Home » Blackberry Manuals » Computer Software » Blackberry PRD-10459-016 » Manual Viewer

Blackberry PRD-10459-016 Administration Guide - Page 232

Configuring single sign-on authentication for the BlackBerry Administration Service and BlackBerry Web Desktop Manager, Con constrained delegation for the Microsoft Active Directory account to support single sign-on authentication, Turn on single sign-on

View all Blackberry PRD-10459-016 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 232 highlights

Administration Guide Configuring single sign-on authentication for the BlackBerry Administration Service and BlackBerry Web Desktop Manager Configuring single sign-on authentication for the BlackBerry Administration Service and BlackBerry Web Desktop Manager If you configure the BlackBerry® Administration Service to support Microsoft® Active Directory® authentication, you can turn on single sign-on authentication. Single sign-on authentication permits you to access the BlackBerry Administration Service and BlackBerry device users to access the BlackBerry Web Desktop Manager without requiring that you or the users type a Microsoft Active Directory user name and password. By default, if you log in to the BlackBerry Administration Service or users log in to the BlackBerry Web Desktop Manager using Microsoft Active Directory authentication, the browser prompts you or the users to type a Microsoft Active Directory user name and password. If you turn on single sign-on authentication, and you log in to a computer using a Microsoft Active Directory account, you can bypass the login screen and access the BlackBerry Administration Service and BlackBerry Web Desktop Manager directly. The BlackBerry Monitoring Service does not support single sign-on authentication. Before you turn on single sign-on, you must configure constrained delegation for the Microsoft Active Directory account for the BlackBerry Administration Service. Configure constrained delegation for the Microsoft Active Directory account to support single sign-on authentication 1. Use the Windows Server® ADSI Edit tool to add the following SPNs for the BlackBerry® Administration Service pool to the Microsoft® Active Directory® account : • HTTP/ (for example, HTTP/BASconsole104.example.com) • BASPLUGIN111/ (for example, BASPLUGIN111/BASconsole104.example.com) 2. If you create separate pools of BlackBerry Administration Service instances and BlackBerry Web Desktop Manager instances in the BlackBerry Administration Service pool, add the HTTP/ SPN for each pool to the Microsoft Active Directory account. 3. Configure the Microsoft Active Directory account for constrained delegation using the following settings: • trust this user for delegation to specific services only • use Kerberos™ only 4. In the Microsoft Active Directory account properties, on the Delegation tab, add BASPLUGIN111/ to the list of services. After you finish: For more information about configuring constrained delegation for the Microsoft Active Directory account so you can access the BlackBerry Administration Service, visit www.blackberry.com/btsc to read article KB22717. Turn on single sign-on authentication for the BlackBerry Administration Service 1. In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view. 230

Section	Page
Overview: BlackBerry Enterprise Server	23
Document revision history	23
Getting started in your BlackBerry Enterprise Server environment	24
Log in to the BlackBerry Administration Service for the first time	27
There is a problem with this website's security certificate	27
This connection is untrusted	28
Creating administrator accounts	29
Administrative roles and permissions	29
Preconfigured administrative roles	29
Creating roles	33
Create a role	33
Create a role based on an existing role	34
Create an administrator account	34
Add an administrator account to a group	35
Specify an email address for the BlackBerry Administration Service	35
Permit an administrator to log in to the BlackBerry Administration Service using a messaging server account	36
Assign a BlackBerry device to an administrator account	36
Using an IT policy to manage BlackBerry Enterprise Solution security	37
Using IT policy rules to manage BlackBerry Enterprise Solution security	37
Preconfigured IT policies	38
Default values for preconfigured IT policies	39
Creating and importing IT policies	42
Create an IT policy	42
Create an IT policy based on an existing IT policy	42
Import IT policy data	42
Import IT policy rules from an IT policy pack	43
Change the value for an IT policy rule	43
Assign an IT policy to a group	43
Assign an IT policy to a user account	44
Sending an IT policy over the wireless network	44
Resend an IT policy to a BlackBerry device manually	44
Resend an IT policy to a BlackBerry device automatically	45
Assigning IT policies and resolving IT policy conflicts	45
Option 1: Applying one IT policy to each user account	46
Option 2: Applying multiple IT policies to each user account	47
View the resolved IT policy rules that are assigned to a user account	50
Deactivating BlackBerry devices that do not have IT policies applied	50
Deactivate BlackBerry devices that do not have IT policies applied	50
Creating new IT policy rules to control third-party applications	51
Create an IT policy rule for a third-party application	51
Change or delete IT policy rules for third-party applications	51
Export all IT policy data to a data file	52
Delete an IT policy	52
Configuring security options	53
Encrypting data that the BlackBerry Enterprise Server and a BlackBerry device send to each other	53
Algorithms that the BlackBerry Enterprise Solution uses to encrypt data	53
Change the symmetric key encryption algorithm that the BlackBerry Enterprise Solution uses	53
Managing device access to the BlackBerry Enterprise Server	54
Turn on the Enterprise Service Policy	54
Configure the Enterprise Service Policy	55
Permit a user to override the Enterprise Service Policy	55
Extending messaging security to a BlackBerry device	55
Extending messaging security using PGP encryption	56
Extending messaging security using S/MIME encryption	56
Enforcing secure messaging using classifications	59
Create a message classification	59
Create a message classification based on an existing message classification	60
Order message classifications	60
Delete a message classification	60
Generating organization-specific encryption keys for PIN-message encryption	61
Generate a PIN encryption key	61
Turn off BlackBerry services that the BlackBerry MDS Connection Service, BlackBerry Collaboration Service, and BlackBerry MVS provide	61
When a BlackBerry device overwrites data in the BlackBerry device memory	62
Changing when a BlackBerry device cleans the BlackBerry device memory	62
Best practice: Configuring additional memory cleaner settings for BlackBerry devices	63
Configuring the BlackBerry Enterprise Server environment	64
Best practice: Running the BlackBerry Enterprise Server	64
Configuring certain BlackBerry Enterprise Server components to use proxy servers	64
Configure a BlackBerry Enterprise Server component to use a .pac file	65
Configure a BlackBerry Enterprise Server component to use a proxy server	65
Configure a BlackBerry Enterprise Server component to authenticate to a proxy server on behalf of BlackBerry devices	66
Configuring the BlackBerry Administration Service to use a proxy server	67
Configuring proxy selection for the BlackBerry Administration Service	67
Configuring the BlackBerry Administration Service to authenticate with a proxy server	69
Configuring multiple BlackBerry Enterprise Server instances to use the same BlackBerry Enterprise Server component	71
Configure multiple BlackBerry Enterprise Server instances to use the same BlackBerry MDS Connection Service	71
Configure multiple BlackBerry Enterprise Server instances to use the same BlackBerry Collaboration Service	71
Configuring support for Unicode languages	72
Configure support for Unicode languages	72
Change the character encoding that the BlackBerry Enterprise Server uses to send Unicode messages	73
Configure support for Unicode text in calendars on BlackBerry devices in a Microsoft Exchange environment	74
Configuring user accounts	75
Creating user groups	75
Create a group to manage similar user accounts	75
Add user accounts to a group	75
Adding a user account to the BlackBerry Enterprise Server	76
Add a user account	76
Create a user account that is not in the contact list in the BlackBerry Configuration Database	77
Export a list of user accounts	77
Importing a list of user accounts to a BlackBerry Enterprise Server	78
Assigning BlackBerry devices to users	81
Preparing to distribute a BlackBerry device	81
Change how the BlackBerry Enterprise Server downloads a user's existing email messages onto the BlackBerry device	81
Prevent the BlackBerry Enterprise Server from synchronizing existing email messages onto a BlackBerry device	81
Assigning BlackBerry devices to user accounts	82
Option 1: Activate a BlackBerry device using the BlackBerry Administration Service	82
Option 2: Activating a BlackBerry device over the wireless network	83
Option 3: Activating BlackBerry devices over the LAN	86
Option 4: Activating BlackBerry devices using the BlackBerry Web Desktop Manager	86
Option 5: Activating BlackBerry devices over an enterprise Wi-Fi network	87
Configuring BlackBerry Enterprise Server high availability	90
Check the health of a BlackBerry Enterprise Server	90
Availability state and failover status of the BlackBerry Enterprise Server	90
How the BlackBerry Enterprise Server uses health parameters	90
Defining when failover occurs	91
Changing the promotion threshold and failover threshold	93
Change the promotion threshold and failover threshold and the order of the health parameters	93
Changing when automatic failover occurs by customizing the health parameters for user accounts and messaging servers	95
Prerequisites: Configuring the BlackBerry Enterprise Server pair to fail over automatically	96
Configure the BlackBerry Enterprise Server to fail over automatically	96
Monitoring the BlackBerry Enterprise Server for an automatic failover event	97
Use the BlackBerry Administration Service to find the time and reason for the last automatic failover event	97
Fail over the BlackBerry Enterprise Server manually using the BlackBerry Administration Service	97
Fail over the BlackBerry Enterprise Server manually using the BlackBerry Configuration Panel	98
Configuring high availability for BlackBerry Enterprise Server components	99
Creating a BlackBerry MDS Connection Service pool for high availability	99
Create a BlackBerry MDS Connection Service pool for high availability	99
Configure the BlackBerry MDS Connection Service and BlackBerry Collaboration Service to fail over automatically	100
Create a BlackBerry Collaboration Service pool for high availability	100
Create a BlackBerry Attachment Service pool for high availability	101
You cannot determine the BlackBerry Attachment Connector that the BlackBerry Enterprise Server or the BlackBerry MDS Connection Service uses	102
Create a BlackBerry Router pool for high availability	103
Permit a BlackBerry Enterprise Server to connect to a remote BlackBerry Router	104
Creating a BlackBerry Administration Service pool using DNS round robin that includes the BlackBerry Web Desktop Manager	104
Configure the BlackBerry Administration Service instances in a pool to communicate across network subnets	105
Changing the name of the BlackBerry Administration Service pool	105
Change the name of the BlackBerry Administration Service pool	106
Fail over the BlackBerry MDS Connection Service or BlackBerry Collaboration Service manually	106
Monitoring the high availability status or job deployment status using the BlackBerry Administration Service	107
Monitor the high availability status or job deployment status using the BlackBerry Administration Service	107
Remove a BlackBerry MDS Connection Service instance from a pool	108
Remove a BlackBerry Collaboration Service instance from a pool	108
Remove a BlackBerry Attachment Service instance from a pool	109
Remove a BlackBerry Router instance from a pool	109
Configuring BlackBerry Configuration Database high availability	110
Prerequisites: Configuring database mirroring or database replication of the BlackBerry Configuration Database	110
Configuring database mirroring	111
Stop the BlackBerry Enterprise Server instances	111
Configure database mirroring for the BlackBerry Configuration Database	111
Start the BlackBerry Enterprise Server instances	112
Configure the BlackBerry Enterprise Solution to support database mirroring	112
Resend the database mirroring parameters to BlackBerry Enterprise Server components	113
Configuring the BlackBerry Configuration Database for one-way transactional replication in an environment that includes Microsoft SQL Server 2005 or 2008	114
Stop the BlackBerry Enterprise Server instances	114
Create the replicated BlackBerry Configuration Database from a backup	114
Permit access to the BlackBerry Configuration Database instances	115
Configure the publication for the BlackBerry Configuration Database	115
Increase the maximum data size for transactional replication	116
Prepare the database server that hosts the replicated BlackBerry Configuration Database and configure the subscription	116
Start the BlackBerry Enterprise Server instances	117
Reacting if the BlackBerry Configuration Database that you configured for transactional replication stops responding	117
Return to the BlackBerry Configuration Database when you configured transactional replication	118
Configuring a new mirror BlackBerry Configuration Database	118
Sending software and BlackBerry Java Applications to BlackBerry devices	119
Managing BlackBerry Java Applications and BlackBerry Device Software	119
Developing BlackBerry Java Applications for BlackBerry devices	120
Preparing to distribute BlackBerry Java Applications	120
Specify a shared network folder for BlackBerry Java Applications	121
Add a BlackBerry Java Application to the application repository	121
Add a collaboration client to the application repository	122
Specify keywords for a BlackBerry Java Application	122
Configuring application control policies	122
Standard application control policies	123
Change a standard application control policy	123
Create custom application control policies for a BlackBerry Java Application	124
IT policy rules take precedence on the device	125
Application control policies for unlisted applications	125
Change the standard application control policy for unlisted applications that are optional	126
Create an application control policy for unlisted applications	126
Configure the priority of application control policies for unlisted applications	127
Creating software configurations	127
Create a software configuration	128
Add a BlackBerry Java Application to a software configuration	128
Assign a software configuration to a group	129
Assign a software configuration to multiple user accounts	129
Assign a software configuration to a user account	130
Install BlackBerry Java Applications on a BlackBerry device at a central computer	130
View the status of a job	131
View the status of a task	131
Stopping a job that is running	139
Stop a job that is running	140
View the users that have a BlackBerry Java Application installed on their BlackBerry devices	140
View how the BlackBerry Administration Service resolved software configuration conflicts for a user account	141
Reconciliation rules for conflicting settings in software configurations	141
Reconciliation rules: BlackBerry Java Applications	142
Reconciliation rules: BlackBerry Device Software	145
Reconciliation rules: Standard application settings	145
Reconciliation rules: Application control policies	146
Reconciliation rules: Application control policies for unlisted applications	147
Alternative methods for installing BlackBerry Java Applications on BlackBerry devices	148
Installing BlackBerry Java Applications on BlackBerry devices without using the BlackBerry Administration Service	148
Developing BlackBerry Java Applications for BlackBerry devices	148
Methods you can use to install BlackBerry Java Applications on BlackBerry devices	148
Installing BlackBerry Java Applications using the BlackBerry Desktop Software	149
Prerequisites: Installing BlackBerry Java Applications using the BlackBerry Desktop Software	150
Make the BlackBerry Java Application available to the BlackBerry Desktop Software	150
Install the BlackBerry Java Application using the BlackBerry Desktop Software	151
Installing BlackBerry Java Applications using the BlackBerry Application Web Loader	151
Prerequisites: Installing BlackBerry Java Applications using the BlackBerry Application Web Loader	151
Enable the BlackBerry Application Web Loader on a web server	152
Install the BlackBerry Java Application using the BlackBerry Application Web Loader	153
Installing BlackBerry Java Applications using the standalone application loader tool	153
Prerequisites: Installing BlackBerry Java Applications using the standalone application loader tool	154
Add BlackBerry Java Application files to a shared network folder	154
Share the Research In Motion folder that contains the BlackBerry Java Application	155
Configure the standalone application loader tool to install the BlackBerry Java Application in automated mode	155
Install the BlackBerry Java Application using the standalone application loader tool	155
Installing BlackBerry Java Applications using a web browser on BlackBerry devices	156
Prerequisites: Installing BlackBerry Java Applications using a web browser on BlackBerry devices	156
Install the BlackBerry Java Application on a web server	157
Install the BlackBerry Java Application using a web browser on the BlackBerry device	157
Configuring how users access enterprise applications and web content	158
Specifying a BlackBerry MDS Connection Service as a central push server	158
Specify a BlackBerry MDS Connection Service as a central push server	158
Configuring how BlackBerry devices authenticate to content servers	159
Configure how BlackBerry devices authenticate to content servers	159
Configure the BlackBerry MDS Connection Service to authenticate BlackBerry devices to content servers that use NTLM	159
Configure the BlackBerry MDS Connection Service to authenticate BlackBerry devices to content servers that use Kerberos	160
Configure the BlackBerry MDS Connection Service to authenticate BlackBerry devices to content servers that use LTPA	160
Configuring the BlackBerry MDS Connection Service to authenticate devices to the RSA Authentication Manager	161
Configuring how the BlackBerry MDS Connection Service manages requests for web content	162
Configure the BlackBerry MDS Connection Service to manage HTTP cookie storage	163
Configure the timeout limit for HTTP connections with BlackBerry devices	163
Configure the timeout limit for HTTP connections with web servers	163
Configure the maximum number of times that the BlackBerry Browser accepts HTTP redirections	164
Permitting push applications to make trusted connections to a BlackBerry MDS Connection Service	164
Create a key store to store certificates for use with HTTPS connections	164
Add a certificate for the BlackBerry MDS Connection Service	165
Export the BlackBerry MDS Connection Service certificate to make it available to push applications	165
Import the BlackBerry MDS Connection Service certificate to the key store of a push application	166
Permit push applications to select the transport protocol for PAP requests	166
Configuring a BlackBerry MDS Connection Service to trust web servers	167
Specify whether the BlackBerry MDS Connection Service requires trusted HTTPS connections from web servers	167
Specify whether the BlackBerry MDS Connection Service requires trusted TLS connections from web servers	167
Configuring certificate server information for the BlackBerry MDS Connection Service	168
Add a retrieved certificate for a web server to the key store	174
Permitting users to access intranet sites on BlackBerry devices using global login information	174
Configure global login information for intranet site access	175
Configuring how the BlackBerry MDS Connection Service connects to BlackBerry devices	175
Specify the maximum amount of data that a BlackBerry MDS Connection Service can send to BlackBerry devices	175
Specify the pending content timeout limit for a BlackBerry MDS Connection Service	175
Permit Java applications to use scalable socket connections with a BlackBerry MDS Connection Service	176
Specify the thread pool size of a BlackBerry MDS Connection Service	176
Specify the maximum number of scalable socket connections	176
Prevent the BlackBerry MDS Connection Service from using scalable HTTP	177
Specify the port number that the web server listens on for push application requests	177
Specify how often a BlackBerry MDS Connection Service polls for configuration information	178
Setting up the messaging environment	179
Creating email message filters	179
Create an email message filter that applies to all user accounts on a BlackBerry Enterprise Server	179
Turn on an email message filter that applies to all user accounts on a BlackBerry Enterprise Server	180
Create an email message filter that applies to a specific user account	180
Turn on an email message filter that applies to a specific user account	181
Copying existing email message filters to another BlackBerry Enterprise Server	181
Export email message filters for a BlackBerry Enterprise Server	181
Import email message filters for a BlackBerry Enterprise Server	181
Copying existing email message filters to user accounts	182
Export email message filters for a user account	182
Import email message filters for a user account	182
Extension plug-ins for processing messages	183
Install an extension plug-in application	183
Add an extension plug-in to a BlackBerry Messaging Agent	184
Change how a BlackBerry Messaging Agent uses extension plug-ins	184
Mapping contact information fields for synchronization and contact lookups	185
Map a contact information field in an email application to contact list fields on BlackBerry devices	185
Map a contact list field in an email application to a contact list field on a BlackBerry device	185
Map a contact information field in an email application to contact list fields on BlackBerry devices	186
Map a contact list field in an email application to a contact list field on a BlackBerry device	186
Configuring BlackBerry devices to enroll certificates over the wireless network	188
Configure the certificate information using IT policies	188
Configure the BlackBerry MDS Connection Service to connect to the certificate authority	189
Add communication information to a BlackBerry MDS Connection Service configuration set	190
Assign a BlackBerry MDS Connection Service configuration set to a BlackBerry MDS Connection Service instance	191
Add certificate information to a Wi-Fi profile	191
Managing an enrolled certificate	192
Change the polling interval, logging, and pool size for the BlackBerry MDS Connection Service connection to the certificate authority	192
Properties in the rimpublic.properties file	193
Making the BlackBerry Web Desktop Manager available to users	194
Installing the client components of the BlackBerry Web Desktop Manager on users' computers	194
Publish the client files for the BlackBerry Web Desktop Manager in a Windows GPO for Windows XP	194
Publish the client files for the BlackBerry Web Desktop Manager in a Windows GPO for Windows Vista	195
Configure the Microsoft ActiveX Installer on Windows Vista	196
Configure users' computers to install the client file for the BlackBerry Web Desktop Manager automatically	196
Make the BlackBerry Web Desktop Manager available to users	198
Configuring the BlackBerry Web Desktop Manager	199
Permit users to activate BlackBerry devices using the BlackBerry Web Desktop Manager	199
Permit users to back up and restore data using the BlackBerry Web Desktop Manager	199
Configure the domains for backing up data using the BlackBerry Web Desktop Manager	200
Change the text colors in the BlackBerry Web Desktop Manager	200
BlackBerry Web Desktop Manager text colors	201
Display a custom image in the BlackBerry Web Desktop Manager	201
Display the domain name on the login page of the BlackBerry Web Desktop Manager	202
Creating and configuring Wi-Fi profiles and VPN profiles	203
Creating and configuring Wi-Fi profiles	203
Prerequisites: Creating Wi-Fi profiles and VPN profiles	203
Create a Wi-Fi profile	205
Create a Wi-Fi profile based on an existing Wi-Fi profile	205
Configure a Wi-Fi profile on a BlackBerry device	205
Assign a Wi-Fi profile to a group	205
Assign a Wi-Fi profile to a user account	206
Configure a Wi-Fi profile	206
Creating and configuring VPN profiles	207
Create a VPN profile	207
Create a VPN profile based on an existing VPN profile	207
Configure a VPN profile	208
Assign a VPN profile to a group	208
Assign a VPN profile to a user account	208
Associate a VPN profile with a Wi-Fi profile	209
Delete a Wi-Fi profile	209
Delete a VPN profile	209
Importing profile information from a .csv file	210
Best practices: Creating a .csv file that contains profile information that you want to import	210
Create a .csv file that contains profile information that you want to import	210
Import profile information from a .csv file	212
Configuring encryption and authentication methods for Wi-Fi enabled BlackBerry devices	213
Configuring WEP encryption	213
Configure WEP keys for BlackBerry devices using a Wi-Fi profile	213
Configuring PSK encryption	214
Configure PSK encryption data for BlackBerry devices using a Wi-Fi profile	214
Configuring LEAP authentication	215
Configure LEAP authentication data for BlackBerry devices using a Wi-Fi profile	215
Configuring PEAP authentication	216
Configure PEAP authentication data for BlackBerry devices using a Wi-Fi profile	216
Prerequisites: Distributing a certificate using the BlackBerry Desktop Manager	217
Distribute a certificate using the BlackBerry Desktop Manager	217
Configure PEAP configuration settings in the Wi-Fi profile on a BlackBerry device	218
Configuring EAP-TLS authentication	219
Configure EAP-TLS authentication data for BlackBerry devices using a Wi-Fi profile	219
Configure EAP-TLS configuration settings in the Wi-Fi profile on a BlackBerry device	220
Configuring EAP-TTLS authentication	220
Configure EAP-TTLS authentication data for BlackBerry devices using a Wi-Fi profile	221
Configure EAP-TTLS configuration settings in the Wi-Fi profile on a BlackBerry device	222
Configuring EAP-FAST authentication	222
Configure EAP-FAST authentication	223
Send EAP-FAST authentication data to a BlackBerry device using a Wi-Fi profile	223
Configure EAP-FAST configuration settings in the Wi-Fi profile on BlackBerry devices	224
Configuring software tokens for BlackBerry devices	225
Prerequisites: Configuring BlackBerry devices for RSA authentication	225
Configure BlackBerry devices for RSA authentication	226
Configure RSA authentication over a Wi-Fi network using a software token	226
Configure RSA authentication over a VPN network using a software token	227
Assign software tokens to a user account	227
Changing the security settings of the BlackBerry Administration Service and BlackBerry Web Desktop Manager	229
Import a new SSL certificate for the BlackBerry Administration Service and BlackBerry Web Desktop Manager	229
Configuring Microsoft Active Directory authentication in an environment that includes a resource forest	230
Change the information for Microsoft Active Directory authentication	231
Configuring single sign-on authentication for the BlackBerry Administration Service and BlackBerry Web Desktop Manager	232
Configure constrained delegation for the Microsoft Active Directory account to support single sign-on authentication	232
Turn on single sign-on authentication for the BlackBerry Administration Service	232
BlackBerry Administration Service web addresses and BlackBerry Web Desktop Manager web addresses that support BlackBerry Administration Service single sign-on	233
Changing password settings for BlackBerry Administration Service authentication	234
Change password settings for BlackBerry Administration Service authentication	234
Regenerate the system credentials for the BlackBerry Administration Service	234
Protecting and redistributing devices	235
Preparing a device for redistribution to a new user	235
Use the BlackBerry Administration Service to delete user data and assign the device to a new user	235
Use the BlackBerry Administration Service to delete user data and remove the BlackBerry Device Software before assigning the device to a new user	235
Deleting only work data from a device	236
Delete only work data from a device	237
Using IT administration commands to protect a lost or stolen device	238
Protect a stolen device	239
Protect a lost device	240
Protect a lost device that a user might not recover	240
Managing administrator accounts	242
Change role permissions	242
Change the roles for an administrator account	242
Delete a role	242
Delete an administrator account	243
Managing groups and user accounts	244
Managing groups	244
Using default groups to manage user accounts and administrator accounts	244
Remove a user account from a group	245
Change the properties of a group	245
Rename a group	245
Delete a group	246
Managing user accounts	246
Move a user account to a different group	246
Move a user account from one BlackBerry Enterprise Server to another	247
Delete a user account from the BlackBerry Enterprise Server	247
Update a user account manually	248
Add an administrator role to a user account	248
Update the contact list manually	248
Resend service books to a BlackBerry device	248
Managing the delivery of BlackBerry Java Applications, BlackBerry Device Software, and device settings to BlackBerry devices	250
Managing the default distribution settings for jobs	250
Change default settings for a job schedule	250
Change how IT policies are sent to BlackBerry devices	251
Change how to install, update, or remove BlackBerry Java Applications	252
Change how to install or update the BlackBerry Device Software	253
Change how the BlackBerry Enterprise Server sends standard application settings to BlackBerry devices	254
Managing the distribution settings for a specific job	255
Specify the start time and priority for a job	256
Change how a job sends IT policies to BlackBerry devices	256
Change how a job sends BlackBerry Java Applications to BlackBerry devices	257
Change how a job sends the BlackBerry Device Software to BlackBerry devices	258
Change how a job sends standard application settings to BlackBerry devices	260
Managing BlackBerry Java Applications on BlackBerry devices	261
Make a BlackBerry Java Application unavailable for installation	261
Remove a BlackBerry Java Application from BlackBerry devices over the wireless network	261
Managing software configurations	262
Remove a software configuration from a group	262
Remove a software configuration from multiple user accounts	262
Remove a software configuration from a user account	263
Delete a software configuration	263
Managing how users access enterprise applications and web content	264
Restricting user access to content on web servers	264
Restrict requests for content on web servers from BlackBerry devices	264
Specify web address patterns	264
Create a pull rule	265
Restrict or permit web addresses and Intranet addresses using a pull rule	265
Assign a pull rule to the members of a group	266
Assign a pull rule to user accounts	267
Restricting user access to media content in the BlackBerry Browser	267
Prevent users from accessing specific media types	267
Configure download limits for media content types	268
Default download limits for media content types	268
Configuring Integrated Windows authentication so that users can access resources on your organization's network	269
Configuring the Microsoft Active Directory account to delegate access	269
Configuring the BlackBerry MDS Connection Service when the messaging server is located in a remote Microsoft Active Directory domain	272
Turn on Integrated Windows authentication so that users can access resources on your organization's network	273
Restricting the push application content that users can receive	274
Restrict push applications from sending data to BlackBerry devices	274
Create push initiators for push applications	274
Turn on push authorization	275
Create a push rule	276
Assign push initiators to a push rule	276
Assign a push rule to the members of a group	276
Assign a push rule to user accounts	277
Encrypt push requests that push applications send to BlackBerry devices	277
Managing push application requests	277
Specify device ports for application-reliable push requests	278
Store push application requests in the BlackBerry Configuration Database	278
Configure the settings for storing push requests in the BlackBerry Configuration Database	279
Configure the maximum number of active connections that a BlackBerry MDS Connection Service can process	279
Configure the maximum number of queued connections that a BlackBerry MDS Connection Service can process	280
Managing organizer data synchronization	281
Managing the wireless backup and recovery of organizer data	281
Turn off the wireless backup of organizer data for a user account	281
Delete organizer data for members of a user group from the BlackBerry Enterprise Server	281
Delete a user's organizer data from a BlackBerry Enterprise Server	282
Turning off organizer data synchronization	282
Turn off organizer data synchronization for all user accounts that are associated with a BlackBerry Enterprise Server	282
Turn off organizer data synchronization for a specific user account	282
Changing how organizer data synchronizes	283
Change the direction of organizer data synchronization for all user accounts on a BlackBerry Enterprise Server	283
Change the direction of organizer data synchronization for a specific user account	283
Change how the BlackBerry Administration Service resolves conflicts during organizer data synchronization for all user accounts on a BlackBerry Enterprise Server	284
Change how the BlackBerry Administration Service resolves conflicts during organizer data synchronization for a specific user account	284
Synchronizing contact pictures	285
Turn off synchronization of contact pictures for a user account	285
Managing your organization's messaging environment and attachment support	286
Managing message forwarding	286
Forward email messages to a BlackBerry device when no filter rules apply	286
Do not deliver email messages to a BlackBerry device when no filter rules apply	286
Forward email messages from inbox subfolders to a BlackBerry device	287
Turn off email message forwarding to user accounts in a group	287
Turn off email message forwarding to a user account	288
Turn off synchronization for email messages sent from a BlackBerry device	288
Turn off email message forwarding when a user connects a BlackBerry device to a computer	289
Managing the incoming message queue	289
Delete email messages for user accounts from the incoming message queue	289
Managing wireless message reconciliation	290
Turn off wireless message reconciliation for a BlackBerry Enterprise Server	290
Turn on reconciliation for email messages that are hard deleted	290
Managing access to remote message data	291
Prevent a user from checking the availability of meeting participants on the BlackBerry device	291
Prevent a user from searching for remote email messages using a device	291
Managing email messages that contain HTML and rich content	292
View whether a user turned on support for email messages that contain HTML and rich content for a BlackBerry device	292
Turn off support for rich text formatting and inline images in email messages for users on a BlackBerry Enterprise Server	293
Turn off support for rich text formatting and inline images in email messages using an IT policy rule	293
Synchronizing folders on the BlackBerry device	294
Control which published public contact folders a user can synchronize to a BlackBerry device	294
Control which personal contact subfolders a user can synchronize to a BlackBerry device	295
Control which personal mail folders a user can synchronize with a BlackBerry device	295
Configuring access to documents on remote file systems	296
Configure the BlackBerry MDS Connection Service to communicate with a remote file system	296
Add communication information to a BlackBerry MDS Connection Service configuration set	297
Assign a BlackBerry MDS Connection Service configuration set to a BlackBerry MDS Connection Service instance	298
Managing signatures and disclaimers in email messages	299
Add a signature to email messages that a user sends from a BlackBerry device	299
Add a disclaimer to email messages that users send from BlackBerry devices	299
Add a disclaimer to email messages that a user sends from a BlackBerry device	300
Specify conflict rules for disclaimers	300
Turn off disclaimers for email messages	300
Monitor email messages that users send from BlackBerry devices	301
Sending notification messages to users	302
Send a notification message to all users in a BlackBerry Domain	302
Send a notification message to all users on a BlackBerry Enterprise Server	302
Send a notification message to group members	302
Send a notification message to a user	303
Change the size of the message state database	303
How the BlackBerry Attachment Connector communicates with BlackBerry Attachment Service instances	303
Change how a BlackBerry Attachment Connector retries sending requests to a BlackBerry Attachment Service	304
Change how a BlackBerry Attachment Connector restores a lost connection to a BlackBerry Attachment Service	305
Attachment file formats that the BlackBerry Attachment Service supports	305
Limitations for supported attachment file formats	306
Changing how a BlackBerry Attachment Service converts attachments	307
Change how a BlackBerry Attachment Service converts attachments	307
Change the maximum file size for attachments that users can receive	309

Match case Limit results 1 per page

Configuring single sign-on authentication for the

BlackBerry Administration Service and BlackBerry Web

Desktop Manager

If you configure the BlackBerry® Administration Service to support Microsoft® Active Directory® authentication, you

can turn on single sign-on authentication. Single sign-on authentication permits you to access the BlackBerry

Administration Service and BlackBerry device users to access the BlackBerry Web Desktop Manager without requiring

that you or the users type a Microsoft Active Directory user name and password. By default, if you log in to the

BlackBerry Administration Service or users log in to the BlackBerry Web Desktop Manager using Microsoft Active

Directory authentication, the browser prompts you or the users to type a Microsoft Active Directory user name and

password. If you turn on single sign-on authentication, and you log in to a computer using a Microsoft Active Directory

account, you can bypass the login screen and access the BlackBerry Administration Service and BlackBerry Web

Desktop Manager directly. The BlackBerry Monitoring Service does not support single sign-on authentication.

Before you turn on single sign-on, you must configure constrained delegation for the Microsoft Active Directory

account for the BlackBerry Administration Service.

Configure constrained delegation for the Microsoft Active Directory

account to support single sign-on authentication

Use the Windows Server® ADSI Edit tool to add the following SPNs for the BlackBerry® Administration Service

pool to the Microsoft® Active Directory® account :

•

HTTP/<

BAS_pool_FQDN

> (for example, HTTP/BASconsole104.example.com)

•

BASPLUGIN111/<

BAS_pool_FQDN

> (for example, BASPLUGIN111/BASconsole104.example.com)

If you create separate pools of BlackBerry Administration Service instances and BlackBerry Web Desktop

Manager instances in the BlackBerry Administration Service pool, add the HTTP/<

BAS_pool_FQDN

> SPN for each

pool to the Microsoft Active Directory account.

Configure the Microsoft Active Directory account for constrained delegation using the following settings:

•

trust this user for delegation to specific services only

•

use Kerberos™ only

In the Microsoft Active Directory account properties, on the

Delegation

tab, add BASPLUGIN111/

BAS_pool_FQDN

> to the list of services.

After you finish:

For more information about configuring constrained delegation for the Microsoft Active Directory

account so you can access the BlackBerry Administration Service, visit

www.blackberry.com/btsc

to read article

KB22717.

Turn on single sign-on authentication for the BlackBerry Administration

Service

In the BlackBerry® Administration Service, on the

Servers and components

menu, expand

BlackBerry Solution

topology

BlackBerry Domain

Component view

Administration Guide

Configuring single sign-on authentication for the BlackBerry Administration Service and BlackBerry

Web Desktop Manager

230