Administration Guide BlackBerry Enterprise Service 12 Version 12.0


BES 12 administration guide, EN version of the documentation.


    Published: 2014-11-28
    SWD-20141128112224389

Contents

    Introduction 9
        About this guide 10
        What is BES12? 11
            Key features of BES12 11
        About BES12 Self-Service 12
        How to use this guide 13
            Steps to administer BES12 13
            Examples of everyday administration scenarios 14
        How to use the management console 15
            Log in to BES12 18

    Administrators 21
        Setting up administrators 22
            Steps to set up administrators 22
            How BES12 chooses which role to assign 22
            Creating and managing administrator groups 23
            Creating and managing administrators 24
            Managing roles 25

    Secure Work Space 35
        Setting up Secure Work Space for iOS and Android devices 36
            Managing devices that have a work space 36
            Upgrading work space apps 37
            Test the Secure Work Space connection 37
            Recreating the Secure Work Space connection 37

    Work connections 39
        Setting up work connections for devices 40
            Steps to set up work connections for devices 40
            Managing work connections using profiles 40
            Best practice: Creating profiles 42
            Sending certificates to devices 43
            Setting up work email for devices 47
            Creating connection profiles 52
        Managing profiles 63
            Assigning profiles 63
            How BES12 chooses which profiles to assign 64
            Rank profiles 65
            View a profile 65
            Change profile settings 66
            Remove a profile from user accounts or user groups 66
            Delete a profile 67
        Using variables 68
            Using variables in profiles 68
            Default variables 68
            Custom variables 70

    Device standards 73
        Setting your organization's standards for devices 74
            Steps to set up your organization's standards for devices 74
            Managing your organization's standards using profiles 74
            Enforcing compliance rules for devices 75
            Filtering web content on iOS devices 77
            Limiting iOS devices to a single app 79
            Managing email and web domains for iOS 8 devices 80
            Creating organization notices to display on BlackBerry 10 devices 81
            Displaying organization information on devices 82

    IT policies 85
        Controlling device capabilities using IT policies 86
            Steps to manage IT policies 86
            Restricting or allowing device capabilities 86
            How BES12 chooses which IT policy to assign 87
            Creating and managing IT policies 88
        Controlling BlackBerry OS device capabilities using IT policies 91
            Steps to manage BlackBerry OS IT policies 91
            Restricting or allowing BlackBerry OS device capabilities 91
            Preconfigured BlackBerry OS IT policies 92
            Assigning BlackBerry OS IT policies and resolving IT policy conflicts 93
            Deactivating BlackBerry OS devices that do not have IT policies applied 94
            Creating and managing BlackBerry OS IT policies 95

    Apps 99
        Managing apps on devices 100
            Steps to manage apps 100
            Adding and deleting apps from the available app list 100
            Preventing users from installing specific iOS, Android, and Windows Phone apps 107
            Managing app groups 109
            Managing Apple VPP accounts 110
            Change whether an app is required or optional 112
            View the status of apps and app groups assigned to user accounts 112
            View which apps are assigned to user groups 113
            Update the information in the available app list 113
            Set the organization name for BlackBerry World 113
        Managing apps on BlackBerry OS devices 114
            Managing apps on BlackBerry OS devices 114
            Preparing to distribute BlackBerry Java Applications 114
            Configuring application control policies 115
            Application control policies for unlisted applications 118
            Creating software configurations 120
            Install BlackBerry Java Applications on a BlackBerry OS device at a central computer 122
            View the users that have a BlackBerry Java Application installed on their BlackBerry OS devices 123
            Reconciliation rules for conflicting settings in software configurations 123

    Users and devices 131
        Managing user groups and user accounts 132
            Steps to create user groups and user accounts 132
            Creating and managing user groups 133
            Creating and managing user accounts 142
            Using filters to customize the users and devices view 154
        Managing device groups 156
            Steps to create and manage device groups 156
            Creating a device group 156
            View a device group 159
            Change the name of a device group 159
            Delete a device group 160
        Activating devices 161
            Steps to activate devices 161
            Requirements: Activation 161
            License requirements for activation types 162
            Controlling device activation settings using activation profiles 163
            Manage default activation password expiration and length 166
            Turn off user registration with the BlackBerry Infrastructure 167
            Update the template for the activation email 167
            Set an activation password and send an activation email message 168
            Allowing users to set activation passwords 168
            Activate a BlackBerry 10 device 169
            Activate a BlackBerry OS device 170
            Activate an iOS device 170
            Activate an Android device 171
            Activate a Windows Phone device 171
            Troubleshooting 172
        Managing devices 176
            Using dashboard reports 176
            Using IT administration commands to manage devices 177
            View and save a device report 182
            Verifying that a device is allowed to access work email and organizer data 183
            Exchange Gatekeeping 183
            Deactivating devices 184

    Maintenance and monitoring 185
        Using log files 186
            Managing BES12 log files 186
            Finding log files 188
            Reading log files 189
            Auditing app activity on BlackBerry 10 and BlackBerry OS devices 194
            Viewing device actions 194
            Retrieving log files from devices 195
        Auditing actions in BES12 197
            Configure audit settings 197
            View and filter the audit log 197
            Export the audit log to a .csv file 198
            Delete old audit records 198
        Using SNMP to monitor BES12 199

    Profile settings 201
        Email profile settings 202
            Common settings 202
            BlackBerry 10 settings 203
            iOS settings 211
            Android settings 214
            Windows Phone settings 215
        SCEP profile settings 217
            Common settings 217
            BlackBerry 10 settings 218
            iOS settings 220
        Wi-Fi profile settings 223
            Common settings 223
            BlackBerry 10 settings 223
            iOS settings 228
            Android settings 233
            Windows Phone settings 236
        VPN profile settings 240
            BlackBerry 10 settings 240
            iOS settings 249

    Product documentation 253

    Provide feedback 257

    Glossary 259

    Legal notice 263

Introduction

    Learn more about BES12 and how to use this guide.

About this guide

    BES12 helps you manage the devices in your organization. This guide describes how to administer BES12, from creating administrators to getting your device users up and running to maintaining and monitoring BES12.

    This guide is intended for senior and junior IT professionals who are responsible for setting up and administering BES12. Before using this guide, a senior IT professional should configure the BES12 environment as described in the BlackBerry Enterprise Service 12 Configuration Guide.

    1

    Introduction

    10

What is BES12?

    BES12 is an EMM solution from BlackBerry. EMM solutions help you do the following:

    • Manage mobile devices for your organization to protect business information
    • Keep mobile workers connected with the information that they need
    • Provide administrators with efficient business tools

    With BES12, you can manage the following device types:

    • BlackBerry 10
    • BlackBerry OS (version 5.0 to 7.1)
    • iOS
    • Android
    • Windows Phone

    You can manage these devices from a single, simplified UI with industry-leading security.

Key features of BES12

    Management of many types of devices: You can manage BlackBerry 10, BlackBerry OS (version 5.0 to 7.1), iOS, Android, and Windows Phone devices.

    Single, unified UI: You can view all devices in one place and access all management tasks in a single, web-based UI. You can share administrative duties with multiple administrators who can access the management console at the same time.

    Trusted and secure experience: Device controls give you precise management of how devices connect to your network, what capabilities are enabled, and what apps are available. Whether the devices are owned by your organization or your users, you can protect your organization's information.

    Balance of work and personal needs: BlackBerry Balance and Secure Work Space technologies are designed to make sure that personal information and work information are kept separate and secure on devices. If the device is lost or the employee leaves the organization, you can delete only work-related information or all information from the device.


About BES12 Self-Service

    BES12 Self-Service is a web application that you can make available to users so that they can perform certain tasks such as creating activation passwords, locking devices, or deleting data from devices. Users do not need to install any software on their computers to use BES12 Self-Service.

    You must provide the BES12 Self-Service login information to users. You can send this information in an email message, or edit the activation email template to include the information. Users need the following information:

    • Web address: The web address for BES12 Self-Service is displayed in the management console at Settings > Self-Service.
    • Username and password: Company directory users can log in with their organization usernames and passwords. For local users, you must create the usernames and temporary passwords.
    • Domain name: The domain name is required by Microsoft Active Directory users.


How to use this guide

    The tasks in this guide are presented in a particular order to help get you up and running in the most efficient way, particularly if you are administering BES12 for the first time.

    You might not need to complete all of these tasks. You can choose to activate certain device types, separate work and personal data in different ways, or enforce different compliance rules, device capabilities, and connections.

Steps to administer BES12

    When you administer BES12, you perform the following actions. These actions are reflected in the sections of this guide.

    1. If you want to share administration work with other IT staff, set up administrators.
    2. Set up work connections (for example, email, Wi-Fi, and VPN).
    3. Set up device standards (for example, compliance rules).
    4. Update the Default IT policy or create new IT policies.
    5. Determine which apps to send to devices.
    6. Create users and groups.
    7. Assign work connections, device standards, IT policies, and apps to users and groups.
    8. Help users activate their devices.
    9. Maintain and monitor BES12.


Examples of everyday administration scenarios

    The following scenarios provide examples of choices that you might make when setting up different devices for different users.

    Scenario: Manage BlackBerry 10 devices for work and personal
    You might want to:
    • Create profiles for certificates
    • Create a profile for single sign-on to secure work domains
    • Create a profile for a proxy server
    • Choose the "Work and personal - Corporate" or "Work and personal - Regulated" activation type

    Scenario: Manage iOS, Android, or Windows Phone devices with basic management
    You might want to:
    • Create profiles for work email and work Wi-Fi
    • Change the Default IT policy to enforce a device password
    • Choose a work app to send to the device
    • Choose the "MDM controls" activation type

    Scenario: Manage BlackBerry OS (version 5.0 to 7.1) devices
    You might want to:
    • Change the Default BlackBerry OS IT policy to enforce a device password
    • Resend the BlackBerry OS IT policy to devices

    Scenario: Set up iOS or Android devices with extra security for work data
    You might want to:
    • Create a profile for enterprise connectivity for extra security for data in transit
    • Enable S/MIME for extra email security
    • Create a compliance profile to prevent access to work resources if the device is jailbroken or rooted
    • Create a web content filter profile to limit the websites that the device user can access
    • Set up Secure Work Space to separate and secure work data
    • Secure an app to send to the device

    Scenario: Set up BlackBerry 10 devices for work only
    You might want to:
    • Create profiles for certificates and VPN
    • Enable S/MIME for extra email security
    • Create an IT policy to prevent the use of the device camera
    • Choose the "Work space only" activation type

    Scenario: Set up an iOS device that is limited to one app for software demonstrations
    You might want to:
    • Create a single app mode profile

    Introduction

    14

    How to use the management console

    The management console is the UI that you use to administer BES12.

    Set up administrators

    You can click Add user to add a user, and then use the settings to make the user an administrator.

    Set up work connections and device standards

    You can set up work connections and device standards using IT policies and profiles.

    Find users and devices


    You can use filters to find the users and devices that you want to manage.

    Choose apps to send to devices

    You can add and manage apps and app groups, as well as view information about them.

    Create groups of users

    Groups simplify the management of users and devices. You can create groups to share IT policies, profiles, apps, and other configuration settings among similar users or devices.

    Assign IT policies, profiles, and apps to groups

    When you assign IT policies, profiles, and apps to a group, you assign the settings to all of the users in the group.


    Help your users activate devices

    You can configure how you want devices to activate by using activation profiles and related settings. Users can then perform the activations themselves.

    Maintain and monitor BES12

    With the dashboard, you can view information about BES12 and its users and devices.


    When you view the details of a user's device, you can perform commands like resetting the password, locking the device, or deleting data.

    Log in to BES12

    The management console allows you to perform administrative tasks for devices in your organization that are managed by BES12.

    Before you begin:

    Locate the web address (for example, http://:8008/admin/index.jsp) and login information for the management console. You can find the information in the inbox of the email account that is associated with your BES12 account.

    You must know the authentication method and the domain (applicable for Microsoft Active Directory authentication only).

    1. In the browser, type the web address for the BES12 management console of your organization.

    2. In the Username field, type your username.

    3. In the Password field, type your password.

    4. If necessary, in the Sign in using drop-down list, do one of the following:

    Click Direct authentication.

    Click LDAP authentication.

    Click Microsoft Active Directory authentication. In the Domain field, type the Microsoft Active Directory domain.

    5. Click Sign in.

    After you finish: You can change your login password by clicking the user icon in the top-right corner of the management console.

    Administrators

    Set up administrators with permissions that are appropriate for their job responsibilities.

    Setting up administrators

    Administrators are users that are assigned an administrative role by user group or user account. The actions that administrators can perform are defined in the role that is assigned to them. You can assign a preconfigured role or a custom role that you create. Each role has a set of permissions that specifies the information that administrators can view and the actions that they can perform in the BES12 management console.

    Roles help your organization to do the following:

    Reduce security risks associated with allowing all administrators to access all administrative options

    Define different types of administrators to better distribute job responsibilities

    Increase efficiency for administrators by limiting accessible options to their job responsibilities

    Steps to set up administrators

    When you set up administrators, you perform the following actions:

    If necessary, create a custom role.

    If necessary, rank the roles.

    Create a user group for administrators.

    Assign a role to a user group for administrators.

    Create a user account with an email address and add it to an administrator group.

    How BES12 chooses which role to assign

    Only one role is assigned to each administrator. BES12 uses the following rules to determine which role to assign to an administrator:

    The role that is assigned directly to a user account takes precedence over a role that is assigned indirectly by a user group.

    If an administrator is a member of multiple groups that have been assigned a role, BES12 assigns the role that has a higher rank. You can specify the ranking of roles.

    Creating and managing administrator groups

    Administrator groups are user groups that have a role assigned to them. You can assign a role to a directory-linked group or local group. A user can be a member of multiple administrator groups but is assigned only one role. For more information, see How BES12 chooses which role to assign.

    Only Security Administrators can add or remove members of a user group that has a role assigned to it. For more information about user groups, see Creating and managing user groups.

    Create an administrator group

    When you create an administrator group, you assign a role to a user group.

    Before you begin:

    You must be a Security Administrator to create an administrator group.

    Create a user group for administrators.

    Create a custom role, if necessary.

    1. On the menu bar, click Settings.

    2. In the left pane, expand Administrators.

    3. Click Groups.

    4. Click .

    5. Search for and select the user group that you want to assign a role to.

    6. In the Role drop-down list, click the role that you want to assign.

    7. Click Save.

    BES12 sends the users an email message with their username and a link to the management console. BES12 also sends the users a separate email message with their password to the management console. If a user does not have a console password, BES12 generates a temporary password and sends it to the user.

    After you finish: To add users to the administrator group, add them to the user group that is assigned a role. For more information, see Creating and managing user groups.

    Assign a different role to an administrator group

    Before you begin: You must be a Security Administrator to assign a different role to an administrator group.

    1. On the menu bar, click Settings.

    2. In the left pane, expand Administrators.

    3. Click Groups.

    4. Click the group of administrators whose role you want to change.

    5. In the Role drop-down list, click the role that you want to assign.

    6. Click Save.

    Remove a role from an administrator group

    When you remove a role from an administrator group, the users in the group are no longer administrators (unless they have other roles assigned to them). The users and the user group remain in the management console. The users' devices are not affected.

    Before you begin: You must be a Security Administrator to remove a role from an administrator group.

    1. On the menu bar, click Settings.

    2. In the left pane, expand Administrators.

    3. Click Groups.

    4. Select the name of the administrator group that you want to remove a role from.

    5. Click .

    6. Click Delete.

    Creating and managing administrators

    You can create an individual administrator by assigning a role to a user account. Only one role can be assigned directly to a user account. For more information, see How BES12 chooses which role to assign.

    Create an administrator

    Before you begin:

    You must be a Security Administrator to create an administrator.

    Create a user account that has an email address associated with it.

    Create a role, if necessary.

    1. On the menu bar, click Settings.

    2. In the left pane, expand Administrators.

    3. Click Users.

    4. Click .

    5. Search for and select the user account that you want to assign a role to.

    6. In the Role drop-down list, click the role that you want to assign.

    7. Click Save.

    BES12 sends the user an email message with the username and a link to the management console. BES12 also sends the user a separate email message with the password for the management console. If the user does not have a console password, BES12 generates a temporary password and sends it to the user.

    Assign a different role to an administrator

    You can change the role of another administrator. You cannot change your own role.

    Before you begin: You must be a Security Administrator to assign a different role to an administrator.

    1. On the menu bar, click Settings.

    2. In the left pane, expand Administrators.

    3. Click Users.

    4. Click the administrator whose role you want to change.

    5. In the Role drop-down list, click the role that you want to assign.

    6. Click Save.

    Remove a role from an administrator

    When you remove a role from an administrator, you remove the role that is assigned directly to the user account. If no other roles are assigned by user group, the user is no longer an administrator. The user can still be found in the management console and the user's devices are not affected.

    Before you begin: You must be a Security Administrator to remove a role from an administrator.

    1. On the menu bar, click Settings.

    2. In the left pane, expand Administrators.

    3. Click Users.

    4. Select the name of the administrator that you want to remove a role from.

    5. Click .

    6. Click Delete.

    Managing roles

    You can create roles and assign them to user accounts or user groups. When you assign a role, you grant administrator permissions to a user or user group. You must be a Security Administrator to create, view, change, rank, or assign roles.

    Preconfigured roles

    In BES12, the Security Administrator role has full permissions to the management console, including creating and changing administrator users and roles. The Security Administrator role cannot be edited or removed. At least one administrator must be a Security Administrator.

    BES12 includes preconfigured roles in addition to the Security Administrator role. You can edit or remove all roles except the Security Administrator role.

    If you upgraded from BES5, the roles configuration from BES5 is copied to BES12.

    If you did not upgrade from BES5, the following preconfigured roles are available:

    Role Description

    Security Administrator Full permissions

    Enterprise Administrator All permissions except for creating and changing administrator users and roles

    Senior HelpDesk Intermediate administrative tasks

    Junior HelpDesk Basic administrative tasks

    Best practice: Reviewing the permissions of each role after upgrading from BES5

    Review the permissions of each role after you upgrade from BES5. When you upgrade from BES5, the roles configuration in BES5 is copied to BES12. Because roles work differently in BES12, there may be permissions that you want to add or remove.

    Permissions for preconfigured roles

    The following tables list the permissions that are turned on for each preconfigured role in BES12. The Security Administrator role in BES12 has full permissions to the management console, including managing administrator users and roles.

    Note: If you upgrade from BES5, the role configuration from BES5 is copied to BES12. Roles that are copied may have similar names but different permissions.

    Users and devices

    Permission Enterprise Administrator Senior HelpDesk Junior HelpDesk

    View users and activated devices

    Create users

    Edit users

    Delete users

    Export user list


    Generate an activation password and send email

    Specify an activation password

    Specify console password

    Manage devices

    Specify device password

    Lock device and set message

    Unlock and clear password

    Delete only work data

    Delete all device data

    Specify work password and lock

    Groups

    Permission Enterprise Administrator Senior HelpDesk Junior HelpDesk

    View group settings

    Create and edit user groups

    Add and remove users from user groups

    Delete user groups

    Create and edit device groups

    Delete device groups

    Policies and profiles

    Permission Enterprise Administrator Senior HelpDesk Junior HelpDesk

    View IT policies and profiles

    Create and edit IT policies and profiles

    Delete IT policies and profiles

    Assign IT policies and profiles to users


    Assign IT policies and profiles to user groups

    Assign IT policies and profiles to device groups

    Rank IT policies and profiles

    Apps

    Permission Enterprise Administrator Senior HelpDesk Junior HelpDesk

    View apps and app groups

    Create and edit apps and app groups

    Delete apps and app groups

    Assign apps and app groups to users

    Assign apps and app groups to user groups

    Assign apps and app groups to device groups

    View app licenses

    Create app licenses

    Edit app licenses

    Delete app licenses

    Assign app license to apps or app groups

    Restricted apps

    Permission Enterprise Administrator Senior HelpDesk Junior HelpDesk

    View restricted apps

    Create restricted apps

    Delete restricted apps

    Settings

    Permission Enterprise Administrator Senior HelpDesk Junior HelpDesk

    View general settings

    Edit activation defaults

    Edit activation email

    Edit console password settings

    Edit self-service console settings

    Edit default variables

    Edit custom variables

    View app management

    Edit BlackBerry World for Work

    Edit internal app storage

    Edit internal app distribution

    View external integration settings

    iOS management

    Edit SMTP server settings

    Company directory settings

    Microsoft Exchange configuration

    View administrator users and roles

    View licensing summary

    Manage subscriptions

    Edit licensing settings

    View servers

    Edit servers

    Delete servers

    Manage servers


    View audit settings

    Edit audit settings and purge data

    View migration settings

    Edit migration settings

    View BlackBerry Work Connect Notification Service settings

    Edit BlackBerry Work Connect Notification Service settings

    View server certificates

    Update server certificates

    Dashboard

    Permission Enterprise Administrator Senior HelpDesk Junior HelpDesk

    View dashboard

    Auditing

    Permission Enterprise Administrator Senior HelpDesk Junior HelpDesk

    View audit information

    BlackBerry OS permissions

    If you upgrade from BES5, the following additional permissions are available:

    View BlackBerry OS IT policies

    Create and edit BlackBerry OS IT policies

    Delete BlackBerry OS IT policies

    View jobs

    Edit jobs

    View default distribution settings for jobs

    Edit default distribution settings for jobs

    Manage job tasks

    Change status of job tasks

    Custom roles

    If the preconfigured roles do not meet the needs of your organization, you can create custom roles for administrators. You can also create custom roles to restrict administrative tasks to a defined list of user groups. For example, you can create a role for new administrators that restricts their permissions to a user group for training only.

    Create a custom role

    Before you begin: You must be a Security Administrator to create a role.

    1. On the menu bar, click Settings.

    2. In the left pane, expand Administrators.

    3. Click Roles.

    4. Click .

    5. Type a name and description for the role.

    6. To copy permissions from another role, click a role in the Permissions copied from role drop-down list.

    7. Perform one of the following tasks:

    Task: Allow administrators in this role to search all company directories
      1. Select the All company directories option.

    Task: Allow administrators in this role to search selected company directories
      1. Select the Selected company directories only option.
      2. Click Select directories.
      3. Select one or more directories and click .
      4. Click Save.

    8. Perform one of the following tasks:

    Task: Allow administrators in this role to manage all users and groups
      1. Select the All groups and users option.

    Task: Allow administrators in this role to manage selected groups
      1. Select the Selected groups only option.
      2. Click Select groups.
      3. Select one or more groups and click .
      4. Click Save.

    9. Select the permissions for administrators in this role.

    10. Click Save.

    After you finish: If necessary, adjust the ranking of the role that you created.

    View the settings of a role

    Before you begin: You must be a Security Administrator to view the settings of a role.

    1. On the menu bar, click Settings.

    2. In the left pane, expand Administrators.

    3. Click Roles.

    4. Click the role that you want to view.

    Change the settings of a role

    You can change the settings of all roles except the Security Administrator role.

    Before you begin: You must be a Security Administrator to change the settings of a role.

    1. On the menu bar, click Settings.

    2. In the left pane, expand Administrators.

    3. Click Roles.

    4. Click the role that you want to change.

    5. Click .

    6. Type a name and description for the role.

    7. Perform one of the following tasks:

    Task: Allow administrators in this role to search all company directories
      1. Select the All company directories option.

    Task: Allow administrators in this role to search selected company directories
      1. Select the Selected company directories only option.
      2. Click Select directories.
      3. Select one or more directories and click .
      4. Click Save.

    8. Perform one of the following tasks:

    Task: Allow administrators in this role to manage all users and groups
      1. Select the All groups and users option.

    Task: Allow administrators in this role to manage selected groups
      1. Select the Selected groups only option.
      2. Click Select groups.
      3. Select one or more groups and click .
      4. Click Save.

    9. Change the permissions for administrator users in this role.

    10. Click Save.

    Delete a role

    You can delete all roles except the Security Administrator role.

    Before you begin:

    You must be a Security Administrator to delete a role.

    You must remove all administrators and administrator groups from the role that you want to delete.

    1. On the menu bar, click Settings.

    2. In the left pane, expand Administrators.

    3. Click Roles.

    4. Click the role that you want to delete.

    5. Click .

    Ranking roles

    When an administrator belongs to more than one administrator group, the role that is ranked higher is assigned to the administrator. For example, if an administrator belongs to both Director and Supervisor administrator groups, and the Director role is ranked higher, the administrator is assigned the Director role.

    After you create a custom role, the role is ranked lowest by default. You can adjust the ranking of roles to help BES12 choose which role to assign. For more information, see How BES12 chooses which role to assign.
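    The role-selection rules from How BES12 chooses which role to assign and the ranking behaviour described above, as an added worked example (not BlackBerry's code): it resolves the single effective role for constructed users, groups and a constructed ranking (the Director and Supervisor roles come from the guide's example; Trainer, the group names and the usernames are invented), and adds the guide's two checks that at least one Security Administrator remains and that a role still in use cannot be deleted.

```python
"""Model of how BES12 decides which single role an administrator holds.

Added example, not BlackBerry code. Implements the two rules the guide
states: a role assigned directly to a user account wins over roles
inherited from administrator groups, and among several group roles the
higher-ranked role wins (a newly created custom role ranks lowest). Also
checks two invariants from the guide: at least one administrator must be a
Security Administrator, and a role can be deleted only when no user or
group is assigned it (the Security Administrator role never can be).
All users, groups and the ranking below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SECURITY_ADMIN = "Security Administrator"


@dataclass
class Admin:
    username: str
    groups: List[str] = field(default_factory=list)  # user groups the account belongs to
    direct_role: Optional[str] = None                # role assigned to the account itself


def role_rank(role: str, ranking: List[str]) -> int:
    """Position in the ranking; 0 is the highest rank. Unranked roles sort last."""
    return ranking.index(role) if role in ranking else len(ranking)


def resolve_role(admin: Admin, group_roles: Dict[str, str],
                 ranking: List[str]) -> Optional[str]:
    """Return the one role BES12 assigns, or None if the user is not an administrator."""
    # Rule 1: a role assigned directly to the user account takes precedence.
    if admin.direct_role is not None:
        return admin.direct_role
    # Rule 2: collect roles inherited from administrator groups; plain user
    # groups (no role assigned) contribute nothing.
    inherited = [group_roles[g] for g in admin.groups if g in group_roles]
    if not inherited:
        return None
    # The highest-ranked inherited role wins; duplicates are harmless.
    return min(inherited, key=lambda r: role_rank(r, ranking))


def effective_roles(admins, group_roles, ranking) -> Dict[str, Optional[str]]:
    """Effective role per username (None for users who are not administrators)."""
    return {a.username: resolve_role(a, group_roles, ranking) for a in admins}


def has_security_administrator(admins, group_roles, ranking) -> bool:
    """Guide invariant: at least one administrator must be a Security Administrator."""
    return SECURITY_ADMIN in effective_roles(admins, group_roles, ranking).values()


def can_delete_role(role: str, admins, group_roles) -> bool:
    """A role can be deleted only if it is not Security Administrator and no
    administrator account or administrator group still holds it."""
    if role == SECURITY_ADMIN:
        return False
    if any(a.direct_role == role for a in admins):
        return False
    return role not in group_roles.values()


# --- constructed sample data -------------------------------------------------
# Ranking as it would appear on the Rank roles page, highest first. "Trainer"
# is a custom role that was just created and has not been ranked yet.
RANKING = [SECURITY_ADMIN, "Enterprise Administrator", "Director", "Supervisor",
           "Senior HelpDesk", "Junior HelpDesk"]

# Administrator groups: user group -> role assigned to that group.
GROUP_ROLES = {
    "Directors": "Director",
    "Supervisors": "Supervisor",
    "Helpdesk tier 1": "Junior HelpDesk",
    "New admins": "Trainer",
}

ADMINS = [
    Admin("alex", direct_role=SECURITY_ADMIN),               # direct assignment
    Admin("dana", groups=["Directors", "Supervisors"]),      # two groups: higher rank wins
    Admin("sam", groups=["Supervisors"],
          direct_role="Junior HelpDesk"),                    # direct wins even if ranked lower
    Admin("kim", groups=["New admins", "Helpdesk tier 1"]),  # unranked custom role loses
    Admin("pat", groups=["Sales"]),                          # no administrator group
]


def demo():
    """Resolve every sample user and check the Security Administrator invariant."""
    roles = effective_roles(ADMINS, GROUP_ROLES, RANKING)
    return roles, has_security_administrator(ADMINS, GROUP_ROLES, RANKING)


if __name__ == "__main__":
    for user, role in demo()[0].items():
        print(f"{user:5} -> {role}")
```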

    Rank roles

    Before you begin: You must be a Security Administrator to rank roles.

    1. On the menu bar, click Settings.

    2. In the left pane, expand Administrators.

    3. Click Roles.

    4. Use the arrows to move the roles up or down the ranking.

    5. Click Save.

    Secure Work Space

    Separate work data and personal data on iOS and Android devices.

    Setting up Secure Work Space for iOS and Android devices

    Secure Work Space is an option for providing extra security for work data on iOS and Android devices. Secure Work Space is similar to the BlackBerry Balance feature on BlackBerry devices.

    Using containerization and app wrapping, Secure Work Space separates personal information from work information by creating a personal space and a work space on devices. You can choose whether you want administrative control of the entire device, or only the work space on a user's device.

    To set up Secure Work Space so that users can activate devices with a work space, you must complete the following tasks:

    Purchase Gold - Secure Work Space licenses

    Create an activation profile with the appropriate activation type and assign it to users or groups

    Send activation information to users

    When users activate their devices, they are prompted to set up a work space, create a work space password, and install the default work space apps.

    Managing devices that have a work space

    Having a work space on devices helps to keep work information separate and secure, and allows you to manage the work data on devices. Data that any of the apps in the work space use is saved securely and cannot be accessed outside of the work space. For more information about work space security, visit docs.blackberry.com/BES12 to see the BlackBerry Enterprise Service 12 Security Guide for iOS, Android, and Windows Phone.

    If you assign the "Work and personal - full control" or "Work and personal - user privacy" activation type to user accounts, a work space is installed on the devices during activation and users are prompted to create work space passwords. To complete the work space setup, users must download the following apps on their devices:

    Device type: iOS
      Work Connect: for email, calendar, contacts, notes, and tasks
      Work Browser: for browsing
      Documents To Go: for securely viewing and editing work documents

    Device type: Android
      Work Space Manager: required to run the other work space apps on the device
      Secure Work Space: for email, calendar, contacts, and browsing
      Documents To Go: for securely viewing and editing work documents

    The work space allows you to take advantage of the following features:

    Convert your organization's internal apps into secured apps that can be installed and run in the work space, or obtain secured apps from the App Store or Google Play. Use app lists and app groups to install and manage secured apps. For more information, see Adding and deleting apps from the available app list.

    Control specific behaviors of the work space on devices, such as password requirements and connection preferences, by applying an IT policy to user accounts.

    Use IT administration commands to reset the work space password or delete the work space on devices.

    Upgrading work space apps

    To support new features and more operating systems, BlackBerry posts new versions of the work space apps in the App Store and Google Play.

    Users should upgrade the work space apps when new versions become available. If users upgrade their device operating system and do not upgrade to the latest version of the work space apps, the work space may not function as expected.

    For more information about the supported device operating systems, visit docs.blackberry.com/BES12 to see the BlackBerry Enterprise Service 12 Compatibility Matrix.

    Test the Secure Work Space connection

    You can test the connection between BES12 and the Secure Work Space infrastructure at any time to verify that Secure Work Space is enabled.

    1. On the menu bar, click Settings.

    2. In the left pane, in the External integration section, click Secure Work Space.

    3. Verify that Secure Work Space is enabled and the connection to the Secure Work Space infrastructure is Successful.

    4. Optionally, click Test connection to test the work space connection.

    Recreating the Secure Work Space connection

    If the Secure Work Space connection to the BlackBerry Infrastructure is disabled, you must recreate the connection.

    For example, if you create a BES12 test environment that includes a virtual computer, BES12 instance, Secure Work Space, and BES12 database using an SRP ID and you decide to uninstall the BES12 test environment and create a BES12 production environment using the same SRP ID, you must recreate the Secure Work Space connection in the production environment because it contains a new virtual computer, BES12 instance, Secure Work Space, and BES12 database. The new production environment cannot connect to the BlackBerry Infrastructure because the original Secure Work Space connection that used the SRP ID used in the test environment still exists in the BlackBerry Infrastructure.

    Recreate the Secure Work Space connection

    1. On the menu bar, click Settings.

    2. In the left pane, in the External integration section, click Secure Work Space.

    3. Click Recreate Secure Work Space tenant. In the Recreate Secure Work Space connection window, you are notified of the number of devices that require reactivation when you recreate the Secure Work Space connection.

    4. Click Recreate.

    5. Verify that Secure Work Space is enabled.

    After you finish: Make sure that users reactivate their iOS and Android devices that use Secure Work Space.

    Work connections

    Use profiles to configure work connections for BlackBerry 10, iOS, Android, and Windows Phone devices.

    Setting up work connections for devices

    You can use profiles to set up and manage work connections for devices in your organization. A profile contains configuration information for devices and each profile type supports a particular configuration, such as email settings, network settings, or certificates. You can specify settings for BlackBerry 10, iOS, Android, and Windows Phone devices in the same profile and then distribute the configuration information to devices by assigning the profile to user accounts, user groups, or device groups.

    BES12 supports email profiles and different types of certificate and connection profiles. You can use certificate profiles to specify the certificates that devices can use for authentication, and you can use email and connection profiles to configure how devices connect to work resources, such as a work mail server and work Wi-Fi network.

    Steps to set up work connections for devices

    When you set up work connections for devices, you perform the following actions:

    If devices use certificate-based authentication to connect to work resources, create certificate profiles.

    Create email and connection profiles to configure how devices connect to work resources in your organization's environment.

    If necessary, rank profiles.

    Assign profiles to user accounts, user groups, or device groups.

    Managing work connections using profiles

    You can manage work connections using the profiles available in the Policies and Profiles library.

    Certificate profiles

    You can use the following profiles to send certificates to devices:

    Profile Description

    CA certificate A CA certificate profile specifies a CA certificate that devices can use to establish trust with a work network or server.

    SCEP A SCEP profile specifies how devices obtain certificates used for authentication with a work network or mail server from your organization's CA using a SCEP service.


    Shared certificate A shared certificate profile specifies a client certificate that iOS and Android devices can use to authenticate users with a work network or server. BES12 sends the same client certificate to every user that the profile is assigned to.

    To specify a different client certificate for each user, you can add a client certificate to a user account on the User summary tab and BES12 sends the certificate to the user's iOS and Android devices.

    For more information, see Add a client certificate to a user account.

    Email and connection profiles

    You can use the following profiles to configure how devices connect to work resources:

    Profile Description

    Email An email profile specifies how devices connect to a work mail server and synchronize data.

    Certificate retrieval A certificate retrieval profile specifies how BlackBerry 10 devices retrieve certificates from LDAP servers.

    OCSP An OCSP profile specifies the OCSP responders that BlackBerry 10 devices can use to check the status of certificates.

    CRL A CRL profile specifies the CRL configurations that BES12 can use to check the status of certificates.

    Single sign-on A single sign-on profile specifies how devices authenticate with secure domains automatically after users type their username and password for the first time.

    Proxy A proxy profile specifies how devices use a proxy server to access web services on the Internet or a work network.

    Enterprise connectivity An enterprise connectivity profile specifies whether secured apps on iOS and Android devices with Secure Work Space must connect to a work network through the BlackBerry Infrastructure. Work apps on BlackBerry 10 devices use the BlackBerry Infrastructure if a work VPN or Wi-Fi connection is not available.

    BES12 includes a Default enterprise connectivity profile.

    VPN A VPN profile specifies how devices connect to a work VPN.

    Wi-Fi A Wi-Fi profile specifies how devices connect to a work Wi-Fi network.

    Best practice: Creating profiles

    Some connection profiles can include one or more associated profiles. When you specify an associated profile, you link an existing profile to a connection profile, and devices must use the associated profile when they use the connection profile.

    Consider the following guidelines:

    Determine which work connections are required for devices in your organization.

    Create profiles that you can associate with other profiles before you create the connection profiles that use them.

    Use variables where appropriate. For more information, see Using variables in profiles.

    The following table lists profiles in the order that you should create them. You can associate profiles listed earlier with profiles listed later. For example, if you create a Wi-Fi profile first, you cannot associate a proxy profile with the Wi-Fi profile when you create it. After you create a proxy profile, you must change the Wi-Fi profile to associate the proxy profile with it.

    Profile                   Can associate with                                 Applicable devices
    CA certificate            VPN (BlackBerry 10 only), Wi-Fi                    BlackBerry 10, iOS, Android, Windows Phone
    SCEP                      Email, VPN, Wi-Fi                                  BlackBerry 10, iOS
    Shared certificate        Email, VPN (iOS only), Wi-Fi                       iOS, Android
    Email                     (none)                                             BlackBerry 10, iOS, Android, Windows Phone
    Certificate retrieval     (none)                                             BlackBerry 10
    OCSP                      (none)                                             BlackBerry 10
    CRL                       (none)                                             BlackBerry 10
    Single sign-on            (none)                                             BlackBerry 10, iOS
    Proxy                     Enterprise connectivity, VPN (BlackBerry 10        BlackBerry 10, iOS, Android with Secure Work Space
                              and iOS), Wi-Fi (BlackBerry 10 and iOS)
    Enterprise connectivity   (none)                                             BlackBerry 10, iOS with Secure Work Space,
                                                                                 Android with Secure Work Space
    VPN                       Wi-Fi (BlackBerry 10 only)                         BlackBerry 10, iOS
    Wi-Fi                     (none)                                             BlackBerry 10, iOS, Android, Windows Phone

    Sending certificates to devices

    A certificate is a digital document issued by a CA that verifies the identity of the certificate subject and binds that identity to a public key. Each certificate has a corresponding private key that is stored separately. The public key and private key form an asymmetric key pair that can be used for data encryption and identity authentication. A CA signs the certificate so that entities that trust the CA can also trust the certificate.

    Devices can use certificates to:

    Authenticate using SSL/TLS when connecting to webpages that use HTTPS

    Authenticate with a work mail server

    Authenticate with a work Wi-Fi network or VPN

    Encrypt and sign email messages using S/MIME protection

    Many certificates used for different purposes can be stored on a device. You can use certificate profiles to send CA certificates and client certificates to devices.

    Related information
    Creating CA certificate profiles, on page 44
    Creating SCEP profiles, on page 45
    Creating shared certificate profiles, on page 46
    Add a client certificate to a user account, on page 151

    Creating CA certificate profiles

    You might need to distribute CA certificates to devices if your organization uses S/MIME or if the devices use certificate-based authentication to connect to a network or server in your organization's environment.

    When you send a CA certificate to a device, the device trusts the identity associated with any client or server certificate signed by the CA. When the certificate for the CA that signed your organization's network and server certificates is stored on devices, the devices can trust your networks and servers when they make secure connections. When the CA certificate that signed your organization's S/MIME certificates is stored on devices, the devices can trust the sender's certificate when a secure email message is received.

    Many CA certificates that are used for different purposes can be stored on a device. You can use CA certificate profiles to send CA certificates to devices.

    Create a CA certificate profile

    Before you begin: You must obtain the CA certificate file that you want to send to devices. It must have a .der file name extension.

    1. On the menu bar, click Policies and Profiles.

    2. Click beside CA certificate.

    3. Type a name and description for the profile. Each CA certificate profile must have a unique name. Some names (for example, ca_1) are reserved.

    4. In the Certificate file field, click Browse to locate the certificate file.

    5. If the CA certificate is sent to BlackBerry devices, specify one or more of the following certificate stores to send the certificate to on the device:

    Browser certificate store

    VPN certificate store

    Wi-Fi certificate store

    Enterprise certificate store

    6. Click Add.

    Related information
    Assign a profile to a user account, on page 150
    Assign a profile to a user group, on page 138
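The .der requirement above is about encoding, not just the file name: a PEM file renamed to .der is still PEM and the upload will not be usable. The following helpers are an added example, not code from the BES12 guide or from BlackBerry. They use only the Python standard library to tell PEM from DER, convert PEM to DER, and check the DER framing of an X.509 certificate (an outer SEQUENCE holding exactly tbsCertificate, signatureAlgorithm and signatureValue, with no trailing bytes). The sample bytes built by build_sample_der() are constructed for illustration and are not a real certificate; nothing here verifies a signature.

```python
"""Added example, not from the BES12 guide: sanity checks for the CA
certificate file before it goes into a CA certificate profile."""
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def read_tlv(data: bytes, offset: int = 0):
    """Parse one DER tag-length-value starting at offset.

    Returns (tag, value_start, value_end). Accepts short-form lengths
    (< 128) and long-form lengths (0x81..0x84 plus 1..4 length bytes) and
    rejects the indefinite form, which DER forbids.
    """
    if offset + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, first = data[offset], data[offset + 1]
    if first < 0x80:
        length, header = first, 2
    elif first == 0x80:
        raise ValueError("indefinite length is not valid DER")
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or offset + 2 + n > len(data):
            raise ValueError("unsupported or truncated length encoding")
        length = int.from_bytes(data[offset + 2:offset + 2 + n], "big")
        header = 2 + n
    start = offset + header
    end = start + length
    if end > len(data):
        raise ValueError("DER length exceeds file size (truncated file?)")
    return tag, start, end


def to_der(raw: bytes) -> bytes:
    """Return DER bytes from either a PEM or a DER file's contents."""
    text = raw.strip()
    if text.startswith(PEM_HEADER):
        # ssl.PEM_cert_to_DER_cert base64-decodes the body between the markers.
        return ssl.PEM_cert_to_DER_cert(text.decode("ascii"))
    return raw


def to_pem(der: bytes) -> str:
    """PEM-armor DER bytes (the reverse conversion, used for comparison)."""
    return ssl.DER_cert_to_PEM_cert(der)


def looks_like_x509_der(der: bytes) -> bool:
    """True if der is one SEQUENCE whose value is exactly SEQUENCE,
    SEQUENCE, BIT STRING: the outer shape of an X.509 Certificate."""
    try:
        tag, pos, end = read_tlv(der)
        if tag != 0x30 or end != len(der):   # wrong tag, PEM text, or trailing bytes
            return False
        tags = []
        while pos < end:
            child_tag, _, pos = read_tlv(der, pos)
            tags.append(child_tag)
    except ValueError:
        return False
    return tags == [0x30, 0x30, 0x03]


def prepare_profile_certificate(raw: bytes) -> bytes:
    """Accept PEM or DER file contents and return validated DER, or raise."""
    der = to_der(raw)
    if not looks_like_x509_der(der):
        raise ValueError("file is not a DER-encoded X.509 certificate")
    return der


def build_sample_der() -> bytes:
    """Constructed blob with the outer shape of a certificate. It uses a
    long-form length (0x81 ...) as every real certificate does, since real
    certificates are longer than 127 bytes. It is not a real certificate."""
    tbs = b"\x30\x81\xbe" + b"\x04\x81\xbb" + b"A" * 187   # 193 bytes
    sig_alg = b"\x30\x00"                                   # empty SEQUENCE
    sig = b"\x03\x02\x00\xff"                               # BIT STRING
    body = tbs + sig_alg + sig                              # 199 bytes
    return b"\x30\x81" + bytes([len(body)]) + body          # 202 bytes


if __name__ == "__main__":
    sample = build_sample_der()
    pem = to_pem(sample).encode("ascii")
    print("DER accepted:", looks_like_x509_der(sample))
    print("PEM renamed to .der accepted:", looks_like_x509_der(pem))
    print("PEM converted to DER matches:", prepare_profile_certificate(pem) == sample)
```

The length check in looks_like_x509_der is the one that catches the two common upload mistakes: a PEM file with a .der extension (the first byte is "-" rather than 0x30) and a truncated or padded binary file (the outer length no longer matches the file size). Run prepare_profile_certificate() over the file contents and write the returned bytes out as the .der file to attach in step 4.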


    CA certificate stores on BlackBerry 10 devices

    CA certificates that are sent to BlackBerry 10 devices can be stored in different certificate stores, depending on the purpose of the certificate.

    Browser certificate store: The work browser on BlackBerry 10 devices uses the certificates in this store to establish SSL connections with servers in your organization's environment. Devices that are running BlackBerry 10 OS version 10.0 also use the certificates in this store to authenticate S/MIME-protected email messages that are received.

    VPN certificate store: BlackBerry 10 devices use certificates in this store for VPN connections. You must set the "Trusted certificate source" setting in the VPN profile to "Trusted certificate store" to use the certificates in this store for work VPN connections.

    Wi-Fi certificate store: BlackBerry 10 devices use certificates in this store for Wi-Fi connections. You must set the "Trusted certificate source" setting in the Wi-Fi profile to "Trusted certificate store" to use certificates in this store for work Wi-Fi connections.

    Enterprise certificate store: Devices that are running BlackBerry 10 OS version 10.1 and later use certificates in this store to authenticate S/MIME-protected email messages that are received.

    Creating SCEP profiles

    You can use a SCEP profile to specify how BlackBerry 10 and iOS devices obtain certificates from your organization's CA through a SCEP service. SCEP is an IETF protocol that simplifies the process of enrolling certificates to a large number of devices without any administrator input or approval required to issue each certificate. Devices can use SCEP to request and obtain client certificates from a SCEP-compliant CA that is used by your organization. The CA that you use must support challenge passwords. The CA uses challenge passwords to verify that the device is authorized to submit a certificate request.

    Devices can use the certificates obtained using SCEP to connect to a work Wi-Fi network, work VPN, or work mail server.

    Android and Windows Phone devices do not support SCEP.

    Create a SCEP profile

    The required profile settings vary for each device type and depend on the SCEP service configuration in your environment. For more information about the profile settings for each device type, see SCEP profile settings.

    1. On the menu bar, click Policies and Profiles.

    2. Click beside SCEP.

    3. Type a name and description for the profile.

    4. In the URL field, type the URL for the SCEP service. The URL should include the protocol, FQDN, port number, and SCEP path.


    5. In the Instance name field, type the instance name for the CA.

    6. In the SCEP challenge type list, select Static or Dynamic, and then specify the required settings for the challenge type.

    7. Optionally, clear the check box for any device type that you do not want to configure the profile for.

    8. Perform the following actions:

    a. Click the tab for a device type.

    b. Configure the appropriate values for each profile setting to match the SCEP service configuration in your environment.

    9. Repeat step 8 for each device type in your organization.

    10. Click Add.

    After you finish: If devices will use the certificate to authenticate with a work Wi-Fi network, work VPN, or work mail server, associate the SCEP profile with a Wi-Fi, VPN, or email profile.
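What the URL from step 4 and the instance name from step 5 become on the wire, and one check worth running against the SCEP service before assigning the profile, as an added example (not code from the BES12 guide or from BlackBerry). The operation names, the message parameter and the capability keywords follow RFC 8894 (SCEP); the rule that the profile URL must not already carry a query string is this example's own, as are the server name scep.example.com, the NDES-style path, and the constructed GetCACaps reply.

```python
"""Added example, not from the BES12 guide: SCEP URL handling and a
GetCACaps review, following RFC 8894."""
from urllib.parse import urlsplit, urlencode

# Capability keywords defined in RFC 8894 section 3.5.2.
KNOWN_CAPS = {"AES", "DES3", "GetNextCACert", "POSTPKIOperation",
              "Renewal", "SHA-1", "SHA-256", "SHA-512", "SCEPStandard"}

# Constructed reply from a well-configured CA (one keyword per line).
SAMPLE_CACAPS = "POSTPKIOperation\nSHA-256\nAES\nRenewal\nSCEPStandard\n"


def validate_scep_url(url: str) -> dict:
    """Check that the profile URL carries scheme, FQDN, port and SCEP path,
    as step 4 requires, and return its parts. Rejecting a query string is
    this example's own rule: the device appends ?operation=... itself."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    if not parts.hostname or "." not in parts.hostname:
        raise ValueError("host must be a fully qualified domain name")
    if parts.port is None:
        raise ValueError("port number must be given explicitly")
    if not parts.path or parts.path == "/":
        raise ValueError("SCEP path is missing")
    if parts.query:
        raise ValueError("do not include ?operation=... in the profile URL")
    return {"scheme": parts.scheme, "host": parts.hostname,
            "port": parts.port, "path": parts.path}


def is_valid_scep_url(url: str) -> bool:
    """Boolean wrapper around validate_scep_url()."""
    try:
        validate_scep_url(url)
        return True
    except ValueError:
        return False


def operation_url(base_url: str, operation: str, instance: str = "") -> str:
    """Build the GET URL a device sends for a SCEP operation. The instance
    name from step 5 travels in the 'message' parameter of GetCACert and
    GetCACaps (RFC 8894 calls it CA-IDENT)."""
    validate_scep_url(base_url)
    params = {"operation": operation}
    if instance:
        params["message"] = instance
    return f"{base_url}?{urlencode(params)}"


def parse_ca_caps(body: str) -> set:
    """Parse a GetCACaps reply: one capability keyword per line; unknown
    lines are ignored, as RFC 8894 tells clients to do."""
    return {line.strip() for line in body.splitlines()
            if line.strip() in KNOWN_CAPS}


def assess_ca_caps(caps: set) -> list:
    """Findings an administrator should resolve before assigning the
    profile; an empty list means the CA advertises modern algorithms.
    A CA that advertises neither SHA-2 nor AES leaves clients on the
    weaker legacy hash and cipher choices of the protocol."""
    findings = []
    if not caps & {"SHA-256", "SHA-512"}:
        findings.append("no SHA-256/SHA-512: requests will use a legacy hash")
    if "AES" not in caps:
        findings.append("no AES: enveloped data will use a legacy cipher")
    if "POSTPKIOperation" not in caps:
        findings.append("no POSTPKIOperation: requests are sent as GET URLs")
    return findings


if __name__ == "__main__":
    url = "https://scep.example.com:443/certsrv/mscep/mscep.dll"
    print(operation_url(url, "GetCACaps", "bes12ca"))
    print(assess_ca_caps(parse_ca_caps(SAMPLE_CACAPS)) or "CA capabilities look fine")
```

Fetch the GetCACaps URL that operation_url() prints with any HTTP client, pass the body to parse_ca_caps() and then assess_ca_caps(); resolving the findings on the CA side before the profile goes out avoids enrolling a fleet of devices with legacy algorithms.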

    Creating shared certificate profiles

    If your organization uses certificate-based authentication for connections to networks or servers in your environment, you may need to use BES12 to send client certificates to devices.

    Shared certificate profiles send a client certificate to all of the assigned users' iOS and Android devices. The devices can present the client certificate for authentication to a network or server in your organization's environment. You should use shared certificate profiles only if you need to allow more than one user to share a client certificate.

    If your organization has a SCEP service, you can use SCEP profiles to distribute client certificates to BlackBerry 10 and iOS devices. Alternatively, if you want to send a client certificate to Android or iOS devices associated with only one user account, you can add a client certificate to a user account.

    Related information
    Add a client certificate to a user account, on page 151

    Create a shared certificate profile

    Before you begin: You must obtain the client certificate file that you want to send to devices. It must have a .pfx or .p12 file name extension.

    1. On the menu bar, click Policies and Profiles.

    2. Click beside Shared certificate.

    3. Type a name and description for the profile. Each shared certificate profile must have a unique name. Some names (for example, ca_1) are reserved.

    4. In the Password field, type a password for the shared certificate profile.

    5. In the Certificate file field, click Browse to locate the certificate file.

    6. Click Add.


    Related information
    Assign a profile to a user group, on page 138
    Assign a profile to a user account, on page 150

    Setting up work email for devices

    You can use email profiles to specify how devices connect to your organization's mail server and synchronize email messages, calendar entries, and organizer data using Exchange ActiveSync or IBM Notes Traveler.

    If you want to use Exchange ActiveSync, you should note the following:

    If you require support for extended email security, you can enable S/MIME for iOS devices and S/MIME or PGP for BlackBerry 10 devices. PGP is supported by versions later than BlackBerry 10 OS version 10.3.

    If you enable S/MIME for BlackBerry 10 devices, you can use additional profiles to allow devices to automatically retrieve S/MIME certificates and check certificate status.

    If you want to use Notes Traveler, you should note the following:

    To use Notes Traveler with iOS or Android devices, you must enable Secure Work Space.

    To use Notes Traveler with BlackBerry 10 or Windows Phone devices, you must configure the appropriate settings in the email profile.

    To Do data synchronization is only supported on BlackBerry 10 devices. It uses the SyncML communication protocol on the Notes Traveler server.

    If you require support for extended email security on BlackBerry 10 devices, only IBM Notes encryption is supported (S/MIME is not supported).

    Create an email profile

    The required profile settings vary for each device type and depend on the settings that you select. For more information about the profile settings, see Email profile settings.

    Before you begin:

    If you use certificate-based authentication for BlackBerry 10 or iOS devices, create a CA certificate profile and assign it to users. For iOS devices, you may also need to create a shared certificate profile or SCEP profile and associate it with the email profile. BlackBerry 10 devices support SCEP profiles. iOS devices support SCEP profiles and shared certificate profiles.

    To automatically apply an email profile to Android devices, use any of the following options. If you do not use one of these options, BES12 still sends the email profile to Android devices, but the user must manually configure the connection to the mail server:

    Set up Secure Work Space by activating Android devices using the "Work and personal - full control" or "Work and personal - user privacy" activation type.

    Install the TouchDown app on Android devices. For more information about the TouchDown app, visit nitrodesk.com.


    Motorola devices support the automatic application of an email profile.

    1. On the menu bar, click Policies and Profiles.

    2. Click beside Email.

    3. Type a name and description for the profile.

    4. If necessary, type the domain name of the mail server. If the profile is for multiple users who may be in different Microsoft Active Directory domains, you can use the %UserDomain% variable.

    5. In the Email address field, perform one of the following actions:

    If the profile is for one user, type the email address of the user.

    If the profile is for multiple users, type %UserEmailAddress%.

    6. Type the host name or IP address of the mail server.

    7. In the Username field, perform one of the following actions:

    If the profile is for one user, type the username.

    If the profile is for multiple users, type %UserName%.

    If the profile is for multiple users in an IBM Notes Traveler environment, type %UserDisplayName%.

    8. If you are using automatic gatekeeping, click Select servers, select the appropriate Microsoft Exchange servers from the available servers list, and then click Save.

    9. Click the tab for each device type in your organization and configure the appropriate values for each profile setting.

    10. Click Add.

    After you finish: If you create more than one email profile, Rank profiles.

    Related information
    Assign a profile to a user group, on page 138
    Assign a profile to a user account, on page 150

    Extending email security using S/MIME

    You can extend email security for BlackBerry 10 and iOS device users by enabling S/MIME. S/MIME provides a standard method of encrypting and signing email messages. Users can sign, encrypt, or sign and encrypt email messages using S/MIME protection when they use a work email account that supports S/MIME-protected messages on devices. S/MIME cannot be enabled for personal email addresses.

    Users can store recipients' S/MIME certificates on their devices. Users can store their private keys on their devices or a smart card.

    You enable S/MIME for users in an email profile. You can force BlackBerry 10 device users to use S/MIME, but not iOS device users. When S/MIME use is optional, a user can enable S/MIME on the device and specify whether to encrypt, sign, or encrypt and sign email messages.


    S/MIME settings take precedence over PGP settings. When S/MIME support is set to "Required," PGP settings are ignored.

    For more information about S/MIME, visit docs.blackberry.com/BES12 to read the BlackBerry Enterprise Service 12 Security Guide for BlackBerry.

    Retrieving S/MIME certificates on BlackBerry 10 devices

    You can use certificate retrieval profiles to allow BlackBerry 10 devices to search for and retrieve recipients' S/MIME certificates from LDAP servers. If a required S/MIME certificate is not already in a device's certificate store, the device retrieves it from the server and imports it into the certificate store automatically.

    A device searches each LDAP server that you specify in the profile and retrieves the S/MIME certificate. If there is more than one S/MIME certificate and the device is unable to determine the preferred one, the device displays all the S/MIME certificates so that the user can choose which one to use.

    If you do not create a certificate retrieval profile and assign it to user accounts, user groups, or device groups, users must manually import S/MIME certificates from a work email attachment or a computer.

    You can require that devices use either simple authentication or Kerberos to authenticate with LDAP servers. If you require that devices use simple authentication, you can include the required authentication credentials in certificate retrieval profiles so that devices can automatically authenticate with LDAP servers. If you require that devices use Kerberos authentication, you can include the required authentication credentials in certificate retrieval profiles so that devices that are running a version of BlackBerry 10 OS that is later than 10.3 can automatically authenticate with LDAP servers. Otherwise, the device prompts the user for the required authentication credentials the first time that the device tries to authenticate with an LDAP server. For devices that are running BlackBerry 10 OS version 10.2.1 to 10.3, the device prompts the user for the required authentication credentials the first time that the device tries to authenticate with an LDAP server.

    Create a certificate retrieval profile

    Before you begin: To allow devices to trust LDAP servers when they make secure connections, you might need to distribute CA certificates to devices. If necessary, create CA certificate profiles and assign them to user accounts, user groups, or device groups.

    1. On the menu bar, click Policies and Profiles.

    2. Click beside Certificate retrieval.

    3. Type a name and description for the certificate retrieval profile.

    4. In the table, click .

    5. In the Service URL field, type the FQDN of an LDAP server using the format ldap://<FQDN>:<port> (for example, ldap://server01.example.com:389). For secure connections, use the format ldaps://<FQDN>:<port>.

    6. In the Search base field, type the base DN that is the starting point for LDAP server searches.

    7. In the Search scope drop-down list, perform one of the following actions:

    To search the base object only (base DN), click Base. This option is the default value.

    To search one level below the base object, but not the base object itself, click One level.

    To search the base object and all levels below it, click Subtree.


    To search all levels below the base object, but not the base object itself, click Children.

    8. If authentication is required, perform the following actions:

    a. In the Authentication type drop-down list, click Simple or Kerberos.

    b. In the LDAP user ID field, type the DN of an account that has search permissions on the LDAP server (for example, cn=admin,dc=example,dc=com).

    c. In the LDAP password field, type the password for the account that has search permissions on the LDAP server.

    9. If necessary, select the Use secure connection check box.

    10. In the Connection timeout field, type the amount of time, in seconds, that the device waits for the LDAP server to respond.

    11. Click Add.

    12. Repeat steps 4 to 11 for each LDAP server.

    13. Click Add.

    After you finish:

    To allow devices to check certificate status, Create an OCSP profile or Create a CRL profile.

    If you create more than one certificate retrieval profile, Rank profiles.

    Related information
    Assign a profile to a user group, on page 138
    Assign a profile to a user account, on page 150
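The Service URL, Search base and Search scope settings from steps 5 to 7 describe an LDAP search, and the four scope choices differ in exactly which entries they reach. The following is an added example (not code from the BES12 guide or from BlackBerry): build_certificate_search_url() composes the RFC 4516 LDAP URL that such a search corresponds to, asking for the recipient's userCertificate attribute by e-mail address, and entries_in_scope() applies the four scope rules to a small directory. The directory, the DNs and the base dc=example,dc=com are constructed for illustration; server01.example.com is the guide's own sample host and port 636 is the standard ldaps port. The Children scope is applied in code only, because RFC 4516 URLs have no token for it.

```python
"""Added example, not from the BES12 guide: LDAP URL composition and
search-scope semantics for the certificate retrieval profile."""
from urllib.parse import quote

# Scope names as the profile shows them, mapped to RFC 4516 URL tokens.
# "Children" (subordinates only) has no RFC 4516 token, so it is applied
# client-side in entries_in_scope() below.
URL_SCOPE = {"Base": "base", "One level": "one", "Subtree": "sub"}

# Constructed directory: every DN that exists under the sample base.
SAMPLE_DIRECTORY = [
    "dc=example,dc=com",
    "ou=people,dc=example,dc=com",
    "cn=alice,ou=people,dc=example,dc=com",
    "cn=bob,ou=contractors,ou=people,dc=example,dc=com",
    "ou=servers,dc=example,dc=com",
    "dc=other,dc=com",
]


def rdn_list(dn: str) -> list:
    """Split a DN into normalised RDNs, leaf first. Escaped commas are not
    handled; the sample values here do not contain any."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def depth_below(entry_dn: str, base_dn: str):
    """How many levels entry_dn sits below base_dn (0 for the base itself),
    or None if the entry is not under the base at all."""
    entry, base = rdn_list(entry_dn), rdn_list(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return None
    return len(entry) - len(base)


def entries_in_scope(entry_dns, base_dn: str, scope: str) -> list:
    """Filter entry DNs by the profile's Search scope setting."""
    rules = {
        "Base": lambda d: d == 0,        # the base object only
        "One level": lambda d: d == 1,   # direct children, not the base
        "Subtree": lambda d: d >= 0,     # the base and everything below it
        "Children": lambda d: d >= 1,    # everything below, not the base
    }
    keep = rules[scope]
    matched = []
    for dn in entry_dns:
        depth = depth_below(dn, base_dn)
        if depth is not None and keep(depth):
            matched.append(dn)
    return matched


def build_certificate_search_url(service_url: str, search_base: str,
                                 scope: str, recipient_email: str) -> str:
    """Compose ldap[s]://host:port/base?attrs?scope?filter (RFC 4516) for
    an S/MIME certificate lookup keyed on the recipient's mail attribute."""
    if scope not in URL_SCOPE:
        raise ValueError(f"{scope!r} cannot be expressed in an LDAP URL")
    ldap_filter = f"(mail={recipient_email})"
    return (f"{service_url.rstrip('/')}/"
            f"{quote(search_base, safe='=,')}"
            f"?{quote('userCertificate;binary', safe=';')}"
            f"?{URL_SCOPE[scope]}"
            f"?{quote(ldap_filter, safe='()=@')}")


if __name__ == "__main__":
    base = "ou=people,dc=example,dc=com"
    for scope in ("Base", "One level", "Subtree", "Children"):
        print(f"{scope:10s}", entries_in_scope(SAMPLE_DIRECTORY, base, scope))
    print(build_certificate_search_url("ldaps://server01.example.com:636",
                                       "dc=example,dc=com", "Subtree",
                                       "alice@example.com"))
```

The scope that reaches the fewest entries while still covering every mailbox the device may need is the right one; Subtree over a wide base returns the most data and costs the most on the server. Pair the ldaps:// form with the CA certificate profile mentioned under "Before you begin", since that profile is what lets the device validate the LDAP server's certificate rather than connect to any host answering on that name.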

    Determining the status of S/MIME certificates on BlackBerry 10 devices

    You can use OCSP and CRL profiles to allow BlackBerry 10 devices to check the status of S/MIME certificates. You can assign an OCSP profile and a CRL profile to user accounts, user groups, or device groups.

    A device searches each OCSP responder that you specify in an OCSP profile and retrieves the S/MIME certificate status. Devices that are running a version of BlackBerry 10 OS that is later than 10.3 can send certificate status requests to BES12, and you can use CRL profiles to configure BES12 to search for the status of S/MIME certificates using HTTP, HTTPS, or LDAP.

    For more information about certificate status indicators, see the user guide for the device to read about secure email icons.

    Create an OCSP profile

    1. On the menu bar, click Policies and Profiles.

    2. Click beside OCSP.

    3. Type a name and description for the OCSP profile.

    4. Perform the following actions:

    a. In the table, click .

    b. In the Service URL field, type the web address of an OCSP responder.


    c. In the Connection timeout field, type the amount of time, in seconds, that the device waits for the OCSP response.

    d. Click Add.

    5. Repeat step 4 for each OCSP responder.

    6. Click Add.

    After you finish: If you create more than one OCSP profile, Rank profiles.

    Related information
    Assign a profile to a user group, on page 138
    Assign a profile to a user account, on page 150

    Create a CRL profile

    1. On the menu bar, click Policies and Profiles.

    2. Click beside CRL.

    3. Type a name and description for the CRL profile.

    4. To allow devices to use responder URLs defined in the certificate, select the Use certificate extension responders check box.

    5. Perform any of the following tasks:

    Task: Specify an HTTP CRL configuration

    1. In the HTTP for CRL section, click .

    2. Type a name and description for the HTTP CRL configuration.

    3. In the Service URL field, type the web address of an HTTP or HTTPS server.

    4. Click Add.

    5. Repeat steps 1 to 4 for each HTTP or HTTPS server.

    Task: Specify an LDAP CRL configuration

    1. In the LDAP for CRL section, click .

    2. Type a name and description for the LDAP CRL configuration.

    3. In the Service URL field, type the FQDN of an LDAP server using the format ldap://<FQDN>:<port> (for example, ldap://server01.example.com:389). For secure connections, use the format ldaps://<FQDN>:<port>.

    4. In the Search base field, type the base DN that is the starting point for LDAP server searches.

    5. If necessary, select the Use secure connection check box.

    6. In the LDAP user ID field, type the DN of an account that has search permissions on the LDAP server (for example, cn=admin,dc=example,dc=com).

    7. In the LDAP password field, type the password for the account that has search permissions on the LDAP server.

    8. Click Add.

    9. Repeat steps 1 to 8 for each LDAP server.

    6. Click Add.

    After you finish: If you create more than one CRL profile, Rank profiles.

    Related information
    Assign a profile to a user group, on page 138
    Assign a profile to a user account, on page 150

    Extending email security using PGP

    For devices that are running a version of BlackBerry 10 OS that is later than 10.3, you can extend email security for device users by enabling PGP. PGP protects email messages on devices using the OpenPGP format. Users can sign, encrypt, or sign and encrypt email messages using PGP protection when they use a work email address. PGP cannot be enabled for personal email addresses.

    You enable PGP for users in an email profile. You can force BlackBerry 10 device users to use PGP, disallow the use of PGP, or make it optional. When PGP use is optional (the default setting), a user can enable PGP on the device and specify whether to encrypt, sign, or encrypt and sign email messages.

    To sign and encrypt email messages, users must store PGP keys for each recipient on their devices. Users can store PGP keys by importing the files from a work email message.

    You can configure PGP using the appropriate email profile settings.

    Related information
    BlackBerry 10 settings, on page 203

    Creating connection profiles

    You can create connection profiles to configure how devices connect to work resources in your organization's environment. You can configure how devices connect to a proxy server, work VPN, and work Wi-Fi network. You can also configure enterprise connectivity for devices and single sign-on authentication for specific domains.


    Creating single sign-on profiles

    Using a single sign-on profile, you can enable BlackBerry 10 devices and certain iOS devices to authenticate automatically with domains and web services in your organization's network. After you assign a single sign-on profile, the user is prompted for a username and password the first time they try to access a secure domain that you specified. The login information is saved on the user's device and used automatically when the user tries to access any of the secure domains specified in the profile. When the user changes the password, the user is prompted again the next time they try to access a secure domain.

    Single sign-on profiles support the following authentication types:

    Kerberos: iOS 7.0 and later, for the browser and apps (you can restrict which apps can use the profile); BlackBerry 10 OS, for the browser in the work space.

    NTLM: BlackBerry 10 OS version 10.2.1 and later, for the browser and apps in the work space.

    Prerequisites: Using Kerberos authentication for BlackBerry 10 devices

    To configure Kerberos authentication for specific domains, you can upload your organization's Kerberos configuration file (krb5.conf). BES12 supports the Heimdal implementation of Kerberos.

    Verify that the configuration file meets the following requirements:

    The Kerberos configuration must use TCP by default instead of UDP. Use the prefix tcp/ for KDC hosts.

    If your organization uses VPN, the VPN gateway mu