BlackBerry Access Administration Guide

2020-05-12Z
||2

Contents

What is BlackBerry Access?
Getting started with BlackBerry Access
  System requirements
  Deploying BlackBerry Access
  Downloading and activating BlackBerry Access
Managing BlackBerry Access
  Making BlackBerry Access available to users
    Make BlackBerry Access available to users in BlackBerry UEM
    Making BlackBerry Access available to users in Good Control
  Configuring BlackBerry Access app settings
    Configure BlackBerry Access app settings in BlackBerry UEM
    Configure BlackBerry Access app settings in Good Control
    BlackBerry Access app configuration settings
  Configuring the BlackBerry Dynamics Launcher
    Adding the work app catalog to the BlackBerry Dynamics Launcher
  Whitelist the BlackBerry UEM App Catalog in the BlackBerry Dynamics Connectivity profile
  Configure single sign-on for BlackBerry Access in Good Control
  Configure single sign-on for BlackBerry Access in BlackBerry UEM
  Setting up a PAC file to manage a proxy infrastructure
    PAC file example
    Configure PAC settings in BlackBerry UEM
    Configure PAC settings in Good Control
    Test a PAC configuration
    Refreshing PAC configuration on devices
    PAC file FAQ
  Configure RSA SecurID soft token authentication
    Configure an RSA SecurID application policy in BlackBerry UEM
    Configure an RSA SecurID application policy in Good Control
  Kerberos authentication support
    Mapping domains to Kerberos realms
  Managing certificates
    Verify that BlackBerry Access can use certificates in BlackBerry UEM
    Verify that BlackBerry Access can use certificates in Good Control
    Upload certificates for users in BlackBerry UEM
    Upload certificates for users in Good Control
    Delete certificates for users in BlackBerry UEM
    Delete certificates for users in Good Control
  Security features
    Remote data wipe
    Send device commands to BlackBerry Access in BlackBerry UEM
    Send device commands to BlackBerry Access in Good Control
    Secure storage of browsing activity
    SSL and TLS
    NTLMv2 authentication
    HTTP basic authentication
    User passwords
  Video support
    Video support FAQ
  Configuring allowed Internet domains
  Changing communications protocols
  Configure access to WebRTC-based destinations
  Allow users to open custom URL schemes
  Allow users to securely edit files within an app in BlackBerry Access on Windows or macOS
  Identifying BlackBerry Access in user agent
  Good Control cloud deployments and intranet servers
  Using BlackBerry Analytics to collect app data
  Configure a compliance rule for Windows antivirus detection in Good Control
  Configure support for FQDN resolution in Good Control
Troubleshooting
  Diagnostics
    Generate a diagnostics report on iOS devices
    Generate a diagnostics report on Android devices
  Troubleshoot issues using the BlackBerry Access console
  Upload log files to BlackBerry Support
  Troubleshoot connectivity issues
  Troubleshoot routing issues
Feature support
Browser support for HTML5 and CSS3
  BlackBerry Access for Android HTML and CSS3 support
  BlackBerry Access for iOS HTML and CSS3 support
  BlackBerry Access for macOS HTML and CSS3 support
  BlackBerry Access for Windows HTML and CSS3 support
Legal notice

What is BlackBerry Access?

BlackBerry Access is a secure browser that allows users to access your organization's intranet and business applications through the work firewall, without using a VPN, on Android, iOS, Windows, and macOS devices.
BlackBerry Access is part of the suite of BlackBerry Dynamics mobile productivity apps. You deploy and manage BlackBerry Access using BlackBerry UEM or a standalone Good Control server. Both solutions give you the ability to configure app settings to meet the needs and standards of your organization.
The features offered by BlackBerry Access:

Feature: Secures data
Description: BlackBerry Access secures work web apps in containers, ensuring that data is protected and never leaves your organization's control. All browsing data is encrypted with industry-leading FIPS-validated AES encryption, and BlackBerry Access uses PAC file URLs to route work data securely.

Feature: User authentication
Description: BlackBerry Access leverages standard user authentication methods, including SSL, NTLM, and TLS, and supports credential persistence.
BlackBerry Access also supports single sign-on with Kerberos Constrained Delegation across realms and RSA soft token generation.

Feature: Intuitive browser features
Description: BlackBerry Access provides an intuitive interface that makes it easy to download content, set bookmarks, and browse in multiple tabs. BlackBerry Access for iOS also captures and saves web clips, and allows users to view streaming video with intuitive player controls.

Feature: App deployment
Description: BlackBerry Access supports pop-ups that streamline the deployment of web apps, including Cisco WebEx, Salesforce, and custom-developed apps. You can deploy your organization's HTML5 desktop apps securely, and can provide users with offline access to those apps.

Feature: Integrated app store
Description: BlackBerry Access offers an integrated enterprise app store for Android and iOS devices.

Feature: Remote commands
Description: If a user's device is compromised (for example, lost or stolen), you can remotely delete browser data, lock the app, or wipe device data.

Feature: Integration with other apps
Description: BlackBerry Access for Windows and BlackBerry Access for macOS also provide users with access to BlackBerry Work to access their mail, calendars, and contacts from within the secure browser.

Getting started with BlackBerry Access

System requirements

To use BlackBerry Access, your organization must meet the following requirements:

Item: Management solution
Requirement: One of the following:
- BlackBerry UEM, version 12.6 MR1 or later
- Good Control version 2.3 or later, Good Proxy version 2.3 or later

Item: Device OS
Requirement: For device OS compatibility, see the Mobile/Desktop OS and Enterprise Applications Compatibility Matrix.
DeployingBlackBerry Access
You can use eitherBlackBerry UEMorGood Controlto manageBlackBerry Access. If you have not configured yourBlackBerry UEMorGood Controlenvironment, you must complete configuration tasks before you can continue with the tasks in this guide. Refer to the table below for more information on which solution to use and where to find more information.
Management option Description
BlackBerry UEM If you require MDM capabilities, you must manageBlackBerry
AccessusingBlackBerry UEM.
To useBlackBerry UEMto manageBlackBerry Access,see Managing
BlackBerry Dynamics appsfor information about deployingBlackBerry
Accessin your organization.
Good Control Although it is recommended that you useBlackBerry UEM, if you do
not require MDM, you can useGood Controlto manageBlackBerry Access. For more information on the benefits of usingBlackBerry UEM, seeBenefits of upgrading from Good Control to BlackBerry UEM.
To useGood Controlto manageBlackBerry Access,see theGood
Controldocumentationfor information about deployingBlackBerry
Accessin your organization.
|Getting started with BlackBerry Access|6
Downloading and activatingBlackBerry Access
Platform Details
BlackBerry Access for Androiddevices
BlackBerry Access for iOSdevices
BlackBerry Access for Windowsdevices
BlackBerry Access for macOSdevices
For MDM managed devices, you can useBlackBerry UEMto pushBlackBerry Accessto users, or you can make the app available in users' work catalogs. Users can download theBlackBerry UEM Clientfrom theGoogle Playstore orApp Store. TheUEM Clientmanages the activation ofBlackBerry Dynamicsapps, so users do not require an access key to activate the apps.
For devices that are not MDM managed, users can downloadBlackBerry Accessfrom theGoogle Playstore orApp Store. UsingBlackBerry UEMorGood Control, you provide users with an access key to activateBlackBerry Access(seeGenerate access
keys for BlackBerry Dynamics apps).
Direct users to download and installBlackBerry Accessfrom theBlackBerry Products and Application Support page.
UsingBlackBerry UEMorGood Control, you provide users with an access key to activateBlackBerry Access(seeGenerate access keys
for BlackBerry Dynamics apps).
Prerequisites: DeployingBlackBerry WorkwithBlackBerry Access
When users installBlackBerry Access for WindowsorBlackBerry Access for macOS,BlackBerry Workis also installed as an integrated web extension forBlackBerry Access.
Before you deployBlackBerry Access for WindowsorBlackBerry Access for macOSwithBlackBerry Work, note the following prerequisites:
Verify that the “DisableBlackBerry Work” app configuration setting is not selected (seeBlackBerry Accessapp
configuration settings).
BlackBerry WorkusesMicrosoft Exchange Web Servicesinstead ofMicrosoft Exchange ActiveSync.BlackBerry Workdoesn’t use a configuration file for theMicrosoft Exchange Web ServicesAutodiscover service. Verify that theMicrosoft Exchange Web ServicesAutodiscover service is enabled. For more information about using EWSEditor to check if the Autodiscover service is enabled, visitsupport.blackberry.com/communityto read article 40351.
Verify that theBlackBerry Enterprise Mobility Serveris configured for theMicrosoft Exchange Web ServicesAutodiscover service. For instructions, see theBlackBerry Enterprise Mobility Server Installation and
Configuration content
Note: To useBEMSfor Autodiscover, the user must be assigned theBlackBerry Core and Mail Services or Good Enterprise Services entitlement.The entitlement must be configured in theBlackBerry Dynamicsconnectivity profile linked to the FQDN of theBEMSand port 8443. For more information, seeConfigure BlackBerry Work connection settings.
.
Autodiscovery of the user's mailbox occurs as follows:
|Getting started with BlackBerry Access|7
1. BlackBerry Workconnects toBEMSto perform autodiscovery if the properBEMS-related entitlements
are configured in theBlackBerry Dynamicsconnectivity profile and assigned to the user.Good Enterprise ServicesorBlackBerry Core and Mail Servicesentitlements both cover this requirement.
2. If that fails,BlackBerry Workattempts to connect to https://<emaildomain.com>/autodiscover/
autodiscover.svc
3. If that fails,BlackBerry Workattempts to connect tohttps://autodiscover.<emaildomain.com>/
autodiscover/autodiscover.svc.
IfMicrosoft Exchange Web Servicesis using a self-signed server certificate, ensure that the “Alert user for invalid or expired certificate” app configuration setting is not selected.
If you want to enableKerberosConstrained Delegation, note the following prerequisites:
In theMicrosoft Internet Information Services(IIS), enableKerberosauthentication (underWindowsauthentication) for theMicrosoft Exchange Web Servicesweb server.
InMicrosoft Active Directory Users and Computers, in theMicrosoftManagement Console (MMC), on the Delegation tab, add theMicrosoft Exchange Web ServicesHTTP service for theUEMorGoodadministrator account.
IfKerberosConstrained Delegation is enabled, users can’t enter their authentication credentials (username and password). Authentication is delegated to theUEMorGoodadministrator account.
For more information about setting upKerberosConstrained Delegation, readConfiguring Kerberos for
BlackBerry Dynamics appsin theBlackBerry UEM Configuration content.
|Getting started with BlackBerry Access|8

Managing BlackBerry Access

Making BlackBerry Access available to users

MakeBlackBerry Accessavailable to users inBlackBerry UEM
To manageBlackBerry AccessinBlackBerry UEM, you must addBlackBerry Accessto the app list. Your organization must be entitled to useBlackBerry Accessin theBlackBerry Marketplace for Enterprise Software. After your organization is entitled to use the app, you can update the app list to synchronize the apps withBlackBerry UEMimmediately, or wait until it synchronizes automatically (UEMsynchronizesBlackBerry Dynamicsapps every 24 hours). AfterBlackBerry Accesshas been added to the app list, you can assign it to users.
For complete instructions for managingBlackBerry Dynamicsapps inBlackBerry UEM, seesee Managing
BlackBerry Dynamics apps
1. Log in to your account athttps://marketplace.blackberry.com/apps.
2. Locate the app in theBlackBerry Marketplace for Enterprise Softwareand request a trial. The app will be made
available to your organization and can be assigned to users after the app has been synchronized toBlackBerry UEM.
3. To purchase the app, follow the instructions provided by the app developer.
After you finish:
Update the app list.
To allow users to install and activateBlackBerry Accesson their devices,assignBlackBerry Accessto a user
group oruser account.
If you want to use theBlackBerry UEM Clientto manage the activation ofBlackBerry Access(and otherBlackBerry Dynamicsapps) onAndroidoriOSdevices, instruct users to download theBlackBerry UEM Clientfrom theGoogle Playstore orApp Store.
If you want users to activateBlackBerry Accessusing an access key, useto send users an email with the email address and access key they need to activate the app (seeGenerate access keys for BlackBerry
Dynamics apps).
Update the app list
1. On the menu bar, clickApps.
2.
Click .

Making BlackBerry Access available to users in Good Control

For more information about makingBlackBerry Accessavailable to users inGood Control,see theGood
ControlOnline Help.

Configuring BlackBerry Access app settings

Configure BlackBerry Access app settings in BlackBerry UEM

1. On the menu bar, click Apps.
2. Click the BlackBerry Access app.
3. On the BlackBerry Dynamics tab, in the App configuration table, click +.
4. Type a name for the app configuration.
5. Configure the app settings. See BlackBerry Access app configuration settings for a description of the settings that you can configure.
6. Click Save.
After you finish: Assign BlackBerry Access to a user group or user account.

Configure BlackBerry Access app settings in Good Control

1. On the menu bar, click Policy Sets.
2. Click the name of the policy that you want to assign to BlackBerry Access users.
3. Click the APPS tab.
4. Expand APP SPECIFIC POLICIES > BLACKBERRY ACCESS.
5. Configure the app settings. See BlackBerry Access app configuration settings for a description of the settings that you can configure.
6. Click Update.
BlackBerry Accessapp configuration settings
General
Setting Description Applies to
Homepage This setting specifies the URL for the website that
you want to appear as the home screen when users startBlackBerry Access.
The URL must begin with "http://" or "https://".
Allow user to set home page
Use UIWebView to render web content on devices (only applicable toiOSdevices 12.0 or earlier)
This setting specifies whether users can set their own home pages inBlackBerry Access.
This setting specifies whether to allowiOS12.0 and earlier devices to use UIWebView. The default view is WKWebView.
BlackBerry Access for Android
BlackBerry Access for iOS
BlackBerry Access for Windows
BlackBerry Access for macOS
BlackBerry Access for Windows
BlackBerry Access for macOS
BlackBerry Access for iOS
|Managing BlackBerry Access|10

Setting: Allow telephone and maps URL
Description: This setting specifies whether users can access telephone and map URLs in BlackBerry Access.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Identify BlackBerry Access in User Agent
Description: This setting specifies whether BlackBerry Access can send its user agent string to servers hosting websites that users visit. The user agent string identifies BlackBerry Access in the HTTP request headers.
Servers use the information in the user agent string to provide content tailored to BlackBerry Access.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Enable pop-up windows
Description: This setting specifies whether BlackBerry Access allows pop-up windows.
Disabling pop-up windows may cause issues with applications such as Microsoft Exchange, that open pop-up windows for tasks like composing new email messages. If you disable this setting, when an app tries to open a pop-up window, BlackBerry Access displays a message that pop-up windows are blocked.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Allow other applications to open urls in full screen mode. (iOS only)
Description: This setting specifies whether apps can open in full screen mode by default.
Applies to: BlackBerry Access for iOS

Setting: Allow import of bookmarks from Safari or Firefox
Description: This setting specifies whether users can import bookmarks that they export from other browsers into BlackBerry Access.
Applies to: BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Push Bookmarks
Description: This setting specifies bookmarks that will be preloaded in BlackBerry Access to make it easier for users to access work intranet webpages.
You can copy and paste the text of your bookmarks file directly into this text box. The bookmarks must follow the Netscape bookmark file format. For more information, see https://gist.github.com/jgarber623/cdc8e2fa1cbcb6889872.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Enable web clip feature
Description: This setting specifies whether users can use web clips. Web clips are small icons on mobile devices that link to webpages.
Applies to: BlackBerry Access for iOS

Setting: Allow users to perform app diagnostics
Description: This setting specifies whether users can perform app diagnostics for BlackBerry Access. If this setting is selected, the “Run Diagnostics” option appears in the BlackBerry Access settings menu on users’ devices.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

Setting: Enable APK installation (Android only)
Description: This setting specifies whether users can download and install .apk files.
Applies to: BlackBerry Access for Android

Setting: Allow external apps to open HTTP/HTTPS URLs through BlackBerry Access
Description: This setting specifies whether third-party apps on the device can open webpages in BlackBerry Access.
Note: For BlackBerry Access for iOS, links in third-party, non-BlackBerry Dynamics apps can open in BlackBerry Access only if they launch with the following URL scheme: access://open?url= (for example, access://open?url=http://www.blackberry.com)
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

Setting: Do not allow download from any HTTP or HTTPS site you have not approved by whitelisting it in BlackBerry Control
Description: This setting specifies whether BlackBerry Access users can download content from HTTP or HTTPS webpages even if they haven't been added to an allowed list.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

Setting: Do not allow download from any HTTPS site you have not approved by whitelisting it in BlackBerry Control
Description: This setting specifies whether BlackBerry Access users can download content from HTTPS webpages even if they haven't been added to an allowed list.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

Setting: Enable export of downloaded files to OS file system (Windows and Mac)
Description: This setting specifies whether BlackBerry Work users can download files directly to their device's default download folder, instead of the BlackBerry Dynamics secure container.
Note that allowing users to bypass the secure container is a potential security risk.
Applies to: BlackBerry Work for Windows, BlackBerry Work for macOS

Setting: Enable import of files from OS file system
Description: This setting specifies whether BlackBerry Work users can attach files that aren't in the BlackBerry Dynamics secure container.
Applies to: BlackBerry Work for Windows, BlackBerry Work for macOS

Setting: Enable Direct Downloads
Description: This setting specifies whether BlackBerry Work users can download attachments in email messages directly to the device's file system, instead of into the Download Manager in the BlackBerry Dynamics Launcher.
Applies to: BlackBerry Work for Windows, BlackBerry Work for macOS

Setting: Disable BlackBerry Work
Description: This setting specifies whether users can use BlackBerry Work.
Applies to: BlackBerry Work for Windows, BlackBerry Work for macOS

Setting: Open HTML files from other BlackBerry Dynamics applications
Description: This setting specifies whether BlackBerry Access can open HTML files from other BlackBerry Dynamics apps.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

Setting: Enable Geolocation
Description: This setting specifies whether BlackBerry Access users can allow webpages to access their device's location.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

Setting: Enable 3rd Party Applications
Description: This setting specifies whether BlackBerry Access can open custom URL schemes supported by third-party apps. By default, BlackBerry Access opens only HTTP and HTTPS URL schemes.
If you select this setting, you must also set the "Enter comma separated URL schemes" setting.
Note: Each URL string must be mapped as yourstring://your.URL.string. For example, for Webex, you could use wbx://yourcompany.webex.com. In Access, the user would click on the anchor tag <a href="wbx://blackberry.webex.com">wbx://blackberry.webex.com</a> to open the local Webex app and pass the string yourcompany.webex.com to the app.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Enter comma separated URL schemes
Description: This setting specifies the custom URL schemes that BlackBerry Access can open.
The list must be separated by commas. For example, itms-services,market,wbx,lync, where "itms-services" is App Store, "market" is Google Play, "watchdox" is BlackBerry Workspaces, "wbx" is WebEx, and "lync" is Microsoft Lync Server.
This setting is valid only if the "Enable 3rd Party Applications" setting is selected.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Enter JSON for search engine titles and URLs
Description: This setting specifies search engine links that are added to the end of users' search results for bookmarks, history, or downloads. They provide users with easier access to search engines when they perform searches.
In the text box, specify the search engine labels to show in BlackBerry Access such as Google and the corresponding search engine URLs. The text must be in .json format and each entry must end with [[GASEARCHKEY]]. For example:
[
{"Google":"https://www.google.com/?gws_rd=ssl#q=[[GASEARCHKEY]]"},
{"Yahoo":"https://search.yahoo.com/search?p=[[GASEARCHKEY]]"},
{"Bing":"http://www.bing.com/search?q=[[GASEARCHKEY]]"}
]
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Enable QR Code scanning
Description: This setting specifies whether users can scan a QR code.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS
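
A pre-flight check for the free-text settings described above (Homepage, "Enter comma separated URL schemes" and "Enter JSON for search engine titles and URLs"), run before the values are pasted into the console. This is an added example, not part of the BlackBerry guide and not BlackBerry's own validation; the function names are hypothetical, the one-pair-per-object rule is inferred from the guide's sample, and the whitespace and cleartext-http findings are extra hygiene checks.

```python
import json
import re

SEARCH_KEY = "[[GASEARCHKEY]]"
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*$")  # RFC 3986 scheme grammar

# The guide's sample value, typed here as a string with wrapped-line spaces removed.
GUIDE_SAMPLE = """[
{"Google":"https://www.google.com/?gws_rd=ssl#q=[[GASEARCHKEY]]"},
{"Yahoo":"https://search.yahoo.com/search?p=[[GASEARCHKEY]]"},
{"Bing":"http://www.bing.com/search?q=[[GASEARCHKEY]]"}
]"""


def check_url(label, url):
    """Checks shared by the Homepage value and each search engine URL."""
    if not isinstance(url, str):
        return [f"{label}: value must be a string"]
    problems = []
    if re.search(r"\s", url):
        # Typical damage when a sample is copied out of a PDF with wrapped lines.
        problems.append(f"{label}: URL contains whitespace")
    if not url.startswith(("http://", "https://")):
        problems.append(f"{label}: URL must begin with http:// or https://")
    elif url.startswith("http://"):
        problems.append(f"{label}: warning, cleartext http URL")
    return problems


def check_search_engines(text):
    """Validate the 'Enter JSON for search engine titles and URLs' text box."""
    try:
        entries = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(entries, list):
        return ["top level must be a JSON array of {label: url} objects"]
    problems = []
    for index, entry in enumerate(entries):
        if not isinstance(entry, dict) or len(entry) != 1:
            problems.append(f"entry {index}: expected one label/URL pair")
            continue
        (label, url), = entry.items()
        problems += check_url(label, url)
        if isinstance(url, str):
            if not url.endswith(SEARCH_KEY):
                problems.append(f"{label}: URL must end with {SEARCH_KEY}")
            if url.count(SEARCH_KEY) > 1:
                problems.append(f"{label}: {SEARCH_KEY} appears more than once")
    return problems


def check_url_schemes(text):
    """Validate the 'Enter comma separated URL schemes' text box."""
    problems, seen = [], set()
    for raw in text.split(","):
        scheme = raw.strip()
        if not scheme:
            problems.append("empty entry (stray comma)")
        elif not SCHEME_RE.match(scheme):
            # For example a full URL such as wbx://host instead of just wbx.
            problems.append(f"{scheme!r}: not a bare scheme name")
        elif scheme.lower() in ("http", "https"):
            problems.append(f"{scheme}: warning, opened by default")
        elif scheme.lower() in seen:
            problems.append(f"{scheme}: duplicate")
        seen.add(scheme.lower())
    return problems


if __name__ == "__main__":
    for finding in check_search_engines(GUIDE_SAMPLE):
        print(finding)
    for finding in check_url_schemes("wbx://yourcompany.webex.com,lync"):
        print(finding)
```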

Setting: To force policy update to device, enter current date and time and click update
Description: This setting allows you to send the updated app settings to devices. It also refreshes PAC files.
Enter the current date and time, in either 24-hour format or 12-hour format (for example, 02-16-2017 12:04AM in 12-hour format and 02-16-2017 0004 in 24-hour format) and click Update.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

Security

Setting: Allow SHA1 leaf or intermediate certificates
Description: This setting specifies whether BlackBerry Access users can access HTTPS websites that use SHA1 signature TLS certificates and expired certificates. By default, this setting is selected.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

Setting: Allow legacy/weak algorithms (DES)
Description: This setting specifies whether BlackBerry Access can use 3DES algorithms.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS

Setting: Allow user to securely save authentication credentials
Description: This setting specifies whether BlackBerry Access users can save their authentication credentials that they use to access webpages.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Expire stored credentials after
Description: This setting specifies when the stored user credentials expire. You can choose between "Never Expire" or "24 Hrs."
This setting is valid only if the "Allow user to securely save authentication credentials" setting is selected.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS

Setting: Alert user for invalid or expired certificate
Description: This setting specifies whether users will be notified when certificates are invalid or expired.
Applies to: BlackBerry Access for Android, BlackBerry Access for iOS, BlackBerry Access for Windows, BlackBerry Access for macOS
Enforce strict tunnel This setting specifies whetherBlackBerry Accesscan
use only IP addresses and URLs listed in Connectivity profiles. If an IP address or a URL is explicitly defined to route DIRECT, the site is allowed and routes DIRECT.
External sites that are not explicitly defined in the Connectivity profile are blocked. However, if the default route is configured to use aBlackBerry Proxycluster, all undefined IP addresses and URLs are allowed. If external sites are not allowed, they are blocked.
If the default route is set to DIRECT, all sites that are not explicitly allowed are blocked.
BlackBerry Access for Android
BlackBerry Access for iOS
BlackBerry Access for Windows
BlackBerry Access for macOS
|Managing BlackBerry Access|15
Setting Description Applies to
Allow URL not in Allowed Domains of Connectivity Profiles to be loaded in native browser
When user selects apply to all during prompt to open in third party browser, do not prompt again for all the hosts under same domain.
Do not prompt client cert authorization for all sites
This setting specifies whether, whenBlackBerry Accessusers try to access webpages from domains that aren't listed in the allowed domains in Connectivity profiles, they are opened in the device's native browser instead ofBlackBerry Access.
This setting is valid only if the "Enforce strict tunnel" setting is selected.
This setting specifies whether,when user selects “Always open links from “ <domain>” in Safari“, the user will not be prompted again for any other hosts user accesses within same domain.
When a user uploads only one certificate toBlackBerry UEMthat matches a recognized CA, selecting this setting allows the webpage requesting authorization to obtain the certificate without prompting the user. If the user has uploaded multiple certificates from the same CA, the user is prompted to select the certificate to use.
BlackBerry Access for Android
BlackBerry Access for iOS
BlackBerry Access for Windows
BlackBerry Access for macOS
BlackBerry Access for iOS
BlackBerry Access for Android
BlackBerry Access for iOS
BlackBerry Access for Windows
BlackBerry Access for macOS
Do not prompt client cert authorization for white listed sites only
List all certificates available to user to choose for client cert authentication
When a user uploads only one certificate toBlackBerry UEMthat matches a recognized CA, selecting this setting allows all domains listed in the allowed domains portion in Connectivity profiles to obtain the certificate without prompting the user. If the user has uploaded multiple certificates from the same CA, the user is prompted to select the certificate to use.
Specify whether all uploaded encryption certificates are displayed when a user attempts to access websites that require a client cert
BlackBerry Access for Android
BlackBerry Access for iOS
BlackBerry Access for Windows
BlackBerry Access for macOS
BlackBerry Access for Android
BlackBerry Access for iOS
|Managing BlackBerry Access|16
Network
Setting Description Applies to
Enter comma separatedKerberosrealm mappings e.g.: foo=FOO.COMPANY.COM
EnableKerberosForwardable Ticket
Resolve short names to full qualified domain name (FQDN) forKerberosauthentication
This setting specifiesKerberosrealm mappings.Kerberosauthentication realms define areas that are under control ofKerberos. These mappings allow you to equate realm names with other names that are accessible or for some other reason.
The limit is 4000 characters.
This setting specifies whetherKerberosForwardable tickets can be used.
Forwardable tickets inKerberosare client-side authentication credentials that are tied to a particular IP address that can be treated as new tickets with other IP addresses.
This setting specifies whether users can reach servers by typing the unqualified domain name instead of the FQDN forKerberosauthentication.
Enabling this setting may impact performance.
BlackBerry Access for Android
BlackBerry Access for iOS
BlackBerry Access for Windows
BlackBerry Access for macOS
BlackBerry Access for Android
BlackBerry Access for iOS
BlackBerry Access for Android
BlackBerry Access for iOS
BlackBerry Access for Windows
BlackBerry Access for macOS
Disable file upload and download on mobile connections (Windows Only)
Enable HTTP 2.0 Support This setting specifies whether HTTP 2.0 is supported
Enable Web Proxy This setting specifies whetherBlackBerry Accesscan
This setting specifies whether files can be downloaded or uploaded when users are connected to a mobile network instead of aWi-Finetwork.
inBlackBerry Access.
communicate through a web proxy server.
BlackBerry Access for Windows
BlackBerry Access for Android
BlackBerry Access for iOS
BlackBerry Access for Android
BlackBerry Access for iOS
BlackBerry Access for Windows
BlackBerry Access for macOS
|Managing BlackBerry Access|17
Setting Description Applies to
Use Proxy Auto Configuration
Enter URL for PAC file location
PAC files make it easier for users to work with proxy servers by hiding the complexities of authentication from the end user.
If your organization uses a PAC file to define proxy rules, you can select this setting to use the proxy server settings from the PAC file that you specify.
Enabling this setting will override static web proxy settings.
This setting requiresBlackBerry Dynamicsservers version 1.6 and later.
This setting is valid only if the "Enable Web Proxy" setting is selected.
This setting specifies the URL for the web server that hosts the PAC file, including the PAC file name. For example, http://www.example.com/PACfile.pac.
Note: The PAC file must not be hosted on the same server asGood Controlor on the same server asBlackBerry UEMor any of its components. This configuration is not supported.
The limit is 4000 characters.
BlackBerry Access for Android
BlackBerry Access for iOS
BlackBerry Access for Windows
BlackBerry Access for macOS
BlackBerry Access for Android
BlackBerry Access for iOS
BlackBerry Access for Windows
BlackBerry Access for macOS
This setting is valid only if the "Enable Web Proxy" and "Use Proxy Auto Configuration" settings are selected.
Use Static Web Proxy (Full Tunnel)
Proxy Host This setting specifies the the FQDN or IP address of
This setting specifies whether communications are enabled through a single web proxy service only.
This setting is valid only if the "Enable Web Proxy" setting is selected.
Note: Enabling this setting overrides 'Enforce strict tunnel' settings.
the proxy server.
This setting is valid only if the "Use Static Web Proxy (Full Tunnel)" setting is selected.
BlackBerry Access for Android
BlackBerry Access for iOS
BlackBerry Access for Windows
BlackBerry Access for macOS
BlackBerry Access for Android
BlackBerry Access for iOS
BlackBerry Access for Windows
BlackBerry Access for macOS
|Managing BlackBerry Access|18
Setting Description Applies to
Proxy Port This setting specifies the port number of the proxy
server.
This setting is valid only if the "Use Static Web Proxy (Full Tunnel)" setting is selected.
Enable PAC proxy check for all the sub-resources
RSA
Setting Description Applies to
You can use this setting to enforce PAC processing without caching.
Selecting this setting has an impact on the performance of your organization’s environment. It is recommended to use this feature for special circumstances only.
BlackBerry Access for Android
BlackBerry Access for iOS
BlackBerry Access for Windows
BlackBerry Access for macOS
BlackBerry Access for Android
BlackBerry Access for iOS
BlackBerry Access for Windows
BlackBerry Access for macOS
EnableRSA SecurID This setting specifies whether users can useRSA
SecurIDtoken authentication to authenticate withBlackBerry Access, instead of a password.
Prompt PIN for PINPAD Token
Token File Password Retry Count
Token Request SendTo Email Address
This setting specifies whether users are always prompted for anRSA SecurIDPIN.
This setting is valid only if the "Enable RSA SecurID" setting is selected.
This setting specifies the number of times that a user can enter an incorrectRSA SecurIDPIN before they are locked out.
This setting is valid only if the "Enable RSA SecurID" setting is selected.
This setting specifies the email address of yourRSAauthentication manager. AllRSA SecurIDtoken seed record requests are sent to this address.
This setting is valid only if the "Enable RSA SecurID" setting is selected.
BlackBerry Access for Android
BlackBerry Access for iOS
BlackBerry Access for Android
BlackBerry Access for iOS
BlackBerry Access for Android
BlackBerry Access for iOS
BlackBerry Access for Android
BlackBerry Access for iOS
|Managing BlackBerry Access|19
Setting Description Applies to
Token Request CC Email Address
Token Request Email Subject
Features
Setting Description Applies to
Allow user to upload This setting specifies whether users can upload files
Allow user to take new photos/videos and upload
This setting specifies the email address that should be CC'd for allRSA SecurIDtoken seed record requests.
This setting is valid only if the "EnableRSA SecurID" setting is selected.
This setting specifies the email subject for token request emails.
This setting is valid only if the "EnableRSA SecurID" setting is selected.
to web pages inBlackBerry Access. Files can have a maximum size of 20 MB.
This setting specifies whether users can take photos and videos and upload the photos and videosto a web page. Users must allowBlackBerry Accessto access their cameras. Files can have a maximum size of 20 MB.
BlackBerry Access for Android
BlackBerry Access for iOS
BlackBerry Access for Android
BlackBerry Access for iOS
BlackBerry Access for Android
BlackBerry Access for iOS
BlackBerry Access for Android
BlackBerry Access for iOS
Allow user to select existing photos/videos to upload
Allow user to select files from file providers to upload
Allow user to upload files from the download manager
This setting specifies whether users can upload existing photos and videos from their photo libraries to a web page. Files can have a maximum size of 20 MB.
This setting specifies whether users can upload files from other file apps. Files can have a maximum size of 20 MB.
This setting specifies whether users can upload files that have been downloaded to the downloads folder inBlackBerry Access.
BlackBerry Access for Android
BlackBerry Access for iOS
BlackBerry Access for Android
BlackBerry Access for iOS
BlackBerry Access for Android
BlackBerry Access for iOS
|Managing BlackBerry Access|20
BlackBerry Work(Mac and Win)
Setting Description Applies to
Launch mail app on browser start
Enable avatar photos This setting specifies whether users can set avatar
EWS server Optionally, you can use this setting to specify the
This setting specifies whether the mail app opens instead of a browser windowwhenBlackBerry Accessstarts.
photos. If it is disabled, the user's initials appear instead.
URL that the mail app uses forMicrosoft Exchange Web Servicesprovisioning.Otherwise,BlackBerry Workuses autodiscovery methods to locate the EWS server.
Optionally, you can enter a series of name=value pairs separated by commas, where the name designates an email domain and the value designates the URL for the EWS endpoint for that domain.Using this method, administrators can assign multiple users with different EWS endpoints to the same application policy and be able to controlwhere the mail app accesses mail, based on the user’s email domain.
BlackBerry Access for Windows
BlackBerry Access for macOS
BlackBerry Access for Windows
BlackBerry Access for macOS
BlackBerry Access for Windows
BlackBerry Access for macOS
Enable KCD or PKNIT Support
Use client certificate in place of login/password
For example:
Single value: blackberry.com=http:// mail.blackberry.com
Multiple values: blackberry.com=http:// mail.blackberry.com,yahoo.com=https:// mail.yahoo.com
Note: BlackBerry Accessdoes not validate the entries. All related logs are prefixed by[WEB_MAIL] EWS URL Resolution:at the INFO log level.
This setting specifies whether the mail app can useKerberosconstrained delegation.
This setting specifies whether users can use SSL certificates instead of using a login and password to authenticate withBlackBerry Work. Depending on your environment, SSL certificates must be uploaded toBlackBerry UEMorGood Control. For more information, seeManaging certificates.
BlackBerry Access for Windows
BlackBerry Access for macOS
BlackBerry Access for Windows
BlackBerry Access for macOS
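
Because BlackBerry Access does not validate the EWS server entries, a pre-flight check run before the value is pasted into the policy catches malformed pairs. This is an added example, not BlackBerry code: the function name, the severity labels and the checks themselves (including the warning on http endpoints and the note on endpoints outside the email domain) are assumptions of this example, and it covers only the name=value form.

```python
import re
from urllib.parse import urlsplit

# Hostname-style email domain: dot-separated labels of letters, digits, hyphens.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

# The "Multiple values" example from the guide.
PAGE_EXAMPLE = (
    "blackberry.com=http://mail.blackberry.com,"
    "yahoo.com=https://mail.yahoo.com"
)

# Constructed input with typical copy-and-paste mistakes.
CONSTRUCTED_BAD = (
    "example.com=https:// mail.example.com,,"
    "example.org=ftp://mail.example.org,"
    "example.net=https://ews.example.com/EWS/Exchange.asmx,"
    "example.net=https://mail.example.net"
)


def check_ews_mapping(value):
    """Validate an 'EWS server' value of the form domain=url[,domain=url...].

    Returns (mapping, findings). mapping holds the entries that parsed
    cleanly; findings is a list of (severity, entry, message) tuples.
    """
    mapping = {}
    findings = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            findings.append(("error", raw, "empty entry (stray comma)"))
            continue
        domain, sep, url = entry.partition("=")
        domain = domain.strip().lower()
        url = url.strip()
        if not sep or not domain or not url:
            findings.append(("error", entry, "expected domain=url"))
            continue
        if not DOMAIN_RE.match(domain):
            findings.append(("error", entry, "invalid email domain"))
            continue
        # A space after "http://" is a common artifact of copying from a PDF.
        if any(ch.isspace() for ch in url):
            findings.append(("error", entry, "whitespace inside URL"))
            continue
        try:
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
        except ValueError:
            findings.append(("error", entry, "URL does not parse"))
            continue
        if parts.scheme not in ("http", "https") or not host:
            findings.append(("error", entry, "URL must be http(s)://host[/path]"))
            continue
        if parts.username or parts.password:
            findings.append(("error", entry, "credentials embedded in URL"))
            continue
        if domain in mapping:
            findings.append(("error", entry, "duplicate domain: " + domain))
            continue
        if parts.scheme == "http":
            findings.append(("warning", entry, "cleartext http endpoint"))
        if host != domain and not host.endswith("." + domain):
            findings.append(("note", entry, "endpoint host is outside " + domain))
        mapping[domain] = url
    return mapping, findings


if __name__ == "__main__":
    for label, value in (("page", PAGE_EXAMPLE), ("constructed", CONSTRUCTED_BAD)):
        accepted, issues = check_ews_mapping(value)
        print(label, "accepted:", accepted)
        for severity, entry, message in issues:
            print("  %-7s %r: %s" % (severity, entry, message))
```

Entries reported as errors are left out of the returned mapping; warnings and notes are kept in it and left for the administrator to review.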
|Managing BlackBerry Access|21
Setting Description Applies to
Disable Notifications This setting specifies whetherBlackBerry
Workdisplays notifications for mail and calendar events.
Enable email Classification
This setting specifies whether to enable email classification markings, such as INTERNAL, CONFIDENTIAL, NO FORWARD, and/or NO REPLY.If selected, specify the following sample information in theClassifications and caveatsfield as required:
<emailClassificationMarks> <options> <classifications>ON</ classifications> <caveats>OFF</caveats>
<classificationDefault>INTERNAL</ classificationDefault> <caveatDefault>NO FORWARD</ caveatDefault> </options> <classifications> <classification> <select>INTERNAL</select> <subject>(INTERNAL)</subject> </classification> <classification> <select>CONFIDENTIAL</select> <subject>[CONFIDENTIAL]</ subject> </classification> </classifications> <caveats> <caveat> <select>NO FORWARD</select> <subject>(DO NOT FORWARD)</ subject> </caveat> <caveat> <select>NO REPLY</select> <subject>(DO NOT REPLY)</ subject> </caveat> </caveats> </emailClassificationMarks>
BlackBerry Access for Windows
BlackBerry Access for macOS
BlackBerry Access for Windows
BlackBerry Access for macOS
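
A consistency check for the Classifications and caveats XML before it is saved in the policy, given as an added example that is not BlackBerry code. The function name and both rules it applies are assumptions of this example: that the switches in the options block take only the ON and OFF values shown in the sample, and that each default must name a defined select value.

```python
import xml.etree.ElementTree as ET

# (list element, item element, default element inside <options>)
GROUPS = (
    ("classifications", "classification", "classificationDefault"),
    ("caveats", "caveat", "caveatDefault"),
)

# The sample from the guide, compacted.
PAGE_SAMPLE = """
<emailClassificationMarks>
<options><classifications>ON</classifications><caveats>OFF</caveats>
<classificationDefault>INTERNAL</classificationDefault>
<caveatDefault>NO FORWARD</caveatDefault></options>
<classifications>
<classification><select>INTERNAL</select><subject>(INTERNAL)</subject></classification>
<classification><select>CONFIDENTIAL</select><subject>[CONFIDENTIAL]</subject></classification>
</classifications>
<caveats>
<caveat><select>NO FORWARD</select><subject>(DO NOT FORWARD)</subject></caveat>
<caveat><select>NO REPLY</select><subject>(DO NOT REPLY)</subject></caveat>
</caveats>
</emailClassificationMarks>
"""

# Same sample with the line-wrap space that PDF copies put inside a closing tag.
AS_COPIED = PAGE_SAMPLE.replace("</classifications>", "</ classifications>", 1)

# Constructed input: undefined default, bad switch value, duplicate caveat.
CONSTRUCTED_BAD = """
<emailClassificationMarks>
<options><classifications>ON</classifications><caveats>YES</caveats>
<classificationDefault>SECRET</classificationDefault>
<caveatDefault>NO FORWARD</caveatDefault></options>
<classifications>
<classification><select>INTERNAL</select><subject>(INTERNAL)</subject></classification>
</classifications>
<caveats>
<caveat><select>NO FORWARD</select><subject>(DO NOT FORWARD)</subject></caveat>
<caveat><select>NO FORWARD</select><subject>(NO FWD)</subject></caveat>
</caveats>
</emailClassificationMarks>
"""


def check_classification_xml(text):
    """Return a list of problems in an emailClassificationMarks document."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if root.tag != "emailClassificationMarks":
        return ["unexpected root element <%s>" % root.tag]
    options = root.find("options")
    if options is None:
        return ["missing <options> block"]

    problems = []
    for group, item, default_tag in GROUPS:
        # Assumption: the switch takes only the two values the guide shows.
        switch = (options.findtext(group) or "").strip()
        if switch not in ("ON", "OFF"):
            problems.append(
                "<options>/<%s> must be ON or OFF, got %r" % (group, switch)
            )
        selects = []
        for node in root.findall("%s/%s" % (group, item)):
            select = (node.findtext("select") or "").strip()
            subject = (node.findtext("subject") or "").strip()
            if not select or not subject:
                problems.append(
                    "<%s> needs a non-empty <select> and <subject>" % item
                )
                continue
            if select in selects:
                problems.append("duplicate <%s> %r" % (item, select))
            selects.append(select)
        # Assumption: a default must name one of the defined <select> values.
        default = (options.findtext(default_tag) or "").strip()
        if default and default not in selects:
            problems.append(
                "<%s> %r is not a defined <%s>" % (default_tag, default, item)
            )
    return problems


if __name__ == "__main__":
    for label, doc in (("page sample", PAGE_SAMPLE), ("as copied", AS_COPIED),
                       ("constructed", CONSTRUCTED_BAD)):
        print(label, "->", check_classification_xml(doc) or "OK")
```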
|Managing BlackBerry Access|22
Setting Description Applies to
Display warning while sending message if recipient's email domain is unauthorized
Default signing algorithm This setting specifies the algorithm to use for signing
Default encryption algorithm
Enable Revocation Checking
This setting specifies whether to display a warning if the user is sending an email to a recipient in an email domain that is not authorized. If selected, specify email domains you want to authorize in the Authorize email domains field.
Users will notice that email addresses in untrusted domains appear in purple text.
sent messages.
This setting specifies the algorithm to use for encrypting sent messages.
This setting allows you to setrevocation checking of all certificates used for signing/encryption and signing verification/decryption of S/MIME messages.
When you select this box,Use AIA extension in certificate if presentis selected by default.
In theDefault OSCP URLfield, specify the web address of the OSCP service.The OCSP URI is used by the S/MIME verification APIs as an OCSP revocation check service if an AIA extension is not present in a certificate or if theUse AIA extension in certificate if presentcheck box is not selected.
BlackBerry Access for Windows
BlackBerry Access for macOS
BlackBerry Access for Windows
BlackBerry Access for macOS
BlackBerry Access for Windows
BlackBerry Access for macOS
BlackBerry Access for Windows
BlackBerry Access for macOS
|Managing BlackBerry Access|23
Setting Description Applies to
UseOffice 365Modern Authentication
This setting allows you to configure options forMicrosoft Office 365. Modern authentication enablesBlackBerry Workto us sign-in features such as Multi-Factor Authentication and SAML-based third-party Identity Providers. If selected, specify the following:
In theAzureApp ID field, specify theMicrosoft Azureapp ID forBlackBerry Work.
For information on how obtain anAzureapp ID, seeObtain anAzureapp ID forBlackBerry
WorkforWindowsandmacOS.
In theOffice 365Sign On URL field, specify the web address thatBlackBerry Workshould use when it signs in toOffice 365. If you do not specify a value,BlackBerry Workuses https:// login.microsoftonline.com during setup.
In theOffice 365Tenant ID field, specify the tenant ID of theOffice 365server that you wantBlackBerry Workto connect to during setup. If you do not specify a value, a value of "common" is used.
In theOffice 365Resource field, specify the resource URL of theOffice 365server that you wantBlackBerry Workto connect to during setup. If you do not specify a value,BlackBerry Workuseshttps://outlook.office365.com during setup.
BlackBerry Access for Windows
BlackBerry Access for macOS
BlackBerry Access(Mac and Win)
Setting Description Applies to
Enable WebRTC This setting specifies whether to enableaccess
to WebRTC protocol-based destinations such asCitrixVDI browser-based access.
For information on how to configureBlackBerry Accessto support WebRTC, seeConfigure access to
WebRTC-based destinations.
Enable Microphone Access
This setting specifies whetherBlackBerry Accessshould display a prompt that allows users to permit websites to use the device's microphone. You can enable it only if WebRTC is enabled.
BlackBerry Access for Windows
BlackBerry Access for macOS
BlackBerry Access for Windows
BlackBerry Access for macOS
|Managing BlackBerry Access|24
Setting Description Applies to
Enable Camera Access This setting specifies whetherBlackBerry
Accessshould display a prompt that allows users to permit websites touse the device's camera.You can enable it only if WebRTC is enabled.
Enable UDP Protocol support
Enable Printing This setting specifies whether to allow users to print
Enable embedded PDF viewer
Automatically open PDF andMicrosoft Officedocuments after download
This setting specifies whether to allow UDP connections initiated by websites.
web pages.
This setting specifies whether to allow users to view embedded PDFs from withinBlackBerry Access.
BlackBerry Access for Windows
BlackBerry Access for macOS
BlackBerry Access for Windows
BlackBerry Access for macOS
BlackBerry Access for Windows
BlackBerry Access for macOS
BlackBerry Access for Windows
BlackBerry Access for macOS
BlackBerry Access for Windows
BlackBerry Access for macOS
EnableMicrosoft OfficeURI support
OnlyMicrosoft OfficeURIs that specify online documents are supported.
BlackBerry Access for Windows
BlackBerry Access for macOS
|Managing BlackBerry Access|25
Setting Description Applies to
Enable Upgrade Notifications
Enable Awingu Extension This setting specifies whether to enable the Awingu
This setting specifies whether to push notifications to users when a new upgrade is available.
If selected, specify the following:
In the Min Windows Version field, specify the minimumBlackBerry Access for Windowsversion. If there are versions available that are later than the version specified in this field, users will be sent an upgrade notification.
In the Min Mac Version field, specify the minimumBlackBerry Access for macOSversion. If there are versions available that are later than the version specified in this field, users will be sent an upgrade notification.
In the Win Download URL field, specify the URL for theBlackBerry Access for Windowsapp.
In the Mac Download URL field, specify the URL for theBlackBerry Access for Windowsapp.
In the Notification Message, you can create a custom message or leave the default message.
extension which allows users to store their Awingu credentials. Also, when enabled, an icon is added to the toolbar inBlackBerry Accessand users can launch Awingu by clicking the icon in the toolbar.
BlackBerry Access for Windows
BlackBerry Access for macOS
BlackBerry Access for Windows
BlackBerry Access for macOS
If selected, you must specify the following:
In the Awingu URL field, specify your organization's Awingu URL. For example, yourcompany.awingu.com
In the Awingu DOMAIN field, specify your organization's Awingu domain.
|Managing BlackBerry Access|26
Setting Description Applies to
Enable installation of extensions
Enable developer mode This setting allows you to enable developer mode
This setting specifies whether to allow websites to download extensions for third-party apps.
If selected, in the Permitted Extension Ids field, specify one more more extension IDs that can be installed. The source can be from any URL.
Note: WebExandSkypecan be enabled either by adding their extension ids or by adding their protocols to the external protocols list.
In theChromeapp store, users can add only apps that have permitted extensions.
If anextension is enabled and installed, and the administrator removes its ID, the extension is removed fromBlackBerry Access. If the administrator re-adds the extension, the user must restartBlackBerry Accessto be able to add the app from theChromeapp store.
inBlackBerry Access.
BlackBerry Access for Windows
BlackBerry Access for macOS
BlackBerry Access for Windows
BlackBerry Access for macOS
Obtain anAzureapp ID forBlackBerry WorkforWindowsandmacOS
If you are configuringOffice 365settings in the app configuration forBlackBerry Work, you may need to obtain and copy theAzureapp ID forBlackBerry WorkforWindowsandmacOS.
Note: If you have already created anAzureapp ID forBlackBerry WorkforiOSandBlackBerry WorkforAndroid,make sure that you do not use the sameAzureapp ID forforBlackBerry WorkforWindowsandmacOS.BlackBerry WorkforWindowsandmacOSneed their ownAzureapp ID.
1. Log on toportal.azure.com.
2. In the left column, clickAzure Active Directory.
3. ClickApp registrations.
4. ClickNew registration.
5. In theNamefield, enter a name for the app. This is the name that users will see.
6. Select a supported account type.
7. In theRedirect URIdrop-down list, selectPublic client (mobile & desktop). and enterchrome-extension://
glilhfdenplejncjmngdaojopbobomfa/login.html
8. ClickRegister.
9. In theManagesection, clickAPI permissions.
10.ClickAdd a permission.
11.In theSelect an APIsection, click theMicrosoft APIstab.
12.SelectExchange.
13.If your environment is usingOffice 365 Exchange Online, set the following permissions:
|Managing BlackBerry Access|27
Delegated permissions: Access mailboxes as the signed-in user via Exchange Web Services (EWS >
EWS.AccessAsUser.All).
14.ClickAdd permissions.
15.ClickMicrosoft Graph. IfMicrosoft Graphis not listed, addMicrosoft Graph.
16.Set the following permissions forMicrosoft Graph:
Delegated permissions
Sign in and read user profile (User > User.Read)
Send mail as a user(Mail > Mail.Send)
17.Click one of the following:
IfMicrosoft Graphexisted in the API permissions list, clickUpdate permissions.
If you needed to addMicrosoft Graph, clickCreate.
18.ClickGrant Permissionsto apply the permissions for the app. These settings will not be applied to the app
until you have granted the updated permissions.
19.ClickYes. You can now copy the Application ID for the app that you created.In theManagesection, clickOverview.It is located under the name of the app, in the Application ID field.

Configuring the BlackBerry Dynamics Launcher

The BlackBerry Dynamics Launcher allows users to access their BlackBerry Dynamics apps in one place. Using the BlackBerry Dynamics Launcher button, users can access things such as BlackBerry Work (mail, calendar, contacts), app catalogs, and downloads, from the BlackBerry Access browser window.
You can configure the BlackBerry Dynamics Launcher in the BlackBerry Enterprise Mobility Server. You can also set a customized icon for the BlackBerry Dynamics Launcher.
For more information, see the BlackBerry Enterprise Mobility Server content.

Adding the work app catalog to the BlackBerry Dynamics Launcher

You can add the work app catalog to the BlackBerry Dynamics Launcher so that users have quick access to a list of their assigned work apps.
For BlackBerry Access for Android devices, when users select the BlackBerry UEM App Catalog icon in the BlackBerry Dynamics Launcher, the work app catalog opens in the BlackBerry UEM Client.
For BlackBerry Access for iOS devices, when users select the BlackBerry UEM App Catalog icon in the BlackBerry Dynamics Launcher, the work app catalog opens in the BlackBerry Access for iOS browser.
For more information about using BlackBerry UEM to manage BlackBerry Access, see the Getting started with BlackBerry UEM and BlackBerry Dynamics content.
For more information about using Good Control to manage BlackBerry Access, visit http://help.blackberry.com/en/good-control-good-proxy/current/ to read the Good Control Help Guide.

Whitelist theBlackBerry UEM App Catalogin theBlackBerry DynamicsConnectivity profile
TheBlackBerry UEM App Catalogfeature is configured automatically byBlackBerry UEMand must be able to route through the Internet. If theRoute all trafficoption is not selected in theBlackBerry DynamicsConnectivity profile, you must configure the *.bbsecure.com domain requests to route through Direct. For more information on theBlackBerry DynamicsConnectivity profile, seeSetting up network connections for BlackBerry Dynamics apps.
1. On the menu bar, clickPolicies and Profiles.
2. ClickNetworks and connections>BlackBerry Dynamics connectivity.
3. Select the connectivity profile that you want to edit.
4. In theDomaintable, click+.
5. On theAllowed Domainscreen, enter the following:
a) In theDomainfield, enter*.bbsecure.com. b) SelectDirect.
6. ClickSave.

Configure single sign-on for BlackBerry Access in Good Control

You can enable single sign-on for BlackBerry Access in an environment that's already set up for Microsoft Office 365 with Microsoft Active Directory Federation Services and single sign-on.
Before you begin:
Configure single sign-on in Office 365 with Active Directory Federation Services version 2.0 or 3.0, relying on Windows Authentication and Kerberos.
Configure Good Control for Kerberos constrained delegation.
Verify that the "Identify BlackBerry Access in User Agent" app setting is selected in BlackBerry UEM or Good Control.
1. Verify the SPN for Active Directory Federation Services. For Active Directory Federation Services to use Kerberos, the Active Directory Federation Services service must have registered an SPN. This SPN should already be registered by the prerequisite Active Directory Federation Services configuration in Office 365.
a) Open a command prompt on a computer with Active Directory RSAT tools installed.
b) Enter the command: setspn -q HOST/fqdn.of.adfs.server where fqdn.of.adfs.server is the FQDN of your Active Directory Federation Services server.
This command exposes the name of the service account that serves Active Directory Federation Services. For a safer form of delegation (HOST allows any protocol, only HTTP is needed) you might want to register the HTTP SPN of the Active Directory Federation Services service account with the following command: setspn -S HTTP/fqdn.of.adfs.server ADFS_service_account, where ADFS_service_account is the name of the Active Directory Federation Services service account shown in the previous command.
2. Enable the User Agent in Active Directory Federation Services. By default, Active Directory Federation Services allows only known user agents to use Windows Authentication. All other user agents are considered external and are served with Forms Based Authentication (FBA) or certificate authentication.
a) To enable single sign-on in BlackBerry Access, you need to add the BlackBerry Access user agent string to Active Directory Federation Services to allow Windows Authentication for BlackBerry Access and Kerberos constrained delegation. For all platforms, the BlackBerry Access user agent string begins with Mozilla/5.0.
b) To verify the Active Directory Federation Services user agents, enter the following command: Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
c) Edit and run the following script to add the new user agent to Active Directory Federation Services. $NewUserAgent must be edited to the value that you will add.

    # User agent string to add to the Windows Authentication list
    $NewUserAgent = "Mozilla/5.0"
    # Read the current list so that existing entries are preserved
    $CurrentUserAgents = Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
    # Append the new value and write the combined list back
    $UserAgentAddArray = $CurrentUserAgents + $NewUserAgent
    Set-ADFSProperties -WIASupportedUserAgents $UserAgentAddArray

d) To verify that the Active Directory Federation Services user agent has been added, run the Get-ADFSProperties command again: Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
e) Restart the Active Directory Federation Services service.
3. Set delegation on the Kerberos account of Good Control.
a) Log in to Good Control.
b) Navigate to the Server Properties tab.
c) Scroll to find the value of the gc.krb5.principal.name property. Set this object name in Microsoft Active Directory.
d) On your Microsoft Active Directory server, click the Delegation tab.
e) Click ADD and enter the Active Directory Federation Services service account name that you discovered in step 1.
f) Add the HTTP SPN.
g) Click OK.

Configure single sign-on for BlackBerry Access in BlackBerry UEM

You can enable single sign-on for BlackBerry Access in an environment that's already set up for Microsoft Office 365 with Microsoft Active Directory Federation Services and single sign-on.
Before you begin:
Configure single sign-on in Office 365 with Active Directory Federation Services version 2.0 or 3.0, relying on Windows Authentication and Kerberos.
Configure BlackBerry UEM for Kerberos constrained delegation.
Verify that the "Identify BlackBerry Access in User Agent" app setting is selected in BlackBerry UEM.
1. Verify the SPN for Active Directory Federation Services. For Active Directory Federation Services to use Kerberos, the Active Directory Federation Services service must have registered an SPN. This SPN should already be registered by the prerequisite Active Directory Federation Services configuration in Office 365.
a) Open a command prompt on a computer with Active Directory RSAT tools installed.
b) Enter the command: setspn -q HOST/fqdn.of.adfs.server where fqdn.of.adfs.server is the FQDN of your Active Directory Federation Services server.
This command exposes the name of the service account that serves Active Directory Federation Services. For a safer form of delegation (HOST allows any protocol, only HTTP is needed) you might want to register the HTTP SPN of the Active Directory Federation Services service account with the following command: setspn -S HTTP/fqdn.of.adfs.server ADFS_service_account, where ADFS_service_account is the name of the Active Directory Federation Services service account shown in the previous command.
|Managing BlackBerry Access|30
Loading...
+ 82 hidden pages