BlackBerry Enterprise Service 10. Universal Device Service Version: Administration Guide

Transcription

1 BlackBerry Enterprise Service 10 Universal Service Version: 10.2 Administration Guide

2

3 Published: SWD

4

5 Contents 1 Introduction...9 About this guide...10 What is BlackBerry Enterprise Service 10?...10 Key features of BlackBerry Enterprise Service About the Universal Service Using the Universal Service console Log in to the Universal Service console About BES10 Self-Service Setting up administrator accounts...15 Administrative roles and permissions...16 Administrator permissions...16 Create an administrator account Setting up device controls...21 Creating and assigning profiles...22 Using variables Use custom variables Sending certificates to devices Setting up encrypted using S/MIME Create a CA certificate profile Create a client certificate profile for SCEP Create a client certificate profile for a shared certificate Create a user certificate profile and assign it to a user account Controlling how devices can connect to your organization's network Create a Microsoft ActiveSync profile...28 Create a Wi-Fi profile Create a VPN profile Routing data for ios devices through a proxy server Create a global HTTP proxy profile for ios devices...33 Enforcing compliance rules Assigning and reconciling compliance profiles Change the default compliance profile...35 Create a compliance profile Update the template for the device compliance notification Returning devices to compliance...39 Controlling how ios and Android devices are activated and managed...40

6 Change the default activation type...41 Create an activation type profile...41 What is the BES12 Client?...41 Managing devices that have a work space...42 Upgrading work space apps Controlling the capabilities of devices Create an IT policy...43 Create a work space IT policy Routing data for the work browser through a proxy server...44 Create a proxy profile for Secure Work Space Managing app availability on devices...46 Create an application definition Create a software configuration Assign a software configuration to a user account Assign a software configuration to a group View whether work apps are installed on a device...48 Installing apps in the work space Managing groups and user accounts...53 Creating and managing groups...54 Create a group Change the properties of a group Assign an account to a group...55 Remove an account from a group Assign an IT policy to a group...56 Assign a profile to a group...56 Synchronizing groups with Microsoft Active Directory...56 Creating and managing user accounts...58 Add a user account View a user account Assign an IT policy to a user account...60 Assign a profile to a user account...60 Edit user account information...60 Change the device activation password for a user Activating and managing devices Activating devices Configure the default settings to activate a device Update the template for the activation message Send an activation message Activate an ios device Activate an Android device... 67

7 Setting an activation password using BES10 Self-Service Managing devices Using IT administration commands to manage devices Users with multiple devices Jailbroken or rooted status Disable new device activations Change the device ownership setting...71 View and save a device report...71 View device communication logs Deactivating devices Maintaining and monitoring Check the status of the BlackBerry Secure Connect Service...74 Logging...74 Log files Audit logs IT policy rules s of IT policy rules Browser policy group...78 Camera and video policy group...80 Certificates policy group Cloud service policy group...83 Connectivity policy group...85 Content policy group Diagnostics and usage policy group Encryption policy group Lock screen policy group Messaging policy group Online store policy group Password policy group...98 Phone and messaging policy group Profiles and certificates policy group Security policy group Social policy group Storage and backup policy group Voice assistant policy group s of work space IT policy rules Allow sequential and repeated character passwords rule Require letters rule Require lowercase letters rule Require numbers rule...116

8 Require special characters rule Require uppercase letters rule Restrict password length rule Minimum length for the work space password rule Maximum length for the work space password rule Maximum password history rule Lock work space when device locks rule Lock device after inactivity in work space rule Lock work space after inactivity rule Track incorrect password attempts rule Action after maximum incorrect password attempts rule Enable plugins in secure browser rule Deactivate device after period of inactivity rule Work Connect contacts rule Allow apps in the personal space to access files in the work space rule Notification level rule Allow S/MIME rule Product documentation Provide feedback Glossary Legal notice...135

9 Introduction Chapter 1 Introduction Topics: About this guide What is BlackBerry Enterprise Service 10? About the Universal Service About BES10 Self-Service

10 Introduction About this guide The Universal Service allows you to manage ios devices and Android devices in your organization's environment. This guide provides instructions on how to manage user accounts and devices after the Universal Service is installed and configured. This guide is intended for IT professionals who are responsible for activating devices and managing user accounts. Before you can use the tasks in this guide, you need to complete the tasks to configure the Universal Service. You can find instructions on configuring the Universal Service in the BlackBerry Enterprise Service 10 Configuration Guide. What is BlackBerry Enterprise Service 10? BlackBerry Enterprise Service 10 helps you manage mobile devices for your organization. You can manage BlackBerry devices and BlackBerry PlayBook tablets, as well as ios and Android devices, all from a unified interface. BlackBerry Enterprise Service 10 is designed to help protect business information, keep mobile workers connected with the information they need, and provide administrators with efficient tools that help keep business moving forward. BlackBerry Enterprise Service 10 includes the following components: Component BlackBerry Service Universal Service Provides advanced administration for BlackBerry 10 devices and BlackBerry PlayBook tablets Provides advanced administration for ios and Android devices BlackBerry Management Studio Provides a unified interface to administer common tasks for BlackBerry 10 devices, BlackBerry PlayBook tablets, BlackBerry 7.1 and earlier devices, ios devices, and Android devices BES10 Self-Service Provides a console to users so that they can perform some self-service tasks. For example, users can create activation passwords, remotely change the password on their device, or delete data from the device. Key features of BlackBerry Enterprise Service 10 The table below describes some of the key features for BlackBerry Enterprise Service

11 Introduction Feature Management of most types of devices Single, unified interface Trusted and secure experience Balance of work and personal needs BlackBerry Enterprise Service 10 supports all types of BlackBerry devices and tablets, as well as ios devices and Android devices. BlackBerry Management Studio is a single, web-based interface where you can view all devices in one place and access the most common management tasks across multiple domains. These tasks include creating and managing groups, managing device controls, and activating mobile devices. controls give you precise management of how devices connect to your network, what capabilities are enabled, and what apps are available. Whether the devices are owned by your organization or your users, you can protect your organization's information. BlackBerry Balance and Secure Work Space technology are designed to ensure that personal and work information are kept separate and secure on devices. If the device is lost or the employee leaves the organization, you can delete only work-related information or all information from the device. Additional security features are available depending on the device type. About the Universal Service The Universal Service is designed to permit you to manage devices that run ios or Android OS in your organization's environment. If you activate devices using the Universal Service, you can use the Universal Service to: Manage devices using the IT policies and IT administration commands that the devices support Configure profiles for devices so that you can control the connections to your organization's environment Assign activation type profiles to user accounts to control how devices are managed Provision and manage work applications on devices View the device inventory for your organization To provide a single interface for helpdesk administrators to manage all the devices in your organization's environment, you can connect BlackBerry Management Studio to the Universal Service. 11

12 Introduction Using the Universal Service console Feature Drag and drop functionality User list Required fields Available settings Online help When viewing a group or user account, you can quickly apply IT policies, profiles and software configurations using drag and drop functionality. In the user list, each row is a link that you can click to view the properties of the user account. You can sort and reverse sort the information in the user list by clicking any of the column headers. To display user accounts with multiple devices, sort by user. Fields that have a red asterisk (*) beside them are required. You must submit a value in all required fields to complete a task. Default values, which you can customize, are often displayed in the fields. In the Available Settings pane, you can view the number of users that are assigned to an IT policy, profile, or software configuration. The value shown represents the number of unique users that are assigned to a particular policy, profile, or software configuration. The user is not counted twice if they are assigned directly and by group assignment. Click the Help link in the upper-right corner of the screen to access online help. The online help is updated regularly to provide the most recent information. Log in to the Universal Service console Also known as the Administration Console, the Universal Service console allows you to manage the Universal Service and the user accounts associated with it. To open the Administration Console, you can use a browser on any computer that has access to the computer that hosts the Administration Console. When you install BlackBerry Enterprise Service 10, you specify the username and password that you use to log in for the first time. 1. In the browser, type where <server_name> is the FQDN of the computer that hosts the Administration Console. The default port for the Administration Console is port In the Username field, type your username. 3. In the Password field, type your password. 4. Click Log in. 12

13 Introduction About BES10 Self-Service BES10 Self-Service is a web-based application that you can make available to users so that they can perform certain tasks such as creating activation passwords, remotely locking their devices, or deleting data from their devices. Users do not need to install any software on their computers to use BES10 Self-Service. You must provide the BES10 Self-Service web address and login information to users. You can send this information in an message, or edit the activation template to include the information. Provide the following information: Web address. The web address for BES10 Self-Service is where <server_name> is the FQDN of the computer that hosts the console, and 7445 is the default port. You can change the port in the BES10 Configuration Tool. Username and password. Company directory users can log in with their organization usernames and passwords. For local users that have BlackBerry 10 devices, you must create their usernames and passwords in the BlackBerry Service. Local users that have ios or Android devices cannot use BES10 Self-Service. Domain name (for Microsoft Active Directory users) 13

14

15 Setting up administrator accounts Chapter 2 Setting up administrator accounts Topics: Administrative roles and permissions Create an administrator account

16 Setting up administrator accounts Administrative roles and permissions When you create administrator accounts, you assign roles to the accounts so that you can control who can perform tasks in the Universal Service. Each role has a set of associated permissions. Permissions specify the information that you can view and the tasks that you can perform using the Administration Console. Each action that you perform in the Administration Console is associated with a specific permission. Assign the Security role to the administrator account that you use to change other administrator account permissions. Related information Create an administrator account, 18 Administrator permissions Each role contains multiple permissions that are turned on. The roles make sure that administrators who do not have specific administrative permissions cannot escalate their permissions. For example, junior helpdesk administrators cannot escalate their roles to senior helpdesk administrator roles. Permission Security role Enterprise role Senior Helpdesk role Junior Helpdesk role Create a group Delete a group View a group Edit a group Add user to a group Create a user Delete a user View a user Edit a user Assign an administrative role View a device 16

17 Setting up administrator accounts Permission Security role Enterprise role Senior Helpdesk role Junior Helpdesk role Edit a device Specify device ownership Specify an activation password Generate an activation View device activation settings Edit device activation settings Create an IT policy Delete an IT policy View an IT policy Edit an IT policy Assign an IT policy or a profile to a user Create a software configuration View a software configuration Edit a software configuration Delete a software configuration Create an application definition View an application Edit an application Delete an application Assign a software configuration to a user Delete all device data and remove device Delete only the organization data and remove device 17

18 Setting up administrator accounts Create an administrator account Before you begin: If you configured the Universal Service to connect to a company directory, you can add an administrator account directly from your organization's list of users. If you did not configure these settings, you can create local administrator accounts only. 1. In the left pane, beside Administrators, click the + icon. 2. In the Add a user window, perform one of the following tasks: Task Add an administrator account from the company directory. If you have not configured the Universal Service to connect to a company directory, the Directory tab is not shown. Create a local administrator account. Steps 1. On the Directory tab, search for an administrator account. 2. In the Name drop-down list, select the administrator account. 3. If you want to add the administrator account to a group, in the Group membership drop-down list, select a group. 4. To specify if this administrator will use a work or personal device, in the ownership drop-down list, select an option. 5. Verify that the Administrator account check box is selected. 6. In the Administrator role drop-down list, select a role for the administrator. 1. Select the Local tab. 2. Specify the administrator details. 3. If you want to add the administrator account to a group, in the Group membership drop-down list, select a group. 4. To specify if this administrator will be using a corporate or personal device, in the ownership drop-down list, select an option. 5. Verify that the Administrator account check box is selected. 6. Type a password. 7. In the Administrator role drop-down list, select a role for the administrator. 3. To specify device activation settings for the administrator account, in the Activation section, select Enable new device activations. 4. Select one of the following options: Use directory password to allow the administrator to use the company directory password to activate a device. Specify an activation password to specify a password that the administrator must enter to activate a device. 18

19 Setting up administrator accounts 5. To specify when the activation password expires, select a time and date in the Activation expiration (date) and Activation expiration (time) fields. If you do not specify an expiration date and time, the activation password will never expire. 6. To specify a maximum number of activation attempts the administrator is allowed to make before the device is locked, in the Maximum number of activations per device field, type a value. 7. To specify a maximum number of devices the administrator is allowed to have associated with this user account, in the Maximum number of devices to activate field, type a value. 8. To specify the device platforms that are supported, select Permitted devices and select one or more platforms. 9. To specify the device versions that are supported, in the drop-down list, select one or more versions. 10. To send an message that contains the information that the administrator requires to activate the device, select Send activation If you are using custom variables, click the arrow beside Custom Variables and fill in the fields. 12. Do one of the following: To save this administrator account and create another, click Save & New. To save this administrator account, click Save. Related information Administrative roles and permissions, 16 19

20

21 Setting up device controls Chapter 3 Setting up device controls Topics: Creating and assigning profiles Using variables Sending certificates to devices Controlling how devices can connect to your organization's network Routing data for ios devices through a proxy server Enforcing compliance rules Controlling how ios and Android devices are activated and managed Controlling the capabilities of devices Routing data for the work browser through a proxy server Managing app availability on devices

22 Setting up device controls Creating and assigning profiles You can use profiles to define the settings on devices. After you create profiles, you can assign them to a user account or to a group of user accounts. Profile VPN Wi-Fi Microsoft ActiveSync Global HTTP proxy CA certificate Client certificate User certificate Compliance Activation type Work space HTTP proxy Allows you to specify how devices connect to your organization's VPN Allows you to specify how devices connect to your organization's Wi-Fi network Allows you to specify how devices connect to your organization's messaging server and synchronize messages and organizer data using Microsoft ActiveSync Allows you to direct all HTTP traffic to and from the personal space on ios devices through a proxy server behind your organization s firewall. Supported for ios devices that run ios 6.0 or later and are supervised using Apple Configurator Allows devices that use certificate-based authentication to trust network or server certificates in your organization's environment Allows you to provide client certificates to users' devices using SCEP or a shared certificate Allows you to assign a client certificate to an individual user account and send the certificate file to the user's devices Allows you to set conditions that require or restrict apps and restrict jailbroken or rooted devices Allows you to specify how a device is managed after a user activates it. The profile applies only to the next device that a user activates, and not to any currently activated devices. Allows you to direct all HTTP traffic for the work browser on supported ios and Android devices through a proxy server behind your organization s firewall Using variables You can use variables and custom variables to replace user account attributes and other attributes in the activation template and in profiles. Note: You cannot use variables in the template for the device compliance notification. 22

23 Setting up device controls The following table lists the variables that are available to use in the Universal Service. Variable %DisplayName% %User Address% %UserName% %ActivationExpirationFinish% %ActivationPassword% %BSCAddress% %SRPID% %BSCAddress%/%SRPID%/ca %EnterpriseAppStoreURL% %SSLCertCommon% %SSLCertSHA% %Custom1%, %Custom2%, %Custom3%, %Custom4%, %Custom5% User's display name User's address User's username Date and time when the activation password expires Activation password that you created for the user Server address of the BlackBerry Secure Connect Service Unique SRP identifier for each BlackBerry Enterprise Service 10 instance Internal web address where users can download the SSL certificate for the Communication Module Internal web address where users with ios devices that are activated with user privacy, can download work apps. Common Name of the SSL certificate for the Communication Module Fingerprint of the SSL certificate for the Communication Module You can use up to five different variables for user attributes that you define. For security reasons, you should not use a custom variable for a password. Related information Update the template for the activation message, 65 Use custom variables Use custom variables to define your own user attributes in addition to the standard user attributes such as display name, contact , and work phone number. You can use custom variables in the same way that you use other variables in the activation template or when you create profiles. Note: For security reasons, you should not use a custom variable for a password. For example, for local users, a user's ActiveSync username might not be the same as their local account username, so you can use a custom variable to represent the ActiveSync username. In this example, Custom variable 1 is defined as the ActiveSync username. 1. Search for a user account. 2. In the search results, click the name of a user account. 3. Click the edit icon. 23

24 Setting up device controls 4. Expand Custom Variables. 5. In the Custom variable 1 field, type the user's ActiveSync username. Click Save. 6. When you create a Microsoft ActiveSync profile, type %Custom1% in the username field. Sending certificates to devices A certificate is a digital document that binds the identity and public key of a certificate subject. Each certificate has a corresponding private key that is stored separately. A CA signs the certificate to verify that it can be trusted. A device can use certificates to: Authenticate using SSL/TLS when it connects to web pages that use HTTPS Authenticate with a work messaging server Authenticate with a work Wi-Fi network or VPN Encrypt and sign messages using S/MIME protection Many certificates that are used for different purposes can be stored on a device. You can use certificate profiles to send client certificates and CA certificates to devices. Setting up encrypted using S/MIME You can extend security for ios and Android device users by permitting users to send and receive S/MIME-protected messages. You cannot force users to use S/MIME. There are two types of S/MIME protection available: S/MIME for the native ios app. You enable this type of S/MIME in a Microsoft ActiveSync profile. S/MIME for the ios and Android apps in the work space. You enable this type of S/MIME in a work space IT policy. To use either type of S/MIME, a user must enable S/MIME on the device and specify whether to encrypt, sign, or encrypt and sign s. Users must store their private keys and a certificate for each recipient that they want to send an encrypted message to on their devices. Users can store a key and certificates by importing the files from an message. Create a CA certificate profile You can use CA certificate profiles to distribute CA certificates to devices if the devices use certificate-based authentication to connect to a network or server in your organization s environment. When a device has the certificate for the CA that signed a server certificate, the device recognizes and trusts the server certificate. The CA certificate has a.cer,.crt, or.der file name extension. 24

25 Setting up device controls Note: You cannot send CA certificates to devices that are activated with the "Work and Personal - User Privacy" activation type. 1. On the menu bar, click Library. 2. In the CA certificate pane, click the + icon. 3. In the Certificate name field, type a name for the CA certificate profile. Each CA certificate profile must have a unique name. Some names (for example, ca_1) are reserved by default. 4. In the Certificate description field, type a description for the CA certificate profile. 5. In the Certificate file field, click Browse to specify the location of the certificate file. 6. Click Save. Related information Assign a profile to a group, 56 Assign a profile to a user account, 60 Create a client certificate profile for SCEP You can use a client certificate profile for SCEP to specify how devices obtain certificates from your organization's CA. SCEP is a protocol that is used to automate the submission of certificate requests to a SCEP service and issue client certificates to supported devices. s use the certificates to authenticate with your organization's servers. Android devices do not support SCEP. Before you begin: If you want the Universal Service to use a dynamic password obtained from an external SCEP service, configure the external SCEP settings. For instructions, see Configure the external SCEP settings. 1. On the menu bar, click Library. 2. In the Shared certificate pane, click the + icon. 3. In the Certificate name field, type a name for the profile. 4. In the Certificate description field, type a description for the profile. 5. In the Certificate source drop-down list, click SCEP. 6. If the certificates need a subject alternative name, perform the following actions: a. In the Alternative subject name type drop-down list, click the appropriate type. b. In the Alternative representation of the certificate subject field, type the subject alternative name. The value must be an address, the DNS name of the CA server, or the fully qualified URL of the server. c. In the NT principal name for certificate generation field, type the user principal name. 7. If your CA uses HTTP instead of HTTPS, in the Fingerprint for enrolling a SCEP certificate field, paste the CA certificate fingerprint. s use the fingerprint to confirm the identity of the CA during the enrollment process. 25

26 Setting up device controls 8. If you want to permit users to use the certificate for digital signatures, select the Use the generated certificate for digital signatures check box. 9. If you want to permit users to use the certificate for encryption, select the Use the generated certificate for key encipherment check box. 10. In the Key size for certificate generation field, type the key size. The default value is If necessary for your organization's SCEP configuration, in the Subject field, type CN=<common_name>,O=<domain_name>. 12. If you want to permit devices to retry the server connection if the first attempt fails, perform the following actions: a. Select the Retry SCEP connection check box. b. In the Number of times SCEP connection should be retried field, type the type the number of times that devices can try to connect. c. In the Time in seconds before the SCEP connection should be retried field, type number of seconds that devices should wait between each attempt. 13. If you want to proxy SCEP requests from devices through the Universal Service, select the Proxy SCEP requests through the Universal Service check box. 14. In the SCEP server configuration type drop-down list, perform one of the following actions: If you want the system to use the external SCEP settings that you configured, click External. If you want to specify the SCEP settings, click Defined. 15. If you selected Defined in step 14, perform the following actions: a. In the CA-IDENT attribute of the SCEP configuration field, type the name of the CA. b. In the Pre-shared secret type to use in certificate generation drop-down list, click None or Plain text. If you select Plain text, type the pre-shared secret. c. In the Base URL of the SCEP server field, type the URL of the SCEP server. 16. Click Save. Related information Assign a profile to a group, 56 Assign a profile to a user account, 60 Configure the external SCEP settings You can configure external SCEP settings that allow the Universal Service to request a dynamic password from the SCEP service. The Universal Service injects the password into the client certificate profile for SCEP when it sends the profile to devices. The default service type for the external SCEP is MSCA-NDES. 1. On the menu bar, click Settings. 2. In the External Integration pane, click External SCEP. 26

27 Setting up device controls 3. Select the Enable SCEP check box. 4. In the Authentication type drop-down list, click the appropriate authentication type. 5. If you selected NTLM authentication, in the Domain of the credentials for the external SCEP service field, type the domain of the external SCEP service. 6. In the Username field, type the user name for the external SCEP service. 7. In the Password field, type the password for the external SCEP service. 8. In the URL for generating the challenge secret key of the directory field, type the URL. 9. In the CA-IDENT attribute field, type the CA-IDENT attribute of the external SCEP service. 10. In the URL for enrollment requests of the directory field, type the URL. 11. Click Save. Create a client certificate profile for a shared certificate You can use a client certificate profile for a shared certificate to send the same client certificate to multiple devices. The devices present the client certificate for authentication to a network or server in your organization's environment. You might want to use this profile to distribute certificates when your environment or users' devices do not support SCEP. The client certificate has a.pfx file extension. 1. On the menu bar, click Library. 2. In the Shared certificate pane, click the + icon. 3. In the Certificate name field, type a name for the profile. Each client certificate profile for a shared certificate must have a unique name. Some names (for example, ca_1) are reserved by default. 4. In the Certificate description field, type a description for the profile. 5. In the Certificate source drop-down list, click File. 6. In the Certificate file field, click Browse to specify the location of the certificate file. 7. In the Password field, type a password for the profile. 8. Click Save. Related information Assign a profile to a group, 56 Assign a profile to a user account, 60 27

28 Setting up device controls Create a user certificate profile and assign it to a user account You can use a user certificate profile to assign a client certificate to an individual user account and send the certificate to the user's devices. The devices present the client certificate for authentication to a network or server in your organization's environment. You might want to use user certificate profiles to distribute certificates when your environment or devices do not support SCEP. The client certificate has a.pfx file extension. User certificate profiles are only available for individual user accounts and are not available in the Profiles pane. 1. Search for a user account. 2. In the search results, click the name of a user account. 3. In the IT policies and profiles section, click the + icon. 4. Click User certificate. 5. In the Certificate name field, type a name for the user certificate profile. 6. In the Certificate description field, type a description for the user certificate profile. 7. In the Password field, type a password for the user certificate profile. 8. In the Certificate file field, click Browse to specify the location of the certificate file. 9. Click Apply. Controlling how devices can connect to your organization's network You can specify how users' devices can connect to your organization's network and messaging servers. Create a Microsoft ActiveSync profile You can use Microsoft ActiveSync profiles to specify how devices connect to your organization's messaging server and synchronize messages and organizer data using Microsoft ActiveSync. You can also specify whether users can use S/ MIME to encrypt or sign messages in the native ios app. You cannot force users to use S/MIME. Before you begin: 28

29 Setting up device controls If you use certificate-based authentication, create a CA certificate profile and a client certificate profile, or user certificate profile, and assign them to users. Certificate-based authentication is for ios devices only. For more information, see Sending certificates to devices. For Android devices that do not have a work space, users must install TouchDown on their devices or use a Motorola device that supports the Enterprise Management API. If you want to use Notes Traveler, devices must have a work space. 1. On the menu bar, click Library. 2. In the Microsoft ActiveSync pane, click the + icon. 3. In the Profile name field, type the profile name. 4. In the Profile description field, type a description for the profile. 5. In the Credentials drop-down list, perform one of the following actions: If you want to use basic authentication (for example, a username and password), click None. If you want to use a certificate profile for authentication (ios devices only), click Certificate. In the Credential name or description field, type a description. 6. If you selected Certificate in step 5, perform the following actions: In the Certificate identifier drop-down list, click the certificate profile that you want to use. If you want to prompt users for a password when their devices try to authenticate with the server or network, select the Prompt the user for a password check box. 7. In the Domain field, type the user domain name. 8. In the address field, perform one of the following actions: If the profile is for one user, type the address of the user. If the profile is for multiple users, type %User Address%. 9. In the Host name or IP address field, type the host name or IP address of the Microsoft ActiveSync server. 10. In the Username field, perform one of the following actions: If the profile is for one user, type the username. If the profile is for multiple users, type %UserName%. If the profile is for multiple users in a Notes Traveler environment, type %DisplayName%. 11. If you want to permit users to encrypt or sign messages in the native ios app, select the Use S/MIME check box. Perform any of the following actions: In the Encryption certificate identifier drop-down list, click the client certificate profile that users can use to encrypt messages. In the Signing certificate identifier drop-down list, click the client certificate profile that users can use to sign messages. 12. If you want to control how devices manage messages, select the Disable moving or sending messages and limit sync time check box. Perform any of the following actions: 29

30 Setting up device controls To prevent moving messages from this account to another existing account on the device, select the Disable moving messages to another account check box. To prevent third-party applications on the device from using this account to send messages, select the Disable sending messages from this account in third-party applications check box. To specify how long to keep existing messages for this account on the device, select the Limit time to sync messages check box. Specify the synchronization period. 13. If you do not want devices to synchronize new recipients to the device address book, select the Disable synchronizing new recipients to device address book check box. 14. If the Microsoft ActiveSync server requires SSL authentication, select the Use SSL check box. If you want to permit work space apps to accept any server certificate when connecting to the Microsoft ActiveSync server (including the default ActiveSync self-signed certificate), select the Accept all SSL certificates check box. 15. Click Add. Related information Assign a profile to a group, 56 Assign a profile to a user account, 60 Create a Wi-Fi profile Before you begin: If you use certificate-based authentication, create a CA certificate profile and a client certificate profile, or user certificate profile, and assign them to users. For more information, see Sending certificates to devices. 1. On the menu bar, click Library. 2. In the Wi-Fi pane, click the + icon. 3. In the Profile name field, type the profile name. 4. In the Profile description field, type a description for the profile. 5. If required, in the BSSID field, type the BSSID of the Wi-Fi network. 6. If you do not want to broadcast the SSID for the Wi-Fi network, select the Hidden network check box. 7. In the SSID field, type the network name of the Wi-Fi network. 8. If you want ios device users to be able to connect to the Wi-Fi network automatically, verify that the Automatically join the network check box is selected. 9. In the Network configuration drop-down list, select the appropriate network configuration. 10. In the Proxy type drop-down list, perform one of the following actions: Task Do not select a proxy server. Steps Select None. 30

31 Setting up device controls Task Automatically select an available proxy server. Steps Select Automatic and type the URL used to retrieve proxy settings. Specify a proxy server. 1. Select Manual. 2. In the Host name or IP address for the proxy server field, type the host name or IP address. 3. In the Port number for the proxy server field, type the port number. 4. In the Username for the proxy server field, type the login name. 5. In the Password for the proxy server field, type the password. 11. In the Security type drop-down list, perform one of the following actions: Task Do not select a security type. Specify the Wi-Fi settings for a Personal security type. Specify the Wi-Fi settings for an Enterprise security type. Steps Select None. 1. Select Personal. 2. In the Password field, type the password. 3. In the Security type of the personal Wi-Fi profile drop-down list, click the appropriate security type. 1. Select Enterprise. 2. In the Security type of the enterprise Wi-Fi profile drop-down list, click the appropriate security type. 3. On the Protocols tab, select the protocols that apply to the Wi-Fi network. 4. On the Authentication tab, perform any of the following actions as required: a b c d In the Identification for TTLS, PEAP and EAP-FAST field, type the appropriate identifier. If the Wi-Fi network requires a password, and you don't want users to have to type the password, select the Password provided by the Wi-Fi configuration check box. In the Wi-Fi connection password field, type the password. If the Wi-Fi network requires that users provide a username, and you don't want users to have to type their username, in the Username field, type %UserName%. In the Authentication type for enterprise Wi-Fi configuration drop-down list, click the appropriate authentication type. If you select Certificate, in the Certificate identifier drop-down list, click the certificate profile that you want to use. 31

32 Setting up device controls Task Steps 5. On the Trust tab, perform the following actions as required: a b c Click the + icon next to Trusted certificate identifiers expected for authentication. In the drop-down list, click a certificate identifier. To specify an expected certificate common name, click the + icon next to Certificate common names expected from the authentication server and type the common name. If you want to permit ios device users to allow exceptions to trust rules, select the Trust user decisions check box. 12. Click Save. Related information Assign a profile to a group, 56 Assign a profile to a user account, 60 Create a VPN profile Android devices do not support VPN profiles. Note: To allow affected third-party devices to store the XAuth password, you can modify the group-policy attributes of the VPN profile in your Cisco VPN system to include the password-storage enable option. For more information, visit to read KB Before you begin: If you use certificate-based authentication, create a CA certificate profile and a client certificate profile, or user certificate profile, and assign them to users. For more information, see Sending certificates to devices. 1. On the menu bar, click Library. 2. In the VPN pane, click the + icon. 3. In the Profile name field, type the profile name. 4. In the of the VPN profile field, type a description for the profile. 5. In the VPN profile type drop-down list, click the appropriate profile type. 6. In the Authentication drop-down list, click the appropriate authentication type. The available authentication types depend on the profile type that you selected. 7. Specify the VPN settings for your organization and select the appropriate options. The required settings and available options depend on the profile type and authentication type that you selected. 8. In the Hostname or IP address of VPN server field, type the host name or IP address of the VPN gateway. 32

33 Setting up device controls 9. If the VPN gateway requires that users provide a username, and you don't want users to have to type their username, in the Username for authenticating the connection field, type %UserName%. 10. In the Proxy type drop-down list, perform one of the following actions: Task Do not select a proxy server. Automatically select an available proxy server. Steps Select None. Select Automatic and type the URL used to retrieve proxy settings. Specify a proxy server. 1. Select Manual. 2. In the Host name or IP address for the proxy server field, type the host name or IP address. 3. In the Port number for the proxy server field, type the port number. 4. In the Username for the proxy server field, type the login name. 5. In the Password for the proxy server field, type the password. 11. Click Save. Related information Assign a profile to a group, 56 Assign a profile to a user account, 60 Routing data for ios devices through a proxy server For ios devices that run ios 6.0 or later that are supervised using Apple Configurator, you can direct all HTTP traffic to and from the personal space on devices through a proxy server behind your organization s firewall. To route data from the personal space through a proxy server, you must create and assign a global HTTP proxy profile to user accounts or groups. Global HTTP proxy profiles support proxy servers that use Basic Authentication, Integrated Authentication, or no authentication. Create a global HTTP proxy profile for ios devices 1. On the menu bar, click Library. 2. In the left pane, click the + icon next to Global HTTP Proxy. 33

34 Setting up device controls 3. Type a name and a description for the proxy profile. 4. In the Proxy type drop-down list, perform one of the following actions: If you want to select the proxy server automatically using a PAC file, click Automatic. In the PAC URL field, type the URL for the PAC file. If you want to specify the proxy server, click Manual. Specify the FQDN or IP address of the proxy server, the port number, and the username and password of the administrator account that you want to use to authenticate with the proxy server. 5. Click Save. After you finish: Assign the global HTTP proxy profile to user accounts or groups. Related information Assign a profile to a group, 56 Assign a profile to a user account, 60 Enforcing compliance rules You can use compliance profiles to encourage ios and Android device users to follow your organization s standards for the use of mobile devices. A compliance profile specifies the device conditions that are not acceptable in your organization. For example, you can choose to disallow jailbroken or rooted devices. A compliance profile specifies the following information: Conditions that would make a device non-compliant with BlackBerry Enterprise Service 10. You can specify any of the following conditions: is jailbroken or rooted Non-assigned application is installed Optional application is not updated Required application is not installed Required application is not updated Notifications that users receive if they violate the compliance conditions and the amount of time that users have to correct the issue Action that is taken if the user does not correct the issue, including limiting a user s access to your organization s resources, deleting work data from the device, or deleting all data from the device 34

35 Setting up device controls Assigning and reconciling compliance profiles Each user account can only be assigned one compliance profile. If you try to assign more than one compliance profile to a user account, BlackBerry Enterprise Service 10 resolves the conflict and assigns the appropriate compliance profile using the following rules: A compliance profile assigned directly to a user account takes precedence over a compliance profile assigned to a group, and over the default compliance profile A compliance profile assigned to a group takes precedence over the default compliance profile The default compliance profile is assigned to a user account only if the user is not assigned a compliance profile directly or through group membership Change the default compliance profile The default compliance profile is assigned to user accounts only if the user is not assigned a compliance profile directly or through group membership. You can change the settings of the default compliance profile but you cannot delete it. 1. On the menu bar, click Library. 2. In the left pane, click Compliance > Default. 3. Type a description for the default compliance profile. 4. Select the check box next to the settings that you want to configure. Do any of the following: If you want jailbroken or rooted devices to be considered non-compliant, select Jailbroken or rooted device. If you want devices with applications that you did not install to be considered non-compliant, select Non-assigned application is installed. Non-assigned applications do not include core applications that are installed with the device operating system. If you want devices that have not installed the latest update for optional applications to be considered noncompliant, select Optional application is not updated. If you want devices that do not have a required application to be considered non-compliant, select Required application is not installed. If you want devices that have not installed the latest update for required applications to be considered noncompliant, select Required application is not updated. 5. In the Enforcement action drop-down list, for each setting that you selected in step 4, configure the Universal Service to perform one of the following tasks when user accounts do not meet your organization's requirements: Task Automatically send an message, a device notification Steps 1. Select Prompt for compliance. 35

36 Setting up device controls Task message, or both that advises users of a compliance issue and of the consequences. Steps 2. In the Prompt method drop-down list, select the type of message that you want the Universal Service to send. The message body comes from the compliance notification template, which you can update. Do one of the following: To send an message, select . To send a device notification message, select Notification. Users can view the notification on the device. To send an message and a device notification message, select Both. 3. In the Prompt count field, specify the number of times an message or a device notification message should be sent before the required action is enforced. 4. In the Prompt interval fields, specify the time between prompts. 5. In the Prompt interval expired action drop-down list, select the action that you want the Universal Service to take when the prompt period expires. For example, if the prompt count is three and the prompt interval is 10 minutes, the prompt period expires after 30 minutes. Do one of the following: If you do not want to choose any options, select None. To block users from accessing your organization's resources and applications from their device, select Untrust. Data and applications are not deleted from the device. To delete your organization's data from the device, select Delete only work data (unmanage). To delete all data from the device, select Delete all data (full control device) or unmanage (user privacy device). Block users from accessing work resources and applications from their device. Delete work data from the device and remove the device from the user account. For devices that are activated with MDM controls or Work and personal - full control, delete all data from the devices and return the device to factory settings. Select Untrust. Data and applications are not deleted from the device. Select Delete only work data (unmanage). Select Delete all data (full control device) or unmanage (user privacy device). 36

37 Setting up device controls Task Steps For devices that are activated with Work and personal - user privacy, delete work data and remove the device from the user account. 6. Click Save. Create a compliance profile 1. On the menu bar, click Library. 2. In the Compliance pane, click the + icon. 3. Type a name and description for the compliance profile. 4. Select the check box next to the settings that you want to configure. Do any of the following: If you want jailbroken or rooted devices to be considered non-compliant, select Jailbroken or rooted device. If you want devices with applications that you did not install to be considered non-compliant, select Non-assigned application is installed. Non-assigned applications do not include core applications that are installed with the device operating system. If you want devices that have not installed the latest update for optional applications to be considered noncompliant, select Optional application is not updated. If you want devices that do not have a required application to be considered non-compliant, select Required application is not installed. If you want devices that have not installed the latest update for required applications to be considered noncompliant, select Required application is not updated. 5. In the Enforcement action drop-down list, for each setting that you selected in step 4, configure the Universal Service to perform one of the following tasks when user accounts do not meet your organization's requirements: Task Automatically send an message, a device notification message, or both that advises users of a compliance issue and of the consequences. Steps 1. Select Prompt for compliance. 2. In the Prompt method drop-down list, select the type of message that you want the Universal Service to send. The message body comes from the compliance notification template, which you can update. Do one of the following: To send an message, select . To send a device notification message, select Notification. Users can view the notification on the device. 37

38 Setting up device controls Task Steps To send an message and a device notification message, select Both. 3. In the Prompt count field, specify the number of times an message or a device notification message should be sent before the required action is enforced. 4. In the Prompt interval fields, specify the time between prompts. 5. In the Prompt interval expired action drop-down list, select the action that you want the Universal Service to take when the prompt period expires. For example, if the prompt count is three and the prompt interval is 10 minutes, the prompt period expires after 30 minutes. Do one of the following: If you do not want to choose any options, select None. To block users from accessing your organization's resources and applications from their device, select Untrust. Data and applications are not deleted from the device. To delete your organization's data from the device, select Delete only work data (unmanage). To delete all data from the device, select Delete all data (full control device) or unmanage (user privacy device). Block users from accessing work resources and applications from their device. Delete work data from the device and remove the device from the user account. For devices that are activated with MDM controls or Work and personal - full control, delete all data from the devices and return the device to factory settings. For devices that are activated with Work and personal - user privacy, delete work data and remove the device from the user account. 1. Select Untrust. Data and applications are not deleted from the device. 1. Select Delete only work data (unmanage). 1. Select Delete all data (full control device) or unmanage (user privacy device). 6. Click Save. Related information 38

39 Setting up device controls Assign a profile to a group, 56 Assign a profile to a user account, 60 Update the template for the device compliance notification You can use the Universal Service to automatically send an message, a device notification message, or both, to users when they do not comply with your organization s requirements. In the body of the message, you can tell users what the compliance issue is and the consequences if they do not correct it. You can also include information about how to return devices to compliance, and what actions users might need complete if an enforcement action is applied to their devices. Before you begin: Create a compliance profile to configure device compliance settings. 1. On the menu bar, click Settings > Compliance Notification. 2. In the From address field, type the address that you want to send the message from. You might want to use an address that does not accept replies. If your organization's messaging server is Microsoft Exchange Server and you selected Credentials as the authentication type in the SMTP server settings, if the address that you specify in the From address field does not match the account in the SMTP server settings, verify that the address has the Send As permission in Microsoft Exchange. 3. In the subject field, update the default text if necessary. 4. In the message field, update the default text if necessary. 5. In the notification message field, update the default text if necessary. 6. Click Save. Returning devices to compliance To return devices to compliance, users must correct the condition that made the device non-compliant. If the condition is corrected before any enforcement action is taken, devices are automatically returned to compliance. If an enforcement action is taken, the user might have to reactivate the device. The following table describes the actions required by users to return their device to compliance. Enforcement action Prompt for compliance Untrust Delete only work data (unmanage) Action required by the user Correct the compliance condition. Correct the compliance condition. The untrusted state is automatically removed when the condition is corrected. Correct the compliance condition and reactivate the device. 39

40 Setting up device controls Enforcement action Delete all data (full control device) or unmanage (user privacy device) Action required by the user Correct the compliance condition and reactivate the device. Controlling how ios and Android devices are activated and managed The Activation Type profile determines how devices are activated, whether devices have a separate work space installed, and how you can manage the data on the device. The assigned profile applies only to the next device that a user activates, and not to devices that are already activated. There are three ways to activate devices: Activation type MDM controls Work and personal - full control Work and personal - user privacy Provides basic device management using device controls made available by ios and Android. There is no separate work space installed on the device, and no added security for work data. You can control the device using IT administration commands and IT policies. During activation, users must install a mobile device management profile for ios devices, and permit Administrator permissions for Android devices. A Silver license or Gold - Secure Work Space license is required for this activation type. Provides full control of devices. When a device is activated, a separate work space is created on the device and the user must create a password to access the work space. Work data is protected using encryption and by requiring authentication for connections to the work space. You can control the work space, and some other aspects of the device using IT policies and commands. During activation, users must install a mobile device management profile for ios devices, and permit Administrator permissions for Android devices. A Gold - Secure Work Space license is required for this activation type. Provides control of work data on devices, while ensuring privacy for personal data. When a device is activated, a separate work space is created on the device and the user must create a password to access the work space. Work data is protected using encryption and by requiring authentication for connections to the work space. You can control the work space on the device using IT administration commands and IT policies, but you cannot control any aspects of the personal space on the device. Users are not required to install a mobile device management profile for ios devices, or permit Administrator permissions for Android devices. 40

41 Setting up device controls Activation type For ios devices, you cannot send notifications to install internal work apps, and you cannot view the status of work apps in the Administration Console. Users with ios devices must download internal work space apps from an internal website (workspace://apps). A Gold - Secure Work Space license is required for this activation type. Change the default activation type The default activation type profile is assigned to user accounts only if the user is not assigned a profile directly or through group membership. You can change the default activation type, but you cannot delete the default profile. 1. On the menu bar, click Library. 2. In the left pane, click Activation type > Default. 3. Type a description for the default activation type profile. 4. In the Activation type drop-down list, select the activation type that you want to be the default. 5. Click Save. Create an activation type profile If you want to assign different activation types to different users, you can create activation type profiles, in addition to the default profile. 1. On the menu bar, click Library. 2. In the Activation type pane, click the + icon. 3. Type a name and description for the profile. 4. In the Activation type drop-down list, select the activation type to be associated with the profile. 5. Click Save. What is the BES12 Client? The BES12 Client is an app that allows BlackBerry Enterprise Service 10 to communicate with ios and Android devices. If users want to activate ios or Android devices on BlackBerry Enterprise Service 10, they must install the BES12 Client on their devices. Users can download the latest version of the BES12 Client from the App Store for ios devices, or from Google Play for Android devices. After users activate their devices, the BES12 Client allows users to do the following: 41

42 Setting up device controls Verify whether their devices are compliant with the organization's standards View the profiles that have been assigned to their user accounts View the IT policy rules that have been assigned to their user accounts Deactivate their devices Managing devices that have a work space Having a work space on devices helps to keep work information separate and secure, and allows you to manage the work data on devices. Data that any of the apps in the work space use is saved securely and cannot be accessed outside of the work space. For more information about work space security, visit docs.blackberry.com/bes10 to see the Secure Work Space for ios and Android Security Note. If you assign the "Work and personal - full control", or "Work and personal - user privacy" activation type to user accounts, during activation a work space is installed on the devices and users are prompted to create work space passwords. To complete the work space setup, users must download the following apps on their devices: type Apps ios Work Connect - for , calendar, contacts, notes, and tasks Work Browser - for browsing Documents To Go - for securely viewing and editing work documents Android Work Space Manager - required to run the other work space apps on the device Secure Work Space - for , calendar, contacts, and browsing Documents To Go - for securely viewing and editing work documents The work space allows you to take advantage of the following features: Convert your organization's internal apps into work space apps that can be installed and run in the work space, or obtain work space apps from the App Store or Google Play. Use software configurations to install and manage work space apps. For more information, see Installing apps in the work space. Control specific behaviors of the work space on devices, such as password requirements and connection preferences, by applying a work space IT policy to user accounts. A default work space IT policy is automatically applied to devices with a work space. Use IT administration commands to reset the work space password or delete the work space on devices. For information about the requirements to enable the work space, visit to read the BlackBerry Enterprise Service 10 Configuration Guide. 42

43 Setting up device controls Upgrading work space apps To support new features and additional operating systems, BlackBerry posts new versions of the work space apps in the App Store and Google Play. Notify users that they should upgrade the work space apps when prompted. If users upgrade their device operating system and do not upgrade to the latest version of the work space apps, the work space may not function as expected. For more information about the supported device operating systems, visit docs.blackberry.com/bes10 to see the BlackBerry Enterprise Service 10 Compatibility Matrix. Controlling the capabilities of devices IT policies and work space IT policies control and manage the devices in your organization's environment. An IT policy consists of multiple IT policy rules that manage the security and behavior of devices. IT policies control the behavior of devices. Work space IT policies control the behavior of the work space on devices. You can create several IT policies and work space IT policies, but you can apply only one IT policy and one work space IT policy to each user account. After a user activates a device, the Universal Service automatically sends the applied IT policy to the device. If the user's device has a work space, the Universal Service also sends the applied work space IT policy to the device. If you do not apply an IT policy or a work space IT policy to a user account or to a group that the user belongs to, the Universal Service sends the default IT policy or the default work space IT policy to the device. You can view and edit IT policies and work space IT policies in the Universal Service console. The default IT policy and the default work space IT policy include the default settings for each IT policy rule. You can edit the default IT policy and the default work space IT policy, but you cannot delete them. Create an IT policy 1. On the menu bar, click Library. 2. In the IT Policies pane, click the + icon. 3. Type a name and description for the IT policy. 4. Configure the appropriate values for the IT policy rules. 5. Click Save. Related information s of IT policy rules, 78 43

44 Setting up device controls Create a work space IT policy 1. On the menu bar, click Library. 2. In the Work Space IT Policy pane, click the + icon. 3. Type a name and description for the work space IT policy. 4. Configure the appropriate values for the work space IT policy rules. 5. Click Save. Related information s of work space IT policy rules, 114 Routing data for the work browser through a proxy server You can choose to direct all HTTP traffic for the work browser on supported ios and Android devices through a proxy server behind your organization s firewall. To route work browser data through a proxy server, you must create and assign a proxy profile for Secure Work Space to user accounts or groups. Proxy profiles for Secure Work Space support proxy servers that use Basic Authentication, Integrated Authentication, or no authentication. Proxy profiles for Secure Work Space are supported for: Any version of ios 5.0 or later that supports Secure Work Space Any version of Android 2.3 or later that supports Secure Work Space For more information about OS compatibility, visit docs.blackberry.com/bes10 to read the BlackBerry Enterprise Service 10 Compatibility Matrix. You can select the proxy server automatically using a PAC file, or you can specify the proxy server manually. Create a proxy profile for Secure Work Space 1. On the menu bar, click Library. 2. In the left pane, click the + icon next to Work Space HTTP Proxy. 3. Type a name and a description for the proxy profile. 4. Perform one of the following actions: 44

45 Setting up device controls If you want to select the proxy server automatically using a PAC file, select the Automatic check box. In the PAC URL field, type the URL for the PAC file. If you want to specify the proxy server, select the Manual check box. Specify the FQDN or IP address of the proxy server and the port number (default 8080). Type the username and password of the administrator account that you want to use to authenticate with the proxy server. For the username, use the format <domain>\<username>. 5. Click Save. Optionally, type <domain>\%username% in the username field to have users authenticate with the proxy server using their company directory passwords. After you finish: Assign the proxy profile for the Secure Work Space to user accounts or groups. Related information Assign a profile to a group, 56 Assign a profile to a user account, 60 45

46 Setting up device controls Managing app availability on devices You can manage apps on devices by creating a software configuration that includes one or more application definitions, and then assigning the software configuration to a user account or group. If you want to update the version of an app in an application definition that is assigned to a user account or group, you can replace the app in the application definition with the updated version. Do not create a new application definition with the updated app version and assign it to the same user account or group. Create an application definition Create an application definition for each app that you want to install on devices. You can include many application sources for an app, with a maximum of two application sources for each platform version; one for the regular app and one for the secure version of the app. For example, you can include one application source for the regular version of an app for ios 4.0, and one application source for the secure version of an app for ios 4.0. Before you begin: If you want to add a paid app to an application definition for ios 5 and later devices, you should use the manual installation method. You should not select the Prompt once installation method, the option to remove the app when the device is removed from management in the Universal Service, or the option to disable backup to the icloud online service or itunes Store. If you select any of these options, the app is treated as a work app and is subject to actions that you perform as administrator. For example, if you remove work data from the device, the app is also removed. To create an application definition for an internal app that you want to install in the work space, you must first secure the app and have the developer re-sign it. For more information, see Installing apps in the work space. If you want to distribute a secured and re-signed work space app from the App Store or Google Play, you can follow this task and then use a software configuration to distribute the work space app to users and groups. For more information, see Installing apps in the work space. Some secured apps that are available in the App Store or Google Play require specific ports to be open on BlackBerry Enterprise Service 10. Contact the app vendor for information. 1. On the menu bar, click Library. 2. In the Application Definitions pane, click the + icon. 3. Type a definition name and definition description. 4. In the Default installation method drop-down list, perform one of the following actions: If you want users to receive one prompt to install the app on their ios 5 and later devices, select Prompt once. If users dismiss the prompt they can install the app later using the Work Apps screen in the BES12 Client or the Work Apps icon on the device. The default installation method is supported for ios 5 and later devices only for 46

47 Setting up device controls application sources that are either.ipa files (apps that are internally hosted by your organization) or free apps in the App Store. If you want users to install the app on the Work Apps screen in the BES12 Client or using the Work Apps icon on the device, select Manual. This is the default installation method and it is supported for ios devices and Android devices for all application sources. 5. If you want to remove the app from ios 5 and later devices when the devices are removed from management in the Universal Service, select the check box for that option. 6. If you want to prevent apps on ios 5 and later devices from being backed up to the icloud online service or itunes Store, select the check box for that option. 7. In the Applications sources section, click the + icon and select Upload binary (for an internal app) or App store app. 8. In the Application name field, type the app name. 9. In the Vendor field, type the name of the app vendor. 10. In the Application version field, type the app version. 11. In the Platform drop-down list, select a platform. 12. In the Application icon field, click Browse. Locate and select an icon for the app. 13. In the Application identifier field, type the identifier. For ios devices, the application identifier can be found by connecting the device to a computer and using the iphone Configuration Utility. For Android devices, the application identifier is part of the URL for the app in Google Play. 14. If you want to install a secured and re-signed app in the work space on devices, select the Secure application check box. 15. In the Application source drop-down list, select one of the following: For public apps, select Application web address and type the web address of the app in the App Store or Google Play. For internally hosted apps or work space apps, select Application file (.apk,.ipa) and type the file name for the app or click Browse and locate the application file..ipa files are supported only for ios 5 and later devices (available from the Work Apps icon on the device). 16. Click Save. Related information Installing apps in the work space, 49 Create a software configuration You can create a software configuration that you can assign to user accounts and groups. A software configuration is a collection of application definitions. 1. On the menu bar, click Library. 2. In the left pane, in the Software Configurations pane, click the + icon. 47

48 Setting up device controls 3. In the Configuration name field, type the name. 4. In the Configuration description field, type a description. 5. Click the + icon to add an application definition to the software configuration. 6. Select an application definition. 7. Click Add. 8. In the Disposition drop-down list, select Required or Optional. 9. Click Save. Assign a software configuration to a user account 1. Search for a user account. 2. In the search results, click the name of a user account. 3. In the Software configurations section, click the + icon. 4. In the drop-down list, select the software configuration that you want to assign to the user account. 5. Click Apply. Assign a software configuration to a group 1. On the menu bar, click Users & s. 2. In the left pane, click the name of a group. 3. On the Settings tab, in the Software configurations section, click the + icon. 4. In the drop-down list, select the software configuration that you want to assign to the group. 5. Click Apply. View whether work apps are installed on a device 1. Search for a user account. 2. In the search results, click the name of a user account. 3. In the Software configurations window, click on a software configuration name to display the list of work apps. Apps that the user did not install are indicated by a red icon. Apps that the user installed but that are not the correct version are indicated by a red and white icon. 48

49 Setting up device controls Installing apps in the work space If you want to install an app developed by your organization in the work space on users devices, you must complete the following steps: 1. Obtain the app binary file (.apk or.ipa) from the developer. 2. Secure the app by uploading the app binary file in the Universal Service administration console. This process repackages the app so that it can be installed in the work space. Download the secured app and give it to the app developer. 3. The app developer re-signs the app, and if necessary, creates an entitlements file. The developer gives you the app for distribution. For more information about re-signing apps, visit developer.blackberry.com/devzone/develop/enterprise/ resign_work_space_app.html. 4. You create an application definition for the secured and re-signed app, then add the application definition to a software configuration. 5. You assign the software configuration to users or groups. This section explains how to secure and re-sign internal apps to convert them into work space apps. Third-party app developers can secure and re-sign their applications and make them available on the App Store or Google Play. To distribute a work space app from the App Store or Google Play, you can create an application definition for the app, add it to a software configuration, and assign the software configuration to users. Apps from the App Store or Google Play that are not designated as work space apps cannot be installed or run in the work space. Only the app vendor can secure and re-sign an app so that it can be installed in the work space. In previous releases, an app only had to be secured and re-signed to be permitted in the work space. In BlackBerry Enterprise Service 10 version and later, secured and re-signed apps can only be installed and run in the work space if you assign them to users with a software configuration. This requirement gives you more control over the apps that are permitted in the work space. For more information about work space apps, visit docs.blackberry.com/bes10 to read the Secure Work Space for ios and Android Security Technical Note. Secure an app You can use the Universal Service administration console to secure an app so that it can be installed in the work space on devices. Before you begin: Obtain the app binary file (.apk or.ipa) from the developer. The size of the app file must be no larger than 50 MB..ipa apps must be developed using ios 7 SDK or later 1. On the menu bar, click Settings. 2. In the left pane, click Work Space. 3. In the Secure Applications window, click the + icon. 49

50 Setting up device controls 4. Browse to the application file (.apk or.ipa) and click Upload. 5. Check the status of the app. The process can take a few minutes to several hours. The status column displays one of the following states: Processing In progress Failed - Retry Securing complete 6. When the status is Securing complete, click Download secure file to download the secured app to your local computer. After you finish: Give the secured app to the developer to re-sign. For more information about re-signing apps, visit developer.blackberry.com/devzone/develop/enterprise/resign_work_space_app.html. After the app is secured and re-signed, create an application definition for the app and include it in a software configuration. Assign the software configuration to users or groups. Related information Create an application definition, 46 Types of apps Work space-enabled devices can run three different types of apps: Type of app Personal app Work app Work space app An app that the user installs on the device, or an app that the manufacturer or wireless service provider installs on the device. BlackBerry Enterprise Service 10 treats these apps, and the data that they store, as personal data. An app that you install and manage on a user's device. BlackBerry Enterprise Service 10 treats these apps, and the data that they store, as work data. A work app that the work space secures with additional protections. BlackBerry Enterprise Service 10 treats these apps, and the data that they store, as work space data. There are three different types of work space apps: Type of app Default work space app Internal work space app A work space app that appears on every work space-enabled device. An app that your organization develops and specifically prepares to run in the work space. 50

51 Setting up device controls Type of app External work space app An app that a third-party develops and the app vendor specifically prepares to run in the work space. 51

52

53 Managing groups and user accounts Chapter 4 Managing groups and user accounts Topics: Creating and managing groups Creating and managing user accounts

54 Managing groups and user accounts Creating and managing groups You can manage multiple user accounts by adding the user accounts to a group and managing the group. A group is a collection of related device users who share commonly configured properties. Administering users as a group is more efficient than administering individual users because properties can be set, applied, or changed simultaneously for all members of the group. You can assign group properties, such as software configurations or IT policies, to a group using the Administration Console. If you remove a user account from a group, the account name remains in the global list of user accounts but it does not appear in the group list. Create a group 1. In the left pane, beside Groups, click the + icon. 2. In the Group name field, type a name for the group. 3. To add an IT policy, certificate, profile, or software configuration to the group, in the IT policies and profiles section, click the + icon. a. Click IT policy, Software configuration, or the type of certificate or profile. b. Select the specific IT policy, certificate, profile, or software configuration in the drop-down list. c. Click Apply. 4. When you are finished specifying the group properties, click Add. Change the properties of a group After you create a group, you can change the properties for the group. When you add user and administrator accounts to a group, the accounts inherit the properties of the group. 1. In the left pane, expand Groups. 2. Click the name of the group you want to change. 3. Click the edit icon. 4. To change the properties of the group, click the Settings tab and do the following: 54

55 Managing groups and user accounts Option Change the IT policies and profiles applied to the group Change the software configurations applied to the group Delete a group property Step 1. In the IT policies and profiles section, click the + icon. 2. Click IT policy or the type of certificate or profile. 3. Select the specific IT policy, certificate, or profile in the drop-down list. 4. Click Apply. 1. In the Software configurations section, click the + icon. 2. Select the software configuration in the drop-down list. 3. Click Apply. Click the delete icon beside the group property you would like to remove from the group. Assign an account to a group A user or administrator account can only be in one group at a time. If you assign an account to a new group, the account is removed from their current group. 1. In the left pane, click All Users. 2. Click the selection box beside the names of the accounts you want to add to a group. 3. Click Assign To Group. 4. In the New group drop-down list, select a group. 5. Click Assign. Remove an account from a group User or administrator accounts that are removed from a group are not deleted. 1. In the left pane, click the name of a group. 2. Click the selection box beside the names of the accounts you want to delete from the group. 3. Click Remove From Group. 4. Click Remove. 55

56 Managing groups and user accounts Assign an IT policy to a group When you assign an IT policy or work space IT policy to a group, it replaces any IT policy or work space IT policy that is currently applied to the group. The IT policy is applied to all members of the group. If a member of the group has a different IT policy assigned to the user account, the IT policy assigned to the user account takes precedence and the group IT policy is not applied to the user account. 1. On the menu bar, click Users & s. 2. In the left pane, click the name of a group. 3. On the Available Settings tab, complete one of the following actions: In the IT policies section, select the IT policy that you want to assign. In the Work Space section, select the work space IT policy that you want to assign. 4. Drag the IT policy or work space IT policy to the group name in the left pane. 5. Click Apply. Related information Controlling the capabilities of devices, 43 Assign a profile to a group Before you begin: Create profiles. 1. On the menu bar, click Users & s. 2. In the left pane, click the name of a group. 3. On the Available Settings tab, in the Profiles section, select the profile that you want to assign. 4. Drag the profile to the group name in the left pane. 5. Click Apply. Synchronizing groups with Microsoft Active Directory You can use the BlackBerry Directory Sync Tool to synchronize the membership of security groups and distribution groups in Microsoft Active Directory with groups in the Universal Service. After you map one-to-one relationships between Microsoft Active Directory groups and Universal Service groups, you can start the synchronization process manually, or you can use a task scheduling application to run the synchronization at a set interval. When you run a synchronization process using the BlackBerry Directory Sync Tool, it compares the Microsoft Active Directory group to the Universal Service group that you mapped it to. If the tool finds any differences in group 56

57 Managing groups and user accounts membership, it assigns user accounts to, or removes user accounts from, the Universal Service group until the membership matches the Microsoft Active Directory group. For more information about the BlackBerry Directory Sync Tool, visit to read the BlackBerry Resource Kit for BlackBerry Enterprise Service 10 documentation. 57

58 Managing groups and user accounts Creating and managing user accounts You can create user accounts and manage user accounts and their associated devices. You can manage user accounts by adding user accounts to a group so that the properties of the group are assigned to the user accounts automatically. A group can contain user accounts that you want to manage collectively. Options that you configure at the user level take priority over options that you configure at the group level. You can also assign an IT policy to a user account to control the actions users can perform using their devices. Add a user account Before you begin: If you configured the Universal Service to connect to a company directory, you can add a user account directly from your organization's list of users. If you did not configure these settings, you can create local user accounts only. Update the template for the activation message that you send to users when you add them to the Universal Service. You can send the activation message to a user when you add the user, or at anytime after you add the user. 1. In the left pane, beside All Users, click the + icon. 2. In the Add a user window, perform one of the following tasks: Task Add a user account from the company directory. If you have not configured the Universal Service to connect to a company directory, the Directory tab is not shown. Steps 1. On the Directory tab, search for a user account. 2. In the Name drop-down list, select the user account. 3. If you want to add the user account to a group, in the Group membership drop-down list, select a group. 4. To specify whether the user will use a work or personal device, in the ownership drop-down list, select an option. 5. Verify that the Administrator account check box is clear. Create a local user account. 1. Select the Local tab, and specify the details for the user account. 2. If you want to add the user account to a group, in the Group membership drop-down list, select a group. 3. To specify whether the user will use a work or personal device, in the ownership drop-down list, select an option. 58

59 Managing groups and user accounts Task Steps 4. Verify that the Administrator account check box is clear. 3. To specify device activation settings for the user account, in the Activation section, select Enable new device activations. 4. Select one of the following options: Use directory password to allow the user to use the company directory password to activate a device. Specify an activation password to specify a password that the user must enter to activate a device. 5. To specify when the activation password expires, select a time and date in the Activation expiration (date) and Activation expiration (time) fields. If you do not specify an expiration date and time, the activation password will never expire. 6. To specify a maximum number of times that the user is allowed to activate the device before the device is locked, in the Maximum number of activations per device field, type a value. 7. To specify a maximum number of devices that can be associated with the user account, in the Maximum number of devices to activate field, type a value. 8. To specify the device platforms that are supported, select Permitted devices and select one or more platforms. 9. To specify the device versions that are supported, in the drop-down list, select one or more versions. 10. To send an message to the user immediately after you save the user account, select Send activation . The message will contain the activation information that you specified in the activation template. If you do not want the user to activatethe device with the default activation type, clear the Send activation option and send the after you apply the desired activation type to the user account. 11. If you use custom variables, click the arrow beside Custom Variables and complete the fields. 12. Do one of the following: To save the user account and create another user account, click Save & New. To save the user account, click Save. View a user account You can view information about a user account by accessing the user account in the Universal Service. For example, you can view the following information: User information such as address and display name Smartphone model number or tablet model number, operating system, wireless service provider, phone number, software version, and current state Assigned IT policies, profiles, and software configurations 59

60 Managing groups and user accounts Groups the user account is assigned to 1. Search for a user account. 2. In the search results, click the name of a user account. Assign an IT policy to a user account When you assign an IT policy or work space IT policy to a user account, it replaces the IT policy or work space IT policy that is currently applied to the user account. If a user account belongs to a group that is assigned a different IT policy, the IT policy assigned to the user account takes precedence and the group IT policy is not applied to the user account. 1. Search for a user account. 2. In the search results, click the name of a user account. 3. On the Available Settings tab, complete one of the following actions: In the IT policies section, select the IT policy that you want to assign. In the Work Space section, select the work space IT policy that you want to assign. 4. Drag the IT policy or work space IT policy to anywhere in the user account window. 5. Click Apply. Related information Controlling the capabilities of devices, 43 Assign a profile to a user account Before you begin: Create profiles. 1. Search for a user account. 2. In the search results, click the name of a user account. 3. On the Available Settings tab, in the Profiles section, select the profile that you want to assign. 4. Drag the profile to anywhere in the user account window. 5. Click Apply. Edit user account information 1. Search for a user account. 2. In the search results, click the name of a user account. 60

61 Managing groups and user accounts 3. Click the edit icon. 4. Edit the user account information. 5. In the ownership drop-down list, select the type of device ownership. The selection is applied to the next device that the user activates. It does not change the ownership status of the user's existing devices. 6. Click Save. Change the device activation password for a user Users must provide a username and password when they activate devices. When you add a user account in the Universal Service, you can specify an activation password. To create a new activation password complete the following steps: 1. Search for a user account. 2. In the search results, click the name of a user account. 3. Click the + icon. 4. In the Activation window, click the edit icon. 5. Perform one of the following actions: Click Change activation password. Select Use directory password or Specify activation password. 6. If you selected Change activation password, or Specify activation password, type an activation password in the Activation password field. 7. To specify when the activation password expires, select a date and time in the Activation expiration (date) and Activation expiration (time) drop-down lists. 8. To send an message to a user that contains the information that the user requires to activate their device, select Send activation Click Save. 61

62

63 Activating and managing devices Chapter 5 Activating and managing devices Topics: Activating devices Managing devices

64 Activating and managing devices Activating devices When a user activates a device in the Universal Service, the device is associated with your organization's environment so that the user can access work data on their device. To activate their devices, users must type a username and an activation password. If the user account is associated with your company directory, you can allow the user to use their company username and password, or you can specify an activation password. For local user accounts, you must create a username and activation password for the user. Complete the following tasks before you send activation s to users: Ensure that you have the required licenses available. For more information about licenses, see the BlackBerry Enterprise Service 10 Licensing Guide. Update the template for the activation so that it includes all of the information that users need to activate their devices. If you do not want users to activate their devices using the default activation type, assign an activation type profile to the user account or group. You cannot change the activation type for a user's device after the user has activated their device. Assign other profiles, software configurations, and IT policies as required. Configure the default settings to activate a device You can configure the default settings that are displayed in the Add a user window. If necessary, you can change the default settings when you add a user account to the Universal Service. 1. On the menu bar, click Settings > Activation Defaults. 2. In the ownership drop-down list, perform one of the following actions: Select Personal if users typically activate personal devices. Select Corporate if users typically activate devices that belong to your organization. Select Not specified, if some users activate personal devices and some users activate devices that belong to your organization. 3. In the Activation expiration fields, select a default date and time when the user must activate a device by. 4. In the Maximum number of activations per device field, change the value to be the number of times that a user can activate a device. 5. In the Maximum number of devices to activate field, change the value to be the total number of devices that a user can activate. 6. Select Permitted devices if you want to specify the type and version of devices that users can activate. 64

65 Activating and managing devices 7. Click Save. Update the template for the activation message You must update the template for the activation message that you send to users. You can send the activation when you add a user account to the Universal Service, or any time after you add a user account. 1. In the Administration Console, on the menu bar, click Settings > Activation In the From address field, replace the default text with the address that you want to send the message from. You might want to use an address that does not accept replies. If your organization uses Microsoft Exchange Server and you selected Credentials as the authentication type in the SMTP server settings, and the address that you specify in the From address field does not match the account in the SMTP server settings, verify that the address has the Send As permission in Microsoft Exchange. 3. In the Subject field, update the default text. 4. In the Message field, update the default text. You can use variables in the text to customize the message for different users. For a list of variables, see Using variables. You can complete some or all of the following changes: Replace <CompanyName> with your organization's name. Review the paragraph in the Before you begin section. The variable is replaced by the web address where the user can install the SSL certificate on the device. If the user installs the certificate before activating the device, the certificate is displayed as a trusted certificate in step 4 of the default text. In step 1 of the default text, you can remove one of the app store web addresses if it is not required. For example, if you support only ios devices, you can remove the Google Play web address. In step 3 of the default text, the variables %BSCAddress%/%SRPID% are automatically replaced in the message with the required server address and SRP ID. In step 4 of the default text, you can replace <X or checkmark> with X (SSL certificate is not trusted) or checkmark (SSL certificate is trusted). For more information about the SSL certificate, see the BlackBerry Enterprise Service 10 Configuration Guide. In step 5 of the default text, include information about the activation password. The password might be the user's directory password or a password that you create. If you create the password, you can insert the %ActivationPassword% variable in the message to provide the password, or you can send the password to the user separately. If you did not select an expiry date for the activation password, you can remove the related statement in step 5. Step 8 in the default text is applicable only to users with ios devices that are activated with user privacy. If the step is applicable, remove the text in the square brackets. If the step is not applicable, remove the entire step. 5. Optionally, you can include login information for BES10 Self-Service. The web address for BES10 Self-Service is where <server_name> is the FQDN of the computer that hosts the console. Company directory users can log in with their directory usernames and passwords. For local users with BlackBerry 10 devices, you must create each user's username and password in the BlackBerry Service. Local users with ios or Android devices cannot use BES10 Self-Service. 65

66 Activating and managing devices 6. Click Save. Related information Using variables, 22 Send an activation message When you add a user account to the Universal Service you can select the Send activation check box to automatically send an activation message to a user. You can perform the following steps to send an activation at any time. Before you begin: Update the template for the activation message. 1. In the Administration Console, search for a user account. 2. In the search results, click the name of the user account. 3. Beside the device tab, or tabs, click the + icon. 4. In the Activation window, perform one of the following actions: Click the icon to send the activation to the user. Click the edit icon to change the device activation settings. Confirm that the Send activation check box is selected, and click Save. Activate an ios device Before you begin: Confirm that the required licenses are available. Create a user account. Assign profiles and software configurations to the user account, if required. Send an activation message to the user. Send the following activation instructions to the device user. When you send the instructions to a user, indicate whether the user needs to install the Communication Module SSL certificate and whether the user is a directory user (can use their directory usernames and passwords) or a local user (must use the username and password that you specified). 1. If your administrator notes that it is required, open the web address in your activation to install the Communication Module SSL certificate on your device. Installing the certificate before activation ensures that the device recognizes and trusts BlackBerry Enterprise Service Install the BES12 Client. The BES12 Client is available from the App Store. 3. Tap the BES10 icon. Tap Continue. 4. If you are prompted to turn on location services, complete the following steps: 66

67 Activating and managing devices a. Tap Settings. b. Verify that Location Services is turned on. c. Verify that BES10 is turned on. d. Close Settings. 5. Read the end user agreement and tap I Agree. 6. Type your organization's server address and tap Go. You can find the server address in the activation message. 7. Confirm that the certificate details match your organization's information and tap Accept. 8. Type your username and password and tap Activate My. 9. If necessary, tap OK to install the required certificate. 10. Follow the instructions on the screen to complete the activation. 11. If you are prompted to enter the password for your account or the passcode for your device, follow the instructions on the screen. 12. If you are prompted, create a work space password and download work space apps. After you finish: Open the BES12 Client and tap About. In the Activated section, you should see your device information. Activate an Android device Before you begin: Confirm that the required licenses are available. Create a user account. Assign profiles and software configurations to the user account, if required. Send an activation message to the user. Send the following activation instructions to the device user. When you send the instructions to a user, indicate whether the user needs to install the Communication Module SSL certificate and whether the user is a directory user (can use their directory usernames and passwords) or a local user (must use the username and password that you specified). 1. If your administrator notes that it is required, open the web address in your activation to install the Communication Module SSL certificate on your device. Installing the certificate before activation ensures that the device recognizes and trusts BlackBerry Enterprise Service Install the BES12 Client. The BES12 Client is available from Google Play. 3. On the device, tap the BES10 icon. 4. Read the end user agreement and tap I Agree. 67

68 Activating and managing devices 5. Type your organization's server address and tap Next. You can find the server address in the activation message. 6. Confirm that the certificate details match your organization's information and tap Accept. 7. Type your username and password and tap Activate My. 8. Tap Activate to activate the security policies. 9. If you are prompted, create a work space password and download work space apps. After you finish: Open the BES12 Client and tap About. In the Activated section, you should see your device information. Setting an activation password using BES10 Self- Service Using BES10 Self-Service, BlackBerry Enterprise Service 10 users can create activation passwords so that they can activate their devices over the wireless network. Users can select the type of device that they want to activate and specify an activation password. Instructions for activating devices are also provided in BES10 Self-Service. The web address for BES10 Self-Service is where <server_name> is the FQDN of the computer that hosts the console. Company directory users can log in with their organization usernames and passwords. For local users that have BlackBerry 10 devices, you must create their usernames and passwords in the BlackBerry Service. Local users that have ios or Android devices cannot use BES10 Self-Service. For more information about BES10 Self-Service, visit blackberry.com/go/docs to read the BES10 Self-Service User Guide. Managing devices The Universal Service includes IT administration commands that you can send to devices over the wireless network to protect data on devices. You can view detailed information about individual devices in device reports and view a history of all communication that occurs between devices and the Universal Service in the communication logs. If devices are jailbroken or rooted, the Universal Service displays an indicator beside the name of the user account that is associated with the jailbroken device or rooted device in the list of user accounts. Using IT administration commands to manage devices The Universal Service includes IT administration commands that you can send to a device over the wireless network to help protect your organization's data on a device. If the device supports the commands, you can use them to lock the device, unlock the device, reset the device password, permanently delete work data, or return the device settings to the default values. 68

69 Activating and managing devices IT administration command Activation types Specify device password and lock Lock device For Android devices, this command allows you to create a new device password and lock the device. You must create a password that complies with existing password rules. When the user unlocks the device, the device prompts the user to accept or reject the new password. You can use this command if the device is lost or stolen. This command locks a device. The user must type the existing device password to unlock the device. You can use this command if the device is lost or stolen. MDM controls Work and personal - full control MDM controls Work and personal - full control Unlock and clear password Delete only work data Delete all device data This command allows you to unlock a device and clear the existing password. The user is prompted to create a new device password. You can use this command if the user forgets the device password. This command deletes any profiles that are assigned to the device and removes the device from the Universal Service. Work apps that are installed on the device are not deleted. If the device has a work space, the work space information is deleted and the work space is removed from the device. You can send this command to a personal device when a user no longer works at your organization and you want to delete the work data from the device. The user account is not deleted when you send this command. This command deletes all user information and application data that the device stores including information in the work space, returns the device to factory defaults, and removes the device from the Universal Service. For Motorola devices that support the Enterprise Management API, information on the media card is also deleted. You can send this command to a device when you want to redistribute a previously used device to another user in your organization, or to a device that is lost and unlikely to be recovered. You can specify whether you want to delete or disable a user account from the Universal Service after the device deletes all user information and application data. MDM controls Work and personal - full control MDM controls Work and personal - full control Work and personal - user privacy MDM controls Work and personal - full control 69

70 Activating and managing devices IT administration command Activation types Lock work space This command locks the work space on a device so that the user must type the existing work space password to unlock the device. You can use this command if the device is lost or stolen. Work and personal - full control Work and personal - user privacy Disable/enable work space This command allows you to temporarily prevent access to the work space apps on the device. Work and personal - full control Work and personal - user privacy Users with multiple devices Users can activate multiple devices with the Universal Service. If a user activates multiple devices, you can view the list of device models that are associated with the user account in the user list, beside the user account name. To see details about each device, you can click on the user account name and select the tab for a specific device. Jailbroken or rooted status If a device is jailbroken or rooted, someone ran software or performed an action on the device that allows the user to have root access to the operating system of the device. The Universal Service is designed to detect if a device is jailbroken or rooted and displays an indicator beside the name of the user account in the list of user accounts. If you configure device compliance settings, users can be notified or required to remove jailbreaking software or rooting software from their devices. Users cannot access the work space on their devices if the devices are jailbroken or rooted. You might have to help a user remove the jailbreaking software or rooting software from the device or perform an action on the device to restore the device to the default state. Disable new device activations You can prevent users from activating devices by disabling new device activations. s that are already activated are not deactivated when you disable device activations. 1. Search for a user account. 2. In the search results, click the name of a user account. 3. Click the + icon. 70

71 Activating and managing devices 4. On the Activation page, click the edit icon. 5. Clear the Enable new device activations check box. 6. Click Save. Change the device ownership setting You can change the ownership type for a user's device. The ownership type is displayed in the device information and in the device report. 1. Search for a user account. 2. In the search results, click the name of a user account. 3. Select the device tab. 4. In the Activated device pane, click the edit icon. 5. In the ownership drop-down list, select the type of device ownership. 6. Click Save. View and save a device report You can view detailed information about each device that is associated with the Universal Service by generating a device report. 1. Search for a user account. 2. In the search results, click the name of a user account. 3. In the Manage window, click the View device report icon. 4. Click File > Save As... to save the device report to a file on the computer, if required. View device communication logs You can view the device communication logs to find out the history of communication between a device and the Universal Service. Each device has its own communication log. Entries older than 14 days are cleared from the logs. 1. Search for a user account. 2. In the search results, click the name of a user account. 3. In the Manage window, click the Communications Log icon. 71

72 Activating and managing devices Deactivating devices When you or a user deactivates a device, the connection between the device and the user account in the Universal Service is removed. You cannot manage the device, and the device is not displayed in the Administration Console. The user cannot access work data on the device. You can deactivate a device using the Delete only work data IT administration command. For more information, see Using IT administration commands to manage devices. A user can deactivate a device by selecting Deactivate My on the About screen in the BES12 Client. Users cannot deactivate a device Possible cause You recently restored a backup of the Management Database and the user activated the device after you created the backup version. Possible solution To deactivate the device, you or the user must delete the BES12 Client from the device. The Work Apps icon remains on ios device after the device is deactivated Possible cause If a user has an ios device that is running ios 5 or later, a blank Work Apps icon might remain on the device after the device is deactivated. Possible solution The user can delete the blank Work Apps icon manually. 72

73 Maintaining and monitoring Chapter 6 Maintaining and monitoring Topics: Check the status of the BlackBerry Secure Connect Service Logging

74 Maintaining and monitoring Check the status of the BlackBerry Secure Connect Service The BlackBerry Secure Connect Service is a web service that provides a single access port for activation and management traffic for ios devices and Android devices. If the BlackBerry Secure Connect Service is not running, or is experiencing connectivity issues, users cannot activate devices or receive profile updates. 1. On the menu bar, click Settings. 2. In the left pane, click Secure Connect Service. 3. Confirm the status for the BlackBerry Secure Connect Service. Logging The Universal Service creates log files for each Universal Service component and audit logs that record administrator requests, for example, to create, update, or delete user accounts or groups. Log files and audit logs can be used to determine the cause of an issue. Log files The Universal Service creates log files for each Universal Service component and saves the log files on the computer that hosts the Universal Service. You can configure the location where the log files are stored when you install the Universal Service. By default, the Universal Service saves log files in C:\Program Files (x86)\research in Motion\BlackBerry Enterprise Service 10\Logs. Log files are organized in the following folders: Audit BWS Comm Core EAS Installer RIM.UDS.GUI 74

75 Maintaining and monitoring Scheduler The Installer logs files are named Setup<yyyymmdd><log_number>.log. All other log files are saved in sub-folders that are named by date (yyyymmdd). The log files are named <server_name>_<component_identifier>_<instance>_<yyyymmdd>_log _number>.csv, where the component identifier is one of the following: UCOM: Communication Module UCOR: Core Module USRV: Scheduler BWS: BlackBerry Web Services Audit: Audit log files EAS: Microsoft ActiveSync gatekeeping Audit logs Audit logs record requests that you make to create, update, and delete user accounts or groups, send IT administration commands to devices, add user accounts to groups or remove user accounts from groups, and create or assign profiles, software configurations and IT policies to devices. Audit logs are saved in the Audit folder and are named <server_name>_<component_identifier>_audit_<instance>_<yyyymmdd>_<log_number>.csv. 75

76

77 IT policy rules Chapter 7 IT policy rules Topics: s of IT policy rules s of work space IT policy rules

78 IT policy rules s of IT policy rules The mobile operating system defines the rules that the device supports. For more information on the device settings, visit the Apple Configurator Help for ios devices and the Android Developers website for Android devices. There are minimum OS requirements for each IT policy rule, however BlackBerry Enterprise Service 10 might not support all versions of ios or Android OS. For more information about supported versions, visit docs.blackberry.com/bes10 to read the BlackBerry Enterprise Service 10 Compatibility Matrix. Related information Create an IT policy, 43 Browser policy group The rules in this policy group specify restrictions for the default browser on the device. The rules apply only to ios devices. Hide the default web browser rule Selecting this rule disables the Safari browser and removes its icon from the Home screen. This rule also prevents users from opening web clips on the device. Disable autofill in the default browser rule Related rules Selecting this rule prevents the Safari browser from saving user entries in web forms for later use. This rule is not valid if the Hide the default web browser rule is selected. 78

79 IT policy rules Disable JavaScript in the default browser rule Related rules Selecting this rule disables JavaScript in the Safari browser. The browser ignores all JavaScript on websites. This rule is not valid if the Hide the default browser rule is selected. Disable popups in the default browser rule Related rules Selecting this rule blocks pop-up windows in the Safari web browser. This rule is not valid if the Hide the default web browser rule is selected. Enable cookies rule Related rules This rule specifies how the Safari web browser handles cookies. If you select Always, cookies are always accepted. If you select From visited websites, cookies are only accepted from websites that the user visits directly in the browser. If you select Never, cookies are never accepted. This rule is not valid if the Hide the default web browser rule is selected. 79

80 IT policy rules Possible values Never From visited websites Always Default value From visited websites Force fraud warnings rule Related rules Selecting this rule turns on fraud warnings in the Safari web browser. The browser attempts to prevent the user from visiting websites identified as being fraudulent or compromised. This rule is not valid if the Hide the default web browser rule is selected. Camera and video policy group The rules in this policy group specify restrictions for cameras and device screen capture. All rules apply to ios devices. One rule applies to Android devices. Disable output rule Selecting this rule prevents the device from streaming videos or sending the device display to another device, such as a projector or television screen. Selecting this rule also prevents users from taking screen captures of the device display. 80

81 IT policy rules Disable screen capture rule Related rules Selecting this rule prevents users from taking a screen capture of the device display. Selecting the Disable output rule also prevents users from taking screen captures. Users cannot take screen captures if either rule is selected. Hide the default camera application rule Selecting this rule disables the device cameras. Users cannot take photographs or videos. Android OS 4.0 Hide the default video-conferencing application rule Selecting this rule removes the FaceTime app icon from the Home screen. Users cannot make video calls. 81

82 IT policy rules Related rules Selecting the Hide the default camera application rule also hides the FaceTime app icon. Users cannot use FaceTime if either rule is selected. Certificates policy group The rules in this policy group specify settings for using certificates on the device. The rules apply only to ios devices. Disable untrusted certificates rule Related rules Selecting this rule prevents users from trusting certificates that cannot be verified. Also selecting the Disable untrusted certificates after prompt rule displays a message to the user when the device disables an untrusted certificate. Disable untrusted certificates after prompt rule Related rules Selecting this rule displays a message to the user when the device disables a certificate that cannot be trusted. This rule is only valid if the Disable untrusted certificates rule is selected. 82

83 IT policy rules Disable wireless certificate updates rule Selecting this rule disables certificate updates over a wireless connection. Minimum OS requirements ios 7.0 Cloud service policy group The rules in this policy group specify restrictions for using cloud services on the device. The rules apply only to ios devices. Disable cloud services rule Selecting this rule prevents the use of all icloud services, including backup, document, and picture services. Disable cloud backup service rule Related rules Selecting this rule prevents users from backing up their device data to icloud. Selecting the Disable cloud services rule disables all icloud services, including the icloud backup service. 83

84 IT policy rules Disable cloud document services rule Related rules Selecting this rule prevents users from storing documents in icloud. Selecting the Disable cloud services rule disables all icloud services, including icloud document services. Disable cloud picture services rule Related rules Selecting this rule prevents users from using Photo Stream. Sending this rule to a device deletes Photo Stream photos from the device and prevents photos from the camera roll from being sent to Photo Stream. Selecting the Disable cloud services rule disables all icloud services, including Photo Stream. Disable cloud picture sharing services rule Selecting this rule prevents users from using Shared Photo Streams. This rule requires Universal Service 6.1 MR2 or later. 84

85 IT policy rules Related rules Selecting the Disable cloud picture services rule prevents users from using Photo Stream. Selecting the Disable cloud services rule disables all icloud services, including Photo Stream. Minimum OS requirements ios 6.0 Disable managed apps to use cloud sync rule Selecting this rule prevents managed apps from using cloud sync. Minimum OS requirements ios 8.0 Connectivity policy group The rules in this policy group specify restrictions for network connectivity. The rules apply only to ios devices. Disable AirDrop rule Selecting this rule prevents users from using AirDrop to share data with other devices. This rule applies only to devices that are supervised using Apple Configurator. Minimum OS requirements ios

86 IT policy rules Disable host pairing rule Applicable activation types Selecting this rule prevents the device from pairing with any computer other than the Apple Configurator host. This rule applies only to devices that are supervised using Apple Configurator. MDM controls Minimum OS requirements ios 7.0 Disable network connectivity rule Selecting this rule prevents users from connecting the device to a Wi-Fi or wireless network. Disable changes to wireless data usage for apps rule Related rules Selecting this rule prevents users from changing the wireless data usage for apps. This rule applies only to devices that are supervised using Apple Configurator. This rule is not valid if the Disable network connectivity rule is selected. Minimum OS requirements ios

87 IT policy rules Disable wireless connectivity rule Related rules Selecting this rule prevents users from connecting the device to a wireless network. Selecting the Disable network connectivity rule also prevents users from connecting the device to a wireless network. Users cannot connect the device to a wireless network if either rule is selected. This rule is not valid if the Disable network connectivity rule is selected. Disable roaming rule Related rules Selecting this rule prevents users from connecting the device to a wireless network when the device is roaming. This rule is not valid if the Disable network connectivity or Disable wireless connectivity rule is selected. Disable data service when roaming rule Related rules Selecting this rule prevents the device from using the data connection when the device is roaming. For ios 4.x devices, selecting this rule disables background data service when the device is roaming. This rule is not valid if the Disable network connectivity, Disable wireless connectivity, or Disable roaming rule is selected. 87

88 IT policy rules Disable background data service when roaming rule Related rules Selecting this rule prevents devices from automatically synchronizing message and organizer data when roaming. s that are roaming will sync only when the user requests it. This rule is not valid if the Disable network connectivity, Disable wireless connectivity, Disable roaming, or Disable data service when roaming rule is selected. Disable voice service when roaming rule Related rules Selecting this rule prevents users from making voice calls over the wireless network when the device is roaming. This rule is not valid if the Disable network connectivity, Disable wireless connectivity, or Disable roaming rule is selected. 88

89 IT policy rules Require passcode on first AirPlay pairing rule Selecting this rule specifies whether a password is required on the first AirPlay pairing. If this rule is selected, all devices that receive AirPlay requests from another device must use a pairing password. Minimum OS requirements ios 7.1 Content policy group The rules in this policy group specify restrictions for downloading content. This includes hiding explicit content and setting the maximum allowed rating for apps, movies, and TV shows. The rules apply only to ios devices. Disable content rule Related rules Selecting this rule sets the maximum allowed rating for movies, TV shows, and apps to 0. Movies and TV shows downloaded from the itunes Store are hidden and users cannot preview or download movies or TV shows. The icons for work and personal apps are removed from the Home screen and users cannot install or update apps. On ios devices with Secure Work Space, the BES12 Client and work space apps, including default work space apps, are also removed from the Home screen. This rule applies only to movies and TV shows that users can download from the itunes Store and apps that users can download from the App Store. This rule does not apply to built-in ios apps. The Hide the default music store rule removes the itunes Store from the Home screen. The Hide the default application store rule removes the App Store from the Home screen. 89

90 IT policy rules Hide explicit content rule Related rules Selecting this rule hides any explicit content downloaded from the itunes Store and the App Store. This rule is not valid if the Disable content rule is selected. Maximum allowed rating for applications rule Related rules This rule sets the maximum allowed content rating for apps that users can download to the device from the App Store.. Specify a number between 0 and 100 to define the maximum allowed content rating for apps. The number corresponds to ratings such as E, T, and M, or 9+, 12+, and 17+, which vary by country. The lower the number the greater the content restriction. For instance, 0 allows no apps and 100 allows all apps. This rule is not valid if the Disable content rule is selected. Possible values A number from 0 to 100. Default value

91 IT policy rules Maximum allowed rating for movies rule Related rules This rule sets the maximum allowed content rating for movies that users can download to the device from theitunes Store. Specify a number between 0 and 100 to define the maximum allowed content rating for movies. The number corresponds to ratings such as G, PG, and R, and age-based ratings, which vary by country. The lower the number the greater the content restriction. For instance, 0 allows no movies and 100 allows all movies. This rule is not valid if the Disable content rule is selected. Possible values A number from 0 to 100. Default value 100 Maximum allowed rating for TV shows rule Related rules This rule sets the maximum allowed content rating for television shows that users can download to the device from the itunes Store. Specify a number between 0 and 100 to define the maximum allowed content rating for TV shows. The number corresponds to ratings such as G, PG, and R, and agebased ratings, which vary by country. The lower the number the greater the content restriction. For instance, 0 allows no TV shows and 100 allows all TV shows. This rule is not valid if the Disable content rule is selected. Possible values A number from 0 to 100. Default value

92 IT policy rules Region that defines the rating restrictions rule Related rules This rule sets the country or region whose ratings are used for the content. This setting is not required. This rule is not valid if the Disable content rule is selected. Possible values Default value A two-letter code indicating the country that the content ratings system applies to. None Diagnostics and usage policy group The rule in this policy group specifies restrictions for sending device diagnostic information to the device manufacturer. The rule applies only to ios devices. Disable submission of device diagnostic logs to device vendor rule Selecting this rule prevents devices from sending diagnostic information to Apple. 92

93 IT policy rules Encryption policy group The rules in this policy group specify encryption requirements for device storage space. The rules only apply to Android devices. Apply encryption rules rule Selecting this rule encrypts portions of the device internal memory. Minimum OS requirements Android OS 3.0 Encrypt internal device storage rule Related rules Selecting this rule encrypts the device data storage. This rule is only valid if the Apply encryption rules rule is selected. Minimum OS requirements Android OS 3.0 Lock screen policy group The rules in this policy group specify restrictions for the lock screen on the device. The rules apply only to ios devices. Disable Passbook notifications when device is locked rule Selecting this rule prevents the device from displaying notifications from the Passbook app when the device is locked. 93

94 IT policy rules This rule requires Universal Service 6.1 MR2 or later. Minimum OS requirements ios 6.0 Hide Control Center in lock screen rule Selecting this rule prevents users from swiping up to view the Control Center while the screen is locked. Minimum OS requirements ios 7.0 Hide Notification Center in lock screen rule Selecting this rule prevents users from accessing the Notifications view in the Notification Center when the screen is locked. New mail notifications still appear. Minimum OS requirements ios 7.0 Hide Today view in lock screen rule Selecting this rule prevents users from swiping down to see the Notification Center using the Today view while the screen is locked. 94

95 IT policy rules Minimum OS requirements ios 7.0 Messaging policy group The rule in this policy group specifies restrictions for messaging apps. The rule applies only to ios devices. Hide the default messaging application rule Selecting this rule prevents users from using the imessage software feature. This rule requires Universal Service 6.1 MR2 or later. This rule only applies to devices that are supervised using the Apple Configurator. Minimum OS requirements ios 6.0 Online store policy group The rules in this policy group specify restrictions for online stores available on devices. The rules apply only to ios devices. Disable online stores rule Selecting this rule prevents users from using all online content stores. Users cannot make in-app purchases or use the App Store and itunes Store on the device. 95

96 IT policy rules Disable purchases in applications rule Related rules Selecting this rule prevents users from making in-app purchases. Selecting the Disable online stores rule also prevents users from making purchases within apps. Users cannot make purchases within apps if either rule is selected. Disable storage of online store password rule Related rules Selecting this rule prevents the online store from saving the user's password. Users must enter their password for all content purchases. This rule is selected by default. This rule is not valid if the Disable online stores rule is selected. Hide the default application store rule Related rules Selecting this rule disables the App Store on the device and removes its icon from the Home screen. Selecting the Disable online stores rule also disables the App Store and removes its icon from the Home screen. 96

97 IT policy rules Hide the default book store rule Related rules Selecting this rule disables the ibooks Store on the device and removes its icon from the Home screen. This rule requires Universal Service 6.1 MR2 or later. This rule only applies to devices that are supervised using Apple Configurator. Selecting the Disable online stores rule also disables the ibooks Store and removes its icon from the Home screen. Minimum OS requirements ios 6.0 Disable erotica purchases from the default book store rule Related rules Selecting this rule prevents users from downloading media that has been tagged as erotica from the ibooks Store. This rule requires Universal Service 6.1 MR2 or later. This rule only applies to devices that are supervised using Apple Configurator. Selecting the Hide the default book store rule disables the ibooks Store and removes its icon from the Home screen. Selecting the Disable online stores rule disables the ibooks Store and removes its icon from the Home screen. 97

98 IT policy rules Minimum OS requirements ios 6.0 Hide the default music store rule Related rules Selecting this rule disables the itunes Store on the device and removes its icon from the Home screen. Selecting the Disable online stores rule also disables the itunes Store and removes its icon from the Home screen. Password policy group They rules in this policy group specify password requirements and rules for creating passwords. Most of the rules apply to both ios devices and Android devices. Note: For some Android device models, if a user did not previously have a password set for a device and an IT policy is pushed to the device that requires the user to set a password, the user cannot set a password. For more information, please see the support information for the device. Define password properties rule Related rules Selecting this rule allows you to set parameters that users must follow when setting the device password. The Avoid repetition and simple patterns rule, Require alphanumeric value rule, Require letters rule, Require lowercase letters rule, Require numbers rule, Require special characters rule, and Require uppercase letters rule set the parameters for user password requirements. 98

99 IT policy rules Android OS 2.3 Avoid repetition and simple patterns rule Related rules Selecting this rule prevents users from using sequential or repeated characters in the device password. This rule is only valid if the Define password properties rule is selected. Require alphanumeric value rule Related rules Selecting this rule requires users to create a device password that contains at least one letter and one number. This rule is only valid if the Define password properties rule is selected. Require letters rule Related rules Selecting this rule requires users to create a device password that contains letters. For Android OS 3.0 and later, you can also specify the minimum number of letters required. If you select this rule and then specify the minimum number of letters, a user must create a password that includes at least the number of letters that you specify. This rule is only valid if the Define password properties rule is selected. 99

100 IT policy rules Possible values A number greater than 0. Default value 1 Minimum OS requirements Android OS 2.3 Require lowercase letters rule Related rules This rule specifies the minimum number of lowercase letters required in the device password. If you select this rule and then specify the minimum number of lowercase letters, a user must create a password that includes at least the number of lowercase letters that you specify. This rule is only valid if the Define password properties rule is selected. Possible values A number greater than 0. Default value 1 Minimum OS requirements Android OS 3.0 Require numbers rule Related rules Selecting this rule requires users to create a device password that contains numerals. For Android OS 3.0 and later, you can also specify the minimum number of numerals required. If you select this rule and then specify the minimum number of numerals, a user must create a password that includes at least the number of numerals that you specify. This rule is only valid if the Define password properties rule is selected. 100

101 IT policy rules Possible values A number greater than 0. Default value 1 Minimum OS requirements Android OS 2.3 Require special characters rule Related rules This rule specifies the minimum number of special characters required in the device password. If you select this rule and then specify the minimum number of special characters, a user must create a password that includes at least the number of special characters that you specify. This rule is only valid if the Define password properties rule is selected. Possible values A number greater than 0. Default value 1 Android OS 3.0 Require uppercase letters rule Related rules This rule specifies the minimum number of uppercase letters required in the device password. If you select this rule and then specify the minimum number of uppercase letters, a user must create a password that includes at least the number of uppercase letters that you specify. This rule is only valid if the Define password properties rule is selected. 101

102 IT policy rules Possible values A number greater than 0. Default value 1 Minimum OS requirements Android OS 3.0 Delete data and applications from the device after incorrect password attempts rule Selecting this rule specifies the number of times that a user can try an incorrect password before the device deletes all user information and application data. For Android devices, the device does not recognize an entry of less than four characters as a password. If the user enters an incorrect password of less than four characters, it will not be counted as an attempt. Possible values For ios devices, a number between 4 and 10. If you set a value less than 4, a value of 4 will be used. If you set a number greater than 10, a value of 10 will be used. For Android devices, a number greater than 0. Default value 1 Android OS 2.3 password rule Selecting this rule requires users to enter the device password after a period of inactivity. 102

103 IT policy rules Android OS 2.3 Enable auto-lock rule Related rules This rule specifies the maximum period of inactivity that can elapse before a device locks. The value specified in this rule is the maximum value that a user can set on the device. This rule is only valid if the password rule is selected. Possible values Default value A number greater than 0 and a period of days, hours, minutes, or seconds. 15 minutes Android OS 2.3 Time after a device locks that it can be unlocked without a password rule Related rules This rule specifies the maximum period of time that can elapse before a password is required to unlock a device. The grace period begins after the device locks. The value specified in this rule is the maximum value that a user can set on the device. This rule is only valid if the password rule is selected. Possible values A number greater than 0 and a period of days, hours, minutes, or seconds. 103

104 IT policy rules Default value 1 minute Limit password age rule Selecting this rule allows you to specify the period of time after a password is set until the device password expires and the user must set a new password. You can specify any number of days, hours, minutes, or seconds. Possible values Default value A number greater than 0 and a time period of days, hours, minutes, or seconds. 90 days Android OS 3.0 Limit password history rule Selecting this rule allows you to specify the number of previous passwords that the device checks to prevent a user from reusing passwords. Possible values A number greater than 0. Default value 1 Android OS

105 IT policy rules Restrict password length rule Selecting this rule restricts the length of the device password. Android OS 2.3 Minimum length for the device password that is allowed rule Related rules Selecting this rule allows you to specify the minimum number characters required in the device password. This rule is only valid if the Restrict password length rule is selected. Possible values A number equal to or greater than 4. Default value 4 Android OS 2.3 Phone and messaging policy group The rule in this policy group specifies restrictions for the default phone app. The rule applies only to ios devices. Disable voice dialing rule Selecting this rule prevents users from making telephone calls on the device using Siri. 105

106 IT policy rules Profiles and certificates policy group The rule in this policy group specifies restrictions for installing profiles and certificates on devices. The rule applies only to ios devices. Disable interactive installation of profiles and certificates rule Selecting this rule prevents users from installing configuration profiles and certificates. This rule requires Universal Service 6.1 MR2 or later. This rule only applies to devices that are supervised using Apple Configurator. Minimum OS requirements ios 6.0 Security policy group The rules in this policy group specify restrictions for security on the device. The rules apply only to ios devices. Disable activity continuation rule Selecting this rule prevents users from using the activity continuation feature to transfer user activities among multiple devices associated with the user. 106

107 IT policy rules Minimum OS requirements ios 8.0 Disable changes to accounts on the device rule Selecting this rule prevents users from adding, deleting, or changing accounts on the device. This rule applies only to devices that are supervised using Apple Configurator. Minimum OS requirements ios 7.0 Disable erase content and settings rule Selecting this rule prevents users from using the Erase All Content And Settings option on a device to wipe it. This rule applies only to devices that are supervised using Apple Configurator. Minimum OS requirements ios 8.0 Disable enabling restrictions rule Selecting this rule prevents users from using the Enable Restrictions option to prevent access to apps or features on a device. This rule applies only to devices that are supervised using Apple Configurator. 107

108 IT policy rules Minimum OS requirements ios 8.0 Disable spotlight internet results rule Selecting this rule prevents a Spotlight search from returning Internet search results when searching for content on a device. This rule applies only to devices that are supervised using Apple Configurator. Minimum OS requirements ios 8.0 Disable Touch ID to unlock device rule Selecting this rule prevents users from using Touch ID to unlock the device. When this option is selected, users must use a password to unlock the device. Minimum OS requirements ios 7.0 Limit ad tracking rule Selecting this rule limits ad tracking in apps on the device. 108

109 IT policy rules Minimum OS requirements ios 7.0 Limit personal data to personal apps and accounts rule Selecting this rule displays only personal apps and accounts as possible destinations when users attempt to open data such as attachments from a personal app or account on the device. Safari and AirDrop will continue to display all apps and accounts as possible destinations. Minimum OS requirements ios 7.0 Limit work data to work apps and accounts rule Selecting this rule displays only work apps and accounts as possible destinations when users attempt to open data such as attachments from a work app or account on the device. Minimum OS requirements ios 7.0 Social policy group The rules in this policy group specify restrictions for social apps. The rules apply only to ios devices. Disable changes to Find My Friends settings rule Selecting this rule prevents users from changing the settings for the Find My Friends app. This rule applies only to devices that are supervised using Apple Configurator. 109

110 IT policy rules Minimum OS requirements ios 7.0 Hide the Game Center and YouTube apps rule Selecting this rule prevents the use of the Game Center app and the YouTube app. The apps are disabled and the YouTube app is removed from the Home screen. On supervised devices, the Game Center app is removed from the Home screen. Hide the Game Center app and disable game functionality rule Related rules Selecting this rule prevents the use of the Game Center app. On devices that are supervised using Apple Configurator, the icon is removed from the Home screen. Selecting the Hide the Game Center and YouTube apps rule also disables the Game Center app. Disable adding Game Center friends rule Selecting this rule prevents users from adding friends in the Game Center app. 110

111 IT policy rules Related rules This rule is not valid if the Hide the Game Center app and disable game functionality rule or Hide the Game Center and YouTube apps rule is selected. Disable multiplayer gaming rule Related rules Selecting this rule prevents users from playing multiplayer games in the Game Center app. This rule is not valid if the Hide the Game Center app and disable game functionality rule or Hide the Game Center and YouTube apps rule is selected. Hide the Game Center app rule Related rules Selecting this rule prevents the use of the Game Center app on supervised ios devices. The Game Center app is disabled and its icon is removed from the Home screen. This rule requires Universal Service 6.1 MR2 or later. This rule only applies to devices that are supervised using Apple Configurator. Selecting the Hide the Game Center app and disable game functionality rule also disables the Game Center app. Selecting the Hide the Game Center and YouTube apps rule also disables the Game Center app. 111

112 IT policy rules Minimum OS requirements ios 6.0 Hide the YouTube app rule Related rules Selecting this rule prevents the use of the YouTube app. The app is disabled and the icon is removed from the Home screen. This rule is obsolete in ios 6.0 and later. Selecting the Hide the Game Center and YouTube apps rule also disables the YouTube app. Storage and backup policy group The rules in this policy group specify restrictions for backing up device data. The rules apply only to ios devices. Require that the device backup data is encrypted rule Selecting this rule stores all backup data in an encrypted format on the user's computer. 112

113 IT policy rules Disable enterprise book backup rule Selecting this rule prevents users from backing up enterprise books. Minimum OS requirements ios 8.0 Disabe enterprise book metadata sync rule Selecting this rule forces devices to synchronize enterprise book metadata, such as notes and highlights. Minimum OS requirements ios 8.0 Voice assistant policy group The rules in this policy group specify restrictions for using voice commands with the device. The rules apply only to ios devices. Disable the default voice assistant application rule Selecting this rule prevents users from using Siri, voice commands, and dictation. 113

114 IT policy rules Disable voice assistant application when device is locked rule Related rules Selecting this rule prevents users from using Siri voice commands when the device is locked and prevents users from unlocking the device using Siri voice commands. This rule applies only if the user has set a password for the device. If you select this rule, you should also select the password rule to require that the user sets a password. This rule is not valid if the Disable the default voice assistant application rule is selected. Hide user-generated content in voice assistant apps rule Selecting this rule prevents users from adding their own content to Siri. This rule applies only to devices that are supervised using Apple Configurator. Minimum OS requirements ios 7.0 s of work space IT policy rules The work space IT policy rules apply only to the work space on the device. There are minimum OS requirements for each work space IT policy rule, however BlackBerry Enterprise Service 10 might not support all versions of ios or Android OS. For more information about supported versions, visit docs.blackberry.com/ BES10 to read the BlackBerry Enterprise Service 10 Compatibility Matrix. 114

115 IT policy rules Related information Create a work space IT policy, 44 Allow sequential and repeated character passwords rule Selecting this rule allows a user to set a work space password that uses sequential characters, such as abcd, or repeated characters, such as Work space Applicable activation types Work and personal - user privacy Android OS 2.3 Require letters rule This rule specifies the minimum number of letters required in the work space password. If you select this rule and then specify the minimum number of letters, a user must create a password that includes at least the number of letters that you specify. Work space Applicable activation types Work and personal - user privacy Possible values A number greater than 0. Default value 1 Android OS

116 IT policy rules Require lowercase letters rule This rule specifies the minimum number of lowercase letters required in the work space password. If you select this rule and then specify the minimum number of lowercase letters, a user must create a password that includes at least the number of lowercase letters that you specify. Work space Applicable activation types Work and personal - user privacy Possible values A number greater than 0. Default value 1 Android OS 2.3 Require numbers rule This rule specifies the minimum number of numerals required in the work space password. If you select this rule and then specify the minimum number of numerals, a user must create a password that includes at least the number of numerals that you specify. Work space Applicable activation types Work and personal - user privacy Possible values A number greater than 0. Default value 1 116

117 IT policy rules Android OS 2.3 Require special characters rule This rule specifies the minimum number of special characters required in the work space password. If you select this rule and then specify the minimum number of special characters, a user must create a password that includes at least the number of special characters that you specify. Work space Applicable activation types Work and personal - user privacy Possible values A number greater than 0. Default value 1 Android OS 2.3 Require uppercase letters rule This rule specifies the minimum number of uppercase letters required in the work space password. If you select this rule and then specify the minimum number of uppercase letters, a user must create a password that includes at least the number of uppercase letters that you specify. Work space Applicable activation types Work and personal - user privacy Possible values A number greater than 0. Default value 1 117

118 IT policy rules Android OS 2.3 Restrict password length rule Selecting this rule restricts the length of the work space password. Work space Applicable activation types Work and personal - user privacy Android OS 2.3 Minimum length for the work space password rule Related rules This rule allows you to specify the minimum number of characters required in the work space password. This rule is only valid if the Restrict password length rule is selected. Work space Applicable activation types Work and personal - user privacy Possible values A number equal to or greater than 1. Default value 4 Android OS

119 IT policy rules Maximum length for the work space password rule Related rules This rule allows you to specify the maximum number of characters required in the work space password. This rule is only valid if the Restrict password length rule is selected. Work space Applicable activation types Work and personal - user privacy Possible values A number equal to or greater than 1. Default value 32 Android OS 2.3 Maximum password history rule This rule specifies the number of previous work space passwords that the device checks to prevent a user from reusing work space passwords. Work space Applicable activation types Work and personal - user privacy Possible values A number greater than 0. Default value 3 Android OS

120 IT policy rules Lock work space when device locks rule This rule specifies whether the work space locks when a device locks after a period of inactivity. If this rule is selected, when a user is in the work space, the work space locks after the period of inactivity specified in the Lock device after inactivity in work space rule. When the user is in the personal space, or if the Lock device after inactivity in work space rule is not selected, the work space locks after the period of inactivity specified in the auto-lock setting on the device. Work space Applicable activation types Work and personal - user privacy Android OS 2.3 Lock device after inactivity in work space rule This rule specifies the period of inactivity in the work space that can elapse before a device locks. If you configure this rule, the following behavior occurs after the specified inactivity period: On ios devices, the work space locks when a work space app is open. The device doesn t lock and the screen doesn t turn off. On Android devices with a password, the device locks when a work space app is open. The work space isn t locked. On Android devices without a password, the device turns off the screen when a work space app is open. The work space isn t locked. On Android devices, the inactivity period that you specify is the maximum time for inactivity. A user can set a shorter inactivity period on the device. If the user sets a shorter inactivity period, the screen locks when that inactivity period is met. Work space 120

121 IT policy rules Applicable activation types Work and personal - user privacy Possible values Default value A number greater than 0 and a period of days, hours, minutes, or seconds. 15 minutes Android OS 2.3 Lock work space after inactivity rule This rule specifies the period of inactivity in the personal space that can elapse before the work space locks. Work space Applicable activation types Work and personal - user privacy Possible values Default value A number greater than 0 and a period of days, hours, minutes, or seconds. 30 minutes Android OS 2.3 Track incorrect password attempts rule Selecting this rule specifies the number of times that a user can try an incorrect password before the action specified in the Action after maximum incorrect password attempts rule occurs. Work space Applicable activation types Work and personal - user privacy 121

122 IT policy rules Possible values A number equal to or greater than 1. Default value 1 Android OS 2.3 Action after maximum incorrect password attempts rule Related rules This rule specifies the action that occurs after the maximum number of incorrect password attempts has been reached. If you select Disable work space, the work space is disabled and can only be restored by an administrator. If you select Deactivate device, the work space is disabled and all data in the work space is deleted immediately. ios devices are deactivated. If you select Disable work space and after N days, deactivate device, you must also specify a number of days. The work space is disabled immediately and can only be restored by an administrator. If the work space is not restored before the specified number of days elapse, all data in the work space is deleted. ios devices are deactivated. This rule is only valid if the Track incorrect password attempts rule is selected. Work space Applicable activation types Work and personal - user privacy Possible values Disable work space Deactivate device Disable work space and after N days, deactivate device Default value Disable work space Android OS

123 IT policy rules Enable plugins in secure browser rule This rule specifies how the browser app in the work space handles plug-ins. If you select On, the browser allows all plug-ins to run. If you select Off, the browser does not allow plug-ins to run. If you select On Demand, the device prompts the user when the browser tries to run a plug-in. Work space Applicable activation types Work and personal - user privacy Possible values On Off On Demand Default value On Minimum OS requirements Android OS 2.3 Deactivate device after period of inactivity rule This rule specifies the number of days of inactivity in the work space that can elapse before all data in the work space is deleted, including work messages, contacts, and files. ios devices are deactivated. Work space Applicable activation types Work and personal - user privacy Possible values A number greater than 0. Default value 60 days 123

124 IT policy rules Android OS 2.3 Work Connect contacts rule This rule specifies whether work contacts are exported from the Work Connect app in the work space to the personal address book on the device. The Contacts app is the personal address book on an ios device. If you select Export to personal address book, only work contacts with phone numbers are exported. When you deactivate the device, work contacts are removed from the personal address book. If you select Do not export to personal address book, work contacts are not exported and calls and SMS text messages from work contacts do not display the contact name. If you select Allow user to configure, the user can choose to export work contacts from the Work Connect app to the personal address book. Work space Applicable activation types Work and personal - user privacy Possible values Export to personal address book Do not export to personal address book Allow user to configure Default value Allow user to configure Minimum OS requirements ios 6.0 Allow apps in the personal space to access files in the work space rule Select this rule to allow apps in the personal space on devices to access files in the work space. 124

125 IT policy rules If you allow apps in the personal space to access files in the work space and later update the policy to change this setting, personal apps on devices will still have access to existing files in the work space. Personal apps will not have access to files added after the rule is updated on the device to disallow access. Work space Applicable activation types Work and personal - user privacy Minimum OS requirements Android OS 2.3 Notification level rule This rule specifies the level of notifications that a user sees for apps in the work space when the work space is locked. If you select Show notifications without details, the user sees that an app has a notification but does not see the name of the app or any details about the notification. If you select Show app name, the user sees only the name of the app that has a notification. If you select Show all information, the user sees details about the notification such as the title and, if applicable for the notification, the summary and ticker. For example, the title of the meeting in the calendar, the line below the title, and a scrolling message when the notification first appears. Work space Applicable activation types Work and personal - user privacy Possible values Show notifications without details Show app name Show all information Default value Show notifications without details Minimum OS requirements Android OS

126 IT policy rules Allow S/MIME rule Selecting this rule allows a user to choose whether to enable S/MIME in the Work Connect app on the device. Work space Applicable activation types Work and personal - user privacy Android OS

127 Product documentation Product documentation 9 To read the following guides or other related materials, visit docs.blackberry.com/bes10. Category Resource Overview Introduction to BlackBerry Enterprise Service 10 Quick, visual introduction to BlackBerry Enterprise Service 10 at a high level What's New in BlackBerry Enterprise Service 10 Quick Reference BlackBerry Enterprise Service 10 Product Overview Summary of new features, enhancements, and updates in BlackBerry Enterprise Service 10 Introduction to BlackBerry Enterprise Service 10 and its features Finding your way through the documentation Architecture Enterprise Solution Comparison Chart Comparison of what features are available across different BlackBerry enterprise solutions Supported Features by Type Comparison of what features are supported for each type of device in BlackBerry Enterprise Service 10 BlackBerry Enterprise Service 10 Architecture and Data Flow Quick Reference Guide s of BlackBerry Enterprise Service 10 components s of activation and data flows for different types of devices Release notes Installation and upgrade BlackBerry Enterprise Service 10 Release Notes BlackBerry Enterprise Service 10 Compatibility Matrix s of known issues and potential workarounds Software that is compatible with BlackBerry Enterprise Service 10

128 Product documentation Category Resource BlackBerry Enterprise Service 10 Performance Calculator Tool to estimate the hardware required to support a given workload for BlackBerry Enterprise Service 10 BlackBerry Enterprise Service 10 Installation Guide System requirements Installation instructions BlackBerry Enterprise Service 10 Upgrade Guide System requirements Upgrade instructions Configuration BlackBerry Enterprise Service 10 Licensing Guide s of different types of licenses Instructions for activating and managing licenses in BlackBerry Management Studio BlackBerry Enterprise Service 10 Configuration Guide Instructions for how to configure server components before you start administering users and their devices Administration BlackBerry Management Studio Basic Administration Guide Basic administration for all supported device types, including BlackBerry 10 devices, BlackBerry PlayBook tablets, ios devices, Android devices, and BlackBerry 7.1 and earlier devices Instructions for creating and managing user accounts in multiple Services Instructions for managing multiple devices for each user account BlackBerry Service Advanced Administration Guide Advanced administration for BlackBerry 10 devices and BlackBerry PlayBook tablets Instructions for creating user accounts, groups, roles, and administrator accounts Instructions for activating devices Instructions for creating and sending IT policies and profiles Instructions for managing apps on devices Universal Service Advanced Administration Guide Advanced administration for ios and Android devices 128

129 Product documentation Category Resource Instructions for creating user accounts, groups, and administrator accounts Instructions for activating devices Instructions for creating and sending IT policies and profiles Instructions for managing apps on devices s of IT policy rules for ios and Android devices BlackBerry Service Policy Reference Spreadsheet s of IT policy rules for BlackBerry 10 devices and BlackBerry PlayBook tablets Security BlackBerry Service Solution Security Technical Overview of the security maintained by the BlackBerry Service, BlackBerry Infrastructure, and BlackBerry 10 devices and BlackBerry PlayBook tablets to protect data and connections of the BlackBerry 10 OS of the BlackBerry PlayBook OS of how work data is protected on BlackBerry 10 devices and BlackBerry PlayBook tablets when you use the BlackBerry Service Secure Work Space for ios and Android Security Note of the security maintained by the Universal Service, BlackBerry Infrastructure, and work spaceenabled devices to protect work space data at rest and in transit of how work space apps are protected on work space-enabled devices when you use the Universal Service 129

130

131 Provide feedback Provide feedback 10 To provide feedback on this content, visit

132

133 Glossary Glossary 11 BSSID CA DNS EAP-FAST HTTP HTTPS IP NTLM PEAP S/MIME SCEP SMTP SRP SSL SSID TLS TTLS URI VPN Basic Service Set Identifier certification authority Domain Name System Extensible Authentication Protocol Flexible Authentication via Secure Tunneling Hypertext Transfer Protocol over Secure Sockets Layer Hypertext Transfer Protocol over Secure Sockets Layer Internet Protocol NT LAN Manager Protected Extensible Authentication Protocol Secure Multipurpose Internet Mail Extensions simple certificate enrollment protocol Simple Mail Transfer Protocol Server Routing Protocol Secure Sockets Layer service set identifier Transport Layer Security Tunneled Transport Layer Security Uniform Resource Identifier virtual private network

134

135 Legal notice Legal notice BlackBerry. All rights reserved. BlackBerry and related trademarks, names, and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world. Apple, AirDrop, AirPlay, App Store, Apple Configurator, FaceTime, ibooks Store, icloud, imessage, iphone, itunes Store, Passbook, Safari, Siri, and Spotlight are trademarks of Apple Inc. Cisco is a trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. Android, Google Play, and YouTube are trademarks of Google Inc. ios is a trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. ios is used under license by Apple Inc. JavaScript is a trademark of Oracle and/or its affiliates. Microsoft, ActiveSync, and Active Directory are trademarks of Microsoft Corporation. Motorola is a trademark of Motorola Trademark Holdings, LLC. TouchDown is a trademark of NitroDesk Inc. Wi-Fi is a trademark of the Wi-Fi Alliance. All other trademarks are the property of their respective owners. This documentation including all documentation incorporated by reference herein such as documentation provided or made available on the BlackBerry website provided or made accessible "AS IS" and "AS AVAILABLE" and without condition, endorsement, guarantee, representation, or warranty of any kind by BlackBerry Limited and its affiliated companies ("BlackBerry") and BlackBerry assumes no responsibility for any typographical, technical, or other inaccuracies, errors, or omissions in this documentation. In order to protect BlackBerry proprietary and confidential information and/or trade secrets, this documentation may describe some aspects of BlackBerry technology in generalized terms. BlackBerry reserves the right to periodically change information that is contained in this documentation; however, BlackBerry makes no commitment to provide any such changes, updates, enhancements, or other additions to this documentation to you in a timely manner or at all. This documentation might contain references to third-party sources of information, hardware or software, products or services including components and content such as content protected by copyright and/or third-party websites (collectively the "Third Party Products and Services"). BlackBerry does not control, and is not responsible for, any Third Party Products and Services including, without limitation the content, accuracy, copyright compliance, compatibility, performance, trustworthiness, legality, decency, links, or any other aspect of Third Party Products and Services. The inclusion of a reference to Third Party Products and Services in this documentation does not imply endorsement by BlackBerry of the Third Party Products and Services or the third party in any way. EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS OR WARRANTIES OF DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE, MERCHANTABILITY, MERCHANTABLE QUALITY, NON-INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND CONDITIONS. TO THE EXTENT PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE DOCUMENTATION TO THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE

136 Legal notice HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE SUBJECT OF THE CLAIM. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL BLACKBERRY BE LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE FOLLOWING DAMAGES: DIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED DAMAGES, DAMAGES FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION OR LOSS OF DATA, FAILURES TO TRANSMIT OR RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY APPLICATIONS USED IN CONJUNCTION WITH BLACKBERRY PRODUCTS OR SERVICES, DOWNTIME COSTS, LOSS OF THE USE OF BLACKBERRY PRODUCTS OR SERVICES OR ANY PORTION THEREOF OR OF ANY AIRTIME SERVICES, COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR SERVICES, COST OF CAPITAL, OR OTHER SIMILAR PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR UNFORESEEN, AND EVEN IF BLACKBERRY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, BLACKBERRY SHALL HAVE NO OTHER OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING ANY LIABILITY FOR NEGLIGENCE OR STRICT LIABILITY. THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF THE CAUSE OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL BREACH OR BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY CONTAINED HEREIN; AND (B) TO BLACKBERRY AND ITS AFFILIATED COMPANIES, THEIR SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS (INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED BLACKBERRY DISTRIBUTORS (ALSO INCLUDING AIRTIME SERVICE PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT CONTRACTORS. IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR, EMPLOYEE, AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF BLACKBERRY OR ANY AFFILIATES OF BLACKBERRY HAVE ANY LIABILITY ARISING FROM OR RELATED TO THE DOCUMENTATION. Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure that your airtime service provider has agreed to support all of their features. Some airtime service providers might not offer Internet browsing functionality with a subscription to the BlackBerry Internet Service. Check with your service provider for availability, roaming arrangements, service plans and features. Installation or use of Third Party Products and Services with BlackBerry's products and services may require one or more patent, trademark, copyright, or other licenses in order to avoid infringement or violation of third party rights. You are solely responsible for determining whether to use Third Party Products and Services and if any third party licenses are required to do so. If required you are responsible for acquiring them. You should not install or use Third Party Products and Services until all necessary licenses have been acquired. Any Third Party Products and Services that are provided with BlackBerry's products and services are provided as a convenience to you and are provided "AS IS" with no express or implied conditions, endorsements, guarantees, representations, or warranties of any kind by BlackBerry and BlackBerry assumes no liability whatsoever, in relation thereto. Your use of Third Party Products and Services shall be governed by and subject to you agreeing to the terms of 136

137 Legal notice separate licenses and other agreements applicable thereto with third parties, except to the extent expressly covered by a license or other agreement with BlackBerry. The terms of use of any BlackBerry product or service are set out in a separate license or other agreement with BlackBerry applicable thereto. NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN AGREEMENTS OR WARRANTIES PROVIDED BY BLACKBERRY FOR PORTIONS OF ANY BLACKBERRY PRODUCT OR SERVICE OTHER THAN THIS DOCUMENTATION. BlackBerry Limited 2200 University Avenue East Waterloo, Ontario Canada N2K 0A7 BlackBerry UK Limited 200 Bath Road Slough, Berkshire SL1 3XE United Kingdom Published in Canada 137

138