Universal Device Service

Version: 10.2

Administration Guide

BlackBerry Enterprise Service 10

Published: 2015-02-24
SWD-20150223125016631

Contents

1 Introduction
  About this guide
  What is BlackBerry Enterprise Service 10?
    Key features of BlackBerry Enterprise Service 10
  About the Universal Device Service
    Using the Universal Device Service console
    Log in to the Universal Device Service console
  About BES10 Self-Service

2 Setting up administrator accounts
  Administrative roles and permissions
    Administrator permissions
  Create an administrator account

3 Setting up device controls
  Creating and assigning profiles
  Using variables
    Use custom variables
  Sending certificates to devices
    Setting up encrypted email using S/MIME
    Create a CA certificate profile
    Create a client certificate profile for SCEP
    Create a client certificate profile for a shared certificate
    Create a user certificate profile and assign it to a user account
  Controlling how devices can connect to your organization's network
    Create a Microsoft ActiveSync profile
    Create a Wi-Fi profile
    Create a VPN profile
  Routing data for iOS devices through a proxy server
    Create a global HTTP proxy profile for iOS devices
  Enforcing compliance rules
    Assigning and reconciling compliance profiles
    Change the default compliance profile
    Create a compliance profile
    Update the template for the device compliance notification
    Returning devices to compliance
  Controlling how iOS and Android devices are activated and managed
    Change the default activation type
    Create an activation type profile
    What is the BES12 Client?
    Managing devices that have a work space
    Upgrading work space apps
  Controlling the capabilities of devices
    Create an IT policy
    Create a work space IT policy
  Routing data for the work browser through a proxy server
    Create a proxy profile for Secure Work Space
  Managing app availability on devices
    Create an application definition
    Create a software configuration
    Assign a software configuration to a user account
    Assign a software configuration to a group
    View whether work apps are installed on a device
    Installing apps in the work space

4 Managing groups and user accounts
  Creating and managing groups
    Create a group
    Change the properties of a group
    Assign an account to a group
    Remove an account from a group
    Assign an IT policy to a group
    Assign a profile to a group
    Synchronizing groups with Microsoft Active Directory
  Creating and managing user accounts
    Add a user account
    View a user account
    Assign an IT policy to a user account
    Assign a profile to a user account
    Edit user account information
    Change the device activation password for a user

5 Activating and managing devices
  Activating devices
    Configure the default settings to activate a device
    Update the template for the activation email message
    Send an activation email message
    Activate an iOS device
    Activate an Android device
    Setting an activation password using BES10 Self-Service
  Managing devices
    Using IT administration commands to manage devices
    Users with multiple devices
    Jailbroken or rooted status
    Disable new device activations
    Change the device ownership setting
    View and save a device report
    View device communication logs
    Deactivating devices

6 Maintaining and monitoring
  Check the status of the BlackBerry Secure Connect Service
  Logging
    Log files
    Audit logs

7 IT policy rules
  Descriptions of IT policy rules
    Browser policy group
    Camera and video policy group
    Certificates policy group
    Cloud service policy group
    Connectivity policy group
    Content policy group
    Diagnostics and usage policy group
    Encryption policy group
    Lock screen policy group
    Messaging policy group
    Online store policy group
    Password policy group
    Phone and messaging policy group
    Profiles and certificates policy group
    Security policy group
    Social policy group
    Storage and backup policy group
    Voice assistant policy group
  Descriptions of work space IT policy rules
    Allow sequential and repeated character passwords rule
    Require letters rule
    Require lowercase letters rule
    Require numbers rule
    Require special characters rule
    Require uppercase letters rule
    Restrict password length rule
    Minimum length for the work space password rule
    Maximum length for the work space password rule
    Maximum password history rule
    Lock work space when device locks rule
    Lock device after inactivity in work space rule
    Lock work space after inactivity rule
    Track incorrect password attempts rule
    Action after maximum incorrect password attempts rule
    Enable plugins in secure browser rule
    Deactivate device after period of inactivity rule
    Work Connect contacts rule
    Allow apps in the personal space to access files in the work space rule
    Notification level rule
    Allow S/MIME rule

8 Product documentation

9 Provide feedback

10 Glossary

11 Legal notice

Introduction

Topics:

- About this guide
- What is BlackBerry Enterprise Service 10?
- About the Universal Device Service
- About BES10 Self-Service

About this guide


The Universal Device Service allows you to manage iOS devices and Android devices in your organization's environment.
This guide provides instructions on how to manage user accounts and devices after the Universal Device Service is
installed and configured.
This guide is intended for IT professionals who are responsible for activating devices and managing user accounts. Before
you can use the tasks in this guide, you need to complete the tasks to configure the Universal Device Service. You can find
instructions on configuring the Universal Device Service in the BlackBerry Enterprise Service 10 Configuration Guide.

What is BlackBerry Enterprise Service 10?


BlackBerry Enterprise Service 10 helps you manage mobile devices for your organization. You can manage BlackBerry
devices and BlackBerry PlayBook tablets, as well as iOS and Android devices, all from a unified interface. BlackBerry
Enterprise Service 10 is designed to help protect business information, keep mobile workers connected with the
information they need, and provide administrators with efficient tools that help keep business moving forward.
BlackBerry Enterprise Service 10 includes the following components:

Component | Description
--- | ---
BlackBerry Device Service | Provides advanced administration for BlackBerry 10 devices and BlackBerry PlayBook tablets
Universal Device Service | Provides advanced administration for iOS and Android devices
BlackBerry Management Studio | Provides a unified interface to administer common tasks for BlackBerry 10 devices, BlackBerry PlayBook tablets, BlackBerry 7.1 and earlier devices, iOS devices, and Android devices
BES10 Self-Service | Provides a console to users so that they can perform some self-service tasks. For example, users can create activation passwords, remotely change the password on their device, or delete data from the device.

Key features of BlackBerry Enterprise Service 10


The table below describes some of the key features for BlackBerry Enterprise Service 10.

Feature | Description
--- | ---
Management of most types of devices | BlackBerry Enterprise Service 10 supports all types of BlackBerry devices and tablets, as well as iOS devices and Android devices.
Single, unified interface | BlackBerry Management Studio is a single, web-based interface where you can view all devices in one place and access the most common management tasks across multiple domains. These tasks include creating and managing groups, managing device controls, and activating mobile devices.
Trusted and secure experience | Device controls give you precise management of how devices connect to your network, what capabilities are enabled, and what apps are available. Whether the devices are owned by your organization or your users, you can protect your organization's information.
Balance of work and personal needs | BlackBerry Balance and Secure Work Space technology are designed to ensure that personal and work information are kept separate and secure on devices. If the device is lost or the employee leaves the organization, you can delete only work-related information or all information from the device. Additional security features are available depending on the device type.

About the Universal Device Service


The Universal Device Service is designed to permit you to manage devices that run iOS or Android OS in your organization's
environment.
If you activate devices using the Universal Device Service, you can use the Universal Device Service to:

- Manage devices using the IT policies and IT administration commands that the devices support
- Configure profiles for devices so that you can control the connections to your organization's environment
- Assign activation type profiles to user accounts to control how devices are managed
- Provision and manage work applications on devices
- View the device inventory for your organization

To provide a single interface for helpdesk administrators to manage all the devices in your organization's environment, you
can connect BlackBerry Management Studio to the Universal Device Service.


Using the Universal Device Service console


Feature | Description
--- | ---
Drag and drop functionality | When viewing a group or user account, you can quickly apply IT policies, profiles and software configurations using drag and drop functionality.
User list | In the user list, each row is a link that you can click to view the properties of the user account. You can sort and reverse sort the information in the user list by clicking any of the column headers. To display user accounts with multiple devices, sort by user.
Required fields | Fields that have a red asterisk (*) beside them are required. You must submit a value in all required fields to complete a task. Default values, which you can customize, are often displayed in the fields.
Available settings | In the Available Settings pane, you can view the number of users that are assigned to an IT policy, profile, or software configuration. The value shown represents the number of unique users that are assigned to a particular policy, profile, or software configuration. The user is not counted twice if they are assigned directly and by group assignment.
Online help | Click the Help link in the upper-right corner of the screen to access online help. The online help is updated regularly to provide the most recent information.

Log in to the Universal Device Service console


Also known as the Administration Console, the Universal Device Service console allows you to manage the Universal Device
Service and the user accounts associated with it. To open the Administration Console, you can use a browser on any
computer that has access to the computer that hosts the Administration Console.
When you install BlackBerry Enterprise Service 10, you specify the username and password that you use to log in for the
first time.
1. In the browser, type https://<server_name>:<port>, where <server_name> is the FQDN of the computer that hosts
   the Administration Console. The default port for the Administration Console is port 6443.
2. In the Username field, type your username.
3. In the Password field, type your password.
4. Click Log in.

About BES10 Self-Service


BES10 Self-Service is a web-based application that you can make available to users so that they can perform certain tasks
such as creating activation passwords, remotely locking their devices, or deleting data from their devices. Users do not
need to install any software on their computers to use BES10 Self-Service.
You must provide the BES10 Self-Service web address and login information to users. You can send this information in an
email message, or edit the activation email template to include the information. Provide the following information:

- Web address. The web address for BES10 Self-Service is https://<server_name>:7445, where <server_name> is the
  FQDN of the computer that hosts the console, and 7445 is the default port. You can change the port in the BES10
  Configuration Tool.
- Username and password. Company directory users can log in with their organization usernames and passwords. For
  local users that have BlackBerry 10 devices, you must create their usernames and passwords in the BlackBerry Device
  Service. Local users that have iOS or Android devices cannot use BES10 Self-Service.
- Domain name (for Microsoft Active Directory users)

Setting up administrator accounts

Topics:

- Administrative roles and permissions
- Create an administrator account

Administrative roles and permissions


When you create administrator accounts, you assign roles to the accounts so that you can control who can perform tasks in
the Universal Device Service.
Each role has a set of associated permissions. Permissions specify the information that you can view and the tasks that you
can perform using the Administration Console. Each action that you perform in the Administration Console is associated
with a specific permission.
Assign the Security role to the administrator account that you use to change other administrator account permissions.
Related information
Create an administrator account, 18

Administrator permissions
Each role contains multiple permissions that are turned on. The roles make sure that administrators who do not have
specific administrative permissions cannot escalate their permissions. For example, junior helpdesk administrators cannot
escalate their roles to senior helpdesk administrator roles.
Permissions (table columns: Security role, Enterprise role, Senior Helpdesk role, Junior Helpdesk role):

Create a group
Delete a group
View a group
Edit a group
Add user to a group
Create a user
Delete a user
View a user
Edit a user
Assign an administrative role
View a device
Edit a device
Specify device ownership
Specify an activation password
Generate an activation email
View device activation settings
Edit device activation settings
Create an IT policy
Delete an IT policy
View an IT policy
Edit an IT policy
Assign an IT policy or a profile to a user
Create a software configuration
View a software configuration
Edit a software configuration
Delete a software configuration
Create an application definition
View an application
Edit an application
Delete an application
Assign a software configuration to a user
Delete all device data and remove device
Delete only the organization data and remove device


Create an administrator account


Before you begin: If you configured the Universal Device Service to connect to a company directory, you can add an
administrator account directly from your organization's list of users. If you did not configure these settings, you can create
local administrator accounts only.
1. In the left pane, beside Administrators, click the + icon.
2. In the Add a user window, perform one of the following tasks:

    Task: Add an administrator account from the company directory. If you have not configured the Universal Device Service to connect to a company directory, the Directory tab is not shown.
    Steps:
    1. On the Directory tab, search for an administrator account.
    2. In the Name drop-down list, select the administrator account.
    3. If you want to add the administrator account to a group, in the Group membership drop-down list, select a group.
    4. To specify if this administrator will use a work or personal device, in the Device ownership drop-down list, select an option.
    5. Verify that the Administrator account check box is selected.
    6. In the Administrator role drop-down list, select a role for the administrator.

    Task: Create a local administrator account.
    Steps:
    1. Select the Local tab.
    2. Specify the administrator details.
    3. If you want to add the administrator account to a group, in the Group membership drop-down list, select a group.
    4. To specify if this administrator will be using a corporate or personal device, in the Device ownership drop-down list, select an option.
    5. Verify that the Administrator account check box is selected.
    6. Type a password.
    7. In the Administrator role drop-down list, select a role for the administrator.

3. To specify device activation settings for the administrator account, in the Device Activation section, select Enable new device activations.
4. Select one of the following options:
    Use directory password to allow the administrator to use the company directory password to activate a device.
    Specify an activation password to specify a password that the administrator must enter to activate a device.
5. To specify when the activation password expires, select a time and date in the Activation expiration (date) and Activation expiration (time) fields. If you do not specify an expiration date and time, the activation password will never expire.
6. To specify a maximum number of activation attempts the administrator is allowed to make before the device is locked, in the Maximum number of activations per device field, type a value.
7. To specify a maximum number of devices the administrator is allowed to have associated with this user account, in the Maximum number of devices to activate field, type a value.
8. To specify the device platforms that are supported, select Permitted devices and select one or more platforms.
9. To specify the device versions that are supported, in the drop-down list, select one or more versions.
10. To send an email message that contains the information that the administrator requires to activate the device, select Send activation email.
11. If you are using custom variables, click the arrow beside Custom Variables and fill in the fields.
12. Do one of the following:
    To save this administrator account and create another, click Save & New.
    To save this administrator account, click Save.

Related information
Administrative roles and permissions, 16


Setting up device controls

Topics:

Creating and assigning profiles

Using variables

Sending certificates to devices

Controlling how devices can connect to your organization's network

Routing data for iOS devices through a proxy server

Enforcing compliance rules

Controlling how iOS and Android devices are activated and managed

Controlling the capabilities of devices

Routing data for the work browser through a proxy server

Managing app availability on devices


Creating and assigning profiles


You can use profiles to define the settings on devices. After you create profiles, you can assign them to a user account or to
a group of user accounts.
Profile: Description

VPN: Allows you to specify how devices connect to your organization's VPN

Wi-Fi: Allows you to specify how devices connect to your organization's Wi-Fi network

Microsoft ActiveSync: Allows you to specify how devices connect to your organization's messaging server and synchronize email messages and organizer data using Microsoft ActiveSync

Global HTTP proxy: Allows you to direct all HTTP traffic to and from the personal space on iOS devices through a proxy server behind your organization's firewall. Supported for iOS devices that run iOS 6.0 or later and are supervised using Apple Configurator

CA certificate: Allows devices that use certificate-based authentication to trust network or server certificates in your organization's environment

Client certificate: Allows you to provide client certificates to users' devices using SCEP or a shared certificate

User certificate: Allows you to assign a client certificate to an individual user account and send the certificate file to the user's devices

Compliance: Allows you to set conditions that require or restrict apps and restrict jailbroken or rooted devices

Activation type: Allows you to specify how a device is managed after a user activates it. The profile applies only to the next device that a user activates, and not to any currently activated devices.

Work space HTTP proxy: Allows you to direct all HTTP traffic for the work browser on supported iOS and Android devices through a proxy server behind your organization's firewall

Using variables
You can use variables and custom variables to replace user account attributes and other attributes in the activation email
template and in profiles.
Note: You cannot use variables in the template for the device compliance notification.


The following table lists the variables that are available to use in the Universal Device Service.
Variable: Description

%DisplayName%: User's display name

%UserEmailAddress%: User's email address

%UserName%: User's username

%ActivationExpirationFinish%: Date and time when the activation password expires

%ActivationPassword%: Activation password that you created for the user

%BSCAddress%: Server address of the BlackBerry Secure Connect Service

%SRPID%: Unique SRP identifier for each BlackBerry Enterprise Service 10 instance

%BSCAddress%/%SRPID%/ca: Internal web address where users can download the SSL certificate for the Communication Module

%EnterpriseAppStoreURL%: Internal web address where users with iOS devices that are activated with user privacy can download work apps

%SSLCertCommon%: Common Name of the SSL certificate for the Communication Module

%SSLCertSHA%: Fingerprint of the SSL certificate for the Communication Module

%Custom1%, %Custom2%, %Custom3%, %Custom4%, %Custom5%: You can use up to five different variables for user attributes that you define. For security reasons, you should not use a custom variable for a password.

Related information
Update the template for the activation email message, 65

Use custom variables


Use custom variables to define your own user attributes in addition to the standard user attributes such as display name,
contact email, and work phone number. You can use custom variables in the same way that you use other variables in the
activation email template or when you create profiles.
Note: For security reasons, you should not use a custom variable for a password.
For example, for local users, a user's ActiveSync username might not be the same as their local account username, so you
can use a custom variable to represent the ActiveSync username. In this example, Custom variable 1 is defined as the
ActiveSync username.
1. Search for a user account.
2. In the search results, click the name of a user account.
3. Click the edit icon.
4. Expand Custom Variables.
5. In the Custom variable 1 field, type the user's ActiveSync username. Click Save.
6. When you create a Microsoft ActiveSync profile, type %Custom1% in the username field.

Sending certificates to devices


A certificate is a digital document that binds the identity and public key of a certificate subject. Each certificate has a
corresponding private key that is stored separately. A CA signs the certificate to verify that it can be trusted.
A device can use certificates to:

Authenticate using SSL/TLS when it connects to web pages that use HTTPS

Authenticate with a work messaging server

Authenticate with a work Wi-Fi network or VPN

Encrypt and sign email messages using S/MIME protection

Many certificates that are used for different purposes can be stored on a device. You can use certificate profiles to send
client certificates and CA certificates to devices.

Setting up encrypted email using S/MIME


You can extend email security for iOS and Android device users by permitting users to send and receive S/MIME-protected
email messages. You cannot force users to use S/MIME.
There are two types of S/MIME protection available:

S/MIME for the native iOS email app. You enable this type of S/MIME in a Microsoft ActiveSync profile.

S/MIME for the iOS and Android apps in the work space. You enable this type of S/MIME in a work space IT policy.

To use either type of S/MIME, a user must enable S/MIME on the device and specify whether to encrypt, sign, or encrypt
and sign emails. Users must store their private keys and a certificate for each recipient that they want to send an encrypted
email message to on their devices. Users can store a key and certificates by importing the files from an email message.

Create a CA certificate profile


You can use CA certificate profiles to distribute CA certificates to devices if the devices use certificate-based
authentication to connect to a network or server in your organization's environment. When a device has the certificate for
the CA that signed a server certificate, the device recognizes and trusts the server certificate. The CA certificate has
a .cer, .crt, or .der file name extension.


Note: You cannot send CA certificates to devices that are activated with the "Work and Personal - User Privacy" activation
type.
1. On the menu bar, click Library.
2. In the CA certificate pane, click the + icon.
3. In the Certificate name field, type a name for the CA certificate profile. Each CA certificate profile must have a unique name. Some names (for example, ca_1) are reserved by default.
4. In the Certificate description field, type a description for the CA certificate profile.
5. In the Certificate file field, click Browse to specify the location of the certificate file.
6. Click Save.

Related information
Assign a profile to a group, 56
Assign a profile to a user account, 60

Create a client certificate profile for SCEP


You can use a client certificate profile for SCEP to specify how devices obtain certificates from your organization's CA.
SCEP is a protocol that is used to automate the submission of certificate requests to a SCEP service and issue client
certificates to supported devices. Devices use the certificates to authenticate with your organization's servers.
Android devices do not support SCEP.
Before you begin: If you want the Universal Device Service to use a dynamic password obtained from an external SCEP
service, configure the external SCEP settings. For instructions, see Configure the external SCEP settings.
1. On the menu bar, click Library.
2. In the Shared certificate pane, click the + icon.
3. In the Certificate name field, type a name for the profile.
4. In the Certificate description field, type a description for the profile.
5. In the Certificate source drop-down list, click SCEP.
6. If the certificates need a subject alternative name, perform the following actions:
    a. In the Alternative subject name type drop-down list, click the appropriate type.
    b. In the Alternative representation of the certificate subject field, type the subject alternative name. The value must be an email address, the DNS name of the CA server, or the fully qualified URL of the server.
    c. In the NT principal name for certificate generation field, type the user principal name.
7. If your CA uses HTTP instead of HTTPS, in the Fingerprint for enrolling a SCEP certificate field, paste the CA certificate fingerprint. Devices use the fingerprint to confirm the identity of the CA during the enrollment process.
8. If you want to permit users to use the certificate for digital signatures, select the Use the generated certificate for digital signatures check box.
9. If you want to permit users to use the certificate for encryption, select the Use the generated certificate for key encipherment check box.
10. In the Key size for certificate generation field, type the key size. The default value is 1024.
11. If necessary for your organization's SCEP configuration, in the Subject field, type CN=<common_name>,O=<domain_name>.
12. If you want to permit devices to retry the server connection if the first attempt fails, perform the following actions:
    a. Select the Retry SCEP connection check box.
    b. In the Number of times SCEP connection should be retried field, type the number of times that devices can try to connect.
    c. In the Time in seconds before the SCEP connection should be retried field, type the number of seconds that devices should wait between each attempt.
13. If you want to proxy SCEP requests from devices through the Universal Device Service, select the Proxy SCEP requests through the Universal Device Service check box.
14. In the SCEP server configuration type drop-down list, perform one of the following actions:
    If you want the system to use the external SCEP settings that you configured, click External.
    If you want to specify the SCEP settings, click Defined.
15. If you selected Defined in step 14, perform the following actions:
    a. In the CA-IDENT attribute of the SCEP configuration field, type the name of the CA.
    b. In the Pre-shared secret type to use in certificate generation drop-down list, click None or Plain text. If you select Plain text, type the pre-shared secret.
    c. In the Base URL of the SCEP server field, type the URL of the SCEP server.
16. Click Save.


Related information
Assign a profile to a group, 56
Assign a profile to a user account, 60

Configure the external SCEP settings


You can configure external SCEP settings that allow the Universal Device Service to request a dynamic password from the
SCEP service. The Universal Device Service injects the password into the client certificate profile for SCEP when it sends
the profile to devices.
The default service type for the external SCEP is MSCA-NDES.
1. On the menu bar, click Settings.
2. In the External Integration pane, click External SCEP.
3. Select the Enable SCEP check box.
4. In the Authentication type drop-down list, click the appropriate authentication type.
5. If you selected NTLM authentication, in the Domain of the credentials for the external SCEP service field, type the domain of the external SCEP service.
6. In the Username field, type the user name for the external SCEP service.
7. In the Password field, type the password for the external SCEP service.
8. In the URL for generating the challenge secret key of the directory field, type the URL.
9. In the CA-IDENT attribute field, type the CA-IDENT attribute of the external SCEP service.
10. In the URL for enrollment requests of the directory field, type the URL.
11. Click Save.

Create a client certificate profile for a shared certificate


You can use a client certificate profile for a shared certificate to send the same client certificate to multiple devices. The
devices present the client certificate for authentication to a network or server in your organization's environment. You
might want to use this profile to distribute certificates when your environment or users' devices do not support SCEP. The
client certificate has a .pfx file extension.
1. On the menu bar, click Library.
2. In the Shared certificate pane, click the + icon.
3. In the Certificate name field, type a name for the profile. Each client certificate profile for a shared certificate must have a unique name. Some names (for example, ca_1) are reserved by default.
4. In the Certificate description field, type a description for the profile.
5. In the Certificate source drop-down list, click File.
6. In the Certificate file field, click Browse to specify the location of the certificate file.
7. In the Password field, type a password for the profile.
8. Click Save.

Related information
Assign a profile to a group, 56
Assign a profile to a user account, 60


Create a user certificate profile and assign it to a user account

You can use a user certificate profile to assign a client certificate to an individual user account and send the certificate to
the user's devices. The devices present the client certificate for authentication to a network or server in your organization's
environment. You might want to use user certificate profiles to distribute certificates when your environment or devices do
not support SCEP. The client certificate has a .pfx file extension.
User certificate profiles are only available for individual user accounts and are not available in the Profiles pane.
1. Search for a user account.
2. In the search results, click the name of a user account.
3. In the IT policies and profiles section, click the + icon.
4. Click User certificate.
5. In the Certificate name field, type a name for the user certificate profile.
6. In the Certificate description field, type a description for the user certificate profile.
7. In the Password field, type a password for the user certificate profile.
8. In the Certificate file field, click Browse to specify the location of the certificate file.
9. Click Apply.

Controlling how devices can connect to your organization's network

You can specify how users' devices can connect to your organization's network and messaging servers.

Create a Microsoft ActiveSync profile


You can use Microsoft ActiveSync profiles to specify how devices connect to your organization's messaging server and
synchronize email messages and organizer data using Microsoft ActiveSync. You can also specify whether users can use
S/MIME to encrypt or sign email messages in the native iOS email app. You cannot force users to use S/MIME.
Before you begin:

If you use certificate-based authentication, create a CA certificate profile and a client certificate profile, or user
certificate profile, and assign them to users. Certificate-based authentication is for iOS devices only. For more
information, see Sending certificates to devices.

For Android devices that do not have a work space, users must install TouchDown on their devices or use a Motorola
device that supports the Enterprise Device Management API.

If you want to use Notes Traveler, devices must have a work space.

1. On the menu bar, click Library.
2. In the Microsoft ActiveSync pane, click the + icon.
3. In the Profile name field, type the profile name.
4. In the Profile description field, type a description for the profile.
5. In the Credentials drop-down list, perform one of the following actions:
    If you want to use basic authentication (for example, a username and password), click None.
    If you want to use a certificate profile for authentication (iOS devices only), click Certificate. In the Credential name or description field, type a description.
6. If you selected Certificate in step 5, perform the following actions:
    In the Certificate identifier drop-down list, click the certificate profile that you want to use.
    If you want to prompt users for a password when their devices try to authenticate with the server or network, select the Prompt the user for a password check box.
7. In the Domain field, type the user domain name.
8. In the Email address field, perform one of the following actions:
    If the profile is for one user, type the email address of the user.
    If the profile is for multiple users, type %UserEmailAddress%.
9. In the Host name or IP address field, type the host name or IP address of the Microsoft ActiveSync server.
10. In the Username field, perform one of the following actions:
    If the profile is for one user, type the username.
    If the profile is for multiple users, type %UserName%.
    If the profile is for multiple users in a Notes Traveler environment, type %DisplayName%.
11. If you want to permit users to encrypt or sign email messages in the native iOS email app, select the Use S/MIME check box. Perform any of the following actions:
    In the Encryption certificate identifier drop-down list, click the client certificate profile that users can use to encrypt email messages.
    In the Signing certificate identifier drop-down list, click the client certificate profile that users can use to sign email messages.
12. If you want to control how devices manage email messages, select the Disable moving or sending email messages and limit sync time check box. Perform any of the following actions:
    To prevent moving email messages from this account to another existing email account on the device, select the Disable moving email messages to another account check box.
    To prevent third-party applications on the device from using this account to send email messages, select the Disable sending email messages from this account in third-party applications check box.
    To specify how long to keep existing email messages for this account on the device, select the Limit time to sync email messages check box. Specify the synchronization period.
13. If you do not want devices to synchronize new email recipients to the device address book, select the Disable synchronizing new recipients to device address book check box.
14. If the Microsoft ActiveSync server requires SSL authentication, select the Use SSL check box. If you want to permit work space apps to accept any server certificate when connecting to the Microsoft ActiveSync server (including the default ActiveSync self-signed certificate), select the Accept all SSL certificates check box.
15. Click Add.
Related information
Assign a profile to a group, 56
Assign a profile to a user account, 60

Create a Wi-Fi profile


Before you begin: If you use certificate-based authentication, create a CA certificate profile and a client certificate profile,
or user certificate profile, and assign them to users. For more information, see Sending certificates to devices.
1. On the menu bar, click Library.
2. In the Wi-Fi pane, click the + icon.
3. In the Profile name field, type the profile name.
4. In the Profile description field, type a description for the profile.
5. If required, in the BSSID field, type the BSSID of the Wi-Fi network.
6. If you do not want to broadcast the SSID for the Wi-Fi network, select the Hidden network check box.
7. In the SSID field, type the network name of the Wi-Fi network.
8. If you want iOS device users to be able to connect to the Wi-Fi network automatically, verify that the Automatically join the network check box is selected.
9. In the Network configuration drop-down list, select the appropriate network configuration.
10. In the Proxy type drop-down list, perform one of the following actions:

    Task: Do not select a proxy server.
    Steps: Select None.

    Task: Automatically select an available proxy server.
    Steps: Select Automatic and type the URL used to retrieve proxy settings.

    Task: Specify a proxy server.
    Steps:
    1. Select Manual.
    2. In the Host name or IP address for the proxy server field, type the host name or IP address.
    3. In the Port number for the proxy server field, type the port number.
    4. In the Username for the proxy server field, type the login name.
    5. In the Password for the proxy server field, type the password.

11. In the Security type drop-down list, perform one of the following actions:

    Task: Do not select a security type.
    Steps: Select None.

    Task: Specify the Wi-Fi settings for a Personal security type.
    Steps:
    1. Select Personal.
    2. In the Password field, type the password.
    3. In the Security type of the personal Wi-Fi profile drop-down list, click the appropriate security type.

    Task: Specify the Wi-Fi settings for an Enterprise security type.
    Steps:
    1. Select Enterprise.
    2. In the Security type of the enterprise Wi-Fi profile drop-down list, click the appropriate security type.
    3. On the Protocols tab, select the protocols that apply to the Wi-Fi network.
    4. On the Authentication tab, perform any of the following actions as required:
        In the Identification for TTLS, PEAP and EAP-FAST field, type the appropriate identifier.
        If the Wi-Fi network requires a password, and you don't want users to have to type the password, select the Password provided by the Wi-Fi configuration check box. In the Wi-Fi connection password field, type the password.
        If the Wi-Fi network requires that users provide a username, and you don't want users to have to type their username, in the Username field, type %UserName%.
        In the Authentication type for enterprise Wi-Fi configuration drop-down list, click the appropriate authentication type. If you select Certificate, in the Certificate identifier drop-down list, click the certificate profile that you want to use.
    5. On the Trust tab, perform the following actions as required:
        Click the + icon next to Trusted certificate identifiers expected for authentication. In the drop-down list, click a certificate identifier.
        To specify an expected certificate common name, click the + icon next to Certificate common names expected from the authentication server and type the common name.
        If you want to permit iOS device users to allow exceptions to trust rules, select the Trust user decisions check box.

12. Click Save.


Related information
Assign a profile to a group, 56
Assign a profile to a user account, 60
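
Several options in the SCEP, Microsoft ActiveSync and Wi-Fi procedures above decide whether a device can verify the server or CA it talks to, so they are worth checking before a profile is assigned. The following Python review script is an added example, not part of the BlackBerry guide or product: the dictionaries keyed by console field labels, the rule names, the host names and the 2048-bit threshold are assumptions made for the illustration.

```python
from urllib.parse import urlparse

MIN_KEY_BITS = 2048      # assumption: review threshold chosen for this example
DEFAULT_KEY_BITS = 1024  # default key size stated in the guide


def review_scep(s):
    """Client certificate profile for SCEP."""
    found = []
    bits = int(s.get("Key size for certificate generation", DEFAULT_KEY_BITS))
    if bits < MIN_KEY_BITS:
        found.append(("SCEP-KEYSIZE", f"key size {bits} is below {MIN_KEY_BITS} bits"))
    url = s.get("Base URL of the SCEP server", "")
    fingerprint = s.get("Fingerprint for enrolling a SCEP certificate", "").strip()
    # The guide asks for the CA fingerprint when the CA uses HTTP instead of HTTPS.
    if url and urlparse(url).scheme.lower() != "https" and not fingerprint:
        found.append(("SCEP-NO-FINGERPRINT",
                      "CA is reached without HTTPS and no CA fingerprint is set"))
    if s.get("Pre-shared secret type to use in certificate generation") == "Plain text":
        found.append(("SCEP-STATIC-SECRET",
                      "pre-shared secret is stored in the profile as plain text"))
    return found


def review_activesync(s):
    """Microsoft ActiveSync profile."""
    found = []
    if not s.get("Use SSL", False):
        found.append(("EAS-NO-SSL", "connection to the ActiveSync server does not use SSL"))
    elif s.get("Accept all SSL certificates", False):
        found.append(("EAS-ANY-CERT", "work space apps accept any server certificate"))
    return found


def review_wifi(s):
    """Wi-Fi profile."""
    found = []
    security = s.get("Security type", "None")
    if security == "None":
        found.append(("WIFI-OPEN", "no security type is selected"))
    elif security == "Enterprise":
        pinned = (s.get("Trusted certificate identifiers expected for authentication")
                  or s.get("Certificate common names expected from the authentication server"))
        if not pinned:
            found.append(("WIFI-NO-SERVER-TRUST",
                          "no trusted certificate or expected common name is set"))
        if s.get("Trust user decisions", False):
            found.append(("WIFI-USER-TRUST", "users may allow exceptions to trust rules"))
    return found


REVIEWERS = {"scep": review_scep, "activesync": review_activesync, "wifi": review_wifi}


def review(profiles):
    """Return {profile name: [(rule id, message), ...]} for a list of profiles."""
    return {p["name"]: REVIEWERS[p["type"]](p["settings"]) for p in profiles}


# Constructed sample profiles (hypothetical names, hosts and values).
SAMPLE_PROFILES = [
    {"type": "scep", "name": "scep-as-entered", "settings": {
        "Base URL of the SCEP server": "http://ca.example.test/certsrv/mscep",
        "Pre-shared secret type to use in certificate generation": "Plain text"}},
    {"type": "scep", "name": "scep-reviewed", "settings": {
        "Key size for certificate generation": "2048",
        "SCEP server configuration type": "External",
        "Fingerprint for enrolling a SCEP certificate": "<CA certificate fingerprint>"}},
    {"type": "activesync", "name": "eas-as-entered", "settings": {
        "Use SSL": True, "Accept all SSL certificates": True}},
    {"type": "activesync", "name": "eas-reviewed", "settings": {
        "Use SSL": True, "Accept all SSL certificates": False}},
    {"type": "wifi", "name": "wifi-as-entered", "settings": {
        "Security type": "Enterprise", "Trust user decisions": True}},
    {"type": "wifi", "name": "wifi-reviewed", "settings": {
        "Security type": "Enterprise", "Trust user decisions": False,
        "Certificate common names expected from the authentication server":
            ["radius.example.test"]}},
]

if __name__ == "__main__":
    for name, findings in review(SAMPLE_PROFILES).items():
        if not findings:
            print(f"{name}: no findings")
        for rule, message in findings:
            print(f"{name}: {rule}: {message}")
```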

Create a VPN profile


Android devices do not support VPN profiles.
Note: To allow affected third-party devices to store the XAuth password, you can modify the group-policy attributes of the
VPN profile in your Cisco VPN system to include the password-storage enable option. For more information, visit
www.blackberry.com/go/kbhelp to read KB30353.
Before you begin: If you use certificate-based authentication, create a CA certificate profile and a client certificate profile,
or user certificate profile, and assign them to users. For more information, see Sending certificates to devices.
1. On the menu bar, click Library.
2. In the VPN pane, click the + icon.
3. In the Profile name field, type the profile name.
4. In the Description of the VPN profile field, type a description for the profile.
5. In the VPN profile type drop-down list, click the appropriate profile type.
6. In the Authentication drop-down list, click the appropriate authentication type. The available authentication types depend on the profile type that you selected.
7. Specify the VPN settings for your organization and select the appropriate options. The required settings and available options depend on the profile type and authentication type that you selected.
8. In the Hostname or IP address of VPN server field, type the host name or IP address of the VPN gateway.
9. If the VPN gateway requires that users provide a username, and you don't want users to have to type their username, in the Username for authenticating the connection field, type %UserName%.
10. In the Proxy type drop-down list, perform one of the following actions:

    Task: Do not select a proxy server.
    Steps: Select None.

    Task: Automatically select an available proxy server.
    Steps: Select Automatic and type the URL used to retrieve proxy settings.

    Task: Specify a proxy server.
    Steps:
    1. Select Manual.
    2. In the Host name or IP address for the proxy server field, type the host name or IP address.
    3. In the Port number for the proxy server field, type the port number.
    4. In the Username for the proxy server field, type the login name.
    5. In the Password for the proxy server field, type the password.

11. Click Save.


Related information
Assign a profile to a group, 56
Assign a profile to a user account, 60

Routing data for iOS devices through a proxy server

For iOS devices that run iOS 6.0 or later and that are supervised using Apple Configurator, you can direct all HTTP traffic to and
from the personal space on devices through a proxy server behind your organization's firewall. To route data from the
personal space through a proxy server, you must create and assign a global HTTP proxy profile to user accounts or groups.
Global HTTP proxy profiles support proxy servers that use Basic Authentication, Integrated Authentication, or no
authentication.

Create a global HTTP proxy profile for iOS devices


1. On the menu bar, click Library.
2. In the left pane, click the + icon next to Global HTTP Proxy.
3. Type a name and a description for the proxy profile.
4. In the Proxy type drop-down list, perform one of the following actions:
    If you want to select the proxy server automatically using a PAC file, click Automatic. In the PAC URL field, type the URL for the PAC file.
    If you want to specify the proxy server, click Manual. Specify the FQDN or IP address of the proxy server, the port number, and the username and password of the administrator account that you want to use to authenticate with the proxy server.
5. Click Save.

After you finish: Assign the global HTTP proxy profile to user accounts or groups.
Related information
Assign a profile to a group, 56
Assign a profile to a user account, 60

Enforcing compliance rules


You can use compliance profiles to encourage iOS and Android device users to follow your organization's standards for the
use of mobile devices. A compliance profile specifies the device conditions that are not acceptable in your organization.
For example, you can choose to disallow jailbroken or rooted devices.
A compliance profile specifies the following information:

Conditions that would make a device non-compliant with BlackBerry Enterprise Service 10. You can specify any of the
following conditions:

    Device is jailbroken or rooted
    Non-assigned application is installed
    Optional application is not updated
    Required application is not installed
    Required application is not updated

Notifications that users receive if they violate the compliance conditions and the amount of time that users have to
correct the issue

Action that is taken if the user does not correct the issue, including limiting a user's access to your organization's
resources, deleting work data from the device, or deleting all data from the device

34

Administration Guide

Setting up device controls

Assigning and reconciling compliance profiles


Each user account can only be assigned one compliance profile. If you try to assign more than one compliance profile to a
user account, BlackBerry Enterprise Service 10 resolves the conflict and assigns the appropriate compliance profile using
the following rules:

- A compliance profile assigned directly to a user account takes precedence over a compliance profile assigned to a group, and over the default compliance profile
- A compliance profile assigned to a group takes precedence over the default compliance profile
- The default compliance profile is assigned to a user account only if the user is not assigned a compliance profile directly or through group membership

Change the default compliance profile


The default compliance profile is assigned to user accounts only if the user is not assigned a compliance profile directly or
through group membership. You can change the settings of the default compliance profile but you cannot delete it.
1. On the menu bar, click Library.
2. In the left pane, click Compliance > Default.
3. Type a description for the default compliance profile.
4. Select the check box next to the settings that you want to configure. Do any of the following:
   - If you want jailbroken or rooted devices to be considered non-compliant, select Jailbroken or rooted device.
   - If you want devices with applications that you did not install to be considered non-compliant, select Non-assigned application is installed. Non-assigned applications do not include core applications that are installed with the device operating system.
   - If you want devices that have not installed the latest update for optional applications to be considered non-compliant, select Optional application is not updated.
   - If you want devices that do not have a required application to be considered non-compliant, select Required application is not installed.
   - If you want devices that have not installed the latest update for required applications to be considered non-compliant, select Required application is not updated.
5. In the Enforcement action drop-down list, for each setting that you selected in step 4, configure the Universal Device Service to perform one of the following tasks when user accounts do not meet your organization's requirements:

   Task: Automatically send an email message, a device notification message, or both that advises users of a compliance issue and of the consequences.
   Steps:
   1. Select Prompt for compliance.
   2. In the Prompt method drop-down list, select the type of message that you want the Universal Device Service to send. The message body comes from the compliance notification template, which you can update. Do one of the following:
      - To send an email message, select Email.
      - To send a device notification message, select Notification. Users can view the notification on the device.
      - To send an email message and a device notification message, select Both.
   3. In the Prompt count field, specify the number of times an email message or a device notification message should be sent before the required action is enforced.
   4. In the Prompt interval fields, specify the time between prompts.
   5. In the Prompt interval expired action drop-down list, select the action that you want the Universal Device Service to take when the prompt period expires. For example, if the prompt count is three and the prompt interval is 10 minutes, the prompt period expires after 30 minutes. Do one of the following:
      - If you do not want to choose any options, select None.
      - To block users from accessing your organization's resources and applications from their device, select Untrust. Data and applications are not deleted from the device.
      - To delete your organization's data from the device, select Delete only work data (unmanage).
      - To delete all data from the device, select Delete all data (full control device) or unmanage (user privacy device).

   Task: Block users from accessing work resources and applications from their device.
   Steps: Select Untrust. Data and applications are not deleted from the device.

   Task: Delete work data from the device and remove the device from the user account.
   Steps: Select Delete only work data (unmanage).

   Task: For devices that are activated with MDM controls or Work and personal - full control, delete all data from the devices and return the device to factory settings. For devices that are activated with Work and personal - user privacy, delete work data and remove the device from the user account.
   Steps: Select Delete all data (full control device) or unmanage (user privacy device).

6. Click Save.

Create a compliance profile


1. On the menu bar, click Library.
2. In the Compliance pane, click the + icon.
3. Type a name and description for the compliance profile.
4. Select the check box next to the settings that you want to configure. Do any of the following:
   - If you want jailbroken or rooted devices to be considered non-compliant, select Jailbroken or rooted device.
   - If you want devices with applications that you did not install to be considered non-compliant, select Non-assigned application is installed. Non-assigned applications do not include core applications that are installed with the device operating system.
   - If you want devices that have not installed the latest update for optional applications to be considered non-compliant, select Optional application is not updated.
   - If you want devices that do not have a required application to be considered non-compliant, select Required application is not installed.
   - If you want devices that have not installed the latest update for required applications to be considered non-compliant, select Required application is not updated.
5. In the Enforcement action drop-down list, for each setting that you selected in step 4, configure the Universal Device Service to perform one of the following tasks when user accounts do not meet your organization's requirements:

   Task: Automatically send an email message, a device notification message, or both that advises users of a compliance issue and of the consequences.
   Steps:
   1. Select Prompt for compliance.
   2. In the Prompt method drop-down list, select the type of message that you want the Universal Device Service to send. The message body comes from the compliance notification template, which you can update. Do one of the following:
      - To send an email message, select Email.
      - To send a device notification message, select Notification. Users can view the notification on the device.
      - To send an email message and a device notification message, select Both.
   3. In the Prompt count field, specify the number of times an email message or a device notification message should be sent before the required action is enforced.
   4. In the Prompt interval fields, specify the time between prompts.
   5. In the Prompt interval expired action drop-down list, select the action that you want the Universal Device Service to take when the prompt period expires. For example, if the prompt count is three and the prompt interval is 10 minutes, the prompt period expires after 30 minutes. Do one of the following:
      - If you do not want to choose any options, select None.
      - To block users from accessing your organization's resources and applications from their device, select Untrust. Data and applications are not deleted from the device.
      - To delete your organization's data from the device, select Delete only work data (unmanage).
      - To delete all data from the device, select Delete all data (full control device) or unmanage (user privacy device).

   Task: Block users from accessing work resources and applications from their device.
   Steps:
   1. Select Untrust. Data and applications are not deleted from the device.

   Task: Delete work data from the device and remove the device from the user account.
   Steps:
   1. Select Delete only work data (unmanage).

   Task: For devices that are activated with MDM controls or Work and personal - full control, delete all data from the devices and return the device to factory settings. For devices that are activated with Work and personal - user privacy, delete work data and remove the device from the user account.
   Steps:
   1. Select Delete all data (full control device) or unmanage (user privacy device).

6. Click Save.

Related information
Assign a profile to a group
Assign a profile to a user account

Update the template for the device compliance notification

You can use the Universal Device Service to automatically send an email message, a device notification message, or both,
to users when they do not comply with your organization's requirements. In the body of the message, you can tell users
what the compliance issue is and the consequences if they do not correct it. You can also include information about how to
return devices to compliance, and what actions users might need to complete if an enforcement action is applied to their
devices.
Before you begin: Create a compliance profile to configure device compliance settings.
1. On the menu bar, click Settings > Compliance Notification.
2. In the From email address field, type the email address that you want to send the email message from. You might want to use an email address that does not accept replies.
   If your organization's messaging server is Microsoft Exchange Server, you selected Credentials as the authentication type in the SMTP server settings, and the email address that you specify in the From email address field does not match the account in the SMTP server settings, verify that the email address has the Send As permission in Microsoft Exchange.
3. In the Email subject field, update the default text if necessary.
4. In the Email message field, update the default text if necessary.
5. In the Device notification message field, update the default text if necessary.
6. Click Save.

Returning devices to compliance


To return devices to compliance, users must correct the condition that made the device non-compliant. If the condition is
corrected before any enforcement action is taken, devices are automatically returned to compliance. If an enforcement
action is taken, the user might have to reactivate the device. The following table describes the actions required by users to
return their device to compliance.

Enforcement action: Prompt for compliance
Action required by the user: Correct the compliance condition.

Enforcement action: Untrust
Action required by the user: Correct the compliance condition. The untrusted state is automatically removed when the condition is corrected.

Enforcement action: Delete only work data (unmanage)
Action required by the user: Correct the compliance condition and reactivate the device.

Enforcement action: Delete all data (full control device) or unmanage (user privacy device)
Action required by the user: Correct the compliance condition and reactivate the device.
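
The precedence rules under "Assigning and reconciling compliance profiles", the prompt settings, and the recovery table above can be checked together before a profile is assigned. The following Python model is an added example, not BlackBerry code: the names Rule, resolve_profile, action_in_force, user_recovery and first_data_deletion are hypothetical, and the sample profile is constructed. It assumes that an action other than Prompt for compliance applies as soon as the condition is detected, that the prompt period counts as expired at its boundary, and it refuses to choose between profiles inherited from several groups because the three rules do not rank them.

```python
"""Added example: a model of the compliance rules this guide describes."""
from dataclasses import dataclass
from datetime import timedelta
from typing import Dict, Optional, Sequence, Tuple

PROMPT = "Prompt for compliance"
UNTRUST = "Untrust"
DELETE_WORK = "Delete only work data (unmanage)"
DELETE_ALL = "Delete all data (full control device) or unmanage (user privacy device)"
DESTRUCTIVE = (DELETE_WORK, DELETE_ALL)

# What the user must do, per enforcement action, taken from the
# "Returning devices to compliance" table.
RECOVERY = {
    PROMPT: "Correct the compliance condition.",
    UNTRUST: "Correct the compliance condition.",
    DELETE_WORK: "Correct the compliance condition and reactivate the device.",
    DELETE_ALL: "Correct the compliance condition and reactivate the device.",
}


@dataclass(frozen=True)
class Rule:
    """Enforcement settings chosen for one compliance condition."""
    action: str
    prompt_count: int = 0
    prompt_interval: timedelta = timedelta(0)
    expired_action: str = "None"  # the "Prompt interval expired action"

    def __post_init__(self) -> None:
        if self.action not in RECOVERY:
            raise ValueError(f"unknown enforcement action: {self.action!r}")
        if self.action == PROMPT:
            if self.prompt_count < 1 or self.prompt_interval <= timedelta(0):
                raise ValueError("prompting needs a count >= 1 and a positive interval")
            if self.expired_action not in ("None", UNTRUST) + DESTRUCTIVE:
                raise ValueError(f"unknown expired action: {self.expired_action!r}")

    def prompt_period(self) -> timedelta:
        """Prompt count x prompt interval, e.g. 3 x 10 minutes = 30 minutes."""
        return self.prompt_count * self.prompt_interval


def resolve_profile(direct: Optional[str], via_groups: Sequence[str], default: str) -> str:
    """Pick the profile that applies: direct, then group, then default."""
    if direct is not None:
        return direct
    distinct = sorted(set(via_groups))
    if len(distinct) > 1:
        # Assumption: the guide's three rules do not rank group against group,
        # so this model refuses to guess.
        raise ValueError("profiles from several groups: " + ", ".join(distinct))
    return distinct[0] if distinct else default


def action_in_force(rule: Rule, elapsed: timedelta) -> str:
    """Action applying `elapsed` after a device became, and stayed, non-compliant."""
    if rule.action != PROMPT:
        return rule.action  # assumption: applied as soon as the condition is detected
    if rule.expired_action == "None" or elapsed < rule.prompt_period():
        return PROMPT
    return rule.expired_action  # assumption: the period boundary counts as expired


def user_recovery(rule: Rule, elapsed: timedelta) -> str:
    """Step the user must take to return the device to compliance."""
    return RECOVERY[action_in_force(rule, elapsed)]


def first_data_deletion(rules: Dict[str, Rule]) -> Optional[Tuple[str, timedelta]]:
    """Condition that deletes data soonest, and how long the user has to fix it."""
    hits = []
    for condition, rule in rules.items():
        if rule.action in DESTRUCTIVE:
            hits.append((timedelta(0), condition))
        elif rule.action == PROMPT and rule.expired_action in DESTRUCTIVE:
            hits.append((rule.prompt_period(), condition))
    if not hits:
        return None
    when, condition = min(hits)
    return condition, when


# Constructed sample profile; the values are not taken from the guide.
SAMPLE_PROFILE = {
    "Device is jailbroken or rooted": Rule(PROMPT, 3, timedelta(minutes=10), DELETE_WORK),
    "Required application is not installed": Rule(PROMPT, 5, timedelta(hours=4), UNTRUST),
    "Non-assigned application is installed": Rule(UNTRUST),
}

if __name__ == "__main__":
    condition, when = first_data_deletion(SAMPLE_PROFILE)
    print(f"Earliest data deletion: {condition!r} after {when}")
    for name, rule in SAMPLE_PROFILE.items():
        print(name, "->", action_in_force(rule, timedelta(minutes=45)))
```

Running first_data_deletion over a profile before assigning it shows how little time users have before work data is removed and the device must be reactivated.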

Controlling how iOS and Android devices are activated and managed

The Activation Type profile determines how devices are activated, whether devices have a separate work space installed,
and how you can manage the data on the device. The assigned profile applies only to the next device that a user activates,
and not to devices that are already activated. There are three ways to activate devices:

Activation type: MDM controls
Description: Provides basic device management using device controls made available by iOS and Android. There is no separate work space installed on the device, and no added security for work data. You can control the device using IT administration commands and IT policies. During activation, users must install a mobile device management profile for iOS devices, and permit Administrator permissions for Android devices.
A Silver license or Gold - Secure Work Space license is required for this activation type.

Activation type: Work and personal - full control
Description: Provides full control of devices. When a device is activated, a separate work space is created on the device and the user must create a password to access the work space. Work data is protected using encryption and by requiring authentication for connections to the work space. You can control the work space, and some other aspects of the device using IT policies and commands. During activation, users must install a mobile device management profile for iOS devices, and permit Administrator permissions for Android devices.
A Gold - Secure Work Space license is required for this activation type.

Activation type: Work and personal - user privacy
Description: Provides control of work data on devices, while ensuring privacy for personal data. When a device is activated, a separate work space is created on the device and the user must create a password to access the work space. Work data is protected using encryption and by requiring authentication for connections to the work space. You can control the work space on the device using IT administration commands and IT policies, but you cannot control any aspects of the personal space on the device. Users are not required to install a mobile device management profile for iOS devices, or permit Administrator permissions for Android devices.
For iOS devices, you cannot send notifications to install internal work apps, and you cannot view the status of work apps in the Administration Console. Users with iOS devices must download internal work space apps from an internal website (workspace://apps).
A Gold - Secure Work Space license is required for this activation type.

Change the default activation type


The default activation type profile is assigned to user accounts only if the user is not assigned a profile directly or through
group membership. You can change the default activation type, but you cannot delete the default profile.
1. On the menu bar, click Library.
2. In the left pane, click Activation type > Default.
3. Type a description for the default activation type profile.
4. In the Activation type drop-down list, select the activation type that you want to be the default.
5. Click Save.

Create an activation type profile


If you want to assign different activation types to different users, you can create activation type profiles, in addition to the
default profile.
1. On the menu bar, click Library.
2. In the Activation type pane, click the + icon.
3. Type a name and description for the profile.
4. In the Activation type drop-down list, select the activation type to be associated with the profile.
5. Click Save.

What is the BES12 Client?


The BES12 Client is an app that allows BlackBerry Enterprise Service 10 to communicate with iOS and Android devices. If
users want to activate iOS or Android devices on BlackBerry Enterprise Service 10, they must install the BES12 Client on
their devices. Users can download the latest version of the BES12 Client from the App Store for iOS devices, or from Google
Play for Android devices.
After users activate their devices, the BES12 Client allows users to do the following:

- Verify whether their devices are compliant with the organization's standards
- View the profiles that have been assigned to their user accounts
- View the IT policy rules that have been assigned to their user accounts
- Deactivate their devices

Managing devices that have a work space


Having a work space on devices helps to keep work information separate and secure, and allows you to manage the work
data on devices. Data that any of the apps in the work space use is saved securely and cannot be accessed outside of the
work space. For more information about work space security, visit docs.blackberry.com/BES10 to see the Secure Work
Space for iOS and Android Security Note.
If you assign the "Work and personal - full control" or "Work and personal - user privacy" activation type to user accounts,
during activation a work space is installed on the devices and users are prompted to create work space passwords. To
complete the work space setup, users must download the following apps on their devices:

Device type: iOS
Apps:
- Work Connect - for email, calendar, contacts, notes, and tasks
- Work Browser - for browsing
- Documents To Go - for securely viewing and editing work documents

Device type: Android
Apps:
- Work Space Manager - required to run the other work space apps on the device
- Secure Work Space - for email, calendar, contacts, and browsing
- Documents To Go - for securely viewing and editing work documents

The work space allows you to take advantage of the following features:

- Convert your organization's internal apps into work space apps that can be installed and run in the work space, or obtain work space apps from the App Store or Google Play. Use software configurations to install and manage work space apps. For more information, see Installing apps in the work space.
- Control specific behaviors of the work space on devices, such as password requirements and connection preferences, by applying a work space IT policy to user accounts. A default work space IT policy is automatically applied to devices with a work space.
- Use IT administration commands to reset the work space password or delete the work space on devices.

For information about the requirements to enable the work space, visit www.blackberry.com/go/serverdocs to read the
BlackBerry Enterprise Service 10 Configuration Guide.


Upgrading work space apps


To support new features and additional operating systems, BlackBerry posts new versions of the work space apps in the
App Store and Google Play.
Notify users that they should upgrade the work space apps when prompted. If users upgrade their device operating system
and do not upgrade to the latest version of the work space apps, the work space may not function as expected.
For more information about the supported device operating systems, visit docs.blackberry.com/BES10 to see the
BlackBerry Enterprise Service 10 Compatibility Matrix.

Controlling the capabilities of devices


IT policies and work space IT policies control and manage the devices in your organization's environment. An IT policy
consists of multiple IT policy rules that manage the security and behavior of devices.
IT policies control the behavior of devices. Work space IT policies control the behavior of the work space on devices. You
can create several IT policies and work space IT policies, but you can apply only one IT policy and one work space IT policy
to each user account.
After a user activates a device, the Universal Device Service automatically sends the applied IT policy to the device. If the
user's device has a work space, the Universal Device Service also sends the applied work space IT policy to the device. If
you do not apply an IT policy or a work space IT policy to a user account or to a group that the user belongs to, the Universal
Device Service sends the default IT policy or the default work space IT policy to the device.
You can view and edit IT policies and work space IT policies in the Universal Device Service console. The default IT policy
and the default work space IT policy include the default settings for each IT policy rule. You can edit the default IT policy
and the default work space IT policy, but you cannot delete them.

Create an IT policy
1. On the menu bar, click Library.
2. In the IT Policies pane, click the + icon.
3. Type a name and description for the IT policy.
4. Configure the appropriate values for the IT policy rules.
5. Click Save.

Related information
Descriptions of IT policy rules


Create a work space IT policy


1. On the menu bar, click Library.
2. In the Work Space IT Policy pane, click the + icon.
3. Type a name and description for the work space IT policy.
4. Configure the appropriate values for the work space IT policy rules.
5. Click Save.

Related information
Descriptions of work space IT policy rules

Routing data for the work browser through a proxy server

You can choose to direct all HTTP traffic for the work browser on supported iOS and Android devices through a proxy server
behind your organization's firewall. To route work browser data through a proxy server, you must create and assign a proxy
profile for Secure Work Space to user accounts or groups. Proxy profiles for Secure Work Space support proxy servers that
use Basic Authentication, Integrated Authentication, or no authentication.
Proxy profiles for Secure Work Space are supported for:

- Any version of iOS 5.0 or later that supports Secure Work Space
- Any version of Android 2.3 or later that supports Secure Work Space

For more information about OS compatibility, visit docs.blackberry.com/BES10 to read the BlackBerry Enterprise Service
10 Compatibility Matrix.
You can select the proxy server automatically using a PAC file, or you can specify the proxy server manually.

Create a proxy profile for Secure Work Space


1. On the menu bar, click Library.
2. In the left pane, click the + icon next to Work Space HTTP Proxy.
3. Type a name and a description for the proxy profile.
4. Perform one of the following actions:
   - If you want to select the proxy server automatically using a PAC file, select the Automatic check box. In the PAC URL field, type the URL for the PAC file.
   - If you want to specify the proxy server, select the Manual check box. Specify the FQDN or IP address of the proxy server and the port number (default 8080). Type the username and password of the administrator account that you want to use to authenticate with the proxy server. For the username, use the format <domain>\<username>. Optionally, type <domain>\%UserName% in the username field to have users authenticate with the proxy server using their company directory passwords.
5. Click Save.

After you finish: Assign the proxy profile for the Secure Work Space to user accounts or groups.
Related information
Assign a profile to a group
Assign a profile to a user account


Managing app availability on devices


You can manage apps on devices by creating a software configuration that includes one or more application definitions,
and then assigning the software configuration to a user account or group.
If you want to update the version of an app in an application definition that is assigned to a user account or group, you can
replace the app in the application definition with the updated version. Do not create a new application definition with the
updated app version and assign it to the same user account or group.

Create an application definition


Create an application definition for each app that you want to install on devices. You can include many application sources
for an app, with a maximum of two application sources for each platform version; one for the regular app and one for the
secure version of the app. For example, you can include one application source for the regular version of an app for iOS 4.0,
and one application source for the secure version of an app for iOS 4.0.
Before you begin:

- If you want to add a paid app to an application definition for iOS 5 and later devices, you should use the manual installation method. You should not select the Prompt once installation method, the option to remove the app when the device is removed from management in the Universal Device Service, or the option to disable backup to the iCloud online service or iTunes Store. If you select any of these options, the app is treated as a work app and is subject to actions that you perform as administrator. For example, if you remove work data from the device, the app is also removed.
- To create an application definition for an internal app that you want to install in the work space, you must first secure the app and have the developer re-sign it. For more information, see Installing apps in the work space.
- If you want to distribute a secured and re-signed work space app from the App Store or Google Play, you can follow this task and then use a software configuration to distribute the work space app to users and groups. For more information, see Installing apps in the work space.
- Some secured apps that are available in the App Store or Google Play require specific ports to be open on BlackBerry Enterprise Service 10. Contact the app vendor for information.

1. On the menu bar, click Library.
2. In the Application Definitions pane, click the + icon.
3. Type a definition name and definition description.
4. In the Default installation method drop-down list, perform one of the following actions:
   - If you want users to receive one prompt to install the app on their iOS 5 and later devices, select Prompt once. If users dismiss the prompt they can install the app later using the Work Apps screen in the BES12 Client or the Work Apps icon on the device. The default installation method is supported for iOS 5 and later devices only for application sources that are either .ipa files (apps that are internally hosted by your organization) or free apps in the App Store.
   - If you want users to install the app on the Work Apps screen in the BES12 Client or using the Work Apps icon on the device, select Manual. This is the default installation method and it is supported for iOS devices and Android devices for all application sources.
5. If you want to remove the app from iOS 5 and later devices when the devices are removed from management in the Universal Device Service, select the check box for that option.
6. If you want to prevent apps on iOS 5 and later devices from being backed up to the iCloud online service or iTunes Store, select the check box for that option.
7. In the Applications sources section, click the + icon and select Upload binary (for an internal app) or App store app.
8. In the Application name field, type the app name.
9. In the Vendor field, type the name of the app vendor.
10. In the Application version field, type the app version.
11. In the Platform drop-down list, select a platform.
12. In the Application icon field, click Browse. Locate and select an icon for the app.
13. In the Application identifier field, type the identifier. For iOS devices, the application identifier can be found by connecting the device to a computer and using the iPhone Configuration Utility. For Android devices, the application identifier is part of the URL for the app in Google Play.
14. If you want to install a secured and re-signed app in the work space on devices, select the Secure application check box.
15. In the Application source drop-down list, select one of the following:
   - For public apps, select Application web address and type the web address of the app in the App Store or Google Play.
   - For internally hosted apps or work space apps, select Application file (.apk, .ipa) and type the file name for the app or click Browse and locate the application file. .ipa files are supported only for iOS 5 and later devices (available from the Work Apps icon on the device).
16. Click Save.

Related information
Installing apps in the work space

Create a software configuration


You can create a software configuration that you can assign to user accounts and groups. A software configuration is a
collection of application definitions.
1. On the menu bar, click Library.
2. In the left pane, in the Software Configurations pane, click the + icon.
3. In the Configuration name field, type the name.
4. In the Configuration description field, type a description.
5. Click the + icon to add an application definition to the software configuration.
6. Select an application definition.
7. Click Add.
8. In the Disposition drop-down list, select Required or Optional.
9. Click Save.

Assign a software configuration to a user account


1. Search for a user account.
2. In the search results, click the name of a user account.
3. In the Software configurations section, click the + icon.
4. In the drop-down list, select the software configuration that you want to assign to the user account.
5. Click Apply.

Assign a software configuration to a group


1. On the menu bar, click Users & Devices.
2. In the left pane, click the name of a group.
3. On the Settings tab, in the Software configurations section, click the + icon.
4. In the drop-down list, select the software configuration that you want to assign to the group.
5. Click Apply.

View whether work apps are installed on a device


1. Search for a user account.
2. In the search results, click the name of a user account.
3. In the Software configurations window, click on a software configuration name to display the list of work apps. Apps that the user did not install are indicated by a red icon. Apps that the user installed but that are not the correct version are indicated by a red and white icon.

Installing apps in the work space


If you want to install an app developed by your organization in the work space on users' devices, you must complete the
following steps:
1. Obtain the app binary file (.apk or .ipa) from the developer.
2. Secure the app by uploading the app binary file in the Universal Device Service administration console. This process repackages the app so that it can be installed in the work space. Download the secured app and give it to the app developer.
3. The app developer re-signs the app, and if necessary, creates an entitlements file. The developer gives you the app for distribution. For more information about re-signing apps, visit developer.blackberry.com/devzone/develop/enterprise/resign_work_space_app.html.
4. You create an application definition for the secured and re-signed app, then add the application definition to a software configuration.
5. You assign the software configuration to users or groups.
This section explains how to secure and re-sign internal apps to convert them into work space apps. Third-party app
developers can secure and re-sign their applications and make them available on the App Store or Google Play. To
distribute a work space app from the App Store or Google Play, you can create an application definition for the app, add it
to a software configuration, and assign the software configuration to users.
Apps from the App Store or Google Play that are not designated as work space apps cannot be installed or run in the work
space. Only the app vendor can secure and re-sign an app so that it can be installed in the work space.
In previous releases, an app only had to be secured and re-signed to be permitted in the work space. In BlackBerry
Enterprise Service 10 version 10.1.3 and later, secured and re-signed apps can only be installed and run in the work space
if you assign them to users with a software configuration. This requirement gives you more control over the apps that are
permitted in the work space.
For more information about work space apps, visit docs.blackberry.com/BES10 to read the Secure Work Space for iOS and
Android Security Technical Note.

Secure an app
You can use the Universal Device Service administration console to secure an app so that it can be installed in the work
space on devices.
Before you begin:
- Obtain the app binary file (.apk or .ipa) from the developer. The size of the app file must be no larger than 50 MB.
- .ipa apps must be developed using iOS 7 SDK or later

1. On the menu bar, click Settings.
2. In the left pane, click Work Space.
3. In the Secure Applications window, click the + icon.
4. Browse to the application file (.apk or .ipa) and click Upload.
5. Check the status of the app. The process can take a few minutes to several hours. The status column displays one of the following states:
   - Processing
   - In progress
   - Failed - Retry
   - Securing complete
6. When the status is Securing complete, click Download secure file to download the secured app to your local computer.

After you finish:
- Give the secured app to the developer to re-sign. For more information about re-signing apps, visit
  developer.blackberry.com/devzone/develop/enterprise/resign_work_space_app.html.
- After the app is secured and re-signed, create an application definition for the app and include it in a software
  configuration. Assign the software configuration to users or groups.

Related information
Create an application definition, 46

Types of apps
Work space-enabled devices can run three different types of apps:
Type of app: Personal app
Description: An app that the user installs on the device, or an app that the manufacturer or wireless service provider
installs on the device. BlackBerry Enterprise Service 10 treats these apps, and the data that they store, as personal data.

Type of app: Work app
Description: An app that you install and manage on a user's device. BlackBerry Enterprise Service 10 treats these apps,
and the data that they store, as work data.

Type of app: Work space app
Description: A work app that the work space secures with additional protections. BlackBerry Enterprise Service 10 treats
these apps, and the data that they store, as work space data.

There are three different types of work space apps:


Type of app: Default work space app
Description: A work space app that appears on every work space-enabled device.

Type of app: Internal work space app
Description: An app that your organization develops and specifically prepares to run in the work space.

Type of app: External work space app
Description: An app that a third-party develops and the app vendor specifically prepares to run in the work space.

Managing groups and user accounts

Topics:
- Creating and managing groups
- Creating and managing user accounts

Creating and managing groups


You can manage multiple user accounts by adding the user accounts to a group and managing the group.
A group is a collection of related device users who share commonly configured properties. Administering users as a group
is more efficient than administering individual users because properties can be set, applied, or changed simultaneously for
all members of the group.
You can assign group properties, such as software configurations or IT policies, to a group using the Administration
Console.
If you remove a user account from a group, the account name remains in the global list of user accounts but it does not
appear in the group list.

Create a group
1. In the left pane, beside Groups, click the + icon.
2. In the Group name field, type a name for the group.
3. To add an IT policy, certificate, profile, or software configuration to the group, in the IT policies and profiles section,
   click the + icon.
   a. Click IT policy, Software configuration, or the type of certificate or profile.
   b. Select the specific IT policy, certificate, profile, or software configuration in the drop-down list.
   c. Click Apply.
4. When you are finished specifying the group properties, click Add.

Change the properties of a group


After you create a group, you can change the properties for the group. When you add user and administrator accounts to a
group, the accounts inherit the properties of the group.
1. In the left pane, expand Groups.
2. Click the name of the group you want to change.
3. Click the edit icon.
4. To change the properties of the group, click the Settings tab and do the following:

   Option: Change the IT policies and profiles applied to the group
   Step:
   1. In the IT policies and profiles section, click the + icon.
   2. Click IT policy or the type of certificate or profile.
   3. Select the specific IT policy, certificate, or profile in the drop-down list.
   4. Click Apply.

   Option: Change the software configurations applied to the group
   Step:
   1. In the Software configurations section, click the + icon.
   2. Select the software configuration in the drop-down list.
   3. Click Apply.

   Option: Delete a group property
   Step: Click the delete icon beside the group property you would like to remove from the group.

Assign an account to a group


A user or administrator account can only be in one group at a time. If you assign an account to a new group, the account is
removed from its current group.
1. In the left pane, click All Users.
2. Click the selection box beside the names of the accounts you want to add to a group.
3. Click Assign To Group.
4. In the New group drop-down list, select a group.
5. Click Assign.

Remove an account from a group


User or administrator accounts that are removed from a group are not deleted.
1. In the left pane, click the name of a group.
2. Click the selection box beside the names of the accounts you want to delete from the group.
3. Click Remove From Group.
4. Click Remove.

Assign an IT policy to a group


When you assign an IT policy or work space IT policy to a group, it replaces any IT policy or work space IT policy that is
currently applied to the group. The IT policy is applied to all members of the group. If a member of the group has a different
IT policy assigned to the user account, the IT policy assigned to the user account takes precedence and the group IT policy
is not applied to the user account.
1. On the menu bar, click Users & Devices.
2. In the left pane, click the name of a group.
3. On the Available Settings tab, complete one of the following actions:
   - In the IT policies section, select the IT policy that you want to assign.
   - In the Work Space section, select the work space IT policy that you want to assign.
4. Drag the IT policy or work space IT policy to the group name in the left pane.
5. Click Apply.

Related information
Controlling the capabilities of devices, 43

Assign a profile to a group


Before you begin: Create profiles.
1. On the menu bar, click Users & Devices.
2. In the left pane, click the name of a group.
3. On the Available Settings tab, in the Profiles section, select the profile that you want to assign.
4. Drag the profile to the group name in the left pane.
5. Click Apply.

Synchronizing groups with Microsoft Active Directory


You can use the BlackBerry Directory Sync Tool to synchronize the membership of security groups and distribution groups
in Microsoft Active Directory with groups in the Universal Device Service. After you map one-to-one relationships between
Microsoft Active Directory groups and Universal Device Service groups, you can start the synchronization process
manually, or you can use a task scheduling application to run the synchronization at a set interval.
When you run a synchronization process using the BlackBerry Directory Sync Tool, it compares the Microsoft Active
Directory group to the Universal Device Service group that you mapped it to. If the tool finds any differences in group
membership, it assigns user accounts to, or removes user accounts from, the Universal Device Service group until the
membership matches the Microsoft Active Directory group.
For more information about the BlackBerry Directory Sync Tool, visit www.blackberry.com/go/serverdocs to read the
BlackBerry Resource Kit for BlackBerry Enterprise Service 10 documentation.


Creating and managing user accounts


You can create user accounts and manage user accounts and their associated devices.
You can manage user accounts by adding user accounts to a group so that the properties of the group are assigned to the
user accounts automatically. A group can contain user accounts that you want to manage collectively. Options that you
configure at the user level take priority over options that you configure at the group level. You can also assign an IT policy to
a user account to control the actions users can perform using their devices.

Add a user account


Before you begin:
- If you configured the Universal Device Service to connect to a company directory, you can add a user account directly
  from your organization's list of users. If you did not configure these settings, you can create local user accounts only.
- Update the template for the activation email message that you send to users when you add them to the Universal
  Device Service. You can send the activation email message to a user when you add the user, or at any time after you add
  the user.

1. In the left pane, beside All Users, click the + icon.
2. In the Add a user window, perform one of the following tasks:

   Task: Add a user account from the company directory. If you have not configured the Universal Device Service to
   connect to a company directory, the Directory tab is not shown.
   Steps:
   1. On the Directory tab, search for a user account.
   2. In the Name drop-down list, select the user account.
   3. If you want to add the user account to a group, in the Group membership drop-down list, select a group.
   4. To specify whether the user will use a work or personal device, in the Device ownership drop-down list, select an
      option.
   5. Verify that the Administrator account check box is clear.

   Task: Create a local user account.
   Steps:
   1. Select the Local tab, and specify the details for the user account.
   2. If you want to add the user account to a group, in the Group membership drop-down list, select a group.
   3. To specify whether the user will use a work or personal device, in the Device ownership drop-down list, select an
      option.
   4. Verify that the Administrator account check box is clear.

3. To specify device activation settings for the user account, in the Device Activation section, select Enable new device
   activations.
4. Select one of the following options:
   - Use directory password to allow the user to use the company directory password to activate a device.
   - Specify an activation password to specify a password that the user must enter to activate a device.
5. To specify when the activation password expires, select a time and date in the Activation expiration (date) and
   Activation expiration (time) fields. If you do not specify an expiration date and time, the activation password will
   never expire.
6. To specify a maximum number of times that the user is allowed to activate the device before the device is locked, in
   the Maximum number of activations per device field, type a value.
7. To specify a maximum number of devices that can be associated with the user account, in the Maximum number of
   devices to activate field, type a value.
8. To specify the device platforms that are supported, select Permitted devices and select one or more platforms.
9. To specify the device versions that are supported, in the drop-down list, select one or more versions.
10. To send an email message to the user immediately after you save the user account, select Send activation email. The
    email message will contain the activation information that you specified in the activation email template. If you do not
    want the user to activate the device with the default activation type, clear the Send activation email option and send
    the email after you apply the desired activation type to the user account.
11. If you use custom variables, click the arrow beside Custom Variables and complete the fields.
12. Do one of the following:
    - To save the user account and create another user account, click Save & New.
    - To save the user account, click Save.

View a user account


You can view information about a user account by accessing the user account in the Universal Device Service. For
example, you can view the following information:

- User information such as email address and display name
- Smartphone model number or tablet model number, operating system, wireless service provider, phone number,
  software version, and current state
- Assigned IT policies, profiles, and software configurations
- Groups the user account is assigned to

1. Search for a user account.
2. In the search results, click the name of a user account.

Assign an IT policy to a user account


When you assign an IT policy or work space IT policy to a user account, it replaces the IT policy or work space IT policy that
is currently applied to the user account. If a user account belongs to a group that is assigned a different IT policy, the IT
policy assigned to the user account takes precedence and the group IT policy is not applied to the user account.
1. Search for a user account.
2. In the search results, click the name of a user account.
3. On the Available Settings tab, complete one of the following actions:
   - In the IT policies section, select the IT policy that you want to assign.
   - In the Work Space section, select the work space IT policy that you want to assign.
4. Drag the IT policy or work space IT policy to anywhere in the user account window.
5. Click Apply.

Related information
Controlling the capabilities of devices, 43

Assign a profile to a user account


Before you begin: Create profiles.
1. Search for a user account.
2. In the search results, click the name of a user account.
3. On the Available Settings tab, in the Profiles section, select the profile that you want to assign.
4. Drag the profile to anywhere in the user account window.
5. Click Apply.

Edit user account information


1. Search for a user account.
2. In the search results, click the name of a user account.
3. Click the edit icon.
4. Edit the user account information.
5. In the Device ownership drop-down list, select the type of device ownership. The selection is applied to the next
   device that the user activates. It does not change the ownership status of the user's existing devices.
6. Click Save.

Change the device activation password for a user


Users must provide a username and password when they activate devices. When you add a user account in the Universal
Device Service, you can specify an activation password. To create a new activation password, complete the following steps:
1. Search for a user account.
2. In the search results, click the name of a user account.
3. Click the + icon.
4. In the Device Activation window, click the edit icon.
5. Perform one of the following actions:
   - Click Change activation password.
   - Select Use directory password or Specify activation password.
6. If you selected Change activation password or Specify activation password, type an activation password in the
   Activation password field.
7. To specify when the activation password expires, select a date and time in the Activation expiration (date) and
   Activation expiration (time) drop-down lists.
8. To send an email message to a user that contains the information that the user requires to activate their device,
   select Send activation email.
9. Click Save.

Activating and managing devices

Topics:
- Activating devices
- Managing devices

Activating devices
When a user activates a device in the Universal Device Service, the device is associated with your organization's
environment so that the user can access work data on their device.
To activate their devices, users must type a username and an activation password. If the user account is associated with
your company directory, you can allow the user to use their company username and password, or you can specify an
activation password. For local user accounts, you must create a username and activation password for the user.
Complete the following tasks before you send activation emails to users:
- Ensure that you have the required licenses available. For more information about licenses, see the BlackBerry
  Enterprise Service 10 Licensing Guide.
- Update the template for the activation email so that it includes all of the information that users need to activate their
  devices.
- If you do not want users to activate their devices using the default activation type, assign an activation type profile to the
  user account or group. You cannot change the activation type for a user's device after the user has activated their
  device.
- Assign other profiles, software configurations, and IT policies as required.

Configure the default settings to activate a device


You can configure the default settings that are displayed in the Add a user window. If necessary, you can change the
default settings when you add a user account to the Universal Device Service.
1. On the menu bar, click Settings > Activation Defaults.
2. In the Device ownership drop-down list, perform one of the following actions:
   - Select Personal if users typically activate personal devices.
   - Select Corporate if users typically activate devices that belong to your organization.
   - Select Not specified if some users activate personal devices and some users activate devices that belong to your
     organization.
3. In the Activation expiration fields, select the default date and time by which the user must activate a device.
4. In the Maximum number of activations per device field, change the value to be the number of times that a user can
   activate a device.
5. In the Maximum number of devices to activate field, change the value to be the total number of devices that a user
   can activate.
6. Select Permitted devices if you want to specify the type and version of devices that users can activate.
7. Click Save.

Update the template for the activation email message


You must update the template for the activation email message that you send to users. You can send the activation email
when you add a user account to the Universal Device Service, or any time after you add a user account.
1. In the Administration Console, on the menu bar, click Settings > Activation Email.
2. In the From email address field, replace the default text with the email address that you want to send the email
   message from. You might want to use an email address that does not accept replies.
   If your organization uses Microsoft Exchange Server and you selected Credentials as the authentication type in the
   SMTP server settings, and the email address that you specify in the From email address field does not match the
   account in the SMTP server settings, verify that the email address has the Send As permission in Microsoft Exchange.
3. In the Subject field, update the default text.
4. In the Message field, update the default text. You can use variables in the text to customize the email message for
   different users. For a list of variables, see Using variables. You can complete some or all of the following changes:
   - Replace <CompanyName> with your organization's name.
   - Review the paragraph in the Before you begin section. The variable https://%BSCAddress%/%SRPID%/ca is
     replaced by the web address where the user can install the SSL certificate on the device. If the user installs the
     certificate before activating the device, the certificate is displayed as a trusted certificate in step 4 of the default
     text.
   - In step 1 of the default text, you can remove one of the app store web addresses if it is not required. For example,
     if you support only iOS devices, you can remove the Google Play web address.
   - In step 3 of the default text, the variables %BSCAddress%/%SRPID% are automatically replaced in the email
     message with the required server address and SRP ID.
   - In step 4 of the default text, you can replace <X or checkmark> with X (SSL certificate is not trusted) or
     checkmark (SSL certificate is trusted). For more information about the SSL certificate, see the BlackBerry
     Enterprise Service 10 Configuration Guide.
   - In step 5 of the default text, include information about the activation password. The password might be the user's
     directory password or a password that you create. If you create the password, you can insert the
     %ActivationPassword% variable in the email message to provide the password, or you can send the password to
     the user separately.
   - If you did not select an expiry date for the activation password, you can remove the related statement in step 5.
   - Step 8 in the default text is applicable only to users with iOS devices that are activated with user privacy. If the
     step is applicable, remove the text in the square brackets. If the step is not applicable, remove the entire step.
5. Optionally, you can include login information for BES10 Self-Service. The web address for BES10 Self-Service is
   https://<server_name>:7445, where <server_name> is the FQDN of the computer that hosts the console. Company
   directory users can log in with their directory usernames and passwords. For local users with BlackBerry 10 devices,
   you must create each user's username and password in the BlackBerry Device Service. Local users with iOS or
   Android devices cannot use BES10 Self-Service.
6. Click Save.

Related information
Using variables, 22
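
The template edits listed in the procedure above can be checked on a draft message before it is saved. The following Python sketch is an added example, not BlackBerry code: the function names, finding codes, sample drafts and the %HelpDeskName% variable are constructed for illustration. The plain-http and bracketed-text checks are assumptions based on the https://%BSCAddress%/%SRPID%/ca form and the step 8 note in this section.

```python
import re

# Variables named in this section of the guide; the full list is under "Using variables".
KNOWN_VARIABLES = {"%BSCAddress%", "%SRPID%", "%ActivationPassword%"}
# Authoring placeholders that the administrator has to replace by hand.
MANUAL_PLACEHOLDERS = ("<CompanyName>", "<X or checkmark>")

VARIABLE_RE = re.compile(r"%[A-Za-z][A-Za-z0-9_]*%")
BRACKET_RE = re.compile(r"\[[^\]\n]+\]")  # leftover [author notes], as in step 8
PLAIN_HTTP_RE = re.compile(r"http://%BSCAddress%", re.IGNORECASE)
SEVERITY_ORDER = {"info": 0, "warning": 1, "error": 2}


def lint_activation_template(message, password_expires):
    """Return (severity, code, evidence) findings for an activation email body.

    password_expires is the configured activation expiration (any datetime),
    or None when no expiration is set and the password never expires.
    """
    findings = []
    for placeholder in MANUAL_PLACEHOLDERS:
        if placeholder in message:
            findings.append(("error", "unreplaced-placeholder", placeholder))
    for match in BRACKET_RE.finditer(message):
        findings.append(("warning", "bracketed-text", match.group(0)))
    # Assumption: the certificate and server links should keep the https form
    # that the guide shows, so the trust bootstrap is not sent over plain HTTP.
    if PLAIN_HTTP_RE.search(message):
        findings.append(("error", "plain-http-server-link", "http://%BSCAddress%"))
    for variable in sorted(set(VARIABLE_RE.findall(message)) - KNOWN_VARIABLES):
        # Not necessarily wrong: check it against the "Using variables" list.
        findings.append(("info", "unlisted-variable", variable))
    if "%ActivationPassword%" in message and password_expires is None:
        findings.append(
            ("warning", "password-in-email-never-expires", "%ActivationPassword%")
        )
    # Heuristic: the draft still talks about expiry although none is configured.
    if password_expires is None and re.search(r"\bexpir", message, re.IGNORECASE):
        findings.append(("warning", "expiry-statement-without-expiry", "expir"))
    return findings


def worst_severity(findings):
    """Return the highest severity present, or "ok" when there are no findings."""
    if not findings:
        return "ok"
    return max((f[0] for f in findings), key=SEVERITY_ORDER.__getitem__)


# Constructed sample drafts (not the product's default template text).
SAMPLE_DRAFT = """\
Welcome to <CompanyName> mobile device management.
Before you begin: install the certificate from http://%BSCAddress%/%SRPID%/ca
3. Type the server address %BSCAddress%/%SRPID%.
4. Confirm that the certificate shows <X or checkmark>.
5. Your activation password is %ActivationPassword%. It expires on the date shown.
8. [iOS user privacy only] Install the work space apps.
Questions? Contact %HelpDeskName%.
"""

SAMPLE_CLEAN = """\
Welcome to Example Corp mobile device management.
Before you begin: install the certificate from https://%BSCAddress%/%SRPID%/ca
3. Type the server address %BSCAddress%/%SRPID%.
4. Confirm that the certificate shows a checkmark.
5. Your activation password will be sent to you separately.
"""

if __name__ == "__main__":
    for severity, code, evidence in lint_activation_template(SAMPLE_DRAFT, None):
        print(f"{severity:8} {code:34} {evidence}")
    print("clean draft:", worst_severity(lint_activation_template(SAMPLE_CLEAN, None)))
```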

Send an activation email message


When you add a user account to the Universal Device Service you can select the Send activation email check box to
automatically send an activation email message to a user. You can perform the following steps to send an activation email
at any time.
Before you begin: Update the template for the activation email message.
1. In the Administration Console, search for a user account.
2. In the search results, click the name of the user account.
3. Beside the device tab, or tabs, click the + icon.
4. In the Device Activation window, perform one of the following actions:
   - Click the email icon to send the activation email to the user.
   - Click the edit icon to change the device activation settings. Confirm that the Send activation email check box is
     selected, and click Save.

Activate an iOS device


Before you begin:
- Confirm that the required licenses are available.
- Create a user account.
- Assign profiles and software configurations to the user account, if required.
- Send an activation email message to the user.

Send the following activation instructions to the device user. When you send the instructions to a user, indicate whether the
user needs to install the Communication Module SSL certificate and whether the user is a directory user (can use their
directory usernames and passwords) or a local user (must use the username and password that you specified).
1. If your administrator notes that it is required, open the web address in your activation email to install the
   Communication Module SSL certificate on your device. Installing the certificate before activation ensures that the
   device recognizes and trusts BlackBerry Enterprise Service 10.
2. Install the BES12 Client. The BES12 Client is available from the App Store.
3. Tap the BES10 icon. Tap Continue.
4. If you are prompted to turn on location services, complete the following steps:
   a. Tap Settings.
   b. Verify that Location Services is turned on.
   c. Verify that BES10 is turned on.
   d. Close Settings.
5. Read the end user agreement and tap I Agree.
6. Type your organization's server address and tap Go. You can find the server address in the activation email message.
7. Confirm that the certificate details match your organization's information and tap Accept.
8. Type your username and password and tap Activate My Device.
9. If necessary, tap OK to install the required certificate.
10. Follow the instructions on the screen to complete the activation.
11. If you are prompted to enter the password for your email account or the passcode for your device, follow the
    instructions on the screen.
12. If you are prompted, create a work space password and download work space apps.

After you finish: Open the BES12 Client and tap About. In the Activated Device section, you should see your device
information.

Activate an Android device


Before you begin:
- Confirm that the required licenses are available.
- Create a user account.
- Assign profiles and software configurations to the user account, if required.
- Send an activation email message to the user.

Send the following activation instructions to the device user. When you send the instructions to a user, indicate whether the
user needs to install the Communication Module SSL certificate and whether the user is a directory user (can use their
directory usernames and passwords) or a local user (must use the username and password that you specified).
1. If your administrator notes that it is required, open the web address in your activation email to install the
   Communication Module SSL certificate on your device. Installing the certificate before activation ensures that the
   device recognizes and trusts BlackBerry Enterprise Service 10.
2. Install the BES12 Client. The BES12 Client is available from Google Play.
3. On the device, tap the BES10 icon.
4. Read the end user agreement and tap I Agree.
5. Type your organization's server address and tap Next. You can find the server address in the activation email
   message.
6. Confirm that the certificate details match your organization's information and tap Accept.
7. Type your username and password and tap Activate My Device.
8. Tap Activate to activate the security policies.
9. If you are prompted, create a work space password and download work space apps.

After you finish: Open the BES12 Client and tap About. In the Activated Device section, you should see your device
information.

Setting an activation password using BES10 Self-Service


Using BES10 Self-Service, BlackBerry Enterprise Service 10 users can create activation passwords so that they can
activate their devices over the wireless network. Users can select the type of device that they want to activate and specify
an activation password. Instructions for activating devices are also provided in BES10 Self-Service.
The web address for BES10 Self-Service is https://<server_name>:7445, where <server_name> is the FQDN of the
computer that hosts the console. Company directory users can log in with their organization usernames and passwords.
For local users that have BlackBerry 10 devices, you must create their usernames and passwords in the BlackBerry Device
Service. Local users that have iOS or Android devices cannot use BES10 Self-Service.
For more information about BES10 Self-Service, visit blackberry.com/go/docs to read the BES10 Self-Service User Guide.

Managing devices
The Universal Device Service includes IT administration commands that you can send to devices over the wireless network
to protect data on devices. You can view detailed information about individual devices in device reports and view a history
of all communication that occurs between devices and the Universal Device Service in the communication logs. If devices
are jailbroken or rooted, the Universal Device Service displays an indicator beside the name of the user account that is
associated with the jailbroken device or rooted device in the list of user accounts.

Using IT administration commands to manage devices


The Universal Device Service includes IT administration commands that you can send to a device over the wireless network
to help protect your organization's data on a device. If the device supports the commands, you can use them to lock the
device, unlock the device, reset the device password, permanently delete work data, or return the device settings to the
default values.

IT administration command: Specify device password and lock
Description: For Android devices, this command allows you to create a new device password and lock the device. You must
create a password that complies with existing password rules. When the user unlocks the device, the device prompts the
user to accept or reject the new password.
You can use this command if the device is lost or stolen.
Activation types: MDM controls; Work and personal - full control

IT administration command: Lock device
Description: This command locks a device. The user must type the existing device password to unlock the device.
You can use this command if the device is lost or stolen.
Activation types: MDM controls; Work and personal - full control

IT administration command: Unlock and clear password
Description: This command allows you to unlock a device and clear the existing password. The user is prompted to create
a new device password.
You can use this command if the user forgets the device password.
Activation types: MDM controls; Work and personal - full control

IT administration command: Delete only work data
Description: This command deletes any profiles that are assigned to the device and removes the device from the Universal
Device Service. Work apps that are installed on the device are not deleted.
If the device has a work space, the work space information is deleted and the work space is removed from the device.
You can send this command to a personal device when a user no longer works at your organization and you want to
delete the work data from the device.
The user account is not deleted when you send this command.
Activation types: MDM controls; Work and personal - full control; Work and personal - user privacy

IT administration command: Delete all device data
Description: This command deletes all user information and application data that the device stores including information
in the work space, returns the device to factory defaults, and removes the device from the Universal Device Service. For
Motorola devices that support the Enterprise Device Management API, information on the media card is also deleted.
You can send this command to a device when you want to redistribute a previously used device to another user in your
organization, or to a device that is lost and unlikely to be recovered.
You can specify whether you want to delete or disable a user account from the Universal Device Service after the device
deletes all user information and application data.
Activation types: MDM controls; Work and personal - full control

IT administration command: Lock work space
Description: This command locks the work space on a device so that the user must type the existing work space password
to unlock the device.
You can use this command if the device is lost or stolen.
Activation types: Work and personal - full control; Work and personal - user privacy

IT administration command: Disable/enable work space
Description: This command allows you to temporarily prevent access to the work space apps on the device.
Activation types: Work and personal - full control; Work and personal - user privacy
Users with multiple devices


Users can activate multiple devices with the Universal Device Service. If a user activates multiple devices, you can view the
list of device models that are associated with the user account in the user list, beside the user account name. To see details
about each device, you can click on the user account name and select the tab for a specific device.

Jailbroken or rooted status


If a device is jailbroken or rooted, someone ran software or performed an action on the device that allows the user to have
root access to the operating system of the device.
The Universal Device Service is designed to detect if a device is jailbroken or rooted and displays an indicator beside the
name of the user account in the list of user accounts.
If you configure device compliance settings, users can be notified or required to remove jailbreaking software or rooting
software from their devices. Users cannot access the work space on their devices if the devices are jailbroken or rooted.
You might have to help a user remove the jailbreaking software or rooting software from the device or perform an action on
the device to restore the device to the default state.

Disable new device activations


You can prevent users from activating devices by disabling new device activations. Devices that are already activated are
not deactivated when you disable device activations.
1. Search for a user account.
2. In the search results, click the name of a user account.
3. Click the + icon.
4. On the Device Activation page, click the edit icon.
5. Clear the Enable new device activations check box.
6. Click Save.

Change the device ownership setting


You can change the ownership type for a user's device. The ownership type is displayed in the device information and in
the device report.
1. Search for a user account.
2. In the search results, click the name of a user account.
3. Select the device tab.
4. In the Activated device pane, click the edit icon.
5. In the Device ownership drop-down list, select the type of device ownership.
6. Click Save.

View and save a device report


You can view detailed information about each device that is associated with the Universal Device Service by generating a
device report.
1. Search for a user account.
2. In the search results, click the name of a user account.
3. In the Manage Device window, click the View device report icon.
4. Click File > Save As... to save the device report to a file on the computer, if required.

View device communication logs


You can view the device communication logs to find out the history of communication between a device and the Universal
Device Service. Each device has its own communication log. Entries older than 14 days are cleared from the logs.
1. Search for a user account.
2. In the search results, click the name of a user account.
3. In the Manage Device window, click the Communications Log icon.

Deactivating devices
When you or a user deactivates a device, the connection between the device and the user account in the Universal Device
Service is removed. You cannot manage the device, and the device is not displayed in the Administration Console. The user
cannot access work data on the device.
You can deactivate a device using the Delete only work data IT administration command. For more information, see Using
IT administration commands to manage devices.
A user can deactivate a device by selecting Deactivate My Device on the About screen in the BES12 Client.

Users cannot deactivate a device


Possible cause
You recently restored a backup of the Management Database and the user activated the device after you created the
backup version.

Possible solution
To deactivate the device, you or the user must delete the BES12 Client from the device.

The Work Apps icon remains on iOS device after the device is deactivated
Possible cause
If a user has an iOS device that is running iOS 5 or later, a blank Work Apps icon might remain on the device after the
device is deactivated.

Possible solution
The user can delete the blank Work Apps icon manually.

Maintaining and monitoring

Topics:

Check the status of the BlackBerry Secure Connect Service

Logging

Check the status of the BlackBerry Secure Connect Service
The BlackBerry Secure Connect Service is a web service that provides a single access port for activation and management
traffic for iOS devices and Android devices. If the BlackBerry Secure Connect Service is not running, or is experiencing
connectivity issues, users cannot activate devices or receive profile updates.
1. On the menu bar, click Settings.
2. In the left pane, click Secure Connect Service.
3. Confirm the status for the BlackBerry Secure Connect Service.

Logging
The Universal Device Service creates log files for each Universal Device Service component and audit logs that record
administrator requests, for example, to create, update, or delete user accounts or groups. Log files and audit logs can be
used to determine the cause of an issue.

Log files
The Universal Device Service creates log files for each Universal Device Service component and saves the log files on the
computer that hosts the Universal Device Service.
You can configure the location where the log files are stored when you install the Universal Device Service. By default, the
Universal Device Service saves log files in C:\Program Files (x86)\Research in Motion\BlackBerry Enterprise Service
10\Logs. Log files are organized in the following folders:

Audit

BWS

Comm

Core

EAS

Installer

RIM.UDS.GUI

Scheduler

The Installer log files are named Setup<yyyymmdd><log_number>.log.

All other log files are saved in sub-folders that are named by date (yyyymmdd). The log files are named
<server_name>_<component_identifier>_<instance>_<yyyymmdd>_<log_number>.csv, where the component identifier is
one of the following:

UCOM: Communication Module

UCOR: Core Module

USRV: Scheduler

BWS: BlackBerry Web Services

Audit: Audit log files

EAS: Microsoft ActiveSync gatekeeping

Audit logs
Audit logs record requests that you make to create, update, and delete user accounts or groups, send IT administration
commands to devices, add user accounts to groups or remove user accounts from groups, and create or assign profiles,
software configurations and IT policies to devices.
Audit logs are saved in the Audit folder and are named
<server_name>_<component_identifier>_Audit_<instance>_<yyyymmdd>_<log_number>.csv.
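
The naming schemes in this section are enough to inventory a Logs folder and to check which days of an investigation window have an audit log on disk. The following Python code is an added example, not part of the guide or of BlackBerry software; the server name UDS_LAB01, the instance value 1, the four-digit log numbers and the date sub-folders under Audit are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import date, datetime, timedelta
from pathlib import PureWindowsPath

# Component identifiers as listed in the guide.
COMPONENTS = {"UCOM", "UCOR", "USRV", "BWS", "Audit", "EAS"}
INSTALLER_RE = re.compile(r"^Setup(\d{8})(\d+)\.log$")


def _day(token):
    """Return a date for a yyyymmdd token, or None when it is not a real date."""
    if not re.fullmatch(r"\d{8}", token):
        return None
    try:
        return datetime.strptime(token, "%Y%m%d").date()
    except ValueError:
        return None


def parse_log_name(path):
    """Split a log file name into the documented fields; None if it does not fit."""
    p = PureWindowsPath(path)
    m = INSTALLER_RE.match(p.name)
    if m:
        day = _day(m.group(1))
        return {"kind": "installer", "date": day, "log_number": m.group(2)} if day else None
    if p.suffix.lower() != ".csv":
        return None
    parts = p.stem.split("_")
    if len(parts) < 5:
        return None
    # Read the fixed fields from the right; the server name keeps whatever is
    # left, so a server name that itself contains "_" still parses.
    *rest, instance, day_token, log_number = parts
    day = _day(day_token)
    if day is None or not log_number.isdigit():
        return None
    # Audit logs carry an extra "Audit" token after the component identifier.
    audit = len(rest) >= 3 and rest[-1] == "Audit" and rest[-2] in COMPONENTS
    if audit:
        rest = rest[:-1]
    component, server = rest[-1], "_".join(rest[:-1])
    if component not in COMPONENTS or not server:
        return None
    # Non-installer logs sit in sub-folders named yyyymmdd; record a disagreement
    # between the folder name and the date inside the file name.
    folder = p.parent.name
    return {
        "kind": "audit" if audit or component == "Audit" else "component",
        "server": server, "component": component, "instance": instance,
        "date": day, "log_number": log_number,
        "folder_mismatch": bool(re.fullmatch(r"\d{8}", folder)) and folder != day_token,
    }


def audit_coverage(paths, start, end):
    """Map every day from start to end (inclusive) to the audit logs found for it."""
    found = defaultdict(list)
    for path in paths:
        info = parse_log_name(path)
        if info and info["kind"] == "audit" and start <= info["date"] <= end:
            found[info["date"]].append(PureWindowsPath(path).name)
    days = (start + timedelta(days=n) for n in range((end - start).days + 1))
    return {d: sorted(found[d]) for d in days}


def days_without_audit_log(paths, start, end):
    """Days in the window with no audit log file: a lead to follow up, not a finding."""
    return [d for d, files in audit_coverage(paths, start, end).items() if not files]


# Default log location from the guide; every file name below is constructed.
LOGS = r"C:\Program Files (x86)\Research in Motion\BlackBerry Enterprise Service 10\Logs"
SAMPLE_PATHS = [
    LOGS + r"\Audit\20150220\UDS_LAB01_UCOR_Audit_1_20150220_0001.csv",
    LOGS + r"\Audit\20150220\UDS_LAB01_UCOR_Audit_1_20150220_0002.csv",
    LOGS + r"\Audit\20150222\UDS_LAB01_UCOR_Audit_1_20150222_0001.csv",
    LOGS + r"\Comm\20150221\UDS_LAB01_UCOM_1_20150221_0001.csv",
    LOGS + r"\Core\20150222\UDS_LAB01_UCOR_1_20150221_0001.csv",  # folder and name disagree
    LOGS + r"\Installer\Setup201502190001.log",
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(PureWindowsPath(path).name, parse_log_name(path))
    print("No audit log for:", days_without_audit_log(
        SAMPLE_PATHS, date(2015, 2, 20), date(2015, 2, 22)))
```

A day with no audit file can mean that no administrator requests were made that day or that a file is missing, so compare the result with the administrators' known activity before drawing a conclusion.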

IT policy rules

Topics:

Descriptions of IT policy rules

Descriptions of work space IT policy rules

Descriptions of IT policy rules


The mobile operating system defines the rules that the device supports. For more information on the device settings, visit
the Apple Configurator Help for iOS devices and the Android Developers website for Android devices.
There are minimum OS requirements for each IT policy rule; however, BlackBerry Enterprise Service 10 might not support
all versions of iOS or Android OS. For more information about supported versions, visit docs.blackberry.com/BES10 to read
the BlackBerry Enterprise Service 10 Compatibility Matrix.
Related information
Create an IT policy

Browser policy group


The rules in this policy group specify restrictions for the default browser on the device. The rules apply only to iOS devices.

Hide the default web browser rule


Description

Selecting this rule disables the Safari browser and removes its icon from the Home
screen. This rule also prevents users from opening web clips on the device.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Disable autofill in the default browser rule


Description

Selecting this rule prevents the Safari browser from saving user entries in web forms
for later use.

Related rules

This rule is not valid if the Hide the default web browser rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Disable JavaScript in the default browser rule


Description

Selecting this rule disables JavaScript in the Safari browser. The browser ignores all
JavaScript on websites.

Related rules

This rule is not valid if the Hide the default browser rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Disable popups in the default browser rule


Description

Selecting this rule blocks pop-up windows in the Safari web browser.

Related rules

This rule is not valid if the Hide the default web browser rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Enable cookies rule


Description

This rule specifies how the Safari web browser handles cookies. If you select Always,
cookies are always accepted. If you select From visited websites, cookies are only
accepted from websites that the user visits directly in the browser. If you select Never,
cookies are never accepted.

Related rules

This rule is not valid if the Hide the default web browser rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Possible values

Never

From visited websites

Always

Default value

From visited websites

Minimum OS requirements

iOS 5.0

Force fraud warnings rule


Description

Selecting this rule turns on fraud warnings in the Safari web browser. The browser
attempts to prevent the user from visiting websites identified as being fraudulent or
compromised.

Related rules

This rule is not valid if the Hide the default web browser rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Camera and video policy group


The rules in this policy group specify restrictions for cameras and device screen capture. All rules apply to iOS devices. One
rule applies to Android devices.

Disable output rule


Description

Selecting this rule prevents the device from streaming videos or sending the device
display to another device, such as a projector or television screen. Selecting this rule
also prevents users from taking screen captures of the device display.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Disable screen capture rule


Description

Selecting this rule prevents users from taking a screen capture of the device display.

Related rules

Selecting the Disable output rule also prevents users from taking screen captures.
Users cannot take screen captures if either rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Hide the default camera application rule


Description

Selecting this rule disables the device cameras. Users cannot take photographs or
videos.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Android OS 4.0

Hide the default video-conferencing application rule


Description

Selecting this rule removes the FaceTime app icon from the Home screen. Users
cannot make video calls.

Related rules

Selecting the Hide the default camera application rule also hides the FaceTime app
icon. Users cannot use FaceTime if either rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Certificates policy group


The rules in this policy group specify settings for using certificates on the device. The rules apply only to iOS devices.

Disable untrusted certificates rule


Description

Selecting this rule prevents users from trusting certificates that cannot be verified.

Related rules

Also selecting the Disable untrusted certificates after prompt rule displays a message
to the user when the device disables an untrusted certificate.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Disable untrusted certificates after prompt rule


Description

Selecting this rule displays a message to the user when the device disables a
certificate that cannot be trusted.

Related rules

This rule is only valid if the Disable untrusted certificates rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Disable wireless certificate updates rule


Description

Selecting this rule disables certificate updates over a wireless connection.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 7.0

Cloud service policy group


The rules in this policy group specify restrictions for using cloud services on the device. The rules apply only to iOS devices.

Disable cloud services rule


Description

Selecting this rule prevents the use of all iCloud services, including backup,
document, and picture services.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Disable cloud backup service rule


Description

Selecting this rule prevents users from backing up their device data to iCloud.

Related rules

Selecting the Disable cloud services rule disables all iCloud services, including the
iCloud backup service.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Disable cloud document services rule


Description

Selecting this rule prevents users from storing documents in iCloud.

Related rules

Selecting the Disable cloud services rule disables all iCloud services, including iCloud
document services.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Disable cloud picture services rule


Description

Selecting this rule prevents users from using Photo Stream. Sending this rule to a
device deletes Photo Stream photos from the device and prevents photos from the
camera roll from being sent to Photo Stream.

Related rules

Selecting the Disable cloud services rule disables all iCloud services, including Photo
Stream.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Disable cloud picture sharing services rule


Description

Selecting this rule prevents users from using Shared Photo Streams.
This rule requires Universal Device Service 6.1 MR2 or later.

Related rules

Selecting the Disable cloud picture services rule prevents users from using Photo
Stream.
Selecting the Disable cloud services rule disables all iCloud services, including Photo
Stream.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 6.0

Disable managed apps to use cloud sync rule


Description

Selecting this rule prevents managed apps from using cloud sync.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 8.0

Connectivity policy group


The rules in this policy group specify restrictions for network connectivity. The rules apply only to iOS devices.

Disable AirDrop rule


Description

Selecting this rule prevents users from using AirDrop to share data with other devices.
This rule applies only to devices that are supervised using Apple Configurator.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 7.0

Disable host pairing rule


Description

Selecting this rule prevents the device from pairing with any computer other than the
Apple Configurator host. This rule applies only to devices that are supervised using
Apple Configurator.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 7.0

Disable network connectivity rule


Description

Selecting this rule prevents users from connecting the device to a Wi-Fi or wireless
network.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Disable changes to wireless data usage for apps rule


Description

Selecting this rule prevents users from changing the wireless data usage for apps. This
rule applies only to devices that are supervised using Apple Configurator.

Related rules

This rule is not valid if the Disable network connectivity rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 7.0

Disable wireless connectivity rule


Description

Selecting this rule prevents users from connecting the device to a wireless network.

Related rules

Selecting the Disable network connectivity rule also prevents users from connecting
the device to a wireless network. Users cannot connect the device to a wireless
network if either rule is selected.
This rule is not valid if the Disable network connectivity rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Disable roaming rule


Description

Selecting this rule prevents users from connecting the device to a wireless network
when the device is roaming.

Related rules

This rule is not valid if the Disable network connectivity or Disable wireless
connectivity rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Disable data service when roaming rule


Description

Selecting this rule prevents the device from using the data connection when the
device is roaming. For iOS 4.x devices, selecting this rule disables background data
service when the device is roaming.

Related rules

This rule is not valid if the Disable network connectivity, Disable wireless connectivity,
or Disable roaming rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Disable background data service when roaming rule


Description

Selecting this rule prevents devices from automatically synchronizing message and
organizer data when roaming. Devices that are roaming will sync only when the user
requests it.

Related rules

This rule is not valid if the Disable network connectivity, Disable wireless connectivity,
Disable roaming, or Disable data service when roaming rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Disable voice service when roaming rule


Description

Selecting this rule prevents users from making voice calls over the wireless network
when the device is roaming.

Related rules

This rule is not valid if the Disable network connectivity, Disable wireless connectivity,
or Disable roaming rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Require passcode on first AirPlay pairing rule


Description

Selecting this rule specifies whether a password is required on the first AirPlay pairing.
If this rule is selected, all devices that receive AirPlay requests from another device
must use a pairing password.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 7.1

Content policy group


The rules in this policy group specify restrictions for downloading content. This includes hiding explicit content and setting
the maximum allowed rating for apps, movies, and TV shows. The rules apply only to iOS devices.

Disable content rule


Description

Selecting this rule sets the maximum allowed rating for movies, TV shows, and apps to
0. Movies and TV shows downloaded from the iTunes Store are hidden and users
cannot preview or download movies or TV shows. The icons for work and personal
apps are removed from the Home screen and users cannot install or update apps. On
iOS devices with Secure Work Space, the BES12 Client and work space apps,
including default work space apps, are also removed from the Home screen.
This rule applies only to movies and TV shows that users can download from the
iTunes Store and apps that users can download from the App Store. This rule does not
apply to built-in iOS apps.

Related rules

The Hide the default music store rule removes the iTunes Store from the Home
screen.
The Hide the default application store rule removes the App Store from the Home
screen.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Hide explicit content rule


Description

Selecting this rule hides any explicit content downloaded from the iTunes Store and
the App Store.

Related rules

This rule is not valid if the Disable content rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Maximum allowed rating for applications rule


Description

This rule sets the maximum allowed content rating for apps that users can download
to the device from the App Store.
Specify a number between 0 and 100 to define the maximum allowed content rating
for apps. The number corresponds to ratings such as E, T, and M, or 9+, 12+, and
17+, which vary by country. The lower the number the greater the content restriction.
For instance, 0 allows no apps and 100 allows all apps.

Related rules

This rule is not valid if the Disable content rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Possible values

A number from 0 to 100.

Default value

100

Minimum OS requirements

iOS 5.0

Maximum allowed rating for movies rule


Description

This rule sets the maximum allowed content rating for movies that users can download
to the device from the iTunes Store.
Specify a number between 0 and 100 to define the maximum allowed content rating
for movies. The number corresponds to ratings such as G, PG, and R, and age-based
ratings, which vary by country. The lower the number the greater the content
restriction. For instance, 0 allows no movies and 100 allows all movies.

Related rules

This rule is not valid if the Disable content rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Possible values

A number from 0 to 100.

Default value

100

Minimum OS requirements

iOS 5.0

Maximum allowed rating for TV shows rule


Description

This rule sets the maximum allowed content rating for television shows that users can
download to the device from the iTunes Store.
Specify a number between 0 and 100 to define the maximum allowed content rating
for TV shows. The number corresponds to ratings such as G, PG, and R, and age-based ratings, which vary by country. The lower the number the greater the content
restriction. For instance, 0 allows no TV shows and 100 allows all TV shows.

Related rules

This rule is not valid if the Disable content rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Possible values

A number from 0 to 100.

Default value

100

Minimum OS requirements

iOS 5.0

Region that defines the rating restrictions rule


Description

This rule sets the country or region whose ratings are used for the content. This setting
is not required.

Related rules

This rule is not valid if the Disable content rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Possible values

A two-letter code indicating the country that the content ratings system applies to.

Default value

None

Minimum OS requirements

iOS 5.0

Diagnostics and usage policy group


The rule in this policy group specifies restrictions for sending device diagnostic information to the device manufacturer.
The rule applies only to iOS devices.

Disable submission of device diagnostic logs to device vendor rule


Description

Selecting this rule prevents devices from sending diagnostic information to Apple.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Encryption policy group


The rules in this policy group specify encryption requirements for device storage space. The rules only apply to Android
devices.

Apply encryption rules rule


Description

Selecting this rule encrypts portions of the device internal memory.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

Android OS 3.0

Encrypt internal device storage rule


Description

Selecting this rule encrypts the device data storage.

Related rules

This rule is only valid if the Apply encryption rules rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

Android OS 3.0

Lock screen policy group


The rules in this policy group specify restrictions for the lock screen on the device. The rules apply only to iOS devices.

Disable Passbook notifications when device is locked rule


Description

Selecting this rule prevents the device from displaying notifications from the Passbook
app when the device is locked.

This rule requires Universal Device Service 6.1 MR2 or later.


IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 6.0

Hide Control Center in lock screen rule


Description

Selecting this rule prevents users from swiping up to view the Control Center while the
screen is locked.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 7.0

Hide Notification Center in lock screen rule


Description

Selecting this rule prevents users from accessing the Notifications view in the
Notification Center when the screen is locked. New mail notifications still appear.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 7.0

Hide Today view in lock screen rule


Description

Selecting this rule prevents users from swiping down to see the Notification Center
using the Today view while the screen is locked.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 7.0

Messaging policy group


The rule in this policy group specifies restrictions for messaging apps. The rule applies only to iOS devices.

Hide the default messaging application rule


Description

Selecting this rule prevents users from using the iMessage software feature.
This rule requires Universal Device Service 6.1 MR2 or later. This rule only applies to
devices that are supervised using the Apple Configurator.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 6.0

Online store policy group


The rules in this policy group specify restrictions for online stores available on devices. The rules apply only to iOS devices.

Disable online stores rule


Description

Selecting this rule prevents users from using all online content stores. Users cannot
make in-app purchases or use the App Store and iTunes Store on the device.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Disable purchases in applications rule


Description

Selecting this rule prevents users from making in-app purchases.

Related rules

Selecting the Disable online stores rule also prevents users from making purchases
within apps. Users cannot make purchases within apps if either rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Disable storage of online store password rule


Description

Selecting this rule prevents the online store from saving the user's password. Users
must enter their password for all content purchases. This rule is selected by default.

Related rules

This rule is not valid if the Disable online stores rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Hide the default application store rule


Description

Selecting this rule disables the App Store on the device and removes its icon from the
Home screen.

Related rules

Selecting the Disable online stores rule also disables the App Store and removes its
icon from the Home screen.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Hide the default book store rule


Description

Selecting this rule disables the iBooks Store on the device and removes its icon from
the Home screen.
This rule requires Universal Device Service 6.1 MR2 or later. This rule only applies to
devices that are supervised using Apple Configurator.

Related rules

Selecting the Disable online stores rule also disables the iBooks Store and removes its
icon from the Home screen.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 6.0

Disable erotica purchases from the default book store rule


Description

Selecting this rule prevents users from downloading media that has been tagged as
erotica from the iBooks Store.
This rule requires Universal Device Service 6.1 MR2 or later. This rule only applies to
devices that are supervised using Apple Configurator.

Related rules

Selecting the Hide the default book store rule disables the iBooks Store and removes
its icon from the Home screen.
Selecting the Disable online stores rule disables the iBooks Store and removes its icon
from the Home screen.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 6.0

Hide the default music store rule


Description

Selecting this rule disables the iTunes Store on the device and removes its icon from
the Home screen.

Related rules

Selecting the Disable online stores rule also disables the iTunes Store and removes its
icon from the Home screen.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Password policy group


The rules in this policy group specify password requirements and rules for creating passwords. Most of the rules apply to
both iOS devices and Android devices.
Note: For some Android device models, if a user did not previously have a password set for a device and an IT policy is
pushed to the device that requires the user to set a password, the user cannot set a password. For more information,
please see the support information for the device.

Define password properties rule


Description

Selecting this rule allows you to set parameters that users must follow when setting
the device password.

Related rules

The Avoid repetition and simple patterns rule, Require alphanumeric value rule,
Require letters rule, Require lowercase letters rule, Require numbers rule, Require
special characters rule, and Require uppercase letters rule set the parameters for
user password requirements.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Android OS 2.3

Avoid repetition and simple patterns rule


Description

Selecting this rule prevents users from using sequential or repeated characters in the
device password.

Related rules

This rule is only valid if the Define password properties rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Require alphanumeric value rule


Description

Selecting this rule requires users to create a device password that contains at least
one letter and one number.

Related rules

This rule is only valid if the Define password properties rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Require letters rule


Description

Selecting this rule requires users to create a device password that contains letters. For
Android OS 3.0 and later, you can also specify the minimum number of letters
required.
If you select this rule and then specify the minimum number of letters, a user must
create a password that includes at least the number of letters that you specify.

Related rules

This rule is only valid if the Define password properties rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Possible values

A number greater than 0.

Default value

Minimum OS requirements

Android OS 2.3

Require lowercase letters rule


Description

This rule specifies the minimum number of lowercase letters required in the device
password.
If you select this rule and then specify the minimum number of lowercase letters, a
user must create a password that includes at least the number of lowercase letters
that you specify.

Related rules

This rule is only valid if the Define password properties rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Possible values

A number greater than 0.

Default value

Minimum OS requirements

Android OS 3.0

Require numbers rule


Description

Selecting this rule requires users to create a device password that contains numerals.
For Android OS 3.0 and later, you can also specify the minimum number of numerals
required.
If you select this rule and then specify the minimum number of numerals, a user must
create a password that includes at least the number of numerals that you specify.

Related rules

This rule is only valid if the Define password properties rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Possible values

A number greater than 0.

Default value

Minimum OS requirements

Android OS 2.3

Require special characters rule


Description

This rule specifies the minimum number of special characters required in the device
password.
If you select this rule and then specify the minimum number of special characters, a
user must create a password that includes at least the number of special characters
that you specify.

Related rules

This rule is only valid if the Define password properties rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Possible values

A number greater than 0.

Default value

Minimum OS requirements

iOS 5.0

Android OS 3.0

Require uppercase letters rule


Description

This rule specifies the minimum number of uppercase letters required in the device
password.
If you select this rule and then specify the minimum number of uppercase letters, a
user must create a password that includes at least the number of uppercase letters
that you specify.

Related rules

This rule is only valid if the Define password properties rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Possible values

A number greater than 0.

Default value

Minimum OS requirements

Android OS 3.0

Delete data and applications from the device after incorrect password attempts rule


Description

Selecting this rule specifies the number of times that a user can try an incorrect
password before the device deletes all user information and application data.
For Android devices, the device does not recognize an entry of less than four
characters as a password. If the user enters an incorrect password of less than four
characters, it will not be counted as an attempt.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Possible values

For iOS devices, a number between 4 and 10. If you set a value less than 4, a value
of 4 will be used. If you set a number greater than 10, a value of 10 will be used.

For Android devices, a number greater than 0.

Default value

Minimum OS requirements

iOS 5.0

Android OS 2.3

Device password rule


Description

Selecting this rule requires users to enter the device password after a period of
inactivity.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Android OS 2.3

Enable auto-lock rule


Description

This rule specifies the maximum period of inactivity that can elapse before a device
locks. The value specified in this rule is the maximum value that a user can set on the
device.

Related rules

This rule is only valid if the Device password rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Possible values

A number greater than 0 and a period of days, hours, minutes, or seconds.

Default value

15 minutes

Minimum OS requirements

iOS 5.0

Android OS 2.3

Time after a device locks that it can be unlocked without a password rule


Description

This rule specifies the maximum period of time that can elapse before a password is
required to unlock a device. The grace period begins after the device locks. The value
specified in this rule is the maximum value that a user can set on the device.

Related rules

This rule is only valid if the Device password rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Possible values

A number greater than 0 and a period of days, hours, minutes, or seconds.

Default value

1 minute

Minimum OS requirements

iOS 5.0

Limit password age rule


Description

Selecting this rule allows you to specify the period of time after a password is set until
the device password expires and the user must set a new password. You can specify
any number of days, hours, minutes, or seconds.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Possible values

A number greater than 0 and a time period of days, hours, minutes, or seconds.

Default value

90 days

Minimum OS requirements

iOS 5.0

Android OS 3.0

Limit password history rule


Description

Selecting this rule allows you to specify the number of previous passwords that the
device checks to prevent a user from reusing passwords.

Possible values

A number greater than 0.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Default value

Minimum OS requirements

iOS 5.0

Android OS 3.0

Restrict password length rule


Description

Selecting this rule restricts the length of the device password.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Android OS 2.3

Minimum length for the device password that is allowed rule


Description

Selecting this rule allows you to specify the minimum number of characters required in
the device password.

Related rules

This rule is only valid if the Restrict password length rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Possible values

A number equal to or greater than 4.

Default value

Minimum OS requirements

iOS 5.0

Android OS 2.3
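
The prerequisites and value ranges of the Password policy group above, checked in code before a policy is assigned. This is an added example, not BlackBerry's code: the dictionary layout and function names are hypothetical, and only the rule names and limits come from this guide.

```python
"""Lint the Password policy group of a device IT policy before assigning it.

Added example: the dict layout and function names are hypothetical; the rule
names, prerequisites and value ranges are the ones documented above.
"""

DEFINE = "Define password properties"
DEVICE_PW = "Device password"
RESTRICT_LEN = "Restrict password length"
MIN_LEN = "Minimum length for the device password that is allowed"
WIPE = ("Delete data and applications from the device "
        "after incorrect password attempts")

# Child rule -> rule that must also be selected ("only valid if ... is selected").
PREREQUISITE = {
    "Avoid repetition and simple patterns": DEFINE,
    "Require alphanumeric value": DEFINE,
    "Require letters": DEFINE,
    "Require lowercase letters": DEFINE,
    "Require numbers": DEFINE,
    "Require special characters": DEFINE,
    "Require uppercase letters": DEFINE,
    "Enable auto-lock": DEVICE_PW,
    "Time after a device locks that it can be unlocked without a password": DEVICE_PW,
    MIN_LEN: RESTRICT_LEN,
}

# Rules whose numeric value is documented as "a number greater than 0".
COUNT_RULES = (
    "Require letters", "Require lowercase letters", "Require numbers",
    "Require special characters", "Require uppercase letters",
    "Limit password history",
)


def is_selected(policy, rule):
    """A rule is selected when present with True or a value (0 still counts)."""
    value = policy.get(rule)
    return value is not None and value is not False


def numeric(policy, rule):
    """Return the rule's integer value, or None when it is only a checkbox."""
    value = policy.get(rule)
    return value if isinstance(value, int) and not isinstance(value, bool) else None


def effective_wipe_attempts(value, platform):
    """Value the device enforces: iOS clamps to 4..10, Android needs > 0."""
    if platform == "ios":
        return max(4, min(10, value))
    if value <= 0:
        raise ValueError("Android requires a number greater than 0")
    return value


def lint_password_policy(policy, platform):
    """Return human-readable findings for one platform ('ios' or 'android')."""
    findings = []
    for child, parent in PREREQUISITE.items():
        if is_selected(policy, child) and not is_selected(policy, parent):
            findings.append(f"'{child}' is not valid: '{parent}' is not selected")
    for rule in COUNT_RULES:
        value = numeric(policy, rule)
        if value is not None and value <= 0:
            findings.append(f"'{rule}' must be a number greater than 0, got {value}")
    min_len = numeric(policy, MIN_LEN)
    if min_len is not None and min_len < 4:
        findings.append(f"'{MIN_LEN}' must be 4 or greater, got {min_len}")
    wipe = numeric(policy, WIPE)
    if wipe is not None:
        if platform == "ios":
            enforced = effective_wipe_attempts(wipe, platform)
            if enforced != wipe:
                findings.append(f"'{WIPE}': iOS uses {enforced}, not {wipe}")
        elif wipe <= 0:
            findings.append(f"'{WIPE}' must be greater than 0 on Android")
    return findings


# Constructed sample policy (not from a real deployment).
SAMPLE_POLICY = {
    "Require numbers": 2,             # parent rule missing
    "Require special characters": 0,  # parent missing and value out of range
    RESTRICT_LEN: True,
    MIN_LEN: 3,                       # below the documented minimum of 4
    WIPE: 25,                         # iOS will use 10
}

if __name__ == "__main__":
    for platform in ("ios", "android"):
        print(platform)
        for finding in lint_password_policy(SAMPLE_POLICY, platform):
            print("  -", finding)
```

The same policy produces one finding fewer for Android, because the clamp to a value between 4 and 10 applies only to iOS devices.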

Phone and messaging policy group


The rule in this policy group specifies restrictions for the default phone app. The rule applies only to iOS devices.

Disable voice dialing rule


Description

Selecting this rule prevents users from making telephone calls on the device using Siri.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Profiles and certificates policy group


The rule in this policy group specifies restrictions for installing profiles and certificates on devices. The rule applies only to
iOS devices.

Disable interactive installation of profiles and certificates rule


Description

Selecting this rule prevents users from installing configuration profiles and
certificates.
This rule requires Universal Device Service 6.1 MR2 or later. This rule only applies to
devices that are supervised using Apple Configurator.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 6.0

Security policy group


The rules in this policy group specify restrictions for security on the device. The rules apply only to iOS devices.

Disable activity continuation rule


Description

Selecting this rule prevents users from using the activity continuation feature to
transfer user activities among multiple devices associated with the user.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 8.0

Disable changes to accounts on the device rule


Description

Selecting this rule prevents users from adding, deleting, or changing accounts on the
device. This rule applies only to devices that are supervised using Apple Configurator.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 7.0

Disable erase content and settings rule


Description

Selecting this rule prevents users from using the Erase All Content And Settings
option on a device to wipe it.
This rule applies only to devices that are supervised using Apple Configurator.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 8.0

Disable enabling restrictions rule


Description

Selecting this rule prevents users from using the Enable Restrictions option to
prevent access to apps or features on a device.
This rule applies only to devices that are supervised using Apple Configurator.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 8.0

Disable spotlight internet results rule


Description

Selecting this rule prevents a Spotlight search from returning Internet search results
when searching for content on a device.
This rule applies only to devices that are supervised using Apple Configurator.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 8.0

Disable Touch ID to unlock device rule


Description

Selecting this rule prevents users from using Touch ID to unlock the device. When this
option is selected, users must use a password to unlock the device.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 7.0

Limit ad tracking rule


Description

Selecting this rule limits ad tracking in apps on the device.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 7.0

Limit personal data to personal apps and accounts rule


Description

Selecting this rule displays only personal apps and accounts as possible destinations
when users attempt to open data such as attachments from a personal app or account
on the device. Safari and AirDrop will continue to display all apps and accounts as
possible destinations.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 7.0

Limit work data to work apps and accounts rule


Description

Selecting this rule displays only work apps and accounts as possible destinations
when users attempt to open data such as attachments from a work app or account on
the device.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 7.0

Social policy group


The rules in this policy group specify restrictions for social apps. The rules apply only to iOS devices.

Disable changes to Find My Friends settings rule


Description

Selecting this rule prevents users from changing the settings for the Find My Friends
app. This rule applies only to devices that are supervised using Apple Configurator.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 7.0

Hide the Game Center and YouTube apps rule


Description

Selecting this rule prevents the use of the Game Center app and the YouTube app.
The apps are disabled and the YouTube app is removed from the Home screen. On
supervised devices, the Game Center app is removed from the Home screen.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Hide the Game Center app and disable game functionality rule


Description

Selecting this rule prevents the use of the Game Center app. On devices that are
supervised using Apple Configurator, the icon is removed from the Home screen.

Related rules

Selecting the Hide the Game Center and YouTube apps rule also disables the Game
Center app.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Disable adding Game Center friends rule


Description

Selecting this rule prevents users from adding friends in the Game Center app.

Related rules

This rule is not valid if the Hide the Game Center app and disable game functionality
rule or Hide the Game Center and YouTube apps rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Disable multiplayer gaming rule


Description

Selecting this rule prevents users from playing multiplayer games in the Game Center
app.

Related rules

This rule is not valid if the Hide the Game Center app and disable game functionality
rule or Hide the Game Center and YouTube apps rule is selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Hide the Game Center app rule


Description

Selecting this rule prevents the use of the Game Center app on supervised iOS
devices. The Game Center app is disabled and its icon is removed from the Home
screen.
This rule requires Universal Device Service 6.1 MR2 or later. This rule only applies to
devices that are supervised using Apple Configurator.

Related rules

Selecting the Hide the Game Center app and disable game functionality rule also
disables the Game Center app.
Selecting the Hide the Game Center and YouTube apps rule also disables the Game
Center app.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 6.0

Hide the YouTube app rule


Description

Selecting this rule prevents the use of the YouTube app. The app is disabled and the
icon is removed from the Home screen.
This rule is obsolete in iOS 6.0 and later.

Related rules

Selecting the Hide the Game Center and YouTube apps rule also disables the
YouTube app.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Storage and backup policy group


The rules in this policy group specify restrictions for backing up device data. The rules apply only to iOS devices.

Require that the device backup data is encrypted rule


Description

Selecting this rule stores all backup data in an encrypted format on the user's
computer.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Disable enterprise book backup rule


Description

Selecting this rule prevents users from backing up enterprise books.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 8.0

Disable enterprise book metadata sync rule


Description

Selecting this rule forces devices to synchronize enterprise book metadata, such as
notes and highlights.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 8.0

Voice assistant policy group


The rules in this policy group specify restrictions for using voice commands with the device. The rules apply only to iOS
devices.

Disable the default voice assistant application rule


Description

Selecting this rule prevents users from using Siri, voice commands, and dictation.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Disable voice assistant application when device is locked rule


Description

Selecting this rule prevents users from using Siri voice commands when the device is
locked and prevents users from unlocking the device using Siri voice commands. This
rule applies only if the user has set a password for the device.

Related rules

If you select this rule, you should also select the Device password rule to require that
the user sets a password.
This rule is not valid if the Disable the default voice assistant application rule is
selected.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 5.0

Hide user-generated content in voice assistant apps rule


Description

Selecting this rule prevents users from adding their own content to Siri. This rule
applies only to devices that are supervised using Apple Configurator.

IT policy type

Device

Applicable activation types

MDM controls

Work and personal - full control

Minimum OS requirements

iOS 7.0

Descriptions of work space IT policy rules


The work space IT policy rules apply only to the work space on the device.
There are minimum OS requirements for each work space IT policy rule; however, BlackBerry Enterprise Service 10 might
not support all versions of iOS or Android OS. For more information about supported versions, visit
docs.blackberry.com/BES10 to read the BlackBerry Enterprise Service 10 Compatibility Matrix.

Related information
Create a work space IT policy

Allow sequential and repeated character passwords rule


Description

Selecting this rule allows a user to set a work space password that uses sequential
characters, such as abcd, or repeated characters, such as 1111.

IT policy type

Work space

Applicable activation types

Work and personal - full control

Work and personal - user privacy

Minimum OS requirements

iOS 5.0

Android OS 2.3

Require letters rule


Description

This rule specifies the minimum number of letters required in the work space
password.
If you select this rule and then specify the minimum number of letters, a user must
create a password that includes at least the number of letters that you specify.

IT policy type

Work space

Applicable activation types

Work and personal - full control

Work and personal - user privacy

Possible values

A number greater than 0.

Default value

Minimum OS requirements

iOS 5.0

Android OS 2.3

Require lowercase letters rule


Description

This rule specifies the minimum number of lowercase letters required in the work
space password.
If you select this rule and then specify the minimum number of lowercase letters, a
user must create a password that includes at least the number of lowercase letters
that you specify.

IT policy type

Work space

Applicable activation types

Work and personal - full control

Work and personal - user privacy

Possible values

A number greater than 0.

Default value

Minimum OS requirements

iOS 5.0

Android OS 2.3

Require numbers rule


Description

This rule specifies the minimum number of numerals required in the work space
password.
If you select this rule and then specify the minimum number of numerals, a user must
create a password that includes at least the number of numerals that you specify.

IT policy type

Work space

Applicable activation types

Work and personal - full control

Work and personal - user privacy

Possible values

A number greater than 0.

Default value

Minimum OS requirements

iOS 5.0

Android OS 2.3

Require special characters rule


Description

This rule specifies the minimum number of special characters required in the work
space password.
If you select this rule and then specify the minimum number of special characters, a
user must create a password that includes at least the number of special characters
that you specify.

IT policy type

Work space

Applicable activation types

Work and personal - full control

Work and personal - user privacy

Possible values

A number greater than 0.

Default value

Minimum OS requirements

iOS 5.0

Android OS 2.3

Require uppercase letters rule


Description

This rule specifies the minimum number of uppercase letters required in the work
space password.
If you select this rule and then specify the minimum number of uppercase letters, a
user must create a password that includes at least the number of uppercase letters
that you specify.

IT policy type

Work space

Applicable activation types

Work and personal - full control

Work and personal - user privacy

Possible values

A number greater than 0.

Default value

Minimum OS requirements

iOS 5.0

Android OS 2.3

Restrict password length rule


Description

Selecting this rule restricts the length of the work space password.

IT policy type

Work space

Applicable activation types

Work and personal - full control

Work and personal - user privacy

Minimum OS requirements

iOS 5.0

Android OS 2.3

Minimum length for the work space password rule


Description

This rule allows you to specify the minimum number of characters required in the work
space password.

Related rules

This rule is only valid if the Restrict password length rule is selected.

IT policy type

Work space

Applicable activation types

Work and personal - full control

Work and personal - user privacy

Possible values

A number equal to or greater than 1.

Default value

Minimum OS requirements

iOS 5.0

Android OS 2.3

Maximum length for the work space password rule


Description

This rule allows you to specify the maximum number of characters required in the
work space password.

Related rules

This rule is only valid if the Restrict password length rule is selected.

IT policy type

Work space

Applicable activation types

Work and personal - full control

Work and personal - user privacy

Possible values

A number equal to or greater than 1.

Default value

32

Minimum OS requirements

iOS 5.0

Android OS 2.3

Maximum password history rule


Description

This rule specifies the number of previous work space passwords that the device
checks to prevent a user from reusing work space passwords.

IT policy type

Work space

Applicable activation types

Work and personal - full control

Work and personal - user privacy

Possible values

A number greater than 0.

Default value

Minimum OS requirements

iOS 5.0

Android OS 2.3

Lock work space when device locks rule


Description

This rule specifies whether the work space locks when a device locks after a period of
inactivity.
If this rule is selected, when a user is in the work space, the work space locks after the
period of inactivity specified in the Lock device after inactivity in work space rule.
When the user is in the personal space, or if the Lock device after inactivity in work
space rule is not selected, the work space locks after the period of inactivity specified
in the auto-lock setting on the device.

IT policy type

Work space

Applicable activation types

Work and personal - full control

Work and personal - user privacy

Minimum OS requirements

iOS 5.0

Android OS 2.3

Lock device after inactivity in work space rule


Description

This rule specifies the period of inactivity in the work space that can elapse before a
device locks.
If you configure this rule, the following behavior occurs after the specified inactivity
period:

On iOS devices, the work space locks when a work space app is open. The device
doesn't lock and the screen doesn't turn off.

On Android devices with a password, the device locks when a work space app is
open. The work space isn't locked.

On Android devices without a password, the device turns off the screen when a
work space app is open. The work space isn't locked.

On Android devices, the inactivity period that you specify is the maximum time for
inactivity. A user can set a shorter inactivity period on the device. If the user sets a
shorter inactivity period, the screen locks when that inactivity period is met.

IT policy type

Work space

Applicable activation types

Work and personal - full control

Work and personal - user privacy

Possible values

A number greater than 0 and a period of days, hours, minutes, or seconds.

Default value

15 minutes

Minimum OS requirements

iOS 5.0

Android OS 2.3

Lock work space after inactivity rule


Description

This rule specifies the period of inactivity in the personal space that can elapse before
the work space locks.

IT policy type

Work space

Applicable activation types

Work and personal - full control

Work and personal - user privacy

Possible values

A number greater than 0 and a period of days, hours, minutes, or seconds.

Default value

30 minutes

Minimum OS requirements

iOS 5.0

Android OS 2.3

Track incorrect password attempts rule


Description

Selecting this rule specifies the number of times that a user can try an incorrect
password before the action specified in the Action after maximum incorrect password
attempts rule occurs.

IT policy type

Work space

Applicable activation types

Work and personal - full control

Work and personal - user privacy

Possible values

A number equal to or greater than 1.

Default value

Minimum OS requirements

iOS 5.0

Android OS 2.3

Action after maximum incorrect password attempts rule


Description

This rule specifies the action that occurs after the maximum number of incorrect
password attempts has been reached.
If you select Disable work space, the work space is disabled and can only be restored
by an administrator.
If you select Deactivate device, the work space is disabled and all data in the work
space is deleted immediately. iOS devices are deactivated.
If you select Disable work space and after N days, deactivate device, you must also
specify a number of days. The work space is disabled immediately and can only be
restored by an administrator. If the work space is not restored before the specified
number of days elapse, all data in the work space is deleted. iOS devices are
deactivated.

Related rules

This rule is only valid if the Track incorrect password attempts rule is selected.

IT policy type

Work space

Applicable activation types

Work and personal - full control

Work and personal - user privacy

Possible values

Disable work space

Deactivate device

Disable work space and after N days, deactivate device

Default value

Disable work space

Minimum OS requirements

iOS 5.0

Android OS 2.3

Enable plugins in secure browser rule


Description

This rule specifies how the browser app in the work space handles plug-ins.
If you select On, the browser allows all plug-ins to run.
If you select Off, the browser does not allow plug-ins to run.
If you select On Demand, the device prompts the user when the browser tries to run a
plug-in.

IT policy type

Work space

Applicable activation types

Work and personal - full control

Work and personal - user privacy

Possible values

On

Off

On Demand

Default value

On

Minimum OS requirements

Android OS 2.3

Deactivate device after period of inactivity rule


Description

This rule specifies the number of days of inactivity in the work space that can elapse
before all data in the work space is deleted, including work email messages, contacts,
and files. iOS devices are deactivated.

IT policy type

Work space

Applicable activation types

Work and personal - full control

Work and personal - user privacy

Possible values

A number greater than 0.

Default value

60 days

Minimum OS requirements

iOS 5.0

Android OS 2.3

Work Connect contacts rule


Description

This rule specifies whether work contacts are exported from the Work Connect app in
the work space to the personal address book on the device. The Contacts app is the
personal address book on an iOS device.
If you select Export to personal address book, only work contacts with phone numbers
are exported. When you deactivate the device, work contacts are removed from the
personal address book.
If you select Do not export to personal address book, work contacts are not exported
and calls and SMS text messages from work contacts do not display the contact name.
If you select Allow user to configure, the user can choose to export work contacts from
the Work Connect app to the personal address book.

IT policy type

Work space

Applicable activation types

Work and personal - full control

Work and personal - user privacy

Possible values

Export to personal address book

Do not export to personal address book

Allow user to configure

Default value

Allow user to configure

Minimum OS requirements

iOS 6.0

Allow apps in the personal space to access files in the work space rule


Description

Select this rule to allow apps in the personal space on devices to access files in the
work space.
If you allow apps in the personal space to access files in the work space and later
update the policy to change this setting, personal apps on devices will still have
access to existing files in the work space. Personal apps will not have access to files
added after the rule is updated on the device to disallow access.

IT policy type

Work space

Applicable activation types

Work and personal - full control

Work and personal - user privacy

Minimum OS requirements

Android OS 2.3

Notification level rule


Description

This rule specifies the level of notifications that a user sees for apps in the work space
when the work space is locked.
If you select Show notifications without details, the user sees that an app has a
notification but does not see the name of the app or any details about the notification.
If you select Show app name, the user sees only the name of the app that has a
notification.
If you select Show all information, the user sees details about the notification such as
the title and, if applicable for the notification, the summary and ticker. For example,
the title of the meeting in the calendar, the line below the title, and a scrolling
message when the notification first appears.

IT policy type

Work space

Applicable activation types

Work and personal - full control

Work and personal - user privacy

Possible values

Show notifications without details

Show app name

Show all information

Default value

Show notifications without details

Minimum OS requirements

Android OS 2.3


Allow S/MIME rule


Description

Selecting this rule allows a user to choose whether to enable S/MIME in the Work
Connect app on the device.

IT policy type

Work space

Applicable activation types

Work and personal - full control

Work and personal - user privacy

Minimum OS requirements

iOS 5.0

Android OS 2.3


Product documentation

To read the following guides or other related materials, visit docs.blackberry.com/BES10.


Category: Overview

Resource: Introduction to BlackBerry Enterprise Service 10
Description: Quick, visual introduction to BlackBerry Enterprise Service 10 at a high level

Resource: What's New in BlackBerry Enterprise Service 10 Quick Reference
Description: Summary of new features, enhancements, and updates in BlackBerry Enterprise Service 10

Resource: BlackBerry Enterprise Service 10 Product Overview
Description:
Introduction to BlackBerry Enterprise Service 10 and its features
Finding your way through the documentation
Architecture

Resource: Enterprise Solution Comparison Chart
Description: Comparison of what features are available across different BlackBerry enterprise solutions

Resource: Supported Features by Device Type
Description: Comparison of what features are supported for each type of device in BlackBerry Enterprise Service 10

Resource: BlackBerry Enterprise Service 10 Architecture and Data Flow Quick Reference Guide
Description:
Descriptions of BlackBerry Enterprise Service 10 components
Descriptions of activation and email data flows for different types of devices

Category: Release notes

Resource: BlackBerry Enterprise Service 10 Release Notes
Description: Descriptions of known issues and potential workarounds

Category: Installation and upgrade

Resource: BlackBerry Enterprise Service 10 Compatibility Matrix
Description: Software that is compatible with BlackBerry Enterprise Service 10

Resource: BlackBerry Enterprise Service 10 Performance Calculator
Description: Tool to estimate the hardware required to support a given workload for BlackBerry Enterprise Service 10

Resource: BlackBerry Enterprise Service 10 Installation Guide
Description:
System requirements
Installation instructions

Resource: BlackBerry Enterprise Service 10 Upgrade Guide
Description:
System requirements
Upgrade instructions

Resource: BlackBerry Enterprise Service 10 Licensing Guide
Description:
Descriptions of different types of licenses
Instructions for activating and managing licenses in BlackBerry Management Studio

Category: Configuration

Resource: BlackBerry Enterprise Service 10 Configuration Guide
Description: Instructions for how to configure server components before you start administering users and their devices

Category: Administration

Resource: BlackBerry Management Studio Basic Administration Guide
Description:
Basic administration for all supported device types, including BlackBerry 10 devices, BlackBerry PlayBook tablets, iOS devices, Android devices, and BlackBerry 7.1 and earlier devices
Instructions for creating and managing user accounts in multiple Services
Instructions for managing multiple devices for each user account

Resource: BlackBerry Device Service Advanced Administration Guide
Description:
Advanced administration for BlackBerry 10 devices and BlackBerry PlayBook tablets
Instructions for creating user accounts, groups, roles, and administrator accounts
Instructions for activating devices
Instructions for creating and sending IT policies and profiles
Instructions for managing apps on devices

Resource: Universal Device Service Advanced Administration Guide
Description:
Advanced administration for iOS and Android devices
Instructions for creating user accounts, groups, and administrator accounts
Instructions for activating devices
Instructions for creating and sending IT policies and profiles
Instructions for managing apps on devices
Descriptions of IT policy rules for iOS and Android devices

Category: Security

Resource: BlackBerry Device Service Policy Reference Spreadsheet
Description: Descriptions of IT policy rules for BlackBerry 10 devices and BlackBerry PlayBook tablets

Resource: BlackBerry Device Service Solution Security Technical Overview
Description:
Description of the security maintained by the BlackBerry Device Service, BlackBerry Infrastructure, and BlackBerry 10 devices and BlackBerry PlayBook tablets to protect data and connections
Description of the BlackBerry 10 OS
Description of the BlackBerry PlayBook OS
Description of how work data is protected on BlackBerry 10 devices and BlackBerry PlayBook tablets when you use the BlackBerry Device Service

Resource: Secure Work Space for iOS and Android Security Note
Description:
Description of the security maintained by the Universal Device Service, BlackBerry Infrastructure, and work space-enabled devices to protect work space data at rest and in transit
Description of how work space apps are protected on work space-enabled devices when you use the Universal Device Service


Provide feedback
To provide feedback on this content, visit www.blackberry.com/docsfeedback.


Glossary
BSSID

Basic Service Set Identifier

CA

certification authority

DNS

Domain Name System

EAP-FAST

Extensible Authentication Protocol Flexible Authentication via Secure Tunneling

HTTP

Hypertext Transfer Protocol

HTTPS

Hypertext Transfer Protocol over Secure Sockets Layer

IP

Internet Protocol

NTLM

NT LAN Manager

PEAP

Protected Extensible Authentication Protocol

S/MIME

Secure Multipurpose Internet Mail Extensions

SCEP

simple certificate enrollment protocol

SMTP

Simple Mail Transfer Protocol

SRP

Server Routing Protocol

SSL

Secure Sockets Layer

SSID

service set identifier

TLS

Transport Layer Security

TTLS

Tunneled Transport Layer Security

URI

Uniform Resource Identifier

VPN

virtual private network


Legal notice

©2015 BlackBerry. All rights reserved. BlackBerry and related trademarks, names, and logos are the property of
BlackBerry Limited and are registered and/or used in the U.S. and countries around the world.

Apple, AirDrop, AirPlay, App Store, Apple Configurator, FaceTime, iBooks Store, iCloud, iMessage, iPhone, iTunes Store,
Passbook, Safari, Siri, and Spotlight are trademarks of Apple Inc. Cisco is a trademark of Cisco Systems, Inc. and/or its
affiliates in the United States and certain other countries. Android, Google Play, and YouTube are trademarks of Google
Inc. iOS is a trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS is used under
license by Apple Inc. JavaScript is a trademark of Oracle and/or its affiliates. Microsoft, ActiveSync, and Active Directory
are trademarks of Microsoft Corporation. Motorola is a trademark of Motorola Trademark Holdings, LLC. TouchDown is a
trademark of NitroDesk Inc. Wi-Fi is a trademark of the Wi-Fi Alliance. All other trademarks are the property of their
respective owners.
This documentation including all documentation incorporated by reference herein such as documentation provided or
made available on the BlackBerry website provided or made accessible "AS IS" and "AS AVAILABLE" and without
condition, endorsement, guarantee, representation, or warranty of any kind by BlackBerry Limited and its affiliated
companies ("BlackBerry") and BlackBerry assumes no responsibility for any typographical, technical, or other
inaccuracies, errors, or omissions in this documentation. In order to protect BlackBerry proprietary and confidential
information and/or trade secrets, this documentation may describe some aspects of BlackBerry technology in generalized
terms. BlackBerry reserves the right to periodically change information that is contained in this documentation; however,
BlackBerry makes no commitment to provide any such changes, updates, enhancements, or other additions to this
documentation to you in a timely manner or at all.
This documentation might contain references to third-party sources of information, hardware or software, products or
services including components and content such as content protected by copyright and/or third-party websites
(collectively the "Third Party Products and Services"). BlackBerry does not control, and is not responsible for, any Third
Party Products and Services including, without limitation the content, accuracy, copyright compliance, compatibility,
performance, trustworthiness, legality, decency, links, or any other aspect of Third Party Products and Services. The
inclusion of a reference to Third Party Products and Services in this documentation does not imply endorsement by
BlackBerry of the Third Party Products and Services or the third party in any way.
EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS,
ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS OR
WARRANTIES OF DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE, MERCHANTABILITY, MERCHANTABLE
QUALITY, NON-INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR A
COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE, OR PERFORMANCE
OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES
REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR
PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND
CONDITIONS. TO THE EXTENT PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE
DOCUMENTATION TO THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE
HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM
THAT IS THE SUBJECT OF THE CLAIM.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL
BLACKBERRY BE LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR
PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY
PRODUCTS AND SERVICES REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE FOLLOWING
DAMAGES: DIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED
DAMAGES, DAMAGES FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS,
BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION
OR LOSS OF DATA, FAILURES TO TRANSMIT OR RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY
APPLICATIONS USED IN CONJUNCTION WITH BLACKBERRY PRODUCTS OR SERVICES, DOWNTIME COSTS, LOSS OF
THE USE OF BLACKBERRY PRODUCTS OR SERVICES OR ANY PORTION THEREOF OR OF ANY AIRTIME SERVICES, COST
OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR SERVICES, COST OF CAPITAL, OR OTHER SIMILAR
PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR UNFORESEEN, AND EVEN IF
BLACKBERRY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, BLACKBERRY SHALL HAVE NO
OTHER OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING
ANY LIABILITY FOR NEGLIGENCE OR STRICT LIABILITY.
THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF
THE CAUSE OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT,
NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL
BREACH OR BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY
CONTAINED HEREIN; AND (B) TO BLACKBERRY AND ITS AFFILIATED COMPANIES, THEIR SUCCESSORS, ASSIGNS,
AGENTS, SUPPLIERS (INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED BLACKBERRY DISTRIBUTORS (ALSO
INCLUDING AIRTIME SERVICE PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT
CONTRACTORS.
IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR,
EMPLOYEE, AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF BLACKBERRY OR ANY AFFILIATES OF
BLACKBERRY HAVE ANY LIABILITY ARISING FROM OR RELATED TO THE DOCUMENTATION.
Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure that
your airtime service provider has agreed to support all of their features. Some airtime service providers might not offer
Internet browsing functionality with a subscription to the BlackBerry Internet Service. Check with your service provider for
availability, roaming arrangements, service plans and features. Installation or use of Third Party Products and Services with
BlackBerry's products and services may require one or more patent, trademark, copyright, or other licenses in order to
avoid infringement or violation of third party rights. You are solely responsible for determining whether to use Third Party
Products and Services and if any third party licenses are required to do so. If required you are responsible for acquiring
them. You should not install or use Third Party Products and Services until all necessary licenses have been acquired. Any
Third Party Products and Services that are provided with BlackBerry's products and services are provided as a
convenience to you and are provided "AS IS" with no express or implied conditions, endorsements, guarantees,
representations, or warranties of any kind by BlackBerry and BlackBerry assumes no liability whatsoever, in relation
thereto. Your use of Third Party Products and Services shall be governed by and subject to you agreeing to the terms of
separate licenses and other agreements applicable thereto with third parties, except to the extent expressly covered by a
license or other agreement with BlackBerry.
The terms of use of any BlackBerry product or service are set out in a separate license or other agreement with BlackBerry
applicable thereto. NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN
AGREEMENTS OR WARRANTIES PROVIDED BY BLACKBERRY FOR PORTIONS OF ANY BLACKBERRY PRODUCT OR
SERVICE OTHER THAN THIS DOCUMENTATION.
BlackBerry Limited
2200 University Avenue East
Waterloo, Ontario
Canada N2K 0A7
BlackBerry UK Limited
200 Bath Road
Slough, Berkshire SL1 3XE
United Kingdom
Published in Canada
