Version 4.0
Administration Guide
BlackBerry Enterprise Server Version 4.0 for IBM Lotus Domino
Administration Guide

Last revised: 10 November 2004
Part number: SWD_X_BES(EN)-015.003

At the time of publication, this documentation complies with BlackBerry Enterprise Server Version 4.0 for IBM Lotus Domino.

© 2004 Research In Motion Limited. All rights reserved. The BlackBerry and RIM families of related marks, images and symbols are the exclusive properties and trademarks of Research In Motion Limited. RIM, Research In Motion, 'Always On, Always Connected' and BlackBerry are registered with the U.S. Patent and Trademark Office and may be pending or registered in other countries.

The Bluetooth word mark and logos are owned by the Bluetooth SIG, Inc. and any use of such marks by Research In Motion is under license. Microsoft, Windows, PowerPoint, and Windows NT are registered trademarks of Microsoft Corporation in the United States and/or other countries. Adobe and Acrobat are registered trademarks of Adobe Systems Incorporated in the United States, and/or other countries. Java and JavaScript are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. Corel and WordPerfect are registered trademarks of Corel Corporation and/or its subsidiaries in Canada, the United States and/or other countries. IBM, Lotus, Domino, Lotus Notes, and Web Access (iNotes) are trademarks of International Business Machines Corporation in the United States, other countries, or both. All other brands, product names, company names, trademarks, and service marks are the properties of their respective owners.

The BlackBerry handheld and/or associated software are protected by copyright, international treaties, and various patents, including one or more of the following U.S. patents: 6,278,442; 6,271,605; 6,219,694; 6,075,470; 6,073,318; D445,428; D433,460; D416,256. Other patents are registered or pending in various countries around the world.
Visit www.rim.com/patents.shtml for a current listing of applicable patents.

This document is provided as is and Research In Motion Limited (RIM) assumes no responsibility for any typographical, technical, or other inaccuracies in this document. RIM reserves the right to periodically change information that is contained in this document; however, RIM makes no commitment to provide any such changes, updates, enhancements, or other additions to this document to you in a timely manner or at all.

RIM MAKES NO REPRESENTATIONS, WARRANTIES, CONDITIONS, OR COVENANTS, EITHER EXPRESS OR IMPLIED (INCLUDING, WITHOUT LIMITATION, ANY EXPRESS OR IMPLIED WARRANTIES OR CONDITIONS OF FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, MERCHANTABILITY, DURABILITY, TITLE, OR RELATED TO THE PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE REFERENCED HEREIN, OR PERFORMANCE OF ANY SERVICES REFERENCED HEREIN). IN CONNECTION WITH YOUR USE OF THIS DOCUMENTATION, NEITHER RIM NOR ITS AFFILIATED COMPANIES AND THEIR RESPECTIVE DIRECTORS, OFFICERS, EMPLOYEES, OR CONSULTANTS SHALL BE LIABLE TO YOU FOR ANY DAMAGES WHATSOEVER BE THEY DIRECT, ECONOMIC, COMMERCIAL, SPECIAL, CONSEQUENTIAL, INCIDENTAL, EXEMPLARY, OR INDIRECT DAMAGES, EVEN IF RIM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, INCLUDING, WITHOUT LIMITATION, LOSS OF BUSINESS REVENUE OR EARNINGS, LOST DATA, DAMAGES CAUSED BY DELAYS, LOST PROFITS, OR A FAILURE TO REALIZE EXPECTED SAVINGS.

This document might contain references to third-party sources of information and/or third-party web sites (Third-Party Information). RIM does not control, and is not responsible for, any Third-Party Information, including, without limitation, the content, accuracy, copyright compliance, legality, decency, links, or any other aspect of Third-Party Information. The inclusion of Third-Party Information in this document does not imply endorsement by RIM of the third party in any way.
Any dealings with third parties, including, without limitation, compliance with applicable licenses, and terms and conditions are solely between you and the third party. RIM shall not be responsible or liable for any part of such dealings.

Certain features outlined in this document require a minimum version of BlackBerry Enterprise Server Software, BlackBerry Desktop Software, and/or BlackBerry Handheld Software and may require additional development or third-party products and/or services for access to corporate applications. Prior to subscribing to or implementing any third-party products and services, it is your responsibility to ensure that the airtime service provider you are working with has agreed to support all of the features of the third-party products and services.

Installation and use of third-party products and services with RIM's products and services may require one or more patent, trademark, or copyright licenses in order to avoid infringement of the intellectual property rights of others. You are solely responsible for acquiring any such licenses. To the extent that such intellectual property licenses may be required, RIM expressly recommends that you do not install or use these products until all such applicable licenses have been acquired by you or on your behalf.

Your use of third-party software shall be governed by and subject to you agreeing to the terms of separate software licenses, if any, for those products or services. Any third-party products and services that are provided with RIM's products and services are provided "as is." RIM makes no representation, warranty, or guarantee whatsoever in relation to the third-party products or services and RIM assumes no liability whatsoever in relation to the third-party products and services even if RIM has been advised of the possibility of such damages or can anticipate such damages.
This product includes software developed by the Apache Software Foundation (http://www.apache.org/) and/or licensed pursuant to Apache License, Version 2.0 (http://www.apache.org/licenses/). For more information, see the NOTICE.txt file included with the software.
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Research In Motion Limited
295 Phillip Street
Waterloo, ON N2L 3W8
Canada

Published in Canada

Research In Motion UK Limited
Centrum House, 36 Station Road
Egham, Surrey TW20 9LF
United Kingdom
Contents
1 Managing the server ... 8
    Getting started tasks ... 8
    Managing BlackBerry Windows services ... 8
        Start and stop the Mobile Data Service ... 8
        Start and stop the BlackBerry Enterprise Server ... 8
    Setting up the BlackBerry Manager ... 9
        Set the administration email address ... 9
        Set user and server list display ... 9
        Set the time and date format ... 10
        Set data refresh rates ... 10
    Managing the server ... 10
        Refresh the display ... 10
        Set message polling interval ... 10
        Set state database pruning ... 11
        Export server information to a text file ... 11
    Managing the BlackBerry Domain ... 11
        Remove a server from the BlackBerry Domain ... 11
        Add a server by importing a file ... 12
        Manage a different BlackBerry Domain ... 12
    Managing wireless network connection ... 12
        Change the SRP address ... 13
    Managing licenses ... 13
        Add a license ... 13
        Remove a license ... 14

2 Managing users ... 16
    Managing user accounts ... 16
        Add users from local or foreign domains ... 16
        Find users on all BlackBerry Enterprise Servers in the BlackBerry Domain ... 17
        Move or remove users ... 17
    Managing redirection ... 18
        Disable or enable redirection ... 18
        Set the auto-signature ... 18
        Set whether messages sent on the handheld are saved in the Sent view in Lotus Notes ... 19
        Purge pending messages ... 19
        Generate encryption keys ... 19
        Manage the peer-to-peer encryption key ... 19
        Resend service book ... 20
    Notifying users ... 20
        Send a message to selected users ... 20
        Send a message to all users ... 21

3 Managing messaging and PIM ... 22
    Managing PIM synchronization ... 22
        Configure PIM synchronization ... 22
        Disable or enable PIM synchronization ... 23
        Define PIM application synchronization settings ... 24
        Set conflict resolution ... 25
        Set wireless backup ... 25
        Set address book field mappings ... 26
    Disabling or enabling wireless email reconciliation on the server ... 26
    Managing redirection filters ... 27
        Create a filter ... 27
        Change filters ... 28
        Set default forwarding action ... 29
    Setting a disclaimer ... 29
    Setting Auto BCC ... 29

4 Managing IT policies ... 30
    Compatibility ... 30
    Setting your default IT policy ... 30
        Add rules to your default IT policy ... 30
    Creating IT policies ... 31
        Create a new IT policy ... 31
        Change a user's policy assignment ... 31
    Using IT policy rules ... 32
        Change the value of a rule in an existing policy ... 32
        Create custom rules ... 33
        Manage custom rules ... 33
    Viewing IT policy statistics ... 34
    Sending IT policies ... 34
        Resend the existing policy ... 35
        Schedule commands ... 35
    Deleting IT policies ... 35

5 Managing attachment viewing ... 36
    View settings ... 36
        Change connector settings ... 36
        Change attachment server settings ... 37
    Setting supported attachments ... 38
        Supported file formats ... 38
        Set distiller ... 39
        Set the maximum file size for a distiller setting ... 40

6 Managing HTTP browsing and push ... 42
    Starting the Mobile Data Service ... 42
        Start or stop the Mobile Data Service ... 42
        Enable or disable on the server ... 42
        Enable or disable on user accounts ... 43
    Managing data connections ... 43
        Change Mobile Data Service connection settings ... 43
        Change connection timeouts ... 43
        Enable cookie support ... 44
        Manage connections through a proxy server ... 44
    Managing connections to servers ... 45
        Change LDAP settings ... 45
        Change OCSP settings ... 46
        Change security settings ... 46
    Managing authentication ... 48
        Set HTTP authentication ... 48
        Configure network authentication ... 48
        Set proxy server authentication ... 49
    Managing push ... 50
        Push service ... 50
        Enable the push server ... 50
        Store and delete push submissions ... 50
        Create push roles and assign push initiators ... 51
        Set push authorization for a specific server ... 52
    Managing pull ... 52
        Create pull roles and assignments ... 52
        Set pull authorization for a specific server ... 53

7 Managing security ... 54
    Change the data encryption type ... 54
    Generating encryption keys ... 54
        Set encryption key generation ... 54

Appendix A: IT policy ... 56
    IT policy rules ... 56
    Sample IT policies ... 75
2. On the Server Configuration tab, click Service Control & Customization.
3. Perform one of the following actions:

   Action                                    Procedure
   Start the BlackBerry Enterprise Server.   • Click Start BES.
   Stop the BlackBerry Enterprise Server.    • Click Stop BES.
   1. In the Visible columns list, click a column.
   2. Click Make First or Make Last.

   1. In the Visible columns list, click a column.
   2. Click Move Up or Move Down.
4. Click OK.
Tip: Press CTRL to select multiple columns at the same time.
4. Click OK.
3. Click Set Polling Interval.
4. Type the time, in seconds, after which mailbox polling occurs.
5. Click OK.
5. Click OK.
1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Server Configuration tab, click Account.
3. Click Remove BES.
4. Click Yes.
4. Click OK.
1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Server Configuration tab, click Edit Properties.
3. On the General tab, modify the desired values.

   Option              Description
   Identifier          Defines the unique identifier by which the BlackBerry Enterprise Server connects to the wireless network.
   Authentication Key  Defines the key used to authenticate the identifier when connecting to the wireless network.
   SRP Host            Defines the name of the server on which the BlackBerry Router is installed.
                       Note: If the BlackBerry Router is installed on the same server as the BlackBerry Enterprise Server, use localhost in this field.
   SRP Port            Defines the port on which the BlackBerry Router connects to the wireless network.
                       Defines optional routing information used to connect to the wireless network.
                       Warning: Only set values in this field if the installation material contains specific values. If you are using the default Network Access Node (the SRP Address value that is provided on your installation CD label), or are uncertain which values to use, leave this field blank. If you define incorrect values in this field, connection to the wireless network is not possible.
4. Click OK.
3. Click OK.
Managing licenses
License keys enable the use of client licenses in your organization. For example, if you purchase a license key for 20 users, you can install 20 users on the BlackBerry Enterprise Server. When you exceed the number of permitted users, the BlackBerry Manager informs you that you require more licenses. To add more users to the BlackBerry Enterprise Server, you must purchase a new license key for the number of extra client licenses that you require and then add the license keys to the BlackBerry Enterprise Server.
Warning: If you use a temporary evaluation license key, you cannot reuse the temporary license key after you purchase a permanent license key.
Add a license
1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Account.
3. Click License Management.
4. Type the new license key information.
5. Click Add License.
6. Click Close.
Remove a license
If only one license key is active, the remove option is not available.
1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Account.
3. Click License Management.
4. Right-click the license key to remove, and then click Remove License Key.
5. Click Close.
2 Managing users
Managing user accounts
Managing redirection
Notifying users

   Connect to the local address book.   • From the Server drop-down list, click a server.
                                        • Click Go.
1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Server Configuration tab, click Account.
3. Click Import Users from Legacy Server.
1. In the BlackBerry Manager, in the left pane, click a server.
2. On the User List tab, click a user.
3. In the lower pane, click Common.
4. Perform one of the following actions:

   Action                              Procedure
   Move users to a different server.   1. Click Move User.
                                       2. Select the destination server.
                                       3. Click OK.
   Remove users from a server.         1. Click Delete User.
                                       2. Click OK.

Tip: Press CTRL to select multiple users at the same time.
1. In the BlackBerry Manager, in the left pane, click a server.
2. On the User List tab, click a user.
3. In the lower pane, click Account.
4. Click Export to legacy server.
5. Complete the export wizard:

   Action                         Procedure
   Select a legacy server.        • Use the drop-down list to select the server.
   Confirm the users to export.   • Review the list of imported users, and then click Finish.
Managing redirection
Disable or enable redirection
You can stop message redirection to a handheld without removing the user from the server. For example, if a user is traveling out of a wireless coverage area and does not want messages forwarded to the handheld during that time, disable message redirection to the handheld. While redirection is disabled, the user can send messages but cannot receive them. The user can re-enable redirection on the handheld.

1. In the BlackBerry Manager, in the left pane, click a server.
2. On the User List tab, click a user.
Tip: Press CTRL to select multiple users at the same time.
3. In the lower pane, click Service Access.
4. Perform one of the following actions:

   Action                 Procedure
   Disable redirection.   • Click Disable Redirection.
   Enable redirection.    • Click Enable Redirection.
5. Click OK.
Set whether messages sent on the handheld are saved in the Sent view in Lotus Notes
By default, messages are saved in the Sent view.

1. In the BlackBerry Manager, in the left pane, click a server.
2. On the User List tab, double-click a user.
3. Click Do Not Save Sent Messages.
4. Perform one of the following actions:

   Action                                   Procedure
   Save messages in the Sent view.          • From the drop-down list, select False.
   Do not save messages in the Sent view.   • From the drop-down list, select True.
5. Click OK.
3. In the lower pane, click Service Control and Customization.
4. Click Purge Pending Messages.
   Option                                                                                                  Description
   Remove the encryption keys used to encrypt Peer-to-Peer messages from all handhelds within this organization   Select this option to remove the encryption keys from all handhelds. Selecting this option makes the "Retain current Peer-to-Peer on all handhelds as a 'previous' key" option unavailable.
Notifying users
You use the BlackBerry Manager to send an email or PIN message to users in the BlackBerry Domain. Because the mail server does not process PIN messages, this feature is useful for informing BlackBerry users about mail server outages. PIN messages that are sent from the BlackBerry Manager are not filtered using the user's handheld filter configuration. PIN messages appear on the handheld in bold, which indicates a priority message.
3. In the lower pane, click Account.
4. Click Send Message.
5. Complete the message wizard:
   Action: Select a delivery method.  Procedure: Select the By Email option to send the message by email, or select the By PIN option to send a PIN message.
   Action: Select the users to send the message to.  Procedure: Select the Send to all users option to send the message to all users, or select the Send to selected users option to send it to specified users and then select the check box beside each user.
   Action: Type the message.  Procedure: 1. In the Subject field, type a subject for the message. 2. In the field, type the message. 3. Click Next to send the message.
1. In Lotus Domino Administrator, on the People and Groups tab, select the users to configure for PIM synchronization. 2. On the Tools pane, expand People. 3. Click Roaming. 4. In the Assign Roaming Profiles dialog box, define the desired roaming settings. 5. Click OK. 6. Perform one of the following actions:
   Action: Activate PIM synchronization for new BlackBerry users.  Procedure: In the BlackBerry Manager, add the users to the BlackBerry Enterprise Server. See "Add users from local or foreign domains" on page 16 for more information.
   Procedure: In the BlackBerry Manager, activate the users' handhelds. See the BlackBerry
CN=<servername>/OU=<servers>/O=<companyname>).
! Type the path, relative to the data directory, in which the databases reside (for
7. Click OK.
   From the drop-down list, select False to disable email filter synchronization, or select True to enable it.
   Action: Disable or enable tasks synchronization.  Procedure: 1. In the Tasks section, click Synchronization enabled. 2. From the drop-down list, select False to disable tasks synchronization, or select True to enable it.
   Action: Disable or enable email setting synchronization.  Procedure: 1. In the Email Settings section, click Synchronization enabled. 2. From the drop-down list, select False to disable email setting synchronization, or select True to enable it.
   Action: Disable or enable memo synchronization.  Procedure: 1. In the Memos section, click Synchronization enabled. 2. From the drop-down list, select False to disable memo synchronization, or select True to enable it.
   Action: Disable or enable address book synchronization.  Procedure: 1. In the Address Book section, click Synchronization enabled. 2. From the drop-down list, select False to disable address book synchronization, or select True to enable it.
3. Click OK.
Procedure 1. In the BlackBerry Manager, in the left pane, click a server. 2. On the User List tab, double-click a user. 3. Click PIM Sync.
2. Locate a PIM application in the list and select one of the following synchronization types:
   Option: Bidirectional.  Description: Synchronizes data from the handheld to the server and from the server to the handheld.
   Option: Handheld To Server.  Description: Synchronizes data from the handheld to the server only.
   Option: Server To Handheld.  Description: Synchronizes data from the server to the handheld only.
3. Click OK.
Note: Bidirectional synchronization is the only option available for email filters and email settings.
2. Locate a PIM application in the list, and then select one of the following conflict resolutions:
   Option: Server Wins.  Description: The server information overrules the handheld information.
   Option: Handheld Wins.  Description: The handheld information overrules the server information.
3. Click OK.
6. Click OK.
2. In the Desktop Field column, click a field. 3. In the Device Field column, from the drop-down list, select the handheld address book field to map to the desktop field. 4. Click OK.
6. Click OK.
Create a filter
Use global filters to apply filters to all users on a server and user filters to apply filters to specific users.
Note: Global filters take precedence over user filters.
1. In the BlackBerry Manager, in the left pane, click a server. 2. Perform one of the following actions:
   Action: Create a global filter for all users.  Procedure: 1. On the Server Configuration tab, click Edit Properties. 2. Click Global Filters. 3. Double-click Global Filter Definitions.
   Action: Create a filter for a specific user.  Procedure: 1. On the User List tab, double-click a user. 2. Click Filters. 3. Double-click Filter Rules.
3. Click New. 4. In the dialog box, double-click Filter Name. 5. Type a name for the new filter. 6. Double-click a condition and perform one of the following actions:
Tip: You can use wildcards when you create filter rules; however, if you use wildcards for email addresses, use the correct SMTP format (for example, *@acme.ca).
   Action: Specify recipient method.  Procedure: 1. Click Recipient Types. 2. Select one, some, or all of Sent Directly, Cc, or Bcc for the filter to detect. Note: This field applies only to messages that are sent directly to the recipients. It does not apply to distribution lists to which they belong.
7. In the Action section, click Action.
8. Perform one of the following actions:
   Action: Hold messages to which no filters apply.  Procedure: From the drop-down list, select Hold.
   Action: Forward messages to which no filters apply.  Procedure: 1. From the drop-down list, select Forward. 2. Perform one of the following actions: Select Heading Only to forward only the message header. Select Level1 Notification to forward messages with Level 1 notification (by default, messages with Level 1 filter notification appear with a bold subject line on the recipient's handheld). Select Heading Only and Level1 Notification to forward only the message header, with Level 1 notification.
9. Click OK.
Note: Messages are filtered based on the order in which the filters appear. If the filter that you are adding applies to messages to which another filter also applies, you must decide which filter should be applied first. See "Change filters" below for more information.
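The evaluation order described above (global filters before user filters, filters applied in the order listed, SMTP wildcards, the Recipient Types condition, and the Hold/Forward actions with Heading Only and Level1 Notification) as an added Python model. This is not BlackBerry code: the data model, the first-match rule, and the sample rules, addresses and messages are constructed here as assumptions.

```python
# Added example, not BlackBerry code: a model of the filter evaluation the
# guide describes. Assumptions: rules are plain dataclasses, global rules are
# checked before user rules, and the first matching rule decides.
import fnmatch
from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str
    to: list = field(default_factory=list)    # addresses on the To: line
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)
    subject: str = ""


@dataclass
class FilterRule:
    name: str
    sender_pattern: str = None          # SMTP wildcard form, e.g. "*@acme.ca"
    subject_contains: str = None
    recipient_types: frozenset = None   # subset of {"Sent Directly", "Cc", "Bcc"}; None = not a condition
    action: str = "Forward"             # "Forward" or "Hold"
    heading_only: bool = False
    level1_notification: bool = False


def recipient_type(msg, user_addr):
    """How the user is addressed, or None when the user only receives the
    message through a distribution list (Recipient Types cannot see that)."""
    addr = user_addr.lower()
    for label, header in (("Sent Directly", msg.to), ("Cc", msg.cc), ("Bcc", msg.bcc)):
        if addr in (a.lower() for a in header):
            return label
    return None


def rule_matches(rule, msg, user_addr):
    if rule.sender_pattern and not fnmatch.fnmatchcase(
            msg.sender.lower(), rule.sender_pattern.lower()):
        return False
    if rule.subject_contains and rule.subject_contains.lower() not in msg.subject.lower():
        return False
    if rule.recipient_types is not None and recipient_type(msg, user_addr) not in rule.recipient_types:
        return False
    return True


def evaluate(global_rules, user_rules, msg, user_addr, default_action="Forward"):
    """Global rules take precedence over user rules; within each list the
    configured order applies and the first match decides the action."""
    for rule in (*global_rules, *user_rules):
        if rule_matches(rule, msg, user_addr):
            return {"rule": rule.name, "action": rule.action,
                    "heading_only": rule.heading_only, "level1": rule.level1_notification}
    return {"rule": None, "action": default_action, "heading_only": False, "level1": False}


# Constructed sample configuration (hypothetical addresses, not from the guide).
USER = "alice@acme.ca"
GLOBAL_RULES = [FilterRule("Hold newsletters", sender_pattern="*@newsletter.example", action="Hold")]
USER_RULES = [
    FilterRule("CEO priority", sender_pattern="ceo@acme.ca", level1_notification=True),
    FilterRule("Cc heading only", recipient_types=frozenset({"Cc"}), heading_only=True),
]

if __name__ == "__main__":
    for m in (Message("news@newsletter.example", to=[USER], subject="Weekly"),
              Message("ceo@acme.ca", cc=[USER], subject="Q4 numbers"),
              Message("bob@acme.ca", to=["sales-dl@acme.ca"], subject="via list")):
        print(m.sender, "->", evaluate(GLOBAL_RULES, USER_RULES, m, USER))
```

The last sample message is the case the guide's note about distribution lists warns about: a message that reaches the user only through a list carries no Sent Directly, Cc or Bcc type, so a rule that depends on Recipient Types never matches it and the default action applies. Ordering matters in the same way the note above describes: a message from ceo@acme.ca that is only Cc'd to the user is decided by "CEO priority" because it is listed first, not by "Cc heading only".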
Change filters
1. In the BlackBerry Manager, in the left pane, click a server. 2. Perform one of the following actions:
   Action: Change a global filter.  Procedure: 1. On the Server Configuration tab, click Edit Properties. 2. In the left pane, click Global Filters. 3. Double-click Global Filter Items. 4. In the Filter Name list, click a filter.
   Action: Change a filter for a specific user.  Procedure: 1. On the User List tab, double-click a user. 2. In the left pane, click Filters. 3. Double-click Filter Items. 4. In the Filter Name list, click a filter.
Note: The BlackBerry Enterprise Server reads global filter changes every 15 minutes, so filter changes might not be applied to messages immediately.
   Action: Do not forward messages to the handheld.  Procedure: From the drop-down list, select False.
6. Click OK.
Setting a disclaimer
Set a disclaimer to add text below user signatures on all messages that are sent from the handheld. 1. In the BlackBerry Manager, in the left pane, click a server. 2. On the Server Configuration tab, click Edit Properties. 3. Click Email. 4. In the Email Options section, click Disclaimer Text. 5. Type a disclaimer. 6. Click OK.
4 Managing IT policies
Compatibility
Setting your default IT policy
Creating IT policies
Using IT policy rules
Viewing IT policy statistics
Sending IT policies
Deleting IT policies
Compatibility
There are specific handheld and software requirements for each IT policy rule. See "IT policy rules" on page 56 for more information.
8. Click OK.
Creating IT policies
You create customized IT policies to reflect the needs of different types of users. For example, you might want a higher level of security on the handhelds of your sales team, who are typically out of the office. See "Sample IT policies" on page 75 for more information.
9. Click OK.
3. Click IT Admin. 4. Click Assign IT Policy. 5. From the drop-down list, select a new policy. 6. Click OK.
1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click IT Policy.
4. In the IT Policy Administration section, double-click IT Policies.
5. Click the policy to add a custom rule to, and then click Properties.
6. From the Properties list, select User-Defined Items.
7. Double-click IT Policy Template.
8. Click New.
9. Complete the available fields:
   Action: Define the rule name.  Procedure: Type a name for the custom rule.
   Action: Outline how the rule can be used.  Procedure: Type a description for the custom rule.
   Action: Identify the type of values that the rule uses.  Procedure: From the drop-down list, select Boolean, Integer, String, Bitmask, or Multiline String.
   Action: Identify where the rule will be enforced.  Procedure: From the drop-down list, select Handheld, Desktop, or Both the handheld and desktop.
   Action: Set minimum integer value.  Procedure: Specify the minimum value that an integer rule can accept.
   Action: Set maximum integer value.  Procedure: Specify the maximum value that an integer rule can accept.
   Action: Define bitmask data.  Procedure: Specify the data that a bitmask rule can accept. Include up to 8 related boolean values. You can assign a bit option name for one, some, or all of the 8 bit values. For example, you might create a bitmask IT policy rule called AllowedFeatures with 3 boolean bit values, where bit 0 is named Phone, bit 1 is named Browser, and bit 2 is named Third Party Apps.
10. Click OK. 11. In the Policy Items Settings section, provide a value for the custom rule in this policy.
Note: After you create a custom rule, you can assign a value to it in any new or existing policy.
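How the type constraints of a custom rule (a Bitmask rule's named bits, an Integer rule's minimum and maximum) translate into the numeric value stored in a policy, as an added Python example. This is not BlackBerry code: the AllowedFeatures rule is the guide's own example, while the MaxPasswordAgeDays rule, the group-to-feature mapping and the helper names are constructed here as assumptions.

```python
# Added example, not BlackBerry code: encoding and checking custom IT policy
# rule values against the rule template's type constraints.
from dataclasses import dataclass


@dataclass(frozen=True)
class BitmaskRule:
    """A Bitmask rule: up to 8 named boolean bits; bit 0 is the first name."""
    name: str
    bit_names: tuple

    def __post_init__(self):
        if not 0 < len(self.bit_names) <= 8:
            raise ValueError("a bitmask rule holds 1 to 8 bit values")
        if len(set(self.bit_names)) != len(self.bit_names):
            raise ValueError("bit names must be unique")

    def encode(self, enabled):
        """Set of bit names -> integer value to store in the policy."""
        value = 0
        for name in enabled:
            try:
                value |= 1 << self.bit_names.index(name)
            except ValueError:
                raise ValueError(f"{self.name}: unknown bit {name!r}") from None
        return value

    def decode(self, value):
        """Integer value -> set of bit names that are on. Bits beyond the named
        ones are rejected so a stray value cannot silently enable a feature
        the template does not define."""
        if value < 0 or value >= 1 << len(self.bit_names):
            raise ValueError(f"{self.name}: {value} is outside the {len(self.bit_names)}-bit mask")
        return {n for i, n in enumerate(self.bit_names) if value & (1 << i)}


@dataclass(frozen=True)
class IntegerRule:
    """An Integer rule with the template's minimum and maximum."""
    name: str
    minimum: int
    maximum: int

    def validate(self, value):
        if not isinstance(value, int) or not self.minimum <= value <= self.maximum:
            raise ValueError(f"{self.name}: {value!r} not in {self.minimum}..{self.maximum}")
        return value


# The guide's example rule, expressed as data.
ALLOWED_FEATURES = BitmaskRule("AllowedFeatures", ("Phone", "Browser", "Third Party Apps"))
# Hypothetical integer rule (assumption) to show min/max enforcement.
MAX_PASSWORD_AGE_DAYS = IntegerRule("MaxPasswordAgeDays", 1, 365)

# Hypothetical groups: the sales team (out of the office) gets fewer features.
GROUP_FEATURES = {
    "sales": {"Phone", "Browser"},
    "engineering": {"Phone", "Browser", "Third Party Apps"},
}


def policy_values(group):
    """Values for one policy, computed from names rather than typed as raw numbers."""
    return {ALLOWED_FEATURES.name: ALLOWED_FEATURES.encode(GROUP_FEATURES[group]),
            MAX_PASSWORD_AGE_DAYS.name: MAX_PASSWORD_AGE_DAYS.validate(90)}


if __name__ == "__main__":
    for group in GROUP_FEATURES:
        values = policy_values(group)
        print(group, values, ALLOWED_FEATURES.decode(values["AllowedFeatures"]))
```

Computing the value from bit names, and refusing values that set bits the template does not name, is the check worth keeping when policies are edited by hand: a bitmask value of 7 is only meaningful relative to the bit names in the template, and a value of 8 in a three-bit rule is a mistake rather than an extra feature.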
5. Click the Default policy, and then click Properties.
6. From the Properties list, select User-Defined Items.
7. Double-click IT Policy Template.
8. Perform one of the following actions:
   Action: Edit a custom rule.  Procedure: 1. Click the rule to edit, and then click Properties. 2. Modify the desired values. 3. Click OK.
   Action: Delete a custom rule.  Procedure: 1. Click the rule to delete, and then click Remove. 2. Click OK.
Sent Received
Sending IT policies
When you add new users, they are added to the default IT policy, which is sent automatically to their handhelds. If you move users to a new policy, that policy is also sent automatically to their handhelds.
Note: Sending a wireless IT policy creates a security association between the handheld and the BlackBerry Enterprise Server. After this association is made, the handheld does not accept IT policies from any other BlackBerry Enterprise Server or from the user's computer over the serial or USB port.
If you move a user from one BlackBerry Enterprise Server to another in the same BlackBerry Domain, the same policy remains in effect, but is resent automatically by the new BlackBerry Enterprise Server. If you move a user from one BlackBerry Enterprise Server to another outside the BlackBerry Domain, the user is treated like a new user and is assigned to the default IT policy, which is sent automatically by the new BlackBerry Enterprise Server.
Schedule commands
By default, automatic resends are turned off. You can configure IT policies to be resent to handhelds on the BlackBerry Enterprise Server at a scheduled time. 1. In the BlackBerry Manager, in the left pane, click a server. 2. On the Server Configuration tab, click Edit Properties. 3. In the IT Admin section, double-click Policy Resend Interval. 4. Type the rate, in hours, at which you want the automatic resends to occur. 5. Click OK.
Deleting IT policies
If you delete a policy to which users are assigned, they are assigned automatically to the default IT policy. For this reason, you cannot delete the default IT policy. 1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain. 2. On the Global tab, click Edit Properties. 3. Click IT Policy. 4. In the IT Policy Administration section, double-click IT Policies. 5. Click the policy to delete, and then click Remove. 6. Click OK.
View settings
1. On the taskbar, click Start > Programs > BlackBerry Enterprise Server > BlackBerry Server Configuration. 2. Click the Attachment Server tab. 3. In the Configuration Option drop-down list, select one of the following:
   Option: Connector Configuration.  Description: Controls the connections between the Messaging Agent and the Attachment Service when attachments are requested on the handheld.
   Option: Attachment Server.  Description: Controls the retrieval, distillation, and conversion of attachment data, as well as which attachment types you plan to support in your environment.
   Option: Test Attachment Service.  Description: Provides tools to troubleshoot the Attachment Service. See the BlackBerry Enterprise Server
If the BlackBerry Attachment Service is installed on a remote machine (that is, separate from the BlackBerry Enterprise Server), only certain settings can be configured on each machine. On the Attachment Service machine, the attachment server options are visible. On the BlackBerry Enterprise Server, the Connector Configuration options are visible.
1. On the taskbar, click Start > Programs > BlackBerry Enterprise Server > BlackBerry Server Configuration. 2. On the Attachment Server tab, from the Configuration Option drop-down list, select Connector Configuration. 3. Modify the desired values.
   Option: Server.  Description: Set the server name or IP address of the computer on which the Attachment Service is installed. If the Attachment Service is installed on the same computer as the BlackBerry Enterprise Server, this value is set to the localhost name by default.
   Option: Server Submit Port.  Description: Set the TCP/IP port number that the attachment connector uses to send attachment data requests to the Attachment Service. Note: The port number for this setting must match the Submit Port field in the attachment server configuration options.  Range: 1024 to 65,535
   Option: Server Result Port.  Description: Set the TCP/IP port number used to query and retrieve large attachment conversion data from the Attachment Service. Note: The port number for this setting must match the Result Port field in the attachment server configuration options.  Range: 1024 to 65,535
   Description: Set the interval, in seconds, at which the connector polls the Attachment Service results port to find out whether large attachments are available for delivery.  Range: 10 to 300 seconds
   Option: Format Extensions.  Description: Specify the list of attachment extensions that this BlackBerry Enterprise Server supports for the attachment viewer. Warning: If you turn off a distiller, you should also remove the file extension(s) for documents converted by that distiller from the Format Extensions field.
Extended Logging
Set the extended log to Enabled to enable the Attachment Service to write extended log information to the log file. See the BlackBerry Enterprise Server Troubleshooting Guide for more information. Note: The Attachment Service logs successful conversions and any failures in the BlackBerry Messaging Agent log file by default. This setting is used only to enable extended logging for troubleshooting.
1. On the taskbar, click Start > Programs > BlackBerry Enterprise Server > BlackBerry Server Configuration. 2. On the Attachment Server tab, from the Configuration Option drop-down list, select Attachment Server. 3. Modify the desired values.
   Option: Submit Port.  Description: Type the TCP/IP port number that the Attachment Service uses to receive document submissions and on which it returns conversion results. Note: This port number must be identical to the number in the Server Submit Port field in the Connector Configuration options.  Range: 1024 to 65,535
   Option: Result Port.  Description: Type the port number that the Attachment Service uses to send large attachment conversion data when polled by the attachment connector on the BlackBerry Enterprise Server. Note: The port number for this setting must match the Server Result Port field in the Connector Configuration options.  Range: 1024 to 65,535
   Option: Configuration Port.  Description: Type the TCP/IP port number to use for configuration and administrative purposes.  Range: 1024 to 65,535
   Option: Concurrent Caching.  Description: Specify whether multiple requests for the same attachment can use the first cached copy of the attachment Document Object Model (DOM) in a conversion process for a new user.
   Description: Specify the maximum number of converted documents that can reside in the document cache (as DOM) for an individual conversion process. If the same user retrieves more content from the same document within a few minutes of the initial request, subsequent requests are served from the cache. The cache is maintained for 25 minutes (the default recycle time), or until a new request exceeds the cache limit for that process and the least recently used document in the cache is deleted. All cached data is kept in memory only, and the original document is never cached. Tip: A larger cache size means that more memory is allocated to each running conversion process. The maximum file size of the attachments affects the cache memory used. Use the Max File Size (Kb) setting for individual attachment formats to limit the cache memory usage of the running conversion processes.  Range: 1 to 128
   Option: Conversion Processes.  Description: Set the number of conversion processes that are available to the Attachment Service. A higher number of conversion processes enables more conversion requests to be handled concurrently. Every conversion process allocates memory on startup and uses memory during conversion. Set this value in relation to the available memory and competing services on the computer running the Attachment Service.  Range: 1 to 64
   Description: Set the maximum number of document conversions per conversion process. This defines how many concurrent conversions a single conversion process accepts. This setting helps to control thread saturation in a high-volume BlackBerry Enterprise Server configuration and is also useful for managing the Attachment Service workload in conjunction with the Busy Threshold (seconds) setting.  Range: 2 to 32
   Description: Set the timeout for BBConvert process recycling, which stops any process that is consuming CPU and has not completed or failed processing when the timeout occurs. Tip: The Attachment Service also uses process recycling to reclaim memory and prevent failed processes from keeping memory allocated.  Range: 300 seconds (5 minutes) to 3600 seconds (60 minutes)
   Option: Busy Threshold (seconds).  Description: Set the threshold used to determine whether the Attachment Service is busy with conversions and should not accept new requests. The Attachment Service monitors the running conversion threads to check whether all conversion processes are busy when a new request arrives. When the threshold is reached, a Server Busy, Retry message is displayed.  Range: 60 seconds to 270 seconds
   Option: Distiller Settings.  Description: The distiller list displays all installed document-loading distillers for the Attachment Service, along with the associated document extension and the maximum attachment size allowed. See "Set distiller" on page 39 for more information.
   File format: Microsoft Excel versions 97, 2000, 2003, XP.  File extensions: .xls
   File format: Microsoft PowerPoint versions 97, 2000, 2003, XP.  File extensions: .ppt
   File format: Microsoft Word versions 97, 2000, 2003, XP.  File extensions: .doc, .dot
   File format: Corel WordPerfect versions 6.0, 7.0, 8.0, 9.0 (2000).  File extensions: .wpd
   File format: ASCII text.  File extensions: .txt
   File format: HTML.  File extensions: .html, .htm
   File format: ZIP archives.  File extensions: .zip
   File format: Images.  File extensions: .bmp, .jpg, .gif, .png, .tif
Set distiller
All supported distillers (one distiller per supported file format) are enabled by default. A check mark signifies that the distiller is enabled. Turning off an Attachment Service distiller prevents the use of any attachment in the format that is converted by that distiller. For example, if you turn off the .pdf distiller, Adobe .pdf attachments are no longer supported on the handheld.
Warning: If you turn off a distiller, you should also remove the file extension for documents that are converted by that distiller from the Format Extension field in the Connector Configuration screen. If you turn off a distiller, but the associated file extension is supported (in other words, it appears in the Format Extension field), Open Attachment still appears on the handheld menu when the handheld receives an attachment with that extension. If the user clicks Open Attachment, an Error unknown file format message appears and is logged. See the BlackBerry Enterprise Server Troubleshooting Guide for more information.
1. On the taskbar, click Start > Programs > BlackBerry Enterprise Server > BlackBerry Server Configuration. 2. On the Attachment Server tab, from the Configuration Option drop-down list, select Attachment Server. 3. In the Distiller Settings section, perform one of the following actions:.
   Action: Enable a distiller.  Procedure: Select the check box.
   Action: Turn off a distiller.  Procedure: Clear the check box.
Tip: To enable all image formats, select the Image Attachments check box.
4. Click OK.
1. On the taskbar, click Start > Programs > BlackBerry Enterprise Server > BlackBerry Server Configuration. 2. On the Attachment Server tab, from the Configuration Option drop-down list, select Attachment Server. 3. In the Distiller Settings section, in the Max. File Size (Kb) column, click the file size value beside the distiller that you are modifying, and then type a value.
Tip: The default value of 0 enables an unlimited file size.
Recommended file size for heavy usage BlackBerry Enterprise Server environments
A BlackBerry Enterprise Server environment that experiences the following demands meets the definition of a heavy usage environment: multiple users requesting conversions for large or complex attachments (especially .pdf and ASCII text files larger than 2 MB), and either multiple users requesting the same large or complex documents in the same time frame (0 to 10 minutes) while large conversions are being processed, or multiple users requesting different documents in the same time frame (0 to 10 minutes) while large conversions are being processed.
   File format: Adobe Acrobat versions 1.1, 1.2, 1.3, 1.4.  Recommended size: less than 2000 KB
   File format: Microsoft Excel versions 97, 2000, 2003, XP.  Recommended size: less than 2000 KB
   File format: Microsoft PowerPoint versions 97, 2000, 2003, XP.  Recommended size: less than 2000 KB
   File format: Microsoft Word versions 97, 2000, 2003, XP.  Recommended size: less than 2000 KB
   File format: Corel WordPerfect versions 6.0, 7.0, 8.0, 9.0 (2000).  Recommended size: less than 2000 KB
   File format: ASCII text.  Recommended size: less than 100 KB
   File format: HTML.  Recommended size: less than 100 KB
   File format: ZIP archives.  Recommended size: less than 2000 KB
   File format: Images.  Recommended size: less than 2000 KB
Note: You must re-enable the Mobile Data Service for user accounts on that server to enable the Mobile Data Service on their handhelds.
   Action: Disable the Mobile Data Service.  Procedure: Click Disable MDS.
3. In the lower pane, click Service Access.
4. Perform one of the following actions:
   Action: Enable the Mobile Data Service.  Procedure: Click Enable MDS Access.
   Action: Disable the Mobile Data Service.  Procedure: Click Disable MDS Access.
2. On the Mobile Data Services tab, click Edit Properties. 3. Click Proxy. 4. Click HTTP Proxy Enabled. 5. From the drop-down list, select True. 6. Click Proxy Auto Configuration. 7. From the drop-down list, select False. 8. In the Manual Proxy section, double-click Proxy Mappings. 9. Click New. 10. Double-click Universal Resource Locator. 11. Type the URL in the field. Use the following format: scheme://host name:port/path/?query. 12. Double-click Proxy String. 13. Type the host name and port for the proxy server in the field.
Note: URLs that are not listed in the Proxy Mappings window are routed through the proxy server specified on the Proxy tab, in the Manual Proxy section.
1. In the BlackBerry Manager, in the left pane, click a server. 2. On the Mobile Data Services tab, click Edit Properties. 3. Click LDAP. 4. Modify the desired values.
   Option: Host Name.  Description: Type the name of the default LDAP server. When no LDAP server is specified in a query URL (LDAP:///), the request is sent automatically to this server.
   Option: Port.  Description: Type the port number on which the default LDAP server listens. If you provide a host name, you must specify a port number.
   Option: Default Server Base Query.  Description: Type the default base query for the default server. Each LDAP server can host multiple domains but can search in only one of them at a time, so you must set a default query.
   Option: Query Limit.  Description: The maximum number of entries that are returned for each base query.
   Option: Enable Data Compression.  Description: Enables compression of the result data stream.
Add a certificate to the Mobile Data Service key store to permit connections to servers whose certificates are not already trusted
Warning: The keytool utility is not created or supported by Research In Motion.
1. Copy the certificate from the secure web site to a .cer file.
2. Copy the certificate file into the j2re1.4.2\lib\security folder on the computer on which the Mobile Data Service is installed. This folder holds the JRE's cacerts trust store.
3. Import the certificate into the key store using keytool, which is installed in the JRE bin folder (typically, drive:\Program Files\Java\j2re1.4.2\bin). For example, type keytool -import -trustcacerts -alias <alias_name> -file <cert_filename> -keystore cacerts. Because -keystore cacerts is a relative path, run the command from the lib\security folder, or give the full path to the cacerts file.
4. Type the key store password. The JRE ships cacerts with the well-known default password changeit; change it if you have not already done so.
5. keytool prints the certificate's owner, issuer and fingerprints. Compare the fingerprint with a value obtained from the site's administrator before answering, because a certificate imported here is trusted for every SSL connection that JRE makes. At the Trust this certificate prompt, type yes. The certificate is added to the key store.
Visit http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html for more information on using keytool.
Accept an SSL connection from the push application using a keystore file
The BlackBerry Server Configuration tool creates a keystore file, which enables the push application to establish an SSL connection with the Mobile Data Service when pushing content to the handheld.
Note: Only one keystore file can exist. The file must be called webserver.keystore and must be located at ...\Research in Motion\BlackBerry Enterprise Server\MDS. If you create a new keystore file, the existing file is overwritten.
1. On the taskbar, click Start > Programs > BlackBerry Enterprise Server > BlackBerry Server Configuration. 2. On the Mobile Data Service tab, modify the desired values.
   Action: Set the keystore file password.  Procedure: In the Password field, type a password. The password must be at least six characters.
   Action: Confirm the keystore file password.  Procedure: In the Confirm field, type the password again.
   Action: Set user name.  Procedure: In the User Name field, type the user name of the keystore.
   Action: Set company name.  Procedure: In the Organization field, type the company name.
   Action: Set country.  Procedure: In the Country field, type the country name.
3. Click Create Keystore File. 4. If prompted, click Yes to overwrite the existing keystore file. 5. Click OK.
Managing authentication
Set HTTP authentication
1. In the BlackBerry Manager, in the left pane, click a server. 2. On the Mobile Data Services tab, click Edit Properties. 3. Click HTTP. 4. Modify the desired values:
   Option: Support HTTP Authentication.  Description: Enables the Mobile Data Service to authenticate to the proxy server or content server on behalf of handhelds when an HTTP request is sent from the handheld. This option enables storage of authentication information by default. Enable this option to support network authentication. Warning: If authentication fails because no valid name and password pair is found for a particular domain, the authentication failure is sent to the handheld. This failure notice tells the handheld user that the name and password pair could not be found.
   Option: Authentication Timeout.  Description: The length of time, in milliseconds, before the stored authentication information for the proxy or content server is removed.
NTLM authentication
Configure NTLM using the standard Java Authentication and Authorization Service (JAAS) configuration file, which is installed in the following location by default: root_directory:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\ServerInstance\config\MdsLogin.conf. Visit http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/LoginConfigFile.html for more information on the JAAS configuration file. The MdsLogin.conf file lists the three login modules that the Mobile Data Service uses and the application(s) for which each is used:
- Kerberos 5 login module for JAAS (com.sun.security.auth.module.Krb5LoginModule)
- NTLM authentication module for JAAS (net.rim.security.auth.module.ntlm.NtlmLoginModule)
- clear-password login module for JAAS (net.rim.security.auth.module.pwd.PwdLoginModule)
Kerberos authentication
Note: Kerberos requires Microsoft Windows 2000 or 2003.
Configure Kerberos 5 using the standard Kerberos 5 configuration file (krb5.conf), which is installed in the following location by default: root_directory:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\ServerInstance\config\krb5.conf. Visit http://web.mit.edu/kerberos/www/krb5-1.3/krb5-1.3.3/doc/krb5-admin.html for more information on the Kerberos 5 file. The Kerberos 5 configuration file that is provided with the Mobile Data Service installation includes the following section:
   Section: [libdefaults].  Description: This section contains default values used by the Kerberos 5 library. The supported encryption key types are listed in its subsections.
      Subsection: default_tkt_enctypes.  Description: Defines the supported encryption types that the client should request. Note: Visit http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.5/doc/admin.html for a complete list of available values.
      Subsection: default_tgs_enctypes.  Description: Defines the supported encryption types that the Key Distribution Center (KDC) host (the computer issuing Kerberos tickets) should return.
   Section: [realms].  Description: This section contains subsections describing information specific to each Kerberos realm; realm names are case-sensitive. Each subsection describes realm-specific information, including the location of the Kerberos servers for that realm. For each realm, you can specify the KDC host and an optional port number. A Kerberos realm is an administrative domain or site with its own Kerberos database containing information about its users and services.
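A checker for the two krb5.conf sections described above, as an added Python example: it parses the [libdefaults] enctype lists and the [realms] subsections, flags single-DES and export-grade encryption types, and reports a realm with no kdc entry. This is not BlackBerry code. The parser is mine and handles only the section / key = value / key = { ... } layout used in the MIT documentation; the two sample files are constructed, and the encryption type names are illustrative (whatever you list must be supported by both the KDC and the JRE running the Mobile Data Service).

```python
# Added example, not BlackBerry code: audit the [libdefaults] and [realms]
# sections of a krb5.conf as described in the guide.


def parse_krb5(text):
    """Return {section: {key: [values] or {nested block}}} for krb5.conf text."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        elif stack:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if value == "{":                          # e.g. "ACME.CA = {" under [realms]
                stack.append(stack[-1].setdefault(key, {}))
            else:                                     # repeated keys (several kdc lines) accumulate
                stack[-1].setdefault(key, []).append(value)
    return sections


WEAK_PREFIXES = ("des-cbc-",)   # single DES; the "-exp" suffix marks export-grade RC4


def weak_enctypes(enctype_list):
    """Names in a space-separated enctype list that should not be requested."""
    return [e for e in enctype_list.split() if e.startswith(WEAK_PREFIXES) or e.endswith("-exp")]


def audit_krb5(conf):
    """List problems with the enctype defaults and the realm definitions."""
    findings = []
    lib = conf.get("libdefaults", {})
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        for value in lib.get(key, []):
            findings += [f"{key}: weak enctype {e}" for e in weak_enctypes(value)]
    realms = conf.get("realms", {})
    for name in lib.get("default_realm", []):
        if name not in realms:
            findings.append(f"default_realm {name} has no [realms] entry")
    for name, body in realms.items():
        if not body.get("kdc"):
            findings.append(f"[realms] {name}: no kdc configured")
    return findings


# Constructed samples (hypothetical realm and hosts, not from the guide).
WEAK_CONF = """
[libdefaults]
    default_realm = ACME.CA
    default_tkt_enctypes = des-cbc-crc des-cbc-md5
    default_tgs_enctypes = des-cbc-crc des-cbc-md5
[realms]
    ACME.CA = {
        admin_server = kdc1.acme.ca   # no kdc line: tickets cannot be obtained
    }
"""

HARDENED_CONF = """
[libdefaults]
    default_realm = ACME.CA
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
    ACME.CA = {
        kdc = kdc1.acme.ca:88
        kdc = kdc2.acme.ca:88
        admin_server = kdc1.acme.ca
    }
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_krb5(parse_krb5(text)) or "no findings")
```

The checker only flags the single-DES and export types that are weak by any measure; rc4-hmac passes it, which is worth remembering when the KDC is one of the Windows 2000 or 2003 domain controllers the guide requires, since those cannot offer the AES types used in the hardened sample.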
Managing push
The Mobile Data Service provides capabilities for push applications. Push applications send content from a server to a handheld without first being prompted by a handheld user.
Push service
The Mobile Data Service implements the Push Access Protocol (PAP) [Wireless Application Protocol (WAP) version 2.0] to push content to the handheld. Developers can also use the RIM push service to push content to the handheld. Both push service implementations support the following tasks:
- sending a server-side push submission
- specifying the reliability mode for the push submission (transport-level versus application-level reliability)
- specifying the deliver-before timestamp for the push submission, which sets a date and time before which the content must be delivered
- requesting a result notification for the push submission
See the BlackBerry Java Development Environment version 3.6 Developer Guide, Volume 1: Fundamentals for more information on writing server-side push applications. You can also use the PAP to send an HTTP POST request. The PAP push service supports the following additional tasks:
- specifying the deliver-after timestamp for the push submission
- cancelling a push submission that has already been sent to the Mobile Data Service
- querying the status of a push submission
Download the Wireless Application Protocol (WAP-247-PAP-20010429-1) from http://www.wapforum.org/what/technical.htm for more information on writing server-side push applications using the PAP. Download the PAP 2.0 DTD from http://www.wapforum.org/DTD for information on the WAP Push DTDs for version 2.0.
1. In the BlackBerry Manager, in the left pane, click a server. 2. On the Mobile Data Services tab, click Common. 3. Click Set as Push Server.
Warning: You can enable centralized push for only one Mobile Data Service in a BlackBerry Domain.
2. On the Mobile Data Services tab, click Edit Properties. 3. Click PAP. 4. Modify the desired values:
   Option: Store Push Submissions.  Description: Specifies whether push requests sent to the handheld using the Push Access Protocol are stored in the configuration database. Note: If you use the deliver-after timestamp, or specify a status query or cancellation in your push request, you must select this option.
   Option: Purge Submissions Age.  Description: The age, in minutes, at which push submissions become eligible for purging from the database.  Default: 1440
   Option: Purge Operations Interval.  Description: The interval, in minutes, at which push submissions are purged from the database.  Default: 720
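The PAP control documents behind the push tasks listed under "Push service" (a push-message with deliver-before and deliver-after timestamps and a result-notification address, a cancel-message, and a statusquery-message), together with a check for the Store Push Submissions requirement stated in the table above, as an added Python example. This is not BlackBerry code: the PAP element and attribute names follow the PAP 2.0 DTD, while the address-value format, the mapping of the guide's reliability modes onto PAP delivery-method values, and the sample push id, address and timestamps are assumptions.

```python
# Added example, not BlackBerry code: build PAP 2.0 control documents and
# decide whether they need Store Push Submissions on the Mobile Data Service.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

PAP_PROLOG = ('<?xml version="1.0"?>\n'
              '<!DOCTYPE pap PUBLIC "-//WAPFORUM//DTD PAP 2.0//EN" '
              '"http://www.wapforum.org/DTD/pap_2.0.dtd">\n')

# Constructed sample values (assumptions, not from the guide).
SAMPLE_ADDRESS = "WAPPUSH=2100000A/TYPE=USER@rim.net"
SAMPLE_BEFORE = datetime(2004, 11, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_AFTER = datetime(2004, 11, 11, 8, 30, tzinfo=timezone.utc)


def pap_timestamp(dt):
    """PAP timestamps are ISO 8601 in UTC, e.g. 2004-11-10T12:00:00Z."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _document(root):
    return PAP_PROLOG + ET.tostring(root, encoding="unicode")


def push_message(address, push_id=None, deliver_before=None, deliver_after=None,
                 reliability="confirmed", notify_to=None):
    """A push submission. reliability is a PAP delivery-method value
    (confirmed, preferconfirmed, unconfirmed, notspecified); which of these
    corresponds to the guide's transport- versus application-level mode is
    an assumption left to the push application."""
    pap = ET.Element("pap")
    msg = ET.SubElement(pap, "push-message", {"push-id": push_id or str(uuid.uuid4())})
    if deliver_before is not None:
        msg.set("deliver-before-timestamp", pap_timestamp(deliver_before))
    if deliver_after is not None:
        msg.set("deliver-after-timestamp", pap_timestamp(deliver_after))
    if notify_to:
        msg.set("ppg-notify-requested-to", notify_to)   # where the result notification is sent
    ET.SubElement(msg, "address", {"address-value": address})
    ET.SubElement(msg, "quality-of-service", {"delivery-method": reliability})
    return _document(pap)


def cancel_message(push_id, address):
    pap = ET.Element("pap")
    msg = ET.SubElement(pap, "cancel-message", {"push-id": push_id})
    ET.SubElement(msg, "address", {"address-value": address})
    return _document(pap)


def statusquery_message(push_id, address):
    pap = ET.Element("pap")
    msg = ET.SubElement(pap, "statusquery-message", {"push-id": push_id})
    ET.SubElement(msg, "address", {"address-value": address})
    return _document(pap)


def describe(pap_xml):
    """Pull the fields a push application would log for one control document."""
    msg = ET.fromstring(pap_xml)[0]
    return {"type": msg.tag, "push_id": msg.get("push-id"),
            "address": msg.find("address").get("address-value"),
            "deliver_before": msg.get("deliver-before-timestamp"),
            "deliver_after": msg.get("deliver-after-timestamp")}


def requires_stored_submissions(pap_xml):
    """True for the requests that, per the guide, only work when Store Push
    Submissions is selected: deliver-after, status query, cancellation."""
    root = ET.fromstring(pap_xml)
    if root.find("cancel-message") is not None or root.find("statusquery-message") is not None:
        return True
    msg = root.find("push-message")
    return msg is not None and "deliver-after-timestamp" in msg.attrib


if __name__ == "__main__":
    for doc in (push_message(SAMPLE_ADDRESS, push_id="p1", deliver_before=SAMPLE_BEFORE),
                push_message(SAMPLE_ADDRESS, push_id="p2", deliver_after=SAMPLE_AFTER),
                cancel_message("p2", SAMPLE_ADDRESS),
                statusquery_message("p2", SAMPLE_ADDRESS)):
        print(describe(doc)["type"], "needs stored submissions:", requires_stored_submissions(doc))
```

Running the check before a push application is deployed avoids the failure mode the table's note describes: a deliver-after, cancel or status query sent to a Mobile Data Service that does not store submissions has nothing to act on. With storage enabled, Purge Submissions Age bounds how long a submission remains queryable or cancellable.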
Push Encryption
Managing pull
Create pull roles and assignments
Use URL patterns and roles to control which URLs can be accessed through the Mobile Data Service. After you configure URL patterns and roles, set pull authorization at the server level. See "Set pull authorization for a specific server" on page 53 for more information.
1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. In the left pane, click MDS Access Control.
4. Perform one of the following actions:
Create a URL pattern.
1. Double-click URL Patterns.
2. Click New.
3. Double-click URL Pattern and type the URL pattern for the role using the format <hostname:port/path>. For example, to specify all paths, use the wildcard character (*): <hostname:port/*>.
4. From the Service Name drop-down list, select one of the following options:
   - HTTP: User requests a connection to an HTTP site. The Mobile Data Service provides access to content on the Internet and corporate intranet using a standard Internet protocol such as HTTP.
   - HTTPS: User requests a connection to an HTTPS site when SSL or TLS is enabled in proxy mode.
   - TCP: User requests a connection to an HTTPS site when TLS is enabled in end-to-end mode.
   - LDAP: User attempts to access a user profile or certificate from the LDAP directory.
   - OCSP: User attempts to verify the revocation status of a certificate from their handheld. Certificate revocation status is retrieved from the OCSP server.
5. Double-click Description and type the description for the URL pattern.
6. Click OK.
7. Click OK again.
Create a pull role.
1. Double-click Pull Roles.
2. Click New.
3. Double-click Name and type the name of the role.
4. Double-click Description, and then type a description for the role.
5. Click OK.
6. Click OK again.

Map a URL pattern to a role.
1. Double-click URL Pattern to Role Mapping.
2. In the left pane, click the role.
3. In the right pane, perform one of the following actions:
   - Select Allow to permit the user assigned to this role to access the identified URL. Note: If you created a different role that denies access to this URL, the user assigned to this role is not permitted access to the URL.
   - Select Deny to prevent the user assigned to this role from accessing the identified URL.
4. Click OK.

Assign the role to a user.
1. Double-click User to Role Mapping.
2. In the left pane, click the role.
3. In the right pane, click the user.
4. Click OK.
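The access decision the procedure above configures, as an added example that is not BlackBerry Enterprise Server code: URL patterns in the <hostname:port/path> form with the * wildcard, pull roles holding Allow and Deny mappings, users assigned to roles, and the rule from the note that a Deny in any of a user's roles overrides an Allow in another. The matching semantics (anchored match, * spanning any characters, a URL matched by no pattern not being permitted), the default ports, and the hostnames, role names and users are assumptions constructed for the example.

```python
"""Pull-authorization check modelled on the Mobile Data Service URL patterns
and pull roles described above. Added example, not BES code: the pattern
format and the "Deny wins" note come from the procedure; the matching
semantics, default ports, hostnames, role names and users are constructed
assumptions.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Ports assumed when a requested URL omits one (constructed assumption).
DEFAULT_PORTS = {"http": 80, "https": 443, "ldap": 389, "ocsp": 80}


def compile_url_pattern(pattern):
    """Turn a pattern such as <intranet.example.com:80/*> into an anchored regex.
    Assumption: * matches any run of characters, including slashes."""
    body = pattern.strip("<>")
    escaped = re.escape(body).replace(r"\*", ".*")
    return re.compile(rf"^{escaped}$", re.IGNORECASE)


def request_key(url):
    """Reduce a requested URL to the hostname:port/path form the patterns use."""
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError(f"no hostname in {url!r}")
    port = parts.port or DEFAULT_PORTS.get(parts.scheme.lower())
    if port is None:
        raise ValueError(f"no port for {url!r}")
    return f"{parts.hostname.lower()}:{port}{parts.path or '/'}"


@dataclass(frozen=True)
class UrlPattern:
    service: str      # HTTP, HTTPS, TCP, LDAP or OCSP, as in the Service Name list
    pattern: str      # <hostname:port/path>, * allowed
    description: str = ""


@dataclass
class PullRole:
    name: str
    allow: list = field(default_factory=list)   # UrlPattern entries mapped to Allow
    deny: list = field(default_factory=list)    # UrlPattern entries mapped to Deny


class PullAuthorizer:
    def __init__(self):
        self.roles = {}        # role name -> PullRole
        self.user_roles = {}   # user -> set of role names

    def add_role(self, role):
        self.roles[role.name] = role

    def assign(self, user, role_name):
        self.user_roles.setdefault(user, set()).add(role_name)

    def is_permitted(self, user, service, url):
        key = request_key(url)
        roles = [self.roles[name] for name in self.user_roles.get(user, ())]
        # A Deny in any of the user's roles wins over an Allow in another role.
        for role in roles:
            for entry in role.deny:
                if entry.service == service and compile_url_pattern(entry.pattern).match(key):
                    return False
        for role in roles:
            for entry in role.allow:
                if entry.service == service and compile_url_pattern(entry.pattern).match(key):
                    return True
        return False  # assumption: a URL matched by no pattern is not permitted


def demo():
    """Constructed roles and users; returns the decision for several requests."""
    auth = PullAuthorizer()
    auth.add_role(PullRole("Intranet users",
                           allow=[UrlPattern("HTTP", "<intranet.example.com:80/*>", "all intranet paths")]))
    auth.add_role(PullRole("No finance",
                           deny=[UrlPattern("HTTP", "<intranet.example.com:80/finance/*>", "finance pages")]))
    auth.assign("alice", "Intranet users")
    auth.assign("bob", "Intranet users")
    auth.assign("bob", "No finance")
    return {
        "alice_news": auth.is_permitted("alice", "HTTP", "http://intranet.example.com/news/today"),
        "alice_finance": auth.is_permitted("alice", "HTTP", "http://intranet.example.com/finance/q3"),
        "bob_finance": auth.is_permitted("bob", "HTTP", "http://intranet.example.com/finance/q3"),
        "bob_internet": auth.is_permitted("bob", "HTTP", "http://www.example.org/"),
        "bob_https": auth.is_permitted("bob", "HTTPS", "https://intranet.example.com/news/"),
    }
```

Note that the service name is part of the match: an Allow for HTTP does not cover HTTPS or TCP (end-to-end TLS) requests to the same host, so each transport a handheld may use needs its own pattern.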
7 Managing security
Change the data encryption type
Generating encryption keys

AES and 3DES: Data is encrypted between the BlackBerry Enterprise Server and the handheld using either the Triple DES or the AES cryptographic algorithm. If you are running version 4.0 of the BlackBerry Enterprise Server, BlackBerry Desktop Software, and BlackBerry Handheld Software, AES encryption is used. If you are running a version earlier than 4.0, Triple DES encryption is used.
Warning: When AES is enabled on the BlackBerry Enterprise Server, users cannot send, receive, or view new messages on C++-based handhelds. If AES is enabled, you must make sure that Java-based handhelds are running BlackBerry Handheld Software version 4.0.
3. Click Edit Properties.
4. Click Security.
5. Click Generate keys automatically.
6. Perform one of the following actions:
   - To enable keys to be generated automatically, select True from the drop-down list.
   - To require keys to be generated manually by users, select False from the drop-down list.
7. Click OK.
Appendix A: IT policy
IT policy rules Sample IT policies
IT policy rules
Note: Some rules might require that the desktop is closed and restarted before changes are applied.

For each policy rule, the table lists the policy group, the description, the default setting, the minimum requirements (handheld type, handheld software version, and server software version), and usage notes.

Allow BCC Recipients
Policy group: Device-Only. Default setting: TRUE. Minimum requirements: Java or 85x/95x; handheld software 3.6 (Java) or 2.5 (85x/95x); server software 4.0.
Description: Specifies whether users can include BCC recipients on email messages.

Allow Browser
Policy group: Global. Default setting: TRUE. Minimum requirements: Java or 85x/95x; handheld software 3.6 (Java) or 2.5 (85x/95x); server software 4.0.
Description: Specifies whether handheld users can use the default browser included on the handheld.

(Rule name missing from source)
Policy group: Security. Default setting: TRUE. Minimum requirements: Java; handheld software 3.6; server software 4.0.
Description: Controls whether applications can initiate external connections (for example, to WAP, SMS, or other public gateway) on the handheld.

(Rule name missing from source)
Policy group: Security. Default setting: TRUE. Minimum requirements: Java; handheld software 3.6; server software 4.0.
Description: Controls whether applications can initiate internal connections (for example, to the Mobile Data Service) on the handheld.

(Rule name missing from source)
Policy group: Service Exclusivity. Default setting: TRUE. Minimum requirements: Java; handheld software 3.6; server software 4.0.
Description: Specifies whether users can use other browser services on the handheld.
Usage: Set this rule to FALSE to force all browser traffic through your organization's BlackBerry Enterprise Server and prevent users from installing other browser services.
(Rule name missing from source)
Default setting: TRUE. Minimum requirements: Java or 85x/95x; handheld software 3.6 (Java) or 2.5 (85x/95x); server software 4.0.
Description: Specifies whether users can use other email services on the handheld.
Usage: Set this rule to FALSE to force all outbound email through your organization's BlackBerry Enterprise Server and prevent users from sending outbound email messages from other email services. Warning: This rule does not prevent users from receiving inbound email messages from other email services.
Allow Outgoing Security Call When Locked
Policy group: Device-Only. Default setting: FALSE. Minimum requirements: Java; handheld software 4.0; server software 4.0.
Description: Specifies whether users can place calls when the handheld is security locked.

Allow Peer-to-Peer Messages
Default setting: TRUE. Minimum requirements: Java or 85x/95x; server software 4.0.
Description: Specifies whether users can send peer-to-peer (also known as PIN-to-PIN) messages on the handheld.
Usage: If this rule is set to FALSE, the functionality is hidden from users. Warning: This rule does not prevent users from receiving PIN messages.
Allow Phone
Policy group: Global. Default setting: TRUE. Minimum requirements: Java; handheld software 3.6; server software 4.0.
Usage: If this rule is set to FALSE, the phone icon is still visible, but only emergency calls can be made. Warning: Setting, modifying, or removing this rule causes the handheld to reset when the IT policy update is received.
(Rule name missing from source)
Policy group: Service Exclusivity. Default setting: TRUE. Minimum requirements: Java or 85x/95x; server software 4.0.
Description: Specifies whether other public Yahoo! Messenger services are permitted on the handheld.
Usage: Set this rule to FALSE to force all messaging activity through Yahoo! Messenger Enterprise edition (if available), remove existing applications, and prevent users from installing other messaging services.
(Rule name missing from source)
Policy group: Security. Minimum requirements: Java; handheld software 4.0; server software 4.0.
Description: Specifies whether the smart card password can be cached.
Usage: If this rule is set to TRUE, the password is cached for a period of time controlled by the key store private key timeout. Cached passwords are cleared by the memory cleaner.

Allow SMS
Policy group: Device-Only. Default setting: TRUE. Minimum requirements: Java; handheld software 3.6; server software 4.0.
Description: Specifies whether users can use Short Message Service (SMS) messaging on the handheld.
Usage: If this rule is set to FALSE, the functionality is hidden from users.

(Rule name missing from source)
Default setting: FALSE. Minimum requirements: Java; handheld software 3.6; server software 4.0.
Description: Enables applications to open both internal and external connections simultaneously.
Usage: Enabling split-pipe connections presents a security issue because, when enabled, applications can surreptitiously collect data from inside the firewall and send it outside the firewall without any auditing.
Allow Third Party Apps to Use Serial Port
Policy group: Security. Default setting: TRUE. Minimum requirements: Java; handheld software 3.6; server software 4.0.
Description: Enables third party applications to use the serial port, IrDA, or USB ports on the handheld.

Application Download Control
Policy group: Security. Default setting: NULL. Minimum requirements: Java; handheld software 4.0; server software 4.0.
Description: Contains a list of applications that are allowed to be downloaded and executed on the device.

Attachment Viewing
Policy group: CMIME Application. Default setting: TRUE. Minimum requirements: Java or 85x/95x; server software 4.0.
Description: Enables users to view attachments on the handheld.
Usage: For this rule to take effect, you must have the Attachment Service installed, running, and connected to the BlackBerry Enterprise Server through an attachment connector.

(Rule name missing from source)
Policy group: Desktop-Only. Default setting: FALSE. Minimum requirements: Java or 85x/95x; server software 4.0.
Description: Specifies whether the option to automatically back up the handheld is enabled.
Usage: When this rule is set, the status is updated in the backup and restore settings of the BlackBerry Desktop Manager. Set this rule to TRUE to enable clean recovery of handheld data in the event that the handheld must be replaced.
Auto Backup Exclude Email
Policy group: Desktop-Only. Minimum requirements: Java or 85x/95x; handheld software N/A (Desktop Manager version 3.5); server software 4.0.
Description: Specifies whether email can be excluded from automatic backups.
Usage: If this rule is set to TRUE, the Auto Backup Include All rule must be set to FALSE.

Auto Backup Exclude Sync
Policy group: Desktop-Only. Default setting: FALSE. Minimum requirements: Java or 85x/95x; handheld software N/A (Desktop Manager version 3.5); server software 4.0.
Description: Specifies whether synchronized application data (data configured for synchronization with Intellisync) can be excluded from automatic backups.
Usage: If this rule is set to TRUE, the Auto Backup Include All rule must be set to FALSE.

(Rule name missing from source)
Policy group: Desktop-Only. Default setting: 7. Minimum requirements: Java or 85x/95x; handheld software N/A (Desktop Manager version 3.5); server software 4.0.
Description: Specifies, in days, how often an automatic backup is performed.
Usage: Set this value to 2 or more days to enable changes to be made on the handheld to data stored between backups, so that users do not need to wait for backups to occur when synchronizing the handheld while it is connected to the computer. Backup files should be saved to a network drive if disk space on the user's local hard drive is limited.

Auto Backup Include All
Minimum requirements: Java or 85x/95x; server software 4.0.
Usage: If this rule is set to TRUE, the "Backup all handheld application data" radio button in Backup and Restore Options of the BlackBerry Desktop Manager will be selected. This rule must be set to FALSE if the Auto Backup Exclude Sync and Auto Backup Exclude Email rules are set to TRUE.
Auto Signature
Policy group: Desktop-Only. Default setting: NULL. Minimum requirements: Java or 85x/95x; server software 4.0.
Description: Specifies the signature automatically attached to the handheld user's email messages.
Usage: Use this rule to add a disclaimer to the end of all outgoing email messages sent from the handheld.

(Rule name missing from source)
Policy group: Common. Default setting: NULL. Minimum requirements: Java or 85x/95x; server software 4.0.
Description: Specifies the BlackBerry Enterprise Server version number that is sent to the handheld.

(Rule name missing from source)
Policy group: Security. Default setting: 7. Minimum requirements: server software 4.0.
Description: Specifies the maximum number of days that the status of a given certificate remains cached on the handheld.
(Rule name missing from source)
Default setting: 4. Minimum requirements: Java; handheld software 4.0; server software 4.0.
Description: Specifies the maximum length of time, in hours, that a certificate status can remain on the handheld before it should be updated in the Certificate Synchronization Manager (and handheld keystore).

Confirm On Send
Policy group: Common. Default setting: NULL. Minimum requirements: Java or 85x/95x; server software 4.0.
Description: Requires users to confirm before sending an email, PIN, SMS, or MMS message.
Usage: Use this rule to customize a confirmation message. If not set, the confirmation dialog is not displayed.

(Rule name missing from source)
Policy group: Security. Default setting: 0. Minimum requirements: Java; handheld software 4.0; server software 4.0.
Description: Specifies the strength of the Elliptic Curve Cryptography (ECC) public key used to encrypt the data when the handheld is locked, from these options: (option list missing from source)
Usage: Note: The rule Password Required must be set to TRUE if this rule is set to TRUE. This rule should correspond to password settings. If the handheld password is greater than 12 characters, set this rule to 1. If the handheld password is greater than 21 characters, set this rule to 2.

(Rule name missing from source)
Default setting: NULL. Minimum requirements: Java; handheld software 3.6; server software 4.0.
Description: Specifies a unique ID for the Browser Config Service Record, which sets the default browser to use (for example, when opening links in email messages).

(Rule name missing from source)
Policy group: Desktop. Default setting: TRUE. Minimum requirements: Java or 85x/95x; server software 4.0.
Description: Specifies whether the BlackBerry Desktop software enables the user to configure and execute desktop add-ins (third-party COM-based extensions that access the handheld databases during synchronization).

(Rule name missing from source)
Policy group: Desktop. Default setting: TRUE. Minimum requirements: Java or 85x/95x; server software 4.0.
Description: Specifies whether the BlackBerry Desktop software allows users to switch handhelds.
Usage: Set this rule to FALSE to prevent users from switching to devices with BlackBerry connectivity.
(Rule name missing from source)
Default setting: 0. Minimum requirements: Java; handheld software 4.0; server software 4.0.
Description: Controls which handheld databases can be backed up by a desktop, from these options: (option list missing from source)

(Rule name missing from source)
Description: Specifies the time, in minutes, that the desktop caches the handheld password in memory.

(Rule name missing from source)
Policy group: Security. Default setting: FALSE. Minimum requirements: Java; handheld software 4.0; server software 4.0.
Description: Prevents the handheld from encrypting and decrypting packets to/from the BlackBerry Enterprise Server that sent the IT Policy.

Disable Address Wireless Sync
Policy group: PIM Sync. Default setting: FALSE. Minimum requirements: server software 4.0.
Description: Disables wireless synchronization of the address database.

Disable All Wireless Sync
Policy group: PIM Sync. Default setting: FALSE. Minimum requirements: server software 4.0.
Description: Disables wireless synchronization of all databases.

Disable Bluetooth
Policy group: Bluetooth. Default setting: FALSE. Minimum requirements: server software 4.0.
Description: Disables all Bluetooth support.
Usage: Warning: If the Bluetooth radio is active when this rule is applied, the handheld is reset for the change to take effect.

Disable Calendar Wireless Sync
Policy group: PIM Sync. Default setting: FALSE. Minimum requirements: server software 4.0.
Description: Disables wireless synchronization of the calendar database.

Disable Cut/Copy/Paste
Policy group: Security. Default setting: FALSE. Minimum requirements: server software 4.0.
Description: Prevents the user from using the clipboard's cut, copy, and paste features.

Disable Email Normal Send
Policy group: Security. Default setting: FALSE. Minimum requirements: Java; handheld software 3.6; server software 4.0.
Description: Specifies whether email messages can be sent as clear text (in other words, normally).
Usage: If this rule is set to TRUE, a secure email package must be installed on the handheld and supported by the BlackBerry Enterprise Server in order to send email messages.
(Rule name missing from source)
Default setting: FALSE. Minimum requirements: Java; handheld software 4.0; server software 4.0.
Description: Prevents the user from forwarding or replying to a message via a different BlackBerry Enterprise Server than the one that delivered the original message. Also prevents forwarding or replying to a PIN message with an email address, or vice versa.

(Rule name missing from source)
Policy group: Bluetooth. Default setting: FALSE. Minimum requirements: Java; handheld software 3.8; server software 4.0.
Description: Disables the use of Bluetooth handsfree peripherals.

(Rule name missing from source)
Default setting: FALSE. Minimum requirements: Java; handheld software 3.8; server software 4.0.
Description: Disables the use of Bluetooth headsets.

(Rule name missing from source)
Default setting: FALSE. Minimum requirements: Java; handheld software 3.6; server software 4.0.
Description: Controls the user's ability to send a message using a certificate that has expired or is not yet valid.
Usage: If this rule is set to FALSE, the user will be warned about but not prevented from using a certificate that has expired or is not yet valid. Currently, this rule applies to BlackBerry 7290 and BlackBerry 7100.

Disable IP Modem
Policy group: Security. Default setting: FALSE. Minimum requirements: Java; handheld software 4.0; server software 4.0.
Disable Java Script in Browser
Policy group: Browser. Default setting: FALSE. Minimum requirements: Java; handheld software 4.0; server software 4.0.
Description: Disables execution of JavaScript scripts in the Browser.

Disable Key Store Backup
Policy group: Security. Default setting: FALSE. Minimum requirements: Java; handheld software 4.0; server software 4.0.
Description: Controls the user's ability to back up certificates and private keys in the handheld key stores.

Disable Key Store Low Security
Policy group: Security. Minimum requirements: Java; handheld software 3.6; server software 4.0.
Usage: If this rule is set to TRUE, then keys will be automatically moved up to the next security level. For handhelds running version 3.6, that level is High. For handhelds running version 4.0, that level is Medium.
(Rule name missing from source)
Policy group: PIM Sync. Default setting: FALSE. Minimum requirements: server software 4.0.
Description: Disables wireless synchronization of the memopad database.

(Rule name missing from source)
Policy group: Common. Default setting: FALSE. Minimum requirements: server software 4.0.
Description: Specifies whether Multimedia Messaging Service (MMS) is permitted on the handheld.
(Rule name missing from source)
Default setting: FALSE. Minimum requirements: Java; handheld software 3.8; server software 4.0.
Description: Disables the ability to establish a relationship or pair with another Bluetooth device.
Usage: Once you have established a pairing with an approved device (for example, a headset), use this rule to prevent the user from establishing any subsequent pairings.

(Rule name missing from source)
Default setting: TRUE. Minimum requirements: Java; handheld software 3.6; server software 4.0.
Description: Disables sending plain text PIN-to-PIN messages when using a secure email package.
Usage: If this rule is set to TRUE, messages must be signed and/or encrypted. To disable peer-to-peer messaging entirely, set the Allow Peer-to-Peer Messages rule to FALSE.

(Rule name missing from source)
Policy group: Security. Default setting: FALSE. Minimum requirements: Java; handheld software 4.0; server software 4.0.
Description: Prevents any application from persisting the plaintext form of a Content Protected object in the Persistent Store (for instance, the file system). In such a case, the handheld will write information about the application in the handheld Event Log, and will then reset, returning the handheld to a valid known state.
Usage: Warning: Not all applications can work with this rule set to TRUE. This rule is only recommended for very security-conscious customers who need assurance that sensitive data cannot be persisted in plaintext form.

(Rule name missing from source)
Policy group: Security. Default setting: 0. Minimum requirements: Java; handheld software 4.0; server software 4.0.
Description: Controls whether the radio is disabled when the handheld is connected to the desktop, from these options: (option list missing from source)

(Rule name missing from source)
Policy group: Bluetooth. Default setting: FALSE. Minimum requirements: Java; handheld software 3.8; server software 4.0.
Description: Disables the ability to communicate with a serial port that has been Bluetooth-enabled.

(Rule name missing from source)
Policy group: Security. Default setting: FALSE. Minimum requirements: Java; handheld software 4.0; server software 4.0.
Description: Specifies whether a user can encrypt a message using a certificate with a stale status.
Usage: If this rule is set to FALSE, the user will be warned about but not prevented from using a stale certificate.
Disable Task Wireless Sync
Policy group: PIM Sync. Minimum requirements: Java or 85x/95x; handheld software 4.0 (Java) or 2.7 (85x/95x); server software 4.0.
Description: Disables wireless synchronization of the task database.

Disable Untrusted Certificate Use
Policy group: Security. Default setting: FALSE. Minimum requirements: Java; handheld software 3.6; server software 4.0.
Description: Specifies whether outgoing email messages are encrypted with untrusted certificates.
Usage: If this rule is set to FALSE, the user will be warned about but not prevented from using an untrusted certificate.

(Rule name missing from source)
Policy group: Security. Default setting: FALSE. Minimum requirements: Java; handheld software 4.0; server software 4.0.
Description: Specifies whether users can send a message encrypted using a certificate that cannot be verified.
Usage: If this rule is set to FALSE, the user will be warned about but not prevented from using an unverified certificate.

(Rule name missing from source)
Default setting: FALSE. Minimum requirements: Java; handheld software 4.0; server software 4.0.
Description: Prevents users from accepting unverified CRLs on the Mobile Data Service when checking the status of a certificate.

(Rule name missing from source)
Policy group: Security. Default setting: FALSE. Minimum requirements: Java; handheld software 3.6; server software 4.0.
Description: Specifies whether users can send a message using a certificate that has a weak corresponding public key.
Usage: If this rule is set to FALSE, the user will be warned about but not prevented from using a certificate that has a weak corresponding public key.

(Rule name missing from source)
Policy group: PIM Sync. Default setting: FALSE. Minimum requirements: Java or 85x/95x; server software 4.0.
Description: Disables wireless synchronization of PIM data during activation or as part of a backup/restore. The handheld must be connected to a computer through cradle or USB before the data transfer will start.
Usage: Set this rule to TRUE to minimize wireless data transfers when activating or updating handhelds. Note: If the handheld is disconnected during a bulk load, the remainder of the data is sent wirelessly.

(Rule name missing from source)
Policy group: Desktop-Only. Default setting: FALSE. Minimum requirements: Java or 85x/95x; server software 4.0.
Description: Specifies whether the wireless calendar synchronization option (BlackBerry Wireless Sync) is available to handheld users in the calendar option of the Personal Information Manager (PIM).
Usage: Wireless calendar synchronization is a significant feature of the BlackBerry solution. Most organizations set this rule to FALSE to enable the wireless calendar synchronization feature.

Disallow Third Party Application Download
Policy group: Security. Default setting: FALSE. Minimum requirements: Java; handheld software 3.6; server software 4.0.
Description: Specifies whether applications not authored by Research In Motion Limited are permitted on the handheld.
(Rule name missing from source)
Policy group: Desktop-Only. Minimum requirements: Java or 85x/95x; handheld software N/A (Desktop Manager version 3.5); server software 4.0.
Description: Specifies whether a copy of each message sent by the handheld user is saved to a Sent Messages folder.
Usage: Set this rule to FALSE to enable storage on the mail server of messages sent from the handheld.

(Rule name missing from source)
Policy group: Password. Default setting: NULL. Minimum requirements: Java; handheld software 4.0; server software 4.0.
Description: Specifies the email address that receives notification when a user enters a password under duress. If no email is entered, the duress password function is not activated.
Usage: Note: This rule can only be used if the Password Required rule is set to TRUE.

(Rule name missing from source)
Policy group: Desktop-Only. Default setting: TRUE. Minimum requirements: Java or 85x/95x; server software 4.0.
Description: Specifies what happens when a conflict occurs between the desktop and the handheld during Personal Information Manager (PIM) synchronization.

(Rule name missing from source)
Policy group: Device-Only. Minimum requirements: Java; server software 4.0.
Description: Specifies whether the handheld locks after a pre-defined period of time, regardless of user activity.
Usage: If this rule is set to TRUE, the handheld will automatically lock after 60 minutes. Use the Periodic Challenge Time rule to shorten this interval.

(Rule name missing from source)
Policy group: Device-Only. Default setting: TRUE. Minimum requirements: Java; handheld software 3.6; server software 4.0.
Description: Specifies whether the WAP Browser icon will appear on the handheld when the service provider has provisioned the WAP browser and the appropriate service books are present.

(Rule name missing from source)
Minimum requirements: Java or 85x/95x; server software 4.0.
Description: Specifies whether wireless email reconciliation functionality is supported on the handheld.
Usage: If this rule is set to TRUE, or not part of the IT policy to which a user is assigned, wireless email reconciliation is still enabled on the handheld by default. Note: Wireless email reconciliation must also be enabled on the BlackBerry Enterprise Server.
FIPS Level
Default setting: 1. Minimum requirements: Java; handheld software 3.3/4.0; server software 4.0.
Description: Specifies the level of FIPS compliance with which the BlackBerry Cryptographic Kernel software is forced to operate, from these options: (option list missing from source)
Usage: Warning: Selecting Level 2 prevents WTLS from using the RC5 cipher, which can result in problems using the WTLS protocol. If this rule is set to 2, the following additional rules are enforced with these values:
- Password Required = True
- Minimum Password Length = 5
- Suppress Password Echo = True
- S/MIME Allowed Content Ciphers = AES (256-bit), AES (192-bit), AES (128-bit), Triple DES
- TLS Restrict FIPS Ciphers = True
- PGP Allowed Content Ciphers = AES (256-bit), AES (192-bit), AES (128-bit), Triple DES
- Disallow Third Party Application Download = True
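The forced values listed for FIPS Level 2, together with the Password Required prerequisites, the bound set by the Maximum Security Timeout rule and the Auto Backup Include All conflict noted elsewhere in this table, can be checked before an IT policy is sent to handhelds. The following is an added example and not BlackBerry Enterprise Server code: the rule names are the ones printed in this table, "Security Timeout" is an assumed name for the rule this table describes as the password timeout (its name is not legible here), and the sample policy values are constructed.

```python
"""Check an IT policy against the rule dependencies documented in this
appendix. Added example for the guide, not RIM or BES code. Rule names are
those printed in the table; "Security Timeout" is an assumed name for the
password-timeout rule whose name is not legible; all values are constructed.
"""
from copy import deepcopy

# Values the FIPS Level rule forces when it is set to 2 (from its Usage column).
FIPS_LEVEL_2_OVERRIDES = {
    "Password Required": True,
    "Minimum Password Length": 5,
    "Suppress Password Echo": True,
    "S/MIME Allowed Content Ciphers": ["AES (256-bit)", "AES (192-bit)", "AES (128-bit)", "Triple DES"],
    "TLS Restrict FIPS Ciphers": True,
    "PGP Allowed Content Ciphers": ["AES (256-bit)", "AES (192-bit)", "AES (128-bit)", "Triple DES"],
    "Disallow Third Party Application Download": True,
}

# Rules whose Usage column says they can only be used if Password Required is
# TRUE (limited to rules whose names are printed in the table).
REQUIRES_PASSWORD = (
    "Minimum Password Length",
    "Suppress Password Echo",
    "Periodic Challenge Time",
    "Force Smart Card Two Factor Authentication",
    "Security Timeout",   # assumed name, see the module docstring
)


def apply_fips_overrides(policy):
    """Return a copy of the policy with the FIPS Level 2 forced values applied."""
    effective = deepcopy(policy)
    if effective.get("FIPS Level") == 2:
        effective.update(deepcopy(FIPS_LEVEL_2_OVERRIDES))
    return effective


def validate_policy(policy):
    """Apply FIPS overrides, then return (effective_policy, violations)."""
    effective = apply_fips_overrides(policy)
    violations = []

    if not effective.get("Password Required", False):
        for rule in REQUIRES_PASSWORD:
            if rule in effective:
                violations.append(f"{rule} requires Password Required = TRUE")

    # The password timeout must be <= the Maximum Security Timeout rule.
    timeout = effective.get("Security Timeout")
    maximum = effective.get("Maximum Security Timeout")
    if timeout is not None and maximum is not None and timeout > maximum:
        violations.append(f"Security Timeout ({timeout}) exceeds Maximum Security Timeout ({maximum})")

    # Auto Backup Include All must be FALSE when either Exclude rule is TRUE.
    if effective.get("Auto Backup Include All"):
        for rule in ("Auto Backup Exclude Sync", "Auto Backup Exclude Email"):
            if effective.get(rule):
                violations.append(f"Auto Backup Include All must be FALSE when {rule} is TRUE")

    return effective, violations


# Constructed sample policy that trips several of the documented checks.
SAMPLE_POLICY = {
    "FIPS Level": 2,
    "Password Required": False,      # ignored: FIPS Level 2 forces TRUE
    "Minimum Password Length": 8,    # ignored: FIPS Level 2 forces 5
    "Security Timeout": 60,
    "Maximum Security Timeout": 30,  # lower than the timeout above
    "Auto Backup Include All": True,
    "Auto Backup Exclude Email": True,
}

if __name__ == "__main__":
    effective, problems = validate_policy(SAMPLE_POLICY)
    print(effective)
    for problem in problems:
        print("violation:", problem)
```

The overrides are applied before the dependency checks because the table states that at FIPS Level 2 the administrator's own settings for those rules are ignored; checking the raw policy would report Password Required violations that the handheld will never see.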
Force Load Count
Policy group: Desktop-Only. Default setting: No limit. Minimum requirements: Java or 85x/95x; handheld software N/A (Desktop Manager version 3.5); server software 4.0.
Description: Specifies the number of times a handheld user is allowed to decline when prompted to update the handheld before the update is forced.
Usage: To disable the forced update functionality, set this rule to -1.

(Rule name missing from source)
Policy group: Desktop-Only. Default setting: NULL. Minimum requirements: Java or 85x/95x; handheld software N/A (Desktop Manager version 3.5); server software 4.0.
Description: Specifies the message that appears when users are prompted to update to a later version of the BlackBerry handheld software.
Usage: Note: This rule can only be used if the Force Load Count rule is set to a positive number.

(Rule name missing from source)
Policy group: Security. Default setting: FALSE. Minimum requirements: Java; handheld software 3.6; server software 4.0.
Description: Specifies whether the handheld is security locked when placed in the holster.
Force Smart Card Two Factor Authentication
Minimum requirements: Java; handheld software 3.6; server software 4.0.
Description: Specifies whether the user must supply their handheld password as well as the password to the configured smart card.
Usage: Note: This rule can only be used if the Password Required rule is set to TRUE. When this rule is set, the user must have a smart card authenticator, smart card driver, and smart card reader driver installed on their handheld before they can use their handheld.

(Rule name missing from source)
Policy group: Desktop-Only. Minimum requirements: server software 4.0.
Description: Specifies whether the handheld continues to receive messages while it is connected to the computer using the cradle or a USB cable.
Usage: When this rule is set, the status is updated in the redirector settings of the BlackBerry Desktop Manager.

(Rule name missing from source)
Policy group: Device-Only. Minimum requirements: Java or 85x/95x; server software 4.0.
Description: Specifies the URL address of the home page used by the WML browser.
Usage: Most organizations set the URL to their intranet address. If this rule is not set, the handheld will use the default Home Page URL.

Home Page Address is Read-Only
Policy group: Device-Only. Default setting: FALSE. Minimum requirements: server software 4.0.
Description: Specifies if the URL address of the home page can be modified by the handheld user.

IT Policy Notification
Policy group: Common. Minimum requirements: server software 4.0.
Description: Specifies if warnings of IT policy changes are displayed to the user.

Key Store Password Maximum Timeout
Policy group: Security. Default setting: 1. Minimum requirements: server software 4.0.
Description: Specifies the maximum number of minutes allowed before the cached keystore password times out and the user is prompted to enter the password.
(Rule name missing from source)
Default setting: FALSE. Minimum requirements: Java; handheld software 3.6; server software 4.0.
Description: Specifies whether the handheld locks when the smart card is removed from the smart card reader, or the reader is removed from the handheld.
Usage: Warning: Not all smart card reader drivers support smart card removal detection. Note: This rule can only be used if the Password Required and Force Smart Card Two Factor Authentication rules are set to TRUE. When this rule is set, the user must have a smart card authenticator, smart card driver, and smart card reader driver installed on their handheld before they can use their handheld.

Lock Owner Info
Policy group: Common. Minimum requirements: Java or 85x/95x; server software 4.0.
Description: Locks specified fields in the Owner options screen of the handheld, from these options:
1 - Lock Information text.
2 - Lock Name text.
3 - Lock both Name and Information text.
Usage: Use this rule to lock the text defined in the Set Owner Info and Set Owner Name rules. Warning: This information is overwritten by the Set Owner Information IT Admin command.

(Rule name missing from source)
Policy group: Device-Only. Minimum requirements: Java or 85x/95x; server software 4.0.
Description: Specifies the number of days until a handheld password expires and the user is prompted to provide a new password.
Usage: Set this rule according to your organization's password expiration policy. If no such policy exists, the recommendation is to set a maximum password age of 30 days. If set to 0, password aging is disabled. Note: This rule can only be used if the Password Required rule is set to TRUE.

(Rule name missing from source)
Policy group: Password. Default setting: 0. Minimum requirements: Java; handheld software 3.6; server software 4.0.
Description: Specifies the maximum number of prior passwords against which new passwords can be checked to prevent reuse of the old passwords.
Usage: Note: This rule can only be used if the Password Required rule is set to TRUE. If set to 0, password checking is disabled.
Maximum Security Timeout
Policy group: Device-Only. Minimum requirements: Java or 85x/95x; handheld software 3.6 (Java) or 2.5 (85x/95x); server software 4.0.
Description: Specifies the maximum time, in minutes, allowed before a handheld security timeout occurs. The handheld user can select any timeout value less than the maximum value.
Usage: Set this rule according to your organization's security policy. If no such policy exists, the recommendation is to set a maximum timeout value of 30 minutes.

(Rule name missing from source)
Policy group: Browser. Minimum requirements: handheld software 3.6; server software 4.0.
Description: Sets the name that appears on the Home screen for the BlackBerry Browser icon.

(Rule name missing from source)
Policy group: Desktop-Only. Minimum requirements: server software 4.0.
Description: Specifies a message to appear each time BlackBerry Desktop Manager is started.

(Rule name missing from source)
Policy group: Security. Default setting: 1. Minimum requirements: Java; server software 4.0.
Description: Specifies the minimum security level for the encryption key in the Keystore, from these options: (option list missing from source)
Usage: All keys on the handheld will be forced to have this minimum security level as their minimum, but the user can set a higher security level if desired.

(Rule name missing from source)
Policy group: Security. Minimum requirements: Java; handheld software 4.0; server software 4.0.
Description: Specifies the minimum security level for the signing key in the Keystore, from these options: (option list missing from source)
Usage: All keys on the handheld will be forced to have this minimum security level as their minimum, but the user can set a higher security level if desired.

Minimum Password Length
Policy group: Device-Only. Minimum requirements: Java or 85x/95x; server software 4.0.
Description: Specifies the minimum allowable length, in characters, of the handheld security password.
Usage: Set this rule according to your organization's password length policy. If no such policy exists, the recommendation is to set a minimum of 6 characters. Note: This rule can only be used if the Password Required rule is set to TRUE. Warning: If the FIPS Level rule is set to 2, then the setting of this rule is ignored and is explicitly set to 5.
(Rule name missing from source)
Policy group: Device-Only. Default setting: 0. Minimum requirements: Java or 85x/95x; handheld software 3.6 (Java) or 2.5 (85x/95x); server software 4.0.
Description: Creates a pattern check on the handheld security password, from these options: (option list missing from source)
Usage: To enable a high level of security, the recommendation is to set this value to a minimum of 1. Note: This rule can only be used if the Password Required rule is set to TRUE. Warning: If options 2 or 3 are selected, then password pattern checking is disabled on 85x/95x handhelds.

Password Required
Policy group: Device-Only. Default setting: FALSE. Minimum requirements: Java or 85x/95x; server software 4.0.
Usage: To enforce password requirements, set the User Can Disable Password rule to FALSE. Warning: If the FIPS Level rule is set to 2, then the setting of this rule is ignored and is explicitly set to TRUE.

Periodic Challenge Time
Default setting: 60. Minimum requirements: Java; handheld software 4.0; server software 4.0.
Description: Specifies the interval, in minutes, after which the user will be prompted to enter a password, regardless of whether the handheld has been idle or in use.
Usage: Note: This rule can only be used if the Password Required rule is set to TRUE.

(Rule name missing from source)
Default setting: NULL. Minimum requirements: Java; handheld software 4.0; server software 4.0.
Description: Specifies the background color of all email messages, in RGB (hexadecimal) format. The first color represents the background color of messages sent from the BlackBerry Enterprise Server that sent the IT Policy. The second color represents the background color of messages sent from all other services.
Usage: Example colors are:
0xffffff: white
0x000000: black
0xff0000: red
0x00ff00: green
0x0000ff: blue
0xffeeee: light red
0xffaaaa: dark red
0xeeffee: light green
0xaaffaa: dark green
0xeeeeff: light blue
0xaaaaff: dark blue
(Rule name missing from source)
Default setting: 10. Minimum requirements: Java; handheld software 3.6; server software 4.0.
Description: Specifies the number of security password attempts (incorrect passwords entered) allowed on the handheld before the handheld data is erased and the handheld disabled.
Usage: Maximum password attempts is set to 10 by default on the handheld. Use this rule to lower the number of password attempts. Note: This rule can only be used if the Password Required rule is set to TRUE.

(Rule name missing from source)
Policy group: Common. Minimum requirements: Java or 85x/95x; server software 4.0.
Usage: Use the Lock Owner Info rule to prevent the handheld user from editing this information. Warning: This information is overwritten by the Set Owner Information IT Admin command.

(Rule name missing from source)
Policy group: Common. Minimum requirements: Java or 85x/95x; server software 4.0.
Usage: Use the Lock Owner Info rule to prevent the handheld user from editing this information. Warning: This information is overwritten by the Set Owner Information IT Admin command.

(Rule name missing from source)
Policy group: Password. Default setting: 60. Minimum requirements: Java; handheld software 3.6; server software 4.0.
Description: Specifies the amount of time, in minutes, before the security timeout occurs on the handheld.
Usage: Password timeout is set to 60 minutes by default on the handheld. Use this rule to lower the timeout interval. The value specified must be less than or equal to the value set for the Maximum Security Timeout rule. Note: This rule can only be used if the Password Required rule is set to TRUE.

(Rule name missing from source)
Policy group: Desktop-Only. Default setting: TRUE. Minimum requirements: Java; handheld software 3.5; server software 4.0.
Description: Specifies whether the handheld user has access to the application loader in the desktop software.
Show Web Link
Policy group: Desktop-Only. Default setting: FALSE. Minimum requirements: Java or 85x/95x; handheld software N/A (Desktop Manager version 3.5); server software 4.0.
Description: Specifies whether the handheld user has access to the Web Link icon in the desktop software.
Usage: Note: The icon will only appear if the default URL is set via the WebLinkURL rule.

Suppress Password Echo
Policy group: Password. Default setting: TRUE. Minimum requirements: Java; handheld software 3.6; server software 4.0.
Description: Disables the echoing (printing to the screen) of characters typed into the Security password screen after a given number of failed attempts at unlocking the handheld.
Usage: Password echo is enabled by default on the handheld. Use this rule to override the default. Note: This rule can only be used if the Password Required rule is set to TRUE. Warning: If the FIPS Level rule is set to 2, then the setting of this rule is ignored and is explicitly set to TRUE.

(Rule name missing from source)
Policy group: Desktop-Only. Default setting: TRUE. Minimum requirements: Java or 85x/95x; server software 4.0.
Description: Specifies whether the Personal Information Manager (PIM) allows email and folder synchronization to occur instead of an import of moves and deletes on the handheld.

TCP APN
Policy group: TCP. Minimum requirements: Java; server software 4.0.
Description: Enables IT Policy to impose a default Access Point Name (APN) on the handheld for TCP.

TCP Password
Policy group: TCP. Minimum requirements: Java; handheld software 4.0; server software 4.0.
Description: Enables IT Policy to impose a default APN password on the handheld for TCP.

TCP Username
Policy group: TCP. Minimum requirements: Java; handheld software 4.0; server software 4.0.
Description: Enables IT Policy to impose a default APN username on the handheld for TCP.

(Rule name missing from source)
Default setting: FALSE. Minimum requirements: Java; handheld software 4.0; server software 4.0.
Description: Controls use of proxy mode TLS or proxy HTTPS between the handheld and the BlackBerry Enterprise Server.
Usage: If this rule is set to TRUE, all HTTPS connections must use device-side TLS. Warning: If this rule has been set and device-side TLS is not available, an exception will occur.

(Rule name missing from source)
Policy group: TLS. Default setting: 2. Minimum requirements: Java; handheld software 3.6.1; server software 4.0.
Description: Controls the use of connections to servers with invalid certificates during TLS connections, from these options:
0 - Disable invalid connections.
1 - Allow invalid connections.
2 - Prompt user on the handheld.
(Rule name missing from source)
Policy group: TLS. Default setting: 2. Minimum requirements: Java; handheld software 3.6.1; server software 4.0.
Description: Controls the use of connections to untrusted servers during a TLS connection, from these options:
0 - Disallow untrusted connections.
(remaining options missing from source)

(Rule name missing from source)
Options:
0 - Disable weak ciphers.
1 - Allow weak ciphers.
2 - Prompt user on the handheld.

TLS Minimum Strong DH Key Length
Policy group: TLS. Default setting: 1024. Minimum requirements: Java; handheld software 3.6.1; server software 4.0.
Description: Specifies the minimum DH key size, in bits, allowed for use in the TLS connection.

TLS Minimum Strong DSA Key Length
Policy group: TLS. Default setting: 1024. Minimum requirements: Java; handheld software 3.6.1; server software 4.0.
Description: Specifies the minimum DSA key size, in bits, allowed for use in TLS connections.

TLS Minimum Strong ECC Key Length
Policy group: TLS. Default setting: 163. Minimum requirements: Java; handheld software 3.6.1; server software 4.0.
Description: Specifies the minimum ECC key size, in bits, allowed for use in the TLS connection.

TLS Minimum Strong RSA Key Length
Policy group: TLS. Default setting: 1024. Minimum requirements: Java; handheld software 3.6.1; server software 4.0.
Description: Specifies the minimum RSA key size, in bits, allowed for use in TLS connections.

TLS Restrict FIPS Ciphers
Policy group: TLS. Minimum requirements: Java; handheld software 3.6.1; server software 4.0.
Usage: Warning: If the FIPS Level rule is set to 2, then the setting of this rule is ignored and is explicitly set to TRUE.
Policy group: Security
Description: Defines a string that contains a semicolon-separated list of Hex-ASCII certificate thumbprints, generated using either SHA1 or MD5. If the string is present, the user cannot add any certificate with a thumbprint that does not appear in the defined list to the trusted key store.
Minimum requirements: handheld type Java; handheld software 3.6; server software 4.0
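The thumbprint list above is a small format worth handling carefully: separators, letter case and digest length vary between tools, and a malformed entry silently excludes a certificate the administrator meant to trust. The following is an added example (not BlackBerry code) that parses the rule value, derives SHA1 and MD5 thumbprints from a certificate's DER bytes, and applies the rule's "may this certificate enter the trusted key store" decision. It assumes the thumbprint is the digest of the whole DER encoding; the certificate bytes are constructed for the example and are not real certificates.

```python
"""Parse the Security rule value described above: a semicolon-separated list
of Hex-ASCII certificate thumbprints (SHA1 or MD5), and decide whether a
certificate may be added to the trusted key store. Added illustration, not
BlackBerry code. The thumbprint is assumed to be the digest of the
certificate's full DER encoding; the certificate bytes below are constructed
for the example and are not real certificates."""
import hashlib

HEX_DIGITS = set("0123456789abcdef")
THUMBPRINT_LENGTHS = {32: "MD5", 40: "SHA1"}   # hex characters per digest


def parse_thumbprint_list(policy_value):
    """Return a set of normalised thumbprints (lowercase, no separators), or None
    when the rule is not set, in which case no restriction applies."""
    if policy_value is None or not policy_value.strip():
        return None
    allowed = set()
    for item in policy_value.split(";"):
        item = item.strip().replace(":", "").replace(" ", "").lower()
        if not item:
            continue                      # tolerate a trailing semicolon
        if len(item) not in THUMBPRINT_LENGTHS or not set(item) <= HEX_DIGITS:
            raise ValueError(f"not a Hex-ASCII MD5/SHA1 thumbprint: {item!r}")
        allowed.add(item)
    return allowed


def thumbprints(der_bytes):
    """SHA1 and MD5 thumbprints of a DER-encoded certificate (digest of the whole DER)."""
    return {hashlib.sha1(der_bytes).hexdigest(), hashlib.md5(der_bytes).hexdigest()}


def may_add_to_trusted_store(policy_value, der_bytes):
    """True when the rule is absent or one of the certificate's thumbprints is listed."""
    allowed = parse_thumbprint_list(policy_value)
    if allowed is None:
        return True
    return not thumbprints(der_bytes).isdisjoint(allowed)


def build_policy_value(der_certificates, algorithm="sha1"):
    """Build the rule value an administrator would set for a list of DER certificates."""
    if algorithm not in ("sha1", "md5"):
        raise ValueError("thumbprints must be SHA1 or MD5")
    return ";".join(hashlib.new(algorithm, der).hexdigest().upper() for der in der_certificates)


# Constructed sample inputs (not real certificates).
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-sample-certificate-1"
OTHER_CERT_DER = b"\x30\x82\x01\x00constructed-sample-certificate-2"
# A mixed list: SHA1 thumbprint of the first certificate, MD5 thumbprint of the second.
POLICY_VALUE = build_policy_value([SAMPLE_CERT_DER]) + ";" + build_policy_value([OTHER_CERT_DER], "md5")

if __name__ == "__main__":
    print(POLICY_VALUE)
    print(may_add_to_trusted_store(POLICY_VALUE, SAMPLE_CERT_DER))       # True
    print(may_add_to_trusted_store(POLICY_VALUE, b"unlisted certificate"))  # False
```

Generating the rule value from the certificates themselves (build_policy_value) rather than copying thumbprints by hand avoids the transcription errors that make an allowlist reject the intended certificate; prefer SHA1 entries, since the rule accepts MD5 only for compatibility.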
Policy rule: User Can Change Timeout
Policy group: Device-Only
Description: Specifies whether the handheld user can change the specified security timeout.
Default setting: TRUE
Minimum requirements: handheld type Java; handheld software 3.6; server software 4.0
Usage: Set this rule according to your organization's security policy. If no such policy exists, the recommendation is to set this rule to FALSE.
Policy rule: Web Link Label
Policy group: Desktop-Only
Description: Specifies the label for the Web Link icon, if it appears. Setting this value does not imply that the Web Link icon is visible.
Default setting: Download
Minimum requirements: handheld type Java or 85x/95x; handheld software N/A (Desktop Manager version 3.5); server software 4.0
Usage: Set the label according to your organization's requirements. Note: When setting this rule, also set the Show Web Link rule to TRUE.

Policy group: Desktop-Only
Description: Specifies the URL for the Web Link icon, if it appears. Setting this value does not imply that the Web Link icon is visible.
Default setting: NULL
Minimum requirements: handheld type Java or 85x/95x; server software 4.0
Usage: Set the URL according to your organization's requirements. Note: When setting this rule, also set the Show Web Link rule to TRUE.
Policy group: WTLS
Description: Controls the use of connections to servers with invalid certificates during WTLS connections, from these options: 0 - Disable invalid connections. 1 - Allow invalid connections. 2 - Prompt user on the handheld.
Default setting: 2
Minimum requirements: handheld type Java; handheld software 3.6; server software 4.0

Policy rule: WTLS Disable Untrusted Connection
Policy group: WTLS
Description: Controls the use of connections to untrusted servers during WTLS connections, from these options: 0 - Disallow untrusted connections.
Default setting: 2
Minimum requirements: handheld type Java; handheld software 3.6; server software 4.0

Policy group: WTLS
Description: Controls the use of weak ciphers during WTLS connections, from these options: 0 - Disable weak ciphers. 1 - Allow weak ciphers. 2 - Prompt user on the handheld.

Policy rule: WTLS Minimum Strong DH Key Length
Policy group: WTLS
Description: Specifies the minimum DH key size, in bits, allowed for use in the WTLS connection.
Default setting: 1024
Minimum requirements: handheld type Java; handheld software 3.6; server software 4.0

Policy rule: WTLS Minimum Strong ECC Key Length
Policy group: WTLS
Description: Specifies the minimum ECC key size, in bits, allowed for use in the WTLS connection.
Default setting: 163
Minimum requirements: handheld type Java; handheld software 3.6; server software 4.0

Policy rule: WTLS Minimum Strong RSA Key Length
Policy group: WTLS
Description: Specifies the minimum RSA key size, in bits, allowed for use in WTLS connections.
Default setting: 1024
Minimum requirements: handheld type Java; handheld software 3.6; server software 4.0

Policy rule: WTLS Restrict FIPS Ciphers
Policy group: WTLS
Minimum requirements: handheld type Java; handheld software 4.0; server software 4.0
Usage: Warning: If the FIPS Level rule is set to 2, then the setting of this rule is ignored and is explicitly set to TRUE.
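The TLS and WTLS groups above follow the same pattern: per-algorithm minimum key lengths that act as hard floors, three 0/1/2 rules (invalid certificate, untrusted server, weak cipher) that each map to disable, allow or prompt, and a FIPS Level setting that overrides Restrict FIPS Ciphers. The following added example (not BlackBerry code) models how such a policy is evaluated against a proposed server connection for either group, using the rule names and defaults from the two tables. The names used for the three 0/1/2 rules, the handshake fields and the order in which the individual decisions are combined are assumptions made for this example.

```python
"""Evaluate a proposed TLS or WTLS server connection against the IT policy
rules in the TLS and WTLS groups above: the per-algorithm minimum key
lengths, the 0/1/2 options for invalid certificates, untrusted servers and
weak ciphers, and the FIPS Level override on Restrict FIPS Ciphers.
Added illustration only, not BlackBerry code. Rule names and defaults for the
key-length and FIPS rules are taken from the tables; the names used for the
three 0/1/2 rules, the handshake fields and the order in which decisions are
combined are assumptions made for this example."""
from dataclasses import dataclass

DISABLE, ALLOW, PROMPT = 0, 1, 2   # option values of the 0/1/2 rules


def default_policy(group):
    """Default settings shown in the table for the given group ("TLS" or "WTLS")."""
    policy = {
        f"{group} Minimum Strong DH Key Length": 1024,
        f"{group} Minimum Strong ECC Key Length": 163,
        f"{group} Minimum Strong RSA Key Length": 1024,
        f"{group} Restrict FIPS Ciphers": False,   # assumption: table shows no default
        "FIPS Level": 0,                             # assumption: 0 means no FIPS enforcement
        # Hypothetical keys for the unnamed 0/1/2 rules; the table defaults are 2 (prompt).
        "invalid_certificate_option": PROMPT,
        "untrusted_server_option": PROMPT,
        "weak_cipher_option": PROMPT,                # assumption: no default shown
    }
    if group == "TLS":                               # the WTLS group has no DSA rule
        policy["TLS Minimum Strong DSA Key Length"] = 1024
    return policy


@dataclass
class Handshake:
    key_algorithm: str        # "RSA", "DSA", "ECC" or "DH"
    key_bits: int
    certificate_valid: bool
    server_trusted: bool
    cipher_strong: bool


def effective_restrict_fips(policy, group):
    """FIPS Level 2 forces Restrict FIPS Ciphers to TRUE, per the table's warning."""
    if policy.get("FIPS Level") == 2:
        return True
    return bool(policy.get(f"{group} Restrict FIPS Ciphers", False))


def key_length_ok(policy, group, algorithm, bits):
    """The minimum is a floor in bits for that algorithm; no rule means no floor."""
    minimum = policy.get(f"{group} Minimum Strong {algorithm.upper()} Key Length")
    return minimum is None or bits >= minimum


def option_decision(option, condition_met):
    """Apply a 0/1/2 option only when its condition (invalid, untrusted, weak) holds."""
    if not condition_met:
        return "allow"
    return {DISABLE: "deny", ALLOW: "allow", PROMPT: "prompt"}[option]


SEVERITY = {"allow": 0, "prompt": 1, "deny": 2}


def evaluate(policy, group, hs):
    """Return (decision, reasons) with decision "deny", "prompt" or "allow".
    A key below the minimum is an outright denial; otherwise the most
    restrictive of the three option decisions wins."""
    if not key_length_ok(policy, group, hs.key_algorithm, hs.key_bits):
        return "deny", [f"{hs.key_algorithm} key of {hs.key_bits} bits is below the {group} minimum"]
    checks = [
        ("invalid certificate", option_decision(policy["invalid_certificate_option"], not hs.certificate_valid)),
        ("untrusted server", option_decision(policy["untrusted_server_option"], not hs.server_trusted)),
        ("weak cipher", option_decision(policy["weak_cipher_option"], not hs.cipher_strong)),
    ]
    worst, reasons = "allow", []
    for label, decision in checks:
        if decision != "allow":
            reasons.append(f"{label}: {decision}")
        if SEVERITY[decision] > SEVERITY[worst]:
            worst = decision
    return worst, reasons


if __name__ == "__main__":
    tls = default_policy("TLS")
    print(evaluate(tls, "TLS", Handshake("RSA", 2048, True, True, True)))   # ('allow', [])
    print(evaluate(tls, "TLS", Handshake("RSA", 512, True, True, True)))    # deny: below minimum
    hardened = dict(tls, invalid_certificate_option=DISABLE, weak_cipher_option=DISABLE)
    print(evaluate(hardened, "TLS", Handshake("ECC", 163, False, True, True)))  # deny: invalid certificate
```

Two points the example makes explicit: the default of 2 on the invalid-certificate and untrusted-server rules leaves the decision to the user at the handheld, so an organization that wants the rule enforced rather than advisory sets those options to 0; and the ECC minimum of 163 bits is not comparable with the 1024-bit RSA, DSA and DH minimums, since each rule is a floor for its own algorithm.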
Sample IT policies
Consider these scenarios when designing your own IT policies.
If you want to... make sure that all electronic communication between your employees and their clients is recorded in order to comply with industry regulations.
Use these rules, with these settings:
Allow Other Browser Services: FALSE
Allow Other Email Services: FALSE
Allow Peer-to-Peer Message: FALSE
Allow SMS: FALSE
Disable Cut/Copy/Paste: TRUE

If you want to... implement your corporate password policy on all handhelds.
Use these rules, with these settings:
Password Required: TRUE
Maximum Password Age: 60 (days)
Minimum Password Length: 15 (characters)
Password Pattern Checks: 2 (requires at least one alpha, one numeric, and one special character)
Set Password Timeout: 30 (minutes)
User Can Change Timeout: FALSE