BlackBerry SWD-20120924140022907 User Manual

BlackBerry Enterprise Server for Microsoft Exchange
Version: 5.0
Service Pack: 3
Administration Guide
Published: 2012-09-24
SWD-20120924140022907
Contents
Document revision history ................................................................................................................................................ 21
Getting started in your BlackBerry Enterprise Server environment ..................................................................................... 22
There is a problem with this website's security certificate .................................................................................................. 26
This connection is untrusted ............................................................................................................................................. 27
Administrative roles and permissions ................................................................................................................................ 29
Preconfigured administrative roles ............................................................................................................................. 29
Creating roles ................................................................................................................................................................... 34
Create a role .............................................................................................................................................................. 34
Create a role based on an existing role ........................................................................................................................ 35
Create an administrator account ....................................................................................................................................... 35
Add an administrator account to a group .......................................................................................................................... 36
Specify an email address for the BlackBerry Administration Service .................................................................................. 37
Permit an administrator to log in to the BlackBerry Administration Service using a messaging server account .................... 37
Assign a BlackBerry device to an administrator account .................................................................................................... 38
4 Using an IT policy to manage BlackBerry Enterprise Solution security ............................................ 39
Using IT policy rules to manage BlackBerry Enterprise Solution security ............................................................................ 39
Preconfigured IT policies .................................................................................................................................................. 40
Default values for preconfigured IT policies ................................................................................................................ 41
Creating and importing IT policies ..................................................................................................................................... 44
Create an IT policy ..................................................................................................................................................... 44
Create an IT policy based on an existing IT policy ........................................................................................................ 45
Import IT policy data .................................................................................................................................................. 45
Import IT policy rules from an IT policy pack ............................................................................................................... 46
Change the value for an IT policy rule ................................................................................................................................ 46
Assign an IT policy to a group ............................................................................................................................................ 47
Assign an IT policy to a user account ................................................................................................................................. 47
Sending an IT policy over the wireless network .................................................................................................................. 48
Resend an IT policy to a BlackBerry device manually .................................................................................................. 48
Resend an IT policy to a BlackBerry device automatically ........................................................................................... 48
Assigning IT policies and resolving IT policy conflicts ......................................................................................................... 49
Option 1: Applying one IT policy to each user account ................................................................................................ 50
Option 2: Applying multiple IT policies to each user account ....................................................................................... 51
View the resolved IT policy rules that are assigned to a user account ........................................................................... 54
Deactivating BlackBerry devices that do not have IT policies applied ................................................................................. 54
Deactivate BlackBerry devices that do not have IT policies applied ............................................................................. 55
Creating new IT policy rules to control third-party applications ........................................................................................... 55
Create an IT policy rule for a third-party application .................................................................................................... 55
Change or delete IT policy rules for third-party applications ........................................................................................ 56
Export all IT policy data to a data file ................................................................................................................................. 56
Delete an IT policy ............................................................................................................................................................ 57
Encrypting data that the BlackBerry Enterprise Server and a BlackBerry device send to each other ................................... 58
Algorithms that the BlackBerry Enterprise Solution uses to encrypt data ..................................................................... 58
Change the symmetric key encryption algorithm that the BlackBerry Enterprise Solution uses .................................... 59
Managing device access to the BlackBerry Enterprise Server ............................................................................................ 59
Turn on the Enterprise Service Policy ......................................................................................................................... 60
Configure the Enterprise Service Policy ...................................................................................................................... 60
Permit a user to override the Enterprise Service Policy ................................................................................................ 61
Extending messaging security to a BlackBerry device ........................................................................................................ 61
Extending messaging security using PGP encryption .................................................................................................. 61
Extending messaging security using S/MIME encryption ............................................................................................. 62
Enforcing secure messaging using classifications .............................................................................................................. 65
Create a message classification ................................................................................................................................. 65
Create a message classification based on an existing message classification .............................................................. 66
Order message classifications .................................................................................................................................... 66
Delete a message classification .................................................................................................................................. 67
Generating organization-specific encryption keys for PIN-message encryption .................................................................. 67
Generate a PIN encryption key ................................................................................................................................... 67
Turn off BlackBerry services that the BlackBerry MDS Connection Service, BlackBerry Collaboration Service, and BlackBerry MVS provide ........................ 68
When a BlackBerry device overwrites data in the BlackBerry device memory ..................................................................... 68
Changing when a BlackBerry device cleans the BlackBerry device memory ................................................................ 69
Best practice: Configuring additional memory cleaner settings for BlackBerry devices ................................................ 70
6 Configuring the BlackBerry Enterprise Server environment ............................................................ 71
Best practice: Running the BlackBerry Enterprise Server .................................................................................................. 71
Configuring certain BlackBerry Enterprise Server components to use proxy servers ........................................................... 72
Configure a BlackBerry Enterprise Server component to use a .pac file ....................................................................... 72
Configure a BlackBerry Enterprise Server component to use a proxy server ................................................................. 73
Configure a BlackBerry Enterprise Server component to authenticate to a proxy server on behalf of BlackBerry devices ........................ 74
Configuring the BlackBerry Administration Service to use a proxy server ............................................................................ 74
Configuring proxy selection for the BlackBerry Administration Service ........................................................................ 75
Configuring the BlackBerry Administration Service to authenticate with a proxy server ................................................ 77
Configuring multiple BlackBerry Enterprise Server instances to use the same BlackBerry Enterprise Server component ..... 79
Configure multiple BlackBerry Enterprise Server instances to use the same BlackBerry MDS Connection Service ........ 79
Configure multiple BlackBerry Enterprise Server instances to use the same BlackBerry Collaboration Service ............. 80
Configuring support for Unicode languages ....................................................................................................................... 80
Configure support for Unicode languages ................................................................................................................... 80
Change the character encoding that the BlackBerry Enterprise Server uses to send Unicode messages ...................... 81
Configure support for Unicode text in calendars on BlackBerry devices in a Microsoft Exchange environment ............. 82
Creating user groups ........................................................................................................................................................ 84
Create a group to manage similar user accounts ......................................................................................................... 84
Add user accounts to a group ..................................................................................................................................... 84
Adding a user account to the BlackBerry Enterprise Server ............................................................................................... 85
Add a user account .................................................................................................................................................... 85
Create a user account that is not in the contact list in the BlackBerry Configuration Database ..................................... 86
Export a list of user accounts ...................................................................................................................................... 87
Importing a list of user accounts to a BlackBerry Enterprise Server ............................................................................. 87
Preparing to distribute a BlackBerry device ....................................................................................................................... 91
Change how the BlackBerry Enterprise Server downloads a user's existing email messages onto the BlackBerry device ........................ 91
Prevent the BlackBerry Enterprise Server from synchronizing existing email messages onto a BlackBerry device ........ 92
Assigning BlackBerry devices to user accounts ................................................................................................................. 92
Option 1: Activate a BlackBerry device using the BlackBerry Administration Service ................................................... 93
Option 2: Activating a BlackBerry device over the wireless network ............................................................................. 94
Option 3: Activating BlackBerry devices over the LAN ................................................................................................. 97
Option 4: Activating BlackBerry devices using the BlackBerry Web Desktop Manager ................................................. 98
Option 5: Activating BlackBerry devices over an enterprise Wi-Fi network ................................................................... 98
9 Configuring BlackBerry Enterprise Server high availability ............................................................ 101
Check the health of a BlackBerry Enterprise Server ......................................................................................................... 101
Availability state and failover status of the BlackBerry Enterprise Server ................................................................... 101
How the BlackBerry Enterprise Server uses health parameters ........................................................................................ 102
Defining when failover occurs .................................................................................................................................. 102
Changing the promotion threshold and failover threshold ................................................................................................ 104
Change the promotion threshold and failover threshold and the order of the health parameters ................................ 104
Changing when automatic failover occurs by customizing the health parameters for user accounts and messaging servers ........................ 106
Prerequisites: Configuring the BlackBerry Enterprise Server pair to fail over automatically ............................................... 108
Configure the BlackBerry Enterprise Server to fail over automatically ............................................................................... 108
Monitoring the BlackBerry Enterprise Server for an automatic failover event .................................................................... 109
Use the BlackBerry Administration Service to find the time and reason for the last automatic failover event ............... 109
Fail over the BlackBerry Enterprise Server manually using the BlackBerry Administration Service .................................... 109
Fail over the BlackBerry Enterprise Server manually using the BlackBerry Configuration Panel ........................................ 110
Creating a BlackBerry MDS Connection Service pool for high availability .......................................................................... 111
Create a BlackBerry MDS Connection Service pool for high availability ...................................................................... 111
Configure the BlackBerry MDS Connection Service and BlackBerry Collaboration Service to fail over automatically .......... 112
Create a BlackBerry Collaboration Service pool for high availability .................................................................................. 113
Create a BlackBerry Attachment Service pool for high availability .................................................................................... 114
You cannot determine the BlackBerry Attachment Connector that the BlackBerry Enterprise Server or the BlackBerry MDS Connection Service uses ........................ 115
Create a BlackBerry Router pool for high availability ........................................................................................................ 116
Permit a BlackBerry Enterprise Server to connect to a remote BlackBerry Router ..................................................... 117
Creating a BlackBerry Administration Service pool that includes the BlackBerry Web Desktop Manager using DNS round robin ........................ 118
Configure the BlackBerry Administration Service instances in a pool to communicate across network subnets .......... 119
Changing the name of the BlackBerry Administration Service pool .................................................................................. 119
Change the name of the BlackBerry Administration Service pool .............................................................................. 120
Fail over the BlackBerry MDS Connection Service or BlackBerry Collaboration Service manually ..................................... 120
Monitoring the high availability status or job deployment status using the BlackBerry Administration Service ................... 121
Monitor the high availability status or job deployment status using the BlackBerry Administration Service ................. 122
Remove a BlackBerry MDS Connection Service instance from a pool ............................................................................... 122
Remove a BlackBerry Collaboration Service instance from a pool .................................................................................... 123
Remove a BlackBerry Attachment Service instance from a pool ...................................................................................... 123
Remove a BlackBerry Router instance from a pool .......................................................................................................... 124
11 Configuring BlackBerry Configuration Database high availability .................................................. 125
Prerequisites: Configuring database mirroring or database replication of the BlackBerry Configuration Database ............. 125
Configuring database mirroring ....................................................................................................................................... 126
Stop the BlackBerry Enterprise Server instances ...................................................................................................... 126
Configure database mirroring for the BlackBerry Configuration Database ................................................................. 127
Start the BlackBerry Enterprise Server instances ...................................................................................................... 127
Configure the BlackBerry Enterprise Solution to support database mirroring ............................................................. 128
Resend the database mirroring parameters to BlackBerry Enterprise Server components ......................................... 129
Configuring the BlackBerry Configuration Database for one-way transactional replication in an environment that includes Microsoft SQL Server 2005 or 2008 ........................ 130
Stop the BlackBerry Enterprise Server instances ...................................................................................................... 130
Create the replicated BlackBerry Configuration Database from a backup .................................................................. 130
Permit access to the BlackBerry Configuration Database instances .......................................................................... 131
Configure the publication for the BlackBerry Configuration Database ....................................................................... 131
Increase the maximum data size for transactional replication ................................................................................... 132
Prepare the database server that hosts the replicated BlackBerry Configuration Database and configure the subscription ........................ 133
Start the BlackBerry Enterprise Server instances ...................................................................................................... 134
Reacting if the BlackBerry Configuration Database that you configured for transactional replication stops responding ..... 134
Return to the BlackBerry Configuration Database when you configured transactional replication ..................................... 135
Configuring a new mirror BlackBerry Configuration Database .......................................................................................... 135
Managing BlackBerry Java Applications and BlackBerry Device Software ........................................................................ 136
Developing BlackBerry Java Applications for BlackBerry devices ..................................................................................... 137
Preparing to distribute BlackBerry Java Applications ....................................................................................................... 137
Specify a shared network folder for BlackBerry Java Applications ............................................................................. 138
Add a BlackBerry Java Application to the application repository ............................................................................... 139
Add a collaboration client to the application repository ............................................................................................. 139
Specify keywords for a BlackBerry Java Application .................................................................................................. 140
Configuring application control policies ........................................................................................................................... 140
Standard application control policies ....................................................................................................................... 140
Change a standard application control policy ........................................................................................................... 141
Create custom application control policies for a BlackBerry Java Application ............................................................ 141
IT policy rules take precedence on smartphones ...................................................................................................... 143
Application control policies for unlisted applications ....................................................................................................... 143
Change the standard application control policy for unlisted applications that are optional ......................................... 143
Create an application control policy for unlisted applications .................................................................................... 144
Configure the priority of application control policies for unlisted applications ............................................................ 144
Creating software configurations ..................................................................................................................................... 145
Create a software configuration ................................................................................................................................ 146
Add a BlackBerry Java Application to a software configuration ................................................................................. 146
Assign a software configuration to a group ................................................................................................................ 147
Assign a software configuration to multiple user accounts ........................................................................................ 148
Assign a software configuration to a user account ..................................................................................................... 148
Install BlackBerry Java Applications on a BlackBerry device at a central computer .......................................................... 149
View the status of a job ................................................................................................................................................... 150
View the status of a task ........................................................................................................................................... 150
Stopping a job that is running .......................................................................................................................................... 158
Stop a job that is running ......................................................................................................................................... 159
View the users that have a BlackBerry Java Application installed on their BlackBerry devices .......................................... 159
View how the BlackBerry Administration Service resolved software configuration conflicts for a user account ................... 160
Reconciliation rules for conflicting settings in software configurations ............................................................................. 161
Reconciliation rules: BlackBerry Java Applications ................................................................................................... 162
Reconciliation rules: BlackBerry Device Software ..................................................................................................... 164
Reconciliation rules: Standard application settings ................................................................................................... 165
Reconciliation rules: Application control policies ...................................................................................................... 166
Reconciliation rules: Application control policies for unlisted applications ................................................................. 166
Installing BlackBerry Java Applications on BlackBerry devices without using the BlackBerry Administration Service ........ 168
Developing BlackBerry Java Applications for BlackBerry devices ..................................................................................... 168
Methods you can use to install BlackBerry Java Applications on BlackBerry devices ........................................................ 169
Installing BlackBerry Java Applications using the BlackBerry Desktop Software ............................................................... 170
Prerequisites: Installing BlackBerry Java Applications using the BlackBerry Desktop Software .................................. 170
Make the BlackBerry Java Application available to the BlackBerry Desktop Software ................................................ 171
Install the BlackBerry Java Application using the BlackBerry Desktop Software ........................................................ 171
Installing BlackBerry Java Applications using the BlackBerry Application Web Loader ..................................................... 172
Prerequisites: Installing BlackBerry Java Applications using the BlackBerry Application Web Loader ........................ 172
Enable the BlackBerry Application Web Loader on a web server ............................................................................... 173
Install the BlackBerry Java Application using the BlackBerry Application Web Loader ............................................... 174
Installing BlackBerry Java Applications using the standalone application loader tool ........................................................ 174
Prerequisites: Installing BlackBerry Java Applications using the standalone application loader tool ........................... 175
Add BlackBerry Java Application files to a shared network folder .............................................................................. 176
Share the Research In Motion folder that contains the BlackBerry Java Application .................................................. 176
Configure the standalone application loader tool to install the BlackBerry Java Application in automated mode ......... 177
Install the BlackBerry Java Application using the standalone application loader tool ................................................. 177
Installing BlackBerry Java Applications using a web browser on BlackBerry devices ........................................................ 178
Prerequisites: Installing BlackBerry Java Applications using a web browser on BlackBerry devices ............................ 178
Install the BlackBerry Java Application on a web server ............................................................................................ 179
Install the BlackBerry Java Application using a web browser on the BlackBerry device .............................................. 179
14 Configuring how users access enterprise applications and web content ....................................... 180
Specifying a BlackBerry MDS Connection Service as a central push server ...................................................................... 180
Specify a BlackBerry MDS Connection Service as a central push server .................................................................... 181
Configuring how BlackBerry devices authenticate to content servers ............................................................................... 181
Configure how BlackBerry devices authenticate to content servers ........................................................................... 181
Configure the BlackBerry MDS Connection Service to authenticate BlackBerry devices to content servers that use
NTLM ...................................................................................................................................................................... 182
Configure the BlackBerry MDS Connection Service to authenticate BlackBerry devices to content servers that use
Kerberos ................................................................................................................................................................. 183
Configure the BlackBerry MDS Connection Service to authenticate BlackBerry devices to content servers that use
LTPA ....................................................................................................................................................................... 183
Configuring the BlackBerry MDS Connection Service to authenticate devices to the RSA Authentication Manager ..... 184
Configuring how the BlackBerry MDS Connection Service manages requests for web content .......................................... 186
Configure the BlackBerry MDS Connection Service to manage HTTP cookie storage ................................................. 186
Configure the timeout limit for HTTP connections with BlackBerry devices ............................................................... 187
Configure the timeout limit for HTTP connections with web servers ........................................................................... 187
Configure the maximum number of times that the BlackBerry Browser accepts HTTP redirections ............................ 188
Permitting push applications to make trusted connections to a BlackBerry MDS Connection Service ............................... 188
Create a key store to store certificates for use with HTTPS connections ..................................................................... 189
Add a certificate for the BlackBerry MDS Connection Service ................................................................................... 189
Export the BlackBerry MDS Connection Service certificate to make it available to push applications ......................... 190
Import the BlackBerry MDS Connection Service certificate to the key store of a push application .............................. 190
Permit push applications to select the transport protocol for PAP requests ...................................................................... 191
Configuring a BlackBerry MDS Connection Service to trust web servers ........................................................................... 191
Specify whether the BlackBerry MDS Connection Service requires trusted HTTPS connections from web servers ...... 192
Specify whether the BlackBerry MDS Connection Service requires trusted TLS connections from web servers ........... 192
Configuring certificate server information for the BlackBerry MDS Connection Service .............................................. 193
Add a retrieved certificate for a web server to the key store ....................................................................................... 200
Permitting users to access intranet sites on BlackBerry devices using global login information ......................................... 200
Configure global login information for intranet site access ......................................................................................... 201
Configuring how the BlackBerry MDS Connection Service connects to BlackBerry devices .............................................. 201
Specify the maximum amount of data that a BlackBerry MDS Connection Service can send to BlackBerry devices .... 201
Specify the pending content timeout limit for a BlackBerry MDS Connection Service ................................................. 202
Permit Java applications to use scalable socket connections with a BlackBerry MDS Connection Service .................. 202
Specify the thread pool size of a BlackBerry MDS Connection Service ....................................................................... 202
Specify the maximum number of scalable socket connections .................................................................................. 203
Prevent the BlackBerry MDS Connection Service from using scalable HTTP ............................................................. 203
Specify the port number that the web server listens on for push application requests ................................................ 204
Specify how often a BlackBerry MDS Connection Service polls for configuration information ..................................... 205
15 Setting up the messaging environment ........................................................................................ 206
Creating email message filters ........................................................................................................................................ 206
Create an email message filter that applies to all user accounts on a BlackBerry Enterprise Server ............................ 206
Turn on an email message filter that applies to all user accounts on a BlackBerry Enterprise Server .......................... 207
Create an email message filter that applies to a specific user account ....................................................................... 207
Turn on an email message filter that applies to a specific user account ..................................................................... 208
Copying existing email message filters to another BlackBerry Enterprise Server ............................................................... 209
Export email message filters for a BlackBerry Enterprise Server ................................................................................ 209
Import email message filters for a BlackBerry Enterprise Server ................................................................................ 209
Copying existing email message filters to user accounts .................................................................................................. 210
Export email message filters for a user account ........................................................................................................ 210
Import email message filters for a user account ........................................................................................................ 210
Extension plug-ins for processing messages .................................................................................................................... 211
Install an extension plug-in application ..................................................................................................................... 211
Add an extension plug-in to a BlackBerry Messaging Agent ...................................................................................... 212
Change how a BlackBerry Messaging Agent uses extension plug-ins ......................................................................... 213
Mapping contact information fields for synchronization and contact lookups ................................................................... 214
Map a contact information field in an email application to contact list fields on BlackBerry devices ........................... 214
Map a contact list field in an email application to a contact list field on a BlackBerry device ...................................... 214
Map a contact information field in an email application to contact list fields on BlackBerry devices ........................... 215
Map a contact list field in an email application to a contact list field on a BlackBerry device ...................................... 215
Configure the certificate information using IT policies ...................................................................................................... 217
Configure the BlackBerry MDS Connection Service to connect to the certificate authority ................................................ 218
Add communication information to a BlackBerry MDS Connection Service configuration set ..................................... 219
Assign a BlackBerry MDS Connection Service configuration set to a BlackBerry MDS Connection Service instance ... 220
Add certificate information to a Wi-Fi profile .................................................................................................................... 221
Managing an enrolled certificate ..................................................................................................................................... 221
Change the polling interval, logging, and pool size for the BlackBerry MDS Connection Service connection to the
certificate authority ........................................................................................................................................................ 222
Properties in the rimpublic.properties file ................................................................................................................. 223
Installing the client components of the BlackBerry Web Desktop Manager on users' computers ....................................... 224
Publish the client files for the BlackBerry Web Desktop Manager in a Windows GPO for Windows XP ................................ 225
Publish the client files for the BlackBerry Web Desktop Manager in a Windows GPO for Windows Vista ............................. 226
Configure the Microsoft ActiveX Installer on Windows Vista ....................................................................................... 227
Configure users' computers to install the client file for the BlackBerry Web Desktop Manager automatically .................... 227
Make the BlackBerry Web Desktop Manager available to users ....................................................................................... 229
Permit users to perform administrative tasks using the BlackBerry Web Desktop Manager ............................................... 230
Permit users to activate devices using the BlackBerry Web Desktop Manager .................................................................. 231
Permit users to back up and restore data using the BlackBerry Web Desktop Manager .................................................... 231
Configure the domains for backing up data using the BlackBerry Web Desktop Manager ................................................. 232
Change the text colors in the BlackBerry Web Desktop Manager ..................................................................................... 232
BlackBerry Web Desktop Manager text colors .......................................................................................................... 233
Display a custom image in the BlackBerry Web Desktop Manager ................................................................................... 234
Display the domain name on the login page of the BlackBerry Web Desktop Manager ...................................................... 234
19 Creating and configuring Wi-Fi profiles and VPN profiles .............................................................. 235
Creating and configuring Wi-Fi profiles ............................................................................................................................ 235
Prerequisites: Creating Wi-Fi profiles and VPN profiles ............................................................................................. 235
Create a Wi-Fi profile ............................................................................................................................................... 237
Create a Wi-Fi profile based on an existing Wi-Fi profile ............................................................................................ 237
Configure a Wi-Fi profile on a BlackBerry device ....................................................................................................... 238
Assign a Wi-Fi profile to a group ............................................................................................................................... 238
Assign a Wi-Fi profile to a user account .................................................................................................................... 238
Configure a Wi-Fi profile ........................................................................................................................................... 239
Creating and configuring VPN profiles ............................................................................................................................. 239
Create a VPN profile ................................................................................................................................................ 240
Create a VPN profile based on an existing VPN profile ............................................................................................... 240
Configure a VPN profile ............................................................................................................................................ 240
Assign a VPN profile to a group ................................................................................................................................ 241
Assign a VPN profile to a user account ..................................................................................................................... 241
Associate a VPN profile with a Wi-Fi profile ............................................................................................................... 242
Delete a Wi-Fi profile ...................................................................................................................................................... 242
Delete a VPN profile ....................................................................................................................................................... 243
Importing profile information from a .csv file .................................................................................................................... 243
Best practices: Creating a .csv file that contains profile information that you want to import ...................................... 243
Create a .csv file that contains profile information that you want to import ................................................................. 244
Import profile information from a .csv file .................................................................................................................. 246
Configuring WEP encryption ........................................................................................................................................... 247
Configure WEP keys for BlackBerry devices using a Wi-Fi profile ............................................................................... 247
Configuring PSK encryption ............................................................................................................................................ 248
Configure PSK encryption data for BlackBerry devices using a Wi-Fi profile ............................................................... 249
Configuring LEAP authentication .................................................................................................................................... 249
Configure LEAP authentication data for BlackBerry devices using a Wi-Fi profile ....................................................... 250
Configuring PEAP authentication .................................................................................................................................... 250
Configure PEAP authentication data for BlackBerry devices using a Wi-Fi profile ....................................................... 251
Prerequisites: Distributing a certificate using the BlackBerry Desktop Manager ........................................................ 252
Distribute a certificate using the BlackBerry Desktop Manager ................................................................................. 252
Configure PEAP configuration settings in the Wi-Fi profile on a BlackBerry device ..................................................... 253
Configuring EAP-TLS authentication ............................................................................................................................... 254
Configure EAP-TLS authentication data for BlackBerry devices using a Wi-Fi profile .................................................. 255
Configure EAP-TLS configuration settings in the Wi-Fi profile on a BlackBerry device ................................................ 256
Configuring EAP-TTLS authentication ............................................................................................................................. 256
Configure EAP-TTLS authentication data for BlackBerry devices using a Wi-Fi profile ................................................ 257
Configure EAP-TTLS configuration settings in the Wi-Fi profile on a BlackBerry device .............................................. 258
Configuring EAP-FAST authentication ............................................................................................................................. 259
Configure EAP-FAST authentication ......................................................................................................................... 259
Send EAP-FAST authentication data to a BlackBerry device using a Wi-Fi profile ...................................................... 260
Configure EAP-FAST configuration settings in the Wi-Fi profile on BlackBerry devices ............................................... 261
21 Configuring software tokens for BlackBerry devices ..................................................................... 262
Prerequisites: Configuring BlackBerry devices for RSA authentication ............................................................................. 262
Configure BlackBerry devices for RSA authentication ...................................................................................................... 263
Configure RSA authentication over a Wi-Fi network using a software token ...................................................................... 264
Configure RSA authentication over a VPN network using a software token ....................................................................... 264
Assign software tokens to a user account ........................................................................................................................ 265
22 Changing the security settings of the BlackBerry Administration Service and BlackBerry Web
Desktop Manager ........................................................................................................................ 266
Import a new SSL certificate for the BlackBerry Administration Service and BlackBerry Web Desktop Manager ................ 266
Configuring Microsoft Active Directory authentication in an environment that includes a resource forest .......................... 267
Change the information for Microsoft Active Directory authentication ....................................................................... 268
Configuring single sign-on authentication for the BlackBerry Administration Service and BlackBerry Web Desktop
Manager ........................................................................................................................................................................ 269
Configure constrained delegation for the Microsoft Active Directory account to support single sign-on
authentication ......................................................................................................................................................... 270
Turn on single sign-on authentication for the BlackBerry Administration Service ....................................................... 270
BlackBerry Administration Service web addresses and BlackBerry Web Desktop Manager web addresses that
support BlackBerry Administration Service single sign-on ......................................................................................... 271
Changing password settings for BlackBerry Administration Service authentication .......................................................... 272
Change password settings for BlackBerry Administration Service authentication ...................................................... 272
Regenerate the system credentials for the BlackBerry Administration Service ................................................................. 273
Preparing a device for redistribution to a new user .......................................................................................................... 274
Use the BlackBerry Administration Service to delete user data and assign the device to a new user ........................... 274
Use the BlackBerry Administration Service to delete device data and disable the device before assigning the
device to a new user ................................................................................................................................................ 275
Deleting only work data from a device ............................................................................................................................. 275
Delete only work data from a device ......................................................................................................................... 277
Using IT administration commands to protect a lost or stolen device ............................................................................... 278
Protect a stolen device ............................................................................................................................................. 279
Protect a lost device ................................................................................................................................................ 279
Protect a lost device that a user might not recover .................................................................................................... 280
24 Managing administrator accounts ............................................................................................... 282
Change role permissions ................................................................................................................................................ 282
Change the roles for an administrator account ................................................................................................................ 282
Delete a role ................................................................................................................................................................... 283
Delete an administrator account ..................................................................................................................................... 283
25 Managing groups and user accounts ........................................................................................... 285
Managing groups ............................................................................................................................................................ 285
Using default groups to manage user accounts and administrator accounts .............................................................. 285
Remove a user account from a group ....................................................................................................................... 286
Change the properties of a group ............................................................................................................................. 287
Rename a group ...................................................................................................................................................... 287
Delete a group ......................................................................................................................................................... 287
Managing user accounts ................................................................................................................................................. 288
Move a user account to a different group .................................................................................................................. 288
Move a user account from one BlackBerry Enterprise Server to another .................................................................... 289
Delete a user account from the BlackBerry Enterprise Server ................................................................................... 289
Update a user account manually .............................................................................................................................. 290
Add an administrator role to a user account ............................................................................................................. 290
Update the contact list manually .............................................................................................................................. 290
Resend service books to a BlackBerry device ........................................................................................................... 291
26 Managing the delivery of BlackBerry Java Applications, BlackBerry Device Software, and device
settings to BlackBerry devices ..................................................................................................... 292
Managing the default distribution settings for jobs ........................................................................................................... 292
Change default settings for a job schedule ............................................................................................................... 292
Change how IT policies are sent to BlackBerry devices ............................................................................................. 293
Change how to install, update, or remove BlackBerry Java Applications .................................................................... 294
Change how to install or update the BlackBerry Device Software .............................................................................. 296
Change how the BlackBerry Enterprise Server sends standard application settings to BlackBerry devices ................. 297
Managing the distribution settings for a specific job ........................................................................................................ 298
Specify the start time and priority for a job ................................................................................................................ 299
Change how a job sends IT policies to BlackBerry devices ........................................................................................ 299
Change how a job sends BlackBerry Java Applications to BlackBerry devices ........................................................... 300
Change how a job sends the BlackBerry Device Software to BlackBerry devices ........................................................ 302
Change how a job sends standard application settings to BlackBerry devices ........................................................... 303
Managing BlackBerry Java Applications on BlackBerry devices ....................................................................................... 304
Make a BlackBerry Java Application unavailable for installation ................................................................................ 304
Remove a BlackBerry Java Application from BlackBerry devices over the wireless network ....................................... 305
Managing software configurations .................................................................................................................................. 306
Remove a software configuration from a group ......................................................................................................... 306
Remove a software configuration from multiple user accounts .................................................................................. 306
Remove a software configuration from a user account .............................................................................................. 307
Delete a software configuration ................................................................................................................................ 307
27 Managing how users access enterprise applications and web content .......................................... 308
Restricting user access to content on web servers ........................................................................................................... 308
Restrict requests for content on web servers from BlackBerry devices ...................................................................... 308
Specify web address patterns .................................................................................................................................. 309
Create a pull rule ..................................................................................................................................................... 309
Restrict or permit web addresses and Intranet addresses using a pull rule ................................................................ 310
Assign a pull rule to the members of a group ............................................................................................................ 311
Assign a pull rule to user accounts ........................................................................................................................... 311
Restricting user access to media content in the BlackBerry Browser ............................................................................... 312
Prevent users from accessing specific media types .................................................................................................. 312
Configure download limits for media content types ................................................................................................... 312
Default download limits for media content types ....................................................................................................... 313
Configuring Integrated Windows authentication so that users can access resources on your organization's network ......... 314
Configuring the Microsoft Active Directory account to delegate access ..................................................................... 315
Configuring the BlackBerry MDS Connection Service when the messaging server is located in a remote Microsoft
Active Directory domain ........................................................................................................................................... 317
Turn on Integrated Windows authentication so that users can access resources on your organization's network ........ 318
Restricting the push application content that users can receive ....................................................................................... 320
Restrict push applications from sending data to BlackBerry devices ......................................................................... 320
Create push initiators for push applications .............................................................................................................. 320
Turn on push authorization ...................................................................................................................................... 321
Create a push rule ................................................................................................................................................... 322
Assign push initiators to a push rule ......................................................................................................................... 322
Assign a push rule to the members of a group ........................................................................................................... 323
Assign a push rule to user accounts ......................................................................................................................... 323
Encrypt push requests that push applications send to BlackBerry devices ................................................................ 324
Managing push application requests ............................................................................................................................... 324
Specify device ports for application-reliable push requests ....................................................................................... 324
Store push application requests in the BlackBerry Configuration Database ............................................................... 325
Configure the settings for storing push requests in the BlackBerry Configuration Database ....................................... 326
Configure the maximum number of active connections that a BlackBerry MDS Connection Service can process ........ 326
Configure the maximum number of queued connections that a BlackBerry MDS Connection Service can process ..... 327
Managing the wireless backup and recovery of organizer data ......................................................................................... 328
Turn off the wireless backup of organizer data for a user account .............................................................................. 328
Delete organizer data for members of a user group from the BlackBerry Enterprise Server ........................................ 329
Delete a user's organizer data from a BlackBerry Enterprise Server .......................................................................... 329
Turning off organizer data synchronization ...................................................................................................................... 329
Turn off organizer data synchronization for all user accounts that are associated with a BlackBerry Enterprise Server ..................................................................................................................................................................... 330
Turn off organizer data synchronization for a specific user account ........................................................................... 330
Changing how organizer data synchronizes ..................................................................................................................... 331
Change the direction of organizer data synchronization for all user accounts on a BlackBerry Enterprise Server ........ 331
Change the direction of organizer data synchronization for a specific user account ................................................... 331
Change how the BlackBerry Administration Service resolves conflicts during organizer data synchronization for all user accounts on a BlackBerry Enterprise Server ...................................................................................................... 332
Change how the BlackBerry Administration Service resolves conflicts during organizer data synchronization for a specific user account ............................................................................................................................................... 332
Synchronizing contact pictures ....................................................................................................................................... 333
Turn off synchronization of contact pictures for a user account ................................................................................. 333
29 Managing your organization's messaging environment and attachment support ........................... 335
Managing message forwarding ....................................................................................................................................... 335
Forward email messages to a BlackBerry device when no filter rules apply ................................................................ 335
Do not deliver email messages to a BlackBerry device when no filter rules apply ....................................................... 336
Page 15
Forward email messages from inbox subfolders to a BlackBerry device ..................................................................... 336
Turn off email message forwarding to user accounts in a group ................................................................................. 337
Turn off email message forwarding to a user account ................................................................................................ 337
Turn off synchronization for email messages sent from a BlackBerry device .............................................................. 338
Turn off email message forwarding when a user connects a BlackBerry device to a computer ................................... 338
Managing the incoming message queue ......................................................................................................................... 339
Delete email messages for user accounts from the incoming message queue ........................................................... 339
Managing wireless message reconciliation ...................................................................................................................... 340
Turn off wireless message reconciliation for a BlackBerry Enterprise Server .............................................................. 340
Turn on reconciliation for email messages that are hard deleted ............................................................................... 340
Managing access to remote message data ...................................................................................................................... 341
Prevent a user from checking the availability of meeting participants on the BlackBerry device ................................. 341
Prevent a user from searching for remote email messages using a device ................................................................. 342
Managing email messages that contain HTML and rich content ...................................................................................... 343
View whether a user turned on support for email messages that contain HTML and rich content for a BlackBerry device ..................................................................................................................................................................... 343
Turn off support for rich text formatting and inline images in email messages for users on a BlackBerry Enterprise Server ..................................................................................................................................................................... 344
Turn off support for rich text formatting and inline images in email messages using an IT policy rule .......................... 345
Synchronizing folders on the BlackBerry device .............................................................................................................. 346
Control which published public contact folders a user can synchronize to a BlackBerry device .................................. 346
Control which personal contact subfolders a user can synchronize to a BlackBerry device ........................................ 346
Control which personal mail folders a user can synchronize with a BlackBerry device ................................................ 347
Configuring access to documents on remote file systems ................................................................................................ 348
Configure the BlackBerry MDS Connection Service to communicate with a remote file system .................................. 348
Add communication information to a BlackBerry MDS Connection Service configuration set ..................................... 349
Assign a BlackBerry MDS Connection Service configuration set to a BlackBerry MDS Connection Service instance ... 350
Managing signatures and disclaimers in email messages ................................................................................................ 351
Add a signature to email messages that a user sends from a BlackBerry device ........................................................ 351
Add a disclaimer to email messages that users send from BlackBerry devices .......................................................... 352
Add a disclaimer to email messages that a user sends from a BlackBerry device ....................................................... 352
Specify conflict rules for disclaimers ........................................................................................................................ 353
Turn off disclaimers for email messages ................................................................................................................... 353
Monitor email messages that users send from BlackBerry devices ................................................................................... 354
Sending notification messages to users ........................................................................................................................... 354
Send a notification message to all users in a BlackBerry Domain .............................................................................. 355
Send a notification message to all users on a BlackBerry Enterprise Server ............................................................... 355
Send a notification message to group members ........................................................................................................ 355
Send a notification message to a user ....................................................................................................................... 356
Change the size of the message state database ............................................................................................................... 356
How the BlackBerry Attachment Connector communicates with BlackBerry Attachment Service instances ..................... 357
Page 16
Change how a BlackBerry Attachment Connector retries sending requests to a BlackBerry Attachment Service ........ 357
Change how a BlackBerry Attachment Connector restores a lost connection to a BlackBerry Attachment Service ..... 358
Attachment file formats that the BlackBerry Attachment Service supports ...................................................................... 359
Limitations for supported attachment file formats ..................................................................................................... 359
Changing how a BlackBerry Attachment Service converts attachments ........................................................................... 361
Change how a BlackBerry Attachment Service converts attachments ....................................................................... 361
Change the maximum file size for attachments that users can receive ...................................................................... 363
Turn off support for an attachment file format for a BlackBerry Attachment Service ......................................................... 364
Add support for an additional attachment file format to a BlackBerry Attachment Service ................................................ 365
Changing how the BlackBerry Messaging Agent reconciles attachments to the messaging server .................................... 366
Change the maximum file size for attachments that users can send .......................................................................... 366
Prevent users from sending large attachments ......................................................................................................... 367
Change the maximum file size of attachments that users can download .................................................................... 367
Configuring the BlackBerry Enterprise Server to use Microsoft Exchange Web Services or MAPI and CDO libraries ........... 369
Prerequisites: Configuring the BlackBerry Enterprise Server to use Microsoft Exchange Web Services ....................... 369
Turn off client throttling in Microsoft Exchange 2010 ................................................................................................ 370
Configure the BlackBerry Enterprise Server to use Microsoft Exchange Web Services ................................................ 370
Configure the BlackBerry Enterprise Server to use MAPI and CDO libraries ............................................................... 371
Configure the BlackBerry Messaging Agent instances to use a web address for a specific Microsoft Autodiscover service .................................................................................................................................................................... 372
Configure the BlackBerry Messaging Agent instances to use a specific web address for a client access server for Microsoft Exchange ................................................................................................................................................. 373
Configuring the BlackBerry Messaging Agent instances to look up the user's status using only Microsoft Exchange Web Services ........................................................................................................................................................... 374
Correcting calendar synchronization errors on devices .................................................................................................... 375
Configuration levels using the BlackBerry Enterprise Trait Tool ................................................................................. 375
Turn off corrective calendar synchronization ............................................................................................................ 376
View the current settings for corrective calendar synchronization ............................................................................. 377
Turn off automatic error correction in corrective calendar synchronization ................................................................ 377
Configure the range of days to check for calendar synchronization errors .................................................................. 378
Configure when corrective calendar synchronization runs ......................................................................................... 379
Logging information for corrective calendar synchronization ..................................................................................... 380
Delete a setting for corrective calendar synchronization ........................................................................................... 381
Start corrective calendar synchronization manually for a user account ............................................................................ 382
Improving the flow of email messages and calendar synchronization when the BlackBerry Enterprise Server runs on Windows Server 2008 ..................................................................................................................................................... 382
Change how the BlackBerry Enterprise Server creates temporary MAPI profiles for the CalHelper application ........... 383
31 Managing instant messaging ....................................................................................................... 384
Installing a collaboration client on BlackBerry devices ..................................................................................................... 384
Change the instant messaging server or pool that a BlackBerry Collaboration Service connects to .................................... 385
Page 17
Change the transport protocol for a Microsoft instant messaging environment ................................................................. 385
Specify the Windows domain name for users who log in to a collaboration client .............................................................. 386
Managing instant messaging sessions ............................................................................................................................. 387
Specify the maximum number of instant messaging sessions that can be open at the same time ............................... 387
Specify the inactivity timeout limit for instant messaging sessions ............................................................................. 387
Managing instant messaging features ............................................................................................................................. 388
Prevent users from sending specific file types to instant messaging contacts using the BlackBerry Client for IBM Lotus Sametime ....................................................................................................................................................... 388
Specifying the maximum size of file types that users can send using the BlackBerry Client for IBM Lotus Sametime .. 388
Prevent users from sending instant messaging conversations in email messages ...................................................... 389
Prevent users from saving instant messaging conversations ..................................................................................... 389
Hide the icon that appears on BlackBerry devices for mobile contacts ...................................................................... 389
Make additional contact information and phone numbers available for the BlackBerry Client for IBM Lotus Sametime users ....................................................................................................................................................... 390
Restarting BlackBerry Enterprise Server components ..................................................................................................... 392
Restart a BlackBerry Enterprise Server component using the BlackBerry Administration Service .............................. 393
Restart a BlackBerry Enterprise Server component using Windows Services ............................................................. 393
Best practice: Restarting more than one BlackBerry Administration Service instance ............................................... 394
Using the BlackBerry Enterprise Trait Tool ...................................................................................................................... 394
Use the BlackBerry Enterprise Trait Tool .................................................................................................................. 394
BlackBerry Enterprise Trait Tool traits ............................................................................................................................. 395
Permit the BlackBerry Messaging Agent to write statistics to Microsoft Exchange mailboxes ............................................ 406
Managing BlackBerry CAL keys ...................................................................................................................................... 407
Add or delete a BlackBerry CAL key ......................................................................................................................... 407
Copy a BlackBerry CAL key to a text file .................................................................................................................... 408
Configuring the BlackBerry Mail Store Service instance that updates the contact list ....................................................... 408
Configure the BlackBerry Mail Store Service instance that updates the contact list ................................................... 409
Configuring a Hosted BlackBerry services environment ................................................................................................... 409
Configuring Hosted BlackBerry services when you permit your organization’s customers limited access to Microsoft Active Directory ........................................................................................................................................ 410
Configure Hosted BlackBerry services when your organization’s customers have full control of their subtree in Microsoft Active Directory ........................................................................................................................................ 411
Configuring the BlackBerry Enterprise Server to use LDAP to retrieve email addresses and organizer data ....................... 412
Configure the BlackBerry Enterprise Server to connect to Microsoft Active Directory ................................................. 413
Configure the BlackBerry Enterprise Server to retrieve email addresses and organizer data using LDAP .................... 414
Prevent the BlackBerry Enterprise Server from retrieving contact information for specific users ................................ 415
Restrict the location in Microsoft Active Directory that the BlackBerry Enterprise Server can retrieve email addresses and organizer data from .......................................................................................................................... 416
Configuring BlackBerry Policy Service throttling .............................................................................................................. 416
View the current settings for BlackBerry Policy Service throttling .............................................................................. 417
Page 18
Configuring BlackBerry Policy Service throttling for IT policies and service books ...................................................... 417
Configuring BlackBerry Policy Service throttling for PIN encryption keys ................................................................... 419
Configuring BlackBerry Policy Service throttling for application polling ..................................................................... 419
Delete a BlackBerry Policy Service throttling setting ................................................................................................. 420
Change the port number that BlackBerry Enterprise Server components use to connect to the BlackBerry Configuration Database .................................................................................................................................................. 421
Change the port number that the syslog tools use to monitor BlackBerry Enterprise Server events ................................... 422
How the BlackBerry Controller monitors the BlackBerry Enterprise Server components ................................................... 423
Change how the BlackBerry Controller restarts the BlackBerry Messaging Agent ...................................................... 423
Change how the BlackBerry Controller restarts a BlackBerry Enterprise Server service ............................................. 426
BlackBerry Enterprise Server Alert Tool ........................................................................................................................... 428
Configuring notifications using the BlackBerry Enterprise Server Alert Tool ............................................................... 428
Monitoring PIN messages, SMS text messages, and calls ................................................................................................ 431
Change the default location for the log files for PIN messages, SMS text messages, and calls .................................... 431
Log files for BlackBerry Enterprise Server components .................................................................................................... 433
Changing the location where BlackBerry Enterprise Server components save log files ............................................... 433
Changing how BlackBerry Enterprise Server components create log files .................................................................. 434
Component identifiers for log files ............................................................................................................................ 439
BlackBerry MDS Connection Service log files .................................................................................................................. 440
Changing how the BlackBerry MDS Connection Service creates a log file .................................................................. 440
Using BlackBerry MDS Connection Service log files to view information for proxied connections to BlackBerry devices .................................................................................................................................................................... 444
BlackBerry Collaboration Service log files ........................................................................................................................ 445
Change which activities the BlackBerry Collaboration Service writes to a log file ........................................................ 445
35 BlackBerry Enterprise Solution connection types and port numbers ............................................. 447
BlackBerry Administration Service connection types and port numbers ........................................................................... 447
BlackBerry Attachment Service connection types and port numbers ............................................................................... 449
BlackBerry Collaboration Service connection types and port numbers ............................................................................. 450
BlackBerry Configuration Database connection types and port numbers ......................................................................... 452
BlackBerry Controller connection types and port numbers .............................................................................................. 453
BlackBerry Dispatcher connection types and port numbers ............................................................................................ 454
BlackBerry Messaging Agent connection types and port numbers ................................................................................... 456
BlackBerry MDS Connection Service connection types and port numbers ....................................................................... 459
BlackBerry Monitoring Service connection types and port numbers ................................................................................. 460
BlackBerry Policy Service connection types and port numbers ........................................................................................ 461
BlackBerry Router connection types and port numbers ................................................................................................... 462
BlackBerry Synchronization Service connection types and port numbers ......................................................................... 464
CalHelper connection type and port number ................................................................................................................... 465
Page 19
IBM Lotus Sametime connection type and port number .................................................................................................. 466
Microsoft Exchange connection types and port numbers ................................................................................................. 466
Microsoft Office Live Communications Server 2005 connection types and port numbers .................................................. 467
BlackBerry Client for use with Microsoft Office Live Communications Server 2005 connection types and port numbers .... 467
Novell GroupWise Messenger connection type and port number ..................................................................................... 468
SNMP agent connection types and port numbers ............................................................................................................ 468
Syslog connection type and port number ........................................................................................................................ 469
Troubleshooting: Connecting to the BlackBerry Administration Service ........................................................................... 470
The web browser displays an HTTP 404 or HTTP 504 error message when it tries to connect to a BlackBerry Administration Service instance ............................................................................................................................... 470
Troubleshooting: BlackBerry Enterprise Server Performance ........................................................................................... 471
A BlackBerry Enterprise Server that you installed remotely from the BlackBerry Configuration Database uses an unexpected amount of system resources and increases wireless network traffic ....................................................... 471
Microsoft SQL Server uses a considerable amount of disk space ............................................................................... 472
Troubleshooting: Setting up user accounts ...................................................................................................................... 472
You cannot create a user account in the BlackBerry Administration Service .............................................................. 472
You cannot find a new user account in the directory using the BlackBerry Administration Service ............................. 473
Troubleshooting: Messaging ........................................................................................................................................... 473
Messages are not delivered to BlackBerry devices .................................................................................................... 473
Text does not appear correctly in Unicode email messages ...................................................................................... 474
Troubleshooting: Instant messaging ................................................................................................................................ 474
Users cannot view phone numbers for contacts in the BlackBerry Client for IBM Lotus Sametime ............................. 474
A user did not accept a notification about an instant message on a computer and the notification disappeared ......... 476
A user receives a 301 error when the user logs in to an instant messaging application on a BlackBerry device ........... 476
Troubleshooting: BlackBerry Web Desktop Manager ....................................................................................................... 477
Troubleshooting: Users cannot log in to the BlackBerry Web Desktop Manager ......................................................... 477
Troubleshooting: Connections to the Wi-Fi network ......................................................................................................... 478
A BlackBerry device cannot connect to a Wi-Fi network ............................................................................................ 478
A BlackBerry device cannot open a VPN connection ................................................................................................ 487
A BlackBerry device cannot connect to the mobile network using UMA or GAN ......................................................... 488
Verify whether a BlackBerry device can resolve an IP address ................................................................................... 489
Look up a computer name to resolve an IP address .................................................................................................. 489
Troubleshooting: BlackBerry Administration Service pools .............................................................................................. 490
BlackBerry Administration Service instances located in different network segments are not connecting to each
other ....................................................................................................................................................................... 490
Troubleshooting: BlackBerry Monitoring Service connections .......................................................................................... 491
A user cannot log in to the BlackBerry Monitoring Service ......................................................................................... 491
Troubleshooting: IT policies ............................................................................................................................................ 492
I cannot find an IT policy rule in the BlackBerry Administration Service ..................................................................... 492
37
Glossary ...................................................................................................................................... 493

Administration Guide Overview: BlackBerry Enterprise Server

1 Overview: BlackBerry Enterprise Server
The BlackBerry Enterprise Server is designed to be a secure, centralized link between an organization's wireless network, communications software, applications, and BlackBerry smartphones. The BlackBerry Enterprise Server integrates with your organization's existing infrastructure to provide smartphone users with mobile access to your organization's resources.
You can manage the BlackBerry Enterprise Server, smartphones, and user accounts using the BlackBerry Administration Service. You can access the BlackBerry Administration Service web application from any computer that can access the computer that hosts the BlackBerry Administration Service.
You can optionally install BlackBerry Mobile Fusion Studio in your organization's environment to provide a simplified administrative console for your organization's helpdesk administrators and an integrated view of the BlackBerry Enterprise Server and other MDM domains. For more information, visit http://www.blackberry.com/go/serverdocs to see the BlackBerry Mobile Fusion Studio Feature and Technical Overview.

Document revision history

Date Description
17 September 2012 Updated the following topics:
• Create an administrator account
• Permit users to perform administrative tasks using the BlackBerry Web Desktop Manager
• Add a retrieved certificate for a web server to the key store
• Changing password settings for BlackBerry Administration Service authentication
• Permit a BlackBerry Enterprise Server to connect to a remote BlackBerry Router
• Use the BlackBerry Administration Service to delete device data and disable the device before assigning the device to a new user
14 September 2011 Updated the following topics:
• Import IT policy data
• Reconciliation rules for conflicting IT policies when you apply multiple IT policies to a user account
• Reconciliation rules for conflicting IT policies when you apply one IT policy to the user account
• Troubleshooting: IT policies
• Mapping contact information fields for synchronization and contact lookups
• Map a contact information field in an email application to a contact list field on BlackBerry devices
• Permit users to create activation passwords using the BlackBerry Web Desktop Manager
3 August 2011 Added the following topic:
• Import IT policy rules from an IT policy pack
14 June 2011 Updated the following topics:
• Configuring a new mirror BlackBerry Configuration Database
• Configure the certificate information using IT policies
07 March 2011 Initial version

Getting started in your BlackBerry Enterprise Server environment

The following table lists the tasks that administrators typically perform after installing a BlackBerry Enterprise Server, and the chapter or section in the BlackBerry Enterprise Server Administration Guide that contains the information required to complete the task. Some of the tasks might not be required in your organization's environment.
Task | Chapter
Create administrator accounts. | Creating administrator accounts
Review the default IT policies. If necessary, change existing IT policies or create new IT policies. | Configuring security options
• Section: Using an IT policy to manage BlackBerry Enterprise Solution security
Add user accounts to the BlackBerry Enterprise Server. | Configuring user accounts
• Section: Adding a user account to the BlackBerry Enterprise Server
Create groups. | Configuring user accounts
• Section: Creating groups
Add user accounts to groups. | Configuring user accounts
• Section: Add a user account to a group
Review the default distribution settings for IT policies. If necessary, change the default distribution settings. | Managing the delivery of BlackBerry Java Applications, BlackBerry Device Software, and device settings to BlackBerry devices
• Section: Change how IT policies are sent to BlackBerry devices
Assign IT policies to groups or user accounts. | Setting up security options
• Section: Assign an IT policy to a group
• Section: Assign an IT policy to a user account
Assign BlackBerry devices to user accounts. | Assigning BlackBerry devices to users
If necessary, change the default messaging settings for your organization's environment. | Setting up the messaging environment; Managing your messaging environment and attachment support
Prepare to distribute BlackBerry Java Applications. | Sending software and BlackBerry Java Applications to BlackBerry devices
• Section: Preparing to distribute BlackBerry Java Applications
Review the default distribution settings for BlackBerry Java Applications. If necessary, change the default distribution settings. | Managing the delivery of BlackBerry Java Applications, BlackBerry Device Software, and device settings to BlackBerry devices
• Section: Change how to install, update, or remove BlackBerry Java Applications on BlackBerry devices
Review the default application control policies and application control policies for unlisted applications. If necessary, change the existing application control policies. | Sending software and BlackBerry Java Applications to BlackBerry devices
• Section: Configuring application control policies
• Section: Application control policies for unlisted applications
Create software configurations for BlackBerry Java Applications. | Sending software and BlackBerry Java Applications to BlackBerry devices
• Section: Creating software configurations
Assign software configurations for BlackBerry Java Applications to groups, multiple user accounts, or individual user accounts. | Sending software and BlackBerry Java Applications to BlackBerry devices
• Section: Assign a software configuration to a group
• Section: Assign a software configuration to multiple user accounts
• Section: Assign a software configuration to a user account
Configure BlackBerry Enterprise Server high availability. | Configuring BlackBerry Enterprise Server high availability

Optional tasks

Task | Chapter
Update BlackBerry Device Software on BlackBerry devices. | Visit www.blackberry.com/go/serverdocs to see the BlackBerry Device Software Update Guide.
Make the BlackBerry Web Desktop Manager available to users and configure the BlackBerry Web Desktop Manager. | Making the BlackBerry Web Desktop Manager available to users; Configuring the BlackBerry Web Desktop Manager
Change the default settings for your instant messaging environment. | Managing instant messaging
Create and configure Wi-Fi and VPN profiles. | Creating and configuring Wi-Fi profiles and VPN profiles
Configure BlackBerry devices to enroll certificates. | Configuring BlackBerry devices to enroll certificates
Configure high availability for BlackBerry Enterprise Server components and for the BlackBerry Configuration Database. | Configuring BlackBerry Enterprise Server high availability; Configuring BlackBerry Configuration Database high availability
Use the BlackBerry Monitoring Service to troubleshoot issues and monitor the health of a BlackBerry Enterprise Server. | Visit www.blackberry.com/go/serverdocs to see the BlackBerry Enterprise Server Monitoring Guide.
Change how the BlackBerry Enterprise Server creates log files. | BlackBerry Enterprise Server log files

Administration Guide Log in to the BlackBerry Administration Service for the first time

2 Log in to the BlackBerry Administration Service for the first time
To open the BlackBerry Administration Service, you can use a browser on any computer that has access to the computer that hosts the BlackBerry Administration Service.
Before you begin: To manage a BlackBerry device using the BlackBerry Administration Service while the BlackBerry device is connected to the computer, the browser must permit Microsoft ActiveX controls.
1. In the browser, type https://<server_name>/webconsole/app, where <server_name> is the name of the computer that hosts the BlackBerry Administration Service.
2. In the User name field, type admin.
3. In the Password field, type the password that you created during the installation process.
4. In the Log in using drop-down list, click BlackBerry Administration Service or Active Directory Authentication.
5. Click Log in.
Related information
Best practice: Running the BlackBerry Enterprise Server, 71
The web browser displays an HTTP 404 or HTTP 504 error message when it tries to connect to a BlackBerry Administration Service instance, 470

There is a problem with this website's security certificate

Description
The browser displays this error message when you try to navigate to the BlackBerry Administration Service using Windows Internet Explorer version 7 or later.
Possible solution
Add the web address for the BlackBerry Administration Service to the list of trusted web sites in Windows Internet Explorer, and install the certificate for the BlackBerry Administration Service in the certificate store of your computer.
1. In Windows Internet Explorer, navigate to the BlackBerry Administration Service console.
2. Click Continue to this website (not recommended).
3. On the Tools menu, click Internet Options.
4. On the Security tab, click Local Intranet.
5. Click Sites.
6. Click Add to add the console to the list of trusted web sites.
7. Click Close.
8. Click OK.
9. In the browser window, on the toolbar, click Certificate Error.
10. Click View certificates.
11. Click Install certificate. The Certificate Import Wizard opens.
12. Complete the instructions in the Certificate Import Wizard. If you are trying to log in to the BlackBerry Administration Service using a computer that runs Windows Vista, perform the following actions in the Certificate Import Wizard.
   a. In the Certificate Store dialog box, click Place all certificates in the following store.
   b. Click Browse.
   c. Click Trusted Root Certification Authorities.
   d. Click OK.
13. Close and reopen the browser.

This connection is untrusted

Description
The browser displays this error message when you try to navigate to the BlackBerry Administration Service or BlackBerry Monitoring Service using Mozilla Firefox 3.6.
Possible solution
Install the certificate for the BlackBerry Administration Service or BlackBerry Monitoring Service in the certificate store of your computer.
1. In Firefox, navigate to the BlackBerry Administration Service console or BlackBerry Monitoring Service console.
2. Click I Understand the Risks.
3. Click Add Exception.
4. Click Confirm Security Exception.
5. Close and reopen the browser.

Administration Guide Creating administrator accounts

3 Creating administrator accounts

Administrative roles and permissions

You create roles for administrator accounts or assign preconfigured roles to administrator accounts so that you can specify what tasks an administrator can perform on the BlackBerry Enterprise Server.
Permissions specify the information that administrators can view and the tasks that they can perform using the BlackBerry Administration Service and BlackBerry Monitoring Service. Each action that you perform in the BlackBerry Administration Service is associated with a specific permission. You can specify the actions that administrators can perform by changing the permissions that you assign to administrative roles. For more information about performing specific tasks that are associated with the permissions, see the BlackBerry Enterprise Server Administration Guide. Roles do not apply to tasks that an administrator can perform using the BlackBerry Configuration Panel.
You can assign multiple roles to administrator accounts. If you assign multiple roles to an administrator account, the administrator is assigned all the permissions that are turned on for each of the roles.
You can also assign roles to groups and add administrator accounts to groups. This allows you to specify administrative role permissions at a group level instead of at an individual level. If the group contains BlackBerry device users, the roles are also assigned to the users and the users become administrators.

Preconfigured administrative roles

The BlackBerry Enterprise Server installation process includes preconfigured administrative roles. You can use the preconfigured administrative roles in your organization's environment instead of creating customized administrative roles. Each preconfigured administrative role contains multiple permissions that are turned on. The preconfigured administrative roles make sure that users who do not have specific administrative permissions cannot escalate their permissions. For example, junior helpdesk administrators cannot escalate their roles to senior helpdesk administrator roles. You can configure additional permissions in the preconfigured administrative roles or turn off any of the permissions.
Permission name | Security role | Enterprise role | Senior Helpdesk role | Junior Helpdesk role
Create a group X X X
Delete a group X X
View a group (across Group) X X X X
Edit a group (across Group) X X X X
Create a user X X X
Delete a user X X X
View a user (across Group) X X X X
Edit a user (across Group) X X X X
View a device (across Group) X X X X
Edit a device (across Group) X X X X
View device activation settings X X
Edit device activation settings X X
Server only role | User only role
X
X
X
X
X
X
X
X
X
X
X
X
Create an IT policy X X
Delete an IT policy X X
View an IT policy X X X X
Edit an IT policy X X
Import an IT policy X X
Export an IT policy X X
Create a user-defined IT policy template X X
Delete a user-defined IT policy template X X
Edit a user-defined IT policy template X X
X
X
X
X
X
X
X
X
X
Permission name | Security role | Enterprise role | Senior Helpdesk role
Import an IT policy template X X
Resend data to devices X X X
Create a software configuration X X
View a software configuration X X X X
Edit a software configuration X X
Delete a software configuration X X
View BlackBerry Administration Service software management X X
Edit BlackBerry Administration Service software management X X
Create an application X X
Junior Helpdesk role | Server only role | User only role
X
X
X
X
X
X
X
View an application X X X X
Edit an application X X
Delete an application X X
Create an administrator user X
Specify an activation password X X X X
Generate an activation email X X X X
Assign the current device to a user X X X X
Turn off and on external services X X X
Clear activation password X X X X
X
X
X
X
X
X
X
X
Permission name | Security role | Enterprise role | Senior Helpdesk role | Junior Helpdesk role
Clear synchronization backup data X X X
Clear user statistics X X X X
Export statistics X X
Reset user field mapping X X X
Turn on redirection X X X
Turn off redirection X X X
Refresh available user list from company directory X X
Add User from Company Directory X X X
Synchronize GroupWise System Address Book X X
Clear and synchronize GroupWise System Address Book X X
Server only role | User only role
X
X
X
X
X
X
X
X
X
X
View a server X X
Edit a server X X
View a component X X
Edit a component X X
View an instance X X
Edit an instance X X
Change the status of an instance X X
Edit an instance relationship X X
View a job X X
X
X
X
X
X
X
X
X
X
Permission name | Security role | Enterprise role
Edit a job X X
Manage deployment job tasks X X
Change the status of a job task X X
Update peer-to-peer encryption key X X
View job distribution settings X X
Edit job distribution settings X X
Delete an instance X X
Edit license keys X X
View license keys X X
Manually fail a job X X
Clear instance statistics X X
Senior Helpdesk role | Junior Helpdesk role | Server only role
X
X
X
X
X
User only role
X
X
X
X
X
X
View push rules for the BlackBerry MDS Connection Service X X X X X X
View pull rules for the BlackBerry MDS Connection Service X X X X
Send message (across Group) X X X X
Create a role X
Delete a role X
View a role X X
Edit a role X
Add or remove role X
X
X
X
X
X
X
Permission name Security role
Import or export groups within roles
Import new users X X
Import or export users X X X
Import user updates X X
Import or export email message filters for a user
Export asset summary data X X
Add or remove to user configuration
Delete all device data and remove device
Delete only the organization data and remove device
X
X X
X X X
X X X X
X X X X
Enterprise role | Senior Helpdesk role | Junior Helpdesk role | Server only role | User only role
X
X
X
X
X
X
X
X

Creating roles

You can create roles for administrator accounts so that administrators in your organization can perform specific tasks and view specific information in the BlackBerry Administration Service, BlackBerry Monitoring Service, and BlackBerry Web Desktop Manager. For example, you can create a role that has all permissions turned off by default and you can customize the role by turning on specific permissions. You can also create a role that is based on a preconfigured role and customize the role that you create.

Create a role

You can create a role for an administrator account if existing roles do not fulfill the criteria that your organization specified for the type of administrator account that you want to create. By default, all permissions for a new role are turned off.
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Role.
2. Click Create a role.
3. Type a name and description for the role.
4. Click Save.
5. In the Role information section, click the name of the role that you created.
6. Click Edit role.
7. Switch to the appropriate tabs to turn on the appropriate permissions.
8. Click Save all.
After you finish: Assign the role to an administrator account or group.

Create a role based on an existing role

To create a new role for an administrator account that is similar to an existing role, you can simply copy the existing role, use it to make a new role, and then make the appropriate changes to the new role.
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Role.
2. Click Manage roles.
3. In the list of existing roles, click the role that you want to copy.
4. Click Copy role.
5. Type a name and description for the role.
6. Click Copy role.
7. In the Role information section, click the name of the role that you created.
8. Click Edit role.
9. Switch to the appropriate tabs to change the appropriate permissions.
10. Click Save all.
After you finish: Assign the role to an administrator account or group.

Create an administrator account

You can create an account for administrators so that they can log in to the BlackBerry Administration Service and manage the BlackBerry Enterprise Server. You create an administrator account and assign the account to one or more roles. The roles control the actions that an administrator can perform in the BlackBerry Administration Service.
If your environment includes a Microsoft Exchange resource forest, you must create the administrator account in the resource forest.
Before you begin: Verify that you can configure the authentication type and roles for an administrator account.
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Administrator user.
2. Click Create an administrator user.
3. Type the required information. Consider using the minimum rules for password complexity when you create the password for the administrator account. The password should be at least 8 characters in length and contain at least one number, letter, and special character, and should not contain dictionary words.
4. In the Role drop-down list, click the role that you want to assign to the administrator account.
5. Click Create an administrator user.
After you finish: To configure the administrator account, provide the login information to the administrator and add the administrator account to a group, or you can assign additional roles to the administrator account.
Related information
Assigning BlackBerry devices to user accounts, 92
Managing administrator accounts, 282

Add an administrator account to a group

When you add an administrator account to one or more groups, you can manage role permissions at a group level instead of at an individual level. If you use groups to manage administrator roles and administrator accounts in your organization's environment, you can add multiple administrator accounts to specific groups and assign the appropriate roles to each group.
Note: If you add a role to a group, all accounts in the group become administrator accounts and have all of the permissions that are assigned to that role, even if the accounts are user accounts for BlackBerry device users.
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for an administrator account.
4. In the search results, click the display name for the administrator account.
5. Click Edit user.
6. On the Groups tab, in the Available groups list, click the group that you want to add the administrator account to.
7. Click Add.
8. Click Save all.
Related information
Create a group to manage similar user accounts, 84
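
The rules stated under Administrative roles and permissions and in the note above (an account receives the union of the permissions of all its roles, and a role assigned to a group makes every member an administrator, device users included) can be checked offline against an inventory of roles, groups and accounts. The following Python audit is an added example, not BlackBerry code: the role names, groups, accounts and the choice of which permissions count as escalation-sensitive are constructed assumptions, and only the permission names come from the role table in this guide.

```python
from dataclasses import dataclass

# Permission names as listed in this guide's role table. Treating these four
# as escalation-sensitive is an assumption of this example.
ESCALATION_PERMISSIONS = frozenset({
    "Create a role",
    "Edit a role",
    "Add or remove role",
    "Create an administrator user",
})

# Constructed sample data: hypothetical roles, groups and accounts.
ROLE_PERMISSIONS = {
    "helpdesk-lite": frozenset({"View a user (across Group)",
                                "Specify an activation password"}),
    "device-wipe": frozenset({"Delete all device data and remove device"}),
    "role-editor": frozenset({"View a role", "Add or remove role"}),
}
GROUP_ROLES = {
    "sales-team": frozenset({"helpdesk-lite"}),
    "it-ops": frozenset({"device-wipe", "role-editor"}),
}


@dataclass(frozen=True)
class Account:
    name: str
    is_device_user: bool
    roles: frozenset = frozenset()   # roles assigned directly to the account
    groups: frozenset = frozenset()  # groups the account belongs to


ACCOUNTS = [
    Account("alice", False, roles=frozenset({"helpdesk-lite", "device-wipe"})),
    Account("bob", True, groups=frozenset({"sales-team"})),
    Account("carol", False, groups=frozenset({"it-ops"})),
    Account("dave", True),
]


def role_sources(account, group_roles):
    """Map each role the account holds to where the role came from."""
    sources = {}
    for role in sorted(account.roles):
        sources.setdefault(role, []).append("direct")
    for group in sorted(account.groups):
        for role in sorted(group_roles.get(group, ())):
            sources.setdefault(role, []).append("group:" + group)
    return sources


def effective_permissions(account, role_permissions, group_roles):
    """Union of the permissions of every role, direct or group-inherited."""
    permissions = set()
    for role in role_sources(account, group_roles):
        permissions |= role_permissions[role]
    return permissions


def audit(accounts, role_permissions, group_roles):
    """Return (account, finding, detail) tuples that deserve a review."""
    findings = []
    for account in accounts:
        sources = role_sources(account, group_roles)
        if not sources:
            continue  # no role at all, so not an administrator
        # A device user with no direct role is an administrator only
        # because a role was assigned to one of their groups.
        if account.is_device_user and not account.roles:
            findings.append((account.name, "admin-via-group", sorted(sources)))
        risky = effective_permissions(
            account, role_permissions, group_roles) & ESCALATION_PERMISSIONS
        if risky:
            findings.append((account.name, "can-escalate", sorted(risky)))
    return findings


if __name__ == "__main__":
    for name, kind, detail in audit(ACCOUNTS, ROLE_PERMISSIONS, GROUP_ROLES):
        print(f"{name}: {kind}: {', '.join(detail)}")
```
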

Specify an email address for the BlackBerry Administration Service

You can specify the email address that the BlackBerry Administration Service sends BlackBerry Enterprise Server system messages or activation passwords from.
Before you begin: Create an email account on your organization's messaging server.
1. In the BlackBerry Administration Service, on the Devices menu, expand Wireless activations.
2. Click Device activation settings.
3. Click Edit activation settings.
4. In the Sender address field, type the email address that you want the BlackBerry Administration Service to send system messages or activation passwords from.
5. Click Save all.

Permit an administrator to log in to the BlackBerry Administration Service using a messaging server account

You can permit an administrator to log in to the BlackBerry Administration Service using a user name and password for the messaging server.
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, click the display name for the user account.
5. Click Edit user.
6. In the Authentication type section, click the Edit icon.
7. In the User information section, in the Display name field, type the user name.
8. In the Authentication type section, type and verify a password.
9. Click the Update icon.
10. Click Save all.

Assign a BlackBerry device to an administrator account

You can assign a BlackBerry device to an administrator without creating a separate user account.
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for an administrator account.
4. Click the display name for the administrator account.
5. In the BlackBerry Enterprise Server status list, click Enable as BlackBerry user.
6. Search for the messaging server display name or email address of the administrator.
7. Select the check box beside the administrator account.
8. Click Next.
9. Click the BlackBerry Enterprise Server that you want to assign the administrator account to.
10. Click Save all.

Administration Guide Using an IT policy to manage BlackBerry Enterprise Solution security

4 Using an IT policy to manage BlackBerry Enterprise Solution security
You can use an IT policy to control and manage BlackBerry devices, the BlackBerry Desktop Software, and the BlackBerry Web Desktop Manager in your organization's environment. An IT policy consists of multiple IT policy rules that manage the security and behavior of the BlackBerry Enterprise Solution. For example, you can use IT policy rules to manage the following security features and behaviors of the device:
• encryption (for example, encryption of user data and messages that the BlackBerry Enterprise Server forwards to message recipients) and encryption strength
• use of a password or pass phrase
• connections that use Bluetooth wireless technology
• protection of user data and device transport keys on the device
• control of device resources, such as the camera or GPS, that are available to third-party applications
The BlackBerry Enterprise Server includes preconfigured IT policies that you can use to manage the security of the BlackBerry Enterprise Solution. The Default IT policy includes IT policy rules that are configured to indicate the default behavior of the device or BlackBerry Desktop Software.
After a device user activates a device, the BlackBerry Enterprise Server automatically sends to the device the IT policy that you assigned to the user account or group. By default, if you do not assign an IT policy to the user account or group, the BlackBerry Enterprise Server sends the Default IT policy. If you delete an IT policy that you assigned to the user account or group, the BlackBerry Enterprise Server automatically re-assigns the Default IT policy to the user account and resends the Default IT policy to the device.
For more information, see the BlackBerry Enterprise Server Policy Reference Guide.

Using IT policy rules to manage BlackBerry Enterprise Solution security

You can use IT policy rules to customize and control the actions that the BlackBerry Enterprise Solution can perform.
To use an IT policy rule on a BlackBerry device, you must verify that the BlackBerry Device Software version supports the IT policy rule. For example, you cannot use the Disable Camera IT policy rule to control whether a BlackBerry device user can access the camera on the device if the BlackBerry Device Software version does not support the IT policy rule. For information about the BlackBerry Device Software version that is required for a specific IT policy rule, see the BlackBerry Enterprise Server Policy Reference Guide.
If you create a custom IT policy that does not permit users to change their user information on their devices, you can only apply this custom IT policy to devices running BlackBerry Device Software 5.0 or later.
The BlackBerry Administration Service groups the IT policy rules by common properties or by application. Most IT policy rules are designed so that you can assign them to multiple user accounts and groups.

Preconfigured IT policies

The BlackBerry Enterprise Server includes the following preconfigured IT policies that you can change to create IT policies that meet the requirements of your organization.
Preconfigured IT policy | Description
Default | This policy includes all the standard IT policy rules that are set on the BlackBerry Enterprise Server.
Individual-Liable Devices | Similar to the Default IT policy, this policy prevents BlackBerry device users from accessing organizer data from within the social networking applications on their BlackBerry devices. This policy permits users to access their personal calendar services and email messaging services (for example, their BlackBerry Internet Service accounts), update the BlackBerry Device Software using methods that exist outside your organization, make calls when devices are locked, and cut, copy, and paste text. Users cannot forward email messages from one email messaging service to another. You can use the Individual-Liable Devices IT policy if your organization includes users who purchase their own devices and connect the devices to a BlackBerry Enterprise Server instance in your organization's environment.
Basic Password Security | Similar to the Default IT policy, this policy also requires a basic password that users can use to unlock their devices. Users must change the passwords regularly. The IT policy includes a password timeout that locks devices.
Medium Password Security | Similar to the Default IT policy, this policy also requires a complex password that users can use to unlock their devices. Users must change the passwords regularly. This policy includes a maximum password history and turns off Bluetooth technology on devices.
Medium Security with No 3rd Party Applications | Similar to the Medium Password Security, this policy requires a complex password that a user must change frequently, a security timeout, and a maximum password history. This policy prevents users from making their devices discoverable by other Bluetooth enabled devices and prevents devices from downloading third-party applications.
Advanced Security | Similar to the Default IT policy, this IT policy also requires a complex password that users must change frequently, a password timeout that locks devices, and a maximum password history. This policy restricts Bluetooth technology on devices, turns on strong content protection, turns off USB mass storage, and requires devices to encrypt external file systems.
Advanced Security with No 3rd Party Applications | Similar to the Advanced Security IT policy, this IT policy requires a complex password that users must change frequently, a password timeout that locks devices, and a maximum password history. This policy restricts Bluetooth technology on devices, turns on strong content protection, turns off USB mass storage, requires devices to encrypt external file systems, and prevents devices from downloading third-party applications.

Default values for preconfigured IT policies

You can configure additional IT policy rules in the preconfigured IT policies or change any of the following values:
Columns, left to right: Default IT policy; Individual-Liable Device IT policy; Basic Password Security IT policy; Medium Password Security IT policy; Medium Password Security with No 3rd Party Applications IT policy; Advanced Security IT policy; Advanced Security with No 3rd Party Applications IT policy. Rows list only the cells that contain a value.

Device-Only Items
• Enable Long-Term Timeout: Yes; Yes; Yes; Yes
• Maximum Security Timeout: 30 minutes; 10 minutes; 10 minutes; 10 minutes; 10 minutes
• Maximum Password Age: 60 days; 30 days; 30 days; 30 days; 30 days
• Password Pattern Checks: no restriction; —; no restriction; at least 1 alpha and 1 numeric character; at least 1 alpha and 1 numeric character; at least 1 alpha and 1 numeric character; at least 1 alpha and 1 numeric character
• Password Required: No; Yes; Yes; Yes; Yes; Yes
• User Can Change Timeout: Yes; Yes; Yes; Yes; Yes; Yes
• User Can Disable Password: Yes; No; No; No; No; No

Password policy group
• Maximum Password History: 6; 6; 6; 6

RIM Value-Added Applications policy group
• Disable Organizer Data Access for Social Networking Applications: Yes; Yes

Security policy group
• Allow Outgoing Call When Locked: No; Yes
• Content Protection Strength: Strong; Strong
• Disable Cut/Copy/Paste: No; No
• Disable Forwarding Between Services: No; Yes
• Disable USB Mass Storage: No; Yes; Yes
• Disallow Third Party Application Download: No; Yes; Yes
• External File System Encryption level: Not required; —; Encrypt to user password (excluding multimedia directories); Encrypt to user password (excluding multimedia directories)
• Force Lock When Holstered: No; Yes; Yes; Yes; Yes
• Reset to Factory Defaults on Wipe: No; Yes; —

Service Exclusivity policy group
• Allow Other Calendar Services: Yes; Yes; —
• Allow Other Message Services: Yes; Yes; —

Bluetooth policy group
• Disable Address Book Transfer: No; Yes; Yes
• Disable Discoverable Mode: No; Yes; Yes; Yes; Yes
• Disable File Transfer: No; Yes; Yes
• Disable Serial Port Profile: No; Yes; Yes
• Require LED Connection Indicator: No; Yes; Yes

Wi-Fi policy group
• Wi-Fi Allow Handheld Changes: Yes; No; No; No; No; No

Wireless Software Upgrades policy group
• Allow Non Enterprise Upgrade: No; Yes

Creating and importing IT policies

Create an IT policy

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.
2. Click Create an IT policy.
3. Type a name and description for the IT policy.
4. Click Save.
5. To configure the IT policy, perform the following actions:
a. In the IT policy information section, click the IT policy.
b. Click Edit IT policy.
c. On a tab for an IT policy group, configure values for the IT policy rules.
d. Click Save All.
After you finish: For more information, see the BlackBerry Enterprise Server Policy Reference Guide.

Create an IT policy based on an existing IT policy

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.
2. Click Manage IT policies.
3. In the list of IT policies, click the IT policy that you want to copy.
4. Click Copy IT policy.
5. Type a name and description for the new IT policy.
6. Click Save.
7. To change the IT policy settings, perform the following actions:
a. In the IT policy information section, click the IT policy.
b. Click Edit IT policy.
c. On a tab for an IT policy group, change the appropriate values for the IT policy rules.
d. Click Save all.
After you finish: For more information, see the BlackBerry Enterprise Server Policy Reference Guide.
Related information
Preconfigured IT policies

Import IT policy data

CAUTION: For you to import IT policy data successfully, the IT policy data file must contain all of the IT policies that are assigned to user accounts and groups in the BlackBerry Domain that you are importing IT policy data to.
Before you begin: Export IT policy data from a different BlackBerry Domain.
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.
2. Click Manage IT policies.
3. In the Manage IT policies section, click Import IT policy list.
4. In the IT policy import section, specify the following information:
• Location of the data source file
• File encryption password that you use to protect the data source file
5. Click Next.
6. Click Add all IT policies.
Related information
Preconfigured IT policies

Import IT policy rules from an IT policy pack

You can import the IT policy rules that Research In Motion releases in an IT policy pack into your organization's BlackBerry Enterprise Server.
1. Download the IT policy pack to your computer and extract the contents of the file.
2. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.
3. Click Manage IT policy rules.
4. Click Import IT policy definitions.
5. Navigate to and select the XML file that contains the IT policy rules (for example, ITPolicyTemplate082409.xml).
6. Click Save.

Change the value for an IT policy rule

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.
2. Click Manage IT policies.
3. In the IT policy information section, click the IT policy.
4. Click Edit IT policy.
5. On a tab for an IT policy group, change the appropriate values for the IT policy rules.
6. Click Save all.

Assign an IT policy to a group

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. In the Manage groups section, click the group that you want to assign an IT policy to.
4. On the Policies tab, click Edit group.
5. In the drop-down list, click an IT policy.
6. Click Save all.
Related information
Adding a user account to the BlackBerry Enterprise Server
Assigning IT policies and resolving IT policy conflicts

Assign an IT policy to a user account

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, click the display name of the user account.
5. On the Policies tab, click Edit user.
6. In the drop-down list, click an IT policy.
7. Click Save all.
Related information
Adding a user account to the BlackBerry Enterprise Server
Assigning IT policies and resolving IT policy conflicts

Sending an IT policy over the wireless network

If your organization's environment includes C++ based BlackBerry devices that are running BlackBerry Device Software version 2.5 or later or Java based devices that are running BlackBerry Device Software version 3.6 or later, the BlackBerry Enterprise Server can send changes to IT policies to a device over the wireless network automatically. When the device receives an updated IT policy or a new IT policy, the device, BlackBerry Desktop Software, and BlackBerry Web Desktop Manager apply the configuration changes immediately.
By default, the BlackBerry Enterprise Server is designed to resend an IT policy to the device within a short period of time after you update the IT policy using the BlackBerry Administration Service. You can also resend an IT policy to a specific device manually. You can configure the BlackBerry Enterprise Server to resend the IT policy to the device at scheduled intervals regardless of whether you changed the IT policy.
Related information
Using IT policy rules to manage BlackBerry Enterprise Solution security
Assigning IT policies and resolving IT policy conflicts
Preconfigured IT policies

Resend an IT policy to a BlackBerry device manually

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, click the display name for the user account.
5. On the Policies tab, click View resolved IT policy data.
6. Click Resend IT policy to a device.

Resend an IT policy to a BlackBerry device automatically

1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology.
2. Expand BlackBerry Domain > Component view.
3. In the Policy section, click an instance.
4. Click Edit instance.
5. In the General section, in the Policy resend interval (hours) field, type an interval that you want the BlackBerry device to resend the IT policy at.
6. Click Save All.

Assigning IT policies and resolving IT policy conflicts

You can assign IT policies directly to a user account or to a group. By default, if you do not assign an IT policy to a user account or a group that the user is a member of, the BlackBerry Enterprise Server applies the Default IT policy to the user account. If you assign an IT policy to a group that a user account is a member of, the BlackBerry Enterprise Server applies the group IT policy to the user account. If you assign an IT policy to the user account directly, the BlackBerry Enterprise Server applies this IT policy to the user account instead of the group IT policy or Default IT policy.
If a user account is a member of multiple groups that have different IT policies, the BlackBerry Enterprise Server must determine which IT policy to apply to the user account. You must use one of the following reconciliation options:
Method: Apply one IT policy to the user account
Description: The BlackBerry Enterprise Server applies one of the group IT policies to the user account. You specify rankings for the available IT policies using the BlackBerry Administration Service and the BlackBerry Enterprise Server applies the IT policy with the highest ranking. If you upgrade to BlackBerry Enterprise Server 5.0 SP2 or later from a previous version of the BlackBerry Enterprise Server, this is the default method for resolving IT policy conflicts.

Method: Apply multiple IT policies to the user account
Description: The BlackBerry Enterprise Server applies all of the group IT policies to the user account, resulting in a combined IT policy that has a unique ID. The BlackBerry Enterprise Server resolves conflicting IT policy rules using the ranking of the available IT policies that you specified using the BlackBerry Administration Service. If an IT policy rule is different in the multiple IT policies, the BlackBerry Enterprise Server applies the rule setting from the IT policy that you ranked the highest. If you install BlackBerry Enterprise Server 5.0 SP2 or later, this is the default method for resolving IT policy conflicts.

Related information
Option 1: Applying one IT policy to each user account
Option 2: Applying multiple IT policies to each user account

Option 1: Applying one IT policy to each user account

You can configure the BlackBerry Enterprise Server to apply only one IT policy to a user account when a user account is a member of multiple groups that have different IT policies. In this scenario, the BlackBerry Enterprise Server applies the IT policy that you ranked the highest in the BlackBerry Administration Service.
If you upgrade to BlackBerry Enterprise Server 5.0 SP2 or later from a previous version of the BlackBerry Enterprise Server, this is the default method for resolving IT policy conflicts. If you install BlackBerry Enterprise Server 5.0 SP2 or later, the default method for resolving IT policy conflicts is to apply multiple IT policies to each user account and create a combined IT policy that has a unique ID for the user account.
Reconciliation rules for conflicting IT policies when you apply one IT policy to the user account
The BlackBerry Enterprise Server can apply only one IT policy to a user account. Since you can assign IT policies to user accounts, groups, or the BlackBerry Domain, the BlackBerry Administration Service uses predefined rules to determine which IT policy it can apply to a user account.
The BlackBerry Administration Service might have to reconcile conflicting IT policies if you perform any of the following actions:
• add an IT policy to or remove an IT policy from a user account or group
• change an IT policy
• change the ranking of IT policies
• delete an IT policy
Scenario: You add a new user account to a BlackBerry Enterprise Server. You do not assign an IT policy directly to the user account and you do not add the user to a group.
Rule: The IT policy that you assigned to the BlackBerry Domain, or the Default IT policy that is assigned to the BlackBerry Domain, is assigned to the user account.

Scenario: You assign an IT policy to a user account and a different IT policy to a group that the user account belongs to.
Rule: The IT policy that you assign to a user account takes precedence over an IT policy that you assign to a group. An IT policy that you assign to a group takes precedence over the IT policy that you assign to the BlackBerry Domain (or the Default IT policy).

Scenario: A user account belongs to multiple groups. You assign multiple IT policies to the groups but do not assign an IT policy to the user account.
Rule: The BlackBerry Enterprise Server applies the IT policy that you ranked the highest in the BlackBerry Administration Service to the user account.
Change the method that the BlackBerry Enterprise Server uses to resolve conflicting IT policies
You can change the method that the BlackBerry Enterprise Server uses to determine what IT policy to apply to a user account when a user account belongs to multiple groups that have different IT policies. If you change the method used to resolve conflicting IT policies, the next IT policy reconciliation process that occurs might have a significant impact on the performance of your organization's BlackBerry Enterprise Server environment. It is a best practice to configure this feature during low usage periods.
1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry solution topology > BlackBerry Domain > Component view.
2. Click BlackBerry Administration Service.
3. At the bottom of the page, click Switch method to resolve multiple IT policies.
4. Click Yes - Switch the method.
Related information
Option 1: Applying one IT policy to each user account
Option 2: Applying multiple IT policies to each user account
Rank IT policies
You must rank the IT policies that you create so that the BlackBerry Enterprise Server can resolve IT policy conflicts when a user account is a member of multiple groups that have different IT policies.
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.
2. Click Manage IT policies.
3. Click Set priority of IT policies.
4. To move the IT policies higher or lower in the list, click the up arrow icon or down arrow icon.
5. Click Save.

Option 2: Applying multiple IT policies to each user account

You can configure the BlackBerry Enterprise Server to apply multiple IT policies to a user account when a user account is a member of multiple groups that have different IT policies. The BlackBerry Enterprise Server creates a combined IT policy for the user account that has a unique ID by applying the policy rules from the multiple IT policies and resolving any conflicting rule settings. The BlackBerry Enterprise Server resolves conflicting rule settings by applying the rule setting from the IT policy that you ranked the highest in the BlackBerry Administration Service.
If you install BlackBerry Enterprise Server 5.0 SP2 or later, this is the default method for resolving IT policy conflicts. If you upgrade to BlackBerry Enterprise Server 5.0 SP2 or later from a previous version of the BlackBerry Enterprise Server, the default method for resolving IT policy conflicts is to assign one IT policy to each user account according to the rankings of the IT policies that you specify in the BlackBerry Administration Service.
Reconciliation rules for conflicting IT policies when you apply multiple IT policies to a user account
The BlackBerry Enterprise Server can apply multiple IT policies to a user account if the user account is a member of multiple groups that have different IT policies. Since you can assign IT policies to user accounts, groups, or the BlackBerry Domain, the BlackBerry Administration Service uses predefined rules to apply an IT policy to a user account.
The BlackBerry Administration Service might have to reconcile conflicting IT policies if you perform any of the following actions:
• add an IT policy to or remove an IT policy from a user account or group
• change an IT policy
• change the ranking of IT policies
• delete an IT policy
Scenario: You add a new user account to a BlackBerry Enterprise Server. You do not assign an IT policy directly to the user account and you do not add the user account to a group.
Rule: The Default IT policy (applied at the BlackBerry Domain level) is assigned to the user account.

Scenario: You assign an IT policy to a user account and different IT policies to the groups that the user account belongs to.
Rule: The IT policy that you assign to a user account takes precedence over the IT policies that you assign to the groups that the user belongs to. An IT policy that you assign to a group takes precedence over the Default IT policy (applied at the BlackBerry Domain level).

Scenario: A user account belongs to multiple groups. You assign multiple IT policies to the groups but you do not assign an IT policy to the user account.
Rule: If you assign multiple IT policies to the groups that the user account belongs to, the BlackBerry Enterprise Server resolves the IT policy rule settings in the multiple IT policies and assigns a combined IT policy that has a unique ID to the user account. The BlackBerry Enterprise Server resolves conflicting settings for IT policy rules by applying the rule setting from the IT policy that you ranked the highest in the BlackBerry Administration Service. For example, you configure the Disable Photo Camera IT policy rule to Yes in IT policy A and to No in IT policy B. If you rank IT policy A higher than IT policy B, the Yes setting is applied for this rule.

Scenario: A user account belongs to two groups. You assign the first group IT policy A, which has the Allow Browser IT policy rule as blank (which means that it uses the default value of Yes). You assign the second group IT policy B, which has the Allow Browser IT policy rule set to No. You ranked IT policy A higher than IT policy B in the BlackBerry Administration Service.
Rule: When the BlackBerry Enterprise Server resolves conflicting rule settings, any rule settings that have been explicitly configured to a value take precedence over IT policy rule settings that are blank (these rules revert to the default value). For example, in this scenario, the Allow Browser IT policy rule setting from IT policy B, No, is applied to the user account even though IT policy A is ranked higher than IT policy B, because the Allow Browser IT policy rule is blank in IT policy A. If the Allow Browser IT policy rule was configured to Yes in IT policy A, the Yes value would be applied to the user account.
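The two reconciliation methods described under Option 1 and Option 2, modeled as an added example (this is not code from the BlackBerry Enterprise Server or from this guide). The data model, the function names, the Disable Photo Camera default of No, and applying a directly assigned IT policy on its own are assumptions; the rule names, the Allow Browser default of Yes, and the IT policy A and B scenarios come from the text. The last function reports which effective rule values change for a user account when the reconciliation method is switched.

```python
"""Model of the two IT policy reconciliation methods (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Value a device uses when a rule is left blank. Allow Browser = Yes is stated in
# the guide; the Disable Photo Camera default is an assumption for this example.
RULE_DEFAULTS: Dict[str, str] = {"Allow Browser": "Yes", "Disable Photo Camera": "No"}


@dataclass
class ITPolicy:
    name: str
    rank: int                                            # 1 = ranked highest
    rules: Dict[str, str] = field(default_factory=dict)  # absent key = blank rule


@dataclass
class UserAccount:
    name: str
    direct_policy: Optional[ITPolicy] = None
    group_policies: List[ITPolicy] = field(default_factory=list)


def candidates(user: UserAccount, domain_policy: ITPolicy) -> List[ITPolicy]:
    """Precedence from the scenario tables: user account > group > BlackBerry Domain.

    A directly assigned policy is modeled as applied on its own (assumption).
    Group policies are returned highest rank first.
    """
    if user.direct_policy is not None:
        return [user.direct_policy]
    if user.group_policies:
        return sorted(user.group_policies, key=lambda p: p.rank)
    return [domain_policy]


def effective(rules: Dict[str, str]) -> Dict[str, str]:
    """Blank rules fall back to their default value."""
    return {**RULE_DEFAULTS, **rules}


def resolve_one_policy(user: UserAccount, domain_policy: ITPolicy) -> Tuple[str, Dict[str, str]]:
    """Option 1: the single highest-ranked policy is applied as a whole."""
    top = candidates(user, domain_policy)[0]
    return top.name, effective(top.rules)


def resolve_combined(user: UserAccount, domain_policy: ITPolicy) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Option 2: merge rule by rule.

    For each rule the highest-ranked policy that sets it explicitly wins; a blank
    rule in a higher-ranked policy does not override an explicit lower-ranked one.
    Returns (effective rules, rule -> name of the policy that supplied it).
    """
    merged: Dict[str, str] = {}
    source: Dict[str, str] = {}
    for policy in candidates(user, domain_policy):  # highest rank first
        for rule, value in policy.rules.items():
            if rule not in merged:
                merged[rule] = value
                source[rule] = policy.name
    return effective(merged), source


def method_switch_impact(user: UserAccount, domain_policy: ITPolicy) -> Dict[str, Tuple[str, str]]:
    """Rules whose effective value differs between the methods: (Option 1, Option 2)."""
    _, one = resolve_one_policy(user, domain_policy)
    combined, _ = resolve_combined(user, domain_policy)
    return {rule: (one[rule], combined[rule]) for rule in one if one[rule] != combined[rule]}


# Constructed sample data that mirrors the IT policy A / IT policy B scenarios.
DEFAULT_POLICY = ITPolicy("Default", rank=99)
POLICY_A = ITPolicy("IT policy A", rank=1, rules={"Disable Photo Camera": "Yes"})
POLICY_B = ITPolicy("IT policy B", rank=2,
                    rules={"Disable Photo Camera": "No", "Allow Browser": "No"})

if __name__ == "__main__":
    member = UserAccount("constructed-user", group_policies=[POLICY_B, POLICY_A])
    print("Option 1:", resolve_one_policy(member, DEFAULT_POLICY))
    print("Option 2:", resolve_combined(member, DEFAULT_POLICY))
    print("Changes on switch:", method_switch_impact(member, DEFAULT_POLICY))
```

Running the comparison for every account that belongs to more than one group before you use Switch method to resolve multiple IT policies shows where a restrictive setting would be lost or gained.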
Change the method that the BlackBerry Enterprise Server uses to resolve conflicting IT policies
You can change the method that the BlackBerry Enterprise Server uses to determine what IT policy to apply to a user account when a user account belongs to multiple groups that have different IT policies. If you change the method used to resolve conflicting IT policies, the next IT policy reconciliation process that occurs might have a significant impact on the performance of your organization's BlackBerry Enterprise Server environment. It is a best practice to configure this feature during low usage periods.
1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry solution topology > BlackBerry Domain > Component view.
2. Click BlackBerry Administration Service.
3. At the bottom of the page, click Switch method to resolve multiple IT policies.
4. Click Yes - Switch the method.
Related information
Option 1: Applying one IT policy to each user account
Option 2: Applying multiple IT policies to each user account
Rank IT policies
You must rank the IT policies that you create so that the BlackBerry Enterprise Server can resolve IT policy conflicts when a user account is a member of multiple groups that have different IT policies.
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.
2. Click Manage IT policies.
3. Click Set priority of IT policies.
4. To move the IT policies higher or lower in the list, click the up arrow icon or down arrow icon.
5. Click Save.
Preview how the BlackBerry Enterprise Server resolves IT policy conflicts
You can preview how the BlackBerry Enterprise Server resolves conflicting settings for IT policy rules for multiple IT policies that you select. You can use this feature to determine which IT policies have conflicting IT policy rules and how the BlackBerry Enterprise Server resolves the conflicting rules. The preview displays the conflicting IT policy rules and the resolved settings for each rule. If an IT policy rule is not conflicting in the multiple IT policies that you selected, the preview does not display the policy rule in the results.
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.
2. Click Manage IT policies.
3. Click Preview resolved IT policies.
4. Select two or more IT policies.
5. Click Preview.

View the resolved IT policy rules that are assigned to a user account

If a user account belongs to multiple groups, and you assign a different IT policy to each group, the BlackBerry Enterprise Server resolves conflicting IT policies or IT policy rule settings using the reconciliation method that you select in the BlackBerry Administration Service. You can view the results of the IT policy reconciliation and the settings that the BlackBerry Enterprise Server resolves for each rule in the BlackBerry Administration Service. If an IT policy rule is not conflicting in the multiple IT policies that were applied to the user account, the preview does not display the IT policy rule.
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, click the display name for a user account.
5. On the Policies tab, in the Resolved IT Policy name section, click the name of the IT policy.

Deactivating BlackBerry devices that do not have IT policies applied

To prevent BlackBerry devices that do not have IT policies applied to them from remaining active on a BlackBerry Enterprise Server, you can change the Disable users with unapplied IT policy option to True. The Disable user time limit (hours) option specifies the amount of time that BlackBerry devices can be active on a BlackBerry Enterprise Server without having an IT policy applied to the BlackBerry devices.
If you change the Disable users with unapplied IT policy option to True, by default, the BlackBerry Enterprise Server sends the IT policy to the BlackBerry devices every 30 minutes until the BlackBerry devices apply the IT policy or the time limit expires. If the time limit expires, the BlackBerry Enterprise Server deactivates the BlackBerry device PINs. The permitted range for this option is 0 hours to 8760 hours. If you specify 0 hours, BlackBerry devices deactivate when the IT policy cannot apply automatically.

Deactivate BlackBerry devices that do not have IT policies applied

1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry solution topology > BlackBerry Domain > Component view > Policy.
2. Click the instance that you want to change.
3. In the Disable Users with Unapplied IT Policy drop-down list, click True.
4. In the Disable user time limit (hours) field, type the time (in hours) that can elapse before the BlackBerry Enterprise Server deactivates the PINs for BlackBerry devices that you did not apply an IT policy to.
5. Click Save All.
After you finish: Before you re-activate the BlackBerry devices on the BlackBerry Enterprise Server, instruct users to click Wipe Handheld or Security Wipe in the Security Options list on the BlackBerry devices to delete all of the data on the BlackBerry devices.

Creating new IT policy rules to control third-party applications

You can create IT policy rules to control the applications that your organization creates for BlackBerry devices that are running in your organization's environment. After you create an IT policy rule, you can add it to a new or existing IT policy and assign a value to it. Only applications that your organization creates can use the IT policy rule that you create. You cannot create new IT policy rules to control device applications and features.

Create an IT policy rule for a third-party application

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.
2. Click Create an IT policy rule.
3. Type a name and description for the IT policy rule.
4. In the Type drop-down list, click the type of value that the IT policy rule uses.
5. In the Destination drop-down list, choose whether you want the BlackBerry device, the BlackBerry Desktop Software, or both to be able to use the IT policy rule.
6. Click Save.
After you finish: Add the IT policy rule to an IT policy.

Change or delete IT policy rules for third-party applications

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.
2. Click Manage IT policy rules.
3. Click an IT policy rule.
4. Perform one of the following actions:
• To change the IT policy rule, click Edit IT policy rule. Change the appropriate values.
• To delete the IT policy rule, click Delete IT policy rule. Verify that you want to delete the IT policy rule.
5. Click Save.

Export all IT policy data to a data file

If you export all IT policy data to a data file, you must create an encryption password for the data file that you can use to protect the data file. You can import the data file at a later time to another BlackBerry Domain.
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.
2. Click Manage IT policies.
3. Click Export IT policy list.
4. In the File encryption password field and Confirm file encryption password field, type a password so that the BlackBerry Enterprise Server can encrypt the IT policy data file.
5. Click Export.
6. Click Download file.
7. Click Save.
8. Browse to a location on a local or network drive where you want to save the data file.
9. Click Save.
10. Click Close.

Delete an IT policy

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.
2. Click Manage IT policies.
3. In the list of IT policies, click an IT policy.
4. Click Delete IT policy.
5. Click Yes – Delete the IT policy.
Related information
Assigning IT policies and resolving IT policy conflicts

Configuring security options

5

Encrypting data that the BlackBerry Enterprise Server and a BlackBerry device send to each other

To encrypt data that is in transit between the BlackBerry Enterprise Server and a BlackBerry device in your organization, the BlackBerry Enterprise Solution uses BlackBerry transport layer encryption. BlackBerry transport layer encryption is designed to encrypt data from the time that a BlackBerry device user sends a message from the BlackBerry device to when the BlackBerry Enterprise Server receives the message, and from the time that the BlackBerry Enterprise Server sends a message to when the BlackBerry device receives the message.
Before the BlackBerry device sends a message, it compresses and encrypts the message using the device transport key. When the BlackBerry Enterprise Server receives a message from the BlackBerry device, the BlackBerry Dispatcher decrypts the message using the device transport key, and then decompresses the message.

Algorithms that the BlackBerry Enterprise Solution uses to encrypt data

The BlackBerry Enterprise Solution uses AES or Triple DES as the symmetric key cryptographic algorithm for encrypting data. By default, the BlackBerry Enterprise Server uses the strongest algorithm that both the BlackBerry Enterprise Server and the BlackBerry device support for BlackBerry transport layer encryption.
If you configure the BlackBerry Enterprise Server to support AES and Triple DES, by default, the BlackBerry Enterprise Solution generates device transport keys using AES encryption. If a BlackBerry device uses BlackBerry Device Software version 3.7 or earlier or BlackBerry Desktop Software version 3.7 or earlier, the BlackBerry Enterprise Solution generates the device transport keys of the BlackBerry device using Triple DES.

Change the symmetric key encryption algorithm that the BlackBerry Enterprise Solution uses

1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > BlackBerry Enterprise Server.
2. Click the instance that you want to change.
3. Click Edit instance.
4. In the Security information section, in the Encryption algorithm drop-down list, click the encryption algorithm that you want the BlackBerry Enterprise Solution to use.
5. Click Save All.
After you finish: Re-activate all of the BlackBerry devices that are located in the BlackBerry Domain so that users can send and receive email messages on their BlackBerry devices.
Related information
Assigning BlackBerry devices to user accounts, 92

Managing device access to the BlackBerry Enterprise Server

You can use the Enterprise Service Policy to control which BlackBerry devices can connect to a BlackBerry Enterprise Server. By default, after you turn on the Enterprise Service Policy, the BlackBerry Enterprise Server permits connections from any device that you previously associated with the BlackBerry Enterprise Server. The BlackBerry Enterprise Server also prevents connections from any device that you associate with the BlackBerry Enterprise Server after you turn on the Enterprise Service Policy.
You can configure an allowed list to determine which devices can access a BlackBerry Enterprise Server. A device that meets the criteria that you specify in the allowed list can associate with the BlackBerry Enterprise Server when the device activates over the wireless network.
You can define the following types of criteria:
• specific device PINs
• range of device PINs
• specific manufacturers
• specific device models
The BlackBerry Administration Service includes lists of permitted manufacturers and models of devices that you associated with the BlackBerry Enterprise Server previously.
You can permit a user to override the Enterprise Service Policy so that a device can connect to the BlackBerry Enterprise Server even if you configure the allowed list with criteria that exclude that device.
For more information, see the BlackBerry Enterprise Server Administration Guide.

Turn on the Enterprise Service Policy

You can turn on the Enterprise Service Policy to control which BlackBerry devices can connect to the BlackBerry Enterprise Server.
1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
2. Click BlackBerry Enterprise Server.
3. Click Turn on Enterprise Service Policy.
4. Click Yes - Turn on enterprise service policy.

Configure the Enterprise Service Policy

By default, when you turn on the Enterprise Service Policy, all BlackBerry devices that you activated can access the BlackBerry Enterprise Server. You must configure the Enterprise Service Policy to specify the BlackBerry devices that you want to access the BlackBerry Enterprise Server. To add a new BlackBerry device to the BlackBerry Enterprise Server, you must add the PIN for the BlackBerry device to the Enterprise Service Policy before a user can activate the BlackBerry device.
Before you begin: Turn on the Enterprise Service Policy.
1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
2. Click BlackBerry Enterprise Server.
3. Click Edit component.
4. In the Enterprise Service Policy section, in the Allowed drop-down lists, click Yes for each BlackBerry device model that you want to permit to access the BlackBerry Enterprise Server.
5. To add a new BlackBerry device, on the Add new allowed PINs tab, in the New allowed PINs field, type the PIN for the BlackBerry device. Click the Add icon.
6. To remove a BlackBerry device from the list, on the Remove existing allowed PINs tab, search for the PIN for the BlackBerry device. In the search results, select the PIN for the BlackBerry device.
7. Click Save All.

Permit a user to override the Enterprise Service Policy

Before you begin: Turn on the Enterprise Service Policy.
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. Click the display name for the user account.
5. Click Edit user.
6. On the Component information tab, in the BlackBerry Enterprise Server information section, in the Enterprise service policy override drop-down list, click Yes.
7. Click Save All.
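A pre-activation check for the PIN criteria described in this section, as an added example (not BlackBerry code): it parses planned specific PINs and PIN ranges and lists the inventory devices that no PIN criterion would admit. The inventory, the class and function names and the sample PINs are constructed; manufacturer and model criteria are not modelled, and devices that were already associated, or whose user has the override set to Yes, are treated as exempt.

```python
import re
from dataclasses import dataclass

PIN_RE = re.compile(r"[0-9A-Fa-f]{8}")  # a BlackBerry PIN is 8 hexadecimal digits


def parse_pin(text):
    """Return the PIN as an int; reject anything that is not 8 hex digits."""
    text = text.strip()
    if not PIN_RE.fullmatch(text):
        raise ValueError("not a valid device PIN: %r" % text)
    return int(text, 16)


class PinAllowedList:
    """Specific PINs and inclusive PIN ranges planned for the allowed list."""

    def __init__(self, pins=(), ranges=()):
        self.pins = {parse_pin(p) for p in pins}
        self.ranges = []
        for first, last in ranges:
            lo, hi = parse_pin(first), parse_pin(last)
            if lo > hi:
                raise ValueError("range %s-%s is reversed" % (first, last))
            self.ranges.append((lo, hi))

    def covers(self, pin):
        """True when the PIN is listed or falls inside one of the ranges."""
        value = parse_pin(pin)
        return value in self.pins or any(lo <= value <= hi for lo, hi in self.ranges)


@dataclass
class Device:
    pin: str
    user: str
    associated_before_policy: bool = False  # associated before the policy was turned on
    user_override: bool = False             # "Enterprise service policy override" = Yes


def devices_needing_a_pin_entry(devices, allowed):
    """Return (pin, user, reason) for devices that no PIN criterion admits."""
    findings = []
    for device in devices:
        if device.associated_before_policy or device.user_override:
            continue
        try:
            if allowed.covers(device.pin):
                continue
            reason = "PIN not in allowed list"
        except ValueError:
            reason = "malformed PIN in inventory"
        findings.append((device.pin, device.user, reason))
    return findings


# Constructed sample data: planned allowed list and device inventory.
SAMPLE_ALLOWED = PinAllowedList(pins=["2100000A"], ranges=[("24000000", "24FFFFFF")])
SAMPLE_DEVICES = [
    Device("20A1B2C3", "user1", associated_before_policy=True),
    Device("2100000A", "user2"),
    Device("24ABCDEF", "user3"),
    Device("25000002", "user4"),
    Device("25000003", "user5", user_override=True),
    Device("2500-004", "user6"),
]

if __name__ == "__main__":
    for pin, user, reason in devices_needing_a_pin_entry(SAMPLE_DEVICES, SAMPLE_ALLOWED):
        print("%s (%s): %s" % (pin, user, reason))
```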

Extending messaging security to a BlackBerry device

If your organization's messaging environment supports highly secure messaging technology such as PGP encryption or S/MIME encryption, you can configure the BlackBerry Enterprise Solution to encrypt a message using PGP encryption or S/MIME encryption so that the message remains encrypted when the BlackBerry Enterprise Server forwards the message to the email applications of recipients. To extend messaging security, the sender and recipient must install highly secure messaging technology on the computers that host the email applications and on their BlackBerry devices, and you must configure the BlackBerry devices to use the highly secure messaging technology.

Extending messaging security using PGP encryption

You can extend messaging security for the BlackBerry Enterprise Solution and permit a BlackBerry device user to send and receive PGP protected email messages and PGP protected PIN messages on a BlackBerry device. The BlackBerry Enterprise Solution supports the OpenPGP format and PGP/MIME format on the BlackBerry device.
To extend messaging security, you must instruct the BlackBerry device user to install the PGP Support Package for BlackBerry smartphones on the BlackBerry device and to transfer the PGP private key of the BlackBerry device user to the BlackBerry device. The BlackBerry device user can use the PGP private key to digitally sign, encrypt, and send PGP protected messages from the BlackBerry device. If a BlackBerry device user does not install the PGP Support Package for BlackBerry smartphones, the BlackBerry device displays an error message when the BlackBerry device user tries to open PGP protected messages.
To require the BlackBerry device user to use PGP encryption when forwarding or replying to messages, you can configure the PGP Force Digital Signature IT policy rule and the PGP Force Encrypted Messages IT policy rule.
The PGP Support Package for BlackBerry smartphones is designed to support encoding and decoding Unicode messages and permits PGP encryption using keys or passwords. The PGP Support Package for BlackBerry smartphones permits the BlackBerry device to encrypt PGP protected email messages or PGP protected PIN messages using a password that the sender and recipient both know.
For more information about the OpenPGP format, see RFC 2440. For more information about the PGP/MIME format, see RFC 3156.

Configure the BlackBerry Enterprise Solution to support PGP encryption

1. Configure the PGP Universal Server Address IT policy rule in the IT policy that you assign to BlackBerry device users.
2. Instruct users to install the PGP Support Package for BlackBerry smartphones on BlackBerry devices.
3. Instruct users to enroll with the PGP Universal Server when the BlackBerry devices prompt them to so that the BlackBerry devices can process PGP protected messages.

Extending messaging security using S/MIME encryption

You can extend messaging security for the BlackBerry Enterprise Solution and permit a BlackBerry device user to send and receive S/MIME-protected email messages and S/MIME-protected PIN messages on a BlackBerry device.
To extend messaging security, you or the BlackBerry device user must install the S/MIME Support Package for BlackBerry smartphones on the BlackBerry device and transfer the S/MIME private key of the BlackBerry device user to the BlackBerry device. The S/MIME Support Package for BlackBerry smartphones is designed to work with email applications such as Microsoft Outlook, Microsoft Outlook Express, and IBM Lotus Notes, and with PKIs such as Netscape, Entrust Authority Security Manager version 5 and later, and Microsoft certification authorities.
The BlackBerry device user uses the S/MIME private key to decrypt S/MIME-protected messages on the BlackBerry device and to sign, encrypt, and send S/MIME-protected messages from the BlackBerry device. If the BlackBerry Enterprise Server receives an S/MIME-encrypted message but the BlackBerry device user did not install the S/MIME Support Package for BlackBerry smartphones, the BlackBerry Enterprise Server sends a message to the BlackBerry device to indicate that the BlackBerry device does not support S/MIME-encrypted messages.
After the BlackBerry device user installs the S/MIME Support Package for BlackBerry smartphones, the BlackBerry device user can synchronize and manage S/MIME certificates and S/MIME private keys using the certificate synchronization tool of the BlackBerry Desktop Manager. The BlackBerry Enterprise Server does not apply an appended disclaimer to S/MIME-protected messages that the BlackBerry device user sends from the BlackBerry device. Digital signatures on S/MIME-protected messages that the BlackBerry device sends are not valid if disclaimers are appended to the messages.
To require the BlackBerry device user to use S/MIME encryption when forwarding or replying to messages, you can configure the S/MIME Force Digital Signature IT policy rule and the S/MIME Force Encrypted Messages IT policy rule.
The S/MIME Support Package for BlackBerry smartphones is also designed to support the following features:
• Encoding and decoding of Unicode messages
• Ability to use a password, which the sender and recipient each know, to encrypt S/MIME-protected email messages or PIN messages
• Ability to read S/MIME certificates that are stored on a smart card

Configure the BlackBerry Enterprise Solution to support S/MIME encryption

1. Configure encryption options for S/MIME-protected messages on the BlackBerry Enterprise Server.
2. If required, configure message classifications for email messages.
3. If required, configure the BlackBerry MDS Connection Service to retrieve certificates and the status of certificates from LDAP servers, DSML certificate servers, OCSP servers, or CRL servers.
4. Instruct users to install the S/MIME Support Package for BlackBerry smartphones on BlackBerry devices.
5. Perform one of the following tasks:
• Instruct users to add the Certificate Synchronization Manager to the BlackBerry Desktop Manager so that the BlackBerry Desktop Manager can manage certificates for the BlackBerry devices.
• Configure the BlackBerry Enterprise Server to permit users to enroll certificates over the wireless network.
Related information
Configuring certificate server information for the BlackBerry MDS Connection Service, 193
Enforcing secure messaging using classifications, 65
Configuring BlackBerry devices to enroll certificates over the wireless network, 217

Configure encryption options for S/MIME-protected messages

You can configure encryption options to control how the BlackBerry Enterprise Server processes S/MIME-protected messages.
1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > Email.
2. Click the instance that you want to change.
3. Click Edit instance.
4. On the Messaging tab, in the Security settings section, perform any of the following actions:
• To require that the BlackBerry Enterprise Server encrypts messages using S/MIME encryption for a second time when the BlackBerry Enterprise Server processes S/MIME-protected messages that an S/MIME-enabled application weakly encrypted or only signed, in the Turn on S/MIME encryption on signed and weakly encrypted messages drop-down list, click True.
• To permit BlackBerry device users that have email applications that do not support S/MIME to read the text of an S/MIME-protected message, in the Send S/MIME messages in clear-signed format drop-down list, click True.
• To require that the BlackBerry Enterprise Server deletes attachment data from any signed-only S/MIME-protected messages so that the BlackBerry Enterprise Server conserves bandwidth, in the Remove attachment data from signed S/MIME messages drop-down list, click True.
• To require that the BlackBerry Enterprise Server sends encrypted S/MIME-protected messages using an updated MIME content-type that is in accordance with PKCS#7 instead of the default legacy MIME content-type, in the Use PKCS #7 MIME type drop-down list, click True.
5. Click Save all.
6. To make sure that the changes take effect immediately, perform the following actions to restart the BlackBerry Messaging Agent:
a. On the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > BlackBerry Enterprise Server.
b. Click the BlackBerry Enterprise Server instance that includes the BlackBerry Messaging Agent.
c. Click Restart instance.
Related information
Restarting BlackBerry Enterprise Server components, 392
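Why an appended disclaimer invalidates a digital signature, and what the clear-signed format option changes for readers without S/MIME support, shown with the OpenSSL command-line tool as an added example (not part of the BlackBerry software). It assumes `openssl` is on the PATH; the certificate, message text and disclaimer are constructed for the demonstration.

```python
import subprocess
import tempfile
from pathlib import Path

BODY = b"Quarterly figures attached."          # constructed sample message text
DISCLAIMER = b"This message is confidential."  # constructed gateway disclaimer


def openssl(args, data=None):
    """Run the openssl command-line tool; return (exit status, stdout)."""
    proc = subprocess.run(["openssl"] + args, input=data,
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    return proc.returncode, proc.stdout


def make_signer(workdir):
    """Create a throwaway self-signed certificate and key for this demo only."""
    key, cert = str(workdir / "key.pem"), str(workdir / "cert.pem")
    status, _ = openssl(["req", "-x509", "-newkey", "rsa:2048", "-nodes",
                         "-subj", "/CN=Constructed Test Signer", "-days", "1",
                         "-keyout", key, "-out", cert])
    if status != 0:
        raise RuntimeError("openssl could not create the test certificate")
    return key, cert


def sign(key, cert, clear_signed):
    """Return BODY as an S/MIME signed message.

    clear_signed=True  -> multipart/signed: readable text plus a detached signature
    clear_signed=False -> opaque PKCS #7 blob: the text is inside the encoded part
    """
    args = ["smime", "-sign", "-text", "-signer", cert, "-inkey", key]
    if not clear_signed:
        args.append("-nodetach")
    status, message = openssl(args, BODY + b"\n")
    if status != 0:
        raise RuntimeError("signing failed")
    return message


def signature_valid(message):
    """True when the signature still matches the message content."""
    # -noverify skips chain validation of the throwaway certificate only;
    # the signature over the message content is still checked.
    status, _ = openssl(["smime", "-verify", "-noverify"], message)
    return status == 0


def append_disclaimer(clear_message):
    """Simulate a mail system adding a disclaimer line to the signed text part."""
    return clear_message.replace(BODY, BODY + b"\r\n" + DISCLAIMER, 1)


def run_demo():
    """Sign in both formats, append a disclaimer, and report what verifies."""
    with tempfile.TemporaryDirectory() as tmp:
        key, cert = make_signer(Path(tmp))
        clear = sign(key, cert, clear_signed=True)
        opaque = sign(key, cert, clear_signed=False)
    return {
        "clear_signed_valid": signature_valid(clear),
        "opaque_valid": signature_valid(opaque),
        "with_disclaimer_valid": signature_valid(append_disclaimer(clear)),
        "clear_signed_text_readable": BODY in clear,
        "opaque_text_readable": BODY in opaque,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print("%-28s %s" % (name, value))
```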

Turn off support for processing S/MIME-protected messages on the BlackBerry Enterprise Server

By default, the BlackBerry Enterprise Server can process S/MIME-protected messages. You can turn off support for processing S/MIME-protected messages if the BlackBerry Enterprise Server experiences issues when it processes S/MIME-protected messages or if your organization does not use S/MIME encryption.
1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > Email.
2. Click the instance that you want to change.
3. On the Messaging tab, click Edit instance.
4. In the Security settings section, in the Turn on S/MIME message processing drop-down list, click False.
5. Click Save All.

Enforcing secure messaging using classifications

You can use message classifications to require S/MIME-enabled users or PGP enabled users to sign, encrypt, or sign and encrypt email messages that they send from the BlackBerry devices.
You use the Message Classification IT policy rule to configure one or more message classifications that users can apply to email messages. The message classification that the users select when they compose email messages determines the type of S/MIME message protection or PGP message protection that applies to the email messages.
If a user does not select a message classification, by default, the BlackBerry device applies the first classification in the message classification list on the BlackBerry device. You can change the order that the BlackBerry device lists the classifications in.
The message protection options on the BlackBerry device are limited to the types of encryption and digital signing that the highly secure messaging packages on the BlackBerry device permit. When a user applies a message classification to an email message on a BlackBerry device, the user must select one type of message protection that the message classification permits, or accept the default type of message protection. If a user selects a message classification that requires signing, encryption, or signing and encryption of the email message, and the user did not install a highly secure messaging package on the BlackBerry device, the user cannot send the email message.

Create a message classification

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.
2. Click Manage IT policies.
3. In the list of IT policies, click an IT policy.
4. Click Edit IT policy.
5. On the Security tab, at the bottom of the screen, in the Message Classification Display Name field, type a display name that you want to appear in the Classifications list on BlackBerry devices.
6. Type a subject suffix that you want to append to the message subject in parentheses. For example, type the subject suffix (U) for a classification that is named Unclassified.
7. In the Minimum Actions drop-down list, click an action that a BlackBerry device user can perform to encode the message. For example, to permit users to select all of the encoding types for the secure messaging packages that they install on their BlackBerry devices, click Signed.
8. Click the Add icon.
9. Click Save all.
After you finish: If you create more than one message classification, order the message classifications in the list. By default, if a user does not select a message classification, the BlackBerry device applies the first message classification in the list.

Create a message classification based on an existing message classification

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.
2. Click Manage IT policies.
3. In the list of IT policies, click an IT policy.
4. Click Edit IT policy.
5. On the Security tab, at the bottom of the screen, click the Copy icon beside the message classification that you want to copy.
6. In the Message classification display name field, type a name for the message classification that you copied.
7. If necessary, change the subject suffix that you want to append, in parentheses, to the email message subject.
8. If necessary, click the minimum action for encoding the email message in the Minimum Actions drop-down list.
9. Click the Add icon.
10. Click Save all.
After you finish: Order the message classifications in the list. By default, if a user does not select a message classification, the BlackBerry device applies the first classification in the list.

Order message classifications

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.
2. Click Manage IT policies.
3. In the list of IT policies, click an IT policy.
4. Click Edit IT policy.
5. On the Security tab, at the bottom of the screen, click the Up or Down arrow icon beside the message classification that you want to move to prioritize the message classification.
6. Click Save all.

Delete a message classification

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.
2. Click Manage IT policies.
3. In the list of IT policies, click an IT policy.
4. Click Edit IT policy.
5. On the Security tab, at the bottom of the screen, click the Delete icon beside the message classification.
6. Click Save all.

Generating organization-specific encryption keys for PIN-message encryption

By default, all BlackBerry devices store a common PIN encryption key that they use to protect PIN messages. To limit the number of devices that can decrypt PIN messages that BlackBerry device users in your organization send from their devices, you can generate a new PIN encryption key that is stored on and known only to devices in your organization. A device that has a PIN encryption key that is specific to your organization can perform the following actions:
• can only encrypt PIN messages sent to other devices on your organization's network that use the same PIN encryption key
• can only decrypt PIN messages that are sent from devices that use the global PIN encryption key or PIN messages from other devices on your organization's network that use the same PIN encryption key
• cannot decrypt PIN messages sent from devices that use a PIN encryption key from another organization
You should generate a new PIN encryption key if you know that your current organization-specific PIN encryption key is compromised.

Generate a PIN encryption key

You can generate a PIN encryption key to make the BlackBerry devices in your organization use a PIN encryption key that is specific to your organization for PIN messaging.
1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology.
2. Click BlackBerry Domain.
3. Click Update peer-to-peer encryption key.
4. Click Create new key.

Turn off BlackBerry services that the BlackBerry MDS Connection Service, BlackBerry Collaboration Service, and BlackBerry MVS provide

You can prevent BlackBerry device users that you associate with a BlackBerry Enterprise Server from browsing the intranet or Internet, running applications that communicate with application servers and content servers, sending or receiving instant messages, or making calls using VoIP. You can turn off the BlackBerry services if you want to enhance security, save bandwidth on the wireless network, or conserve system resources on the computer.
1. In the BlackBerry Administration Service, expand BlackBerry Solution topology > BlackBerry Domain > Component view > BlackBerry Enterprise Server.
2. Click the instance that you want to change.
3. Click Edit Instance.
4. In the External services turned on drop-down list, click No.
5. Click Save All.
6. Restart the BlackBerry Enterprise Server.
Related information
Restarting BlackBerry Enterprise Server components, 392

When a BlackBerry device overwrites data in the BlackBerry device memory

A BlackBerry device continually runs the memory cleaner application during the Java based garbage collection process to overwrite data in the BlackBerry device memory that the BlackBerry device no longer uses.
The BlackBerry device runs the garbage collection process when any of the following conditions exist:
• You or a BlackBerry device user turns on content protection for the BlackBerry device.
• An application uses the RIM Cryptographic API to create a private key or symmetric key.
• A third-party application turns on the garbage collection process by registering with the memory cleaner application on the BlackBerry device. The memory cleaner application instructs applications to empty caches and to free the BlackBerry device memory that is associated with sensitive application data that the applications no longer use.
• A BlackBerry device user installs the S/MIME Support Package for BlackBerry smartphones on the BlackBerry device.
• A BlackBerry device user installs the PGP Support Package for BlackBerry smartphones on the BlackBerry device.
When the BlackBerry device runs the garbage collection process, the garbage collection process overwrites the data that the BlackBerry device no longer uses with zeroes, periodically runs the memory cleaner application, and overwrites the memory that the memory cleaner application frees.

Changing when a BlackBerry device cleans the BlackBerry device memory

By default, the memory cleaner application runs on a BlackBerry device when the BlackBerry device is inactive for a specified period of time. You or a BlackBerry device user can change when the memory cleaner application runs when any of the following conditions exist:
• The BlackBerry device user synchronizes the BlackBerry device with a computer.
• The BlackBerry device user locks the BlackBerry device.
• The BlackBerry device locks after it is inactive for a specified period of time.
• The BlackBerry device user changes the time or time zone on the BlackBerry device.
To change when the memory cleaner application runs, you can use IT policies or the BlackBerry device user can turn on or turn off the memory cleaner application in the Security options on the BlackBerry device.
You or the BlackBerry device user cannot turn off the memory cleaner application on the BlackBerry device if any of the following conditions exist:
• You or the BlackBerry device user turns on content protection on the BlackBerry device.
• An application uses the RIM Cryptographic API to create a private key or symmetric key.
• An application that registers with the memory cleaner application requires that the memory cleaner application be turned on.
• The BlackBerry device user installs the S/MIME Support Package for BlackBerry smartphones on the BlackBerry device and a private key exists on the BlackBerry device.
• The BlackBerry device user installs the PGP Support Package for BlackBerry smartphones on the BlackBerry device and a private key exists on the BlackBerry device.
If you or the BlackBerry device user turns on the memory cleaner application, the Java based garbage collection process uses the memory cleaner application automatically. The garbage collection process overwrites data that the BlackBerry device no longer uses.
For more information about the IT policy rules that you can use to change when the memory cleaner application runs, see the BlackBerry Enterprise Server Policy Reference Guide.

Best practice: Configuring additional memory cleaner settings for BlackBerry devices

| Scenario | Recommendation |
|---|---|
| Remove decrypted content from BlackBerry device memory when the user holsters the BlackBerry device. | Change the Force Memory Clean When Holstered IT policy rule to Yes. |
| Remove decrypted content from BlackBerry device memory when the BlackBerry device is idle. | Change the Force Memory Clean When Idle IT policy rule to Yes. |
| Start the memory cleaner after a specific amount of time has elapsed. | Set the Memory Cleaner Maximum Idle Time IT policy rule to the desired time (for example, 10 minutes). |

For more information, see the BlackBerry Enterprise Server Policy Reference Guide and S/MIME Support Package User Guide Supplement.
Administration Guide Configuring the BlackBerry Enterprise Server environment

Configuring the BlackBerry Enterprise Server environment

Best practice: Running the BlackBerry Enterprise Server

| Best practice | Description |
|---|---|
| Do not change the startup type for the BlackBerry Enterprise Server services. | When you install or upgrade the BlackBerry Enterprise Server, the setup application configures the startup type for the BlackBerry Enterprise Server services to automatic or manual. For example, the setup application configures the startup type for the BlackBerry Mail Store Service, BlackBerry Policy Service, and BlackBerry Synchronization Service to manual. To avoid errors in the BlackBerry Enterprise Server, do not change the startup type for the BlackBerry Enterprise Server services. |
| Do not change the account information for BlackBerry Enterprise Server services. | When you install or upgrade the BlackBerry Enterprise Server, the setup application configures the account information for the BlackBerry Enterprise Server services. Do not change the account information for the BlackBerry Enterprise Server unless the BlackBerry Enterprise Server documentation specifies that you can. |
| Run the BlackBerry Configuration Panel as an administrator. | Consider the following guidelines if you are running the BlackBerry Configuration Panel on Windows Server 2008: • Log in to the computer with a user account that is in the Administrator group on the Windows Server. • Right-click the BlackBerry Configuration Panel icon and click Run as administrator. |

Related information
Restarting BlackBerry Enterprise Server components, 392

Configuring certain BlackBerry Enterprise Server components to use proxy servers

You can configure the BlackBerry MDS Connection Service and the BlackBerry Collaboration Service to use proxy servers to access web addresses on the Internet and your organization's intranet. You should use a proxy method that is consistent with the proxy method that other applications and servers in your organization use to access web content.
Proxy servers typically do not permit network traffic between servers that are on the same side of the firewall, so you can configure certain BlackBerry Enterprise Server components to use a .pac file, or to access the Internet directly through a proxy server. You can also configure multiple proxy servers to manage traffic to specific web addresses, and you can specify URLs that the BlackBerry Enterprise Server components can access without using a proxy server.
Related information
Configuring multiple BlackBerry Enterprise Server instances to use the same BlackBerry Enterprise Server component, 79

Configure a BlackBerry Enterprise Server component to use a .pac file

You can configure the BlackBerry MDS Connection Service and the BlackBerry Collaboration Service to use a .pac file. The BlackBerry Enterprise Server components support only one .pac file.
1. In the BlackBerry Administration Service, in the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
2. Expand the appropriate BlackBerry Enterprise Server component.
3. Click the instance that you want to change.
4. Click Edit instance.
5. On the Proxy mappings tab, in the Universal resource locator field, type the regular expression for the web address that you want the proxy mapping rule to control.
6. In the Proxy type drop-down list, perform one of the following actions:
• To detect a .pac file automatically, click AUTO.
• To specify the location of the .pac file, click PAC. In the Proxy string field, type the proxy server name, port number, and location of the .pac file using the following format: <proxy_server>:<port>/<pac_filepath>/<pac_filename>.
7. Click the Add icon for the proxy item. If you add more than one proxy item, use the Up and Down icons to set the priority of the proxy items.
8. Click the Add icon for the web address. If you add more than one web address, use the Up and Down icons to set the priority of the web addresses.
9. Click Save all.

Configure a BlackBerry Enterprise Server component to use a proxy server

You can configure the BlackBerry MDS Connection Service and the BlackBerry Collaboration Service to access web servers through a proxy server.
You can specify more than one proxy string in a proxy mapping rule for a web address. If the BlackBerry Enterprise Server component cannot access the web server using the first proxy string, it tries to access the web server using the subsequent proxy strings that you specify, until the component accesses the web server.
If the BlackBerry MDS Connection Service is configured to use a proxy server, BlackBerry device users can browse web sites that use HTTPS if the proxy server supports basic authentication only.
1. In the BlackBerry Administration Service, in the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
2. Expand the appropriate BlackBerry Enterprise Server component.
3. Click the instance that you want to change.
4. Click Edit instance.
5. On the Proxy mappings tab, in the Universal resource locator field, type the URL regular expression for the web address that you want the proxy mapping rule to control.
6. In the Proxy type drop-down list, perform one of the following actions:
• To configure a proxy server, click PROXY. In the Proxy string field, type the proxy server name and port number using the following format: <proxy_server>:<port>.
• To exclude the web address from routing through the proxy server, click DIRECT.
7. Click the Add icon for the proxy item. If you add more than one proxy item, use the Up and Down icons to set the priority for the proxy items.
8. Click the Add icon for the web address. If you add more than one web address, use the Up and Down icons to set the priority for the web addresses.
9. Click Save all.
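A pre-entry check for proxy mapping rules from this procedure and the .pac procedure before it, as an added example (not BlackBerry code). It validates the `<proxy_server>:<port>` and `<proxy_server>:<port>/<pac_filepath>/<pac_filename>` formats and reports URLs that an over-broad DIRECT expression would let bypass the proxy. It assumes that the first rule whose expression matches the whole URL wins and that Python's `re` approximates the server's regular-expression dialect; the host names and URLs are constructed.

```python
import re

PROXY_RE = re.compile(r"(?P<host>[A-Za-z0-9.-]+):(?P<port>\d+)")
PAC_RE = re.compile(r"(?P<host>[A-Za-z0-9.-]+):(?P<port>\d+)(?P<path>(?:/[^/\s]+)+)")


def check_proxy_item(proxy_type, proxy_string=""):
    """Return a list of problems with one proxy item; an empty list means OK."""
    if proxy_type in ("AUTO", "DIRECT"):
        return []  # the procedures describe no proxy string for these types
    pattern = {"PROXY": PROXY_RE, "PAC": PAC_RE}.get(proxy_type)
    if pattern is None:
        return ["unknown proxy type %r" % proxy_type]
    match = pattern.fullmatch(proxy_string)
    if match is None:
        return ["%s string %r does not match the documented format"
                % (proxy_type, proxy_string)]
    if not 1 <= int(match.group("port")) <= 65535:
        return ["port %s is out of range" % match.group("port")]
    return []


def check_rules(rules):
    """Validate every rule: the expression compiles and each item is well formed."""
    problems = []
    for expression, items in rules:
        try:
            re.compile(expression)
        except re.error as exc:
            problems.append("%r: invalid expression (%s)" % (expression, exc))
        for proxy_type, proxy_string in items:
            for problem in check_proxy_item(proxy_type, proxy_string):
                problems.append("%r: %s" % (expression, problem))
    return problems


def resolve(url, rules):
    """Return the ordered proxy items for url, or None when no rule matches."""
    for expression, items in rules:      # rules are listed in priority order
        if re.fullmatch(expression, url):
            return items                 # items are tried in order until one works
    return None


def direct_leaks(rules, must_use_proxy):
    """URLs that are expected to use a proxy but resolve to DIRECT first."""
    leaks = []
    for url in must_use_proxy:
        items = resolve(url, rules)
        if items and items[0][0] == "DIRECT":
            leaks.append(url)
    return leaks


# Constructed sample rules: (URL regular expression, ordered proxy items).
FALLBACK = [("PROXY", "proxy1.example.test:8080"), ("PROXY", "proxy2.example.test:8080")]
LOOSE = [(r"https?://intranet.example.test/.*", [("DIRECT", "")]), (r".*", FALLBACK)]
STRICT = [(r"https?://intranet\.example\.test/.*", [("DIRECT", "")]), (r".*", FALLBACK)]
# Constructed URLs that are not the intranet host and must go through a proxy.
PROBES = ["http://intranet-example.test/login", "http://www.example.org/"]

if __name__ == "__main__":
    print("format problems:", check_rules(STRICT))
    print("unescaped dots :", direct_leaks(LOOSE, PROBES))
    print("escaped dots   :", direct_leaks(STRICT, PROBES))
```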

Configure a BlackBerry Enterprise Server component to authenticate to a proxy server on behalf of BlackBerry devices

You can configure the BlackBerry MDS Connection Service and the BlackBerry Collaboration Service to authenticate to a proxy server on behalf of BlackBerry devices.
Before you begin: If you want to configure the BlackBerry MDS Connection Service to authenticate to a proxy server on behalf of BlackBerry devices, turn on authentication support for the BlackBerry MDS Connection Service.
1. In the BlackBerry Administration Service, in the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
2. Expand the appropriate BlackBerry Enterprise Server component.
3. Click the instance that you want to change.
4. Click Edit instance.
5. On the Proxy mappings tab, click the Edit button for a web address.
6. In the Credentials section, in the User name field, type the user name that the BlackBerry Enterprise Server component can use to connect to the proxy server that is defined for the web address.
7. In the Password and Confirm password fields, type the password for the user name.
8. Click the Add icon.
9. Click Save all.
Related information
Configure how BlackBerry devices authenticate to content servers, 181

Configuring the BlackBerry Administration Service to use a proxy server

If you want to allow the BlackBerry Administration Service to automatically download device.xml files, vendor.xml files, and information about BlackBerry Device Software bundles from the BlackBerry Infrastructure, and your organization uses a proxy server, you must configure the BlackBerry Administration Service to select and authenticate (if necessary) with the proxy server.

Configuring proxy selection for the BlackBerry Administration Service

You can configure the BlackBerry Administration Service to select a proxy server either manually or automatically. To manually select a proxy server, you can use one of the following tools:
• Proxy Configuration Tool (proxycfg.exe) with Windows Server 2003 or earlier
• Network Shell Utility (netsh.exe) with Windows Server 2008
• Windows Internet Explorer
To automatically select a proxy server, you can use one of the following methods:
• enable the Web Proxy Autodiscovery Protocol using the BlackBerry Enterprise Trait Tool
• specify a URL for a PAC file using Windows Internet Explorer
Configuring manual proxy selection for a BlackBerry Administration Service instance
Depending on the operating system on the computer that hosts the BlackBerry Administration Service instance, you can use the Proxy Configuration Tool or the Network Shell Utility to manually select a proxy server for a BlackBerry Administration Service instance. You must configure manual proxy selection for all of the computers that host a BlackBerry Administration Service instance. Both the Proxy Configuration Tool and the Network Shell Utility store the proxy server settings in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings registry key. You must run both tools as an administrator.
The Proxy Configuration Tool works with Windows Server 2003 or earlier, and it is located in one of the following locations:
• For 32-bit Windows operating systems, the Proxy Configuration Tool is located at c:\Windows\system32\.
• For 64-bit Windows operating systems, the Proxy Configuration Tool is located at c:\Windows\sysWow64\.
For more information about the Proxy Configuration Tool, visit www.msdn.microsoft.com and search for proxycfg.exe.
The Network Shell Utility works with Windows Server 2008. For more information about the Network Shell Utility, visit technet.microsoft.com and search for Netsh.exe.
Configure manual proxy selection for the Windows account that runs the BlackBerry Administration Service
Perform this task on all of the computers that host a BlackBerry Administration Service instance.
1. On the computer that hosts the BlackBerry Administration Service, log in using the Windows account that runs the BlackBerry Administration Service.
2. Open Windows Internet Explorer.
3. Click Tools > Internet Options.
4. On the Connections tab, click LAN settings.
5. Select Use a proxy server for your LAN.
6. In the Address field, type the address for the proxy server.
7. In the Port field, type the port number for the proxy server.
8. Click OK.
9. Click OK.
Windows Internet Explorer stores the settings for the proxy server in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings registry key.
Configure the BlackBerry Administration Service to use the Web Proxy Autodiscovery Protocol to select a proxy server automatically
If you want to configure the BlackBerry Administration Service to use the Web Proxy Autodiscovery Protocol to select a proxy server automatically, you must use the BlackBerry Enterprise Trait Tool. The Web Proxy Autodiscovery Protocol uses DHCP and DNS to find a PAC file. Perform this task on any computer that hosts a BlackBerry Administration Service instance.
CAUTION: If the proxy server authenticates using HTTP basic authentication, the Web Proxy Autodiscovery Protocol file must be on a computer that is separate from the proxy server and uses Windows authentication or anonymous authentication.
1. On the computer that hosts the BlackBerry Administration Service, at the command prompt, navigate to the folder that contains the TraitTool.exe file.
2. To turn on Web Proxy Autodiscovery Protocol, type traittool -global -trait BASIsProxyWPADOptionEnabled -set 1.
Turn off Web Proxy Autodiscovery Protocol
Perform this task on any computer that hosts a BlackBerry Administration Service instance.
1. On the computer that hosts the BlackBerry Administration Service, at the command prompt, navigate to the folder that contains the TraitTool.exe file.
2. To turn off Web Proxy Autodiscovery Protocol, type traittool -global -trait BASIsProxyWPADOptionEnabled -erase.
Configure the BlackBerry Administration Service to use a PAC file to select a proxy server automatically
Before you begin: Obtain the URL for the PAC file.
Perform this task on all of the computers that host a BlackBerry Administration Service instance.
CAUTION: If the proxy server authenticates using HTTP basic authentication, the PAC file must be on a computer that is separate from the proxy server and uses Windows authentication or anonymous authentication.
1. On the computer that hosts the BlackBerry Administration Service instance, log in using the Windows account that runs the BlackBerry Administration Service.
2. Open Windows Internet Explorer.
3. Click Tools > Internet Options.
4. On the Connections tab, click LAN settings.
5. Select Use automatic configuration script.
6. In the Address field, type the URL for the PAC file.
7. Click OK.
8. Click OK.

Configuring the BlackBerry Administration Service to authenticate with a proxy server

If your organization's proxy server requires authentication, you must configure the BlackBerry Administration Service to authenticate with the proxy server.
If the proxy server uses Windows authentication, you must configure the proxy server to authenticate the Windows account that runs the BlackBerry Administration Service.
If your proxy server uses HTTP basic authentication, you can configure the user name and password for HTTP basic authentication using the BlackBerry Enterprise Trait Tool. You can specify the credentials for either the entire BlackBerry Domain or for individual BlackBerry Administration Service instances. The BlackBerry Administration Service tries the credentials that you specify for the BlackBerry Administration Service instance first and then tries the credentials that you specify for the BlackBerry Domain.
Configure the BlackBerry Administration Service to use HTTP basic authentication
You use the BlackBerry Enterprise Trait Tool to configure the BlackBerry Administration Service to use HTTP basic authentication to authenticate with a proxy server. HTTP basic authentication requires a user name and password for authentication.
1. On the computer that hosts the BlackBerry Administration Service, at the command prompt, navigate to the folder that contains the TraitTool.exe file.
2. Perform one of the following tasks:
Task: Specify the credentials for HTTP basic authentication that your organization's BlackBerry Domain uses.
Steps:
1. Type traittool -global -trait BASProxyBasicAuthUID -set <user_name>, where <user_name> is the user name (for example, user01@blackberry.com or blackberry.com\user01).
2. Type traittool -global -trait BASProxyBasicAuthPassword -set <password>, where <password> is the password.
Task: Specify the credentials for HTTP basic authentication that a specific BlackBerry Administration Service instance uses.
Steps:
1. Type traittool -BASServer <name> -trait BASProxyBasicAuthUID -set <user_name>, where <name> is the host name of the computer that hosts the BlackBerry Administration Service instance and <user_name> is the user name (for example, user01@blackberry.com or blackberry.com\user01) for that computer.
2. Type traittool -BASServer <name> -trait BASProxyBasicAuthPassword -set <password>, where <name> is the host name of the computer that hosts the BlackBerry Administration Service instance and <password> is the password for the computer.
Delete credentials for HTTP basic authentication
1. On the computer that hosts the BlackBerry Administration Service, at the command prompt, navigate to the folder that contains the TraitTool.exe file.
2. Perform one of the following tasks:
Task: Delete the user name and password that all of the BlackBerry Administration Service instances in your organization's BlackBerry Domain use for HTTP basic authentication.
Steps:
1. Type traittool -global -trait BASProxyBasicAuthUID -erase.
2. Type traittool -global -trait BASProxyBasicAuthPassword -erase.
Task: Delete the user name and password for the computer that a single BlackBerry Administration Service instance in your organization's BlackBerry Domain uses for HTTP basic authentication.
Steps:
1. Type traittool -BASServer <name> -trait BASProxyBasicAuthUID -erase.
2. Type traittool -BASServer <name> -trait BASProxyBasicAuthPassword -erase.

Configuring multiple BlackBerry Enterprise Server instances to use the same BlackBerry Enterprise Server component

To help make a BlackBerry Domain more scalable, you can configure multiple BlackBerry Enterprise Server instances to use the same BlackBerry MDS Connection Service or BlackBerry Collaboration Service. If a BlackBerry Domain contains one BlackBerry Enterprise Server, all of the BlackBerry Enterprise Server components are associated with that BlackBerry Enterprise Server automatically.

Configure multiple BlackBerry Enterprise Server instances to use the same BlackBerry MDS Connection Service

You can configure multiple BlackBerry Enterprise Server instances to use the same central push server to transfer application data to and from BlackBerry devices and to manage HTTP requests from the BlackBerry Browser.
Before you begin: Specify a BlackBerry MDS Connection Service as a central push server.
1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > MDS Connection Service.
2. Click the instance that you want to change.
3. Click Edit instance.
4. On the Supported Dispatcher instances tab, in the Available Dispatcher instances list, click the BlackBerry Enterprise Server instance that you want to use the BlackBerry MDS Connection Service.
5. Click Add.
6. Repeat steps 4 and 5 for each BlackBerry Enterprise Server instance that you want to use the BlackBerry MDS Connection Service.
7. Click Save all.
Related information
Specifying a BlackBerry MDS Connection Service as a central push server, 180

Configure multiple BlackBerry Enterprise Server instances to use the same BlackBerry Collaboration Service

You can configure multiple BlackBerry Enterprise Server instances to use the same BlackBerry Collaboration Service to connect to your organization's instant messaging server, and to manage requests from the collaboration client on users' BlackBerry devices.
1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > Collaboration.
2. Click the instance that you want to change.
3. Click Edit instance.
4. On the Supported Dispatcher instances tab, in the Available Dispatcher instances list, click the BlackBerry Enterprise Server instance that you want to use the BlackBerry Collaboration Service.
5. Click Add.
6. Repeat steps 4 and 5 for each BlackBerry Enterprise Server instance that you want to use the BlackBerry Collaboration Service.
7. Click Save all.

Configuring support for Unicode languages

Configure support for Unicode languages

You can make sure that the messaging application can display the Unicode messages that the BlackBerry device sends by configuring the BlackBerry Enterprise Server to support Unicode languages (for example, Japanese, Korean, or Simplified Chinese).
1. On the computer that hosts the BlackBerry Enterprise Server, on the taskbar, click Start > Run.
2. Type regedit.
3. Click OK.
4. Perform one of the following actions:
• If you are running a 32-bit version of Windows, go to HKEY_LOCAL_MACHINE\SOFTWARE\Research In Motion\BlackBerry Enterprise Server\Agents.
• If you are running a 64-bit version of Windows, go to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Research In Motion\BlackBerry Enterprise Server\Agents.
5. If the MAPIEncoding registry key exists, perform one of the following actions:
• Delete the key.
• Change the value of the key to 1.
6. Perform one of the following actions:
• If you are running a 32-bit version of Windows, go to HKEY_LOCAL_MACHINE\SOFTWARE\Research In Motion\BlackBerry Enterprise Server\Setup.
• If you are running a 64-bit version of Windows, go to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Research In Motion\BlackBerry Enterprise Server\Setup.
7. Verify that the ConfigKeystoreCountry registry key is set to one of the following values, depending on your organization's environment:
• CN for Simplified Chinese
• JP for Japanese
• KR for Korean
8. In the Windows Services, restart the BlackBerry Dispatcher.
Related information
Restarting BlackBerry Enterprise Server components, 392

Change the character encoding that the BlackBerry Enterprise Server uses to send Unicode messages

By default, when the BlackBerry Enterprise Server receives Unicode messages from BlackBerry devices, it uses UTF-8 character encoding to process the Unicode messages. If email applications cannot correctly display Unicode messages that devices send (for example, if email applications cannot display attachment file names or contact lists correctly), you can configure the BlackBerry Enterprise Server to select another character encoding to use to process Unicode messages.
Before you begin: Configure support for Unicode languages.
1. On the computer that hosts the BlackBerry Enterprise Server, on the taskbar, click Start > Run.
2. Type regedit.
3. Click OK.
4. Perform one of the following actions:
• If you are running a 32-bit version of Windows, go to HKEY_LOCAL_MACHINE\SOFTWARE\Research In Motion\BlackBerry Enterprise Server\Agents.
• If you are running a 64-bit version of Windows, go to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Research In Motion\BlackBerry Enterprise Server\Agents.
5. Create a DWORD value that is named AutoSelectOutgoingEncoding.
6. Double-click the new DWORD value.
7. In the Value data field, perform one of the following actions:
• To configure the BlackBerry Enterprise Server to select the most appropriate character encoding when it encodes plain-text messages, type 1. If the BlackBerry Enterprise Server cannot identify which character encoding to use, the BlackBerry Enterprise Server encodes plain-text messages in UTF-8.
• To configure the BlackBerry Enterprise Server to select the most appropriate character encoding when it encodes email messages that use RTF or HTML, type 2. If the BlackBerry Enterprise Server cannot identify which character encoding to use, the BlackBerry Enterprise Server encodes email messages that use RTF or HTML in UTF-8.
• To configure the BlackBerry Enterprise Server to select the most appropriate character encoding when it encodes plain-text messages and email messages that use RTF or HTML, type 3. If the BlackBerry Enterprise Server cannot identify which character encoding to use, the BlackBerry Enterprise Server encodes all email messages in UTF-8.
8. In the Windows Services, restart the BlackBerry Dispatcher.
Related information
Restarting BlackBerry Enterprise Server components, 392

Configure support for Unicode text in calendars on BlackBerry devices in a Microsoft Exchange environment

You must complete this task for all Microsoft Exchange versions to ensure calendar items use the correct Unicode characters in fields such as subject, location, or notes.
Before you begin: In a Microsoft Exchange 2003 environment, install the following hotfixes for wireless calendar synchronization:
• Visit http://support.microsoft.com/kb/913643 to download and install the required hotfix on the messaging server.
• Visit http://support.microsoft.com/kb/923537/en-us to download and install the required hotfix on the computer that will host the BlackBerry Enterprise Server.
1. On the BlackBerry Enterprise Server, on the Start menu, click Run.
2. Type regedit.
3. Click OK.
4. Perform one of the following actions:
• If you are running a 32-bit version of Windows, navigate to HKEY_LOCAL_MACHINE\Software\Research In Motion\BlackBerry Enterprise Server\Agents.
• If you are running a 64-bit version of Windows, navigate to HKEY_LOCAL_MACHINE\Software\WOW6432Node\Research In Motion\BlackBerry Enterprise Server\Agents.
5. Create a DWORD value that is named SetLocaleIDs.
6. Set the value to 1.
7. In the Windows Services, restart the BlackBerry Messaging Agent.
Related information
Restarting BlackBerry Enterprise Server components, 392

Configuring user accounts

7

Creating user groups

You can create user groups and assign user accounts to user groups based on custom criteria, such as user location, organizational group, or BlackBerry device model. User accounts that are part of a user group can exist on multiple BlackBerry Enterprise Server instances in the BlackBerry Domain.

Create a group to manage similar user accounts

You can reduce the time that you spend managing user accounts by adding similar user accounts to a group, and assigning shared properties, such as software configurations or IT policies, to the group. Properties that you assign to a group are assigned to all user accounts in the group.
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Create a group.
3. In the Group information section, type a name and description for the group.
4. Click Save.
After you finish:
• Add properties to the group.
• Add user accounts to the group.
Related information
Change the properties of a group, 287
Add user accounts to a group, 84

Add user accounts to a group

You can add user accounts to a group to assign the properties of the group to user accounts automatically.
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for the user accounts.
4. Select the user accounts.
5. In the Add to user configuration list, click Add group.
6. In the Available groups list, click the group that you want to add the user accounts to.
7. Click Add.
8. Click Save.

Adding a user account to the BlackBerry Enterprise Server

If you add a user account to the BlackBerry Enterprise Server, you are not required to locate the Microsoft Exchange mailbox for the BlackBerry device that the user account is associated with or the routing group that the BlackBerry Enterprise Server is located in.
Related information
Assigning BlackBerry devices to users, 91

Add a user account

You can add a user account to the BlackBerry Enterprise Server, assign a BlackBerry device to a user account and activate the BlackBerry device. The user account must exist on your organization's messaging server.
Before you begin: If required, create a group of user accounts so that you can manage user accounts that are similar.
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Create a user.
3. Search for a user account.
4. Select the check box beside the display name for the user account.
5. Click Continue.
6. If your organization's environment includes multiple BlackBerry Enterprise Server instances, select the BlackBerry Enterprise Server that you want to add the user account to.
7. If groups exist in the Available groups list, click at least one group that you want to add the user account to.
8. Click Add.
9. To select an activation option, perform one of the following actions:
Option: Specify an activation password for the user account.
Step:
1. Click Create a user with activation password.
2. In the Set activation password section, type and confirm an activation password. The password must not contain special characters. Some BlackBerry devices do not support special characters and do not unlock when a user types a password that contains special characters.
3. In the Password expiration (hours) field, type the amount of time, in hours, that you want to elapse before the activation password expires.
4. Click Create user.
Option: Generate an activation password for the user account automatically.
Step: Click Create a user with generated activation password.
Option: Activate the user account without using an activation password.
Step: Click Create a user without activation password.
Related information
Assigning BlackBerry devices to users, 91
Managing user accounts, 288

Create a user account that is not in the contact list in the BlackBerry Configuration Database

You can create a user account for a user even if the BlackBerry Mail Store Service did not yet synchronize the contact information for the user account to the BlackBerry Configuration Database. If the BlackBerry Mail Store Service did not synchronize the contact information and you create a user account, the BlackBerry Administration Service does not display the user account in the search results.
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Create a user.
3. Search for a user account.
4. Click Add user from company directory.
5. In the Email address field, type the email address, in SMTP format, of the user account that you want to add.
6. Click Find user in company directory.
7. Click Save user to available user list and Create BlackBerry Enabled User.
8. If you installed multiple BlackBerry Enterprise Server instances, select the BlackBerry Enterprise Server that you want to add the user account to.
9. Click Continue.
10. Type and confirm an activation password. The password must not contain special characters. Specific BlackBerry devices do not support special characters and do not unlock when a user types a password that contains special characters.
11. In the Password expiration field, type the amount of time, in hours, that can elapse before the activation password expires.
12. Click Create user.

Export a list of user accounts

You can export a list of user accounts from a BlackBerry Enterprise Server to a .csv file. The .csv file contains information about the user accounts, such as the user ID, display name, PIN and email address. You can import the list of user accounts to another BlackBerry Enterprise Server.
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for one or more user accounts.
4. Select the checkboxes beside the display names of the appropriate user accounts.
5. In the Export users list, click Export selected users.
6. Click Download file.
7. Save the .csv file.

Importing a list of user accounts to a BlackBerry Enterprise Server

You can add multiple user accounts to a BlackBerry Enterprise Server by importing a .csv file that contains a list of user accounts and the required information to activate the user accounts on a BlackBerry Enterprise Server.
The .csv file can include the following information:
• user accounts that you want to create
• names of the groups you want to add the user accounts to
• activation passwords and expiry times that you want to assign to the user accounts
The BlackBerry Administration Service processes actions in the order that they appear in the .csv file. If the BlackBerry Administration Service encounters an error that is specific to an action during the import process (for example, an action is incorrectly formatted in the .csv file), the BlackBerry Administration Service continues to process the remaining actions that are listed in the file and displays an error message for the action that the BlackBerry Administration Service could not process.
The import process can take a long time (more than 30 minutes) to complete if you add more than 2000 user accounts.
Fields in a .csv file that contain user account information
The BlackBerry Administration Service uses a .csv file to add user account information to the BlackBerry Enterprise Server. The following table lists the fields in the .csv file that might be populated when you import user account information.
Field: Email Address
Description: This field specifies the email address for the user account.
Field: SRP ID
Description: This field specifies the SRP ID for the BlackBerry Enterprise Server that you want to add the user account to.
Field: Group Names
Description: This field specifies the names of groups that you want to add the user account to.
Field: Activation Password Operation
Description: This field specifies whether an activation password is required to activate the user account and whether that password will be specified by the administrator or the BlackBerry Administration Service. The activation password value specified in this field can either be "specify", "none", or "generate" in lower case only. The activation password operation must be the same on each line in the .csv file.
If the field is set to "specify", the activation password and the expiry time (in hours) are optional fields in the .csv file. If the activation password and the expiry time values are not included in the .csv file, you will be prompted to specify these values after uploading the .csv file. If you specify the activation password and the expiry time for the user accounts, the values must be provided on every line of the .csv file.
If the field is set to "generate", the password is automatically generated by the BlackBerry Administration Service and the final two fields of each .csv line must be empty. The activation password will expire if the user does not activate the BlackBerry device on the BlackBerry Enterprise Server before the password timeout elapses. The default value is 48 hours.
If the field is set to "none", the user account will be created without an activation password and the final two fields of each .csv line must be empty.
To activate a BlackBerry device on the BlackBerry Enterprise Server over the wireless network, an activation password is required.
Field: Activation Password
Description: This field specifies the activation password for the user account if an activation password is required.
Field: Activation Password Expiry
Description: This field specifies the amount of time, in hours, that can elapse before the activation password expires if an activation password is required. The activation password will expire if the user does not activate the BlackBerry device on the BlackBerry Enterprise Server before a default value of 48 hours elapses.
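An added example, not part of the guide: a check that applies the field rules from the table above to a .csv file before you upload it. The addresses, SRP IDs and passwords are constructed, and the reading of "special characters" and the whole-number expiry are assumptions marked in the code.

```python
import csv
import io

# Field names in the order given in the guide's table.
HEADER = ["Email Address", "SRP ID", "Group Names",
          "Activation Password Operation", "Activation Password",
          "Activation Password Expiry"]
OP, PW, EXP = HEADER[3], HEADER[4], HEADER[5]
OPERATIONS = ("specify", "none", "generate")


def check_import_csv(text):
    """Return a sorted list of (line_number, message) problems in an import file."""
    reader = csv.reader(io.StringIO(text, newline=""))
    problems, records = [], []
    for row in reader:
        line = reader.line_num
        if line == 1:
            # Assumption: the file starts with the field-name line.
            if row != HEADER:
                return [(1, "first line must list the six field names")]
            continue
        if not row:
            continue  # blank line
        if len(row) != len(HEADER):
            # Typical cause: a missing quotation mark merges two fields.
            problems.append((line, "expected 6 fields, found %d" % len(row)))
            continue
        records.append((line, dict(zip(HEADER, row))))
    if reader.line_num == 0:
        return [(1, "file is empty")]
    if not records:
        return sorted(problems)

    first_line, first = records[0]
    # "specify" lines either all carry a password and expiry, or none do.
    any_values = any(r[PW] or r[EXP] for _, r in records if r[OP] == "specify")
    for line, rec in records:
        op, pw, exp = rec[OP], rec[PW], rec[EXP]
        if op not in OPERATIONS:
            problems.append((line, "operation must be specify, none or generate, in lower case"))
            continue
        if op != first[OP]:
            problems.append((line, "operation differs from line %d" % first_line))
        if op in ("none", "generate"):
            if pw or exp:
                problems.append((line, "final two fields must be empty for '%s'" % op))
            continue
        if any_values and not (pw and exp):
            problems.append((line, "password and expiry must be on every line"))
        # Assumption: "special characters" (a restriction the guide states for
        # activation passwords) means anything other than ASCII letters and digits.
        if pw and not (pw.isascii() and pw.isalnum()):
            problems.append((line, "password contains special characters"))
        # Assumption: the expiry is a whole number of hours greater than zero.
        if exp and not (exp.isascii() and exp.isdigit() and int(exp) > 0):
            problems.append((line, "expiry must be a positive number of hours"))
    return sorted(problems)


# Constructed sample files.
HEADER_LINE = ",".join('"%s"' % name for name in HEADER)
GOOD = "\n".join([
    HEADER_LINE,
    '"user01@example.com","S00000001","Admins","specify","Zx81qa72","24"',
    '"user02@example.com","S00000001","Admins","specify","Kp44mn09","24"',
])
BAD = "\n".join([
    HEADER_LINE,
    '"user01@example.com","S00000001","Admins","specify","Zx81qa72","24"',
    '"user02@example.com","S00000001,"Admins","specify","Kp44mn09","24"',
    '"user03@example.com","S00000001","Admins","Generate","",""',
    '"user04@example.com","S00000001","Admins","generate","Qw12er34","24"',
    '"user05@example.com","S00000001","Admins","specify","",""',
    '"user06@example.com","S00000001","Admins","specify","Pa$$w0rd","0"',
])

if __name__ == "__main__":
    for line, message in check_import_csv(BAD):
        print("line %d: %s" % (line, message))
```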
Example: Importing user accounts to a BlackBerry Enterprise Server
"Email Address","SRP ID","Group Names","Activation Password Operation","Activation Password","Activation Password Expiry"
"wbarichak@example.com","WBARICHAK0033","Admins","specify","asdf","24"
"jbuac@example.com","JBUAC0011","Admins","specify","asdf","24"
Import multiple user accounts from a .csv file
You can import a list of user accounts from a .csv file to a BlackBerry Enterprise Server so that you can manage the user accounts.
Before you begin: Create a .csv file.
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Click Manage multiple users from an import list.
4. In the Manage multiple users from an import list section, click Browse.
5. Navigate to the .csv file that contains the user accounts that you want to import.
6. Click Next.
7. Perform the appropriate actions for the user accounts.
Create multiple user accounts by importing the user accounts from a .csv file
You can import a list of user accounts from a .csv file and add them to a BlackBerry Enterprise Server. The user accounts must exist on your organization's messaging server.
Before you begin: Create the .csv file.
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Create a user.
3. Click Import new users.
4. In the Import users from a list section, click Browse.
5. Navigate to the .csv file that contains the user accounts that you want to import.
6. Click Continue.
7. Perform the appropriate actions for the user accounts.

Assigning BlackBerry devices to users

8

Preparing to distribute a BlackBerry device

Before you distribute a BlackBerry device to a user, you can configure the BlackBerry Enterprise Server to synchronize email messages that the user previously sent and received on a supported BlackBerry device. You can synchronize messages for a new user or for a user whose PIN changed when they received a replacement BlackBerry device.
When the BlackBerry Enterprise Server synchronizes messages onto a BlackBerry device, it applies the message filter rules and redirection settings that are specific to the user account.

Change how the BlackBerry Enterprise Server downloads a user's existing email messages onto the BlackBerry device

By default, the BlackBerry Enterprise Server synchronizes the headers of 200 email messages from the previous 5 days to a BlackBerry device when you activate it. If you change the BlackBerry Enterprise Server settings so that it synchronizes the headers and body of messages to a BlackBerry device when you activate it, the BlackBerry Enterprise Server can synchronize up to 3000 messages from the previous 30 days.
1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > Email.
2. Click the instance that you want to change.
3. Click Edit instance.
4. On the Messaging tab, in the Message prepopulation settings section, perform the following actions:
• To specify if you want full message bodies delivered or just message headers, in the Send headers only field, select an option.
• To specify the number of previous days that you want to synchronize messages from, in the Prepopulation By message age field, type a number.
• To specify the maximum number of messages that you want to synchronize, in the Prepopulation By message count field, type a number.
5. Click Save all.

Prevent the BlackBerry Enterprise Server from synchronizing existing email messages onto a BlackBerry device

1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > Email.
2. Click the instance that you want to change.
3. Click Edit instance.
4. On the Messaging tab, in the Message prepopulation settings section, perform the following actions:
• In the Prepopulation by message age field, type 0.
• In the Prepopulation by message count field, type 0.
5. Click Save all.

Assigning BlackBerry devices to user accounts

To assign BlackBerry devices to user accounts and activate the BlackBerry devices, you can use any of the following methods:
Method: Description
BlackBerry Administration Service: You can activate BlackBerry devices before you distribute them to users by connecting the BlackBerry devices to a computer and logging in to the BlackBerry Administration Service.
over the wireless network: New BlackBerry device users and users that are receiving replacement BlackBerry devices can activate the BlackBerry devices without requiring a physical connection to your organization's network.
over the LAN: New BlackBerry device users and users that are receiving replacement BlackBerry devices can activate the BlackBerry devices by connecting the BlackBerry devices to a computer that hosts the BlackBerry Desktop Manager.
BlackBerry Web Desktop Manager: New BlackBerry device users and users that are receiving replacement BlackBerry devices can activate the BlackBerry devices by connecting the BlackBerry devices to a computer that hosts the BlackBerry Web Desktop Manager.
over your organization's Wi-Fi network: You can activate Wi-Fi enabled BlackBerry devices over your organization's Wi-Fi network.
If you add a user account that was previously located on another BlackBerry Enterprise Server in a different BlackBerry Domain, or the user previously used the BlackBerry Desktop Redirector, you must assign a BlackBerry device to the user account using the BlackBerry Administration Service.
Related information
Managing BlackBerry Java Applications and BlackBerry Device Software, 136

Option 1: Activate a BlackBerry device using the BlackBerry Administration Service

Before you begin: If necessary, prepare a BlackBerry device so that you can redistribute it to a user.
1. Connect the BlackBerry device to a computer that can access the BlackBerry Administration Service.
2. On the Devices menu, expand Attached devices.
3. Click Manage current device.
4. Click Assign current device.
5. Search for a user account.
6. In the search results, click the display name for a user account.
7. Click Associate user.
8. Click Assign current device.

Option 2: Activating a BlackBerry device over the wireless network

To activate a BlackBerry device over the wireless network, you assign an activation password to a user account. The user receives the activation password in an email message and associates the BlackBerry device with the email account by typing the password on the BlackBerry device.
Save bandwidth by synchronizing organizer data over the LAN
When users activate BlackBerry devices over the wireless network, by default, the BlackBerry Enterprise Server synchronizes the initial download of organizer data over the wireless network. To save bandwidth, you can configure an IT policy to synchronize the initial download of organizer data through the BlackBerry Router and over your organization's LAN when users connect their BlackBerry devices to a computer that hosts the BlackBerry Device Manager.
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.
2. Click Manage IT policies.
3. Click Default.
4. Click Edit IT policy.
5. On the PIM Synchronization tab, in the Disable Wireless Bulk Loads rule, in the drop-down list, click Yes.
6. Click Save all.
Wireless activation
The wireless activation process activates BlackBerry devices on the BlackBerry Enterprise Server over the wireless network. Neither you nor the users are required to connect the BlackBerry devices to a computer to complete the activation process.
You can use the wireless activation process to activate a large number of BlackBerry devices over the wireless network. When users want to activate BlackBerry devices on the BlackBerry Enterprise Server over the wireless network, they must notify you. You can use the BlackBerry Administration Service to configure activation passwords and distribute the passwords to the users.
The BlackBerry Enterprise Solution can begin the wireless activation process automatically or when users open the activation application on the BlackBerry devices and type an activation password and email address. When the activation process completes, users can send email messages from and receive email messages on their BlackBerry devices.
When you initiate the wireless activation process, the BlackBerry Enterprise Server sends an email message with an etp.dat attachment from the blackberry.net domain to the user's email application. To make sure that the message is not blocked or modified, add the blackberry.net domain to the allowed list in the anti-virus and anti-spam software applications used by the messaging server or gateway.
Activation passwords
The BlackBerry Enterprise Server activates a BlackBerry device over the wireless network using the wireless activation authentication protocol and an activation password that is specific to the user account associated with the BlackBerry device.
Item: Description
length of the activation password: Typical activation passwords are four to eight characters long. Activation passwords are limited to the following character lengths:
• BlackBerry device: 31 characters
• BlackBerry Administration Service: 20 characters
• KeyGenPassword field that stores the password in the BlackBerry Configuration Database: 50 characters
character support: Activation passwords can include any type of character.
security: Wireless activation is designed so that short activation passwords do not compromise the security of the protocol. You must distribute the activation password to the authenticated user securely.
If the user receives the activation password, but does not activate the BlackBerry device on the BlackBerry Enterprise Server, a potentially malicious user who can access the activation password can connect another BlackBerry device to the BlackBerry Enterprise Server and assume the identity of the intended user.
When a user activates a BlackBerry device on the BlackBerry Enterprise Server, the activation password becomes inactive and a potentially malicious user cannot reuse it to activate another BlackBerry device.
If a user receives an activation password, you cannot generate a new activation password for the user until the activation password expires. An activation password expires after 48 hours by default. You can configure an activation password to expire earlier than the default value of 48 hours.
expiry time: An activation password is no longer valid if any of the following events occur:
• the user does not activate the BlackBerry device on the BlackBerry Enterprise Server before the default value of 48 hours elapses
• the user types the activation password incorrectly five consecutive times
• the BlackBerry Enterprise Server activates a BlackBerry device using the activation password
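The invalidation rules in the table above, modelled as a small state machine with an audit helper that lists passwords still usable by anyone who holds them. This is an added illustration, not BlackBerry Enterprise Server code: the class and function names are hypothetical, the sample values are constructed, and treating the smallest length limit as the effective one is an assumption.

```python
"""Illustrative model of the activation-password rules above (not BES code)."""
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta

# Values quoted in the table above.
LENGTH_LIMITS = {"device": 31, "administration_service": 20, "KeyGenPassword": 50}
DEFAULT_LIFESPAN_HOURS = 48
MAX_CONSECUTIVE_FAILURES = 5


@dataclass
class ActivationPassword:
    user: str
    secret: str
    issued_at: datetime
    lifespan_hours: int = DEFAULT_LIFESPAN_HOURS
    failures: int = 0
    used: bool = False

    def __post_init__(self):
        # Assumption: a password must fit every component that handles it,
        # so the smallest documented limit (20 characters) governs.
        limit = min(LENGTH_LIMITS.values())
        if not 1 <= len(self.secret) <= limit:
            raise ValueError(f"password must be 1-{limit} characters")
        if self.lifespan_hours <= 0:
            raise ValueError("lifespan must be a positive number of hours")

    @property
    def expires_at(self):
        return self.issued_at + timedelta(hours=self.lifespan_hours)

    def state(self, now):
        """Return 'used', 'locked', 'expired' or 'active' (the only usable state)."""
        if self.used:
            return "used"
        if self.failures >= MAX_CONSECUTIVE_FAILURES:
            return "locked"
        if now >= self.expires_at:
            return "expired"
        return "active"

    def attempt(self, typed, now):
        """One activation attempt; True only for the first correct entry."""
        if self.state(now) != "active":
            return False
        if hmac.compare_digest(typed.encode(), self.secret.encode()):
            self.used = True  # single use: cannot activate a second device
            return True
        self.failures += 1  # never reset: a correct entry ends the lifecycle
        return False


def outstanding(passwords, now):
    """Users whose password is issued but unused, with the hours it stays usable.

    These are the accounts exposed to the risk described above: until the
    user activates, whoever holds the password can activate a device.
    """
    rows = [(p.user, (p.expires_at - now).total_seconds() / 3600)
            for p in passwords if p.state(now) == "active"]
    return sorted(rows, key=lambda r: r[1], reverse=True)
```

Run over a list of issued passwords, outstanding() puts the longest remaining exposure first, which is where a shorter lifespan or a reminder to the user helps most.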
Customize the activation password
You can customize the type of activation password that is sent to BlackBerry devices in a BlackBerry Domain and the number of characters that the password can contain. You can also change the length of time that the activation password exists before it expires.
1. In the BlackBerry Administration Service, on the Devices menu, expand Wireless activations.
2. Click Device activation settings.
3. Click Edit activation settings.
4. In the Password settings section, perform the following actions:
• To change the activation password length, in the Auto-generated password length field, type a character length.
• To change the activation password type, in the Auto-generated password type drop-down list, click a password type.
• To change the length of time that the activation password exists before it expires, in the Auto-generated password lifespan (hours) field, type the number of hours.
5. Click Save all.
Customize the activation message
To provide information to help troubleshoot activation issues that a user might encounter or to make sure that the activation message that users receive on their computers conforms to your organization's messaging policies, you can customize the default activation message.
1. In the BlackBerry Administration Service, on the Devices menu, expand Wireless activations.
2. Click Device activation settings.
3. Click Edit activation settings.
4. In the Email initialization message section, perform the following actions:
• In the Sender address field, type the email address for the administrator account.
• In the Custom activation message field, type the subject and message.
5. Click Save all.
Send an activation password to a user
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, click the display name for the user account.
5. In the Device activation list, click Specify an activation password.
6. In the Activation password and Confirm password fields, type an activation password. The password must not contain special characters. Some BlackBerry devices do not support special characters and do not unlock when a user types a password that contains special characters.
7. In the Password expiration (hours) field, type the amount of time that can elapse before the activation password expires.
8. Click Specify an activation password.
Send an activation password to multiple users
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for one or more user accounts.
4. Select the checkboxes beside the display names of the appropriate user accounts.
5. In the Device activation list, click Specify an activation password.
6. In the Activation password and Confirm password fields, type an activation password. The password must not contain special characters. Some BlackBerry devices do not support special characters and do not unlock when a user types a password that contains special characters.
7. In the Password expiration (hours) field, type the amount of time, in hours, that can elapse before the activation password expires.
8. Click Specify an activation password.

Option 3: Activating BlackBerry devices over the LAN

Users can activate BlackBerry devices by connecting them to computers that the BlackBerry Desktop Manager is associated with. During the activation process, the BlackBerry Desktop Manager prompts users to associate the BlackBerry devices with their work email accounts and generate encryption keys.
When users complete the activation process, the BlackBerry Enterprise Server sends email messages and organizer data to the BlackBerry devices through the BlackBerry Router. If a connection to the BlackBerry Router is interrupted, the data transfer continues over the wireless network.

Option 4: Activating BlackBerry devices using the BlackBerry Web Desktop Manager

Users can activate their BlackBerry devices by connecting them to computers using a USB cable or Bluetooth connection and logging in to the BlackBerry Web Desktop Manager. During the activation process, the BlackBerry Web Desktop Manager prompts users to associate the BlackBerry device with their email accounts and generate encryption keys.
When users complete the activation process, the BlackBerry Enterprise Server synchronizes email messages and organizer data to BlackBerry devices through the BlackBerry Router. If a connection to the BlackBerry Router is interrupted, the data transfer continues over the wireless network.

Option 5: Activating BlackBerry devices over an enterprise Wi-Fi network

Users can activate Wi-Fi enabled BlackBerry devices over an enterprise Wi-Fi network in environments that have the following characteristics:
• BlackBerry devices can connect to the enterprise Wi-Fi network but cannot connect to the BlackBerry Infrastructure.
• Users did not install BlackBerry Desktop Manager on their computers and cannot access BlackBerry Web Desktop Manager.
• You want to deploy and activate a large number of BlackBerry devices.
To activate BlackBerry devices over the enterprise Wi-Fi network, you must configure the BlackBerry Router as an SMTP client (also known as a Mail User Agent). As an SMTP client, the BlackBerry Router communicates with an SMTP server that sends an ETP message to the user. The ETP message is the email message that the BlackBerry Router sends to the user's mailbox during the activation process.
You can configure the BlackBerry Router to act as a gateway for BlackBerry device activations over the enterprise Wi-Fi network and as a gateway for other network traffic such as email messages, data, or calendar synchronization, or to act only as a gateway for BlackBerry device activations over the enterprise Wi-Fi network. If you choose to configure the BlackBerry Router only as a gateway for BlackBerry device activations over the enterprise Wi-Fi network, you must configure the BlackBerry Router as part of a chain of BlackBerry Router instances and make sure that one or more BlackBerry Router instances in the chain can act as a gateway for other network traffic.
For more information about Wi-Fi enabled BlackBerry devices, see the BlackBerry Enterprise Server Feature and Technical Overview.
Prerequisites: Configuring a BlackBerry Router for BlackBerry device activations over the enterprise Wi-Fi network
• On the computer on which you installed the BlackBerry Router, or on a remote computer, configure an SMTP service that the BlackBerry Router can use. For more information, see the documentation for the Windows Server.
• To restrict the BlackBerry Router so that it acts only as a gateway for BlackBerry device activations over the enterprise Wi-Fi network, on a computer that does not host a BlackBerry Enterprise Server, install a BlackBerry Router whose only purpose is to provide a connection to Wi-Fi enabled BlackBerry devices over the enterprise Wi-Fi network. Configure the BlackBerry Router as part of a chain of BlackBerry Router instances and make sure that one or more BlackBerry Router instances in the chain can act as a gateway for other network traffic such as email messages, data, or calendar synchronization.
• Verify that the wireless access points can connect to the BlackBerry Router that you configured for BlackBerry device activations over the enterprise Wi-Fi network.
• Verify that each BlackBerry Enterprise Server can connect to a BlackBerry Router that you configured for BlackBerry device activations over the enterprise Wi-Fi network.
• Create a user account and activation password on the BlackBerry Enterprise Server for each new BlackBerry device.
Configure a BlackBerry Router to permit BlackBerry device activations over the enterprise Wi-Fi network
1. On the computer that hosts the BlackBerry Router, on the taskbar, click Start > Programs > BlackBerry Enterprise Server > BlackBerry Server Configuration.
2. On the OTA WIFI Activation tab, select the Permit wireless activation in your WLAN environment check box.
3. Optionally, to restrict the BlackBerry Router so that it acts as a gateway for wireless activations over the enterprise Wi-Fi network and not as a gateway for other network traffic such as email messages, data, or calendar synchronization, select the Prevent all serial bypass traffic through this router except WLAN activations check box. Only restrict the BlackBerry Router if you configured more than one BlackBerry Router instance.
4. To specify how the BlackBerry Router locates the SMTP server, in the Activation Gateway Settings section, select one of the following options:
• To permit the BlackBerry Router to determine which SMTP server it uses for ETP traffic based on the mail exchange record of the host domain, select Use MX Lookup to obtain SMTP server.
• To provide the SMTP server name and port number for the BlackBerry Router, select Explicitly provide SMTP server name and port. Type the server name and the server port number for the SMTP server.
5. If the SMTP server requires authentication, specify the SMTP login name and SMTP password.
6. In the From address for ETP messages field, type the email address that you want to use as the From address. The ETP message is the email message that the BlackBerry Router sends to the users' mailboxes during the activation process.
7. Click Apply.
8. Click OK.
9. In the Windows Services, restart the BlackBerry Router.
After you finish: Instruct users to activate the Wi-Fi enabled BlackBerry devices.
Activate a Wi-Fi enabled BlackBerry device
If you want to activate a Wi-Fi enabled BlackBerry device using the enterprise Wi-Fi network, you can instruct a BlackBerry user to perform the following task on the BlackBerry device. If you want to reactivate a BlackBerry device, you must create a new activation password for the BlackBerry device.
1. On the BlackBerry device, in the device options, click Advanced Options.
2. Click Enterprise Activation.
3. Type the activation email address.
4. Type the activation password.
5. In the Activation Server Address field, type the IP address for the BlackBerry Router that the BlackBerry device can use to activate over the enterprise Wi-Fi network.
6. In the menu, click Activate.
After you finish:
• For more information, see the user guide for the BlackBerry device.
• To view the activation status, in the BlackBerry Administration Service, on the Wireless > View activations page, search for the user account. Confirm that the activation is successful.
Related information
Restarting BlackBerry Enterprise Server components, 392
Troubleshooting: Connections to the Wi-Fi network, 478