BlackBerry Enterprise Server for Microsoft Exchange

BlackBerry Enterprise Server for Microsoft Exchange Version 4.0

Administration Guide

BlackBerry Enterprise Server Version 4.0 for Microsoft Exchange Administration Guide

Last modified: 10 November 2004

Part number: SWD_X_BES(EN)-043.001

At the time of publication, this documentation complies with BlackBerry Enterprise Server Version 4.0 for Microsoft Exchange.

© 2004 Research In Motion Limited. All rights reserved. The BlackBerry and RIM families of related marks, images and symbols are the exclusive properties of Research In Motion Limited. RIM, Research In Motion, BlackBerry and 'Always On, Always Connected' are registered with the U.S. Patent and Trademark Office and may be pending or registered in other countries.

Adobe and Acrobat are registered trademarks of Adobe Systems Incorporated in the United States, and/or other countries. The Bluetooth® word mark and logos are owned by the Bluetooth SIG, Inc. and any use of such marks by Research In Motion is under license. Corel and WordPerfect are registered trademarks of Corel Corporation and/or its subsidiaries in Canada, the United States and/or other countries. Java and JavaScript are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. or other countries. Microsoft, Windows, Windows NT, and PowerPoint are trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. All other brands, product names, company names, trademarks, and service marks are the properties of their respective owners.

The handheld and/or associated software are protected by copyright, international treaties and various patents, including one or more of the following U.S. patents: 6,278,442; 6,271,605; 6,219,694; 6,075,470; 6,073,318; D,445,428; D,433,460; D,416,256. Other patents are registered or pending in various countries around the world. Please visit www.rim.net/patents.shtml for a current listing of applicable patents.

This document is provided "as is" and Research In Motion Limited (RIM) assumes no responsibility for any typographical, technical, or other inaccuracies in this document. RIM reserves the right to periodically change information that is contained in this document; however, RIM makes no commitment to provide any such changes, updates, enhancements, or other additions to this document to you in a timely manner or at all. RIM MAKES NO REPRESENTATIONS, WARRANTIES, CONDITIONS, OR COVENANTS, EITHER EXPRESS OR IMPLIED (INCLUDING, WITHOUT LIMITATION, ANY EXPRESS OR IMPLIED WARRANTIES OR CONDITIONS OF FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, MERCHANTABILITY, DURABILITY, TITLE, OR RELATED TO THE PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE REFERENCED HEREIN, OR PERFORMANCE OF ANY SERVICES REFERENCED HEREIN). IN CONNECTION WITH YOUR USE OF THIS DOCUMENTATION, NEITHER RIM NOR ITS AFFILIATED COMPANIES AND THEIR RESPECTIVE DIRECTORS, OFFICERS, EMPLOYEES, OR CONSULTANTS SHALL BE LIABLE TO YOU FOR ANY DAMAGES WHATSOEVER BE THEY DIRECT, ECONOMIC, COMMERCIAL, SPECIAL, CONSEQUENTIAL, INCIDENTAL, EXEMPLARY, OR INDIRECT DAMAGES, EVEN IF RIM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, INCLUDING, WITHOUT LIMITATION, LOSS OF BUSINESS REVENUE OR EARNINGS, LOST DATA, DAMAGES CAUSED BY DELAYS, LOST PROFITS, OR A FAILURE TO REALIZE EXPECTED SAVINGS.

This document might contain references to third-party sources of information and/or third-party web sites ("Third-Party Information"). RIM does not control, and is not responsible for, any Third-Party Information, including, without limitation, the content, accuracy, copyright compliance, legality, decency, links, or any other aspect of Third-Party Information. The inclusion of Third-Party Information in this document does not imply endorsement by RIM of the third party in any way. Any dealings with third parties, including, without limitation, compliance with applicable licenses, and terms and conditions are solely between you and the third party. RIM shall not be responsible or liable for any part of such dealings.

Certain features outlined in this document require a minimum version of BlackBerry Enterprise Server Software, BlackBerry Desktop Software, and/or BlackBerry Handheld Software and may require additional development or third-party products and/or services for access to corporate applications. Prior to subscribing to or implementing any third-party products and services, it is your responsibility to ensure that the airtime service provider you are working with has agreed to support all of the features of the third-party products and services. Installation and use of third-party products and services with RIM's products and services may require one or more patent, trademark, or copyright licenses in order to avoid infringement of the intellectual property rights of others. You are solely responsible for acquiring any such licenses. To the extent that such intellectual property licenses may be required, RIM expressly recommends that you do not install or use these products until all such applicable licenses have been acquired by you or on your behalf. Your use of third-party software shall be governed by and subject to you agreeing to the terms of separate software licenses, if any, for those products or services. Any third-party products and services that are provided with RIM's products and services are provided "as is." RIM makes no representation, warranty, or guarantee whatsoever in relation to the third-party products or services and RIM assumes no liability whatsoever in relation to the third-party products and services even if RIM has been advised of the possibility of such damages or can anticipate such damages.

This product includes software developed by the Apache Software Foundation (http://www.apache.org/) and/or licensed pursuant to Apache License, Version 2.0 (http://www.apache.org/licenses/). For more information, see the NOTICE.txt file included with the software.

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Published in Canada

Research In Motion Limited 295 Phillip Street Waterloo, ON N2L 3W8 Canada

Research In Motion UK Limited Centrum House, 36 Station Road Egham, Surrey TW20 9LF United Kingdom

Contents

1 Managing the server
  Configuring the server
    Configure the database view and authentication
    Refreshing the view from the configuration database
  Setting up the BlackBerry Manager
    Set visual settings
    Adding additional servers
    Remove a server
    Define handheld connection settings
  Managing system information
    Change system information
    Export system information
  Managing BlackBerry Windows services
    Start and stop the services
  Add handheld licenses

2 Managing users
  Managing user accounts
    Add users
    Find users
    Manage users
  Managing user properties and statistics
    View user statistics
    Clear user statistics
    View user status
    Modify user redirection settings
    Export user properties
  Managing redirection
    Disable or enable redirection
    Clear the in-cradle status
    Purge pending messages
    Generate encryption keys
    Manage the peer-to-peer encryption key
  Managing handhelds
    Activate handhelds wirelessly
    Reset the individual activation password
    Delete the individual activation password
    Set automatic handheld management
    Change a user's handheld
    Set handheld owner information
    Set a password and lock the handheld
    Disable a handheld and delete stored information
  Notifying users
    Send a message to a single user
    Send an all points bulletin

3 Managing messaging and PIM categories
  Managing PIM synchronization
    Set PIM synchronization
    Set conflict resolution
    Set wireless backup
    Clear wireless backup data
    Define address book field mappings
  Managing wireless email reconciliation
    Disable or enable wireless email reconciliation on the server
    Disable or enable on user accounts
  Managing redirection filters
    Global and user filters
    Create a filter
    Change filters
    Filter options
  Setting a disclaimer
  Set Auto BCC
  Viewing server redirection statistics
    Clear server redirection statistics

4 Managing IT policies
  Setting your Default IT policy
    Add rules to your Default IT policy
  Compatibility
  Creating additional IT policies
    Create a new IT policy
    Move users to a new policy
  Using IT policy rules
    Create a custom rule
    Change a rule
  Viewing IT policy statistics
    View policy summary
    View policy status
  Sending IT policies
    Resend the existing policy
    Schedule commands

5 Managing attachment viewing
  View settings
    Change connector settings
    Change attachment server settings
  Setting supported attachments
    Supported file formats
    Set distiller
    Set the maximum file size for a distiller setting

6 Managing HTTP browsing and push
  Starting the Mobile Data Service
    Enable or disable on the server
    Enable or disable on user accounts
  Managing data connections
    Change Mobile Data Service connection settings
    Change connection timeouts
    Change cookie support
    Configure connections through a proxy server
  Managing connections to servers
    Change LDAP settings
    Change OCSP settings
    Change security settings
  Managing authentication
    Set HTTP authentication
    Configure network authentication
    Set proxy server authentication
  Managing push
    Push service overview
    Enable or disable the push server
    Start and stop the Database Consistency Service
    Set email-to-PIN update
    Store and delete push submissions
    Control traffic from the Mobile Data Service
  Managing pull
    Control traffic to the Mobile Data Service

7 Managing security
  Enable or disable S/MIME encryption
    Re-encrypt S/MIME messages
  Changing encryption keys
  Generate the master encryption key
    Generate an encryption key automatically
    Generate an encryption key manually

Appendix A: IT policy
  IT policy rules
  Sample IT policies

1 Managing the server

- Configuring the server
- Setting up the BlackBerry Manager
- Managing system information
- Managing BlackBerry Windows services
- Add handheld licenses

Configuring the server

When you installed the configuration database during the BlackBerry® Manager installation, you configured the database settings. You can view, modify, and add database settings.

Configure the database view and authentication

You can change the database settings to view the BlackBerry Enterprise Server™ on a database other than the database configured during installation. You can change the database authentication method for the data written to the database by the BlackBerry Manager.

1. In the BlackBerry Manager, right-click BlackBerry Manager, and then click Properties.

2. On the Database tab, modify the desired values.

3. Click OK.

Note: To change the authentication type for the other BlackBerry component services, use the BlackBerry Configuration Panel.

| Option | Action |
| --- | --- |
| Database Server | Type the name of the database server. The value in this field defaults from the database installation settings. |
| Database Name | Type the name of the database. The value in this field defaults from the database installation settings. |
| Windows NT® Authentication | Select this option to set Windows NT as the authentication method. |
| SQL Server Authentication | Select this option to set SQL Server as the authentication method. A password prompt for SQL Server authentication appears each time the BlackBerry Manager is opened. |
| SQL User Name | Modify this field to control database access if you selected SQL Server Authentication. |
| Password | This field cannot be modified. If you selected SQL User Name, it reads <Always Prompt>, indicating that a password prompt appears each time the BlackBerry Manager is opened. |

Note: You must restart the BlackBerry Manager (close and reopen the console) for the changes to take effect.

Refreshing the view from the configuration database

The Refresh option synchronizes the server database (which contains all information about users on the BlackBerry Enterprise Server) in case changes from other computers have occurred in the server database.

- In the BlackBerry Manager, click Action > Refresh.

Setting up the BlackBerry Manager

The BlackBerry Manager is the administration console through which you can manage the BlackBerry Enterprise Server. The BlackBerry Manager is installed by default with each BlackBerry Enterprise Server, but may also be installed remotely. See the BlackBerry Enterprise Server Maintenance Guide for more information on restricting the permissions of the BlackBerry Manager.

Set visual settings

1. In the BlackBerry Manager, right-click BlackBerry Manager, and then click Properties.

2. On the Advanced tab, perform one of the following actions:

| Action | Procedure |
| --- | --- |
| Display server status information for selected servers. | Select the Show server status information only for selected servers check box. |
| Display server status information for all servers. | Clear the Show server status information only for selected servers check box. |

3. Click OK.

Set refresh rates

If you have a slow connection (for example, if you are using a remote desktop connection), you might want to configure the refresh rate (set to None by default) of the BlackBerry Manager display screen.

1. In the BlackBerry Manager, right-click BlackBerry Manager, and then click Properties.

2. On the Advanced tab, perform the following actions:

| Action | Procedure |
| --- | --- |
| Set the refresh rate for the user list. | From the drop-down list, select an option to specify a length of time (between 30 seconds and 5 minutes) after which user lists are refreshed automatically in the BlackBerry Manager display. |
| Set the refresh rate for the server list. | From the drop-down list, select an option to specify a length of time (between 30 seconds and 5 minutes) after which server lists are refreshed automatically in the BlackBerry Manager display. |

3. Click OK.

Adding additional servers

The BlackBerry Enterprise Server that you defined during installation is automatically available to the BlackBerry Manager. If you remove this server, you can re-add it, or you can add a new server to the BlackBerry Manager.

You can add a server by entering the server information manually or by importing the server information from a file to which it was previously exported.

Add a server manually

1. In the BlackBerry Manager, right-click BlackBerry Manager, and then click Import BlackBerry Server(s) > enter server information.

2. Complete the following fields:

| Field | Procedure |
| --- | --- |
| BlackBerry Server Name | Type the server name that you used during the installation of the BlackBerry Enterprise Server that you are now adding to the BlackBerry Manager. Warning: After you have assigned a server name, you cannot rename the BlackBerry Enterprise Server. |
| Version | Select the BlackBerry Enterprise Server Software version number to add. |
| Administration Mailbox | Note: If the server selected is version 4.0 or later, this field is unavailable for editing. 1. Click Select Mailbox or type the mailbox name that you created for BlackBerry Enterprise Server administration (this must be the same mailbox that you used during the installation). 2. Click Check Name to verify that there are no ambiguities within the mailbox name. |
| SRP Identifier | 1. Type the SRP Identifier value that is located on the BlackBerry Enterprise Server installation CD label. 2. Click Import SRP info if you have saved the server SRP Identifier and SRP authentication key in an .srp file and want to add the values from that file. 3. Select the .srp file, and then click Open. |
| Authentication Key | Type the SRP authentication key value that is located on the BlackBerry Enterprise Server installation CD label. |
| Host Routing Information | If host routing information was also provided on the BlackBerry Enterprise Server installation CD label, define the necessary information to connect to the mobile network. Warning: You should only define values in this field if values are provided with the installation material. If you are using the default Network Access Node (the SRP address value that is provided on your installation CD label), or are uncertain which values to use, leave this field blank. If you define incorrect values in this field, connection to the mobile network is not possible. |

3. Click OK.

Add a server by importing a file

1. In the BlackBerry Manager, right-click BlackBerry Manager, and then click Import BlackBerry Server(s) > from file.

2. Click the file to which server information was previously exported.

3. Click Open.

4. Click the server to add.

5. Click OK.


Remove a server

1. In the BlackBerry Manager, right-click a server, and then click Remove Server.

2. Click Yes.

Define handheld connection settings

You can assign a handheld to a user by connecting the handheld to the computer on which the BlackBerry Manager is installed. See "Activate handhelds wirelessly" on page 24 for more information on wireless activation.

1. Connect the handheld to the server administration computer.

2. In the BlackBerry Manager, right-click BlackBerry Manager, and then click Properties.

3. On the Ports tab, to detect the correct COM (serial) port or USB port, click Detect.

If the software cannot detect the handheld on a COM port or USB port, the "Device not found" message displays. Verify that the handheld and cradle cable or the USB cable appear to be connected securely, and that no other handhelds are sharing the port.

Managing system information

You can change the configuration settings provided during the installation process and export system information.

Change system information

After you add a server, you can modify the server system information at any time.

Change system information in the BlackBerry Manager

1. In the BlackBerry Manager, right-click a server, and then click BlackBerry Server Properties.

2. On the General tab, modify the desired fields:

Note: You must move all users from the server before you can remove the server from the BlackBerry Manager. All removed users that are not added to a different server become BlackBerry Desktop Redirector users. Notify users to warn them of this change.

Tip: If the handheld is connected to the computer on which the BlackBerry Manager is installed, when you open a user Properties window, you are prompted to assign the handheld to that user.

Warnings: Changing any of the information in the SRP Identifier, SRP Authentication Key, or Host Routing Information fields changes the routing information for all users on the server. If you modify the SRP Identifier, SRP Authentication Key, or Host Routing Information fields, all users must synchronize their handhelds.

The SRP information is unique to your installation; changing this information or the host routing information does not disconnect you from the wireless network. Handhelds that are not running Handheld Software version 4.0 or version 2.7 must be connected to the user's computer for the new SRP information to take effect.

You can only use values from the BlackBerry Enterprise Server installation CD label (or imported from the SRP_AUTH.SRP file) as valid system information.

Field | Description
Administration Mailbox | If you are administering a version 3.6 server, the mailbox that you specified during the installation process appears grayed out. This field does not appear for version 4.0 or later servers.


3. Click OK.

Change system information in the BlackBerry Configuration Panel

1. In the taskbar, click Start > Programs > BlackBerry Enterprise Server > BlackBerry Server Configuration.

2. Modify the desired values.

Export system information

You can export server information so that it can be imported if the servers are deleted from the BlackBerry Manager.

1. In the BlackBerry Manager, right-click BlackBerry Manager, and then click Export BlackBerry servers.

2. Define a location and name for the export file, and then click Save.

3. Click OK.

Field | Description
SRP Identifier | If no value is assigned or you want to change the existing value, type the appropriate information (which is located on the BlackBerry Enterprise Server installation CD label). Click Import to retrieve the SRP Identifier from an .srp file if you created one to store your SRP identifier and SRP authentication key. Verify that the SRP identifier is unique for each BlackBerry Enterprise Server.
SRP Authentication Key | If no value is assigned or you want to change the existing value, type the appropriate information (which is located on the BlackBerry Enterprise Server installation CD label).
Host Routing Information | If host routing information was also provided on the BlackBerry Enterprise Server installation CD, define the information that is necessary to connect to the mobile network. Warning: You should only define values in this field if values are provided with the installation material. If you are using the default Network Access Node (the SRP address value that is provided on your installation CD label), or are uncertain which values to use, leave this field blank. If you define incorrect values in this field, connection to the mobile network is not possible.

Field | Procedure
Router (SRP) host | 1. Click the BlackBerry Server tab. 2. In the Router host field, type the IP address of the connection to the BlackBerry Infrastructure, which connects the BlackBerry Enterprise Server to the wireless network. If the BlackBerry Router is installed locally, type localhost.
SRP port | 1. Click the BlackBerry Router tab. 2. In the Port field, type the port on which the BlackBerry Enterprise Server connects to the BlackBerry Infrastructure.
SRP Address | 1. Click the BlackBerry Router tab. 2. Type the SRP address used to connect to the BlackBerry Infrastructure.


Managing BlackBerry Windows services

You can manage all BlackBerry services in the BlackBerry Manager.

Start and stop the services

1. In the BlackBerry Manager, right-click a server.

2. Perform one of the following actions:

3. If prompted, click Yes.

Add handheld licenses

When you exceed the number of permitted users, the license manager informs you that you require more licenses. If you exceed the permitted number of SME licenses, the BlackBerry Manager does not permit you to add more users until you have increased your number of permitted licenses.

License keys enable the use of client licenses across your organization. For example, if you purchase a license key for 20 users, you can have 20 users across your organization on the BlackBerry Enterprise Server that you install with the license key.

To add more users after the installation process, you must purchase a new license key for the number of extra client licenses, and then add them to the BlackBerry Enterprise Server.

1. In the BlackBerry Manager, right-click BlackBerry Manager, and then click Properties.

2. On the License tab, type a new license key.

Tip: The installed services start automatically if the Start Services check box was selected on the final screen of the setup program. The BlackBerry Database Consistency service starts when the server is enabled as the Mobile Data Service push server and can be stopped and started manually thereafter.

Action | Procedure
Start the BlackBerry Enterprise Server service. | Click Service Control > Start Service > BlackBerry Dispatcher.
Stop the BlackBerry Enterprise Server service. | Click Service Control > Stop Service > BlackBerry Dispatcher.
Start the Mobile Data Service. | Click Service Control > Start Service > BlackBerry Mobile Data Service.
Stop the Mobile Data Service. | Click Service Control > Stop Service > BlackBerry Mobile Data Service.

Note: For troubleshooting purposes only, all other services can be stopped and started using the BlackBerry Manager and using Microsoft® Windows® Services.

Warnings: If you used a temporary evaluation license key previously, you cannot reuse the temporary license key after you purchase a permanent license key.

If you exceed the number of permitted users, the BlackBerry Dispatcher Service turns off automatically, stopping all synchronization between the BlackBerry Enterprise Server and handhelds. You must remove the extra users or increase your number of permitted licenses, and then manually restart the BlackBerry Dispatcher Service using Microsoft Windows Services.


3. Click Add License.

Notes: You receive an error message if the number of users exceeds the number of licenses. On the License tab, a grid shows the license limit, used licenses, and free licenses for BlackBerry Server users and Mobile Data Service users.

The license key value listed in the registry (HKEY_LOCAL_MACHINE\SOFTWARE\Research In Motion\BlackBerry Enterprise Server\OwnerInformation\LicenseKey) is the license key that you added during the installation of the BlackBerry Enterprise Server Software. It is not updated after a new license key is added to the BlackBerry Manager to upgrade the number of client licenses.


2

Managing users

Managing user accounts

User accounts are added automatically as part of an upgrade. If you are managing a new BlackBerry Enterprise Server, you must select users from your messaging and collaboration server and add them to the BlackBerry Enterprise Server.

Add users

When you add users, one of the following scenarios applies:

Add users from the address book

When you add a user from the address book, the mailbox that you choose does not have to be in the same Microsoft Exchange site/routing group as the BlackBerry Enterprise Server.

1. In the BlackBerry Manager, right-click a server, and then click Add Users > Global Address Book.

• Managing user accounts
• Managing user properties and statistics
• Managing redirection
• Managing handhelds
• Notifying users

Scenario | Result of adding user to server
The user was neither on the BlackBerry Enterprise Server nor on the BlackBerry Desktop Redirector. | You have added the user to the server and can wirelessly synchronize PIM settings if the user does not install the Desktop Software. The email settings that users defined in the Desktop Software in previous releases can now be defined on the handheld. This, combined with wireless PIM synchronization, eliminates the need for Desktop Software.
The user was a BlackBerry Desktop Redirector user. | The user is now a BlackBerry Enterprise Server user. The BlackBerry Desktop Redirector continues to forward email messages to the user until the handheld is wirelessly activated or is connected at the server or to the user desktop, at which time the BlackBerry Enterprise Server redirection is activated for the handheld PIN. Until the handheld is activated on the BlackBerry Enterprise Server, the Redirector window Status field displays two asterisks (**) before the name of the BlackBerry Enterprise Server. The user does not need to load new application software onto the handheld for redirection to continue at the server level. In the user Properties window, you can check the Status field to see on which BlackBerry Enterprise Server the handheld is registered.
The user was previously on another BlackBerry Enterprise Server. | You moved the user to the selected server. If the user does not have the BlackBerry Desktop Redirector running, email is not redirected to the handheld until it is activated on the BlackBerry Enterprise Server. Note: Handhelds that do not have Handheld Software version 4.0 or version 2.7 must be connected to the desktop computer to complete the move to the selected server.

Note: If you add users without connecting their handhelds to the server, you can wirelessly activate the handhelds or the users can connect their handheld to their computer for PIN recognition and key encryption. If the users were on another BlackBerry Enterprise Server previously, handheld connection or wireless activation is still necessary for correct email routing. The users' Status field indicates on which BlackBerry Enterprise Server the handheld is registered.


2. From the Show Names from the drop-down list, select Global Address List or another address group.

3. In the user list, click a user.

4. Click Select.

5. Click OK.

6. When prompted to clear the user statistics, perform one of the following actions:

Import users from a file

You can use a tab-delimited text file to define the users to add to the BlackBerry Enterprise Server. On import, each mailbox name is resolved against the Global Address Book on the system. Any name ambiguities or conflicts open the Outlook Check Names window. Mailboxes that are listed in the import file do not need to be on the same Microsoft Exchange site/routing group as the BlackBerry Enterprise Server.

1. Create a text file with the users to add or re-add to the BlackBerry Enterprise Server by performing the following actions:

• Export a tab-delimited file without statistics from the user list in the BlackBerry Manager (or by right-clicking a server, and then clicking Export List). Verify that the file contains the required information in the required format. The file should list the users' mailbox names, PINs, redirection, Microsoft Exchange Server, and enable states. See "Export user properties" on page 21 for more information.

• Create a tab-delimited text file that lists the users' mailbox names, PINs, and enable states.

2. In the BlackBerry Manager, right-click a server.

3. Click Add Users > Import Users from File.

4. Browse to the directory location of the text file, and then double-click it.

5. When prompted to clear the user statistics, perform one of the following actions:
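A pre-import check for the hand-built three-column file described in step 1, as an added example that is not part of the original guide or of the BlackBerry software. The guide does not give the column order or value formats, so the layout (mailbox name, PIN, enable state), the 8-hexadecimal-character PIN pattern, and the 0/1 enable values are assumptions, and the sample rows are constructed.

```python
import re

# Assumed column layout (the guide does not give the order):
#   mailbox name <TAB> PIN <TAB> enable state
PIN_RE = re.compile(r"[0-9A-Fa-f]{8}")  # assumption: a PIN is 8 hexadecimal characters
ENABLE_VALUES = {"0", "1"}              # assumption: 1 = enabled, 0 = disabled


def check_import_file(text):
    """Return (line_number, problem) tuples for a tab-delimited user import file."""
    problems = []
    first_mailbox = {}  # case-folded mailbox name -> line where it first appeared
    first_pin = {}      # upper-cased PIN -> line where it first appeared

    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # blank lines carry no user
        fields = line.split("\t")
        if len(fields) != 3:
            # Typical cause: an editor replaced the tabs with spaces.
            problems.append((lineno, "expected 3 tab-separated fields, found %d" % len(fields)))
            continue
        mailbox, pin, enabled = (field.strip() for field in fields)

        if not mailbox:
            problems.append((lineno, "empty mailbox name"))
        elif mailbox.casefold() in first_mailbox:
            problems.append((lineno, "mailbox already listed on line %d"
                             % first_mailbox[mailbox.casefold()]))
        else:
            first_mailbox[mailbox.casefold()] = lineno

        if not PIN_RE.fullmatch(pin):
            problems.append((lineno, "PIN %r is not 8 hexadecimal characters" % pin))
        elif pin.upper() in first_pin:
            # A PIN identifies one handheld, so two mailboxes should not share it.
            problems.append((lineno, "PIN already assigned on line %d" % first_pin[pin.upper()]))
        else:
            first_pin[pin.upper()] = lineno

        if enabled not in ENABLE_VALUES:
            problems.append((lineno, "enable state %r is not 0 or 1" % enabled))
    return problems


# Constructed sample file; every name and PIN is made up.
SAMPLE = (
    "Alice Example\t2100000A\t1\n"
    "Bob Example\t2100000B\t0\n"
    "Carol Example\t2100000a\t1\n"     # same PIN as line 1, different case
    "Dave Example\t21000Z0C\t1\n"      # PIN is not hexadecimal
    "Erin Example  2100000D  1\n"      # spaces instead of tabs
    "alice example\t2100000E\tyes\n"   # repeated mailbox, bad enable state
)

if __name__ == "__main__":
    for lineno, problem in check_import_file(SAMPLE):
        print("line %d: %s" % (lineno, problem))
```

Running the check before the import catches rows that the Check Names window would not flag, such as a PIN listed against two mailboxes.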

Find users

You can search the BlackBerry Manager for a specific user based on mailbox name. This function is useful for locating a user when you have more than one server added to the BlackBerry Manager and do not know to which server the user was added.

1. In the BlackBerry Manager, right-click BlackBerry Manager, and then click Find User.

2. From the Show Names from the drop-down list, select the address book within which you want to search for a user.

3. Type a user name.

Tip: Click Find to search for users by display name, first name, last name, title, alias, company, department, office, or city.

Action | Procedure
Clear user statistics. | Click Yes.
Retain user statistics. | Click No.

Action | Procedure
Clear user statistics. | Click Yes.
Retain user statistics. | Click No.


4. Click OK. If the user exists on a server in the console, a dialog box appears indicating the name of the server on which the user is located. If the user does not exist on a server in the console, a dialog box appears indicating that the user was not found.

5. Click OK again.

Manage users

If you move or change the display name of a mailbox, you must update the BlackBerry Enterprise Server to reflect this change by reloading the users on the server.

You can move a user from one BlackBerry Enterprise Server to another, and you can remove a user from a BlackBerry Enterprise Server.

1. In the BlackBerry Manager, click a server.

2. In the User Name list, right-click a user.

3. Perform one of the following actions:

Managing user properties and statistics

View user statistics

1. In the BlackBerry Manager, click a server.

2. In the User Name list, right-click a user, and then click User Stats. A list of properties and statistics displays.

Action | Procedure
Reload users. | Click Reload User. The request to reload a user on the BlackBerry Enterprise Server might require a minute or two to complete. Note: On a version 3.6 server, Reload User deletes and automatically re-adds the user, which re-adds the user to the default IT policy. The BlackBerry Enterprise Server detects a mailbox move automatically within 15 minutes, and reloads the user information without deleting and re-adding the user. Note: If you move a hidden mailbox (one that does not appear in the Global Address List), the BlackBerry Enterprise Server does not detect the move. You must reload the user manually to update the mailbox information.
Move users. | 1. Click Move User. 2. From the drop-down list, select a BlackBerry Enterprise Server. 3. Click OK. Note: If the handheld does not have Handheld Software version 4.0 or version 2.7 installed, it must be connected to the user computer running the BlackBerry Desktop Software for the change to take effect.
Remove users. | 1. Click Remove User. 2. Click Yes. You are prompted to remove BlackBerry information from the user mailbox. If you click Yes, the user handheld is removed from the server, and the handheld information is deleted from the user Microsoft Exchange mailbox. If you click No, the user is removed from the server only.

Property/Statistic | Description
PIN | The PIN of the handheld.
Status | The general status of email redirection for the user. See "View user status" on page 20 for more information on the values that might appear in this field.


Clear user statistics

1. In the BlackBerry Manager, click a server.

2. In the User Name list, right-click a user, and then click User Stats.

3. Click Clear Stats.

View user status

1. In the BlackBerry Manager, click a server.

2. In the User Name list, double-click a user.

Property/Statistic | Description
Forwarded | The total number of messages forwarded to the user's handheld. This total depends on the filters set at the user or administrator level.
Sent from handheld | The total number of messages that were sent from the user's handheld.
Pending to handheld | The total number of messages that are currently queued for delivery to the user's handheld.
Expired | The total number of messages that have timed out without being forwarded to the user's handheld. Note: Messages time out after 7 days of non-delivery to the handheld.
Filtered | The total number of messages to which the BlackBerry Enterprise Server applied filters and therefore did not forward to the user's handheld.
Time the last message was received by the handheld | The date and time that the last message (email or calendar) was forwarded to the user's handheld.
Time the last message was sent by the handheld | The date and time that the last message (email or calendar) was sent from the user's handheld.
Time since last handheld contact | The amount of time since the last transaction occurred between the server and the handheld.
Result of last transaction to the handheld | The last result that was returned for the user.

Status | Description
Initializing | After you add a user to the BlackBerry Enterprise Server, the status reads Initializing until the user connects the handheld to the desktop computer or is wirelessly activated on a running BlackBerry Enterprise Server.
Running | The handheld is running properly with redirection enabled.
Not configured - please run BlackBerry Desktop Manager | The user needs to run the BlackBerry Desktop Manager.
Redirection disabled | The user has cleared the Redirect incoming messages to your handheld check box, or the administrator has cleared the Redirect incoming messages to user's handheld check box. The handheld is not connected to the user's computer.
Verifying forwarding address | The email address that is used to forward messages to the user's handheld is being verified.
Invalid forwarding address | The email address is invalid. Select the Override Address check box and type the email address for the user in the Email Address field.
No PIN | The user does not have a valid PIN.
No desktop address | The user does not have a valid desktop address.
In cradle - email redirection to handheld disabled | The handheld is connected to the user's computer. The user has selected the Disable email redirection to handheld while your handheld is connected check box, or the administrator selected the Disable email redirection to handheld while in cradle check box.


Modify user redirection settings

1. In the BlackBerry Manager, click a server.

2. In the User Name list, double-click a user.

3. Modify the desired values.

Export user properties

You might want to export user properties to upgrade from using the Microsoft Exchange 5.5 administration extensions to using the BlackBerry Manager tool or to move BlackBerry Enterprise Servers from one database to another.

You can export certain user information to a tab-delimited text file. When you export user statistics, you can also include usage statistics (for example, the number of messages forwarded, sent, pending, filtered, and expired).

1. In the BlackBerry Manager, click a server.

2. Right-click a user, and then click Export User Info.

3. Perform one of the following actions.

4. Perform one of the following actions.

5. Set a location in which to save the user properties data.

6. Type a name for the user properties data file.

7. Click Save.

8. Click OK.

Property | Procedure
Email Address | Select the check box beside Override Address to edit the Email Address field.
Redirect incoming messages to user's handheld | Select the check box to enable redirection.
Disable email redirection to handheld while in cradle | Select the check box to disable redirection while the handheld is connected to the computer.
Don't save outgoing messages from handheld in 'Sent Items' | Select the check box to prevent messages that are sent from the handheld from being stored in the desktop email program's Sent Items folder.
Inbox & Sent Items | Select the Inbox & Sent Items option to redirect only messages that arrive in the handheld's Inbox and Sent Items folders.
Selected folders | 1. Select the Selected folders option to redirect only messages that arrive in selected folders on the desktop. 2. Click Choose Folders to select one or more redirection folders.
Auto Signature | Type a message to appear at the end of all messages that are sent from the handheld.

Action | Procedure
Export all user statistics including usage statistics. | Click Yes.
Export only the basic statistics. | Click No.

Action | Procedure
Clear user statistics after the export. | Click Yes.
Retain user statistics after the export. | Click No.


Managing redirection

Disable or enable redirection

You can stop message redirection to a handheld without removing the user from the server. For example, if a user is traveling out of a wireless coverage area and does not want messages forwarded to the handheld during that time, stop message redirection by disabling the handheld. While redirection to the handheld is disabled, the user can still send messages but cannot receive them. The user can re-enable redirection on the handheld.

1. In the BlackBerry Manager, click a server.

2. In the User Name list, right-click a user.

3. Perform one of the following actions:

Clear the in-cradle status

By default, email is not redirected to the handheld when the handheld is connected to the computer. An interruption in network communications might prevent the BlackBerry Desktop Manager from clearing the In-cradle status after the handheld is disconnected from the computer. If this happens, messages are not forwarded to the handheld, even if it is not connected to the computer.

1. In the BlackBerry Manager, click a server.

2. In the User Name list, right-click a user, and then click User Stats.

3. Click Clear In-Cradle.

Purge pending messages

Some situations might occur in which it is necessary for you to remove messages that are queued for delivery to the handheld.

You might want to purge pending messages when:

• a user, whose account was not disabled on the BlackBerry Enterprise Server, is returning to an area of wireless network coverage and does not want to receive the messages that arrived when the user was away

• a user receives a high volume of junk email messages and does not want to receive them on the handheld

• you are about to remove a user who has messages that are queued in the outbound database

Note: By default, users are enabled for redirection when they are first added to the BlackBerry Enterprise Server.

Action | Procedure
Disable redirection. | Click Disable Redirection.
Enable redirection. | Click Enable Redirection.

Note: The In-cradle flag is ignored by wireless calendar synchronization, wireless PIM synchronization, and email pre-population.

Note: If the BlackBerry Desktop Manager is not in use, the BlackBerry Enterprise Server detects this and removes the In-cradle status within 10 minutes.


• you are re-adding a user who has a high volume of messages that are pending to the handheld, and you do not want the messages to be redirected

1. In the BlackBerry Manager, click a server.

2. In the User Name list, right-click a user, and then click User Stats.

3. Click Purge Pending.

Generate encryption keys

The handheld, the user's mailbox, and the BlackBerry Manager database each store the encryption key. The encryption key can be generated by wireless activation or by the user at the desktop. If the user does not have access to the BlackBerry Desktop Software, you can generate a key.

1. In the BlackBerry Manager, click a server.

2. In the User Name list, double-click a user.

3. Connect the user's handheld to the administration computer.

4. On the Security tab, click Generate keys manually.

5. Click Generate and move the mouse as instructed.

6. Click Apply.

Manage the peer-to-peer encryption key

By default, PIN messaging is insecure as peer-to-peer encryption keys are not generated automatically.

Update the key

If you update the peer-to-peer encryption key, you prevent users from sending PIN messages to users who do not have the updated peer-to-peer encryption key. Users also cannot receive PIN messages from other users who have an updated or different peer-to-peer encryption key. Any handheld that is turned off or is out of a wireless coverage area is unable to receive PIN-to-PIN messages until it reconnects with the wireless network.

1. In the BlackBerry Manager, right-click BlackBerry Manager, and then click Update Peer-to-Peer Encryption Key.

2. Set the following options:

Note: If the user has wireless calendar synchronization enabled, pending calendar messages are also purged. However, those messages are resent later. Pending IT policies or IT admin commands are not purged.

Note: If the handheld is not connected to the computer, the key is still generated but the encryption key status is not updated until a handheld to computer connection is established and the activation completes. The handheld might need to be disconnected and reconnected to complete the activation.

Option | Procedure
Set or update the Peer-to-Peer encryption key for all handhelds within this organization | Select this option to generate a new key to send to all handhelds. It is selected by default. Note: You must generate a new key if the current key is known to be compromised by handhelds that are not updated automatically. If you select this option, there will be a period during which users with the new key cannot exchange PIN messages with users who do not have the new key. This is because handhelds that are unavailable do not receive the new encryption key immediately.


Resend the key

If you have previously updated a peer-to-peer encryption key, you can resend the peer-to-peer encryption key to the user's handheld. When you resend the key, handhelds that were turned off or out of a wireless coverage area when the original encryption key was sent receive the key and reconnect with the wireless network.

1. In the BlackBerry Manager, click a server.

2. In the User Name list, right-click a user, and then click IT Admin > Resend Peer-to-Peer Encryption Key.

3. Click OK.

Managing handhelds

See the BlackBerry Enterprise Server Handheld Management Guide for more information on managing handhelds.

Activate handhelds wirelessly

If one or more handhelds are not available to be connected to the BlackBerry Manager computer or the desktop computer after being added to the BlackBerry Enterprise Server, you can wirelessly activate multiple handhelds simultaneously using the BlackBerry Manager. Using the BlackBerry Manager, an email containing a unique, user-specific password is sent automatically to the handheld users.

1. In the BlackBerry Manager, in the left pane, click a server.

2. In the User Name list, right-click a user and click Generate and email activation password.

3. Click OK.

Option | Procedure
Remove the encryption keys used to encrypt Peer-to-Peer messages from all handhelds within this organization | Select this option to remove the encryption keys from all handhelds. Selecting this option makes the Retain current Peer-to-Peer on all handhelds as a "previous" key check box unavailable.
Retain current Peer-to-Peer on all handhelds as a "previous" key. | Select this check box to retain the current encryption key on the handheld so that messages from handhelds that do not have the new key can be encrypted. Note: Clear this option if either you know that the current key is compromised or you want to remove all Peer-to-Peer encryption keys when using the Remove option. A side effect of selecting this option is that while Peer-to-Peer key updates propagate through the system, some handhelds are unable to send Peer-to-Peer messages to others.
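The peer-to-peer key update options, modelled as an added example that is not part of the original guide or of the BlackBerry software. It assumes that a handheld always encrypts with its current key and can read a message encrypted with either its current key or its retained "previous" key; the handheld names and key labels are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Handheld:
    current: Optional[str]           # key used to encrypt outgoing PIN messages
    previous: Optional[str] = None   # key retained as the "previous" key, if any


def push_key(fleet, new_key, reachable, retain_previous):
    """Return the fleet state after the key update reaches the handhelds in `reachable`."""
    updated = {}
    for name, handheld in fleet.items():
        if name in reachable and handheld.current != new_key:
            kept = handheld.current if retain_previous else None
            updated[name] = Handheld(current=new_key, previous=kept)
        else:
            updated[name] = handheld  # off or out of coverage: keeps what it has
    return updated


def can_read(fleet, sender, receiver):
    """True if `receiver` holds the key that `sender` encrypts with (model assumption)."""
    key = fleet[sender].current
    target = fleet[receiver]
    return key is not None and key in (target.current, target.previous)


def failed_pairs(fleet):
    """Sorted (sender, receiver) pairs whose PIN messages cannot be read."""
    return sorted(
        (s, r) for s in fleet for r in fleet
        if s != r and not can_read(fleet, s, r)
    )


# Constructed fleet: three handhelds that all start on key "K1".
BEFORE = {name: Handheld("K1") for name in ("hh-a", "hh-b", "hh-c")}
ONLINE = {"hh-a", "hh-b"}  # hh-c is turned off when the update is sent

if __name__ == "__main__":
    for retain in (True, False):
        after = push_key(BEFORE, "K2", ONLINE, retain_previous=retain)
        print("retain previous key:", retain, "->", failed_pairs(after))
    kept = push_key(BEFORE, "K2", ONLINE, retain_previous=True)
    resent = push_key(kept, "K2", {"hh-c"}, retain_previous=True)
    print("after resending to hh-c:", failed_pairs(resent))
```

In this model, retaining the previous key keeps messages from the not-yet-updated handheld readable, while clearing it cuts that handheld off in both directions until the key is resent.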

Note: The user must select Enterprise Activation on the handheld, type the password and their corporate email address, and then click Activate to complete the activation. The password is specific to that user account and times out after 48 hours or 5 unsuccessful password entry attempts on the handheld.

After the password is successfully typed and accepted on a handheld, the password becomes obsolete. To reactivate a handheld, the user must be assigned a new password.

Note: If a user has received an activation password in the past 48 hours, a new activation password cannot be generated and sent by email. To delete or overwrite an existing activation password, you can set or remove the activation password in the user Properties. See "Reset the individual activation password" on page 25 for more information.

Reset the individual activation password

If you generate and email an activation password to a user, setting the activation password in the user Properties overwrites the existing activation password even if the 48 hour activation period has not expired. This is useful for troubleshooting an individual handheld activation if the user cannot read the email containing the original activation password. You must inform the user of the new password by phone or by sending an email message manually.

1. In the BlackBerry Manager, in the left pane, click a server.

2. In the User Name list, double-click a user.

3. On the General tab, click Set Activation Password.

4. In the dialog box, type a password.

5. Click OK.

6. Click Apply.

Delete the individual activation password

You can delete the activation password for an individual user before the 48-hour activation period has elapsed. The user can no longer activate the handheld using that password.

1. In the BlackBerry Manager, in the left pane, click a server.

2. In the User Name list, double-click a user.

3. On the General tab, click Remove Password.

4. Click Yes.

5. Click Apply.
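The activation password rules described in the three sections above (48-hour timeout, 5 unsuccessful attempts, single use, and the set and remove overrides) can be modelled as a small state machine. This is an added example, not code from the guide or from the BlackBerry Enterprise Server; the class and method names, the constant-time comparison, and the choice that a locked-out password stays stored until an administrator sets or removes it are assumptions.

```python
import hmac
import secrets
from datetime import datetime, timedelta

LIFETIME = timedelta(hours=48)  # guide: password times out after 48 hours
MAX_FAILED = 5                  # guide: or after 5 unsuccessful entry attempts


class ActivationRecord:
    """Hypothetical per-user record; not a BlackBerry Enterprise Server API."""

    def __init__(self, email):
        self.email = email.lower()
        self.password = None    # None means no activation password is stored
        self.issued_at = None
        self.failed = 0

    def _store(self, password, now):
        self.password, self.issued_at, self.failed = password, now, 0

    def can_generate(self, now):
        # Generate-and-email is refused while a password issued in the past
        # 48 hours is still stored for the user.
        return self.password is None or now - self.issued_at >= LIFETIME

    def generate(self, now):
        """Model of 'Generate and email activation password'."""
        if not self.can_generate(now):
            raise RuntimeError("password issued in the past 48 hours; "
                               "set or remove it in the user Properties")
        self._store(secrets.token_urlsafe(9), now)
        return self.password

    def set_password(self, password, now):
        """Model of 'Set Activation Password': overwrites inside the 48 hours."""
        self._store(password, now)

    def remove(self):
        """Model of 'Remove Password': the user can no longer activate."""
        self.password, self.issued_at, self.failed = None, None, 0

    def activate(self, email, candidate, now):
        """Model of the Enterprise Activation attempt made on the handheld."""
        if self.password is None:
            return False
        if now - self.issued_at >= LIFETIME or self.failed >= MAX_FAILED:
            return False        # timed out by age or by attempt count
        # Assumption: compare in constant time so timing does not leak
        # how much of the candidate matched.
        ok = email.lower() == self.email and hmac.compare_digest(
            candidate.encode(), self.password.encode())
        if ok:
            self.remove()       # an accepted password becomes obsolete
            return True
        self.failed += 1
        return False


if __name__ == "__main__":
    t0 = datetime(2004, 11, 10, 9, 0)          # constructed sample time
    rec = ActivationRecord("user@example.com")  # constructed sample user
    emailed = rec.generate(t0)
    print("second generate allowed:", rec.can_generate(t0 + timedelta(hours=1)))
    rec.set_password("Temp-1234", t0 + timedelta(hours=2))
    print("old password works:", rec.activate("user@example.com", emailed,
                                              t0 + timedelta(hours=3)))
    print("new password works:", rec.activate("user@example.com", "Temp-1234",
                                              t0 + timedelta(hours=3)))
```
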

Set automatic handheld management

You can enable or disable automatic handheld management for a user.

1. In the BlackBerry Manager, in the left pane, click a server.

2. In the User Name list, double-click a user.

3. On the PIM Sync tab, perform one of the following actions:

4. Click Apply.

5. Click OK.

Action Procedure

Enable automatic handheld management.

! Select the Enable Wireless Device Management for this user check box.

Disable automatic handheld management.

! Clear the Enable Wireless Device Management for this user check box.

Change a user's handheld

If a user receives a different handheld, you must register the new PIN for email redirection. If the user does not have access to the BlackBerry Desktop Software, you can register the new handheld using the BlackBerry Manager.

You can also enable the user to wirelessly activate the handheld without connecting the handheld to the BlackBerry Manager. See "Activate handhelds wirelessly" on page 24 for more information.

1. In the BlackBerry Manager, click a server.

2. In the User Name list, double-click a user.

3. Connect the user's handheld to the administration computer.

4. If prompted, click Yes.

Set handheld owner information

You can set the owner information that is stored on the handheld.

1. In the BlackBerry Manager, click a server.

2. In the User Name list, right-click a user, and then click IT Admin > Set Owner Info.

3. Type the handheld owner name and information.

4. Click OK.

Set a password and lock the handheld

You can set a new handheld password, which replaces the existing password. This action locks the handheld and prompts the user for the new password. If the handheld has an existing password, the user is prompted, but not required, to accept the password that you set.

1. In the BlackBerry Manager, click a server.

2. In the User Name list, right-click a user, and then click IT Admin > Set Password and Lock.

3. In the New Password and New Password Again fields, type a password that is 4 to 14 characters long.

4. If desired, select the Set Owner Information as well check box.

5. In the Owner Name and Owner Information fields, type the information.

6. Click OK.

Note: When users receive a different handheld, and they want wireless calendar synchronization enabled, they must enable it from the optional BlackBerry Desktop Software or configure it on the handheld. See the BlackBerry Wireless Handheld User Guide for more information.

Note: If another handheld is already connected to the administration computer, or the port is being used for another purpose, it must be disabled or the connection is not detected.

Warning: Special characters in passwords are supported only on Java-based handhelds running 3.6.0.51 or later handheld code. Special characters are not supported on any C++-based handhelds.

Disable a handheld and delete stored information

You can disable the use of a handheld and delete all the information stored on it. The handheld can later be re-enabled by running the Application Loader on the BlackBerry Desktop Manager.

1. In the BlackBerry Manager, click a server.

2. In the User Name list, right-click a user, and then click IT Admin > Kill Handheld.

3. Click Yes.

Notifying users

Send a message to a single user

1. In the BlackBerry Manager, click a server.

2. In the User Name list, right-click a user, and then click Send Message.

3. Type the subject and body of your message, and then click Send.

Send an all points bulletin

Use the all points bulletin (APB) feature to send an email message to all users or to selected handheld users.

1. In the BlackBerry Manager, right-click BlackBerry Manager.

2. Click Send All-Points-Bulletin (APB).

3. In the Select Server(s) section, perform one of the following actions:

4. In the Select the Send Method section, specify how you want to send the APB.

5. In the Subject and Body fields, type the subject and message.

6. Click Send.

Action Procedure

Send the message to all servers. ! Select the All Servers option.

Send the message to selected servers.

1. Select the Selected Servers Only option.

2. From the list, click the desired server.

Method Description

Via Email to All Mailboxes Sends the message through the administration Microsoft Exchange mailbox. The users are blind carbon copied on the message.

Direct to All Handhelds Sends the message to all users by PIN. APBs that are sent directly to all handhelds are not encrypted.

Direct to Selected Handhelds Sends the message to the selected users by PIN. If you chose Selected PINs Only, select the desired PINs from the list.

3

Managing messaging and PIM categories

Managing PIM synchronization

You can synchronize personal information management (PIM) items such as tasks, memos, email filters, and contacts so that the entries on a user's handheld and on the server are consistent. You can use global synchronization, which applies to all servers and new users added to the BlackBerry Manager, or you can set synchronization options for a specific user.

Set PIM synchronization

You can disable or enable the synchronization of personal information for a single user or at the global level, which applies to any new users who are added to the BlackBerry Manager.

If you enable synchronization at the global or user levels, you must set the synchronization type for the synchronization of individual PIM category (Address Book, Email Filters, Email Settings, Memos, and Tasks) databases:

1. Perform one of the following actions:

2. On the PIM Sync tab, perform one of the following actions:

• Managing PIM synchronization
• Managing wireless email reconciliation
• Managing redirection filters
• Setting a disclaimer
• Set Auto BCC
• Viewing server redirection statistics

Action Procedure

Set synchronization at the global level.

! In the BlackBerry Manager, right-click BlackBerry Manager, and then click Properties.

Set synchronization at the user level.

1. In the BlackBerry Manager, click a server.

2. In the User Name list, double-click a user.

Action Procedure

Enable all PIM synchronization.

Note: This action is only available for synchronization at the user level.

! Select the Wireless Synchronization enabled for this user check box.

Disable all PIM synchronization.

Note: This action is only available for synchronization at the user level.

! Clear the Wireless Synchronization enabled for this user check box.

3. Click Apply.

4. Click OK.

Set conflict resolution

You can set the resolution for conflicts that occur when data conflicts between the server and a user's handheld. Select Server Wins (default) to enable server information to overrule handheld information when a conflict occurs, or select Handheld Wins to enable handheld information to overrule server information when a conflict occurs. This option can be set for databases at the global or user synchronization level.

1. Perform one of the following actions:

2. On the PIM Sync tab, click a PIM category tab.

3. In the Conflict Resolution section, click an option.

4. Click Apply.

5. Click OK.

Set wireless backup

You can enable or disable automatic wireless backup for a user. Automatic wireless backup enables you to back up user handheld settings and preferences to the BlackBerry Enterprise Server.

1. In the BlackBerry Manager, in the left pane, click a server.

2. In the User Name list, double-click a user.

3. On the PIM Sync tab, perform one of the following actions:

4. Click Apply.

5. Click OK.

Action Procedure

Enable the synchronization of a PIM category database

! On the PIM category tab, select the type of synchronization:

• Unidirectional - Synchronize Server to Handheld
• Unidirectional - Synchronize Handheld to Server
• Bidirectional Synchronization

Note: Unidirectional synchronization is not available for the email settings or email filters.

Disable the synchronization of a PIM category database

! On the PIM category tab, select Wireless Synchronization disabled for this database.

Action Procedure

Set conflict resolution at the global level.

! In the BlackBerry Manager, right-click BlackBerry Manager, and then click Properties.

Set conflict resolution at the user level.

1. In the BlackBerry Manager, click a server.

2. In the User Name list, double-click a user.

Action Procedure

Disable automatic wireless backup. ! Clear the Enable this user for Automatic Wireless Backup check box.

Enable automatic wireless backup. ! Select the Enable this user for Automatic Wireless Backup check box.

Clear wireless backup data

You can delete the user handheld settings and preferences that are backed up automatically if you selected the Enable this user for Automatic Wireless Backup check box.

1. In the BlackBerry Manager, in the left pane, click a server.

2. In the User Name list, double-click a user.

3. On the PIM Sync tab, click Clear Automatic Wireless Backup data for this user.

4. Click Yes.

5. Click OK.

Define address book field mappings

This option can be set for the address book database at the global or user synchronization level.

1. Perform one of the following actions:

2. On the PIM Sync tab, perform one of the following actions:

3. To edit the mappings, follow the on-screen instructions.

4. Click OK.

Managing wireless email reconciliation

Disable or enable wireless email reconciliation on the server

1. In the BlackBerry Manager, right-click a server, and then click BlackBerry Server Properties.

2. On the Email Options tab, perform one of the following actions:

Action Procedure

Set field mappings for all users.

! In the BlackBerry Manager, right-click BlackBerry Manager, and then click Properties.

Set field mappings for a specific user.

1. In the BlackBerry Manager, click a server.

2. In the User Name list, double-click a user.

Action Procedure

Edit field mappings for all users.

1. On the Address Book tab, click Edit Global Field Mappings.

2. Click Yes.

Edit field mappings for a specific user.

! On the Address Book tab, click Edit Field Mappings.

Note: If the Enable Wireless Email Reconciliation policy rule is not included in the user's IT policy, wireless email reconciliation support is enabled by default.

Action Procedure

Disable wireless email reconciliation. ! Clear the Enable Wireless Email Reconciliation on this server check box.

Enable wireless email reconciliation. ! Select the Enable Wireless Email Reconciliation on this server check box.

3. Click OK.

Disable or enable on user accounts

To disable wireless email reconciliation support for a user or group of users, verify that the Enable Wireless Email Reconciliation policy rule is set to FALSE. To re-enable wireless email reconciliation support for a user or group of users, verify that the Enable Wireless Email Reconciliation policy rule is set to TRUE.

When wireless email reconciliation support is enabled for a user and the enabled user has upgraded the handheld to a supported version, the Wireless Reconcile field in the Email Reconciliation options screen is available on the user's upgraded handheld and enabled. If it has been disabled, the user is enabled to set the handheld for wireless reconcile.

If you create a new IT policy and move users to that policy, and the Enable Wireless Email Reconciliation policy rule is included, you must verify that it is set to TRUE; otherwise, wireless email reconciliation is disabled for those users. See "IT policy rules" on page 65 for more information about this IT policy rule.

Managing redirection filters

You can use redirection filters to define which messages are redirected to users' handhelds. When a user receives an email message, the BlackBerry Enterprise Server applies the filters to determine how to direct the message: forward, forward with priority, or do not forward to the user's handheld.

Global and user filters

You can use global redirection filters, which apply to all users on a server. You can also create user redirection filters to apply filters to specific users. Global redirection filters take precedence over the filters that are defined by users in their Desktop Software. If none of the global filters apply, the user's filters are applied. If you create user filters in the BlackBerry Manager, the users can change or remove the filters that you defined if they have the Desktop Software installed on their computer.

Create a filter

! In the BlackBerry Manager, perform one of the following actions:

Tip: If you define global filters, inform users so that they understand why some of their filter rules might not be applied. Users cannot view global filters.

Action Procedure

Create a global filter.

1. Right-click a server, and then click BlackBerry Server Properties.

2. On the Global Filters tab, click New.

3. Complete the Add Filter screen. See "Setting a disclaimer" on page 34 for more information.

4. Click OK.

Create a user filter.

1. Click a server.

2. In the User Name list, double-click a user.

3. On the Filters tab, click New.

4. Complete the Add Filter screen. See "Setting a disclaimer" on page 34 for more information.

5. Click OK.

Change filters

1. In the BlackBerry Manager, perform one of the following actions:

2. On the Properties screen, perform one of the following actions.

3. Click OK.

Note: The BlackBerry Enterprise Server reads global filter changes every 15 minutes, so new filters might not be applied to messages immediately.

Action Procedure

Change a global filter.

1. Right-click a server, and then click BlackBerry Server Properties.

2. Click the Global Filters tab.

Change a user filter.

1. Click a server.

2. In the User Name list, double-click a user.

3. Click the Filters tab.

Action Procedure

Enable a filter. ! Select the check box beside a filter, and then click OK.

Note: Filters are enabled by default after they are created.

Edit a filter. 1. Click a filter.

2. Click Edit.

3. Make the desired changes. See "Setting a disclaimer" on page 34 for more information.

4. Click OK.

Disable a filter. 1. Clear the check box beside a filter.

2. Click OK.

Change the order of filters.

1. Click a filter.

2. Click Up or Down to move the filter higher or lower in the list.

3. Click OK.

Note: The BlackBerry Enterprise Server applies filters to new messages in the order in which they appear in the Filters dialog box. Verify that the filters appear from least to most restrictive.

Save the filter as a Redirector Filters (.rfi) file.

1. Click a filter.

2. Click Save.

3. Browse to a folder in which to save the file.

4. Click Save.

Load filter settings that were saved as an .rfi file.

1. Click Load.

2. Browse to an .rfi file.

3. Click Open.

Delete a filter. 1. Click a filter.

2. Click Delete.

3. Click Yes.

Note: The BlackBerry Enterprise Server reads global filter changes every 15 minutes, so filter changes might not be applied to messages immediately.

Filter options

Setting a disclaimer

Set a disclaimer to add text below user signatures on all messages sent from handhelds.

1. In the BlackBerry Manager, right-click a server, and then click BlackBerry Server Properties.

2. On the Email Options tab, in the Disclaimer Text field, type the signature text.

3. Click OK.

Set Auto BCC

Set one or more auto blind carbon copy (BCC) addresses to retain a copy of every message that is sent from a handheld on the BlackBerry Enterprise Server. A blind carbon copy is concealed from the sender and recipient of each message and is sent to the addresses that you specify.

1. In the BlackBerry Manager, right-click a server, and then click BlackBerry Server Properties.

2. On the Email Options tab, click Add Address.

3. From the list in the left pane, select one or more addresses to BCC.

Option Action

From ! Type the full email (SMTP) address or the first and last name of the user, in that order, with no commas (,) between the first and last name, of the person that you want the filter to detect. You can also click Import list to select users from the Global Address List. If you enter more than one name, separate user names with a semicolon (;).

Sent to ! Type the full email (SMTP) address or the first and last name of the user, in that order, with no commas (,) between the first and last name, of the person that you want the filter to detect. You can also click Import list to select users from the Global Address List.

Subject ! Type keywords that should appear in the subject line of messages that you want the filter to detect. If you want the filter to search for individual keywords, and not the entire string, separate the words with a semicolon.

Body ! Type keywords that should appear in the body of messages that you want the filter to detect. If you want the filter to search for individual keywords, and not the entire string, separate the words with a semicolon.

Recipient Types ! Set whether the recipient's address appears in the To, CC, or BCC field of messages that you want the filter to detect. This field only applies to messages that are sent directly to the recipients. It does not apply to distribution lists of which the recipients are members.

Importance ! Set the importance level that is assigned to the messages that you want the filter to detect.

Sensitivity ! Set the sensitivity level that is assigned to the messages that you want the filter to detect.

Forward messages to the handheld

1. Select the Forward messages to the handheld option.

2. Select the Forward with Level 1 Notification check box or the Forward header only check box.

Don't forward messages to the handheld

! Select the Don't forward messages to the handheld option.

Tip: You can use wildcards when you create filter rules. However, if you use wildcards for email addresses, you should use the correct SMTP format (for example, *@acme.ca).

Note: In Microsoft Exchange 2000/2003, if the user who sends the message is on a different Microsoft Exchange Server or a different mail store than the user who is BCCd, the message that the BCCd user receives does not indicate that the user was BCCd. In Microsoft Exchange 5.5, if the user who sends the message is on a different site than the user who is BCCd, the message that the BCCd user receives does not indicate that the user was BCCd.

4. Click Select.

5. Click OK.

6. Click OK again.

Viewing server redirection statistics

You can view the combined statistics of all handhelds that have been added to a particular BlackBerry Enterprise Server. The statistics that are retrieved are static.

! In the BlackBerry Manager, right-click a server, and then click Server Stats. The following properties and statistics are displayed:

Clear server redirection statistics

You can set all values in a server's Global Stats window to 0.

1. In the BlackBerry Manager, right-click a server, and then click Server Stats.

2. Click Clear Server Stats.

Property/Statistic Description

Time Captured The date and time that the server statistics were viewed.

Messages Forwarded to Handhelds

The total number of messages that were forwarded to handhelds since statistics were last cleared.

Messages Sent from Handhelds

The total number of messages that were sent from the handhelds since statistics were last cleared.

Messages Pending to Handhelds

The total number of messages that are currently queued for delivery to handhelds since statistics were last cleared.

Messages Filtered The total number of messages to which the BlackBerry Enterprise Server applied filters and did not forward since statistics were last cleared.

Messages Expired The total number of messages that timed out without being forwarded to handhelds since statistics were last cleared.

Note: Messages time out after 7 days of non-delivery to the handheld.

Note: Clicking Clear Server Stats does not clear all the individual statistics for users on this BlackBerry Enterprise Server. The pending count is not cleared because the messages in the pending queue are not removed from the queue. To delete the messages that are pending to a particular handheld, in the User Stats window, you must click Purge Pending for that user. Each handheld must be purged individually.

4

Managing IT policies

Setting your Default IT policy

All new users added to the BlackBerry Enterprise Server are added to a default policy, which houses a collection of policy rules. Applicable policy rule settings apply immediately to new users. See "IT policy rules" on page 65 for more information.

Add rules to your Default IT policy

1. In the BlackBerry Manager, right-click a server, and then click IT Policy.

2. In the Policy Name list, select Default.

3. Click Edit.

4. In the Policy rule list, click the check box beside a policy rule name.

5. Assign a value to the IT policy rule or accept the default value.

6. Click OK.

7. If prompted, click Yes to send the IT policy to the user.

8. Click OK.

Compatibility

There are specific handheld and software requirements for each IT policy rule. See "IT policy rules" on page 65 for more information.

Creating additional IT policies

You create customized IT policies to reflect the needs of different types of users. For example, you might want to have a higher level of security on the handhelds of your sales team, who are typically out of the office. See "Sample IT policies" on page 85 for more information.

• Setting your Default IT policy
• Compatibility
• Creating additional IT policies
• Using IT policy rules
• Viewing IT policy statistics
• Sending IT policies

Create a new IT policy

1. In the BlackBerry Manager, right-click a server, and then click IT Policy.

2. Click New.

3. Type a new policy name.

4. From the Policy rule list, add policy rules to the IT policy.

5. Click OK.

Move users to a new policy

1. In the Policy Name list, click the new IT policy.

2. Click Edit User List.

3. Click Add Users to This Policy.

4. Click the user to add to the IT policy.

5. Click Add.

6. Click Close.

7. Click OK.

8. Click OK again.

Using IT policy rules

You can use the BlackBerry Manager Properties Policy Rules tab to create, edit, delete, import, and export custom IT policy rules.

Create a custom rule

To control custom applications that your company develops to run in the BlackBerry environment, create custom rules.

1. In the BlackBerry Manager, right-click BlackBerry Manager, and then click Properties.

2. On the Policy Rules tab, click New rule.

3. Modify the desired values.

Note: Users can belong to only one policy at a time.

Note: Custom rules can be used only in conjunction with your own custom applications.

Option Action

Rule Name ! Type a name for the IT policy rule.

4. Click OK.

After you create a policy rule, it appears in the User Defined and Other Policy Rules group.

Change a rule

When you update an IT policy by changing its policy rules, the IT policy is resent to the list of users assigned to that IT policy.

Type ! Select either boolean, integer, string, bitmask, or multiline string.

• If you select integer, you must type minimum and maximum integer values for the policy rule in the Min value and Max value fields.

• If you select bitmask, complete the Bit Value and Bit Option Name fields. The bitmask type enables up to 8 related boolean values to be included in a policy as 1 byte as opposed to 8 bytes, which reduces the network traffic created by sending policy updates wirelessly. After you select a bit value, you must type a display name for that particular bit option in the Bit Option Name field. You can assign a bit option name for one, some, or all of the 8 bit values. For example, you might create a bitmask IT policy rule called AllowedFeatures with 3 boolean bit values where bit 0 is named Phone, bit 1 is named Browser, and bit 2 is named Third Party Apps.

Destination ! Select an option to apply the policy rule to the handheld, the desktop, or both the handheld and desktop.

Description ! Type the description of the IT policy rule.
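The bitmask rule type described above, worked through for the guide's AllowedFeatures example (bit 0 Phone, bit 1 Browser, bit 2 Third Party Apps). This is an added example, not code from the guide or the product: the class and method names are assumptions, and so is the strict decoding that rejects a byte with bits set that were never given a Bit Option Name.

```python
MAX_BITS = 8  # guide: up to 8 related boolean values travel as 1 byte


class BitmaskRule:
    """Hypothetical model of a custom bitmask IT policy rule."""

    def __init__(self, name, bit_names):
        # bit_names maps a bit value (0-7) to its Bit Option Name.
        for bit, label in bit_names.items():
            if not isinstance(bit, int) or not 0 <= bit < MAX_BITS:
                raise ValueError(f"bit value {bit!r} is outside 0-{MAX_BITS - 1}")
            if not label:
                raise ValueError(f"bit {bit} has no Bit Option Name")
        if len(set(bit_names.values())) != len(bit_names):
            raise ValueError("Bit Option Names must be unique")
        self.name = name
        self.bit_names = dict(bit_names)
        self.defined_mask = sum(1 << bit for bit in bit_names)

    def encode(self, enabled):
        """Pack the enabled option names into the single policy byte."""
        by_name = {label: bit for bit, label in self.bit_names.items()}
        unknown = set(enabled) - set(by_name)
        if unknown:
            raise ValueError(f"not defined in {self.name}: {sorted(unknown)}")
        value = 0
        for label in enabled:
            value |= 1 << by_name[label]
        return bytes([value])

    def decode(self, payload):
        """Unpack one byte into {option name: bool}, refusing stray bits."""
        if len(payload) != 1:
            raise ValueError("a bitmask rule value is exactly 1 byte")
        value = payload[0]
        stray = value & ~self.defined_mask & 0xFF
        if stray:
            # Assumption: treat undefined bits as an error, not as noise.
            raise ValueError(f"undefined bits set: {stray:#010b}")
        return {label: bool(value >> bit & 1)
                for bit, label in sorted(self.bit_names.items())}


# The rule from the guide's example.
ALLOWED_FEATURES = BitmaskRule(
    "AllowedFeatures", {0: "Phone", 1: "Browser", 2: "Third Party Apps"})

if __name__ == "__main__":
    packed = ALLOWED_FEATURES.encode({"Phone", "Third Party Apps"})
    print(packed.hex(), ALLOWED_FEATURES.decode(packed))
    # The same three settings sent as separate booleans take one byte each.
    print(len(packed), "byte packed versus", len(bytes([1, 0, 1])), "unpacked")
```
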

Note: Pre-defined rules cannot be edited or deleted. You can only change the value of the rule within a policy.

Action Procedure

Change the value of a rule in an existing policy.

1. In the BlackBerry Manager, right-click a server, and then click IT Policy.

2. Click a policy.

3. Click Edit.

4. Make the desired changes.

5. Click OK.

Edit a custom rule.

1. In the BlackBerry Manager, right-click BlackBerry Manager, and then click Properties.

2. On the Policy Rules tab, click a policy rule.

3. Click Edit rule.

4. Make the desired changes.

5. Click OK.

Delete a custom policy rule.

1. In the BlackBerry Manager, right-click BlackBerry Manager, and then click Properties.

2. On the Policy Rules tab, click a policy rule.

3. Click Delete rule.

4. Click Yes.

Viewing IT policy statistics

Each user's IT policy status displays as part of the user summary. The policy status is included as a column in the user list in the BlackBerry Manager.

View policy summary

1. In the BlackBerry Manager, click a server.

2. In the User Name list, double-click a user.

3. Click the IT Admin tab.

4. View the following information:

5. To refresh the IT policy status with the most recent result, click Refresh Status.

Import a policy rule list.

Enables you to restore default policy rules without overwriting any custom policy rules. You can also import IT policy template files that you have created.

1. In the BlackBerry Manager, right-click BlackBerry Manager, and then click Properties.

2. On the Policy Rules tab, click Import Policy Definitions File.

3. Perform one of the following actions:

• Import the default IT policy template file (ITPolicyTemplate.sql) by browsing to <drive:>\Program Files\Research In Motion\BlackBerry Enterprise Server\Management\Database and selecting ITPolicyTemplate.sql. If the dialog does not open to this location, browse to the correct directory and select ITPolicyTemplate.sql.

• Import the S/MIME IT policy template file (SSPPolicyTemplate.sql), which is located on the BlackBerry Enterprise Server Installation CD, by browsing to <drive:>\tools and selecting SSPPolicyTemplate.sql. If the dialog does not open to this location, browse to the correct directory and select SSPPolicyTemplate.sql.

• Import a different IT policy template file by browsing to the correct directory and selecting that file.

4. Click Open.

5. Click OK.

6. On the Policy Rules tab, click Apply to apply the import changes. If you close the BlackBerry Manager without clicking Apply, the import does not take effect.

Export a custom IT policy list as a template.

Enables you to export the current list of custom IT policies as a template.

1. In the BlackBerry Manager, right-click BlackBerry Manager, and then click Properties.

2. On the Policy Rules tab, click Export Policy Definitions File.

3. Specify a location and file name.

Warning: If you save the custom IT policy template to the same location as the default ITPolicyTemplate.sql file, use a different file name to avoid overwriting the default IT policy template file, which you might want to use again.

4. Click Save.

5. Click OK.

Action Procedure

IT Admin tab information Description

Policy name The name of the IT policy to which the user is assigned.

Status The status of the IT policy reception by the handheld.

Time sent The time that the IT policy was last sent to the handheld.

Time received The time that the IT policy was received by the handheld.

Policy rules applied Click View Policy to view a list of the policy rules assigned to the IT policy that do not have the default value applied.

Information on any IT admin commands that have been sent recently appears in the read-only field at the bottom of the IT Admin tab.

View policy status

When you apply an IT admin task or change the IT policy applied to a user, the status of the IT policy change is displayed in the right pane of the BlackBerry Manager, in the Policy Status column.

The Policy Time sent column in the right pane of the BlackBerry Manager displays the date and time that you sent the IT policy change, and the Policy time recvd column displays the date and time that the user's handheld and/or desktop received the IT policy change.

Sending IT policies

When you add a new user, that user is added to the default IT policy, which is automatically sent to the handheld. If you move a user to a new policy, that policy is also sent automatically to their handheld.

If you move a user from one BlackBerry Enterprise Server to another that shares the same configuration database, the same policy remains in effect, whether it is the default or a new policy, but is resent automatically by the new BlackBerry Enterprise Server.

If you move a user from one BlackBerry Enterprise Server to another that connects to a different configuration database, you must delete the handheld's stored information, which deletes the current service books and also disables the handheld. The user must then be wirelessly activated on the new BlackBerry Enterprise Server, which sends the new service books and the IT policy wirelessly to the handheld.

Tip: Move the scroll box to the right to view the Policy Status column in the right pane of the BlackBerry Manager.

Status Description

Pending Indicates that there is new data waiting to be sent to the user's handheld and/or desktop.

Processing Indicates that the BlackBerry Enterprise Server is sending the change to the user. You should not see this status displayed for an extended period of time. If the status does not change within a short time, the status of the BlackBerry Enterprise Server might have changed while it was processing the request.

Sent Indicates that the IT policy change has been sent wirelessly to the user's handheld and/or desktop, but the user has not yet received the change.

Received Indicates that the user's handheld and/or desktop has received the IT policy change, but the BlackBerry Enterprise Server has not received an error or a success message to indicate if the change has been applied.

Applied successfully Indicates that the user's handheld and/or desktop received the IT policy change and successfully applied the change.

Error Indicates that an error occurred when the policy change was processed, sent, received, or applied.

Timed out Indicates that the IT policy change request timed out after 7 days. The user's handheld might be turned off or out of a wireless coverage area.

Note: Sending a wireless IT policy creates a security association between the handheld and the BlackBerry Enterprise Server. After this association is made, the handheld does not accept IT policies from any other BlackBerry Enterprise Server. The handheld accepts IT policies from the user's computer when it is connected to the Desktop Software.


Resend the existing policy

You can resend IT policy data to a user's handheld.

1. In the BlackBerry Manager, click a server.

2. In the User Name list, double-click a user.

3. On the IT Admin tab, click Resend policy.

Schedule commands

You can configure the IT policy and IT admin commands to be resent to handhelds on the BlackBerry Enterprise Server on a specific timetable.

1. In the BlackBerry Manager, right-click a server, and then click BlackBerry Server Properties.

2. On the IT Admin tab, in the IT Policy field, type the rate (in hours) at which you want the automatic resends to occur. For example, if you type 12, resends occur every 12 hours.

3. Click OK.

Note: By default, a value of 0 is entered in the IT Policy field, disabling automatic resends.


5

Managing attachment viewing

View settings

1. On the taskbar, click Start > Programs > BlackBerry Enterprise Server > BlackBerry Server Configuration.

2. Click the Attachment Server tab.

3. In the Configuration Option drop-down list, select one of the following:

If the BlackBerry Attachment Service is installed on a remote machine (that is, separate from the BlackBerry Enterprise Server), only certain settings can be configured on each machine. On the Attachment Service machine, the attachment server options are visible. On the BlackBerry Enterprise Server, the Connector Configuration options are visible.

Change connector settings

1. On the taskbar, click Start > Programs > BlackBerry Enterprise Server > BlackBerry Server Configuration.

2. On the Attachment Server tab, from the Configuration Option drop-down list, select Connector Configuration.

3. Modify the desired values.

• View settings
• Setting supported attachments

Option Description

Connector Configuration Controls the connections between the Messaging Agent and the Attachment Service when attachments are requested on the handheld.

Attachment Server Controls the retrieval, distillation, and conversion of attachment data, as well as which attachment types you plan to support in your environment.

Test Attachment Service Provides tools to troubleshoot the Attachment Service. See the BlackBerry Enterprise Server Troubleshooting Guide for more information.

Note: You can modify connector configuration settings only on the computer on which the BlackBerry Enterprise Server with the attachment connector is installed.

Option: Server
Description: Set the server name or IP address of the computer on which the Attachment Service is installed. If the Attachment Service is installed on the same computer as the BlackBerry Enterprise Server, this value is set to the localhost name by default.


4. Click OK.

5. Restart the BlackBerry Dispatcher.

Change attachment server settings

1. On the taskbar, click Start > Programs > BlackBerry Enterprise Server > BlackBerry Server Configuration.

2. On the Attachment Server tab, from the Configuration Option drop-down list, select Attachment Server.

3. Modify the desired values.

Option: Server Submit Port
Description: Set the TCP/IP Port number that the attachment connector uses to send the attachment data requests to the Attachment Service.
Note: The port number for this setting must match the Submit Port field in the attachment server configuration options.
Range: 1024 to 65,535

Option: Server Result Port
Description: Set the TCP/IP Port number used to query and retrieve large attachment conversion data from the Attachment Service.
Note: The port number for this setting must match the Result Port field in the attachment server configuration options.
Range: 1024 to 65,535

Option: Polling Time (seconds)
Description: Set the interval, in seconds, used to query the server results time if large attachments are available for delivery from the Attachment Service.
Range: 10 to 300 seconds

Option: Format Extensions
Description: Specify the list of supported attachment extensions that this BlackBerry Enterprise Server supports for the attachment viewer.
Warning: If you turn off a distiller, you should also remove the file extension(s) for documents converted by that distiller from the Format Extensions field.

Option: Extended Logging
Description: Set the extended log to Enabled to enable the Attachment Service to write extended log information to the log file. See the BlackBerry Enterprise Server Troubleshooting Guide for more information.
Note: The Attachment Service logs successful conversions and any failures in the BlackBerry Messaging Agent log file by default. This setting is used only to enable extended logging for troubleshooting.

Tip: Click Default to return all fields to the original settings.

Note: You can modify attachment server settings only on the computer on which the Attachment Service is installed.

Option: Submit Port
Description: Type the TCP/IP port number that the Attachment Service uses to receive document submissions and for which it returns conversion results.
Note: This port number should be identical to the number in the Server Submit Port field in the Connector Configuration options.
Range: 1024 to 65,535

Option: Result Port
Description: Type the port number that the Attachment Service uses to send large attachment conversion data when polled from the attachment connector on the BlackBerry Enterprise Server.
Note: The port number for this setting must match the Server Result Port field in the Connector Configuration options.
Range: 1024 to 65,535

Option: Configuration Port
Description: Type the TCP/IP port number to use for configuration and administrative purposes.
Range: 1024 to 65,535

Option: Concurrent Caching
Description: Specify whether multiple requests for the same attachment can use the first cached copy of the attachment Document Object Model (DOM) in a conversion process for a new user.


4. Click OK.

5. Restart the Attachment Service.

Setting supported attachments

For an attachment to be viewable on the handheld, the attachment format must be included in the supported format list, and a distiller for that format must be installed. See the Attachment Distiller API Reference Guide for more information on writing custom distillers.

Supported file formats

The following file formats are supported by default:

Option: Document Cache Size (docs)
Description: Specify the maximum number of converted documents that might reside in the document cache (as DOM) for an individual conversion process.
If the same user retrieves more content from the same document within a few minutes of the initial request, subsequent requests are served from cache. The cache is maintained for 25 minutes (the default recycle time), or until a new request exceeds the cache limit for that process and the least recently used document in the cache is deleted.
All cached data is kept in memory only and the original document is never cached.
Tip: A larger cache size means that more memory is allocated to each running conversion process. The maximum file size of the attachments affects the cached memory used. Use the Max File Size (Kb) setting for individual attachment formats to limit the cache size memory usage for the running conversion processes.
Range: 1 to 128

Option: Conversion Processes
Description: Set the number of conversion processes that are available to the Attachment Service. A higher number of conversion processes enables more conversion requests to be handled concurrently.
Every conversion process allocates memory on startup and uses memory on conversion. This value should be set in relation to available memory and competing services on the computer running the Attachment Service.
Range: 1 to 64

Option: Max. Threads per Process
Description: Set the maximum number of document conversions per conversion process. The number of allowed document conversions defines how many concurrent conversions a single conversion process accepts. This setting helps to control thread saturation for a high volume BlackBerry Enterprise Server configuration and is also useful for managing Attachment Service workload in conjunction with the Busy Threshold (seconds) setting.
Range: 2 to 32

Option: Recycle Time (seconds)
Description: Set the timeout for the BBConvert process recycling to stop any processes consuming CPU that have not completed or failed processing when the timeout occurs.
Tip: Process recycling is also used by the Attachment Service to reclaim space used by the Attachment Service and prevent failed processes from keeping memory allocated.
Range: 300 seconds (5 minutes) to 3600 seconds (60 minutes)

Option: Busy Threshold (seconds)
Description: Set the threshold used to determine whether the Attachment Service is busy with conversion and should not accept new requests. The Attachment Service monitors the running conversion threads to check whether all conversion processes are busy when a new request arrives. When the threshold is reached, a "Server Busy, Retry" message displays.
Range: 60 seconds to 270 seconds

Option: Distiller Settings
Description: The distiller list displays all installed document-loading distillers for the Attachment Service along with the associated document extension and the maximum attachment size allowed. See "Set distiller" on page 46 for more information.

File format File Extensions

Adobe® Acrobat® versions 1.1, 1.2, 1.3, 1.4 .pdf


Remove support for a file format

1. On the taskbar, click Start > Programs > BlackBerry Enterprise Server > BlackBerry Server Configuration.

2. On the Attachment Server tab, from the Configuration Option drop-down list, select Connector Configuration.

3. In the Format Extension field, remove the file extension.

4. Click OK.

5. Restart the BlackBerry Dispatcher.

Set distiller

All supported distillers (one distiller per supported file format) are enabled by default. A check mark signifies that the distiller is enabled.

Turning off an Attachment Service distiller file prevents the use of any attachment in the format that is converted by that distiller. For example, if you turn off the .pdf distiller, Adobe .pdf attachments are no longer supported on the handheld.

1. On the taskbar, click Start > Programs > BlackBerry Enterprise Server > BlackBerry Server Configuration.

2. On the Attachment Server tab, from the Configuration Option drop-down list, select Attachment Server.

3. In the Distiller Settings section, perform one of the following actions:

4. Click OK.

Microsoft Excel versions 97, 2000, 2003, XP .xls

Microsoft PowerPoint® versions 97, 2000, 2003, XP .ppt

Microsoft Word versions 97, 2000, 2003, XP .doc, .dot

Corel® WordPerfect® versions 6.0, 7.0, 8.0, 9.0(2000) .wpd

ASCII text .txt

HTML .html, .htm

ZIP archives .zip

Images .bmp, .jpg, .gif, .png, .tif

Note: If your mail system is connected to a document management system that enforces extension renaming, you can add to the format list to support arbitrary extensions.

Warning: If you turn off a distiller, you should also remove the file extension for documents that are converted by that distiller from the Format Extension field in the Connector Configuration screen.

If you turn off a distiller, but the associated file extension is supported (in other words, it appears in the Format Extension field), Open Attachment still appears on the handheld menu when the handheld receives an attachment with that extension. If the user clicks Open Attachment, an "Error unknown file format" message appears and is logged. See the BlackBerry Enterprise Server Troubleshooting Guide for more information.

Action: Enable a distiller.
Procedure: Select the check box.

Action: Turn off a distiller.
Procedure: Clear the check box.

Tip: To enable all image formats, select the Image Attachments check box.


5. Restart the Attachment Service.

Set the maximum file size for a distiller setting

The recommended file size is based on the number of users on the BlackBerry Enterprise Server, the number of users requesting attachments, reasonable response time, server hardware, and document complexity. You can change the maximum file size for each distiller setting.

1. On the taskbar, click Start > Programs > BlackBerry Enterprise Server > BlackBerry Server Configuration.

2. On the Attachment Server tab, from the Configuration Option drop-down list, select Attachment Server.

3. In the Distiller Settings section, in the Max. File Size (Kb) column, click the file size value beside the distiller that you are modifying, and then type a value.

Recommended file size for heavy usage BlackBerry Enterprise Server environments

A BlackBerry Enterprise Server environment experiencing the following demands meets the definition of a heavy usage environment:

• multiple users requesting conversions for large or complex attachments (especially .pdf and ASCII text files larger than 2 MB), and either

• multiple users requesting the same large or complex documents in the same time frame (0 to 10 minutes) while large conversions are being processed or multiple users requesting different documents in the same time frame (0 to 10 minutes) while large conversions are being processed.

Note: If an attachment exceeds the defined size, the user receives a "Document Conversion Failed. Retry" message and an "Attachment Size Exceeds Specific Value" message is logged in the BlackBerry Enterprise Server log file.

Tip: The default value of 0 enables an unlimited file size.

File format Recommended size

Adobe Acrobat versions 1.1, 1.2, 1.3, 1.4 less than 2000 KB

Microsoft Excel versions 97, 2000, 2003, XP less than 2000 KB

Microsoft PowerPoint versions 97, 2000, 2003, XP less than 2000 KB

Microsoft Word versions 97, 2000, 2003, XP less than 2000 KB

Corel WordPerfect versions 6.0, 7.0, 8.0, 9.0(2000) less than 2000 KB

ASCII text less than 100 KB

HTML less than 100 KB

ZIP archives less than 2000 KB

Images less than 2000 KB
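The cross-checks that the tables, notes and warnings in this chapter imply (documented ranges, matching Submit and Result ports, extensions left in the Format Extensions field after a distiller is turned off, and file-size limits against the heavy-usage guidance), written as an added Python example that is not part of the guide or of the BlackBerry software. The dict layout, key names and sample values are assumptions: the settings are transcribed by hand from BlackBerry Server Configuration, and distillers are keyed by the file format names in the guide's tables.

```python
# Added example. The dict layout and key names are hypothetical: values are
# transcribed by hand from the Attachment Server tab of BlackBerry Server Configuration.
PORT = (1024, 65535)
RANGES = {  # ranges taken from the guide's option tables
    "connector": {"server_submit_port": PORT, "server_result_port": PORT,
                  "polling_time_s": (10, 300)},
    "attachment_server": {"submit_port": PORT, "result_port": PORT,
                          "configuration_port": PORT,
                          "document_cache_size": (1, 128),
                          "conversion_processes": (1, 64),
                          "max_threads_per_process": (2, 32),
                          "recycle_time_s": (300, 3600),
                          "busy_threshold_s": (60, 270)},
}
# Connector fields that must carry the same number as an Attachment Service field.
MUST_MATCH = [("server_submit_port", "submit_port"),
              ("server_result_port", "result_port")]
# Default formats: extensions, and the heavy-usage guidance ("less than N KB").
DISTILLERS = {
    "Adobe Acrobat": ((".pdf",), 2000),
    "Microsoft Excel": ((".xls",), 2000),
    "Microsoft PowerPoint": ((".ppt",), 2000),
    "Microsoft Word": ((".doc", ".dot"), 2000),
    "Corel WordPerfect": ((".wpd",), 2000),
    "ASCII text": ((".txt",), 100),
    "HTML": ((".html", ".htm"), 100),
    "ZIP archives": ((".zip",), 2000),
    "Images": ((".bmp", ".jpg", ".gif", ".png", ".tif"), 2000),
}
EXT_TO_DISTILLER = {ext: name
                    for name, (exts, _) in DISTILLERS.items() for ext in exts}


def audit(cfg):
    """Return a list of (code, detail) findings for one transcribed configuration."""
    findings = []
    # 1. Every numeric setting must fall inside its documented range.
    for section, fields in RANGES.items():
        for key, (low, high) in fields.items():
            value = cfg[section].get(key)
            if not isinstance(value, int) or not low <= value <= high:
                findings.append(
                    ("RANGE", f"{section}.{key}={value!r} is outside {low}..{high}"))
    # 2. The connector and the Attachment Service must agree on both ports.
    for conn_key, srv_key in MUST_MATCH:
        if cfg["connector"].get(conn_key) != cfg["attachment_server"].get(srv_key):
            findings.append(
                ("PORT_MISMATCH", f"connector.{conn_key} != attachment_server.{srv_key}"))
    # 3. An extension still listed for a turned-off distiller keeps Open Attachment
    #    on the handheld menu and ends in "Error unknown file format".
    distillers = cfg["attachment_server"]["distillers"]
    for ext in cfg["connector"]["format_extensions"]:
        name = EXT_TO_DISTILLER.get(ext.lower())
        if name is None:
            findings.append(
                ("EXT_CUSTOM", f"{ext} is not a default extension; confirm a distiller handles it"))
        elif not distillers.get(name, {}).get("enabled", False):
            findings.append(
                ("EXT_WITHOUT_DISTILLER", f"{ext} is listed but the {name} distiller is off"))
    # 4. Max. File Size (Kb): 0 means unlimited; compare the rest with the guidance.
    for name, state in distillers.items():
        if not state.get("enabled"):
            continue
        size = state.get("max_file_size_kb", 0)
        limit = DISTILLERS.get(name, (None, None))[1]
        if size == 0:
            findings.append(("UNLIMITED_SIZE", f"{name}: no maximum file size is set"))
        elif limit is not None and size >= limit:
            findings.append(
                ("SIZE_ABOVE_GUIDANCE", f"{name}: {size} KB, guidance is less than {limit} KB"))
    return findings


# Constructed sample values, not defaults from the guide.
SAMPLE = {
    "connector": {"server_submit_port": 1900, "server_result_port": 2000,
                  "polling_time_s": 5,
                  "format_extensions": [".pdf", ".doc", ".txt", ".dm1"]},
    "attachment_server": {
        "submit_port": 1900, "result_port": 2001, "configuration_port": 1998,
        "document_cache_size": 16, "conversion_processes": 4,
        "max_threads_per_process": 8, "recycle_time_s": 1500,
        "busy_threshold_s": 120,
        "distillers": {
            "Adobe Acrobat": {"enabled": False, "max_file_size_kb": 1500},
            "Microsoft Word": {"enabled": True, "max_file_size_kb": 1500},
            "ASCII text": {"enabled": True, "max_file_size_kb": 0},
        },
    },
}

if __name__ == "__main__":
    for code, detail in audit(SAMPLE):
        print(f"{code:22} {detail}")
```

The size findings apply the heavy-usage guidance from the table above; in a lightly loaded environment they are informational.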


6

Managing HTTP browsing and push

Starting the Mobile Data Service

Enable the Mobile Data Service on the server and on user accounts to provide users access to online content and applications on the corporate intranet or Internet.

Enable or disable on the server

1. In the BlackBerry Manager, right-click a server.

2. Perform one of the following actions:

Enable or disable on user accounts

1. In the BlackBerry Manager, click a server.

2. In the User Name list, right-click a user.

3. Perform one of the following actions:

• Starting the Mobile Data Service
• Managing data connections
• Managing connections to servers
• Managing authentication
• Managing push
• Managing pull

Note: To use the Mobile Data Service, a user's handheld must contain the appropriate IPPP service book entries. On the C++-based handhelds, these service books are installed by default. On the Java-based handhelds, the Internet Protocol Proxy Protocol (IPPP) service book must be provisioned by the network operator as part of handheld registration. See the BlackBerry Enterprise Server Feature and Technical Overview for more information on supported networks, handheld versions, and handheld and desktop software versions.

Warning: The service account used to install the Mobile Data Service requires permission to read from and write to the BlackBerry Manager database.

Action: Enable the Mobile Data Service.
Procedure: Click Enable Mobile Data Service.
Note: You must also enable the Mobile Data Service on user accounts before users on the server have the Mobile Data Service enabled on their handhelds.

Action: Disable the Mobile Data Service.
Procedure: Click Disable Mobile Data Service.

Tip: Hold CTRL to select multiple users at the same time.


Managing data connections

Set parameters to control how the Mobile Data Service manages data from the Internet, intranet, or routed through a corporate proxy server.

Change Mobile Data Service connection settings

1. In the BlackBerry Manager, right-click a server, and then click Mobile Data Service Properties.

2. On the General tab, modify the desired values.

Action: Enable the Mobile Data Service.
Procedure: Click Enable Mobile Data Service.

Action: Disable the Mobile Data Service.
Procedure: Click Disable Mobile Data Service.

Warning: Change the default port parameters only if there is a port conflict with another service on the same computer. If you change port or host information, the BlackBerry Enterprise Server stops and restarts the Mobile Data Service to reload the configuration information.

Option: Host
Description: The host name of the BlackBerry Enterprise Server.
Default: -

Option: Port
Description: The port on which the BlackBerry Enterprise Server listens.
Warning: If the BlackBerry Enterprise Server host name and port number do not appear by default in the Host and Port fields, you might not have started the BlackBerry Dispatcher service. If this is the case, close the Mobile Data Service Properties window, start the BlackBerry Dispatcher service, and then reopen the Mobile Data Service Properties window.
Default: 3200

Option: Push Server Connection Listen Port
Description: The port on which the push server receives push requests from the destination web server.
Default: 81

Option: Web Server Listen Port
Description: The port number on which the web server listens for requests from push applications.
Warning: Notify your push application developer if you change the web server listen port number.
Default: 8080

Option: Web Server SSL Listen Port
Description: The port number on which the web server receives HTTPS requests from handhelds.
Default: 8443

Option: Maximum number of kilobytes per connection
Description: The maximum number of kilobytes that can be sent to the handheld for each Mobile Data Service connection.
Default: 256

Option: Flow control timeout (milliseconds)
Description: The length of time, in milliseconds, that the handheld has to send an acknowledgement before the Mobile Data Service discards all pending content to the handheld.
Default: 600,000


Change connection timeouts

1. In the BlackBerry Manager, right-click a server, and then click Mobile Data Service Properties.

2. On the HTTP tab, modify the desired values.

Change cookie support

1. In the BlackBerry Manager, right-click a server, and then click Mobile Data Service Properties.

2. On the HTTP tab, select the Allow the Mobile Data Service to handle HTTP Cookie storage check box. The Mobile Data Service manages HTTP cookie storage, reducing the load on the handheld.

3. Click Apply.

Configure connections through a proxy server

1. In the BlackBerry Manager, right-click a server, and then click Mobile Data Service Properties.

2. On the Proxy tab, modify the desired values.

Assign a URL to a proxy server or a group of proxy servers

You can assign URLs to a proxy server or a group of proxy servers.

1. In the BlackBerry Manager, right-click a server, and then click Mobile Data Service Properties.

2. On the Proxy tab, select the Use an HTTP Proxy Server for MDS traffic check box.

3. Select the Use Manual HTTP Proxy Configuration option.

Option: HTTP handheld connection timeout (milliseconds)
Description: The length of time, in milliseconds, that the HTTP connection waits for the handheld to send data.
Default: 120,000

Option: HTTP server connection timeout (milliseconds)
Description: The length of time, in milliseconds, that the HTTP connection waits for the origin server to send data.
Default: 120,000

Option: Maximum number of redirects
Description: The maximum number of HTTP redirections that the Mobile Data Service supports.
HTTP redirection occurs when the BlackBerry Browser requests a web page from the web server and the web server returns a redirection status code to the BlackBerry Browser to indicate the new URL for the web page.
Default: 5

Option: Use an HTTP Proxy Server for MDS traffic
Description: Enables the Mobile Data Service to use a proxy server for communication between the Mobile Data Service and an intranet or the Internet.

Option: Use Manual HTTP Proxy Configuration
Description: If you selected Use an HTTP Proxy Server for MDS traffic, select this option to configure the HTTP proxy server.
Type a host name and port numbers in the fields provided for the HTTP Proxy Server.
Range: 1 to 65,535

Option: Use HTTP Proxy Server Auto Configuration
Description: If you selected Use an HTTP Proxy Server for MDS traffic, select this option to configure the Mobile Data Service to use a Proxy Auto-Configuration (PAC) file, which explicitly identifies how particular destinations are accessed.
Select either Automatically Detect Proxy Server to automatically detect the proxy server or select URL and type the URL to specify the location of the PAC file.


4. Type the host name and a port number for the default proxy server in the fields.

5. Click View/Update Proxy Mappings.

6. Click New Proxy Mapping.

7. To type the URL, perform one of the following actions:

8. Select the Specify custom proxy settings option.

9. Type the host name and port for the proxy server in the field.

10. Click OK.

11. Click Apply.

Configure a URL to bypass the proxy server

1. In the BlackBerry Manager, right-click a server, and then click Mobile Data Service Properties.

2. On the Proxy tab, select Use an HTTP Proxy Server for MDS traffic.

3. Select the Use Manual HTTP Proxy Configuration option.

4. Type a host name and a port number.

5. Click View/Update Proxy Mappings.

6. To specify the URL, perform one of the following actions:

7. Select Exclude from proxy. The URL is not sent through the proxy server but is sent directly to the origin server.

8. Click OK.

9. Click Apply.

Note: URLs that are not listed in the Proxy Mappings window are routed through the default proxy server specified in the Manual HTTP Proxy Configuration.

Action: Use the template to set the URL.
Procedure:
1. Select the Use Template option.
2. Modify the desired values:
• Scheme: Type the protocol for the URL.
Note: Only HTTP and HTTPS schemes are applicable.
• Host name: Type the host name or IP address for the URL.
• Port: Type the port number for the URL.
• Path: Type the URL path name.

Action: Use a custom regular expression to set the URL.
Procedure:
1. Select the Use custom regular expression option.
2. Type the URL in the following format: scheme://host name:port/path/?query.

Action: Use the template URL.
Procedure: Select the Use Template option.

Action: Use the custom regular expression URL.
Procedure: Select the Use custom regular expression option.

Tip: To edit a proxy mapping, click View/Update Proxy Mappings > Delete Proxy Mapping, and then add the URL again.


Managing connections to servers

Change LDAP settings

Directory Access Protocol (DAP) is an industry-standard method for accessing X.500 directory listings. Such information is stored in an LDAP-compliant directory, and consists of user profiles and approved certificates.

1. In the BlackBerry Manager, right-click a server, and then click Mobile Data Service Properties.

2. On the LDAP tab, modify the desired values.

Change OCSP settings

OCSP is used to query the current status of certificates. Developers use OCSP to find out if a stored certificate is currently valid, or if it is revoked and can no longer be trusted. The Certificate Revocation List (CRL) is a large file that lists the status of all certificates that are revoked.

1. In the BlackBerry Manager, right-click a server, and then click Mobile Data Service Properties.

2. On the OCSP tab, modify the desired values.

Change security settings

SSL and its new version, TLS, are both protocols that are used to enable the client and the server to negotiate a secure connection over which data can be safely exchanged at the socket level.

To establish a secure, private conversation with a server, the handheld uses HTTPS. When a user types https:// (instead of http://) in a URL on the handheld, the client-server connection request is initiated using secure HTTP (HTTP over TLS/SSL protocols).

1. In the BlackBerry Manager, right-click a server, and then click Mobile Data Service Properties.

Warning: Do not change the default port parameters unless there is a port conflict with another service on the same computer. If you change port or host information, the BlackBerry Enterprise Server stops and restarts the Mobile Data Service to reload the configuration information.

Field Description

Host Name Type the name of the default LDAP Server. When there is no LDAP server specified in a query URL (LDAP:///), the request is sent to this server automatically.

Port Type the port on which the default LDAP server listens. If you provide a host name, you must specify a port number.

Default Server Base Query

Type the default base query for the default server. Each LDAP server can host multiple domains, but can only search in one of them at a time, so you must set a default query.

Query Limit The maximum number of entries that are returned for each base query.

Enable Data Compression

Enables compression of the result data stream.

Option Description

Use Device Responders Enables the OCSP handler to accept OCSP responders that are specified by the handheld. These responders are not considered to be secondary responders.

Use Certificate Extension Responders

Enables the OCSP handler to use the OCSP responder extension in the certificate (if a certificate is present). This is considered only if the primary responder does not respond.

Default Responder URL Type a default responder URL. This URL specifies an OCSP responder's URL.


2. On the TLS/HTTPS tab, modify the desired values.

Add a certificate to the Mobile Data Service key store to permit untrusted connections

1. Copy the certificate from a secure web site to a .cer file.

2. Copy the certificate file into the j2re1.4.2\lib\security folder on the computer on which the Mobile Data Service is installed.

3. Import the certificate into the key store using the keytool, which is installed in the JRE bin folder, (typically, <drive:>\Program Files\Java\j2re1.4.2\bin). For example, type keytool -import -trustcacerts -alias <alias_name> -file <cert_filename> -keystore cacerts.

4. Type the key store password.

5. At the Trust this certificate prompt, click Yes. The certificate is added to the key store.

Visit http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html for more information on using the keytool.

Accept an SSL connection from the push application

The BlackBerry Server Configuration tool creates a keystore file, which enables the push application to establish an SSL connection with the Mobile Data Service when pushing content to the handheld.

1. On the taskbar, click Start > Programs > BlackBerry Enterprise Server > BlackBerry Server Configuration.

2. On the Mobile Data Service tab, modify the desired values.

3. Click Create Keystore File.

4. If prompted, click Yes to overwrite the existing keystore file.

5. Click OK.

Option Description

Allow outbound connections to untrusted servers over HTTPS

This option enables the Mobile Data Service to encrypt the request sent to an untrusted server (on behalf of the handheld) using HTTPS.

Note: Untrusted servers are those servers for which no certificate is stored.

Allow outbound connections to untrusted servers over TLS

This option enables the Mobile Data Service to encrypt the request sent to an untrusted server (on behalf of the handheld) using TLS.

Warning: The keytool utility is not created or supported by Research In Motion.

Note: Only one keystore file can exist. The file must be called webserver.keystore and must be located at <drive:>\Program Files\Research in Motion\BlackBerry Enterprise Server\MDS. If you create a new keystore file, the existing file is overwritten.

Action: Set the keystore file password.
Procedure: In the Password field, type a password. The password must be at least six characters.

Action: Confirm the keystore file password.
Procedure: In the Confirm field, type the password again.

Action: Set user name.
Procedure: In the User Name field, type the user name of the keystore.

Action: Set company name.
Procedure: In the Organization field, type the company name.

Action: Set country.
Procedure: In the Country field, type the country name.


Managing authentication

Set HTTP authentication

1. In the BlackBerry Manager, right-click a server, and then click Mobile Data Service Properties.

2. On the HTTP tab, modify the desired values.

Configure network authentication

The Mobile Data Service supports HTTP basic authentication, NTLM, and Kerberos authentication methods. Lightweight Third-Party Authentication (LTPA) is supported if cookie storage is enabled.

When network authentication is enabled, the handheld uses standard Internet protocols to link to the BlackBerry Enterprise Server as usual. The BlackBerry Enterprise Server, with Mobile Data Service enabled, then proxies the network authentication to a web server using the native method of that server. The web server determines which authentication method to use (NTLM, Kerberos or HTTP Basic) to access its content. If the Mobile Data Service is not configured to authenticate on behalf of the web server, then the handheld can authenticate using HTTP basic authentication, requiring users to log in with a user name and password.

NTLM authentication

Configure NTLM using the standard Java Authentication and Authorization Service (JAAS) configuration file, which is installed in the following location by default:

<drive:>\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\ServerInstance\config\MdsLogin.conf.

Visit http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/LoginConfigFile.html for more information on the JAAS configuration file.

The MdsLogin.conf file lists the three login modules used by the Mobile Data Service and the application(s) for which they are used:

• Kerberos 5 login module for JAAS (com.sun.security.auth.module.Krb5LoginModule)

• NTLM authentication module for JAAS (net.rim.security.auth.module.ntlm.NtlmLoginModule)

• a clear password login module for JAAS (net.rim.security.auth.module.pwd.PwdLoginModule)

Option Description

Allow the Mobile Data Service to support HTTP Authentication

Enables the Mobile Data Service to perform authentication with the proxy server or content server on behalf of handhelds when an HTTP request is sent from the handheld.

This option enables authentication information storage by default. Enable this option to support network authentication.

Warning: In the case of an authentication failure, in which no valid name and password pair is found for a particular domain, the authentication failure is sent to the handheld. This failure notice alerts the handheld user that the name and password pair could not be found.

HTTP authentication timeout (milliseconds)

The length of time, in milliseconds, before the authentication information stored on the proxy or content server is removed.


Kerberos authentication

Configure Kerberos 5 using the standard Kerberos 5 configuration file (krb5.conf), which is installed in the following location by default:

<drive:>\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\ServerInstance\config\krb5.conf

Visit http://web.mit.edu/kerberos/www/krb5-1.3/krb5-1.3.3/doc/krb5-admin.html for more information on the Kerberos 5 file.

Note: Kerberos requires Microsoft® Windows® 2000 or 2003.

The Kerberos 5 configuration file that is provided with the Mobile Data Service installation includes the following section:

Section: [libdefaults]
Description: This section contains default values used by the Kerberos 5 library. The encryption key types that are supported are listed in the subsections.

Subsection: default_tkt_enctypes
Description: This value defines the supported encryption types that should be requested by the client.
• des3-hmac-sha1
• des-cbc-md5
• des-cbc-crc
Note: Visit http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.5/doc/admin.html for a complete list of available values.

Subsection: default_tgs_enctypes
Description: This value defines the supported encryption types that should be returned by the Key Distribution Center (KDC) host (a computer issuing Kerberos tickets).
• des3-hmac-sha1
• des-cbc-md5
• des-cbc-crc

Section: [realms]
Description: This section contains subsections describing information specific to case-sensitive Kerberos realm names. Each subsection describes realm-specific information, including the location of the Kerberos servers for that realm. For each realm, you can specify the KDC host and an optional port number. A Kerberos realm is an administrative domain/site with its own Kerberos database containing information about its users and services.

Set proxy server authentication

1. In the BlackBerry Manager, right-click a server, and then click Mobile Data Service Properties.

2. On the Proxy tab, select the Use an HTTP Proxy Server for MDS traffic check box.

3. Select the Use Mobile Data Service for Authentication check box.

4. In the User name field, type a user name.

5. In the Password field, type a password.

6. Type the password again.

7. Click Apply.

Note: If the Allow the Mobile Data Service to support HTTP Authentication check box is cleared, MDS authentication is disabled automatically.
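The krb5.conf file described under Kerberos authentication lists single-DES and triple-DES encryption types. The following Python sketch is an added example, not part of the guide or of RIM's software: it parses a krb5.conf and reports which configured encryption types are single DES or triple DES and which realms have no KDC entry. The realm name and KDC host in the sample are placeholders, and the weak/legacy classification is an assumption of this example based on RFC 6649 and RFC 8429.

```python
import re

# Constructed sample: the enctype lists are the ones shown in the guide's table;
# the realm name and KDC host are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-md5 des-cbc-crc

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com:88
    }
"""

# Classification used by this example (an assumption of the example, not RIM's):
# single-DES enctypes were deprecated for Kerberos by RFC 6649, 3DES by RFC 8429.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
TRIPLE_DES = {"des3-hmac-sha1", "des3-cbc-sha1", "des3-cbc-sha1-kd"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes")


def parse_krb5_conf(text):
    """Parse [libdefaults] key/value pairs and [realms] blocks from krb5.conf text."""
    libdefaults, realms = {}, {}
    section = realm = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1), None
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            libdefaults[key] = value
        elif section == "realms":
            opening = re.fullmatch(r"(\S+)\s*=\s*\{", line)
            if opening:                          # "REALM = {" starts a realm block
                realm = opening.group(1)
                realms[realm] = {}
            elif line == "}":
                realm = None
            elif realm is not None and "=" in line:
                key, value = (part.strip() for part in line.split("=", 1))
                realms[realm].setdefault(key, []).append(value)
    return libdefaults, realms


def audit_krb5_conf(text):
    """Return (setting, value, finding) tuples for DES/3DES enctypes and realms without a KDC."""
    libdefaults, realms = parse_krb5_conf(text)
    findings = []
    for key in ENCTYPE_KEYS:
        if key not in libdefaults:
            findings.append((key, "", "not set: library defaults apply"))
            continue
        # Enctype lists may be separated by whitespace or commas.
        for enctype in filter(None, re.split(r"[,\s]+", libdefaults[key])):
            if enctype.lower() in SINGLE_DES:
                findings.append((key, enctype, "single DES"))
            elif enctype.lower() in TRIPLE_DES:
                findings.append((key, enctype, "triple DES"))
    for name, settings in realms.items():
        if not settings.get("kdc"):
            findings.append(("realms", name, "no kdc entry"))
    return findings


if __name__ == "__main__":
    for setting, value, finding in audit_krb5_conf(SAMPLE_KRB5_CONF):
        print(f"{setting}: {value} -> {finding}")
```

Run it against a copy of the deployed krb5.conf and compare the result with the encryption types the KDC is configured to issue.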


Managing push

The Mobile Data Service provides capabilities for push applications. Push applications send content from a server to a handheld without first being prompted by a handheld user.

Push service overview

The Mobile Data Service implements the Push Access Protocol (PAP) (Wireless Application Protocol (WAP) version 2.0) to push content to the handheld. Developers can also use the RIM push service to push content to the handheld. Both push service implementations support the following tasks:

• sending a server-side push submission

• specifying reliability mode for the push submission (transport-level versus application-level reliability)

• specifying the deliver-before time stamp for the push submission, which assigns a date and time that content must be delivered

• requesting a result notification of the push submission

See the BlackBerry Java Development Environment version 3.6 Developer Guide, Volume 1: Fundamentals for more information on writing server-side push applications.

You can also use the PAP to send an HTTP POST request. The PAP push service supports the following additional tasks:

• specifying the deliver-after time stamp for the push submission

• cancelling a push submission that has already been sent to the Mobile Data Service

• querying the status of a push submission

Download the Wireless Application Protocol (WAP-247-PAP-20010429-1) from http://www.wapforum.org/what/technical.htm for more information on writing server-side push applications using the PAP.

Download the PAP 2.0 DTD from http://www.wapforum.org/DTD for information on the WAP Push DTDs for version 2.0.

Enable or disable the push server

The push server receives push requests from applications, and a connection is then established to the handheld through which data can be sent.

1. In the BlackBerry Manager, right-click a server, and then click Set as Mobile Data Service Push Server.

If the Push Server is enabled, the Set as Mobile Data Service Push Server option has a check mark beside it on the server's Action menu. If the Set as Mobile Data Service Push Server option is disabled, the check mark does not appear.

2. Click Yes. The service restarts automatically.

Warning: If you change the push server, you should notify your push application developer. Push applications need to use the correct push server.

Warning: You can enable centralized push for only one Mobile Data Service in a system.


Start and stop the Database Consistency Service

The Database Consistency Service updates users' email-to-PIN mapping automatically in the BlackBerry Enterprise Server configuration database.

1. In the BlackBerry Manager, right-click a server.

2. Click Set as Mobile Data Service Push Server.

3. Right-click the server again, and then perform one of the following actions:

Action: Start the Database Consistency Service
1. Click Service Control.
2. Click Start Service.
3. Click BlackBerry Database Consistency Service.

Action: Stop the Database Consistency Service
1. Click Service Control.
2. Click Stop Service.
3. Click BlackBerry Database Consistency Service.
4. Click Yes.

Note: The Database Consistency Service is automatically started if the push server is enabled.

Set email-to-PIN update

Change the frequency with which the Database Consistency Service updates users' email-to-PIN mapping automatically in the configuration database. By default, if the BlackBerry Enterprise Server is enabled as the Mobile Data Service centralized push server, the email-to-PIN mapping is updated every 24 hours.

1. In the BlackBerry Manager, right-click a server, and then click Mobile Data Service Properties.

2. On the Push Server tab, in the Update the Email-to-PIN mapping every field, type a number of hours to specify the frequency with which the configuration database is updated.

3. Click Apply.

Note: The Push Server tab only appears for a BlackBerry Enterprise Server that has been enabled as the Mobile Data Service centralized push server.

Store and delete push submissions

1. In the BlackBerry Manager, right-click a server, and then click Mobile Data Service Properties.

2. On the PAP tab, modify the desired values.

Option: Store Push Submissions in the database
Description: Specifies whether push requests sent to the handheld using the Push Access Protocol are stored in the configuration database.
Note: If you use the deliver-after timestamp, or specify a status query or cancellation in your push request, you must select this option.

Option: Purge submissions older than (minutes)
Description: The age, in minutes, of push submissions that are eligible for purging from the database.
Default: 1440

Option: Time between purge operations (minutes)
Description: The length of time, in minutes, between operations that purge push submissions from the database.
Default: 720


Control traffic from the Mobile Data Service

1. In the BlackBerry Manager, right-click a server, and then click Mobile Data Service Properties.

2. On the Access Control tab, modify the desired values.

Option: Authentication Enabled
Description: Restricts the push initiators that can access the Mobile Data Service to push content to users.

Option: Authorization Enabled (requires Authentication)
Description: Restricts push initiators from pushing content to particular handhelds.
Note: To push content to the Mobile Data Service, the push application must enter the Authorization HTTP header in the push request submitted to the Mobile Data Service. The Authorization header is in HTTP Basic authentication format. The Authorization header contains the authentication information that the Mobile Data Service requires for the push initiator to push content to the handheld.

Option: Encryption Enabled
Description: Encrypts the push request using SSL or TLS.

3. Perform one of the following actions:

Action: Create a new role.
1. Click Configure Roles.
2. Click Add Role.
3. Type the name of the role in the Name field.
4. Type a description for the role above in the Description field.
5. Click OK.
6. Click OK again.

Action: Assign a user to a role.
1. Click Configure Roles.
2. Click Edit Role.
3. In the Enabled Users field, click the users that can receive push content from the push initiators associated with this role.
4. Click OK.
5. Click OK again.

Action: Create a push initiator.
1. Click Configure Push Initiators.
2. Click Add Initiator.
3. Type the name of the push initiator in the Name field.
4. Type the password for the push initiator in the Password field.
5. Type the description for the push initiator in the Description field.
6. Click OK.
7. Click OK again.

Action: Assign the role to a push initiator.
1. Click Assign Roles.
2. Select a push initiator from the list.
3. Click Assign Roles.
4. Select the roles for the push initiator.
5. Click OK.
6. Click OK again.


Managing pull

Control traffic to the Mobile Data Service

1. In the BlackBerry Manager, right-click a server, and then click Mobile Data Service Properties.

2. On the Access Control tab, modify the desired value.

Option: Authorization Enabled
Description: Restricts the URLs requested by BlackBerry users connecting to an intranet, or the Internet using HTTP, HTTPS, TCP, LDAP, and OCSP services.

3. Perform one of the following actions:

Action: Create a new role.
1. Click Configure Roles.
2. Click Add Role.
3. Type the name of the role in the Name field.
4. Type a description for the role above in the Description field.
5. Click OK.
6. Click OK again.

Action: Assign a URL to the role.
1. Click Configure Roles.
2. Click Edit Role.
3. Click Add URL.
4. From the drop-down list, select one of the following options:
• HTTP: User requests a connection to an HTTP site. The Mobile Data Service provides access to content on the Internet and corporate intranet using a standard Internet protocol such as HTTP.
• HTTPS: User requests a connection to an HTTPS site when SSL or TLS are enabled in proxy mode.
• TCP: User requests a connection to an HTTPS site when TLS is enabled in end-to-end mode.
• LDAP: User attempts to access a user profile or certificate from the LDAP directory.
• OCSP: User attempts to verify the revocation status of a certificate from their handheld. Certificate revocation status is retrieved from the OCSP server.
5. In the URL field, type the URL for the role using the hostname:port/path format. For example, to specify all paths, use the wildcard character (*): hostname:port/*.
6. From the Policy drop-down menu, select one of the following:
• Allow: The user assigned to this role is permitted access to the identified URL.
Note: If you created a different role that denies access to this URL, the user assigned to this role is not permitted access to the URL.
• Deny: The user assigned to this role is not permitted access to the identified URL.
7. Click OK.
8. Click OK again.
9. Click OK again.

Action: Assign the role to a user.
1. Click Assign Roles.
2. Select the user's email address from the user list.
3. Click Assign Roles.
4. Select the roles for the user.
5. Click OK.
6. Click OK again.
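The note in the Assign a URL to the role procedure means that a Deny in any of a user's roles overrides an Allow in another. The following Python model is an added example, not RIM's implementation, and shows how to check a planned role set for that interaction before entering it in the BlackBerry Manager. The role names, users and hosts are constructed, and the wildcard semantics (* matches any run of characters, everything else is literal) are an assumption of the example; the guide does not state what happens when no rule matches, so that case is reported separately as NoMatch.

```python
import re
from dataclasses import dataclass

SERVICES = ("HTTP", "HTTPS", "TCP", "LDAP", "OCSP")   # options in the drop-down list


@dataclass(frozen=True)
class UrlRule:
    service: str   # one of SERVICES
    pattern: str   # hostname:port/path, where * is the wildcard character
    policy: str    # "Allow" or "Deny"

    def __post_init__(self):
        if self.service not in SERVICES:
            raise ValueError(f"unknown service {self.service!r}")
        if self.policy not in ("Allow", "Deny"):
            raise ValueError(f"unknown policy {self.policy!r}")

    def matches(self, service, target):
        """Assumed semantics: * matches any run of characters, the rest is literal."""
        if service != self.service:
            return False
        regex = ".*".join(re.escape(piece) for piece in self.pattern.split("*"))
        return re.fullmatch(regex, target) is not None


# Constructed sample data (hypothetical role names, users and hosts).
ROLES = {
    "intranet-users": [UrlRule("HTTP", "intranet.example.com:80/*", "Allow")],
    "no-hr-access": [UrlRule("HTTP", "intranet.example.com:80/hr/*", "Deny")],
    "directory-lookup": [UrlRule("LDAP", "ldap.example.com:389/*", "Allow")],
}
USER_ROLES = {
    "alice@example.com": ["intranet-users", "directory-lookup"],
    "bob@example.com": ["intranet-users", "no-hr-access"],
}


def matching_rules(user, service, target):
    """Every (role, rule) pair assigned to the user that matches the request."""
    return [
        (role, rule)
        for role in USER_ROLES.get(user, [])
        for rule in ROLES[role]
        if rule.matches(service, target)
    ]


def decide(user, service, target):
    """Return "Deny" if any matching rule denies, else "Allow" if any allows, else "NoMatch"."""
    policies = {rule.policy for _, rule in matching_rules(user, service, target)}
    if "Deny" in policies:
        return "Deny"
    if "Allow" in policies:
        return "Allow"
    return "NoMatch"


def overridden_allows(user, service, target):
    """(allowing role, denying role) pairs where the Deny cancels the Allow."""
    hits = matching_rules(user, service, target)
    allows = [role for role, rule in hits if rule.policy == "Allow"]
    denies = [role for role, rule in hits if rule.policy == "Deny"]
    return [(a, d) for a in allows for d in denies]


if __name__ == "__main__":
    request = ("HTTP", "intranet.example.com:80/hr/payroll")
    for user in USER_ROLES:
        print(user, decide(user, *request), overridden_allows(user, *request))
```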


7: Managing security

• Enable or disable S/MIME encryption
• Changing encryption keys
• Generate the master encryption key

Enable or disable S/MIME encryption

You must enable S/MIME encryption on the server before you can enable S/MIME for the users on the server.

If S/MIME encryption is disabled on the server, it is disabled for all users on the server. When you disable S/MIME encryption on the server, users on the server can still send and receive encrypted messages until they connect their handhelds to their desktop computers.

Warning: Before users can send and receive S/MIME messages, they must install the BlackBerry Desktop Software with S/MIME Support and update their handhelds to support S/MIME services. After S/MIME is enabled, they can send and receive encrypted messages, attach a signature to outgoing messages, and perform wireless certificate searches. If you enable or disable S/MIME on a BlackBerry Enterprise Server, the user must connect the handheld to the computer if the handheld is not running Handheld Software version 4.0.

Action: Enable S/MIME encryption on the server.
1. In the BlackBerry Manager, right-click a server, and then click BlackBerry Server Properties.
2. On the Email Options tab, select the Support S/MIME encrypted messages on this server check box.
3. Click OK.

Action: Enable S/MIME encryption on user accounts.
1. Enable S/MIME encryption on the server.
2. Verify that the user installed the BlackBerry Desktop Software with S/MIME Support and updated the handheld to support S/MIME services. The S/MIME feature is enabled automatically for the user in the BlackBerry Manager.
Notes: You can verify the updated settings in the BlackBerry Manager by double-clicking a user. On the Security tab, verify that the Support S/MIME encrypted messages check box is selected.
The Support S/MIME encrypted messages option is not available if the server is not enabled for S/MIME.

Action: Disable S/MIME encryption on the server.
1. In the BlackBerry Manager, right-click a server, and then click BlackBerry Server Properties.
2. On the Email Options tab, clear the Support S/MIME encrypted messages on this server check box.
3. Click OK.
Warning: After you disable S/MIME support on the server, you must connect the handheld to the user's computer or reboot the BlackBerry Enterprise Server for the change to take effect. If you do not do this, the user remains enabled for S/MIME and can still send and receive encrypted messages.

Action: Disable S/MIME encryption on user accounts.
Warning: After S/MIME is disabled, users cannot send and receive encrypted messages, attach a signature to outgoing messages, or perform wireless certificate searches.
1. In the BlackBerry Manager, click a server.
2. In the User Name list, double-click a user.
3. On the Security tab, clear the Support S/MIME encrypted messages check box.
4. Click OK.
Note: The Support S/MIME encrypted messages option is not available if the server that the user is on is not enabled for S/MIME.


See the S/MIME Support Package version 4.0 User Guide for more information on the S/MIME Support Package.

Re-encrypt S/MIME messages

Enable the BlackBerry Enterprise Server to re-encrypt S/MIME messages that are sent with a weak encryption algorithm or are sent signed and encrypted.

1. In the BlackBerry Manager, right-click a server, and then click BlackBerry Server Properties.

2. On the Email Options tab, select the Support S/MIME encrypted messages on this server check box.

3. Select the Enable S/MIME encryption of signed and weakly encrypted messages check box.

4. Click OK.

Changing encryption keys

1. In the BlackBerry Manager, right-click a server and click BlackBerry Server Properties.

2. On the General tab, in the Supported Encryption Algorithms section, modify the desired values.

Option: 3DES Only
Description: Data is encrypted between the BlackBerry Enterprise Server and the handheld using the Triple DES (Data Encryption Standard) cryptographic encryption algorithm. This encryption standard is supported by all versions of the BlackBerry Enterprise Server and BlackBerry Handheld Software.

Option: AES Only
Description: Data is encrypted between the BlackBerry Enterprise Server and the handheld using the Advanced Encryption Standard (AES) cryptographic encryption algorithm. Only select this option if you are running BlackBerry Enterprise Server version 4.0 and Java-based Handheld Software version 4.0 is installed on handhelds.

Option: Both 3DES & AES
Description: Data is encrypted between the BlackBerry Enterprise Server and the handheld using either the Triple DES or AES cryptographic encryption algorithm. If the administrator is running BlackBerry Enterprise Server version 4.0, BlackBerry Desktop Software version 4.0, and Handheld Software version 4.0, AES encryption is used. If you are running an earlier version (a version before 4.0) of either component, Triple DES encryption is used.

Note: If you enabled AES encryption on the BlackBerry Enterprise Server version 4.0 and downgraded the BlackBerry Enterprise Server to an earlier version, you must run the downgrade utility on the BlackBerry Enterprise Server.

Warning: When AES is enabled on the BlackBerry Enterprise Server, users cannot send, receive, and view new messages on C++-based handhelds.

Generate the master encryption key

The master encryption key authenticates the user and secures communication between the BlackBerry Enterprise Server and the handheld. The handheld, the user's mailbox, and the configuration database each store the encryption key. The user can generate a master encryption key from the BlackBerry Desktop Software, or you can generate a master key on the user's behalf.

By default, the BlackBerry Enterprise Server generates a new encryption key automatically when the old key expires, and sends the key wirelessly to the handheld. Research In Motion recommends that you leave the automatic setting enabled.


Generate an encryption key automatically

1. In the BlackBerry Manager, click a server.

2. In the User Name list, right-click a user, and then click Properties.

3. On the Security tab, select the Generate keys automatically option.

4. Click Apply.

5. Click OK.

After 31 days, users are prompted to generate a new key when they connect the handheld to their computer while the Desktop Software is running.

Generate an encryption key manually

1. In the BlackBerry Manager, click a server.

2. In the User Name list, right-click a user, and then click Properties.

3. On the Security tab, select the Generate keys manually option.

4. Click Generate.

5. Click Apply.

6. Click OK.

Note: When you choose to generate encryption keys manually, you must generate a new key for the user every two weeks.


Appendix A: IT policy

• IT policy rules
• Sample IT policies

IT policy rules

Note: Some rules might require that the desktop is closed and restarted before changes are applied.

Columns: Policy rule; Policy group; Description; Default setting; Minimum Requirements (Handheld Type, Handheld Software, Server Software); Usage

Allow BCC Recipients
Policy group: Non-Grouped Device-Only
Description: Specifies whether users can include BCC recipients on email messages.
Default setting: TRUE
Minimum requirements: Handheld Type Java or 85x/95x; Handheld Software 3.6 (Java) or 2.5 (85x/95x); Server Software 3.5

Allow Browser
Policy group: Non-Grouped Global
Description: Specifies whether handheld users can use the default browser included on the handheld.
Default setting: TRUE
Minimum requirements: Handheld Type Java or 85x/95x; Handheld Software 3.6 (Java) or 2.5 (85x/95x); Server Software 3.5

Allow External Connections
Policy group: Security
Description: Controls whether applications can initiate external connections (for example, to WAP, SMS, or other public gateway) on the handheld.
Default setting: TRUE
Minimum requirements: Handheld Type Java; Handheld Software 3.6; Server Software 3.6

Allow Internal Connections
Policy group: Security
Description: Controls whether applications can initiate internal connections (for example, to the Mobile Data Service) on the handheld.
Default setting: TRUE
Minimum requirements: Handheld Type Java; Handheld Software 3.6; Server Software 3.6

Allow Other Browser Services
Policy group: Service Exclusivity
Description: Specifies whether users can use other browser services on the handheld.
Default setting: TRUE
Minimum requirements: Handheld Type Java; Handheld Software 3.6; Server Software 3.5
Usage: Set this rule to FALSE to force all browser traffic through your organization's BlackBerry Enterprise Server and prevent users from installing other browser services.


Allow Other Email Services
Policy group: Service Exclusivity
Description: Specifies whether users can use other email services on the handheld.
Default setting: TRUE
Minimum requirements: Handheld Type Java or 85x/95x; Handheld Software 3.6 (Java) or 2.5 (85x/95x); Server Software 3.5
Usage: Set this rule to FALSE to force all outbound email through your organization's BlackBerry Enterprise Server and prevent users from sending outbound email messages from other email services.
Warning: This rule does not prevent users from receiving inbound email messages from other email services.

Allow Outgoing Call When Locked
Policy group: Security
Description: Specifies whether users can place calls when the handheld is security locked.
Default setting: FALSE
Minimum requirements: Handheld Type Java; Handheld Software 4.0; Server Software 4.0

Allow Peer-to-Peer Messages
Policy group: Non-Grouped Device-Only
Description: Specifies whether users can send peer-to-peer (also known as PIN-to-PIN) messages on the handheld.
Default setting: TRUE
Minimum requirements: Handheld Type Java or 85x/95x; Handheld Software 3.6 (Java) or 2.5 (85x/95x); Server Software 3.5
Usage: If this rule is set to FALSE, the functionality is hidden from users.
Warning: This rule does not prevent users from receiving PIN messages.

Allow Phone
Policy group: Non-Grouped Global
Description: Specifies whether users can use phone capabilities on the handheld.
Default setting: TRUE
Minimum requirements: Handheld Type Java; Handheld Software 3.6; Server Software 3.5
Usage: If this rule is set to FALSE, the phone icon is still visible, but only emergency calls can be made.
Warning: Setting, modifying, or removing this rule causes the handheld to reset when the IT policy update is received.

Allow Public Yahoo! Messenger Services
Policy group: Service Exclusivity
Description: Specifies whether other public Yahoo! Messenger services are permitted on the handheld.
Default setting: TRUE
Minimum requirements: Handheld Type Java or 85x/95x; Handheld Software 3.6 (Java) or 2.5 (85x/95x); Server Software 3.5
Usage: Set this rule to FALSE to force all messaging activity through Yahoo! Messenger Enterprise edition (if available), remove existing applications, and prevent users from installing other messaging services.


Allow Smart Card Password Caching
Policy group: Security
Description: Specifies whether the smart card password can be cached.
Default setting: FALSE
Minimum requirements: Handheld Type Java; Handheld Software 4.0; Server Software 4.0
Usage: If this rule is set to TRUE, the password is cached for a period of time controlled by the key store private key timeout. Cached passwords are cleared by the memory cleaner.

Allow SMS
Policy group: Non-Grouped Device-Only
Description: Specifies whether users can use Short Message Service (SMS) messaging on the handheld.
Default setting: TRUE
Minimum requirements: Handheld Type Java; Handheld Software 3.6; Server Software 3.5
Usage: If this rule is set to FALSE, the functionality is hidden from users.

Allow Split-Pipe Connections
Policy group: Security
Description: Enables applications to open both internal and external connections simultaneously.
Default setting: FALSE
Minimum requirements: Handheld Type Java; Handheld Software 3.6; Server Software 3.6
Usage: Enabling split-pipe connections presents a security issue because, when enabled, applications can surreptitiously collect data from inside the firewall and send it outside the firewall without any auditing.

Allow Third Party Apps to Use Serial Port
Policy group: Security
Description: Enables third party applications to use the serial port, IrDA, or USB ports on the handheld.
Default setting: TRUE
Minimum requirements: Handheld Type Java; Handheld Software 3.6; Server Software 3.6

Application Download Control
Policy group: Security
Description: Contains a list of applications that are allowed to be downloaded and executed on the device.
Default setting: NULL
Minimum requirements: Handheld Type Java; Handheld Software 4.0; Server Software 4.0

Attachment Viewing
Policy group: CMIME Application
Description: Enables users to view attachments on the handheld.
Default setting: TRUE
Minimum requirements: Handheld Type Java or 85x/95x; Handheld Software 3.7 (Java) or 2.6.1 (85x/95x); Server Software 3.6.1
Usage: For this rule to take effect, you must have the Attachment Service installed, running, and connected to the BlackBerry Enterprise Server through an attachment connector.

Auto Backup Enabled
Policy group: Non-Grouped Desktop-Only
Description: Specifies whether the option to automatically back up the handheld is enabled.
Default setting: FALSE
Minimum requirements: Handheld Type Java or 85x/95x; Handheld Software N/A; Desktop Manager version 3.5; Server Software 3.5
Usage: When this rule is set, the status is updated in the backup and restore settings of the BlackBerry Desktop Manager. Set this rule to TRUE to enable clean recovery of handheld data in the event that the handheld must be replaced.


Auto Backup Exclude Email
Policy group: Non-Grouped Desktop-Only
Description: Specifies whether email can be excluded from automatic backups.
Default setting: FALSE
Minimum requirements: Handheld Type Java or 85x/95x; Handheld Software N/A; Desktop Manager version 3.5; Server Software 3.5
Usage: If this rule is set to TRUE, the Auto Backup Include All rule must be set to FALSE.

Auto Backup Exclude Sync
Policy group: Non-Grouped Desktop-Only
Description: Specifies whether synchronized application data (data configured for synchronization with Intellisync) can be excluded from automatic backups.
Default setting: FALSE
Minimum requirements: Handheld Type Java or 85x/95x; Handheld Software N/A; Desktop Manager version 3.5; Server Software 3.5
Usage: If this rule is set to TRUE, the Auto Backup Include All rule must be set to FALSE.

Auto Backup Frequency
Policy group: Non-Grouped Desktop-Only
Description: Specifies, in days, how often an automatic backup is performed.
Default setting: 7
Minimum requirements: Handheld Type Java or 85x/95x; Handheld Software N/A; Desktop Manager version 3.5; Server Software 3.5
Usage: Set this value to 2 or more days, to enable changes to be made on the handheld to data stored between backups, so that users do not need to wait for backups to occur when synchronizing the handheld while it is connected to the computer. Backup files should be saved to a network drive if disk space on the user's local hard drive is limited.

Auto Backup Include All
Policy group: Non-Grouped Desktop-Only
Description: Specifies whether all data is included in automatic backups.
Default setting: TRUE
Minimum requirements: Handheld Type Java or 85x/95x; Handheld Software N/A; Desktop Manager version 3.5; Server Software 3.5
Usage: If this rule is set to TRUE, the "Backup all handheld application data" radio button in Backup and Restore Options of the BlackBerry Desktop Manager will be selected. This rule must be set to FALSE if the Auto Backup Exclude Sync and Auto Backup Exclude Email rules are set to TRUE.

Auto Signature
Policy group: Non-Grouped Desktop-Only
Description: Specifies the signature automatically attached to the handheld user's email messages.
Default setting: NULL
Minimum requirements: Handheld Type Java or 85x/95x; Handheld Software N/A; Desktop Manager version 3.5; Server Software 3.5
Usage: Use this rule to add a disclaimer to the end of all outgoing email messages sent from the handheld.

BlackBerry Server Version
Policy group: Common
Description: Specifies the BlackBerry Enterprise Server version number that is sent to the handheld.
Default setting: NULL
Minimum requirements: Handheld Type Java or 85x/95x; Handheld Software 4.0 (Java) or 2.7 (85x/95x); Server Software 4.0

Certificate Status Cache Timeout
Policy group: Security
Description: Specifies the maximum number of days that the status of a given certificate remains cached on the handheld.
Default setting: 7
Minimum requirements: 4.0


Certificate Status Maximum Expiry Time
Policy group: Security
Description: Specifies the maximum length of time, in hours, that a certificate status can remain on the handheld before it should be updated in the Certificate Synchronization Manager (and handheld keystore).
Default setting: 4
Minimum requirements: Handheld Type Java; Handheld Software 4.0; Server Software 4.0

Confirm On Send
Policy group: Common
Description: Requires users to confirm before sending an email, PIN, SMS, or MMS message.
Default setting: NULL
Minimum requirements: Handheld Type Java or 85x/95x; Handheld Software 4.0 (Java) or 2.7 (85x/95x); Server Software 4.0
Usage: Use this rule to customize a confirmation message. If not set, the confirmation dialog is not displayed.

Content Protection Strength
Policy group: Security
Description: Specifies the strength of the Elliptic Curve Cryptography (ECC) public key used to encrypt the data when the handheld is locked, from these options:
• 0 - A 160-bit ECC public key is used, which provides good security and good performance.
• 1 - A 256-bit ECC public key is used, which provides better security but slower performance.
• 2 - A 521-bit ECC public key is used, which provides top security but with the slowest performance.
Default setting: 0
Minimum requirements: Handheld Type Java; Handheld Software 4.0; Server Software 4.0
Usage: Note: The rule Password Required must be set to TRUE if this rule is set to TRUE. This rule should correspond to password settings. If the handheld password is greater than 12 characters, set this rule to 1. If the handheld password is greater than 21 characters, set this rule to 2.

Default Browser Config UID
Policy group: Non-Grouped Device-Only
Description: Specifies a unique ID for the Browser Config Service Record, which sets the default browser to use (for example, when opening links in email messages).
Default setting: NULL
Minimum requirements: Handheld Type Java; Handheld Software 3.6; Server Software 3.5

Desktop Allow Desktop Add-ins
Policy group: Desktop
Description: Specifies whether the BlackBerry Desktop software enables the user to configure and execute desktop add-ins (third-party COM-based extensions that access the handheld databases during synchronization).
Default setting: TRUE
Minimum requirements: Handheld Type Java or 85x/95x; Handheld Software N/A; Desktop Manager version 3.6; Server Software 3.6

Desktop Allow Device Switch
Policy group: Desktop
Description: Specifies whether the BlackBerry Desktop software allows users to switch handhelds.
Default setting: TRUE
Minimum requirements: Handheld Type Java or 85x/95x; Handheld Software N/A; Desktop Manager version 3.6.1; Server Software 3.6.1
Usage: Set this rule to FALSE to prevent users from switching to devices with BlackBerry connectivity.


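Desktop Backup
Policy group: Security
Description: Controls which handheld databases can be backed up by a desktop, from these options:
• 0 - All handheld databases can be backed up by a desktop.
• 1 - Minimal subset of handheld databases can be backed up by a desktop. Generally, these are databases which some desktop components require access to for proper operation, such as CertSync.
• 2 - No databases can be backed up by a desktop.
Default setting: 0
Minimum requirements: Handheld Type Java; Handheld Software 4.0; Server Software 4.0

Desktop Password Cache Timeout
Policy group: Desktop
Description: Specifies the time, in minutes, that the desktop caches the handheld password in memory.
Default setting: 10
Minimum requirements: Handheld Type Java or 85x/95x; Handheld Software N/A; Desktop Manager version 3.6; Server Software 3.6
Usage: If this rule is set to 0, the password cache will be cleared only when the handheld is removed from the cradle, regardless of the length of time it is in the cradle.

Disable 3DES Transport Crypto
Policy group: Security
Description: Disables the handheld from encrypting and decrypting packets to/from the BlackBerry Enterprise Server that sent the IT Policy.
Default setting: FALSE
Minimum requirements: Handheld Type Java; Handheld Software 4.0; Server Software 4.0

Disable Address Wireless Sync
Policy group: PIM Sync
Description: Disables wireless synchronization of the address database.
Default setting: FALSE
Minimum requirements: Handheld Type Java or 85x/95x; Handheld Software 4.0 (Java) or 2.7 (85x/95x); Server Software 4.0

Disable All Wireless Sync
Policy group: PIM Sync
Description: Disables wireless synchronization of all databases.
Default setting: FALSE
Minimum requirements: Handheld Type Java or 85x/95x; Handheld Software 4.0 (Java) or 2.7 (85x/95x); Server Software 4.0

Disable Bluetooth
Policy group: Bluetooth
Description: Disables all Bluetooth® support.
Default setting: FALSE
Minimum requirements: Handheld Type Java; Handheld Software 3.8; Server Software 4.0
Usage: Warning: If the Bluetooth radio is active when this rule is applied, the handheld is reset for the change to take effect.

Disable Calendar Wireless Sync
Policy group: PIM Sync
Description: Disables wireless synchronization of the calendar database.
Default setting: FALSE
Minimum requirements: Handheld Type Java or 85x/95x; Handheld Software 4.0 (Java) or 2.7 (85x/95x); Server Software 4.0

Disable Cut/Copy/Paste
Policy group: Security
Description: Prevents the user from using the clipboard's cut, copy, and paste features.
Default setting: FALSE
Minimum requirements: Handheld Type Java; Handheld Software 4.0; Server Software 4.0

Disable Email Normal Send
Policy group: Security
Description: Specifies whether email messages can be sent as clear text (in other words, normally).
Default setting: FALSE
Minimum requirements: Handheld Type Java; Handheld Software 3.6; Server Software 3.6
Usage: If this rule is set to TRUE, a secure email package must be installed on the handheld and supported by the BlackBerry Enterprise Server in order to send email messages.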


Disable Forwarding Between Services

Security Prevents the user from forwarding or replying to a message via a different BlackBerry Enterprise Server than the one that delivered the original message. Also prevents forwarding or replying to a PIN message with an email address or vice versa.

FALSE Java 4.0 4.0

Disable Handsfree Profile

Bluetooth Disables the use of Bluetooth handsfree peripherals.

FALSE Java 3.8 4.0

Disable Headset Profile

Bluetooth Disables the use of Bluetooth headsets.

FALSE Java 3.8 4.0

Disable Invalid Certificate Use

Security Controls the user's ability to send a message using a certificate that has expired or is not yet valid.

FALSE Java 3.6 3.6 If this rule is set to FALSE, the user will be warned about but not prevented from using a certificate that has expired or is not yet valid.

Disable IP Modem

Security Disables the IP Modem feature on applicable handhelds.

FALSE Java 4.0 4.0 Currently, this rule applies to BlackBerry 7290 and BlackBerry 7100.

Disable Java Script in Browser

Browser Disables execution of JavaScript™ scripts in the Browser.

FALSE Java 4.0 4.0

Disable Key Store Backup

Security Controls the user's ability to back up certificates and private keys in the handheld key stores.

FALSE Java 4.0 4.0

Disable Key Store Low Security

Security Disables setting the key store security level to Low.

FALSE Java 3.6 3.6 If this rule is set to TRUE, then keys will be automatically moved up to the next security level.

For handhelds running version 3.6, that level is High. For handhelds running version 4.0, that level is Medium.

Disable Memopad Wireless Sync

PIM Sync Disables wireless synchronization of the memopad database.

FALSE Java or 85x/95x

4.0 (Java) or 2.7 (85x/95x)

4.0

Disable MMS Common Specifies whether Multimedia Messaging Service (MMS) is permitted on the handheld.

FALSE Java 4.0 4.0 If this rule is set to TRUE, the functionality is hidden from users.

Disable Network Location Query

SIM Application Toolkit

Prevents the network or SIM from querying the handheld for certain location-related information.

The information is limited to current network and cell identities, the device IMEI, the date, time, and some measurement results.

FALSE Java 3.6 N/A;

S/MIME Support Package version 4.0


Disable Pairing Bluetooth Disables the ability to establish a relationship, or pair, with another Bluetooth device.

FALSE Java 3.8 4.0 Once you have established a pairing with an approved device, (for example a headset), use this rule to prevent the user from establishing any subsequent pairings.

Disable Peer-to-Peer Normal Send

Security Disables sending plain text PIN-to-PIN messages when using a secure email package.

TRUE Java 3.6 3.6 If this rule is set to TRUE, messages must be signed and/or encrypted.

To disable peer-to-peer messaging entirely, set the Allow Peer-to-Peer Messages rule to FALSE.

Disable Persisted Plaintext

Security Prevents any application from persisting the plaintext form of a Content Protected object in the Persistent Store (for instance, the file system).

In such a case, the handheld will write information about the application in the handheld Event Log, and will then reset, returning the handheld to a valid known state.

FALSE Java 4.0 4.0 Warning: Not all applications can work with this rule set to TRUE.

This rule is only recommended for very security-conscious customers who need assurance that sensitive data cannot be persisted in plaintext form.

Disable Radio When Cradled

Security Controls whether the radio is disabled when the handheld is connected to the desktop, from these options:

• 0 - the radio is not disabled when connected

• 1 - the radio is disabled when a USB cable is connected

• 2 - the radio is disabled when the connected USB device enumerates

0 Java 4.0 4.0 Note: This policy is only supported on USB devices.

Disable Revoked Certificate Use

Security Specifies whether outgoing messages are encrypted with revoked certificates.

FALSE Java 3.6 3.6 If this rule is set to FALSE, the user will be warned about but not prevented from using a revoked certificate.

Disable Serial Port Profile

Bluetooth Disables the ability to communicate with a serial port that has been Bluetooth-enabled.

FALSE Java 3.8 4.0

Disable SIM Call Control

SIM Application Toolkit

Prevents the SIM from modifying an outgoing call, supplementary service request, or short message.

FALSE Java 3.6 N/A;

S/MIME Support Package version 4.0


Disable SIM Originated Calls

SIM Application Toolkit

Prevents the SIM from making an outgoing call, performing a supplementary service operation, or sending a short message.

FALSE Java 3.6 N/A;

S/MIME Support Package version 4.0

Disable Stale Status Use

Security Specifies whether a user can encrypt a message using a certificate with a stale status.

FALSE Java 4.0 4.0 If this rule is set to FALSE, the user will be warned about but not prevented from using a stale certificate.

Disable Task Wireless Sync

PIM Sync Disables wireless synchronization of the task database.

FALSE Java or 85x/95x

4.0 (Java) or 2.7 (85x/95x)

4.0

Disable Untrusted Certificate Use

Security Specifies whether outgoing email messages are encrypted with untrusted certificates.

FALSE Java 3.6 3.6 If this rule is set to FALSE, the user will be warned about but not prevented from using an untrusted certificate.

Disable Unverified Certificate Use

Security Specifies whether users can send a message encrypted using a certificate that cannot be verified.

FALSE Java 4.0 4.0 If this rule is set to FALSE, the user will be warned about but not prevented from using an unverified certificate.

Disable Unverified CRLs

Security Prevents users from accepting unverified CRLs on the Mobile Data Service when checking the status of a certificate.

FALSE Java 4.0 4.0

Disable Weak Certificate Use

Security Specifies whether users can send a message using a certificate that has a weak corresponding public key.

FALSE Java 3.6 3.6 If this rule is set to FALSE, the user will be warned about but not prevented from using a certificate that has a weak corresponding public key.

Disable Wireless Bulk Loads

PIM Sync Disables wireless synchronization of PIM data during activation or as part of a backup/restore. The handheld must be connected to a computer through cradle or USB before the data transfer will start.

FALSE Java or 85x/95x

4.0 (Java) or 2.7 (85x/95x)

4.0 Set this rule to TRUE to minimize wireless data transfers when activating or updating handhelds.

Note: If the handheld is disconnected during a bulk load, the remainder of the data is sent wirelessly.


Disable Wireless Calendar

Non-Grouped Desktop-Only

Specifies whether the wireless calendar synchronization option (BlackBerry Wireless Sync) is available to handheld users in the calendar option of the Personal Information Manager (PIM).

FALSE Java or 85x/95x

N/A; Desktop Manager version 3.5

3.5 Wireless calendar synchronization is a significant feature of the BlackBerry solution.

Most organizations set this rule to FALSE to enable the wireless calendar synchronization feature.

Disallow Third Party Application Downloads

Security Specifies whether applications not authored by Research In Motion Limited are permitted on the handheld.

FALSE Java 3.6 3.6

Do Not Save Sent Messages

Non-Grouped Desktop-Only

Specifies whether a copy of each message sent by the handheld user is saved to a Sent Messages folder.

Java or 85x/95x

N/A; Desktop Manager version 3.5

3.5 Set this rule to FALSE to enable storage on the mail server of messages sent from the handheld.

Duress Notification Address

Password Specifies the email address that receives notification when a user enters a password under duress.

If no email is entered, the duress password function is not activated.

NULL Java 4.0 4.0 Note: This rule can only be used if the Password Required rule is set to TRUE.

Email Conflict Desktop Wins

Non-Grouped Desktop-Only

Specifies what happens when a conflict occurs between the desktop and the handheld during Personal Information Manager (PIM) synchronization.

TRUE Java or 85x/95x

N/A; Desktop Manager version 3.5

3.5

Enable Long Term Timeout

Non-Grouped Device-Only

Specifies whether the handheld locks after a pre-defined period of time, regardless of user activity.

Java 3.6 3.5 If this rule is set to TRUE, the handheld will automatically lock after 60 minutes.

Use the Periodic Challenge Time rule to shorten this interval.

Enable WAP Config

Non-Grouped Device-Only

Specifies whether the WAP Browser icon will appear on the handheld when the service provider has provisioned the WAP browser and the appropriate service books are present.

TRUE Java 3.6 3.5 If this rule is set to FALSE, the icon is hidden.


Enable Wireless Email Reconciliation

CMIME Application

Specifies whether wireless email reconciliation functionality is supported on the handheld.

Java or 85x/95x

3.6 (Java) or 2.6 (85x/95x)

3.6 If this rule is set to TRUE, or not part of the IT policy to which a user is assigned, wireless email reconciliation is still enabled on the handheld by default.

Note: Wireless email reconciliation must also be enabled on the BlackBerry Enterprise Server.

Entrust Messaging Server (EMS) Email Address

S/MIME Application

Specifies the address or URL for the organization's Entrust Messaging Server (EMS), or NULL if the organization does not use an EMS.

NULL Java 4.0 N/A;

S/MIME Support Package version 4.0

FIPS Level Security Specifies the level of FIPS compliance with which the BlackBerry Cryptographic Kernel software is forced to operate, from these options:

• 1 - FIPS 140-2 Level 1 compliance

• 2 - FIPS 140-2 Level 2 compliance

Level 1 compliance can be applied to Java-based handhelds using handheld software version 3.3.0 and higher.

Level 2 compliance can be applied to Java-based handhelds using handheld software version 4.0 and higher.

1 Java 3.3/4.0 4.0 Warning: Selecting Level 2 prevents WTLS from using the RC5 cipher, which can result in problems using the WTLS protocol.

If this rule is set to 2, the following additional rules are enforced with these values:

• Password Required = True

• Minimum Password Length = 5

• Suppress Password Echo = True

• S/MIME Allowed Content Ciphers = AES (256-bit), AES (192-bit), AES (128-bit), Triple DES

• TLS Restrict FIPS Ciphers = True

• PGP Allowed Content Ciphers = AES (256-bit), AES (192-bit), AES (128-bit), Triple DES

• Disallow Third Party Application Download = True


Force Load Count

Non-Grouped Desktop-Only

Specifies the number of times a handheld user is allowed to decline when prompted to update the handheld before the update is forced.

No limit Java or 85x/95x

N/A; Desktop Manager version 3.5

3.5 To disable the forced update functionality, set this rule to -1.

Force Load Message

Non-Grouped Desktop-Only

Specifies the message that appears when users are prompted to update to a later version of the BlackBerry handheld software.

NULL Java or 85x/95x

N/A; Desktop Manager version 3.5

3.5 Note: This rule can only be used if the Force Load Count rule is set to a positive number.

Force Lock When Holstered

Security Specifies whether the handheld is security locked when placed in the holster.

FALSE Java 3.6 3.6

Force Memory Clean When Holstered

Memory Cleaner

Specifies whether the handheld performs a memory clean when holstered.

FALSE Java 3.6 N/A;

S/MIME Support Package version 1.5

Force Memory Clean When Idle

Memory Cleaner

Specifies whether the handheld performs a memory clean when idle.

FALSE Java 3.6 N/A;

S/MIME Support Package version 1.5

Force Smart Card Two Factor Authentication

Security Specifies whether the user must supply their handheld password as well as the password to the configured smart card.

FALSE Java 3.6 3.6 Note: This rule can only be used if the Password Required rule is set to TRUE.

When this rule is set, the user must have a smart card authenticator, smart card driver, and smart card reader driver installed on their handheld before they can use their handheld.

Forward Messages In Cradle

Non-Grouped Desktop-Only

Specifies whether the handheld continues to receive messages while it is connected to the computer using the cradle or a USB cable.

Set by BlackBerry Enterprise Server

Java or 85x/95x

N/A; Desktop Manager version 3.5

3.5 When this rule is set, the status is updated in the redirector settings of the BlackBerry Desktop Manager.

Home Page Address

Non-Grouped Device-Only

Specifies the URL address of the home page used by the WML browser.

Java or 85x/95x

3.6 (Java) or 2.5 (85x/95x)

3.5 Most organizations set the URL to their intranet address.

If this rule is not set, the handheld will use the default Home Page URL.

Home Page Address is Read-Only

Non-Grouped Device-Only

Specifies if the URL address of the home page can be modified by the handheld user.

Java or 85x/95x

3.6 (Java) or 2.5 (85x/95x)

3.5


IT Policy Notification

Common Specifies if warnings of IT policy changes are displayed to the user.

FALSE Java or 85x/95x

4.0 (Java) or 2.7 (85x/95x)

4.0

Key Store Password Maximum Timeout

Security Specifies the maximum number of minutes allowed before the cached keystore password times out and the user is prompted to enter the password.

1 Java 3.6 3.6 If this rule is set to 0, the keystore password cannot be cached.

Lock on Smart Card Removal

Security Specifies whether the handheld locks when the smart card is removed from the smart card reader, or the reader is removed from the handheld.

FALSE Java 3.6 3.6 Warning: Not all smart card reader drivers support smart card removal detection.

Note: This rule can only be used if the Password Required and Force Smart Card Two Factor Authentication rules are set to TRUE.

When this rule is set, the user must have a smart card authenticator, smart card driver, and smart card reader driver installed on their handheld before they can use their handheld.

Lock Owner Info

Common Locks specified fields in the Owner options screen of the handheld, from these options:

• 1 - Lock Information text.

• 2 - Lock Name text.

• 3 - Lock both Name and Information text.

Java or 85x/95x

4.0 (Java) or 2.7 (85x/95x)

4.0 Use this rule to lock the text defined in the Set Owner Info and Set Owner Name rules.

Warning: This information is overwritten by the Set Owner Information IT Admin command.

Maximum Password Age

Non-Grouped Device-Only

Specifies the number of days until a handheld password expires and the user is prompted to provide a new password.

Java or 85x/95x

3.6 (Java) or 2.5 (85x/95x)

3.6 Set this rule according to your organization's password expiration policy. If no such policy exists, the recommendation is to set a maximum password age of 30 days.

If set to 0, password aging is disabled.

Note: This rule can only be used if the Password Required rule is set to TRUE.


Maximum Password History

Password Specifies the maximum number of prior passwords against which new passwords can be checked to prevent reuse of the old passwords.

0 Java 3.6 3.6 Note: This rule can only be used if the Password Required rule is set to TRUE.

If set to 0, password checking is disabled.

Maximum Security Timeout

Non-Grouped Device-Only

Specifies the maximum time, in minutes, allowed before a handheld security timeout occurs.

The handheld user can select any timeout value less than the maximum value.

Java or 85x/95x

3.6 (Java) or 2.5 (85x/95x)

3.6 Set this rule according to your organization's security policy. If no such policy exists, the recommendation is to set a maximum timeout value of 30 minutes.

MDS Browser Title

Browser Sets the name that appears on the Home screen for the BlackBerry Browser icon.

BlackBerry Browser

Java 3.6 3.6

Memory Cleaner Maximum Idle Time

Memory Cleaner

Specifies the maximum idle time, in minutes, allowed before the memory cleaner starts.

1 Java 3.6 N/A;

S/MIME Support Package version 1.5

Note: This rule can only be used if the Force Memory Clean When Idle rule is set to TRUE.

Message Prompt

Non-Grouped Desktop-Only

Specifies a message to appear each time BlackBerry Desktop Manager is started.

NULL Java or 85x/95x

N/A; Desktop Manager version 3.5

3.5

Minimal Encryption Keystore Security Level

Security Specifies the minimum security level for the encryption key in the Keystore, from these options:

• 1 - Low security.

• 2 - High security.

• 3 - Medium security.

1 Java 4.0 4.0 All keys on the handheld will be forced to have this minimum security level as their minimum, but the user can set a higher security level if desired.

Minimal Signing Keystore Security Level

Security Specifies the minimum security level for the signing key in the Keystore, from these options:

• 1 - Low security.

• 2 - High security.

• 3 - Medium security.

1 Java 4.0 4.0 All keys on the handheld will be forced to have this minimum security level as their minimum, but the user can set a higher security level if desired.


Minimum Password Length

Non-Grouped Device-Only

Specifies the minimum allowable length, in characters, of the handheld security password.

Java or 85x/95x

3.6 (Java) or 2.5 (85x/95x)

3.5 Set this rule according to your organization's password length policy. If no such policy exists, the recommendation is to set a minimum of 6 characters.

Note: This rule can only be used if the Password Required rule is set to TRUE.

Warning: If the FIPS Level rule is set to 2, then the setting of this rule is ignored and is explicitly set to 5.

Password Pattern Checks

Non-Grouped Device-Only

Creates a pattern check on the handheld security password, from these options:

• 0 - No restriction.

• 1 - Requires at least 1 alpha and 1 numeric.

• 2 - Requires at least 1 alpha, 1 numeric and 1 special character.

• 3 - Requires at least 1 alpha, 1 numeric and 1 special character and mix UPPER and lower case.

0 Java or 85x/95x

3.6 (Java) or 2.5 (85x/95x)

3.5 To enable a high level of security, the recommendation is to set this value to a minimum of 1.

Note: This rule can only be used if the Password Required rule is set to TRUE.

Warning: If options 2 or 3 are selected, then password pattern checking is disabled on 85x/95x handhelds.

Password Required

Non-Grouped Device-Only

Specifies whether a password is required on the handheld.

FALSE Java or 85x/95x

3.6 (Java) or 2.5 (85x/95x)

3.5 To enforce password requirements, set the User Can Disable Password rule to FALSE.

Warning: If the FIPS Level rule is set to 2, then the setting of this rule is ignored and is explicitly set to TRUE.

Periodic Challenge Time

Password Specifies the interval, in minutes, after which the user will be prompted to enter a password, regardless of whether the handheld has been idle or in use.

60 Java 4.0 4.0 Note: This rule can only be used if the Password Required rule is set to TRUE.


S/MIME Allowed Content Ciphers

S/MIME Application

Specifies the content ciphers used to send S/MIME messages, using one of the following options:

• 0 - AES (256-bit)

• 1 - AES (192-bit)

• 2 - AES (128-bit)

• 3 - CAST (128-bit)

• 4 - RC2 (128-bit)

• 5 - Triple DES

• 6 - RC2 (64-bit)

• 7 - RC2 (40-bit)

6,3 Java 3.6 N/A;

S/MIME Support Package version 1.5

Warnings: If the FIPS Level rule is set to 2, then the setting of this rule is ignored and is explicitly set to 0,1,2,5.

To maintain compatibility with most S/MIME clients, either Triple DES or one of the RC2 ciphers should be enabled.

S/MIME Blind Copy Address

S/MIME Application

Specifies an email address that is added as a BCC recipient to all outgoing S/MIME messages.

NULL Java 3.6 N/A;

S/MIME Support Package version 1.5

S/MIME Force Digital Signature

S/MIME Application

Specifies whether all outgoing S/MIME messages are digitally signed.

FALSE Java 3.6 N/A;

S/MIME Support Package version 1.5

S/MIME Force Encrypted Email

S/MIME Application

Specifies whether all outgoing S/MIME messages are encrypted.

FALSE Java 3.6 N/A;

S/MIME Support Package version 1.5

S/MIME Force Smartcard Use

S/MIME Application

Specifies whether all key operations must be performed using an attached smartcard reader.

FALSE Java 3.6 N/A;

S/MIME Support Package version 1.5

S/MIME Minimum Strong DH Key Length

S/MIME Application

Specifies the minimum DH key size, in bits, allowed for use in the S/MIME application.

1024 Java 3.6 N/A;

S/MIME Support Package version 1.5

S/MIME Minimum Strong DSA Key Length

S/MIME Application

Specifies the minimum DSA key size, in bits, allowed for use in the S/MIME application.

1024 Java 3.6 N/A;

S/MIME Support Package version 1.5


S/MIME Minimum Strong ECC Key Length

S/MIME Application

Specifies the minimum ECC key size, in bits, allowed for use in the S/MIME application.

163 Java 3.6 N/A;

S/MIME Support Package version 1.5

S/MIME Minimum Strong RSA Key Length

S/MIME Application

Specifies the minimum RSA key size, in bits, allowed for use in the S/MIME application.

1024 Java 3.6 N/A;

S/MIME Support Package version 1.5

Security Service Colours

Security Specifies the background color of all email messages, in RGB (hexadecimal) format.

The first color represents the background color of messages sent from the BlackBerry Enterprise Server that sent the IT Policy. The second color represents the background color of messages sent from all other services.

NULL Java 4.0 4.0 Example colors are:

• 0xffffff: white

• 0x000000: black

• 0xff0000: red

• 0x00ff00: green

• 0x0000ff: blue

• 0xffeeee: light red

• 0xffaaaa: dark red

• 0xeeffee: light green

• 0xaaffaa: dark green

• 0xeeeeff: light blue

• 0xaaaaff: dark blue

Set Maximum Password Attempts

Password Specifies the number of security password attempts (incorrect passwords entered) allowed on the handheld before the handheld data is erased and the handheld disabled.

10 Java 3.6 3.6 Maximum password attempts is set to 10 by default on the handheld. Use this rule to lower the number of password attempts.

Note: This rule can only be used if the Password Required rule is set to TRUE.

Set Owner Info Common Specifies the owner information that will be set on the handheld.

Java or 85x/95x

4.0 (Java) or 2.7 (85x/95x)

4.0 Use the Lock Owner Info rule to prevent the handheld user from editing this information.

Warning: This information is overwritten by the Set Owner Information IT Admin command.


Set Owner Name

Common Specifies the owner name that will be set on the handheld.

Java or 85x/95x

4.0 (Java) or 2.7 (85x/95x)

4.0 Use the Lock Owner Info rule to prevent the handheld user from editing this information.

Warning: This information is overwritten by the Set Owner Information IT Admin command.

Set Password Timeout

Password Specifies the amount of time, in minutes, before the security timeout occurs on the handheld.

60 Java 3.6 3.6 Password timeout is set to 60 minutes by default on the handheld. Use this rule to lower the timeout interval.

The value specified must be less than or equal to the value set for the Maximum Security Timeout rule.

Note: This rule can only be used if the Password Required rule is set to TRUE.

Show Application Loader

Non-Grouped Desktop-Only

Specifies whether the handheld user has access to the application loader in the desktop software.

TRUE Java 3.5 3.5

Show Web Link Non-Grouped Desktop-Only

Specifies whether the handheld user has access to the Web Link icon in the desktop software.

FALSE Java or 85x/95x

N/A; Desktop Manager version 3.5

3.5 Note: The icon will only appear if the default URL is set via the WebLinkURL rule.

Suppress Password Echo

Password Disables the echoing (printing to the screen) of characters typed into the Security password screen after a given number of failed attempts at unlocking the handheld.

TRUE Java 3.6 3.6 Password echo is enabled by default on the handheld. Use this rule to override the default.

Note: This rule can only be used if the Password Required rule is set to TRUE.

Warning: If the FIPS Level rule is set to 2, then the setting of this rule is ignored and is explicitly set to TRUE.

Sync Email Instead Of Import

Non-Grouped Desktop-Only

Specifies whether the Personal Information Manager (PIM) allows email and folder synchronization to occur instead of an import of moves and deletes on the handheld.

TRUE Java or 85x/95x

N/A; Desktop Manager version 3.5

3.5


TCP APN TCP Enables IT Policy to impose a default Access Point Name (APN) on the handheld for TCP.

Java 4.0 4.0

TCP Password TCP Enables IT Policy to impose a default APN password on the handheld for TCP.

Java 4.0 4.0

TCP Username TCP Enables IT Policy to impose a default APN username on the handheld for TCP.

Java 4.0 4.0

TLS Device Side Only

TLS Controls use of proxy mode TLS or proxy HTTPS between the handheld and the BlackBerry Enterprise Server.

FALSE Java 4.0 4.0 If this rule is set to TRUE, all HTTPS connections must use device-side TLS.

Warning: If this rule has been set and device-side TLS is not available, an exception will occur.

TLS Disable Invalid Connection

TLS Controls the use of connections to servers with invalid certificates during TLS connections, from these options:

• 0 - Disable invalid connections.

• 1 - Allow invalid connections.

• 2 - Prompt user on the handheld.

2 Java 3.6.1 3.6

TLS Disable Untrusted Connection

TLS Controls the use of connections to untrusted servers during a TLS connection, from these options:

• 0 - Disallow untrusted connections.

• 1 - Allow untrusted connections.

• 2 - Prompt user on the handheld.

2 Java 3.6.1 3.6

TLS Disable Weak Ciphers

TLS Disables the use of weak ciphers during a TLS connection, from these options:

• 0 - Disable weak ciphers.

• 1 - Allow weak ciphers.

• 2 - Prompt user on the handheld.

2 Java 3.6.1 3.6

TLS Minimum Strong DH Key Length

TLS Specifies the minimum DH key size, in bits, allowed for use in the TLS connection.

1024 Java 3.6.1 3.6

TLS Minimum Strong DSA Key Length

TLS Specifies the minimum DSA key size, in bits, allowed for use in TLS connections.

1024 Java 3.6.1 3.6.1

TLS Minimum Strong ECC Key Length

TLS Specifies the minimum ECC key size, in bits, allowed for use in the TLS connection.

163 Java 3.6.1 3.6

TLS Minimum Strong RSA Key Length

TLS Specifies the minimum RSA key size, in bits, allowed for use in TLS connections.

1024 Java 3.6.1 3.6


TLS Restrict FIPS Ciphers

TLS Disables the use of any cipher that is not FIPS-compliant.

FALSE Java 3.6.1 3.6 Warning: If the FIPS Level rule is set to 2, then the setting of this rule is ignored and is explicitly set to TRUE.

Trusted Certificate Thumbprints

Security Defines a string that contains a semi-colon-separated list of Hex-ASCII certificate thumbprints, generated using either SHA1 or MD5.

If the string is present, the user cannot add any certificate with a thumbprint that does not appear in the defined list to the trusted key store.

Java 3.6 3.6

User Can Change Timeout

Non-Grouped Device-Only

Specifies whether the handheld user can change the specified security timeout.

TRUE Java 3.6 3.5 Set this rule according to your organization's security policy. If no such policy exists, the recommendation is to set this rule to FALSE.

Web Link Label Non-Grouped Desktop-Only

Specifies the label for the Web Link icon, if it appears. Setting this value does not imply that the WebLink icon is visible.

Downloads

Java or 85x/95x

N/A; Desktop Manager version 3.5

3.5 Set the label according to your organization's requirements.

Note: When setting this rule, also set the Show Web Link rule to TRUE.

Web Link URL Non-Grouped Desktop-Only

Specifies the URL for the Web Link icon, if it appears. Setting this value does not imply that the WebLink icon is visible.

NULL Java or 85x/95x

N/A; Desktop Manager version 3.5

3.5 Set the URL according to your organization's requirements.

Note: When setting this rule, also set the Show Web Link rule to TRUE.

WTLS Disable Invalid Connection

WTLS Controls the use of connections to servers with invalid certificates during WTLS connections, from these options:

• 0 - Disable invalid connections.

• 1 - Allow invalid connections.

• 2 - Prompt user on the handheld.

2 Java 3.6 3.6

WTLS Disable Untrusted Connection

WTLS Controls the use of connections to untrusted servers during WTLS connections, from these options:

• 0 - Disallow untrusted connections.

• 1 - Allow untrusted connections.

• 2 - Prompt user on the handheld.

2 Java 3.6 3.6

WTLS Disable Weak Ciphers

WTLS Controls the use of weak ciphers during WTLS connections, from these options:

• 0 - Disable weak ciphers.

• 1 - Allow weak ciphers.

• 2 - Prompt user on the handheld.

2 Java 3.6 3.6

WTLS Minimum Strong DH Key Length

WTLS Specifies the minimum DH key size, in bits, allowed for use in the WTLS connection.

1024 Java 3.6 3.6

WTLS Minimum Strong ECC Key Length

WTLS Specifies the minimum ECC key size, in bits, allowed for use in the WTLS connection.

163 Java 3.6 3.6

WTLS Minimum Strong RSA Key Length

WTLS Specifies the minimum RSA key size, in bits, allowed for use in WTLS connections.

1024 Java 3.6 3.6

WTLS Restrict FIPS Ciphers

WTLS Disables the use of any cipher that is not FIPS-compliant.

FALSE Java 4.0 4.0 Warning: If the FIPS Level rule is set to 2, then the setting of this rule is ignored and is explicitly set to TRUE.

Sample IT policies

Consider these scenarios when designing your own IT policies.

If you want to... Use these rules... With these settings...

Make sure that all electronic communication between your employees and their clients is recorded in order to comply with industry regulations.

Allow Other Browser Services FALSE

Allow Other Email Services FALSE

Allow Peer-to-Peer Message FALSE

Allow SMS FALSE

Disable Forwarding Between Services TRUE

Disable Cut/Copy/Paste TRUE

Implement your corporate password policy on all handhelds.

Password Required TRUE

Maximum Password Age 60 (days)

Minimum Password Length 15 (characters)

Password Pattern Checks 2 (requires at least one alpha, one numeric, and one special character)

Set Password Timeout 30 (minutes)

User Can Change Timeout FALSE
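
Several rules in the table depend on each other: FIPS Level 2 overrides other settings, many rules only work when Password Required is TRUE, and Set Password Timeout may not exceed Maximum Security Timeout. The following Python code is an added example, not part of this guide or of the BlackBerry Enterprise Server software, that checks a policy against those documented dependencies; representing a policy as a dictionary and the function names are assumptions made for illustration.

```python
# Added example: lint an IT policy against the rule dependencies in this guide.
# Representing a policy as a dict of rule name -> value is an assumption of the
# example; BlackBerry Enterprise Server manages policies through its own console.

# Values enforced when FIPS Level = 2, whatever the policy itself sets.
# (PGP Allowed Content Ciphers is forced as well; the guide lists it by cipher
# name only, so it is left out of this numeric/boolean map.)
FIPS_LEVEL_2_OVERRIDES = {
    "Password Required": True,
    "Minimum Password Length": 5,
    "Suppress Password Echo": True,
    "S/MIME Allowed Content Ciphers": "0,1,2,5",  # AES 256/192/128, Triple DES
    "TLS Restrict FIPS Ciphers": True,
    "WTLS Restrict FIPS Ciphers": True,
    "Disallow Third Party Application Downloads": True,
}

# Rules the guide says can only be used when other rules are set to TRUE.
PASSWORD = ["Password Required"]
REQUIRES_TRUE = {
    "Duress Notification Address": PASSWORD,
    "Force Smart Card Two Factor Authentication": PASSWORD,
    "Lock on Smart Card Removal":
        PASSWORD + ["Force Smart Card Two Factor Authentication"],
    "Maximum Password Age": PASSWORD,
    "Maximum Password History": PASSWORD,
    "Minimum Password Length": PASSWORD,
    "Password Pattern Checks": PASSWORD,
    "Periodic Challenge Time": PASSWORD,
    "Set Maximum Password Attempts": PASSWORD,
    "Set Password Timeout": PASSWORD,
    "Suppress Password Echo": PASSWORD,
    "Memory Cleaner Maximum Idle Time": ["Force Memory Clean When Idle"],
}


def effective_policy(policy):
    """Return (effective, overridden): the policy after FIPS Level 2 overrides,
    and a list of (rule, configured, forced) for values that were replaced."""
    effective = dict(policy)
    overridden = []
    if policy.get("FIPS Level") == 2:
        for rule, forced in FIPS_LEVEL_2_OVERRIDES.items():
            if rule in policy and policy[rule] != forced:
                overridden.append((rule, policy[rule], forced))
            effective[rule] = forced
    return effective, overridden


def lint(policy):
    """Return a list of (rule, message) findings for the given policy."""
    effective, overridden = effective_policy(policy)
    findings = [
        (rule, f"configured {configured!r} is ignored; FIPS Level 2 sets {forced!r}")
        for rule, configured, forced in overridden
    ]
    # A prerequisite that is absent counts as not TRUE (Password Required
    # defaults to FALSE in the rule table).
    for rule, prerequisites in REQUIRES_TRUE.items():
        if rule not in policy:
            continue
        for prerequisite in prerequisites:
            if effective.get(prerequisite) is not True:
                findings.append((rule, f"requires {prerequisite} = TRUE"))
    timeout = effective.get("Set Password Timeout")
    ceiling = effective.get("Maximum Security Timeout")
    if timeout is not None and ceiling is not None and timeout > ceiling:
        findings.append(("Set Password Timeout",
                         f"{timeout} exceeds Maximum Security Timeout {ceiling}"))
    if effective.get("Password Pattern Checks") in (2, 3):
        findings.append(("Password Pattern Checks",
                         "options 2 and 3 disable pattern checking on 85x/95x handhelds"))
    return findings


# The guide's sample corporate password policy.
SAMPLE_PASSWORD_POLICY = {
    "Password Required": True,
    "Maximum Password Age": 60,
    "Minimum Password Length": 15,
    "Password Pattern Checks": 2,
    "Set Password Timeout": 30,
    "User Can Change Timeout": False,
}

# Constructed policy with deliberate mistakes, for illustration only.
BROKEN_POLICY = {
    "Password Required": False,
    "Periodic Challenge Time": 30,
    "Set Password Timeout": 45,
    "Maximum Security Timeout": 30,
}

if __name__ == "__main__":
    for name, policy in [("sample", SAMPLE_PASSWORD_POLICY),
                         ("sample + FIPS Level 2", {**SAMPLE_PASSWORD_POLICY, "FIPS Level": 2}),
                         ("broken", BROKEN_POLICY)]:
        print(name)
        for rule, message in lint(policy):
            print(f"  {rule}: {message}")
```

Combining the sample password policy with FIPS Level 2 shows the interaction most likely to surprise an administrator: the configured minimum password length of 15 is replaced by 5.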


©2004 Research In Motion Limited. Published in Canada.