Home » Blackberry Manuals » Computer Software » Blackberry PRD-10459-016 » Manual Viewer

Blackberry PRD-10459-016 User Guide - Page 254

Configuring EAP-TLS authentication

View all Blackberry PRD-10459-016 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 254 highlights

Administration Guide Configuring encryption and authentication methods for Wi-Fi enabled BlackBerry devices 9. If necesssary, in the Server subject field, type the server name in the server certificate, in URL format (for example, server1.domain.com or server1.domain.net). If you leave the field blank, the BlackBerry device skips over it during server authentication. 10. If necesssary, in the Server SAN field, type the alternative name for the server, in URL format (for example, server1.domain.com or server1.domain.net). If you leave the field blank, the BlackBerry device skips over it during server authentication. 11. If your organization uses dynamic IP addresses, verify that the Automatically obtain IP address and DNS option is selected. 12. Verify that the Allow inter-access point handover option is selected. 13. If necesssary, select the Prompt before connection check box. If you do not select the check box, the BlackBerry device connects to an available wireless access point automatically. 14. If necesssary, select the Notify on authentication failure check box. 15. If necesssary, select the VPN profile. Configuring EAP-TLS authentication If your organization implements EAP-TLS authentication, Wi-Fi enabled BlackBerry devices must authenticate to an authentication server so that they can connect to the enterprise Wi-Fi network. EAP-TLS authentication requires that BlackBerry devices trust the authentication server certificate and use a client-side certificate as the supplicant credentials. To trust the authentication server certificate, BlackBerry devices must trust the certificate authority that issued the certificate. A certificate authority that the BlackBerry devices and the authentication server trust mutually must generate the certificate for the authentication server and the certificate for each BlackBerry device. BlackBerry devices that use EAP-TLS authentication require a client certificate and the root certificate for the certificate authority server that created the certificate for the authentication server. You can obtain and install both certificates using the same distribution method. To distribute the certificates to BlackBerry devices, you can use the certificate synchronization tool in the BlackBerry Desktop Manager, or you can enroll the certificate over the wireless network. You must configure a Wi-Fi profile to provide the user name and password for authentication. For more information about how the BlackBerry Enterprise Solution supports EAP-TLS authentication, see the BlackBerry Enterprise Server Security Technical Overview. 254

Section	Page
Overview: BlackBerry Enterprise Server	21
Document revision history	21
Getting started in your BlackBerry Enterprise Server environment	22
Log in to the BlackBerry Administration Service for the first time	26
There is a problem with this website's security certificate	26
This connection is untrusted	27
Creating administrator accounts	29
Administrative roles and permissions	29
Preconfigured administrative roles	29
Creating roles	34
Create a role	34
Create a role based on an existing role	35
Create an administrator account	35
Add an administrator account to a group	36
Specify an email address for the BlackBerry Administration Service	37
Permit an administrator to log in to the BlackBerry Administration Service using a messaging server account	37
Assign a BlackBerry device to an administrator account	38
Using an IT policy to manage BlackBerry Enterprise Solution security	39
Using IT policy rules to manage BlackBerry Enterprise Solution security	39
Preconfigured IT policies	40
Default values for preconfigured IT policies	41
Creating and importing IT policies	44
Create an IT policy	44
Create an IT policy based on an existing IT policy	45
Import IT policy data	45
Import IT policy rules from an IT policy pack	46
Change the value for an IT policy rule	46
Assign an IT policy to a group	47
Assign an IT policy to a user account	47
Sending an IT policy over the wireless network	48
Resend an IT policy to a BlackBerry device manually	48
Resend an IT policy to a BlackBerry device automatically	48
Assigning IT policies and resolving IT policy conflicts	49
Option 1: Applying one IT policy to each user account	50
Reconciliation rules for conflicting IT policies when you apply one IT policy to the user account	50
Change the method that the BlackBerry Enterprise Server uses to resolve conflicting IT policies	51
Rank IT policies	51
Option 2: Applying multiple IT policies to each user account	51
Reconciliation rules for conflicting IT policies when you apply multiple IT policies to a user account	52
Change the method that the BlackBerry Enterprise Server uses to resolve conflicting IT policies	53
Rank IT policies	53
Preview how the BlackBerry Enterprise Server resolves IT policy conflicts	53
View the resolved IT policy rules that are assigned to a user account	54
Deactivating BlackBerry devices that do not have IT policies applied	54
Deactivate BlackBerry devices that do not have IT policies applied	55
Creating new IT policy rules to control third-party applications	55
Create an IT policy rule for a third-party application	55
Change or delete IT policy rules for third-party applications	56
Export all IT policy data to a data file	56
Delete an IT policy	57
Configuring security options	58
Encrypting data that the BlackBerry Enterprise Server and a BlackBerry device send to each other	58
Algorithms that the BlackBerry Enterprise Solution uses to encrypt data	58
Change the symmetric key encryption algorithm that the BlackBerry Enterprise Solution uses	59
Managing device access to the BlackBerry Enterprise Server	59
Turn on the Enterprise Service Policy	60
Configure the Enterprise Service Policy	60
Permit a user to override the Enterprise Service Policy	61
Extending messaging security to a BlackBerry device	61
Extending messaging security using PGP encryption	61
Configure the BlackBerry Enterprise Solution to support PGP encryption	62
Extending messaging security using S/MIME encryption	62
Configure the BlackBerry Enterprise Solution to support S/MIME encryption	63
Configure encryption options for S/MIME-protected messages	63
Turn off support for processing S/MIME-protected messages on the BlackBerry Enterprise Server	64
Enforcing secure messaging using classifications	65
Create a message classification	65
Create a message classification based on an existing message classification	66
Order message classifications	66
Delete a message classification	67
Generating organization-specific encryption keys for PIN-message encryption	67
Generate a PIN encryption key	67
Turn off BlackBerry services that the BlackBerry MDS Connection Service, BlackBerry Collaboration Service, and BlackBerry MVS provide	68
When a BlackBerry device overwrites data in the BlackBerry device memory	68
Changing when a BlackBerry device cleans the BlackBerry device memory	69
Best practice: Configuring additional memory cleaner settings for BlackBerry devices	70
Configuring the BlackBerry Enterprise Server environment	71
Best practice: Running the BlackBerry Enterprise Server	71
Configuring certain BlackBerry Enterprise Server components to use proxy servers	72
Configure a BlackBerry Enterprise Server component to use a .pac file	72
Configure a BlackBerry Enterprise Server component to use a proxy server	73
Configure a BlackBerry Enterprise Server component to authenticate to a proxy server on behalf of BlackBerry devices	74
Configuring the BlackBerry Administration Service to use a proxy server	74
Configuring proxy selection for the BlackBerry Administration Service	75
Configuring manual proxy selection for a BlackBerry Administration Service instance	75
Configure manual proxy selection for the Windows account that runs the BlackBerry Administration Service	75
Configure the BlackBerry Administration Service to use the Web Proxy Autodiscovery Protocol to select a proxy server automatically	76
Turn off Web Proxy Autodiscovery Protocol	76
Configure the BlackBerry Administration Service to use a PAC file to select a proxy server automatically	76
Configuring the BlackBerry Administration Service to authenticate with a proxy server	77
Configure the BlackBerry Administration Service to use HTTP basic authentication	77
Delete credentials for HTTP basic authentication	78
Configuring multiple BlackBerry Enterprise Server instances to use the same BlackBerry Enterprise Server component	79
Configure multiple BlackBerry Enterprise Server instances to use the same BlackBerry MDS Connection Service	79
Configure multiple BlackBerry Enterprise Server instances to use the same BlackBerry Collaboration Service	80
Configuring support for Unicode languages	80
Configure support for Unicode languages	80
Change the character encoding that the BlackBerry Enterprise Server uses to send Unicode messages	81
Configure support for Unicode text in calendars on BlackBerry devices in a Microsoft Exchange environment	82
Configuring user accounts	84
Creating user groups	84
Create a group to manage similar user accounts	84
Add user accounts to a group	84
Adding a user account to the BlackBerry Enterprise Server	85
Add a user account	85
Create a user account that is not in the contact list in the BlackBerry Configuration Database	86
Export a list of user accounts	87
Importing a list of user accounts to a BlackBerry Enterprise Server	87
Fields in a .csv file that contain user account information	88
Import multiple user accounts from a .csv file	89
Create multiple user accounts by importing the user accounts from a .csv file	89
Assigning BlackBerry devices to users	91
Preparing to distribute a BlackBerry device	91
Change how the BlackBerry Enterprise Server downloads a user's existing email messages onto the BlackBerry device	91
Prevent the BlackBerry Enterprise Server from synchronizing existing email messages onto a BlackBerry device	92
Assigning BlackBerry devices to user accounts	92
Option 1: Activate a BlackBerry device using the BlackBerry Administration Service	93
Option 2: Activating a BlackBerry device over the wireless network	94
Save bandwidth by synchronizing organizer data over the LAN	94
Wireless activation	94
Activation passwords	95
Customize the activation password	96
Customize the activation message	96
Send an activation password to a user	96
Send an activation password to multiple users	97
Option 3: Activating BlackBerry devices over the LAN	97
Option 4: Activating BlackBerry devices using the BlackBerry Web Desktop Manager	98
Option 5: Activating BlackBerry devices over an enterprise Wi-Fi network	98
Prerequisites: Configuring a BlackBerry Router for BlackBerry device activations over the enterprise Wi-Fi network	99
Configure a BlackBerry Router to permit BlackBerry device activations over the enterprise Wi-Fi network	99
Activate a Wi-Fi enabled BlackBerry device	100
Configuring BlackBerry Enterprise Server high availability	101
Check the health of a BlackBerry Enterprise Server	101
Availability state and failover status of the BlackBerry Enterprise Server	101
How the BlackBerry Enterprise Server uses health parameters	102
Defining when failover occurs	102
Configuring failover to occur when the standby BlackBerry Enterprise Server is in an acceptable state	103
Configuring failover to occur when the standby BlackBerry Enterprise Server can provide the same services that the primary BlackBerry Enterprise Server can provide	103
Configuring failover to occur when the standby BlackBerry Enterprise Server is in a healther state than the active BlackBerry Enterprise Server	104
Changing the promotion threshold and failover threshold	104
Change the promotion threshold and failover threshold and the order of the health parameters	104
Health parameters for the failover threshold and promotion threshold	105
Changing when automatic failover occurs by customizing the health parameters for user accounts and messaging servers	106
Change when automatic failover occurs by customizing the health parameters for user accounts and messaging servers	107
Prerequisites: Configuring the BlackBerry Enterprise Server pair to fail over automatically	108
Configure the BlackBerry Enterprise Server to fail over automatically	108
Monitoring the BlackBerry Enterprise Server for an automatic failover event	109
Use the BlackBerry Administration Service to find the time and reason for the last automatic failover event	109
Fail over the BlackBerry Enterprise Server manually using the BlackBerry Administration Service	109
Fail over the BlackBerry Enterprise Server manually using the BlackBerry Configuration Panel	110
Configuring high availability for BlackBerry Enterprise Server components	111
Creating a BlackBerry MDS Connection Service pool for high availability	111
Create a BlackBerry MDS Connection Service pool for high availability	111
Configure the BlackBerry MDS Connection Service and BlackBerry Collaboration Service to fail over automatically	112
Create a BlackBerry Collaboration Service pool for high availability	113
Create a BlackBerry Attachment Service pool for high availability	114
You cannot determine the BlackBerry Attachment Connector that the BlackBerry Enterprise Server or the BlackBerry MDS Connection Service uses	115
Create a BlackBerry Router pool for high availability	116
Permit a BlackBerry Enterprise Server to connect to a remote BlackBerry Router	117
Creating a BlackBerry Administration Service pool that includes the BlackBerry Web Desktop Manager using DNS round robin	118
Configure the BlackBerry Administration Service instances in a pool to communicate across network subnets	119
Changing the name of the BlackBerry Administration Service pool	119
Change the name of the BlackBerry Administration Service pool	120
Fail over the BlackBerry MDS Connection Service or BlackBerry Collaboration Service manually	120
Monitoring the high availability status or job deployment status using the BlackBerry Administration Service	121
Monitor the high availability status or job deployment status using the BlackBerry Administration Service	122
Remove a BlackBerry MDS Connection Service instance from a pool	122
Remove a BlackBerry Collaboration Service instance from a pool	123
Remove a BlackBerry Attachment Service instance from a pool	123
Remove a BlackBerry Router instance from a pool	124
Configuring BlackBerry Configuration Database high availability	125
Prerequisites: Configuring database mirroring or database replication of the BlackBerry Configuration Database	125
Configuring database mirroring	126
Stop the BlackBerry Enterprise Server instances	126
Configure database mirroring for the BlackBerry Configuration Database	127
Start the BlackBerry Enterprise Server instances	127
Configure the BlackBerry Enterprise Solution to support database mirroring	128
Resend the database mirroring parameters to BlackBerry Enterprise Server components	129
Configuring the BlackBerry Configuration Database for one-way transactional replication in an environment that includes Microsoft SQL Server 2005 or 2008	130
Stop the BlackBerry Enterprise Server instances	130
Create the replicated BlackBerry Configuration Database from a backup	130
Permit access to the BlackBerry Configuration Database instances	131
Configure the publication for the BlackBerry Configuration Database	131
Increase the maximum data size for transactional replication	132
Prepare the database server that hosts the replicated BlackBerry Configuration Database and configure the subscription	133
Start the BlackBerry Enterprise Server instances	134
Reacting if the BlackBerry Configuration Database that you configured for transactional replication stops responding	134
Return to the BlackBerry Configuration Database when you configured transactional replication	135
Configuring a new mirror BlackBerry Configuration Database	135
Sending software and BlackBerry Java Applications to BlackBerry devices	136
Managing BlackBerry Java Applications and BlackBerry Device Software	136
Developing BlackBerry Java Applications for BlackBerry devices	137
Preparing to distribute BlackBerry Java Applications	137
Specify a shared network folder for BlackBerry Java Applications	138
Add a BlackBerry Java Application to the application repository	139
Add a collaboration client to the application repository	139
Specify keywords for a BlackBerry Java Application	140
Configuring application control policies	140
Standard application control policies	140
Change a standard application control policy	141
Create custom application control policies for a BlackBerry Java Application	141
IT policy rules take precedence on smartphones	143
Application control policies for unlisted applications	143
Change the standard application control policy for unlisted applications that are optional	143
Create an application control policy for unlisted applications	144
Configure the priority of application control policies for unlisted applications	144
Creating software configurations	145
Create a software configuration	146
Add a BlackBerry Java Application to a software configuration	146
Assign a software configuration to a group	147
Assign a software configuration to multiple user accounts	148
Assign a software configuration to a user account	148
Install BlackBerry Java Applications on a BlackBerry device at a central computer	149
View the status of a job	150
View the status of a task	150
Error messages: BlackBerry Java Application tasks	150
Error messages: BlackBerry Device Software tasks	153
Error messages: Standard application settings tasks	156
Error messages: IT policy tasks	157
Stopping a job that is running	158
Stop a job that is running	159
View the users that have a BlackBerry Java Application installed on their BlackBerry devices	159
View how the BlackBerry Administration Service resolved software configuration conflicts for a user account	160
Reconciliation rules for conflicting settings in software configurations	161
Reconciliation rules: BlackBerry Java Applications	162
Reconciliation rules: BlackBerry Device Software	164
Reconciliation rules: Standard application settings	165
Reconciliation rules: Application control policies	166
Reconciliation rules: Application control policies for unlisted applications	166
Alternative methods for installing BlackBerry Java Applications on BlackBerry devices	168
Installing BlackBerry Java Applications on BlackBerry devices without using the BlackBerry Administration Service	168
Developing BlackBerry Java Applications for BlackBerry devices	168
Methods you can use to install BlackBerry Java Applications on BlackBerry devices	169
Installing BlackBerry Java Applications using the BlackBerry Desktop Software	170
Prerequisites: Installing BlackBerry Java Applications using the BlackBerry Desktop Software	170
Make the BlackBerry Java Application available to the BlackBerry Desktop Software	171
Install the BlackBerry Java Application using the BlackBerry Desktop Software	171
Installing BlackBerry Java Applications using the BlackBerry Application Web Loader	172
Prerequisites: Installing BlackBerry Java Applications using the BlackBerry Application Web Loader	172
Enable the BlackBerry Application Web Loader on a web server	173
Install the BlackBerry Java Application using the BlackBerry Application Web Loader	174
Installing BlackBerry Java Applications using the standalone application loader tool	174
Prerequisites: Installing BlackBerry Java Applications using the standalone application loader tool	175
Add BlackBerry Java Application files to a shared network folder	176
Share the Research In Motion folder that contains the BlackBerry Java Application	176
Configure the standalone application loader tool to install the BlackBerry Java Application in automated mode	177
Install the BlackBerry Java Application using the standalone application loader tool	177
Installing BlackBerry Java Applications using a web browser on BlackBerry devices	178
Prerequisites: Installing BlackBerry Java Applications using a web browser on BlackBerry devices	178
Install the BlackBerry Java Application on a web server	179
Install the BlackBerry Java Application using a web browser on the BlackBerry device	179
Configuring how users access enterprise applications and web content	180
Specifying a BlackBerry MDS Connection Service as a central push server	180
Specify a BlackBerry MDS Connection Service as a central push server	181
Configuring how BlackBerry devices authenticate to content servers	181
Configure how BlackBerry devices authenticate to content servers	181
Configure the BlackBerry MDS Connection Service to authenticate BlackBerry devices to content servers that use NTLM	182
Configure the BlackBerry MDS Connection Service to authenticate BlackBerry devices to content servers that use Kerberos	183
Configure the BlackBerry MDS Connection Service to authenticate BlackBerry devices to content servers that use LTPA	183
Configuring the BlackBerry MDS Connection Service to authenticate devices to the RSA Authentication Manager	184
Prerequisites: Configuring the BlackBerry MDS Connection Service to support RSA authentication when the BlackBerry MDS Connection Service runs on Windows Server 2008	184
Configure the BlackBerry MDS Connection Service to support RSA authentication when the BlackBerry MDS Connection Service runs on Windows Server 2008	184
Configure the BlackBerry MDS Connection Service to authenticate devices to the RSA Authentication Manager	185
Configuring how the BlackBerry MDS Connection Service manages requests for web content	186
Configure the BlackBerry MDS Connection Service to manage HTTP cookie storage	186
Configure the timeout limit for HTTP connections with BlackBerry devices	187
Configure the timeout limit for HTTP connections with web servers	187
Configure the maximum number of times that the BlackBerry Browser accepts HTTP redirections	188
Permitting push applications to make trusted connections to a BlackBerry MDS Connection Service	188
Create a key store to store certificates for use with HTTPS connections	189
Add a certificate for the BlackBerry MDS Connection Service	189
Export the BlackBerry MDS Connection Service certificate to make it available to push applications	190
Import the BlackBerry MDS Connection Service certificate to the key store of a push application	190
Permit push applications to select the transport protocol for PAP requests	191
Configuring a BlackBerry MDS Connection Service to trust web servers	191
Specify whether the BlackBerry MDS Connection Service requires trusted HTTPS connections from web servers	192
Specify whether the BlackBerry MDS Connection Service requires trusted TLS connections from web servers	192
Configuring certificate server information for the BlackBerry MDS Connection Service	193
Configure the LDAP servers that the BlackBerry MDS Connection Service uses to retrieve certificates	194
LDAP server settings	195
Configure the BlackBerry MDS Connection Service to use DSML to retrieve certificates	195
Configure the OCSP servers that the BlackBerry MDS Connection Service uses to retrieve the status of certificates	196
Configure the CRL servers that the BlackBerry MDS Connection Service uses to retrieve the status of certificates	197
Add communication information to a BlackBerry MDS Connection Service configuration set	198
Assign a BlackBerry MDS Connection Service configuration set to a BlackBerry MDS Connection Service instance	199
Add a retrieved certificate for a web server to the key store	200
Permitting users to access intranet sites on BlackBerry devices using global login information	200
Configure global login information for intranet site access	201
Configuring how the BlackBerry MDS Connection Service connects to BlackBerry devices	201
Specify the maximum amount of data that a BlackBerry MDS Connection Service can send to BlackBerry devices	201
Specify the pending content timeout limit for a BlackBerry MDS Connection Service	202
Permit Java applications to use scalable socket connections with a BlackBerry MDS Connection Service	202
Specify the thread pool size of a BlackBerry MDS Connection Service	202
Specify the maximum number of scalable socket connections	203
Prevent the BlackBerry MDS Connection Service from using scalable HTTP	203
Specify the port number that the web server listens on for push application requests	204
Specify how often a BlackBerry MDS Connection Service polls for configuration information	205
Setting up the messaging environment	206
Creating email message filters	206
Create an email message filter that applies to all user accounts on a BlackBerry Enterprise Server	206
Turn on an email message filter that applies to all user accounts on a BlackBerry Enterprise Server	207
Create an email message filter that applies to a specific user account	207
Turn on an email message filter that applies to a specific user account	208
Copying existing email message filters to another BlackBerry Enterprise Server	209
Export email message filters for a BlackBerry Enterprise Server	209
Import email message filters for a BlackBerry Enterprise Server	209
Copying existing email message filters to user accounts	210
Export email message filters for a user account	210
Import email message filters for a user account	210
Extension plug-ins for processing messages	211
Install an extension plug-in application	211
Add an extension plug-in to a BlackBerry Messaging Agent	212
Change how a BlackBerry Messaging Agent uses extension plug-ins	213
Mapping contact information fields for synchronization and contact lookups	214
Map a contact information field in an email application to contact list fields on BlackBerry devices	214
Map a contact list field in an email application to a contact list field on a BlackBerry device	214
Map a contact information field in an email application to contact list fields on BlackBerry devices	215
Map a contact list field in an email application to a contact list field on a BlackBerry device	215
Configuring BlackBerry devices to enroll certificates over the wireless network	217
Configure the certificate information using IT policies	217
Configure the BlackBerry MDS Connection Service to connect to the certificate authority	218
Add communication information to a BlackBerry MDS Connection Service configuration set	219
Assign a BlackBerry MDS Connection Service configuration set to a BlackBerry MDS Connection Service instance	220
Add certificate information to a Wi-Fi profile	221
Managing an enrolled certificate	221
Change the polling interval, logging, and pool size for the BlackBerry MDS Connection Service connection to the certificate authority	222
Properties in the rimpublic.properties file	223
Making the BlackBerry Web Desktop Manager available to users	224
Installing the client components of the BlackBerry Web Desktop Manager on users' computers	224
Publish the client files for the BlackBerry Web Desktop Manager in a Windows GPO for Windows XP	225
Publish the client files for the BlackBerry Web Desktop Manager in a Windows GPO for Windows Vista	226
Configure the Microsoft ActiveX Installer on Windows Vista	227
Configure users' computers to install the client file for the BlackBerry Web Desktop Manager automatically	227
Make the BlackBerry Web Desktop Manager available to users	229
Configuring the BlackBerry Web Desktop Manager	230
Permit users to perform administrative tasks using the BlackBerry Web Desktop Manager	230
Permit users to activate devices using the BlackBerry Web Desktop Manager	231
Permit users to back up and restore data using the BlackBerry Web Desktop Manager	231
Configure the domains for backing up data using the BlackBerry Web Desktop Manager	232
Change the text colors in the BlackBerry Web Desktop Manager	232
BlackBerry Web Desktop Manager text colors	233
Display a custom image in the BlackBerry Web Desktop Manager	234
Display the domain name on the login page of the BlackBerry Web Desktop Manager	234
Creating and configuring Wi-Fi profiles and VPN profiles	235
Creating and configuring Wi-Fi profiles	235
Prerequisites: Creating Wi-Fi profiles and VPN profiles	235
Connection types and port numbers for a Wi-Fi network	236
Create a Wi-Fi profile	237
Create a Wi-Fi profile based on an existing Wi-Fi profile	237
Configure a Wi-Fi profile on a BlackBerry device	238
Assign a Wi-Fi profile to a group	238
Assign a Wi-Fi profile to a user account	238
Configure a Wi-Fi profile	239
Creating and configuring VPN profiles	239
Create a VPN profile	240
Create a VPN profile based on an existing VPN profile	240
Configure a VPN profile	240
Assign a VPN profile to a group	241
Assign a VPN profile to a user account	241
Associate a VPN profile with a Wi-Fi profile	242
Delete a Wi-Fi profile	242
Delete a VPN profile	243
Importing profile information from a .csv file	243
Best practices: Creating a .csv file that contains profile information that you want to import	243
Create a .csv file that contains profile information that you want to import	244
Fields in the .csv file that contains profile information	245
Import profile information from a .csv file	246
Configuring encryption and authentication methods for Wi-Fi enabled BlackBerry devices	247
Configuring WEP encryption	247
Configure WEP keys for BlackBerry devices using a Wi-Fi profile	247
Configuring PSK encryption	248
Configure PSK encryption data for BlackBerry devices using a Wi-Fi profile	249
Configuring LEAP authentication	249
Configure LEAP authentication data for BlackBerry devices using a Wi-Fi profile	250
Configuring PEAP authentication	250
Configure PEAP authentication data for BlackBerry devices using a Wi-Fi profile	251
Prerequisites: Distributing a certificate using the BlackBerry Desktop Manager	252
Distribute a certificate using the BlackBerry Desktop Manager	252
Users cannot find the certificate synchronization tool in the BlackBerry Desktop Manager	253
Configure PEAP configuration settings in the Wi-Fi profile on a BlackBerry device	253
Configuring EAP-TLS authentication	254
Configure EAP-TLS authentication data for BlackBerry devices using a Wi-Fi profile	255
Configure EAP-TLS configuration settings in the Wi-Fi profile on a BlackBerry device	256
Configuring EAP-TTLS authentication	256
Configure EAP-TTLS authentication data for BlackBerry devices using a Wi-Fi profile	257
Configure EAP-TTLS configuration settings in the Wi-Fi profile on a BlackBerry device	258
Configuring EAP-FAST authentication	259
Configure EAP-FAST authentication	259
Send EAP-FAST authentication data to a BlackBerry device using a Wi-Fi profile	260
Configure EAP-FAST configuration settings in the Wi-Fi profile on BlackBerry devices	261
Configuring software tokens for BlackBerry devices	262
Prerequisites: Configuring BlackBerry devices for RSA authentication	262
Configure BlackBerry devices for RSA authentication	263
Configure RSA authentication over a Wi-Fi network using a software token	264
Configure RSA authentication over a VPN network using a software token	264
Assign software tokens to a user account	265
Changing the security settings of the BlackBerry Administration Service and BlackBerry Web Desktop Manager	266
Import a new SSL certificate for the BlackBerry Administration Service and BlackBerry Web Desktop Manager	266
Configuring Microsoft Active Directory authentication in an environment that includes a resource forest	267
Change the information for Microsoft Active Directory authentication	268
Configuring single sign-on authentication for the BlackBerry Administration Service and BlackBerry Web Desktop Manager	269
Configure constrained delegation for the Microsoft Active Directory account to support single sign-on authentication	270
Turn on single sign-on authentication for the BlackBerry Administration Service	270
BlackBerry Administration Service web addresses and BlackBerry Web Desktop Manager web addresses that support BlackBerry Administration Service single sign-on	271
Changing password settings for BlackBerry Administration Service authentication	272
Change password settings for BlackBerry Administration Service authentication	272
Regenerate the system credentials for the BlackBerry Administration Service	273
Protecting and redistributing devices	274
Preparing a device for redistribution to a new user	274
Use the BlackBerry Administration Service to delete user data and assign the device to a new user	274
Use the BlackBerry Administration Service to delete device data and disable the device before assigning the device to a new user	275
Deleting only work data from a device	275
Delete only work data from a device	277
Using IT administration commands to protect a lost or stolen device	278
Protect a stolen device	279
Protect a lost device	279
Protect a lost device that a user might not recover	280
Managing administrator accounts	282
Change role permissions	282
Change the roles for an administrator account	282
Delete a role	283
Delete an administrator account	283
Managing groups and user accounts	285
Managing groups	285
Using default groups to manage user accounts and administrator accounts	285
Remove a user account from a group	286
Change the properties of a group	287
Rename a group	287
Delete a group	287
Managing user accounts	288
Move a user account to a different group	288
Move a user account from one BlackBerry Enterprise Server to another	289
Delete a user account from the BlackBerry Enterprise Server	289
Update a user account manually	290
Add an administrator role to a user account	290
Update the contact list manually	290
Resend service books to a BlackBerry device	291
Managing the delivery of BlackBerry Java Applications, BlackBerry Device Software, and device settings to BlackBerry devices	292
Managing the default distribution settings for jobs	292
Change default settings for a job schedule	292
Change how IT policies are sent to BlackBerry devices	293
Change how to install, update, or remove BlackBerry Java Applications	294
Change how to install or update the BlackBerry Device Software	296
Change how the BlackBerry Enterprise Server sends standard application settings to BlackBerry devices	297
Managing the distribution settings for a specific job	298
Specify the start time and priority for a job	299
Change how a job sends IT policies to BlackBerry devices	299
Change how a job sends BlackBerry Java Applications to BlackBerry devices	300
Change how a job sends the BlackBerry Device Software to BlackBerry devices	302
Change how a job sends standard application settings to BlackBerry devices	303
Managing BlackBerry Java Applications on BlackBerry devices	304
Make a BlackBerry Java Application unavailable for installation	304
Remove a BlackBerry Java Application from BlackBerry devices over the wireless network	305
Managing software configurations	306
Remove a software configuration from a group	306
Remove a software configuration from multiple user accounts	306
Remove a software configuration from a user account	307
Delete a software configuration	307
Managing how users access enterprise applications and web content	308
Restricting user access to content on web servers	308
Restrict requests for content on web servers from BlackBerry devices	308
Specify web address patterns	309
Create a pull rule	309
Restrict or permit web addresses and Intranet addresses using a pull rule	310
Assign a pull rule to the members of a group	311
Assign a pull rule to user accounts	311
Restricting user access to media content in the BlackBerry Browser	312
Prevent users from accessing specific media types	312
Configure download limits for media content types	312
Default download limits for media content types	313
Configuring Integrated Windows authentication so that users can access resources on your organization's network	314
Configuring the Microsoft Active Directory account to delegate access	315
Prerequisites: Configuring the Microsoft Active Directory account to delegate access to an intranet site	315
Configure the Microsoft Active Directory account to delegate access to an intranet site	315
Prerequisites: Configuring the Microsoft Active Directory account to delegate access to a shared folder	316
Configure the Microsoft Active Directory account to delegate access to a shared folder	317
Configuring the BlackBerry MDS Connection Service when the messaging server is located in a remote Microsoft Active Directory domain	317
Configure the BlackBerry MDS Connection Service when the messaging server is located in a remote Microsoft Active Directory domain	318
Turn on Integrated Windows authentication so that users can access resources on your organization's network	318
Restricting the push application content that users can receive	320
Restrict push applications from sending data to BlackBerry devices	320
Create push initiators for push applications	320
Turn on push authorization	321
Create a push rule	322
Assign push initiators to a push rule	322
Assign a push rule to the members of a group	323
Assign a push rule to user accounts	323
Encrypt push requests that push applications send to BlackBerry devices	324
Managing push application requests	324
Specify device ports for application-reliable push requests	324
Store push application requests in the BlackBerry Configuration Database	325
Configure the settings for storing push requests in the BlackBerry Configuration Database	326
Configure the maximum number of active connections that a BlackBerry MDS Connection Service can process	326
Configure the maximum number of queued connections that a BlackBerry MDS Connection Service can process	327
Managing organizer data synchronization	328
Managing the wireless backup and recovery of organizer data	328
Turn off the wireless backup of organizer data for a user account	328
Delete organizer data for members of a user group from the BlackBerry Enterprise Server	329
Delete a user's organizer data from a BlackBerry Enterprise Server	329
Turning off organizer data synchronization	329

Match case Limit results 1 per page

If necesssary, in the

Server subject

field, type the server name in the server certificate, in URL format (for example,

server1.domain.com or server1.domain.net). If you leave the field blank, the BlackBerry device skips over it during

server authentication.

10.

If necesssary, in the

Server SAN

field, type the alternative name for the server, in URL format (for example,

server1.domain.com or server1.domain.net). If you leave the field blank, the BlackBerry device skips over it during

server authentication.

11.

If your organization uses dynamic IP addresses, verify that the

Automatically obtain IP address and DNS

option is

selected.

12.

Verify that the

Allow inter-access point handover

option is selected.

13.

If necesssary, select the

Prompt before connection

check box. If you do not select the check box, the BlackBerry

device connects to an available wireless access point automatically.

14.

If necesssary, select the

Notify on authentication failure

check box.

15.

If necesssary, select the VPN profile.

Configuring EAP-TLS authentication

If your organization implements EAP-TLS authentication, Wi-Fi enabled BlackBerry devices must authenticate to an

authentication server so that they can connect to the enterprise Wi-Fi network.

EAP-TLS authentication requires that BlackBerry devices trust the authentication server certificate and use a client-side

certificate as the supplicant credentials. To trust the authentication server certificate, BlackBerry devices must trust the

certificate authority that issued the certificate. A certificate authority that the BlackBerry devices and the authentication

server trust mutually must generate the certificate for the authentication server and the certificate for each BlackBerry

device.

BlackBerry devices that use EAP-TLS authentication require a client certificate and the root certificate for the certificate

authority server that created the certificate for the authentication server. You can obtain and install both certificates using

the same distribution method.

To distribute the certificates to BlackBerry devices, you can use the certificate synchronization tool in the BlackBerry

Desktop Manager, or you can enroll the certificate over the wireless network. You must configure a Wi-Fi profile to provide

the user name and password for authentication.

For more information about how the BlackBerry Enterprise Solution supports EAP-TLS authentication, see the

BlackBerry

Enterprise Server Security Technical Overview

Administration Guide

Configuring encryption and authentication methods for Wi-Fi enabled BlackBerry devices

254