BlackBerry Enterprise Server for Microsoft Exchange User Manual

Administration Guide
BlackBerry Enterprise Server for Microsoft Exchange
Version: 4.1 | Service Pack: 6
SWD-493311-0708083041-001
Contents
1 Creating administrator accounts
Administrative roles
Creating a BlackBerry Enterprise Server administrator in a Microsoft SQL Server environment
Configure the BlackBerry Manager to use database authentication in a Microsoft SQL Server environment
2 Setting up security options
How the BlackBerry Enterprise Solution encrypts data on the transport layer
Standard encryption algorithms that the BlackBerry Enterprise Solution uses
Change the encryption type
Options for extending messaging security
Protection of data using the PGP Support Package for BlackBerry devices
Prerequisites: Protecting data using the PGP Support Package for BlackBerry devices
Prerequisites: Protecting data using the S/MIME Support Package for BlackBerry devices
Generating organization-specific encryption keys for PIN-to-PIN message encryption
Generate a new peer-to-peer encryption key
Authenticating the BlackBerry MDS Integration Service to the BlackBerry Manager and web services
Allow the BlackBerry MDS Integration Service to communicate with the BlackBerry Manager
Allow client authentication between the BlackBerry MDS Integration Service and web services
3 Setting up proxy servers for BlackBerry Enterprise Server components
Configuring certain BlackBerry Enterprise Server components to use proxy servers
Configure a BlackBerry Enterprise Server component to authenticate to a proxy server on behalf of BlackBerry
4 Sharing BlackBerry Enterprise Server components
Configuring multiple BlackBerry Enterprise Server instances to use the same BlackBerry Enterprise Server component
Configure multiple BlackBerry Enterprise Server instances to use the same BlackBerry MDS Connection Service
Configure multiple BlackBerry Enterprise Server instances to use the same BlackBerry MDS Integration Service
Configure multiple BlackBerry Enterprise Server instances to use the same BlackBerry Collaboration Service
5 Setting up user accounts
Adding user accounts to the BlackBerry Enterprise Server
Add user accounts to the BlackBerry Enterprise Server
Creating user groups
Create a user group
Add a user account to a user group
6 Sending software and Java applications to BlackBerry devices
Making BlackBerry Device Software and Java applications available to users
Making software and applications available on a network drive
Install the BlackBerry Device Software on a network drive
Indexing applications on a network drive
Create or update a software index for applications on a network drive
Share a network drive for applications
Defining software configurations
Create a software configuration
Define an application control policy
Send an application to a BlackBerry device over the wireless network
Monitor wireless application push failures
Install the BlackBerry Device Software or BlackBerry Applications on a BlackBerry device using the BlackBerry Manager
Installing the collaboration client on BlackBerry devices
7 Setting up the messaging environment
Creating email message filters
Create an email message filter that applies to all users
Turn on an email message filter that applies to a user group
Create an email message filter that applies to a specific user account
Turn on an email message filter that applies to a specific user account
Enforcing secure messaging using classifications
Configure message classifications
Create a message classification
Create a message classification based on an existing classification
Order message classifications
Delete message classifications
Mapping address book fields for synchronization and address lookups
8 Making BlackBerry MDS Runtime Applications available to users
Creating BlackBerry MDS Runtime Applications and sending them to BlackBerry devices
Preparing BlackBerry devices to install BlackBerry MDS Runtime Applications
Configuring access to web services and managing signed and unsigned applications
Allow BlackBerry MDS Runtime Applications to access web services using HTTPS
Define a BlackBerry MDS Runtime Application as a trusted application
Configure whether users can install unsigned BlackBerry MDS Runtime Applications on BlackBerry devices
Configuring how users access and use BlackBerry MDS Runtime Applications
Create a BlackBerry MDS Integration Service device policy
Assign a BlackBerry MDS Integration Service device policy to a user group
Assign a BlackBerry MDS Integration Service device policy to a specific user
Sending BlackBerry MDS Runtime Applications to BlackBerry devices
Install a BlackBerry MDS Runtime Application on BlackBerry devices
Install a BlackBerry MDS Runtime Application on a specific BlackBerry device
Applying an application control policy to a BlackBerry MDS Runtime Application
Add the application launcher file for a BlackBerry MDS Runtime Application to the network drive
Assign an application control policy to a BlackBerry MDS Runtime Application
9 Configuring how users access enterprise applications and web content
Specifying a BlackBerry MDS Connection Service as the central push server
Configuring how BlackBerry devices authenticate to content servers
Configure how BlackBerry devices authenticate to content servers
Configure the BlackBerry MDS Connection Service to authenticate BlackBerry devices to content servers that use NTLM
Configure the BlackBerry MDS Connection Service to authenticate BlackBerry devices to content servers that
Configure the BlackBerry MDS Connection Service to authenticate BlackBerry devices to content servers that
Configure the BlackBerry MDS Connection Service to authenticate BlackBerry devices to the RSA Authentication
Configuring how the BlackBerry MDS Connection Service manages requests for web content
Configure the BlackBerry MDS Connection Service to manage HTTP cookie storage
Configure the timeout limit for HTTP connections with BlackBerry devices
Configure the timeout limit for HTTP connections to web servers
Configure the maximum number of times that the BlackBerry Browser accepts HTTP redirections
Allowing push applications to make trusted connections to the BlackBerry MDS Connection Service
Create a key store to store certificates for use with HTTPS connections
Add a certificate for the BlackBerry MDS Connection Service
Export the BlackBerry MDS Connection Service certificate to make it available to push applications
Import the BlackBerry MDS Connection Service certificate to the key store of a push application
Configuring how applications open trusted connections to web servers
Allow BlackBerry devices to connect to untrusted web servers
Configure the BlackBerry MDS Connection Service to retrieve certificates for web servers
Configure the BlackBerry MDS Connection Service to retrieve the status of certificates for web servers
Add retrieved certificates for web servers
Configuring how the BlackBerry MDS Connection Service connects to BlackBerry devices
Specify the maximum amount of data that the BlackBerry MDS Connection Service can send to BlackBerry devices
Specify the pending content timeout limit for the BlackBerry MDS Connection Service
Allow Java applications to use persistent socket connections with the BlackBerry MDS Connection Service
Specify the thread pool size of the BlackBerry MDS Connection Service
Specify the maximum number of persistent socket connections
Specify the port number that the web server listens on for push application requests
Specify how often the BlackBerry MDS Connection Service polls for configuration information
10 Assigning BlackBerry devices to users
Preparing to distribute BlackBerry devices
Assigning BlackBerry devices to user accounts
Option 1: Activate a BlackBerry device using the BlackBerry Manager
Option 2: Activating BlackBerry devices over the wireless network
Option 3: Activating BlackBerry devices over the LAN
11 Managing administrator accounts
Assign a BlackBerry Enterprise Server administrator to a different administrative role
Delete an administrator account from a BlackBerry Enterprise Server
12 Controlling the BlackBerry environment
Controlling BlackBerry device access to the BlackBerry Enterprise Server
Turn on the Enterprise Service Policy
Permit a user to override the Enterprise Service Policy
Controlling BlackBerry device behavior using IT policies
Create an IT policy
Assign an IT policy to a group of users
Deactivating BlackBerry devices without applied IT policies
Changing the default behavior of the BlackBerry devices and BlackBerry Desktop Software in your organization
Returning to the original default behavior of BlackBerry devices and the BlackBerry Desktop Software
Creating new IT policy rules to control third-party applications
13 Managing user accounts
Managing user groups
Delete a user group
Managing user accounts
Move a user account to a different user group
Move a user account out of a user group
Move a user account from one BlackBerry Enterprise Server to another
Delete a user account from the BlackBerry Enterprise Server
Update a user account manually
14 Protecting and reassigning BlackBerry devices
Protecting lost, stolen, or replaced BlackBerry devices
Protect a lost BlackBerry device
Reissuing BlackBerry devices to new users
Preparing a BlackBerry device for redistribution
15 Managing wireless applications
Managing applications on BlackBerry devices
Upgrade an application on a BlackBerry device over the wireless network
Remove applications from BlackBerry devices over the wireless network
Change an application control policy
Managing software configurations
16 Managing organizer data synchronization
Turning off organizer data synchronization
Turn off synchronization of organizer data for all user accounts
Turn off synchronization of organizer data for a user group
Turn off synchronization of organizer data for a specific user account
Changing how organizer data synchronizes
Change the direction of organizer data synchronization for all user accounts
Change the direction of organizer data synchronization for a user group
Change the direction of organizer data synchronization for a specific user account
Change how conflicts during organizer data synchronization are resolved for all user accounts
Change how conflicts during organizer data synchronization are resolved for a user group
Change how conflicts during organizer data synchronization are resolved for a specific user account
17 Managing your messaging environment and attachment support
Managing message forwarding
Forward messages to a BlackBerry device when no filter rules apply
Do not deliver messages to a BlackBerry device when no filter rules apply
Forward messages from inbox subfolders to a BlackBerry device
Turn off synchronization for messages sent from BlackBerry devices that belong to a user group
Turn off synchronization for messages sent from a BlackBerry device
Managing wireless message reconciliation
Managing content in RTF and HTML-formatted messages
Turn off rich content and inline images for groups of users
Turn off rich content and inline images in messages for individual users
Managing access to remote message data
Turn off the ability to check meeting invitee availability on the BlackBerry device
Turn off the ability to search for remote email messages from the BlackBerry device
Managing message signatures and disclaimers
Add a signature to all messages sent by members of a user group
Add a signature to all messages sent from a user’s BlackBerry device
Add a disclaimer to all messages sent from BlackBerry devices
Add a disclaimer to all messages sent by members of a user group
Add a disclaimer to all messages sent from a user’s BlackBerry device
Specify conflict rules for disclaimers
Turn off disclaimers
Monitor messages that users send from their BlackBerry devices
Managing the incoming message queue
Delete messages for a specific user from the incoming message queue
Managing the wireless backup and recovery of organizer data
Turn off the wireless backup of organizer data for a user group
Turn off the wireless backup of organizer data for a user account
Delete a user’s organizer data from the BlackBerry Enterprise Server
Synchronizing contact pictures
Turn off synchronization for contact pictures on a user account
Sending notification messages to users
Send a notification message to all users in the BlackBerry Domain
Send a notification message to all users on a BlackBerry Enterprise Server
Send a notification message to the members of a user group
Send a notification message to a specific user
Managing instant messaging
Change the instant messaging server that the BlackBerry Collaboration Service connects to
Changing the transport protocol that the BlackBerry Collaboration Service uses to connect to the instant messaging server
Specify the Microsoft Windows domain name for users who log in to the collaboration client
Managing instant messaging sessions
Specify the maximum number of instant messaging sessions that can be open at the same time
Specify the idle timeout limit for instant messaging sessions
Specify the inactivity timeout limit for instant messaging sessions
Managing instant messaging features
Prevent users from sending specific file types to instant messaging contacts using the BlackBerry Client for IBM Lotus Sametime
Specifying the maximum size of file types that users can send using the BlackBerry Client for IBM Lotus Sametime
Prevent users from sending instant messaging conversations in email messages
Prevent users from saving instant messaging conversations
Manage the icon that appears on the BlackBerry device for mobile contacts
Make additional contact information and phone numbers available for the BlackBerry Client for IBM Lotus Sametime users
Troubleshooting: Instant messaging
Users cannot view phone numbers for contacts in the BlackBerry Client for IBM Lotus Sametime
Optimizing how the BlackBerry Attachment Service converts attachments
BlackBerry Attachment Service optimization settings
Change the maximum file size for attachments that users can receive......................................................................... 124
Suggested file sizes for attachments................................................................................................................................... 124
Change the maximum dimensions for image attachments that users can view........................................................... 125
Optimizing how the BlackBerry Messaging Agent reconciles attachments to the messaging server........................... 125
Change the maximum file size for attachments that users can send............................................................................. 126
Prevent users from sending large attachments.................................................................................................................. 126
Change the maximum file size of attachments that users can download...................................................................... 126
Turn off support for an attachment file format....................................................................................................................... 127
Add support for additional attachment file formats.............................................................................................................. 127
18 Managing BlackBerry MDS Runtime Applications
Upgrade a BlackBerry MDS Runtime Application on BlackBerry devices
Remove a trusted certificate from the BlackBerry MDS Integration Service
Making installed BlackBerry MDS Runtime Applications unavailable on BlackBerry devices
Make an installed BlackBerry MDS Runtime Application unavailable on BlackBerry devices
Make an installed BlackBerry MDS Runtime Application available on BlackBerry devices again
Removing BlackBerry MDS Runtime Applications
Make a BlackBerry MDS Runtime Application unavailable for installation
Remove an installed BlackBerry MDS Runtime Application from BlackBerry devices
Remove an installed BlackBerry MDS Runtime Application from a specific BlackBerry device
Configuring a new connection between a BlackBerry MDS Integration Service and a BlackBerry MDS Connection Service
Make a BlackBerry MDS Connection Service available to a BlackBerry MDS Integration Service
Make a BlackBerry MDS Connection Service unavailable to a BlackBerry MDS Integration Service
19 Managing how users access enterprise applications and web content
Restricting user access to content on web servers
Restrict requests for content on web servers from BlackBerry devices
Specify web address patterns
Create a pull rule
Restrict or allow web address patterns using a pull rule
Assign a pull rule to a user group
Assign a pull rule to a specific user
Restricting user access to media content in the BlackBerry Browser
Prevent users from accessing specific media types
Configure a maximum file size for media types
Restricting the push application content that users can receive
Restrict push applications from sending data to BlackBerry devices
Create push initiators for push applications
Turn on push authorization
Create a push rule
Assign push initiators to a push rule
Assign a push rule to a user group
Assign a push rule to a specific user
Encrypt push requests that push applications send to BlackBerry devices
Associate a push initiator with the BlackBerry MDS Integration Service
Managing push application requests
Specify device ports for application-reliable push requests
Store push application requests in the BlackBerry Configuration Database
Configure the settings for storing push requests in the BlackBerry Configuration Database
Configure the maximum number of active connections that the BlackBerry MDS Connection Service can process
Configure the maximum number of queued connections that the BlackBerry MDS Connection Service can process
20 Monitoring a BlackBerry Domain
How the BlackBerry Controller monitors the BlackBerry Enterprise Server components
Changing how the BlackBerry Controller monitors the BlackBerry Enterprise Server components and restarts services
Change how the BlackBerry Controller restarts the BlackBerry Messaging Agent
Monitoring the BlackBerry MDS Integration Service notification messages
Set up monitoring of the BlackBerry MDS Integration Service notification messages for a BlackBerry device
Monitor the BlackBerry MDS Integration Service notification messages for a BlackBerry device
Filter the BlackBerry MDS Integration Service notification messages by date and time
Block notification messages from a web services host
Monitoring PIN messages, SMS text messages, and calls
Monitor SMS text messages
Turn off call logging
Log files for the BlackBerry Enterprise Server components
Changing where the BlackBerry Enterprise Server components write log files
Change the location where the BlackBerry Enterprise Server components write log files
Store all of the BlackBerry Enterprise Server component log files in one folder
Changing how the BlackBerry Enterprise Server components create log files
Add a prefix to the file names of all the BlackBerry Enterprise Server component log files
Configure the maximum size for a BlackBerry Enterprise Server component log file
Create a new BlackBerry Enterprise Server component log file when the current log file reaches the maximum
Changing how the BlackBerry MDS Connection Service creates a log file
Change the interval at which the BlackBerry MDS Connection Service writes information to the log file
Change the logging level for the UDP log file
Change the port number that the BlackBerry MDS Connection Service connects to when sending UDP log file messages
Change the logging level for the TCP log file
Change the port number that the BlackBerry MDS Connection Service connects to when sending TCP log file messages
Change the logging level for the Event log file
Change which BlackBerry MDS Connection Service activities are written to the log file
Change which BlackBerry Collaboration Service activities are written to the log file
21 Managing a BlackBerry Domain
Managing multiple BlackBerry Domain instances
Connect the BlackBerry Manager to a different BlackBerry Domain
Managing CAL keys
Add or delete a CAL key
Copy a license key to a text file
22 Glossary
23 Legal notice

Creating administrator accounts


Administrative roles

The BlackBerry® Enterprise Server uses predefined roles, which correspond to common administrative roles in organizations, to control who can perform specific tasks and limit who can access sensitive data in your organization.
You assign each BlackBerry Enterprise Server administrator to an administrative role. If you already manage your organization using Windows® groups, assign those groups to the administrative roles so that you can manage role membership through the group.
When an administrator starts the BlackBerry Manager, the BlackBerry Manager checks the authentication credentials, determines the administrative role, and displays a list of the tasks that the administrator can perform.
Role: security administrator (rim_db_admin_security)
Description: These administrators can perform all tasks. They are the only administrators who can manage role membership and change sensitive security properties, such as licenses and encryption keys. The administrator account that you created during the installation process is assigned the security administrator role automatically.

Role: enterprise administrator (rim_db_admin_enterprise)
Description: These administrators can perform all tasks that relate to user accounts, services, instances of the BlackBerry Enterprise Server, and global application data. These administrators cannot view role membership, licenses, or encryption keys.

Role: device administrator (rim_db_admin_handheld)
Description: These administrators can perform all tasks that relate to user accounts and BlackBerry device management, including:
• supporting new user accounts
• implementing BlackBerry devices
• managing software configurations
• managing the installation and behavior of third-party applications on BlackBerry devices

Role: senior help desk administrator (rim_db_admin_sr_helpdesk)
Description: These administrators can perform all tasks that relate to user account management, including:
• adding, moving, and deleting user accounts
• updating and sending IT policies to BlackBerry devices
• sending IT administration commands to BlackBerry devices

Role: junior help desk administrator (rim_db_admin_jr_helpdesk)
Description: These administrators can perform tasks that relate to user account management, including:
• creating and sending passwords for activating BlackBerry devices over the wireless network
• resending service books or IT policies
These administrators cannot add, move, or delete user accounts or send certain IT administration commands.

Role: auditor (rim_db_admin_audit_<role>)
Description: These administrators can view all tasks and properties that relate to the role, but they cannot perform the tasks or change the properties. Use this view-only role when training new administrators.
Creating a BlackBerry Enterprise Server administrator in a Microsoft SQL Server environment
BlackBerry® Enterprise Server administrators are database users who can access the BlackBerry Configuration Database using the BlackBerry Manager. This access is restricted to the administrative roles that the BlackBerry Enterprise Server administrators are assigned to.
Only administrators who are assigned to the security administrator role can create other BlackBerry Enterprise Server administrator accounts. When creating administrator accounts, perform one of the following tasks:
• assign an administrative role to an existing database account
• create a new database account and assign it an administrative role

Assign an administrative role to a new or existing Microsoft SQL Server database account
Note: Do not assign an administrative role using the Microsoft® SQL Server® consoles or assign more than one administrative role to an administrator. The BlackBerry® Configuration Database uses the most restrictive settings to determine which tasks the BlackBerry Manager displays, so an administrator who is assigned both enterprise and junior help desk roles sees only the tasks for the junior help desk role.
Before you begin:
• Verify that you have the system administrator role on the database server.
• If you are assigning an administrator to the security or enterprise administrative role, verify that the administrator has administrative permission on the Microsoft® Exchange messaging server.
• If you are creating a new database account and want to use Windows® authentication, verify that the Windows user account or group already exists.
1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. On the Role Administration tab, click a role.
3. Complete one of the following actions:
• To add an administrative role to an existing Microsoft SQL Server database account, click List Administrators.
• To create a new Microsoft SQL Server database account and assign it to an administrative role, click Add Administrators.
4. Complete one of the following actions:
• To add an administrative role to an existing administrator account, click the administrator account that you want to add the role to.
• To create a database account only and add an administrative role to the account, type a user name.
• To create a database account for an existing Windows user account or group and add an administrative role to the account, type a user name preceded by a domain name (for example, DOMAIN\username).
5. If prompted, type and confirm a password.
6. Click OK.
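A read-only check of the resulting role assignments, added here as an example and not taken from the original guide: it lists every member of the administrative roles and flags accounts that hold more than one role, which the note above warns against. It assumes that the rim_db_admin_* names shown in the roles table are database roles in the BlackBerry Configuration Database and that the database server provides the SQL Server 2005 or later catalog views.

```sql
-- Added example: audit of BlackBerry Enterprise Server administrative role membership.
-- Run while connected to the BlackBerry Configuration Database (the database name is
-- site-specific, so no USE statement is given here).
-- Assumption: the rim_db_admin_* names from the roles table are database roles.
-- Assumption: SQL Server 2005 or later (sys.database_principals, sys.database_role_members).
-- The query only reads catalog views; it does not change role membership.

WITH role_members AS (
    SELECT
        m.name      AS member_name,
        m.type_desc AS member_type,   -- SQL_USER, WINDOWS_USER or WINDOWS_GROUP
        r.name      AS role_name
    FROM sys.database_role_members AS drm
    JOIN sys.database_principals AS r
        ON r.principal_id = drm.role_principal_id
    JOIN sys.database_principals AS m
        ON m.principal_id = drm.member_principal_id
    WHERE r.type = 'R'                           -- database roles only
      AND r.name LIKE 'rim[_]db[_]admin[_]%'     -- [_] matches a literal underscore
)
SELECT
    member_name,
    member_type,
    role_name,
    COUNT(*) OVER (PARTITION BY member_name) AS role_count,
    CASE
        -- More than one role: the most restrictive one decides what the
        -- BlackBerry Manager displays, so the extra assignment is misleading.
        WHEN COUNT(*) OVER (PARTITION BY member_name) > 1
            THEN 'REVIEW: more than one administrative role'
        -- Security administrators can manage role membership, licenses
        -- and encryption keys, so this list should stay short.
        WHEN role_name = 'rim_db_admin_security'
            THEN 'REVIEW: security administrator'
        ELSE ''
    END AS finding
FROM role_members
ORDER BY role_count DESC, member_name, role_name;
```

A Windows group appears as a single member; the query does not expand the accounts inside the group, so review group membership separately.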
Configure the BlackBerry Manager to use database authentication in a Microsoft SQL Server environment
During the installation process, if you choose to connect to the BlackBerry® Configuration Database using Windows® authentication, the BlackBerry Manager uses Windows authentication automatically. If you create database accounts for your administrators, you must change the type of authentication that the BlackBerry Manager uses.
1. In the BlackBerry Manager, on the Tools menu, click Options.
2. Click Database.
3. In the Authentication drop-down list, click Database Authentication.
4. Click OK.
5. Restart the BlackBerry Manager.

Setting up security options


How the BlackBerry Enterprise Solution encrypts data on the transport layer

The BlackBerry® Enterprise Solution uses a symmetric key encryption algorithm (Triple DES or AES) to protect all data that the BlackBerry® Enterprise Server and a BlackBerry device send between them.
The BlackBerry Enterprise Solution uses the symmetric key encryption algorithm to create message keys and master encryption keys, and uses those encryption keys to encrypt all data that the BlackBerry device sends or receives, while the data travels between the BlackBerry device and the BlackBerry Enterprise Server.
This data encryption process occurs automatically and is designed to verify that a message that a user sends from a BlackBerry device, which is outside the organization's firewall, remains protected on the transport layer until the BlackBerry Enterprise Server receives the message.
Standard encryption algorithms that the BlackBerry Enterprise Solution uses
Encryption type: Triple DES
Description:
• default encryption method
• uses the Triple DES algorithm to encrypt and decrypt all data that the BlackBerry® Enterprise Server and all BlackBerry devices on the BlackBerry Enterprise Server send between them

Encryption type: AES
Description:
• uses the AES algorithm to encrypt and decrypt all data that the BlackBerry Enterprise Server and all BlackBerry devices on the BlackBerry Enterprise Server send between them
• designed to use a longer encryption key to provide a better combination of security and performance than Triple DES
• designed to protect user data and encryption keys from traditional attacks and side-channel attacks
• requires BlackBerry® Desktop Software version 4.0 or later and BlackBerry® Device Software version 4.0 or later

Encryption type: Triple DES and AES
Description:
• permits use of either the Triple DES algorithm or AES algorithm to encrypt and decrypt all data that the BlackBerry Enterprise Server and all BlackBerry devices on the BlackBerry Enterprise Server send between them
• uses Triple DES encryption on BlackBerry devices that do not support AES (BlackBerry devices that are running BlackBerry Device Software versions earlier than version 4.0)
• by default, uses AES encryption on BlackBerry devices that support AES
Change the encryption type
1. In the BlackBerry® Manager, in the left pane, click a BlackBerry® Enterprise Server.
2. On the Server Configuration tab, click Edit Properties.
3. Click General.
4. In the Security section, click Encryption Algorithm.
5. In the drop-down list, select an encryption type.
6. Click OK.
After you finish: If you changed the encryption type, you must reactivate all of the BlackBerry devices in the BlackBerry Domain so that users can send and receive messages on their BlackBerry devices.
Related topics
Assigning BlackBerry devices to user accounts
Options for extending messaging security
When a user sends a message from the BlackBerry® device, by default, the BlackBerry® Enterprise Server does not encrypt the message when it forwards the message to the message recipient. To extend the messaging security that standard BlackBerry encryption provides, the user must install additional secure messaging technology on the BlackBerry device, and you must set the BlackBerry device to use that secure messaging technology.
To offer an additional layer of messaging security between the sender and recipient of an email message or PIN message, you can turn on S/MIME technology or PGP® technology for BlackBerry devices. When you use either one of these technologies, you allow sender-to-recipient authentication and confidentiality. These technologies also help to maintain the integrity and privacy of the data from the time that a BlackBerry device user sends a message from the BlackBerry device to when the message recipient decrypts and opens the message.
Protection of data using the PGP Support Package for BlackBerry devices
BlackBerry® devices that are running the PGP® Support Package for BlackBerry® devices can digitally sign, encrypt, or sign and encrypt data that they send to the BlackBerry® Enterprise Server.
With supported versions of the PGP Support Package for BlackBerry devices installed, BlackBerry devices can receive PGP/MIME format messages. With both the PGP Support Package for BlackBerry devices and the S/MIME Support Package for BlackBerry® devices installed and turned on, BlackBerry devices can download PGP® keys with attached S/MIME X.509 certificates from the PGP® Universal Server and use them in compliance with the PGP Universal Server secure email policy. The PGP Support Package for BlackBerry devices continues to support OpenPGP format messages.
For more information, see the PGP Support Package for BlackBerry Devices Security Technical Overview.
Prerequisites: Protecting data using the PGP Support Package for BlackBerry devices
Set the PGP® Universal Server Address IT policy rule in the IT policy that you assign to BlackBerry® device users.
Instruct the BlackBerry device users to install the PGP® Support Package for BlackBerry® devices on their BlackBerry devices and enroll with the PGP Universal Server so that the BlackBerry devices can process PGP messages.
Instruct the BlackBerry device users to enroll with PGP when the BlackBerry devices prompt them to.
Prerequisites: Protecting data using the S/MIME Support Package for BlackBerry devices
Turn on S/MIME message processing on the BlackBerry® Enterprise Server so that the BlackBerry Enterprise Server can process S/MIME messages.
Instruct BlackBerry® device users to install the S/MIME Support Package for BlackBerry devices on their BlackBerry devices so that the BlackBerry device can process S/MIME messages.
Instruct BlackBerry device users to add the Certificate Synchronization Manager to the BlackBerry® Desktop Manager so that the BlackBerry Desktop Manager can manage certificates for their BlackBerry devices.
Turn on support for processing S/MIME-protected messages on the BlackBerry Enterprise Server
1. In the BlackBerry® Manager, in the left pane, click Servers.
2. On the Server Configuration tab, click Edit Properties.
3. In the left pane, click Messaging.
4. In the Secure Messages section, click Enable S/MIME Message Processing.
5. In the drop-down list, click True.
6. Click OK.
How S/MIME-protected messages on BlackBerry devices discard appended disclaimers
If the S/MIME Support Package for BlackBerry® devices is installed on a BlackBerry device and turned on, the BlackBerry® Enterprise Server does not apply an appended disclaimer to S/MIME-protected messages that the user sends from the BlackBerry device. Digital signatures on S/MIME-protected messages that the BlackBerry device sends are not valid if disclaimers are appended to the messages.
Define encryption options for S/MIME-protected messages
1. In the BlackBerry® Manager, in the left pane, click Servers.
2. On the Server Configuration tab, click Edit Properties.
3. In the left pane, click Messaging.
4. In the Secure Messages section, select the encryption options to include when processing S/MIME-protected messages.
5. Click OK.


Generating organization-specific encryption keys for PIN-to-PIN message encryption
By default, all BlackBerry® devices store a common peer-to-peer encryption key for protecting PIN-to-PIN messages. To limit the number of BlackBerry devices that can decrypt PIN messages that users in your organization send from their BlackBerry devices, you can generate a new peer-to-peer encryption key that is stored on and known only to BlackBerry devices in your organization. BlackBerry devices with an organization-specific peer-to-peer encryption key can send and receive PIN messages only with other BlackBerry devices that store the same peer-to-peer encryption key.
You should generate a new peer-to-peer encryption key if you know that your current organization-specific peer-to-peer encryption key is compromised.
Generate a new peer-to-peer encryption key
1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, expand Service Control & Customization.
3. Click Update Peer-to-Peer Encryption Key.
4. Click Set or update the Peer-to-Peer encryption key for all devices within this organization.
5. Click Yes.

Authenticating the BlackBerry MDS Integration Service to the BlackBerry Manager and web services

After you install the BlackBerry® MDS Integration Service, you must install a digital certificate for the BlackBerry MDS Integration Service in the key store on the same computer. This certificate allows server-authenticated communication between the BlackBerry MDS Integration Service and the BlackBerry Manager.
You can install a self-signed certificate for the BlackBerry MDS Integration Service, or you can get a signed root certificate from a certificate authority and install it in the key store using the Java® keytool. You can replace the self-signed certificate with a signed root certificate at any time, but you should install the certificate that you want to use immediately after you install the BlackBerry MDS Integration Service and before you allow authentication with the BlackBerry Manager or web services using that certificate.
You can also export the certificate for the BlackBerry MDS Integration Service to allow client authentication with external web services.
For more information about using the Java keytool, visit java.sun.com/javase/6/docs/technotes/tools/windows/keytool.html.
Allow the BlackBerry MDS Integration Service to communicate with the BlackBerry Manager
When the BlackBerry® Manager connects to the BlackBerry MDS Integration Service for the first time after installation, the BlackBerry Manager prompts you to view and install the BlackBerry MDS Integration Service self-signed certificate. This certificate allows server-authenticated communication between the BlackBerry MDS Integration Service and the BlackBerry Manager.
Before you begin: Perform this task immediately after you install the BlackBerry MDS Integration Service.
1. In the BlackBerry Manager, in the left pane, click a BlackBerry MDS Integration Service.
2. In the certificate installation dialog box, click View Certificate.
3. Review the certificate information.
4. Click Install Certificate.
5. Complete the instructions on the screen. Accept the default settings.
6. When prompted, click Cancel.
Allow client authentication between the BlackBerry MDS Integration Service and web services
The self-signed certificate for the BlackBerry® MDS Integration Service allows client authentication between the BlackBerry MDS Integration Service and web services hosts. If the BlackBerry® MDS Runtime Applications in your organization's environment use HTTPS to communicate with web servers to receive application data and application updates, you must export the certificate for the BlackBerry MDS Integration Service to the web services hosts. This allows BlackBerry MDS Runtime Applications that use web services to authenticate to the web services and access them.
Before you begin:
Contact your organization's application developers for information about the web services that the BlackBerry MDS Runtime Applications in your environment use.
If you replaced the self-signed certificate for the BlackBerry MDS Integration Service with a signed root certificate from a certificate authority, the web services must trust the root certificate authority to authenticate to the BlackBerry MDS Integration Service.
1. Using Microsoft® Internet Explorer®, export the self-signed certificate for the BlackBerry MDS Integration Service from the trusted root certificate authorities area of the computer's key store.
2. Send the self-signed certificate to the web services servers that the BlackBerry MDS Runtime Applications use.
3. Verify that the certificate is installed in the trusted key store of the web services servers.
After you finish:
If multiple BlackBerry MDS Integration Service servers are installed, export the certificate for each BlackBerry MDS Integration Service.
Allow BlackBerry MDS Runtime Applications to access web services using HTTPS.

3 Setting up proxy servers for BlackBerry Enterprise Server components

Configuring certain BlackBerry Enterprise Server components to use proxy servers

You can configure the BlackBerry® MDS Connection Service, BlackBerry MDS Integration Service, and BlackBerry Collaboration Service to use proxy servers to access web addresses on the Internet and your organization's intranet. You should use a proxy method that is consistent with how other applications and servers in your organization access web content.
Since proxy servers typically do not permit traffic between servers on the same side of the firewall, you can configure certain BlackBerry® Enterprise Server components to use a .pac file, or to access the Internet directly through a proxy server. You can also configure multiple proxy servers to manage traffic to specific web addresses, and you can specify URLs that the BlackBerry Enterprise Server components can access without using a proxy server.
The BlackBerry MDS Integration Service sends application updates and data to BlackBerry devices through the BlackBerry MDS Connection Service. The BlackBerry MDS Integration Service can only accept and respond to messages that it receives from a direct connection with the BlackBerry MDS Connection Service. If you configured the BlackBerry MDS Connection Service to use a proxy server, you must configure proxy rules to allow a direct connection between the BlackBerry MDS Connection Service and the BlackBerry MDS Integration Service. You cannot use a proxy server to exchange data between these components of the BlackBerry Enterprise Server. If you use a .pac file configuration, you can change the .pac file to allow a direct connection between the BlackBerry MDS Connection Service and the BlackBerry MDS Integration Service.
Related topics
Configuring multiple BlackBerry Enterprise Server instances to use the same BlackBerry Enterprise Server component
Configure a BlackBerry Enterprise Server component to use a .pac file
You can configure the BlackBerry® MDS Connection Service, BlackBerry MDS Integration Service, or BlackBerry Collaboration Service to use a .pac file.
1. In the BlackBerry Manager, in the left pane, click a BlackBerry® Enterprise Server component.
2. On the appropriate tab for a BlackBerry Enterprise Server component, click Edit Properties.
3. In the left pane, click Proxy.
4. Double-click Proxy Mappings.
5. Click New.
6. Double-click Universal Resource Locator.
7. Type the URL regular expression that you want the proxy mapping rule to control.
8. Double-click Proxy String.
9. Click New.
10. In the Proxy Type drop-down list, perform one of the following actions:
• To detect a .pac file automatically, click AUTO. Double-click the Proxy String field and delete the default values.
• To specify the location of the .pac file, click PAC. Double-click the Proxy String field and type the proxy server name, port number, and location of the .pac file (for example, http://<ProxyServer>:<Port>/<PACFilePath>/<PACFileName>).
11. Click OK.
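The following is an added example, not part of the BlackBerry documentation: a .pac file that keeps the direct connection between the BlackBerry MDS Connection Service and the BlackBerry MDS Integration Service that this chapter requires, showing a loosely matched DIRECT rule beside an exact-match rule and a small audit over constructed hosts. The host names, ports, and the helper names normalizeHost, findProxyLoose and auditPac are assumptions; FindProxyForURL is the standard PAC entry point.

```javascript
// Added example, not taken from the BlackBerry documentation.
// All host names and ports are constructed placeholders.

// BlackBerry MDS Integration Service hosts. The MDS Connection Service must
// reach these without a proxy, so they are the only DIRECT exceptions.
var MDS_IS_HOSTS = ["mds-is01.corp.example", "mds-is02.corp.example"];

// Ordered failover chain: a PAC client tries each entry in turn until one
// answers, comparable to several proxy strings in one proxy mapping rule.
var PROXY_CHAIN = "PROXY proxy1.corp.example:8080; PROXY proxy2.corp.example:8080";

// Host names are case-insensitive and may carry a trailing dot (FQDN form).
function normalizeHost(host) {
  var h = String(host).toLowerCase();
  if (h.charAt(h.length - 1) === ".") {
    h = h.substring(0, h.length - 1);
  }
  return h;
}

// Weak variant: a substring test sends every host whose name merely contains
// "mds-is" around the proxy, including hosts outside the organization.
function findProxyLoose(url, host) {
  if (normalizeHost(host).indexOf("mds-is") !== -1) {
    return "DIRECT";
  }
  return PROXY_CHAIN;
}

// Corrected variant and PAC entry point: exact match against the allowlist.
// Plain loops and `var` keep the file loadable by older PAC engines.
function FindProxyForURL(url, host) {
  var h = normalizeHost(host);
  for (var i = 0; i < MDS_IS_HOSTS.length; i++) {
    if (h === MDS_IS_HOSTS[i]) {
      return "DIRECT";
    }
  }
  return PROXY_CHAIN;
}

// Constructed audit cases: [url, host, expected result].
var AUDIT_CASES = [
  ["https://mds-is01.corp.example:8443/push", "mds-is01.corp.example", "DIRECT"],
  ["https://MDS-IS02.corp.example./push", "MDS-IS02.corp.example.", "DIRECT"],
  ["http://intranet.corp.example/", "intranet.corp.example", PROXY_CHAIN],
  ["http://www.example.org/", "www.example.org", PROXY_CHAIN],
  ["http://mds-is01.corp.example.partner.example/",
   "mds-is01.corp.example.partner.example", PROXY_CHAIN],
  ["http://not-mds-is.partner.example/", "not-mds-is.partner.example", PROXY_CHAIN]
];

// Returns the hosts for which a PAC function disagrees with the expected
// routing; an empty array means the rule set behaves as intended.
function auditPac(findProxy) {
  var failures = [];
  for (var i = 0; i < AUDIT_CASES.length; i++) {
    var c = AUDIT_CASES[i];
    if (findProxy(c[0], c[1]) !== c[2]) {
      failures.push(c[1]);
    }
  }
  return failures;
}
```

Running auditPac against a candidate rule set before publishing the .pac file shows which hosts would bypass the proxy unintentionally.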
Configure a BlackBerry Enterprise Server component to use a proxy server
You can configure the BlackBerry® MDS Connection Service, BlackBerry MDS Integration Service, or BlackBerry Collaboration Service to access web servers through a proxy server.
You can specify more than one proxy string in a proxy mapping rule for a web address. If the BlackBerry® Enterprise Server component cannot access the web server using the first proxy string, it tries to access the web server using the subsequent proxy strings that you typed, until it accesses the web server successfully.
1. In the BlackBerry Manager, in the left pane, click a BlackBerry Enterprise Server component.
2. On the appropriate tab for a BlackBerry Enterprise Server component, click Edit Properties.
3. In the left pane, click Proxy.
4. Click New.
5. In the Universal Resource Locator field, type the regular expression for the web address that you want the proxy mapping rule to control.
6. Double-click Proxy String.
7. Click New.
8. In the Proxy Type drop-down list, perform any of the following actions:
• To configure a proxy server, click PROXY. Double-click the Proxy String field and type the proxy server name and port number.
• To exclude the web address from routing through the proxy server, click DIRECT. Double-click the Proxy String field and delete the default value.
9. Click OK.
Configure a BlackBerry Enterprise Server component to authenticate to a proxy server on behalf of BlackBerry devices
You can configure the BlackBerry® MDS Connection Service, BlackBerry MDS Integration Service, or BlackBerry Collaboration Service to authenticate to a proxy server on behalf of BlackBerry devices.
1. In the BlackBerry Manager, in the left pane, click a BlackBerry® Enterprise Server component.
2. On the appropriate tab, click Edit Properties.
3. In the left pane, click Proxy.
4. Double-click Proxy Mappings.
5. Click a URL.
6. Click Properties.
7. In the User Name field, type the user name that the BlackBerry Enterprise Server component can use to connect to the proxy server that is defined for the web address.
8. In the Password field, type the password for the user name.
9. In the Password (Confirmation) field, retype the password.
10. Click OK.

4 Sharing BlackBerry Enterprise Server components

Configuring multiple BlackBerry Enterprise Server instances to use the same BlackBerry Enterprise Server component

To help make a BlackBerry® Domain more scalable, you can configure multiple BlackBerry® Enterprise Server instances to use the same BlackBerry MDS Connection Service, BlackBerry MDS Integration Service, or BlackBerry Collaboration Service. If a BlackBerry Domain contains a single BlackBerry Enterprise Server, all BlackBerry Enterprise Server components are associated with that BlackBerry Enterprise Server automatically.
Configure multiple BlackBerry Enterprise Server instances to use the same BlackBerry MDS Connection Service
You can configure multiple BlackBerry® Enterprise Server instances to use the same central push server to transfer application data from BlackBerry devices, and to manage HTTP requests from the BlackBerry® Browser.
Before you begin: You must set a BlackBerry MDS Connection Service in your BlackBerry Domain as the central push server.
1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Service Control & Customization.
3. Click MDS CS to BES Mapping.
4. In the MDS CS to BES Mappings dialog box, in the left pane, click the BlackBerry MDS Connection Service that you have set as the central push server.
5. In the right pane, click the BlackBerry Enterprise Server instances that you want to use the central push server.
6. Click OK.
Related topics
Specifying a BlackBerry MDS Connection Service as the central push server
Configure multiple BlackBerry Enterprise Server instances to use the same BlackBerry MDS Integration Service
You can configure multiple instances of the BlackBerry® Enterprise Server to use the same BlackBerry MDS Integration Service to send BlackBerry MDS Runtime Applications and updates to BlackBerry devices. By associating multiple instances of the BlackBerry Enterprise Server with a single BlackBerry MDS Integration Service, you can make the BlackBerry MDS Runtime Applications that are stored in a single BlackBerry MDS Application Repository available to users on multiple BlackBerry Enterprise Server instances.
Before you begin: You must configure server authentication between the BlackBerry MDS Integration Service and the BlackBerry Manager. Complete the instructions on the screen the first time that you click the BlackBerry MDS Integration Service.
1. In the BlackBerry Manager, in the left pane, click a BlackBerry Enterprise Server.
2. On the Server Configuration tab, click Edit Properties.
3. In the left pane, click MDS Integration Service.
4. Click BlackBerry MDS Integration Service Server URL.
5. In the drop-down list, click the BlackBerry MDS Integration Service that you want to assign to the BlackBerry Enterprise Server.
6. Click OK.
After you finish: Repeat this task for each BlackBerry Enterprise Server that you want to associate with the same BlackBerry MDS Integration Service.
Related topics
Allow the BlackBerry MDS Integration Service to communicate with the BlackBerry Manager
Configure multiple BlackBerry Enterprise Server instances to use the same BlackBerry Collaboration Service
You can configure multiple BlackBerry® Enterprise Server instances to use the same BlackBerry Collaboration Service to connect to your organization's instant messaging server, and to manage requests from the collaboration client that you use in your organization's BlackBerry Domain.
1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Service Control & Customization.
3. Click IM to BES Mapping.
4. In the IM to BES Mappings dialog box, in the left pane, click the BlackBerry Collaboration Service that you want multiple BlackBerry Enterprise Server instances to use.
5. In the right pane, select the BlackBerry Enterprise Server instances that you want to use the BlackBerry Collaboration Service.
6. Click OK.

5 Setting up user accounts

Adding user accounts to the BlackBerry Enterprise Server

When you add a user account to the BlackBerry® Enterprise Server, the user’s Microsoft® Exchange mailbox does not have to be in the same Microsoft Exchange site or routing group as the BlackBerry Enterprise Server.
Add a user account to only one BlackBerry Enterprise Server at a time.
Related topics
Assigning BlackBerry devices to users
Add user accounts to the BlackBerry Enterprise Server
1. In the BlackBerry® Manager, in the left pane, click a BlackBerry® Enterprise Server.
2. On the Server Configuration tab, click Common.
3. Click Add Users.
4. In the Show Names from drop-down list, click an address group.
5. In the user list, click one or more users.
6. Click Select.
7. Click OK.

Creating user groups

You can create user groups and assign user accounts to user groups based on custom criteria, such as user location, organizational group, or BlackBerry® device model. User accounts in a user group can exist on different BlackBerry® Enterprise Server instances in the BlackBerry Domain.
Create a user group
Create groups of user accounts in the BlackBerry® Domain to apply common configuration properties for the user group or to perform administrative tasks on all user accounts in the user group. User accounts in a user group can be located on different BlackBerry® Enterprise Server instances in the BlackBerry Domain.
1. In the BlackBerry Manager, in the left pane, click User Groups.
2. Click Create Group.
3. Type a name and description for the user group.
4. Click OK.
Add a user account to a user group
1. In the BlackBerry® Manager, in the left pane, click a BlackBerry® Enterprise Server.
2. On the Users tab, click one or more user accounts.
3. Click Assign User to Group.
4. Click a group name.
5. Click OK.
When you add user accounts to a group, the BlackBerry Manager assigns the group properties to the user accounts automatically.

6 Sending software and Java applications to BlackBerry devices

Making BlackBerry Device Software and Java applications available to users

You can make BlackBerry® Device Software or applications available on a network drive, and make the software available to a user account or user group in the following ways:
• send BlackBerry Java® Applications, the collaboration client, or the BlackBerry® MDS Runtime to BlackBerry devices over the wireless network
• install BlackBerry Device Software on or add applications to a BlackBerry device that is connected to the computer that hosts the BlackBerry Manager
• make the BlackBerry Device Software and applications available so that a user can install the software and add applications using the application loader tool
You can also create a software configuration to define how the BlackBerry® Enterprise Server delivers the applications to BlackBerry devices, and which applications users can add to BlackBerry devices.

Making software and applications available on a network drive

To make the BlackBerry® Device Software or applications available for users to install on or add to their BlackBerry devices, you must save the BlackBerry Device Software and applications to a network drive and create a software index. You can maintain only one version of software or an application on the network drive at a time.
Install the BlackBerry Device Software on a network drive
You install the BlackBerry® Device Software on a network drive to make the BlackBerry Device Software available to users to install on their BlackBerry devices.
Before you begin: Your organization's wireless service provider must provide you with the BlackBerry Device Software installation media.
1. Copy the BlackBerry Device Software installation media to a network drive in your organization's environment.
2. On the network drive, double-click the .exe file.
3. Complete the installation process.
After you finish: Verify that the files are located at <drive>:\Program Files\Common Files\Research In Motion\Shared\Loader Files.
Add a Java application to a network drive
You add a Java® application to a network drive so that the application can be made available to users' BlackBerry® devices.
Before you begin: If a third-party developer requires you to add an application to copy the application files, you must complete the instructions that the vendor provides. You can then copy the required application files and module files to a network drive in your organization's environment.
1. If necessary, on the network drive, create the path <drive>:\Program Files\Common Files\Research In Motion\Shared\Applications.
2. In the Applications folder, create a subfolder for the application that you want to add.
3. Copy the .alx, .cod, and .dll files to the subfolder.
Add a collaboration client to a network drive
You add a collaboration client to a network drive to make the application available for users to install on their BlackBerry® devices. For information about the compatibility of collaboration clients and versions of the BlackBerry® Enterprise Server, visit na.blackberry.com/eng/support/downloads/im_server_compatibility.jsp.
1. If necessary, on the network drive, create the path <drive>:\Program Files\Common Files\Research In Motion\Shared\Applications.
2. Visit www.na.blackberry.com/eng/support/downloads to download the collaboration client for your organization's environment.
3. Double-click the .zip file that you downloaded.
4. Extract the .alx and .cod files to the path that you created in step 1.
Add the BlackBerry MDS Runtime to a network drive
You add the BlackBerry® MDS Runtime to a network drive for users to install on their BlackBerry devices so that they can use BlackBerry MDS Runtime Applications.
1. Visit www.na.blackberry.com/eng/support/downloads to download the most recent version of the BlackBerry MDS Runtime.
2. If necessary, on the network drive, create the path <drive>:\Program Files\Common Files\Research In Motion\Shared\Applications.
3. Create a folder for the BlackBerry MDS Runtime.
4. From the .zip file that you downloaded, extract the MdsRuntime.alx file and the .cod files for the applicable BlackBerry® Device Software version to the BlackBerry MDS Runtime folder that you created in step 3.

Indexing applications on a network drive

To inform the application loader tool and software configurations of the applications that are available to add to BlackBerry® devices, you create a software index for the applications that you add to your organization's network drive. When you create a software index, the BlackBerry® Enterprise Server creates a specification.pkg file and a PkgDBCache.xml index file for each application.
Create or update a software index for applications on a network drive
Not all software or applications require indexing. If you add BlackBerry® Device Software version 4.0 or later for Java® based BlackBerry devices, it creates the index files automatically. If you change an .alx file for an application that already appears in a software index on your organization's network drive, you must update the software index.
1. At the command prompt, navigate to <drive>:\Program Files\Common Files\Research In Motion\Apploader.
2. Perform one of the following actions:
• To create a software index, type loader.exe /index.
• To update a software index, type loader.exe /reindex.
The application loader tool creates or updates the software index structure on the network drive, and it adds any missing index files.
Share a network drive for applications
You share a network drive for applications to make the applications available for users to install on their BlackBerry® devices.
1. Share <drive>:\Program Files\Common Files\Research In Motion\Shared\Applications.
2. Set the permission attributes to Read-only.

Defining software configurations

Software configurations allow you to perform the following actions to manage applications on BlackBerry® devices for specific user accounts or groups:
• remotely add and remove third-party Java® applications, the collaboration client, and the BlackBerry® MDS Runtime using the application loader tool on BlackBerry devices that are connected to computers running the BlackBerry® Device Manager
• define application control policies and add them to software configurations to specify the resources that third-party Java applications, the collaboration client, and the BlackBerry MDS Runtime can access on BlackBerry devices from behind the organization's firewall
You must create a separate software configuration for each BlackBerry device series in your organization.
You must install all of the application files that you want to install on a specific BlackBerry device model either on the BlackBerry® Enterprise Server or on a computer with a shared network drive before you can set an application control policy on a BlackBerry device. You set up a software configuration to point to the location of the application files.
Create a software configuration
If you have more than one BlackBerry® device series in your organization, you must create a different software configuration for each series.
1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. On the Software Configurations tab, click Add New Configuration.
3. Type a configuration name and description in the appropriate fields.
4. Click Change.
5. Type the location of the BlackBerry® Device Software or applications.
6. Click OK.
7. In the Application Name list, select the check box beside the BlackBerry device series that you want to configure the BlackBerry Device Software or applications for.
8. Perform one of the following actions:
• To permit users to add applications to BlackBerry devices, select the check box beside the application name.
• To prevent users from adding the application to BlackBerry devices, clear the check box beside the application name.
9. Click OK.
After you finish: Define an application control policy.
Define an application control policy
For more information about defining application control policy rules, see the Policy Reference Guide.
Before you begin: Create a software configuration.
1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. Click the Software Configurations tab.
3. Click Manage Application Policies.
4. Click New.
5. Type a new policy name.
6. Customize the application control policy rules.
7. Click OK.
After you finish: Assign an application control policy to an application in a software configuration.
Assign an application control policy to an application
Before you begin: To assign an application control policy other than the default application control policy settings, you must first define an application control policy.
1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. Click the Software Configurations tab.
3. In the Configuration Name list, click a software configuration.
4. Click Edit Configuration.
5. Expand the Application Software application tree.
6. In the Policy drop-down list, click an option to assign an application control policy to the application:
• Assign the default application control policy: To assign the application control policy that is assigned at the application software level, click <default>.
• Assign an application control policy that you have defined: To assign an application control policy that you have defined to all applications that are not currently assigned to an application control policy, click that application control policy.
• Allow the user to set application controls on the BlackBerry device: To allow the application control settings that are configured on the BlackBerry device, click <none>.
7. Click OK.
After you finish: Assign the software configuration to a user group or user account.
Assign a software configuration to a user group
1. In the BlackBerry® Manager, in the left pane, click a user group.
2. In the lower pane, on the Group Configuration tab, click Device Management.
3. Click Assign Software Configuration.
4. Click the software configuration that you want to assign.
5. Click OK.
Assign a software configuration to a user account
1. In the BlackBerry® Manager, in the left pane, click a BlackBerry® Enterprise Server.
2. On the Users tab, click the user account that you want to assign the software configuration to.
3. In the lower pane, click Device Management.
4. Click Assign Software Configuration.
5. Click the software configuration that you want to assign.
6. Click OK.

Send an application to a BlackBerry device over the wireless network

You can send a BlackBerry® Java Application, the collaboration client, and the BlackBerry® MDS Runtime over the wireless network to supported BlackBerry devices that have 16 MB or more of flash memory. The BlackBerry® Enterprise Server can take up to 4 hours to send the application to a BlackBerry device.
Before you begin: To send an application over the wireless network, your organization's IT policy must permit third-party applications on BlackBerry devices.
1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. On the Software Configurations tab, click a software configuration.
3. In the lower pane, click Edit Configuration.
4. Click the application that you want to send over the wireless network.
5. In the Delivery drop-down list, click Wireless.
6. To make sure that the application remains installed on a BlackBerry device, change the Disposition application control policy to Required.
7. Click OK.

Monitor wireless application push failures

You can retrieve information from the BlackBerry® Configuration Database to identify any issues with the wireless delivery of applications to BlackBerry devices.
1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. Click the Software Config Status tab.
3. In the Name field, type the name of the user whose BlackBerry device you want to monitor. If you leave the Name field empty, the search applies to all users in the BlackBerry Domain.
4. In the Status field, click the status that you want to monitor.
5. To change the information that displays for each database entry, right-click a column heading. Select the columns that you want to display.
6. In the Entries per page field, type the maximum number of database entries to display.
7. Click Search.
Error messages: Wireless application push
To troubleshoot push failures for wireless applications, collect the following information:
• BlackBerry® Policy Service log files from the day the issue was reported (log level 4 recommended)
• BlackBerry Dispatcher log files from the day the issue was reported (log level 4 recommended)
• BlackBerry device information
If the preceding information does not address the issue, you might also require the following information:
• BlackBerry Policy Service log files from the day the issue was reported (log level 6 recommended)
• event log of the BlackBerry device from the day the issue was reported
• system event logs and application event logs
• software configuration files created on the network drive that the BlackBerry device is associated with
• copy of the BlackBerry Configuration Database
• SQL trace of the BlackBerry Policy Service communicating with the BlackBerry Configuration Database
For more information about changing the log level for a BlackBerry Enterprise Server component to 6, visit www.blackberry.com/support to read article KB04342. For information about how to obtain the event log of a BlackBerry device, visit www.blackberry.com/support to read article KB05349.
Device timed out waiting for module
This message appears when a BlackBerry device reports a timeout failure while waiting for the application modules.
Resend the application to the BlackBerry device. If the second wireless application push is not successful, in the log files that you collected, locate the user account that is experiencing the issue. Trace the installation activity.
Device reported insufficient memory to install module
This message appears when a BlackBerry device does not have enough flash memory available to install the application modules.
Instruct the user to make more flash memory available on the BlackBerry device. Resend the application.
Device reported that there was an Incomplete Module
This message appears when an application module is not installed successfully on a BlackBerry device.
Resend the application. If the second wireless application push is not successful, in the log files that you collected, locate the user account that is experiencing the issue. Trace the installation activity.
Device reported that the Module Save Failed
This message appears when a BlackBerry device cannot save an application module.
Resend the application. If the second wireless application push is not successful, in the log files that you collected, locate the user account that is experiencing the issue. Trace the installation activity.
Device reported a general failure installing the module
This message appears when an application does not install successfully on a BlackBerry device.
Verify that the BlackBerry device has enough memory available to install the application. Resend the application.
Incomplete ACK data for APPD request
This message appears when the BlackBerry Policy Service does not receive an acknowledgment message that a BlackBerry device has received application data.
Verify that the BlackBerry device is turned on and is located in a wireless coverage area. Resend the application.
Device reported a %s error while installing module
This message appears when an error occurs in the BlackBerry Policy Service that prevents the application from installing successfully on a BlackBerry device.
In the log files that you collected, locate the user account that is experiencing the issue. Trace the installation activity.
Device reported Data Format Error in packet while installing module
This message appears when an error occurs in the BlackBerry Policy Service that prevents the application from installing successfully on a BlackBerry device.
In the log files that you collected, locate the user account that is experiencing the issue. Trace the installation activity.
Device reported Invalid Command while installing module
This message appears when an error occurs in the BlackBerry Policy Service that prevents the application from installing successfully on a BlackBerry device.
In the log files that you collected, locate the user account that is experiencing the issue. Trace the installation activity.
Device Reported Insufficient Body Data while installing module
This message appears when an error occurs in the BlackBerry Policy Service that prevents the application from installing successfully on a BlackBerry device.
In the log files that you collected, locate the user account that is experiencing the issue. Trace the installation activity.
Device reported Invalid Module Hash while installing module
This message appears when an error occurs in the BlackBerry Policy Service that prevents the application from installing successfully on a BlackBerry device.
In the log files that you collected, locate the user account that is experiencing the issue. Trace the installation activity.
Device reported Invalid App Data Length while installing module
This message appears when an error occurs in the BlackBerry Policy Service that prevents the application from installing successfully on a BlackBerry device.
In the log files that you collected, locate the user account that is experiencing the issue. Trace the installation activity.
Device reported Insufficient App Data while installing module
This message appears when an error occurs in the BlackBerry Policy Service that prevents the application from installing successfully on a BlackBerry device.
In the log files that you collected, locate the user account that is experiencing the issue. Trace the installation activity.
Related topics
Log files for the BlackBerry Enterprise Server components
Change the logging level for a BlackBerry Enterprise Server component

Install the BlackBerry Device Software or BlackBerry Applications on a BlackBerry device using the BlackBerry Manager

If you want to save network bandwidth, or if you want to install the BlackBerry® Device Software or add applications to BlackBerry devices before you distribute the BlackBerry devices to users, you can use the BlackBerry Manager to complete the installation process.
1. Connect the BlackBerry device to the computer that hosts the BlackBerry Manager.
2. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
3. On the Software Configurations tab, click a software configuration.
4. Click Edit Configuration.
5. Click the software or application that you want to install on the BlackBerry device.
6. In the Delivery drop-down list, click Wireline only.
7. To make sure that the application remains installed on a BlackBerry device, change the Disposition application control policy to Required.
8. Click OK.

Installing the collaboration client on BlackBerry devices

You can use one of the following methods to install the collaboration client on users' BlackBerry® devices.
Method | Resource
over the wireless network using the BlackBerry® Enterprise Server | See the "Making BlackBerry Device Software and Java applications available to users" section of the BlackBerry Enterprise Server Administration Guide. You must verify that your organization's IT policy permits third-party applications on BlackBerry devices. For more information, see the BlackBerry Enterprise Server Policy Reference Guide.
using the BlackBerry® Desktop Software | To read the Deploying Java Applications document, visit www.blackberry.com/developers and click the White Papers link.
using the BlackBerry Application Web Loader | To read the Deploying Java Applications document, visit www.blackberry.com/developers and click the White Papers link.
using the standalone BlackBerry application loader tool | To read the Deploying Java Applications document, visit www.blackberry.com/developers and click the White Papers link.
using the BlackBerry® Browser | To read the Deploying Java Applications document, visit www.blackberry.com/developers and click the White Papers link.
To download the .zip file for the appropriate collaboration client, visit www.blackberry.com/support/downloads. For information about the compatibility of collaboration clients and versions of the BlackBerry Enterprise Server, visit na.blackberry.com/eng/support/downloads/im_server_compatibility.jsp.

Setting up the messaging environment


Creating email message filters

You can create email message filters to define which messages the BlackBerry® Enterprise Server forwards from users’ email applications to their BlackBerry devices. When users receive messages in the incoming message queue, the BlackBerry Enterprise Server applies email message filters to determine how to direct the messages: forward, forward with priority, or do not forward to the users' BlackBerry devices.
Email message filters that you create and apply using the BlackBerry Manager override the email message filters that users create using the BlackBerry® Desktop Manager or their BlackBerry devices. You can specify the order that the email message filters are applied in.
You can create the following types of email message filters:
• global filters: apply to all users on the BlackBerry Enterprise Server
• group filters: apply to all users that belong to a user group on a BlackBerry Enterprise Server
• user filters: apply to specific users on the BlackBerry Enterprise Server
Users cannot view or change global filters or group filters. If you define global filters or group filters, you must explain to users that some of their email message filters might not apply to incoming messages.
If you change global filters, the BlackBerry Enterprise Server applies the changes immediately.
Create an email message filter that applies to all users
1. In the BlackBerry® Manager, in the left pane, click a BlackBerry® Enterprise Server.
2. On the Server Configuration tab, click Edit Properties.
3. In the left pane, click Global Filters.
4. Double-click Global Filter Definition.
5. Click New.
6. In the New Message Conditions section, double-click Filter Name.
7. Type a name for the email message filter.
8. Configure the options for the email message filter.
9. Click Action.
10. Perform one of the following tasks:
Task | Steps
Create an email message filter that does not deliver messages that match the filter criteria. | In the drop-down list, click Hold.
Create an email message filter that forwards messages that match the filter criteria. | a. In the drop-down list, click Forward. b. Double-click Forwarding Options. c. Select the appropriate message forwarding options.
11. Click OK.
12. In the Filter Name list, click the email message filter that you created.
13. To move the email message filter higher or lower in the list, click Move Up or Move Down. The BlackBerry Enterprise Server applies email message filters in the order that they are listed in. Organize the email message filters from the least restrictive to the most restrictive.
14. Click OK.
Turn on an email message filter that applies to all user accounts
1. In the BlackBerry® Manager, in the left pane, click a BlackBerry® Enterprise Server.
2. On the Server Configuration tab, click Edit Properties.
3. In the left pane, click Global Filters.
4. Double-click Global Filter Definition.
5. In the Filter Name list, click an email message filter.
6. Click Properties.
7. In the New Message Conditions section, in the Enabled drop-down list, click True.
8. Click OK.
The BlackBerry Enterprise Server applies email message filters in the order that they are listed in.
Create an email message filter that applies to a user group
1. In the BlackBerry® Manager, in the left pane, click a user group.
2. On the Group Configuration tab, click Edit Group Template.
3. In the left pane, click Filters.
4. Double-click Filter Rules.
5. Click New.
6. In the New Message Conditions section, double-click Filter Name.
7. Type a name for the email message filter.
8. Configure the options for the email message filter.
9. Click Action.
10. Perform one of the following tasks:
Task | Steps
Create an email message filter that does not deliver messages that match the filter criteria. | In the drop-down list, click Hold.
Create an email message filter that forwards messages that match the filter criteria. | a. In the drop-down list, click Forward. b. Double-click Forwarding Options. c. Select the appropriate message forwarding options.
11. Click OK.
12. In the Filter Name list, click the email message filter that you created.
13. To move the email message filter higher or lower in the list, click Move Up or Move Down. The BlackBerry® Enterprise Server applies email message filters in the order that they are listed in. Organize the email message filters from the least restrictive to the most restrictive.
14. Click OK.
15. Select the Filter Rules check box.
16. Click Reapply Template.
Turn on an email message filter that applies to a user group
1. In the BlackBerry® Manager, in the left pane, click a user group.
2. On the Group Configuration tab, click Edit Group Template.
3. In the left pane, click Filters.
4. Double-click Filter Rules.
5. In the Filter Name list, click an email message filter.
6. Click Properties.
7. In the New Message Conditions section, in the Enabled drop-down list, click True.
8. Click OK.
9. Select the Filter Rules check box.
10. Click Reapply Template.
The BlackBerry® Enterprise Server applies email message filters in the order that they are listed in.
Create an email message filter that applies to a specific user account
1. In the BlackBerry® Manager, in the left pane, click a BlackBerry® Enterprise Server.
2. On the Users tab, double-click a user account.
3. In the left pane, click Filters.
4. Double-click Filter Rules.
5. Click New.
6. In the New Message Conditions section, double-click Filter Name.
7. Type a name for the new email message filter.
8. Configure the options for the email message filter.
9. Click Action.
10. Perform one of the following tasks:
Task | Steps
Create an email message filter that does not deliver messages that match the filter criteria. | In the drop-down list, click Hold.
Create an email message filter that forwards messages that match the filter criteria. | a. In the drop-down list, click Forward. b. Double-click Forwarding Options. c. Select the appropriate message forwarding options.
11. Click OK.
12. In the Filter Name list, click the email message filter that you created.
13. Click Move Up or Move Down to move the filter higher or lower in the list. The BlackBerry Enterprise Server applies email message filters in the order that they are listed in. Organize the email message filters from the least restrictive to the most restrictive.
14. Click OK.
Turn on an email message filter that applies to a specific user account
1. In the BlackBerry® Manager, in the left pane, click a BlackBerry® Enterprise Server.
2. On the Users tab, double-click a user account.
3. In the left pane, click Filters.
4. Double-click Filter Rules.
5. In the Filter Name list, click an email message filter.
6. Click Properties.
7. In the New Message Conditions section, in the Enabled drop-down list, click True.
8. Click OK.
The BlackBerry Enterprise Server applies email message filters in the order that they are listed in.

Enforcing secure messaging using classifications

You can use message classifications to require S/MIME-enabled users or PGP®-enabled users to sign, encrypt, or sign and encrypt email messages that they send from their BlackBerry® devices.
You use the Message Classification IT policy rule to configure one or more message classifications that users can apply to email messages. The classification that the users select when they compose messages determines the type of S/MIME message protection or PGP message protection that applies to the messages.
If a user does not select a message classification, by default, the BlackBerry device applies the first classification in the list. You can change the order that the BlackBerry device lists the classifications in.
The message protection options on the BlackBerry device are limited to the types of encryption and digital signing that the secure messaging packages on the BlackBerry device allow. When a user applies a classification to a message on a BlackBerry device, the user must select one type of message protection that the message classification permits, or accept the default type of message protection. If a user selects a classification that requires signing, encryption, or signing and encryption of the message, and if the user does not have a secure messaging package installed on the BlackBerry device, the user cannot send the message.
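The classification behaviour described above, modelled as a short Python sketch. This is an added example, not BlackBerry code: the class and function names are hypothetical, and the linear ordering of protection types and the choice of the weakest permitted type as the default are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Set


class Protection(IntEnum):
    # Assumption: a linear ordering. The guide only states that a minimum
    # action of Signed permits every encoding type the device supports.
    SIGNED = 1
    ENCRYPTED = 2
    SIGNED_AND_ENCRYPTED = 3


@dataclass(frozen=True)
class Classification:
    display_name: str            # shown in the Classifications list on the device
    subject_suffix: str          # appended to the message subject, e.g. "(U)"
    minimum_action: Protection   # minimum action for encoding the message


@dataclass(frozen=True)
class Outcome:
    sent: bool
    reason: str
    subject: Optional[str] = None
    protection: Optional[Protection] = None


def resolve_classification(policy: List[Classification],
                           selected: Optional[str] = None) -> Classification:
    """Return the user's selection, or the first classification in the list."""
    if not policy:
        raise ValueError("the IT policy rule defines no classifications")
    if selected is None:
        return policy[0]
    for classification in policy:
        if classification.display_name == selected:
            return classification
    raise KeyError(selected)


def permitted_options(classification: Classification,
                      device_options: Set[Protection]) -> List[Protection]:
    """Protection types the installed packages allow and the classification permits."""
    return sorted(p for p in device_options if p >= classification.minimum_action)


def prepare_message(subject: str,
                    policy: List[Classification],
                    device_options: Set[Protection],
                    selected: Optional[str] = None,
                    chosen: Optional[Protection] = None) -> Outcome:
    """Decide whether a message can be sent and with which protection."""
    classification = resolve_classification(policy, selected)
    allowed = permitted_options(classification, device_options)
    if not allowed:
        # No installed secure messaging package satisfies the classification:
        # the message is not sent rather than sent unprotected.
        return Outcome(False, f"no package meets '{classification.display_name}'")
    if chosen is None:
        protection = allowed[0]  # assumed default: weakest permitted type
    elif chosen in allowed:
        protection = chosen
    else:
        return Outcome(False, f"{chosen.name} is below the minimum action")
    return Outcome(True, "ok", f"{subject} {classification.subject_suffix}", protection)


# Constructed sample policy and devices (not taken from a real deployment).
POLICY = [
    Classification("Unclassified", "(U)", Protection.SIGNED),
    Classification("Confidential", "(C)", Protection.SIGNED_AND_ENCRYPTED),
]
FULL_DEVICE = set(Protection)   # packages allow every protection type
NO_PACKAGE: Set[Protection] = set()   # no secure messaging package installed

if __name__ == "__main__":
    print(prepare_message("Q3 report", POLICY, FULL_DEVICE))
    print(prepare_message("Q3 report", POLICY, FULL_DEVICE, selected="Confidential"))
    print(prepare_message("Q3 report", POLICY, NO_PACKAGE, selected="Confidential"))
    print(prepare_message("Q3 report", list(reversed(POLICY)), FULL_DEVICE))
```

Reordering the list changes which classification applies when the user selects none, so the first entry sets the default protection level for outgoing messages.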

Configure message classifications

Create a message classification
1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click IT Policy.
4. In the IT Policy Administration section, double-click IT Policies.
5. In the list of IT policies, select an IT policy.
6. Click Properties.
7. Click OK.
8. Click Security Policy Group.
9. Double-click the Message Classification IT policy rule.
10. Click New.
11. Type a display name to appear in the Classifications list on the BlackBerry device.
12. Type a subject suffix to append, in parentheses, to the message subject. For example, type the subject suffix (U) for a classification that is named Unclassified.
13. In the drop-down list, click a minimum action for encoding the message. For example, click Signed to permit the user to select all encoding types for the secure messaging packages that are installed on the BlackBerry device.
14. Click Apply.
15. Click OK.
After you finish: If you create more than one message classification, order the classifications in the list. By default, if a user does not select a message classification, the BlackBerry device applies the first classification in the list.
Create a message classification based on an existing classification
Before you begin: Create a message classification.
1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click IT Policy.
4. In the IT Policy Administration section, double-click IT Policies.
5. In the list of IT policies, select an IT policy.
6. Click Properties.
7. Click Security Policy Group.
8. Double-click the Message Classification IT policy rule.
9. Click a display name.
10. Click New Copy.
11. Type a new display name.
12. Type a new subject suffix.
13. In the drop-down list, click a minimum action for encoding the message.
14. Click Apply.
15. Click OK.
Order message classifications
Before you begin: Create message classifications.
1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click IT Policy.
4. In the IT Policy Administration section, double-click IT Policies.
5. In the list of IT policies, select an IT policy.
6. Click Properties.
7. Click Security Policy Group.
8. Double-click the Message Classification IT policy rule.
9. Click a display name.
10. Perform any of the following actions:
• To move the selected classification to the top of the list, click Make First.
• To move the selected classification one position higher in the list, click Move Up.
• To move the selected classification one position lower in the list, click Move Down.
• To move the selected classification to the bottom of the list, click Make Last.
11. Click Apply.


Delete message classifications
Before you begin: Create a message classification.
1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click IT Policy.
4. In the IT Policy Administration section, double-click IT Policies.
5. In the list of IT policies, select an IT policy.
6. Click Properties.
7. Click Security Policy Group.
8. Double-click the Message Classification IT policy rule.
9. Click a display name.
10. Click Remove.
11. Click Apply.

Mapping address book fields for synchronization and address lookups

You can map address book fields from the email applications on users' computers to the contact lists on their BlackBerry® devices. The information in these fields synchronizes to BlackBerry devices and is displayed in address lookups. You can create the following types of field mappings on the BlackBerry® Enterprise Server:
• global field mappings: apply to all user accounts in a BlackBerry Domain
• user field mappings: apply to specific user accounts
You can map up to four custom fields that users define in the address books on their computers to their BlackBerry devices. When users request a remote address lookup from the GAL, the fields that you configure display on BlackBerry devices.
Map an address book field in the email application to an address book field on all BlackBerry devices
1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Service Control & Customization.
3. Click Edit PIM Sync Global Field Mapping.
4. In the Desktop Field column, click a field.
5. In the Device Field column, in the drop-down list, click the address book field for the BlackBerry device that you want to map to the field in the email application.
6. Click OK.
Map an address book field in the email application to an address book field on a specific BlackBerry device
1. In the BlackBerry® Manager, in the left pane, click a BlackBerry® Enterprise Server.
2. On the Users tab, click a user account.
3. In the lower pane, click Service Control & Customization.
4. Click Edit PIM Sync Field Mapping.
5. In the Desktop Field column, click a field.
6. In the Device Field column, in the drop-down list, click the address book field for the BlackBerry device that you want to map to the field in the email application.
7. Click OK.
Map address book fields that users defined to address book fields on all BlackBerry devices
You can map up to four address book fields that users define in the email application to BlackBerry® devices.
1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Service Control & Customization.
3. Click Edit PIM Sync Global Field Mapping.
4. In the Desktop Field column, click User Defined String 1.
5. In the Device Field column, in the drop-down list, click the address book field for the BlackBerry device that you want to map to the address book field in the email application.
6. Click OK.
Map address book fields that users defined to address book fields on a specific BlackBerry device
You can map up to four address book fields that users define in the email application to a specific BlackBerry® device.
1. In the BlackBerry Manager, in the left pane, click a BlackBerry® Enterprise Server.
2. On the Users tab, click a user account.
3. In the lower pane, click Service Control & Customization.
4. Click Edit PIM Sync Field Mapping.
5. In the Desktop Field column, click User Defined String 1.
6. In the Device Field column, in the drop-down list, click the address book field for the BlackBerry device that you want to map to the address book field in the email application.
7. Click OK.

Making BlackBerry MDS Runtime Applications available to users


Creating BlackBerry MDS Runtime Applications and sending them to BlackBerry devices

To see the documentation for administrators of the BlackBerry® Enterprise Server, visit www.blackberry.com/go/serverdocs. To see the BlackBerry Mobile Data System Technical Overview and documentation for BlackBerry developer tools, visit www.blackberry.com/developers.
Task | Actor | Resource
Install the BlackBerry Enterprise Server with the BlackBerry MDS Integration Service. | Administrator | BlackBerry Enterprise Server Installation Guide
Authenticate the BlackBerry MDS Integration Service to the BlackBerry Manager. | Administrator | BlackBerry Enterprise Server Administration Guide, Section: Setting up security options
Download the BlackBerry® MDS Runtime. | Administrator | na.blackberry.com/eng/services/mobile_upgrade.jsp
Install the BlackBerry MDS Runtime on a network drive. | Administrator | BlackBerry Enterprise Server Administration Guide, Section: Sending software and Java applications to BlackBerry devices
Send the BlackBerry MDS Runtime to BlackBerry devices. | Administrator | BlackBerry Enterprise Server Administration Guide, Section: Sending software and Java applications to BlackBerry devices; BlackBerry MDS Runtime Deployment Guide
Install the BlackBerry® MDS Studio or the BlackBerry® Plug-in for Microsoft® Visual Studio®. | Developer | BlackBerry MDS Studio Developer Guide, Section: Installing, configuring, and removing the BlackBerry MDS Studio; BlackBerry Plug-in for Microsoft Visual Studio Release Notes and Known Issues List
Create a BlackBerry MDS Runtime Application. | Developer | BlackBerry MDS Studio Getting Started Guide; BlackBerry MDS Studio Developer Guide; BlackBerry MDS Studio Fundamentals Guide; BlackBerry Plug-in for Microsoft Visual Studio Developer Guide; BlackBerry Plug-in for Microsoft Visual Studio online help
Publish a BlackBerry MDS Runtime Application to the BlackBerry MDS Application Repository. | Developer | BlackBerry MDS Studio Developer Guide, Section: Publishing BlackBerry MDS Studio applications on BlackBerry devices; BlackBerry MDS Studio Fundamentals Guide, Section: Deployment cycle for BlackBerry Applications; BlackBerry Plug-in for Microsoft Visual Studio Developer Guide, Section: Publish the BlackBerry application
Establish client authentication between the BlackBerry MDS Integration Service and web services. | Administrator | BlackBerry Enterprise Server Administration Guide, Section: Setting up security options
Configure authentication for BlackBerry MDS Runtime Applications. | Administrator | BlackBerry Enterprise Server Administration Guide, Section: Making BlackBerry MDS Runtime Applications available to users, Topic: Configuring access to web services and managing signed and unsigned applications
Assign a BlackBerry MDS Integration Service device policy to BlackBerry devices. | Administrator | BlackBerry Enterprise Server Administration Guide, Section: Making BlackBerry MDS Runtime Applications available to users, Topic: Configuring how users access and use BlackBerry MDS Runtime Applications
Install BlackBerry MDS Runtime Applications on BlackBerry devices. | Administrator | BlackBerry Enterprise Server Administration Guide, Section: Making BlackBerry MDS Runtime Applications available to users

Preparing BlackBerry devices to install BlackBerry MDS Runtime Applications
BlackBerry® MDS Runtime Applications can only be installed and used on BlackBerry devices that have the BlackBerry® MDS Runtime installed and activated. You can install the BlackBerry MDS Runtime on BlackBerry devices over the wireless network, or you can add it to a network drive and instruct users to install it on their BlackBerry devices using the application loader tool in the BlackBerry® Desktop Manager.
To download the latest version of the BlackBerry MDS Runtime, visit na.blackberry.com/eng/services/mobile_upgrade.jsp. For more information about installing and activating the BlackBerry MDS Runtime on BlackBerry devices, visit www.blackberry.com/developers.
Related topics
Sending software and Java applications to BlackBerry devices

Configuring access to web services and managing signed and unsigned applications

Allow BlackBerry MDS Runtime Applications to access web services using HTTPS
If you configured authentication between the BlackBerry® MDS Integration Service and web services, you must configure the BlackBerry MDS Integration Service to allow BlackBerry MDS Runtime Applications to establish HTTPS connections to external web services.
Before you begin: Configure the BlackBerry MDS Integration Service to authenticate to web services.
1. In the BlackBerry Manager, in the left pane, click a BlackBerry MDS Integration Service.
2. On the MDS Integration Services tab, click Edit Properties.
3. In the left pane, click General.
4. Click Allow Web Services Access over SSL.
5. In the drop-down list, click True.
6. Click OK.
7. On the MDS Integration Services tab, click Common.
8. Click Stop Service.
9. When the status displays “Stopped,” click Start Service.
Related topics
Authenticating the BlackBerry MDS Integration Service to the BlackBerry Manager and web services
Define a BlackBerry MDS Runtime Application as a trusted application
A developer in your organization can sign a BlackBerry® MDS Runtime Application with a digital certificate. Add this digital certificate to the BlackBerry MDS Integration Service to define the BlackBerry MDS Runtime Application as a trusted application that can send data to and receive data from application servers or web servers.
1. In the BlackBerry Manager, in the left pane, click a BlackBerry MDS Integration Service.
2. On the MDS Integration Services tab, click Common.
3. Click Add Certificate.
4. In the Alias field, type a name for the certificate.
5. In the Certificate file field, click Browse. Click the certificate that you want to add.
6. Click OK.

Configure whether users can install unsigned BlackBerry MDS Runtime Applications on BlackBerry devices
You can configure whether users are allowed to install BlackBerry® MDS Runtime Applications that are not signed with a digital certificate. By default, users are allowed to install unsigned BlackBerry MDS Runtime Applications on their BlackBerry devices.
1. In the BlackBerry Manager, in the left pane, click a BlackBerry MDS Integration Service.
2. On the MDS Integration Services tab, click Edit Properties.
3. In the left pane, click General.
4. Click Allow Unsigned Applications.
5. In the drop-down list, perform one of the following actions:
• To allow users to install unsigned BlackBerry MDS Runtime Applications, click True.
• To prevent users from installing unsigned BlackBerry MDS Runtime Applications, click False.
6. Click OK.
7. On the MDS Integration Services tab, expand Common.
8. Click Stop Service.
9. When the status displays “Stopped,” click Start Service.

Configuring how users access and use BlackBerry MDS Runtime Applications

You can create BlackBerry® MDS Integration Service device policies and assign them to users and user groups to control how users access and use BlackBerry® MDS Runtime Applications on their BlackBerry devices. Device policies define whether users can upgrade the BlackBerry MDS Runtime, and whether users can discover, install, and remove BlackBerry MDS Runtime Applications from their BlackBerry devices. You can also use device policies to define whether BlackBerry MDS Runtime Applications can access data and other applications on the BlackBerry devices, and to specify message queue limits for data that BlackBerry MDS Runtime Applications send and receive.
Create a BlackBerry MDS Integration Service device policy
1. In the BlackBerry® Manager, in the left pane, click a BlackBerry MDS Integration Service.
2. On the MDS Integration Services tab, click Edit Properties.
3. Click Device Policies.
4. Double-click BlackBerry MDS Integration Service Device Policy Definition.
5. Click New.
6. Click Device Policy.
7. Double-click Policy Name.
8. Type a name for the device policy.
9. Specify the device policy rule settings. For more information about the device policy settings, see the Policy Reference Guide.
10. Click OK.
After you finish: Assign the device policy that you created to a user or user group.


Assign a BlackBerry MDS Integration Service device policy to a user group
Before you begin: Make sure that all of the users in the group are connected to the same BlackBerry® MDS Integration Service. The group must contain at least one user.
1. In the BlackBerry Manager, in the left pane, click a user group.
2. On the Group Configuration tab, click MDS Integration Service.
3. Click Assign Device Policy.
4. In the Device Policy drop-down list, click the device policy that you want to assign to the user group.
5. Click OK.
Assign a BlackBerry MDS Integration Service device policy to a specific user
1. In the BlackBerry® Manager, in the left pane, expand a BlackBerry MDS Integration Service.
2. Click Devices Registered.
3. On the Devices Registered tab, click a user account.
4. In the lower pane, click Common.
5. Click Assign Device Policy.
6. In the Device Policy drop-down list, click the device policy that you want to assign to the user.
7. Click OK.

Sending BlackBerry MDS Runtime Applications to BlackBerry devices

You can send BlackBerry® MDS Runtime Applications to BlackBerry devices over the wireless network. Users can also use the BlackBerry MDS Control Center on their BlackBerry devices to search the BlackBerry MDS Application Repository for available applications and install the applications on their BlackBerry devices. Users can use the BlackBerry MDS Control Center after the BlackBerry® MDS Runtime is successfully installed and activated on their BlackBerry devices.
If you do not want users to search for and install available applications, you can assign a BlackBerry MDS Integration Service device policy to users that prevents them from viewing the applications that are available in the BlackBerry MDS Application Repository.
Install a BlackBerry MDS Runtime Application on BlackBerry devices
1. In the BlackBerry® Manager, in the left pane, click a user group.
2. On the View menu, click Choose Columns. Add the MDS Integration Service Server URL column.
3. Click the MDS Integration Service Server URL column heading.
4. Click the user accounts that are connected to the same BlackBerry MDS Integration Service server.
5. On the Group Configuration tab, click MDS Services.
6. Click Install on Device.
7. Click the BlackBerry MDS Runtime Application that you want to install.
8. Click Next.
9. In the Group size for pushing field, type the number of BlackBerry devices to send the installation request to at the same time.
10. In the Push interval field, type an interval for the BlackBerry MDS Integration Service to send the installation request to BlackBerry devices.
11. To set a specific time to send the installation request at, click the Schedule check box. Specify the start date and time.
12. To display a prompt on BlackBerry devices that allows users to cancel the installation, clear the Required check box.
13. Click Next.
14. Click Finish.
Install a BlackBerry MDS Runtime Application on a specific BlackBerry device
Before you begin: Obtain the PIN of the BlackBerry® device.
1. In the BlackBerry Manager, in the left pane, expand a BlackBerry MDS Integration Service.
2. Click Application Registry.
3. Click the BlackBerry MDS Runtime Application that you want to install.
4. In the lower pane, click Device Management.
5. Click Install on Device.
6. In the Install application on devices drop-down list, click without application installed.
7. Clear the Select all check box.
8. Click the PIN of the BlackBerry device that you want to install the application on.
9. Click Next.
10. To set a specific time at which to send the installation request, click the Schedule check box. Specify the start date and time.
11. To display a prompt on the BlackBerry device that allows the user to cancel the installation, clear the Required check box.
12. Click Next.
13. Click Finish.

Applying an application control policy to a BlackBerry MDS Runtime Application
In BlackBerry® Enterprise Server version 4.1 SP5 and later, you can apply an application control policy to a BlackBerry® MDS Runtime Application that was created using BlackBerry® MDS Studio version 2.0 or later or BlackBerry® Plug-in for Microsoft® Visual Studio® version 1.1 or later. You can use an application control policy to specify the types of data on BlackBerry devices that the BlackBerry MDS Runtime Application can and cannot access. For example, you can apply an application control policy that restricts a BlackBerry MDS Runtime Application from accessing the organizer data on BlackBerry devices.
To apply an application control policy to a BlackBerry MDS Runtime Application, you must add an application launcher (.cod) file for the BlackBerry MDS Runtime Application to a software configuration. You must then apply an application control policy to the application launcher file. When you assign the software configuration to users, the application launcher file installs on users' BlackBerry devices and enforces the application control policy for the BlackBerry MDS Runtime Application. Only BlackBerry devices that are running BlackBerry® MDS Runtime version 4.5 or later can use the application launcher file.
Add the application launcher file for a BlackBerry MDS Runtime Application to the network drive
Before you begin: Get the application launcher (.cod) file for the BlackBerry® MDS Runtime Application from the application developer.
1. If necessary, on the network drive, create the path <drive>:\Program Files\Common Files\Research In Motion\Shared\Applications.
2. In the Applications folder, create a folder for the BlackBerry MDS Runtime Application.
3. Copy the application launcher file to the folder that you created.
4. In the folder, create a .txt file.
5. Rename the .txt file to <application_name>.alx.
6. In a text editor, open the .alx file.
7. Copy the following text into the .alx file. For the variables, use information that the application developer provides.
<loader version="1.0">
  <application id="application_launcher_id">
    <name>application_launcher_name</name>
    <description>application_launcher_description</description>
    <version>application_launcher_version</version>
    <vendor>vendor</vendor>
    <copyright>copyright_information</copyright>
    <directory SystemSize="normal"></directory>
    <fileset Java="1.0" Color="true">
      <files>name_of_.cod_application_launcher</files>
    </fileset>
  </application>
</loader>
8. Save and close the .alx file.
After you finish: Re-index the applications that are located at <drive>:\Program Files\Common Files\Research In Motion\Shared\Applications. Share the network drive.
Related topics
Indexing applications on a network drive
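The application control policy is enforced only if the launcher actually installs, so it is worth checking the .alx descriptor before you re-index the Applications folder. The following Python script is an added example, not part of the BlackBerry documentation: it flags template placeholders that were never replaced and .cod files that are named in <files> but missing from the application folder. The sample descriptors and file names are constructed, and the script assumes that <files> holds whitespace-separated .cod names.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Placeholder strings from the manual's template. Any that survive in a
# descriptor mean the developer-supplied values were never filled in.
TEMPLATE_PLACEHOLDERS = {
    "application_launcher_id", "application_launcher_name",
    "application_launcher_description", "application_launcher_version",
    "vendor", "copyright_information",
}
REQUIRED_ELEMENTS = ("name", "description", "version", "vendor", "copyright")


def check_alx(alx_path):
    """Return a list of problems in an .alx descriptor (empty list = passed)."""
    alx_path = Path(alx_path)
    try:
        root = ET.parse(alx_path).getroot()
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "loader":
        return [f"root element is <{root.tag}>, expected <loader>"]

    problems = []
    apps = root.findall("application")
    if not apps:
        problems.append("no <application> element")
    for app in apps:
        app_id = (app.get("id") or "").strip()
        if not app_id or app_id in TEMPLATE_PLACEHOLDERS:
            problems.append(f"application id unset: {app_id!r}")
        for tag in REQUIRED_ELEMENTS:
            text = (app.findtext(tag) or "").strip()
            if not text or text in TEMPLATE_PLACEHOLDERS:
                problems.append(f"<{tag}> unset: {text!r}")
        # Assumption: <files> holds whitespace-separated .cod file names.
        cod_names = [name
                     for files in app.findall("fileset/files")
                     for name in (files.text or "").split()]
        if not cod_names:
            problems.append("no .cod file listed in <fileset>/<files>")
        for name in cod_names:
            if "/" in name or "\\" in name or not name.lower().endswith(".cod"):
                problems.append(f"not a bare .cod file name: {name!r}")
            elif not (alx_path.parent / name).is_file():
                problems.append(f"{name} is missing from the application folder")
    return problems


# The manual's template, with one format field per variable.
ALX_SKELETON = """<loader version="1.0">
<application id="{id}">
<name>{name}</name>
<description>{description}</description>
<version>{version}</version>
<vendor>{vendor}</vendor>
<copyright>{copyright}</copyright>
<directory SystemSize="normal"></directory>
<fileset Java="1.0" Color="true">
<files>{cod}</files>
</fileset>
</application>
</loader>
"""
# The template exactly as printed in the manual, with nothing replaced.
UNEDITED = dict(id="application_launcher_id", name="application_launcher_name",
                description="application_launcher_description",
                version="application_launcher_version", vendor="vendor",
                copyright="copyright_information",
                cod="name_of_.cod_application_launcher")
# Constructed sample values (not a real application).
FILLED_IN = dict(id="ExampleLauncher", name="Example Launcher",
                 description="Launcher for the Example application",
                 version="1.0.0", vendor="Example Corp",
                 copyright="Copyright (c) Example Corp",
                 cod="ExampleLauncher.cod")


def demo():
    """Check an unedited template, a filled-in descriptor, and a missing .cod."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp) / "ExampleApp"
        folder.mkdir()
        cod = folder / FILLED_IN["cod"]
        cod.write_bytes(b"constructed stand-in for the launcher file")
        template = folder / "template.alx"
        template.write_text(ALX_SKELETON.format(**UNEDITED), encoding="utf-8")
        filled = folder / "ExampleApp.alx"
        filled.write_text(ALX_SKELETON.format(**FILLED_IN), encoding="utf-8")
        unedited_result = check_alx(template)
        filled_result = check_alx(filled)
        cod.unlink()  # simulate step 3 (copying the launcher file) being skipped
        return unedited_result, filled_result, check_alx(filled)


if __name__ == "__main__":
    for result in demo():
        print(result or "OK")
```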
Assign an application control policy to a BlackBerry MDS Runtime Application
Before you begin: Add the application launcher (.cod) file for the BlackBerry® MDS Runtime Application to the network drive.
1. In the BlackBerry Manager, create a software configuration that includes the application launcher file for the BlackBerry MDS Runtime Application.
2. Apply an application control policy to the application launcher file.
3. Assign the software configuration to a user account or user group that has the BlackBerry MDS Runtime Application installed on the users' BlackBerry devices.
Related topics
Defining software configurations

9 Configuring how users access enterprise applications and web content

Specifying a BlackBerry MDS Connection Service as the central push server

You can specify one BlackBerry® MDS Connection Service in a BlackBerry Domain as the central push server. The central push server receives content push requests from server-side applications that are located on an application server, on a web server, or in a database. It also manages push requests and sends application data and application updates to BlackBerry Applications on BlackBerry devices.
Specify the central push server
Only one BlackBerry® MDS Connection Service in your organization's BlackBerry Domain can be specified as the central push server. When you specify a BlackBerry MDS Connection Service as the central push server, any other BlackBerry MDS Connection Service specified as the central push server in your organization's BlackBerry Domain has the designation removed.
1. In the BlackBerry Manager, in the left pane, click a BlackBerry MDS Connection Service.
2. On the Connection Service tab, click Common.
3. Click Set as Push Server.
After you finish:
If you have the BlackBerry MDS Integration Service installed, verify that the central push server appears in the list of BlackBerry MDS Connection Service instances that are available to the BlackBerry MDS Integration Service. You can configure multiple instances of the BlackBerry® Enterprise Server in your organization's BlackBerry Domain to use the BlackBerry MDS Connection Service that you defined as the central push server.
Notify the push application developers in your organization's environment that you have designated a new central push server.
Related topics
Make a BlackBerry MDS Connection Service available to a BlackBerry MDS Integration Service
Configure multiple BlackBerry Enterprise Server instances to use the same BlackBerry MDS Connection Service

Configuring how BlackBerry devices authenticate to content servers

If you configured the content servers in your organization's environment to use an authentication protocol to authenticate the sources of the data requests that they receive, you can control how BlackBerry® devices authenticate to content servers to receive application data and application updates.
Configure how BlackBerry devices authenticate to content servers
Configure whether BlackBerry® devices authenticate to content servers directly, or whether the BlackBerry MDS Connection Service authenticates to content servers on behalf of BlackBerry devices. If you configure BlackBerry devices to authenticate directly to content servers, but do not configure an authentication method for BlackBerry MDS Connection Service connections, users are prompted to provide login information on their authenticated BlackBerry devices every 30 minutes. The BlackBerry device prompts users only if the connection to the content server persists for more than 30 minutes.
1. In the BlackBerry Manager, in the left pane, click a BlackBerry MDS Connection Service.
2. On the Connection Service tab, click Edit Properties.
3. In the left pane, click HTTP.
4. Click Support HTTP Authentication.
5. In the drop-down list, perform one of the following actions:
• If you want BlackBerry devices to authenticate to content servers directly, click False.
• If you want the BlackBerry MDS Connection Service to store authentication information and perform HTTP authentication on behalf of BlackBerry devices, click True.
6. Double-click Authentication Timeout.
7. Type the length of time, in milliseconds, that you want authentication information for BlackBerry devices to remain valid on the content server.
By default, the authentication timeout limit is 1 hour.
8. Click OK.
After you finish: If you set Support HTTP Authentication to True, configure the BlackBerry MDS Connection Service to authenticate to content servers that use NTLM, Kerberos™, LTPA, or RSA® Authentication Manager on behalf of BlackBerry devices.
Configure the BlackBerry MDS Connection Service to authenticate BlackBerry devices to content servers that use NTLM
Before you begin: Configure the BlackBerry® MDS Connection Service to authenticate to content servers on behalf of BlackBerry devices.
1. Navigate to <drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\Instance\config.
2. Configure the MdsLogin.conf file.
For more information about the Java® Authentication and Authorization Service configuration file, visit http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/tutorials/LoginConfigFile.html.
Configure the BlackBerry MDS Connection Service to authenticate BlackBerry devices to content servers that use Kerberos
Before you begin: Configure the BlackBerry® MDS Connection Service to authenticate to content servers on behalf of BlackBerry devices.
1. Navigate to <drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\Instance\config.
2. Configure the krb5.conf file.
For more information about the Kerberos™ 5 configuration file, visit web.mit.edu/kerberos/www/krb5-1.3/krb5-1.3.3/doc/krb5-admin.html#krb5.conf.
Configure the BlackBerry MDS Connection Service to authenticate BlackBerry devices to content servers that use LTPA
BlackBerry® devices that are running BlackBerry® Device Software version 3.8 or later manage how they store the HTTP cookies that they use to authenticate to content servers that use LTPA authentication technology. For BlackBerry devices that use previous versions of the BlackBerry Device Software, you must allow the BlackBerry MDS Connection Service to manage HTTP cookie storage on the BlackBerry devices.
Before you begin: Configure the BlackBerry MDS Connection Service to authenticate to the content servers in your environment on behalf of BlackBerry devices.
1. In the BlackBerry Manager, in the left pane, click a BlackBerry MDS Connection Service.
2. On the Connection Service tab, click Edit Properties.
3. In the left pane, click HTTP.
4. Click Support HTTP Cookie Storage.
5. In the drop-down list, click True.
6. Click OK.
Configure the BlackBerry MDS Connection Service to authenticate BlackBerry devices to the RSA Authentication Manager
When you turn on RSA® authentication, users must type their login information on their BlackBerry® devices before they can access intranet or Internet content. After a user is authenticated, if proxy authentication is configured, the BlackBerry device prompts the user to authenticate to the proxy server.
Before you begin: Configure the BlackBerry MDS Connection Service to authenticate to the content servers in your organization's environment on behalf of BlackBerry devices.
1. In the BlackBerry Manager, in the left pane, click a BlackBerry MDS Connection Service.
2. On the Connection Service tab, click Edit Properties.
3. In the left pane, click RSA Authentication.
4. Click Enable RSA Authorization Support.
5. In the drop-down list, click True.
6. To specify how long an authenticated BlackBerry device can remain connected to your organization's network while the user is active, double-click RSA Authentication Timeout. Type a number, in minutes.
By default, the authenticated connection persists for 24 hours.
7. To specify how long a BlackBerry device can remain connected to your organization's network while the user is inactive, double-click RSA Inactivity Timeout. Type a number, in minutes.
By default, an authenticated connection persists for 60 minutes of user inactivity on the BlackBerry device.
8. Click OK.

Configuring how the BlackBerry MDS Connection Service manages requests for web content
The BlackBerry® MDS Connection Service manages requests for web content from the BlackBerry® Browser and other applications on BlackBerry devices. You can configure how the BlackBerry MDS Connection Service manages these requests.
Configure the BlackBerry MDS Connection Service to manage HTTP cookie storage
By default, the BlackBerry® MDS Connection Service does not manage HTTP cookie storage. If the BlackBerry device requires JavaScript® support in its HTTP requests, the BlackBerry device processes cookies.
1. In the BlackBerry Manager, in the left pane, click a BlackBerry MDS Connection Service.
2. On the Connection Service tab, click Edit Properties.
3. In the left pane, click HTTP.
4. Click Support HTTP Cookie Storage.
5. In the drop-down list, click True.
6. Click OK.
After you finish: To prevent the BlackBerry MDS Connection Service from managing HTTP cookie storage, set the Support HTTP Cookie Storage drop-down list to False.
Configure the timeout limit for HTTP connections with BlackBerry devices
You can specify how long the BlackBerry® MDS Connection Service waits for a BlackBerry device to send data before it closes the HTTP connection to the BlackBerry device. The default timeout limit is 120,000 milliseconds (2 minutes).
1. In the BlackBerry Manager, in the left pane, click a BlackBerry MDS Connection Service.
2. On the Connection Service tab, click Edit Properties.
3. In the left pane, click HTTP.
4. Double-click HTTP Device Connection Timeout.
5. Type a number, in milliseconds.
6. Click OK.

Configure the timeout limit for HTTP connections to web servers
You can specify how long the BlackBerry® MDS Connection Service waits for a web server to send data before it closes the HTTP connection to the web server. The default timeout limit is 120,000 milliseconds (2 minutes).
1. In the BlackBerry Manager, in the left pane, click a BlackBerry MDS Connection Service.
2. On the Connection Service tab, click Edit Properties.
3. In the left pane, click HTTP.
4. Double-click HTTP Server Connection Timeout.
5. Type a number, in milliseconds.
6. Click OK.
Configure the maximum number of times that the BlackBerry Browser accepts HTTP redirections
HTTP redirection occurs when the BlackBerry® Browser requests a web page from a web server and the web server redirects the request to a new web address for the page. The default limit is five redirections.
1. In the BlackBerry Manager, in the left pane, click a BlackBerry MDS Connection Service.
2. On the Connection Service tab, click Edit Properties.
3. In the left pane, click HTTP.
4. Double-click Maximum Number of Redirects.
5. Type a number.
6. Click OK.
Allowing push applications to make trusted connections to the BlackBerry MDS Connection Service
To allow push applications to open trusted connections to the BlackBerry® MDS Connection Service, you must create a key store (the webserver.keystore file) on the computer that hosts the BlackBerry MDS Connection Service. This key store allows the BlackBerry MDS Connection Service to accept HTTPS connections from push applications.
Push applications can use a BlackBerry MDS Connection Service certificate to open HTTPS connections to the BlackBerry MDS Connection Service to push application data and application updates to BlackBerry devices.
You can use the Java® keytool to create a self-signed certificate for the BlackBerry MDS Connection Service, or you can import a signed certificate from a trusted public certificate authority. You can use the Java keytool to export the BlackBerry MDS Connection Service certificate from the key store, and import the certificate to the key stores that the Java push applications use.
For more information about using the Java keytool, visit java.sun.com/javase/6/docs/technotes/tools/windows/keytool.html. For more information about the Apache Tomcat™ requirements, visit tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html.
Create a key store to store certificates for use with HTTPS connections
You must create a key store to store the certificates that allow the BlackBerry® MDS Connection Service to accept HTTPS connections from push applications.
1. On the computer that hosts the BlackBerry MDS Connection Service, on the taskbar, click Start > Programs > BlackBerry Enterprise Server > BlackBerry Server Configuration.
2. On the Mobile Data Service tab, configure the key store information. Only one key store can exist. The file must be named webserver.keystore and it must be located at <drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\webserver.
3. Click Create Keystore File.
4. If prompted to overwrite a key store, click Yes.
5. Click OK.
Add a certificate for the BlackBerry MDS Connection Service
To allow server-side push applications to open trusted HTTPS connections to the BlackBerry® MDS Connection Service and push application data and application updates to BlackBerry devices, you must add a certificate for the BlackBerry MDS Connection Service to the webserver.keystore file.
1. On the computer that hosts the BlackBerry MDS Connection Service, navigate to <drive>:\Program Files\Java\<JRE version>\bin.
2. At the command prompt, perform one of the following tasks:
Task: Create a self-signed certificate for the BlackBerry MDS Connection Service and add it to the key store.
Steps:
a. Type keytool -genkey -alias tomcat -keyalg RSA -keystore webserver.keystore.
b. Type the required information.
c. To verify the information that you typed, type Yes.
Task: Add a publicly signed certificate to the key store.
Steps:
a. Type keytool -import -trustcacerts -alias tomcat -file <trustedserver.cer> -keystore webserver.keystore.
b. Type the key store password.
c. When prompted, click Yes.
3. Copy the key store file to <drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\webserver.
After you finish: Export the certificate for the BlackBerry MDS Connection Service to make it available to other applications.
Export the BlackBerry MDS Connection Service certificate to make it available to push applications
You must export the certificate for the BlackBerry® MDS Connection Service to import it to the key store of a server-side push application.
Before you begin: Add a self-signed or publicly signed certificate for the BlackBerry MDS Connection Service to the key store.
1. On the computer that hosts the BlackBerry MDS Connection Service, navigate to <drive>:\Program Files\Java\<JRE version>\bin.
2. At the command prompt, type keytool -export -alias tomcat -file <server.cer> -keystore "<drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\webserver\webserver.keystore" -storepass <password>.
3. Type the key store password.
After you finish: Import the certificate for the BlackBerry MDS Connection Service to the key store of a push application.
Import the BlackBerry MDS Connection Service certificate to the key store of a push application
To allow a server-side push application to open trusted connections to the BlackBerry® MDS Connection Service, you must add the certificate for the BlackBerry MDS Connection Service to the key store of the push application.
1. On the computer that hosts the BlackBerry MDS Connection Service, navigate to <drive>:\Program Files\Java\<JRE version>\bin.
2. At a command prompt, type keytool -import -trustcacerts -alias <alias> -file <server.cer> -keystore <application_keystore>.
3. Type the key store password.
4. To add the certificate to the key store, at the prompt, type Yes.
After you finish: If the certificate does not exist, import the certificate to <drive>:\Program Files\Java\<JRE version>\lib\security\cacerts.
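Typing Yes at the keytool -import prompt trusts whatever certificate is in the file, so confirm that the <server.cer> file that reached the push application host is the one that was exported. The following Python script is an added example, not part of the BlackBerry documentation: it computes the fingerprint of a .cer file in either DER or PEM form and compares it with the fingerprint recorded at export. The sample bytes are constructed and stand in for a real certificate; the function names are hypothetical.

```python
import base64
import binascii
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def certificate_der(data):
    """Return the DER bytes of a .cer file.

    keytool -export writes binary DER by default and PEM text with -rfc,
    so both forms have to hash to the same fingerprint.
    """
    match = PEM_BLOCK.search(data)
    if match is None:
        # A DER-encoded certificate opens with an ASN.1 SEQUENCE tag (0x30).
        if not data.startswith(b"\x30"):
            raise ValueError("file is neither PEM nor DER")
        return data
    try:
        return base64.b64decode(b"".join(match.group(1).split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"corrupt PEM body: {exc}") from None


def fingerprint(data, algorithm="sha256"):
    """Colon-separated upper-case hex, the layout keytool prints."""
    digest = hashlib.new(algorithm, certificate_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_recorded(data, recorded, algorithm="sha256"):
    """True only if the file hashes to the fingerprint recorded at export."""
    def bare(value):
        # Ignore colons, spaces and letter case so a hand-copied value compares.
        return re.sub(r"[\s:]", "", value).upper().encode("utf-8")
    return hmac.compare_digest(bare(fingerprint(data, algorithm)), bare(recorded))


def demo():
    # Constructed stand-in for the exported certificate: the fingerprint is a
    # hash of the DER bytes, so arbitrary bytes behind a SEQUENCE tag suffice.
    der = b"\x30\x82\x01\x00" + bytes(range(256))
    pem = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
           + b"-----END CERTIFICATE-----\n")
    recorded = fingerprint(der)      # noted on the MDS host at export time
    swapped = der[:-1] + b"\x00"     # a different file delivered in its place
    return {
        "der": matches_recorded(der, recorded),
        "pem": matches_recorded(pem, recorded.lower().replace(":", " ")),
        "swapped": matches_recorded(swapped, recorded),
    }


if __name__ == "__main__":
    print(demo())
```

To obtain the value to compare against, run keytool -printcert -file <server.cer> on the computer that hosts the BlackBerry MDS Connection Service; pass algorithm="sha1" if that keytool version does not print a SHA-256 fingerprint.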

Configuring how applications open trusted connections to web servers
You can configure the BlackBerry® MDS Connection Service to allow push applications on untrusted web servers to push application data and application updates to BlackBerry devices. If you want to open trusted connections between web servers and the BlackBerry MDS Connection Service, you must create a key store (the webserver.keystore file) on the computer that hosts the BlackBerry MDS Connection Service. This key store allows the BlackBerry MDS Connection Service to accept HTTPS connections from push applications on web servers.
Your organization can trust a web server that hosts push applications if the BlackBerry® Enterprise Server stores a certificate for it in the key store. To trust web servers, you can configure BlackBerry devices to use the BlackBerry MDS Connection Service to retrieve certificate information for web servers that host push applications, and use the Java® keytool to install the certificates on the computer that hosts the BlackBerry MDS Connection Service. Push applications can use the trusted certificates to authenticate to the BlackBerry MDS Connection Service.
The BlackBerry MDS Connection Service supports LDAP and OCSP for the retrieval of certificates and certificate status, and SSL/TLS for authenticated connections that use trusted certificates.
Related topics
Create a key store to store certificates for use with HTTPS connections
Allow BlackBerry devices to connect to untrusted web servers
You can allow BlackBerry® devices to connect to untrusted web servers so that applications on those servers can push content to BlackBerry devices.
1. In the BlackBerry Manager, in the left pane, click a BlackBerry MDS Connection Service.
2. On the Connection Service tab, click Edit Properties.
3. Click TLS/HTTPS.
4. Perform one of the following tasks:
Task: Allow outgoing requests from the BlackBerry device that the BlackBerry MDS Connection Service encrypts with HTTPS.
Steps:
a. Click Allow Untrusted HTTPS Connections.
b. In the drop-down list, click True.
Task: Allow outgoing requests from the BlackBerry device that the BlackBerry MDS Connection Service encrypts with TLS.
Steps:
a. Click Allow Untrusted TLS Connections.
b. In the drop-down list, click True.
Configure the BlackBerry MDS Connection Service to retrieve certificates for web servers
You must define a user name and password for the BlackBerry® MDS Connection Service to authenticate to LDAP servers on behalf of BlackBerry devices.
Do not change the default LDAP port parameters unless a port conflict exists with another service on the same computer. If you change the port number or host server information, you must stop and restart the BlackBerry MDS Connection Service to reload this information.
1. In the BlackBerry Manager, in the left pane, click a BlackBerry MDS Connection Service.
2. On the Connection Service tab, click Edit Properties.
3. Click LDAP.
4. Configure the LDAP server settings.
5. Click OK.
After you finish: Configure the BlackBerry MDS Connection Service to retrieve the status of certificates for web servers.
Configure the BlackBerry MDS Connection Service to retrieve the status of certificates for web servers
1. In the BlackBerry® Manager, in the left pane, click a BlackBerry MDS Connection Service.
2. On the Connection Service tab, click Edit Properties.
3. Click OCSP.
4. Perform any of the following tasks:
Task: Configure the BlackBerry MDS Connection Service to accept OCSP servers (responders) that the BlackBerry device specifies.
Steps:
a. Click Use Device Responders.
b. In the drop-down list, click True.
Task: Configure the OCSP handler to use the OCSP responder extension in a certificate.
Steps:
a. If a certificate is present, click Use Certificate Extension Responders.
b. In the drop-down list, click True.
Task: Configure the default web address of the OCSP responder.
Steps:
a. Double-click Default Responder URL.
b. Type the web address of the OCSP responder.
Task: Configure the web address of the server that the CRL is located on.
Steps:
a. Double-click Default CRL Server URL.
b. Type the web address of the CRL server.
5. Click OK.
After you finish: Install retrieved certificates for web servers.
Add retrieved certificates for web servers
You can use the Java® keytool to add a certificate for a web server to the BlackBerry® MDS Connection Service key store. The certificate allows connections to the trusted web server.
1. Save the certificate from a secure web site to a .cer file.
2. On the computer that hosts the BlackBerry MDS Connection Service, copy the .cer file to <drive>:\Program Files\Java\<JRE version>\lib\security.
3. At a command prompt, navigate to <drive>:\Program Files\Java\<JRE version>\bin.
4. Type keytool -import -trustcacerts -alias <alias_name> -file <cert_filename> -keystore cacerts.
5. Type the key store password.
6. To add the certificate to the key store, at the prompt, type Yes.
After you finish: For more information about using the Java keytool, visit java.sun.com/javase/6/docs/technotes/tools/windows/keytool.html.
Configuring how the BlackBerry MDS Connection Service connects to BlackBerry devices
Specify the maximum amount of data that the BlackBerry MDS Connection Service can send to BlackBerry devices
1. In the BlackBerry® Manager, in the left pane, click a BlackBerry MDS Connection Service.
2. On the Connection Service tab, click Edit Properties.
3. In the left pane, click General.
4. Double-click Maximum KB/Connection.
5. Type a number, in KB.
6. Click OK.
Specify the pending content timeout limit for the BlackBerry MDS Connection Service
You can specify how long the BlackBerry® MDS Connection Service waits for acknowledgement from a BlackBerry device before it deletes pending content for that BlackBerry device.
1. In the BlackBerry Manager, in the left pane, click a BlackBerry MDS Connection Service.
2. On the Connection Service tab, click Edit Properties.
3. In the left pane, click General.
4. Double-click Flow Control Timeout.
5. Type a number, in milliseconds.
6. Click OK.
Allow Java applications to use persistent socket connections with the BlackBerry MDS Connection Service
Before you begin: Verify that your system memory supports persistent socket connections.
1. In the BlackBerry® Manager, in the left pane, click a BlackBerry MDS Connection Service.
2. On the Connection Service tab, click Edit Properties.
3. In the left pane, click General.
4. Click Use Persistent Socket.
5. In the drop-down list, click True.
6. Click OK.
Specify the thread pool size of the BlackBerry MDS Connection Service
You can specify the maximum number of threads that the BlackBerry® MDS Connection Service can process simultaneously.
Before you begin: Verify that your system memory can support the thread pool size that you want to specify.
1. In the BlackBerry Manager, in the left pane, click a BlackBerry MDS Connection Service.
2. On the Connection Service tab, click Edit Properties.
3. Click General.
4. Double-click Thread Pool Size.
5. Type a number between 100 and 1000.
6. Click OK.
Specify the maximum number of persistent socket connections
You can specify the maximum number of persistent socket connections that can be open simultaneously between BlackBerry® devices and the BlackBerry MDS Connection Service.
Before you begin: Verify that your system memory can support the number of persistent socket connections that you want to specify.
1. In the BlackBerry Manager, in the left pane, click a BlackBerry MDS Connection Service.
2. On the Connection Service tab, click Edit Properties.
3. Click General.
4. Double-click Maximum Simultaneous Persistent Sockets.
5. Type a number between 100 and 3500.
6. Click OK.
Specify the port number that the web server listens on for push application requests
You can specify the port number that the web server listens on for HTTP requests and HTTPS requests from server-side push applications. Change the default port parameters only if a port conflict exists with another service on the same computer.
1. In the BlackBerry® Manager, in the left pane, click a BlackBerry MDS Connection Service.
2. On the Connection Service tab, click Edit Properties.
3. Click General.
4. Perform one of the following actions:
• To specify the port for HTTP requests, double-click Web Server Listen Port. Type the port number.
• To specify the port for HTTPS requests, double-click Web Server SSL Listen Port. Type the port number.
5. Click OK.
After you finish:
Restart the BlackBerry MDS Connection Service.
Notify your organization's push application developers that you changed the port number that the web server listens on for push application requests.
Specify how often the BlackBerry MDS Connection Service polls for configuration information
You can specify how often the BlackBerry® MDS Connection Service polls the BlackBerry Configuration Database for changes to the BlackBerry MDS Connection Service and BlackBerry Collaboration Service administrative settings. The default interval is 5 minutes.
1. In the BlackBerry Manager, in the left pane, click a BlackBerry MDS Connection Service.
2. On the Connection Service tab, click Edit Properties.
3. Click General.
4. Double-click Admin Configuration Cycle Timer.
5. Type a number, in minutes.
6. Click OK.

10 Assigning BlackBerry devices to users

Preparing to distribute BlackBerry devices

Before you assign BlackBerry® devices to users, you can configure the BlackBerry® Enterprise Server to add messages that users previously sent and received on supported BlackBerry devices. You can add messages for new users and for users whose PINs change when they receive replacement BlackBerry devices.
When the BlackBerry Enterprise Server adds messages to a BlackBerry device, the BlackBerry Enterprise Server applies the message filter rules and redirection settings for the user account.
Change how the BlackBerry Enterprise Server loads users’ existing messages onto BlackBerry devices
By default, the BlackBerry® Enterprise Server loads the headers of 200 messages from the previous 5 days onto a user's BlackBerry device when it is activated. If you change the BlackBerry Enterprise Server settings to load the headers and body of messages onto a user's BlackBerry device when it is activated, the BlackBerry Enterprise Server can load up to 750 messages from the last 14 days for each user.
1. In the BlackBerry Manager, in the left pane, click a BlackBerry Enterprise Server.
2. On the Server Configuration tab, click Edit Properties.
3. Click Messaging.
4. To load the body and headers of messages onto BlackBerry devices, in the Send Headers Only drop-down list, click False.
5. To specify the number of previous days that you want to load messages for, in the Prepopulation By Message Age field, type a number.
6. To specify the maximum number of messages to load, in the Prepopulation By Message Count field, type a number.
7. Click OK.
Prevent the BlackBerry Enterprise Server from loading legacy messages onto new BlackBerry devices
1. In the BlackBerry® Manager, in the left pane, click a BlackBerry® Enterprise Server.
2. On the Server Configuration tab, click Edit Properties.
3. In the left pane, click Messaging.
4. In the Message Prepopulation section, perform the following actions:
• In the Prepopulation By Message Age field, type 0.
• In the Prepopulation By Message Count field, type 0.

Assigning BlackBerry devices to user accounts
When you assign a BlackBerry® device to a user account, you associate the BlackBerry device with that user’s email account. To assign BlackBerry devices to user accounts and activate the BlackBerry devices, you can use any of the following methods:
• using the BlackBerry Manager: You can activate BlackBerry devices before distributing them to users by connecting the BlackBerry devices to the computer that hosts the BlackBerry Manager.
• over the wireless network: New BlackBerry device users and users receiving replacement BlackBerry devices can activate their BlackBerry devices without requiring a physical connection to your organization's network.
• over the LAN: New BlackBerry device users and users receiving replacement BlackBerry devices can activate their BlackBerry devices by connecting the BlackBerry devices to a computer that has the BlackBerry® Desktop Manager installed.
If you added a user account that was located on another BlackBerry® Enterprise Server in a different BlackBerry Domain, or the user previously used the BlackBerry® Desktop Redirector, you must assign a BlackBerry device to that user account using the BlackBerry Manager.
Option 1: Activate a BlackBerry device using the BlackBerry Manager
1. Connect the BlackBerry® device to the computer that hosts the BlackBerry Manager.
2. In the BlackBerry Manager, in the left pane, click a BlackBerry® Enterprise Server.
3. On the Users tab, click the user account that you want to assign to the BlackBerry device.
4. Click Device Management.
5. Click Assign Handheld.
6. Click the BlackBerry device that you want to assign to the user account.
7. Click OK.
Option 2: Activating BlackBerry devices over the wireless network
To activate BlackBerry® devices over the wireless network, you assign activation passwords to user accounts. Users receive their activation passwords in email messages and associate their BlackBerry devices with their email accounts by typing the passwords on their BlackBerry devices.
Save bandwidth by synchronizing organizer data over the LAN
When BlackBerry® devices are activated over the wireless network, by default, the BlackBerry® Enterprise Server synchronizes the initial load of organizer data over the wireless network. To save bandwidth, you can set an IT policy to synchronize the initial load of organizer data through the BlackBerry Router and over your organization's LAN when users connect their BlackBerry devices to a computer that the BlackBerry® Device Manager is installed on.
1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click IT Policy.
4. In the IT Policy Administration section, double-click IT Policies.
5. In the list of policies, click Default.
6. Click Properties.
7. Click PIM Sync Policy Group.
8. Click the Disable Wireless Bulk Loads IT policy rule.
9. In the drop-down list, click True.
10. Click OK.
11. Instruct users to connect their BlackBerry devices to their computers and start the BlackBerry Device Manager.
Wireless activation
The wireless activation process activates BlackBerry® devices on the BlackBerry® Enterprise Server remotely. Neither you nor the users are required to connect the BlackBerry devices to a computer on your organization's network to complete the activation process.
You can use the wireless activation feature to activate a large number of BlackBerry devices remotely. When BlackBerry device users want to activate new or replacement BlackBerry devices on the BlackBerry Enterprise Server over the wireless network, they must notify you. You use the BlackBerry Manager to set the activation passwords, and communicate the passwords to the BlackBerry device users verbally.
The BlackBerry® Enterprise Solution can begin the wireless activation process automatically, or when BlackBerry device users open the activation application on their BlackBerry devices and type their activation passwords and email addresses. When the activation process completes successfully, the BlackBerry device users are activated on the BlackBerry Enterprise Server and can send email messages from and receive email messages on their BlackBerry devices.
Activation passwords
The BlackBerry® Enterprise Server activates a BlackBerry device over the wireless network using the activation authentication protocol and an activation password that is specific to the BlackBerry device user account.
• length of password: Typical activation passwords are four to eight characters long. Activation passwords are limited to the following character lengths:
  • BlackBerry device: 31 characters
  • BlackBerry Manager: 32 characters
  • KeyGenPassword field that stores the password in the BlackBerry Configuration Database: 50 characters
• character support: Activation passwords support all characters except accented characters.
• security: The wireless activation authentication protocol is designed so that short activation passwords do not compromise the security of the protocol.
  You must provide the activation passwords securely to authenticated users. If users received their passwords but have not activated their accounts on the BlackBerry Enterprise Server, users with malicious intent who can access the passwords will be able to connect their devices to the BlackBerry Enterprise Server and assume the identities of the intended users.
  When a BlackBerry device is activated successfully on the BlackBerry Enterprise Server, the activation password is inactive and cannot be reused to activate another BlackBerry device.
  If a user has received an activation password, you cannot generate a new activation password for the user until the active password expires.
• expiry time: A password is no longer valid if any of the following events occur:
  • the BlackBerry device is not activated successfully on the BlackBerry Enterprise Server after 48 hours
  • a user types the activation password unsuccessfully five consecutive times
  • the BlackBerry Enterprise Server activates a BlackBerry device successfully on the user account using the password
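The validity rules listed above, written out as a small state model that also reports which issued passwords are still usable by anyone who holds them. This is an added example, not BlackBerry Enterprise Server code; the class names, the accent check, and the sample accounts, passwords and timestamps are assumptions made for illustration.

```python
import hmac
import unicodedata
from datetime import datetime, timedelta

DEVICE_MAX_LEN = 31                 # tightest of the three length limits listed above
DEFAULT_TTL = timedelta(hours=48)   # expiry when the device is never activated
MAX_FAILED_ATTEMPTS = 5             # consecutive wrong entries that invalidate it


def validate_password(secret):
    """Reject passwords that the length and character rules rule out."""
    if not 1 <= len(secret) <= DEVICE_MAX_LEN:
        raise ValueError("password must be 1 to 31 characters long")
    for ch in secret:
        # Treated as accented when the canonical decomposition of the
        # character contains a combining mark (assumption of this model).
        if any(unicodedata.combining(c) for c in unicodedata.normalize("NFD", ch)):
            raise ValueError("accented characters are not supported")


class ActivationPassword:
    """One activation password and the three events that end its validity."""

    def __init__(self, secret, issued_at, ttl=DEFAULT_TTL):
        validate_password(secret)
        self._secret = secret.encode("utf-8")
        self.expires_at = issued_at + ttl
        self.failed_attempts = 0
        self.consumed = False

    def state(self, now):
        if self.consumed:
            return "consumed"
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return "locked_out"
        if now >= self.expires_at:
            return "expired"
        return "active"

    def attempt(self, candidate, now):
        """Return True only for the first correct entry while still active."""
        if self.state(now) != "active":
            return False
        if hmac.compare_digest(candidate.encode("utf-8"), self._secret):
            self.consumed = True          # cannot activate a second device
            return True
        self.failed_attempts += 1
        return False


class ActivationRegistry:
    """Hypothetical per-user store, standing in for the server-side record."""

    def __init__(self):
        self._by_user = {}

    def issue(self, user, secret, now, ttl=DEFAULT_TTL):
        current = self._by_user.get(user)
        if current is not None and current.state(now) == "active":
            # Per the guide: no new password until the active one expires.
            raise RuntimeError(f"{user} already has an active activation password")
        self._by_user[user] = ActivationPassword(secret, now, ttl)

    def attempt(self, user, candidate, now):
        record = self._by_user.get(user)
        return record is not None and record.attempt(candidate, now)

    def outstanding(self, now):
        """(user, time left) for each password that could still be used."""
        return sorted(
            (user, rec.expires_at - now)
            for user, rec in self._by_user.items()
            if rec.state(now) == "active"
        )


if __name__ == "__main__":
    t0 = datetime(2009, 1, 5, 9, 0)      # constructed timestamps and accounts
    reg = ActivationRegistry()
    reg.issue("alice@example.com", "k7Qm2x", t0)
    reg.issue("bob@example.com", "Tr4vel9", t0 + timedelta(hours=6))
    for user, left in reg.outstanding(t0 + timedelta(hours=24)):
        print(f"{user}: usable for another {left}")
```

The `outstanding` report is the part to watch in practice: every entry in it is a password that has been handed out and not yet used, which is the exposure the security row describes.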
Customize the activation password
You can customize the character length of the activation password and the type of activation password that you send to users in a BlackBerry® Domain. For example, for the BlackBerry® 7100 Series, you can assign the 7100 Friendly password type to require users to press only one key at a time.
1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click General.
4. To change the activation password length, double-click Auto-generated password length. Type a character length.
5. To change the activation password type, in the Auto-generated password type drop-down list, click a password type.
6. Click OK.
Customize the activation message
To provide troubleshooting information or to make sure that the activation message conforms to your organization's messaging policies, you can customize the default activation message that users receive in the email applications on their computers.
1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click General.
4. In the Administration section, double-click Custom Activation Email Message.
5. Type the parameters, subject, and message.
6. Click OK.
Send an activation password to a user
1. In the BlackBerry® Manager, in the left pane, click a BlackBerry® Enterprise Server.
2. On the Users tab, click a user account.
3. Click Service Access.
4. Click Set Activation Password.
5. Type an activation password.
6. Retype the password to confirm it.
7. Type the PIN of the BlackBerry device for the user.
8. In the Password Expires in drop-down list, click an expiration time.
9. Notify the user of the new password manually, or click Generate and Email Activation Password to send the password to the user automatically.
10. Click OK.
Send an activation password to a group of users
1. In the BlackBerry® Manager, in the left pane, click User Groups.
2. On the User Groups List tab, click a group.
3. Click Service Access.
4. Click Generate and Email Activation Password.
5. Click OK.
Option 3: Activating BlackBerry devices over the LAN
Users can activate their BlackBerry® devices by connecting them to computers that the BlackBerry® Desktop Manager is installed on. During the activation process, the BlackBerry Desktop Manager prompts users to associate their BlackBerry devices with their respective work email accounts and generate encryption keys.
When users complete the activation process, the BlackBerry® Enterprise Server adds messages and organizer data to the BlackBerry devices through the BlackBerry Router. If a connection to the BlackBerry Router is interrupted, the data transfer continues over the wireless network.

11 Managing administrator accounts

Assign a BlackBerry Enterprise Server administrator to a different administrative role

As organizational changes occur, you might need to move an administrator to a different administrative role.
1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Role Administration tab, click the role that the administrator is assigned to.
3. Click List Administrators.
4. Remove the administrator from the list.
5. Click the role that you want to assign the administrator to.
6. Click the administrator.
7. Click OK.
The database permissions change immediately.
After you finish: Instruct the administrator to restart the BlackBerry Manager.

Delete an administrator account from a BlackBerry Enterprise Server

1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Role Administration tab, click the role that the administrator is assigned to.
3. Click Remove Administrators.
4. In the drop-down list, click the administrator.
5. Click OK.
After you finish: Optionally, you can delete the database account associated with that administrator from the database.

12 Controlling the BlackBerry environment

Controlling BlackBerry device access to the BlackBerry Enterprise Server

You can turn on the Enterprise Service Policy to control which BlackBerry® devices can connect to the BlackBerry® Enterprise Server. After you turn on the Enterprise Service Policy, by default, the BlackBerry Enterprise Server prevents connections from new BlackBerry devices that you associate with it; however, it allows connections from BlackBerry devices that are already activated on the BlackBerry Enterprise Server. The Enterprise Service Policy also applies to devices with BlackBerry® Connect™ software, devices with BlackBerry® Built-In™ software, and devices that are running the BlackBerry® Application Suite.
You can use the Enterprise Service Policy to create allowed lists that control which BlackBerry devices users can activate on a BlackBerry Enterprise Server, over the wireless network, or over a serial connection. BlackBerry devices that meet the allowed list criteria can complete the activation process on that BlackBerry Enterprise Server.
You can define the following types of criteria:
• specific, allowed BlackBerry device PINs as a string
• allowed range of BlackBerry device PINs
You can also control access to the BlackBerry Enterprise Server based on specific manufacturers and models of BlackBerry devices. The BlackBerry Manager includes lists of allowed manufacturers and models based on the properties of the BlackBerry devices that are associated with the BlackBerry Enterprise Server. You can clear items in these lists to prevent further connections by BlackBerry devices of a specific manufacturer or model.
You can allow a specific user to override the Enterprise Service Policy so that the user can still connect to the BlackBerry Enterprise Server even if that user's BlackBerry device or BlackBerry enabled device meets criteria that you exclude from the allowed list.
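The access rules described above, combined into one decision function and run over a device inventory as a check before the policy is turned on. This is an added example, not the BlackBerry Enterprise Server's own logic: the data structures, the 8-hexadecimal-digit PIN format, the order in which the checks are combined, and all PINs, manufacturers and models in the inventory are assumptions made for illustration.

```python
from dataclasses import dataclass, field

HEX_DIGITS = set("0123456789ABCDEF")


def parse_pin(pin):
    """Convert a PIN to an integer; assumes 8 hexadecimal digits."""
    text = pin.strip().upper()
    if len(text) != 8 or not set(text) <= HEX_DIGITS:
        raise ValueError(f"not an 8-digit hexadecimal PIN: {pin!r}")
    return int(text, 16)


@dataclass
class ServicePolicy:
    """Hypothetical in-memory form of the allowed-list criteria."""
    allowed_pins: set = field(default_factory=set)      # specific PINs
    allowed_ranges: list = field(default_factory=list)  # inclusive (low, high) pairs
    cleared_models: set = field(default_factory=set)    # (manufacturer, model) cleared in the lists

    def allow_pin(self, pin):
        self.allowed_pins.add(parse_pin(pin))

    def allow_range(self, low, high):
        lo, hi = parse_pin(low), parse_pin(high)
        if lo > hi:
            raise ValueError(f"inverted PIN range: {low}-{high}")
        self.allowed_ranges.append((lo, hi))

    def clear_model(self, manufacturer, model):
        self.cleared_models.add((manufacturer.lower(), model.lower()))


@dataclass(frozen=True)
class Device:
    pin: str
    manufacturer: str
    model: str
    already_activated: bool = False
    user_override: bool = False   # ES Policy Override set to True for the user


def decide(policy, device):
    """Return (allowed, reason). The order of the checks is an assumption."""
    if device.user_override:
        return True, "user override"
    if (device.manufacturer.lower(), device.model.lower()) in policy.cleared_models:
        return False, "manufacturer or model cleared"
    if device.already_activated:
        return True, "already activated"
    pin = parse_pin(device.pin)
    if pin in policy.allowed_pins:
        return True, "PIN listed"
    if any(lo <= pin <= hi for lo, hi in policy.allowed_ranges):
        return True, "PIN in allowed range"
    return False, "new device not on allowed list"


def preflight(policy, inventory):
    """List the devices the policy would refuse, for review before enabling it."""
    report = []
    for device in inventory:
        allowed, reason = decide(policy, device)
        if not allowed:
            report.append((device.pin.upper(), reason))
    return report


# Constructed policy and inventory: every value below is made up for the example.
POLICY = ServicePolicy()
POLICY.allow_pin("2100000A")
POLICY.allow_range("20FF0000", "20FFFFFF")
POLICY.clear_model("VendorB", "M-200")

INVENTORY = [
    Device("2100000a", "VendorA", "M-100"),                          # listed PIN
    Device("20FF12AB", "VendorA", "M-110"),                          # inside the range
    Device("30000001", "VendorA", "M-120"),                          # new, not listed
    Device("30000002", "VendorA", "M-130", already_activated=True),  # activated earlier
    Device("20FF0001", "VendorB", "M-200"),                          # cleared model
    Device("30000003", "VendorB", "M-200", user_override=True),      # per-user override
]

if __name__ == "__main__":
    for pin, reason in preflight(POLICY, INVENTORY):
        print(pin, reason)
```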
Turn on the Enterprise Service Policy
1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. In the right pane, click Service Control & Customization.
3. Click Enable Enterprise Service Policy.
4. Click OK.
5. On the Global tab, click Edit Properties.
6. Click Enterprise Service Policy.
7. Configure the necessary properties.
8. Click OK.
Permit a user to override the Enterprise Service Policy
1. In the BlackBerry® Manager, in the left pane, click a BlackBerry® Enterprise Server.
2. On the Users tab, click a user account.
3. Click Edit Properties.
4. Click ES Policy Override.
5. In the drop-down list, click True.
6. Click OK.
Controlling BlackBerry device behavior using IT policies
You can use one or more IT policies to control the behavior of BlackBerry® devices and the BlackBerry® Desktop Software in your organization. The Default IT policy includes all standard IT policy rules on the BlackBerry® Enterprise Server. After new users in a BlackBerry Domain activate their BlackBerry devices on the BlackBerry Enterprise Server, the BlackBerry Enterprise Server automatically pushes the Default IT policy to their BlackBerry devices.
The default settings for IT policy rules reflect the default behavior of BlackBerry devices or the BlackBerry Desktop Software. You can use IT policy rules to change the behavior of supported BlackBerry device types. For more information, see the Policy Reference Guide.
You can customize and control the behavior of BlackBerry devices and the BlackBerry Desktop Software by performing the following actions:
• changing an IT policy rule to a True or False value
• typing a string, which simultaneously turns on an IT policy rule and provides the parameters for its use
• selecting a predefined, permitted value to assign to an IT policy rule
Create an IT policy
1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click IT Policy.
4. In the IT Policy Administration section, double-click IT Policies.
5. Click New.
6. Double-click IT Policy Name.
7. Type a name for the new IT policy.
8. Configure the IT policy rules by performing the following actions:
• In the left pane, click a policy group.
• In the right pane, double-click the IT policy rule.
• Specify a value for the IT policy rule.
9. Click OK.
Create an IT policy based on an existing IT policy
1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click IT Policy.
4. In the IT Policy Administration section, double-click IT Policies.
5. Click an IT policy.
6. Click New Copy.
7. Type a name for the new IT policy.
8. Configure the IT policy rules by performing the following actions:
• In the left pane, click a policy group.
• In the right pane, double-click the IT policy rule.
• Specify a value for the IT policy rule.
9. Click OK.
Import an IT policy
1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, expand Service Control & Customization.
3. Click Import IT Policy Definitions.
4. Click an .xml file that contains IT policy rule definitions.
5. Click Open.
6. Click OK.
Assign an IT policy to a group of users
1. In the BlackBerry® Manager, in the left pane, click User Groups List.
2. In the Group Name list, click a group.
3. Click Edit Group Template.
4. Click IT Policy.
5. To override any user exceptions to the IT policy rules, in the right pane, select the IT Policy Name option.
6. In the drop-down list, click an IT policy.
7. Click Reapply Template.
8. Click Yes.
9. Click OK.
Assign an IT policy to a user account
1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click IT Policy.
4. In the IT Policy Administration section, double-click IT Policy to User Mapping.
5. In the left pane, click a user account.
6. In the right pane, click the IT policy that you want to assign.
7. Click OK.
Enforcing IT policy changes over the wireless network
You can use wireless IT policy to immediately enforce IT policy rule additions, deletions, or changes on C++ based BlackBerry® devices that are running BlackBerry® Device Software version 2.5 or later and on Java® based BlackBerry devices that are running BlackBerry Device Software version 3.6 or later. When a BlackBerry device receives an updated IT policy or a new IT policy, the BlackBerry device and the BlackBerry® Desktop Software apply the configuration changes.
The BlackBerry® Enterprise Server must resend the IT policy to the BlackBerry device to update the behavior of the BlackBerry device and the BlackBerry Desktop Software over the wireless network. By default, the BlackBerry Enterprise Server is designed to resend the IT policy to the BlackBerry devices of users that are assigned to that IT policy within a short period of time after you update the IT policy.
You can also resend an IT policy to a specific BlackBerry device user manually. You can configure the BlackBerry Enterprise Server to resend IT policies to BlackBerry devices on that specific BlackBerry Enterprise Server at a scheduled interval regardless of whether you have changed the IT policies. When the BlackBerry device receives an updated IT policy or a new IT policy, the BlackBerry device and the BlackBerry Desktop Software apply the configuration changes.
Resend an IT policy to a BlackBerry device manually
1. In the BlackBerry® Manager, in the left pane, click a BlackBerry® Enterprise Server.
2. On the Users tab, click a user account.
3. Click IT Admin.
4. Click Resend IT Policy.
Resend an IT policy to a BlackBerry device automatically
1. In the BlackBerry® Manager, in the left pane, click a BlackBerry® Enterprise Server.
2. On the Server Configuration tab, click Edit Properties.
3. In the IT Admin section, double-click Policy Resend Interval.
4. Type the interval, in hours, at which you want the BlackBerry Enterprise Server to resend the IT policy.
5. Click OK.
Deactivating BlackBerry devices without applied IT policies
To prevent BlackBerry® devices that do not have an IT policy applied successfully from remaining active on a BlackBerry® Enterprise Server, you can set the Disable Users With Unapplied IT Policy field to True. The Disable User Time Limit field specifies the amount of time (in hours) that a BlackBerry device can be active on a BlackBerry Enterprise Server without having an IT policy applied on that device.
If you set the Disable Users With Unapplied IT Policy field, by default, the BlackBerry Enterprise Server sends the IT policy to the BlackBerry device every 30 minutes until the device applies the IT policy successfully or the time limit expires. If the time limit expires, the BlackBerry Enterprise Server deactivates the PIN for the BlackBerry device user. The allowed range for this setting is 0 hours (to deactivate BlackBerry devices in a failed IT policy state automatically) through 8760 hours.
Deactivate BlackBerry devices without applied IT policies
Before you begin: Activate the BlackBerry® devices on the BlackBerry® Enterprise Server.
1. In the BlackBerry Manager, in the left pane, click a BlackBerry Enterprise Server.
2. On the Server Configuration tab, click Edit Properties.
3. In the left pane, click IT Admin.
4. Click Disable Users With Unapplied IT Policy.
5. In the drop-down list, click True.
6. In the Disable User Time Limit field, type the time limit (in hours) after which the PINs for BlackBerry devices that do not have an IT policy applied are deactivated on the BlackBerry Enterprise Server.
7. Click Apply.
8. Click OK.
After you finish: Before reactivating the BlackBerry devices on the BlackBerry Enterprise Server, instruct users to click Wipe Device in the Security Options on their BlackBerry devices to delete all data on their BlackBerry devices.
Changing the default behavior of the BlackBerry devices and BlackBerry Desktop Software in your organization
To change the default behavior of the BlackBerry® devices and BlackBerry® Desktop Software in your organization, you can set the values of IT policy rules in the Default IT policy, or you can create a new IT policy, set its IT policy rule values, and assign one or more user accounts or user groups to the new IT policy.
You can change the assigned value of a standard IT policy rule in an IT policy. You cannot add, delete, or change the permitted values for a standard IT policy rule. You also cannot delete the standard IT policy rules. You can add a new IT policy rule to an IT policy, delete a new IT policy rule from an IT policy, or change the assigned value of a new IT policy rule in an IT policy.
Some IT policy rules have a corresponding user-accessible field on BlackBerry devices. When you set an IT policy rule to a True or False value, you prevent a user from selecting another value for a corresponding field on the BlackBerry device. When you set an IT policy rule by typing a string that simultaneously turns on the IT policy rule and provides the parameters for its use, the user cannot change the value of a corresponding field on the BlackBerry device. When you select a predefined, permitted value to assign to an IT policy rule, you restrict the values that the user can set for a corresponding field on the BlackBerry device. When an IT policy rule allows a numeric range, you can select any numerical value within the permitted range.
A lock icon next to a field on the BlackBerry device indicates that the IT policy controls the setting and the user cannot change it.
Change the setting for an IT policy rule
1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click IT Policy.
4. In the IT Policy Administration section, double-click IT Policies.
5. In the list of policies, click an IT policy.
6. Click Properties.
7. Configure the IT policy rules by performing the following actions:
• In the left pane, click a policy group.
• In the right pane, click an IT policy rule.
• Specify a value for the IT policy rule.
8. Click OK.
Returning to the original default behavior of BlackBerry devices and the BlackBerry Desktop Software
To return to the original default behavior of a feature on BlackBerry® devices or in the BlackBerry® Desktop Software, you can set the IT policy rule that controls that feature to Default, if that setting is available, or delete the value that you previously set.
If you assign users to a new IT policy, you can delete that IT policy to return those users to the default behavior for all features on the BlackBerry devices and in the BlackBerry Desktop Software. The BlackBerry® Enterprise Server automatically reassigns the users to the Default IT policy and resends the Default IT policy to the BlackBerry devices, enforcing the default settings. You cannot delete the Default IT policy.
Delete an IT policy
1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click IT Policy.
4. In the IT Policy Administration section, double-click IT Policies.
5. Click the IT policy that you want to delete.
6. Click Remove.
7. Click OK.
Creating new IT policy rules to control third-party applications
You can create new IT policy rules to control the applications that your organization creates for BlackBerry® devices that are running in your enterprise environment. After you create a new IT policy rule, you can add it to a new or existing IT policy and assign a value to it. Only applications that your organization creates can use the new IT policy rule. You cannot create new IT policy rules to control standard BlackBerry device applications and features.
Create an IT policy rule for a third-party application
1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click IT Policy.
4. In the IT Policy Administration section, double-click IT Policies.
5. Click the IT policy.
6. Click Properties.
7. In the Properties list, click User Defined Items.
8. Double-click IT Policy Template.
9. Click New.
10. Type a name and description for the IT policy rule.
11. In the drop-down list, click the type of values that the IT policy rule uses.
12. In the drop-down list, click the location where the IT policy rule is enforced.
13. Type the minimum and maximum values that an integer IT policy rule can accept.
14. Type the data that a bitmask IT policy rule can accept. Include up to eight related Boolean values. You can assign a bit option name for one, some, or all of the 8-bit values. For example, you might create a bitmask IT policy rule called Allowed Features with three Boolean bit values, where bit 0 is named Phone, bit 1 is named Browser, and bit 2 is named Third-Party Apps.
15. Click OK.
16. In the Policy Item Settings section, provide a value for the IT policy rule in this IT policy.
17. Click OK.
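How the bitmask rule in step 14 maps named options to one 8-bit value, and how an application your organization writes might read it back. This is an added example, not a BlackBerry API: the `BitmaskRule` helper is hypothetical, and rejecting values that set unnamed bits and failing closed on malformed values are choices made for this example.

```python
class BitmaskRule:
    """An 8-bit IT policy rule with an optional name for each bit (hypothetical helper)."""

    WIDTH = 8

    def __init__(self, name, bit_names):
        # bit_names maps a bit position (0-7) to an option name.
        # Bits may be left unnamed, as the guide allows.
        for bit in bit_names:
            if not isinstance(bit, int) or not 0 <= bit < self.WIDTH:
                raise ValueError(f"bit position out of range: {bit!r}")
        if len(set(bit_names.values())) != len(bit_names):
            raise ValueError("bit option names must be unique")
        self.name = name
        self._bit_of = {label: bit for bit, label in bit_names.items()}
        self._named_mask = sum(1 << bit for bit in bit_names)

    def encode(self, enabled):
        """Build the integer value from the option names to switch on."""
        value = 0
        for label in enabled:
            if label not in self._bit_of:
                raise KeyError(f"{label!r} is not an option of {self.name}")
            value |= 1 << self._bit_of[label]
        return value

    def decode(self, value):
        """Return {option name: bool}; reject anything that is not a clean value."""
        if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 0xFF:
            raise ValueError("value must be an integer from 0 to 255")
        if value & ~self._named_mask:
            raise ValueError("value sets bits that have no option name")
        by_position = sorted(self._bit_of.items(), key=lambda item: item[1])
        return {label: bool((value >> bit) & 1) for label, bit in by_position}

    def is_allowed(self, value, label):
        """Fail closed: a malformed value or unknown option means 'not allowed'."""
        try:
            return self.decode(value)[label]
        except (KeyError, ValueError):
            return False


# The rule from the guide's example: bit 0 Phone, bit 1 Browser, bit 2 Third-Party Apps.
ALLOWED_FEATURES = BitmaskRule(
    "Allowed Features",
    {0: "Phone", 1: "Browser", 2: "Third-Party Apps"},
)

if __name__ == "__main__":
    value = ALLOWED_FEATURES.encode({"Phone", "Third-Party Apps"})
    print(value, ALLOWED_FEATURES.decode(value))
```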
Change or delete IT policy rules for third-party applications
1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click IT Policy.
4. In the IT Policy Administration section, double-click IT Policies.
5. Click Default.
6. Click Properties.
7. In the Properties list, click User Defined Items.
8. Double-click IT Policy Template.
9. Click an IT policy rule.
10. Perform one of the following actions:
• To change an IT policy rule, click Properties. Change the necessary values.
• To delete an IT policy rule, click Remove.

13 Managing user accounts

Managing user groups

You can specify exceptions to user group properties by changing the properties for a single user account after you add that user account to the user group. If you change and reapply the user group properties, the updated group properties override any previous exceptions in the properties of user accounts.
If you move a user account out of a user group, the user account remains in the global users list, but it does not appear in the user group lists.
Change the properties of a user group
After you create a user group, specify the properties that you want to apply to all user accounts in the group. When you add user accounts to a group, you assign the group properties to the user accounts automatically. You can copy properties from one group to another. When you apply configuration properties to a group, or perform administrative tasks on a group, these settings apply to all user accounts in the group.
1. In the BlackBerry® Manager, in the left pane, click User Groups.
2. On the User Groups List tab, click a group.
3. Click Edit Group Template.
4. Change settings for the properties.
5. Click Apply.
6. Select the check boxes beside the properties that you want to update for all users in the group.
7. Click Reapply Template.
8. Click Yes.
9. Click OK.
Rename a user group
1. In the BlackBerry® Manager, in the left pane, click User Groups.
2. On the User Groups List tab, click a group.
3. In the lower pane, click Group Admin.
4. Click Modify Group Definition.
5. In the Group Name field, type a new name.
6. Click OK.
Delete a user group
1. In the BlackBerry® Manager, in the left pane, click User Groups.
2. On the User Groups List tab, click a group.
3. In the lower pane, click Group Admin.
4. Click Delete Group.
5. Click Yes.
Managing user accounts
You can move user accounts between user groups, or from one BlackBerry® Enterprise Server to another in the BlackBerry Domain. If you move a user account from one BlackBerry Enterprise Server to another, the destination BlackBerry Enterprise Server sends new service books to the user's BlackBerry device over the wireless network.
If you move a user mailbox or change its display name on the messaging server, the BlackBerry Enterprise Server is designed to update the user account within 15 minutes. If you move a hidden mailbox that does not appear in the GAL, you must update the user account manually on the BlackBerry Enterprise Server.
When you delete a user account from the BlackBerry Enterprise Server, you can retain the user's BlackBerry Enterprise Server information in the user mailbox. When you retain the information, you can add the user account again or the user can continue to use the BlackBerry device as a BlackBerry® Desktop Redirector user. When you add a user account that you retained the BlackBerry Enterprise Server information for, the user can continue to use the BlackBerry device with the same settings that the user account had before you deleted it.
Move a user account to a different user group
1. In the BlackBerry® Manager, in the left pane, click a BlackBerry® Enterprise Server.
2. On the Users tab, click a user account.
3. In the lower pane, click Account.
4. Click Assign To Group.
5. Click the group that you want to move the user account to.
6. Click OK.
Move a user account out of a user group
1. In the BlackBerry® Manager, in the left pane, click a BlackBerry® Enterprise Server.
2. On the Users tab, click a user account.
3. In the lower pane, click Account.
4. Click Remove From Group.
5. Click Yes.
Move a user account from one BlackBerry Enterprise Server to another
1. In the BlackBerry® Manager, in the left pane, click a BlackBerry® Enterprise Server.
2. On the Users tab, click a user account.
3. In the lower pane, click Account.
4. Click Move User.
5. Click the destination BlackBerry Enterprise Server.
6. Click OK.
Delete a user account from the BlackBerry Enterprise Server
1. In the BlackBerry® Manager, in the left pane, click a BlackBerry® Enterprise Server.
2. On the Users tab, click a user account.
3. In the lower pane, click Account.
4. Click Delete User.
5. Click Yes.
6. Perform one of the following actions:
• To retain the BlackBerry Enterprise Server information in the user’s mailbox, click No.
• To delete the BlackBerry Enterprise Server information from the user’s mailbox, click Yes.
Update a user account manually
1. In the BlackBerry® Manager, in the left pane, click a BlackBerry® Enterprise Server.
2. On the Users tab, click a user account.
3. In the lower pane, click Account.
4. Click Reload User.
5. Click OK.

14 Protecting and reassigning BlackBerry devices

Protecting lost, stolen, or replaced BlackBerry devices

You can use IT administration commands to immediately protect your organization's confidential data on BlackBerry® devices over the wireless network.
• Set a Password and Lock Handheld: This command creates a new password and locks a lost BlackBerry device remotely. You can communicate the new password to the user when the user locates the BlackBerry device. When the user unlocks the BlackBerry device, the BlackBerry device prompts the user to accept or reject the password change.
• Erase Data and Disable Handheld: This command remotely erases all user information and application data that a BlackBerry device stores. You can use this command to prepare a BlackBerry device for transfer between users in your organization or to protect a stolen BlackBerry device.
Protect a lost BlackBerry device
If a user misplaces a BlackBerry® device or a BlackBerry device is stolen, you can protect the data on the BlackBerry device by locking the BlackBerry device or making it unavailable.
1. In the BlackBerry Manager, in the left pane, click a BlackBerry® Enterprise Server.
2. On the Users tab, click a user account.
3. Click IT Admin.
4. Click Set Password and Lock Handheld.
5. In the New Password field and the New Password Again field, type a password that is between 4 and 14 characters long.
CAUTION: Do not use special characters. Some BlackBerry devices do not support special characters in passwords. Those BlackBerry devices do not unlock when the user types a password that uses special characters.
6. Click OK.

Protect a lost BlackBerry device that a user might recover
If a BlackBerry® device is lost but the user might recover it, you can protect the BlackBerry device by scheduling it to start deleting all user information and application data and become unavailable after a period of time that you specify. You can also specify whether the user can cancel the scheduled command if the user recovers the BlackBerry device.
1. In the BlackBerry Manager, in the left pane, click a BlackBerry® Enterprise Server.
2. On the Users tab, click a user account.
3. Click IT Admin.
4. Click Erase Data and Disable Handheld.
5. Click Yes.
6. Type the number of hours that you want to pass before the BlackBerry device starts deleting user information and application data.
7. To allow the user to cancel the scheduled command on the BlackBerry device if the user recovers it, select the check box.
8. Click OK.
Protect a stolen BlackBerry device
1. In the BlackBerry Manager, in the left pane, click a BlackBerry® Enterprise Server.
2. On the Users tab, click a user account.
3. Click IT Admin.
4. Click Erase Data and Disable Handheld.
5. Click Yes.
After you finish: You must contact your service provider to turn off service for a BlackBerry® device after you send the Erase Data and Disable Handheld command to the BlackBerry device and verify that the BlackBerry device received the command.
Reissuing BlackBerry devices to new users
When you reissue a BlackBerry® device to a new user, you have the following options:
• prepare the BlackBerry device for redistribution by deleting the previous user’s application data from the BlackBerry device and installing applications on or removing applications from the BlackBerry device
• prepare the BlackBerry device for redistribution by deleting all applications and data from the BlackBerry device to return the BlackBerry device to its default application configuration
• turn off message prepopulation for the new user before redistributing the BlackBerry device if the new user used the BlackBerry® Desktop Manager to back up messages that the previous BlackBerry device received
• register the new PIN for message forwarding by activating the new BlackBerry device after the user receives it
Preparing a BlackBerry device for redistribution
Before you reissue a BlackBerry® device to a new user, delete application data from the BlackBerry device, and then replace the applications on the BlackBerry device.
1. Choose a method to delete the previous user’s application data from the BlackBerry device and make the BlackBerry device unavailable to that user before assigning the BlackBerry device to a new user.
Task: Delete the previous user’s application data.
Steps:
a. Connect the BlackBerry device to the computer on which the BlackBerry Manager is installed.
b. In the BlackBerry Manager, in the left pane, click Local Ports (Device Management).
c. In the Connection list, click a connection.
d. Click Wipe Handheld File System.
e. Click Yes.
f. If prompted, type the BlackBerry device password to complete the task.
Task: Delete all applications and data from the BlackBerry device.
Steps:
a. Connect the BlackBerry device to the computer on which the BlackBerry Manager is installed.
b. In the BlackBerry Manager, in the left pane, click Local Ports (Device Management).
c. In the Connection list, click a connection.
d. Click Nuke Handheld.
e. Click Yes.
2. Replace the applications on the BlackBerry device.
a. Connect the BlackBerry device to the computer on which the BlackBerry Manager is installed.
b. In the BlackBerry Manager, in the left pane, click Local Ports (Device Management).
c. In the Connection list, click a connection.
d. Click Load Device (Interactive).
e. Click a software configuration.
f. Click OK.
g. In the Device Software Configuration Screen, clear the check boxes beside the applications to remove, and select the check boxes beside the applications to install.
h. Complete the application loader wizard.

15 Managing wireless applications

Managing applications on BlackBerry devices

Upgrade an application on a BlackBerry device over the wireless network
You can upgrade a BlackBerry® Java Application, the collaboration client, and the BlackBerry® MDS Runtime on BlackBerry devices over the wireless network. The BlackBerry® Enterprise Server might take up to 4 hours to upgrade an application on a BlackBerry device.
1. In the network drive, add or upgrade the application.
2. Re-index the application.
If the application control policy for an application has a Disposition set to Required, the application upgrade is automatically sent over the wireless network.
Related topics
Making BlackBerry Device Software and Java applications available to users
Create or update a software index for applications on a network drive
Remove applications from BlackBerry devices over the wireless network
You can remove a BlackBerry® Java Application, the collaboration client, and the BlackBerry® MDS Runtime from BlackBerry devices over the wireless network. The BlackBerry® Enterprise Server might take up to 4 hours to remove an application from a BlackBerry device.
1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. On the Software Configurations tab, click Manage Application Policies.
3. Double-click an application control policy.
4. In the Disposition drop-down list, click Disallowed.
5. Click OK.
Change an application control policy
1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Software Configurations tab, click Manage Application Policies.
3. Click the application control policy that you want to change.
4. Click Properties.
5. Change the properties of the application control policy.
6. Click OK.

Managing software configurations
Delete a software configuration from a user account
1. In the BlackBerry® Manager, click a BlackBerry® Enterprise Server.
2. In the Users list, click the user account that you want to delete the software configuration from.
3. Click Device Management.
4. Click Assign Software Configuration.
5. Click <none>.
6. Click OK.
Create a software configuration based on an existing software configuration
1. In the BlackBerry® Manager, click BlackBerry Domain.
2. On the Software Configurations tab, click a software configuration.
3. Click Copy Configuration.
4. Double-click the copied software configuration.
5. In the Configuration Name field, rename the software configuration.
6. Specify the software configuration properties you want.
7. Click OK.