Version: 10.2
Administration Guide
Published: 2015-02-24
SWD-20150223125016631
Contents
1 Introduction
About this guide
What is BlackBerry Enterprise Service 10?
Key features of BlackBerry Enterprise Service 10
About the Universal Device Service
Using the Universal Device Service console
Log in to the Universal Device Service console
About BES10 Self-Service
IT policy rules
Descriptions of IT policy rules
Browser policy group
Camera and video policy group
Certificates policy group
Cloud service policy group
Connectivity policy group
Content policy group
Diagnostics and usage policy group
Encryption policy group
Lock screen policy group
Messaging policy group
Online store policy group
Password policy group
Phone and messaging policy group
Profiles and certificates policy group
Security policy group
Social policy group
Storage and backup policy group
Voice assistant policy group
Descriptions of work space IT policy rules
Allow sequential and repeated character passwords rule
Require letters rule
Require lowercase letters rule
Require numbers rule
Provide feedback
10 Glossary
11 Legal notice
Chapter
Introduction
Topics:
Introduction
Description
BES10 Self-Service
Provides a console to users so that they can perform some self-service tasks.
For example, users can create activation passwords, remotely change the
password on their device, or delete data from the device.
Feature
Description
Manage devices using the IT policies and IT administration commands that the devices support
Configure profiles for devices so that you can control the connections to your organization's environment
Assign activation type profiles to user accounts to control how devices are managed
To provide a single interface for helpdesk administrators to manage all the devices in your organization's environment, you
can connect BlackBerry Management Studio to the Universal Device Service.
Description
When viewing a group or user account, you can quickly apply IT policies, profiles and software
configurations using drag and drop functionality.
User list
In the user list, each row is a link that you can click to view the properties of the user account.
You can sort and reverse sort the information in the user list by clicking any of the column
headers. To display user accounts with multiple devices, sort by user.
Required fields
Fields that have a red asterisk (*) beside them are required. You must submit a value in all
required fields to complete a task. Default values, which you can customize, are often
displayed in the fields.
Available settings
In the Available Settings pane, you can view the number of users that are assigned to an IT
policy, profile, or software configuration. The value shown represents the number of unique
users that are assigned to a particular policy, profile, or software configuration. The user is not
counted twice if they are assigned directly and by group assignment.
Online help
Click the Help link in the upper-right corner of the screen to access online help. The online
help is updated regularly to provide the most recent information.
In the browser, type https://<server_name>:<port>, where <server_name> is the FQDN of the computer that hosts
the Administration Console. The default port for the Administration Console is port 6443.
2.
3.
4.
Web address. The web address for BES10 Self-Service is https://<server_name>:7445, where <server_name> is the
FQDN of the computer that hosts the console, and 7445 is the default port. You can change the port in the BES10
Configuration Tool.
Username and password. Company directory users can log in with their organization usernames and passwords. For
local users that have BlackBerry 10 devices, you must create their usernames and passwords in the BlackBerry Device
Service. Local users that have iOS or Android devices cannot use BES10 Self-Service.
Chapter
Setting up administrator accounts
Topics:
Create an administrator account
Administrator permissions
Each role contains multiple permissions that are turned on. The roles make sure that administrators who do not have
specific administrative permissions cannot escalate their permissions. For example, junior helpdesk administrators cannot
escalate their roles to senior helpdesk administrator roles.
Permission | Security role | Enterprise role | Senior Helpdesk role | Junior Helpdesk role
Create a group
Delete a group
View a group
Edit a group
Create a user
Delete a user
View a user
Edit a user
View a device
Edit a device
Create an IT policy
Delete an IT policy
View an IT policy
Edit an IT policy
View an application
Edit an application
Delete an application
2.
Task: Add an administrator account from the company directory. If you have not configured the Universal Device Service to connect to a company directory, the Directory tab is not shown.
Steps:
1. On the Directory tab, search for an administrator account.
2. In the Name drop-down list, select the administrator account.
3. If you want to add the administrator account to a group, in the Group membership drop-down list, select a group.
4. To specify if this administrator will use a work or personal device, in the Device ownership drop-down list, select an option.
5. Verify that the Administrator account check box is selected.
6. In the Administrator role drop-down list, select a role for the administrator.
Task: Create a local administrator account.
3. To specify device activation settings for the administrator account, in the Device Activation section, select Enable new device activations.
4.
Use directory password to allow the administrator to use the company directory password to activate a device.
Specify an activation password to specify a password that the administrator must enter to activate a device.
5. To specify when the activation password expires, select a time and date in the Activation expiration (date) and Activation expiration (time) fields. If you do not specify an expiration date and time, the activation password will never expire.
6. To specify a maximum number of activation attempts the administrator is allowed to make before the device is locked, in the Maximum number of activations per device field, type a value.
7. To specify a maximum number of devices the administrator is allowed to have associated with this user account, in the Maximum number of devices to activate field, type a value.
8. To specify the device platforms that are supported, select Permitted devices and select one or more platforms.
9. To specify the device versions that are supported, in the drop-down list, select one or more versions.
10. To send an email message that contains the information that the administrator requires to activate the device, select Send activation email.
11. If you are using custom variables, click the arrow beside Custom Variables and fill in the fields.
12. Do one of the following:
To save this administrator account and create another, click Save & New.
Related information
Administrative roles and permissions
Chapter
Topics:
Using variables
Description
VPN
Wi-Fi
Allows you to specify how devices connect to your organization's Wi-Fi network
Microsoft ActiveSync
Allows you to specify how devices connect to your organization's messaging server and
synchronize email messages and organizer data using Microsoft ActiveSync
Allows you to direct all HTTP traffic to and from the personal space on iOS devices
through a proxy server behind your organization's firewall. Supported for iOS devices that
run iOS 6.0 or later and are supervised using Apple Configurator.
CA certificate
Client certificate
Allows you to provide client certificates to users' devices using SCEP or a shared
certificate
User certificate
Allows you to assign a client certificate to an individual user account and send the
certificate file to the user's devices
Compliance
Allows you to set conditions that require or restrict apps and restrict jailbroken or rooted
devices
Activation type
Allows you to specify how a device is managed after a user activates it. The profile applies
only to the next device that a user activates, and not to any currently activated devices.
Allows you to direct all HTTP traffic for the work browser on supported iOS and Android
devices through a proxy server behind your organization's firewall.
Using variables
You can use variables and custom variables to replace user account attributes and other attributes in the activation email
template and in profiles.
Note: You cannot use variables in the template for the device compliance notification.
The following table lists the variables that are available to use in the Universal Device Service.
Variable
Description
%DisplayName%
%UserEmailAddress%
%UserName%
User's username
%ActivationExpirationFinish%
%ActivationPassword%
%BSCAddress%
%SRPID%
%BSCAddress%/%SRPID%/ca
Internal web address where users can download the SSL certificate for the
Communication Module
%EnterpriseAppStoreURL%
Internal web address where users with iOS devices that are activated with user
privacy can download work apps.
%SSLCertCommon%
%SSLCertSHA%
%Custom1%, %Custom2%, %Custom3%, %Custom4%, %Custom5%
You can use up to five different variables for user attributes that you define. For
security reasons, you should not use a custom variable for a password.
Related information
Update the template for the activation email message
2.
3.
4.
5. In the Custom variable 1 field, type the user's ActiveSync username. Click Save.
6. When you create a Microsoft ActiveSync profile, type %Custom1% in the username field.
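The rules for variables stated above (a fixed set of variable names, no variables in the device compliance notification template, no custom variable for a password) can be checked before a template or profile is saved. The following Python sketch is an added example, not part of BES10 or the original guide; the field names, the `kind` labels, the fail-closed behaviour of `render` and the sample values are assumptions made for the illustration.

```python
import re

# Variables listed in the guide's table for the Universal Device Service.
KNOWN = {
    "DisplayName", "UserEmailAddress", "UserName",
    "ActivationExpirationFinish", "ActivationPassword",
    "BSCAddress", "SRPID", "EnterpriseAppStoreURL",
    "SSLCertCommon", "SSLCertSHA",
    "Custom1", "Custom2", "Custom3", "Custom4", "Custom5",
}
CUSTOM = {"Custom1", "Custom2", "Custom3", "Custom4", "Custom5"}
TOKEN = re.compile(r"%([A-Za-z0-9]+)%")

# Hypothetical label for the one template the guide says cannot use variables.
COMPLIANCE_NOTIFICATION = "compliance_notification"


def lint(kind, fields):
    """Return (field, variable, problem) findings for one template or profile.

    kind   -- hypothetical label: "activation_email", "profile" or
              COMPLIANCE_NOTIFICATION
    fields -- dict of field name -> text typed into that field
    """
    findings = []
    for field, text in fields.items():
        for var in TOKEN.findall(text):
            if var not in KNOWN:
                # Typically a typo; the token is not one of the listed variables.
                findings.append((field, var, "unknown variable"))
            elif kind == COMPLIANCE_NOTIFICATION:
                findings.append((field, var, "variables are not available in this template"))
            elif var in CUSTOM and "password" in field.lower():
                # The guide advises against carrying passwords in custom variables.
                findings.append((field, var, "custom variable used for a password"))
    return findings


def render(text, attributes):
    """Expand variables from a user's attributes.

    Raises KeyError instead of leaving a token in place (a choice made for
    this example, not documented BES10 behaviour).
    """
    def expand(match):
        var = match.group(1)
        if var not in KNOWN or var not in attributes:
            raise KeyError(var)
        return attributes[var]
    return TOKEN.sub(expand, text)


# Constructed sample input (not taken from a real BES10 server).
ACTIVESYNC_PROFILE = {
    "username": "%Custom1%",
    "password": "%Custom2%",
    "email_address": "%UserEmailAddress%",
}
COMPLIANCE_TEMPLATE = {"body": "Hello %DisplayName%, your device is not compliant."}
ACTIVATION_EMAIL = {"body": "User %UserNmae%: get the certificate at %BSCAddress%/%SRPID%/ca"}
USER = {
    "Custom1": "corp\\jdoe",
    "UserEmailAddress": "jdoe@example.com",
    "BSCAddress": "https://bsc.example.com",
    "SRPID": "S00000000",
}

if __name__ == "__main__":
    for kind, fields in (("profile", ACTIVESYNC_PROFILE),
                         (COMPLIANCE_NOTIFICATION, COMPLIANCE_TEMPLATE),
                         ("activation_email", ACTIVATION_EMAIL)):
        for finding in lint(kind, fields):
            print(kind, *finding)
    print(render("%BSCAddress%/%SRPID%/ca", USER))
```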
Authenticate using SSL/TLS when it connects to web pages that use HTTPS
Many certificates that are used for different purposes can be stored on a device. You can use certificate profiles to send
client certificates and CA certificates to devices.
S/MIME for the native iOS email app. You enable this type of S/MIME in a Microsoft ActiveSync profile.
S/MIME for the iOS and Android apps in the work space. You enable this type of S/MIME in a work space IT policy.
To use either type of S/MIME, a user must enable S/MIME on the device and specify whether to encrypt, sign, or encrypt
and sign emails. Users must store their private keys and a certificate for each recipient that they want to send an encrypted
email message to on their devices. Users can store a key and certificates by importing the files from an email message.
Note: You cannot send CA certificates to devices that are activated with the "Work and Personal - User Privacy" activation
type.
1.
2.
3. In the Certificate name field, type a name for the CA certificate profile. Each CA certificate profile must have a unique name. Some names (for example, ca_1) are reserved by default.
4. In the Certificate description field, type a description for the CA certificate profile.
5. In the Certificate file field, click Browse to specify the location of the certificate file.
6. Click Save.
Related information
Assign a profile to a group
Assign a profile to a user account
2.
3.
4.
5.
6. If the certificates need a subject alternative name, perform the following actions:
a. In the Alternative subject name type drop-down list, click the appropriate type.
b. In the Alternative representation of the certificate subject field, type the subject alternative name. The value must be an email address, the DNS name of the CA server, or the fully qualified URL of the server.
c. In the NT principal name for certificate generation field, type the user principal name.
7. If your CA uses HTTP instead of HTTPS, in the Fingerprint for enrolling a SCEP certificate field, paste the CA certificate fingerprint. Devices use the fingerprint to confirm the identity of the CA during the enrollment process.
8. If you want to permit users to use the certificate for digital signatures, select the Use the generated certificate for digital signatures check box.
9. If you want to permit users to use the certificate for encryption, select the Use the generated certificate for key encipherment check box.
10. In the Key size for certificate generation field, type the key size. The default value is 1024.
11. If necessary for your organization's SCEP configuration, in the Subject field, type CN=<common_name>,O=<domain_name>.
12. If you want to permit devices to retry the server connection if the first attempt fails, perform the following actions:
a.
b. In the Number of times SCEP connection should be retried field, type the number of times that devices can try to connect.
c. In the Time in seconds before the SCEP connection should be retried field, type the number of seconds that devices should wait between each attempt.
13. If you want to proxy SCEP requests from devices through the Universal Device Service, select the Proxy SCEP requests through the Universal Device Service check box.
14. In the SCEP server configuration type drop-down list, perform one of the following actions:
If you want the system to use the external SCEP settings that you configured, click External.
15. If you selected Defined in step 14, perform the following actions:
a. In the CA-IDENT attribute of the SCEP configuration field, type the name of the CA.
b. In the Pre-shared secret type to use in certificate generation drop-down list, click None or Plain text. If you select Plain text, type the pre-shared secret.
c. In the Base URL of the SCEP server field, type the URL of the SCEP server.
2.
3.
4. In the Authentication type drop-down list, click the appropriate authentication type.
5. If you selected NTLM authentication, in the Domain of the credentials for the external SCEP service field, type the domain of the external SCEP service.
6. In the Username field, type the user name for the external SCEP service.
7. In the Password field, type the password for the external SCEP service.
8. In the URL for generating the challenge secret key of the directory field, type the URL.
9. In the CA-IDENT attribute field, type the CA-IDENT attribute of the external SCEP service.
10. In the URL for enrollment requests of the directory field, type the URL.
11. Click Save.
2.
3. In the Certificate name field, type a name for the profile. Each client certificate profile for a shared certificate must have a unique name. Some names (for example, ca_1) are reserved by default.
4.
5.
6. In the Certificate file field, click Browse to specify the location of the certificate file.
7.
8. Click Save.
Related information
Assign a profile to a group
Assign a profile to a user account
2.
3.
4.
5. In the Certificate name field, type a name for the user certificate profile.
6. In the Certificate description field, type a description for the user certificate profile.
7. In the Password field, type a password for the user certificate profile.
8. In the Certificate file field, click Browse to specify the location of the certificate file.
9. Click Apply.
If you use certificate-based authentication, create a CA certificate profile and a client certificate profile, or user
certificate profile, and assign them to users. Certificate-based authentication is for iOS devices only. For more
information, see Sending certificates to devices.
For Android devices that do not have a work space, users must install TouchDown on their devices or use a Motorola
device that supports the Enterprise Device Management API.
If you want to use Notes Traveler, devices must have a work space.
1.
2.
3.
4.
5.
6.
If you want to use basic authentication (for example, a username and password), click None.
If you want to use a certificate profile for authentication (iOS devices only), click Certificate. In the Credential
name or description field, type a description.
In the Certificate identifier drop-down list, click the certificate profile that you want to use.
If you want to prompt users for a password when their devices try to authenticate with the server or network,
select the Prompt the user for a password check box.
7.
8.
9.
If the profile is for one user, type the email address of the user.
In the Host name or IP address field, type the host name or IP address of the Microsoft ActiveSync server.
If the profile is for multiple users in a Notes Traveler environment, type %DisplayName%.
11. If you want to permit users to encrypt or sign email messages in the native iOS email app, select the Use S/MIME
check box. Perform any of the following actions:
In the Encryption certificate identifier drop-down list, click the client certificate profile that users can use to
encrypt email messages.
In the Signing certificate identifier drop-down list, click the client certificate profile that users can use to sign
email messages.
12. If you want to control how devices manage email messages, select the Disable moving or sending email messages
and limit sync time check box. Perform any of the following actions:
To prevent moving email messages from this account to another existing email account on the device, select the
Disable moving email messages to another account check box.
To prevent third-party applications on the device from using this account to send email messages, select the
Disable sending email messages from this account in third-party applications check box.
To specify how long to keep existing email messages for this account on the device, select the Limit time to sync
email messages check box. Specify the synchronization period.
13. If you do not want devices to synchronize new email recipients to the device address book, select the Disable
synchronizing new recipients to device address book check box.
14. If the Microsoft ActiveSync server requires SSL authentication, select the Use SSL check box. If you want to permit
work space apps to accept any server certificate when connecting to the Microsoft ActiveSync server (including the
default ActiveSync self-signed certificate), select the Accept all SSL certificates check box.
15. Click Add.
Related information
Assign a profile to a group
Assign a profile to a user account
2.
3.
4.
5. If required, in the BSSID field, type the BSSID of the Wi-Fi network.
6. If you do not want to broadcast the SSID for the Wi-Fi network, select the Hidden network check box.
7. In the SSID field, type the network name of the Wi-Fi network.
8. If you want iOS device users to be able to connect to the Wi-Fi network automatically, verify that the Automatically join the network check box is selected.
9. In the Network configuration drop-down list, select the appropriate network configuration.
10. In the Proxy type drop-down list, perform one of the following actions:
Task
Steps
Select None.
Select Automatic and type the URL used to retrieve proxy settings.
1. Select Manual.
2. In the Host name or IP address for the proxy server field, type the host
name or IP address.
3. In the Port number for the proxy server field, type the port number.
4. In the Username for the proxy server field, type the login name.
5. In the Password for the proxy server field, type the password.
11. In the Security type drop-down list, perform one of the following actions:
Task
Steps
Select None.
1. Select Personal.
2. In the Password field, type the password.
3. In the Security type of the personal Wi-Fi profile drop-down list, click the
appropriate security type.
In the Identification for TTLS, PEAP and EAP-FAST field, type the
appropriate identifier.
If the Wi-Fi network requires a password, and you don't want users to have
to type the password, select the Password provided by the Wi-Fi
configuration check box. In the Wi-Fi connection password field, type the
password.
If the Wi-Fi network requires that users provide a username, and you don't
want users to have to type their username, in the Username field, type
%UserName%.
5. On the Trust tab, perform the following actions as required:
a. If you want to permit iOS device users to allow exceptions to trust rules, select the Trust user decisions check box.
2.
3.
4. In the Description of the VPN profile field, type a description for the profile.
5. In the VPN profile type drop-down list, click the appropriate profile type.
6. In the Authentication drop-down list, click the appropriate authentication type. The available authentication types depend on the profile type that you selected.
7. Specify the VPN settings for your organization and select the appropriate options. The required settings and available options depend on the profile type and authentication type that you selected.
8. In the Hostname or IP address of VPN server field, type the host name or IP address of the VPN gateway.
9. If the VPN gateway requires that users provide a username, and you don't want users to have to type their username, in the Username for authenticating the connection field, type %UserName%.
10. In the Proxy type drop-down list, perform one of the following actions:
Task
Steps
Select None.
Select Automatic and type the URL used to retrieve proxy settings.
1. Select Manual.
2. In the Host name or IP address for the proxy server field, type the host
name or IP address.
3. In the Port number for the proxy server field, type the port number.
4. In the Username for the proxy server field, type the login name.
5. In the Password for the proxy server field, type the password.
2. In the left pane, click the + icon next to Global HTTP Proxy.
3.
4. In the Proxy type drop-down list, perform one of the following actions:
If you want to select the proxy server automatically using a PAC file, click Automatic. In the PAC URL field, type the URL for the PAC file.
If you want to specify the proxy server, click Manual. Specify the FQDN or IP address of the proxy server, the port number, and the username and password of the administrator account that you want to use to authenticate with the proxy server.
5. Click Save.
After you finish: Assign the global HTTP proxy profile to user accounts or groups.
Related information
Assign a profile to a group
Assign a profile to a user account
Conditions that would make a device non-compliant with BlackBerry Enterprise Service 10. You can specify any of the
following conditions:
Notifications that users receive if they violate the compliance conditions and the amount of time that users have to
correct the issue
Action that is taken if the user does not correct the issue, including limiting a user's access to your organization's
resources, deleting work data from the device, or deleting all data from the device
A compliance profile assigned directly to a user account takes precedence over a compliance profile assigned to a
group, and over the default compliance profile
A compliance profile assigned to a group takes precedence over the default compliance profile
The default compliance profile is assigned to a user account only if the user is not assigned a compliance profile
directly or through group membership
2.
3.
4. Select the check box next to the settings that you want to configure. Do any of the following:
If you want jailbroken or rooted devices to be considered non-compliant, select Jailbroken or rooted device.
If you want devices with applications that you did not install to be considered non-compliant, select Non-assigned application is installed. Non-assigned applications do not include core applications that are installed with the device operating system.
If you want devices that have not installed the latest update for optional applications to be considered non-compliant, select Optional application is not updated.
If you want devices that do not have a required application to be considered non-compliant, select Required application is not installed.
If you want devices that have not installed the latest update for required applications to be considered non-compliant, select Required application is not updated.
5. In the Enforcement action drop-down list, for each setting that you selected in step 4, configure the Universal Device Service to perform one of the following tasks when user accounts do not meet your organization's requirements:
Task
Steps
2. In the Prompt method drop-down list, select the type of message that you
want the Universal Device Service to send. The message body comes from
the compliance notification template, which you can update. Do one of the
following:
3. In the Prompt count field, specify the number of times an email message
or a device notification message should be sent before the required action
is enforced.
4. In the Prompt interval fields, specify the time between prompts.
5. In the Prompt interval expired action drop-down list, select the action that
you want the Universal Device Service to take when the prompt period
expires. For example, if the prompt count is three and the prompt interval
is 10 minutes, the prompt period expires after 30 minutes. Do one of the
following:
To delete your organization's data from the device, select Delete only
work data (unmanage).
To delete all data from the device, select Delete all data (full control
device) or unmanage (user privacy device).
Select Untrust. Data and applications are not deleted from the device.
Select Delete all data (full control device) or unmanage (user privacy
device).
Click Save.
2.
3.
4. Select the check box next to the settings that you want to configure. Do any of the following:
If you want jailbroken or rooted devices to be considered non-compliant, select Jailbroken or rooted device.
If you want devices with applications that you did not install to be considered non-compliant, select Non-assigned application is installed. Non-assigned applications do not include core applications that are installed with the device operating system.
If you want devices that have not installed the latest update for optional applications to be considered non-compliant, select Optional application is not updated.
If you want devices that do not have a required application to be considered non-compliant, select Required application is not installed.
If you want devices that have not installed the latest update for required applications to be considered non-compliant, select Required application is not updated.
5. In the Enforcement action drop-down list, for each setting that you selected in step 4, configure the Universal Device Service to perform one of the following tasks when user accounts do not meet your organization's requirements:
Task
Steps
3. In the Prompt count field, specify the number of times an email message
or a device notification message should be sent before the required action
is enforced.
4. In the Prompt interval fields, specify the time between prompts.
5. In the Prompt interval expired action drop-down list, select the action that
you want the Universal Device Service to take when the prompt period
expires. For example, if the prompt count is three and the prompt interval
is 10 minutes, the prompt period expires after 30 minutes. Do one of the
following:
To delete your organization's data from the device, select Delete only
work data (unmanage).
To delete all data from the device, select Delete all data (full control
device) or unmanage (user privacy device).
1. Select Untrust. Data and applications are not deleted from the device.
1. Select Delete all data (full control device) or unmanage (user privacy
device).
Click Save.
Related information
2. In the From email address field, type the email address that you want to send the email message from. You might
want to use an email address that does not accept replies.
If your organization's messaging server is Microsoft Exchange Server, you selected Credentials as the
authentication type in the SMTP server settings, and the email address that you specify in the From email address field
does not match the account in the SMTP server settings, verify that the email address has the Send As permission in
Microsoft Exchange.
3.
4.
5. In the Device notification message field, update the default text if necessary.
6. Click Save.
Untrust
Enforcement action
Description
MDM controls
Provides control of work data on devices, while ensuring privacy for personal
data. When a device is activated, a separate work space is created on the
device and the user must create a password to access the work space. Work
data is protected using encryption and by requiring authentication for
connections to the work space. You can control the work space on the device
using IT administration commands and IT policies, but you cannot control any
aspects of the personal space on the device. Users are not required to install a
mobile device management profile for iOS devices, or permit Administrator
permissions for Android devices.
Activation type
Description
For iOS devices, you cannot send notifications to install internal work apps, and
you cannot view the status of work apps in the Administration Console. Users
with iOS devices must download internal work space apps from an internal
website (workspace://apps).
A Gold - Secure Work Space license is required for this activation type.
2.
3.
4. In the Activation type drop-down list, select the activation type that you want to be the default.
5. Click Save.
2.
3.
4. In the Activation type drop-down list, select the activation type to be associated with the profile.
5. Click Save.
Verify whether their devices are compliant with the organization's standards
View the profiles that have been assigned to their user accounts
View the IT policy rules that have been assigned to their user accounts
Apps
iOS
Work Space Manager - required to run the other work space apps on the device
Android
The work space allows you to take advantage of the following features:
Convert your organization's internal apps into work space apps that can be installed and run in the work space, or
obtain work space apps from the App Store or Google Play. Use software configurations to install and manage work
space apps. For more information, see Installing apps in the work space.
Control specific behaviors of the work space on devices, such as password requirements and connection preferences,
by applying a work space IT policy to user accounts. A default work space IT policy is automatically applied to devices
with a work space.
Use IT administration commands to reset the work space password or delete the work space on devices.
For information about the requirements to enable the work space, visit www.blackberry.com/go/serverdocs to read the
BlackBerry Enterprise Service 10 Configuration Guide.
Create an IT policy
1.
2.
3.
4.
5. Click Save.
Related information
Descriptions of IT policy rules, 78
2.
3.
4. Configure the appropriate values for the work space IT policy rules.
5. Click Save.
Related information
Descriptions of work space IT policy rules, 114
Any version of iOS 5.0 or later that supports Secure Work Space
Any version of Android 2.3 or later that supports Secure Work Space
For more information about OS compatibility, visit docs.blackberry.com/BES10 to read the BlackBerry Enterprise Service
10 Compatibility Matrix.
You can select the proxy server automatically using a PAC file, or you can specify the proxy server manually.
2. In the left pane, click the + icon next to Work Space HTTP Proxy.
3.
4.
If you want to select the proxy server automatically using a PAC file, select the Automatic check box. In the PAC
URL field, type the URL for the PAC file.
If you want to specify the proxy server, select the Manual check box. Specify the FQDN or IP address of the proxy
server and the port number (default 8080). Type the username and password of the administrator account that
you want to use to authenticate with the proxy server. For the username, use the format <domain>\<username>.
Optionally, type <domain>\%UserName% in the username field to have users authenticate with the proxy server
using their company directory passwords.
5. Click Save.
After you finish: Assign the proxy profile for the Secure Work Space to user accounts or groups.
Related information
Assign a profile to a group, 56
Assign a profile to a user account, 60
If you want to add a paid app to an application definition for iOS 5 and later devices, you should use the manual
installation method. You should not select the Prompt once installation method, the option to remove the app when the
device is removed from management in the Universal Device Service, or the option to disable backup to the iCloud
online service or iTunes Store. If you select any of these options, the app is treated as a work app and is subject to
actions that you perform as administrator. For example, if you remove work data from the device, the app is also
removed.
To create an application definition for an internal app that you want to install in the work space, you must first secure
the app and have the developer re-sign it. For more information, see Installing apps in the work space.
If you want to distribute a secured and re-signed work space app from the App Store or Google Play, you can follow this
task and then use a software configuration to distribute the work space app to users and groups. For more information,
see Installing apps in the work space.
Some secured apps that are available in the App Store or Google Play require specific ports to be open on BlackBerry
Enterprise Service 10. Contact the app vendor for information.
1.
2.
3.
4. In the Default installation method drop-down list, perform one of the following actions:
If you want users to receive one prompt to install the app on their iOS 5 and later devices, select Prompt once. If
users dismiss the prompt, they can install the app later using the Work Apps screen in the BES12 Client or the
Work Apps icon on the device. The default installation method is supported for iOS 5 and later devices only for
application sources that are either .ipa files (apps that are internally hosted by your organization) or free apps in
the App Store.
If you want users to install the app on the Work Apps screen in the BES12 Client or using the Work Apps icon on
the device, select Manual. This is the default installation method and it is supported for iOS devices and Android
devices for all application sources.
5. If you want to remove the app from iOS 5 and later devices when the devices are removed from management in the
Universal Device Service, select the check box for that option.
6. If you want to prevent apps on iOS 5 and later devices from being backed up to the iCloud online service or iTunes
Store, select the check box for that option.
7. In the Applications sources section, click the + icon and select Upload binary (for an internal app) or App store app.
8.
9.
For public apps, select Application web address and type the web address of the app in the App Store or Google
Play.
For internally hosted apps or work space apps, select Application file (.apk, .ipa) and type the file name for the
app or click Browse and locate the application file. .ipa files are supported only for iOS 5 and later devices
(available from the Work Apps icon on the device).
2. In the left pane, in the Software Configurations pane, click the + icon.
3.
4.
5.
6.
7. Click Add.
8.
9. Click Save.
2.
3.
4. In the drop-down list, select the software configuration that you want to assign to the user account.
5. Click Apply.
2.
3. On the Settings tab, in the Software configurations section, click the + icon.
4. In the drop-down list, select the software configuration that you want to assign to the group.
5. Click Apply.
2.
3. In the Software configurations window, click on a software configuration name to display the list of work apps. Apps
that the user did not install are indicated by a red icon. Apps that the user installed but that are not the correct
version are indicated by a red and white icon.
Secure an app
You can use the Universal Device Service administration console to secure an app so that it can be installed in the work
space on devices.
Before you begin:
Obtain the app binary file (.apk or .ipa) from the developer. The size of the app file must be no larger than 50 MB.
1.
2.
3.
4.
5. Check the status of the app. The process can take a few minutes to several hours. The status column displays one of
the following states:
Processing
In progress
Failed - Retry
Securing complete
6. When the status is Securing complete, click Download secure file to download the secured app to your local
computer.
After the app is secured and re-signed, create an application definition for the app and include it in a software
configuration. Assign the software configuration to users or groups.
Related information
Create an application definition, 46
Types of apps
Work space-enabled devices can run three different types of apps:
Type of app
Description
Personal app
An app that the user installs on the device, or an app that the manufacturer or
wireless service provider installs on the device. BlackBerry Enterprise Service 10
treats these apps, and the data that they store, as personal data.
Work app
An app that you install and manage on a user's device. BlackBerry Enterprise
Service 10 treats these apps, and the data that they store, as work data.
A work app that the work space secures with additional protections. BlackBerry
Enterprise Service 10 treats these apps, and the data that they store, as work
space data.
Description
An app that your organization develops and specifically prepares to run in the
work space.
An app that a third-party develops and the app vendor specifically prepares to
run in the work space.
Create a group
1.
2.
3. To add an IT policy, certificate, profile, or software configuration to the group, in the IT policies and profiles section,
click the + icon.
4.
a.
b. Select the specific IT policy, certificate, profile, or software configuration in the drop-down list.
c. Click Apply.
When you are finished specifying the group properties, click Add.
2.
3.
4. To change the properties of the group, click the Settings tab and do the following:
Option
Step
Change the IT policies and profiles applied to the group
1. In the IT policies and profiles section, click the + icon.
2. Click IT policy or the type of certificate or profile.
3. Select the specific IT policy, certificate, or profile in the drop-down list.
4. Click Apply.
Change the software configurations applied to the group
Delete a group property
2. Click the selection box beside the names of the accounts you want to add to a group.
3.
4.
5. Click Assign.
2. Click the selection box beside the names of the accounts you want to delete from the group.
3.
4. Click Remove.
2.
3.
In the IT policies section, select the IT policy that you want to assign.
In the Work Space section, select the work space IT policy that you want to assign.
4. Drag the IT policy or work space IT policy to the group name in the left pane.
5. Click Apply.
Related information
Controlling the capabilities of devices, 43
2.
3. On the Available Settings tab, in the Profiles section, select the profile that you want to assign.
4.
5. Click Apply.
membership, it assigns user accounts to, or removes user accounts from, the Universal Device Service group until the
membership matches the Microsoft Active Directory group.
For more information about the BlackBerry Directory Sync Tool, visit www.blackberry.com/go/serverdocs to read the
BlackBerry Resource Kit for BlackBerry Enterprise Service 10 documentation.
Update the template for the activation email message that you send to users when you add them to the Universal
Device Service. You can send the activation email message to a user when you add the user, or at any time after you add
the user.
1.
2.
Task
Steps
3. If you want to add the user account to a group, in the Group membership
drop-down list, select a group.
4. To specify whether the user will use a work or personal device, in the
Device ownership drop-down list, select an option.
5. Verify that the Administrator account check box is clear.
1. Select the Local tab, and specify the details for the user account.
2. If you want to add the user account to a group, in the Group membership
drop-down list, select a group.
3. To specify whether the user will use a work or personal device, in the
Device ownership drop-down list, select an option.
4. Verify that the Administrator account check box is clear.
3. To specify device activation settings for the user account, in the Device Activation section, select Enable new device
activations.
4.
Use directory password to allow the user to use the company directory password to activate a device.
Specify an activation password to specify a password that the user must enter to activate a device.
5. To specify when the activation password expires, select a time and date in the Activation expiration (date) and
Activation expiration (time) fields. If you do not specify an expiration date and time, the activation password will
never expire.
6. To specify a maximum number of times that the user is allowed to activate the device before the device is locked, in
the Maximum number of activations per device field, type a value.
7. To specify a maximum number of devices that can be associated with the user account, in the Maximum number of
devices to activate field, type a value.
8. To specify the device platforms that are supported, select Permitted devices and select one or more platforms.
9. To specify the device versions that are supported, in the drop-down list, select one or more versions.
10. To send an email message to the user immediately after you save the user account, select Send activation email. The
email message will contain the activation information that you specified in the activation email template. If you do not
want the user to activate the device with the default activation type, clear the Send activation email option and send
the email after you apply the desired activation type to the user account.
11. If you use custom variables, click the arrow beside Custom Variables and complete the fields.
12. Do one of the following:
To save the user account and create another user account, click Save & New.
Smartphone model number or tablet model number, operating system, wireless service provider, phone number,
software version, and current state
1.
2.
2.
3.
In the IT policies section, select the IT policy that you want to assign.
In the Work Space section, select the work space IT policy that you want to assign.
4. Drag the IT policy or work space IT policy to anywhere in the user account window.
5. Click Apply.
Related information
Controlling the capabilities of devices, 43
2.
3. On the Available Settings tab, in the Profiles section, select the profile that you want to assign.
4.
5. Click Apply.
2.
3.
4.
5. In the Device ownership drop-down list, select the type of device ownership. The selection is applied to the next
device that the user activates. It does not change the ownership status of the user's existing devices.
6. Click Save.
2.
3.
4.
5.
6. If you selected Change activation password, or Specify activation password, type an activation password in the
Activation password field.
7. To specify when the activation password expires, select a date and time in the Activation expiration (date) and
Activation expiration (time) drop-down lists.
8. To send an email message to a user that contains the information that the user requires to activate their device,
select Send activation email.
9. Click Save.
Activating devices
When a user activates a device in the Universal Device Service, the device is associated with your organization's
environment so that the user can access work data on their device.
To activate their devices, users must type a username and an activation password. If the user account is associated with
your company directory, you can allow the user to use their company username and password, or you can specify an
activation password. For local user accounts, you must create a username and activation password for the user.
Complete the following tasks before you send activation emails to users:
Ensure that you have the required licenses available. For more information about licenses, see the BlackBerry
Enterprise Service 10 Licensing Guide.
Update the template for the activation email so that it includes all of the information that users need to activate their
devices.
If you do not want users to activate their devices using the default activation type, assign an activation type profile to the
user account or group. You cannot change the activation type for a user's device after the user has activated their
device.
2. In the Device ownership drop-down list, perform one of the following actions:
Select Corporate if users typically activate devices that belong to your organization.
Select Not specified if some users activate personal devices and some users activate devices that belong to your
organization.
3. In the Activation expiration fields, select the default date and time by which the user must activate a device.
4. In the Maximum number of activations per device field, change the value to be the number of times that a user can
activate a device.
5. In the Maximum number of devices to activate field, change the value to be the total number of devices that a user
can activate.
6. Select Permitted devices if you want to specify the type and version of devices that users can activate.
7. Click Save.
In the Administration Console, on the menu bar, click Settings > Activation Email.
2. In the From email address field, replace the default text with the email address that you want to send the email
message from. You might want to use an email address that does not accept replies.
If your organization uses Microsoft Exchange Server and you selected Credentials as the authentication type in the
SMTP server settings, and the email address that you specify in the From email address field does not match the
account in the SMTP server settings, verify that the email address has the Send As permission in Microsoft Exchange.
3.
4. In the Message field, update the default text. You can use variables in the text to customize the email message for
different users. For a list of variables, see Using variables. You can complete some or all of the following changes:
5.
Review the paragraph in the Before you begin section. The variable https://%BSCAddress%/%SRPID%/ca is
replaced by the web address where the user can install the SSL certificate on the device. If the user installs the
certificate before activating the device, the certificate is displayed as a trusted certificate in step 4 of the default
text.
In step 1 of the default text, you can remove one of the app store web addresses if it is not required. For example,
if you support only iOS devices, you can remove the Google Play web address.
In step 3 of the default text, the variables %BSCAddress%/%SRPID% are automatically replaced in the email
message with the required server address and SRP ID.
In step 4 of the default text, you can replace <X or checkmark> with X (SSL certificate is not trusted) or
checkmark (SSL certificate is trusted). For more information about the SSL certificate, see the BlackBerry
Enterprise Service 10 Configuration Guide.
In step 5 of the default text, include information about the activation password. The password might be the user's
directory password or a password that you create. If you create the password, you can insert the
%ActivationPassword% variable in the email message to provide the password, or you can send the password to
the user separately.
If you did not select an expiry date for the activation password, you can remove the related statement in step 5.
Step 8 in the default text is applicable only to users with iOS devices that are activated with user privacy. If the
step is applicable, remove the text in the square brackets. If the step is not applicable, remove the entire step.
Optionally, you can include login information for BES10 Self-Service. The web address for BES10 Self-Service is
https://<server_name>:7445, where <server_name> is the FQDN of the computer that hosts the console. Company
directory users can log in with their directory usernames and passwords. For local users with BlackBerry 10 devices,
you must create each user's username and password in the BlackBerry Device Service. Local users with iOS or
Android devices cannot use BES10 Self-Service.
6. Click Save.
Related information
Using variables, 22
2.
3.
4.
Click the email icon to send the activation email to the user.
Click the edit icon to change the device activation settings. Confirm that the Send activation email check box is
selected, and click Save.
Send the following activation instructions to the device user. When you send the instructions to a user, indicate whether the
user needs to install the Communication Module SSL certificate and whether the user is a directory user (can use their
directory usernames and passwords) or a local user (must use the username and password that you specified).
1. If your administrator notes that it is required, open the web address in your activation email to install the
Communication Module SSL certificate on your device. Installing the certificate before activation ensures that the
device recognizes and trusts BlackBerry Enterprise Service 10.
2. Install the BES12 Client. The BES12 Client is available from the App Store.
3.
4. If you are prompted to turn on location services, complete the following steps:
a. Tap Settings.
b.
c.
d. Close Settings.
5.
6. Type your organization's server address and tap Go. You can find the server address in the activation email message.
7. Confirm that the certificate details match your organization's information and tap Accept.
8.
9.
Send the following activation instructions to the device user. When you send the instructions to a user, indicate whether the
user needs to install the Communication Module SSL certificate and whether the user is a directory user (can use their
directory usernames and passwords) or a local user (must use the username and password that you specified).
1. If your administrator notes that it is required, open the web address in your activation email to install the
Communication Module SSL certificate on your device. Installing the certificate before activation ensures that the
device recognizes and trusts BlackBerry Enterprise Service 10.
2. Install the BES12 Client. The BES12 Client is available from Google Play.
3.
4.
5. Type your organization's server address and tap Next. You can find the server address in the activation email
message.
6. Confirm that the certificate details match your organization's information and tap Accept.
7.
8.
9. If you are prompted, create a work space password and download work space apps.
After you finish: Open the BES12 Client and tap About. In the Activated Device section, you should see your device
information.
Managing devices
The Universal Device Service includes IT administration commands that you can send to devices over the wireless network
to protect data on devices. You can view detailed information about individual devices in device reports and view a history
of all communication that occurs between devices and the Universal Device Service in the communication logs. If devices
are jailbroken or rooted, the Universal Device Service displays an indicator beside the name of the user account that is
associated with the jailbroken device or rooted device in the list of user accounts.
IT administration command
Description
Specify device password and lock
For Android devices, this command allows you to create a
new device password and lock the device. You must create
a password that complies with existing password rules.
When the user unlocks the device, the device prompts the
user to accept or reject the new password.
Activation types
MDM controls
MDM controls
MDM controls
MDM controls
MDM controls
Work and personal - full
control
2.
3.
4.
5.
6. Click Save.
2.
3.
4.
5. In the Device ownership drop-down list, select the type of device ownership.
6. Click Save.
2.
3. In the Manage Device window, click the View device report icon.
4. Click File > Save As... to save the device report to a file on the computer, if required.
2.
3.
Deactivating devices
When you or a user deactivates a device, the connection between the device and the user account in the Universal Device
Service is removed. You cannot manage the device, and the device is not displayed in the Administration Console. The user
cannot access work data on the device.
You can deactivate a device using the Delete only work data IT administration command. For more information, see Using
IT administration commands to manage devices.
A user can deactivate a device by selecting Deactivate My Device on the About screen in the BES12 Client.
Possible solution
To deactivate the device, you or the user must delete the BES12 Client from the device.
The Work Apps icon remains on iOS device after the device is deactivated
Possible cause
If a user has an iOS device that is running iOS 5 or later, a blank Work Apps icon might remain on the device after the
device is deactivated.
Possible solution
The user can delete the blank Work Apps icon manually.
2.
3.
Logging
The Universal Device Service creates log files for each Universal Device Service component and audit logs that record
administrator requests, for example, to create, update, or delete user accounts or groups. Log files and audit logs can be
used to determine the cause of an issue.
Log files
The Universal Device Service creates log files for each Universal Device Service component and saves the log files on the
computer that hosts the Universal Device Service.
You can configure the location where the log files are stored when you install the Universal Device Service. By default, the
Universal Device Service saves log files in C:\Program Files (x86)\Research in Motion\BlackBerry Enterprise Service
10\Logs. Log files are organized in the following folders:
Audit
BWS
Comm
Core
EAS
Installer
RIM.UDS.GUI
Scheduler
USRV: Scheduler
Audit logs
Audit logs record requests that you make to create, update, and delete user accounts or groups, send IT administration
commands to devices, add user accounts to groups or remove user accounts from groups, and create or assign profiles,
software configurations and IT policies to devices.
Audit logs are saved in the Audit folder and are named
<server_name>_<component_identifier>_Audit_<instance>_<yyyymmdd>_<log_number>.csv.
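Added example (not part of the BlackBerry guide or product): a Python sketch that splits audit log file names according to the naming pattern above and lists what is missing from a collected set before the logs are reviewed. The sample file names, the component identifier CORE, numeric <instance> and <log_number> fields, and consecutive log numbering are assumptions made for illustration.

```python
"""Inventory BES10 audit-log files by name before review (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple, Optional

# Pattern from the guide:
#   <server_name>_<component_identifier>_Audit_<instance>_<yyyymmdd>_<log_number>.csv
# Assumptions (not stated in the guide): <instance> and <log_number> are decimal
# integers, <component_identifier> has no underscore, and log numbers within one
# server/component/instance/day are consecutive.
NAME_RE = re.compile(
    r"^(?P<server>.+)_(?P<component>[^_]+)_Audit_(?P<instance>\d+)"
    r"_(?P<day>\d{8})_(?P<log_number>\d+)\.csv$",
    re.IGNORECASE,
)


class AuditFile(NamedTuple):
    server: str
    component: str
    instance: int
    day: str          # ISO date, for example "2015-02-10"
    log_number: int


def parse_audit_name(name: str) -> Optional[AuditFile]:
    """Return the fields of an audit-log file name, or None if it does not fit."""
    m = NAME_RE.match(name)
    if m is None:
        return None
    try:
        # Reject impossible calendar dates such as 20150231.
        day = datetime.strptime(m["day"], "%Y%m%d").date()
    except ValueError:
        return None
    return AuditFile(m["server"], m["component"], int(m["instance"]),
                     day.isoformat(), int(m["log_number"]))


def review_collection(names):
    """Group names into per-server/component/instance streams and report gaps."""
    unrecognised = []
    streams = defaultdict(lambda: defaultdict(set))
    for name in names:
        f = parse_audit_name(name)
        if f is None:
            unrecognised.append(name)
            continue
        streams[(f.server, f.component, f.instance)][f.day].add(f.log_number)

    missing_numbers, days_without_files = {}, {}
    for stream, days in streams.items():
        # Log numbers absent between the lowest and highest seen on one day.
        for day, numbers in days.items():
            gaps = sorted(set(range(min(numbers), max(numbers) + 1)) - numbers)
            if gaps:
                missing_numbers[stream + (day,)] = gaps
        # Calendar days with no file between the first and last day collected.
        # A quiet day may be legitimate; the list is for the reviewer to confirm.
        d = datetime.strptime(min(days), "%Y-%m-%d").date()
        last = datetime.strptime(max(days), "%Y-%m-%d").date()
        absent = []
        while d <= last:
            if d.isoformat() not in days:
                absent.append(d.isoformat())
            d += timedelta(days=1)
        if absent:
            days_without_files[stream] = absent
    return {
        "unrecognised": unrecognised,
        "missing_numbers": missing_numbers,
        "days_without_files": days_without_files,
    }


# Constructed sample: names as they might be listed from the Audit folder.
SAMPLE = [
    "BES10-SRV01_CORE_Audit_01_20150210_0001.csv",
    "BES10-SRV01_CORE_Audit_01_20150210_0002.csv",
    "BES10-SRV01_CORE_Audit_01_20150210_0004.csv",   # 0003 is absent
    "BES10-SRV01_CORE_Audit_01_20150212_0001.csv",   # nothing for 20150211
    "LAB_SRV_02_CORE_Audit_01_20150210_0001.csv",    # underscores in server name
    "BES10-SRV01_CORE_Audit_01_20150231_0001.csv",   # impossible date
    "BES10-SRV01_CORE_20150210_0001.txt",            # not an audit log name
]

if __name__ == "__main__":
    for key, value in review_collection(SAMPLE).items():
        print(key, value)
```

Because the server name is matched from the right-hand side of the pattern, names that contain underscores are still split correctly.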
IT policy rules
Selecting this rule disables the Safari browser and removes its icon from the Home
screen. This rule also prevents users from opening web clips on the device.
IT policy type: Device
MDM controls
Minimum OS requirements: iOS 5.0
Selecting this rule prevents the Safari browser from saving user entries in web forms
for later use.
Related rules
This rule is not valid if the Hide the default web browser rule is selected.
IT policy type: Device
MDM controls
Minimum OS requirements: iOS 5.0
Selecting this rule disables JavaScript in the Safari browser. The browser ignores all
JavaScript on websites.
Related rules
This rule is not valid if the Hide the default browser rule is selected.
IT policy type: Device
MDM controls
Minimum OS requirements: iOS 5.0
Selecting this rule blocks pop-up windows in the Safari web browser.
Related rules
This rule is not valid if the Hide the default web browser rule is selected.
IT policy type: Device
MDM controls
Minimum OS requirements: iOS 5.0
This rule specifies how the Safari web browser handles cookies. If you select Always,
cookies are always accepted. If you select From visited websites, cookies are only
accepted from websites that the user visits directly in the browser. If you select Never,
cookies are never accepted.
Related rules
This rule is not valid if the Hide the default web browser rule is selected.
IT policy type: Device
MDM controls
Never
Always
Default value
Minimum OS requirements
iOS 5.0
Possible values
Selecting this rule turns on fraud warnings in the Safari web browser. The browser
attempts to prevent the user from visiting websites identified as being fraudulent or
compromised.
Related rules
This rule is not valid if the Hide the default web browser rule is selected.
IT policy type: Device
MDM controls
Minimum OS requirements: iOS 5.0
Selecting this rule prevents the device from streaming videos or sending the device
display to another device, such as a projector or television screen. Selecting this rule
also prevents users from taking screen captures of the device display.
IT policy type: Device
MDM controls
Minimum OS requirements: iOS 5.0
Selecting this rule prevents users from taking a screen capture of the device display.
Related rules
Selecting the Disable output rule also prevents users from taking screen captures.
Users cannot take screen captures if either rule is selected.
IT policy type: Device
MDM controls
Minimum OS requirements: iOS 5.0
Selecting this rule disables the device cameras. Users cannot take photographs or
videos.
IT policy type: Device
MDM controls
Minimum OS requirements: iOS 5.0; Android OS 4.0
Selecting this rule removes the FaceTime app icon from the Home screen. Users
cannot make video calls.
Related rules
Selecting the Hide the default camera application rule also hides the FaceTime app
icon. Users cannot use FaceTime if either rule is selected.
IT policy type
Device
MDM controls
iOS 5.0
Minimum OS requirements
Selecting this rule prevents users from trusting certificates that cannot be verified.
Related rules
Also selecting the Disable untrusted certificates after prompt rule displays a message
to the user when the device disables an untrusted certificate.
IT policy type
Device
MDM controls
iOS 5.0
Minimum OS requirements
Selecting this rule displays a message to the user when the device disables a
certificate that cannot be trusted.
Related rules
This rule is only valid if the Disable untrusted certificates rule is selected.
IT policy type
Device
MDM controls
Minimum OS requirements
iOS 5.0
IT policy type
Device
MDM controls
iOS 7.0
Minimum OS requirements
Selecting this rule prevents the use of all iCloud services, including backup,
document, and picture services.
IT policy type
Device
MDM controls
iOS 5.0
Minimum OS requirements
Selecting this rule prevents users from backing up their device data to iCloud.
Related rules
Selecting the Disable cloud services rule disables all iCloud services, including the
iCloud backup service.
IT policy type
Device
Minimum OS requirements
MDM controls
iOS 5.0
Related rules
Selecting the Disable cloud services rule disables all iCloud services, including iCloud
document services.
IT policy type
Device
MDM controls
iOS 5.0
Minimum OS requirements
Selecting this rule prevents users from using Photo Stream. Sending this rule to a
device deletes Photo Stream photos from the device and prevents photos from the
camera roll from being sent to Photo Stream.
Related rules
Selecting the Disable cloud services rule disables all iCloud services, including Photo
Stream.
IT policy type
Device
MDM controls
iOS 5.0
Minimum OS requirements
Selecting this rule prevents users from using Shared Photo Streams.
This rule requires Universal Device Service 6.1 MR2 or later.
Related rules
Selecting the Disable cloud picture services rule prevents users from using Photo
Stream.
Selecting the Disable cloud services rule disables all iCloud services, including Photo
Stream.
IT policy type
Device
MDM controls
iOS 6.0
Minimum OS requirements
Selecting this rule prevents managed apps from using cloud sync.
IT policy type
Device
MDM controls
iOS 8.0
Minimum OS requirements
Selecting this rule prevents users from using AirDrop to share data with other devices.
This rule applies only to devices that are supervised using Apple Configurator.
IT policy type
Device
MDM controls
iOS 7.0
Minimum OS requirements
Selecting this rule prevents the device from pairing with any computer other than the
Apple Configurator host. This rule applies only to devices that are supervised using
Apple Configurator.
IT policy type
Device
MDM controls
iOS 7.0
Minimum OS requirements
Selecting this rule prevents users from connecting the device to a Wi-Fi or wireless
network.
IT policy type
Device
MDM controls
iOS 5.0
Minimum OS requirements
Selecting this rule prevents users from changing the wireless data usage for apps. This
rule applies only to devices that are supervised using Apple Configurator.
Related rules
This rule is not valid if the Disable network connectivity rule is selected.
IT policy type
Device
MDM controls
iOS 7.0
Minimum OS requirements
Selecting this rule prevents users from connecting the device to a wireless network.
Related rules
Selecting the Disable network connectivity rule also prevents users from connecting
the device to a wireless network. Users cannot connect the device to a wireless
network if either rule is selected.
This rule is not valid if the Disable network connectivity rule is selected.
IT policy type
Device
MDM controls
iOS 5.0
Minimum OS requirements
Selecting this rule prevents users from connecting the device to a wireless network
when the device is roaming.
Related rules
This rule is not valid if the Disable network connectivity or Disable wireless
connectivity rule is selected.
IT policy type
Device
MDM controls
iOS 5.0
Minimum OS requirements
Selecting this rule prevents the device from using the data connection when the
device is roaming. For iOS 4.x devices, selecting this rule disables background data
service when the device is roaming.
Related rules
This rule is not valid if the Disable network connectivity, Disable wireless connectivity,
or Disable roaming rule is selected.
IT policy type
Device
Minimum OS requirements
MDM controls
iOS 5.0
Selecting this rule prevents devices from automatically synchronizing message and
organizer data when roaming. Devices that are roaming will sync only when the user
requests it.
Related rules
This rule is not valid if the Disable network connectivity, Disable wireless connectivity,
Disable roaming, or Disable data service when roaming rule is selected.
IT policy type
Device
MDM controls
iOS 5.0
Minimum OS requirements
Selecting this rule prevents users from making voice calls over the wireless network
when the device is roaming.
Related rules
This rule is not valid if the Disable network connectivity, Disable wireless connectivity,
or Disable roaming rule is selected.
IT policy type
Device
MDM controls
iOS 5.0
Minimum OS requirements
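The "Related rules" entries above for the untrusted-certificate rules and for the network and roaming rules form a chain of "not valid if" and "only valid if" constraints. The following Python check is an added example, not part of the BlackBerry guide or product; it reports which selected rules are not valid under those constraints. The pairing of rule names with descriptions is read from the "Related rules" text, and the two labels in angle brackets are placeholders for rules whose names do not appear on the page.

```python
"""Check a set of selected IT policy rules against 'Related rules' constraints."""

NET = "Disable network connectivity"
WIFI = "Disable wireless connectivity"
ROAM = "Disable roaming"
DATA_ROAM = "Disable data service when roaming"
CERT = "Disable untrusted certificates"
CERT_PROMPT = "Disable untrusted certificates after prompt"
# Placeholders: the page describes these rules but does not show their names.
SYNC_ROAM = "<automatic sync when roaming rule>"
VOICE_ROAM = "<voice calls when roaming rule>"

# rule -> rules that make it "not valid" when they are selected
NOT_VALID_IF = {
    WIFI: [NET],
    ROAM: [NET, WIFI],
    DATA_ROAM: [NET, WIFI, ROAM],
    SYNC_ROAM: [NET, WIFI, ROAM, DATA_ROAM],
    VOICE_ROAM: [NET, WIFI, ROAM],
}

# rule -> rules that must be selected for it to be valid
ONLY_VALID_IF = {
    CERT_PROMPT: [CERT],
}


def lint_policy(selected):
    """Return (rule, reason) pairs for every selected rule that is not valid."""
    selected = set(selected)
    findings = []
    for rule in sorted(selected):
        blockers = [b for b in NOT_VALID_IF.get(rule, []) if b in selected]
        if blockers:
            findings.append(
                (rule, "not valid because selected: " + ", ".join(blockers))
            )
        missing = [p for p in ONLY_VALID_IF.get(rule, []) if p not in selected]
        if missing:
            findings.append(
                (rule, "only valid if also selected: " + ", ".join(missing))
            )
    return findings


def valid_rules(selected):
    """Return the selected rules that pass every constraint, sorted by name."""
    invalid = {rule for rule, _ in lint_policy(selected)}
    return sorted(set(selected) - invalid)


# Constructed sample policy: wireless is disabled outright, two roaming rules
# are selected as well, and the certificate prompt lacks its prerequisite.
SAMPLE_POLICY = [WIFI, DATA_ROAM, VOICE_ROAM, CERT_PROMPT]

if __name__ == "__main__":
    for rule, reason in lint_policy(SAMPLE_POLICY):
        print(f"{rule}: {reason}")
    print("valid:", valid_rules(SAMPLE_POLICY))
```

A finding on a roaming rule means a broader rule already covers it; a finding on the certificate prompt rule means its prerequisite rule was never selected, which is the case worth reviewing before the policy is sent to devices.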
Selecting this rule specifies whether a password is required on the first AirPlay pairing.
If this rule is selected, all devices that receive AirPlay requests from another device
must use a pairing password.
IT policy type
Device
MDM controls
iOS 7.1
Minimum OS requirements
Selecting this rule sets the maximum allowed rating for movies, TV shows, and apps to
0. Movies and TV shows downloaded from the iTunes Store are hidden and users
cannot preview or download movies or TV shows. The icons for work and personal
apps are removed from the Home screen and users cannot install or update apps. On
iOS devices with Secure Work Space, the BES12 Client and work space apps,
including default work space apps, are also removed from the Home screen.
This rule applies only to movies and TV shows that users can download from the
iTunes Store and apps that users can download from the App Store. This rule does not
apply to built-in iOS apps.
Related rules
The Hide the default music store rule removes the iTunes Store from the Home
screen.
The Hide the default application store rule removes the App Store from the Home
screen.
IT policy type
Device
MDM controls
Minimum OS requirements
iOS 5.0
Selecting this rule hides any explicit content downloaded from the iTunes Store and
the App Store.
Related rules
IT policy type
Device
MDM controls
iOS 5.0
Minimum OS requirements
This rule sets the maximum allowed content rating for apps that users can download
to the device from the App Store.
Specify a number between 0 and 100 to define the maximum allowed content rating
for apps. The number corresponds to ratings such as E, T, and M, or 9+, 12+, and
17+, which vary by country. The lower the number the greater the content restriction.
For instance, 0 allows no apps and 100 allows all apps.
Related rules
IT policy type
Device
MDM controls
Possible values
Default value
100
Minimum OS requirements
iOS 5.0
This rule sets the maximum allowed content rating for movies that users can download
to the device from the iTunes Store.
Specify a number between 0 and 100 to define the maximum allowed content rating
for movies. The number corresponds to ratings such as G, PG, and R, and age-based
ratings, which vary by country. The lower the number the greater the content
restriction. For instance, 0 allows no movies and 100 allows all movies.
Related rules
IT policy type
Device
MDM controls
Possible values
Default value
100
Minimum OS requirements
iOS 5.0
This rule sets the maximum allowed content rating for television shows that users can
download to the device from the iTunes Store.
Specify a number between 0 and 100 to define the maximum allowed content rating
for TV shows. The number corresponds to ratings such as G, PG, and R, and age-based
ratings, which vary by country. The lower the number the greater the content
restriction. For instance, 0 allows no TV shows and 100 allows all TV shows.
Related rules
IT policy type
Device
MDM controls
Possible values
Default value
100
Minimum OS requirements
iOS 5.0
This rule sets the country or region whose ratings are used for the content. This setting
is not required.
Related rules
IT policy type
Device
MDM controls
Possible values
A two-letter code indicating the country that the content ratings system applies to.
Default value
None
Minimum OS requirements
iOS 5.0
Selecting this rule prevents devices from sending diagnostic information to Apple.
IT policy type
Device
MDM controls
iOS 5.0
Minimum OS requirements
IT policy type
Device
MDM controls
Android OS 3.0
Minimum OS requirements
Related rules
This rule is only valid if the Apply encryption rules rule is selected.
IT policy type
Device
MDM controls
Android OS 3.0
Minimum OS requirements
Selecting this rule prevents the device from displaying notifications from the Passbook
app when the device is locked.
Device
MDM controls
iOS 6.0
Minimum OS requirements
Selecting this rule prevents users from swiping up to view the Control Center while the
screen is locked.
IT policy type
Device
MDM controls
iOS 7.0
Minimum OS requirements
Selecting this rule prevents users from accessing the Notifications view in the
Notification Center when the screen is locked. New mail notifications still appear.
IT policy type
Device
MDM controls
iOS 7.0
Minimum OS requirements
Selecting this rule prevents users from swiping down to see the Notification Center
using the Today view while the screen is locked.
IT policy type
Device
Minimum OS requirements
MDM controls
iOS 7.0
Selecting this rule prevents users from using the iMessage software feature.
This rule requires Universal Device Service 6.1 MR2 or later. This rule only applies to
devices that are supervised using the Apple Configurator.
IT policy type
Device
MDM controls
iOS 6.0
Minimum OS requirements
Selecting this rule prevents users from using all online content stores. Users cannot
make in-app purchases or use the App Store and iTunes Store on the device.
IT policy type
Device
MDM controls
Minimum OS requirements
iOS 5.0
Related rules
Selecting the Disable online stores rule also prevents users from making purchases
within apps. Users cannot make purchases within apps if either rule is selected.
IT policy type
Device
MDM controls
iOS 5.0
Minimum OS requirements
Selecting this rule prevents the online store from saving the user's password. Users
must enter their password for all content purchases. This rule is selected by default.
Related rules
This rule is not valid if the Disable online stores rule is selected.
IT policy type
Device
MDM controls
iOS 5.0
Minimum OS requirements
Selecting this rule disables the App Store on the device and removes its icon from the
Home screen.
Related rules
Selecting the Disable online stores rule also disables the App Store and removes its
icon from the Home screen.
IT policy type
Device
Minimum OS requirements
MDM controls
iOS 5.0
Selecting this rule disables the iBooks Store on the device and removes its icon from
the Home screen.
This rule requires Universal Device Service 6.1 MR2 or later. This rule only applies to
devices that are supervised using Apple Configurator.
Related rules
Selecting the Disable online stores rule also disables the iBooks Store and removes its
icon from the Home screen.
IT policy type
Device
MDM controls
iOS 6.0
Minimum OS requirements
Selecting this rule prevents users from downloading media that has been tagged as
erotica from the iBooks Store.
This rule requires Universal Device Service 6.1 MR2 or later. This rule only applies to
devices that are supervised using Apple Configurator.
Related rules
Selecting the Hide the default book store rule disables the iBooks Store and removes
its icon from the Home screen.
Selecting the Disable online stores rule disables the iBooks Store and removes its icon
from the Home screen.
IT policy type
Device
MDM controls
Minimum OS requirements
iOS 6.0
Selecting this rule disables the iTunes Store on the device and removes its icon from
the Home screen.
Related rules
Selecting the Disable online stores rule also disables the iTunes Store and removes its
icon from the Home screen.
IT policy type
Device
MDM controls
iOS 5.0
Minimum OS requirements
Selecting this rule allows you to set parameters that users must follow when setting
the device password.
Related rules
The Avoid repetition and simple patterns rule, Require alphanumeric value rule,
Require letters rule, Require lowercase letters rule, Require numbers rule, Require
special characters rule, and Require uppercase letters rule set the parameters for
user password requirements.
IT policy type
Device
MDM controls
Minimum OS requirements
iOS 5.0
Android OS 2.3
Selecting this rule prevents users from using sequential or repeated characters in the
device password.
Related rules
This rule is only valid if the Define password properties rule is selected.
IT policy type
Device
MDM controls
iOS 5.0
Minimum OS requirements
Selecting this rule requires users to create a device password that contains at least
one letter and one number.
Related rules
This rule is only valid if the Define password properties rule is selected.
IT policy type
Device
MDM controls
iOS 5.0
Minimum OS requirements
Selecting this rule requires users to create a device password that contains letters. For
Android OS 3.0 and later, you can also specify the minimum number of letters
required.
If you select this rule and then specify the minimum number of letters, a user must
create a password that includes at least the number of letters that you specify.
Related rules
This rule is only valid if the Define password properties rule is selected.
IT policy type
Device
MDM controls
Possible values
Default value
Minimum OS requirements
Android OS 2.3
This rule specifies the minimum number of lowercase letters required in the device
password.
If you select this rule and then specify the minimum number of lowercase letters, a
user must create a password that includes at least the number of lowercase letters
that you specify.
Related rules
This rule is only valid if the Define password properties rule is selected.
IT policy type
Device
MDM controls
Possible values
Default value
Minimum OS requirements
Android OS 3.0
Selecting this rule requires users to create a device password that contains numerals.
For Android OS 3.0 and later, you can also specify the minimum number of numerals
required.
If you select this rule and then specify the minimum number of numerals, a user must
create a password that includes at least the number of numerals that you specify.
Related rules
This rule is only valid if the Define password properties rule is selected.
IT policy type
Device
MDM controls
Possible values
Default value
Minimum OS requirements
Android OS 2.3
This rule specifies the minimum number of special characters required in the device
password.
If you select this rule and then specify the minimum number of special characters, a
user must create a password that includes at least the number of special characters
that you specify.
Related rules
This rule is only valid if the Define password properties rule is selected.
IT policy type
Device
MDM controls
Possible values
Default value
Minimum OS requirements
iOS 5.0
Android OS 3.0
This rule specifies the minimum number of uppercase letters required in the device
password.
If you select this rule and then specify the minimum number of uppercase letters, a
user must create a password that includes at least the number of uppercase letters
that you specify.
Related rules
This rule is only valid if the Define password properties rule is selected.
IT policy type
Device
MDM controls
Possible values
Default value
Minimum OS requirements
Android OS 3.0
Delete data and applications from the device after incorrect password
attempts rule
Description
Selecting this rule specifies the number of times that a user can try an incorrect
password before the device deletes all user information and application data.
For Android devices, the device does not recognize an entry of less than four
characters as a password. If the user enters an incorrect password of less than four
characters, it will not be counted as an attempt.
IT policy type
Device
MDM controls
For iOS devices, a number between 4 and 10. If you set a value less than 4, a value
of 4 will be used. If you set a number greater than 10, a value of 10 will be used.
Possible values
Default value
Minimum OS requirements
iOS 5.0
Android OS 2.3
Selecting this rule requires users to enter the device password after a period of
inactivity.
IT policy type
Device
Minimum OS requirements
MDM controls
iOS 5.0
Android OS 2.3
This rule specifies the maximum period of inactivity that can elapse before a device
locks. The value specified in this rule is the maximum value that a user can set on the
device.
Related rules
IT policy type
Device
MDM controls
Possible values
Default value
15 minutes
Minimum OS requirements
iOS 5.0
Android OS 2.3
Time after a device locks that it can be unlocked without a password rule
Description
This rule specifies the maximum period of time that can elapse before a password is
required to unlock a device. The grace period begins after the device locks. The value
specified in this rule is the maximum value that a user can set on the device.
Related rules
IT policy type
Device
MDM controls
Possible values
Default value
1 minute
Minimum OS requirements
iOS 5.0
Selecting this rule allows you to specify the period of time after a password is set until
the device password expires and the user must set a new password. You can specify
any number of days, hours, minutes, or seconds.
IT policy type
Device
MDM controls
Possible values
A number greater than 0 and a time period of days, hours, minutes, or seconds.
Default value
90 days
Minimum OS requirements
iOS 5.0
Android OS 3.0
Selecting this rule allows you to specify the number of previous passwords that the
device checks to prevent a user from reusing passwords.
Possible values
IT policy type
Device
MDM controls
Default value
Minimum OS requirements
iOS 5.0
Android OS 3.0
IT policy type
Device
MDM controls
iOS 5.0
Android OS 2.3
Minimum OS requirements
Selecting this rule allows you to specify the minimum number of characters required in
the device password.
Related rules
This rule is only valid if the Restrict password length rule is selected.
IT policy type
Device
MDM controls
Possible values
Default value
Minimum OS requirements
iOS 5.0
Android OS 2.3
Selecting this rule prevents users from making telephone calls on the device using Siri.
IT policy type
Device
MDM controls
iOS 5.0
Minimum OS requirements
Selecting this rule prevents users from installing configuration profiles and
certificates.
This rule requires Universal Device Service 6.1 MR2 or later. This rule only applies to
devices that are supervised using Apple Configurator.
IT policy type
Device
MDM controls
iOS 6.0
Minimum OS requirements
Selecting this rule prevents users from using the activity continuation feature to
transfer user activities among multiple devices associated with the user.
IT policy type
Device
Minimum OS requirements
MDM controls
iOS 8.0
Selecting this rule prevents users from adding, deleting, or changing accounts on the
device. This rule applies only to devices that are supervised using Apple Configurator.
IT policy type
Device
MDM controls
iOS 7.0
Minimum OS requirements
Selecting this rule prevents users from using the Erase All Content And Settings
option on a device to wipe it.
This rule applies only to devices that are supervised using Apple Configurator.
IT policy type
Device
MDM controls
iOS 8.0
Minimum OS requirements
Selecting this rule prevents users from using the Enable Restrictions option to
prevent access to apps or features on a device.
This rule applies only to devices that are supervised using Apple Configurator.
IT policy type
Device
Minimum OS requirements
MDM controls
iOS 8.0
Selecting this rule prevents a Spotlight search from returning Internet search results
when searching for content on a device.
This rule applies only to devices that are supervised using Apple Configurator.
IT policy type
Device
MDM controls
iOS 8.0
Minimum OS requirements
Selecting this rule prevents users from using Touch ID to unlock the device. When this
option is selected, users must use a password to unlock the device.
IT policy type
Device
MDM controls
iOS 7.0
Minimum OS requirements
IT policy type
Device
MDM controls
Minimum OS requirements
iOS 7.0
Selecting this rule displays only personal apps and accounts as possible destinations
when users attempt to open data such as attachments from a personal app or account
on the device. Safari and AirDrop will continue to display all apps and accounts as
possible destinations.
IT policy type
Device
MDM controls
iOS 7.0
Minimum OS requirements
Selecting this rule displays only work apps and accounts as possible destinations
when users attempt to open data such as attachments from a work app or account on
the device.
IT policy type
Device
MDM controls
iOS 7.0
Minimum OS requirements
Selecting this rule prevents users from changing the settings for the Find My Friends
app. This rule applies only to devices that are supervised using Apple Configurator.
IT policy type
Device
MDM controls
iOS 7.0
Minimum OS requirements
Selecting this rule prevents the use of the Game Center app and the YouTube app.
The apps are disabled and the YouTube app is removed from the Home screen. On
supervised devices, the Game Center app is removed from the Home screen.
IT policy type
Device
MDM controls
iOS 5.0
Minimum OS requirements
Hide the Game Center app and disable game functionality rule
Description
Selecting this rule prevents the use of the Game Center app. On devices that are
supervised using Apple Configurator, the icon is removed from the Home screen.
Related rules
Selecting the Hide the Game Center and YouTube apps rule also disables the Game
Center app.
IT policy type
Device
MDM controls
iOS 5.0
Minimum OS requirements
Selecting this rule prevents users from adding friends in the Game Center app.
Related rules
This rule is not valid if the Hide the Game Center app and disable game functionality
rule or Hide the Game Center and YouTube apps rule is selected.
IT policy type
Device
MDM controls
iOS 5.0
Minimum OS requirements
Selecting this rule prevents users from playing multiplayer games in the Game Center
app.
Related rules
This rule is not valid if the Hide the Game Center app and disable game functionality
rule or Hide the Game Center and YouTube apps rule is selected.
IT policy type
Device
MDM controls
iOS 5.0
Minimum OS requirements
Selecting this rule prevents the use of the Game Center app on supervised iOS
devices. The Game Center app is disabled and its icon is removed from the Home
screen.
This rule requires Universal Device Service 6.1 MR2 or later. This rule only applies to
devices that are supervised using Apple Configurator.
Related rules
Selecting the Hide the Game Center app and disable game functionality rule also
disables the Game Center app.
Selecting the Hide the Game Center and YouTube apps rule also disables the Game
Center app.
IT policy type
Device
Minimum OS requirements
MDM controls
iOS 6.0
Selecting this rule prevents the use of the YouTube app. The app is disabled and the
icon is removed from the Home screen.
This rule is obsolete in iOS 6.0 and later.
Related rules
Selecting the Hide the Game Center and YouTube apps rule also disables the
YouTube app.
IT policy type
Device
MDM controls
iOS 5.0
Minimum OS requirements
Selecting this rule stores all backup data in an encrypted format on the user's
computer.
IT policy type
Device
MDM controls
iOS 5.0
Minimum OS requirements
IT policy type
Device
MDM controls
iOS 8.0
Minimum OS requirements
Selecting this rule forces devices to synchronize enterprise book metadata, such as
notes and highlights.
IT policy type
Device
MDM controls
iOS 8.0
Minimum OS requirements
Selecting this rule prevents users from using Siri, voice commands, and dictation.
IT policy type
Device
MDM controls
iOS 5.0
Minimum OS requirements
Selecting this rule prevents users from using Siri voice commands when the device is
locked and prevents users from unlocking the device using Siri voice commands. This
rule applies only if the user has set a password for the device.
Related rules
If you select this rule, you should also select the Device password rule to require that
the user sets a password.
This rule is not valid if the Disable the default voice assistant application rule is
selected.
IT policy type
Device
MDM controls
iOS 5.0
Minimum OS requirements
Selecting this rule prevents users from adding their own content to Siri. This rule
applies only to devices that are supervised using Apple Configurator.
IT policy type
Device
MDM controls
iOS 7.0
Minimum OS requirements
Related information
Create a work space IT policy
Selecting this rule allows a user to set a work space password that uses sequential
characters, such as abcd, or repeated characters, such as 1111.
IT policy type
Work space
iOS 5.0
Android OS 2.3
Minimum OS requirements
This rule specifies the minimum number of letters required in the work space
password.
If you select this rule and then specify the minimum number of letters, a user must
create a password that includes at least the number of letters that you specify.
IT policy type
Work space
Possible values
Default value
Minimum OS requirements
iOS 5.0
Android OS 2.3
This rule specifies the minimum number of lowercase letters required in the work
space password.
If you select this rule and then specify the minimum number of lowercase letters, a
user must create a password that includes at least the number of lowercase letters
that you specify.
IT policy type
Work space
Possible values
Default value
Minimum OS requirements
iOS 5.0
Android OS 2.3
This rule specifies the minimum number of numerals required in the work space
password.
If you select this rule and then specify the minimum number of numerals, a user must
create a password that includes at least the number of numerals that you specify.
IT policy type
Work space
Possible values
Default value
Minimum OS requirements
iOS 5.0
Android OS 2.3
This rule specifies the minimum number of special characters required in the work
space password.
If you select this rule and then specify the minimum number of special characters, a
user must create a password that includes at least the number of special characters
that you specify.
IT policy type
Work space
Possible values
Default value
Minimum OS requirements
iOS 5.0
Android OS 2.3
This rule specifies the minimum number of uppercase letters required in the work
space password.
If you select this rule and then specify the minimum number of uppercase letters, a
user must create a password that includes at least the number of uppercase letters
that you specify.
IT policy type
Work space
Possible values
Default value
Minimum OS requirements
iOS 5.0
Android OS 2.3
Selecting this rule restricts the length of the work space password.
IT policy type
Work space
iOS 5.0
Android OS 2.3
Minimum OS requirements
This rule allows you to specify the minimum number of characters required in the work
space password.
Related rules
This rule is only valid if the Restrict password length rule is selected.
IT policy type
Work space
Possible values
Default value
Minimum OS requirements
iOS 5.0
Android OS 2.3
This rule allows you to specify the maximum number of characters required in the
work space password.
Related rules
This rule is only valid if the Restrict password length rule is selected.
IT policy type
Work space
Possible values
Default value
32
Minimum OS requirements
iOS 5.0
Android OS 2.3
This rule specifies the number of previous work space passwords that the device
checks to prevent a user from reusing work space passwords.
IT policy type
Work space
Possible values
Default value
Minimum OS requirements
iOS 5.0
Android OS 2.3
This rule specifies whether the work space locks when a device locks after a period of
inactivity.
If this rule is selected, when a user is in the work space, the work space locks after the
period of inactivity specified in the Lock device after inactivity in work space rule.
When the user is in the personal space, or if the Lock device after inactivity in work
space rule is not selected, the work space locks after the period of inactivity specified
in the auto-lock setting on the device.
IT policy type
Work space
iOS 5.0
Android OS 2.3
Minimum OS requirements
This rule specifies the period of inactivity in the work space that can elapse before a
device locks.
If you configure this rule, the following behavior occurs after the specified inactivity
period:
On iOS devices, the work space locks when a work space app is open. The device
doesn't lock and the screen doesn't turn off.
On Android devices with a password, the device locks when a work space app is
open. The work space isn't locked.
On Android devices without a password, the device turns off the screen when a
work space app is open. The work space isn't locked.
On Android devices, the inactivity period that you specify is the maximum time for
inactivity. A user can set a shorter inactivity period on the device. If the user sets a
shorter inactivity period, the screen locks when that inactivity period is met.
IT policy type
Work space
Possible values
Default value
15 minutes
Minimum OS requirements
iOS 5.0
Android OS 2.3
This rule specifies the period of inactivity in the personal space that can elapse before
the work space locks.
IT policy type
Work space
Possible values
Default value
30 minutes
Minimum OS requirements
iOS 5.0
Android OS 2.3
Selecting this rule specifies the number of times that a user can try an incorrect
password before the action specified in the Action after maximum incorrect password
attempts rule occurs.
IT policy type
Work space
Possible values
Default value
Minimum OS requirements
iOS 5.0
Android OS 2.3
This rule specifies the action that occurs after the maximum number of incorrect
password attempts has been reached.
If you select Disable work space, the work space is disabled and can only be restored
by an administrator.
If you select Deactivate device, the work space is disabled and all data in the work
space is deleted immediately. iOS devices are deactivated.
If you select Disable work space and after N days, deactivate device, you must also
specify a number of days. The work space is disabled immediately and can only be
restored by an administrator. If the work space is not restored before the specified
number of days elapse, all data in the work space is deleted. iOS devices are
deactivated.
Related rules
This rule is only valid if the Track incorrect password attempts rule is selected.
IT policy type: Work space
Deactivate device
Possible values
Default value
Minimum OS requirements: iOS 5.0, Android OS 2.3
This rule specifies how the browser app in the work space handles plug-ins.
If you select On, the browser allows all plug-ins to run.
If you select Off, the browser does not allow plug-ins to run.
If you select On Demand, the device prompts the user when the browser tries to run a
plug-in.
IT policy type: Work space
Possible values: On, Off, On Demand
Default value: On
Minimum OS requirements: Android OS 2.3
This rule specifies the number of days of inactivity in the work space that can elapse
before all data in the work space is deleted, including work email messages, contacts,
and files. iOS devices are deactivated.
IT policy type: Work space
Possible values
Default value: 60 days
Minimum OS requirements: iOS 5.0, Android OS 2.3
This rule specifies whether work contacts are exported from the Work Connect app in
the work space to the personal address book on the device. The Contacts app is the
personal address book on an iOS device.
If you select Export to personal address book, only work contacts with phone numbers
are exported. When you deactivate the device, work contacts are removed from the
personal address book.
If you select Do not export to personal address book, work contacts are not exported
and calls and SMS text messages from work contacts do not display the contact name.
If you select Allow user to configure, the user can choose to export work contacts from
the Work Connect app to the personal address book.
IT policy type: Work space
Possible values
Default value
Minimum OS requirements: iOS 6.0
Select this rule to allow apps in the personal space on devices to access files in the
work space.
If you allow apps in the personal space to access files in the work space and later
update the policy to change this setting, personal apps on devices will still have
access to existing files in the work space. Personal apps will not have access to files
added after the rule is updated on the device to disallow access.
IT policy type: Work space
Minimum OS requirements: Android OS 2.3
This rule specifies the level of notifications that a user sees for apps in the work space
when the work space is locked.
If you select Show notifications without details, the user sees that an app has a
notification but does not see the name of the app or any details about the notification.
If you select Show app name, the user sees only the name of the app that has a
notification.
If you select Show all information, the user sees details about the notification such as
the title and, if applicable for the notification, the summary and ticker. For example,
the title of the meeting in the calendar, the line below the title, and a scrolling
message when the notification first appears.
IT policy type: Work space
Possible values
Default value
Minimum OS requirements: Android OS 2.3
Selecting this rule allows a user to choose whether to enable S/MIME in the Work
Connect app on the device.
IT policy type: Work space
Minimum OS requirements: iOS 5.0, Android OS 2.3
Product documentation
Resource
Description
Overview
Introduction to BlackBerry
Enterprise Service 10
Architecture
Release notes
Installation and
upgrade
Category
Configuration
System requirements
Installation instructions
System requirements
Upgrade instructions
Security
Provide feedback
To provide feedback on this content, visit www.blackberry.com/docsfeedback.
Glossary
BSSID
CA: certification authority
DNS
EAP-FAST
HTTP
HTTPS
IP: Internet Protocol
NTLM: NT LAN Manager
PEAP
S/MIME
SCEP
SMTP
SRP
SSL
SSID
TLS
TTLS
URI
VPN
Legal notice
©2015 BlackBerry. All rights reserved. BlackBerry and related trademarks, names, and logos are the property of
BlackBerry Limited and are registered and/or used in the U.S. and countries around the world.
Apple, AirDrop, AirPlay, App Store, Apple Configurator, FaceTime, iBooks Store, iCloud, iMessage, iPhone, iTunes Store,
Passbook, Safari, Siri, and Spotlight are trademarks of Apple Inc. Cisco is a trademark of Cisco Systems, Inc. and/or its
affiliates in the United States and certain other countries. Android, Google Play, and YouTube are trademarks of Google
Inc. iOS is a trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS is used under
license by Apple Inc. JavaScript is a trademark of Oracle and/or its affiliates. Microsoft, ActiveSync, and Active Directory
are trademarks of Microsoft Corporation. Motorola is a trademark of Motorola Trademark Holdings, LLC. TouchDown is a
trademark of NitroDesk Inc. Wi-Fi is a trademark of the Wi-Fi Alliance. All other trademarks are the property of their
respective owners.
This documentation including all documentation incorporated by reference herein such as documentation provided or
made available on the BlackBerry website provided or made accessible "AS IS" and "AS AVAILABLE" and without
condition, endorsement, guarantee, representation, or warranty of any kind by BlackBerry Limited and its affiliated
companies ("BlackBerry") and BlackBerry assumes no responsibility for any typographical, technical, or other
inaccuracies, errors, or omissions in this documentation. In order to protect BlackBerry proprietary and confidential
information and/or trade secrets, this documentation may describe some aspects of BlackBerry technology in generalized
terms. BlackBerry reserves the right to periodically change information that is contained in this documentation; however,
BlackBerry makes no commitment to provide any such changes, updates, enhancements, or other additions to this
documentation to you in a timely manner or at all.
This documentation might contain references to third-party sources of information, hardware or software, products or
services including components and content such as content protected by copyright and/or third-party websites
(collectively the "Third Party Products and Services"). BlackBerry does not control, and is not responsible for, any Third
Party Products and Services including, without limitation the content, accuracy, copyright compliance, compatibility,
performance, trustworthiness, legality, decency, links, or any other aspect of Third Party Products and Services. The
inclusion of a reference to Third Party Products and Services in this documentation does not imply endorsement by
BlackBerry of the Third Party Products and Services or the third party in any way.
EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS,
ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS OR
WARRANTIES OF DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE, MERCHANTABILITY, MERCHANTABLE
QUALITY, NON-INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR A
COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE, OR PERFORMANCE
OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES
REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR
PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND
CONDITIONS. TO THE EXTENT PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE
DOCUMENTATION TO THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE
HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM
THAT IS THE SUBJECT OF THE CLAIM.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL
BLACKBERRY BE LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR
PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY
PRODUCTS AND SERVICES REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE FOLLOWING
DAMAGES: DIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED
DAMAGES, DAMAGES FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS,
BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION
OR LOSS OF DATA, FAILURES TO TRANSMIT OR RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY
APPLICATIONS USED IN CONJUNCTION WITH BLACKBERRY PRODUCTS OR SERVICES, DOWNTIME COSTS, LOSS OF
THE USE OF BLACKBERRY PRODUCTS OR SERVICES OR ANY PORTION THEREOF OR OF ANY AIRTIME SERVICES, COST
OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR SERVICES, COST OF CAPITAL, OR OTHER SIMILAR
PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR UNFORESEEN, AND EVEN IF
BLACKBERRY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, BLACKBERRY SHALL HAVE NO
OTHER OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING
ANY LIABILITY FOR NEGLIGENCE OR STRICT LIABILITY.
THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF
THE CAUSE OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT,
NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL
BREACH OR BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY
CONTAINED HEREIN; AND (B) TO BLACKBERRY AND ITS AFFILIATED COMPANIES, THEIR SUCCESSORS, ASSIGNS,
AGENTS, SUPPLIERS (INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED BLACKBERRY DISTRIBUTORS (ALSO
INCLUDING AIRTIME SERVICE PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT
CONTRACTORS.
IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR,
EMPLOYEE, AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF BLACKBERRY OR ANY AFFILIATES OF
BLACKBERRY HAVE ANY LIABILITY ARISING FROM OR RELATED TO THE DOCUMENTATION.
Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure that
your airtime service provider has agreed to support all of their features. Some airtime service providers might not offer
Internet browsing functionality with a subscription to the BlackBerry Internet Service. Check with your service provider for
availability, roaming arrangements, service plans and features. Installation or use of Third Party Products and Services with
BlackBerry's products and services may require one or more patent, trademark, copyright, or other licenses in order to
avoid infringement or violation of third party rights. You are solely responsible for determining whether to use Third Party
Products and Services and if any third party licenses are required to do so. If required you are responsible for acquiring
them. You should not install or use Third Party Products and Services until all necessary licenses have been acquired. Any
Third Party Products and Services that are provided with BlackBerry's products and services are provided as a
convenience to you and are provided "AS IS" with no express or implied conditions, endorsements, guarantees,
representations, or warranties of any kind by BlackBerry and BlackBerry assumes no liability whatsoever, in relation
thereto. Your use of Third Party Products and Services shall be governed by and subject to you agreeing to the terms of
separate licenses and other agreements applicable thereto with third parties, except to the extent expressly covered by a
license or other agreement with BlackBerry.
The terms of use of any BlackBerry product or service are set out in a separate license or other agreement with BlackBerry
applicable thereto. NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN
AGREEMENTS OR WARRANTIES PROVIDED BY BLACKBERRY FOR PORTIONS OF ANY BLACKBERRY PRODUCT OR
SERVICE OTHER THAN THIS DOCUMENTATION.
BlackBerry Limited
2200 University Avenue East
Waterloo, Ontario
Canada N2K 0A7
BlackBerry UK Limited
200 Bath Road
Slough, Berkshire SL1 3XE
United Kingdom
Published in Canada