BlackBerry Access Administration Guide

2020-05-12Z

Contents

What is BlackBerry Access?
Getting started with BlackBerry Access
  System requirements
  Deploying BlackBerry Access
  Downloading and activating BlackBerry Access
Managing BlackBerry Access
  Making BlackBerry Access available to users
    Make BlackBerry Access available to users in BlackBerry UEM
    Making BlackBerry Access available to users in Good Control
  Configuring BlackBerry Access app settings
    Configure BlackBerry Access app settings in BlackBerry UEM
    Configure BlackBerry Access app settings in Good Control
    BlackBerry Access app configuration settings
  Configuring the BlackBerry Dynamics Launcher
    Adding the work app catalog to the BlackBerry Dynamics Launcher
  Whitelist the BlackBerry UEM App Catalog in the BlackBerry Dynamics Connectivity profile
  Configure single sign-on for BlackBerry Access in Good Control
  Configure single sign-on for BlackBerry Access in BlackBerry UEM
  Setting up a PAC file to manage a proxy infrastructure
    PAC file example
    Configure PAC settings in BlackBerry UEM
    Configure PAC settings in Good Control
    Test a PAC configuration
    Refreshing PAC configuration on devices
    PAC file FAQ
  Configure RSA SecurID soft token authentication
    Configure an RSA SecurID application policy in BlackBerry UEM
    Configure an RSA SecurID application policy in Good Control
  Kerberos authentication support
    Mapping domains to Kerberos realms
  Managing certificates
    Verify that BlackBerry Access can use certificates in BlackBerry UEM
    Verify that BlackBerry Access can use certificates in Good Control
    Upload certificates for users in BlackBerry UEM
    Upload certificates for users in Good Control
    Delete certificates for users in BlackBerry UEM
    Delete certificates for users in Good Control
  Security features
    Remote data wipe
    Send device commands to BlackBerry Access in BlackBerry UEM
    Send device commands to BlackBerry Access in Good Control
    Secure storage of browsing activity
    SSL and TLS
    NTLMv2 authentication
    HTTP basic authentication
    User passwords
  Video support
    Video support FAQ
  Configuring allowed Internet domains
  Changing communications protocols
  Configure access to WebRTC-based destinations
  Allow users to open custom URL schemes
  Allow users to securely edit files within an app in BlackBerry Access on Windows or macOS
  Identifying BlackBerry Access in user agent
  Good Control cloud deployments and intranet servers
  Using BlackBerry Analytics to collect app data
  Configure a compliance rule for Windows antivirus detection in Good Control
  Configure support for FQDN resolution in Good Control
Troubleshooting
  Diagnostics
    Generate a diagnostics report on iOS devices
    Generate a diagnostics report on Android devices
  Troubleshoot issues using the BlackBerry Access console
  Upload log files to BlackBerry Support
  Troubleshoot connectivity issues
  Troubleshoot routing issues
Feature support
Browser support for HTML5 and CSS3
  BlackBerry Access for Android HTML and CSS3 support
  BlackBerry Access for iOS HTML and CSS3 support
  BlackBerry Access for macOS HTML and CSS3 support
  BlackBerry Access for Windows HTML and CSS3 support
Legal notice

What is BlackBerry Access?

BlackBerry Access is a secure browser that allows users to access your organization's intranet and business applications through the work firewall, without using a VPN, on Android, iOS, Windows, and macOS devices.
BlackBerry Access is part of the suite of BlackBerry Dynamics mobile productivity apps. You deploy and manage BlackBerry Access using BlackBerry UEM or a standalone Good Control server. Both solutions give you the ability to configure app settings to meet the needs and standards of your organization.
The features offered by BlackBerry Access:

Feature: Secures data
Description: BlackBerry Access secures work web apps in containers, ensuring that data is protected and never leaves your organization's control. All browsing data is encrypted with industry-leading FIPS-validated AES encryption, and BlackBerry Access uses PAC file URLs to route work data securely.

Feature: User authentication
Description: BlackBerry Access leverages standard user authentication methods, including SSL, NTLM, and TLS, and supports credential persistence. BlackBerry Access also supports single sign-on with Kerberos Constrained Delegation across realms and RSA soft token generation.

Feature: Intuitive browser features
Description: BlackBerry Access provides an intuitive interface that makes it easy to download content, set bookmarks, and browse in multiple tabs. BlackBerry Access for iOS also captures and saves web clips, and allows users to view streaming video with intuitive player controls.

Feature: App deployment
Description: BlackBerry Access supports pop-ups that streamline the deployment of web apps, including Cisco WebEx, Salesforce, and custom-developed apps. You can deploy your organization's HTML5 desktop apps securely, and can provide users with offline access to those apps.

Feature: Integrated app store
Description: BlackBerry Access offers an integrated enterprise app store for Android and iOS devices.

Feature: Remote commands
Description: If a user's device is compromised (for example, lost or stolen), you can remotely delete browser data, lock the app, or wipe device data.

Feature: Integration with other apps
Description: BlackBerry Access for Windows and BlackBerry Access for macOS also provide users with access to BlackBerry Work to access their mail, calendars, and contacts from within the secure browser.
|What is BlackBerry Access?|5

Getting started with BlackBerry Access

System requirements

To use BlackBerry Access, your organization must meet the following requirements:

Item: Management solution
Requirement: One of the following:
- BlackBerry UEM, version 12.6 MR1 or later
- Good Control version 2.3 or later, Good Proxy version 2.3 or later

Item: Device OS
Requirement: For device OS compatibility, see the Mobile/Desktop OS and Enterprise Applications Compatibility Matrix.

Deploying BlackBerry Access

You can use either BlackBerry UEM or Good Control to manage BlackBerry Access. If you have not configured your BlackBerry UEM or Good Control environment, you must complete configuration tasks before you can continue with the tasks in this guide. Refer to the table below for more information on which solution to use and where to find more information.

Management option: BlackBerry UEM
Description: If you require MDM capabilities, you must manage BlackBerry Access using BlackBerry UEM. To use BlackBerry UEM to manage BlackBerry Access, see Managing BlackBerry Dynamics apps for information about deploying BlackBerry Access in your organization.

Management option: Good Control
Description: Although it is recommended that you use BlackBerry UEM, if you do not require MDM, you can use Good Control to manage BlackBerry Access. For more information on the benefits of using BlackBerry UEM, see Benefits of upgrading from Good Control to BlackBerry UEM. To use Good Control to manage BlackBerry Access, see the Good Control documentation for information about deploying BlackBerry Access in your organization.
|Getting started with BlackBerry Access|6
Downloading and activatingBlackBerry Access
Platform Details
BlackBerry Access for Androiddevices
BlackBerry Access for iOSdevices
BlackBerry Access for Windowsdevices
BlackBerry Access for macOSdevices
For MDM managed devices, you can useBlackBerry UEMto pushBlackBerry Accessto users, or you can make the app available in users' work catalogs. Users can download theBlackBerry UEM Clientfrom theGoogle Playstore orApp Store. TheUEM Clientmanages the activation ofBlackBerry Dynamicsapps, so users do not require an access key to activate the apps.
For devices that are not MDM managed, users can downloadBlackBerry Accessfrom theGoogle Playstore orApp Store. UsingBlackBerry UEMorGood Control, you provide users with an access key to activateBlackBerry Access(seeGenerate access
keys for BlackBerry Dynamics apps).
Direct users to download and installBlackBerry Accessfrom theBlackBerry Products and Application Support page.
UsingBlackBerry UEMorGood Control, you provide users with an access key to activateBlackBerry Access(seeGenerate access keys
for BlackBerry Dynamics apps).
Prerequisites: DeployingBlackBerry WorkwithBlackBerry Access
When users installBlackBerry Access for WindowsorBlackBerry Access for macOS,BlackBerry Workis also installed as an integrated web extension forBlackBerry Access.
Before you deployBlackBerry Access for WindowsorBlackBerry Access for macOSwithBlackBerry Work, note the following prerequisites:
Verify that the “DisableBlackBerry Work” app configuration setting is not selected (seeBlackBerry Accessapp
configuration settings).
BlackBerry WorkusesMicrosoft Exchange Web Servicesinstead ofMicrosoft Exchange ActiveSync.BlackBerry Workdoesn’t use a configuration file for theMicrosoft Exchange Web ServicesAutodiscover service. Verify that theMicrosoft Exchange Web ServicesAutodiscover service is enabled. For more information about using EWSEditor to check if the Autodiscover service is enabled, visitsupport.blackberry.com/communityto read article 40351.
Verify that theBlackBerry Enterprise Mobility Serveris configured for theMicrosoft Exchange Web ServicesAutodiscover service. For instructions, see theBlackBerry Enterprise Mobility Server Installation and
Configuration content
Note: To useBEMSfor Autodiscover, the user must be assigned theBlackBerry Core and Mail Services or Good Enterprise Services entitlement.The entitlement must be configured in theBlackBerry Dynamicsconnectivity profile linked to the FQDN of theBEMSand port 8443. For more information, seeConfigure BlackBerry Work connection settings.
.
Autodiscovery of the user's mailbox occurs as follows:
|Getting started with BlackBerry Access|7
1. BlackBerry Workconnects toBEMSto perform autodiscovery if the properBEMS-related entitlements
are configured in theBlackBerry Dynamicsconnectivity profile and assigned to the user.Good Enterprise ServicesorBlackBerry Core and Mail Servicesentitlements both cover this requirement.
2. If that fails,BlackBerry Workattempts to connect to https://<emaildomain.com>/autodiscover/
autodiscover.svc
3. If that fails,BlackBerry Workattempts to connect tohttps://autodiscover.<emaildomain.com>/
autodiscover/autodiscover.svc.
IfMicrosoft Exchange Web Servicesis using a self-signed server certificate, ensure that the “Alert user for invalid or expired certificate” app configuration setting is not selected.
If you want to enableKerberosConstrained Delegation, note the following prerequisites:
In theMicrosoft Internet Information Services(IIS), enableKerberosauthentication (underWindowsauthentication) for theMicrosoft Exchange Web Servicesweb server.
InMicrosoft Active Directory Users and Computers, in theMicrosoftManagement Console (MMC), on the Delegation tab, add theMicrosoft Exchange Web ServicesHTTP service for theUEMorGoodadministrator account.
IfKerberosConstrained Delegation is enabled, users can’t enter their authentication credentials (username and password). Authentication is delegated to theUEMorGoodadministrator account.
For more information about setting upKerberosConstrained Delegation, readConfiguring Kerberos for
BlackBerry Dynamics appsin theBlackBerry UEM Configuration content.
|Getting started with BlackBerry Access|8

Managing BlackBerry Access

Making BlackBerry Access available to users

MakeBlackBerry Accessavailable to users inBlackBerry UEM
To manageBlackBerry AccessinBlackBerry UEM, you must addBlackBerry Accessto the app list. Your organization must be entitled to useBlackBerry Accessin theBlackBerry Marketplace for Enterprise Software. After your organization is entitled to use the app, you can update the app list to synchronize the apps withBlackBerry UEMimmediately, or wait until it synchronizes automatically (UEMsynchronizesBlackBerry Dynamicsapps every 24 hours). AfterBlackBerry Accesshas been added to the app list, you can assign it to users.
For complete instructions for managingBlackBerry Dynamicsapps inBlackBerry UEM, seesee Managing
BlackBerry Dynamics apps
1. Log in to your account athttps://marketplace.blackberry.com/apps.
2. Locate the app in theBlackBerry Marketplace for Enterprise Softwareand request a trial. The app will be made
available to your organization and can be assigned to users after the app has been synchronized toBlackBerry UEM.
3. To purchase the app, follow the instructions provided by the app developer.
After you finish:
Update the app list.
To allow users to install and activateBlackBerry Accesson their devices,assignBlackBerry Accessto a user
group oruser account.
If you want to use theBlackBerry UEM Clientto manage the activation ofBlackBerry Access(and otherBlackBerry Dynamicsapps) onAndroidoriOSdevices, instruct users to download theBlackBerry UEM Clientfrom theGoogle Playstore orApp Store.
If you want users to activateBlackBerry Accessusing an access key, useto send users an email with the email address and access key they need to activate the app (seeGenerate access keys for BlackBerry
Dynamics apps).
Update the app list
1. On the menu bar, clickApps.
2.
Click .

Making BlackBerry Access available to users in Good Control

For more information about making BlackBerry Access available to users in Good Control, see the Good Control Online Help.

Configuring BlackBerry Access app settings

Configure BlackBerry Access app settings in BlackBerry UEM

1. On the menu bar, click Apps.
2. Click the BlackBerry Access app.
|Managing BlackBerry Access|9
3. On the BlackBerry Dynamics tab, in the App configuration table, click +.
4. Type a name for the app configuration.
5. Configure the app settings. See BlackBerry Access app configuration settings for a description of the settings that you can configure.
6. Click Save.
After you finish: Assign BlackBerry Access to a user group or user account.

Configure BlackBerry Access app settings in Good Control

1. On the menu bar, click Policy Sets.
2. Click the name of the policy that you want to assign to BlackBerry Access users.
3. Click the APPS tab.
4. Expand APP SPECIFIC POLICIES > BLACKBERRY ACCESS.
5. Configure the app settings. See BlackBerry Access app configuration settings for a description of the settings that you can configure.
6. Click Update.
BlackBerry Accessapp configuration settings
General
Setting Description Applies to
Homepage This setting specifies the URL for the website that
you want to appear as the home screen when users startBlackBerry Access.
The URL must begin with "http://" or "https://".
Allow user to set home page
Use UIWebView to render web content on devices (only applicable toiOSdevices 12.0 or earlier)
This setting specifies whether users can set their own home pages inBlackBerry Access.
This setting specifies whether to allowiOS12.0 and earlier devices to use UIWebView. The default view is WKWebView.
BlackBerry Access for Android
BlackBerry Access for iOS
BlackBerry Access for Windows
BlackBerry Access for macOS
BlackBerry Access for Windows
BlackBerry Access for macOS
BlackBerry Access for iOS
|Managing BlackBerry Access|10
Setting: Allow telephone and maps URL
Description: This setting specifies whether users can access telephone and map URLs in BlackBerry Access.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Identify BlackBerry Access in User Agent
Description: This setting specifies whether BlackBerry Access can send its user agent string to servers hosting websites that users visit. The user agent string identifies BlackBerry Access in the HTTP request headers. Servers use the information in the user agent string to provide content tailored to BlackBerry Access.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Enable pop-up windows
Description: This setting specifies whether BlackBerry Access allows pop-up windows. Disabling pop-up windows may cause issues with applications, such as Microsoft Exchange, that open pop-up windows for tasks like composing new email messages. If you disable this setting, when an app tries to open a pop-up window, BlackBerry Access displays a message that pop-up windows are blocked.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Allow other applications to open urls in full screen mode. (iOS only)
Description: This setting specifies whether apps can open in full screen mode by default.
Applies to: BlackBerry Access for iOS

Setting: Allow import of bookmarks from Safari or Firefox
Description: This setting specifies whether users can import bookmarks that they export from other browsers into BlackBerry Access.
Applies to: BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Push Bookmarks
Description: This setting specifies bookmarks that will be preloaded in BlackBerry Access to make it easier for users to access work intranet webpages. You can copy and paste the text of your bookmarks file directly into this text box. The bookmarks must follow the Netscape bookmark file format. For more information, see https://gist.github.com/jgarber623/cdc8e2fa1cbcb6889872.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Enable web clip feature
Description: This setting specifies whether users can use web clips. Web clips are small icons on mobile devices that link to webpages.
Applies to: BlackBerry Access for iOS

|Managing BlackBerry Access|11
Setting: Allow users to perform app diagnostics
Description: This setting specifies whether users can perform app diagnostics for BlackBerry Access. If this setting is selected, the “Run Diagnostics” option appears in the BlackBerry Access settings menu on users’ devices.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

Setting: Enable APK installation (Android only)
Description: This setting specifies whether users can download and install .apk files.
Applies to: BlackBerry Access for Android

Setting: Allow external apps to open HTTP/HTTPS URLs through BlackBerry Access
Description: This setting specifies whether third-party apps on the device can open webpages in BlackBerry Access.
Note: For BlackBerry Access for iOS, links in third-party, non-BlackBerry Dynamics apps can open in BlackBerry Access only if they launch with the following URL scheme: access://open?url= (for example, access://open?url=http://www.blackberry.com)
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

Setting: Do not allow download from any HTTP or HTTPS site you have not approved by whitelisting it in BlackBerry Control
Description: This setting specifies whether BlackBerry Access users can download content from HTTP or HTTPS webpages even if they haven't been added to an allowed list.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

Setting: Do not allow download from any HTTPS site you have not approved by whitelisting it in BlackBerry Control
Description: This setting specifies whether BlackBerry Access users can download content from HTTPS webpages even if they haven't been added to an allowed list.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

Setting: Enable export of downloaded files to OS file system (Windows and Mac)
Description: This setting specifies whether BlackBerry Work users can download files directly to their device's default download folder, instead of the BlackBerry Dynamics secure container. Note that allowing users to bypass the secure container is a potential security risk.
Applies to: BlackBerry Work for Windows, BlackBerry Work for macOS

Setting: Enable import of files from OS file system
Description: This setting specifies whether BlackBerry Work users can attach files that aren't in the BlackBerry Dynamics secure container.
Applies to: BlackBerry Work for Windows, BlackBerry Work for macOS

Setting: Enable Direct Downloads
Description: This setting specifies whether BlackBerry Work users can download attachments in email messages directly to the device's file system, instead of into the Download Manager in the BlackBerry Dynamics Launcher.
Applies to: BlackBerry Work for Windows, BlackBerry Work for macOS

|Managing BlackBerry Access|12
Setting: Disable BlackBerry Work
Description: This setting specifies whether users can use BlackBerry Work.
Applies to: BlackBerry Work for Windows, BlackBerry Work for macOS

Setting: Open HTML files from other BlackBerry Dynamics applications
Description: This setting specifies whether BlackBerry Access can open HTML files from other BlackBerry Dynamics apps.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

Setting: Enable Geolocation
Description: This setting specifies whether BlackBerry Access users can allow webpages to access their device's location.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

Setting: Enable 3rd Party Applications
Description: This setting specifies whether BlackBerry Access can open custom URL schemes supported by third-party apps. By default, BlackBerry Access opens only HTTP and HTTPS URL schemes.
If you select this setting, you must also set the "Enter comma separated URL schemes" setting.
Note: Each URL string must be mapped as yourstring://your.URL.string. For example, for Webex, you could use wbx://yourcompany.webex.com. In Access, the user would click on the anchor tag <a href="wbx://blackberry.webex.com">wbx://blackberry.webex.com</a> to open the local Webex app and pass the string yourcompany.webex.com to the app.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Enter comma separated URL schemes
Description: This setting specifies the custom URL schemes that BlackBerry Access can open.
The list must be separated by commas. For example, itms-services,market,wbx,lync, where "itms-services" is App Store, "market" is Google Play, "watchdox" is BlackBerry Workspaces, "wbx" is WebEx, and "lync" is Microsoft Lync Server.
This setting is valid only if the "Enable 3rd Party Applications" setting is selected.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

|Managing BlackBerry Access|13
Setting: Enter JSON for search engine titles and URLs
Description: This setting specifies search engine links that are added to the end of users' search results for bookmarks, history, or downloads. They provide users with easier access to search engines when they perform searches.
In the text box, specify the search engine labels to show in BlackBerry Access, such as Google, and the corresponding search engine URLs. The text must be in .json format and each entry must end with [[GASEARCHKEY]]. For example:
[
{"Google":"https://www.google.com/?gws_rd=ssl#q=[[GASEARCHKEY]]"},
{"Yahoo":"https://search.yahoo.com/search?p=[[GASEARCHKEY]]"},
{"Bing":"http://www.bing.com/search?q=[[GASEARCHKEY]]"}
]
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Enable QR Code scanning
Description: This setting specifies whether users can scan a QR code.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

Setting: To force policy update to device, enter current date and time and click update
Description: This setting allows you to send the updated app settings to devices. It also refreshes PAC files.
Enter the current date and time, in either 24-hour format or 12-hour format (for example, 02-16-2017 12:04AM in 12-hour format and 02-16-2017 0004 in 24-hour format) and click Update.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

Security

Setting: Allow SHA1 leaf or intermediate certificates
Description: This setting specifies whether BlackBerry Access users can access HTTPS websites that use SHA1 signature TLS certificates and expired certificates. By default, this setting is selected.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

Setting: Allow legacy/weak algorithms (DES)
Description: This setting specifies whether BlackBerry Access can use 3DES algorithms.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

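
For the "Enter JSON for search engine titles and URLs" setting described above, a check to run on the text before pasting it into the console. This is an added example, not part of the BlackBerry guide or product: the function name and the cleartext-HTTP warning are this example's own, and the sample inputs are constructed from the guide's example.

```python
import json
from urllib.parse import urlsplit

PLACEHOLDER = "[[GASEARCHKEY]]"  # required suffix, per the setting description


def validate_search_engines(text):
    """Validate text for the search-engine JSON setting.

    Returns (errors, warnings), two lists of human-readable strings.
    """
    errors, warnings = [], []
    try:
        entries = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"], warnings
    if not isinstance(entries, list):
        return ["top level must be an array of {label: url} objects"], warnings

    seen = set()
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict) or len(entry) != 1:
            errors.append(f"entry {i}: expected exactly one label mapped to one URL")
            continue
        (label, url), = entry.items()
        where = f"entry {i} ({label!r})"
        if not isinstance(url, str):
            errors.append(f"{where}: URL must be a string")
            continue
        if label in seen:
            warnings.append(f"{where}: duplicate label")
        seen.add(label)

        # URLs copied from a PDF or wrapped e-mail often pick up stray spaces.
        if any(ch.isspace() for ch in url):
            errors.append(f"{where}: whitespace inside URL")
        if not url.endswith(PLACEHOLDER):
            errors.append(f"{where}: URL must end with {PLACEHOLDER}")

        try:
            parts = urlsplit("".join(url.split()))
        except ValueError:
            errors.append(f"{where}: URL cannot be parsed")
            continue
        if parts.scheme not in ("http", "https") or not parts.netloc:
            errors.append(f"{where}: URL must be an absolute http(s) URL")
        elif parts.scheme == "http":
            # Users' search terms would leave the browser unencrypted.
            warnings.append(f"{where}: search terms are sent over cleartext HTTP")
    return errors, warnings


# Constructed sample inputs (the first mirrors the guide's example).
GUIDE_EXAMPLE = """[
{"Google":"https://www.google.com/?gws_rd=ssl#q=[[GASEARCHKEY]]"},
{"Yahoo":"https://search.yahoo.com/search?p=[[GASEARCHKEY]]"},
{"Bing":"http://www.bing.com/search?q=[[GASEARCHKEY]]"}
]"""
WRAPPED_COPY = '[{"Google":"https://www.google.com/? gws_rd=ssl#q=[[GASEARCHKEY]]"}]'
NO_PLACEHOLDER = '[{"Intranet":"https://search.example.com/?q="}]'

if __name__ == "__main__":
    for name in ("GUIDE_EXAMPLE", "WRAPPED_COPY", "NO_PLACEHOLDER"):
        errs, warns = validate_search_engines(globals()[name])
        print(name, "errors:", errs, "warnings:", warns)
```
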
|Managing BlackBerry Access|14
Setting: Allow user to securely save authentication credentials
Description: This setting specifies whether BlackBerry Access users can save the authentication credentials that they use to access webpages.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Expire stored credentials after
Description: This setting specifies when the stored user credentials expire. You can choose between "Never Expire" or "24 Hrs."
This setting is valid only if the "Allow user to securely save authentication credentials" setting is selected.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Alert user for invalid or expired certificate
Description: This setting specifies whether users will be notified when certificates are invalid or expired.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Enforce strict tunnel
Description: This setting specifies whether BlackBerry Access can use only IP addresses and URLs listed in Connectivity profiles. If an IP address or a URL is explicitly defined to route DIRECT, the site is allowed and routes DIRECT.
External sites that are not explicitly defined in the Connectivity profile are blocked. However, if the default route is configured to use a BlackBerry Proxy cluster, all undefined IP addresses and URLs are allowed. If external sites are not allowed, they are blocked.
If the default route is set to DIRECT, all sites that are not explicitly allowed are blocked.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

|Managing BlackBerry Access|15
Setting: Allow URL not in Allowed Domains of Connectivity Profiles to be loaded in native browser
Description: This setting specifies whether, when BlackBerry Access users try to access webpages from domains that aren't listed in the allowed domains in Connectivity profiles, they are opened in the device's native browser instead of BlackBerry Access.
This setting is valid only if the "Enforce strict tunnel" setting is selected.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: When user selects apply to all during prompt to open in third party browser, do not prompt again for all the hosts under same domain.
Description: This setting specifies whether, when a user selects “Always open links from <domain> in Safari”, the user is not prompted again for any other hosts that the user accesses within the same domain.
Applies to: BlackBerry Access for iOS

Setting: Do not prompt client cert authorization for all sites
Description: When a user uploads only one certificate to BlackBerry UEM that matches a recognized CA, selecting this setting allows the webpage requesting authorization to obtain the certificate without prompting the user. If the user has uploaded multiple certificates from the same CA, the user is prompted to select the certificate to use.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Do not prompt client cert authorization for white listed sites only
Description: When a user uploads only one certificate to BlackBerry UEM that matches a recognized CA, selecting this setting allows all domains listed in the allowed domains portion in Connectivity profiles to obtain the certificate without prompting the user. If the user has uploaded multiple certificates from the same CA, the user is prompted to select the certificate to use.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: List all certificates available to user to choose for client cert authentication
Description: Specify whether all uploaded encryption certificates are displayed when a user attempts to access websites that require a client cert.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

|Managing BlackBerry Access|16
Network

Setting: Enter comma separated Kerberos realm mappings e.g.: foo=FOO.COMPANY.COM
Description: This setting specifies Kerberos realm mappings. Kerberos authentication realms define areas that are under control of Kerberos. These mappings allow you to equate realm names with other names that are accessible or for some other reason.
The limit is 4000 characters.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Enable Kerberos Forwardable Ticket
Description: This setting specifies whether Kerberos Forwardable tickets can be used.
Forwardable tickets in Kerberos are client-side authentication credentials that are tied to a particular IP address that can be treated as new tickets with other IP addresses.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

Setting: Resolve short names to full qualified domain name (FQDN) for Kerberos authentication
Description: This setting specifies whether users can reach servers by typing the unqualified domain name instead of the FQDN for Kerberos authentication.
Enabling this setting may impact performance.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Disable file upload and download on mobile connections (Windows Only)
Description: This setting specifies whether files can be downloaded or uploaded when users are connected to a mobile network instead of a Wi-Fi network.
Applies to: BlackBerry Access for Windows

Setting: Enable HTTP 2.0 Support
Description: This setting specifies whether HTTP 2.0 is supported in BlackBerry Access.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

Setting: Enable Web Proxy
Description: This setting specifies whether BlackBerry Access can communicate through a web proxy server.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

|Managing BlackBerry Access|17
Setting: Use Proxy Auto Configuration
Description: PAC files make it easier for users to work with proxy servers by hiding the complexities of authentication from the end user.
If your organization uses a PAC file to define proxy rules, you can select this setting to use the proxy server settings from the PAC file that you specify.
Enabling this setting will override static web proxy settings.
This setting requires BlackBerry Dynamics servers version 1.6 and later.
This setting is valid only if the "Enable Web Proxy" setting is selected.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Enter URL for PAC file location
Description: This setting specifies the URL for the web server that hosts the PAC file, including the PAC file name. For example, http://www.example.com/PACfile.pac.
Note: The PAC file must not be hosted on the same server as Good Control or on the same server as BlackBerry UEM or any of its components. This configuration is not supported.
The limit is 4000 characters.
This setting is valid only if the "Enable Web Proxy" and "Use Proxy Auto Configuration" settings are selected.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Use Static Web Proxy (Full Tunnel)
Description: This setting specifies whether communications are enabled through a single web proxy service only.
This setting is valid only if the "Enable Web Proxy" setting is selected.
Note: Enabling this setting overrides 'Enforce strict tunnel' settings.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Proxy Host
Description: This setting specifies the FQDN or IP address of the proxy server.
This setting is valid only if the "Use Static Web Proxy (Full Tunnel)" setting is selected.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

|Managing BlackBerry Access|18
Setting: Proxy Port
Description: This setting specifies the port number of the proxy server.
This setting is valid only if the "Use Static Web Proxy (Full Tunnel)" setting is selected.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Enable PAC proxy check for all the sub-resources
Description: You can use this setting to enforce PAC processing without caching.
Selecting this setting has an impact on the performance of your organization’s environment. It is recommended to use this feature for special circumstances only.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

RSA

Setting: Enable RSA SecurID
Description: This setting specifies whether users can use RSA SecurID token authentication to authenticate with BlackBerry Access, instead of a password.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

Setting: Prompt PIN for PINPAD Token
Description: This setting specifies whether users are always prompted for an RSA SecurID PIN.
This setting is valid only if the "Enable RSA SecurID" setting is selected.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

Setting: Token File Password Retry Count
Description: This setting specifies the number of times that a user can enter an incorrect RSA SecurID PIN before they are locked out.
This setting is valid only if the "Enable RSA SecurID" setting is selected.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

Setting: Token Request SendTo Email Address
Description: This setting specifies the email address of your RSA authentication manager. All RSA SecurID token seed record requests are sent to this address.
This setting is valid only if the "Enable RSA SecurID" setting is selected.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

|Managing BlackBerry Access|19
Setting: Token Request CC Email Address
Description: This setting specifies the email address that should be CC'd for all RSA SecurID token seed record requests.
This setting is valid only if the "Enable RSA SecurID" setting is selected.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

Setting: Token Request Email Subject
Description: This setting specifies the email subject for token request emails.
This setting is valid only if the "Enable RSA SecurID" setting is selected.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

Features

Setting: Allow user to upload
Description: This setting specifies whether users can upload files to web pages in BlackBerry Access. Files can have a maximum size of 20 MB.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

Setting: Allow user to take new photos/videos and upload
Description: This setting specifies whether users can take photos and videos and upload the photos and videos to a web page. Users must allow BlackBerry Access to access their cameras. Files can have a maximum size of 20 MB.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

Setting: Allow user to select existing photos/videos to upload
Description: This setting specifies whether users can upload existing photos and videos from their photo libraries to a web page. Files can have a maximum size of 20 MB.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

Setting: Allow user to select files from file providers to upload
Description: This setting specifies whether users can upload files from other file apps. Files can have a maximum size of 20 MB.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

Setting: Allow user to upload files from the download manager
Description: This setting specifies whether users can upload files that have been downloaded to the downloads folder in BlackBerry Access.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

|Managing BlackBerry Access|20
BlackBerry Work(Mac and Win)
Setting Description Applies to
Launch mail app on browser start
Enable avatar photos This setting specifies whether users can set avatar
EWS server Optionally, you can use this setting to specify the
This setting specifies whether the mail app opens instead of a browser windowwhenBlackBerry Accessstarts.
photos. If it is disabled, the user's initials appear instead.
URL that the mail app uses forMicrosoft Exchange Web Servicesprovisioning.Otherwise,BlackBerry Workuses autodiscovery methods to locate the EWS server.
Optionally, you can enter a series of name=value pairs separated by commas, where the name designates an email domain and the value designates the URL for the EWS endpoint for that domain.Using this method, administrators can assign multiple users with different EWS endpoints to the same application policy and be able to controlwhere the mail app accesses mail, based on the user’s email domain.
BlackBerry Access for Windows
BlackBerry Access for macOS
BlackBerry Access for Windows
BlackBerry Access for macOS
BlackBerry Access for Windows
BlackBerry Access for macOS
Enable KCD or PKNIT Support
Use client certificate in place of login/password
For example:
Single value: blackberry.com=http:// mail.blackberry.com
Multiple values: blackberry.com=http:// mail.blackberry.com,yahoo.com=https:// mail.yahoo.com
Note: BlackBerry Accessdoes not validate the entries. All related logs are prefixed by[WEB_MAIL] EWS URL Resolution:at the INFO log level.
This setting specifies whether the mail app can useKerberosconstrained delegation.
This setting specifies whether users can use SSL certificates instead of using a login and password to authenticate withBlackBerry Work. Depending on your environment, SSL certificates must be uploaded toBlackBerry UEMorGood Control. For more information, seeManaging certificates.
BlackBerry Access for Windows
BlackBerry Access for macOS
BlackBerry Access for Windows
BlackBerry Access for macOS
|Managing BlackBerry Access|21
Setting: Disable Notifications
Description: This setting specifies whether BlackBerry Work displays notifications for mail and calendar events.
Applies to: BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Enable email Classification
Description: This setting specifies whether to enable email classification markings, such as INTERNAL, CONFIDENTIAL, NO FORWARD, and/or NO REPLY. If selected, specify the following sample information in the Classifications and caveats field as required:
    <emailClassificationMarks>
      <options>
        <classifications>ON</classifications>
        <caveats>OFF</caveats>
        <classificationDefault>INTERNAL</classificationDefault>
        <caveatDefault>NO FORWARD</caveatDefault>
      </options>
      <classifications>
        <classification>
          <select>INTERNAL</select>
          <subject>(INTERNAL)</subject>
        </classification>
        <classification>
          <select>CONFIDENTIAL</select>
          <subject>[CONFIDENTIAL]</subject>
        </classification>
      </classifications>
      <caveats>
        <caveat>
          <select>NO FORWARD</select>
          <subject>(DO NOT FORWARD)</subject>
        </caveat>
        <caveat>
          <select>NO REPLY</select>
          <subject>(DO NOT REPLY)</subject>
        </caveat>
      </caveats>
    </emailClassificationMarks>
Applies to: BlackBerry Access for Windows, BlackBerry Access for macOS

|Managing BlackBerry Access|22
Setting: Display warning while sending message if recipient's email domain is unauthorized
Description: This setting specifies whether to display a warning if the user is sending an email to a recipient in an email domain that is not authorized. If selected, specify email domains you want to authorize in the Authorize email domains field.
Users will notice that email addresses in untrusted domains appear in purple text.
Applies to: BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Default signing algorithm
Description: This setting specifies the algorithm to use for signing sent messages.
Applies to: BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Default encryption algorithm
Description: This setting specifies the algorithm to use for encrypting sent messages.
Applies to: BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Enable Revocation Checking
Description: This setting allows you to set revocation checking of all certificates used for signing/encryption and signing verification/decryption of S/MIME messages.
When you select this box, Use AIA extension in certificate if present is selected by default.
In the Default OSCP URL field, specify the web address of the OCSP service. The OCSP URI is used by the S/MIME verification APIs as an OCSP revocation check service if an AIA extension is not present in a certificate or if the Use AIA extension in certificate if present check box is not selected.
Applies to: BlackBerry Access for Windows, BlackBerry Access for macOS

|Managing BlackBerry Access|23
Setting: Use Office 365 Modern Authentication
Description: This setting allows you to configure options for Microsoft Office 365. Modern authentication enables BlackBerry Work to use sign-in features such as Multi-Factor Authentication and SAML-based third-party Identity Providers. If selected, specify the following:
In the Azure App ID field, specify the Microsoft Azure app ID for BlackBerry Work.
For information on how to obtain an Azure app ID, see Obtain an Azure app ID for BlackBerry Work for Windows and macOS.
In the Office 365 Sign On URL field, specify the web address that BlackBerry Work should use when it signs in to Office 365. If you do not specify a value, BlackBerry Work uses https://login.microsoftonline.com during setup.
In the Office 365 Tenant ID field, specify the tenant ID of the Office 365 server that you want BlackBerry Work to connect to during setup. If you do not specify a value, a value of "common" is used.
In the Office 365 Resource field, specify the resource URL of the Office 365 server that you want BlackBerry Work to connect to during setup. If you do not specify a value, BlackBerry Work uses https://outlook.office365.com during setup.
Applies to: BlackBerry Access for Windows, BlackBerry Access for macOS

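Because the EWS server setting in the BlackBerry Work (Mac and Win) table above is not validated by BlackBerry Access, an administrator can check the value before saving it. The following is an added example, not code from BlackBerry; the function names, the warning on http endpoints and the lookup by email domain are assumptions made for illustration.

```javascript
// Added example: pre-save check for an "EWS server" value, which is either a
// single URL or comma-separated emaildomain=URL pairs.

// Shape check for the email-domain side of each pair.
var DOMAIN_RE = /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;

// Validates one URL; records problems in out.errors / out.warnings.
function checkUrl(raw, label, out) {
  if (/\s/.test(raw)) {
    // Typical result of pasting a URL that was wrapped in a document.
    out.errors.push(label + ": URL contains whitespace");
    return false;
  }
  var parsed;
  try {
    parsed = new URL(raw);
  } catch (e) {
    out.errors.push(label + ": not a valid URL");
    return false;
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    out.errors.push(label + ": scheme must be http or https");
    return false;
  }
  if (parsed.protocol === "http:") {
    out.warnings.push(label + ": endpoint is not protected by TLS");
  }
  return true;
}

function parseEwsSetting(value) {
  var out = { defaultUrl: null, byDomain: Object.create(null), errors: [], warnings: [] };
  var text = String(value == null ? "" : value).trim();
  if (text === "") return out;            // empty value: autodiscovery is used
  if (/^https?:\/\//i.test(text)) {       // single URL form
    if (checkUrl(text, "EWS server", out)) out.defaultUrl = text;
    return out;
  }
  text.split(",").forEach(function (entry, index) {
    var label = "entry " + (index + 1);
    var eq = entry.indexOf("=");
    if (eq === -1) { out.errors.push(label + ": expected name=value"); return; }
    var domain = entry.slice(0, eq).trim().toLowerCase();
    var url = entry.slice(eq + 1).trim();
    if (!DOMAIN_RE.test(domain)) { out.errors.push(label + ": invalid email domain"); return; }
    if (domain in out.byDomain) { out.errors.push(label + ": duplicate domain " + domain); return; }
    if (checkUrl(url, label, out)) out.byDomain[domain] = url;
  });
  return out;
}

// Returns the endpoint configured for the user's email domain, or the single
// URL if one was given, or null when nothing is configured for that domain.
function resolveEwsUrl(parsed, email) {
  var address = String(email);
  var domain = address.slice(address.lastIndexOf("@") + 1).toLowerCase();
  return domain in parsed.byDomain ? parsed.byDomain[domain] : parsed.defaultUrl;
}
```
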
BlackBerry Access(Mac and Win)
Setting Description Applies to
Enable WebRTC This setting specifies whether to enableaccess
to WebRTC protocol-based destinations such asCitrixVDI browser-based access.
For information on how to configureBlackBerry Accessto support WebRTC, seeConfigure access to
WebRTC-based destinations.
Enable Microphone Access
This setting specifies whetherBlackBerry Accessshould display a prompt that allows users to permit websites to use the device's microphone. You can enable it only if WebRTC is enabled.
BlackBerry Access for Windows
BlackBerry Access for macOS
BlackBerry Access for Windows
BlackBerry Access for macOS
|Managing BlackBerry Access|24
Setting: Enable Camera Access
Description: This setting specifies whether BlackBerry Access should display a prompt that allows users to permit websites to use the device's camera. You can enable it only if WebRTC is enabled.
Applies to: BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Enable UDP Protocol support
Description: This setting specifies whether to allow UDP connections initiated by websites.
Applies to: BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Enable Printing
Description: This setting specifies whether to allow users to print web pages.
Applies to: BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Enable embedded PDF viewer
Description: This setting specifies whether to allow users to view embedded PDFs from within BlackBerry Access.
Applies to: BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Automatically open PDF and Microsoft Office documents after download
Applies to: BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Enable Microsoft Office URI support
Description: Only Microsoft Office URIs that specify online documents are supported.
Applies to: BlackBerry Access for Windows, BlackBerry Access for macOS

|Managing BlackBerry Access|25
Setting: Enable Upgrade Notifications
Description: This setting specifies whether to push notifications to users when a new upgrade is available.
If selected, specify the following:
In the Min Windows Version field, specify the minimum BlackBerry Access for Windows version. If there are versions available that are later than the version specified in this field, users will be sent an upgrade notification.
In the Min Mac Version field, specify the minimum BlackBerry Access for macOS version. If there are versions available that are later than the version specified in this field, users will be sent an upgrade notification.
In the Win Download URL field, specify the URL for the BlackBerry Access for Windows app.
In the Mac Download URL field, specify the URL for the BlackBerry Access for Windows app.
In the Notification Message, you can create a custom message or leave the default message.
Applies to: BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Enable Awingu Extension
Description: This setting specifies whether to enable the Awingu extension which allows users to store their Awingu credentials. Also, when enabled, an icon is added to the toolbar in BlackBerry Access and users can launch Awingu by clicking the icon in the toolbar.
If selected, you must specify the following:
In the Awingu URL field, specify your organization's Awingu URL. For example, yourcompany.awingu.com
In the Awingu DOMAIN field, specify your organization's Awingu domain.
Applies to: BlackBerry Access for Windows, BlackBerry Access for macOS

|Managing BlackBerry Access|26
Setting: Enable installation of extensions
Description: This setting specifies whether to allow websites to download extensions for third-party apps.
If selected, in the Permitted Extension Ids field, specify one or more extension IDs that can be installed. The source can be from any URL.
Note: WebEx and Skype can be enabled either by adding their extension ids or by adding their protocols to the external protocols list.
In the Chrome app store, users can add only apps that have permitted extensions.
If an extension is enabled and installed, and the administrator removes its ID, the extension is removed from BlackBerry Access. If the administrator re-adds the extension, the user must restart BlackBerry Access to be able to add the app from the Chrome app store.
Applies to: BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Enable developer mode
Description: This setting allows you to enable developer mode in BlackBerry Access.
Applies to: BlackBerry Access for Windows, BlackBerry Access for macOS
Obtain anAzureapp ID forBlackBerry WorkforWindowsandmacOS
If you are configuringOffice 365settings in the app configuration forBlackBerry Work, you may need to obtain and copy theAzureapp ID forBlackBerry WorkforWindowsandmacOS.
Note: If you have already created anAzureapp ID forBlackBerry WorkforiOSandBlackBerry WorkforAndroid,make sure that you do not use the sameAzureapp ID forforBlackBerry WorkforWindowsandmacOS.BlackBerry WorkforWindowsandmacOSneed their ownAzureapp ID.
1. Log on toportal.azure.com.
2. In the left column, clickAzure Active Directory.
3. ClickApp registrations.
4. ClickNew registration.
5. In theNamefield, enter a name for the app. This is the name that users will see.
6. Select a supported account type.
7. In theRedirect URIdrop-down list, selectPublic client (mobile & desktop). and enterchrome-extension://
glilhfdenplejncjmngdaojopbobomfa/login.html
8. ClickRegister.
9. In theManagesection, clickAPI permissions.
10.ClickAdd a permission.
11.In theSelect an APIsection, click theMicrosoft APIstab.
12.SelectExchange.
13.If your environment is usingOffice 365 Exchange Online, set the following permissions:
|Managing BlackBerry Access|27
Delegated permissions: Access mailboxes as the signed-in user via Exchange Web Services (EWS >
EWS.AccessAsUser.All).
14.ClickAdd permissions.
15.ClickMicrosoft Graph. IfMicrosoft Graphis not listed, addMicrosoft Graph.
16.Set the following permissions forMicrosoft Graph:
Delegated permissions
Sign in and read user profile (User > User.Read)
Send mail as a user(Mail > Mail.Send)
17.Click one of the following:
IfMicrosoft Graphexisted in the API permissions list, clickUpdate permissions.
If you needed to addMicrosoft Graph, clickCreate.
18.ClickGrant Permissionsto apply the permissions for the app. These settings will not be applied to the app
until you have granted the updated permissions.
19.ClickYes. You can now copy the Application ID for the app that you created.In theManagesection, clickOverview.It is located under the name of the app, in the Application ID field.

Configuring the BlackBerry Dynamics Launcher

The BlackBerry Dynamics Launcher allows users to access their BlackBerry Dynamics apps in one place. Using the BlackBerry Dynamics Launcher button, users can access things such as BlackBerry Work (mail, calendar, contacts), app catalogs, and downloads, from the BlackBerry Access browser window.
You can configure the BlackBerry Dynamics Launcher in the BlackBerry Enterprise Mobility Server. You can also set a customized icon for the BlackBerry Dynamics Launcher.
For more information, see the BlackBerry Enterprise Mobility Server content.

Adding the work app catalog to the BlackBerry Dynamics Launcher

You can add the work app catalog to the BlackBerry Dynamics Launcher so that users have quick access to a list of their assigned work apps.
For BlackBerry Access for Android devices, when users select the BlackBerry UEM App Catalog icon in the BlackBerry Dynamics Launcher, the work app catalog opens in the BlackBerry UEM Client.
For BlackBerry Access for iOS devices, when users select the BlackBerry UEM App Catalog icon in the BlackBerry Dynamics Launcher, the work app catalog opens in the BlackBerry Access for iOS browser.
For more information about using BlackBerry UEM to manage BlackBerry Access, see the Getting started with BlackBerry UEM and BlackBerry Dynamics content.
For more information about using Good Control to manage BlackBerry Access, visit http://help.blackberry.com/en/good-control-good-proxy/current/ to read the Good Control Help Guide.
|Managing BlackBerry Access|28
Whitelist theBlackBerry UEM App Catalogin theBlackBerry DynamicsConnectivity profile
TheBlackBerry UEM App Catalogfeature is configured automatically byBlackBerry UEMand must be able to route through the Internet. If theRoute all trafficoption is not selected in theBlackBerry DynamicsConnectivity profile, you must configure the *.bbsecure.com domain requests to route through Direct. For more information on theBlackBerry DynamicsConnectivity profile, seeSetting up network connections for BlackBerry Dynamics apps.
1. On the menu bar, clickPolicies and Profiles.
2. ClickNetworks and connections>BlackBerry Dynamics connectivity.
3. Select the connectivity profile that you want to edit.
4. In theDomaintable, click+.
5. On theAllowed Domainscreen, enter the following:
a) In theDomainfield, enter*.bbsecure.com. b) SelectDirect.
6. ClickSave.

Configure single sign-on for BlackBerry Access in Good Control

You can enable single sign-on for BlackBerry Access in an environment that's already set up for Microsoft Office 365 with Microsoft Active Directory Federation Services and single sign-on.
Before you begin:
Configure single sign-on in Office 365 with Active Directory Federation Services version 2.0 or 3.0, relying on Windows Authentication and Kerberos.
Configure Good Control for Kerberos constrained delegation.
Verify that the "Identify BlackBerry Access in User Agent" app setting is selected in BlackBerry UEM or Good Control.
1. Verify the SPN for Active Directory Federation Services. For Active Directory Federation Services to use Kerberos, the Active Directory Federation Services service must have registered an SPN. This SPN should already be registered by the prerequisite Active Directory Federation Services configuration in Office 365.
   a) Open a command prompt on a computer with Active Directory RSAT tools installed.
   b) Enter the command: setspn -q HOST/fqdn.of.adfs.server where fqdn.of.adfs.server is the FQDN of your Active Directory Federation Services server.
   This command exposes the name of the service account that serves Active Directory Federation Services. For a safer form of delegation (HOST allows any protocol, only HTTP is needed) you might want to register the HTTP SPN of the Active Directory Federation Services service account with the following command: setspn -S HTTP/fqdn.of.adfs.server ADFS_service_account, where ADFS_service_account is the name of the Active Directory Federation Services service account shown in the previous command.
2. Enable the User Agent in Active Directory Federation Services. By default, Active Directory Federation Services allows only known user agents to use Windows Authentication. All other user agents are considered external and are served with Forms Based Authentication (FBA) or certificate authentication.
   a) To enable single sign-on in BlackBerry Access you need to add the BlackBerry Access user agent string to Active Directory Federation Services to allow Windows Authentication for BlackBerry Access and Kerberos constrained delegation. For all platforms, the BlackBerry Access user agent string begins with Mozilla/5.0.
   b) To verify the Active Directory Federation Services user agents, enter the following command: Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
   c) Edit and run the following script to add the new user agent to Active Directory Federation Services. $NewUserAgent must be edited to the value that you will add.
      # User agent value to add; edit before running
      $NewUserAgent = "Mozilla/5.0"
      # Read the user agents currently allowed to use Windows Authentication
      $CurrentUserAgents = Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
      # Append the new value and write the complete list back
      $UserAgentAddArray = $CurrentUserAgents + $NewUserAgent
      Set-ADFSProperties -WIASupportedUserAgents $UserAgentAddArray
   d) To verify that the Active Directory Federation Services user agent has been added, run the Get-ADFSProperties command again: Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
   e) Restart the Active Directory Federation Services service.
3. Set delegation on the Kerberos account of Good Control.
   a) Log in to Good Control.
   b) Navigate to the Server Properties tab.
   c) Scroll to find the value of the gc.krb5.principal.name property. Set this object name in Microsoft Active Directory.
   d) On your Microsoft Active Directory server, click the Delegation tab.
   e) Click ADD and enter the Active Directory Federation Services service account name that you discovered in step 1.
   f) Add the HTTP SPN.
   g) Click OK.

Configure single sign-on for BlackBerry Access in BlackBerry UEM

You can enable single sign-on for BlackBerry Access in an environment that's already set up for Microsoft Office 365 with Microsoft Active Directory Federation Services and single sign-on.
Before you begin:
Configure single sign-on in Office 365 with Active Directory Federation Services version 2.0 or 3.0, relying on Windows Authentication and Kerberos.
Configure BlackBerry UEM for Kerberos constrained delegation.
Verify that the "Identify BlackBerry Access in User Agent" app setting is selected in BlackBerry UEM.
1. Verify the SPN for Active Directory Federation Services. For Active Directory Federation Services to use Kerberos, the Active Directory Federation Services service must have registered an SPN. This SPN should already be registered by the prerequisite Active Directory Federation Services configuration in Office 365.
   a) Open a command prompt on a computer with Active Directory RSAT tools installed.
   b) Enter the command: setspn -q HOST/fqdn.of.adfs.server where fqdn.of.adfs.server is the FQDN of your Active Directory Federation Services server.
   This command exposes the name of the service account that serves Active Directory Federation Services. For a safer form of delegation (HOST allows any protocol, only HTTP is needed) you might want to register the HTTP SPN of the Active Directory Federation Services service account with the following command: setspn -S HTTP/fqdn.of.adfs.server ADFS_service_account, where ADFS_service_account is the name of the Active Directory Federation Services service account shown in the previous command.
2. Enable the User Agent in Active Directory Federation Services. By default, Active Directory Federation Services allows only known user agents to use Windows Authentication. All other user agents are considered external and are served with Forms Based Authentication (FBA) or certificate authentication.
   a) To enable single sign-on in BlackBerry Access you need to add the BlackBerry Access user agent string to Active Directory Federation Services to allow Windows Authentication for BlackBerry Access and Kerberos constrained delegation. For all platforms, the BlackBerry Access user agent string begins with Mozilla/5.0.
   b) To verify the Active Directory Federation Services user agents, enter the following command: Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
   c) Edit and run the following script to add the new user agent to Active Directory Federation Services. $NewUserAgent must be edited to the value that you will add.
      # User agent value to add; edit before running
      $NewUserAgent = "Mozilla/5.0"
      # Read the user agents currently allowed to use Windows Authentication
      $CurrentUserAgents = Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
      # Append the new value and write the complete list back
      $UserAgentAddArray = $CurrentUserAgents + $NewUserAgent
      Set-ADFSProperties -WIASupportedUserAgents $UserAgentAddArray
   d) To verify that the Active Directory Federation Services user agent has been added, run the Get-ADFSProperties command again: Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
   e) Restart the Active Directory Federation Services service.
3. Set delegation on the Kerberos account.
   a) Log in to BlackBerry UEM.
   b) Click Settings > BlackBerry Dynamics > Properties.
   c) Scroll to find the value of the gc.krb5.principal.name property. Set this object name in Microsoft Active Directory.
   d) On your Microsoft Active Directory server, click the Delegation tab.
   e) Click ADD and enter the Active Directory Federation Services service account name that you discovered in step 1.
   f) Add the HTTP SPN.
   g) Click OK.

Setting up a PAC file to manage a proxy infrastructure

A work network can have complex traffic flows between local networks, connected vendor and partner networks, and the Internet. DNS domains are often split between internal and Internet hosts that require complex routing. A PAC file is an efficient way to manage a complex proxy infrastructure.
A PAC file is aJavaScriptfunction definition that determines whether web browser requests (HTTP, HTTPS, and FTP) go directly to the destination or if they are forwarded to a web proxy server. PAC files can support proxy deployments in which clients are configured to send traffic to the web proxy.
The benefits of using a PAC file:
A PAC file allows you to automatically:
Send Internet-bound HTTP, HTTPS, and FTP traffic directly to the proxy
Send Intranet traffic directly to the destination
Make exceptions for internal or external sites that must be routed or bypass the proxy
A PAC file locks down theBlackBerry AccessLAN egress configuration
A PAC file provides a flexible, easy-to-maintain, and script-driven method of controlling the routing of web requests
|Managing BlackBerry Access|31
A PAC file can include code that handles proxy load distribution and failover
A PAC file can be stored and updated in a central location, instead of distributed on multiple servers and devices; when a PAC file is changed, client browsers retrieve the updated copy the next timeBlackBerry Accessis launched
A PAC filecan be configured to return DIRECT, NATIVE, BLOCK, or PROXY to have more granular control over browsing
Note:
It is a best practice to keep the PAC file size under 1 MB to ensure proper performance.
The return values in the PAC file must not contain spaces or newline characters.
The PAC file must not be hosted on the same server as Good Control or on the same server as BlackBerry UEM or any of its components. This configuration is not supported.

PAC file example

PAC files should start with a clear and concise coding methodology. You can achieve the same result using several different methods using the PAC file functions that are available and the flexibility of the JavaScript language. The following example shows how to:
Normalize the requested URL for pattern matching
Bypass the proxy when the destination is a plain hostname (a hostname that doesn't include a domain)
Bypass the proxy for a defined set of local domains
Bypass non-routable addresses (RFC 3330, better known as Special-Use IPv4 Addresses)
Send remaining HTTP, HTTPS, and FTP traffic to a specific proxy
    function FindProxyForURL(url, host)
    {
        /* Normalize the URL for pattern matching */
        url = url.toLowerCase();
        host = host.toLowerCase();
        /* Don't proxy local hostnames */
        if (isPlainHostName(host)) {
            return 'DIRECT';
        }
        /* Don't proxy local domains */
        if (dnsDomainIs(host, ".example1.com") || (host == "example1.com") ||
            dnsDomainIs(host, ".example2.com") || (host == "example2.com") ||
            dnsDomainIs(host, ".example3.com") || (host == "example3.com")) {
            return 'DIRECT';
        }
        /* Resolve the host once so that the address checks below have an IP to test */
        if (isResolvable(host)) {
            var hostIP = dnsResolve(host);
            /* Don't proxy non-routable addresses (RFC 3330) */
            if (isInNet(hostIP, '0.0.0.0', '255.0.0.0') ||
                isInNet(hostIP, '10.0.0.0', '255.0.0.0') ||
                isInNet(hostIP, '127.0.0.0', '255.0.0.0') ||
                isInNet(hostIP, '169.254.0.0', '255.255.0.0') ||
                isInNet(hostIP, '172.16.0.0', '255.240.0.0') ||
                isInNet(hostIP, '192.0.2.0', '255.255.255.0') ||
                isInNet(hostIP, '192.88.99.0', '255.255.255.0') ||
                isInNet(hostIP, '192.168.0.0', '255.255.0.0') ||
                isInNet(hostIP, '198.18.0.0', '255.254.0.0') ||
                isInNet(hostIP, '224.0.0.0', '240.0.0.0') ||
                isInNet(hostIP, '240.0.0.0', '240.0.0.0')) {
                return 'DIRECT';
            }
            /* Don't proxy local addresses.*/
            if (false) {
                return 'DIRECT';
            }
        }
        /* Send remaining HTTP, HTTPS, and FTP traffic to the proxy */
        if (url.substring(0, 5) == 'http:' ||
            url.substring(0, 6) == 'https:' ||
            url.substring(0, 4) == 'ftp:') {
            return 'PROXY xyz1.example.com:8080';
        }
        return 'DIRECT';
    }
The following example shows a simple load distribution and failover using DNS:
    function FindProxyForURL(url, host)
    {
        /* Clients in 10.1.0.0/16 and 10.2.0.0/16 try xyz1 first and fail over to xyz2 */
        if (isInNet(myIpAddress(), "10.1.0.0", "255.255.0.0")) {
            return "PROXY xyz1.example.com:8080; " + "PROXY xyz2.example.com:8080";
        }
        if (isInNet(myIpAddress(), "10.2.0.0", "255.255.0.0")) {
            return "PROXY xyz1.example.com:8080; " + "PROXY xyz2.example.com:8080";
        }
        /* Clients in 10.3.0.0/16 and 10.4.0.0/16 try xyz2 first and fail over to xyz1 */
        if (isInNet(myIpAddress(), "10.3.0.0", "255.255.0.0")) {
            return "PROXY xyz2.example.com:8080; " + "PROXY xyz1.example.com:8080";
        }
        if (isInNet(myIpAddress(), "10.4.0.0", "255.255.0.0")) {
            return "PROXY xyz2.example.com:8080; " + "PROXY xyz1.example.com:8080";
        }
        else return "DIRECT";
    }
The following example (new in version 2.9) shows how to specify URLs to open in the native browser and URLs to block:
    function FindProxyForURL(url, host) {
        if (shExpMatch (url, "*example.org*")){
            return "PROXY example.net:8080; PROXY :3128";
        }
        if (dnsDomainIs (host, "blackberry.com")){
            return "NATIVE";
        }
        if (dnsDomainIs (host, ".example.com*")){
            return "BLOCK";
        }
        //redirect on http page
        if (shExpMatch (url, "*domain123.example.net*")){
            return "BLOCK http://domain1.example.org/";
        }
        return 'DIRECT';
    }
Configure PAC settings inBlackBerry UEM
Before you begin: Verify that the PAC file is not hosted on the same server asBlackBerry UEMor any of its components. This configuration is not supported.
1. In theBlackBerry UEMmanagement console, on the menu bar, clickApps.
2. Click theBlackBerry Accessapp.
3. On theBlackBerry Dynamicstab, in theApp configurationtable, click the app configuration that you want to
edit.
4. Click theNetworktab.
5. Select theEnable Web Proxyoption.
6. Select theUse Proxy Auto Configurationoption.
7. In theEnter URL for PAC file locationfield, type the fully qualified PAC file location.
8. Click theSecuritytab.
9. Select theEnforce strict tunneloption.
10.ClickSave.
11.For theBlackBerry Dynamicssubsystem to route traffic to a proxy resolved by the PAC file, every proxy server
and the PAC location must be allowed access throughBlackBerry Proxy. Perform the following actions: a) ClickPolicies and profiles.
b) ExpandConnectivity (BlackBerry Dynamics). c) ClickDefault. d)
Click .
e)
In theAllowed Domainstable, click .
f) Enter the domain and select theBlackBerry Proxyinstances to use with the proxy server that you included
in the PAC file .
g) ClickSave. h)
Click to add more PAC hosts.

Configure PAC settings in Good Control

Before you begin: Verify that the PAC file is not hosted on the same server as Good Control. This configuration is not supported.
1. In the Good Control console, in the navigator, click Policy Sets.
2. Select the BlackBerry Access policy that you want to configure.
3. Click the Edit icon.
4. Click the Application Policies tab.
5. Click Good Access.
6. Click the Network tab.
|Managing BlackBerry Access|34
7. Select the Enable Web Proxy option and enter the fully qualified PAC file location.
8. In the Enter URL for PAC file location field, type the fully qualified PAC file location.
9. For on-premises deployments, click the Security tab and make sure that the Enforce strict tunnel option is selected. For cloud deployments, Strict Tunnel must be disabled or you will block access to external sites.
10. Click Update.
11. For the BlackBerry Dynamics subsystem to route traffic to a proxy resolved by the PAC file, every proxy server and the PAC location must be allowed access through Good Proxy. Perform the following actions:
a) In the navigator, under Policies, click Connectivity Profiles.
b) Click Master Connection Profile.
c) Beside Allowed Domains, click Edit.
d) Enter the domain and select the Good Proxy instances to use with the proxy server that you included in the PAC file.
e) Click Add to include more entries.
f) Click Save to save these settings.
12. For on-premises deployments, verify that Strict Tunnel is enabled by repeating Steps 1 and 2 above and then clicking the Security tab. For cloud deployments, Strict Tunnel must be disabled or you will block access to external sites.

Test a PAC configuration

When you test PAC configurations, it's recommended that you enable debugging and detailed logging to accurately capture the sequence of operations. When detailed logging is enabled from the app, BlackBerry Access logs proxy-related errors to a special console found in device settings. To view this console, you can open BlackBerry Access on the device, tap Settings > Console.
BlackBerry Access also provides network utilities that can be used to debug a PAC file policy. To view these network utilities from the device, you can tap Settings > Advanced – Network Utilities, select PAC Resolve, and enter an IP or Hostname to check how the currently applied PAC file resolves it.

Refreshing PAC configuration on devices

You can ensure that the latest PAC configuration has been pushed to all devices by forcing a policy refresh of the BlackBerry Access policies and PAC settings in either BlackBerry UEM or Good Control.
Force a policy and PAC file refresh in BlackBerry UEM
If you have changed a policy and want to force BlackBerry UEM to send updates, including refreshing the PAC files on devices, perform the following steps in BlackBerry UEM:
1. On the menu bar, click Apps.
2. Click the BlackBerry Access app.
3. On the BlackBerry Dynamics tab, in the App configuration table, click the app configuration that you want to edit.
4. On the General tab, scroll to the To force policy update to device, enter current date and time and click update field.
5. Enter the date and time in either 24 hour format or 12 hour format. For example, 02-16-2017 12:04AM (12-hour) and 02-16-2017 0004 (24-hour).
6. Click Save.
Force a policy and PAC file refresh in Good Control
The Good Control server sends policy updates to all client devices when the policies have been changed.
|Managing BlackBerry Access|35
If you have changed a policy and want to force Good Control to send updates, including refreshing the PAC files on devices, perform the following steps in Good Control:
1. Click Policy Sets.
2. Click the policy set that you want to configure.
3. Click the Apps tab.
4. Expand the App Specific Policies section.
5. Scroll to find the entry for BlackBerry Access and click to expand.
6. Click the General tab.
7. Scroll to the To force policy update to device, enter current date and time and click update field.
8. Enter the date and time in either 24 hour format or 12 hour format. For example, 02-16-2017 12:04AM (12-hour) and 02-16-2017 0004 (24-hour).
9. Click Update.

PAC file FAQ

What happens when a PAC file can't be downloaded?
If a PAC policy is mentioned but the PAC file can't be downloaded, BlackBerry Access doesn't allow the browser to navigate to any web sites, and users see the following message: "Invalid web proxy configuration". Users can try reloading the page to restart the PAC file download so that BlackBerry Access can try to download the PAC file again.
When is a PAC file downloaded and how long is it cached?
For iOS devices, the PAC file is downloaded whenever the BlackBerry Access policy is updated and the app is unlocked. Whenever the BlackBerry Access policy comes to the app, the download sequence starts. When the device starts receiving the PAC file, the previous PAC file is replaced with the new one. After it is downloaded, the data is stored in a persisted file and it's not downloaded again unless a new policy is pushed by Good Control.
For Android devices, the PAC file is downloaded only at the time the user tries to load a webpage. When it's downloaded, the PAC data is stored in memory (not persisted) and not downloaded again until either the policy is updated, the app is restarted, or whenever the network changes. The PAC file is downloaded again when a user accesses a webpage after restarting the device or when network changes occur.
You can use the "Enable PAC proxy check for all the sub-resources" app setting to enforce PAC processing without caching. Setting this app setting has an impact on the performance of your organization’s environment. It's recommended to use this feature for special circumstances only.
Is there a cache timeout that controls whether the client will download PAC regularly?
There's no cache timeout for PAC files. The client doesn't download a new configuration unless it meets the criteria described in the previous question.
How can you force clients to update PAC files if the PAC URL is the same but the PAC content has changed?
Due to a limitation in Good Control, you cannot apply the policy without changing one of the fields in the policy.
You can force a refresh of BlackBerry Access policies, including PAC configuration, on user's devices.
|Managing BlackBerry Access|36
Why do users see an "Invalid Web Proxy Configuration" error message and how can users diagnose the problem?
This error message is displayed due to various conditions related to PAC files or the proxy server. Users can go to the console in BlackBerry Access to see more details. This error message can be displayed for the following reasons:
The PAC script couldn't be executed because of a JavaScript error. Unfortunately, BlackBerry Access can't detect JavaScript errors. It's recommended that you first test the PAC file in a browser on a computer and then deploy it to devices. A PAC tester tool is available to test the PAC here: https://code.google.com/p/pactester/.
The PAC file returns an empty value. In the case of computer browsers, they fall back to a connection without a web proxy. However, for security reasons, BlackBerry Access doesn't fall back and displays an error message instead.
None of the web proxies returned by the PAC files are whitelisted in Good Control client connections. For more information, see Configure PAC settings in Good Control.
The PAC URL is invalid, is not whitelisted, or the PAC URL couldn't be connected to. For more information, see Configure PAC settings in Good Control.
Manual proxy is set but the proxy details haven't been configured. For more information, see Configure PAC settings in Good Control.
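Several of the causes listed above (a JavaScript error in the PAC script, an empty return value, a proxy that is not in the allowed domains) can be caught on a workstation before the PAC file is published. The following Node.js script is an added example, not BlackBerry code: the helper shims, the HOSTS table, the sample PAC files, and the names lintPac and demo are constructed for illustration, and the accepted return-value grammar is inferred from the examples in this guide.

```javascript
// Added example: offline lint for a PAC file before it is published to devices.
// The shims cover only the PAC helpers used in this guide. HOSTS is a constructed
// lookup table that stands in for DNS so the check runs without network access.
const HOSTS = { 'intranet.example1.com': '10.1.2.3', 'www.example.org': '93.184.216.34' };

const isIPv4 = (s) => /^\d{1,3}(\.\d{1,3}){3}$/.test(s);
const ipToInt = (ip) => ip.split('.').reduce((n, o) => ((n << 8) | Number(o)) >>> 0, 0);

function makeShims(clientIp) {
  const dnsResolve = (h) => (isIPv4(h) ? h : HOSTS[h] || null);
  return {
    isPlainHostName: (h) => !h.includes('.'),
    dnsDomainIs: (h, d) => h.endsWith(d),
    shExpMatch: (s, glob) => {
      const re = glob.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
      return new RegExp('^' + re + '$').test(s);
    },
    isResolvable: (h) => dnsResolve(h) !== null,
    dnsResolve,
    myIpAddress: () => clientIp,
    isInNet: (h, net, mask) => {
      const ip = dnsResolve(h);
      if (ip === null) return false;
      const m = ipToInt(mask);
      return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
    },
  };
}

// One directive of a return value: DIRECT, NATIVE, BLOCK [redirect URL], or PROXY host:port.
const DIRECTIVE = /^(DIRECT|NATIVE|BLOCK( \S+)?|PROXY (\S+):(\d+))$/;

// Evaluate pacSource for each URL and return a list of findings (empty list = clean).
function lintPac(pacSource, urls, allowedProxyHosts, clientIp = '10.1.0.5') {
  const shims = makeShims(clientIp);
  const names = Object.keys(shims);
  let find;
  try {
    // Syntax errors and a missing FindProxyForURL surface here.
    find = new Function(...names, pacSource + '\nreturn FindProxyForURL;')(...names.map((n) => shims[n]));
  } catch (e) {
    return [{ url: null, problem: 'script-error', detail: e.message }];
  }
  const findings = [];
  for (const url of urls) {
    const host = new URL(url).hostname;
    let result;
    try {
      result = find(url, host); // runtime errors (for example an undefined variable) surface here
    } catch (e) {
      findings.push({ url, problem: 'script-error', detail: e.message });
      continue;
    }
    if (typeof result !== 'string' || result.trim() === '') {
      findings.push({ url, problem: 'empty-result', detail: String(result) });
      continue;
    }
    if (/[\r\n]/.test(result)) {
      findings.push({ url, problem: 'newline-in-result', detail: JSON.stringify(result) });
    }
    for (const part of result.split(';').map((p) => p.trim()).filter(Boolean)) {
      const m = DIRECTIVE.exec(part);
      if (!m) {
        findings.push({ url, problem: 'unknown-directive', detail: part });
      } else if (m[3] && !allowedProxyHosts.includes(m[3].toLowerCase())) {
        findings.push({ url, problem: 'proxy-not-allowed', detail: m[3] });
      }
    }
  }
  return findings;
}

// Constructed PAC files for the demonstration.
const GOOD_PAC = `function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isPlainHostName(host) || dnsDomainIs(host, ".example1.com")) { return "DIRECT"; }
  if (isResolvable(host) && isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0")) { return "DIRECT"; }
  return "PROXY xyz1.example.com:8080; PROXY xyz2.example.com:8080";
}`;
const BAD_PAC = `function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) { return ""; }                               // empty value
  if (dnsDomainIs(host, ".example.org")) { return "PROXY xyz3.example.com:8080"; } // proxy not allowed
  if (isInNet(hostIP, "10.0.0.0", "255.0.0.0")) { return "DIRECT"; }       // hostIP never defined
  return "PROXY xyz1.example.com:8080";
}`;
const URLS = ['http://portal/', 'https://intranet.example1.com/hr', 'https://www.example.org/'];
// Stand-in for the proxy hosts entered in the Allowed Domains list of the connectivity profile.
const ALLOWED = ['xyz1.example.com', 'xyz2.example.com'];

function demo() {
  return { good: lintPac(GOOD_PAC, URLS, ALLOWED), bad: lintPac(BAD_PAC, URLS, ALLOWED) };
}
```

Run the check against URLs that exercise every branch of the PAC file, because a runtime error in one branch stays hidden until a matching request is made.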

Configure RSA SecurID soft token authentication

BlackBerry Access for iOS and Android devices supports RSA SecurID soft token authentication. The software consists of an app and a separately installed, software-based security token that transfers password protection and authentication delegation to Good for Enterprise.
BlackBerry Access contains an embedded RSA SecurID authenticator that can generate and display a 6-digit or 8-digit tokencode at 30 or 60 second intervals.
1. To start a user’s RSA SecurID software authenticator, provision an RSA SecurID software token seed record and send it to the user in an email so that they can import the seed record into BlackBerry Access.
2. Configure an RSA SecurID application policy in BlackBerry UEM or Configure an RSA SecurID application policy in Good Control. The policy includes the email address of an RSA Authentication Manager administrator who is responsible for assigning and delivering software token seed records.
3. Generate the Compressed Token Format URL with the RSA Authentication Manager. Replace the protocol portion of the URL to send an HTTP URL to Good for Enterprise so that it can import the RSA token into BlackBerry Access:
Change the com.rsa.securid://ctf?ctfData=numeric_string or custom_url_scheme://ctf?ctfData=numeric_string to http://ctf?ctfData=numeric_string.
The URL is case sensitive: ctfData must be mixed case, as shown.
4. The seed record must be delivered in an .sdtid file or a Compressed Token Format URL. The user imports the seed record into BlackBerry Access.
5. A user that has BlackBerry Access already activated on their device opens the email message and clicks the RSA token to install it in BlackBerry Access.
After you finish:
The RSA administrator assigns a software token to the user, binds it to the user’s device ID, and sends the seed record to the user in a Compressed Token Format URL format.
The user opens the seed record in BlackBerry Access.
BlackBerry Access imports the seed record and instantiates the RSA SecurID authenticator.
|Managing BlackBerry Access|37

Configure an RSA SecurID application policy in BlackBerry UEM

1. In the BlackBerry UEM console, click Apps.
2. Click the BlackBerry Access app.
3. On the BlackBerry Dynamics tab, in the App configuration table, click the app configuration that you want to edit.
4. Click the RSA tab.
5. Select the Enable RSA SecurID checkbox.
6. BlackBerry Access must prompt a PINPAD software token user to enter their PIN in order to generate an RSA SecurID passcode. If you want BlackBerry Access to prompt users each time they request a passcode, select the Prompt PIN for PINPAD Token check box. Otherwise, BlackBerry Access will cache the PIN.
7. Enter your RSA Authentication Manager administrator’s email address in the RSA Administrator Email Address field. Good Control will send all token seed record requests to this address.
8. If you want to CC a recipient each time a BlackBerry Access user requests an RSA SecurID seed record, enter the recipient’s email address in the RSA Administrator CC Email Address field.
9. Click Save.

Configure an RSA SecurID application policy in Good Control

1. In the Good Control console, click Policy Sets.
2. Locate the policy set that you want to configure in the Policy Sets table and click the edit icon in the Action column.
3. Click the Apps tab.
4. In the App Specific Policies section, expand the BlackBerry Access policy.
5. Click the RSA tab.
6. Select the Enable RSA SecurID checkbox.
7. BlackBerry Access must prompt a PINPAD software token user to enter their PIN in order to generate an RSA SecurID passcode. If you want BlackBerry Access to prompt users each time they request a passcode, select the Prompt PIN for PINPAD Token check box. Otherwise, BlackBerry Access will cache the PIN.
8. Enter your RSA Authentication Manager administrator’s email address in the RSA Administrator Email Address field. Good Control will send all token seed record requests to this address.
9. If you want to CC a recipient each time a BlackBerry Access user requests an RSA SecurID seed record, enter the recipient’s email address in the RSA Administrator CC Email Address field.
10. Click Update.

Kerberos authentication support

BlackBerry Access fully supports Kerberos authentication. Kerberos authentication is an integral part of Microsoft Active Directory implementations that has increasingly become a centerpiece of enterprise-level interoperability. It provides secure user authentication through the Active Directory domain controller, which maintains the user account and login information necessary to access your organization's network.
The Kerberos protocol governs three system participants:
1. A KDC
2. The client device
3. The server it wants to access
The KDC is installed as part of the domain controller and performs two service functions: the Authentication Service and the TGS.
|Managing BlackBerry Access|38
When they log in to your network, users must negotiate access by providing a login name and password that's verified by the AS portion of the KDC within their domain. The KDC has access to the Active Directory user account information. After a user is authenticated, the user is granted a TGT that's valid for the local domain. The TGT is cached on the device, which uses it to request sessions with services throughout the network. You can configure the TGT’s default expiration.
In addition, BlackBerry Access is certified for Kerberos Constrained Delegation, a BlackBerry Dynamics platform feature that lets domain administrators restrict the network resources that a service trusted for delegation can access by limiting the scope where application services can act on a user’s behalf. When configured, Kerberos Constrained Delegation restricts which front-end service accounts can delegate to their back-end services. By supporting constrained delegation across domains, services can be configured to use constrained delegation to authenticate to servers in other domains rather than using unconstrained delegation. This provides authentication support for across-domain service solutions by using an existing Kerberos infrastructure without needing to trust front-end services to delegate to any service.

Mapping domains to Kerberos realms

When a client attempts to access a service running on a particular server, it knows the name of the service (host) and the name of the server (for example, server01.example.com), but because more than one Kerberos realm may be deployed on your network, it must guess the name of the realm in which the service resides.
By default, the name of the realm is taken to be the DNS domain name of the server in uppercase letters.
Example domain name        Example Kerberos realm name
server01.example.org       EXAMPLE.ORG
server01.example.com       EXAMPLE.COM
server01.hq.example.com    HQ.EXAMPLE.COM
In many configurations, this is sufficient, but in others, the derived realm name might not be the name of a valid realm. In these cases, the mapping from the server's DNS domain name to the name of its realm must be specified, as shown below.
For BlackBerry Access domain-to-realm mapping, you can record a list of comma-separated equivalencies in which the first mapping in the list is treated as the default domain mapping. It will be used if the user has left the domain field empty, as well as when the server requires NTLM or Kerberos authentication.
Another frequent use of this mapping is to equate a NetBIOS name that users might be familiar with to a Kerberos realm name that becomes more recognizable.
Map domains to Kerberos realms in BlackBerry UEM
1. In the BlackBerry UEM console, click Apps.
2. Click the BlackBerry Access app.
3. On the BlackBerry Dynamics tab, in the App configuration table, click the app configuration that you want to edit.
4. Click the Network tab.
5. In the field provided, enter the list of comma-separated values, using this syntax: domain=KERBEROS_REALM_NAME
The value of KERBEROS_REALM_NAME must always be in uppercase letters.
Example: eastdomain=EAST.EXAMPLE.CORP
6. Click Save.
Map domains to Kerberos realms in Good Control
1. In the Good Control console, click Policy Sets.
2. Locate the policy set that you want to configure in the Policy Sets table and click the edit icon in the Action column.
3. Click the Apps tab.
4. In the App Specific Policies section, expand the BlackBerry Access policy.
5. Click the Network tab.
6. In the field provided, enter the list of comma-separated values, using this syntax: domain=KERBEROS_REALM_NAME
The value of KERBEROS_REALM_NAME must always be in uppercase letters.
Example: eastdomain=EAST.EXAMPLE.CORP
7. Click Update.

Managing certificates

BlackBerry UEMandGood Controlsupport the use of public and private key (PKCS #12) certificates for signing email and client authentication.
The following section explains how to allow users to use certificates withBlackBerry Access. It assumes that you have already set up your environment to communicate with your CA. If you have not completed this step, refer to the following instructions, depending on your environment:
Connect BlackBerry UEM to your organization’s BlackBerry Dynamics PKI Connector
In theGood Controlonline help, see theCertificates Definitions Tabsection.
For more information on setting up your environment to use certificates, refer to the following:
ForGood Control,see the Certificates section in theGood Controlonline help.
ForBlackBerry UEM,see the Certificates section in theBlackBerry UEMadministration content.

Verify that BlackBerry Access can use certificates in BlackBerry UEM

By default, the BlackBerry Work and BlackBerry Access apps are allowed to use PKCS#12 certificates. For other BlackBerry Dynamics apps, you must allow them to use certificates. To verify that BlackBerry Access can use certificates, complete the following steps.
1. In the BlackBerry UEM console, click Apps.
2. Click the BlackBerry Access app.
3. On the BlackBerry Dynamics tab, in the User certificates section, make sure that the Allow BlackBerry Dynamics apps to use user certificates, SCEP profiles, and user credential profiles option is selected.
4. Click Save.

Verify that BlackBerry Access can use certificates in Good Control

By default, the BlackBerry Work and BlackBerry Access apps are allowed to use PKCS#12 certificates. You must add any other apps that you want to allow to the App Usage tab in Good Control. To verify that BlackBerry Access can use certificates, complete the following steps.
1. Navigate to the Certificates > App Usage tab.
|Managing BlackBerry Access|40
2. To add an app, click Add App.
3. In the dialog box, find the app that you want to add and select it. Click OK.
4. To remove an application, scroll through the list to find the app to remove.
5. Click X beside the app.
6. Click OK to remove the app or Cancel to retain it.
Upload certificates for users inBlackBerry UEM
The client certificate must have a .pfx or .p12 file name extension. You can send more than one client certificate to devices.
1. On the menu bar, clickUsers.
2. Search for a user account.
3. In the search results, click the name of a user account.
4.
In theIT policy and profilessection, click .
5. ClickUser certificate.
6. Type a description for the certificate.
7. In theCertificate filefield, clickBrowseto locate the certificate file.
8. ClickAdd.

Upload certificates for users in Good Control

You can upload PKCS#12 certificate files for users in Good Control.
Before you begin: The certificate files must have either a .p12 or .pfx file extension.
1. Navigate to Users and Groups.
2. Select a user to edit and click User Actions > Edit User.
3. Click the Certificates tab.
4. Click Upload.
5. Navigate to the PKCS#12 certificate file on your computer.
6. Select or open the file.
7. Follow the instructions on the screen to upload the certificate file.
Good Control displays the date of the upload. Good Control can't display more information about the certificate until the user uses the certificate at least once by entering the password to the certificate file. Until the password is entered, the certificate is encrypted and details can't be obtained from it.

Delete certificates for users in BlackBerry UEM

You can delete PKCS #12 certificate files for users in BlackBerry UEM.
1. On the menu bar, click Users.
2. Search for a user account.
3. In the search results, click the name of a user account.
4. In the BlackBerry Dynamics user certificates table, click beside the certificate that you want to delete.

Delete certificates for users in Good Control

You can delete PKCS#12 certificate files for users in Good Control.
1. Navigate to Users and Groups.
|Managing BlackBerry Access|41
2. Select a user to edit and click User Actions > Edit User.
3. Click the Certificates tab.
4. Select the certificate that you want to delete.
5. Click Delete.

Security features

BlackBerry Accessis built using theBlackBerry Dynamics SDKand provides users with access to your organization's network behind your firewall. For more information about security and theBlackBerry Dynamics SDK, including how data-at-rest and data-in-transit is secured, cryptography details, and policy enforcement, see theBlackBerry DynamicsSecurity White Paper.
BlackBerry Accessprotects data with anti-debugging techniques, method integrity checking, and source code obfuscation of security-sensitive code on all platforms. Unlike users oniOSandAndroidplatforms, users on aWindowsandmacOSplatforms have administrator privileges.BlackBerry Access for WindowsandBlackBerry Access for macOSdo not have compliance rules that detect whether a device is jailbroken or rooted.BlackBerry Access for WindowsandBlackBerry Access for macOShave an additional compliance policy to check for the presence of antivirus software.
The following are some additional security features that are specific toBlackBerry Access:
All browser data stored in a secure container
Support for PAC files
Connectivity profiles that define the network connections, Internet domains, IP address ranges, and app servers that devices can connect to when usingBlackBerry Access
DLP policy enforcement
Support for various authentication methods, including client certificates,Kerberos, and more
SeparateBlackBerry Dynamicscertificate store
Support for S/MIME inBlackBerry Work for WindowsandBlackBerry Work for macOS
Secure file downloads and secure file viewer
Policy that specifies which extensions can be downloaded inBlackBerry Access

Remote data wipe

Wiping data is a process that allows you to remotely erase data from a user's device when a violation or breach of security policy is detected, a user’s network permissions are changed or revoked, or the user’s employment is terminated. When data is wiped, the secure container on the device where files and folders that the organization owns are located is physically rewritten with zeros to prevent data recovery. This is different from an ordinary file deletion, where only the pointer to the file in the file allocation table is deleted.

Send device commands to BlackBerry Access in BlackBerry UEM

After BlackBerry Access, or any other BlackBerry Dynamics app, has been installed on a device, you can perform actions on the apps. For example, you can delete app data if a user has lost a device.
1. On the menu bar, click Users.
2. Search for a user account.
3. In the search results, click the name of the user account.
4. Select the device tab for the device that has installed the app that you want to manage.
5. In the BlackBerry Dynamics apps section, perform one of the following actions:
|Managing BlackBerry Access|42
Task Steps
Lock app Lock the BlackBerry Dynamics app. This is useful when a user has lost
a device but may recover it. The app cannot be accessed but app data is not deleted.
Unlock app Unlock the BlackBerry Dynamics app. The user will regain access to
the app and app data.
Delete app data Delete all data for the BlackBerry Dynamics app and make the app
unusable. The app data cannot be recovered. This is useful when a user has lost a device and cannot recover it.
Logging on Turn on app logging. Logging is set to debug level.
Logging off Turn off app logging.
Upload log file Upload the app logs from the device to the BlackBerry Dynamics NOC.
Get app events Display detailed information about compliance and other app events.
6. Confirm whether you want to complete the action.

Send device commands to BlackBerry Access in Good Control

After BlackBerry Access, or any other BlackBerry Dynamics app, has been installed on a device, you can perform actions on the apps. For example, you can delete app data if a user has lost a device.
1. Navigate to Users and Groups > select a user > Edit > Devices and Apps > select a device > Installed Apps.
2. Check the checkboxes for the applications you want to change.
3. In the search results, click the name of the user account.
4. Using the App Actions menu on the right, perform one of the following actions:
Task               Steps
Lock app           Lock the BlackBerry Dynamics app. This is useful when a user has lost a device but may recover it. The app cannot be accessed but app data is not deleted.
Unlock app         Unlock the BlackBerry Dynamics app. The user will regain access to the app and app data.
Delete app data    Delete all data for the BlackBerry Dynamics app and make the app unusable. The app data cannot be recovered. This is useful when a user has lost a device and cannot recover it.
Logging on         Turn on app logging. Logging is set to debug level.
Logging off        Turn off app logging.
Upload log file    Upload the app logs from the device to the BlackBerry Dynamics NOC.
Get app events     Display detailed information about compliance and other app events.
5. Confirm whether you want to complete the action.

Secure storage of browsing activity

All BlackBerry Access browsing activity, including browser data, the cache, and cookies, is encrypted and stored in a secure container on devices. The secure container ensures that work data is stored separately from personal data on devices.

SSL and TLS

The SSL transmission protocol employs a cryptographic system that uses two keys to encrypt data: a public key known to everyone and a private, or secret, key known only to the recipient of the message. TLS is the successor to SSL.
Both protocols use X.509 certificates and asymmetric cryptography to identify the counterparty with whom they are talking, and to exchange a symmetric key. This session key is then used to encrypt data flowing between the parties, providing data and message confidentiality, along with message authentication codes for message integrity and message authentication. An important characteristic is perfect forward secrecy (PFS), which means that the short-term session key cannot be derived from the long-term asymmetric secret key.

NTLMv2 authentication

NTLMv2 is a challenge-response authentication protocol and a cryptographically strengthened replacement for NTLMv1. Kerberos, which is the preferred authentication protocol for Windows and Microsoft Active Directory domains, is used when a server belongs to a Windows Server domain or if a trust relationship with a Windows Server domain is established in some other way, such as Linux to Microsoft Active Directory authentication.
NTLMv2 sends two 16-byte responses to an 8-byte server challenge. The two responses are:
The HMAC-MD5 hash of the server challenge, which is a randomly generated client challenge
An HMAC-MD5 hash of the user's password and other identifying information
The formula that is used begins with the NT hash, which is stored in the SAM or Active Directory, and continues to hash in the username and domain name, using HMAC-MD5.
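The following added example (not part of the BlackBerry guide) carries that formula through in Python from the verifying server's side, following the NTLMv2 construction in Microsoft's MS-NLMP specification. The function names are hypothetical and the sample account values are the published MS-NLMP sample values (user "User", domain "Domain", password "Password").

```python
import hmac

# Sample values from the MS-NLMP specification (not real credentials).
SAMPLE_NT_HASH = bytes.fromhex("a4f49c406510bdcab6824ee7c30fd852")
SAMPLE_SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")   # 8 bytes
SAMPLE_CLIENT_CHALLENGE = bytes.fromhex("aa" * 8)             # 8 bytes


def ntlmv2_key(nt_hash: bytes, user: str, domain: str) -> bytes:
    """Hash the username and domain into the NT hash with HMAC-MD5.

    The NT hash is the HMAC key; the message is UPPERCASE(user) + domain,
    encoded as UTF-16LE. The NT hash is the only secret input, so it has to
    be protected like the password itself.
    """
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, "md5").digest()


def lmv2_response(key: bytes, server_challenge: bytes,
                  client_challenge: bytes) -> bytes:
    """16-byte HMAC-MD5 proof followed by the 8-byte client challenge."""
    proof = hmac.new(key, server_challenge + client_challenge, "md5").digest()
    return proof + client_challenge


def ntv2_response(key: bytes, server_challenge: bytes,
                  client_blob: bytes) -> bytes:
    """16-byte HMAC-MD5 proof followed by the variable-length client blob
    (timestamp, client challenge and target information)."""
    proof = hmac.new(key, server_challenge + client_blob, "md5").digest()
    return proof + client_blob


def verify_response(nt_hash: bytes, user: str, domain: str,
                    server_challenge: bytes, response: bytes) -> bool:
    """Server-side check for either response.

    The server recomputes the proof from its stored NT hash, the challenge it
    issued and the client data appended to the response, then compares in
    constant time.
    """
    if len(server_challenge) != 8 or len(response) < 24:
        return False
    proof, client_data = response[:16], response[16:]
    key = ntlmv2_key(nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + client_data, "md5").digest()
    return hmac.compare_digest(proof, expected)


if __name__ == "__main__":
    key = ntlmv2_key(SAMPLE_NT_HASH, "User", "Domain")
    resp = lmv2_response(key, SAMPLE_SERVER_CHALLENGE, SAMPLE_CLIENT_CHALLENGE)
    print("NTLMv2 key   :", key.hex())
    print("LMv2 response:", resp.hex())
    print("verifies     :", verify_response(
        SAMPLE_NT_HASH, "User", "Domain", SAMPLE_SERVER_CHALLENGE, resp))
```

Because the server challenge is part of the HMAC input, a response recorded for one challenge does not verify against a different challenge.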

HTTP basic authentication

HTTP basic authentication is the simplest technique for enforcing access controls to web resources because it doesn’t require cookies, session identifiers, or login pages. Instead, HTTP basic authentication uses static, standard HTTP headers, which means that no handshakes have to be done in anticipation.
However, the basic authentication mechanism provides no confidentiality protection for the transmitted credentials. They are merely encoded with Base64 in transit, but not encrypted or hashed. Basic authentication should therefore only be used over HTTPS.

User passwords

Users can change their passwords in the BlackBerry Access settings.
|Managing BlackBerry Access|44

Video support

BlackBerry Access for iOS devices supports many video formats. YouTube videos aren't supported because they are served with non-compliant tags that can't be replaced or rewritten by BlackBerry Access. You must open YouTube videos in a native browser instead. BlackBerry Access for iOS devices supports the same video formats that Apple does, except for the following legacy formats: M2V, 3GP, and 3GP-2.
To securely play videos on web sites, the HTML5 <video> tag with the <source> element's src attribute is required at the time the page is loaded in the browser. If BlackBerry Access can't detect a <video> tag, the video playback isn't secured. The following is a sample of the tags:
<video width="320" height="240" controls>
  <source src="test.mp4" type="video/mp4">
  <source src="test.ogg" type="video/ogg">
  Your browser does not support the video tag.
</video>
Web servers that serve videos must be configured for byte streaming so that BlackBerry Access can play them. The web server must support the HTTP 206 Partial Content response. Otherwise, videos are downloaded to the device, and the user must play them manually.

Video support FAQ

Q. What are the limitations in the ability of BlackBerry Access to trap all video elements in the website and stream them securely through BlackBerry Dynamics?
Because BlackBerry Access uses Apple's WebKit to render the HTML data, it isn't possible to catch all video elements and redirect them through the BlackBerry Dynamics network. Instead, BlackBerry Access runs some additional JavaScript after the page is loaded to replace the video elements with a custom URL. The custom URL makes the native player call back to BlackBerry Access application logic when it needs to fetch data, so that the video data can be streamed through BlackBerry Dynamics. There are a few limitations due to the fact that BlackBerry Access translates video elements after the page is loaded:
While a page is being loaded (not fully loaded), if the user taps on any of video elements, the player may request data directly and not go through BlackBerry Dynamics. The video playback may not work if the HTTP server that hosts video can't be reached directly. Users must wait for the page to load completely, and the video icons must be replaced by BlackBerry Access playback icons.
Some of the pages have logic to dynamically create video elements based on user action after the page is loaded. These dynamically inserted video elements may not be playable through BlackBerry Access secured streaming.
Custom JavaScript players and HTML elements are not supported.
Q. What are the requirements for video to be streamed and played in BlackBerry Access through BlackBerry Dynamics?
BlackBerry Access supports secure streaming of video files hosted within corporate intranet through HTTP based video streaming over BlackBerry Dynamics based secured connection. The current solution requires the following setup to work seamlessly:
The HTTP server hosting video has to support range requests. Otherwise the video can't be played back.
The network that the device is connected to should be able to support the minimum bitrate needed by the video files. The bitrate differs based on the resolution of the video. If this rate is not met, the video either doesn't play back or pauses frequently while the player tries to buffer the data.
It is recommended to have BlackBerry Access connected to the Good Proxy server using BlackBerry Dynamics Direct Connect instead of through the BlackBerry Dynamics NOC for less latency and better video playback.
|Managing BlackBerry Access|45
Q. What video files are supported by BlackBerry Access?
BlackBerry Access uses the iOS native video player and should support most of the audio/video codecs and containers supported by the native player. BlackBerry Access has been tested for video and audio encoded with AAC, MP3, MPEG 4, H.264, and MP4 contained in video containers. BlackBerry Access doesn't support 3GP.
Q. What is the maximum size of video file supported?
BlackBerry Access uses 32-bit values to keep track of video offset, so it can support up to 2 GB of data. Only video files up to 700 MB have been tested.
Q. Where are video files buffered and what are limitations with buffering?
BlackBerry Access has a limited amount of buffering in RAM (volatile program memory). The memory is capped at 20 MB currently, and no video data is stored in the file. Because caching doesn't persist in the file, the video player may have to fetch the same data repeatedly depending on how the user plays the video.
Q. Why does it take a lot of time to start video playback when I go forward or back in a video?
Because seeking requires BlackBerry Access to fetch data from the network by issuing new connections and requesting a new data range, it takes time for the connection request and fetch depending on the current bandwidth and latency. Also, because of limited non-persistent buffering, BlackBerry Access may not have previously played data when the user seeks back while watching video and must request the data from the server again.
Q. How do I download a video file and watch it later?
The download option is available only for the video files whose locations are referred in the link tag (href) or when the video URL is entered in the address bar. BlackBerry Access doesn't support download to file for videos that are embedded in HTML files using <video> tags.
Q. Why does my BlackBerry Access application lock while watching video?
This is because of a security restriction in BlackBerry Dynamics and the IT policy. The video player doesn't reset the idle timeout, so the device can lock while the user is watching video. You may have to tap the screen now and then to reset the idle timeout.
Q. Is Apple's HTTP live streaming supported?
Yes.
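The 206 Partial Content requirement in the video support section and the range-request and 2 GB statements in the FAQ can be checked before a video is published. The following is an added example, not part of the BlackBerry guide: a Python probe that requests only the first byte of a video URL. The function names and the two loopback demo servers are hypothetical, and reading "2 GB" as 2**31 bytes is an assumption.

```python
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Assumption: the guide's 2 GB ceiling (32-bit video offsets) is 2**31 bytes.
MAX_VIDEO_BYTES = 2**31
CONTENT_RANGE = re.compile(r"bytes (\d+)-(\d+)/(\d+|\*)")


def probe_video_server(url, timeout=5.0):
    """Ask for byte 0 only and report how the server answered."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("GET", target, headers={"Range": "bytes=0-0"})
        resp = conn.getresponse()
        status = resp.status
        match = CONTENT_RANGE.fullmatch(resp.getheader("Content-Range", ""))
    finally:
        conn.close()  # the body is never read: a 200 reply may be the whole file
    supported = status == 206 and match is not None
    total = int(match.group(3)) if supported and match.group(3) != "*" else None
    return {
        "status": status,
        "range_supported": supported,
        "total_bytes": total,
        "within_2gb": None if total is None else total <= MAX_VIDEO_BYTES,
    }


class DemoVideoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a video host; it sends zero bytes as content."""
    total = 1024          # advertised file size in bytes
    honor_range = True    # False imitates a server without range support

    def do_GET(self):
        rng = re.fullmatch(r"bytes=(\d+)-(\d*)", self.headers.get("Range", ""))
        if self.honor_range and rng and int(rng.group(1)) < self.total:
            start = int(rng.group(1))
            end = min(int(rng.group(2) or self.total - 1), self.total - 1)
            body = b"\0" * (end - start + 1)
            self.send_response(206)
            self.send_header("Content-Range", f"bytes {start}-{end}/{self.total}")
        else:
            body = b"\0" * 64   # Range ignored: the full (tiny) file comes back
            self.send_response(200)
        self.send_header("Content-Type", "video/mp4")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_demo_server(total, honor_range):
    """Start a loopback demo server; returns (server, url)."""
    handler = type("Handler", (DemoVideoHandler,),
                   {"total": total, "honor_range": honor_range})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/video.mp4"


if __name__ == "__main__":
    cases = [("700 MB, ranges on", 700 * 1024**2, True),
             ("3 GB, ranges on", 3 * 1024**3, True),
             ("ranges off", 1024, False)]
    for label, size, honor in cases:
        server, url = start_demo_server(size, honor)
        print(label, "->", probe_video_server(url))
        server.shutdown()
        server.server_close()
```

A result with range_supported set to False corresponds to the case the guide describes, where the video is downloaded instead of streamed.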

Configuring allowed Internet domains

You can configure default and allowed Internet domains for users to use in BlackBerry Access. This allows users to reach servers by typing the unqualified domain name instead of the FQDN. For example, if your organization has an internal server running knowledge base software with an FQDN of kb.example.com, you can configure domain information so that users can reach that server by simply typing "kb" in the browser.
You use connectivity profiles to specify allowed Internet domains in either BlackBerry UEM or Good Control. You can set up configurations that apply to your entire user base or configurations that apply only to specific user groups.
For more information, see one of the following, depending on your environment:
If you are using BlackBerry UEM, see Create a BlackBerry Dynamics connectivity profile in the BlackBerry UEM Administration content.
If you are using Good Control, see the Good Control Help content.
|Managing BlackBerry Access|46

Changing communications protocols

UsingBlackBerry UEMorGood Control, you can allow certain secure communications protocols, such as TLSv1.0 or TLSv2, for communication with client devices.
You should be careful when you disable protocols. Check with your organization's IT staff to find out which protocols can be safely disabled. Otherwise, you might disable a protocol that's used on your network, and this can disrupt the secure handshake that's required betweenBlackBerry UEMorGood Controland users' devices, and users may receive a “Page Not Found” message.
BlackBerry Access for iOShas its own application policy that controls which communications protocol to use.
For more information, see one of the following, depending on your environment:
If you are usingBlackBerry UEM, seeConfiguringBlackBerry UEMto make TLS/SSL connections toExchange
ActiveSyncin theBlackBerry UEMConfiguration content.
If you are usingGood Control, see theGood ControlHelp content.

Configure access to WebRTC-based destinations

You canconfigureBlackBerry Access for macOSandBlackBerry Access for Windowstoallow communication using WebRTC protocol-based web clients such asCitrixVDI browser-based access.
Note: BlackBerry Access blocks the camera and microphone. Any WebRTC clients trying to use the camera or microphone onWindowsormacOSis not supported.
WebRTC trafficcan often have high bandwidth demands. For this reason,BlackBerryrecommends routing this traffic directly.
Route WebRTC traffic directly
If the WebRTC destination is accessible directly over the internet, use the following routing configuration:
On theSecuritytab of theBlackBerry Accessapp configuration policy, clear theEnforce Strict Tunnelcheckbox to disable strict tunnel.
Configure theBlackBerry DynamicsConnectivity profile to route traffic directly to the WebRTC destination, as follows:
ForBlackBerry UEMversion 12.11 and later: Add the WebRTC destination URL to theAdditional
serverssection and specifyDirect connectivity. This allows the connection to route directly even if the default route is set to use aBlackBerry Proxycluster.
ForBlackBerry UEMversion 12.10 and earlier andGood Control: DisableRoute All. Ensure that existing
internal domains or servers are configured to route throughBlackBerry Proxyclusters. Do notadd the WebRTC destination to theBlackBerry DynamicsConnectivity profile. This will allow the connection to route directly.
This configuration supports both TCP- and UDP-based WebRTC connections.
Note: TheBlackBerry DynamicsConnectivity profile and strict tunnel configuration have no effect on UDP connections. UDP connections route directly to the WebRTC destination through the local internet connection.
Route WebRTC traffic through BlackBerry Proxy
If the WebRTC destination is notdirectly accessible over the internet, or the traffic is required to route through aBlackBerry Proxycluster, take the following items into consideration:
To route WebRTC traffic throughBlackBerry Proxyclusters, theBlackBerry Proxyclusters must be configured to use Direct Connect.For more information, seethe Direct Connect content.
|Managing BlackBerry Access|47
Note: If you do not configure theBlackBerry Proxyclusters with Direct Connect, the WebRTC destination does not load. For more information, visitsupport.blackberry.com/communityto read article 62766.
Ensure that enoughBlackBerry Proxyservers are installed to handle the load generated by the WebRTC traffic.
This configuration supportsonlyTCP-based WebRTC connections.BlackBerry Proxyservers support only TCP protocol. UDP-based WebRTC connections do not work if the traffic is routed throughBlackBerry Proxy.

Allow users to open custom URL schemes

By default, BlackBerry Access opens only HTTP and HTTPS URL schemes. You can use the "Enable 3rd Party Applications" and "Enter comma separated URL schemes" app settings in BlackBerry UEM or Good Control to allow users to open custom URL schemes supported by third-party apps. For more information about these app settings, see BlackBerry Access app configuration settings.
You must add the third-party URL scheme names in the "Enter comma separated URL schemes" app setting, or users are blocked from accessing the third-party apps. You can find the names of blocked third-party URL schemes in the BlackBerry Access console log.
Before you begin: Verify that detailed logging is enabled in BlackBerry Access.
1. In BlackBerry Access, click the URL to access the third-party application.
2. Wait until BlackBerry Access returns the following error message: URL scheme is blocked.
3. Go to the BlackBerry Access console.
4. Look for the error message for the blocked URL scheme.
5. In BlackBerry UEM or Good Control, add the name of the URL scheme to the "Enable 3rd Party Applications" app setting.
Allow users to securely edit files within an app in BlackBerry Access on Windows or macOS
To allow users to securely edit files within an app in BlackBerry Access on Windows or macOS, add the Secure Document Editing app to the user's allowed apps in BlackBerry UEM. This requires the "Secure Editing of Office Documents (Word, PPT and Excel)" license. Contact BlackBerry Sales for more information. For more information, see Assign an app to a user account in the BlackBerry UEM Administration content.
Identifying BlackBerry Access in user agent
When a BlackBerry Access user visits a website, BlackBerry Access sends its user agent string to the server that hosts the website. The user agent string contains tokens that provide information, such as the browser description, operating system, and current browser mode, in the HTTP request headers. The website server may use this information in the user agent string to provide content tailored to mobile browsers.
The user agent string does not include any identifiable tokens to indicate that the browser is BlackBerry Access. To add "GoodAccess" or "Good Access" and the version information of the BlackBerry Access app to the user agent string, enable the "Identify BlackBerry Access in User Agent" setting on the General tab of the BlackBerry Access app config in BlackBerry UEM or in the App Specific Policy of the assigned Policy Set in Good Control.
The following are examples of user agent strings when the setting is not enabled:
|Managing BlackBerry Access|48
BlackBerry Access for Android:
Mozilla/5.0 (Linux; Android 8.1.0; BBF100-2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.99 Mobile Safari/537.36
BlackBerry Access for iOS:
Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_6 like Mac OS X) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0 Mobile/15D100 Safari/604.5.6
BlackBerry Access for Windows:
Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.91 Safari/537.36
BlackBerry Access for macOS:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.91 Safari/537.36
The following are examples of user agent strings when the setting is enabled:
BlackBerry Access for Android:
Mozilla/5.0 (Linux; Android 4.1.1; SAMSUNG-SGH-I747/JRO03L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.45 Mobile Safari/537.36 GoodAccess/<app version>
BlackBerry Access for iOS:
Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_6 like Mac OS X) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0 Mobile/15D100 Safari/604.5.6 GoodAccess/<app version>
BlackBerry Access for Windows:
Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.91 Safari/537.36 Good Access/<app version>
BlackBerry Access for macOS:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.91 Safari/537.36 Good Access/<app version>
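On the web server side, the token can be picked out of access logs once the setting is enabled. The following is an added example, not part of the BlackBerry guide: a Python parser that accepts both spellings shown above ("GoodAccess/" and "Good Access/") and counts requests per platform and app version. The function names, log lines, IP addresses and the version 3.0.1.100 are constructed for illustration.

```python
import re
from collections import Counter

# Both spellings from the guide: "GoodAccess/<ver>" (Android, iOS) and
# "Good Access/<ver>" (Windows, macOS).
TOKEN = re.compile(r"\bGood ?Access/(?P<version>\S+)")
# Tail of a combined-format access log line: "request" status bytes "referer" "ua"
LOG_TAIL = re.compile(
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"\s*$')


def classify_user_agent(ua):
    """Return platform, and whether the BlackBerry Access token is present.

    The header is supplied by the client, so the result is a hint for content
    tailoring and log analysis, not an access-control decision.
    """
    if "Android" in ua:
        platform = "Android"
    elif "iPhone" in ua or "iPad" in ua:   # checked before macOS: iOS says "like Mac OS X"
        platform = "iOS"
    elif "Windows NT" in ua:
        platform = "Windows"
    elif "Macintosh" in ua:
        platform = "macOS"
    else:
        platform = "unknown"
    match = TOKEN.search(ua)
    return {
        "blackberry_access": match is not None,
        "version": match.group("version") if match else None,
        "platform": platform,
    }


def summarize_access_log(lines):
    """Count requests carrying the token, keyed by (platform, version)."""
    counts = Counter()
    for line in lines:
        tail = LOG_TAIL.search(line)
        if not tail:
            continue  # not a combined-format line
        info = classify_user_agent(tail.group("ua"))
        if info["blackberry_access"]:
            counts[(info["platform"], info["version"])] += 1
    return counts


# Constructed sample log: user agent strings follow the guide's examples,
# with a made-up version in place of <app version>.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/May/2020:10:00:01 +0000] "GET /kb HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_6 like Mac OS X) AppleWebKit/604.5.6 '
    '(KHTML, like Gecko) Version/11.0 Mobile/15D100 Safari/604.5.6 GoodAccess/3.0.1.100"',
    '198.51.100.8 - - [12/May/2020:10:00:02 +0000] "GET /kb HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/61.0.3163.91 Safari/537.36 Good Access/3.0.1.100"',
    '198.51.100.9 - - [12/May/2020:10:00:03 +0000] "GET /kb HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/61.0.3163.91 Safari/537.36"',
    '198.51.100.7 - - [12/May/2020:10:00:04 +0000] "GET /kb/1 HTTP/1.1" 200 900 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_6 like Mac OS X) AppleWebKit/604.5.6 '
    '(KHTML, like Gecko) Version/11.0 Mobile/15D100 Safari/604.5.6 GoodAccess/3.0.1.100"',
]

if __name__ == "__main__":
    for key, n in summarize_access_log(SAMPLE_LOG).items():
        print(key, n)
```

With the setting disabled, the third sample line shows why such requests cannot be told apart from an ordinary desktop browser.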

Good Control cloud deployments and intranet servers

When you use BlackBerry Access with the Good Control cloud configuration, intranet servers (resources on your internal network) aren't accessible.
In on-premises instances of Good Control, you have access to a Good Proxy server, which must be configured to allow access from outside your organization's firewall. However, in Good Control Cloud, there's no administrator-accessible Good Proxy server because you don't configure servers, ports, web proxies, or other hardware or network settings. You can't configure access to an intranet in Good Control Cloud because there are multiple distributed intranets that belong to different organizations. For security reasons, these intranets can't be part of the shared cloud configuration.
|Managing BlackBerry Access|49
UsingBlackBerry Analyticsto collect app data
You can enable theBlackBerry Analyticsfeature for your users if you want to capture events inBlackBerry Dynamicsapps, such as when the user starts theBlackBerry Dynamicsapps, the user’s platform, and when the app goes into the background. You can view and analyze the metrics by logging in to theBlackBerry Dynamicsweb-based system and accessing the Analytics dashboard. For more information aboutBlackBerry Analytics, visitBlackBerry Help and Manuals: BlackBerry Analytics.

Configure a compliance rule for Windows antivirus detection in Good Control

You can use a compliance rule to check if antivirus software is installed and running on Windows.
1. On the menu bar, click Policy Sets.
2. Click the name of the policy that you want to assign to users.
3. Click the COMPLIANCE POLICIES tab.
4. Expand ANTIVIRUS STATUS (WIN32 ONLY).
5. For Checks Antivirus Status, select Enable.
6. For Failure Action, select the action to take if users are not compliant.
7. Click Update.

Configure support for FQDN resolution in Good Control

In Good Control, you can configure support for FQDN resolution for Kerberos authentication.
1. On the menu bar, click GP Server Properties.
2. On the DEFAULT GP SERVER PROPERTIES tab, select the check box for gp.gps.unalias.hostname.
3. Click Submit.
|Managing BlackBerry Access|50

Troubleshooting

Diagnostics

If a user is reporting an issue, you can ask them to perform app diagnostics.
You can use diagnostic tools to check the connection between BlackBerry Access and BlackBerry Proxy and other target servers.
BlackBerry Access for iOS also has a “Collect network summary” option that you can use to collect and display a summary of your internet usage. The summary, which can be used for diagnostics, displays information such as delays in connections, authentication handshakes, and proxy resolution.
Generate a diagnostics report oniOSdevices
You can ask users to generate a diagnostics report and then email the results.
Before you begin: Provide the following instructions to users:
1.
Tap to open theBlackBerry Dynamics Launcher.
2.
Tap .
3. In the Support section, tapRun Diagnostics.
4. TapStart Diagnostic.
5. ClickStart.
6. When the diagnostics complete, clickShare logsto send an email with the report details.
Generate a diagnostics report onAndroiddevices
You can ask users to generate a diagnostics report and then email the results.
Before you begin: Provide the following instructions to users:
1.
Tap to open theBlackBerry Dynamics Launcher.
2.
Tap .
3. In the Support section, tapRun Diagnostics.
4. TapStart Diagnostics.
5. When the diagnostics complete, clickShare Resultsto send an email with the report details.
Troubleshoot issues using theBlackBerry Accessconsole
You can use theBlackBerry Accessconsole to help users find possible causes of issues that they might encounter.
Provide the following instructions to users:
1.
Tap to open theBlackBerry Dynamics Launcher.
2.
Tap .
3. TapSettings.
4. TapConsole.
|Troubleshooting|51
5. Look at the displayed messages to see if they indicate what the problem is.

Upload log files to BlackBerry Support

If requested by BlackBerry Support, you can upload log files to help troubleshoot issues that your users are having with BlackBerry Dynamics apps.
Provide the following instructions to users:
1. Tap to open the BlackBerry Dynamics Launcher.
2. Tap .
3. In the Advanced section, click Logs.
4. Click Upload Logs.

Troubleshoot connectivity issues

If users are reporting connectivity issues, you can ask them to perform connectivity tests. These tests also help you troubleshoot proxy servers and PAC file configurations. Tests are performed on the connections between the device, other servers, and the BlackBerry Dynamics NOC, and do not go through the BlackBerry Proxy (if using BlackBerry UEM) or Good Proxy (if using Good Control).
Provide the following instructions to users:
1. Tap to open the BlackBerry Dynamics Launcher.
2. Tap .
3. In the Advanced section, choose one of the following:
On iOS devices, click Network Utilities.
On Android devices, click Net Tools.
4. Provide the URL or IP address that you want to test to users and tell them to enter it.
5. Depending on what you want to test, tell users to select either Ping, Trace, or Lookup.

Troubleshoot routing issues

The tables in this section provide details about how BlackBerry Access routes traffic depending on whether a manual proxy or proxy autoconfiguration (PAC) is used. You can use this information to troubleshoot browsing issues related to traffic routing.
Note: The table does not describe the situation where a target URL is configured to be blocked by either the BlackBerry Dynamics Connectivity Profile or the PAC file because the URL is always blocked no matter which other configurations are in place.
Legend
No proxy: The proxy server is not specified in the BlackBerry Access app configuration.
Manual proxy: A web proxy server is manually specified in the BlackBerry Access app configuration. When a web proxy is specified in this way, BlackBerry Access attempts to route all traffic through the web proxy.
PAC: A PAC file is specified in the BlackBerry Access app configuration. When a PAC is configured, BlackBerry Access follows the rules specified in the PAC to determine whether to send traffic through the web proxy. Specifies the result of the PAC file check against the target host (DIRECT, PROXY, BLOCK, NATIVE).
Host route = BBP: The specified target URL is configured to route through a BlackBerry Proxy cluster based on the BlackBerry Dynamics Connectivity Profile. This URL is explicitly defined, or is under the Default Route or an Allowed domains rule.
Host route = DIRECT: The specified target URL is configured to route directly based on the BlackBerry Dynamics Connectivity Profile. This URL is explicitly defined or is under the Default Route.
Web proxy route = BBP: The proxy server's URL is configured to route through a BlackBerry Proxy cluster based on the BlackBerry Dynamics Connectivity Profile. This URL is explicitly defined, or is under the Default Route or an Allowed domains rule.
Web proxy route = DIRECT: The proxy server's URL is configured to route directly based on the BlackBerry Dynamics Connectivity Profile. This URL is explicitly defined or is under the Default Route.
Configuration | Strict tunnel on | Strict tunnel off
No proxy; Host route = BBP | BlackBerry Access routes traffic through the BlackBerry Proxy cluster. | BlackBerry Access routes traffic through the BlackBerry Proxy cluster.
No proxy; Host route = DIRECT | The host is blocked because of strict tunnel. | BlackBerry Access routes traffic directly to the host.
Manual proxy; Host route = BBP; Web proxy route = BBP | BlackBerry Access routes traffic through the BlackBerry Proxy cluster and then through the web proxy. | BlackBerry Access routes traffic through the BlackBerry Proxy cluster and then through the web proxy.
Manual proxy; Host route = DIRECT; Web proxy route = BBP | BlackBerry Access routes traffic through the BlackBerry Proxy cluster and then through the web proxy. | BlackBerry Access routes traffic through the BlackBerry Proxy cluster and then through the web proxy. Note: Even though the host does not resolve in the BlackBerry Dynamics Connectivity Profile, the web proxy does resolve. Therefore all traffic through the web proxy goes through the BlackBerry Proxy cluster.
Manual proxy; Host route = BBP; Web proxy route = DIRECT | The web proxy server is blocked because of strict tunnel. | BlackBerry Access routes traffic directly to the web proxy and then to the host. Note: Even though the host resolves in the BlackBerry Dynamics Connectivity Profile, because the web proxy is configured as DIRECT, all traffic through that web proxy is direct.
|Troubleshooting|53
Strict tunnel on Strict tunnel off
Manual proxy
Host route = DIRECT
Web proxy route = DIRECT
PAC returns DIRECT
Host route = BBP
PAC returns PROXY
Host route = BBP
Web proxy route = BBP
PAC returns PROXY
Host route = DIRECT
Web proxy route = BBP
Both the host and the web proxy server are blocked because of strict tunnel.
The host is blocked because of strict tunnel.
BlackBerry Accessroutes traffic though theBlackBerry Proxycluster and then through the web proxy.
BlackBerry Accessroutes traffic though theBlackBerry Proxycluster and then through the web proxy.
BlackBerry Accessroutes traffic directly to the web proxy and then to the host.
BlackBerry Accessroutes traffic directly to the host.
BlackBerry Accessroutes traffic though theBlackBerry Proxycluster and then through the web proxy.
Note: Even though the host does not resolve in theBlackBerry DynamicsConnectivity Profile, the web proxy does resolve. Therefore all traffic through the web proxy goes through theBlackBerry Proxycluster.
BlackBerry Accessroutes traffic directly to the web proxy and then to the host.
Note: Even though the host resolves in theBlackBerry DynamicsConnectivity Profile, because the web proxy configured as DIRECT, all traffic through that web proxy is direct.
PAC returns PROXY
Host route = BBP
Web proxy route = DIRECT
PAC returns PROXY
Host route = DIRECT
Web proxy route = DIRECT
Behavior of myIPAddress and DNSResolve
Depending on the routing configuration, the DNS resolution and the source IP address will differ. The following table describes which endpoint makes the DNS calls and which endpoint is considered the source IP address when connecting to a target host.
The web proxy is blocked because of strict tunnel.
The host is blocked because of strict tunnel.
BlackBerry Accessroutes traffic directly to the web proxy and then to the host.
BlackBerry Accessroutes traffic directly to the web proxy and then to the host.
|Troubleshooting|54
Configuration | DNSResolve during PAC computation | DNSResolve for socket connection | MyIPAddress for PAC
Host route = BBP; Strict tunnel = On | The BlackBerry Proxy resolves the IP address of the host. | The BlackBerry Proxy resolves the IP address of the host. | The IP address of the BlackBerry Proxy is used.
Host route = BBP; Strict tunnel = Off | The BlackBerry Proxy resolves the IP address of the host. | The BlackBerry Proxy resolves the IP address of the host. | The IP address of the BlackBerry Proxy is used.
Host route = DIRECT; Strict tunnel = On | The BlackBerry Proxy resolves the IP address of the host. | DNSResolve is blocked or there is no DNS resolution. | The IP address of the BlackBerry Proxy is used.
Host route = DIRECT; Strict tunnel = Off | The BlackBerry Proxy resolves the IP address of the host. | The device resolves the IP address of the host. | The IP address of the device is used.
|Troubleshooting|55

Feature support

Feature Description Applies to
Cookies Persistent cookies
Nonpersistent cookies
JavaScriptengine
HTML attachments
Uses native WKWebView for rendering BlackBerry Access for
UsesGoogle’s open source V8JavaScriptengine for rendering.
Navigation return to HTML attachment BlackBerry Access for
Maximum size of attachment is 3 MB BlackBerry Access for
Long tap on attachment BlackBerry Access for
BlackBerry Access for Android
BlackBerry Access for iOS
BlackBerry Access for Windows
BlackBerry Access for macOS
iOS
BlackBerry Access for Android
Android
Android
BlackBerry Access for iOS
iOS
No support for child pages or resources (relative links from the parent page)
Audio Support for the same audio formats that Apple supports.
To securely play audio on web sites, the HTML5 <audio> tag is required at the time the page is loaded in the browser. If BlackBerry Access can't detect an <audio> tag, the audio playback isn't secured.
Fingerprint authentication
Samsung Pass for user authentication using fingerprints. You can use the same application policies that you use to manage Android fingerprint authentication for Samsung Pass.
BlackBerry Access for Android
BlackBerry Access for iOS
BlackBerry Access for iOS
BlackBerry Access for Android
|Feature support|56
Feature Description Applies to
Languages supported byBlackBerry Accesscontrols
File types Unsupported file types:
Plugins Adobe Flash: Not supported
English, Danish, Dutch, French, German, Italian, Japanese, Korean, Simplified Chinese, Spanish, and Swedish
English, Dutch, French, Japanese, Korean, Simplified Chinese, and Swedish
.msg:Microsoft Outlookmessage format
.zip: Compressed file archive
Applets: Not supported
Microsoft ActiveX: Not supported
WebSockets: Supported only for BlackBerry Access for iOS, BlackBerry Access for macOS, and BlackBerry Access for Windows. WebSockets are not secured by BlackBerry Access for Android.
BlackBerry Access for Android
BlackBerry Access for iOS
BlackBerry Access for Windows
BlackBerry Access for macOS
BlackBerry Work for Windows
BlackBerry Work for macOS
BlackBerry Access for Android
BlackBerry Access for iOS
BlackBerry Access for Windows
BlackBerry Access for macOS
SAML and ADAL Supported BlackBerry Access for
Android
BlackBerry Access for iOS
BlackBerry Access for Windows
BlackBerry Access for macOS
|Feature support|57

Browser support for HTML5 and CSS3

BlackBerry Access for Android HTML and CSS3 support

Feature list Tags BlackBerry Access for Android
Score 464 of 555
Parsing rules
<!DOCTYPE html> triggers standards mode Supported
HTML5 tokenizer Supported
HTML5 tree building Supported
SVG in text/html Supported
MathML in text/html Supported
Video
video element Supported
Subtitle Supported Supported
Poster image Supported Supported
MPEG-4 Supported Unsupported
H.264 Supported Supported
Ogg Theora Supported Unsupported
WebM Supported with VP8 Supported Supported
WebM Supported with VP9 Supported Unsupported
Audio
audio element Supported
PCM audio Supported Supported
AAC Supported Supported
MP3 Supported Supported
Ogg Vorbis Supported Supported
Ogg Opus Supported Unsupported
WebM Supported Supported
Elements
Embedding custom non-visible data Supported
New or modified elements
section element Supported
section element Supported
nav element Supported
article element Supported
aside element Supported
hgroup element Supported
header element Supported
footer element Supported
Grouping content elements
figure element Supported
figcaption element Supported
reversed attribute on the ol element Supported
Text-level semantic elements
download attribute on the a element Supported
ping attribute on the a element Supported
mark element Supported
ruby, rt and rp elements Supported
time element Unsupported
wbr element Supported
Interactive elements
details element Supported
summary element Supported
menu element of type toolbar Unsupported
menu element of type popup Unsupported
dialog element Unsupported
Global attributes or methods
hidden attribute Supported
Dynamic markup insertion
outerHTML property Supported
insertAdjacentHTML function Supported
Forms
Field types
input type=text Supported
Minimal element Supported Supported
Selection Direction Supported
input type=search Supported
Minimal element Supported Supported
input type=tel Supported
Minimal element Supported Supported
input type=url Supported
Minimal element Supported Supported
Field validation Supported
input type=email Supported
Minimal element Supported Supported
Field validation Supported
input type=datetime Unsupported
Minimal element Supported Unsupported
Custom user-interface Unsupported
Value sanitization Unsupported
min attribute Unsupported
max attribute Unsupported
step attribute Unsupported
stepDown() method Unsupported
stepUp() method Unsupported
valueAsDate() method Unsupported
valueAsNumber() method Unsupported
input type=month Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsDate() method Supported
valueAsNumber() method Supported
input type=week Unsupported
Minimal element Supported Unsupported
Custom user-interface Unsupported
Value sanitization Unsupported
min attribute Unsupported
max attribute Unsupported
step attribute Unsupported
stepDown() method Unsupported
stepUp() method Unsupported
valueAsDate() method Unsupported
valueAsNumber() method Unsupported
input type=time Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsDate() method Supported
valueAsNumber() method Supported
input type=datetime-local Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsNumber() method Supported
input type=number Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
Field validation Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsNumber() method Supported
input type=range Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsNumber() method Supported
input type=color Unsupported
Minimal element Supported Unsupported
Custom user-interface Unsupported
Value sanitization Supported
input type=checkbox Supported
Minimal element Supported Supported
indeterminate property Supported
input type=image Supported
Minimal element Supported Supported
width property Supported
height property Supported
input type=file Supported (except for Android SB)
Minimal element Supported Supported
files property Supported
textarea Supported
Minimal element Supported Supported
maxlength attribute Supported
wrap attribute Supported
select Supported
Minimal element Supported Supported
required attribute Supported
fieldset Supported
Minimal element Supported Supported
elements attribute Supported
disabled attribute Supported
datalist Unsupported
Minimal element Supported Unsupported
list attribute for fields Unsupported
keygen Supported
Minimal element Supported Supported
challenge attribute Supported
keytype attribute Supported
output Supported
Minimal element Supported Supported
Fields
progress Supported
Minimal element Supported Supported
meter Supported
Minimal element Supported Supported
Field validation Supported
pattern attribute Supported
required attribute Supported
Association of controls and forms Supported
control property on labels Supported
form property on fields Supported
formAction property on fields Supported
formEnctype property on fields Supported
formMethod property on fields Supported
formNoValidate property on fields Supported
formTarget property on fields Supported
labels property on fields Supported
Other attributes Supported
autofocus attribute Supported
autocomplete attribute Supported
placeholder attribute Supported
multiple attribute Supported
dirName attribute Supported
CSS selectors Supported
:valid selector Supported
:invalid selector Supported
:optional selector Supported
:required selector Supported
:in-range selector Supported
:out-of-range selector Supported
:read-write selector Supported
:read-only selector Supported
Events Supported
oninput event Supported
onchange event Supported
oninvalid event Supported
Forms Supported
Form validation Supported
checkValidity method Supported
noValidate attribute Supported
User interaction
Drag and drop
Attributes Unsupported
draggable attribute Unsupported
dropzone attribute Unsupported
Events Unsupported
ondrag event Unsupported
ondragstart event Unsupported
ondragenter event Unsupported
ondragover event Unsupported
ondragleave event Unsupported
ondragend event Unsupported
ondrop event Unsupported
HTML editing
Editing elements Supported
contentEditable attribute Supported
isContentEditable property Supported
Editing documents Supported
designMode attribute Supported
CSS selectors Unsupported
APIs Supported
execCommand method Supported
queryCommandEnabled method Supported
queryCommandIndeterm method Supported
queryCommandState method Supported
queryCommandSupported method Supported
queryCommandValue method Supported
Spellcheck Supported
spellcheck attribute Supported
History and navigation
Session history Supported
Microdata
Microdata Unsupported
Web applications
Application Cache Supported
Custom scheme handlers Unsupported
Custom content handlers Unsupported
Custom search providers Supported
Security
Sandboxed iframe Supported
Seamless iframe Unsupported
iframe with inline contents Supported
Various
Scoped style element Unsupported
Asynchronous script execution Supported
Runtime script error reporting Supported
Base64 encoding and decoding Supported
Related specifications
Location and Orientation
Device Orientation Supported
Communication
Cross-document messaging
Server-Sent Events Supported
XMLHttpRequest Level 2 Supported
Upload files Supported
Text response type Supported
Document response type Supported
Array buffer response type Supported
Blob response type Supported
Files
File API Supported
File API: Directories and System Supported
Storage
Session Storage Unsupported
Secure Local Storage with persistence Supported
IndexedDB Unsupported
Web SQL Database Unsupported
Workers
Web Workers Supported
Shared Workers Supported
Local multimedia
Access the webcam Unsupported
Notifications
Web Notifications Unsupported
Other
Page Visibility Supported
Text selection Supported
Scroll into view Supported
Mutation Observer Supported
Experimental
Audio
Web Audio API Unsupported
Video and Animation¹
Full screen Supported Supported
Pointer Lock Supported Supported
window.requestAnimationFrame Supported
¹ These media formats may be rendered by invoking native device players when device is connected to corporate Wi-Fi network.

BlackBerry Access for iOS HTML and CSS3 support

Feature list Tags BlackBerry Access for iOS
Score 410
Parsing rules 10
<!DOCTYPE html> triggers standards mode Supported
HTML5 tokenizer Supported
HTML5 tree building Supported
SVG in text/html Supported
MathML in text/html Supported
Canvas 20
canvas element Supported
2D context Supported
Text Supported
Video 21/30
video element Supported
Subtitle Supported Unsupported
Poster image Supported Supported
MPEG-4 Supported Supported
H.264 Supported Supported
Ogg Theora Supported Unsupported
WebM Supported Unsupported
WebM Supported with VP9 Supported Unsupported
Audio 20
audio element Supported
PCM audio Supported Supported
AAC Supported Supported
MP3 Supported Supported
Ogg Vorbis Supported Unsupported
Ogg Opus Supported Unsupported
WebM Supported Unsupported
Elements 29/35
Embedding custom non-visible data Supported
New or modified elements
section element Supported
section element Supported
nav element Supported
article element Supported
aside element Supported
hgroup element Supported
header element Supported
footer element Supported
Grouping content elements Supported
figure element Supported
figcaption element Supported
reversed attribute on the ol element Supported
Text-level semantic elements partially Supported
download attribute on the a element Unsupported
ping attribute on the a element Supported
mark element Supported
ruby, rt and rp elements Supported
time element Unsupported
wbr element Supported
Interactive elements partially Supported
details element Supported
summary element Supported
command element Unsupported
menu element of type list Supported
menu element of type toolbar Unsupported
menu element of type context Unsupported
Global attributes or methods
hidden attribute Supported
Dynamic markup insertion Supported
outerHTML property Supported
insertAdjacentHTML function Supported
Forms 102/115
Field types
input type=text Supported
Minimal element Supported Supported
Selection Direction Supported
input type=search Supported
Minimal element Supported Supported
input type=tel Supported
Minimal element Supported Supported
input type=url Supported
Minimal element Supported Supported
Field validation Supported
input type=email Supported
Minimal element Supported Supported
Field validation Supported
input type=datetime Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsDate() method Supported
valueAsNumber() method Supported
input type=date Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsDate() method Supported
valueAsNumber() method Supported
input type=month Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsDate() method Supported
valueAsNumber() method Supported
input type=time partially Supported
Minimal element Supported Supported
Custom user-interface Unsupported
Value sanitization Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsDate() method Supported
valueAsNumber() method Supported
input type=time Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsDate() method Supported
valueAsNumber() method Supported
input type=datetime-local Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsNumber() method Supported
input type=number Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
Field validation Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsNumber() method Supported
input type=range Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsNumber() method Supported
input type=color Unsupported
Minimal element Supported Unsupported
Custom user-interface Unsupported
Value sanitization Unsupported
input type=checkbox Supported
Minimal element Supported Supported
indeterminate property Supported
input type=image Supported
Minimal element Supported Supported
width property Supported
height property Supported
input type=file Supported
Minimal element Supported Supported
files property Supported
textarea Supported
Minimal element Supported Supported
maxlength attribute Supported
wrap attribute Supported
select Supported
Minimal element Supported Supported
required attribute Supported
fieldset partially Supported
Minimal element Supported Supported
elements attribute Unsupported
disabled attribute Supported
datalist Unsupported
Minimal element Supported Unsupported
list attribute for fields Unsupported
keygen Supported
Minimal element Supported Supported
Fields
challenge attribute Supported
keytype attribute Supported
output Supported
Minimal element Supported Supported
progress Unsupported
Minimal element Supported Unsupported
meter Unsupported
Minimal element Supported Unsupported
Field validation Supported
pattern attribute Supported
required attribute Supported
Association of controls and forms Supported
control property on labels Supported
form property on fields Supported
formAction property on fields Supported
formEnctype property on fields Supported
formMethod property on fields Supported
formNoValidate property on fields Supported
formTarget property on fields Supported
labels property on fields Supported
Other attributes Supported
autofocus attribute Supported
autocomplete attribute Supported
placeholder attribute Supported
multiple attribute Supported
dirName attribute Supported
CSS selectors Supported
:valid selector Supported
:invalid selector Supported
:optional selector Supported
:required selector Supported
:in-range selector Supported
:out-of-range selector Supported
:read-write selector Supported
:read-only selector Supported
Events Supported
oninput event Supported
onchange event Supported
oninvalid event Supported
Forms Supported
Form validation Supported
checkValidity method Supported
noValidate attribute Supported
User interaction 20 20
Drag and drop Unsupported
Attributes Unsupported
draggable attribute Unsupported
dropzone attribute Unsupported
Events Unsupported
ondrag event Unsupported
ondragstart event Unsupported
ondragenter event Unsupported
ondragover event Unsupported
ondragleave event Unsupported
ondragend event Unsupported
ondrop event Unsupported
HTML editing
Editing elements Supported
contentEditable attribute Supported
isContentEditable property Supported
Editing documents Supported
designMode attribute Supported
APIs Supported
execCommand method Supported
queryCommandEnabled method Supported
queryCommandIndeterm method Supported
queryCommandState method Supported
queryCommandSupported method Supported
queryCommandValue method Supported
Spellcheck
spellcheck attribute Supported
History and navigation 10
Session history Supported
Microdata 0/15
Microdata Unsupported
Web applications 15/20
Application Cache Supported
Custom scheme handlers Unsupported
Custom content handlers Unsupported
Custom search providers Unsupported
Security 15/20
Sandboxed iframe Supported
Seamless iframe Unsupported
iframe with inline contents Supported
Various 5/10
Scoped style element Unsupported
Asynchronous script execution Supported
Runtime script error reporting Supported
Base64 encoding and decoding Supported
Related specifications
Location and Orientation 20
Device Orientation Supported
WebGL 10/25
3D context Unsupported
Native binary data Supported
ArrayBuffer Supported
Int8Array Supported
Uint8Array Supported
Int16Array Supported
Uint16Array Supported
Int32Array Supported
Uint32Array Supported
Float32Array Supported
Float64Array Supported
DataView Supported
Communication 33/35
Cross-document messaging Supported
Server-Sent Events Supported
XMLHttpRequest Level 2 partially Supported
Upload files Supported
Text response type Supported
Document response type Supported
Array buffer response type Supported
Blob response type Unsupported
Files 10
File API Supported
File API: Directories and System Unsupported
Storage 15/25
Session Storage Supported
Secure Local Storage without persistence Supported
IndexedDB Unsupported
Web SQL Database Unsupported
Workers 15
Web Workers Supported
Shared Workers Supported
Local multimedia 0/10
Access the webcam Unsupported
Notifications 0/10
Web Notifications Unsupported
Other 8/10
Page Visibility Unsupported
Text selection Supported
Scroll into view Supported
Mutation Observer Supported
Experimental
Audio 5
Web Audio API Supported
Video and Animation¹ 3/10
Full screen Supported Unsupported
Pointer Lock Supported Unsupported
window.requestAnimationFrame Supported
¹ These media formats may be rendered by invoking native device players when device is connected to corporate Wi-Fi network.

BlackBerry Access for macOS HTML and CSS3 support

Feature list Tags BlackBerry Access for macOS
Score 504 of 555
Parsing rules
<!DOCTYPE html> triggers standards mode Supported
HTML5 tokenizer Supported
HTML5 tree building Supported
SVG in text/html Supported
MathML in text/html Supported
Video
video element Supported
Audio track selection Unsupported
Video track selection Unsupported
Subtitle Supported Supported
Poster image Supported Supported
MPEG-4 Supported Unsupported
H.264 Supported Unsupported
H.265 Supported Unsupported
Ogg Theora Supported Supported
WebM Supported with VP8 Supported Supported
WebM Supported with VP9 Supported Supported
Audio
audio element Supported
PCM audio Supported Supported
AAC Supported Unsupported
MP3 Supported Supported
Ogg Vorbis Supported Supported
Ogg Opus Supported Supported
WebM Supported Supported
Elements
Embedding custom non-visible data Supported
New or modified elements
section element Supported
section element Supported
nav element Supported
article element Supported
aside element Supported
hgroup element Supported
header element Supported
footer element Supported
Grouping content elements
figure element Supported
figcaption element Supported
reversed attribute on the ol element Supported
Text-level semantic elements
download attribute on the a element Supported
ping attribute on the a element Supported
mark element Supported
ruby, rt and rp elements Supported
time element Unsupported
wbr element Supported
Interactive elements
details element Supported
summary element Supported
menu element of type toolbar Unsupported
menu element of type popup Unsupported
dialog element Unsupported
Global attributes or methods
hidden attribute Supported
Dynamic markup insertion
outerHTML property Supported
insertAdjacentHTML function Supported
Forms
Field types
input type=text Supported
Minimal element Supported Supported
Selection Direction Supported
input type=search Supported
Minimal element Supported Supported
input type=tel Supported
Minimal element Supported Supported
input type=url Supported
Minimal element Supported Supported
Field validation Supported
input type=email Supported
Minimal element Supported Supported
Field validation Supported
input type=datetime Unsupported
Minimal element Supported Unsupported
Custom user-interface Unsupported
Value sanitization Unsupported
min attribute Unsupported
max attribute Unsupported
step attribute Unsupported
stepDown() method Unsupported
stepUp() method Unsupported
valueAsDate() method Unsupported
valueAsNumber() method Unsupported
input type=month Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsDate() method Supported
valueAsNumber() method Supported
input type=week Unsupported
Minimal element Supported Unsupported
Custom user-interface Unsupported
Value sanitization Unsupported
min attribute Unsupported
max attribute Unsupported
step attribute Unsupported
stepDown() method Unsupported
stepUp() method Unsupported
valueAsDate() method Unsupported
valueAsNumber() method Unsupported
input type=time Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsDate() method Supported
valueAsNumber() method Supported
input type=datetime-local Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsDate() method Supported
valueAsNumber() method Supported
input type=number Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
Field validation Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsNumber() method Supported
input type=range Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsNumber() method Supported
input type=color Unsupported
Minimal element Supported Unsupported
Custom user-interface Unsupported
Value sanitization Supported
input type=checkbox Supported
Minimal element Supported Supported
indeterminate property Supported
input type=image Supported
Minimal element Supported Supported
width property Supported
height property Supported
input type=file Supported (except for Android SB)
Minimal element Supported Supported
files property Supported
textarea Supported
Minimal element Supported Supported
maxlength attribute Supported
wrap attribute Supported
select Supported
Minimal element Supported Supported
required attribute Supported
fieldset Supported
Minimal element Supported Supported
elements attribute Unsupported
disabled attribute Supported
datalist Unsupported
Fields
Minimal element Supported Unsupported
list attribute for fields Unsupported
keygen Supported
Minimal element Supported Supported
challenge attribute Supported
keytype attribute Supported
output Supported
Minimal element Supported Supported
progress Supported
Minimal element Supported Supported
meter Supported
Minimal element Supported Supported
Field validation Supported
pattern attribute Supported
required attribute Supported
Association of controls and forms Supported
control property on labels Supported
form property on fields Supported
formAction property on fields Supported
formEnctype property on fields Supported
formMethod property on fields Supported
formNoValidate property on fields Supported
formTarget property on fields Supported
labels property on fields Supported
Other attributes Supported
autofocus attribute Supported
autocomplete attribute Supported
placeholder attribute Supported
multiple attribute Supported
dirName attribute Supported
CSS selectors Supported
:valid selector Supported
:invalid selector Supported
:optional selector Supported
:required selector Supported
:in-range selector Supported
:out-of-range selector Supported
:read-write selector Supported
:read-only selector Supported
Events Supported
oninput event Supported
onchange event Supported
oninvalid event Supported
Forms Supported
Form validation Supported
checkValidity method Supported
noValidate attribute Supported
User interaction
Drag and drop
Attributes Unsupported
draggable attribute Unsupported
dropzone attribute Unsupported
Events Unsupported
ondrag event Unsupported
ondragstart event Unsupported
ondragenter event Unsupported
ondragover event Unsupported
ondragleave event Unsupported
ondragend event Unsupported
ondrop event Unsupported
HTML editing
Editing elements Supported
contentEditable attribute Supported
isContentEditable property Supported
Editing documents Supported
designMode attribute Supported
CSS selectors Unsupported
APIs Supported
execCommand method Supported
queryCommandEnabled method Supported
queryCommandIndeterm method Supported
queryCommandState method Supported
queryCommandSupported method Supported
queryCommandValue method Supported
Spellcheck Supported
spellcheck attribute Supported
History and navigation
Session history Supported
Microdata
Microdata Unsupported
Web applications
Application Cache Supported
Custom scheme handlers Unsupported
Custom content handlers Unsupported
Custom search providers Supported
Security
Sandboxed iframe Supported
Seamless iframe Unsupported
iframe with inline contents Supported
Various
Scoped style element Unsupported
Asynchronous script execution Supported
Runtime script error reporting Supported
Base64 encoding and decoding Supported
Related specifications
Location and Orientation
Device Orientation Supported
Communication
Cross-document messaging
Server-Sent Events Supported
XMLHttpRequest Level 2 Supported
Upload files Supported
Text response type Supported
Document response type Supported
Array buffer response type Supported
Blob response type Supported
Files
File API Supported
File API: Directories and System Supported
Storage
Session Storage Unsupported
Secure Local Storage with persistence Supported
IndexedDB Unsupported
Web SQL Database Unsupported
Workers
Web Workers Supported
Shared Workers Supported
Local multimedia
Access the webcam Unsupported
Notifications
Web Notifications Unsupported
Other
Page Visibility Supported
Text selection Supported
Scroll into view Supported
Mutation Observer Supported
Experimental
Audio
Web Audio API Unsupported
Video and Animation¹
Full screen Supported Supported
Pointer Lock Supported Supported
window.requestAnimationFrame Supported
¹ These media formats may be rendered by invoking native device players when device is connected to corporate Wi-Fi network.

BlackBerry Access for Windows HTML and CSS3 support

Feature list Tags BlackBerry Access for Windows
Score 504 of 555
Parsing rules
<!DOCTYPE html> triggers standards mode Supported
HTML5 tokenizer Supported
HTML5 tree building Supported
SVG in text/html Supported
MathML in text/html Supported
Video
video element Supported
Audio track selection Unsupported
Audio track selection Unsupported
Subtitle Supported Supported
Poster image Supported Supported
MPEG-4 Supported Unsupported
H.264 Supported Unsupported
H.265 Supported Unsupported
Ogg Theora Supported Supported
WebM Supported with VP8 Supported Supported
WebM Supported with VP9 Supported Supported
Audio
audio element Supported
PCM audio Supported Supported
AAC Supported Unsupported
MP3 Supported Supported
Ogg Vorbis Supported Supported
Ogg Opus Supported Supported
WebM Supported Supported
Elements
Embedding custom non-visible data Supported
New or modified elements
section element Supported
section element Supported
nav element Supported
article element Supported
aside element Supported
hgroup element Supported
header element Supported
footer element Supported
Grouping content elements
figure element Supported
figcaption element Supported
reversed attribute on the ol element Supported
Text-level semantic elements
download attribute on the a element Supported
ping attribute on the a element Supported
mark element Supported
ruby, rt and rp elements Supported
time element Unsupported
wbr element Supported
Interactive elements
details element Supported
summary element Supported
menu element of type toolbar Unsupported
menu element of type popup Unsupported
dialog element Unsupported
Global attributes or methods
hidden attribute Supported
Dynamic markup insertion
outerHTML property Supported
insertAdjacentHTML function Supported
Forms
Field types
input type=text Supported
Minimal element Supported Supported
Selection Direction Supported
input type=search Supported
Minimal element Supported Supported
input type=tel Supported
Minimal element Supported Supported
input type=url Supported
Minimal element Supported Supported
Field validation Supported
input type=email Supported
Minimal element Supported Supported
Field validation Supported
input type=datetime Unsupported
Minimal element Supported Unsupported
Custom user-interface Unsupported
Value sanitization Unsupported
min attribute Unsupported
max attribute Unsupported
step attribute Unsupported
stepDown() method Unsupported
stepUp() method Unsupported
valueAsDate() method Unsupported
valueAsNumber() method Unsupported
input type=month Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsDate() method Supported
valueAsNumber() method Supported
input type=week Unsupported