
BlackBerry Enterprise Server for IBM Lotus Domino

Version 4.0
Administration Guide

BlackBerry Enterprise Server Version 4.0 for IBM Lotus Domino Administration Guide
Last revised: 10 November 2004
Part number: SWD_X_BES(EN)-015.003
At the time of publication, this documentation complies with BlackBerry Enterprise Server Version 4.0 for IBM Lotus Domino.

© 2004 Research In Motion Limited. All rights reserved. The BlackBerry and RIM families of related marks, images and symbols are the exclusive properties and trademarks of Research In Motion Limited. RIM, Research In Motion, 'Always On, Always Connected' and BlackBerry are registered with the U.S. Patent and Trademark Office and may be pending or registered in other countries. The Bluetooth word mark and logos are owned by the Bluetooth SIG, Inc. and any use of such marks by Research In Motion is under license. Microsoft, Windows, PowerPoint, and Windows NT are registered trademarks of Microsoft Corporation in the United States and/or other countries. Adobe and Acrobat are registered trademarks of Adobe Systems Incorporated in the United States, and/or other countries. Java and JavaScript are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. Corel and WordPerfect are registered trademarks of Corel Corporation and/or its subsidiaries in Canada, the United States and/or other countries. IBM, Lotus, Domino, Lotus Notes, and Web Access (iNotes) are trademarks of International Business Machines Corporation in the United States, other countries, or both. All other brands, product names, company names, trademarks, and service marks are the properties of their respective owners. The BlackBerry handheld and/or associated software are protected by copyright, international treaties, and various patents, including one or more of the following U.S. patents: 6,278,442; 6,271,605; 6,219,694; 6,075,470; 6,073,318; D445,428; D433,460; D416,256. Other patents are registered or pending in various countries around the world.
Visit www.rim.com/patents.shtml for a current listing of applicable patents. This document is provided as is and Research In Motion Limited (RIM) assumes no responsibility for any typographical, technical, or other inaccuracies in this document. RIM reserves the right to periodically change information that is contained in this document; however, RIM makes no commitment to provide any such changes, updates, enhancements, or other additions to this document to you in a timely manner or at all. RIM MAKES NO REPRESENTATIONS, WARRANTIES, CONDITIONS, OR COVENANTS, EITHER EXPRESS OR IMPLIED (INCLUDING, WITHOUT LIMITATION, ANY EXPRESS OR IMPLIED WARRANTIES OR CONDITIONS OF FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, MERCHANTABILITY, DURABILITY, TITLE, OR RELATED TO THE PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE REFERENCED HEREIN, OR PERFORMANCE OF ANY SERVICES REFERENCED HEREIN). IN CONNECTION WITH YOUR USE OF THIS DOCUMENTATION, NEITHER RIM NOR ITS AFFILIATED COMPANIES AND THEIR RESPECTIVE DIRECTORS, OFFICERS, EMPLOYEES, OR CONSULTANTS SHALL BE LIABLE TO YOU FOR ANY DAMAGES WHATSOEVER BE THEY DIRECT, ECONOMIC, COMMERCIAL, SPECIAL, CONSEQUENTIAL, INCIDENTAL, EXEMPLARY, OR INDIRECT DAMAGES, EVEN IF RIM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, INCLUDING, WITHOUT LIMITATION, LOSS OF BUSINESS REVENUE OR EARNINGS, LOST DATA, DAMAGES CAUSED BY DELAYS, LOST PROFITS, OR A FAILURE TO REALIZE EXPECTED SAVINGS. This document might contain references to third-party sources of information and/or third-party web sites (Third-Party Information). RIM does not control, and is not responsible for, any Third-Party Information, including, without limitation, the content, accuracy, copyright compliance, legality, decency, links, or any other aspect of Third-Party Information. The inclusion of Third-Party Information in this document does not imply endorsement by RIM of the third party in any way. 
Any dealings with third parties, including, without limitation, compliance with applicable licenses, and terms and conditions are solely between you and the third party. RIM shall not be responsible or liable for any part of such dealings. Certain features outlined in this document require a minimum version of BlackBerry Enterprise Server Software, BlackBerry Desktop Software, and/or BlackBerry Handheld Software and may require additional development or third-party products and/or services for access to corporate applications. Prior to subscribing to or implementing any third-party products and services, it is your responsibility to ensure that the airtime service provider you are working with has agreed to support all of the features of the third-party products and services. Installation and use of third-party products and services with RIM's products and services may require one or more patent, trademark, or copyright licenses in order to avoid infringement of the intellectual property rights of others. You are solely responsible for acquiring any such licenses. To the extent that such intellectual property licenses may be required, RIM expressly recommends that you do not install or use these products until all such applicable licenses have been acquired by you or on your behalf. Your use of third-party software shall be governed by and subject to you agreeing to the terms of separate software licenses, if any, for those products or services. Any third-party products and services that are provided with RIM's products and services are provided "as is." RIM makes no representation, warranty, or guarantee whatsoever in relation to the third-party products or services and RIM assumes no liability whatsoever in relation to the third-party products and services even if RIM has been advised of the possibility of such damages or can anticipate such damages.
This product includes software developed by the Apache Software Foundation (http://www.apache.org/) and/or licensed pursuant to Apache License, Version 2.0 (http://www.apache.org/licenses/). For more information, see the NOTICE.txt file included with the software.

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Research In Motion Limited
295 Phillip Street
Waterloo, ON N2L 3W8
Canada
Published in Canada

Research In Motion UK Limited
Centrum House, 36 Station Road
Egham, Surrey TW20 9LF
United Kingdom

Contents
1 Managing the server ... 8
  Getting started tasks ... 8
  Managing BlackBerry Windows services ... 8
    Start and stop the Mobile Data Service ... 8
    Start and stop the BlackBerry Enterprise Server ... 8
  Setting up the BlackBerry Manager ... 9
    Set the administration email address ... 9
    Set user and server list display ... 9
    Set the time and date format ... 10
    Set data refresh rates ... 10
  Managing the server ... 10
    Refresh the display ... 10
    Set message polling interval ... 10
    Set state database pruning ... 11
    Export server information to a text file ... 11
  Managing the BlackBerry Domain ... 11
    Remove a server from the BlackBerry Domain ... 11
    Add a server by importing a file ... 12
    Manage a different BlackBerry Domain ... 12
  Managing wireless network connection ... 12
    Change the SRP address ... 13
  Managing licenses ... 13
    Add a license ... 13
    Remove a license ... 14

Managing users ... 16
  Managing user accounts ... 16
    Add users from local or foreign domains ... 16
    Find users on all BlackBerry Enterprise Servers in the BlackBerry Domain ... 17
    Move or remove users ... 17
  Managing redirection ... 18
    Disable or enable redirection ... 18
    Set the auto-signature ... 18
    Set whether messages sent on the handheld are saved in the Sent view in Lotus Notes ... 19
    Purge pending messages ... 19
    Generate encryption keys ... 19
    Manage the peer-to-peer encryption key ... 19
    Resend service book ... 20
  Notifying users ... 20
    Send a message to selected users ... 20
    Send a message to all users ... 21

Managing messaging and PIM ... 22
  Managing PIM synchronization ... 22
    Configure PIM synchronization ... 22
    Disable or enable PIM synchronization ... 23
    Define PIM application synchronization settings ... 24
    Set conflict resolution ... 25
    Set wireless backup ... 25
    Set address book field mappings ... 26
  Disabling or enabling wireless email reconciliation on the server ... 26
  Managing redirection filters ... 27
    Create a filter ... 27
    Change filters ... 28
    Set default forwarding action ... 29
  Setting a disclaimer ... 29
  Setting Auto BCC ... 29

Managing IT policies ... 30
  Compatibility ... 30
  Setting your default IT policy ... 30
    Add rules to your default IT policy ... 30
  Creating IT policies ... 31
    Create a new IT policy ... 31
    Change a user's policy assignment ... 31
  Using IT policy rules ... 32
    Change the value of a rule in an existing policy ... 32
    Create custom rules ... 33
    Manage custom rules ... 33
  Viewing IT policy statistics ... 34
  Sending IT policies ... 34
    Resend the existing policy ... 35
    Schedule commands ... 35
  Deleting IT policies ... 35

Managing attachment viewing ... 36
  View settings ... 36
    Change connector settings ... 36
    Change attachment server settings ... 37
  Setting supported attachments ... 38
    Supported file formats ... 38
    Set distiller ... 39
    Set the maximum file size for a distiller setting ... 40

Managing HTTP browsing and push ... 42
  Starting the Mobile Data Service ... 42
    Start or stop the Mobile Data Service ... 42
    Enable or disable on the server ... 42
    Enable or disable on user accounts ... 43
  Managing data connections ... 43
    Change Mobile Data Service connection settings ... 43
    Change connection timeouts ... 43
    Enable cookie support ... 44
    Manage connections through a proxy server ... 44
  Managing connections to servers ... 45
    Change LDAP settings ... 45
    Change OCSP settings ... 46
    Change security settings ... 46
  Managing authentication ... 48
    Set HTTP authentication ... 48
    Configure network authentication ... 48
    Set proxy server authentication ... 49
  Managing push ... 50
    Push service ... 50
    Enable the push server ... 50
    Store and delete push submissions ... 50
    Create push roles and assign push initiators ... 51
    Set push authorization for a specific server ... 52
  Managing pull ... 52
    Create pull roles and assignments ... 52
    Set pull authorization for a specific server ... 53

7 Managing security ... 54
  Change the data encryption type ... 54
  Generating encryption keys ... 54
    Set encryption key generation ... 54

Appendix A: IT policy ... 56
  IT policy rules ... 56
  Sample IT policies ... 75

1 Managing the server


Getting started tasks
Managing BlackBerry Windows services
Setting up the BlackBerry Manager
Managing the server
Managing the BlackBerry Domain
Managing wireless network connection
Managing licenses

Getting started tasks


Action / Procedure
- Enable the BlackBerry Mobile Data Service on both the server and on user accounts: See "Starting the Mobile Data Service" on page 42.
- Set the BlackBerry Manager administration email address: See "Set the administration email address" on page 9.
- Configure the global personal information management (PIM) synchronization settings: See "Managing PIM synchronization" on page 22.

Managing BlackBerry Windows services


Note: All other BlackBerry services can be stopped and started using Microsoft Windows services for troubleshooting purposes only.

Start and stop the Mobile Data Service


By default, the Mobile Data Service is disabled. See "Managing HTTP browsing and push" on page 42 for more information on configuring Mobile Data Service settings.
1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Mobile Data Service tab, click Common.
3. Perform one of the following actions:

Action / Procedure
- Start the Mobile Data Service: Click Start Service.
- Stop the Mobile Data Service: Click Stop Service.
- Restart the Mobile Data Service: Click Restart Service.

Start and stop the BlackBerry Enterprise Server


You can control the BlackBerry Enterprise Server remotely using the BlackBerry Manager.
1. In the BlackBerry Manager, in the left pane, click a server.

2. On the Server Configuration tab, click Service Control & Customization.
3. Perform one of the following actions:

Action / Procedure
- Start the BlackBerry Enterprise Server: Click Start BES.
- Stop the BlackBerry Enterprise Server: Click Stop BES.
- Restart the BlackBerry Enterprise Server: Click Restart BES.

Setting up the BlackBerry Manager


The BlackBerry Manager is the administration console through which you can manage all BlackBerry Enterprise Servers in the same BlackBerry Domain. The BlackBerry Manager is installed by default with each BlackBerry Enterprise Server, but may also be installed remotely. See the BlackBerry Enterprise Server Maintenance Guide for more information on restricting the permissions of the BlackBerry Manager.

Set the administration email address


You can define the address from which system emails are sent from the BlackBerry Manager. Email that is sent from the BlackBerry Manager must be in SMTP format.
1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. In the Administration section, double-click Email Sender Address.
4. Type an email address.
5. Click OK.

Set user and server list display


1. Perform one of the following actions:

Action / Procedure
- Customize the user list:
  1. In the BlackBerry Manager, in the left pane, click a server.
  2. Click the User List tab.
- Customize the server list:
  1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
  2. Click the Server List tab.

2. Right-click any column heading.
3. Perform one of the following actions:

Action / Procedure
- Add columns: In the Available columns list, double-click a column.
- Remove columns: In the Visible columns list, double-click a column.
- Make a column first or last in the list:
  1. In the Visible columns list, click a column.
  2. Click Make First or Make Last.
- Move a column up or down in the list:
  1. In the Visible columns list, click a column.
  2. Click Move Up or Move Down.

4. Click OK.
Tip: Press CTRL to select multiple columns at the same time.

Set the time and date format


1. On the Tools menu, click Options.
2. Click General.
3. In the Date Time Format section, modify the desired values.

Option / Description
- Date Format: Defines the date format string.
- Time Format: Specifies whether to show minutes and seconds in the time string.
- Force 24-Hour Format: Defines whether to use the 24-hour time format.
- No Time Marker: Specifies whether to set a time marker.

4. Click OK.

Set data refresh rates


1. On the Tools menu, click Options.
2. Click General.
3. In the Auto Refresh section, click Refresh Timer.
4. From the drop-down list, select a refresh rate.
5. Click OK.

Managing the server


You can change the configuration settings provided during installation and customize the message polling and pruning settings.

Refresh the display


You can manually synchronize the BlackBerry Manager with the configuration database to see if any changes have occurred. Data is automatically synchronized every ten minutes. See "Set data refresh rates" on page 10 for more information.
- In the BlackBerry Manager toolbar, click Refresh.

Set message polling interval


You can edit the time after which a user's mailbox is polled for new messages. By default, message polling occurs every 20 seconds.
1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Server Configuration tab, click Service Control & Customization.
3. Click Set Polling Interval.
4. Type the time, in seconds, after which mailbox polling occurs.
5. Click OK.

Set state database pruning


You can edit the time after which messages are cleared from the state database, and the time when the pruning occurs. By default, messages are retained for 6 months after deletion, and 18 months after creation. Pruning occurs daily at 3:00 AM.
1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Server Configuration tab, click Service Control & Customization.
3. Click State Database Pruning.
4. Modify the desired values.

Option / Description
- Days after deleted: Defines the number of days after deletion that a message is retained for.
- Days after created: Defines the number of days after creation that a message is retained for.
- Run daily at: Defines the hour at which pruning occurs.

5. Click OK.
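As an added illustration (not code from this guide or from the BlackBerry Enterprise Server itself), the following Python models how the two retention windows and the daily run time work together on a handful of state-database records, so you can see which entries a given pruning run clears and when that run fires. The 180-day and 540-day conversions of "6 months" and "18 months", the rule that a record is cleared as soon as either window has expired, and the sample records are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Defaults from the guide: messages are kept 6 months after deletion and
# 18 months after creation, and pruning runs daily at 3:00 AM. The dialog
# stores the windows as day counts; 180 and 540 days are assumed conversions.
DEFAULT_DAYS_AFTER_DELETED = 180
DEFAULT_DAYS_AFTER_CREATED = 540
DEFAULT_RUN_HOUR = 3


@dataclass
class StateRecord:
    """One message entry in the state database (constructed for this example)."""
    message_id: str
    created: datetime
    deleted: Optional[datetime] = None  # None: the user has not deleted it


@dataclass
class PruningSettings:
    """The three values on the State Database Pruning dialog."""
    days_after_deleted: int = DEFAULT_DAYS_AFTER_DELETED
    days_after_created: int = DEFAULT_DAYS_AFTER_CREATED
    run_hour: int = DEFAULT_RUN_HOUR


def should_prune(record: StateRecord, settings: PruningSettings, now: datetime) -> bool:
    """Assumed semantics: a record is cleared once either window has expired.
    A record that was never deleted can only age out through the creation window."""
    if now - record.created > timedelta(days=settings.days_after_created):
        return True
    if record.deleted is not None and now - record.deleted > timedelta(days=settings.days_after_deleted):
        return True
    return False


def prune(records: List[StateRecord], settings: PruningSettings, now: datetime) -> Tuple[List[str], List[str]]:
    """Split records into (kept_ids, pruned_ids) the way one pruning run would."""
    kept, pruned = [], []
    for rec in records:
        (pruned if should_prune(rec, settings, now) else kept).append(rec.message_id)
    return kept, pruned


def next_run(settings: PruningSettings, now: datetime) -> datetime:
    """Next firing of the daily job: today at run_hour if still ahead, otherwise tomorrow."""
    candidate = now.replace(hour=settings.run_hour, minute=0, second=0, microsecond=0)
    if candidate <= now:
        candidate += timedelta(days=1)
    return candidate


# Constructed sample: "now" is the guide's revision date at noon.
EXAMPLE_NOW = datetime(2004, 11, 10, 12, 0)
SAMPLE_RECORDS = [
    StateRecord("m1", created=datetime(2004, 10, 1)),                                # young, not deleted: kept
    StateRecord("m2", created=datetime(2004, 9, 1), deleted=datetime(2004, 10, 1)),  # deleted 40 days ago: kept
    StateRecord("m3", created=datetime(2004, 1, 15), deleted=datetime(2004, 3, 1)),  # deleted 254 days ago: pruned
    StateRecord("m4", created=datetime(2003, 3, 1)),                                 # 620 days old, never deleted: pruned
    StateRecord("m5", created=datetime(2003, 6, 1), deleted=datetime(2004, 11, 1)),  # 528 days old, deleted 9 days ago: kept
]


def run_example() -> Tuple[List[str], List[str], datetime]:
    """Apply the default settings to the sample and report the next run time."""
    settings = PruningSettings()
    kept, pruned = prune(SAMPLE_RECORDS, settings, EXAMPLE_NOW)
    return kept, pruned, next_run(settings, EXAMPLE_NOW)


if __name__ == "__main__":
    kept_ids, pruned_ids, when = run_example()
    print("kept:", kept_ids)
    print("pruned:", pruned_ids)
    print("next pruning run:", when.isoformat())
```

Note that m5 survives only because it is 12 days short of the creation window; lowering "Days after created" to 500 would clear it on the next run even though it was deleted just nine days ago.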

Export server information to a text file


1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Server Configuration tab, click Account.
3. Click Export BES.
4. Define a location and name for the export file, and click Save.

Managing the BlackBerry Domain


A BlackBerry Domain is a collection of BlackBerry Enterprise Servers that share a configuration database.

Remove a server from the BlackBerry Domain


Removing a server from the BlackBerry Domain means all server information is removed from the configuration database. If you plan to re-add the server, you should export the server information to a text file prior to removal. See "Export server information to a text file" on page 11 for more information.
Note: You must move or remove all users before you can remove the server.

1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Server Configuration tab, click Account.
3. Click Remove BES.
4. Click Yes.
Add a server by importing a file


1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. Perform one of the following actions:

Action / Procedure
- Add the first server:
  1. On the Global tab, click Account.
  2. Click Import BES.
  3. Define the location and name for the server information file to import, and then click Open.
- Add subsequent servers:
  1. On the Server List tab, click Account.
  2. Click Import BES.
  3. Define the location and name for the server information file to import, and then click Open.

Manage a different BlackBerry Domain


You manage a different BlackBerry Domain by connecting the BlackBerry Manager to a different configuration database.

1. On the Tools menu, click Options.
2. Click Database.
3. In the Database section, modify the desired values.

   Database Server Name: Defines the server on which the configuration database is located.
   Database Name: Defines the name of the configuration database.
   Authentication: Specifies whether Microsoft Windows NT or Microsoft SQL Server authentication is used.
   Log Database Calls: Specifies whether verbose logging is enabled for all calls to the database.
   Note: Verbose logging is disabled by default.

4. Click OK.

Managing wireless network connection


Warning: Changing any of the information in the Identifier, Authentication Key, or Host Routing Information fields changes the routing information for all users on the BlackBerry Enterprise Server. You can only use values from the BlackBerry Enterprise Server installation CD label as valid system information.

1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Server Configuration tab, click Edit Properties.
3. On the General tab, modify the desired values.

   Identifier: Defines the unique identifier by which the BlackBerry Enterprise Server connects to the wireless network.
   Authentication Key: Defines the key used to authenticate the identifier when connecting to the wireless network.
   SRP Host: Defines the name of the server on which the BlackBerry Router is installed.
   Note: If the BlackBerry Router is installed on the same server as the BlackBerry Enterprise Server, use localhost in this field.
   SRP Port: Defines the port on which the BlackBerry Router connects to the wireless network.
   Host Routing Information: Defines optional routing information used to connect to the wireless network.
   Warning: Only set values in this field if the installation material contains specific values. If you are using the default Network Access Node (the SRP Address value that is provided on your installation CD label), or are uncertain which values to use, leave this field blank. If you define incorrect values in this field, connection to the wireless network is not possible.

4. Click OK.

Change the SRP address


1. In the task bar, click Start > Programs > BlackBerry Enterprise Server > BlackBerry Server Configuration.
2. On the BlackBerry Router tab, in the SRP Address field, type the DNS name or IP address of the wireless network.
   Tip: Click Test Network Connection to confirm that the address is entered correctly.
3. Click OK.

Managing licenses
License keys enable the use of client licenses in your organization. For example, if you purchase a license key for 20 users, you can install 20 users on the BlackBerry Enterprise Server. When you exceed the number of permitted users, the BlackBerry Manager informs you that you require more licenses. To add more users to the BlackBerry Enterprise Server, you must purchase a new license key for the number of extra client licenses that you require and then add the license keys to the BlackBerry Enterprise Server.
Warning: If you use a temporary evaluation license key, you cannot reuse the temporary license key after you purchase a permanent license key.

Add a license
1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Account.
3. Click License Management.
4. Type the new license key information.
5. Click Add License.
6. Click Close.


Remove a license
If only one license key is active, the remove option is not available.

1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Account.
3. Click License Management.
4. Right-click the license key to remove, and then click Remove License Key.
5. Click Close.


2 Managing users
Managing user accounts
Managing redirection
Notifying users

Managing user accounts


User accounts are added automatically as part of an upgrade. If you are managing a new BlackBerry Enterprise Server, you must select users from your messaging and collaboration server and add them to the BlackBerry Enterprise Server.

Add users from local or foreign domains


To access foreign directory servers, you must establish cross-certification. After you add users from foreign IBM Lotus Notes domains, they are managed in the same way as users from the local domain.

1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Server Configuration tab, click Common.
3. Click Add Users.
4. Perform one of the following actions:

   Connect to a foreign directory server: In the Server drop-down list, type the name of the foreign Directory Server, and click Go.
   Connect to the local address book: From the Server drop-down list, click a server.

5. Click a user, and then click Add.
   Tip: Press CTRL to select multiple users at the same time.
6. Click OK.

Import users from a legacy server


You can import users from a legacy server rather than upgrading that server.
Note: After users are imported, you must activate their handhelds.

1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Server Configuration tab, click Account.
3. Click Import Users from Legacy Server.
4. Complete the import wizard:

   Select a legacy server: From the Server Name drop-down list, select a server.
   Select users to import: Select the check box to import that user.
   Confirm the users to import: Review the list of imported users, and then click Finish.

Find users on all BlackBerry Enterprise Servers in the BlackBerry Domain


1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. Click Common.
3. Click Find User.
4. From the Server drop-down list, select either the local address book or the foreign directory server from which you added the user.
5. Select a user, and then click OK.

Move or remove users


You can seamlessly move users from one BlackBerry Enterprise Server in the BlackBerry Domain to another. A replica of the user's BlackBerry state database is created automatically on the destination BlackBerry Enterprise Server, and new service books are sent to the handheld. See the BlackBerry Enterprise Server Maintenance Guide for more information on using sourceless user moves as part of disaster recovery.
Tip: You can drag and drop users into the destination server.

1. In the BlackBerry Manager, in the left pane, click a server.
2. On the User List tab, click a user.
   Tip: Press CTRL to select multiple users at the same time.
3. In the lower pane, click Common.
4. Perform one of the following actions:

   Move users to a different server:
     1. Click Move User.
     2. Select the destination server.
     3. Click OK.
   Remove users from a server:
     1. Click Delete User.
     2. Click OK.


Export users to a legacy server


Warnings: Exporting users to a legacy server (version 2.2.x) prevents users from using version 4.0 features. See the BlackBerry Enterprise Server Feature and Technical Overview for more information on supported features. Before the export, you must assign the necessary permissions to the .id file of the server running BlackBerry Enterprise Server version 4.0 so that it can create database replicas on the legacy server.

1. In the BlackBerry Manager, in the left pane, click a server.
2. On the User List tab, click a user.
3. In the lower pane, click Account.
4. Click Export to legacy server.
5. Complete the export wizard:

   Select a legacy server: Use the drop-down list to select the server.
   Confirm the users to export: Review the list of imported users, and then click Finish.

Managing redirection
Disable or enable redirection
You can stop message redirection to a handheld without removing the user from the server. For example, if a user is traveling out of a wireless coverage area and does not want messages forwarded to the handheld during that time, disable message redirection to the handheld. While redirection is disabled, the user can send messages but cannot receive them. The user can re-enable redirection on the handheld.

1. In the BlackBerry Manager, in the left pane, click a server.
2. On the User List tab, click a user.
   Tip: Press CTRL to select multiple users at the same time.
3. In the lower pane, click Service Access.
4. Perform one of the following actions:

   Disable redirection: Click Disable Redirection.
   Enable redirection: Click Enable Redirection.

5. Click OK.

Set the auto-signature


1. In the BlackBerry Manager, in the left pane, click a server.
2. On the User List tab, double-click a user.
3. In the Signature field, type the signature to appear on email messages sent from the user's handheld.


Set whether messages sent on the handheld are saved in the Sent view in Lotus Notes
By default, messages are saved in the Sent view.

1. In the BlackBerry Manager, in the left pane, click a server.
2. On the User List tab, double-click a user.
3. Click Do Not Save Sent Messages.
4. Perform one of the following actions:

   Save messages in the Sent view: From the drop-down list, select False.
   Do not save messages in the Sent view: From the drop-down list, select True.

5. Click OK.

Purge pending messages


Purging pending messages removes them from the queue to the user's handheld; however, the messages still appear in the user's Lotus Notes inbox.

1. In the BlackBerry Manager, in the left pane, click a server.
2. On the User List tab, click a user.
   Tip: Press CTRL to select multiple users at the same time.
3. In the lower pane, click Service Control and Customization.
4. Click Purge Pending Messages.

Generate encryption keys


By default, new encryption keys are generated automatically each time the old key expires, and delivered wirelessly to the handheld. See "Generating encryption keys" on page 54 for more information.

Manage the peer-to-peer encryption key


Peer-to-peer encryption keys enable users in the same BlackBerry Domain to send PIN messages between handhelds, bypassing the email server.

Set or update the key


If you set or update the peer-to-peer encryption key, you prevent users from sending PIN messages to external PINs. Users can still receive external PIN messages. Any handheld that is turned off or out of a wireless coverage area is unable to receive PIN messages until it reconnects with the wireless network.

1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Service Control and Customization.
3. Click Update Peer-to-Peer Encryption Key.


4. Set the following options:

   Set or update the Peer-to-Peer encryption key for all handhelds within this organization: Select this option to generate a new key to send to all handhelds. It is selected by default.
   Note: You must generate a new key if the current key is known to be compromised by handhelds that are not updated automatically. If you select this option, there will be a period during which users with the new key cannot exchange PIN messages with users who do not yet have the new key. This is because handhelds that are unavailable do not receive the new encryption key immediately.

   Retain current Peer-to-Peer on all handhelds as a "previous" key: Select this check box to retain the current encryption key on the handheld so that messages from handhelds that do not have the new key can be decrypted.

   Remove the encryption keys used to encrypt Peer-to-Peer messages from all handhelds within this organization: Select this option to remove the encryption keys from all handhelds. Selecting this option makes the "Retain current Peer-to-Peer on all handhelds as a 'previous' key" option unavailable.
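The key-transition window that the options above describe, as an added Python model that is not RIM's code or the server's implementation: key names such as "K1" stand in for the real key material, the handheld names are constructed, and the model assumes a PIN message is readable only by a handheld that holds the key it was encrypted with.

```python
"""Model of the peer-to-peer (PIN) key transition described in the guide.

Added example, not RIM code. It encodes three statements from the guide: a
PIN message is readable only by handhelds holding the key it was encrypted
with; handhelds that are off or out of coverage do not get a new key until
they reconnect (or the key is resent); and the "retain current key as a
previous key" option lets updated handhelds still read messages from
handhelds that have not yet received the new key.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Handheld:
    name: str
    current_key: Optional[str] = None   # None: no organization key (an external PIN)
    previous_key: Optional[str] = None  # set only when the retain option is selected
    reachable: bool = True              # False: turned off or out of coverage


def update_key(domain: List[Handheld], new_key: str, retain_previous: bool) -> None:
    """'Set or update the key' for the BlackBerry Domain.

    Only handhelds that are reachable right now receive the new key; the others
    keep whatever key they had, which is what opens the transition window.
    """
    for h in domain:
        if not h.reachable:
            continue
        h.previous_key = h.current_key if retain_previous else None
        h.current_key = new_key


def resend_key(h: Handheld, key: str, retain_previous: bool) -> None:
    """'Resend Peer-to-Peer Key' to one handheld after it reconnects."""
    h.reachable = True
    if h.current_key != key:
        h.previous_key = h.current_key if retain_previous else None
        h.current_key = key


def can_deliver(sender: Handheld, recipient: Handheld) -> bool:
    """Can the recipient read a PIN message from the sender?

    A sender without an organization key sends without one, so any handheld can
    read it (users still receive external PIN messages). A sender with a key
    encrypts with its current key, so the recipient must hold that key as either
    its current key or its retained previous key.
    """
    if sender.current_key is None:
        return True
    return sender.current_key in (recipient.current_key, recipient.previous_key)


def failing_pairs(handhelds: List[Handheld]) -> List[Tuple[str, str]]:
    """All (sender, recipient) pairs whose PIN messages cannot be read."""
    return sorted((s.name, r.name)
                  for s in handhelds for r in handhelds
                  if s is not r and not can_deliver(s, r))


def transition_scenario(retain_previous: bool) -> Dict[str, List[Tuple[str, str]]]:
    """Walk one key update through its stages and record the failing pairs.

    Constructed fleet: alice and bob are reachable, carol is switched off while
    the key is updated, and 'external' is a PIN outside the organization.
    """
    alice = Handheld("alice", current_key="K1")
    bob = Handheld("bob", current_key="K1")
    carol = Handheld("carol", current_key="K1", reachable=False)
    external = Handheld("external")
    domain = [alice, bob, carol]
    everyone = domain + [external]

    stages: Dict[str, List[Tuple[str, str]]] = {}
    stages["before"] = failing_pairs(everyone)      # only domain -> external fails
    update_key(domain, "K2", retain_previous)
    stages["during"] = failing_pairs(everyone)      # carol still holds only K1
    resend_key(carol, "K2", retain_previous)        # carol reconnects, key resent
    stages["after_resend"] = failing_pairs(everyone)
    return stages


if __name__ == "__main__":
    for retain in (True, False):
        print(f"retain previous key = {retain}")
        for stage, pairs in transition_scenario(retain).items():
            print(f"  {stage}: {pairs}")
```

With the retain option, carol (still on K1) can message alice and bob during the window but cannot read their replies; without it, neither direction works until the key is resent.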

Resend the key


If you previously updated a peer-to-peer encryption key, you can resend the peer-to-peer encryption key to the user's handheld. By resending the key, handhelds that were turned off or out of a wireless coverage area when the original encryption key was sent receive the key and reconnect with the wireless network.

1. In the BlackBerry Manager, in the left pane, click a server.
2. On the User List tab, click a user.
3. In the lower pane, click IT Admin.
4. Click Resend Peer-to-Peer Key.

Resend service book


1. In the BlackBerry Manager, in the left pane, click a server.
2. On the User List tab, click a user.
   Tip: Press CTRL to select multiple users at the same time.
3. In the lower pane, click IT Admin.
4. Click Resend Service Book.

Notifying users
You use the BlackBerry Manager to send an email or PIN message to users in the BlackBerry Domain. Because the mail server does not process PIN messages, this feature is useful for informing BlackBerry users about mail server outages. PIN messages that are sent from the BlackBerry Manager are not filtered using the user's handheld filter configuration. PIN messages appear on the handheld in bold, which indicates a priority message.

Send a message to selected users


1. In the BlackBerry Manager, in the left pane, click a server.
2. On the User List tab, click a user.
   Tip: Press CTRL to select multiple users at the same time.
3. In the lower pane, click Account.
4. Click Send Message.
5. Complete the message wizard.

   Select a delivery method: Select the By Email option to send the message by email, or select the By PIN option to send a PIN message.
   Type the message:
     1. In the Subject field, type a subject for the message.
     2. In the field, type the message.
     3. Click Next to send the message.

Send a message to all users


1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Server Configuration tab, click Account.
3. Click Send Message.
4. Complete the message wizard.

   Select a delivery method: Perform one of the following actions:
     • Select the By Email option to send the message by email.
     • Select the By PIN option to send a PIN message.
   Select the users to send the message to: Perform one of the following actions:
     • Select the Send to all users option to send the message to all users.
     • Select the Send to selected users option to send the message to specified users, and then select the check box beside each user.
   Type the message:
     1. In the Subject field, type a subject for the message.
     2. In the field, type the message.
     3. Click Next to send the message.


3 Managing messaging and PIM


Managing PIM synchronization
Disabling or enabling wireless email reconciliation on the server
Managing redirection filters
Setting a disclaimer
Setting Auto BCC

Managing PIM synchronization


You synchronize personal information management (PIM) items such as tasks, memos, contacts, and calendar entries so that the entries on a user's handheld and on the server are consistent. You can use global synchronization, which applies to all servers and users in the BlackBerry Domain, or you can set synchronization options for a specific user.

Configure PIM synchronization


To support synchronizing PIM data, the BlackBerry Enterprise Server requires access to PIM databases that are normally stored on the user's local computer. To enable PIM synchronization for BlackBerry users, perform one of the following actions:
   • set up users as roaming users (recommended)
   • manually create replicas on the mail server and configure replication on users' computers
   • set up users as Lotus Domino Web Access (iNotes) users.

Set up users as roaming users


Note: Roaming functionality requires IBM Lotus Domino R6 or later.

1. In Lotus Domino Administrator, on the People and Groups tab, select the users to configure for PIM synchronization.
2. On the Tools pane, expand People.
3. Click Roaming.
4. In the Assign Roaming Profiles dialog box, define the desired roaming settings.
5. Click OK.
6. Perform one of the following actions:

   Activate PIM synchronization for new BlackBerry users: In the BlackBerry Manager, add the users to the BlackBerry Enterprise Server. See "Add users from local or foreign domains" on page 16 for more information.
   Activate PIM synchronization for existing BlackBerry users: In the BlackBerry Manager, activate the users' handhelds. See the BlackBerry Enterprise Server Handheld Management Guide for more information.

Create replicas on the mail server


1. Create replicas of the user's local databases (names.nsf and journal.nsf) and place them on a suitable server.
2. For the new replicas, define a replication schedule that enables PIM data to remain current without taxing network resources.
3. If the user is a new user, in the BlackBerry Manager, add the user to the BlackBerry Enterprise Server.
4. On the User List tab, double-click the user.
5. Click PIM Sync.
6. In the Memos and Address Book sections, perform the following actions:

   Set the server location: Type the canonical name of the server on which the databases reside (for example, CN=<servername>/OU=<servers>/O=<companyname>).
   Set the relative path to the data directory: Type the path, relative to the data directory, in which the databases reside (for example, names\cwarren_names.nsf and journal\cwarren_journal.nsf).

7. Click OK.

Set up users as Lotus Domino Web Access (iNotes) users


1. Instruct the users to update their mail templates to the correct iNotes (R5) or Lotus Domino Web Access (R6) template.
2. Instruct the users to synchronize their Lotus Notes address book and journal with their Lotus Domino Web Access contacts list and notebook.
   Note: The users must synchronize regularly to keep their address and journal data current.
3. Perform one of the following actions:

   Activate PIM synchronization for new BlackBerry users: In the BlackBerry Manager, add the users to the BlackBerry Enterprise Server. See "Add users from local or foreign domains" on page 16 for more information.
   Activate PIM synchronization for existing BlackBerry users: In the BlackBerry Manager, activate the users' handhelds. See the BlackBerry Enterprise Server Handheld Management Guide for more information.

Disable or enable PIM synchronization


PIM synchronization is enabled on the BlackBerry Enterprise Server by default. You can disable or enable PIM synchronization globally for all users in the BlackBerry Domain or for a specific user.
Note: You must configure users in IBM Lotus Domino and enable them on the BlackBerry Enterprise Server for PIM synchronization to work. See "Configure PIM synchronization" on page 22 for more information.


1. Perform one of the following actions:

   Set up for synchronization globally:
     1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
     2. On the Global tab, click Edit Properties.
     3. Click Global PIM Sync.
   Set up for synchronization for a specific user:
     1. In the BlackBerry Manager, in the left pane, click a server.
     2. On the User List tab, double-click a user.
     3. Click PIM Sync.

2. Perform one of the following actions:

   Disable or enable all PIM synchronization:
     1. Click Wireless Synchronization Enabled.
     2. From the drop-down list, select False to disable PIM synchronization, or select True to enable PIM synchronization.
     Note: This action is available only when you select a single user.
   Disable or enable email filter synchronization:
     1. In the Email Filters section, click Synchronization enabled.
     2. From the drop-down list, select False to disable email filter synchronization, or select True to enable email filter synchronization.
   Disable or enable tasks synchronization:
     1. In the Tasks section, click Synchronization enabled.
     2. From the drop-down list, select False to disable tasks synchronization, or select True to enable tasks synchronization.
   Disable or enable email setting synchronization:
     1. In the Email Settings section, click Synchronization enabled.
     2. From the drop-down list, select False to disable email setting synchronization, or select True to enable email setting synchronization.
   Disable or enable memo synchronization:
     1. In the Memos section, click Synchronization enabled.
     2. From the drop-down list, select False to disable memo synchronization, or select True to enable memo synchronization.
   Disable or enable address book synchronization:
     1. In the Address Book section, click Synchronization enabled.
     2. From the drop-down list, select False to disable address book synchronization, or select True to enable address book synchronization.

3. Click OK.

Define PIM application synchronization settings


You can set the synchronization type for the global synchronization of individual databases across the BlackBerry Domain or for user accounts.

1. Perform one of the following actions:

   Set up for synchronization globally:
     1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
     2. On the Global tab, click Edit Properties.
     3. Click Global PIM Sync.
   Set up for synchronization for a specific user:
     1. In the BlackBerry Manager, in the left pane, click a server.
     2. On the User List tab, double-click a user.
     3. Click PIM Sync.

2. Locate a PIM application in the list and select one of the following synchronization types:

   Bidirectional: Synchronizes data from the handheld to the server and from the server to the handheld.
   Handheld To Server: Synchronizes data from the handheld to the server only.
   Server To Handheld: Synchronizes data from the server to the handheld only.

3. Click OK.
Note: Bidirectional synchronization is the only option available for email filters and email settings.

Set conflict resolution


You set how to resolve conflicts that occur when data on the server and on a user's handheld disagree.

1. Perform one of the following actions:

   Set how to resolve conflicts for all users:
     1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
     2. On the Global tab, click Edit Properties.
     3. Click Global PIM Sync.
   Set how to resolve conflicts for a specific user:
     1. In the BlackBerry Manager, in the left pane, click a server.
     2. On the User List tab, double-click a user.
     3. Click PIM Sync.

2. Locate a PIM application in the list, and then select one of the following conflict resolutions:

   Server Wins: The server information overrules the handheld information.
   Handheld Wins: The handheld information overrules the server information.

3. Click OK.

Set wireless backup


User handheld settings and preferences are backed up automatically to the BlackBerry Enterprise Server. This feature is enabled by default.

1. In the BlackBerry Manager, in the left pane, click a server.
2. On the User List tab, double-click a user.
3. Click PIM Sync.
4. Click Automatic Wireless Backup Enabled.
5. Perform one of the following actions:

   Enable automatic wireless backup: From the drop-down list, select True.
   Disable automatic wireless backup: From the drop-down list, select False.

6. Click OK.

Set address book field mappings


1. Perform one of the following actions:

   Set field mappings for all users:
     1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
     2. On the Global tab, click Service Control and Customization.
     3. Click PIM Sync Global Field Mapping.
   Set field mappings for a specific user:
     1. In the BlackBerry Manager, in the left pane, click a server.
     2. On the User List tab, click a user.
     3. In the lower pane, click Service Control and Customization.
     4. Click PIM Sync Field Mapping.

2. In the Desktop Field column, click a field.
3. In the Device Field column, from the drop-down list, select the handheld address book field to map to the desktop field.
4. Click OK.

Disabling or enabling wireless email reconciliation on the server


Wireless email reconciliation is enabled on the server by default.

1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Server Configuration tab, click Edit Properties.
3. Click Email.
4. In the Email Options section, click Wireless Email Reconciliation Enabled.
5. Perform one of the following actions:

   Disable wireless email reconciliation: From the drop-down list, select False.
   Enable wireless email reconciliation: From the drop-down list, select True.

6. Click OK.


Managing redirection filters


Redirection filters define which messages are redirected to users' handhelds. When a user receives an email message, the BlackBerry Enterprise Server applies filters to determine how to direct the message: forward, forward with priority, or do not forward to the user's handheld. Filters set on the server take precedence over the filters that are defined by users. If none of the server filters apply, the user's filters are applied.
Note: Users cannot view global filters, so if you define global filters, inform users so that they understand why some of their filter rules might not be applied.

Create a filter
Use global filters to apply filters to all users on a server and user filters to apply filters to specific users.
Note: Global filters take precedence over user filters.

1. In the BlackBerry Manager, in the left pane, click a server.
2. Perform one of the following actions:

   Create a global filter for all users:
     1. On the Server Configuration tab, click Edit Properties.
     2. Click Global Filters.
     3. Double-click Global Filter Definitions.
   Create a filter for a specific user:
     1. On the User List tab, double-click a user.
     2. Click Filters.
     3. Double-click Filter Rules.

3. Click New.
4. In the dialog box, double-click Filter Name.
5. Type a name for the new filter.
6. Double-click a condition and perform one of the following actions:
   Tip: You can use wildcards when you create filter rules; however, if you use wildcards for email addresses, you should use the correct SMTP format (for example, *@acme.ca).

   Specify recipient method:
     1. Click Recipient Types.
     2. Select one, some, or all of Sent Directly, Cc, or Bcc for the filter to detect.
     Note: This field applies only to messages that are sent directly to the recipients. It does not apply to distribution lists to which they belong.

7. In the Action section, click Action.
8. Perform one of the following actions:

   Hold messages to which no filters apply: From the drop-down list, select Hold.
   Forward messages to which no filters apply:
     1. From the drop-down list, select Forward.
     2. Perform one of the following actions:
        • Select Heading Only to forward only the message header.
        • Select Level1 Notification to forward messages with Level 1 notification (messages with Level 1 filter notification appear with a bold subject line by default on the recipient's handheld).
        • Select Heading Only and Level1 Notification to forward the message header of messages with Level 1 notification.

9. Click OK.
Note: Messages are filtered based on the order in which the filters appear. If the filter that you are adding applies to messages to which another filter also applies, you must decide which filter should be applied first. See "Change filters" below for more information.

Change filters
1. In the BlackBerry Manager, in the left pane, click a server.
2. Perform one of the following actions:

   Change a global filter:
     1. On the Server Configuration tab, click Edit Properties.
     2. In the left pane, click Global Filters.
     3. Double-click Global Filter Items.
     4. In the Filter Name list, click a filter.
   Change a filter for a specific user:
     1. On the User List tab, double-click a user.
     2. In the left pane, click Filters.
     3. Double-click Filter items.
     4. In the Filter Name list, click a filter.

3. Perform one of the following tasks:

   Enable a filter:
     1. Click Properties.
     2. Click Enabled.
     3. From the drop-down list, select True.
   Edit a filter:
     1. Click Properties.
     2. Make the desired changes. See "Set default forwarding action" on page 29 for more information.
     3. Click OK.
   Disable a filter:
     1. Click Properties.
     2. Click Enabled.
     3. From the drop-down list, select False.
   Change the order of filters:
     1. Click Move Up or Move Down to move the filter higher or lower in the list.
     2. Click OK.
     Note: The BlackBerry Enterprise Server applies filters to new messages in the order in which they appear in the Filters dialog box. Make sure the filters appear from least to most restrictive.
   Delete a filter: Click Remove.

Note: The BlackBerry Enterprise Server reads global filter changes every 15 minutes, so filter changes might not be applied to messages immediately.


Set default forwarding action


Use the default action to define whether messages are held or forwarded if no filter rules apply.

1. In the BlackBerry Manager, in the left pane, click a server.
2. On the User List tab, double-click a user.
3. In the left pane, click Filters.
4. In the Default Action section, click Forward messages to handheld.
5. Perform one of the following actions:

   Forward messages to the handheld: From the drop-down list, select True.
   Do not forward messages to the handheld: From the drop-down list, select False.

6. Click OK.
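The evaluation order this section describes (global filters before user filters, first match wins, Recipient Types not matching distribution lists, the default action when nothing matches), as an added Python model that is not RIM's code or the server's implementation; the filter fields, the user address cwarren@acme.ca and the sample messages are constructed for the model.

```python
"""Model of redirection-filter evaluation as the BlackBerry Enterprise Server
4.0 guide describes it. Added example, not RIM code: global (server) filters
are tried before the user's own, in list order, and the first match decides
Hold or Forward (optionally Heading Only and/or Level1 Notification);
Recipient Types looks only at addresses present in the message, so messages
to a distribution list the user belongs to do not match; wildcards use SMTP
form such as *@acme.ca; with no match, the user's default action applies.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set


@dataclass
class Message:
    sender: str
    to: List[str] = field(default_factory=list)
    cc: List[str] = field(default_factory=list)
    bcc: List[str] = field(default_factory=list)
    subject: str = ""


@dataclass
class Filter:
    name: str
    enabled: bool = True
    sender: Optional[str] = None      # wildcard pattern in SMTP form, or None
    subject: Optional[str] = None     # wildcard pattern, or None
    recipient_types: Set[str] = field(default_factory=set)  # of "Sent Directly", "Cc", "Bcc"
    action: str = "Forward"           # "Forward" or "Hold"
    heading_only: bool = False
    level1: bool = False


@dataclass
class Decision:
    action: str                       # "Forward" or "Hold"
    heading_only: bool = False
    level1: bool = False
    matched_by: Optional[str] = None  # None means the default action was applied


def _recipient_types_match(flt: Filter, msg: Message, user: str) -> bool:
    """Only the user's own address in To/Cc/Bcc counts; a list address does not."""
    if not flt.recipient_types:
        return True
    user = user.lower()
    present = set()
    if user in (a.lower() for a in msg.to):
        present.add("Sent Directly")
    if user in (a.lower() for a in msg.cc):
        present.add("Cc")
    if user in (a.lower() for a in msg.bcc):
        present.add("Bcc")
    return bool(present & flt.recipient_types)


def filter_matches(flt: Filter, msg: Message, user: str) -> bool:
    """Every condition set on the filter must hold; disabled filters never match."""
    if not flt.enabled:
        return False
    if flt.sender and not fnmatchcase(msg.sender.lower(), flt.sender.lower()):
        return False
    if flt.subject and not fnmatchcase(msg.subject.lower(), flt.subject.lower()):
        return False
    return _recipient_types_match(flt, msg, user)


def decide(msg: Message, user: str, global_filters: List[Filter],
           user_filters: List[Filter], default_forward: bool = True) -> Decision:
    """Global filters first, then user filters, each in list order; first match wins."""
    for flt in list(global_filters) + list(user_filters):
        if filter_matches(flt, msg, user):
            if flt.action == "Hold":
                return Decision("Hold", matched_by=flt.name)
            return Decision("Forward", flt.heading_only, flt.level1, flt.name)
    return Decision("Forward" if default_forward else "Hold")


# Constructed sample configuration and messages for one user.
USER = "cwarren@acme.ca"
GLOBAL_FILTERS = [Filter("Hold bulk senders", sender="*@news.example", action="Hold")]
USER_FILTERS = [
    Filter("Manager, direct only", sender="manager@acme.ca",
           recipient_types={"Sent Directly"}, level1=True),
    Filter("Header only when Cc'd", recipient_types={"Cc"}, heading_only=True),
]
SAMPLE_MESSAGES = {
    "bulk": Message("promo@news.example", to=[USER], subject="Weekly deals"),
    "bulk_cc": Message("promo@news.example", to=["other@acme.ca"], cc=[USER]),
    "manager_direct": Message("manager@acme.ca", to=[USER], subject="Call me"),
    "manager_via_list": Message("manager@acme.ca", to=["sales@acme.ca"], subject="Team update"),
    "cc_only": Message("peer@acme.ca", to=["other@acme.ca"], cc=[USER], subject="FYI"),
}


def evaluate_samples(default_forward: bool = True) -> Dict[str, Decision]:
    """Run every sample message through the constructed global and user filters."""
    return {name: decide(msg, USER, GLOBAL_FILTERS, USER_FILTERS, default_forward)
            for name, msg in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, d in evaluate_samples().items():
        print(f"{name:17} {d.action:8} heading_only={d.heading_only} "
              f"level1={d.level1} matched_by={d.matched_by}")
```

Note that "bulk_cc" is held by the global filter even though a user filter would have forwarded it, and "manager_via_list" falls through to the default action because the user's address never appears in the message.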

Setting a disclaimer
Set a disclaimer to add text below user signatures on all messages that are sent from the handheld.

1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Server Configuration tab, click Edit Properties.
3. Click Email.
4. In the Email Options section, click Disclaimer Text.
5. Type a disclaimer.
6. Click OK.

Setting Auto BCC


The auto blind carbon copy (BCC) feature enables the BlackBerry Enterprise Server to force all email messages that are sent from handhelds to be blind carbon copied to a specified recipient. This feature does not populate the BCC field of the original email, so the sender is unaware that the message is being BCCed. You can specify multiple recipients to receive the BCCs. These BCC settings apply to all users on the specified BlackBerry Enterprise Server.

1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Server Configuration tab, click Edit Properties.
3. Click Email.
4. In the Email Options section, double-click Auto BCC Addresses.
5. Type the email addresses, separated by a semicolon (;).
   Tip: Click Import List to select from the address book.
6. Click OK.


4 Managing IT policies
Compatibility
Setting your default IT policy
Creating IT policies
Using IT policy rules
Viewing IT policy statistics
Sending IT policies
Deleting IT policies

Compatibility
There are specific handheld and software requirements for each IT policy rule. See "IT policy rules" on page 56 for more information.

Setting your default IT policy


All new users in a BlackBerry Domain are added to a default policy, which houses a collection of policy rules. Applicable policy rule settings apply immediately to new users.
Note: The default settings for each rule do not display in their respective field. Review the on-screen description for details.

Add rules to your default IT policy


1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click IT Policy.
4. In the IT Policy Administration section, double-click IT Policies.
5. In the list of policies, click Default.
6. Click Properties.
7. Configure the policy rules. In the left pane, click to select a policy group. In the right pane, double-click the rule to assign a value or to choose between True or False.
   Tip: See the lower pane for the rule description, default information, requirements, and interdependencies with other rules.
8. Click OK.


Creating IT policies
You create customized IT policies to reflect the needs of different types of users. For example, you might want to have a higher level of security on the handhelds of your sales team, who are typically out of the office. See "Sample IT policies" on page 75 for more information.

Create a new IT policy


1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click IT Policy.
4. In the IT Policy Administration section, double-click IT Policies.
5. Click New.
6. Double-click IT Policy Name.
7. Type a name for the new policy.
8. Configure the policy rules. In the left pane, click to select a policy group. In the right pane, double-click the rule to assign a value or to choose between True or False.
Tip: See the lower pane for the rule description, default information, requirements, and interdependencies with other rules.

9. Click OK.

Change a user's policy assignment


Manage the policy-to-user assignment from either the policy or the user account. If you already created a new policy to which you want to add multiple users, manage the policy assignment in the policy or in selected user accounts. To change only one user's policy assignment, manage the policy assignment in the user account.
Note: Users can belong to only one policy.

Manage assignment in the policy


1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click IT Policy.
4. In the IT Policy Administration section, double-click IT Policy To User Mapping.
5. In the left pane, click a user.
6. In the right pane, click a policy.
7. Repeat steps 5 and 6 to move additional users to the policy.
8. Click OK.


Manage assignment in the user account


1. In the BlackBerry Manager, in the left pane, click a server.
2. In the User List, double-click a user.
3. Click IT Policy.
4. Click IT Policy Name.
5. From the drop-down list, select a new policy.
6. Click OK.

Manage assignment in a selected user account


1. In the BlackBerry Manager, in the left pane, click a server.
2. In the User List, click users.
Tip: Press CTRL to select multiple users at the same time.

3. Click IT Admin.
4. Click Assign IT Policy.
5. From the drop-down list, select a new policy.
6. Click OK.

Using IT policy rules


Pre-defined policy rules are included with the BlackBerry Enterprise Server. You set the behavior of the rule inside each policy using the values permitted by the rule. You cannot change the way that the rule functions, or add/remove permitted values. You also cannot delete these rules.

Change the value of a rule in an existing policy


1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click IT Policy.
4. In the IT Policy Administration section, double-click IT Policies.
5. Click the policy to edit, and then click Properties.
6. From the Properties list, choose the rule you want to edit.
7. Make the desired changes.
8. Click OK.


Create custom rules


Create custom rules to control custom applications that your company develops to run in the BlackBerry environment.
Note: Custom rules can be used only in conjunction with your own custom applications.

1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click IT Policy.
4. In the IT Policy Administration section, double-click IT Policies.
5. Click the policy to add a custom rule to, and then click Properties.
6. From the Properties list, select User-Defined Items.
7. Double-click IT Policy Template.
8. Click New.
9. Complete the available fields:

Action: Define the rule name.
Procedure: Type a name for the custom rule.

Action: Outline how the rule can be used.
Procedure: Type a description for the custom rule.

Action: Identify the type of values that the rule uses.
Procedure: From the drop-down list, select Boolean, Integer, String, Bitmask, or Multiline String.

Action: Identify where the rule will be enforced.
Procedure: From the drop-down list, select Handheld, Desktop, or Both the handheld and desktop.

Action: Set minimum integer value.
Procedure: Specify the minimum value that an integer rule can accept.

Action: Set maximum integer value.
Procedure: Specify the maximum value that an integer rule can accept.

Action: Define bitmask data.
Procedure: Specify the data that a bitmask rule can accept. Include up to 8 related boolean values. You can assign a bit option name for 1, some, or all of the 8 bit values. For example, you might create a bitmask IT policy rule called AllowedFeatures with 3 boolean bit values where bit 0 is named Phone, bit 1 is named Browser, and bit 2 is named Third Party Apps.

10. Click OK.
11. In the Policy Items Settings section, provide a value for the custom rule in this policy.
Note: After you create a custom rule, you can assign a value to it in any new or existing policy.
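The following Python script is an added example and is not part of the BlackBerry Enterprise Server or of this guide. It models the custom rule fields from the procedure above (value type, enforcement target, integer minimum and maximum, bitmask bit names) and checks a proposed value before it would be assigned in a policy, using the AllowedFeatures bitmask rule from the text. The SyncIntervalMinutes rule and all sample values are constructed for illustration.

```python
"""Added example (not BlackBerry Enterprise Server code): modelling custom
IT policy rule definitions and validating values proposed for them.
The AllowedFeatures rule mirrors the text (bit 0 Phone, bit 1 Browser,
bit 2 Third Party Apps); SyncIntervalMinutes is a constructed rule."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Value types offered in the "Identify the type of values" drop-down.
VALUE_TYPES = ("Boolean", "Integer", "String", "Bitmask", "Multiline String")
# Where the rule is enforced.
ENFORCED_ON = ("Handheld", "Desktop", "Both")
BITMASK_BITS = 8  # a bitmask rule holds up to 8 related boolean values


@dataclass
class CustomRule:
    name: str
    value_type: str
    description: str = ""
    enforced_on: str = "Both"
    int_min: Optional[int] = None
    int_max: Optional[int] = None
    # bit index -> bit option name; unnamed bits are not part of the rule
    bit_names: Dict[int, str] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.value_type not in VALUE_TYPES:
            raise ValueError(f"unknown value type {self.value_type!r}")
        if self.enforced_on not in ENFORCED_ON:
            raise ValueError(f"unknown enforcement target {self.enforced_on!r}")
        bad_bits = [b for b in self.bit_names if not 0 <= b < BITMASK_BITS]
        if bad_bits:
            raise ValueError(f"bit indexes must be 0..{BITMASK_BITS - 1}: {bad_bits}")
        if self.value_type == "Integer" and None not in (self.int_min, self.int_max):
            if self.int_min > self.int_max:
                raise ValueError("minimum integer value exceeds maximum")


def validate_value(rule: CustomRule, value: object) -> Tuple[bool, str]:
    """Return (accepted, reason) for a value proposed for this rule in a policy."""
    t = rule.value_type
    if t == "Boolean":
        return (isinstance(value, bool), "Boolean rules take True or False")
    if t == "Integer":
        if isinstance(value, bool) or not isinstance(value, int):
            return False, "Integer rules take a whole number"
        if rule.int_min is not None and value < rule.int_min:
            return False, f"{value} is below the minimum {rule.int_min}"
        if rule.int_max is not None and value > rule.int_max:
            return False, f"{value} is above the maximum {rule.int_max}"
        return True, "ok"
    if t in ("String", "Multiline String"):
        if not isinstance(value, str):
            return False, f"{t} rules take text"
        if t == "String" and "\n" in value:
            return False, "String rules take a single line; use Multiline String"
        return True, "ok"
    # Bitmask: an integer whose set bits must all carry a bit option name.
    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value < (1 << BITMASK_BITS):
        return False, f"Bitmask rules take an integer 0..{(1 << BITMASK_BITS) - 1}"
    unnamed = [b for b in range(BITMASK_BITS) if value >> b & 1 and b not in rule.bit_names]
    if unnamed:
        return False, f"bits {unnamed} are set but have no bit option name"
    return True, "enabled: " + ", ".join(names_from_bitmask(rule, value))


def bitmask_from_names(rule: CustomRule, names: List[str]) -> int:
    """Build the integer a bitmask rule stores from the option names to enable."""
    index = {n: b for b, n in rule.bit_names.items()}
    mask = 0
    for n in names:
        if n not in index:
            raise KeyError(f"{n!r} is not a bit option of {rule.name}")
        mask |= 1 << index[n]
    return mask


def names_from_bitmask(rule: CustomRule, mask: int) -> List[str]:
    """List the option names enabled by a stored bitmask value, lowest bit first."""
    return [rule.bit_names[b] for b in range(BITMASK_BITS)
            if mask >> b & 1 and b in rule.bit_names]


# Constructed rules matching the fields in the procedure above.
ALLOWED_FEATURES = CustomRule(
    name="AllowedFeatures", value_type="Bitmask", enforced_on="Handheld",
    description="Features the in-house application may use",
    bit_names={0: "Phone", 1: "Browser", 2: "Third Party Apps"})
SYNC_INTERVAL = CustomRule(
    name="SyncIntervalMinutes", value_type="Integer", int_min=1, int_max=60)

if __name__ == "__main__":
    mask = bitmask_from_names(ALLOWED_FEATURES, ["Phone", "Browser"])
    print(mask, validate_value(ALLOWED_FEATURES, mask))
    print(validate_value(ALLOWED_FEATURES, 0b1000))  # bit 3 has no name
    print(validate_value(SYNC_INTERVAL, 0))           # below the minimum
```

The bitmask check rejects any value with a set bit that has no bit option name, which is the case the text's AllowedFeatures example leaves open: a rule with three named bits stores values 0 through 7, and a stray higher bit is a configuration mistake rather than a feature.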

Manage custom rules


You change the value of a custom rule in a policy the same way that you change a pre-defined rule. You can also edit and delete custom rules. When you change a custom rule, all policies that contain the rule are resent to their list of assigned users.
1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click IT Policy.
4. In the IT Policy Administration section, double-click IT Policies.
5. Click the Default policy, and then click Properties.
6. From the Properties list, select User-Defined Items.
7. Double-click IT Policy Template.
8. Perform one of the following actions:

Action: Edit a custom rule.
Procedure:
1. Click the rule to edit, and then click Properties.
2. Modify the desired values.
3. Click OK.

Action: Delete a custom rule.
Procedure:
1. Choose the rule to delete, and then click Remove.
2. Click OK.

Viewing IT policy statistics


Each user's IT policy status displays as part of the user summary. You can include the policy status as a column in the user list.

Option: Pending
Description: Indicates that there is new data waiting to be sent to the user's handheld and/or desktop.

Option: Processing
Description: Indicates that the BlackBerry Enterprise Server is sending the change to the user. You should not see this status display for an extended period. If the status does not change within a short time, the status of the BlackBerry Enterprise Server might have changed while it was processing the request.

Option: Sent
Description: Indicates that the policy change has been sent wirelessly to the user's handheld and/or desktop, but the user has not yet received the change.

Option: Received
Description: Indicates that the user's handheld and/or desktop has received the IT policy change, but the BlackBerry Enterprise Server has not received an error or a success message to indicate whether the change has been applied.

Option: Applied successfully
Description: Indicates that the user's handheld and/or desktop received the IT policy change and successfully applied the change.

Option: Error
Description: Indicates that an error occurred while the policy change was being processed, sent, received, or applied.

Option: Timed out
Description: Indicates that the IT policy change request timed out after 7 days. The user's handheld might be turned off or out of a wireless coverage area.

Sending IT policies
When you add new users, they are added to the default IT policy, which is sent automatically to their handhelds. If you move users to a new policy, that policy is also sent automatically to their handhelds.
Note: Sending a wireless IT policy creates a security association between the handheld and the BlackBerry Enterprise Server. After this association is made, the handheld does not accept IT policies from any other BlackBerry Enterprise Server or from the user's computer over the serial or USB port.

If you move a user from one BlackBerry Enterprise Server to another in the same BlackBerry Domain, the same policy remains in effect, but is resent automatically by the new BlackBerry Enterprise Server. If you move a user from one BlackBerry Enterprise Server to another outside the BlackBerry Domain, the user is treated like a new user and is assigned to the default IT policy, which is sent automatically by the new BlackBerry Enterprise Server.

Resend the existing policy


If, for any reason, the IT policy is not received by the handheld, you can manually resend the policy.
1. In the BlackBerry Manager, in the left pane, click a server.
2. On the User List tab, click a user.
3. Click IT Admin.
4. Click Resend IT Policy.

Schedule commands
By default, automatic resends are turned off. You can configure IT policies to be resent to handhelds on the BlackBerry Enterprise Server at a scheduled time.
1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Server Configuration tab, click Edit Properties.
3. In the IT Admin section, double-click Policy Resend Interval.
4. Type the rate, in hours, at which you want the automatic resends to occur.
5. Click OK.

Deleting IT policies
If you delete a policy to which users are assigned, they are assigned automatically to the default IT policy. For this reason, you cannot delete the default IT policy.
1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click IT Policy.
4. In the IT Policy Administration section, double-click IT Policies.
5. Click the policy to delete, and then click Remove.
6. Click OK.


5 Managing attachment viewing


View settings
Setting supported attachments

View settings
1. On the taskbar, click Start > Programs > BlackBerry Enterprise Server > BlackBerry Server Configuration.
2. Click the Attachment Server tab.
3. In the Configuration Option drop-down list, select one of the following:

Option: Connector Configuration
Description: Controls the connections between the Messaging Agent and the Attachment Service when attachments are requested on the handheld.

Option: Attachment Server
Description: Controls the retrieval, distillation, and conversion of attachment data, as well as which attachment types you plan to support in your environment.

Option: Test Attachment Service
Description: Provides tools to troubleshoot the Attachment Service. See the BlackBerry Enterprise Server Troubleshooting Guide for more information.

If the BlackBerry Attachment Service is installed on a remote machine (that is, separate from the BlackBerry Enterprise Server), only certain settings can be configured on each machine. On the Attachment Service machine, the attachment server options are visible. On the BlackBerry Enterprise Server, the Connector Configuration options are visible.

Change connector settings


Note: You can modify connector configuration settings only on the computer on which the BlackBerry Enterprise Server with the attachment connector is installed.

1. On the taskbar, click Start > Programs > BlackBerry Enterprise Server > BlackBerry Server Configuration.
2. On the Attachment Server tab, from the Configuration Option drop-down list, select Connector Configuration.
3. Modify the desired values.

Option: Server
Description: Set the server name or IP address of the computer on which the Attachment Service is installed. If the Attachment Service is installed on the same computer as the BlackBerry Enterprise Server, this value is set to the localhost name by default.

Option: Server Submit Port
Description: Set the TCP/IP port number that the attachment connector uses to send the attachment data requests to the Attachment Service. Note: The port number for this setting must match the Submit Port field in the attachment server configuration options.
Range: 1024 to 65,535

Option: Server Result Port
Description: Set the TCP/IP port number used to query and retrieve large attachment conversion data from the Attachment Service. Note: The port number for this setting must match the Result Port field in the attachment server configuration options.
Range: 1024 to 65,535

Option: Polling Time (seconds)
Description: Set the interval, in seconds, used to query the server results to find out whether large attachments are available for delivery from the Attachment Service.
Range: 10 to 300 seconds

Option: Format Extensions
Description: Specify the list of attachment extensions that this BlackBerry Enterprise Server supports for the attachment viewer. Warning: If you turn off a distiller, you should also remove the file extension(s) for documents converted by that distiller from the Format Extensions field.

Option: Extended Logging
Description: Set the extended log to Enabled to enable the Attachment Service to write extended log information to the log file. See the BlackBerry Enterprise Server Troubleshooting Guide for more information. Note: The Attachment Service logs successful conversions and any failures in the BlackBerry Messaging Agent log file by default. This setting is used only to enable extended logging for troubleshooting.

Tip: Click Default to return all fields to the original settings.

4. Click OK.
5. Restart the BlackBerry Dispatcher.

Change attachment server settings


Note: You can modify attachment server settings only on the computer on which the Attachment Service is installed.

1. On the taskbar, click Start > Programs > BlackBerry Enterprise Server > BlackBerry Server Configuration.
2. On the Attachment Server tab, from the Configuration Option drop-down list, select Attachment Server.
3. Modify the desired values.

Option: Submit Port
Description: Type the TCP/IP port number that the Attachment Service uses to receive document submissions and on which it returns conversion results. Note: This port number should be identical to the number in the Server Submit Port field in the Connector Configuration options.
Range: 1024 to 65,535

Option: Result Port
Description: Type the port number that the Attachment Service uses to send large attachment conversion data when polled from the attachment connector on the BlackBerry Enterprise Server. Note: The port number for this setting must match the Server Result Port field in the Connector Configuration options.
Range: 1024 to 65,535

Option: Configuration Port
Description: Type the TCP/IP port number to use for configuration and administrative purposes.
Range: 1024 to 65,535

Option: Concurrent Caching
Description: Specify whether multiple requests for the same attachment can use the first cached copy of the attachment Document Object Model (DOM) in a conversion process for a new user.

Option: Document Cache Size (docs)
Description: Specify the maximum number of converted documents that might reside in the document cache (as DOM) for an individual conversion process. If the same user retrieves more content from the same document within a few minutes of the initial request, subsequent requests are served from cache. The cache is maintained for 25 minutes (the default recycle time), or until a new request exceeds the cache limit for that process and the least recently used document in the cache is deleted. All cached data is kept in memory only and the original document is never cached. Tip: A larger cache size means that more memory is allocated to each running conversion process. The maximum file size of the attachments affects the cached memory used. Use the Max File Size (Kb) setting for individual attachment formats to limit the cache memory usage of the running conversion processes.
Range: 1 to 128

Option: Conversion Processes
Description: Set the number of conversion processes that are available to the Attachment Service. A higher number of conversion processes enables more conversion requests to be handled concurrently. Every conversion process allocates memory on startup and uses memory on conversion. This value should be set in relation to available memory and competing services on the computer running the Attachment Service.
Range: 1 to 64

Option: Max. Threads per Process
Description: Set the maximum number of document conversions per conversion process. The number of allowed document conversions defines how many concurrent conversions a single conversion process accepts. This setting helps to control thread saturation for a high volume BlackBerry Enterprise Server configuration and is also useful for managing Attachment Service workload in conjunction with the Busy Threshold (seconds) setting.
Range: 2 to 32

Option: Recycle Time (seconds)
Description: Set the timeout for the BBConvert process recycling to stop any processes consuming CPU that have not completed or failed processing when the timeout occurs. Tip: Process recycling is also used by the Attachment Service to reclaim space used by the Attachment Service and prevent failed processes from keeping memory allocated.
Range: 300 seconds (5 minutes) to 3600 seconds (60 minutes)

Option: Busy Threshold (seconds)
Description: Set the threshold used to determine whether the Attachment Service is busy with conversion and should not accept new requests. The Attachment Service monitors the running conversion threads to check whether all conversion processes are busy when a new request arrives. When the threshold is reached, a Server Busy, Retry message displays.
Range: 60 seconds to 270 seconds

Option: Distiller Settings
Description: The distiller list displays all installed document-loading distillers for the Attachment Service along with the associated document extension and the maximum attachment size allowed. See "Set distiller" on page 39 for more information.

4. Click OK.
5. Restart the Attachment Service.
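The Connector Configuration and Attachment Server settings above carry ranges and two cross-field requirements (Server Submit Port must equal Submit Port, Server Result Port must equal Result Port) that the two configuration screens do not check against each other, and a mismatch only shows up after both services are restarted. The following Python script is an added example, not BlackBerry Enterprise Server code, that checks a pair of settings against those tables before the restart. The two settings dictionaries are constructed sample input; the port numbers in them are illustrative, not the product's defaults.

```python
"""Added example (not BlackBerry Enterprise Server code): consistency check of
a Connector Configuration against an Attachment Server configuration using
the ranges and port-matching rules from the tables above."""
from typing import Dict, List, Tuple

Range = Tuple[int, int]

# Permitted ranges from the Connector Configuration table.
CONNECTOR_RANGES: Dict[str, Range] = {
    "Server Submit Port": (1024, 65535),
    "Server Result Port": (1024, 65535),
    "Polling Time (seconds)": (10, 300),
}
# Permitted ranges from the Attachment Server table.
SERVER_RANGES: Dict[str, Range] = {
    "Submit Port": (1024, 65535),
    "Result Port": (1024, 65535),
    "Configuration Port": (1024, 65535),
    "Document Cache Size (docs)": (1, 128),
    "Conversion Processes": (1, 64),
    "Max. Threads per Process": (2, 32),
    "Recycle Time (seconds)": (300, 3600),
    "Busy Threshold (seconds)": (60, 270),
}
# Connector field -> Attachment Server field that must hold the same port.
PORT_PAIRS = [("Server Submit Port", "Submit Port"),
              ("Server Result Port", "Result Port")]


def check_ranges(settings: Dict[str, object], ranges: Dict[str, Range], label: str) -> List[str]:
    """Report settings that are missing, non-integer, or outside their range."""
    problems = []
    for name, (low, high) in ranges.items():
        value = settings.get(name)
        if isinstance(value, bool) or not isinstance(value, int):
            problems.append(f"{label}: {name} must be an integer, got {value!r}")
        elif not low <= value <= high:
            problems.append(f"{label}: {name}={value} is outside {low} to {high}")
    return problems


def check_attachment_config(connector: Dict[str, object], server: Dict[str, object]) -> List[str]:
    """Return all problems found; an empty list means the pair is consistent."""
    problems = check_ranges(connector, CONNECTOR_RANGES, "Connector Configuration")
    problems += check_ranges(server, SERVER_RANGES, "Attachment Server")
    # Paired ports must hold the same number on both sides.
    for c_field, s_field in PORT_PAIRS:
        if connector.get(c_field) != server.get(s_field):
            problems.append(f"{c_field} ({connector.get(c_field)}) does not match "
                            f"{s_field} ({server.get(s_field)})")
    # The three listening ports on the Attachment Service host must differ.
    # This is the general one-listener-per-port constraint of TCP, not a
    # rule stated in the guide.
    ports = [server.get(f) for f in ("Submit Port", "Result Port", "Configuration Port")]
    if len(set(ports)) != len(ports):
        problems.append(f"Attachment Server listening ports collide: {ports}")
    return problems


# Constructed sample settings (port numbers are illustrative, not defaults).
CONNECTOR = {
    "Server": "attach01.example.internal",
    "Server Submit Port": 2020,
    "Server Result Port": 2021,
    "Polling Time (seconds)": 30,
    "Format Extensions": ".pdf .doc .txt",
    "Extended Logging": False,
}
SERVER = {
    "Submit Port": 2020,
    "Result Port": 2021,
    "Configuration Port": 2022,
    "Concurrent Caching": True,
    "Document Cache Size (docs)": 16,
    "Conversion Processes": 4,
    "Max. Threads per Process": 8,
    "Recycle Time (seconds)": 1500,
    "Busy Threshold (seconds)": 120,
}

if __name__ == "__main__":
    for line in check_attachment_config(CONNECTOR, SERVER) or ["configuration is consistent"]:
        print(line)
```

Run it against the values you intend to type into both screens; an empty result means every value is inside its documented range and the paired ports agree, so the Dispatcher and Attachment Service restarts should not be spent on a port typo.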

Setting supported attachments


For an attachment to be viewable on the handheld, the attachment format must be included in the supported format list, and a distiller for that format must be installed. See the Attachment Distiller API Reference Guide for more information on writing custom distillers.

Supported file formats


The following file formats are supported by default:

File format                                             File extensions
Adobe Acrobat versions 1.1, 1.2, 1.3, 1.4               .pdf
Microsoft Excel versions 97, 2000, 2003, XP             .xls
Microsoft PowerPoint versions 97, 2000, 2003, XP        .ppt
Microsoft Word versions 97, 2000, 2003, XP              .doc, .dot
Corel WordPerfect versions 6.0, 7.0, 8.0, 9.0 (2000)    .wpd
ASCII text                                              .txt
HTML                                                    .html, .htm
ZIP archives                                            .zip
Images                                                  .bmp, .jpg, .gif, .png, .tif

Remove support for a file format


1. On the taskbar, click Start > Programs > BlackBerry Enterprise Server > BlackBerry Server Configuration.
2. On the Attachment Server tab, from the Configuration Option drop-down list, select Connector Configuration.
3. In the Format Extension field, remove the file extension.
4. Click OK.
5. Restart the BlackBerry Dispatcher.
Note: If your mail system is connected to a document management system that enforces extension renaming, you can add to the format list to support arbitrary extensions.

Set distiller
All supported distillers (one distiller per supported file format) are enabled by default. A check mark signifies that the distiller is enabled. Turning off an Attachment Service distiller prevents the use of any attachment in the format that is converted by that distiller. For example, if you turn off the .pdf distiller, Adobe .pdf attachments are no longer supported on the handheld.
Warning: If you turn off a distiller, you should also remove the file extension for documents that are converted by that distiller from the Format Extension field in the Connector Configuration screen. If you turn off a distiller, but the associated file extension is supported (in other words, it appears in the Format Extension field), Open Attachment still appears on the handheld menu when the handheld receives an attachment with that extension. If the user clicks Open Attachment, an Error unknown file format message appears and is logged. See the BlackBerry Enterprise Server Troubleshooting Guide for more information.

1. On the taskbar, click Start > Programs > BlackBerry Enterprise Server > BlackBerry Server Configuration.
2. On the Attachment Server tab, from the Configuration Option drop-down list, select Attachment Server.
3. In the Distiller Settings section, perform one of the following actions:

Action: Enable a distiller.
Procedure: Select the check box.

Action: Turn off a distiller.
Procedure: Clear the check box.

Tip: To enable all image formats, select the Image Attachments check box.

4. Click OK.
5. Restart the Attachment Service.

Set the maximum file size for a distiller setting


The recommended file size is based on the number of users on the BlackBerry Enterprise Server, the number of users requesting attachments, reasonable response time, server hardware, and document complexity. You can change the maximum file size for each distiller setting.
Note: If an attachment exceeds the defined size, the user receives a Document Conversion Failed. Retry message and an Attachment Size Exceeds Specific Value message is logged in the BlackBerry Enterprise Server log file.

1. On the taskbar, click Start > Programs > BlackBerry Enterprise Server > BlackBerry Server Configuration.
2. On the Attachment Server tab, from the Configuration Option drop-down list, select Attachment Server.
3. In the Distiller Settings section, in the Max. File Size (Kb) column, click the file size value beside the distiller that you are modifying, and then type a value.
Tip: The default value of 0 enables an unlimited file size.

Recommended file size for heavy usage BlackBerry Enterprise Server environments
A BlackBerry Enterprise Server environment experiencing the following demands meets the definition of a heavy usage environment: multiple users requesting conversions for large or complex attachments (especially .pdf and ASCII text files larger than 2 MB), and either multiple users requesting the same large or complex documents in the same time frame (0 to 10 minutes) while large conversions are being processed or multiple users requesting different documents in the same time frame (0 to 10 minutes) while large conversions are being processed.
File format                                             Recommended size
Adobe Acrobat versions 1.1, 1.2, 1.3, 1.4               less than 2000 KB
Microsoft Excel versions 97, 2000, 2003, XP             less than 2000 KB
Microsoft PowerPoint versions 97, 2000, 2003, XP        less than 2000 KB
Microsoft Word versions 97, 2000, 2003, XP              less than 2000 KB
Corel WordPerfect versions 6.0, 7.0, 8.0, 9.0 (2000)    less than 2000 KB
ASCII text                                              less than 100 KB
HTML                                                    less than 100 KB
ZIP archives                                            less than 2000 KB
Images                                                  less than 2000 KB
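Three settings in this chapter decide what a user sees when opening an attachment: the Format Extensions field on the connector, the distiller check boxes, and the Max. File Size (Kb) per distiller, and the warning under "Set distiller" describes what happens when the first two disagree. The following Python script is an added example, not BlackBerry Enterprise Server code, that works out the outcome for a given attachment from those settings and lists extensions left in the Format Extensions field after their distiller was turned off. The distiller-to-extension table and the recommended sizes are taken from this guide; the separator used in the Format Extensions field is not stated in the guide and is assumed here; the settings and attachments are constructed sample input.

```python
"""Added example (not BlackBerry Enterprise Server code): predicting the
result of opening an attachment from the distiller settings, the connector's
Format Extensions list and the per-distiller Max. File Size (Kb)."""
from typing import Dict, List, Set

# Distiller -> extensions it converts (the default supported-format table).
DISTILLER_EXTENSIONS: Dict[str, List[str]] = {
    "Adobe Acrobat": [".pdf"],
    "Microsoft Excel": [".xls"],
    "Microsoft PowerPoint": [".ppt"],
    "Microsoft Word": [".doc", ".dot"],
    "Corel WordPerfect": [".wpd"],
    "ASCII text": [".txt"],
    "HTML": [".html", ".htm"],
    "ZIP archives": [".zip"],
    "Images": [".bmp", ".jpg", ".gif", ".png", ".tif"],
}
# Recommended Max. File Size (Kb) for a heavy usage environment.
RECOMMENDED_MAX_KB: Dict[str, int] = {
    d: (100 if d in ("ASCII text", "HTML") else 2000) for d in DISTILLER_EXTENSIONS}

# Outcomes the guide describes for the user and the log.
VIEWABLE = "viewable"
NOT_OFFERED = "Open Attachment not shown (extension not supported)"
UNKNOWN_FORMAT = "Error unknown file format (distiller turned off)"
TOO_LARGE = "Document Conversion Failed. Retry (Attachment Size Exceeds Specific Value)"


def parse_format_extensions(field_text: str) -> Set[str]:
    """Split the Format Extensions field. Assumption: entries are separated
    by whitespace, commas or semicolons (the guide does not state it)."""
    tokens = field_text.replace(";", " ").replace(",", " ").split()
    return {t.lower() if t.startswith(".") else "." + t.lower() for t in tokens}


def distiller_for(extension: str) -> str:
    """Name of the distiller that converts an extension, or "" if none does."""
    for distiller, exts in DISTILLER_EXTENSIONS.items():
        if extension in exts:
            return distiller
    return ""


def orphaned_extensions(format_extensions: Set[str], enabled: Set[str]) -> Set[str]:
    """Extensions still listed although their distiller is turned off: the
    handheld offers Open Attachment, and the open then fails."""
    return {e for e in format_extensions if distiller_for(e) and distiller_for(e) not in enabled}


def attachment_outcome(filename: str, size_kb: int, format_extensions: Set[str],
                       enabled: Set[str], max_kb: Dict[str, int]) -> str:
    """What the user gets for one attachment under the given settings."""
    ext = ("." + filename.rsplit(".", 1)[1].lower()) if "." in filename else ""
    if ext not in format_extensions:
        return NOT_OFFERED
    distiller = distiller_for(ext)
    if distiller not in enabled:
        return UNKNOWN_FORMAT
    limit = max_kb.get(distiller, 0)  # 0 means unlimited file size
    if limit and size_kb > limit:
        return TOO_LARGE
    return VIEWABLE


def oversized_limits(max_kb: Dict[str, int]) -> Dict[str, int]:
    """Distillers whose limit is unlimited (0) or above the heavy-usage recommendation."""
    return {d: kb for d, kb in max_kb.items()
            if d in RECOMMENDED_MAX_KB and (kb == 0 or kb > RECOMMENDED_MAX_KB[d])}


# Constructed settings: Acrobat turned off but .pdf left in the extension list.
FORMAT_EXTENSIONS = parse_format_extensions(".pdf .doc .dot .txt .jpg .png")
ENABLED = {"Microsoft Word", "ASCII text", "Images"}
MAX_KB = {"Microsoft Word": 2000, "ASCII text": 100, "Images": 0}

if __name__ == "__main__":
    print("orphaned:", orphaned_extensions(FORMAT_EXTENSIONS, ENABLED))
    for name, kb in [("report.pdf", 300), ("notes.txt", 150), ("photo.jpg", 4096), ("plan.xls", 50)]:
        print(name, "->", attachment_outcome(name, kb, FORMAT_EXTENSIONS, ENABLED, MAX_KB))
    print("review limits:", oversized_limits(MAX_KB))
```

The orphaned set is the condition the warning describes: the connector still advertises the extension, so the handheld shows Open Attachment, and the Attachment Service then logs the unknown-format error. The limits report flags the default of 0, which the guide notes means unlimited, because that default lets a single oversized document occupy a conversion process in a heavy usage environment.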


6 Managing HTTP browsing and push


Starting the Mobile Data Service
Managing data connections
Managing connections to servers
Managing authentication
Managing push
Managing pull

Starting the Mobile Data Service


Enable the Mobile Data Service on the server and on user accounts to provide users access to online content and applications on the corporate intranet or Internet.
Note: To use the Mobile Data Service, the handheld must contain the appropriate Internet Protocol Proxy Protocol (IPPP) service book entries. On C++-based handhelds, these service books are installed by default. On Java-based handhelds, the IPPP service book must be provisioned by the network operator as part of the handheld registration. See the BlackBerry Enterprise Server Feature and Technical Overview for more information on supported networks, handheld versions, and handheld and desktop software versions.

Start or stop the Mobile Data Service


1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Mobile Data Services tab, click Common.
3. Perform one of the following actions:

Action: Start the Mobile Data Service.
Procedure: Click Start Service.

Action: Stop the Mobile Data Service.
Procedure: Click Stop Service.

Enable or disable on the server


1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Server Configuration tab, click Service Control and Customization.
3. Perform one of the following actions:

Action: Enable the Mobile Data Service.
Procedure: Click Enable MDS.
Note: You must reenable the Mobile Data Service for user accounts on that server to enable the Mobile Data Service on their handhelds.

Action: Disable the Mobile Data Service.
Procedure: Click Disable MDS.


Enable or disable on user accounts


1. In the BlackBerry Manager, in the left pane, click a server.
2. On the User List tab, click a user.
Tip: Press CTRL to select multiple users at the same time.

3. In the lower pane, click Service Access.
4. Perform one of the following actions:

Action: Enable the Mobile Data Service.
Procedure: Click Enable MDS Access.

Action: Disable the Mobile Data Service.
Procedure: Click Disable MDS Access.

Managing data connections


Set parameters to control how the Mobile Data Service manages data from the Internet, intranet, or routed through a corporate proxy server.

Change Mobile Data Service connection settings


1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Mobile Data Services tab, click Edit Properties.
3. Click General.
4. Modify the desired values:
Warning: Change the default port parameters only if there is a port conflict with another service on the same computer. If you change port or host information, the BlackBerry Enterprise Server stops and restarts the Mobile Data Service to reload the configuration information.

Option: SRP Host
Description: The host name of the BlackBerry Enterprise Server.

Option: SRP Port
Description: The port on which the BlackBerry Enterprise Server listens. Warning: If the BlackBerry Enterprise Server host name and port number do not appear by default in the Host and Port fields, you might not have started the BlackBerry Dispatcher service. If this is the case, close the Mobile Data Service Properties window, start the BlackBerry Dispatcher service, and then reopen the Mobile Data Service Properties window.

Option: Web Server Listen Port
Description: The port number on which the web server listens for requests from push applications. Warning: Notify your push application developer if you change the web server listen port number.

Option: Web Server SSL Listen Port
Description: The port number on which the web server receives HTTPS requests from handhelds.

Option: Maximum KB/Connection
Description: The maximum number of kilobytes that can be sent to the handheld for each Mobile Data Service connection.

Option: Flow Control Timeout
Description: The length of time, in milliseconds, that the handheld has to send an acknowledgement before the Mobile Data Service discards all pending content to the handheld.

Change connection timeouts


1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Mobile Data Services tab, click Edit Properties.
3. Click HTTP.
4. Modify the desired values:

Option: HTTP Handheld Connection Timeout
Description: The length of time, in milliseconds, that the HTTP connection waits for the handheld to send data.

Option: HTTP Server Connection Timeout
Description: The length of time, in milliseconds, that the HTTP connection waits for the origin server to send data.

Option: Maximum Number of Redirects
Description: The maximum number of HTTP redirections that the Mobile Data Service supports. HTTP redirection occurs when the BlackBerry Browser requests a web page from the web server and the web server returns a redirection status code to the BlackBerry Browser to indicate the new URL for the web page.

Enable cookie support


1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Mobile Data Services tab, click Edit Properties.
3. Click HTTP.
4. Click Support HTTP Cookie Storage.
5. From the drop-down list, select True. The Mobile Data Service manages HTTP cookie storage, reducing the load on the handheld.

Manage connections through a proxy server


You can specify whether the Mobile Data Service uses a proxy server for communication with an intranet or the Internet, or uses a Proxy Auto-Configuration (PAC) file that explicitly identifies how particular destinations are accessed.

Configure the Mobile Data Service to use the proxy server


1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Mobile Data Services tab, click Edit Properties.
3. Click Proxy.
4. Click HTTP Proxy Enabled.
5. From the drop-down list, select True.
6. Click Proxy Auto Configuration.
7. From the drop-down list, select False.
8. In the Manual Proxy section, modify the desired values:

Option: Host Name
Description: The host name or IP address for the URL.

Option: Port
Description: The port number for the URL.

Option: SSL Port
Description: The proxy SSL port number for the URL. This is optional (if supported by your proxy server) and specifies the handheld's connection to an HTTPS site through an end-to-end TLS connection.

Assign a URL to a proxy server or a group of proxy servers


1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Mobile Data Services tab, click Edit Properties.
3. Click Proxy.
4. Click HTTP Proxy Enabled.
5. From the drop-down list, select True.
6. Click Proxy Auto Configuration.
7. From the drop-down list, select False.
8. In the Manual Proxy section, double-click Proxy Mappings.
9. Click New.
10. Double-click Universal Resource Locator.
11. Type the URL in the field. Use the following format: scheme://host name:port/path/?query.
12. Double-click Proxy String.
13. Type the host name and port for the proxy server in the field.
Note: URLs that are not listed in the Proxy Mappings window are routed through the proxy server specified on the Proxy tab, in the Manual Proxy section.

14. Click OK.
15. Click OK again.

Configure the Mobile Data Service to use a PAC file


1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Mobile Data Services tab, click Edit Properties.
3. Click Proxy.
4. Click HTTP Proxy Enabled.
5. From the drop-down list, select True.
6. Click Proxy Auto Configuration.
7. From the drop-down list, select True.
8. In the Auto Proxy section, perform one of the following actions:

Action: Automatically detect the proxy server.
Procedure: In the Auto Detect section, from the drop-down list, select True.

Action: Specify the PAC location.
Procedure: In the URL section, in the field, type the URL.
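The three proxy procedures above (manual proxy, Proxy Mappings, and PAC) combine into one routing decision per request: disabled proxying goes direct, a PAC configuration hands the decision to the auto-detected or named PAC file, a URL listed in Proxy Mappings goes to its Proxy String, and everything else goes to the Manual Proxy host and port. The following Python script is an added example, not Mobile Data Service code, that makes that decision for a request URL so an administrator can see where a given site would be routed before saving the settings. The guide does not say how a request is matched against a mapping URL, so prefix matching (longest mapping wins) and the use of SSL Port for https requests are assumptions; the settings, host names and URLs are constructed sample input.

```python
"""Added example (not Mobile Data Service code): resolving which proxy a
request would use under the Proxy tab settings described above.
Assumptions: prefix matching of request URLs against Proxy Mappings, and
SSL Port used for https requests when one is configured."""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass
class ProxyMapping:
    url: str            # scheme://host name:port/path/?query
    proxy_string: str   # host name and port of the proxy server


@dataclass
class ProxySettings:
    http_proxy_enabled: bool = False
    proxy_auto_configuration: bool = False
    # Manual Proxy section
    host_name: str = ""
    port: int = 0
    ssl_port: Optional[int] = None
    proxy_mappings: List[ProxyMapping] = field(default_factory=list)
    # Auto Proxy section
    auto_detect: bool = False
    pac_url: str = ""


def _normalise(url: str) -> str:
    """scheme://host:port/path with the default port filled in, for prefix comparison."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme, 0)
    return f"{scheme}://{(parts.hostname or '').lower()}:{port}{parts.path or '/'}"


def resolve_proxy(settings: ProxySettings, request_url: str) -> str:
    """Return "DIRECT", "PAC <source>", or "PROXY host:port" for a request."""
    if not settings.http_proxy_enabled:
        return "DIRECT"
    if settings.proxy_auto_configuration:
        if settings.auto_detect:
            return "PAC auto-detect"
        if not settings.pac_url:
            raise ValueError("Proxy Auto Configuration is True but neither Auto Detect nor a PAC URL is set")
        return f"PAC {settings.pac_url}"
    target = _normalise(request_url)
    # Assumption: a mapping applies when its URL is a prefix of the request;
    # the most specific (longest) mapping wins.
    matches = [m for m in settings.proxy_mappings if target.startswith(_normalise(m.url))]
    if matches:
        best = max(matches, key=lambda m: len(_normalise(m.url)))
        return f"PROXY {best.proxy_string}"
    # Anything not listed in Proxy Mappings goes to the Manual Proxy server.
    if not settings.host_name or not settings.port:
        raise ValueError("HTTP Proxy Enabled is True but Host Name/Port are not set")
    scheme = urlsplit(request_url).scheme.lower()
    port = settings.ssl_port if scheme == "https" and settings.ssl_port else settings.port
    return f"PROXY {settings.host_name}:{port}"


# Constructed settings: intranet URLs via dedicated proxies, everything else
# via the corporate proxy from the Manual Proxy section.
MANUAL = ProxySettings(
    http_proxy_enabled=True, proxy_auto_configuration=False,
    host_name="proxy.example.internal", port=8080, ssl_port=8443,
    proxy_mappings=[
        ProxyMapping("http://intranet.example.internal:80/", "intproxy.example.internal:3128"),
        ProxyMapping("http://intranet.example.internal:80/hr/", "hrproxy.example.internal:3128"),
    ])
PAC = ProxySettings(http_proxy_enabled=True, proxy_auto_configuration=True,
                    pac_url="http://pac.example.internal/proxy.pac")

if __name__ == "__main__":
    for u in ["http://intranet.example.internal/hr/payroll",
              "http://intranet.example.internal/news",
              "https://www.example.com/", "http://www.example.com/"]:
        print(u, "->", resolve_proxy(MANUAL, u))
    print(resolve_proxy(PAC, "http://www.example.com/"))
```

The two ValueError cases are the half-configured states the procedures can leave behind: Proxy Auto Configuration set to True with neither Auto Detect nor a URL, or HTTP Proxy Enabled with an empty Manual Proxy section, in which case unmapped requests have nowhere to go.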

Managing connections to servers


Change LDAP settings
Directory Access Protocol (DAP) is an industry-standard method for accessing X.500 directory listings. Such information is stored in an LDAP-compliant directory, and consists of user profiles and approved certificates.
Warning: Do not change the default port parameters unless there is a port conflict with another service on the same computer. If you change port or host information, you must stop and restart the Mobile Data Service to reload the configuration information.


1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Mobile Data Services tab, click Edit Properties.
3. Click LDAP.
4. Modify the desired values.

Option: Host Name
Description: Type the name of the default LDAP server. When there is no LDAP server specified in a query URL (LDAP:///), the request is sent automatically to this server.

Option: Port
Description: Type the port number on which the default LDAP server listens. If you provide a host name, you must specify a port number.

Option: Default Server Base Query
Description: Type the default base query for the default server. Each LDAP server can host multiple domains, but can only search in one of them at a time, so you must set a default query.

Option: Query Limit
Description: The maximum number of entries that are returned for each base query.

Option: Enable Data Compression
Description: Enables compression of the result data stream.

Change OCSP settings


OCSP is used to query the current status of certificates. Developers use OCSP to find out if a stored certificate is currently valid, or if it is revoked and can no longer be trusted. The Certificate Revocation List (CRL) is a large file that lists the status of all certificates that are revoked.
1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Mobile Data Services tab, click Edit Properties.
3. Click OCSP.
4. Modify the desired values.

Option: Use Device Responders
Description: Enables the OCSP handler to accept OCSP responders that are specified by the handheld. These responders are not considered to be secondary responders.

Option: Use Certificate Extension Responders
Description: Enables the OCSP handler to use the OCSP responder extension in the certificate (if a certificate is present). This is considered only if the primary responder does not respond.

Option: Default Responder URL
Description: Type a default responder URL. This URL specifies an OCSP responder's URL.

Change security settings


SSL and its successor, TLS, are protocols that enable the client and the server to negotiate a secure connection at the socket level, over which data can be exchanged safely. To establish a secure, private conversation with a server, the handheld uses HTTPS. When a user types https:// (instead of http://) in a URL on the handheld, the client-server connection request is initiated using secure HTTP (HTTP over TLS/SSL).

1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Mobile Data Services tab, click Edit Properties.
3. Click TLS/HTTPS.
4. Modify the desired values.

Allow Untrusted HTTPS Connections
    Enables the Mobile Data Service to encrypt the request sent to an untrusted server (on behalf of the handheld) using HTTPS.
    Note: Untrusted servers are servers for which no certificate is stored.
Allow Untrusted TLS Connections
    Enables the Mobile Data Service to encrypt the request sent to an untrusted server (on behalf of the handheld) using TLS.

Add a certificate to the Mobile Data Service key store to permit untrusted connections
Warning: The keytool utility is not created or supported by Research In Motion.

1. Copy the certificate from a secure web site to a .cer file.
2. Copy the certificate file into the j2re1.4.2\lib\security folder on the computer on which the Mobile Data Service is installed.
3. Import the certificate into the key store using the keytool, which is installed in the JRE bin folder (typically drive:\Program Files\Java\j2re1.4.2\bin). For example, type keytool -import -trustcacerts -alias <alias_name> -file <cert_filename> -keystore cacerts.
4. Type the key store password.
5. At the Trust this certificate prompt, click Yes. The certificate is added to the key store.

Visit http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html for more information on using the keytool.

Accept an SSL connection from the push application using a keystore file
The BlackBerry Server Configuration tool creates a keystore file, which enables the push application to establish an SSL connection with the Mobile Data Service when pushing content to the handheld.
Note: Only one keystore file can exist. The file must be called webserver.keystore and must be located at ...\Research in Motion\BlackBerry Enterprise Server\MDS. If you create a new keystore file, the existing file is overwritten.

1. On the taskbar, click Start > Programs > BlackBerry Enterprise Server > BlackBerry Server Configuration.
2. On the Mobile Data Service tab, modify the desired values:
    Set the keystore file password: In the Password field, type a password. The password must be at least six characters.
    Confirm the keystore file password: In the Confirm field, type the password again.
    Set user name: In the User Name field, type the user name of the keystore.
    Set company name: In the Organization field, type the company name.
    Set country: In the Country field, type the country name.
3. Click Create Keystore File.
4. If prompted, click Yes to overwrite the existing keystore file.
5. Click OK.


Managing authentication
Set HTTP authentication
1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Mobile Data Services tab, click Edit Properties.
3. Click HTTP.
4. Modify the desired values:

Support HTTP Authentication
    Enables the Mobile Data Service to perform authentication with the proxy server or content server on behalf of handhelds when an HTTP request is sent from the handheld. This option enables authentication information storage by default. Enable this option to support network authentication.
    Warning: In the case of an authentication failure, in which no valid name and password pair is found for a particular domain, the authentication failure is sent to the handheld. This failure notice alerts the handheld user that the name and password pair could not be found.
Authentication Timeout
    The length of time, in milliseconds, before the authentication information stored on the proxy or content server is removed.

Configure network authentication


The Mobile Data Service supports HTTP basic authentication, NTLM, and Kerberos authentication methods. Lightweight Third-Party Authentication (LTPA) is supported if cookie storage is enabled. When network authentication is enabled, the handheld uses standard Internet protocols to link to the BlackBerry Enterprise Server as usual. The BlackBerry Enterprise Server, with Mobile Data Service enabled, then proxies the network authentication to a web server using the native method of that server. The web server determines which authentication method to use (NTLM, Kerberos or HTTP Basic) to access its content. If the Mobile Data Service is not configured to authenticate on behalf of the web server, then the handheld can authenticate using HTTP basic authentication, which requires users to log in with a user name and password.

NTLM authentication
Configure NTLM using the standard Java Authentication and Authorization Service (JAAS) configuration file, which is installed in the following location by default: root_directory:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\ServerInstance\config\MdsLogin.conf. Visit http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/LoginConfigFile.html for more information on the JAAS configuration file.

The MdsLogin.conf file lists the three login modules used by the Mobile Data Service and the application(s) for which each is used:
    Kerberos 5 login module for JAAS (com.sun.security.auth.module.Krb5LoginModule)
    NTLM authentication module for JAAS (net.rim.security.auth.module.ntlm.NtlmLoginModule)
    Clear password login module for JAAS (net.rim.security.auth.module.pwd.PwdLoginModule)

Kerberos authentication
Note: Kerberos requires Microsoft Windows 2000 or 2003.

Configure Kerberos 5 using the standard Kerberos 5 configuration file (krb5.conf), which is installed in the following location by default: root_directory:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\ServerInstance\config\krb5.conf. Visit http://web.mit.edu/kerberos/www/krb5-1.3/krb5-1.3.3/doc/krb5-admin.html for more information on the Kerberos 5 file.

The Kerberos 5 configuration file that is provided with the Mobile Data Service installation includes the following sections:

[libdefaults]
    This section contains default values used by the Kerberos 5 library. The encryption key types that are supported are listed in the subsections.
    default_tkt_enctypes: This value defines the supported encryption types that should be requested by the client.
        Note: Visit http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.5/doc/admin.html for a complete list of available values.
    default_tgs_enctypes: This value defines the supported encryption types that should be returned by the Key Distribution Center (KDC) host (a computer issuing Kerberos tickets).
[realms]
    This section contains subsections describing information specific to case-sensitive Kerberos realm names. Each subsection describes realm-specific information, including the location of the Kerberos servers for that realm. For each realm, you can specify the KDC host and an optional port number. A Kerberos realm is an administrative domain/site with its own Kerberos database containing information about its users and services.
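The two sections above in a complete krb5.conf, as an added example (this is not the file shipped with the Mobile Data Service). The realm name and KDC hosts are placeholders, default_realm is a standard libdefaults key the table does not cover, and the DES enctypes are only an illustration of values from the MIT documentation linked above.

```ini
# Constructed example krb5.conf (placeholders, not the file shipped with
# the Mobile Data Service). Realm names are case-sensitive.
[libdefaults]
    # Standard libdefaults key not described in the table above
    default_realm = EXAMPLE.COM
    # Encryption types the client requests for its initial ticket
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
    # Encryption types the KDC may return for service tickets
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc

[realms]
    EXAMPLE.COM = {
        # KDC host with an optional port (88 is the standard Kerberos port)
        kdc = kdc1.example.com:88
        # A second KDC for the same realm, on the default port
        kdc = kdc2.example.com
    }
```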

Set proxy server authentication


1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Mobile Data Services tab, click Edit Properties.
3. Click Proxy.
4. Click HTTP Proxy Enabled.
5. From the drop-down list, select True.
6. In the MDS Authentication section, click Enabled.
7. From the drop-down list, select True.
8. In the User name field, type a user name.
9. In the Password field, type a password.
10. In the Password (confirmation) field, type the password.
Note: If Support HTTP Authentication is set to False, MDS Authentication is automatically turned off.


Managing push
The Mobile Data Service provides capabilities for push applications. Push applications send content from a server to a handheld without first being prompted by a handheld user.

Push service
The Mobile Data Service implements the Push Access Protocol (PAP) [Wireless Application Protocol (WAP) version 2.0] to push content to the handheld. Developers can also use the RIM push service to push content to the handheld. Both push service implementations support the following tasks:
    sending a server-side push submission
    specifying the reliability mode for the push submission (transport-level versus application-level reliability)
    specifying the deliver-before timestamp for the push submission, which assigns a date and time before which the content must be delivered
    requesting a result notification of the push submission
See the BlackBerry Java Development Environment version 3.6 Developer Guide, Volume 1: Fundamentals for more information on writing server-side push applications.

You can also use the PAP to send an HTTP POST request. The PAP push service supports the following additional tasks:
    specifying the deliver-after timestamp for the push submission
    cancelling a push submission that has already been sent to the Mobile Data Service
    querying the status of a push submission
Download the Wireless Application Protocol (WAP-247-PAP-20010429-1) from http://www.wapforum.org/what/technical.htm for more information on writing server-side push applications using the PAP. Download the PAP 2.0 DTD from http://www.wapforum.org/DTD for information on the WAP Push DTDs for version 2.0.

Enable the push server


The push server receives push requests from applications and establishes a connection to the handheld through which the data can be sent.
Warning: If you change the push server, notify your push application developer. Push applications need to use the correct push server.

1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Mobile Data Services tab, click Common.
3. Click Set as Push Server.
Warning: You can enable centralized push for only one Mobile Data Service in a BlackBerry Domain.

Store and delete push submissions


1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Mobile Data Services tab, click Edit Properties.
3. Click PAP.
4. Modify the desired values:

Store Push Submissions
    Specifies whether push requests sent to the handheld using the Push Access Protocol are stored in the configuration database.
    Note: If you use the deliver-after timestamp, or specify a status query or cancellation in your push request, you must select this option.
Purge Submissions Age
    The age, in minutes, at which push submissions become eligible for purging from the database.
    Default: 1440
Purge Operations Interval
    The interval, in minutes, between purge operations that remove eligible push submissions from the database.
    Default: 720

Create push roles and assign push initiators


Use push roles to create groups of BlackBerry users who can receive push content. Use push initiators to control which application developers can push content to those groups. After you configure push roles and push initiators, set push authorization at the server level. See "Set push authorization for a specific server" on page 52 for more information.

1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. In the left pane, click MDS Access Control.
4. Perform one of the following actions:

Create a new role.
    1. Double-click Push Roles.
    2. Click New.
    3. Double-click Name and type the name of the role.
    4. Double-click Description, and then type a description for the role.
    5. Click OK.
    6. Click OK again.
Assign a user to a role.
    1. Double-click User to Role Mapping.
    2. In the left pane, click the role.
    3. In the right pane, select the user to receive push content from the push initiators associated with this role.
       Tip: Press CTRL to select multiple users at the same time.
    4. Click OK.
Create a push initiator.
    1. Double-click Push Initiators.
    2. Click New.
    3. Double-click Push Principal Name, and then type the name of the push initiator.
    4. Double-click Credentials, and then type the password for the push initiator.
    5. Double-click Description, and then type a description for the push initiator.
    6. Click OK.
Assign the role to a push initiator.
    1. Double-click Push Initiator to Role Mapping.
    2. In the left pane, click the role.
    3. In the right pane, click the push initiator.
    4. Click OK.


Set push authorization for a specific server


After you configure push roles and push initiators, set push authorization at the server level. See "Create push roles and assign push initiators" on page 51 for more information.

1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Mobile Data Services tab, click Edit Properties.
3. Click Local Access Control.
4. Modify the desired values:

Push Authentication
    Restricts the push initiators that can access the Mobile Data Service to push content to users.
    Note: To push content to the Mobile Data Service, the push application must add the Authorization HTTP header to the push request submitted to the Mobile Data Service. The Authorization header is in HTTP Basic authentication format and contains the authentication information that the Mobile Data Service requires before it allows the push initiator to push content to the handheld.
Push Authorization (requires Authentication)
    Restricts push initiators from pushing content to particular handhelds.
Push Encryption
    Encrypts the push request using SSL or TLS.
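The push submission tasks listed under "Push service" and the Authorization header required by Push Authentication, as an added Python example (not RIM's or the BlackBerry JDE's code): it builds PAP 2.0 control entities for a push, a cancellation and a status query, and wraps the push in the multipart/related POST body with HTTP Basic push authentication. The push server host, port and path, the address-value format, and the mapping of transport-level reliability onto PAP delivery-method="confirmed" are assumptions of this example; all sample values are constructed.

```python
"""PAP 2.0 push submission to the Mobile Data Service with HTTP Basic push
authentication.  Added example, not RIM or BlackBerry JDE code; host, port,
path, address-value format and reliability mapping are assumptions."""
import base64
import http.client
from datetime import datetime, timezone
from xml.etree import ElementTree
from xml.sax.saxutils import quoteattr

# PAP 2.0 document prolog (DTD published at http://www.wapforum.org/DTD).
PAP_DOCTYPE = ('<?xml version="1.0"?><!DOCTYPE pap PUBLIC "-//WAPFORUM//DTD PAP 2.0//EN" '
               '"http://www.wapforum.org/DTD/pap_2.0.dtd">')


def basic_authorization(push_principal_name, credentials):
    """Authorization header in HTTP Basic format: base64(principal:credentials),
    using the Push Principal Name and Credentials set under MDS Access Control."""
    raw = f"{push_principal_name}:{credentials}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def pap_timestamp(when):
    """PAP %Datetime value: UTC, ISO 8601 with seconds and a 'Z' suffix."""
    return when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _entity(element, push_id, address_value, extra_attrs="", inner=""):
    """Common shape of the PAP control entities: one message element, one address."""
    return (f"{PAP_DOCTYPE}<pap><{element} push-id={quoteattr(push_id)}{extra_attrs}>"
            f"<address address-value={quoteattr(address_value)}/>{inner}"
            f"</{element}></pap>")


def push_message(push_id, address_value, deliver_before=None, deliver_after=None,
                 transport_reliable=False):
    """push-message: the submission itself.  deliver_before/deliver_after are
    datetimes for the deliver-before and deliver-after timestamps (deliver-after
    needs Store Push Submissions enabled on the server).  transport_reliable=True
    requests delivery-method="confirmed"; equating that with the transport-level
    reliability mode is this example's assumption."""
    attrs = ""
    if deliver_before is not None:
        attrs += f" deliver-before-timestamp={quoteattr(pap_timestamp(deliver_before))}"
    if deliver_after is not None:
        attrs += f" deliver-after-timestamp={quoteattr(pap_timestamp(deliver_after))}"
    qos = '<quality-of-service delivery-method="confirmed"/>' if transport_reliable else ""
    return _entity("push-message", push_id, address_value, attrs, qos)


def cancel_message(push_id, address_value):
    """cancel-message: withdraw a submission the push server has stored."""
    return _entity("cancel-message", push_id, address_value)


def statusquery_message(push_id, address_value):
    """statusquery-message: ask the push server for a submission's state."""
    return _entity("statusquery-message", push_id, address_value)


def push_submission(control_entity, content, content_type, principal, credentials,
                    boundary="pap-boundary"):
    """Headers and body for the HTTP POST: a multipart/related body with the PAP
    control entity first and the pushed content second, plus the Authorization
    header that Push Authentication requires.  Returns (headers, body)."""
    body = (f"--{boundary}\r\nContent-Type: application/xml\r\n\r\n{control_entity}\r\n"
            f"--{boundary}\r\nContent-Type: {content_type}\r\n\r\n").encode("utf-8")
    body += content + f"\r\n--{boundary}--\r\n".encode("ascii")
    headers = {
        "Content-Type": f'multipart/related; boundary="{boundary}"; type="application/xml"',
        "Content-Length": str(len(body)),
        "Authorization": basic_authorization(principal, credentials),
    }
    return headers, body


def control_entity_push_id(control_entity):
    """Parse a control entity back and return its push-id (proves it is well-formed XML)."""
    root = ElementTree.fromstring(control_entity)
    return root[0].get("push-id")


def send(host, port, path, headers, body, use_tls=False):
    """POST the submission to the push server; use_tls corresponds to Push
    Encryption.  Returns (status, response body).  Not exercised offline."""
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, port)
    conn.request("POST", path, body=body, headers=headers)
    resp = conn.getresponse()
    return resp.status, resp.read()


if __name__ == "__main__":
    # Constructed values: placeholder address, push initiator and credentials.
    entity = push_message("push-0001", "PLACEHOLDER-ADDRESS-VALUE",
                          deliver_before=datetime(2004, 11, 10, 12, 0, tzinfo=timezone.utc),
                          transport_reliable=True)
    hdrs, payload = push_submission(entity, b"<html>hello</html>", "text/html",
                                    "pushinit", "s3cret")
    print(hdrs)
    print(payload.decode("utf-8"))
```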

Managing pull
Create pull roles and assignments
Use URL patterns and roles to control which URLs can be accessed through the Mobile Data Service. After you configure URL patterns and roles, set pull authorization at the server level. See "Set pull authorization for a specific server" on page 53 for more information.

1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. In the left pane, click MDS Access Control.
4. Perform one of the following actions:

Create a URL pattern.
    1. Double-click URL Patterns.
    2. Click New.
    3. Double-click URL Pattern and type the pattern for the role using the format <hostname:port/path>. For example, to specify all paths, use the wildcard character (*): <hostname:port/*>.
    4. From the Service Name drop-down list, select one of the following options:
       HTTP: User requests a connection to an HTTP site. The Mobile Data Service provides access to content on the Internet and corporate intranet using a standard Internet protocol such as HTTP.
       HTTPS: User requests a connection to an HTTPS site when SSL or TLS are enabled in proxy mode.
       TCP: User requests a connection to an HTTPS site when TLS is enabled in end-to-end mode.
       LDAP: User attempts to access a user profile or certificate from the LDAP directory.
       OCSP: User attempts to verify the revocation status of a certificate from their handheld. Certificate revocation status is retrieved from the OCSP server.
    5. Double-click Description and type the description for the URL pattern.
    6. Click OK.
    7. Click OK again.
Create a new role.
    1. Double-click Pull Roles.
    2. Click New.
    3. Double-click Name and type the name of the role.
    4. Double-click Description, and then type a description for the role.
    5. Click OK.
    6. Click OK again.
Assign a URL to the role.
    1. Double-click URL Pattern to Role Mapping.
    2. In the left pane, click the role.
    3. In the right pane, perform one of the following actions:
       Select Allow to permit the user assigned to this role to access the identified URL.
       Note: If you created a different role that denies access to this URL, the user assigned to this role is not permitted access to the URL.
       Select Deny to prevent the user assigned to this role from accessing the identified URL.
    4. Click OK.
Assign the role to a user.
    1. Double-click User to Role Mapping.
    2. In the left pane, click the role.
    3. In the right pane, click the user.
    4. Click OK.
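The URL pattern, role and Allow/Deny semantics described above, as an added Python example (not RIM's implementation of pull access control) evaluated over constructed patterns, roles and users. It assumes fnmatch-style wildcard matching, that a request matching no pattern is refused once Pull Authorization is True, and that the caller supplies the request's service name (HTTP, HTTPS, TCP, LDAP or OCSP).

```python
"""Pull access control evaluation for the Mobile Data Service model: URL
patterns (hostname:port/path, * wildcard) mapped to pull roles as Allow or
Deny, users mapped to roles, and a Deny in any role overriding an Allow.

Added example, not RIM's implementation.  Assumptions: fnmatch-style wildcard
matching; a request that matches no pattern is refused once Pull Authorization
is True; the caller supplies the service name for the request."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Ports implied when the request URL carries none.
DEFAULT_PORTS = {"http": 80, "https": 443, "ldap": 389}

# Constructed configuration: role -> {(URL pattern, service name): verdict}.
SAMPLE_ROLES = {
    "intranet-users": {
        ("intranet.example.com:80/*", "HTTP"): "Allow",
        ("ldap.example.com:389/*", "LDAP"): "Allow",
    },
    "no-admin-pages": {
        ("intranet.example.com:80/admin/*", "HTTP"): "Deny",
    },
    "public-web": {
        ("*:80/*", "HTTP"): "Allow",
        ("*:443/*", "HTTPS"): "Allow",
    },
}
# Constructed user-to-role mapping.
SAMPLE_USERS = {
    "alice": {"intranet-users", "no-admin-pages"},
    "bob": {"intranet-users"},
    "carol": {"public-web", "no-admin-pages"},
}


def normalize(url):
    """Reduce a request URL to the hostname:port/path form the patterns use."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme.lower())
    return f"{(parts.hostname or '').lower()}:{port}{parts.path or '/'}"


def evaluate(user, service, url, roles=SAMPLE_ROLES, users=SAMPLE_USERS,
             pull_authorization=True):
    """Return 'Allow', 'Deny' or 'NoMatch' for one request.

    Every pattern of every role the user holds is consulted; one Deny anywhere
    refuses the request even if another role allows it."""
    if not pull_authorization:
        return "Allow"          # server-level Pull Authorization is False
    target = normalize(url)
    verdicts = set()
    for role in users.get(user, ()):
        for (pattern, svc), verdict in roles.get(role, {}).items():
            if svc == service and fnmatchcase(target, pattern):
                verdicts.add(verdict)
    if "Deny" in verdicts:
        return "Deny"
    if "Allow" in verdicts:
        return "Allow"
    return "NoMatch"


def is_allowed(user, service, url, **kwargs):
    """True only for an explicit Allow with no overriding Deny."""
    return evaluate(user, service, url, **kwargs) == "Allow"


if __name__ == "__main__":
    for who, svc, link in [("alice", "HTTP", "http://intranet.example.com/hr/"),
                           ("alice", "HTTP", "http://intranet.example.com/admin/users"),
                           ("bob", "HTTP", "http://intranet.example.com/admin/users"),
                           ("carol", "HTTPS", "https://www.example.org/")]:
        print(who, svc, link, "->", evaluate(who, svc, link))
```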

Set pull authorization for a specific server


After you configure URL patterns and roles, set pull authorization at the server level. See "Create pull roles and assignments" on page 52 for more information.

1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Mobile Data Services tab, click Edit Properties.
3. Click Local Access Control.
4. Click Pull Authorization.
5. From the drop-down list, select True.
6. Click OK.


7 Managing security
Change the data encryption type
Generating encryption keys

Change the data encryption type


1. In the BlackBerry Manager, in the left pane, click a server.
2. On the Server Configuration tab, click Edit Properties.
3. Click General.
4. In the Security section, double-click Encryption Algorithm.
5. From the drop-down list, select one of the following options:

3DES
    Data is encrypted between the BlackBerry Enterprise Server and the handheld using the Triple Data Encryption Standard (Triple DES) cryptographic encryption algorithm. This encryption standard is supported by all versions of the BlackBerry Enterprise Server and BlackBerry Handheld Software.
AES
    Data is encrypted between the BlackBerry Enterprise Server and the handheld using the Advanced Encryption Standard (AES) cryptographic encryption algorithm. Select this option only if you are running the BlackBerry Enterprise Server version 4.0 and Handheld Software version 4.0 is installed on Java-based handhelds.
3DES and AES
    Data is encrypted between the BlackBerry Enterprise Server and the handheld using either the Triple DES or the AES cryptographic encryption algorithm. If you are running version 4.0 of the BlackBerry Enterprise Server, BlackBerry Desktop Software, and BlackBerry Handheld Software, AES encryption is used. If you are running a version earlier than 4.0, Triple DES encryption is used.

Warning: When AES is enabled on the BlackBerry Enterprise Server, users cannot send, receive, or view new messages on C++-based handhelds. If AES is enabled, you must make sure that Java-based handhelds are running BlackBerry Handheld Software version 4.0.

Generating encryption keys


The master encryption key authenticates the user and secures communication between the BlackBerry Enterprise Server and the handheld. The handheld, the user's mailbox, and the configuration database each store the encryption key. By default, the BlackBerry Enterprise Server generates a new encryption key automatically when the old key expires, and sends the key wirelessly to the handheld. Users can also generate an encryption key from the BlackBerry Desktop Software or from their handheld. Research In Motion recommends that you leave the automatic setting enabled.

Set encryption key generation


1. In the BlackBerry Manager, in the left pane, click a server.
2. On the User List tab, click a user.
3. Click Edit Properties.
4. Click Security.
5. Click Generate keys automatically.
6. Perform one of the following actions:
    Enable keys to be generated automatically: From the drop-down list, select True.
    Require keys to be generated manually by users: From the drop-down list, select False.

7. Click OK.


Appendix A: IT policy
IT policy rules
Sample IT policies

IT policy rules
Note: Some rules might require that the desktop is closed and restarted before changes are applied. Policy rule Allow BCC Recipients Allow Browser Policy group Description Device-Only Specifies whether users can include BCC recipients on email messages. Default setting TRUE Minimum Requirements Handheld Handheld Type Software Java or 85x/95x Java or 85x/95x Java 3.6 (Java) or 2.5 (85x/95x) 3.6 (Java) or 2.5 (85x/95x) 3.6 Server Software 4.0 Usage

Global

Specifies whether handheld users can TRUE use the default browser included on the handheld. Controls whether applications can initiate external connections (for example, to WAP, SMS, or other public gateway) on the handheld. TRUE

4.0

Allow External Connections

Security

4.0

Allow Internal Connections

Security

TRUE Controls whether applications can initiate internal connections (for example, to the Mobile Data Service) on the handheld. Specifies whether users can use other TRUE browser services on the handheld.

Java

3.6

4.0

Allow Other Browser Services

Service Exclusivity

Java

3.6

4.0

Set this rule to FALSE to force all browser traffic through your organizationss BlackBerry Enterprise Server and prevent users from installing other browser services.

Administration Guide

Policy rule Allow Other Email Services

Policy group Description Service Exclusivity

Default setting

Minimum Requirements Handheld Handheld Type Software Java or 85x/95x 3.6 (Java) or 2.5 (85x/95x) Server Software 4.0 Usage Set this rule to FALSE to force all outbound email through your organizationss BlackBerry Enterprise Server and prevent users from sending outbound email messages from other email services. Warning: This rule does not prevent users from receiving inbound email messages from other email services.

Specifies whether users can use other TRUE email services on the handheld.

Allow Outgoing Security Call When Locked Allow Peer-toPeer Messages Device-Only

Specifies whether users can place calls when the handheld is security locked. Specifies whether users can send peer-to-peer (also known as PIN-toPIN) messages on the handheld.

FALSE

Java

4.0

4.0

TRUE

Java or 85x/95x

3.6 (Java) or 2.5 (85x/95x)

4.0

If this rule is set to FALSE, the functionality is hidden from users. Warning: This rule does not prevent users from receiving PIN messages.

Allow Phone

Global

Specifies whether users can use phone capabilities on the handheld.

TRUE

Java

3.6

4.0

If this rule is set to FALSE, the phone icon is still visible, but only emergency calls can be made. Warning: Setting, modifying, or removing this rule causes the handheld to reset when the IT policy update is received.

Allow Public Yahoo! Messenger Services

Service Exclusivity

Specifies whether other public Yahoo! Messenger services are permitted on the handheld.

TRUE

Java or 85x/95x

3.6 (Java) or 2.5 (85x/95x)

4.0

Set this rule to FALSE to force all messaging activity through Yahoo! Messenger Enterprise edition if available remove existing applications, and prevent users from installing other messaging services.

57

IT policy rules

Policy rule Allow Smart Card Password Caching

Policy group Description Security Specifies whether the smart card password can be cached.

Default setting FALSE

Minimum Requirements Handheld Handheld Type Software Java 4.0 Server Software 4.0 Usage If this rule is set to TRUE, the password is cached for a period of time controlled by the key store private key timeout. Cached passwords are cleared by the memory cleaner. If this rule is set to FALSE, the functionality is hidden from users. Enabling split-pipe connections presents a security issue because, when enabled, applications can surreptitiously collect data from inside the firewall and send it outside the firewall without any auditing.

Allow SMS

Device-Only

Specifies whether users can use Short TRUE Message Service (SMS) messaging on the handheld. Enables applications to open both internal and external connections simultaneously. FALSE

Java

3.6

4.0

Allow Split-Pipe Security Connections

Java

3.6

4.0

Allow Third Party Apps to Use Serial Port Application Download Control Attachment Viewing

Security

TRUE Enables third party applications to use the serial port, IrDA, or USB ports on the handheld. Contains a list of applications that are NULL allowed to be downloaded and executed on the device. Enables users to view attachments on TRUE the handheld.

Java

3.6

4.0

Security

Java

4.0

4.0

CMIME Application

Java or 85x/95x

3.7 (Java) or 2.6.1 (85x/95x)

4.0

For this rule to take effect, you must have the Attachment Service installed, running, and connected to the BlackBerry Enterprise Server through an attachment connector When this rule is set, the status is updated in the backup and restore settings of the BlackBerry Desktop Manager. Set this rule to TRUE to enable clean recovery of handheld data in the event that the handheld must be replaced.

Auto Backup Enabled

FALSE Desktop-Only Specifies whether the option to automatically backup the handheld is enabled.

Java or 85x/95x

N/A; Desktop Manager version 3.5

4.0

58

Administration Guide

Policy rule Auto Backup Exclude Email

Policy group Description Desktop-Only Specifies whether email can be excluded from automatic backups.

Default setting FALSE

Minimum Requirements Handheld Handheld Type Software Java or 85x/95x N/A; Desktop Manager version 3.5 N/A; Desktop Manager version 3.5 N/A; Desktop Manager version 3.5 Server Software 4.0 Usage If this rule is set to TRUE, the Auto Backup Include All rule must be set to FALSE If this rule is set to TRUE, the Auto Backup Include All rule must be set to FALSE Set this value to 2 or more days, to enable changes to be made on the handheld to data stored between backups, so that users do not need to wait for backups to occur when synchronizing the handheld while it is connected to the computer. Backup files should be saved to a network drive if disk space on the users local hard drive is limited.

Auto Backup Exclude Sync

FALSE Desktop-Only Specifies whether synchronized application data (data configured for synchronization with Intellisync) can be excluded from automatic backups. Desktop-Only Specifies, in days, how often an automatic backup is performed. 7

Java or 85x/95x

4.0

Auto Backup Frequency

Java or 85x/95x

4.0

Auto Backup Include All

Desktop-Only Specifies whether all data is included TRUE in automatic backups.

Java or 85x/95x

N/A; Desktop Manager version 3.5

4.0

If this rule is set to TRUE, the "Backup all handheld application data" radio button in Backup and Restore Options of the BlackBerry Desktop Manager will be selected. This rule must be set to FALSE if the Auto Backup Exclude Sync and Auto Backup Exclude Email rules are set to TRUE.

Auto Signature

Desktop-Only Specifies the signature automatically NULL attached to the handheld users email messages.

Java or 85x/95x

N/A; Desktop Manager version 3.5 4.0 (Java) or 2.7 (85x/95x)

4.0

Use this rule to add a disclaimer to the end of all outgoing email messages sent from the handheld.

BlackBerry Server Version Certificate Status Cache Timeout

Common

NULL Specifies the BlackBerry Enterprise Server version number that is sent to the handheld. Specifies the maximum number of days that the status of a given certificate remains cached on the handheld. 7

Java or 85x/95x

4.0

Security

4.0

59

IT policy rules

Policy rule Certificate Status Maximum Expiry Time

Policy group Description Security

Default setting

Minimum Requirements Handheld Handheld Type Software Java 4.0 Server Software 4.0 Usage

4 Specifies the maximum length of time, in hours, that a certificate status can remain on the handheld before it should be updated in the Certificate Synchronization Manager (and handheld keystore). Requires users to confirm before sending an email, PIN, SMS, or MMS message. NULL

Confirm On Send

Common

Java or 85x/95x

4.0 (Java) or 2.7 (85x/95x)

4.0

Use this rule to customize a confirmation message. If not set, confirmation dialog is not displayed. Note: The rule Password Required must be set to TRUE if this rule is set to TRUE. This rule should correspond to password settings. If the handheld password is greater than 12 characters, set this rule to 1. If the handheld password is greater than 21 characters, set this rule to 2.

Content Protection Strength

Security

Specifies the strength of the Elliptic 0 Curve Cryptography (ECC) public key used to encrypt the data when the handheld is locked, from these options:

Java

4.0

4.0

0 - A 160-bit ECC public key is


used, which provides good security and good performance. 1 - A 256-bit ECC public key is used, which provides better security but slower performance. 2 - A 521-bit ECC public key is used, which provides top security but with the slowest performance.

Default Browser Device-Only Config UID

Specifies a unique ID for the Browser NULL Config Service Record, which sets the default browser to use (for example, when opening links in email messages). TRUE Specifies whether the BlackBerry Desktop software enables the user to configure and execute desktop addins (third-party COM-based extensions that access the handheld databases during synchronization). Specifies whether the BlackBerry Desktop software allows users to switch handhelds. TRUE

Java

3.6

4.0

Desktop Allow Desktop Addins

Desktop

Java or 85x/95x

N/A; Desktop Manager version 3.6

4.0

Desktop Allow Device Switch

Desktop

Java or 85x/95x

N/A; Desktop Manager version 3.6.1

4.0

Set this rule to FALSE to prevent users from switching to devices with BlackBerry connectivity.

60

Administration Guide

Policy rule Desktop Backup

Policy group Description Security

Default setting

Minimum Requirements Handheld Handheld Type Software Java 4.0 Server Software 4.0 Usage

Controls which handheld databases 0 can be backed up by a desktop, from these options:

0 - All handheld databases can be


backed up by a desktop.

1 - Minimal subset of handheld


databases can be backed up by a desktop. Generally, these are databases which some desktop components require access to for proper operation, such as CertSync. 2 - No databases can be backed up by a desktop. 10 Java or 85x/95x N/A; Desktop Manager version 3.6 4.0 If this rule is set to 0, the password cache will be cleared only when the handheld is removed from the cradle, regardless of the length of time it is in the cradle.

Desktop Desktop Password Cache Timeout

Specifies the time, in minutes, that the desktop caches the handheld password in memory.

Disable 3DES Transport Crypto

Security

Disables the handheld from encrypting and decrypting packets to/from the BlackBerry Enterprise Server that sent the IT Policy. Disables wireless synchronization of the address database. Disables wireless synchronization of all databases. Disables all Bluetooth support.

FALSE

Java

4.0

4.0

Disable Address PIM Sync Wireless Sync Disable All Wireless Sync Disable Bluetooth PIM Sync

FALSE

Java or 85x/95x Java or 85x/95x Java

4.0 (Java) or 2.7 (85x/95x) 4.0 (Java) or 2.7 (85x/95x) 3.8

4.0

FALSE

4.0

Bluetooth

FALSE

4.0

Warning: If the Bluetooth radio is active when this rule is applied, the handheld is reset for the change to take effect.

Disable Calendar Wireless Sync Disable Cut/ Copy/Paste Disable Email Normal Send

PIM Sync

Disables wireless synchronization of the calendar database. Prevents the user from using the clipboards cut, copy, and paste features. Specifies whether email messages can be sent as clear text (in other words, normally).

FALSE

Java or 85x/95x Java

4.0 (Java) or 2.7 (85x/95x) 4.0

4.0

Security

FALSE

4.0

Security

FALSE

Java

3.6

4.0

If this rule is set to TRUE, a secure email package must be installed on the handheld and supported by the BlackBerry Enterprise Server in order to send email messages.

61

IT policy rules

Policy rule: Disable Forwarding Between Services
Policy group: Security
Description: Prevents the user from forwarding or replying to a message via a different BlackBerry Enterprise Server than the one that delivered the original message. Also prevents forwarding or replying to a PIN message with an email address or vice versa.
Default setting: FALSE
Handheld type: Java
Handheld software: 4.0
Server software: 4.0

Policy rule: Disable Handsfree Profile
Policy group: Bluetooth
Description: Disables the use of Bluetooth handsfree peripherals.
Default setting: FALSE
Handheld type: Java
Handheld software: 3.8
Server software: 4.0

Policy rule: Disable Bluetooth Headset Profile
Policy group: Bluetooth
Description: Disables the use of Bluetooth headsets.
Default setting: FALSE
Handheld type: Java
Handheld software: 3.8
Server software: 4.0

Policy rule: Disable Invalid Certificate Use
Policy group: Security
Description: Controls the user's ability to send a message using a certificate that has expired or is not yet valid.
Default setting: FALSE
Handheld type: Java
Handheld software: 3.6
Server software: 4.0
Usage: If this rule is set to FALSE, the user will be warned about but not prevented from using a certificate that has expired or is not yet valid. Currently, this rule applies to BlackBerry 7290 and BlackBerry 7100.

Policy rule: Disable IP Modem
Policy group: Security
Description: Disables the IP Modem feature on applicable handhelds.
Default setting: FALSE
Handheld type: Java
Handheld software: 4.0
Server software: 4.0

Policy rule: Disable Java Script in Browser
Policy group: Browser
Description: Disables execution of JavaScript scripts in the Browser.
Default setting: FALSE
Handheld type: Java
Handheld software: 4.0
Server software: 4.0

Policy rule: Disable Key Store Backup
Policy group: Security
Description: Controls the user's ability to back up certificates and private keys in the handheld key stores.
Default setting: FALSE
Handheld type: Java
Handheld software: 4.0
Server software: 4.0

Policy rule: Disable Key Store Low Security
Policy group: Security
Description: Disables setting the key store security level to Low.
Default setting: FALSE
Handheld type: Java
Handheld software: 3.6
Server software: 4.0
Usage: If this rule is set to TRUE, then keys will be automatically moved up to the next security level. For handhelds running version 3.6, that level is High. For handhelds running version 4.0, that level is Medium.

Policy rule: Disable Memopad Wireless Sync
Policy group: PIM Sync
Description: Disables wireless synchronization of the memopad database.
Default setting: FALSE
Handheld type: Java or 85x/95x
Handheld software: 4.0 (Java) or 2.7 (85x/95x)
Server software: 4.0

Policy rule: Disable MMS
Policy group: Common
Description: Specifies whether Multimedia Messaging Service (MMS) is permitted on the handheld.
Default setting: FALSE
Handheld type: Java
Handheld software: 4.0
Server software: 4.0
Usage: If this rule is set to TRUE, the functionality is hidden from users.


Administration Guide

Policy rule: Disable Pairing
Policy group: Bluetooth
Description: Disables the ability to establish a relationship or pair with another Bluetooth device.
Default setting: FALSE
Handheld type: Java
Handheld software: 3.8
Server software: 4.0
Usage: Once you have established a pairing with an approved device (for example, a headset), use this rule to prevent the user from establishing any subsequent pairings.

Policy rule: Disable Peer-to-Peer Normal Send
Policy group: Security
Description: Disables sending plain text PIN-to-PIN messages when using a secure email package.
Default setting: TRUE
Handheld type: Java
Handheld software: 3.6
Server software: 4.0
Usage: If this rule is set to TRUE, messages must be signed and/or encrypted. To disable peer-to-peer messaging entirely, set the Allow Peer-to-Peer Messages rule to FALSE.

Policy rule: Disable Persisted Plaintext
Policy group: Security
Description: Prevents any application from persisting the plaintext form of a Content Protected object in the Persistent Store (for instance, the file system). In such a case, the handheld will write information about the application in the handheld Event Log, and will then reset, returning the handheld to a valid known state.
Default setting: FALSE
Handheld type: Java
Handheld software: 4.0
Server software: 4.0
Usage: Warning: Not all applications can work with this rule set to TRUE. This rule is only recommended for very security-conscious customers who need assurance that sensitive data cannot be persisted in plaintext form.

Policy rule: Disable Radio When Cradled
Policy group: Security
Description: Controls whether the radio is disabled when the handheld is connected to the desktop, from these options:
  0 - the radio is not disabled when connected
  1 - the radio is disabled when a USB cable is connected
  2 - the radio is disabled when the connected USB device enumerates
Default setting: 0
Handheld type: Java
Handheld software: 4.0
Server software: 4.0
Usage: Note: This policy is only supported on USB devices.

Policy rule: Disable Revoked Certificate Use
Policy group: Security
Description: Specifies whether outgoing messages are encrypted with revoked certificates.
Default setting: FALSE
Handheld type: Java
Handheld software: 3.6
Server software: 4.0
Usage: If this rule is set to FALSE, the user will be warned about but not prevented from using a revoked certificate.

Policy rule: Disable Serial Port Profile
Policy group: Bluetooth
Description: Disables the ability to communicate with a serial port that has been Bluetooth-enabled.
Default setting: FALSE
Handheld type: Java
Handheld software: 3.8
Server software: 4.0

Policy rule: Disable Stale Status Use
Policy group: Security
Description: Specifies whether a user can encrypt a message using a certificate with a stale status.
Default setting: FALSE
Handheld type: Java
Handheld software: 4.0
Server software: 4.0
Usage: If this rule is set to FALSE, the user will be warned about but not prevented from using a stale certificate.


Policy rule: Disable Task Wireless Sync
Policy group: PIM Sync
Description: Disables wireless synchronization of the task database.
Default setting: FALSE
Handheld type: Java or 85x/95x
Handheld software: 4.0 (Java) or 2.7 (85x/95x)
Server software: 4.0

Policy rule: Disable Untrusted Certificate Use
Policy group: Security
Description: Specifies whether outgoing email messages are encrypted with untrusted certificates.
Default setting: FALSE
Handheld type: Java
Handheld software: 3.6
Server software: 4.0
Usage: If this rule is set to FALSE, the user will be warned about but not prevented from using an untrusted certificate.

Policy rule: Disable Unverified Certificate Use
Policy group: Security
Description: Specifies whether users can send a message encrypted using a certificate that cannot be verified.
Default setting: FALSE
Handheld type: Java
Handheld software: 4.0
Server software: 4.0
Usage: If this rule is set to FALSE, the user will be warned about but not prevented from using an unverified certificate.

Policy rule: Disable Unverified CRLs
Policy group: Security
Description: Prevents users from accepting unverified CRLs on the Mobile Data Service when checking the status of a certificate.
Default setting: FALSE
Handheld type: Java
Handheld software: 4.0
Server software: 4.0

Policy rule: Disable Weak Certificate Use
Policy group: Security
Description: Specifies whether users can send a message using a certificate that has a weak corresponding public key.
Default setting: FALSE
Handheld type: Java
Handheld software: 3.6
Server software: 4.0
Usage: If this rule is set to FALSE, the user will be warned about but not prevented from using a certificate that has a weak corresponding public key.

Policy rule: Disable Wireless Bulk Loads
Policy group: PIM Sync
Description: Disables wireless synchronization of PIM data during activation or as part of a backup/restore. The handheld must be connected to a computer through cradle or USB before the data transfer will start.
Default setting: FALSE
Handheld type: Java or 85x/95x
Handheld software: 4.0 (Java) or 2.7 (85x/95x)
Server software: 4.0
Usage: Set this rule to TRUE to minimize wireless data transfers when activating or updating handhelds. Note: If the handheld is disconnected during a bulk load, the remainder of the data is sent wirelessly.

Policy rule: Disable Wireless Calendar
Policy group: Desktop-Only
Description: Specifies whether the wireless calendar synchronization option (BlackBerry Wireless Sync) is available to handheld users in the calendar option of the Personal Information Manager (PIM).
Default setting: FALSE
Handheld type: Java or 85x/95x
Handheld software: N/A; Desktop Manager version 3.5
Server software: 4.0
Usage: Wireless calendar synchronization is a significant feature of the BlackBerry solution. Most organizations set this rule to FALSE to enable the wireless calendar synchronization feature.

Policy rule: Disallow Third Party Application Downloads
Policy group: Security
Description: Specifies whether applications not authored by Research In Motion Limited are permitted on the handheld.
Default setting: FALSE
Handheld type: Java
Handheld software: 3.6
Server software: 4.0


Policy rule: Do Not Save Sent Messages
Policy group: Desktop-Only
Description: Specifies whether a copy of each message sent by the handheld user is saved to a Sent Messages folder.
Handheld type: Java or 85x/95x
Handheld software: N/A; Desktop Manager version 3.5
Server software: 4.0
Usage: Set this rule to FALSE to enable storage on the mail server of messages sent from the handheld.

Policy rule: Duress Notification Address
Policy group: Password
Description: Specifies the email address that receives notification when a user enters a password under duress. If no email is entered, the duress password function is not activated.
Default setting: NULL
Handheld type: Java
Handheld software: 4.0
Server software: 4.0
Usage: Note: This rule can only be used if the Password Required rule is set to TRUE.

Policy rule: Email Conflict Desktop Wins
Policy group: Desktop-Only
Description: Specifies what happens when a conflict occurs between the desktop and the handheld during Personal Information Manager (PIM) synchronization.
Default setting: TRUE
Handheld type: Java or 85x/95x
Handheld software: N/A; Desktop Manager version 3.5
Server software: 4.0

Policy rule: Enable Long Term Timeout
Policy group: Device-Only
Description: Specifies whether the handheld locks after a pre-defined period of time, regardless of user activity.
Handheld type: Java
Handheld software: 3.6
Server software: 4.0
Usage: If this rule is set to TRUE, the handheld will automatically lock after 60 minutes. Use the Periodic Challenge Time rule to shorten this interval.

Policy rule: Enable WAP Config
Policy group: Device-Only
Description: Specifies whether the WAP Browser icon will appear on the handheld when the service provider has provisioned the WAP browser and the appropriate service books are present.
Default setting: TRUE
Handheld type: Java
Handheld software: 3.6
Server software: 4.0
Usage: If this rule is set to FALSE, the icon is hidden.

Policy rule: Enable Wireless Email Reconciliation
Policy group: CMIME Application
Description: Specifies whether wireless email reconciliation functionality is supported on the handheld.
Handheld type: Java or 85x/95x
Handheld software: 3.6 (Java) or 2.6 (85x/95x)
Server software: 4.0
Usage: If this rule is set to TRUE, or not part of the IT policy to which a user is assigned, wireless email reconciliation is still enabled on the handheld by default. Note: Wireless email reconciliation must also be enabled on the BlackBerry Enterprise Server.


Policy rule: FIPS Level
Policy group: Security
Description: Specifies the level of FIPS compliance with which the BlackBerry Cryptographic Kernel software is forced to operate, from these options:
  1 - FIPS 140-2 Level 1 compliance
  2 - FIPS 140-2 Level 2 compliance
  Level 1 compliance can be applied to Java-based handhelds using handheld software version 3.3.0 and higher. Level 2 compliance can be applied to Java-based handhelds using handheld software version 4.0 and higher.
Default setting: 1
Handheld type: Java
Handheld software: 3.3/4.0
Server software: 4.0
Usage: Warning: Selecting Level 2 prevents WTLS from using the RC5 cipher, which can result in problems using the WTLS protocol. If this rule is set to 2, the following additional rules are enforced with these values:
  Password Required = True
  Minimum Password Length = 5
  Suppress Password Echo = True
  S/MIME Allowed Content Ciphers = AES (256-bit), AES (192-bit), AES (128-bit), Triple DES
  TLS Restrict FIPS Ciphers = True
  PGP Allowed Content Ciphers = AES (256-bit), AES (192-bit), AES (128-bit), Triple DES
  Disallow Third Party Application Download = True

Policy rule: Force Load Count
Policy group: Desktop-Only
Description: Specifies the number of times a handheld user is allowed to decline when prompted to update the handheld before the update is forced.
Default setting: No limit
Handheld type: Java or 85x/95x
Handheld software: N/A; Desktop Manager version 3.5
Server software: 4.0
Usage: To disable the forced update functionality, set this rule to -1.

Policy rule: Force Load Message
Policy group: Desktop-Only
Description: Specifies the message that appears when users are prompted to update to a later version of the BlackBerry handheld software.
Default setting: NULL
Handheld type: Java or 85x/95x
Handheld software: N/A; Desktop Manager version 3.5
Server software: 4.0
Usage: Note: This rule can only be used if the Force Load Count rule is set to a positive number.

Policy rule: Force Lock When Holstered
Policy group: Security
Description: Specifies whether the handheld is security locked when placed in the holster.
Default setting: FALSE
Handheld type: Java
Handheld software: 3.6
Server software: 4.0


Policy rule: Force Smart Card Two Factor Authentication
Policy group: Security
Description: Specifies whether the user must supply their handheld password as well as the password to the configured smart card.
Default setting: FALSE
Handheld type: Java
Handheld software: 3.6
Server software: 4.0
Usage: Note: This rule can only be used if the Password Required rule is set to TRUE. When this rule is set, the user must have a smart card authenticator, smart card driver, and smart card reader driver installed on their handheld before they can use their handheld.

Policy rule: Forward Messages In Cradle
Policy group: Desktop-Only
Description: Specifies whether the handheld continues to receive messages while it is connected to the computer using the cradle or a USB cable.
Default setting: Set by BlackBerry Enterprise Server
Handheld type: Java or 85x/95x
Handheld software: N/A; Desktop Manager version 3.5
Server software: 4.0
Usage: When this rule is set, the status is updated in the redirector settings of the BlackBerry Desktop Manager.

Policy rule: Home Page Address
Policy group: Device-Only
Description: Specifies the URL address of the home page used by the WML browser.
Handheld type: Java or 85x/95x
Handheld software: 3.6 (Java) or 2.5 (85x/95x)
Server software: 4.0
Usage: Most organizations set the URL to their intranet address. If this rule is not set, the handheld will use the default Home Page URL.

Policy rule: Home Page Address is Read-Only
Policy group: Device-Only
Description: Specifies if the URL address of the home page can be modified by the handheld user.
Default setting: FALSE
Handheld type: Java or 85x/95x
Handheld software: 3.6 (Java) or 2.5 (85x/95x)
Server software: 4.0

Policy rule: IT Policy Notification
Policy group: Common
Description: Specifies if warnings of IT policy changes are displayed to the user.
Handheld type: Java or 85x/95x
Handheld software: 4.0 (Java) or 2.7 (85x/95x)
Server software: 4.0

Policy rule: Key Store Password Maximum Timeout
Policy group: Security
Description: Specifies the maximum number of minutes allowed before the cached keystore password times out and the user is prompted to enter the password.
Default setting: 1
Handheld type: Java
Handheld software: 3.6
Server software: 4.0
Usage: If this rule is set to 0, the keystore password cannot be cached.


Policy rule: Lock on Smart Card Removal
Policy group: Security
Description: Specifies whether the handheld locks when the smart card is removed from the smart card reader, or the reader is removed from the handheld.
Default setting: FALSE
Handheld type: Java
Handheld software: 3.6
Server software: 4.0
Usage: Warning: Not all smart card reader drivers support smart card removal detection. Note: This rule can only be used if the Password Required and Force Smart Card Two Factor Authentication rules are set to TRUE. When this rule is set, the user must have a smart card authenticator, smart card driver, and smart card reader driver installed on their handheld before they can use their handheld.

Policy rule: Lock Owner Info
Policy group: Common
Description: Locks specified fields in the Owner options screen of the handheld, from these options:
  1 - Lock Information text.
  2 - Lock Name text.
  3 - Lock both Name and Information text.
Handheld type: Java or 85x/95x
Handheld software: 4.0 (Java) or 2.7 (85x/95x)
Server software: 4.0
Usage: Use this rule to lock the text defined in the Set Owner Info and Set Owner Name rules. Warning: This information is overwritten by the Set Owner Information IT Admin command.

Policy rule: Maximum Password Age
Policy group: Device-Only
Description: Specifies the number of days until a handheld password expires and the user is prompted to provide a new password.
Handheld type: Java or 85x/95x
Handheld software: 3.6 (Java) or 2.5 (85x/95x)
Server software: 4.0
Usage: Set this rule according to your organization's password expiration policy. If no such policy exists, the recommendation is to set a maximum password age of 30 days. If set to 0, password aging is disabled. Note: This rule can only be used if the Password Required rule is set to TRUE.

Policy rule: Maximum Password History
Policy group: Password
Description: Specifies the maximum number of prior passwords against which new passwords can be checked to prevent reuse of the old passwords.
Default setting: 0
Handheld type: Java
Handheld software: 3.6
Server software: 4.0
Usage: Note: This rule can only be used if the Password Required rule is set to TRUE. If set to 0, password checking is disabled.


Policy rule: Maximum Security Timeout
Policy group: Device-Only
Description: Specifies the maximum time, in minutes, allowed before a handheld security timeout occurs. The handheld user can select any timeout value less than the maximum value.
Handheld type: Java or 85x/95x
Handheld software: 3.6 (Java) or 2.5 (85x/95x)
Server software: 4.0
Usage: Set this rule according to your organization's security policy. If no such policy exists, the recommendation is to set a maximum timeout value of 30 minutes.

Policy rule: MDS Browser Title
Policy group: Browser
Description: Sets the name that appears on the Home screen for the BlackBerry Browser icon.
Default setting: BlackBerry Browser
Handheld type: Java
Handheld software: 3.6
Server software: 4.0

Policy rule: Message Prompt
Policy group: Desktop-Only
Description: Specifies a message to appear each time BlackBerry Desktop Manager is started.
Default setting: NULL
Handheld type: Java or 85x/95x
Handheld software: N/A; Desktop Manager version 3.5
Server software: 4.0

Policy rule: Minimal Encryption Keystore Security Level
Policy group: Security
Description: Specifies the minimum security level for the encryption key in the Keystore, from these options:
  1 - Low security.
  2 - High security.
  3 - Medium security.
Default setting: 1
Handheld type: Java
Handheld software: 4.0
Server software: 4.0
Usage: All keys on the handheld will be forced to have this minimum security level as their minimum, but the user can set a higher security level if desired.

Policy rule: Minimal Signing Keystore Security Level
Policy group: Security
Description: Specifies the minimum security level for the signing key in the Keystore, from these options:
  1 - Low security.
  2 - High security.
  3 - Medium security.
Handheld type: Java
Handheld software: 4.0
Server software: 4.0
Usage: All keys on the handheld will be forced to have this minimum security level as their minimum, but the user can set a higher security level if desired.

Policy rule: Minimum Password Length
Policy group: Device-Only
Description: Specifies the minimum allowable length, in characters, of the handheld security password.
Handheld type: Java or 85x/95x
Handheld software: 3.6 (Java) or 2.5 (85x/95x)
Server software: 4.0
Usage: Set this rule according to your organization's password length policy. If no such policy exists, the recommendation is to set a minimum of 6 characters. Note: This rule can only be used if the Password Required rule is set to TRUE. Warning: If the FIPS Level rule is set to 2, then the setting of this rule is ignored and is explicitly set to 5.


Policy rule: Password Pattern Checks
Policy group: Device-Only
Description: Creates a pattern check on the handheld security password, from these options:
  0 - No restriction.
  1 - Requires at least 1 alpha and 1 numeric.
  2 - Requires at least 1 alpha, 1 numeric and 1 special character.
  3 - Requires at least 1 alpha, 1 numeric and 1 special character and mix UPPER and lower case.
Default setting: 0
Handheld type: Java or 85x/95x
Handheld software: 3.6 (Java) or 2.5 (85x/95x)
Server software: 4.0
Usage: To enable a high level of security, the recommendation is to set this value to a minimum of 1. Note: This rule can only be used if the Password Required rule is set to TRUE. Warning: If options 2 or 3 are selected, then password pattern checking is disabled on 85x/95x handhelds.

Policy rule: Password Required
Policy group: Device-Only
Description: Specifies whether a password is required on the handheld.
Default setting: FALSE
Handheld type: Java or 85x/95x
Handheld software: 3.6 (Java) or 2.5 (85x/95x)
Server software: 4.0
Usage: To enforce password requirements, set the User Can Disable Password rule to FALSE. Warning: If the FIPS Level rule is set to 2, then the setting of this rule is ignored and is explicitly set to TRUE.

Policy rule: Periodic Password Challenge Time
Description: Specifies the interval, in minutes, after which the user will be prompted to enter a password, regardless of whether the handheld has been idle or in use.
Default setting: 60
Handheld type: Java
Handheld software: 4.0
Server software: 4.0
Usage: Note: This rule can only be used if the Password Required rule is set to TRUE.

Policy rule: Service Security Colours
Policy group: Security
Description: Specifies the background color of all email messages, in RGB (hexadecimal) format. The first color represents the background color of messages sent from the BlackBerry Enterprise Server that sent the IT Policy. The second color represents the background color of messages sent from all other services.
Default setting: NULL
Handheld type: Java
Handheld software: 4.0
Server software: 4.0
Usage: Example colors are:
  0xffffff: white
  0x000000: black
  0xff0000: red
  0x00ff00: green
  0x0000ff: blue
  0xffeeee: light red
  0xffaaaa: dark red
  0xeeffee: light green
  0xaaffaa: dark green
  0xeeeeff: light blue
  0xaaaaff: dark blue


Policy rule: Set Maximum Password Attempts
Policy group: Password
Description: Specifies the number of security password attempts (incorrect passwords entered) allowed on the handheld before the handheld data is erased and the handheld disabled.
Default setting: 10
Handheld type: Java
Handheld software: 3.6
Server software: 4.0
Usage: Maximum password attempts is set to 10 by default on the handheld. Use this rule to lower the number of password attempts. Note: This rule can only be used if the Password Required rule is set to TRUE.

Policy rule: Set Owner Info
Policy group: Common
Description: Specifies the owner information that will be set on the handheld.
Handheld type: Java or 85x/95x
Handheld software: 4.0 (Java) or 2.7 (85x/95x)
Server software: 4.0
Usage: Use the Lock Owner Info rule to prevent the handheld user from editing this information. Warning: This information is overwritten by the Set Owner Information IT Admin command.

Policy rule: Set Owner Name
Policy group: Common
Description: Specifies the owner name that will be set on the handheld.
Handheld type: Java or 85x/95x
Handheld software: 4.0 (Java) or 2.7 (85x/95x)
Server software: 4.0
Usage: Use the Lock Owner Info rule to prevent the handheld user from editing this information. Warning: This information is overwritten by the Set Owner Information IT Admin command.

Policy rule: Set Password Timeout
Policy group: Password
Description: Specifies the amount of time, in minutes, before the security timeout occurs on the handheld.
Default setting: 60
Handheld type: Java
Handheld software: 3.6
Server software: 4.0
Usage: Password timeout is set to 60 minutes by default on the handheld. Use this rule to lower the timeout interval. The value specified must be less than or equal to the value set for the Maximum Security Timeout rule. Note: This rule can only be used if the Password Required rule is set to TRUE.

Policy rule: Show Application Loader
Policy group: Desktop-Only
Description: Specifies whether the handheld user has access to the application loader in the desktop software.
Default setting: TRUE
Handheld type: Java
Handheld software: 3.5
Server software: 4.0


Policy rule: Show Web Link
Policy group: Desktop-Only
Description: Specifies whether the handheld user has access to the Web Link icon in the desktop software.
Default setting: FALSE
Handheld type: Java or 85x/95x
Handheld software: N/A; Desktop Manager version 3.5
Server software: 4.0
Usage: Note: The icon will only appear if the default URL is set via the WebLinkURL rule.

Policy rule: Suppress Password Echo
Policy group: Password
Description: Disables the echoing (printing to the screen) of characters typed into the Security password screen after a given number of failed attempts at unlocking the handheld.
Default setting: TRUE
Handheld type: Java
Handheld software: 3.6
Server software: 4.0
Usage: Password echo is enabled by default on the handheld. Use this rule to override the default. Note: This rule can only be used if the Password Required rule is set to TRUE. Warning: If the FIPS Level rule is set to 2, then the setting of this rule is ignored and is explicitly set to TRUE.

Policy rule: Sync Email Instead Of Import
Policy group: Desktop-Only
Description: Specifies whether the Personal Information Manager (PIM) allows email and folder synchronization to occur instead of an import of moves and deletes on the handheld.
Default setting: TRUE
Handheld type: Java or 85x/95x
Handheld software: N/A; Desktop Manager version 3.5
Server software: 4.0

Policy rule: TCP APN
Policy group: TCP
Description: Enables IT Policy to impose a default Access Point Name (APN) on the handheld for TCP.
Handheld type: Java
Handheld software: 4.0
Server software: 4.0

Policy rule: TCP Password
Policy group: TCP
Description: Enables IT Policy to impose a default APN password on the handheld for TCP.
Handheld type: Java
Handheld software: 4.0
Server software: 4.0

Policy rule: TCP Username
Policy group: TCP
Description: Enables IT Policy to impose a default APN username on the handheld for TCP.
Handheld type: Java
Handheld software: 4.0
Server software: 4.0

Policy rule: TLS Device Side TLS Only
Policy group: TLS
Description: Controls use of proxy mode TLS or proxy HTTPS between the handheld and the BlackBerry Enterprise Server.
Default setting: FALSE
Handheld type: Java
Handheld software: 4.0
Server software: 4.0
Usage: If this rule is set to TRUE, all HTTPS connections must use device-side TLS. Warning: If this rule has been set and device-side TLS is not available, an exception will occur.

Policy rule: TLS Disable Invalid Connection
Policy group: TLS
Description: Controls the use of connections to servers with invalid certificates during TLS connections, from these options:
  0 - Disable invalid connections.
  1 - Allow invalid connections.
  2 - Prompt user on the handheld.
Default setting: 2
Handheld type: Java
Handheld software: 3.6.1
Server software: 4.0


Policy rule: TLS Disable Untrusted Connection
Policy group: TLS
Description: Controls the use of connections to untrusted servers during a TLS connection, from these options:
  0 - Disallow untrusted connections.
  1 - Allow untrusted connections.
  2 - Prompt user on the handheld.
Default setting: 2
Handheld type: Java
Handheld software: 3.6.1
Server software: 4.0

Policy rule: TLS Disable Weak Ciphers
Policy group: TLS
Description: Disables the use of weak ciphers during a TLS connection, from these options:
  0 - Disable weak ciphers.
  1 - Allow weak ciphers.
  2 - Prompt user on the handheld.
Default setting: 2
Handheld type: Java
Handheld software: 3.6.1
Server software: 4.0

Policy rule: TLS Minimum Strong DH Key Length
Policy group: TLS
Description: Specifies the minimum DH key size, in bits, allowed for use in the TLS connection.
Default setting: 1024
Handheld type: Java
Handheld software: 3.6.1
Server software: 4.0

Policy rule: TLS Minimum Strong DSA Key Length
Policy group: TLS
Description: Specifies the minimum DSA key size, in bits, allowed for use in TLS connections.
Default setting: 1024
Handheld type: Java
Handheld software: 3.6.1
Server software: 4.0

Policy rule: TLS Minimum Strong ECC Key Length
Policy group: TLS
Description: Specifies the minimum ECC key size, in bits, allowed for use in the TLS connection.
Default setting: 163
Handheld type: Java
Handheld software: 3.6.1
Server software: 4.0

Policy rule: TLS Minimum Strong RSA Key Length
Policy group: TLS
Description: Specifies the minimum RSA key size, in bits, allowed for use in TLS connections.
Default setting: 1024
Handheld type: Java
Handheld software: 3.6.1
Server software: 4.0

Policy rule: TLS Restrict FIPS Ciphers
Policy group: TLS
Description: Disables the use of any cipher that is not FIPS-compliant.
Default setting: FALSE
Handheld type: Java
Handheld software: 3.6.1
Server software: 4.0
Usage: Warning: If the FIPS Level rule is set to 2, then the setting of this rule is ignored and is explicitly set to TRUE.

Policy rule: Trusted Certificate Thumbprints
Policy group: Security
Description: Defines a string that contains a semicolon-separated list of Hex-ASCII certificate thumbprints, generated using either SHA1 or MD5. If the string is present, the user cannot add any certificate with a thumbprint that does not appear in the defined list to the trusted key store.
Handheld type: Java
Handheld software: 3.6
Server software: 4.0

Policy rule: User Can Change Timeout
Policy group: Device-Only
Description: Specifies whether the handheld user can change the specified security timeout.
Default setting: TRUE
Handheld type: Java
Handheld software: 3.6
Server software: 4.0
Usage: Set this rule according to your organization's security policy. If no such policy exists, the recommendation is to set this rule to FALSE.


Policy rule: Web Link Label
Policy group: Desktop-Only
Description: Specifies the label for the Web Link icon, if it appears. Setting this value does not imply that the WebLink icon is visible.
Default setting: Downloads
Handheld type: Java or 85x/95x
Handheld software: N/A; Desktop Manager version 3.5
Server software: 4.0
Usage: Set the label according to your organization's requirements. Note: When setting this rule, also set the Show Web Link rule to TRUE.

Policy rule: Web Link URL
Policy group: Desktop-Only
Description: Specifies the URL for the Web Link icon, if it appears. Setting this value does not imply that the WebLink icon is visible.
Default setting: NULL
Handheld type: Java or 85x/95x
Handheld software: N/A; Desktop Manager version 3.5
Server software: 4.0
Usage: Set the URL according to your organization's requirements. Note: When setting this rule, also set the Show Web Link rule to TRUE.

Policy rule: WTLS Disable Invalid Connection
Policy group: WTLS
Description: Controls the use of connections to servers with invalid certificates during WTLS connections, from these options:
  0 - Disable invalid connections.
  1 - Allow invalid connections.
  2 - Prompt user on the handheld.
Default setting: 2
Handheld type: Java
Handheld software: 3.6
Server software: 4.0

Policy rule: WTLS Disable Untrusted Connection
Policy group: WTLS
Description: Controls the use of connections to untrusted servers during WTLS connections, from these options:
  0 - Disallow untrusted connections.
  1 - Allow untrusted connections.
  2 - Prompt user on the handheld.
Default setting: 2
Handheld type: Java
Handheld software: 3.6
Server software: 4.0

Policy rule: WTLS Disable Weak Ciphers
Policy group: WTLS
Description: Controls the use of weak ciphers during WTLS connections, from these options:
  0 - Disable weak ciphers.
  1 - Allow weak ciphers.
  2 - Prompt user on the handheld.
Default setting: 2
Handheld type: Java
Handheld software: 3.6
Server software: 4.0

Policy rule: WTLS Minimum Strong DH Key Length
Policy group: WTLS
Description: Specifies the minimum DH key size, in bits, allowed for use in the WTLS connection.
Default setting: 1024
Handheld type: Java
Handheld software: 3.6
Server software: 4.0

Policy rule: WTLS Minimum Strong ECC Key Length
Policy group: WTLS
Description: Specifies the minimum ECC key size, in bits, allowed for use in the WTLS connection.
Default setting: 163
Handheld type: Java
Handheld software: 3.6
Server software: 4.0

Policy rule: WTLS Minimum Strong RSA Key Length
Policy group: WTLS
Description: Specifies the minimum RSA key size, in bits, allowed for use in WTLS connections.
Default setting: 1024
Handheld type: Java
Handheld software: 3.6
Server software: 4.0

Policy rule: WTLS Restrict FIPS Ciphers
Policy group: WTLS
Description: Disables the use of any cipher that is not FIPS-compliant.
Default setting: FALSE
Handheld type: Java
Handheld software: 4.0
Server software: 4.0
Usage: Warning: If the FIPS Level rule is set to 2, then the setting of this rule is ignored and is explicitly set to TRUE.


Sample IT policies
Consider these scenarios when designing your own IT policies.
If you want to... Make sure that all electronic communication between your employees and their clients is recorded in order to comply with industry regulations.
Use these rules, with these settings:
  Allow Other Browser Services = FALSE
  Allow Other Email Services = FALSE
  Allow Peer-to-Peer Message = FALSE
  Allow SMS = FALSE
  Disable Cut/Copy/Paste = TRUE
  Disable Forwarding Between Services = TRUE

If you want to... Implement your corporate password policy on all handhelds.
Use these rules, with these settings:
  Password Required = TRUE
  Maximum Password Age = 60 (days)
  Minimum Password Length = 15 (characters)
  Password Pattern Checks = 2 (requires at least one alpha, one numeric, and one special character)
  Set Password Timeout = 30 (minutes)
  User Can Change Timeout = FALSE
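The rule table above documents several dependencies that an administrator has to keep straight by hand: rules that only take effect when Password Required is TRUE, the values that FIPS Level 2 forces regardless of what is configured, the Set Password Timeout / Maximum Security Timeout ordering, and the Password Pattern Checks options. The following added example (not code from the Administration Guide or from RIM) lints a policy against those documented dependencies and applies the pattern-check options to a candidate password; the dictionary layout, function names and sample policies are assumptions made here, with the corporate password scenario above used as the first sample.

```python
"""Lint a BlackBerry IT policy against the rule dependencies documented in the table.

Added example, not code from the Administration Guide or RIM's software. Rule names are
the policy rules listed on the page; dict layout, function names and samples are assumed.
"""
import re

# Rules whose Usage column says they can only be used if Password Required is TRUE.
REQUIRES_PASSWORD = (
    "Duress Notification Address", "Force Smart Card Two Factor Authentication",
    "Maximum Password Age", "Maximum Password History", "Minimum Password Length",
    "Password Pattern Checks", "Periodic Password Challenge Time",
    "Set Maximum Password Attempts", "Set Password Timeout", "Suppress Password Echo",
)

# Values the FIPS Level rule forces when it is set to 2 (the configured settings are ignored).
FIPS_LEVEL_2_OVERRIDES = {
    "Password Required": True,
    "Minimum Password Length": 5,
    "Suppress Password Echo": True,
    "TLS Restrict FIPS Ciphers": True,
    "Disallow Third Party Application Downloads": True,
}


def effective_policy(policy):
    """Return a copy of the policy with the FIPS Level 2 overrides applied."""
    effective = dict(policy)
    if effective.get("FIPS Level") == 2:
        effective.update(FIPS_LEVEL_2_OVERRIDES)
    return effective


def lint_policy(policy, handheld_type="Java"):
    """Return findings for rules that, per the table, will not behave as configured."""
    p = effective_policy(policy)
    findings = []
    if not p.get("Password Required"):
        for rule in REQUIRES_PASSWORD:
            if rule in p:
                findings.append(f"{rule} has no effect unless Password Required is TRUE")
    if "Lock on Smart Card Removal" in p and not (
            p.get("Password Required") and p.get("Force Smart Card Two Factor Authentication")):
        findings.append("Lock on Smart Card Removal requires Password Required and "
                        "Force Smart Card Two Factor Authentication set to TRUE")
    count = p.get("Force Load Count")
    if "Force Load Message" in p and not (isinstance(count, int) and count > 0):
        findings.append("Force Load Message requires Force Load Count set to a positive number")
    timeout, ceiling = p.get("Set Password Timeout"), p.get("Maximum Security Timeout")
    if timeout is not None and ceiling is not None and timeout > ceiling:
        findings.append(f"Set Password Timeout ({timeout}) exceeds Maximum Security Timeout ({ceiling})")
    if p.get("Password Pattern Checks", 0) in (2, 3) and "85x/95x" in handheld_type:
        findings.append("Password Pattern Checks 2 or 3 disables pattern checking on 85x/95x handhelds")
    return findings


def password_meets_pattern(password, level):
    """Apply the Password Pattern Checks options 0-3 to a candidate password."""
    has_alpha = re.search(r"[A-Za-z]", password) is not None
    has_digit = re.search(r"[0-9]", password) is not None
    has_special = re.search(r"[^A-Za-z0-9]", password) is not None
    mixed_case = re.search(r"[a-z]", password) is not None and re.search(r"[A-Z]", password) is not None
    if level == 0:
        return True
    if level == 1:
        return has_alpha and has_digit
    if level == 2:
        return has_alpha and has_digit and has_special
    if level == 3:
        return has_alpha and has_digit and has_special and mixed_case
    raise ValueError(f"unknown Password Pattern Checks option: {level}")


# The corporate password policy scenario from the sample IT policies.
SAMPLE_PASSWORD_POLICY = {
    "Password Required": True, "Maximum Password Age": 60, "Minimum Password Length": 15,
    "Password Pattern Checks": 2, "Set Password Timeout": 30, "User Can Change Timeout": False,
}

# A constructed misconfiguration used to exercise the checks (values are made up).
MISCONFIGURED_POLICY = {
    "FIPS Level": 2,
    "Password Required": False,     # ignored: FIPS Level 2 forces it to TRUE
    "Minimum Password Length": 15,  # ignored: FIPS Level 2 forces it to 5
    "Set Password Timeout": 90,
    "Maximum Security Timeout": 30,
    "Force Load Message": "Please update your handheld software",
}
```

Running lint_policy over the two samples returns no findings for the corporate password policy and two for the constructed one (the timeout ordering and the missing Force Load Count), with the FIPS Level 2 overrides visible in effective_policy.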


2004 Research In Motion Limited Published in Canada.
