain the following information from all BES5 domains that you want to connect to:
• BlackBerry Administration Service pool name or the FQDN of the computer that hosts the BlackBerry Administration Service
• Port that the BlackBerry Web Services uses (by default, 443)
• One of the following:
◦ To use native BlackBerry Administration Service authentication to connect to the BlackBerry Web Services, administrator account and password in BlackBerry Administration Service with BlackBerry Administration Service authentication configured and either the Security Administrator or the Enterprise Administrator role
◦ To use Microsoft Active Directory authentication to connect to the BlackBerry Web Services, a Microsoft Active Directory account and password in BlackBerry Administration Service with either the Security Administrator or the Enterprise Administrator role
Connect the VPN Authentication server to BES5
Complete this task for each BES5 domain that you want to connect VPN Authentication by BlackBerry to.
1. In the configuration tool, on the menu bar, click BlackBerry EMM.
2. Click Add BlackBerry EMM.
3. In the EMM server friendly name field, type a unique, descriptive name for the BES5 instance or domain.
4. Under EMM solution type, select BES5.
5. In the EMM server FQDN field, type the FQDN of the computer that hosts a BlackBerry Administration Service or the BlackBerry Administration Service pool name.
6. In the BlackBerry Web Services port field, type the port number that the BlackBerry Web Services uses. The default port is 443.
7. Perform one of the following tasks:
• To configure support for BlackBerry Administration Service authentication, in the Authentication method list, select Direct authentication.
• To configure support for Microsoft Active Directory authentication, in the Authentication method list, select Microsoft Active Directory authentication.
8. In the BlackBerry Web Services username field, type the administrator account that you created for VPN Authentication in the BlackBerry Administration Service.
9. In the BlackBerry Web Services password field, type the password for the administrator account.
10. In the Push for BlackBerry OS devices section, perform the following tasks:
a. In the Hostname field, type the FQDN for the BlackBerry MDS Connection Service instance or pool that sends push requests to BlackBerry OS devices.
b. In the Port field, type the port that BlackBerry MDS Connection Service uses. By default, the HTTP port is 8080.
11. Click Add server.
12. Click Commit changes.
After you finish: Delete the examples.
Configure the VPN Authentication server to listen for responses from devices
You must set up VPN Authentication by BlackBerry so that devices know where to send their responses.
Note: You configure the response port for iOS and Android devices when you connect VPN Authentication to BES12.
1. In the configuration tool, on the menu bar, click General.
2. In the VPN Authentication FQDN (for BlackBerry 10, iOS and Android devices) field, type the FQDN of the computer that hosts the VPN Authentication server.
3. In the Server FQDN for Internet access (BlackBerry OS only) field, type the FQDN of the computer that hosts the VPN Authentication server or the FQDN of a proxy server in the DMZ that can forward responses from BlackBerry OS devices.
4. Verify that the default port numbers in the VPN Authentication response ports section are not in use by another application. If there are conflicts, update the port numbers.
5. Click Update settings.
6. Click Commit changes.
Related information
Connect the VPN Authentication server to BES12, on page 30
Configure a TLS connection for responses from BlackBerry 10 devices
Before you begin: On BlackBerry 10 devices, in the Browser certificate store in the work space, install the root certificate of the CA that you're using to generate the signing certificate. For information on how to send CA certificates to devices, see the BES12 Administration content or the BES10 BDS Administration content and BES10 UDS Administration content.
You can complete the following task to configure TLS for the connection between the VPN Authentication by BlackBerry server and BlackBerry 10 devices when the devices forward their responses to the VPN Authentication server.
1. Generate a private signing key and place it in the keystore used by the VPN Authentication server.
a. Open a command prompt window.
b. Change to the <install_dir>/bb2fa-config/listeners/bb10 folder.
c. Run the following command:
../../../jdk/jre/bin/keytool -genkey -keyalg RSA -alias bb2fa -keystore bb10_server.jks
d. At the Enter keystore password prompt, type password. Press Enter.
e. At the What is your first and last name? prompt, type the FQDN or IP address of the computer that hosts the VPN Authentication server. This entry must match the VPN Authentication FQDN (for BlackBerry 10, iOS and Android devices) field that you configured in step 2 of Configure the VPN Authentication server to listen for responses from devices.
f. Press Enter.
g. Proceed through the remaining prompts.
h. Verify that the CN matches the VPN Authentication FQDN (for BlackBerry 10, iOS and Android devices) field that you configured in step 2 of Configure the VPN Authentication server to listen for responses from devices.
i. Type yes. Press Enter.
2. To generate a CSR, run the following command:
../../../jdk/jre/bin/keytool -certreq -alias bb2fa -keystore bb10_server.jks -file <mycsrfile.csr>
3. Use the CSR file to obtain a signed certificate from your organization's CA.
4. Add the signed certificate to the keystore used by the VPN Authentication server.
a. Open a command prompt window.
b. Change to the <install_dir>/bb2fa-config/listeners/bb10 folder.
c. Run the following command:
../../../jdk/jre/bin/keytool -keystore bb10_server.jks -import -alias bb2fa -file <yourcertfile.p7b> -trustcacerts
d. At the Enter keystore password prompt, type password. Press Enter.
e. If a message that asks whether to install the certificate even though it isn't trusted appears, type yes. Press Enter.
f. Proceed through the remaining prompts.
5. In the configuration tool, in the General tab, in the VPN Authentication response ports section, select the Use TLS? option.
6. Click Update settings. 7. Click Commit changes.
Customize the VPN Authentication app
You can update the message that the VPN Authentication by BlackBerry app displays to users when they connect to your VPN network. A number of factors limit the text in the message. The configuration tool lets you know how many characters you can use in the message.
Note: Messages to iOS devices are limited to 255 characters. If the size of your message is greater than 255 characters, the configuration tool displays a warning that you cannot send messages to iOS devices. This limitation does not affect other device types. To reduce the message size, you can leave the "Confirm button text" and "Decline button text" fields blank. The app on the device uses the default "Confirm" and "Decline" text if the message does not include the button text.
1. In the configuration tool, on the menu bar, click General.
2. In the Message title field, type the title that you want the app to display in its message. For example, "Example Organization's VPN."
3. In the Message field, type the message that you want the app to display to users. This message explains to users what is required from them.
4. In the Confirm button text field, type the text that appears on the button users can tap to confirm second-factor authentication.
5. In the Decline button text field, type the text that appears on the button users can tap to decline second-factor authentication.
6. In the Timeout (seconds) field, type the amount of time, in seconds, before the authentication transaction expires.
7. Click Update settings.
8. Click Commit changes.
Sending the VPN Authentication app to devices
The app is available for any BlackBerry 10, BlackBerry OS (version 6 to 7.1), iOS, or Android device that an EMM solution from BlackBerry manages.
Sending the VPN Authentication app to BlackBerry 10 devices using BES12
The VPN Authentication by BlackBerry app is included in the installation folder. You must perform the following actions to send the app to BlackBerry 10 devices when you are using BES12:
• Copy the .bar file from the software bundle to a location that the BES12 management console can access.
• If you have not yet completed this task, use the BES12 management console to specify a shared network location for internal apps.
• In the BES12 management console, add the .bar file as an internal app.
• In the BES12 management console, assign the app to user accounts or groups.
For devices with a work space, the app is installed in the work space. Users can install it using BlackBerry World for Work if you do not make the installation mandatory.
For more information, see the BES12 Administration content.
Sending the VPN Authentication app to BlackBerry 10 devices using BES10
The VPN Authentication by BlackBerry app is included in the installation folder. You must perform the following actions to send the app to devices:
• Copy the .bar file from the software bundle to a location that BlackBerry Administration Service can access.
• If you have not yet completed this task, use the BlackBerry Administration Service to specify a shared network folder for apps.
• In the BlackBerry Administration Service, add the app to the BlackBerry Administration Service app repository.
• In the BlackBerry Administration Service, create a software configuration.
• In the BlackBerry Administration Service, add the app to the software configuration.
• In the BlackBerry Administration Service, assign the software configuration to user accounts or groups.
For devices with a work space, the app is installed in the work space. Users can install it using BlackBerry World for Work if you do not make the installation mandatory.
For more information, see the BES10 BDS Administration content and BES10 UDS Administration content.
Sending the VPN Authentication app to BlackBerry OS devices using BES12
The VPN Authentication by BlackBerry app is included in the installation folder. You must perform the following actions to send the app to BlackBerry OS (version 6.0 to 7.1) devices over the wireless network when you are using BES12. The app is a BlackBerry Java Application.
• Copy the BlackBerryVPNAuthentication_OTA.zip file from the software bundle to a location that the BES12 management console can access.
• If you have not yet completed this task, use the BES12 management console to specify a shared network location for internal apps.
• In the BES12 management console, add the app to the shared network folder, following the instructions for BlackBerry OS devices.
• In the BES12 management console, create a software configuration. You can use the Standard Required or Standard Optional application control policy.
• In the BES12 management console, add the app to the software configuration.
• In the BES12 management console, assign the software configuration to a user account or user group.
To distribute the app using BlackBerry Web Desktop Manager, use the BlackBerryVPNAuthentication_Desktop.zip in <install_dir>/DeviceApp/bbos instead.
For more information, see the BES12 Administration content.
Sending the VPN Authentication app to BlackBerry OS devices using BES5
The VPN Authentication by BlackBerry app is included in the installation folder. You must perform the following actions to send the app to BlackBerry OS (version 6.0 to 7.1) devices over the wireless network when you are using BES5. The app is a BlackBerry Java Application.
• Copy the BlackBerryVPNAuthentication_OTA.zip file from the software bundle to a location that the BlackBerry Administration Service management console can access.
• If you have not yet completed this task, use the BlackBerry Administration Service to specify a shared network folder for apps.
• In the BlackBerry Administration Service, add the app to the application repository.
• In the BlackBerry Administration Service, create a software configuration. You can use the Standard Required or Standard Optional application control policy.
• In the BlackBerry Administration Service, add the app to the software configuration.
• In the BlackBerry Administration Service, assign the software configuration to user accounts or groups.
To distribute the app using BlackBerry Web Desktop Manager, use the BlackBerryVPNAuthentication_Desktop.zip in <install_dir>/DeviceApp/bbos instead.
For more information, see the BES5 Administration content.
Sending the VPN Authentication app to iOS or Android devices using BES12
The VPN Authentication by BlackBerry app is packaged with the BES12 Client. The BES12 Client is installed on any iOS or Android device that is managed by BES12.
You do not need to perform any additional tasks to send the app to iOS or Android devices. Any updates made to the app are pushed to the devices using the app stores.
For more information about the BES12 Client, see the BES12 Administration content.