Home » Blackberry Manuals » Computer Software » Blackberry PRD-10459-003 » Manual Viewer

Blackberry PRD-10459-003 Administration Guide - Page 187

Configuring BlackBerry devices to enroll certificates over the wireless network

View all Blackberry PRD-10459-003 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 187 highlights

Administration Guide Configuring BlackBerry devices to enroll certificates over the wireless network Configuring BlackBerry devices to enroll 16 certificates over the wireless network You can configure the BlackBerry® Enterprise Serverto permit BlackBerry devices to enroll certificates that the devices can use with any PKI-enabled application or process. You can permit devices to enroll the certificates instead of instructing users to send the certificates to themselves in an email message or use the certificate synchronization tool in the BlackBerry® Desktop Software. When you configure the BlackBerry Enterprise Server to permit devices to enroll certificates, you can control how users request certificates and which certification authority issues the certificates. For example, you might want Wi-Fi® enabled BlackBerry devices to enroll certificates so that they can authenticate to an enterprise Wi-Fi network. You can enroll certificates from one of the following certification authorities: • RSA® certification authority • Microsoft® standalone certification authority • Microsoft enterprise certification authority During the enrollment process, the BlackBerry MDS Connection Service can verify the certificate if the certificate includes an email address in the subject DN. The BlackBerry MDS Connection Service verifies the certificate by checking if the email address in the subject DN of the certificate matches the email address that is assigned to the device. For more information about the enrollment process, see the BlackBerry Enterprise Solution Security Technical Overview. You can make the certificate enrollment process required so that devices automatically start the certificate enrollment process after the devices receive the updated IT policy from the BlackBerry Enterprise Server. If you do not make the certificate enrollment process required, you must instruct users to start the CA Profile Manager on the devices manually. Configure the certificate information using IT policies You must configure the certificate information that BlackBerry® devices can use to create certificate requests so that the certificate enrollment process can occur. If you configured the BlackBerry MDS Connection Service to retrieve the status of the certificates using an OCSP server or a CRL server and pull authorization is turned on, devices may not be able to enroll some certificates over the mobile network. The devices might not be able to enroll some certificates because, devices that initiate the request to the web addresses follow pull authorization rules that restrict access to some of the web addresses for OCSP servers and CRL servers. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy. 2. Click Manage IT policies. 3. Click an IT policy. 4. Click Edit IT policy. 185

Section	Page
Overview: BlackBerry Enterprise Server	23
Document revision history	23
Getting started in your BlackBerry Enterprise Server environment	24
Log in to the BlackBerry Administration Service for the first time	27
There is a problem with this website's security certificate	27
This connection is untrusted	28
Creating administrator accounts	29
Administrative roles and permissions	29
Preconfigured administrative roles	29
Creating roles	33
Create a role	33
Create a role based on an existing role	34
Create an administrator account	34
Add an administrator account to a group	35
Specify an email address for the BlackBerry Administration Service	35
Permit an administrator to log in to the BlackBerry Administration Service using a messaging server account	36
Assign a BlackBerry device to an administrator account	36
Using an IT policy to manage BlackBerry Enterprise Solution security	37
Using IT policy rules to manage BlackBerry Enterprise Solution security	37
Preconfigured IT policies	38
Default values for preconfigured IT policies	39
Creating and importing IT policies	42
Create an IT policy	42
Create an IT policy based on an existing IT policy	42
Import IT policy data	42
Import IT policy rules from an IT policy pack	43
Change the value for an IT policy rule	43
Assign an IT policy to a group	43
Assign an IT policy to a user account	44
Sending an IT policy over the wireless network	44
Resend an IT policy to a BlackBerry device manually	44
Resend an IT policy to a BlackBerry device automatically	45
Assigning IT policies and resolving IT policy conflicts	45
Option 1: Applying one IT policy to each user account	46
Option 2: Applying multiple IT policies to each user account	47
View the resolved IT policy rules that are assigned to a user account	50
Deactivating BlackBerry devices that do not have IT policies applied	50
Deactivate BlackBerry devices that do not have IT policies applied	50
Creating new IT policy rules to control third-party applications	51
Create an IT policy rule for a third-party application	51
Change or delete IT policy rules for third-party applications	51
Export all IT policy data to a data file	52
Delete an IT policy	52
Configuring security options	53
Encrypting data that the BlackBerry Enterprise Server and a BlackBerry device send to each other	53
Algorithms that the BlackBerry Enterprise Solution uses to encrypt data	53
Change the symmetric key encryption algorithm that the BlackBerry Enterprise Solution uses	53
Managing device access to the BlackBerry Enterprise Server	54
Turn on the Enterprise Service Policy	54
Configure the Enterprise Service Policy	55
Permit a user to override the Enterprise Service Policy	55
Extending messaging security to a BlackBerry device	55
Extending messaging security using PGP encryption	56
Extending messaging security using S/MIME encryption	56
Extending messaging security using IBM Lotus Notes encryption	59
Enforcing secure messaging using classifications	60
Create a message classification	60
Create a message classification based on an existing message classification	61
Order message classifications	61
Delete a message classification	62
Generating organization-specific encryption keys for PIN-message encryption	62
Generate a PIN encryption key	62
Turn off BlackBerry services that the BlackBerry MDS Connection Service, BlackBerry Collaboration Service, and BlackBerry MVS provide	63
When a BlackBerry device overwrites data in the BlackBerry device memory	63
Changing when a BlackBerry device cleans the BlackBerry device memory	64
Best practice: Configuring additional memory cleaner settings for BlackBerry devices	64
Configuring the BlackBerry Enterprise Server environment	65
Best practice: Running the BlackBerry Enterprise Server	65
Configuring certain BlackBerry Enterprise Server components to use proxy servers	66
Configure a BlackBerry Enterprise Server component to use a .pac file	66
Configure a BlackBerry Enterprise Server component to use a proxy server	67
Configure a BlackBerry Enterprise Server component to authenticate to a proxy server on behalf of BlackBerry devices	67
Configuring the BlackBerry Administration Service to use a proxy server	68
Configuring proxy selection for the BlackBerry Administration Service	68
Configuring the BlackBerry Administration Service to authenticate with a proxy server	70
Configuring multiple BlackBerry Enterprise Server instances to use the same BlackBerry Enterprise Server component	72
Configure multiple BlackBerry Enterprise Server instances to use the same BlackBerry MDS Connection Service	72
Configure multiple BlackBerry Enterprise Server instances to use the same BlackBerry Collaboration Service	73
Configuring user accounts	74
Creating user groups	74
Create a group to manage similar user accounts	74
Add user accounts to a group	74
Adding a user account to the BlackBerry Enterprise Server	75
Add a user account	75
Create a user account that is not in the contact list in the BlackBerry Configuration Database	76
Export a list of user accounts	77
Importing a list of user accounts to a BlackBerry Enterprise Server	77
Assigning BlackBerry devices to users	80
Preparing to distribute a BlackBerry device	80
Change how the BlackBerry Enterprise Server downloads a user's existing email messages onto the BlackBerry device	80
Prevent the BlackBerry Enterprise Server from synchronizing existing email messages onto a BlackBerry device	80
Assigning BlackBerry devices to user accounts	81
Option 1: Activate a BlackBerry device using the BlackBerry Administration Service	81
Option 2: Activating a BlackBerry device over the wireless network	82
Option 3: Activating BlackBerry devices over the LAN	85
Option 4: Activating BlackBerry devices using the BlackBerry Web Desktop Manager	85
Option 5: Activating BlackBerry devices over an enterprise Wi-Fi network	86
Configuring BlackBerry Enterprise Server high availability	89
Check the health of a BlackBerry Enterprise Server	89
Availability state and failover status of the BlackBerry Enterprise Server	89
How the BlackBerry Enterprise Server uses health parameters	89
Defining when failover occurs	90
Changing the promotion threshold and failover threshold	92
Change the promotion threshold and failover threshold and the order of the health parameters	92
Changing when automatic failover occurs by customizing the health parameters for user accounts and messaging servers	94
Prerequisites: Configuring the BlackBerry Enterprise Server pair to fail over automatically	95
Configure the BlackBerry Enterprise Server to fail over automatically	95
Monitoring the BlackBerry Enterprise Server for an automatic failover event	96
Use the BlackBerry Administration Service to find the time and reason for the last automatic failover event	96
Fail over the BlackBerry Enterprise Server manually using the BlackBerry Administration Service	97
Fail over the BlackBerry Enterprise Server manually using the BlackBerry Configuration Panel	97
Configuring high availability for BlackBerry Enterprise Server components	98
Creating a BlackBerry MDS Connection Service pool for high availability	98
Create a BlackBerry MDS Connection Service pool for high availability	98
Configure the BlackBerry MDS Connection Service and BlackBerry Collaboration Service to fail over automatically	99
Create a BlackBerry Collaboration Service pool for high availability	99
Create a BlackBerry Attachment Service pool for high availability	100
You cannot determine the BlackBerry Attachment Connector that the BlackBerry Enterprise Server or the BlackBerry MDS Connection Service uses	101
Create a BlackBerry Router pool for high availability	102
Permit a BlackBerry Enterprise Server to connect to a remote BlackBerry Router	103
Creating a BlackBerry Administration Service pool using DNS round robin that includes the BlackBerry Web Desktop Manager	103
Configure the BlackBerry Administration Service instances in a pool to communicate across network subnets	104
Changing the name of the BlackBerry Administration Service pool	104
Change the name of the BlackBerry Administration Service pool	105
Fail over the BlackBerry MDS Connection Service or BlackBerry Collaboration Service manually	105
Monitoring the high availability status or job deployment status using the BlackBerry Administration Service	106
Monitor the high availability status or job deployment status using the BlackBerry Administration Service	106
Remove a BlackBerry MDS Connection Service instance from a pool	107
Remove a BlackBerry Collaboration Service instance from a pool	107
Remove a BlackBerry Attachment Service instance from a pool	108
Remove a BlackBerry Router instance from a pool	108
Configuring BlackBerry Configuration Database high availability	109
Prerequisites: Configuring database mirroring or database replication of the BlackBerry Configuration Database	109
Configuring database mirroring	110
Stop the BlackBerry Enterprise Server instances	110
Configure database mirroring for the BlackBerry Configuration Database	110
Start the BlackBerry Enterprise Server instances	111
Configure the BlackBerry Enterprise Solution to support database mirroring	111
Resend the database mirroring parameters to BlackBerry Enterprise Server components	112
Configuring the BlackBerry Configuration Database for one-way transactional replication in an environment that includes Microsoft SQL Server 2005 or 2008	113
Stop the BlackBerry Enterprise Server instances	113
Create the replicated BlackBerry Configuration Database from a backup	113
Permit access to the BlackBerry Configuration Database instances	114
Configure the publication for the BlackBerry Configuration Database	114
Increase the maximum data size for transactional replication	115
Prepare the database server that hosts the replicated BlackBerry Configuration Database and configure the subscription	115
Start the BlackBerry Enterprise Server instances	116
Reacting if the BlackBerry Configuration Database that you configured for transactional replication stops responding	116
Return to the BlackBerry Configuration Database when you configured transactional replication	117
Configuring a new mirror BlackBerry Configuration Database	117
Sending software and BlackBerry Java Applications to BlackBerry devices	118
Managing BlackBerry Java Applications and BlackBerry Device Software	118
Developing BlackBerry Java Applications for BlackBerry devices	119
Preparing to distribute BlackBerry Java Applications	119
Specify a shared network folder for BlackBerry Java Applications	120
Add a BlackBerry Java Application to the application repository	120
Add a collaboration client to the application repository	121
Specify keywords for a BlackBerry Java Application	121
Configuring application control policies	121
Standard application control policies	122
Change a standard application control policy	122
Create custom application control policies for a BlackBerry Java Application	123
IT policy rules take precedence on the device	124
Application control policies for unlisted applications	124
Change the standard application control policy for unlisted applications that are optional	125
Create an application control policy for unlisted applications	125
Configure the priority of application control policies for unlisted applications	126
Creating software configurations	126
Create a software configuration	127
Add a BlackBerry Java Application to a software configuration	127
Assign a software configuration to a group	128
Assign a software configuration to multiple user accounts	128
Assign a software configuration to a user account	129
Install BlackBerry Java Applications on a BlackBerry device at a central computer	129
View the status of a job	130
View the status of a task	130
Stopping a job that is running	138
Stop a job that is running	139
View the users that have a BlackBerry Java Application installed on their BlackBerry devices	139
View how the BlackBerry Administration Service resolved software configuration conflicts for a user account	140
Reconciliation rules for conflicting settings in software configurations	140
Reconciliation rules: BlackBerry Java Applications	141
Reconciliation rules: BlackBerry Device Software	144
Reconciliation rules: Standard application settings	144
Reconciliation rules: Application control policies	145
Reconciliation rules: Application control policies for unlisted applications	146
Alternative methods for installing BlackBerry Java Applications on BlackBerry devices	147
Installing BlackBerry Java Applications on BlackBerry devices without using the BlackBerry Administration Service	147
Developing BlackBerry Java Applications for BlackBerry devices	147
Methods you can use to install BlackBerry Java Applications on BlackBerry devices	147
Installing BlackBerry Java Applications using the BlackBerry Desktop Software	148
Prerequisites: Installing BlackBerry Java Applications using the BlackBerry Desktop Software	149
Make the BlackBerry Java Application available to the BlackBerry Desktop Software	149
Install the BlackBerry Java Application using the BlackBerry Desktop Software	150
Installing BlackBerry Java Applications using the BlackBerry Application Web Loader	150
Prerequisites: Installing BlackBerry Java Applications using the BlackBerry Application Web Loader	150
Enable the BlackBerry Application Web Loader on a web server	151
Install the BlackBerry Java Application using the BlackBerry Application Web Loader	152
Installing BlackBerry Java Applications using the standalone application loader tool	152
Prerequisites: Installing BlackBerry Java Applications using the standalone application loader tool	153
Add BlackBerry Java Application files to a shared network folder	153
Share the Research In Motion folder that contains the BlackBerry Java Application	154
Configure the standalone application loader tool to install the BlackBerry Java Application in automated mode	154
Install the BlackBerry Java Application using the standalone application loader tool	154
Installing BlackBerry Java Applications using a web browser on BlackBerry devices	155
Prerequisites: Installing BlackBerry Java Applications using a web browser on BlackBerry devices	155
Install the BlackBerry Java Application on a web server	156
Install the BlackBerry Java Application using a web browser on the BlackBerry device	156
Configuring how users access enterprise applications and web content	157
Specifying a BlackBerry MDS Connection Service as a central push server	157
Specify a BlackBerry MDS Connection Service as a central push server	157
Configuring how BlackBerry devices authenticate to content servers	158
Configure how BlackBerry devices authenticate to content servers	158
Configure the BlackBerry MDS Connection Service to authenticate BlackBerry devices to content servers that use NTLM	158
Configure the BlackBerry MDS Connection Service to authenticate BlackBerry devices to content servers that use Kerberos	159
Configure the BlackBerry MDS Connection Service to authenticate BlackBerry devices to content servers that use LTPA	159
Configuring the BlackBerry MDS Connection Service to authenticate devices to the RSA Authentication Manager	160
Configuring how the BlackBerry MDS Connection Service manages requests for web content	161
Configure the BlackBerry MDS Connection Service to manage HTTP cookie storage	162
Configure the timeout limit for HTTP connections with BlackBerry devices	162
Configure the timeout limit for HTTP connections with web servers	162
Configure the maximum number of times that the BlackBerry Browser accepts HTTP redirections	163
Permitting push applications to make trusted connections to a BlackBerry MDS Connection Service	163
Create a key store to store certificates for use with HTTPS connections	163
Add a certificate for the BlackBerry MDS Connection Service	164
Export the BlackBerry MDS Connection Service certificate to make it available to push applications	164
Import the BlackBerry MDS Connection Service certificate to the key store of a push application	165
Permit push applications to select the transport protocol for PAP requests	165
Configuring a BlackBerry MDS Connection Service to trust web servers	166
Specify whether the BlackBerry MDS Connection Service requires trusted HTTPS connections from web servers	166
Specify whether the BlackBerry MDS Connection Service requires trusted TLS connections from web servers	166
Configuring certificate server information for the BlackBerry MDS Connection Service	167
Add a retrieved certificate for a web server to the key store	173
Permitting users to access intranet sites on BlackBerry devices using global login information	173
Configure global login information for intranet site access	174
Configuring how the BlackBerry MDS Connection Service connects to BlackBerry devices	174
Specify the maximum amount of data that a BlackBerry MDS Connection Service can send to BlackBerry devices	174
Specify the pending content timeout limit for a BlackBerry MDS Connection Service	174
Permit Java applications to use scalable socket connections with a BlackBerry MDS Connection Service	175
Specify the thread pool size of a BlackBerry MDS Connection Service	175
Specify the maximum number of scalable socket connections	175
Prevent the BlackBerry MDS Connection Service from using scalable HTTP	176
Specify the port number that the web server listens on for push application requests	176
Specify how often a BlackBerry MDS Connection Service polls for configuration information	177
Setting up the messaging environment	178
Creating email message filters	178
Create an email message filter that applies to all user accounts on a BlackBerry Enterprise Server	178
Turn on an email message filter that applies to all user accounts on a BlackBerry Enterprise Server	179
Create an email message filter that applies to a specific user account	179
Turn on an email message filter that applies to a specific user account	180
Copying existing email message filters to another BlackBerry Enterprise Server	180
Export email message filters for a BlackBerry Enterprise Server	180
Import email message filters for a BlackBerry Enterprise Server	180
Copying existing email message filters to user accounts	181
Export email message filters for a user account	181
Import email message filters for a user account	181
Extension plug-ins for processing messages	182
Install an extension plug-in application	182
Add an extension plug-in to a BlackBerry Messaging Agent	183
Change how a BlackBerry Messaging Agent uses extension plug-ins	183
Configure how a BlackBerry Messaging Agent deletes email messages from a BlackBerry state database	184
Mapping contact information fields for synchronization and contact lookups	184
Map a contact information field in an email application to contact list fields on BlackBerry devices	185
Map a contact list field in an email application to a contact list field on a BlackBerry device	185
Map a contact information field in an email application to contact list fields on BlackBerry devices	185
Map a contact list field in an email application to a contact list field on a BlackBerry device	186
Configuring BlackBerry devices to enroll certificates over the wireless network	187
Configure the certificate information using IT policies	187
Configure the BlackBerry MDS Connection Service to connect to the certificate authority	188
Add communication information to a BlackBerry MDS Connection Service configuration set	189
Assign a BlackBerry MDS Connection Service configuration set to a BlackBerry MDS Connection Service instance	190
Add certificate information to a Wi-Fi profile	190
Managing an enrolled certificate	191
Change the polling interval, logging, and pool size for the BlackBerry MDS Connection Service connection to the certificate authority	191
Properties in the rimpublic.properties file	192
Making the BlackBerry Web Desktop Manager available to users	193
Installing the client components of the BlackBerry Web Desktop Manager on users' computers	193
Publish the client files for the BlackBerry Web Desktop Manager in a Windows GPO for Windows XP	193
Publish the client files for the BlackBerry Web Desktop Manager in a Windows GPO for Windows Vista	194
Configure the Microsoft ActiveX Installer on Windows Vista	195
Configure users' computers to install the client file for the BlackBerry Web Desktop Manager automatically	195
Make the BlackBerry Web Desktop Manager available to users	197
Configuring the BlackBerry Web Desktop Manager	198
Permit users to activate BlackBerry devices using the BlackBerry Web Desktop Manager	198
Permit users to back up and restore data using the BlackBerry Web Desktop Manager	198
Configure the domains for backing up data using the BlackBerry Web Desktop Manager	199
Change the text colors in the BlackBerry Web Desktop Manager	199
BlackBerry Web Desktop Manager text colors	200
Display a custom image in the BlackBerry Web Desktop Manager	200
Display the domain name on the login page of the BlackBerry Web Desktop Manager	201
Creating and configuring Wi-Fi profiles and VPN profiles	202
Creating and configuring Wi-Fi profiles	202
Prerequisites: Creating Wi-Fi profiles and VPN profiles	202
Create a Wi-Fi profile	204
Create a Wi-Fi profile based on an existing Wi-Fi profile	204
Configure a Wi-Fi profile on a BlackBerry device	204
Assign a Wi-Fi profile to a group	204
Assign a Wi-Fi profile to a user account	205
Configure a Wi-Fi profile	205
Creating and configuring VPN profiles	206
Create a VPN profile	206
Create a VPN profile based on an existing VPN profile	206
Configure a VPN profile	207
Assign a VPN profile to a group	207
Assign a VPN profile to a user account	207
Associate a VPN profile with a Wi-Fi profile	208
Delete a Wi-Fi profile	208
Delete a VPN profile	208
Importing profile information from a .csv file	209
Best practices: Creating a .csv file that contains profile information that you want to import	209
Create a .csv file that contains profile information that you want to import	209
Import profile information from a .csv file	211
Configuring encryption and authentication methods for Wi-Fi enabled BlackBerry devices	212
Configuring WEP encryption	212
Configure WEP keys for BlackBerry devices using a Wi-Fi profile	212
Configuring PSK encryption	213
Configure PSK encryption data for BlackBerry devices using a Wi-Fi profile	213
Configuring LEAP authentication	214
Configure LEAP authentication data for BlackBerry devices using a Wi-Fi profile	214
Configuring PEAP authentication	215
Configure PEAP authentication data for BlackBerry devices using a Wi-Fi profile	215
Prerequisites: Distributing a certificate using the BlackBerry Desktop Manager	216
Distribute a certificate using the BlackBerry Desktop Manager	216
Configure PEAP configuration settings in the Wi-Fi profile on a BlackBerry device	217
Configuring EAP-TLS authentication	218
Configure EAP-TLS authentication data for BlackBerry devices using a Wi-Fi profile	218
Configure EAP-TLS configuration settings in the Wi-Fi profile on a BlackBerry device	219
Configuring EAP-TTLS authentication	219
Configure EAP-TTLS authentication data for BlackBerry devices using a Wi-Fi profile	220
Configure EAP-TTLS configuration settings in the Wi-Fi profile on a BlackBerry device	221
Configuring EAP-FAST authentication	221
Configure EAP-FAST authentication	222
Send EAP-FAST authentication data to a BlackBerry device using a Wi-Fi profile	222
Configure EAP-FAST configuration settings in the Wi-Fi profile on BlackBerry devices	223
Configuring software tokens for BlackBerry devices	224
Prerequisites: Configuring BlackBerry devices for RSA authentication	224
Configure BlackBerry devices for RSA authentication	225
Configure RSA authentication over a Wi-Fi network using a software token	225
Configure RSA authentication over a VPN network using a software token	226
Assign software tokens to a user account	226
Changing the security settings of the BlackBerry Administration Service and BlackBerry Web Desktop Manager	228
Import a new SSL certificate for the BlackBerry Administration Service and BlackBerry Web Desktop Manager	228
Configuring which IBM Lotus Domino server with DIIOP the BlackBerry Administration Service uses	229
Change the IBM Lotus Domino server with DIIOP that the BlackBerry Administration Service uses	229
Change the information for Microsoft Active Directory authentication	230
Configuring single sign-on authentication for the BlackBerry Administration Service and BlackBerry Web Desktop Manager	231
Configure constrained delegation for the Microsoft Active Directory account to support single sign-on authentication	231
Turn on single sign-on authentication for the BlackBerry Administration Service	232
BlackBerry Administration Service web addresses and BlackBerry Web Desktop Manager web addresses that support BlackBerry Administration Service single sign-on	232
Changing password settings for BlackBerry Administration Service authentication	233
Change password settings for BlackBerry Administration Service authentication	233
Regenerate the system credentials for the BlackBerry Administration Service	233
Protecting and redistributing devices	235
Preparing a device for redistribution to a new user	235
Use the BlackBerry Administration Service to delete user data and assign the device to a new user	235
Use the BlackBerry Administration Service to delete user data and remove the BlackBerry Device Software before assigning the device to a new user	235
Deleting only work data from a device	236
Delete only work data from a device	237
Using IT administration commands to protect a lost or stolen device	238
Protect a stolen device	239
Protect a lost device	240
Protect a lost device that a user might not recover	240
Managing administrator accounts	242
Change role permissions	242
Change the roles for an administrator account	242
Delete a role	242
Delete an administrator account	243
Managing groups and user accounts	244
Managing groups	244
Using default groups to manage user accounts and administrator accounts	244
Remove a user account from a group	245
Change the properties of a group	245
Rename a group	245
Delete a group	246
Managing user accounts	246
Move a user account to a different group	246
Move a user account from one BlackBerry Enterprise Server to another	246
Delete a user account from the BlackBerry Enterprise Server	247
Add an administrator role to a user account	247
Update the contact list manually	248
Resend service books to a BlackBerry device	248
Managing the delivery of BlackBerry Java Applications, BlackBerry Device Software, and device settings to BlackBerry devices	249
Managing the default distribution settings for jobs	249
Change default settings for a job schedule	249
Change how IT policies are sent to BlackBerry devices	250
Change how to install, update, or remove BlackBerry Java Applications	251
Change how to install or update the BlackBerry Device Software	252
Change how the BlackBerry Enterprise Server sends standard application settings to BlackBerry devices	253
Managing the distribution settings for a specific job	254
Specify the start time and priority for a job	255
Change how a job sends IT policies to BlackBerry devices	255
Change how a job sends BlackBerry Java Applications to BlackBerry devices	256
Change how a job sends the BlackBerry Device Software to BlackBerry devices	257
Change how a job sends standard application settings to BlackBerry devices	259
Managing BlackBerry Java Applications on BlackBerry devices	260
Make a BlackBerry Java Application unavailable for installation	260
Remove a BlackBerry Java Application from BlackBerry devices over the wireless network	260
Managing software configurations	261
Remove a software configuration from a group	261
Remove a software configuration from multiple user accounts	261
Remove a software configuration from a user account	262
Delete a software configuration	262
Managing how users access enterprise applications and web content	263
Restricting user access to content on web servers	263
Restrict requests for content on web servers from BlackBerry devices	263
Specify web address patterns	263
Create a pull rule	264
Restrict or permit web addresses and Intranet addresses using a pull rule	264
Assign a pull rule to the members of a group	265
Assign a pull rule to user accounts	266
Restricting user access to media content in the BlackBerry Browser	266
Prevent users from accessing specific media types	266
Configure download limits for media content types	267
Default download limits for media content types	267
Configuring Integrated Windows authentication so that users can access resources on your organization's network	268
Configuring the Microsoft Active Directory account to delegate access	268
Configuring the BlackBerry MDS Connection Service when the messaging server is located in a remote Microsoft Active Directory domain	271
Turn on Integrated Windows authentication so that users can access resources on your organization's network	272
Restricting the push application content that users can receive	273
Restrict push applications from sending data to BlackBerry devices	273
Create push initiators for push applications	274
Turn on push authorization	274
Create a push rule	275
Assign push initiators to a push rule	275
Assign a push rule to the members of a group	275
Assign a push rule to user accounts	276
Encrypt push requests that push applications send to BlackBerry devices	276
Managing push application requests	277
Specify device ports for application-reliable push requests	277
Store push application requests in the BlackBerry Configuration Database	277
Configure the settings for storing push requests in the BlackBerry Configuration Database	278
Configure the maximum number of active connections that a BlackBerry MDS Connection Service can process	278
Configure the maximum number of queued connections that a BlackBerry MDS Connection Service can process	279
Managing organizer data synchronization	280
Managing the wireless backup and recovery of organizer data	280
Turn off the wireless backup of organizer data for a user account	280
Delete organizer data for members of a user group from the BlackBerry Enterprise Server	280
Delete a user's organizer data from a BlackBerry Enterprise Server	281
Turning off organizer data synchronization	281
Turn off organizer data synchronization for all user accounts that are associated with a BlackBerry Enterprise Server	281
Turn off organizer data synchronization for a specific user account	281
Changing how organizer data synchronizes	282
Change the direction of organizer data synchronization for all user accounts on a BlackBerry Enterprise Server	282
Change the direction of organizer data synchronization for a specific user account	282
Change how the BlackBerry Administration Service resolves conflicts during organizer data synchronization for all user accounts on a BlackBerry Enterprise Server	283
Change how the BlackBerry Administration Service resolves conflicts during organizer data synchronization for a specific user account	283
Specify the location of organizer data	284
Specify the location that the BlackBerry Messaging Agent uses to find organizer data	284
Managing your organization's messaging environment and attachment support	285
Managing message forwarding	285
Forward email messages to a BlackBerry device when no filter rules apply	285
Do not deliver email messages to a BlackBerry device when no filter rules apply	285
Forward email messages from inbox subfolders to a BlackBerry device	286
Turn off email message forwarding to user accounts in a group	286
Turn off email message forwarding to a user account	287
Turn off synchronization for email messages sent from a BlackBerry device	287
Turn off email message forwarding when a user connects a BlackBerry device to a computer	287
Managing the incoming message queue	288
Delete email messages for user accounts from the incoming message queue	288
Managing wireless message reconciliation	288
Turn off wireless message reconciliation for a BlackBerry Enterprise Server	289
Managing access to remote message data	289
Prevent a user from checking the availability of meeting participants on the BlackBerry device	289
Prevent a user from searching for remote email messages using a device	290
Managing email messages that contain HTML and rich content	290
View whether a user turned on support for email messages that contain HTML and rich content for a BlackBerry device	291
Turn off support for rich text formatting and inline images in email messages for users on a BlackBerry Enterprise Server	291
Turn off support for rich text formatting and inline images in email messages using an IT policy rule	292
Configuring IBM Lotus Notes links on devices	292
Configure the BlackBerry Enterprise Server to support IBM Lotus Notes links to different IBM Lotus Domino domains	293
Updating the map for IBM Lotus Domino server names and host names	293
Change how often the BlackBerry Messaging Agent updates the map for IBM Lotus Domino server names and host names	294
Turn off support for IBM Lotus Notes links	294
Synchronizing folders on the BlackBerry device	295
Control which published public contact folders a user can synchronize to a BlackBerry device	295
Control which personal contact subfolders a user can synchronize to a BlackBerry device	295
Control which personal mail folders a user can synchronize with a BlackBerry device	296
Specify public contact databases that users can access from their BlackBerry devices	296
Control which public contact databases a user can access from the BlackBerry device	297
Configuring access to documents on remote file systems	297
Configure the BlackBerry MDS Connection Service to communicate with a remote file system	298
Add communication information to a BlackBerry MDS Connection Service configuration set	299
Assign a BlackBerry MDS Connection Service configuration set to a BlackBerry MDS Connection Service instance	300
Managing signatures and disclaimers in email messages	300
Add a signature to email messages that a user sends from a BlackBerry device	300
Add a disclaimer to email messages that users send from BlackBerry devices	301
Add a disclaimer to email messages that a user sends from a BlackBerry device	301
Specify conflict rules for disclaimers	302
Turn off disclaimers for email messages	302
Monitor email messages that users send from BlackBerry devices	302
Sending notification messages to users	303
Send a notification message to all users in a BlackBerry Domain	303
Send a notification message to all users on a BlackBerry Enterprise Server	303
Send a notification message to group members	304
Send a notification message to a user	304
Automated notification messages	304
Change the subject for automated notification messages	304
Turn off automated notification messages	305
How the BlackBerry Attachment Connector communicates with BlackBerry Attachment Service instances	305
Change how a BlackBerry Attachment Connector retries sending requests to a BlackBerry Attachment Service	306

Match case Limit results 1 per page

Configuring BlackBerry devices to enroll

certificates over the wireless network

You can configure the BlackBerry® Enterprise Server to permit BlackBerry devices to enroll certificates that the devices

can use with any PKI-enabled application or process. You can permit devices to enroll the certificates instead of

instructing users to send the certificates to themselves in an email message or use the certificate synchronization

tool in the BlackBerry® Desktop Software. When you configure the BlackBerry Enterprise Server to permit devices

to enroll certificates, you can control how users request certificates and which certification authority issues the

certificates.

For example, you might want Wi-Fi® enabled BlackBerry devices to enroll certificates so that they can authenticate

to an enterprise Wi-Fi network.

You can enroll certificates from one of the following certification authorities:

•

RSA® certification authority

•

Microsoft® standalone certification authority

•

Microsoft enterprise certification authority

During the enrollment process, the BlackBerry MDS Connection Service can verify the certificate if the certificate

includes an email address in the subject DN. The BlackBerry MDS Connection Service verifies the certificate by

checking if the email address in the subject DN of the certificate matches the email address that is assigned to the

device. For more information about the enrollment process, see the

BlackBerry Enterprise Solution Security Technical

Overview

You can make the certificate enrollment process required so that devices automatically start the certificate

enrollment process after the devices receive the updated IT policy from the BlackBerry Enterprise Server. If you do

not make the certificate enrollment process required, you must instruct users to start the CA Profile Manager on the

devices manually.

Configure the certificate information using IT policies

You must configure the certificate information that BlackBerry® devices can use to create certificate requests so that

the certificate enrollment process can occur.

If you configured the BlackBerry MDS Connection Service to retrieve the status of the certificates using an OCSP

server or a CRL server and pull authorization is turned on, devices may not be able to enroll some certificates over

the mobile network. The devices might not be able to enroll some certificates because, devices that initiate the

request to the web addresses follow pull authorization rules that restrict access to some of the web addresses for

OCSP servers and CRL servers.

In the BlackBerry Administration Service, on the

BlackBerry solution management

menu, expand

Policy

Click

Manage IT policies

Click an IT policy.

Click

Edit IT policy

Administration Guide

Configuring BlackBerry devices to enroll certificates over the wireless network

185