BES10 v10.2 UDS Advanced Admin Guide En


8/17/2019 BES10 v10.2 UDS Advanced Admin Guide En (1/138)

BlackBerry Enterprise Service 10
Universal Device Service
Version: 10.2

Administration Guide


Contents

1 Introduction, 9
  About this guide, 10
  What is BlackBerry Enterprise Service 10?, 10
    Key features of BlackBerry Enterprise Service 10, 10
  About the Universal Device Service, 11
    Using the Universal Device Service console, 12
    Log in to the Universal Device Service console, 12
  About BES10 Self-Service, 13

2 Setting up administrator accounts, 15
  Administrative roles and permissions, 16
    Administrator permissions, 16
  Create an administrator account, 18

3 Setting up device controls, 21
  Creating and assigning profiles, 22
  Using variables, 22
    Use custom variables, 23
  Sending certificates to devices, 24
    Setting up encrypted email using S/MIME, 24
    Create a CA certificate profile, 24
    Create a client certificate profile for SCEP, 25
    Create a client certificate profile for a shared certificate, 27
    Create a user certificate profile and assign it to a user account, 28
  Controlling how devices can connect to your organization's network, 28
    Create a Microsoft ActiveSync profile, 28
    Create a Wi-Fi profile, 30
    Create a VPN profile, 32
  Routing data for iOS devices through a proxy server, 33
    Create a global HTTP proxy profile for iOS devices, 33
  Enforcing compliance rules, 34
    Assigning and reconciling compliance profiles, 35
    Change the default compliance profile, 35
    Create a compliance profile, 37
    Update the template for the device compliance notification, 39
    Returning devices to compliance, 39
  Controlling how iOS and Android devices are activated and managed, 40
    Change the default activation type, 41
    Create an activation type profile, 41
    What is the BES12 Client?, 41
    Managing devices that have a work space, 42
    Upgrading work space apps, 43
  Controlling the capabilities of devices, 43
    Create an IT policy, 43
    Create a work space IT policy, 44
  Routing data for the work browser through a proxy server, 44
    Create a proxy profile for Secure Work Space, 44
  Managing app availability on devices, 46
    Create an application definition, 46
    Create a software configuration, 47
    Assign a software configuration to a user account, 48
    Assign a software configuration to a group, 48
    View whether work apps are installed on a device, 48
    Installing apps in the work space, 49

4 Managing groups and user accounts, 53
  Creating and managing groups, 54
    Create a group, 54
    Change the properties of a group, 54
    Assign an account to a group, 55
    Remove an account from a group, 55
    Assign an IT policy to a group, 56
    Assign a profile to a group, 56
    Synchronizing groups with Microsoft Active Directory, 56
  Creating and managing user accounts, 58
    Add a user account, 58
    View a user account, 59
    Assign an IT policy to a user account, 60
    Assign a profile to a user account, 60
    Edit user account information, 60
    Change the device activation password for a user, 61

5 Activating and managing devices, 63
  Activating devices, 64
    Configure the default settings to activate a device, 64
    Update the template for the activation email message, 65
    Send an activation email message, 66
    Activate an iOS device, 66
    Activate an Android device, 67
    Setting an activation password using BES10 Self-Service, 68
  Managing devices, 68
    Using IT administration commands to manage devices, 68
    Users with multiple devices, 70
    Jailbroken or rooted status, 70
    Disable new device activations, 70
    Change the device ownership setting, 71
    View and save a device report, 71
    View device communication logs, 71
    Deactivating devices, 72

6 Maintaining and monitoring, 73
  Check the status of the BlackBerry Secure Connect Service, 74
  Logging, 74
    Log files, 74
    Audit logs, 75

7 IT policy rules, 77
  Descriptions of IT policy rules, 78
    Browser policy group, 78
    Camera and video policy group, 80
    Certificates policy group, 82
    Cloud service policy group, 83
    Connectivity policy group, 85
    Content policy group, 89
    Diagnostics and usage policy group, 92
    Encryption policy group, 93
    Lock screen policy group, 93
    Messaging policy group, 95
    Online store policy group, 95
    Password policy group, 98
    Phone and messaging policy group, 105
    Profiles and certificates policy group, 106
    Security policy group, 106
    Social policy group, 109
    Storage and backup policy group, 112
    Voice assistant policy group, 113
  Descriptions of work space IT policy rules, 114
    Allow sequential and repeated character passwords rule, 115
    Require letters rule, 115
    Require lowercase letters rule, 116
    Require numbers rule, 116
    Require special characters rule, 117
    Require uppercase letters rule, 117
    Restrict password length rule, 118
    Minimum length for the work space password rule, 118
    Maximum length for the work space password rule, 119
    Maximum password history rule, 119
    Lock work space when device locks rule, 120
    Lock device after inactivity in work space rule, 120
    Lock work space after inactivity rule, 121
    Track incorrect password attempts rule, 121
    Action after maximum incorrect password attempts rule, 122
    Enable plugins in secure browser rule, 123
    Deactivate device after period of inactivity rule, 123
    Work Connect contacts rule, 124
    Allow apps in the personal space to access files in the work space rule, 124
    Notification level rule, 125
    Allow S/MIME rule, 126

8 Product documentation, 127

9 Provide feedback, 131

10 Glossary, 133

11 Legal notice, 135

Chapter 1: Introduction

Topics:

• About this guide
• What is BlackBerry Enterprise Service 10?
• About the Universal Device Service
• About BES10 Self-Service

    Administration Guide Introduction


About this guide

The Universal Device Service allows you to manage iOS devices and Android devices in your organization's environment. This guide provides instructions on how to manage user accounts and devices after the Universal Device Service is installed and configured.

This guide is intended for IT professionals who are responsible for activating devices and managing user accounts. Before you can use the tasks in this guide, you need to complete the tasks to configure the Universal Device Service. You can find instructions on configuring the Universal Device Service in the BlackBerry Enterprise Service 10 Configuration Guide.

What is BlackBerry Enterprise Service 10?

BlackBerry Enterprise Service 10 helps you manage mobile devices for your organization. You can manage BlackBerry devices and BlackBerry PlayBook tablets, as well as iOS and Android devices, all from a unified interface. BlackBerry Enterprise Service 10 is designed to help protect business information, keep mobile workers connected with the information they need, and provide administrators with efficient tools that help keep business moving forward.

BlackBerry Enterprise Service 10 includes the following components:

Component                     Description
BlackBerry Device Service     Provides advanced administration for BlackBerry 10 devices and BlackBerry PlayBook tablets
Universal Device Service      Provides advanced administration for iOS and Android devices
BlackBerry Management Studio  Provides a unified interface to administer common tasks for BlackBerry 10 devices, BlackBerry PlayBook tablets, BlackBerry 7.1 and earlier devices, iOS devices, and Android devices
BES10 Self-Service            Provides a console to users so that they can perform some self-service tasks. For example, users can create activation passwords, remotely change the password on their device, or delete data from the device.

Key features of BlackBerry Enterprise Service 10

The table below describes some of the key features for BlackBerry Enterprise Service 10.

Feature                             Description
Management of most types of devices BlackBerry Enterprise Service 10 supports all types of BlackBerry devices and tablets, as well as iOS devices and Android devices.
Single, unified interface           BlackBerry Management Studio is a single, web-based interface where you can view all devices in one place and access the most common management tasks across multiple domains. These tasks include creating and managing groups, managing device controls, and activating mobile devices.
Trusted and secure experience       Device controls give you precise management of how devices connect to your network, what capabilities are enabled, and what apps are available. Whether the devices are owned by your organization or your users, you can protect your organization's information.
Balance of work and personal needs  BlackBerry Balance and Secure Work Space technology are designed to ensure that personal and work information are kept separate and secure on devices. If the device is lost or the employee leaves the organization, you can delete only work-related information or all information from the device. Additional security features are available depending on the device type.

About the Universal Device Service

The Universal Device Service is designed to permit you to manage devices that run iOS or Android OS in your organization's environment.

If you activate devices using the Universal Device Service, you can use the Universal Device Service to:

• Manage devices using the IT policies and IT administration commands that the devices support
• Configure profiles for devices so that you can control the connections to your organization's environment
• Assign activation type profiles to user accounts to control how devices are managed
• Provision and manage work applications on devices
• View the device inventory for your organization

To provide a single interface for helpdesk administrators to manage all the devices in your organization's environment, you can connect BlackBerry Management Studio to the Universal Device Service.


Using the Universal Device Service console

Feature                      Description
Drag and drop functionality  When viewing a group or user account, you can quickly apply IT policies, profiles and software configurations using drag and drop functionality.
User list                    In the user list, each row is a link that you can click to view the properties of the user account. You can sort and reverse sort the information in the user list by clicking any of the column headers. To display user accounts with multiple devices, sort by user.
Required fields              Fields that have a red asterisk (*) beside them are required. You must submit a value in all required fields to complete a task. Default values, which you can customize, are often displayed in the fields.
Available settings           In the Available Settings pane, you can view the number of users that are assigned to an IT policy, profile, or software configuration. The value shown represents the number of unique users that are assigned to a particular policy, profile, or software configuration. The user is not counted twice if they are assigned directly and by group assignment.
Online help                  Click the Help link in the upper-right corner of the screen to access online help. The online help is updated regularly to provide the most recent information.

Log in to the Universal Device Service console

Also known as the Administration Console, the Universal Device Service console allows you to manage the Universal Device Service and the user accounts associated with it. To open the Administration Console, you can use a browser on any computer that has access to the computer that hosts the Administration Console.

When you install BlackBerry Enterprise Service 10, you specify the username and password that you use to log in for the first time.

1. In the browser, type https://<FQDN>:<port>, where <FQDN> is the FQDN of the computer that hosts the Administration Console and <port> is the Administration Console port. The default port for the Administration Console is port 6443.
2. In the Username field, type your username.
3. In the Password field, type your password.
4. Click Log in.


About BES10 Self-Service

BES10 Self-Service is a web-based application that you can make available to users so that they can perform certain tasks such as creating activation passwords, remotely locking their devices, or deleting data from their devices. Users do not need to install any software on their computers to use BES10 Self-Service.

You must provide the BES10 Self-Service web address and login information to users. You can send this information in an email message, or edit the activation email template to include the information. Provide the following information:

• Web address. The web address for BES10 Self-Service is https://<FQDN>:7445, where <FQDN> is the FQDN of the computer that hosts the console, and 7445 is the default port. You can change the port in the BES10 Configuration Tool.
• Username and password. Company directory users can log in with their organization usernames and passwords. For local users that have BlackBerry 10 devices, you must create their usernames and passwords in the BlackBerry Device Service. Local users that have iOS or Android devices cannot use BES10 Self-Service.
• Domain name (for Microsoft Active Directory users)


Chapter 2

Setting up administrator accounts

Topics:

• Administrative roles and permissions

• Create an administrator account


Administrative roles and permissions

When you create administrator accounts, you assign roles to the accounts so that you can control who can perform tasks in the Universal Device Service.

Each role has a set of associated permissions. Permissions specify the information that you can view and the tasks that you can perform using the Administration Console. Each action that you perform in the Administration Console is associated with a specific permission.

    Assign the Security role to the administrator account that you use to change other administrator account permissions.

    Related information

    Create an administrator account, 18

Administrator permissions

Each role contains multiple permissions that are turned on. The roles make sure that administrators who do not have specific administrative permissions cannot escalate their permissions. For example, junior helpdesk administrators cannot escalate their roles to senior helpdesk administrator roles.

Permission   Security role   Enterprise role   Senior Helpdesk role   Junior Helpdesk role

    Create a group √ √ √

    Delete a group √ √

    View a group √ √ √ √

    Edit a group √ √ √

    Add user to a group √ √ √

    Create a user √ √ √

    Delete a user √ √ √

    View a user √ √ √ √

    Edit a user √ √ √ √

    Assign an administrative role √

    View a device √ √ √ √


    Edit a device √ √ √ √

    Specify device ownership √ √ √ √

    Specify an activation password √ √ √ √

    Generate an activation email √ √ √ √

    View device activation settings √ √ √ √

    Edit device activation settings √ √ √ √

    Create an IT policy √ √

    Delete an IT policy √ √

    View an IT policy √ √ √ √

    Edit an IT policy √ √

Assign an IT policy or a profile to a user √ √ √

    Create a software configuration √ √

    View a software configuration √ √ √ √

    Edit a software configuration √ √

    Delete a software configuration √ √

    Create an application definition √ √

    View an application √ √ √ √

    Edit an application √ √

    Delete an application √ √

Assign a software configuration to a user √ √ √

Delete all device data and remove device √ √ √ √

Delete only the organization data and remove device √ √ √ √
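The non-escalation rule described above (a helpdesk administrator cannot grant themselves a higher role) comes down to one permission check. The following Python is an added example and is not code from BlackBerry Enterprise Service 10: it encodes the permission table as role sets and makes any role change depend on the Security-only permission "Assign an administrative role". Because this text lost the table's column alignment, the role membership of the rows with two or three check marks is an assumption marked in the code; the rows held by every role and the Security-only row are exact.

```python
"""Role-based permission check modelled on the 'Administrator permissions' table.

Added example, not code from BlackBerry Enterprise Service 10. Rows in which
every role holds the permission (four check marks) and the Security-only row
are taken exactly from the table; for the rows whose column alignment is
lost in this text, the roles assigned here are an ASSUMPTION and are marked.
"""
from __future__ import annotations

SECURITY = "Security"
ENTERPRISE = "Enterprise"
SENIOR_HELPDESK = "Senior Helpdesk"
JUNIOR_HELPDESK = "Junior Helpdesk"
ALL_ROLES = frozenset({SECURITY, ENTERPRISE, SENIOR_HELPDESK, JUNIOR_HELPDESK})

# Permission -> set of roles that hold it.
PERMISSIONS: dict[str, frozenset[str]] = {
    # Exact: four check marks in the table, every role.
    "View a group": ALL_ROLES,
    "View a user": ALL_ROLES,
    "Edit a user": ALL_ROLES,
    "View a device": ALL_ROLES,
    "Specify an activation password": ALL_ROLES,
    "View an IT policy": ALL_ROLES,
    "Delete all device data and remove device": ALL_ROLES,
    # Exact: one check mark, Security role only.
    "Assign an administrative role": frozenset({SECURITY}),
    # ASSUMED: three check marks, read here as all roles except Junior Helpdesk.
    "Create a group": ALL_ROLES - {JUNIOR_HELPDESK},
    "Create a user": ALL_ROLES - {JUNIOR_HELPDESK},
    # ASSUMED: two check marks, read here as Security and Enterprise.
    "Create an IT policy": frozenset({SECURITY, ENTERPRISE}),
    "Edit an IT policy": frozenset({SECURITY, ENTERPRISE}),
}


class PermissionDenied(Exception):
    """The acting administrator's role does not hold the required permission."""


def has_permission(role: str, permission: str) -> bool:
    """True if `role` holds `permission`. Unknown permissions are denied (fail closed)."""
    if role not in ALL_ROLES:
        raise ValueError(f"unknown role: {role!r}")
    return role in PERMISSIONS.get(permission, frozenset())


def assign_role(acting_role: str, target_account: dict, new_role: str) -> dict:
    """Return a copy of `target_account` with its role changed.

    This is the check behind the guide's non-escalation rule: changing any
    account's role requires 'Assign an administrative role', which only the
    Security role holds, so a Junior Helpdesk administrator cannot promote an
    account (including their own) to Senior Helpdesk.
    """
    if new_role not in ALL_ROLES:
        raise ValueError(f"unknown role: {new_role!r}")
    if not has_permission(acting_role, "Assign an administrative role"):
        raise PermissionDenied(f"{acting_role} role cannot assign administrative roles")
    return {**target_account, "role": new_role}


def try_assign_role(acting_role: str, target_account: dict, new_role: str) -> bool:
    """True if the role change was permitted, False if it was refused."""
    try:
        assign_role(acting_role, target_account, new_role)
    except PermissionDenied:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample account.
    junior = {"username": "jdoe", "role": JUNIOR_HELPDESK}
    print(try_assign_role(JUNIOR_HELPDESK, junior, SENIOR_HELPDESK))  # False
    print(try_assign_role(SECURITY, junior, SENIOR_HELPDESK))         # True
```

The check fails closed: a permission that is not in the table is denied for every role, which is the safer default when new console actions are added before the matrix is updated.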


Create an administrator account

Before you begin: If you configured the Universal Device Service to connect to a company directory, you can add an administrator account directly from your organization's list of users. If you did not configure these settings, you can create local administrator accounts only.

    1. In the left pane, beside Administrators, click the + icon.

    2. In the Add a user window, perform one of the following tasks:

    Task Steps

Add an administrator account from the company directory.

If you have not configured the Universal Device Service to connect to a company directory, the Directory tab is not shown.

    1. On the Directory tab, search for an administrator account.

    2. In the Name drop-down list, select the administrator account.

3. If you want to add the administrator account to a group, in the Group membership drop-down list, select a group.

4. To specify if this administrator will use a work or personal device, in the Device ownership drop-down list, select an option.

    5. Verify that the Administrator account check box is selected.

    6. In the Administrator role drop-down list, select a role for the administrator.

Create a local administrator account.

    1. Select the Local tab.

    2. Specify the administrator details.

3. If you want to add the administrator account to a group, in the Group membership drop-down list, select a group.

4. To specify if this administrator will be using a corporate or personal device, in the Device ownership drop-down list, select an option.

    5. Verify that the Administrator account check box is selected.

    6. Type a password.

    7. In the Administrator role drop-down list, select a role for the administrator.

3. To specify device activation settings for the administrator account, in the Device Activation section, select Enable new device activations.

    4. Select one of the following options:

    • Use directory password to allow the administrator to use the company directory password to activate a device.

    • Specify an activation password to specify a password that the administrator must enter to activate a device.


5. To specify when the activation password expires, select a time and date in the Activation expiration (date) and Activation expiration (time) fields. If you do not specify an expiration date and time, the activation password will never expire.

6. To specify a maximum number of activation attempts the administrator is allowed to make before the device is locked, in the Maximum number of activations per device field, type a value.

7. To specify a maximum number of devices the administrator is allowed to have associated with this user account, in the Maximum number of devices to activate field, type a value.

    8. To specify the device platforms that are supported, select Permitted devices and select one or more platforms.

    9. To specify the device versions that are supported, in the drop-down list, select one or more versions.

10. To send an email message that contains the information that the administrator requires to activate the device, select Send activation email.

    11. If you are using custom variables, click the arrow beside Custom Variables and fill in the fields.

    12. Do one of the following:

• To save this administrator account and create another, click Save & New.

    • To save this administrator account, click Save.

    Related information

    Administrative roles and permissions, 16


Chapter 3

Setting up device controls

Topics:

• Creating and assigning profiles

• Using variables

• Sending certificates to devices

• Controlling how devices can connect to your organization's network

• Routing data for iOS devices through a proxy server

• Enforcing compliance rules

• Controlling how iOS and Android devices are activated and managed

• Controlling the capabilities of devices

• Routing data for the work browser through a proxy server

• Managing app availability on devices


Creating and assigning profiles

You can use profiles to define the settings on devices. After you create profiles, you can assign them to a user account or to a group of user accounts.

    Profile Description

    VPN Allows you to specify how devices connect to your organization's VPN

    Wi-Fi Allows you to specify how devices connect to your organization's Wi-Fi network

Microsoft ActiveSync Allows you to specify how devices connect to your organization's messaging server and synchronize email messages and organizer data using Microsoft ActiveSync

Global HTTP proxy Allows you to direct all HTTP traffic to and from the personal space on iOS devices through a proxy server behind your organization’s firewall. Supported for iOS devices that run iOS 6.0 or later and are supervised using Apple Configurator

CA certificate Allows devices that use certificate-based authentication to trust network or server certificates in your organization's environment

Client certificate Allows you to provide client certificates to users' devices using SCEP or a shared certificate

User certificate Allows you to assign a client certificate to an individual user account and send the certificate file to the user's devices

Compliance Allows you to set conditions that require or restrict apps and restrict jailbroken or rooted devices

Activation type Allows you to specify how a device is managed after a user activates it. The profile applies only to the next device that a user activates, and not to any currently activated devices.

Work space HTTP proxy Allows you to direct all HTTP traffic for the work browser on supported iOS and Android devices through a proxy server behind your organization’s firewall

Using variables

You can use variables and custom variables to replace user account attributes and other attributes in the activation email template and in profiles.

    Note: You cannot use variables in the template for the device compliance notification.


    The following table lists the variables that are available to use in the Universal Device Service.

    Variable Description

    %DisplayName% User's display name

    %UserEmailAddress% User's email address

    %UserName% User's username

    %ActivationExpirationFinish% Date and time when the activation password expires

    %ActivationPassword% Activation password that you created for the user

    %BSCAddress% Server address of the BlackBerry Secure Connect Service

    %SRPID% Unique SRP identifier for each BlackBerry Enterprise Service 10 instance

%BSCAddress%/%SRPID%/ca Internal web address where users can download the SSL certificate for the Communication Module

%EnterpriseAppStoreURL% Internal web address where users with iOS devices that are activated with user privacy can download work apps.

%SSLCertCommon% Common Name of the SSL certificate for the Communication Module

%SSLCertSHA% Fingerprint of the SSL certificate for the Communication Module

%Custom1%, %Custom2%, %Custom3%, %Custom4%, %Custom5% You can use up to five different variables for user attributes that you define. For security reasons, you should not use a custom variable for a password.

    Related information

    Update the template for the activation email message, 65

Use custom variables

Use custom variables to define your own user attributes in addition to the standard user attributes such as display name, contact email, and work phone number. You can use custom variables in the same way that you use other variables in the activation email template or when you create profiles.

Note: For security reasons, you should not use a custom variable for a password.

For example, for local users, a user's ActiveSync username might not be the same as their local account username, so you can use a custom variable to represent the ActiveSync username. In this example, Custom variable 1 is defined as the ActiveSync username.

    1. Search for a user account.

    2. In the search results, click the name of a user account.

    3. Click the edit icon.


    4. Expand Custom Variables.

    5. In the Custom variable 1 field, type the user's ActiveSync username. Click Save.

    6. When you create a Microsoft ActiveSync profile, type %Custom1% in the username field.
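To show how the variables in the table above and the custom variables from this procedure are resolved, here is an added Python example; it is not code from BlackBerry Enterprise Service 10. The UserAccount class, the server values and the sample user are constructed for the example, and it goes one step beyond the guide by reporting placeholders it cannot resolve, so a template or profile field can be checked before the message is sent with a raw %Name% left in it.

```python
"""Expand Universal Device Service variables in an activation email template or profile field.

Added example, not code from BlackBerry Enterprise Service 10. It resolves the
standard %Name% variables from the guide's table and %Custom1%..%Custom5% from
a per-user map, and reports any placeholder it cannot resolve instead of
leaving it in the message unnoticed. The UserAccount fields and the server
values are this example's own constructed data.
"""
import re
from dataclasses import dataclass, field

VARIABLE_RE = re.compile(r"%([A-Za-z][A-Za-z0-9]*)%")
CUSTOM_RE = re.compile(r"^Custom([1-5])$")

# Standard variables resolved from the user account (variable -> attribute).
ACCOUNT_VARIABLES = {
    "DisplayName": "display_name",
    "UserEmailAddress": "email",
    "UserName": "username",
    "ActivationPassword": "activation_password",
    "ActivationExpirationFinish": "activation_expires",
}

# Deployment-wide variables; these values are constructed placeholders.
SERVER_VARIABLES = {
    "BSCAddress": "bsc.example.com",
    "SRPID": "S0000000001",
    "SSLCertCommon": "uds.example.com",
    "SSLCertSHA": "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33",
    "EnterpriseAppStoreURL": "https://uds.example.com/apps",
}


@dataclass
class UserAccount:
    username: str
    display_name: str
    email: str
    activation_password: str = ""
    activation_expires: str = "never"
    # Custom variable index (1-5) -> value, e.g. {1: "<ActiveSync username>"}.
    # Per the guide, do not store a password here: custom variables are plain
    # attributes that end up in email messages and profiles.
    custom: dict = field(default_factory=dict)


def resolve(name: str, account: UserAccount):
    """Return the value for variable `name`, or None if it is not defined."""
    if name in ACCOUNT_VARIABLES:
        return getattr(account, ACCOUNT_VARIABLES[name])
    if name in SERVER_VARIABLES:
        return SERVER_VARIABLES[name]
    custom = CUSTOM_RE.match(name)
    if custom:
        return account.custom.get(int(custom.group(1)))
    return None


def expand(template: str, account: UserAccount):
    """Substitute every %Name% in `template`.

    Returns (text, unresolved): placeholders with no value are left in place
    and their names listed, so a template can be checked before it is sent.
    """
    unresolved = []

    def substitute(match):
        name = match.group(1)
        value = resolve(name, account)
        if value is None:
            unresolved.append(name)
            return match.group(0)
        return str(value)

    return VARIABLE_RE.sub(substitute, template), unresolved


if __name__ == "__main__":
    # Constructed sample user whose ActiveSync username differs from the local
    # username; the ActiveSync username is carried in custom variable 1.
    user = UserAccount("jdoe", "Jane Doe", "jdoe@example.com",
                       activation_password="Tf4k-93qz", custom={1: "EXAMPLE\\jane.doe"})
    print(expand("Hello %DisplayName%, activate with %ActivationPassword% "
                 "(expires %ActivationExpirationFinish%).", user))
    print(expand("%Custom1%", user))          # ('EXAMPLE\\jane.doe', [])
    print(expand("%Custom2% %Bogus%", user))  # ('%Custom2% %Bogus%', ['Custom2', 'Bogus'])
```

Unresolved names are left in the output rather than replaced with an empty string; a username field in a Microsoft ActiveSync profile that silently became blank would be harder to diagnose than one that still reads %Custom1%.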

Sending certificates to devices

A certificate is a digital document that binds the identity and public key of a certificate subject. Each certificate has a corresponding private key that is stored separately. A CA signs the certificate to verify that it can be trusted.

    A device can use certificates to:

    • Authenticate using SSL/TLS when it connects to web pages that use HTTPS

    • Authenticate with a work messaging server

    • Authenticate with a work Wi-Fi network or VPN

    • Encrypt and sign email messages using S/MIME protection

Many certificates that are used for different purposes can be stored on a device. You can use certificate profiles to send client certificates and CA certificates to devices.

Setting up encrypted email using S/MIME

You can extend email security for iOS and Android device users by permitting users to send and receive S/MIME-protected email messages. You cannot force users to use S/MIME. There are two types of S/MIME protection available:

    • S/MIME for the native iOS email app. You enable this type of S/MIME in a Microsoft ActiveSync profile.

    • S/MIME for the iOS and Android apps in the work space. You enable this type of S/MIME in a work space IT policy.

To use either type of S/MIME, a user must enable S/MIME on the device and specify whether to encrypt, sign, or encrypt and sign emails. Users must store their private keys and a certificate for each recipient that they want to send an encrypted email message to on their devices. Users can store a key and certificates by importing the files from an email message.

Create a CA certificate profile

You can use CA certificate profiles to distribute CA certificates to devices if the devices use certificate-based authentication to connect to a network or server in your organization’s environment. When a device has the certificate for the CA that signed a server certificate, the device recognizes and trusts the server certificate. The CA certificate has a .cer, .crt, or .der file name extension.


Note: You cannot send CA certificates to devices that are activated with the "Work and Personal - User Privacy" activation type.

    1. On the menu bar, click Library.

    2. In the CA certificate pane, click the + icon.

3. In the Certificate name field, type a name for the CA certificate profile. Each CA certificate profile must have a unique name. Some names (for example, ca_1) are reserved by default.

    4. In the Certificate description field, type a description for the CA certificate profile.

    5. In the Certificate file field, click Browse to specify the location of the certificate file.

    6. Click Save.

    Related information

    Assign a profile to a group, 56

    Assign a profile to a user account, 60

Create a client certificate profile for SCEP

You can use a client certificate profile for SCEP to specify how devices obtain certificates from your organization's CA. SCEP is a protocol that is used to automate the submission of certificate requests to a SCEP service and issue client certificates to supported devices. Devices use the certificates to authenticate with your organization's servers.

Android devices do not support SCEP.

Before you begin: If you want the Universal Device Service to use a dynamic password obtained from an external SCEP service, configure the external SCEP settings. For instructions, see Configure the external SCEP settings.

    1. On the menu bar, click Library.

    2. In the Shared certificate pane, click the + icon.

    3. In the Certificate name field, type a name for the profile.

    4. In the Certificate description field, type a description for the profile.

    5. In the Certificate source drop-down list, click SCEP.

    6. If the certificates need a subject alternative name, perform the following actions:

    a. In the Alternative subject name type drop-down list, click the appropriate type.

b. In the Alternative representation of the certificate subject field, type the subject alternative name. The value must be an email address, the DNS name of the CA server, or the fully qualified URL of the server.

    c. In the NT principal name for certificate generation field, type the user principal name.

7. If your CA uses HTTP instead of HTTPS, in the Fingerprint for enrolling a SCEP certificate field, paste the CA certificate fingerprint. Devices use the fingerprint to confirm the identity of the CA during the enrollment process.


8. If you want to permit users to use the certificate for digital signatures, select the Use the generated certificate for digital signatures check box.

9. If you want to permit users to use the certificate for encryption, select the Use the generated certificate for key encipherment check box.

    10. In the Key size for certificate generation field, type the key size. The default value is 1024.

11. If necessary for your organization's SCEP configuration, in the Subject field, type CN=<common name>,O=<organization>.

    12. If you want to permit devices to retry the server connection if the first attempt fails, perform the following actions:

    a. Select the Retry SCEP connection check box.

b. In the Number of times SCEP connection should be retried field, type the number of times that devices can try to connect.

c. In the Time in seconds before the SCEP connection should be retried field, type the number of seconds that devices should wait between each attempt.

13. If you want to proxy SCEP requests from devices through the Universal Device Service, select the Proxy SCEP requests through the Universal Device Service check box.

    14. In the SCEP server configuration type drop-down list, perform one of the following actions:

    • If you want the system to use the external SCEP settings that you configured, click External.

    • If you want to specify the SCEP settings, click Defined.

    15. If you selected Defined in step 14, perform the following actions:

    a. In the CA-IDENT attribute of the SCEP configuration field, type the name of the CA.

b. In the Pre-shared secret type to use in certificate generation drop-down list, click None or Plain text. If you select Plain text, type the pre-shared secret.

    c. In the Base URL of the SCEP server field, type the URL of the SCEP server.

    16. Click Save.

    Related information

    Assign a profile to a group, 56

    Assign a profile to a user account, 60

Configure the external SCEP settings

You can configure external SCEP settings that allow the Universal Device Service to request a dynamic password from the SCEP service. The Universal Device Service injects the password into the client certificate profile for SCEP when it sends the profile to devices.

    The default service type for the external SCEP is MSCA-NDES.

    1. On the menu bar, click Settings.

    2. In the External Integration pane, click External SCEP.


    3. Select the Enable SCEP check box.

    4. In the Authentication type drop-down list, click the appropriate authentication type.

5. If you selected NTLM authentication, in the Domain of the credentials for the external SCEP service field, type the domain of the external SCEP service.

    6. In the Username field, type the user name for the external SCEP service.

    7. In the Password field, type the password for the external SCEP service.

    8. In the URL for generating the challenge secret key of the directory field, type the URL.

    9. In the CA-IDENT attribute field, type the CA-IDENT attribute of the external SCEP service.

10. In the URL for enrollment requests of the directory field, type the URL.

11. Click Save.
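The two procedures above (the client certificate profile for SCEP and the external SCEP settings) set several values that decide how much a device can trust the CA it enrolls with. The Python below is an added example and is not code from BlackBerry Enterprise Service 10: it reviews the profile and the external settings as plain dicts and reports a CA reached over HTTP without a fingerprint, a plain-text pre-shared secret, incomplete external or retry settings, and, going beyond the guide, a key size below 2048 bits. The dict key names, the `profile` and `external` parameter names, the sample values and the key-size threshold are this example's own choices, not the product's.

```python
"""Review the settings of a client certificate profile for SCEP before it is saved.

Added example, not code from BlackBerry Enterprise Service 10. The checks
follow the fields in the guide's procedures: the CA certificate fingerprint
that devices use to confirm the CA when it is reached over HTTP, the key size,
the retry settings, the pre-shared secret type, and the external SCEP settings
(NTLM domain, challenge and enrollment URLs, CA-IDENT). The dict keys, the
`profile` and `external` parameter names and the 2048-bit key-size threshold
are this example's own choices, not the product's.
"""
import re

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def normalize_fingerprint(value):
    """Return the fingerprint as lowercase hex without separators, or None.

    Accepts 'AB:CD:..' or 'abcd..' forms; only SHA-1 (40 hex digits) and
    SHA-256 (64 hex digits) lengths are accepted, so a truncated paste is rejected.
    """
    hexstr = re.sub(r"[\s:]", "", value or "")
    if not HEX_RE.match(hexstr) or len(hexstr) not in (40, 64):
        return None
    return hexstr.lower()


def check_scep_profile(profile, external=None):
    """Return a list of 'error: ...' / 'warning: ...' findings (empty list = clean)."""
    findings = []
    config_type = profile.get("server_config_type", "Defined")
    base_url = ""

    if config_type == "Defined":
        base_url = profile.get("base_url", "")
        if not base_url:
            findings.append("error: Defined configuration needs the base URL of the SCEP server")
        if profile.get("pre_shared_secret_type") == "Plain text":
            findings.append("warning: a plain-text pre-shared secret is one static value shared "
                            "by every device; a dynamic password from the external SCEP "
                            "settings avoids that")
    elif config_type == "External":
        if not external or not external.get("enabled"):
            findings.append("error: External configuration selected but external SCEP is not enabled")
        else:
            for key in ("username", "password", "challenge_url", "enrollment_url", "ca_ident"):
                if not external.get(key):
                    findings.append(f"error: external SCEP setting '{key}' is empty")
            if external.get("auth_type") == "NTLM" and not external.get("domain"):
                findings.append("error: NTLM authentication needs the domain of the credentials")
            base_url = external.get("enrollment_url", "")
    else:
        findings.append(f"error: unknown SCEP server configuration type {config_type!r}")

    # Step 7: over plain HTTP the device can only confirm the CA by its fingerprint.
    if base_url.lower().startswith("http://"):
        if normalize_fingerprint(profile.get("ca_fingerprint")) is None:
            findings.append("error: CA reached over HTTP but no valid CA certificate fingerprint "
                            "is set, so devices cannot confirm the CA during enrollment")

    # Step 10: the field defaults to 1024; 1024-bit RSA is below current guidance.
    key_size = int(profile.get("key_size", 1024))
    if key_size < 2048:
        findings.append(f"warning: key size {key_size} is below 2048 bits")

    # Step 12: retries need both a count and a wait between attempts.
    if profile.get("retry"):
        if int(profile.get("retry_count", 0)) < 1:
            findings.append("error: retry is enabled but the number of retries is not set")
        if int(profile.get("retry_interval_seconds", 0)) < 1:
            findings.append("error: retry is enabled but the wait between attempts is not set")

    return findings


if __name__ == "__main__":
    # Constructed weak profile: HTTP CA without fingerprint, static secret, 1024-bit keys.
    weak = {"server_config_type": "Defined",
            "base_url": "http://ca.example.com/certsrv/mscep/",
            "pre_shared_secret_type": "Plain text", "key_size": 1024}
    for finding in check_scep_profile(weak):
        print(finding)
    # Constructed hardened profile: external SCEP over HTTPS with a dynamic password.
    external = {"enabled": True, "auth_type": "NTLM", "domain": "EXAMPLE",
                "username": "svc-scep", "password": "<secret>",
                "challenge_url": "https://ndes.example.com/certsrv/mscep_admin/",
                "enrollment_url": "https://ndes.example.com/certsrv/mscep/",
                "ca_ident": "Example Issuing CA"}
    hardened = {"server_config_type": "External", "key_size": 2048,
                "retry": True, "retry_count": 3, "retry_interval_seconds": 30}
    print(check_scep_profile(hardened, external))  # []
```

Findings are returned as strings with an error/warning prefix so that a review script can fail on errors and only log warnings; the fingerprint is normalized before the check so that a value pasted with or without colons is treated the same way.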

Create a client certificate profile for a shared certificate

You can use a client certificate profile for a shared certificate to send the same client certificate to multiple devices. The devices present the client certificate for authentication to a network or server in your organization's environment. You might want to use this profile to distribute certificates when your environment or users' devices do not support SCEP. The client certificate has a .pfx file extension.

    1. On the menu bar, click Library.

    2. In the Shared certificate pane, click the + icon.

3. In the Certificate name field, type a name for the profile. Each client certificate profile for a shared certificate must have a unique name. Some names (for example, ca_1) are reserved by default.

    4. In the Certificate description field, type a description for the profile.

    5. In the Certificate source drop-down list, click File.

    6. In the Certificate file field, click Browse to specify the location of the certificate file.

    7. In the Password field, type a password for the profile.

    8. Click Save.

Related information

Assign a profile to a group, 56

    Assign a profile to a user account, 60


Create a user certificate profile and assign it to a user account

You can use a user certificate profile to assign a client certificate to an individual user account and send the certificate to the user's devices. The devices present the client certificate for authentication to a network or server in your organization's environment. You might want to use user certificate profiles to distribute certificates when your environment or devices do not support SCEP. The client certificate has a .pfx file extension.

User certificate profiles are only available for individual user accounts and are not available in the Profiles pane.

1. Search for a user account.

    2. In the search results, click the name of a user account.

    3. In the IT policies and profiles section, click the + icon.

    4. Click User certificate.

    5. In the Certificate name field, type a name for the user certificate profile.

    6. In the Certificate description field, type a description for the user certificate profile.

    7. In the Password field, type a password for the user certificate profile.

    8. In the Certificate file field, click Browse to specify the location of the certificate file.

    9. Click Apply.

Controlling how devices can connect to your organization's network

You can specify how users' devices can connect to your organization's network and messaging servers.

Create a Microsoft ActiveSync profile

You can use Microsoft ActiveSync profiles to specify how devices connect to your organization's messaging server and synchronize email messages and organizer data using Microsoft ActiveSync. You can also specify whether users can use S/MIME to encrypt or sign email messages in the native iOS email app. You cannot force users to use S/MIME.

    Before you begin:


• If you use certificate-based authentication, create a CA certificate profile and a client certificate profile, or user certificate profile, and assign them to users. Certificate-based authentication is for iOS devices only. For more information, see Sending certificates to devices.

• For Android devices that do not have a work space, users must install TouchDown on their devices or use a Motorola device that supports the Enterprise Device Management API.

    • If you want to use Notes Traveler, devices must have a work space.

    1. On the menu bar, click Library.

    2. In the Microsoft ActiveSync pane, click the + icon.

    3. In the Profile name field, type the profile name.

    4. In the Profile description field, type a description for the profile.

    5. In the Credentials drop-down list, perform one of the following actions:

    • If you want to use basic authentication (for example, a username and password), click None.

• If you want to use a certificate profile for authentication (iOS devices only), click Certificate. In the Credential name or description field, type a description.

    6. If you selected Certificate in step 5, perform the following actions:

    • In the Certificate identifier drop-down list, click the certificate profile that you want to use.

• If you want to prompt users for a password when their devices try to authenticate with the server or network, select the Prompt the user for a password check box.

    7. In the Domain field, type the user domain name.

    8. In the Email address field, perform one of the following actions:

    • If the profile is for one user, type the email address of the user.

    • If the profile is for multiple users, type %UserEmailAddress%.

    9. In the Host name or IP address field, type the host name or IP address of the Microsoft ActiveSync server.

    10. In the Username field, perform one of the following actions:

    • If the profile is for one user, type the username.

    • If the profile is for multiple users, type %UserName%.

    • If the profile is for multiple users in a Notes Traveler environment, type %DisplayName%.

11. If you want to permit users to encrypt or sign email messages in the native iOS email app, select the Use S/MIME check box. Perform any of the following actions:

• In the Encryption certificate identifier drop-down list, click the client certificate profile that users can use to encrypt email messages.

• In the Signing certificate identifier drop-down list, click the client certificate profile that users can use to sign email messages.

12. If you want to control how devices manage email messages, select the Disable moving or sending email messages and limit sync time check box. Perform any of the following actions:


• To prevent moving email messages from this account to another existing email account on the device, select the Disable moving email messages to another account check box.

• To prevent third-party applications on the device from using this account to send email messages, select the Disable sending email messages from this account in third-party applications check box.

• To specify how long to keep existing email messages for this account on the device, select the Limit time to sync email messages check box. Specify the synchronization period.

13. If you do not want devices to synchronize new email recipients to the device address book, select the Disable synchronizing new recipients to device address book check box.

14. If the Microsoft ActiveSync server requires SSL authentication, select the Use SSL check box. If you want to permit work space apps to accept any server certificate when connecting to the Microsoft ActiveSync server (including the default ActiveSync self-signed certificate), select the Accept all SSL certificates check box.

15. Click Add.

    Related information

    Assign a profile to a group, 56

    Assign a profile to a user account, 60

Create a Wi-Fi profile

Before you begin: If you use certificate-based authentication, create a CA certificate profile and a client certificate profile, or user certificate profile, and assign them to users. For more information, see Sending certificates to devices.

    1. On the menu bar, click Library.

    2. In the Wi-Fi pane, click the + icon.

    3. In the Profile name field, type the profile name.

    4. In the Profile description field, type a description for the profile.

    5. If required, in the BSSID field, type the BSSID of the Wi-Fi network.

    6. If you do not want to broadcast the SSID for the Wi-Fi network, select the Hidden network check box.

    7. In the SSID field, type the network name of the Wi-Fi network.

8. If you want iOS device users to be able to connect to the Wi-Fi network automatically, verify that the Automatically join the network check box is selected.

    9. In the Network configuration drop-down list, select the appropriate network configuration.

    10. In the Proxy type drop-down list, perform one of the following actions:

    Task Steps

    Do not select a proxy server. Select None.


Automatically select an available proxy server.

    Select Automatic and type the URL used to retrieve proxy settings.

    Specify a proxy server. 1. Select Manual.

2. In the Host name or IP address for the proxy server field, type the host name or IP address.

    3. In the Port number for the proxy server field, type the port number.

    4. In the Username for the proxy server field, type the login name.

    5. In the Password for the proxy server field, type the password.

    11. In the Security type drop-down list, perform one of the following actions:

    Task Steps

    Do not select a security type. Select None.

Specify the Wi-Fi settings for a Personal security type.

    1. Select Personal.

    2. In the Password field, type the password.

3. In the Security type of the personal Wi-Fi profile drop-down list, click the appropriate security type.

Specify the Wi-Fi settings for an Enterprise security type.

1. Select Enterprise.

2. In the Security type of the enterprise Wi-Fi profile drop-down list, click the appropriate security type.

    3. On the Protocols tab, select the protocols that apply to the Wi-Fi network.

    4. On the Authentication tab, perform any of the following actions as required:

a In the Identification for TTLS, PEAP and EAP-FAST field, type the appropriate identifier.

b If the Wi-Fi network requires a password, and you don't want users to have to type the password, select the Password provided by the Wi-Fi configuration check box. In the Wi-Fi connection password field, type the password.

c If the Wi-Fi network requires that users provide a username, and you don't want users to have to type their username, in the Username field, type %UserName%.

d In the Authentication type for enterprise Wi-Fi configuration drop-down list, click the appropriate authentication type. If you select Certificate, in the Certificate identifier drop-down list, click the certificate profile that you want to use.


    5. On the Trust tab, perform the following actions as required:

a Click the + icon next to Trusted certificate identifiers expected for authentication. In the drop-down list, click a certificate identifier.

b To specify an expected certificate common name, click the + icon next to Certificate common names expected from the authentication server and type the common name.

c If you want to permit iOS device users to allow exceptions to trust rules, select the Trust user decisions check box.

    12. Click Save.

    Related information

    Assign a profile to a group, 56

    Assign a profile to a user account, 60
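The following Python model is an added example and is not code from BlackBerry or from this guide. It shows what the Authentication and Trust tab settings above correspond to in an iOS Wi-Fi payload (Apple's documented EAPClientConfiguration keys), expands the %UserName% token that this procedure and the VPN procedure below both use, and walks a simplified trust decision to show why an enterprise profile that names no trusted certificate identifier and no expected common name lets a rogue access point broadcasting the same SSID present any authentication server certificate it likes. The console-field-to-key mapping, the user record layout, the placeholder UUIDs and host names, and the trust check itself are assumptions of the example, not a description of how the Universal Device Service generates profiles.

```python
"""Added example (not BlackBerry's code): what the Enterprise Wi-Fi profile's
Authentication and Trust tabs amount to for an iOS supplicant, and why the
Trust tab is the part that stops a rogue access point from harvesting
credentials. EAPClientConfiguration and its keys are Apple's documented
Wi-Fi payload keys; the field-to-key mapping, the %UserName% expansion and
the trust check are this example's own simplified model."""
import fnmatch
import plistlib
import re

# IANA EAP method numbers, as used in Apple's AcceptEAPTypes array.
EAP_TYPES = {"TLS": 13, "TTLS": 21, "PEAP": 25, "EAP-FAST": 43}

_VARIABLE = re.compile(r"%(\w+)%")


def expand_variables(template, user):
    """Expand console variables such as %UserName% from a user record whose
    keys are lower-cased attribute names (an assumption of this example).
    The VPN profile's username field uses the same token."""
    def substitute(match):
        key = match.group(1).lower()
        if key not in user:
            raise KeyError("no value for %%%s%%" % match.group(1))
        return user[key]
    return _VARIABLE.sub(substitute, template)


def build_eap_config(protocols, outer_identity=None, username=None, password=None,
                     anchor_uuids=(), expected_cns=(), trust_user_decisions=False):
    """Map the console fields to the EAPClientConfiguration dictionary."""
    config = {
        "AcceptEAPTypes": [EAP_TYPES[p] for p in protocols],      # Protocols tab
        "PayloadCertificateAnchorUUID": list(anchor_uuids),       # Trusted certificate identifiers
        "TLSTrustedServerNames": list(expected_cns),              # Expected common names
        "TLSAllowTrustExceptions": bool(trust_user_decisions),    # Trust user decisions
    }
    if outer_identity:
        config["OuterIdentity"] = outer_identity   # Identification for TTLS, PEAP and EAP-FAST
    if username:
        config["UserName"] = username
    if password:
        config["UserPassword"] = password          # Password provided by the Wi-Fi configuration
    return config


def server_trusted(config, server_cn, issuer_uuid, user_accepts=False):
    """Simplified model of the device's decision on the authentication server's
    certificate. Returns (trusted, reason). Expected names may use the
    *.example.com form; fnmatch lets '*' span dots, which is looser than a
    real supplicant."""
    anchors = config.get("PayloadCertificateAnchorUUID", [])
    names = config.get("TLSTrustedServerNames", [])
    if not anchors and not names:
        return _exception(config, user_accepts, "no trust anchor or server name is configured")
    if anchors and issuer_uuid not in anchors:
        return _exception(config, user_accepts, "issuer is not a trusted anchor")
    if names and not any(fnmatch.fnmatchcase(server_cn.lower(), n.lower()) for n in names):
        return _exception(config, user_accepts, "server name %s was not expected" % server_cn)
    return True, "anchor and server name match"


def _exception(config, user_accepts, reason):
    # With "Trust user decisions" selected, a user tapping Trust overrides the rule.
    if config.get("TLSAllowTrustExceptions") and user_accepts:
        return True, reason + " (accepted by user exception)"
    return False, reason


def wifi_payload(ssid, eap_config):
    """Wrap the EAP settings in an Apple Wi-Fi payload; identifiers are placeholders."""
    return {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi.corp",
        "PayloadUUID": "3b6f1c9e-0f3d-4a7a-9c21-0123456789ab",
        "SSID_STR": ssid,
        "EncryptionType": "WPA",
        "AutoJoin": True,
        "EAPClientConfiguration": eap_config,
    }


def roundtrip(payload):
    """Serialise to plist XML and back, proving the payload is well-formed."""
    return plistlib.loads(plistlib.dumps(payload))


if __name__ == "__main__":
    cfg = build_eap_config(["PEAP", "TTLS"], "anonymous",
                           expand_variables("%UserName%", {"username": "alice"}),
                           anchor_uuids=["corp-root-ca"], expected_cns=["*.example.com"])
    print(plistlib.dumps(wifi_payload("CorpWiFi", cfg)).decode())
    print(server_trusted(cfg, "radius01.example.com", "corp-root-ca"))
    print(server_trusted(cfg, "radius01.example.com", "evil-twin-ca"))
```

Run it as a script to print the payload and the two trust decisions. The decision that matters in practice is the second one: an attacker who stands up an access point with the corporate SSID and their own RADIUS server is rejected only because the issuer is not one of the trusted certificate identifiers. With the Trust user decisions check box selected, a user who taps Trust on the warning turns that rejection into an acceptance, so leave that option off unless you have a specific reason for it.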

    Create a VPN profile

    Android devices do not support VPN profiles.

    Note: To allow affected third-party devices to store the XAuth password, you can modify the group-policy attributes of the VPN profile in your Cisco VPN system to include the password-storage enable option. For more information, visit www.blackberry.com/go/kbhelp to read KB30353.

    Before you begin: If you use certificate-based authentication, create a CA certificate profile and a client certificate profile or a user certificate profile, and assign them to users. For more information, see Sending certificates to devices.

    1. On the menu bar, click Library.

    2. In the VPN pane, click the + icon.

    3. In the Profile name field, type the profile name.

    4. In the Description of the VPN profile field, type a description for the profile.

    5. In the VPN profile type drop-down list, click the appropriate profile type.

    6. In the Authentication drop-down list, click the appropriate authentication type. The available authentication types depend on the profile type that you selected.

    7. Specify the VPN settings for your organization and select the appropriate options. The required settings and available options depend on the profile type and authentication type that you selected.

    8. In the Hostname or IP address of VPN server field, type the host name or IP address of the VPN gateway.


    9. If the VPN gateway requires that users provide a username, and you don't want users to have to type their username, in the Username for authenticating the connection field, type %UserName%.

    10. In the Proxy type drop-down list, perform one of the following actions:

    Task: Do not select a proxy server.
    Steps: Select None.

    Task: Automatically select an available proxy server.
    Steps: Select Automatic and type the URL used to retrieve proxy settings.

    Task: Specify a proxy server.
    Steps:

        1. Select Manual.

        2. In the Host name or IP address for the proxy server field, type the host name or IP address.

        3. In the Port number for the proxy server field, type the port number.

        4. In the Username for the proxy server field, type the login name.

        5. In the Password for the proxy server field, type the password.

    11. Click Save.

    Related information

    Assign a profile to a group, 56

    Assign a profile to a user account, 60

    Routing data for iOS devices through a proxy server

    For iOS devices that run iOS 6.0 or later and are supervised using Apple Configurator, you can direct all HTTP traffic to and from the personal space on devices through a proxy server behind your organization's firewall. To route data from the personal space through a proxy server, you must create and assign a global HTTP proxy profile to user accounts or groups.

    Global HTTP proxy profiles support proxy servers that use Basic Authentication, Integrated Authentication, or no authentication.

    Create a global HTTP proxy profile for iOS devices

    1. On the menu bar, click Library.

    2. In the left pane, click the + icon next to Global HTTP Proxy.


    3. Type a name and a description for the proxy profile.

    4. In the Proxy type drop-down list, perform one of the following actions:

       • If you want to select the proxy server automatically using a PAC file, click Automatic. In the PAC URL field, type the URL for the PAC file.

       • If you want to specify the proxy server, click Manual. Specify the FQDN or IP address of the proxy server, the port number, and the username and password of the account that you want to use to authenticate with the proxy server. These credentials are delivered to every device that receives the profile, so use an account that has no rights beyond authenticating to the proxy.

    5. Click Save.

    After you finish: Assign the global HTTP proxy profile to user accounts or groups.

    Related information

    Assign a profile to a group, 56

    Assign a profile to a user account, 60

    Enforcing compliance rules

    You can use compliance profiles to encourage iOS and Android device users to follow your organization's standards for the use of mobile devices. A compliance profile specifies the device conditions that are not acceptable in your organization. For example, you can choose to disallow jailbroken or rooted devices.

    A compliance profile specifies the following information:

    • Conditions that would make a device non-compliant with BlackBerry Enterprise Service 10. You can specify any of the following conditions:

      • Device is jailbroken or rooted

      • Non-assigned application is installed

      • Optional application is not updated

      • Required application is not installed

      • Required application is not updated

    • Notifications that users receive if they violate the compliance conditions and the amount of time that users have to correct the issue

    • Action that is taken if the user does not correct the issue, including limiting a user's access to your organization's resources, deleting work data from the device, or deleting all data from the device


    Assigning and reconciling compliance profiles

    Each user account can only be assigned one compliance profile. If you try to assign more than one compliance profile to a user account, BlackBerry Enterprise Service 10 resolves the conflict and assigns the appropriate compliance profile using the following rules:

    • A compliance profile assigned directly to a user account takes precedence over a compliance profile assigned to a group, and over the default compliance profile

    • A compliance profile assigned to a group takes precedence over the default compliance profile

    • The default compliance profile is assigned to a user account only if the user is not assigned a compliance profile directly or through group membership

    Change the default compliance profile

    The default compliance profile is assigned to user accounts only if the user is not assigned a compliance profile directly or through group membership. You can change the settings of the default compliance profile but you cannot delete it.

    1. On the menu bar, click Library.

    2. In the left pane, click Compliance > Default.

    3. Type a description for the default compliance profile.

    4. Select the check box next to the settings that you want to configure. Do any of the following:

    • If you want jailbroken or rooted devices to be considered non-compliant, select Jailbroken or rooted device.

    • If you want devices with applications that you did not install to be considered non-compliant, select Non-assigned application is installed. Non-assigned applications do not include core applications that are installed with the device operating system.

    • If you want devices that have not installed the latest update for optional applications to be considered non-compliant, select Optional application is not updated.

    • If you want devices that do not have a required application to be considered non-compliant, select Required application is not installed.

    • If you want devices that have not installed the latest update for required applications to be considered non-compliant, select Required application is not updated.

    5. In the Enforcement action drop-down list, for each setting that you selected in step 4, configure the Universal Device Service to perform one of the following tasks when user accounts do not meet your organization's requirements:

    Task: Automatically send an email message, a device notification message, or both that advises users of a compliance issue and of the consequences.
    Steps:

        1. Select Prompt for compliance.

        2. In the Prompt method drop-down list, select the type of message that you want the Universal Device Service to send. The message body comes from the compliance notification template, which you can update. Do one of the following:

           • To send an email message, select Email.

           • To send a device notification message, select Notification. Users can view the notification on the device.

           • To send an email message and a device notification message, select Both.

        3. In the Prompt count field, specify the number of times an email message or a device notification message should be sent before the required action is enforced.

        4. In the Prompt interval fields, specify the time between prompts.

        5. In the Prompt interval expired action drop-down list, select the action that you want the Universal Device Service to take when the prompt period expires. For example, if the prompt count is three and the prompt interval is 10 minutes, the prompt period expires after 30 minutes. Do one of the following:

           • If you do not want to choose any options, select None.

           • To block users from accessing your organization's resources and applications from their device, select Untrust. Data and applications are not deleted from the device.

           • To delete your organization's data from the device, select Delete only work data (unmanage).

           • To delete all data from the device, select Delete all data (full control device) or unmanage (user privacy device).

    Task: Block users from accessing work resources and applications from their device.
    Steps: Select Untrust. Data and applications are not deleted from the device.

    Task: Delete work data from the device and remove the device from the user account.
    Steps: Select Delete only work data (unmanage).

    Task: For devices that are activated with MDM controls or Work and personal - full control, delete all data from the devices and return the device to factory settings. For devices that are activated with Work and personal - user privacy, delete work data and remove the device from the user account.
    Steps: Select Delete all data (full control device) or unmanage (user privacy device).

    6. Click Save.

    Create a compliance profile

    1. On the menu bar, click Library.

    2. In the Compliance pane, click the + icon.

    3. Type a name and description for the compliance profile.

    4. Select the check box next to the settings that you want to configure. Do any of the following:

    • If you want jailbroken or rooted devices to be considered non-compliant, select Jailbroken or rooted device.

    • If you want devices with applications that you did not install to be considered non-compliant, select Non-assigned application is installed. Non-assigned applications do not include core applications that are installed with the device operating system.

    • If you want devices that have not installed the latest update for optional applications to be considered non-compliant, select Optional application is not updated.

    • If you want devices that do not have a required application to be considered non-compliant, select Required application is not installed.

    • If you want devices that have not installed the latest update for required applications to be considered non-compliant, select Required application is not updated.

    5. In the Enforcement action drop-down list, for each setting that you selected in step 4, configure the Universal Device Service to perform one of the following tasks when user accounts do not meet your organization's requirements:

    Task: Automatically send an email message, a device notification message, or both that advises users of a compliance issue and of the consequences.
    Steps:

        1. Select Prompt for compliance.

        2. In the Prompt method drop-down list, select the type of message that you want the Universal Device Service to send. The message body comes from the compliance notification template, which you can update. Do one of the following:

           • To send an email message, select Email.

           • To send a device notification message, select Notification. Users can view the notification on the device.

           • To send an email message and a device notification message, select Both.

        3. In the Prompt count field, specify the number of times an email message or a device notification message should be sent before the required action is enforced.

        4. In the Prompt interval fields, specify the time between prompts.

        5. In the Prompt interval expired action drop-down list, select the action that you want the Universal Device Service to take when the prompt period expires. For example, if the prompt count is three and the prompt interval is 10 minutes, the prompt period expires after 30 minutes. Do one of the following:

           • If you do not want to choose any options, select None.

           • To block users from accessing your organization's resources and applications from their device, select Untrust. Data and applications are not deleted from the device.

           • To delete your organization's data from the device, select Delete only work data (unmanage).

           • To delete all data from the device, select Delete all data (full control device) or unmanage (user privacy device).

    Task: Block users from accessing work resources and applications from their device.
    Steps: 1. Select Untrust. Data and applications are not deleted from the device.

    Task: Delete work data from the device and remove the device from the user account.
    Steps: 1. Select Delete only work data (unmanage).

    Task: For devices that are activated with MDM controls or Work and personal - full control, delete all data from the devices and return the device to factory settings. For devices that are activated with Work and personal - user privacy, delete work data and remove the device from the user account.
    Steps: 1. Select Delete all data (full control device) or unmanage (user privacy device).

    6. Click Save.

    Related information


    Assign a profile to a group, 56

    Assign a profile to a user account, 60

    Update the template for the device compliance notification

    You can use the Universal Device Service to automatically send an email message, a device notification message, or both, to users when they do not comply with your organization's requirements. In the body of the message, you can tell users what the compliance issue is and the consequences if they do not correct it. You can also include information about how to return devices to compliance, and what actions users might need to complete if an enforcement action is applied to their devices.

    Before you begin: Create a compliance profile to configure device compliance settings.

    1. On the menu bar, click Settings > Compliance Notification.

    2. In the From email address field, type the email address that you want to send the email message from. You mightwant to use an email address that does not accept replies.

    If your organization's messaging server is Microsoft Exchange Server and you selected Credentials as the authentication type in the SMTP server settings, and the email address that you specify in the From email address field does not match the account in the SMTP server settings, verify that the account has the Send As permission for that email address in Microsoft Exchange.

    3. In the Email subject field, update the default text if necessary.

    4. In the Email message field, update the default text if necessary.

    5. In the Device notification message field, update the default text if necessary.

    6. Click Save.

    Returning devices to compliance

    To return devices to compliance, users must correct the condition that made the device non-compliant. If the condition is corrected before any enforcement action is taken, devices are automatically returned to compliance. If an enforcement action is taken, the user might have to reactivate the device. The following table describes the actions required by users to return their device to compliance.

    Enforcement action: Prompt for compliance
    Action required by the user: Correct the compliance condition.

    Enforcement action: Untrust
    Action required by the user: Correct the compliance condition. The untrusted state is automatically removed when the condition is corrected.

    Enforcement action: Delete only work data (unmanage)
    Action required by the user: Correct the compliance condition and reactivate the device.

    Enforcement action: Delete all data (full control device) or unmanage (user privacy device)
    Action required by the user: Correct the compliance condition and reactivate the device.
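The following Python model is an added example and is not code from BlackBerry or from this guide. It ties together the rules in this section: profile reconciliation (direct assignment over group assignment over the default), the five compliance conditions, the prompt count and prompt interval arithmetic, the enforcement action whose effect depends on the activation type, and the recovery step from the table above. The record layouts, the sample application inventory and the tie-break when a user belongs to several groups that each carry a profile are this example's own assumptions.

```python
"""Added example (not BlackBerry's code): a small model of how a compliance
profile is chosen for a user and then evaluated against a device, using the
conditions, prompt schedule, enforcement actions and recovery steps described
on this page. Record layouts, sample inventory and the several-groups
tie-break are this example's own assumptions."""
from dataclasses import dataclass

DELETE_ALL = "Delete all data (full control device) or unmanage (user privacy device)"
UNMANAGE = "Delete only work data (unmanage)"
USER_PRIVACY = "Work and personal - user privacy"


@dataclass
class Prompt:
    method: str            # "Email", "Notification" or "Both"
    count: int             # Prompt count
    interval_min: int      # Prompt interval, in minutes
    expired_action: str    # Prompt interval expired action


@dataclass
class ComplianceProfile:
    name: str
    rules: dict            # condition name -> action string, or a Prompt


DEFAULT = ComplianceProfile("Default", {})


def resolve_profile(user, groups, default=DEFAULT):
    """Direct assignment beats group assignment, which beats the default.
    Assumption: if several of the user's groups carry a profile, the first
    group in membership order wins; the page does not define that case."""
    if user.get("compliance_profile") is not None:
        return user["compliance_profile"]
    for name in user.get("groups", ()):
        profile = groups.get(name, {}).get("compliance_profile")
        if profile is not None:
            return profile
    return default


@dataclass
class Device:
    jailbroken: bool
    activation_type: str   # "MDM controls", "Work and personal - full control" or USER_PRIVACY
    installed: dict        # app name -> installed version
    core_apps: set         # apps shipped with the OS; never counted as non-assigned


def violations(device, assigned):
    """assigned: app name -> {"required": bool, "version": latest version}.
    Returns the page's condition names, each at most once."""
    found = []

    def add(condition):
        if condition not in found:
            found.append(condition)

    if device.jailbroken:
        add("Jailbroken or rooted device")
    for app in device.installed:
        if app not in assigned and app not in device.core_apps:
            add("Non-assigned application is installed")
    for app, spec in assigned.items():
        version = device.installed.get(app)
        if version is None:
            if spec["required"]:
                add("Required application is not installed")
        elif version != spec["version"]:
            add("Required application is not updated" if spec["required"]
                else "Optional application is not updated")
    return found


def effective_action(action, device):
    """The last enforcement option means a wipe or an unmanage depending on
    how the device was activated."""
    if action == DELETE_ALL:
        return UNMANAGE if device.activation_type == USER_PRIVACY else "Delete all data"
    return action


def decide(profile, device, condition, minutes_since_first_prompt):
    """Return (action, detail) for one violated condition."""
    rule = profile.rules.get(condition)
    if rule is None:
        return "None", "condition is not selected in this profile"
    if isinstance(rule, Prompt):
        period = rule.count * rule.interval_min        # e.g. 3 x 10 min = 30 min
        if minutes_since_first_prompt < period:
            sent = min(rule.count, minutes_since_first_prompt // rule.interval_min + 1)
            return "Prompt for compliance", "%s prompt %d of %d, %d min until %s" % (
                rule.method, sent, rule.count, period - minutes_since_first_prompt,
                effective_action(rule.expired_action, device))
        return effective_action(rule.expired_action, device), "prompt period expired"
    return effective_action(rule, device), "enforced immediately"


def recovery(action):
    """What the user must do afterwards (Returning devices to compliance)."""
    if action in ("None", "Prompt for compliance", "Untrust"):
        return "correct the compliance condition"
    return "correct the compliance condition and reactivate the device"
```

decide() is a convenient way to sanity-check a profile before it is assigned: with a Prompt of count three and interval 10 minutes whose expired action is Delete all data (full control device) or unmanage (user privacy device), a jailbroken full control device is wiped 30 minutes after the first prompt, while the same rule on a user privacy device only removes the work space. resolve_profile() implements the same precedence the page gives for the default activation type profile.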

    Controlling how iOS and Android devices are activated and managed

    The Activation Type profile determines how devices are activated, whether devices have a separate work space installed, and how you can manage the data on the device. The assigned profile applies only to the next device that a user activates, and not to devices that are already activated. There are three ways to activate devices:

    Activation type: MDM controls
    Description: Provides basic device management using device controls made available by iOS and Android. There is no separate work space installed on the device, and no added security for work data. You can control the device using IT administration commands and IT policies. During activation, users must install a mobile device management profile for iOS devices, and permit Administrator permissions for Android devices.

    A Silver license or Gold - Secure Work Space license is required for this activation type.

    Activation type: Work and personal - full control
    Description: Provides full control of devices. When a device is activated, a separate work space is created on the device and the user must create a password to access the work space. Work data is protected using encryption and by requiring authentication for connections to the work space. You can control the work space, and some other aspects of the device, using IT policies and commands. During activation, users must install a mobile device management profile for iOS devices, and permit Administrator permissions for Android devices.

    A Gold - Secure Work Space license is required for this activation type.

    Activation type: Work and personal - user privacy
    Description: Provides control of work data on devices, while ensuring privacy for personal data. When a device is activated, a separate work space is created on the device and the user must create a password to access the work space. Work data is protected using encryption and by requiring authentication for connections to the work space. You can control the work space on the device using IT administration commands and IT policies, but you cannot control any aspects of the personal space on the device. Users are not required to install a mobile device management profile for iOS devices, or permit Administrator permissions for Android devices.

    For iOS devices, you cannot send notifications to install internal work apps, and you cannot view the status of work apps in the Administration Console. Users with iOS devices must download internal work space apps from an internal website (workspace://apps).

    A Gold - Secure Work Space license is required for this activation type.

    Change the default activation type

    The default activation type profile is assigned to user accounts only if the user is not assigned a profile directly or through group membership. You can change the default activation type, but you cannot delete the default profile.

    1. On the menu bar, click Library.

    2. In the left pane, click Activation type > Default.

    3. Type a description for the default activation type profile.

    4. In the Activation type drop-down list, select the activation type that you want to be the default.

    5. Click Save.

    Create an activation type profile

    If you want to assign different activation types to different users, you can create activation type profiles, in addition to the default profile.

    1. On the menu bar, click Library.

    2. In the Activation type pane, click the + icon.

    3. Type a name and description for the profile.

    4. In the Activation type drop-down list, select the activation type to be associated with the profile.

    5. Click Save.

    What is the BES12 Client?

    The BES12 Client is an app that allows BlackBerry Enterprise Service 10 to communicate with iOS and Android devices. If users want to activate iOS or Android devices on BlackBerry Enterprise Service 10, they must install the BES12 Client on their devices. Users can download the latest version of the BES12 Client from the App Store for iOS devices, or from Google Play for Android devices.

    After users activate their devices, the BES12 Client allows users to do the following:

    • Verify whether their devices are compliant with the organization's standards

    • View the profiles that have been assigned to their user accounts

    • View the IT policy rules that have been assigned to their user accounts

    • Deactivate their devices

    Managing devices that have a work space

    Having a work space on devices helps to keep work information separate and secure, and allows you to manage the work data on devices. Data that any of the apps in the work space use is saved securely and cannot be accessed outside of the work space. For more information about work space security, visit docs.blackberry.com/BES10 to see the Secure Work Space for iOS and Android Security Note.

    If you assign the "Work and personal - full control" or "Work and personal - user privacy" activation type to user accounts, during activation a work space is installed on the devices and users are prompted to create work space passwords. To complete the work space setup, users must download the following apps on their devices:

    Device type: iOS
    Apps:

        • Work Connect - for email, calendar, contacts, notes, and tasks

        • Work Browser - for browsing

        • Documents To Go - for securely viewing and editing work documents

    Device type: Android
    Apps:

        • Work Space Manager - required to run the other work space apps on the device

        • Secure Work Space - for email, calendar, contacts, and browsing

        • Documents To Go - for securely viewing and editing work documents

    The work space allows you to take advantage of the