BlackBerry Enterprise Server Express for IBM Lotus Domino Administration Guide

BlackBerry Enterprise Server Express for IBM Lotus Domino Administration Guide
BlackBerry Enterprise Server
Express for IBM Lotus Domino
Version: 5.0 | Service Pack: 3
Administration Guide
Published: 2011-05-05
SWDT487521-1601381-0505023455-001
Contents
1 Overview: BlackBerry Enterprise Server Express..............................................................................................
Getting started in your BlackBerry Enterprise Server Express environment....................................................
17
17
2 Log in to the BlackBerry Administration Service for the first time...................................................................
There is a problem with this website's security certificate...............................................................................
This connection is untrusted.............................................................................................................................
20
20
21
3 Creating administrator accounts......................................................................................................................
Administrative roles and permissions...............................................................................................................
Preconfigured administrative roles...........................................................................................................
Create an administrator account......................................................................................................................
Add an administrator account to a group.........................................................................................................
Specify an email address for the BlackBerry Administration Service...............................................................
Permit an administrator to log in to the BlackBerry Administration Service using a messaging server
account.............................................................................................................................................................
Assign a BlackBerry device to an administrator account..................................................................................
22
22
22
26
26
27
4 Using an IT policy to manage BlackBerry Enterprise Solution security.............................................................
Using IT policy rules to manage BlackBerry Enterprise Solution security.........................................................
Default IT policy................................................................................................................................................
Creating IT policies............................................................................................................................................
Create an IT policy.....................................................................................................................................
Create an IT policy based on an existing IT policy.....................................................................................
Change the value for an IT policy rule..............................................................................................................
Assign an IT policy to a group...........................................................................................................................
Assign an IT policy to a user account................................................................................................................
Sending an IT policy over the wireless network...............................................................................................
Resend an IT policy to a BlackBerry device manually................................................................................
Resend an IT policy to a BlackBerry device automatically.........................................................................
Assigning IT policies and resolving IT policy conflicts.......................................................................................
Option 1: Applying one IT policy to each user account.............................................................................
Option 2: Applying multiple IT policies to each user account...................................................................
View the resolved IT policy rules that are assigned to a user account......................................................
Deactivating BlackBerry devices that do not have IT policies applied..............................................................
Deactivate BlackBerry devices that do not have IT policies applied..........................................................
Creating new IT policy rules to control third-party applications......................................................................
Create an IT policy rule for a third-party application................................................................................
Change or delete IT policy rules for third-party applications....................................................................
29
29
30
30
30
30
31
31
31
32
32
32
33
33
35
38
38
38
39
39
39
27
27
Delete an IT policy............................................................................................................................................
39
5 Configuring security options.............................................................................................................................
Encrypting data that the BlackBerry Enterprise Server Express and a BlackBerry device send to each other.
Algorithms that the BlackBerry Enterprise Solution uses to encrypt data................................................
Change the symmetric key encryption algorithm that the BlackBerry Enterprise Solution uses..............
Managing BlackBerry device access to the BlackBerry Enterprise Server Express...........................................
Turn on the Enterprise Service Policy........................................................................................................
Configure the Enterprise Service Policy.....................................................................................................
Permit a user to override the Enterprise Service Policy............................................................................
Extending messaging security to a BlackBerry device......................................................................................
Extending messaging security using PGP encryption................................................................................
Extending messaging security using S/MIME encryption..........................................................................
Extending messaging security using IBM Lotus Notes encryption............................................................
Generating organization-specific encryption keys for PIN-message encryption..............................................
Generate a PIN encryption key..................................................................................................................
Turn off BlackBerry services that the BlackBerry MDS Connection Service provides.......................................
41
41
41
41
42
42
43
43
43
44
44
46
48
48
48
6 Configuring the BlackBerry Enterprise Server Express environment................................................................
Best practice: Running the BlackBerry Enterprise Server Express....................................................................
Configuring the BlackBerry MDS Connection Service to use a proxy server....................................................
Configure the BlackBerry MDS Connection Service to use a .pac file........................................................
Configure the BlackBerry MDS Connection Service to use a proxy server................................................
Configure the BlackBerry MDS Connection Service to authenticate to a proxy server on behalf of
BlackBerry devices.....................................................................................................................................
Configuring the BlackBerry Administration Service to use a proxy server.......................................................
Configuring proxy selection for the BlackBerry Administration Service....................................................
Configuring the BlackBerry Administration Service to authenticate with a proxy server.........................
Configuring multiple BlackBerry Enterprise Server Express instances to use the same BlackBerry MDS
Connection Service...........................................................................................................................................
Configure multiple BlackBerry Enterprise Server Express instances to use the same BlackBerry MDS
Connection Service....................................................................................................................................
50
50
51
51
51
7 Configuring user accounts................................................................................................................................
Creating user groups.........................................................................................................................................
Create a group to manage similar user accounts......................................................................................
Add user accounts to a group....................................................................................................................
Adding a user account to the BlackBerry Enterprise Server Express................................................................
Add a user account....................................................................................................................................
58
58
58
58
59
59
52
53
53
55
57
57
Create a user account that is not in the contact list in the BlackBerry Configuration Database...............
Export a list of user accounts.....................................................................................................................
Importing a list of user accounts to a BlackBerry Enterprise Server Express............................................
60
61
61
8 Assigning BlackBerry devices to users..............................................................................................................
Preparing to distribute a BlackBerry device......................................................................................................
Change how the BlackBerry Enterprise Server Express downloads a user's existing email messages
onto the BlackBerry device........................................................................................................................
Prevent the BlackBerry Enterprise Server Express from synchronizing existing email messages onto a
BlackBerry device......................................................................................................................................
Identify whether a BlackBerry device is associated with the BlackBerry Internet Service...............................
Assigning BlackBerry devices to user accounts.................................................................................................
Option 1: Activate a BlackBerry device using the BlackBerry Administration Service...............................
Option 2: Activating a BlackBerry device over the wireless network........................................................
Option 3: Activating BlackBerry devices over the LAN..............................................................................
Option 4: Activating BlackBerry devices using the BlackBerry Web Desktop Manager............................
Option 5: Activating BlackBerry devices over an enterprise Wi-Fi network..............................................
64
64
9 Sending software and BlackBerry Java Applications to BlackBerry devices......................................................
Managing BlackBerry Java Applications and BlackBerry Device Software........................................................
Developing BlackBerry Java Applications for BlackBerry devices.....................................................................
Preparing to distribute BlackBerry Java Applications.......................................................................................
Specify a shared network folder for BlackBerry Java Applications............................................................
Add a BlackBerry Java Application to the application repository..............................................................
Specify keywords for a BlackBerry Java Application..................................................................................
Configuring application control policies...........................................................................................................
Standard application control policies........................................................................................................
Change a standard application control policy...........................................................................................
Create custom application control policies for a BlackBerry Java Application..........................................
IT policy rules take precedence on the device...........................................................................................
Application control policies for unlisted applications.......................................................................................
Change the standard application control policy for unlisted applications that are optional....................
Create an application control policy for unlisted applications..................................................................
Configure the priority of application control policies for unlisted applications........................................
Creating software configurations.....................................................................................................................
Create a software configuration................................................................................................................
Add a BlackBerry Java Application to a software configuration................................................................
Assign a software configuration to a group...............................................................................................
Assign a software configuration to multiple user accounts......................................................................
74
74
75
75
76
76
77
77
77
78
78
79
80
80
80
81
81
82
83
83
84
64
64
65
65
66
67
70
71
71
Assign a software configuration to a user account................................................................................... 84
Install BlackBerry Java Applications on a BlackBerry device at a central computer......................................... 85
View the status of a job.................................................................................................................................... 85
View the status of a task............................................................................................................................ 86
Stopping a job that is running........................................................................................................................... 94
Stop a job that is running.......................................................................................................................... 94
View the users that have a BlackBerry Java Application installed on their BlackBerry devices........................ 95
View how the BlackBerry Administration Service resolved software configuration conflicts for a user
account............................................................................................................................................................. 95
Reconciliation rules for conflicting settings in software configurations........................................................... 96
Reconciliation rules: BlackBerry Java Applications.................................................................................... 97
Reconciliation rules: BlackBerry Device Software..................................................................................... 99
Reconciliation rules: Standard application settings................................................................................... 100
Reconciliation rules: Application control policies...................................................................................... 101
Reconciliation rules: Application control policies for unlisted applications.............................................. 101
10 Alternative methods for installing BlackBerry Java Applications on BlackBerry devices..................................
Installing BlackBerry Java Applications on BlackBerry devices without using the BlackBerry Administration
Service...............................................................................................................................................................
Developing BlackBerry Java Applications for BlackBerry devices.....................................................................
Methods you can use to install BlackBerry Java Applications on BlackBerry devices.......................................
Installing BlackBerry Java Applications using the BlackBerry Desktop Software..............................................
Prerequisites: Installing BlackBerry Java Applications using the BlackBerry Desktop Software................
Make the BlackBerry Java Application available to the BlackBerry Desktop Software.............................
Install the BlackBerry Java Application using the BlackBerry Desktop Software.......................................
Installing BlackBerry Java Applications using the BlackBerry Application Web Loader....................................
Prerequisites: Installing BlackBerry Java Applications using the BlackBerry Application Web Loader......
Enable the BlackBerry Application Web Loader on a web server..............................................................
Install the BlackBerry Java Application using the BlackBerry Application Web Loader.............................
Installing BlackBerry Java Applications using the standalone application loader tool.....................................
Prerequisites: Installing BlackBerry Java Applications using the standalone application loader tool.......
Add BlackBerry Java Application files to a shared network folder............................................................
Share the Research In Motion folder that contains the BlackBerry Java Application...............................
Configure the standalone application loader tool to install the BlackBerry Java Application in
automated mode.......................................................................................................................................
Install the BlackBerry Java Application using the standalone application loader tool..............................
Installing BlackBerry Java Applications using a web browser on BlackBerry devices.......................................
Prerequisites: Installing BlackBerry Java Applications using a web browser on BlackBerry devices.........
Install the BlackBerry Java Application on a web server...........................................................................
103
103
103
103
104
105
105
106
106
106
107
108
108
109
109
110
110
110
111
111
112
Install the BlackBerry Java Application using a web browser on the BlackBerry device........................... 112
11 Configuring how users access enterprise applications and web content.........................................................
Specifying a BlackBerry MDS Connection Service as a central push server......................................................
Specify a BlackBerry MDS Connection Service as a central push server...................................................
Configuring how BlackBerry devices authenticate to content servers.............................................................
Configure how BlackBerry devices authenticate to content servers.........................................................
Configure the BlackBerry MDS Connection Service to authenticate BlackBerry devices to content
servers that use NTLM...............................................................................................................................
Configure the BlackBerry MDS Connection Service to authenticate BlackBerry devices to content
servers that use Kerberos..........................................................................................................................
Configure the BlackBerry MDS Connection Service to authenticate BlackBerry devices to content
servers that use LTPA................................................................................................................................
Configuring the BlackBerry MDS Connection Service to authenticate devices to the RSA
Authentication Manager...........................................................................................................................
Configuring how the BlackBerry MDS Connection Service manages requests for web content......................
Configure the BlackBerry MDS Connection Service to manage HTTP cookie storage...............................
Configure the timeout limit for HTTP connections with BlackBerry devices.............................................
Configure the timeout limit for HTTP connections with web servers.......................................................
Configure the maximum number of times that the BlackBerry Browser accepts HTTP redirections........
Permitting push applications to make trusted connections to a BlackBerry MDS Connection Service............
Create a key store to store certificates for use with HTTPS connections..................................................
Add a certificate for the BlackBerry MDS Connection Service..................................................................
Export the BlackBerry MDS Connection Service certificate to make it available to push applications.....
Import the BlackBerry MDS Connection Service certificate to the key store of a push application.........
Configuring a BlackBerry MDS Connection Service to trust web servers.........................................................
Specify whether the BlackBerry MDS Connection Service requires trusted HTTPS connections from
web servers................................................................................................................................................
Specify whether the BlackBerry MDS Connection Service requires trusted TLS connections from web
servers.......................................................................................................................................................
Configuring certificate server information for the BlackBerry MDS Connection Service..........................
Add a retrieved certificate for a web server to the key store...................................................................
Permitting users to access intranet sites on BlackBerry devices using global login information.....................
Configure global login information for intranet site access......................................................................
Configuring how the BlackBerry MDS Connection Service connects to BlackBerry devices.............................
Specify the maximum amount of data that a BlackBerry MDS Connection Service can send to
BlackBerry devices.....................................................................................................................................
Specify the pending content timeout limit for a BlackBerry MDS Connection Service.............................
113
113
113
114
114
114
115
115
116
117
118
118
118
119
119
119
120
120
121
121
121
122
123
128
129
129
129
129
130
Permit Java applications to use scalable socket connections with a BlackBerry MDS Connection
Service.......................................................................................................................................................
Specify the thread pool size of a BlackBerry MDS Connection Service.....................................................
Specify the maximum number of scalable socket connections.................................................................
Prevent the BlackBerry MDS Connection Service from using scalable HTTP.............................................
Specify the port number that the web server listens on for push application requests...........................
Specify how often a BlackBerry MDS Connection Service polls for configuration information................
130
130
131
131
132
132
12 Setting up the messaging environment............................................................................................................
Creating email message filters..........................................................................................................................
Create an email message filter that applies to all user accounts on a BlackBerry Enterprise Server
Express.......................................................................................................................................................
Turn on an email message filter that applies to all user accounts on a BlackBerry Enterprise Server
Express.......................................................................................................................................................
Create an email message filter that applies to a specific user account.....................................................
Turn on an email message filter that applies to a specific user account...................................................
Copying existing email message filters to another BlackBerry Enterprise Server Express...............................
Export email message filters for a BlackBerry Enterprise Server Express.................................................
Import email message filters for a BlackBerry Enterprise Server Express.................................................
Copying existing email message filters to user accounts..................................................................................
Export email message filters for a user account........................................................................................
Import email message filters for a user account.......................................................................................
Extension plug-ins for processing messages.....................................................................................................
Install an extension plug-in application.....................................................................................................
Add an extension plug-in to a BlackBerry Messaging Agent.....................................................................
Change how a BlackBerry Messaging Agent uses extension plug-ins........................................................
Configure how a BlackBerry Messaging Agent deletes email messages from a BlackBerry state database....
Mapping contact information fields for synchronization and contact lookups................................................
Map a contact information field in an email application to a contact list field on BlackBerry devices.....
Map a contact list field in an email application to a contact list field on a BlackBerry device..................
Map a contact information field in an email application to contact list fields on BlackBerry devices......
Map a contact list field in an email application to a contact list field on a BlackBerry device..................
133
133
13 Making the BlackBerry Web Desktop Manager available to users...................................................................
Installing the client components of the BlackBerry Web Desktop Manager on users' computers..................
Publish the client files for the BlackBerry Web Desktop Manager in a Windows GPO for Windows XP..........
Publish the client files for the BlackBerry Web Desktop Manager in a Windows GPO for Windows Vista......
Configure the Microsoft ActiveX Installer on Windows Vista....................................................................
142
142
142
143
144
133
134
134
135
135
135
135
136
136
136
137
137
138
138
139
139
140
140
140
141
Configure users' computers to install the client file for the BlackBerry Web Desktop Manager
automatically.................................................................................................................................................... 144
Make the BlackBerry Web Desktop Manager available to users...................................................................... 146
14 Configuring the BlackBerry Web Desktop Manager.........................................................................................
Permit users to perform administrative tasks using the BlackBerry Web Desktop Manager...........................
Permit users to create activation passwords using the BlackBerry Web Desktop Manager............................
Permit users to activate BlackBerry devices using the BlackBerry Web Desktop Manager.............................
Permit users to back up and restore data using the BlackBerry Web Desktop Manager.................................
Configure the domains for backing up data using the BlackBerry Web Desktop Manager..............................
Change the text colors in the BlackBerry Web Desktop Manager....................................................................
BlackBerry Web Desktop Manager text colors..........................................................................................
Display a custom image in the BlackBerry Web Desktop Manager..................................................................
Display the domain name on the login page of the BlackBerry Web Desktop Manager..................................
147
147
147
148
148
149
149
149
150
151
15 Creating and configuring Wi-Fi profiles and VPN profiles.................................................................................
Creating and configuring Wi-Fi profiles............................................................................................................
Prerequisites: Creating Wi-Fi profiles and VPN profiles............................................................................
Create a Wi-Fi profile.................................................................................................................................
Create a Wi-Fi profile based on an existing Wi-Fi profile..........................................................................
Configure a Wi-Fi profile on a BlackBerry device.......................................................................................
Assign a Wi-Fi profile to a group................................................................................................................
Assign a Wi-Fi profile to a user account....................................................................................................
Configure a Wi-Fi profile............................................................................................................................
Creating and configuring VPN profiles..............................................................................................................
Create a VPN profile..................................................................................................................................
Create a VPN profile based on an existing VPN profile.............................................................................
Configure a VPN profile.............................................................................................................................
Assign a VPN profile to a group.................................................................................................................
Assign a VPN profile to a user account......................................................................................................
Associate a VPN profile with a Wi-Fi profile..............................................................................................
Delete a Wi-Fi profile........................................................................................................................................
Delete a VPN profile.........................................................................................................................................
Importing profile information from a .csv file..................................................................................................
Best practices: Creating a .csv file that contains profile information that you want to import................
Create a .csv file that contains profile information that you want to import............................................
Import profile information from a .csv file................................................................................................
152
152
152
154
154
154
154
155
155
156
156
156
157
157
157
158
158
158
159
159
159
161
16 Configuring encryption and authentication methods for Wi-Fi enabled BlackBerry devices........................... 162
Configuring WEP encryption.............................................................................................................................
Configure WEP keys for BlackBerry devices using a Wi-Fi profile.............................................................
Configuring PSK encryption..............................................................................................................................
Configure PSK encryption data for BlackBerry devices using a Wi-Fi profile.............................................
Configuring LEAP authentication......................................................................................................................
Configure LEAP authentication data for BlackBerry devices using a Wi-Fi profile....................................
Configuring PEAP authentication......................................................................................................................
Configure PEAP authentication data for BlackBerry devices using a Wi-Fi profile....................................
Prerequisites: Distributing a certificate using the BlackBerry Desktop Manager......................................
Distribute a certificate using the BlackBerry Desktop Manager................................................................
Configure PEAP configuration settings in the Wi-Fi profile on a BlackBerry device..................................
Configuring EAP-TLS authentication.................................................................................................................
Configure EAP-TLS authentication data for BlackBerry devices using a Wi-Fi profile...............................
Configure EAP-TLS configuration settings in the Wi-Fi profile on a BlackBerry device.............................
Configuring EAP-TTLS authentication...............................................................................................................
Configure EAP-TTLS authentication data for BlackBerry devices using a Wi-Fi profile.............................
Configure EAP-TTLS configuration settings in the Wi-Fi profile on a BlackBerry device...........................
Configuring EAP-FAST authentication...............................................................................................................
Configure EAP-FAST authentication..........................................................................................................
Send EAP-FAST authentication data to a BlackBerry device using a Wi-Fi profile.....................................
Configure EAP-FAST configuration settings in the Wi-Fi profile on BlackBerry devices............................
162
162
163
163
163
164
164
165
165
166
167
167
168
168
169
170
170
171
171
172
172
17 Configuring software tokens for BlackBerry devices........................................................................................
Prerequisites: Configuring BlackBerry devices for RSA authentication............................................................
Configure BlackBerry devices for RSA authentication......................................................................................
Configure RSA authentication over a Wi-Fi network using a software token...................................................
Configure RSA authentication over a VPN network using a software token....................................................
Assign software tokens to a user account........................................................................................................
174
174
175
175
176
176
18 Changing the security settings of the BlackBerry Administration Service and BlackBerry Web Desktop
Manager............................................................................................................................................................
Import a new SSL certificate for the BlackBerry Administration Service and BlackBerry Web Desktop
Manager............................................................................................................................................................
Configuring which IBM Lotus Domino server with DIIOP the BlackBerry Administration Service uses............
Change the IBM Lotus Domino server with DIIOP that the BlackBerry Administration Service uses........
Change the information for Microsoft Active Directory authentication..........................................................
Configuring single sign-on authentication for the BlackBerry Administration Service and BlackBerry Web
Desktop Manager.............................................................................................................................................
178
178
179
179
180
181
Configure constrained delegation for the Microsoft Active Directory account to support single sign-on
authentication...........................................................................................................................................
Turn on single sign-on authentication for the BlackBerry Administration Service....................................
BlackBerry Administration Service web addresses and BlackBerry Web Desktop Manager web
addresses that support BlackBerry Administration Service single sign-on................................................
Changing password settings for BlackBerry Administration Service authentication........................................
Change password settings for BlackBerry Administration Service authentication....................................
Regenerate the system credentials for the BlackBerry Administration Service...............................................
181
182
182
183
183
183
19 Protecting and redistributing devices...............................................................................................................
Preparing a device for redistribution to a new user.........................................................................................
Use the BlackBerry Administration Service to delete user data and assign the device to a new user......
Use the BlackBerry Administration Service to delete user data and remove the BlackBerry Device
Software before assigning the device to a new user.................................................................................
Deleting only work data from a device.............................................................................................................
Delete only work data from a device.........................................................................................................
Using IT administration commands to protect a lost or stolen device.............................................................
Protect a stolen device..............................................................................................................................
Protect a lost device..................................................................................................................................
Protect a lost device that a user might not recover..................................................................................
184
184
184
20 Managing administrator accounts....................................................................................................................
Change the roles for an administrator account................................................................................................
Delete a role.....................................................................................................................................................
Delete an administrator account......................................................................................................................
191
191
191
191
21 Managing groups and user accounts................................................................................................................
Managing groups..............................................................................................................................................
Using default groups to manage user accounts and administrator accounts...........................................
Remove a user account from a group.......................................................................................................
Change the properties of a group..............................................................................................................
Rename a group........................................................................................................................................
Delete a group...........................................................................................................................................
Managing user accounts...................................................................................................................................
Move a user account to a different group.................................................................................................
Move a user account from one BlackBerry Enterprise Server Express to another....................................
Delete a user account from the BlackBerry Enterprise Server Express.....................................................
Add an administrator role to a user account.............................................................................................
Update the contact list manually...............................................................................................................
193
193
193
194
194
194
195
195
195
195
196
196
197
184
185
186
187
188
189
189
Resend service books to a BlackBerry device............................................................................................ 197
22 Managing the delivery of BlackBerry Java Applications, BlackBerry Device Software, and device settings to
BlackBerry devices............................................................................................................................................
Managing the default distribution settings for jobs.........................................................................................
Change default settings for a job schedule...............................................................................................
Change how IT policies are sent to BlackBerry devices.............................................................................
Change how to install, update, or remove BlackBerry Java Applications..................................................
Change how to install or update the BlackBerry Device Software............................................................
Change how the BlackBerry Enterprise Server Express sends standard application settings to
BlackBerry devices.....................................................................................................................................
Managing the distribution settings for a specific job.......................................................................................
Specify the start time and priority for a job..............................................................................................
Change how a job sends IT policies to BlackBerry devices........................................................................
Change how a job sends BlackBerry Java Applications to BlackBerry devices..........................................
Change how a job sends the BlackBerry Device Software to BlackBerry devices......................................
Change how a job sends standard application settings to BlackBerry devices.........................................
Managing BlackBerry Java Applications on BlackBerry devices........................................................................
Make a BlackBerry Java Application unavailable for installation..............................................................
Remove a BlackBerry Java Application from BlackBerry devices over the wireless network....................
Managing software configurations...................................................................................................................
Remove a software configuration from a group.......................................................................................
Remove a software configuration from multiple user accounts...............................................................
Remove a software configuration from a user account............................................................................
Delete a software configuration................................................................................................................
23 Managing how users access enterprise applications and web content............................................................
Restricting user access to content on web servers...........................................................................................
Restrict requests for content on web servers from BlackBerry devices....................................................
Specify web address patterns....................................................................................................................
Create a pull rule.......................................................................................................................................
Restrict or permit web addresses and Intranet addresses using a pull rule..............................................
Assign a pull rule to the members of a group............................................................................................
Assign a pull rule to user accounts............................................................................................................
Restricting user access to media content in the BlackBerry Browser...............................................................
Prevent users from accessing specific media types...................................................................................
Configure download limits for media content types.................................................................................
Default download limits for media content types.....................................................................................
198
198
198
199
200
201
202
203
204
204
205
206
208
209
209
209
210
210
210
211
211
212
212
212
212
213
213
214
215
215
215
216
216
Configuring Integrated Windows authentication so that users can access resources on your organization's
network.............................................................................................................................................................
Configuring the Microsoft Active Directory account to delegate access...................................................
Configuring the BlackBerry MDS Connection Service when the messaging server is located in a
remote Microsoft Active Directory domain...............................................................................................
Turn on Integrated Windows authentication so that users can access resources on your organization's
network.....................................................................................................................................................
Restricting the push application content that users can receive......................................................................
Restrict push applications from sending data to BlackBerry devices........................................................
Create push initiators for push applications..............................................................................................
Turn on push authorization.......................................................................................................................
Create a push rule......................................................................................................................................
Assign push initiators to a push rule..........................................................................................................
Assign a push rule to the members of a group..........................................................................................
Assign a push rule to user accounts..........................................................................................................
Encrypt push requests that push applications send to BlackBerry devices...............................................
Managing push application requests................................................................................................................
Specify device ports for application-reliable push requests......................................................................
Store push application requests in the BlackBerry Configuration Database.............................................
Configure the settings for storing push requests in the BlackBerry Configuration Database...................
Configure the maximum number of active connections that a BlackBerry MDS Connection Service can
process.......................................................................................................................................................
Configure the maximum number of queued connections that a BlackBerry MDS Connection Service
can process................................................................................................................................................
24 Managing organizer data synchronization........................................................................................................
Managing the wireless backup and recovery of organizer data.......................................................................
Turn off the wireless backup of organizer data for a user account...........................................................
Delete organizer data for members of a user group from the BlackBerry Enterprise Server Express......
Delete a user's organizer data from a BlackBerry Enterprise Server Express............................................
Turning off organizer data synchronization......................................................................................................
Turn off organizer data synchronization for all user accounts that are associated with a BlackBerry
Enterprise Server Express..........................................................................................................................
Turn off organizer data synchronization for a specific user account.........................................................
Changing how organizer data synchronizes......................................................................................................
Change the direction of organizer data synchronization for all user accounts on a BlackBerry
Enterprise Server Express..........................................................................................................................
Change the direction of organizer data synchronization for a specific user account................................
217
217
220
221
222
222
223
223
224
224
224
225
225
226
226
226
227
227
228
229
229
229
229
230
230
230
230
231
231
231
Change how the BlackBerry Administration Service resolves conflicts during organizer data
synchronization for all user accounts on a BlackBerry Enterprise Server Express....................................
Change how the BlackBerry Administration Service resolves conflicts during organizer data
synchronization for a specific user account...............................................................................................
Specify the location of organizer data.......................................................................................................
Specify the location that the BlackBerry Messaging Agent uses to find organizer data...........................
25 Managing your organization's messaging environment and attachment support...........................................
Managing message forwarding.........................................................................................................................
Forward email messages to a BlackBerry device when no filter rules apply.............................................
Do not deliver email messages to a BlackBerry device when no filter rules apply....................................
Forward email messages from inbox subfolders to a BlackBerry device...................................................
Turn off email message forwarding to user accounts in a group..............................................................
Turn off email message forwarding to a user account..............................................................................
Turn off synchronization for email messages sent from a BlackBerry device...........................................
Turn off email message forwarding when a user connects a BlackBerry device to a computer...............
Managing the incoming message queue..........................................................................................................
Delete email messages for user accounts from the incoming message queue.........................................
Managing wireless message reconciliation......................................................................................................
Turn off wireless message reconciliation for a BlackBerry Enterprise Server Express..............................
Managing access to remote message data.......................................................................................................
Prevent a user from checking the availability of meeting participants on the BlackBerry device.............
Prevent a user from searching for remote email messages using a device...............................................
Managing email messages that contain HTML and rich content......................................................................
View whether a user turned on support for email messages that contain HTML and rich content for a
BlackBerry device......................................................................................................................................
Turn off support for rich text formatting and inline images in email messages for users on a
BlackBerry Enterprise Server Express........................................................................................................
Turn off support for rich text formatting in email messages using an IT policy rule.................................
Configuring IBM Lotus Notes links on devices..................................................................................................
Configure the BlackBerry Enterprise Server Express to support IBM Lotus Notes links to different IBM
Lotus Domino domains..............................................................................................................................
Updating the map for IBM Lotus Domino server names and host names.................................................
Change how often the BlackBerry Messaging Agent updates the map for IBM Lotus Domino server
names and host names..............................................................................................................................
Turn off support for IBM Lotus Notes links...............................................................................................
Synchronizing folders on the BlackBerry device...............................................................................................
Control which published public contact folders a user can synchronize to a BlackBerry device..............
Control which personal contact subfolders a user can synchronize to a BlackBerry device.....................
232
232
233
233
234
234
234
234
235
235
236
236
236
237
237
237
238
238
238
239
240
240
240
241
241
242
243
243
243
244
244
244
Control which personal mail folders a user can synchronize with a BlackBerry device............................
Specify public contact databases that users can access from their BlackBerry devices............................
Control which public contact databases a user can access from the BlackBerry device...........................
Configuring access to documents on remote file systems...............................................................................
Configure the BlackBerry MDS Connection Service to communicate with a remote file system..............
Add communication information to a BlackBerry MDS Connection Service configuration set.................
Assign a BlackBerry MDS Connection Service configuration set to a BlackBerry MDS Connection
Service instance.........................................................................................................................................
Managing signatures and disclaimers in email messages.................................................................................
Add a signature to email messages that a user sends from a BlackBerry device......................................
Add a disclaimer to email messages that users send from BlackBerry devices.........................................
Add a disclaimer to email messages that a user sends from a BlackBerry device.....................................
Specify conflict rules for disclaimers.........................................................................................................
Turn off disclaimers for email messages...................................................................................................
Monitor email messages that users send from BlackBerry devices..................................................................
Sending notification messages to users............................................................................................................
Send a notification message to all users in a BlackBerry Domain.............................................................
Send a notification message to all users on a BlackBerry Enterprise Server Express................................
Send a notification message to group members.......................................................................................
Send a notification message to a user.......................................................................................................
Automated notification messages....................................................................................................................
Change the subject for automated notification messages........................................................................
Turn off automated notification messages...............................................................................................
How the BlackBerry Attachment Connector communicates with BlackBerry Attachment Service instances..
Change how a BlackBerry Attachment Connector retries sending requests to a BlackBerry Attachment
Service.......................................................................................................................................................
Change how a BlackBerry Attachment Connector restores a lost connection to a BlackBerry
Attachment Service...................................................................................................................................
Attachment file formats that the BlackBerry Attachment Service supports....................................................
Limitations for supported attachment file formats...................................................................................
Changing how a BlackBerry Attachment Service converts attachments..........................................................
Change how a BlackBerry Attachment Service converts attachments......................................................
Change the maximum file size for attachments that users can receive....................................................
Turn off support for an attachment file format for a BlackBerry Attachment Service.....................................
Add support for an additional attachment file format to a BlackBerry Attachment Service............................
Changing how the BlackBerry Messaging Agent reconciles attachments to the messaging server.................
Change the maximum file size for attachments that users can send........................................................
Prevent users from sending large attachments.........................................................................................
Change the maximum file size of attachments that users can download.................................................
245
245
246
246
247
248
249
249
249
250
250
251
251
251
252
252
253
253
253
253
253
254
255
255
256
256
257
258
258
260
261
261
262
263
263
263
26 Managing calendars..........................................................................................................................................
Correcting calendar synchronization errors on devices....................................................................................
Configuration levels using the BlackBerry Enterprise Trait Tool...............................................................
Turn on corrective calendar synchronization............................................................................................
View the current settings for corrective calendar synchronization...........................................................
Permit corrective calendar synchronization to correct errors automatically............................................
Configure the range of days to check for calendar synchronization errors...............................................
Configure when corrective calendar synchronization runs.......................................................................
Configure throttling for corrective calendar synchronization...................................................................
Logging information for corrective calendar synchronization...................................................................
Delete a setting for corrective calendar synchronization..........................................................................
Start corrective calendar synchronization manually for a user account..........................................................
265
265
265
265
266
267
267
268
269
270
270
271
27 Managing a BlackBerry Domain........................................................................................................................
Restarting BlackBerry Enterprise Server Express components.........................................................................
Restart a BlackBerry Enterprise Server Express component using the BlackBerry Administration
Service.......................................................................................................................................................
Restart a BlackBerry Enterprise Server Express component using Windows Services..............................
Best practice: Restarting more than one BlackBerry Administration Service instance.............................
Using the BlackBerry Enterprise Trait Tool.......................................................................................................
Use the BlackBerry Enterprise Trait Tool...................................................................................................
BlackBerry Enterprise Trait Tool traits..............................................................................................................
Managing BlackBerry CAL keys.........................................................................................................................
Add or delete a BlackBerry CAL key...........................................................................................................
Copy a BlackBerry CAL key to a text file....................................................................................................
Configuring the BlackBerry Mail Store Service instance that updates the contact list.....................................
How the BlackBerry Mail Store Service instances update multiple contact lists.......................................
Configure the BlackBerry Mail Store Service instance that updates the contact list................................
Configuring BlackBerry Policy Service throttling...............................................................................................
View the current settings for BlackBerry Policy Service throttling............................................................
Configuring BlackBerry Policy Service throttling for IT policies and service books...................................
Configuring BlackBerry Policy Service throttling for PIN encryption keys.................................................
Configuring BlackBerry Policy Service throttling for application polling...................................................
Delete a BlackBerry Policy Service throttling setting.................................................................................
Change the port number that BlackBerry Enterprise Server Express components use to connect to the
BlackBerry Configuration Database..................................................................................................................
Change the port number that the syslog tools use to monitor BlackBerry Enterprise Server Express events.
272
272
272
273
273
273
273
274
282
283
283
283
284
284
284
285
285
287
287
288
288
289
28 BlackBerry Controller and BlackBerry Enterprise Server Express Component Monitoring..............................
How the BlackBerry Controller monitors the BlackBerry Enterprise Server Express components...................
Change how the BlackBerry Controller restarts the BlackBerry Messaging Agent....................................
Change how the BlackBerry Controller restarts a BlackBerry Enterprise Server Express service..............
BlackBerry Enterprise Server Alert Tool............................................................................................................
Configuring notifications using the BlackBerry Enterprise Server Alert Tool............................................
290
290
290
293
295
295
29 BlackBerry Enterprise Server Express log files..................................................................................................
Log files for BlackBerry Enterprise Server Express components.......................................................................
Changing the location where BlackBerry Enterprise Server Express components save log files...............
Changing how BlackBerry Enterprise Server Express components create log files...................................
Component identifiers for log files............................................................................................................
BlackBerry MDS Connection Service log files...................................................................................................
Changing how the BlackBerry MDS Connection Service creates a log file................................................
Using BlackBerry MDS Connection Service log files to view information for proxied connections to
BlackBerry devices.....................................................................................................................................
297
297
297
298
302
303
303
30 BlackBerry Enterprise Solution connection types and port numbers...............................................................
BlackBerry Administration Service connection types and port numbers.........................................................
BlackBerry Attachment Service connection types and port numbers..............................................................
BlackBerry Configuration Database connection types and port numbers........................................................
BlackBerry Controller connection types and port numbers.............................................................................
BlackBerry Dispatcher connection types and port numbers............................................................................
BlackBerry Messaging Agent connection types and port numbers..................................................................
BlackBerry MDS Connection Service connection types and port numbers......................................................
BlackBerry Policy Service connection types and port numbers........................................................................
BlackBerry Router connection types and port numbers...................................................................................
BlackBerry Synchronization Service connection types and port numbers.......................................................
IBM Lotus Domino connection types and port numbers..................................................................................
SNMP agent connection types and port numbers............................................................................................
Syslog connection type and port number.........................................................................................................
308
308
310
311
312
313
315
317
318
319
321
322
323
323
31 Troubleshooting................................................................................................................................................
Troubleshooting: Connecting to the BlackBerry Administration Service..........................................................
The web browser displays an HTTP 404 or HTTP 504 error message when it tries to connect to a
BlackBerry Administration Service instance..............................................................................................
Troubleshooting: BlackBerry Enterprise Server Express Performance.............................................................
A BlackBerry Enterprise Server Express that you installed remotely from the BlackBerry Configuration
Database uses an unexpected amount of system resources and increases wireless network traffic.......
325
325
306
325
325
325
Microsoft SQL Server uses a considerable amount of disk space..............................................................
Troubleshooting: Using IBM Lotus Notes encryption.......................................................................................
The BlackBerry device does not prompt the user for the Notes .id password when it decrypts an IBM
Lotus Notes encrypted message................................................................................................................
Troubleshooting: Setting up user accounts......................................................................................................
You cannot create a user account in the BlackBerry Administration Service............................................
You cannot find a new user account in the directory using the BlackBerry Administration Service.........
Troubleshooting: Messaging.............................................................................................................................
Messages are not delivered to BlackBerry devices...................................................................................
Troubleshooting: BlackBerry Web Desktop Manager.......................................................................................
Troubleshooting: Users cannot log in to the BlackBerry Web Desktop Manager.....................................
Troubleshooting: Connections to the Wi-Fi network.......................................................................................
A BlackBerry device cannot connect to a Wi-Fi network...........................................................................
A BlackBerry device cannot open a VPN connection.................................................................................
A BlackBerry device cannot connect to the mobile network using UMA or GAN.....................................
Verify whether a BlackBerry device can resolve an IP address.................................................................
Look up a computer name to resolve an IP address..................................................................................
Troubleshooting: BlackBerry Administration Service pools..............................................................................
BlackBerry Administration Service instances located in different network segments are not
connecting to each other...........................................................................................................................
326
327
327
327
327
328
328
328
329
329
329
329
337
338
338
339
339
339
32 Glossary............................................................................................................................................................ 341
33 Provide feedback.............................................................................................................................................. 350
34 Legal notice....................................................................................................................................................... 351
Administration Guide
Overview: BlackBerry Enterprise Server Express
Overview: BlackBerry Enterprise Server Express
1
The BlackBerry® Enterprise Server Express is designed to be a secure, centralized link between an organization's
wireless network, communications software, applications, and BlackBerry devices. The BlackBerry Enterprise Server
Express integrates with your organization's existing infrastructure, which can include messaging software, calendar
and contact information, wireless Internet and intranet access, and custom applications, to provide BlackBerry device
users with mobile access to your organization's resources.
The BlackBerry Enterprise Server Express supports devices that are provisioned for a BlackBerry Enterprise Server or
for the BlackBerry® Internet Service.
The BlackBerry Enterprise Server Express supports AES and Triple DES encryption to protect and ensure the integrity
of wireless data that is transmitted between the BlackBerry Enterprise Server Express components and devices. You
can configure IT policy rules to control the features of the devices that are used in your organization's environment.
You can manage the BlackBerry Enterprise Server Express, devices, and user accounts using the BlackBerry
Administration Service, a web application that is accessible from any computer that can access the computer that
hosts the BlackBerry Administration Service. You can use the BlackBerry Administration Service to manage a
BlackBerry Domain, which consists of one or more BlackBerry Enterprise Server Express instances and remote
components that use a single BlackBerry Configuration Database.
Getting started in your BlackBerry Enterprise Server Express
environment
The following table lists the tasks that administrators typically perform after installing a BlackBerry® Enterprise Server
Express, and the chapter or section in the BlackBerry Enterprise Server Express Administration Guide that contains
the information required to complete the task. Some of the tasks might not be required in your organization's
environment.
Task
Create administrator accounts.
Review the default IT policies. If necessary, change
existing IT policies or create new IT policies.
Add user accounts to the BlackBerry Enterprise Server
Express.
Create groups.
Add user accounts to groups.
Chapter
Creating administrator accounts
Configuring security options
• Section: Using an IT policy to manage BlackBerry
Enterprise Solution security
Configuring user accounts
• Section: Adding a user account to the BlackBerry
Enterprise Server
Configuring user accounts
• Section: Creating groups
Configuring user accounts
• Section: Add a user account to a group
17
Administration Guide
Getting started in your BlackBerry Enterprise Server Express environment
Task
Chapter
Review the default distribution settings for IT policies. If Managing the delivery of BlackBerry Java Applications,
necessary, change the default distribution settings.
BlackBerry Device Software, and device settings to
BlackBerry devices
• Section: Change how IT policies are sent to
BlackBerry devices
Assign IT policies to groups or user accounts.
Setting up security options
• Section: Assign an IT policy to a group
• Section: Assign an IT policy to a user account
Assign BlackBerry devices to user accounts.
Assigning BlackBerry devices to users
If necessary, change the default messaging settings for Setting up the messaging environment
your organization's environment.
Managing your messaging environment and attachment
support
Prepare to distribute BlackBerry Java® Applications.
Sending software and BlackBerry Java Applications to
BlackBerry devices
• Section: Preparing to distribute BlackBerry Java
Applications
Review the default distribution settings for BlackBerry Managing the delivery of BlackBerry Java Applications,
Java Applications. If necessary, change the default
BlackBerry Device Software, and device settings to
distribution settings.
BlackBerry devices
• Section: Change how to install, update, or remove
BlackBerry Java Applications on BlackBerry devices
Review the default application control policies and
Sending software and BlackBerry Java Applications to
application control policies for unlisted applications. If BlackBerry devices
necessary, change the existing application control
• Section: Configuring application control policies
policies.
• Section: Application control policies for unlisted
applications
Create software configurations for BlackBerry Java
Sending software and BlackBerry Java Applications to
Applications.
BlackBerry devices
• Section: Creating software configurations
Assign software configurations for BlackBerry Java
Sending software and BlackBerry Java Applications to
Applications to groups, multiple user accounts, or
BlackBerry devices
individual user accounts.
• Section: Assign a software configuration to a group
• Section: Assign a software configuration to multiple
user accounts
• Section: Assign a software configuration to a user
account
Optional tasks
18
Administration Guide
Getting started in your BlackBerry Enterprise Server Express environment
Task
Chapter
Update BlackBerry® Device Software on BlackBerry
Visit www.blackberry.com/go/serverdocs to see the
devices.
BlackBerry Device Software Update Guide.
Make the BlackBerry® Web Desktop Manager available Making the BlackBerry Web Desktop Manager available
to users and configure the BlackBerry Web Desktop
to users
Manager.
Configuring the BlackBerry Web Desktop Manager
Create and configure Wi-Fi® and VPN profiles.
Creating and configuring Wi-Fi profiles and VPN profiles
Change how the BlackBerry Enterprise Server Express
BlackBerry Enterprise Server log files
creates log files.
19
Administration Guide
Log in to the BlackBerry Administration Service for the first time
Log in to the BlackBerry Administration Service
for the first time
2
To open the BlackBerry® Administration Service, you can use a browser on any computer that has access to the
computer that hosts the BlackBerry Administration Service.
Before you begin: To manage a BlackBerry device using the BlackBerry Administration Service while the BlackBerry
device is connected to the computer, the browser must permit Microsoft® ActiveX® controls.
1.
2.
3.
4.
5.
In the browser, type https://<server_name>:<https_port>/webconsole/app, where <server_name> is the
name of the computer that hosts the BlackBerry Administration Service.
In the User name field, type admin.
In the Password field, type the password that you created during the installation process.
In the Log in using drop-down list, click BlackBerry Administration Service.
Click Log in.
Related topics
Best practice: Running the BlackBerry Enterprise Server Express, 50
The web browser displays an HTTP 404 or HTTP 504 error message when it tries to connect to a BlackBerry Administration Service instance,
325
There is a problem with this website's security certificate
Description
The browser displays this error message when you try to navigate to the BlackBerry® Administration Service using
Windows® Internet Explorer® version 7 or later.
Possible solution
Add the web address for the BlackBerry Administration Service to the list of trusted web sites in Windows Internet
Explorer, and install the certificate for the BlackBerry Administration Service in the certificate store of your computer.
1.
In Windows Internet Explorer, navigate to the BlackBerry Administration Service console.
2.
Click Continue to this website (not recommended).
3.
On the Tools menu, click Internet Options.
4.
On the Security tab, click Local Intranet.
5.
Click Sites.
6.
Click Add to add the console to the list of trusted web sites.
7.
Click Close.
8.
Click OK.
9.
In the browser window, on the toolbar, click Certificate Error.
10. Click View certificates.
20
Administration Guide
This connection is untrusted
11. Click Install certificate. The Certificate Import Wizard opens.
12. Complete the instructions in the Certificate Import Wizard. If you are trying to log in to the BlackBerry
Administration Service using a computer that runs Windows Vista®, perform the following actions in the
Certificate Import Wizard.
a.
In the Certificate Store dialog box, click Place all certificates in the following store.
b.
Click Browse.
c.
Click Trusted Root Certification Authorities.
d.
Click OK.
13. Close and reopen the browser.
This connection is untrusted
Description
The browser displays this error message when you try to navigate to the BlackBerry® Administration Service using
Mozilla® Firefox® 3.6.
Possible solution
Install the certificate for the BlackBerry Administration Service in the certificate store of your computer.
1.
In Firefox, navigate to the BlackBerry Administration Service console.
2.
Click I Understand the Risks.
3.
Click Add Exception.
4.
Click Confirm Security Exception.
5.
Close and reopen the browser.
21
Creating administrator accounts
Administration Guide
Creating administrator accounts
3
Administrative roles and permissions
You assign roles to administrator accounts so that you can control who can perform tasks on the BlackBerry®
Enterprise Server Express.
You can assign multiple roles to administrator accounts. If you assign multiple roles to an administrator account, the
administrator is assigned all the permissions that are turned on for each of the roles.
You can also assign roles to groups and add administrator accounts to groups. This allows you to specify administrative
role permissions at a group level instead of at an individual level. If the group contains BlackBerry device users, the
roles are also assigned to the users and the users become administrators.
Preconfigured administrative roles
The BlackBerry® Enterprise Server Express installation process includes preconfigured administrative roles. You can
use the preconfigured administrative roles in your organization's environment instead of creating customize
administrative roles. Each preconfigured administrative role contains multiple permissions that are turned on. The
preconfigured administrative roles make sure that users that do not have specific administrative permissions cannot
escalate their permissions. For example, junior helpdesk administrators cannot escalate their roles to senior helpdesk
administrator roles. You can configure additional permissions in the preconfigured administrative roles or turn off
any of the permissions.
Senior
Helpdesk
role
X
Junior
Helpdesk
role
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Permission name
Security role
Enterprise
role
Create a group
Delete a group
View a group (across
Group)
Edit a group (across
Group)
Create a user
Delete a user
View a user (across Group)
Edit a user (across Group)
View a device (across
Group)
Edit a device (across
Group)
X
X
X
X
X
X
X
22
Server only
role
User only
role
Administrative roles and permissions
Administration Guide
Senior
Helpdesk
role
Junior
Helpdesk
role
Permission name
Security role
Enterprise
role
View device activation
settings
Edit device activation
settings
Create an IT policy
Delete an IT policy
View an IT policy
Edit an IT policy
Create a user-defined IT
policy template
Delete a user-defined IT
policy template
Edit a user-defined IT
policy template
Resend data to devices
Create a software
configuration
View a software
configuration
Edit a software
configuration
Delete a software
configuration
View BlackBerry
Administration Service
software management
Edit BlackBerry
Administration Service
software management
Create an application
View an application
Edit an application
Delete an application
Create an administrator
user
Specify an activation
password
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Server only
role
X
User only
role
X
X
X
X
X
X
X
X
X
X
X
X
X
23
Administrative roles and permissions
Administration Guide
X
Senior
Helpdesk
role
X
Junior
Helpdesk
role
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Permission name
Security role
Enterprise
role
Generate an activation
email
Assign the current device
to a user
Turn off and on external
services
Clear activation password
Clear synchronization
backup data
Clear user statistics
Export statistics
Reset user field mapping
Turn on redirection
Turn off redirection
Refresh available user list
from company directory
Add User from Company
Directory
View a server
Edit a server
View a component
Edit a component
View an instance
Edit an instance
Change the status of an
instance
Edit an instance
relationship
View a job
Edit a job
Manage deployment job
tasks
Change the status of a job
task
Update peer-to-peer
encryption key
View job distribution
settings
X
24
Server only
role
User only
role
X
X
X
X
X
X
X
X
X
Administrative roles and permissions
Administration Guide
Senior
Helpdesk
role
Junior
Helpdesk
role
Permission name
Security role
Enterprise
role
Server only
role
User only
role
Edit job distribution
settings
Delete an instance
Edit license keys
View license keys
Manually fail a job
Clear instance statistics
View push rules for the
BlackBerry MDS
Connection Service
View pull rules for the
BlackBerry MDS
Connection Service
Send message (across
Group)
View a role
Add or remove role
Import or export groups
within roles
Import new users
Import or export users
Import user updates
Import or export email
message filters for a user
Export asset summary
data
Add or remove to user
configuration
Delete all device data and
remove device
Delete only the
organization data and
remove device
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
25
Administration Guide
Create an administrator account
Create an administrator account
You create an account for administrators to enable them to log in to the BlackBerry® Administration Service and
manage the BlackBerry® Enterprise Server Express. You create an administrator account and assign the account to
one or more administrator roles. The roles control the actions that an administrator can perform in the BlackBerry
Administration Service.
Before you begin: Verify that you can configure the authentication type and roles for an administrator account.
1.
2.
3.
4.
5.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand
Administrator user.
Click Create an administrator user.
Type the required information.
In the Role drop-down list, click the role that you want to assign to the administrator account.
Click Create an administrator user.
After you finish: To configure the administrator account, provide the login information to the administrator and add
the administrator account to a group or assign additional roles to the administrator account.
Related topics
Managing administrator accounts, 191
Assigning BlackBerry devices to user accounts, 65
Add an administrator account to a group
When you add an administrator account to one or more groups, you can manage role permissions at a group level
instead of at an individual level. If you use groups to manage administrator roles and administrator accounts in your
organization's environment, you can add multiple administrator accounts to specific groups and assign the
appropriate roles to each group.
Note: If you add a role to a group, all accounts in the group become administrator accounts and have all of the
permissions that are assigned to that role, even if the accounts are user accounts for BlackBerry® device users.
1.
2.
3.
4.
5.
6.
7.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for an administrator account.
In the search results, click the display name for the administrator account.
Click Edit user.
On the Groups tab, in the Available groups list, click the group that you want to add the administrator account
to.
Click Add.
8.
Click Save all.
Related topics
26
Administration Guide
Specify an email address for the BlackBerry Administration Service
Create a group to manage similar user accounts, 58
Specify an email address for the BlackBerry Administration
Service
You can specify the email address that the BlackBerry® Administration Service sends BlackBerry® Enterprise Server
Express system messages or activation passwords from.
Before you begin: Create an email account on your organization's messaging server.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the Devices menu, expand Wireless activations.
Click Device activation settings.
Click Edit activation settings.
In the Sender address field, type the email address that you want the BlackBerry Administration Service to send
system messages or activation passwords from.
Click Save all.
Permit an administrator to log in to the BlackBerry
Administration Service using a messaging server account
You can permit an administrator to log in to the BlackBerry® Administration Service using a user name and password
for the messaging server.
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
In the search results, click the display name for the user account.
Click Edit user.
In the Authentication type section, click the Edit icon.
In the User information section, in the Display name field, type the user name.
In the Authentication type section, type and verify a password.
Click the Update icon.
Click Save all.
Assign a BlackBerry device to an administrator account
You can assign a BlackBerry® device to an administrator without creating a separate user account.
1.
2.
3.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for an administrator account.
27
Administration Guide
4.
5.
6.
7.
8.
9.
10.
28
Assign a BlackBerry device to an administrator account
Click the display name for the administrator account.
In the BlackBerry Enterprise Server status list, click Enable as BlackBerry user.
Search for the messaging server display name or email address of the administrator.
Select the check box beside the administrator account.
Click Next.
Click the BlackBerry® Enterprise Server Express that you want to assign the administrator account to.
Click Save all.
Administration Guide
Using an IT policy to manage BlackBerry Enterprise Solution security
Using an IT policy to manage BlackBerry
Enterprise Solution security
4
You can use an IT policy to control and manage BlackBerry® devices, the BlackBerry® Desktop Software, and the
BlackBerry® Web Desktop Manager in your organization's environment. An IT policy consists of multiple IT policy
rules that manage the security and behavior of the BlackBerry® Enterprise Solution. For example, you can use IT
policy rules to manage the following security features and behaviors of the device:
• encryption (for example, encryption of user data and messages that the BlackBerry® Enterprise Server Express
forwards to message recipients) and encryption strength
• use of a password or pass phrase
• protection of user data and device transport keys on the device
• control of device resources, such as the camera or GPS, that are available to third-party applications
The Default IT policy includes IT policy rules that are configured to indicate the default behavior of the device or
BlackBerry Desktop Software.
After a device user activates a device, the BlackBerry Enterprise Server Express automatically sends to the device the
IT policy that you assigned to the user account or group. By default, if you do not assign an IT policy to the user
account or group, the BlackBerry Enterprise Server Express sends the Default IT policy. If you delete an IT policy that
you assigned to the user account or group, the BlackBerry Enterprise Server Express automatically re-assigns the
Default IT policy to the user account and resends the Default IT policy to the device.
For more information, see the BlackBerry Enterprise Server Express Policy Reference Guide.
Using IT policy rules to manage BlackBerry Enterprise
Solution security
You can use IT policy rules to customize and control the actions that the BlackBerry® Enterprise Solution can perform.
To use an IT policy rule on a BlackBerry device, you must verify that the BlackBerry® Device Software version supports
the IT policy rule. For example, you cannot use the Disable Camera IT policy rule to control whether a BlackBerry
device user can access the camera on the device if the BlackBerry Device Software version does not support the IT
policy rule. For information about the BlackBerry Device Software version that is required for a specific IT policy rule,
see the BlackBerry Enterprise Server Policy Reference Guide.
If you create a custom IT policy that does not permit users to change their user information on their devices, you can
only apply this custom IT policy to devices running BlackBerry Device Software 5.0 or later.
The BlackBerry Administration Service groups the IT policy rules by common properties or by application. Most IT
policy rules are designed so that you can assign them to multiple user accounts and groups.
29
Administration Guide
Default IT policy
Default IT policy
The BlackBerry® Enterprise Server Express includes a default IT policy. When you install the BlackBerry Enterprise
Server Express, the IT policy rules in the default IT policy do not contain any values. If you do not specify a value for
an IT policy rule, the default value is used. You can configure and apply the default IT policy to user accounts, or you
can create new IT policies and assign the new IT policies to user accounts to control the BlackBerry devices in your
organization's environment.
Creating IT policies
Create an IT policy
1.
2.
3.
4.
5.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Policy.
Click Create an IT policy.
Type a name and description for the IT policy.
Click Save.
To configure the IT policy, perform the following actions:
a. In the IT policy information section, click the IT policy.
b. Click Edit IT policy.
c. On a tab for an IT policy group, configure values for the IT policy rules.
d. Click Save All.
After you finish: For more information, see the BlackBerry Enterprise Server Policy Reference Guide.
Create an IT policy based on an existing IT policy
1.
2.
3.
4.
5.
6.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Policy.
Click Manage IT policies.
In the list of IT policies, click the IT policy that you want to copy.
Click Copy IT policy.
Type a name and description for the new IT policy.
Click Save.
7.
To change the IT policy settings, perform the following actions:
a. In the IT policy information section, click the IT policy.
b. Click Edit IT policy.
c. On a tab for an IT policy group, change the appropriate values for the IT policy rules.
d. Click Save all.
After you finish: For more information, see the BlackBerry Enterprise Server Policy Reference Guide.
30
Administration Guide
Change the value for an IT policy rule
Change the value for an IT policy rule
1.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Policy.
2.
3.
4.
5.
6.
Click Manage IT policies.
In the IT policy information section, click the IT policy.
Click Edit IT policy.
On a tab for an IT policy group, change the appropriate values for the IT policy rules.
Click Save all.
Assign an IT policy to a group
1.
2.
3.
4.
5.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Group.
Click Manage groups.
In the Manage groups section, click the group that you want to assign an IT policy to.
On the Policies tab, click Edit group.
In the drop-down list, click an IT policy.
6.
Click Save all.
Related topics
Adding a user account to the BlackBerry Enterprise Server Express, 59
Assigning IT policies and resolving IT policy conflicts, 33
Assign an IT policy to a user account
1.
2.
3.
4.
5.
6.
7.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
In the search results, click the display name of the user account.
On the Policies tab, click Edit user.
In the drop-down list, click an IT policy.
Click Save all.
Related topics
Adding a user account to the BlackBerry Enterprise Server Express, 59
Assigning IT policies and resolving IT policy conflicts, 33
31
Administration Guide
Sending an IT policy over the wireless network
Sending an IT policy over the wireless network
If your organization's environment includes C++ based BlackBerry® devices that are running BlackBerry® Device
Software version 2.5 or later or Java® based BlackBerry devices that are running BlackBerry Device Software version
3.6 or later, the BlackBerry® Enterprise Server Express can send changes to IT policies to a BlackBerry device over
the wireless network automatically. When the BlackBerry device receives an updated IT policy or a new IT policy, the
BlackBerry device, BlackBerry® Desktop Software, and BlackBerry® Web Desktop Manager apply the configuration
changes immediately.
By default, the BlackBerry Enterprise Server Express is designed to resend an IT policy to the BlackBerry device within
a short period of time after you update the IT policy using the BlackBerry Administration Service. You can also resend
an IT policy to a specific BlackBerry device manually. You can configure the BlackBerry Enterprise Server Express to
resend the IT policy to the BlackBerry device at scheduled intervals regardless of whether you changed the IT policy.
Related topics
Using IT policy rules to manage BlackBerry Enterprise Solution security, 29
Assigning IT policies and resolving IT policy conflicts, 33
Resend an IT policy to a BlackBerry device manually
1.
2.
3.
4.
5.
6.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
In the search results, click the display name for the user account.
On the Policies tab, click View resolved IT policy data.
Click Resend IT policy to a device.
Resend an IT policy to a BlackBerry device automatically
1.
2.
3.
4.
5.
6.
32
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology.
Expand BlackBerry Domain > Component view.
In the Policy section, click an instance.
Click Edit instance.
In the General section, in the Policy resend interval (hours) field, type an interval that you want the BlackBerry
device to resend the IT policy at.
Click Save All.
Assigning IT policies and resolving IT policy conflicts
Administration Guide
Assigning IT policies and resolving IT policy conflicts
You can assign IT policies directly to a user account or to a group. By default, if you do not assign an IT policy to a
user account or a group that the user is a member of, the BlackBerry® Enterprise Server Express applies the Default
IT policy to the user account. If you assign an IT policy to a group that a user account is a member of, the BlackBerry
Enterprise Server Express applies the group IT policy to the user account. If you assign an IT policy to the user account
directly, the BlackBerry Enterprise Server Express applies this IT policy to the user account instead of the group IT
policy or Default IT policy.
If a user account is a member of multiple groups that have different IT policies, the BlackBerry Enterprise Server
Express must determine which IT policy to apply to the user account. You must use one of the following reconciliation
options:
Method
Apply one IT policy to the user
account
Apply multiple IT policies to the user
account
Description
The BlackBerry Enterprise Server Express applies one of the group IT policies
to the user account. You specify rankings for the available IT policies using
the BlackBerry Administration Service and the BlackBerry Enterprise Server
Express applies the IT policy with the highest ranking.
If you upgrade to BlackBerry Enterprise Server Express 5.0 SP2 or later from
a previous version of the BlackBerry Enterprise Server Express, this is the
default method for resolving IT policy conflicts.
The BlackBerry Enterprise Server Express applies all of the group IT policies
to the user account, resulting in a combined IT policy that has a unique ID.
The BlackBerry Enterprise Server Express resolves conflicting IT policy rules
using the ranking of the available IT policies that you specified using the
BlackBerry Administration Service. If an IT policy rule is different in the
multiple IT policies, the BlackBerry Enterprise Server Express applies the
rule setting from the IT policy that you ranked the highest.
If you install BlackBerry Enterprise Server Express 5.0 SP2 or later, this is the
default method for resolving IT policy conflicts.
Related topics
Option 1: Applying one IT policy to each user account, 33
Option 2: Applying multiple IT policies to each user account, 35
Option 1: Applying one IT policy to each user account
You can configure the BlackBerry® Enterprise Server Express to apply only one IT policy to a user account when a
user account is a member of multiple groups that have different IT policies. In this scenario, the BlackBerry Enterprise
Server Express applies the IT policy that you ranked the highest in the BlackBerry Administration Service.
33
Administration Guide
Assigning IT policies and resolving IT policy conflicts
If you upgrade to BlackBerry Enterprise Server Express 5.0 SP2 or later from a previous version of the BlackBerry
Enterprise Server Express, this is the default method for resolving IT policy conflicts. If you install BlackBerry Enterprise
Server Express 5.0 SP2 or later, the default method for resolving IT policy conflicts is to apply multiple IT policies to
each user account and create a combined IT policy that has a unique ID for the user account.
Reconciliation rules for conflicting IT policies when you apply one IT policy to the user
account
The BlackBerry® Enterprise Server Express can apply only one IT policy to a user account. Since you can assign IT
policies to user accounts, groups, or the BlackBerry Domain, the BlackBerry Administration Service uses predefined
rules to determine which IT policy it can apply to a user account.
The BlackBerry Administration Service might have to reconcile conflicting IT policies if you perform any of the
following actions:
•
•
•
•
add an IT policy to or remove an IT policy from a user account or group
change an IT policy
change the ranking of IT policies
delete an IT policy
Scenario
Rule
You add a new user account to a BlackBerry Enterprise The IT policy that you assigned to the BlackBerry
Server Express. You do not assign an IT policy directly to Domain, or the Default IT policy that is assigned to the
the user account and you do not add the user to a group. BlackBerry Domain, is assigned to the user account.
You assign an IT policy to a user account and a different The IT policy that you assign to a user account takes
IT policy to a group that the user account belongs to.
precedence over an IT policy that you assign to a group.
An IT policy that you assign to a group takes precedence
over the IT policy that you assign to the BlackBerry
Domain (or the Default IT policy).
A user account belongs to multiple groups. You assign The BlackBerry Enterprise Server Express applies the IT
multiple IT policies to the groups but do not assign an IT policy that you ranked the highest in the BlackBerry
policy to the user account.
Administration Service to the user account.
Change the method that the BlackBerry Enterprise Server Express uses to resolve
conflicting IT policies
You can change the method that the BlackBerry® Enterprise Server Express uses to determine what IT policy to apply
to a user account when a user account belongs to multiple groups that have different IT policies. If you change the
method used to resolve conflicting IT policies, the next IT policy reconciliation process that occurs might have a
significant impact on the performance of your organization's BlackBerry Enterprise Server Express environment. It
is a best practice to configure this feature during low usage periods.
1.
2.
34
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry solution
topology > BlackBerry Domain > Component view.
Click BlackBerry Administration Service.
Administration Guide
3.
4.
Assigning IT policies and resolving IT policy conflicts
At the bottom of the page, click Switch method to resolve multiple IT policies.
Click Yes - Switch the method.
Related topics
Option 1: Applying one IT policy to each user account, 33
Option 2: Applying multiple IT policies to each user account, 35
Rank IT policies
You must rank the IT policies that you create so that the BlackBerry® Enterprise Server Express can resolve IT policy
conflicts when a user account is a member of multiple groups that have different IT policies.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.
Click Manage IT policies.
Click Set priority of IT policies.
To move the IT policies higher or lower in the list, click the up arrow icon or down arrow icon.
Click Save.
Option 2: Applying multiple IT policies to each user account
You can configure the BlackBerry® Enterprise Server Express to apply multiple IT policies to a user account when a
user account is a member of multiple groups that have different IT policies. The BlackBerry Enterprise Server Express
creates a combined IT policy for the user account that has a unique ID by applying the policy rules from the multiple
IT policies and resolving any conflicting rule settings. The BlackBerry Enterprise Server Express resolves conflicting
rule settings by applying the rule setting from the IT policy that you ranked the highest in the BlackBerry
Administration Service.
If you install BlackBerry Enterprise Server Express 5.0 SP2 or later, this is the default method for resolving IT policy
conflicts. If you upgrade to BlackBerry Enterprise Server Express 5.0 SP2 or later from a previous version of the
BlackBerry Enterprise Server Express, the default method for resolving IT policy conflicts is to assign one IT policy to
each user account according to the rankings of the IT policies that you specify in the BlackBerry Administration Service.
Reconciliation rules for conflicting IT policies when you apply multiple IT policies to a
user account
The BlackBerry® Enterprise Server Express can apply multiple IT policies to a user account if the user account is a
member of multiple groups that have different IT policies. Since you can assign IT policies to user accounts, groups,
or the BlackBerry Domain, the BlackBerry Administration Service uses predefined rules to apply an IT policy to a user
account.
The BlackBerry Administration Service might have to reconcile conflicting IT policies if you perform any of the
following actions:
•
•
•
•
add an IT policy to or remove an IT policy from a user account or group
change an IT policy
change the ranking of IT policies
delete an IT policy
35
Administration Guide
Assigning IT policies and resolving IT policy conflicts
Scenario
Rule
You add a new user account to a
The IT policy that you assigned to the BlackBerry Domain, or the default IT
BlackBerry Enterprise Server
policy for the BlackBerry Domain, is assigned to the user account.
Express. You do not assign an IT
policy directly to the user account
and you do not add the user account
to a group.
You assign an IT policy to a user
The IT policy that you assign to a user account takes precedence over the
account and different IT policies to IT policies that you assign to the groups that the user belongs to. An IT policy
the groups that the user account
that you assign to a group takes precedence over the IT policy that you
belongs to.
assigned to the BlackBerry Domain (or the Default IT policy).
A user account belongs to multiple If you assign multiple IT policies to the groups that the user account belongs
groups. You assign multiple IT
to, the BlackBerry Enterprise Server Express resolves the IT policy rule
policies to the groups but you do not settings in the multiple IT policies and assigns a combined IT policy that has
assign an IT policy to the user
a unique ID to the user account. The BlackBerry Enterprise Server Express
account.
resolves conflicting settings for IT policy rules by applying the rule setting
from the IT policy that you ranked the highest in the BlackBerry
Administration Service.
A user account belongs to two
groups. You assign the first group IT
policy A, which has the Allow
Browser IT policy rule as blank
(which means that it uses the default
value of Yes). You assign the second
group IT policy B, which has the
Allow Browser IT policy rule set to
No. You ranked IT policy A higher
than IT policy B in the BlackBerry
Administration Service.
36
For example, you configure the Disable Photo Camera IT policy rule to Yes
in IT policy A and to No in IT policy B. If you rank IT policy A higher than IT
policy B, the Yes setting is applied for this rule.
When the BlackBerry Enterprise Server Express resolves conflicting rule
settings, any rule settings that have been explicitly configured to a value
take precedence over IT policy rule settings that are blank (these rules revert
to the default value).
For example, in this scenario, the Allow Browser IT policy rule setting from
IT policy B, No, is applied to the user account even though IT policy A is
ranked higher than IT policy B, because the Allow Browser IT policy rule is
blank in IT policy A. If the Allower Browser IT policy rule was configured to
Yes in IT policy A, the Yes value would be applied to the user account.
Administration Guide
Assigning IT policies and resolving IT policy conflicts
Change the method that the BlackBerry Enterprise Server Express uses to resolve
conflicting IT policies
You can change the method that the BlackBerry® Enterprise Server Express uses to determine what IT policy to apply
to a user account when a user account belongs to multiple groups that have different IT policies. If you change the
method used to resolve conflicting IT policies, the next IT policy reconciliation process that occurs might have a
significant impact on the performance of your organization's BlackBerry Enterprise Server Express environment. It
is a best practice to configure this feature during low usage periods.
1.
2.
3.
4.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry solution
topology > BlackBerry Domain > Component view.
Click BlackBerry Administration Service.
At the bottom of the page, click Switch method to resolve multiple IT policies.
Click Yes - Switch the method.
Related topics
Option 1: Applying one IT policy to each user account, 33
Option 2: Applying multiple IT policies to each user account, 35
Rank IT policies
You must rank the IT policies that you create so that the BlackBerry® Enterprise Server Express can resolve IT policy
conflicts when a user account is a member of multiple groups that have different IT policies.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.
Click Manage IT policies.
Click Set priority of IT policies.
To move the IT policies higher or lower in the list, click the up arrow icon or down arrow icon.
Click Save.
Preview how the BlackBerry Enterprise Server Express resolves IT policy conflicts
You can preview how the BlackBerry® Enterprise Server Express resolves conflicting settings for IT policy rules for
multiple IT policies that you select. You can use this feature to determine which IT policies have conflicting IT policy
rules and how the BlackBerry Enterprise Server Express resolves the conflicting rules. The preview displays the
conflicting IT policy rules and the resolved settings for each rule. If an IT policy rule is not conflicting in the multiple
IT policies that you selected, the preview does not display the policy rule in the results.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.
Click Manage IT policies.
Click Preview resolved IT policies.
Select two or more IT policies.
Click Preview.
37
Administration Guide
Deactivating BlackBerry devices that do not have IT policies applied
View the resolved IT policy rules that are assigned to a user account
If a user account belongs to multiple groups, and you assign a different IT policy to each group, the BlackBerry®
Enterprise Server Express resolves conflicting IT policies or IT policy rule settings using the reconciliation method that
you select in the BlackBerry Administration Service. You can view the results of the IT policy reconciliation and the
settings that the BlackBerry Enterprise Server Express resolves for each rule in the BlackBerry Administration
Service. If an IT policy rule is not conflicting in the multiple IT policies that were applied to the user account, the
preview does not display the IT policy rule.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
In the search results, click the display name for a user account.
On the Policies tab, in the Resolved IT Policy name section, click the name of the IT policy.
Deactivating BlackBerry devices that do not have IT policies
applied
To prevent BlackBerry® devices that do not have IT policies applied to them from remaining active on a BlackBerry®
Enterprise Server Express, you can change the Disable users with unapplied IT policy option to True. The Disable user
time limit (hours) option specifies the amount of time that BlackBerry devices can be active on a BlackBerry Enterprise
Server Express without having an IT policy applied to the BlackBerry devices.
If you change the Disable users with unapplied IT policy option to True, by default, the BlackBerry Enterprise Server
Express sends the IT policy to the BlackBerry devices every 30 minutes until the BlackBerry devices apply the IT policy
or the time limit expires. If the time limit expires, the BlackBerry Enterprise Server Express deactivates the BlackBerry
device PINs. The permitted range for this option is 0 hours to 8760 hours. If you specify 0 hours, BlackBerry devices
deactivate when the IT policy cannot apply automatically.
Deactivate BlackBerry devices that do not have IT policies applied
1.
2.
3.
4.
5.
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry solution
topology > BlackBerry Domain > Component view > Policy.
Click the instance that you want to change.
In the Disable Users with Unapplied IT Policy drop-down list, click True.
In the Disable user time limit (hours) field, type the time (in hours) that can occur before the PINs for BlackBerry
devices that you did not apply an IT policy to are deactivated on the BlackBerry® Enterprise Server Express.
Click Save All.
After you finish: Before you re-activate the BlackBerry devices on the BlackBerry Enterprise Server Express, on the
BlackBerry devices, in the Security Options list, instruct users to click Wipe Handheld or Security Wipe to delete all
of the data on the BlackBerry devices.
38
Administration Guide
Creating new IT policy rules to control third-party applications
Creating new IT policy rules to control third-party
applications
You can create IT policy rules to control the applications that your organization creates for BlackBerry® devices that
are running in your organization's environment. After you create an IT policy rule, you can add it to a new or existing
IT policy and assign a value to it. Only applications that your organization creates can use the IT policy rule that you
create. You cannot create new IT policy rules to control device applications and features.
Create an IT policy rule for a third-party application
1.
2.
3.
4.
5.
6.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Policy.
Click Create an IT policy rule.
Type a name and description for the IT policy rule.
In the Type drop-down list, click the type of value that the IT policy rule uses.
In the Destination drop-down list, choose whether you want the BlackBerry device, the BlackBerry® Desktop
Software, or both to be able to use the IT policy rule.
Click Save.
After you finish: Add the IT policy rule to an IT policy.
Change or delete IT policy rules for third-party applications
1.
2.
3.
4.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Policy.
Click Manage IT policy rules.
Click an IT policy rule.
Perform one of the following actions:
• To change the IT policy rule, click Edit IT policy rule. Change the appropriate values.
• To delete the IT policy rule, click Delete IT policy rule. Verify that you want to delete the IT policy rule.
5.
Click Save.
Delete an IT policy
If you delete an IT policy, the BlackBerry Administration Service identifies the users or groups that use the IT policy
and determines what IT policy to apply to the users or groups instead. For example, if an IT policy is assigned to a
user account and then you delete the IT policy, and the user account is not a member of a group, the BlackBerry
Administration Service starts a job to apply the default IT policy to the user account.
1.
2.
3.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Policy.
Click Manage IT policies.
In the list of IT policies, click an IT policy.
39
Administration Guide
4.
5.
Click Delete IT policy.
Click Yes – Delete the IT policy.
Related topics
Assigning IT policies and resolving IT policy conflicts, 33
40
Delete an IT policy
Administration Guide
Configuring security options
Configuring security options
5
Encrypting data that the BlackBerry Enterprise Server
Express and a BlackBerry device send to each other
To encrypt data that is in transit between the BlackBerry® Enterprise Server Express and a BlackBerry device in your
organization, the BlackBerry® Enterprise Solution uses BlackBerry transport layer encryption. BlackBerry transport
layer encryption is designed to encrypt data from the time that a BlackBerry device user sends a message from the
BlackBerry device to when the BlackBerry Enterprise Server Express receives the message, and from the time that
the BlackBerry Enterprise Server Express sends a message to when the BlackBerry device receives the message.
Before the BlackBerry device sends a message, it compresses and encrypts the message using the device transport
key. When the BlackBerry Enterprise Server Express receives a message from the BlackBerry device, the BlackBerry
Dispatcher decrypts the message using the device transport key, and then decompresses the message.
Algorithms that the BlackBerry Enterprise Solution uses to encrypt data
The BlackBerry® Enterprise Solution uses AES or Triple DES as the symmetric key cryptographic algorithm for
encrypting data. By default, the BlackBerry® Enterprise Server Express uses the strongest algorithm that both the
BlackBerry Enterprise Server Express and the BlackBerry device support for BlackBerry transport layer encryption.
If you configure the BlackBerry Enterprise Server Express to support AES and Triple DES, by default, the BlackBerry
Enterprise Solution generates device transport keys using AES encryption. If a BlackBerry device uses BlackBerry®
Device Software version 3.7 or earlier or BlackBerry® Desktop Software version 3.7 or earlier, the BlackBerry
Enterprise Solution generates the device transport keys of the BlackBerry device using Triple DES.
Change the symmetric key encryption algorithm that the BlackBerry
Enterprise Solution uses
1.
2.
3.
4.
5.
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
In the BlackBerry Enterprise Server section, click the instance that you want to change.
Click Edit instance.
In the Security information section, in the Encryption algorithm drop-down list, click the encryption algorithm
that you want the BlackBerry® Enterprise Solution to use.
Click Save All.
After you finish: Re-activate all of the BlackBerry devices that are located in the BlackBerry Domain so that users can
send and receive email messages on their BlackBerry devices.
Related topics
Assigning BlackBerry devices to user accounts, 65
41
Administration Guide
Managing BlackBerry device access to the BlackBerry Enterprise Server Express
Managing BlackBerry device access to the BlackBerry
Enterprise Server Express
You can use the Enterprise Service Policy to control which BlackBerry® devices can connect to a BlackBerry® Enterprise
Server Express. By default, after you turn on the Enterprise Service Policy, the BlackBerry Enterprise Server Express
permits connections from any BlackBerry device that you previously associated with the BlackBerry Enterprise Server
Express. The BlackBerry Enterprise Server Express also prevents connections from any BlackBerry device that you
associate with the BlackBerry Enterprise Server Express after you turn on the Enterprise Service Policy.
You can configure an allowed list to determine which BlackBerry devices can access a BlackBerry Enterprise Server
Express. A BlackBerry device that meets the criteria that you specify in the allowed list can associate with the
BlackBerry Enterprise Server Express when the BlackBerry device activates over the wireless network.
You can define the following types of criteria:
• specific BlackBerry device PINs
• range of BlackBerry device PINs
• specific manufacturers
• specific BlackBerry device models
The BlackBerry Administration Service includes lists of permitted manufacturers and models of BlackBerry devices
that you associated with the BlackBerry Enterprise Server Express previously.
You can permit a user to override the Enterprise Service Policy so that a BlackBerry device can connect to the
BlackBerry Enterprise Server Express even if you configure the allowed list with criteria that exclude that BlackBerry
device.
Turn on the Enterprise Service Policy
You can turn on the Enterprise Service Policy to control which BlackBerry® devices can connect to the BlackBerry®
Enterprise Server Express.
1.
2.
3.
4.
42
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
Click BlackBerry Enterprise Server.
Click Turn on Enterprise Service Policy.
Click Yes - Turn on enterprise service policy.
Administration Guide
Extending messaging security to a BlackBerry device
Configure the Enterprise Service Policy
By default, when you turn on the Enterprise Service Policy, all BlackBerry® devices that you activated can access the
BlackBerry® Enterprise Server Express. You must configure the Enterprise Service Policy to specify the BlackBerry
devices that you want to access the BlackBerry Enterprise Server Express. To add a new BlackBerry device to the
BlackBerry Enterprise Server Express, you must add the PIN for the BlackBerry device to the Enterprise Service Policy
before a user can activate the BlackBerry device.
Before you begin: Turn on the Enterprise Service Policy.
1.
2.
3.
4.
5.
6.
7.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
Click BlackBerry Enterprise Server.
Click Edit component.
In the Enterprise Service Policy section, in the Allowed drop-down list, click Yes for each BlackBerry device
model that you want to permit to access the BlackBerry Enterprise Server Express.
To add a new BlackBerry device, on the Add New Allowed PINs tab, in the New Allowed PINs field, type the PIN
for the BlackBerry device. Click the Add icon.
To remove a BlackBerry device from the list, on the Removing Existing Allowed Pins tab, in the PINs section,
select the PIN for the BlackBerry device.
Click Save All.
Permit a user to override the Enterprise Service Policy
Before you begin: Turn on the Enterprise Service Policy.
1.
2.
3.
4.
5.
6.
7.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
Click the display name for the user account.
Click Edit user.
On the Component information tab, in the BlackBerry Enterprise Server information section, in the Enterprise
service policy override drop-down list, click True.
Click Save All.
Extending messaging security to a BlackBerry device
If your organization's messaging environment supports highly secure messaging technology such as PGP® encryption
or S/MIME encryption, you can configure the BlackBerry® Enterprise Solution to encrypt a message using PGP
encryption or S/MIME encryption so that the message remains encrypted when the BlackBerry® Enterprise Server
Express forwards the message to the email applications of recipients. To extend messaging security, the sender and
43
Administration Guide
Extending messaging security to a BlackBerry device
recipient must install highly secure messaging technology on the computers that host the email applications and on
their BlackBerry devices, and you must configure the BlackBerry devices to use the highly secure messaging
technology.
Extending messaging security using PGP encryption
You can extend messaging security for the BlackBerry® Enterprise Solution and permit a BlackBerry device user to
send and receive PGP® protected email messages and PGP protected PIN messages on a BlackBerry device. The
BlackBerry Enterprise Solution supports the OpenPGP format and PGP/MIME format on the BlackBerry device.
To extend messaging security, you must instruct the BlackBerry device user to install the PGP® Support Package for
BlackBerry® smartphones on the BlackBerry device and to transfer the PGP private key of the BlackBerry device user
to the BlackBerry device. The BlackBerry device user can use the PGP private key to digitally sign, encrypt, and send
PGP protected messages from the BlackBerry device. If a BlackBerry device user does not install the PGP Support
Package for BlackBerry smartphones, the BlackBerry device displays an error message when the BlackBerry device
user tries to open PGP protected messages.
To require the BlackBerry device user to use PGP encryption when forwarding or replying to messages, you can
configure the PGP Force Digital Signature IT policy rule and the PGP Force Encrypted Messages IT policy rule.
The PGP Support Package for BlackBerry smartphones is designed to support encoding and decoding Unicode
messages and permits PGP encryption using keys or passwords. The PGP Support Package for BlackBerry smartphones
permits the BlackBerry device to encrypt PGP protected email messages or PGP protected PIN messages using a
password that the sender and recipient both know.
For more information about the OpenPGP format, see RFC 2440. For more information about the PGP/MIME format,
see RFC 3156.
Configure the BlackBerry Enterprise Solution to support PGP encryption
1.
2.
3.
Configure the PGP Universal Server Address IT policy rule in the IT policy that you assign to BlackBerry® device
users.
Instruct users to install the PGP® Support Package for BlackBerry® smartphones on BlackBerry devices.
Instruct users to enroll with the PGP® Universal Server when the BlackBerry devices prompt them to so that the
BlackBerry devices can process PGP protected messages.
Extending messaging security using S/MIME encryption
You can extend messaging security for the BlackBerry® Enterprise Solution and permit a BlackBerry device user to
send and receive S/MIME-protected email messages and S/MIME-protected PIN messages on a BlackBerry device.
To extend messaging security, you or the BlackBerry device user must install the S/MIME Support Package for
BlackBerry® smartphones on the BlackBerry device and transfer the S/MIME private key of the BlackBerry device
user to the BlackBerry device. The S/MIME Support Package for BlackBerry smartphones is designed to work with
email applications such as Microsoft® Outlook®, Microsoft Outlook Express, and IBM® Lotus Notes®, and with PKIs
such as Netscape®, Entrust Authority™ Security Manager version 5 and later, and Microsoft certification authorities.
44
Administration Guide
Extending messaging security to a BlackBerry device
The BlackBerry device user uses the S/MIME private key to decrypt S/MIME-protected messages on the BlackBerry
device and to sign, encrypt, and send S/MIME-protected messages from the BlackBerry device. If the BlackBerry®
Enterprise Server Express receives an S/MIME-encrypted message but the BlackBerry device user did not install the
S/MIME Support Package for BlackBerry smartphones, the BlackBerry Enterprise Server Express sends a message to
the BlackBerry device to indicate that the BlackBerry device does not support S/MIME-encrypted messages.
After the BlackBerry device user installs the S/MIME Support Package for BlackBerry smartphones, the BlackBerry
device user can synchronize and manage S/MIME certificates and S/MIME private keys using the certificate
synchronization tool of the BlackBerry® Desktop Manager. The BlackBerry Enterprise Server Express does not apply
an appended disclaimer to S/MIME-protected messages that the BlackBerry device user sends from the BlackBerry
device. Digital signatures on S/MIME-protected messages that the BlackBerry device sends are not valid if disclaimers
are appended to the messages.
To require the BlackBerry device user to use S/MIME encryption when forwarding or replying to messages, you can
configure the S/MIME Force Digital Signature IT policy rule and the S/MIME Force Encrypted Messages IT policy rule.
The S/MIME Support Package for BlackBerry smartphones is also designed to support the following features:
• encoding and decoding of Unicode messages
• ability to use a password, which the sender and recipient each know, to encrypt S/MIME-protected email
messages or PIN messages
• ability to read S/MIME certificates that are stored on a smart card
Configure the BlackBerry Enterprise Solution to support S/MIME encryption
1.
2.
3.
4.
Configure encryption options for S/MIME-protected messages on the BlackBerry® Enterprise Server Express.
If required, configure the BlackBerry MDS Connection Service to retrieve certificates and the status of certificates
from LDAP servers, DSML certificate servers, OCSP servers, or CRL servers.
Instruct users to install the S/MIME Support Package for BlackBerry® smartphones on BlackBerry devices.
Perform one of the following tasks:
• Instruct users to add the Certificate Synchronization Manager to the BlackBerry® Desktop Manager so that
the BlackBerry Desktop Manager can manage certificates for the BlackBerry devices.
• Configure the BlackBerry Enterprise Server Express to permit users to enroll certificates over the wireless
network.
Configure encryption options for S/MIME-protected messages
You can configure encryption options to control how the BlackBerry® Enterprise Server Express processes S/MIMEprotected messages.
1.
2.
3.
4.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
In the Email section, click the instance that you want to change.
Click Edit instance.
On the Messaging tab, in the Security settings section, perform any of the following actions:
45
Administration Guide
Extending messaging security to a BlackBerry device
• To require that the BlackBerry Enterprise Server Express encrypts messages using S/MIME encryption for a
second time when the BlackBerry Enterprise Server Express processes S/MIME-protected messages that an
S/MIME-enabled application weakly encrypted or only signed, in the Turn on S/MIME encryption on signed
and weakly encrypted messages drop-down list, click True.
• To permit BlackBerry device users that have email applications that do not support S/MIME to read the text
of an S/MIME-protected message, in the Send S/MIME messages in clear-signed format drop-down list, click
True.
• To require that the BlackBerry Enterprise Server Express deletes attachment data from any signed-only S/
MIME-protected messages so that the BlackBerry Enterprise Server Express conserves bandwidth, in the
Remove attachment data from signed S/MIME messages drop-down list, click True.
• To require that the BlackBerry Enterprise Server Express sends encrypted S/MIME-protected messages using
an updated MIME content-type that is in accordance with PKCS#7 instead of the default legacy MIME contenttype, in the Use PKCS #7 MIME type drop-down list, click True.
5.
6.
Click Save all.
To make sure that the changes take effect immediately, perform the following actions to restart the BlackBerry
Messaging Agent:
a. On the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain >
Component view > BlackBerry Enterprise Server.
b. Click the BlackBerry Enterprise Server Express instance that includes the BlackBerry Messaging Agent.
c.
Click Restart instance.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Turn off support for processing S/MIME-protected messages on the BlackBerry
Enterprise Server Express
By default, the BlackBerry® Enterprise Server Express can process S/MIME-protected messages. You can turn off
support for processing S/MIME-protected messages if the BlackBerry Enterprise Server Express experiences issues
when it processes S/MIME-protected messages or if your organization does not use S/MIME encryption.
1.
2.
3.
4.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
In the Email section, click the instance that you want to change.
On the Messaging tab, click Edit instance.
In the Security settings section, in the Turn on S/MIME message processing drop-down list, click False.
5.
Click Save All.
Extending messaging security using IBM Lotus Notes encryption
By default, if your organization's environment includes the BlackBerry® Enterprise Server Express for IBM® Lotus®
Domino® 5.0 SP2 or later and IBM® Lotus Notes® API 7.0 or later, a BlackBerry device can decrypt messages that are
encrypted using Lotus Notes encryption.
46
Administration Guide
Extending messaging security to a BlackBerry device
In BlackBerry Enterprise Server Express 5.0 SP2 or later and BlackBerry® Device Software 5.0 or later, a BlackBerry
device user can encrypt messages using Lotus Notes encryption. When the BlackBerry device user creates, forwards,
or replies to a message, the BlackBerry device user can indicate whether the BlackBerry Enterprise Server Express
must encrypt the message before it sends the message to the recipients.
To use Lotus Notes encryption on the BlackBerry device, the BlackBerry device user must import a copy of the Lotus
Notes .id file into the user's message database using the BlackBerry Desktop Software or Lotus® iNotes®. If your
organization's environment includes Lotus Domino 8.5.1 or later and BlackBerry Enterprise Server Express 5.0 SP2
or later, you can configure the BlackBerry Enterprise Server Express to import the Lotus Notes .id file automatically
into the BlackBerry device from the Lotus Notes ID vault.
Configure BlackBerry Enterprise Server Express instances to import Lotus Notes .id
files to BlackBerry devices
If your organization's environment includes IBM® Lotus® Domino® 8.5.1 or later and BlackBerry® Enterprise Server
Express 5.0 SP2 or later, you can configure the BlackBerry Enterprise Server Express to export the IBM® Lotus
Notes® .id file automatically from the Lotus Notes ID vault and send it to the BlackBerry device.
1.
2.
3.
4.
5.
Copy the BlackBerry Enterprise Server Express installation files to the computer that hosts a BlackBerry Enterprise
Server Express instance.
Extract the contents to a folder on the computer.
At the command prompt, navigate to <extracted_folder>\tools.
Perform one of the following actions:
• To configure all BlackBerry Enterprise Server Express instances to import Lotus Notes .id files, type
traittool.exe -global -trait EnableNNEIDFileProvisioning -set true.
• To configure a specific BlackBerry Enterprise Server Express instance to import Lotus Notes .id files for the
user accounts that you assigned to the BlackBerry Enterprise Server Express instance, type traittool.exe server <instance_name> -trait EnableNNEIDFileProvisioning -set true, where <instance_name> is the name
of the BlackBerry Enterprise Server Express instance.
In the Windows® Services, restart the BlackBerry Controller service and BlackBerry Dispatcher service.
After you finish:
• To stop a BlackBerry Enterprise Server Express from importing Lotus Notes .id files, type traittool.exe -server
<instance_name> -trait EnableNNEIDFileProvisioning -set false, where <instance_name> is the name of the
BlackBerry Enterprise Server Express instance.
• To stop all BlackBerry Enterprise Server Express instances from importing the Lotus Notes .id files, type
traittool.exe -global -trait EnableNNEIDFileProvisioning -set false.
Turning off support for IBM Lotus Notes encryption
To turn off support for decrypting IBM® Lotus Notes® encrypted messages and S/MIME-encrypted messages on
BlackBerry® devices, users can detach their Notes .id files from their mail files using the BlackBerry® Desktop Software
or IBM® Lotus® Domino® Web Access software.
For more information about turning off support for decrypting IBM Lotus Notes encrypted messages and S/MIMEencrypted messages, see the online help that is available in the BlackBerry® Desktop Software.
47
Administration Guide
Generating organization-specific encryption keys for PIN-message encryption
Generating organization-specific encryption keys for PINmessage encryption
By default, all BlackBerry® devices store a common PIN encryption key that they use to protect PIN messages. To
limit the number of devices that can decrypt PIN messages that BlackBerry device users in your organization send
from their devices, you can generate a new PIN encryption key that is stored on and known only to devices in your
organization. A device that has a PIN encryption key that is specific to your organization can perform the following
actions:
• can only encrypt PIN messages sent to other devices on your organization's network that use the same PIN
encryption key
• can only decrypt PIN messages that are sent from devices that use the global PIN encryption key or PIN messages
from other devices on your organization's network that use the same PIN encryption key
• cannot decrypt PIN messages sent from devices that use a PIN encryption key from another organization
You should generate a new PIN encryption key if you know that your current organization-specific PIN encryption
key is compromised.
Generate a PIN encryption key
You can generate a PIN encryption key to make the BlackBerry® devices in your organization use a PIN encryption
key that is specific to your organization for PIN messaging.
1.
2.
3.
4.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology.
Click BlackBerry Domain.
Click Update peer-to-peer encryption key.
Click Create new key.
Turn off BlackBerry services that the BlackBerry MDS
Connection Service provides
You can prevent BlackBerry® device users that you associate with a BlackBerry® Enterprise Server Express from
browsing the intranet or Internet or running applications that communicate with application servers and content
servers. You can turn off the BlackBerry services if you want to enhance security, save bandwidth on the wireless
network, or conserve system resources on the computer.
1.
2.
In the BlackBerry Administration Service, expand BlackBerry Solution topology > BlackBerry Domain >
Component view > BlackBerry Enterprise Server.
Click the instance that you want to change.
3.
4.
5.
Click Edit Instance.
In the External services turned on drop-down list, click No.
Click Save All.
48
Administration Guide
6.
Turn off BlackBerry services that the BlackBerry MDS Connection Service provides
Restart the BlackBerry Enterprise Server Express.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
49
Configuring the BlackBerry Enterprise Server Express environment
Administration Guide
Configuring the BlackBerry Enterprise Server
Express environment
6
Best practice: Running the BlackBerry Enterprise Server
Express
Best practice
Do not change the startup type for
the BlackBerry® Enterprise Server
Express services.
Do not change the account
information for BlackBerry
Enterprise Server Express services.
Run the BlackBerry Configuration
Panel as an administrator.
Use Windows® Services to stop and
start the BlackBerry Messaging
Agent.
Description
When you install or upgrade the BlackBerry Enterprise Server Express, the
setup application configures the startup type for the BlackBerry Enterprise
Server Express services to automatic or manual. For example, the setup
application configures the startup type for the BlackBerry Mail Store
Service, BlackBerry Policy Service, and BlackBerry Synchronization Service
to manual.
To avoid errors in the BlackBerry Enterprise Server Express, do not change
the startup type for the BlackBerry Enterprise Server Express services.
When you install or upgrade the BlackBerry Enterprise Server Express, the
setup application configures the account information for the BlackBerry
Enterprise Server Express services.
Do not change the account information for the BlackBerry Enterprise Server
Express unless the BlackBerry Enterprise Server Express documentation
specifies that you can.
Consider the following guidelines if you are running the BlackBerry
Configuration Panel on Windows Server® 2008:
• Log in to the computer with a user account that is in the Administrator
group on the Windows Server.
• Right-click the BlackBerry Configuration Panel icon and click Run as
administrator.
To stop and start the BlackBerry Messaging Agent after you have made
changes to the configuration, stop and start the BlackBerry Controller
service and BlackBerry Dispatcher service in the Windows Services, or stop
and start the BlackBerry Enterprise Server Express using the BlackBerry
Administration Service.
You should not use the IBM® Lotus® Domino® console to stop and start the
BlackBerry Messaging Agent. If you use the IBM Lotus Domino console, the
BlackBerry Messaging Agent libraries might not load properly.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
50
Administration Guide
Configuring the BlackBerry MDS Connection Service to use a proxy server
Configuring the BlackBerry MDS Connection Service to use
a proxy server
You can configure the BlackBerry® MDS Connection Service to use a proxy server to access web addresses on the
Internet and your organization's intranet. You should use a proxy method that is consistent with the proxy method
that other applications and servers in your organization use to access web content.
Proxy servers typically do not permit network traffic between servers that are on the same side of the firewall, so
you can configure the BlackBerry MDS Connection Service to use a .pac file, or to access the Internet directly through
a proxy server. You can also configure multiple proxy servers to manage traffic to specific web addresses, and you
can specify URLs that the BlackBerry Enterprise Server Express components can access without using a proxy server.
Related topics
Configuring multiple BlackBerry Enterprise Server Express instances to use the same BlackBerry MDS Connection Service, 57
Configure the BlackBerry MDS Connection Service to use a .pac file
You can configure the BlackBerry® MDS Connection Service to use a .pac file. The BlackBerry MDS Connection Service
supports only one .pac file.
1.
2.
3.
4.
5.
6.
7.
8.
In the BlackBerry Administration Service, in the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > MDS Connection Service.
Click the instance that you want to change.
Click Edit instance.
On the Proxy mappings tab, in the Universal resource locator field, type the regular expression for the web
address that you want the proxy mapping rule to control.
In the Proxy type drop-down list, perform one of the following actions:
• To detect a .pac file automatically, click AUTO.
• To specify the location of the .pac file, click PAC. In the Proxy string field, type the proxy server name, port
number, and location of the .pac file using the following format: <proxy_server>:<port>/<pac_filepath>/
<pac_filename>.
Click the Add icon for the proxy item. If you add more than one proxy item, use the Up and Down icons to set
the priority of the proxy items.
Click the Add icon for the web address. If you add more than one web address, use the Up and Down icons to
set the priority of the web addresses.
Click Save all.
Configure the BlackBerry MDS Connection Service to use a proxy server
You can configure the BlackBerry® MDS Connection Service to access web servers through a proxy server.
51
Administration Guide
Configuring the BlackBerry MDS Connection Service to use a proxy server
You can specify more than one proxy string in a proxy mapping rule for a web address. If the BlackBerry MDS
Connection Service cannot access the web server using the first proxy string, it tries to access the web server using
the subsequent proxy strings that you specify, until the component accesses the web server.
If the BlackBerry MDS Connection Service is configured to use a proxy server, BlackBerry device users can browse
web sites that use HTTPS if the proxy server supports basic authentication only.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, in the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > MDS Connection Service.
Click the instance that you want to change.
Click Edit instance.
On the Proxy mappings tab, in the Universal resource locator field, type the URL regular expression for the web
address that you want the proxy mapping rule to control.
In the Proxy type drop-down list, perform one of the following actions:
• To configure a proxy server, click PROXY. In the Proxy string field, type the proxy server name and port
number using the following format: <proxy_server>:<port>.
• To exclude the web address from routing through the proxy server, click DIRECT.
6.
Click the Add icon for the proxy item. If you add more than one proxy item, use the Up and Down icons to set
the priority for the proxy items.
7.
Click the Add icon for the web address. If you add more than one web address, use the Up and Down icons to
set the priority for the web addresses.
Click Save all.
8.
Configure the BlackBerry MDS Connection Service to authenticate to a
proxy server on behalf of BlackBerry devices
You can configure the BlackBerry® MDS Connection Service to authenticate to a proxy server on behalf of BlackBerry
devices.
Before you begin: If you want to configure the BlackBerry MDS Connection Service to authenticate to a proxy server
on behalf of BlackBerry devices, turn on authentication support for the BlackBerry MDS Connection Service.
1.
6.
In the BlackBerry Administration Service, in the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > MDS Connection Service.
Click the instance that you want to change.
Click Edit instance.
On the Proxy mappings tab, click the Edit button for a web address.
In the Credentials section, in the User name field, type the user name that the BlackBerry MDS Connection
Service can use to connect to the proxy server that is defined for the web address.
In the Password and Confirm password fields, type the password for the user name.
7.
8.
Click the Add icon.
Click Save all.
2.
3.
4.
5.
52
Administration Guide
Configuring the BlackBerry Administration Service to use a proxy server
Related topics
Configure how BlackBerry devices authenticate to content servers, 114
Configuring the BlackBerry Administration Service to use a
proxy server
If you want to allow the BlackBerry® Administration Service to automatically download device.xml files, vendor.xml
files, and information about BlackBerry® Device Software bundles from the BlackBerry® Infrastructure, and your
organization uses a proxy server, you must configure the BlackBerry Administration Service to select and authenticate
(if necessary) with the proxy server.
Configuring proxy selection for the BlackBerry Administration Service
You can configure the BlackBerry® Administration Service to select a proxy server either manually or automatically.
To manually select a proxy server, you can use one of the following tools:
• Proxy Configuration Tool (proxycfg.exe) with Windows Server® 2003 or earlier
• Network Shell Utility (netsh.exe) with Windows Server 2008
• Windows® Internet Explorer®
To automatically select a proxy server, you can use one of the following methods:
• enable the Web Proxy Autodiscovery Protocol using the BlackBerry Enterprise Trait Tool
• specify a URL for a PAC file using Windows Internet Explorer
Configuring manual proxy selection for a BlackBerry Administration Service instance
Depending on the operating system on the computer that hosts the BlackBerry® Administration Service instance,
you can use the Proxy Configuration Tool or the Network Shell Utility to manually select a proxy server for a BlackBerry
Administration Service instance. You must configure manual proxy selection for all of the computers that host a
BlackBerry Administration Service instance. Both the Proxy Configuration Tool and the Network Shell Utility store
the proxy server settings in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\Connections\WinHttpSettings registry key. You must run both tools as an administrator.
The Proxy Configuration Tool works with Windows Server® 2003 or earlier, and it is located in one of the following
locations:
• For 32-bit Windows® operating systems, the Proxy Configuration Tool is located at c:\Windows\system32\.
• For 64-bit Windows operating systems, the Proxy Configuration Tool is located at c:\Windows\sysWow64\.
For more information about the Proxy Configuration Tool, visit www.msdn.microsoft.com and search for
proxycfg.exe.
The Network Shell Utility works with Windows Server 2008. For more information about the Network Shell Utility,
visit technet.microsoft.com and search for Netsh.exe.
53
Administration Guide
Configuring the BlackBerry Administration Service to use a proxy server
Configure manual proxy selection for the Windows account that runs the BlackBerry
Administration Service
Perform this task on all of the computers that host a BlackBerry® Administration Service instance.
1.
2.
3.
On the computer that hosts the BlackBerry Administration Service, log in using the Windows® account that runs
the BlackBerry Administration Service.
Open Windows® Internet Explorer®.
Click Tools > Internet Options.
4.
5.
6.
7.
8.
9.
On the Connections tab, click LAN settings.
Select Use a proxy server for your LAN.
In the Address field, type the address for the proxy server.
In the Port field, type the port number for the proxy server.
Click OK.
Click OK.
Windows Internet Explorer stores the settings for the proxy server in the HKEY_CURRENT_USER\Software\Microsoft
\Windows\CurrentVersion\Internet Settings registry key.
Configure the BlackBerry Administration Service to use the Web Proxy Autodiscovery
Protocol to select a proxy server automatically
If you want to configure the BlackBerry® Administration Service to use the Web Proxy Autodiscovery Protocol to
select a proxy server automatically, you must use the BlackBerry® Enterprise Trait Tool. The Web Proxy Autodiscovery
Protocol uses DHCP and DNS to find a PAC file. Perform this task on any computer that hosts a BlackBerry
Administration Service instance.
CAUTION: If the proxy server authenticates using HTTP basic authentication, the Web Proxy Autodiscovery Protocol
file must be on a computer that is separate from the proxy server and uses Windows® authentication or anonymous
authentication.
1.
2.
On the computer that hosts the BlackBerry Administration Service, at the command prompt, navigate to the
folder that contains the TraitTool.exe file.
To turn on Web Proxy Autodiscovery Protocol, type traittool -global -trait BASIsProxyWPADOptionEnabled set 1.
Turn off Web Proxy Autodiscovery Protocol
Perform this task on any computer that hosts a BlackBerry Administration Service instance.
1.
2.
54
On the computer that hosts the BlackBerry Administration Service, at the command prompt, navigate to the
folder that contains the TraitTool.exe file.
To turn off Web Proxy Autodiscovery Protocol, type traittool -global -trait BASIsProxyWPADOptionEnabled erase.
Administration Guide
Configuring the BlackBerry Administration Service to use a proxy server
Configure the BlackBerry Administration Service to use a PAC file to select a proxy
server automatically
Perform this task on all of the computers that host a BlackBerry® Administration Service instance.
CAUTION: If the proxy server authenticates using HTTP basic authentication, the PAC file must be on a computer
that is separate from the proxy server and uses Windows® authentication or anonymous authentication.
Before you begin:
Obtain the URL for the PAC file.
1.
2.
3.
4.
5.
6.
7.
8.
On the computer that hosts the BlackBerry Administration Service instance, log in using the Windows® account
that runs the BlackBerry Administration Service.
Open Windows® Internet Explorer®.
Click Tools > Internet Options.
On the Connections tab, click LAN settings.
Select Use automatic configuration script.
In the Address field, type the URL for the PAC file.
Click OK.
Click OK.
Configuring the BlackBerry Administration Service to authenticate with a
proxy server
If your organization's proxy server requires authentication, you must configure the BlackBerry® Administration
Service to authenticate with the proxy server.
If the proxy server uses Windows® authentication, you must configure the proxy server to authenticate the Windows
account that runs the BlackBerry Administration Service.
If your proxy server uses HTTP basic authentication, you can configure the user name and password for HTTP basic
authentication using the BlackBerry Enterprise Trait Tool. You can specify the credentials for either the entire
BlackBerry Domain or for individual BlackBerry Administration Service instances. The BlackBerry Administration
Service tries the credentials that you specify for the BlackBerry Administration Service instance first and then tries
the credentials that you specify for the BlackBerry Domain.
Configure the BlackBerry Administration Service to use HTTP basic authentication
You use the BlackBerry® Enterprise Trait Tool to configure the BlackBerry Administration Service to use HTTP basic
authentication to authenticate with a proxy server. HTTP basic authentication requires a user name and password
for authentication.
1.
2.
On the computer that hosts the BlackBerry Administration Service, at the command prompt, navigate to the
folder that contains the TraitTool.exe file.
Perform one of the following tasks:
55
Administration Guide
Configuring the BlackBerry Administration Service to use a proxy server
Task
Steps
Specify the credentials for HTTP basic authentication a.
that your organization's BlackBerry Domain uses.
b.
Specify the credentials for HTTP basic authentication a.
that a specific BlackBerry Administration Service
instance uses.
b.
Type traittool -global -trait BASProxyBasicAuthUID set <user_name>, where <user_name> is the user
name (for example, [email protected] or
blackberry.com\user01).
Type traittool -global -trait
BASProxyBasicAuthPassword -set <password>, where
<password> is the password.
Type traittool -BASServer <name> -trait
BASProxyBasicAuthUID -set <user_name>, where
<name> is the host name of the computer that hosts
the BlackBerry Administration Service instance and
<user_name> is the user name (for example,
[email protected] or blackberry.com\user01)
for that computer.
Type traittool -BASServer <name> -trait
BASProxyBasicAuthPassword -set <password>, where
<name> is the host name of the computer that hosts
the BlackBerry Administration Service instance and
<password> is the password for the computer.
Delete credentials for HTTP basic authentication
1.
2.
On the computer that hosts the BlackBerry® Administration Service, at the command prompt, navigate to the
folder that contains the TraitTool.exe file.
Perform one of the following tasks:
Task
Steps
Delete the user name and password that all of the
BlackBerry Administration Service instances in your
organization's BlackBerry Domain use for HTTP basic
authentication.
a.
b.
Delete the user name and password for the computer a.
that a single BlackBerry Administration Service
instance in your organization's BlackBerry Domain
b.
uses for HTTP basic authentication.
56
Type traittool -global -trait BASProxyBasicAuthUID erase.
Type traittool -global -trait
BASProxyBasicAuthPassword -erase.
Type traittool -BASServer <name> -trait
BASProxyBasicAuthUID -erase.
Type traittool -BASServer <name> -trait
BASProxyBasicAuthPassword -erase.
Administration Guide
Configuring multiple BlackBerry Enterprise Server Express instances to use the same BlackBerry MDS
Connection Service
Configuring multiple BlackBerry Enterprise Server Express
instances to use the same BlackBerry MDS Connection
Service
To help make a BlackBerry® Domain more scalable, you can configure multiple BlackBerry® Enterprise Server Express
instances to use the same BlackBerry MDS Connection Service. If a BlackBerry Domain contains one BlackBerry
Enterprise Server Express, all of the BlackBerry Enterprise Server Express components are associated with that
BlackBerry Enterprise Server Express automatically.
Configure multiple BlackBerry Enterprise Server Express instances to use
the same BlackBerry MDS Connection Service
You can configure multiple BlackBerry® Enterprise Server Express instances to use the same central push server to
transfer application data to and from BlackBerry devices and to manage HTTP requests from the BlackBerry® Browser.
Before you begin: Specify a BlackBerry MDS Connection Service as a central push server.
1.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > MDS Conection Service.
2.
3.
4.
Click the instance that you want to change.
Click Edit instance.
On the Supported Dispatcher instances tab, in the Available Dispatcher instances list, click the BlackBerry
Enterprise Server Express instance that you want to use the BlackBerry MDS Connection Service.
Click Add.
Repeat steps 4 and 5 for each BlackBerry Enterprise Server Express instance that you want to have use the
BlackBerry MDS Connection Service.
Click Save all.
5.
6.
7.
Related topics
Specifying a BlackBerry MDS Connection Service as a central push server, 113
57
Administration Guide
Configuring user accounts
Configuring user accounts
7
Creating user groups
You can create user groups and assign user accounts to user groups based on custom criteria, such as user location,
organizational group, or BlackBerry® device model. User accounts that are part of a user group can exist on multiple
BlackBerry® Enterprise Server Express instances in the BlackBerry Domain.
Create a group to manage similar user accounts
You can reduce the time that you spend managing user accounts by adding similar user accounts to a group, and
assigning shared properties, such as software configurations or IT policies, to the group. Properties that you assign
to a group are assigned to all user accounts in the group.
1.
2.
3.
4.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Group.
Click Create a group.
In the Group information section, type a name and description for the group.
Click Save.
After you finish:
• Add properties to the group.
• Add user accounts to the group.
Related topics
Change the properties of a group, 194
Add user accounts to a group, 58
Add user accounts to a group
You can add user accounts to a group to assign the properties of the group to user accounts automatically.
1.
2.
3.
4.
5.
6.
7.
8.
58
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for the user accounts.
Select the user accounts.
In the Add to user configuration list, click Add group.
In the Available groups list, click the group that you want to add the user accounts to.
Click Add.
Click Save.
Administration Guide
Adding a user account to the BlackBerry Enterprise Server Express
Adding a user account to the BlackBerry Enterprise Server
Express
When you add a user account to the BlackBerry® Enterprise Server Express, your organization's messaging
environment must meet the following requirements to support user accounts that exist in different geographical
locations in your organization's messaging environment:
User account location
Messaging environment requirements
The user account is located on the IBM® Lotus® Domino® The IBM Lotus Domino server must contain a replica of
server.
the primary IBM Lotus Domino Directory.
The user account is located on an IBM Lotus Domino
The primary IBM Lotus Domino Directory must establish
administration server in a that is outside of the IBM
cross-certification to access the foreign directory server.
Lotus Domino domain.
You must configure the BlackBerry Enterprise Server
Express to access the primary IBM Lotus Domino
Directory using the ACL.
The IBM Lotus Domino administration server must be a
directory server.
If you use a central directory server in an IBM Lotus Domino R6 environment, the server that you add the user account
from require a replica of the primary IBM Lotus Domino Directory.
Related topics
Assigning BlackBerry devices to users, 64
Add a user account
You can add a user account to the BlackBerry® Enterprise Server Express, assign a BlackBerry device to a user account
and activate the BlackBerry device. The user account must exist on your organization's messaging server.
Before you begin: If required, create a group of user accounts so that you can manage user accounts that are similar.
Before you activate a device on the BlackBerry® Enterprise Server Express, you can visit the BlackBerry Expert Support
Center to use online tools to determine whether the device is associated with the BlackBerry® Internet Service. If
you want to activate devices that are associated with the BlackBerry Internet Service over the wireless network, visit
www.blackberry.com/go/serverdocs to see the Activating Devices That are Associated With the BlackBerry Internet
Service Over the Wireless Network Technical Note.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Create a user.
Search for a user account.
Select the check box beside the display name for the user account.
Click Continue.
59
Adding a user account to the BlackBerry Enterprise Server Express
Administration Guide
6.
7.
8.
9.
If your organization's environment includes multiple BlackBerry Enterprise Server Express instances, select the
BlackBerry Enterprise Server Express that you want to add the user account to.
If groups exist in the Available groups list, click at least one group that you want to add the user account to.
Click Add.
To select an activation option, perform one of the following actions:
Option
Specify an activation password
for the user account.
Generate an activation
password for the user account
automatically.
Activate the user account
without using an activation
password.
Step
a.
Click Create a user with activation password.
b.
In the Set activation password, section, type and confirm an activation
password. The password must not contain special characters. Some
BlackBerry devices do not support special characters and do not
unlock when a user types a password that contains special characters.
c.
In the Password expiration (hours) field, type the amount of time, in
hours, that you want to elapse before the activation password expires.
d. Click Create user.
Click Create a user with generated activation password.
Click Create a user without activation password.
Related topics
Assigning BlackBerry devices to users, 64
Managing user accounts, 195
Create a user account that is not in the contact list in the BlackBerry
Configuration Database
You can create a user account for a user even if the BlackBerry® Mail Store Service did not yet synchronize the contact
information for the user account to the BlackBerry Configuration Database. If the BlackBerry Mail Store Service did
not synchronize the contact information and you create a user account, the BlackBerry Administration Service does
not display the user account in the search results.
1.
2.
3.
4.
5.
6.
7.
60
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Create user.
Search for a user account.
Click Add user from company directory.
In the Email address field, type the email address, in SMTP format, of the user account that you want to add.
Click Find user in company directory.
Click Save user to available user list and Create BlackBerry Enabled User.
Administration Guide
Adding a user account to the BlackBerry Enterprise Server Express
8.
If you installed multiple BlackBerry® Enterprise Server Express instances, select the BlackBerry Enterprise Server
Express that you want to add the user account to.
9. Click Continue.
10. Type and confirm an activation password. The password must not contain special characters. Specific BlackBerry
devices do not support special characters and do not unlock when a user types a password that contains special
characters.
11. In the Password expiration field, type the amount of time, in hours, that can elapse before the activation
password expires.
12. Click Create user.
Export a list of user accounts
You can export a list of user accounts from a BlackBerry® Enterprise Server Express to a .csv file. The .csv file contains
information about the user accounts, such as the user ID, display name, PIN and email address. You can import the
list of user accounts to another BlackBerry Enterprise Server Express.
1.
2.
3.
4.
5.
6.
7.
8.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for one or more user accounts.
Click Manage multiple users.
Select the appropriate user accounts.
In the Export users list, click Export user.
Click Download file.
Save the .csv file.
Importing a list of user accounts to a BlackBerry Enterprise Server Express
You can add multiple user accounts to a BlackBerry® Enterprise Server Express by importing a .csv file that contains
a list of user accounts and the required information to activate the user accounts on a BlackBerry Enterprise Server
Express.
The .csv file can include the following information:
•
•
•
user accounts that you want to create
names of the groups you want to add the user accounts to
activation passwords and expiry times that you want to assign to the user accounts
The BlackBerry Administration Service processes actions in the order that they appear in the .csv file. If the BlackBerry
Administration Service encounters an error that is specific to an action during the import process (for example, an
action is incorrectly formatted in the .csv file), the BlackBerry Administration Service continues to process the
remaining actions that are listed in the file and displays an error message for the action that the BlackBerry
Administration Service could not process.
The import process can take a long time (more than 30 minutes) to complete if you add more than 2000 user accounts.
61
Administration Guide
Adding a user account to the BlackBerry Enterprise Server Express
Fields in a .csv file that contain user account information
The BlackBerry® Administration Service uses a .csv file to add user account information to the BlackBerry® Enterprise
Server Express. The following table lists the fields in the .csv file that might be populated when you import user
account information.
Field
Email Address
SRP ID
Group Names
Activation Password Operation
Description
The field specifies the email address for the user account.
This field specifies the SRP ID for the BlackBerry Enterprise Server Express
that you want to add the user account to.
This field specifies the names of groups that you want to add the user
account to.
This field specifies whether an activation password is required to activate
the user account and whether that password will be specified by the
administrator or the BlackBerry Administration Service. The activation
password value specified in this field can either be "specify", "none", or
"generate" in lower case only. The activation password operation must be
the same on each line in the .csv file.
If the field is set to "specify", the activation password and the expiry time
(in hours) are optional fields in the .csv file. If the activation password and
the expiry time values are not included in the .csv file, you will be prompted
to specify these values the after uploading the .csv file. If you specify the
activation password and the expiry time for the user accounts, the values
must be provided on every line of the csv file.
If the field is set to "generate", the password is automatically generated by
the BlackBerry Administration Service and the final two fields of each .csv
line must be empty. The activation password will expire if the user does not
activate the BlackBerry device on the BlackBerry Enterprise Server Express
before the password timeout elapses. The default value is 48 hours.
If the field is set to "none", the user account will be created without an
activation password and the final two fields of each .csv line must be empty.
Activation Password
Activation Password Expiry
To activate a BlackBerry device on the BlackBerry Enterprise Server Express
over the wireless network, an activation password is required.
This field specifies the activation password for the user account if an
activation password is required.
This field specifies the amount of time, in hours, that can elapse before the
activation password expires if an activation password is required.
The activation password will expire if the user does not activate the
BlackBerry device on the BlackBerry Enterprise Server Express before a
default value of 48 hours elapses.
62
Administration Guide
Adding a user account to the BlackBerry Enterprise Server Express
Example: Importing user accounts to a BlackBerry Enterprise Server
"Email Address","SRP ID","Group Names","Activation Password Operation","Activation
Password","Activation Password Expiry"
"[email protected]","WBARICHAK0033","Admins","specify", "asdf","24"
"[email protected]","JBUAC0011,"Admins","specify", "asdf","24"
Import multiple user accounts from a .csv file
You can import a list of user accounts from a .csv file to a BlackBerry® Enterprise Server Express so that you can
manage the user accounts.
Before you begin: Create a .csv file.
1.
2.
3.
4.
5.
6.
7.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Click Manage multiple users from an import list.
In the Manage multiple users from an import list section, click Browse.
Navigate to the .csv file that contains the user accounts that you want to import.
Click Next.
Perform the appropriate actions for the user accounts.
Create multiple user accounts by importing the user accounts from a .csv file
You can import a list of user accounts from a .csv file and add them to a BlackBerry® Enterprise Server Express. The
user accounts must exist on your organizations messaging server.
Before you begin: Create the .csv file.
1.
2.
3.
4.
5.
6.
7.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Create a user.
Click Import new users.
In the Import users from a list section, click Browse.
Navigate to the .csv file that contains the user accounts that you want to import.
Click Continue.
Perform the appropriate actions for the user accounts.
63
Administration Guide
Assigning BlackBerry devices to users
Assigning BlackBerry devices to users
8
Preparing to distribute a BlackBerry device
Before you distribute a BlackBerry® device to a user, you can configure the BlackBerry® Enterprise Server Express to
synchronize email messages that the user previously sent and received on a supported BlackBerry device. You can
synchronize messages for a new user or for a user whose PIN changed when they received a replacement BlackBerry
device.
When the BlackBerry Enterprise Server Express synchronizes messages onto a BlackBerry device, it applies the
message filter rules and redirection settings that are specific to the user account.
Change how the BlackBerry Enterprise Server Express downloads a user's
existing email messages onto the BlackBerry device
By default, the BlackBerry® Enterprise Server Express synchronizes the headers of 200 email messages from the
previous 5 days to a BlackBerry device when you activate it. If you change the BlackBerry Enterprise Server Express
settings so that it synchronizes the headers and body of messages to a BlackBerry device when you activate it, the
BlackBerry Enterprise Server Express can synchronize up to 3000 messages from the previous 30 days.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Email.
Click the instance that you want to change.
Click Edit host instance.
On the Messaging tab, in the Message prepopulation settings section, perform the following actions:
• To specify the number of previous days that you want to synchronize messages from, in the Prepopulation
By Message Age field, type a number.
• To specify the maximum number of messages that you want to synchronize, in the Prepopulation By Message
Count field, type a number.
Click Save all.
Prevent the BlackBerry Enterprise Server Express from synchronizing
existing email messages onto a BlackBerry device
1.
2.
3.
4.
64
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Email.
Click the instance that you want to change.
Click Edit instance.
On the Messaging tab, in the Message prepopulation settings section, perform the following actions:
• In the Prepopulation by message age field, type 0.
• In the Prepopulation by message count field, type 0.
Administration Guide
5.
Identify whether a BlackBerry device is associated with the BlackBerry Internet Service
Click Save all.
Identify whether a BlackBerry device is associated with the
BlackBerry Internet Service
Before you activate a BlackBerry® device on the BlackBerry® Enterprise Server Express, you can visit the BlackBerry
Expert Support Center to use online tools to determine whether the device is associated with the BlackBerry® Internet
Service.
For more information about activating devices that are associated with the BlackBerry Internet Service over the
wireless network, visit www.blackberry.com/go/serverdocs to see the Activating Devices That are Associated With
the BlackBerry Internet Service Over the Wireless Network Technical Note.
Assigning BlackBerry devices to user accounts
The BlackBerry® Enterprise Server Express supports BlackBerry devices that are associated with a BlackBerry®
Enterprise Server and devices that are associated with the BlackBerry® Internet Service. To assign devices to user
accounts and activate the devices, you can use any of the following methods:
Method
BlackBerry Administration Service
over the wireless network
over the LAN
BlackBerry® Web Desktop Manager
over your organization's Wi-Fi®
network
Description
You can activate a device before you give it to a user by connecting the
device to a computer and logging in to the BlackBerry Administration
Service.
A new device user or a user that is receiving a replacement device can
activate the device without requiring a physical connection to your
organization's network.
For more information about activating devices that are associated with
the BlackBerry Internet Service over the wireless network, visit
www.blackberry.com/go/serverdocs to see the Activating Devices That
are Associated With the BlackBerry Internet Service Over the Wireless
Network Technical Note.
A new device user or a user that is receiving a replacement device can
activate the device by connecting it to a computer and using the
BlackBerry® Desktop Software.
A new device user or a user that is receiving a replacement device can
activate the device by connecting it to a computer and using the
BlackBerry Web Desktop Manager.
You can activate a Wi-Fi enabled BlackBerry device over your
organization's Wi-Fi network.
65
Assigning BlackBerry devices to user accounts
Administration Guide
Method
Description
For more information about activating devices that are associated with
the BlackBerry Internet Service over the wireless network, visit
www.blackberry.com/go/serverdocs to see the Activating Devices That
are Associated With the BlackBerry Internet Service Over the Wireless
Network Technical Note.
If you add a user account that was previously located on another BlackBerry® Enterprise Server Express in a different
BlackBerry Domain, to assign a BlackBerry device to the user account, you must connect the device to the computer
that hosts the BlackBerry Administration Service.
Related topics
Managing BlackBerry Java Applications and BlackBerry Device Software, 74
Option 1: Activate a BlackBerry device using the BlackBerry Administration
Service
Before you begin: If necessary, prepare a BlackBerry® device so that you can redistribute it to a user.
1.
2.
3.
4.
5.
6.
7.
8.
Connect the BlackBerry device to a computer that can access the BlackBerry Administration Service.
On the Devices menu, expand Attached devices.
Click Manage current device.
Click Assign current device.
Search for a user account.
In the search results, click the display name for a user account.
Click Associate user.
Click Assign current device.
When I connect a device to my computer I cannot see the device in the Attached
devices section of the BlackBerry Administration Service
Possible cause
Your browser might not support
device management in the
BlackBerry® Administration Service
when a BlackBerry device is
connected to the computer with a
USB cable.
66
Possible solution
Verify that the BlackBerry Administration Service supports the browser that
you are using. For more information, visit www.blackberry.com/go/
serverdocs to see the BlackBerry Enterprise Server Express Installation
Guide.
Administration Guide
Assigning BlackBerry devices to user accounts
Possible cause
Possible solution
The computer that you are currently If the computer that you are using does not have the required web
using to access the BlackBerry
components installed, the BlackBerry Administration Service prompts you
Administration Service might not
to install the web components (RIMWebComponents.cab) when you log in.
have the required web components Try logging in to the BlackBerry Administration Service again and choose to
for the BlackBerry Administration
install the web components when you are prompted to.
Service.
Option 2: Activating a BlackBerry device over the wireless network
To activate a BlackBerry® device over the wireless network, you assign an activation password to a user account. The
user receives the activation password in an email message and types the password on the device to start the activation
process.
For more information about activating devices that are associated with the BlackBerry Internet Service over the
wireless network, visit www.blackberry.com/go/serverdocs to see the Activating Devices That are Associated With
the BlackBerry Internet Service Over the Wireless Network Technical Note.
Save bandwidth by synchronizing organizer data over the LAN
When users activate BlackBerry® devices over the wireless network, by default, the BlackBerry® Enterprise Server
Express synchronizes the initial download of organizer data over the wireless network. To save bandwidth, you can
configure an IT policy to synchronize the initial download of organizer data through the BlackBerry Router and over
your organization's LAN when users connect their BlackBerry devices to a computer that hosts the BlackBerry® Device
Manager.
1.
2.
3.
4.
5.
6.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.
Click Manage IT policies.
Click Default.
Click Edit IT policy.
On the PIM Synchronization policy group tab, in the Disable Wireless Bulk Loads rule, in the drop-down list,
click Yes.
Click Save all.
Wireless activation
The wireless activation process activates BlackBerry® devices on the BlackBerry® Enterprise Server Express over the
wireless network. Neither you nor the users are required to connect the BlackBerry devices to a computer to complete
the activation process.
You can use wireless activation process to activate a large number of BlackBerry devices over the wireless network.
When users want to activate BlackBerry devices on the BlackBerry Enterprise Server Express over the wireless
network, they must notify you. You can use the BlackBerry Administration Service to configure activation passwords
and distribute the passwords to the users.
67
Assigning BlackBerry devices to user accounts
Administration Guide
The BlackBerry® Enterprise Solution can begin the wireless activation process automatically or when users open the
activation application on the BlackBerry devices and type an activation password and email address. When the
activation process completes, users can send email messages from and receive email messages on their BlackBerry
devices.
When you initiate the wireless activation process, the BlackBerry Enterprise Server Express sends an email message
with an etp.dat attachment from the blackberry.net domain to the user's email application. To make sure that the
message is not blocked or modified, add the blackberry.net domain to the allowed list in the anti-virus and anti-spam
software applications used by the messaging server or gateway.
Activation passwords
The BlackBerry® Enterprise Server Express activates a BlackBerry device over the wireless network using the wireless
activation authentication protocol and an activation password that is specific to the user account associated with
the BlackBerry device.
Item
length of the activation password
Description
Typical activation passwords are four to eight characters long. Activation
passwords are limited to the following character lengths:
•
•
•
character support
security
BlackBerry device: 31 characters
BlackBerry Administration Service : 20 characters
KeyGenPassword field that stores the password in the BlackBerry
Configuration Database: 50 characters
Activation passwords can include any type of character
Wireless activation is designed so that short activation passwords do not
compromise the security of the protocol.
You must distribute the activation password to the authenticated user
securely. If the user receives the activation password, but does not activate
the BlackBerry device on the BlackBerry Enterprise Server Express, a
potentially malicious user who can access the activation password can
connect another BlackBerry device to the BlackBerry Enterprise Server
Express and assume the identity of the intended user.
When a user activates a BlackBerry device on the BlackBerry Enterprise
Server Express, the activation password becomes inactive and a potentially
malicious user cannot reuse it to activate another BlackBerry device.
expiry time
68
If a user receives an activation password, you cannot generate a new
activation password for the user until the activation password expires. An
activation password expires after 48 hours by default. You can configure an
activation to password expire earlier than the default value of 48 hours.
An activation password is no longer valid if any of the following events occur:
Assigning BlackBerry devices to user accounts
Administration Guide
Item
Description
•
•
•
the user does not activate the BlackBerry device on the BlackBerry
Enterprise Server Express before the default value of 48 hours elapses
the user types the activation password incorrectly five consecutive
times
the BlackBerry Enterprise Server Express activates a BlackBerry device
using the activation password
Customize the activation password
You can customize the type of activation password and the number of characters the password can contain that you
send to BlackBerry® devices in a BlackBerry Domain. You can also change the length of time that the activation
password exists before it expires.
1.
2.
3.
In the BlackBerry Administration Service, on the Devices menu, expand Wireless activations.
Click Device activation settings.
In the Password settings section, perform the following actions:
• To change the activation password length, in the Auto-generated password length field, type a character
length.
• To change the activation password type, in the Auto-generated password type drop-down list, click a
password type.
• To change the length of time that the activation password exists before it expires, in the Auto-generated
password lifespan (hours) field, type the number of hours.
4.
Click Save all.
Customize the activation message
To provide information to help troubleshoot activation issues that a user might encounter or to make sure that the
activation message that users receive on their computers conforms to your organization's messaging policies, you
can customize the default activation message.
1.
2.
3.
4.
In the BlackBerry® Administration Service, on the Devices menu, expand Wireless activations.
Click Device activation settings.
Click Edit activation settings.
In the Email initialization message section, perform the following actions:
• In the Sender address field, type the email address for the administrator account.
• In the Custom activation message field, type the subject, and message.
5.
Click Save all.
Send an activation password to a user
1.
2.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
69
Administration Guide
3.
4.
5.
6.
7.
8.
Assigning BlackBerry devices to user accounts
Search for a user account.
In the search results, click the display name for the user account.
In the Device activation list, click Specify activation password.
In the Activation password and Confirm password fields, type an activation password. The password must not
contain special characters. Some BlackBerry devices do not support special characters and do not unlock when
a user types a password that contains special characters.
In the Password expiration (hours) field, type the amount of time that can elapse before the activation password
expires.
Click Specify activation password.
Send an activation password to multiple users
1.
2.
3.
4.
5.
6.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for one or more user accounts.
Click Manage multiple users.
Select the appropriate user accounts.
In the Device activation list, click Specify activation password.
7.
In the Activation password and Confirm password fields, type an activation password. The password must not
contain special characters. Some BlackBerry devices do not support special characters and do not unlock when
a user types a password that contains special characters.
In the Password expiration (hours) field, type the amount of time, in hours, that can elapse before the activation
password expires.
Click Specify activation password.
8.
9.
Option 3: Activating BlackBerry devices over the LAN
Users can activate BlackBerry® devices by connecting the BlackBerry devices to computers that the BlackBerry®
Desktop Manager is associated with. The BlackBerry Desktop Manager must be configured with the user's work email
account. During the activation process, the BlackBerry Desktop Manager prompts the user to associate the BlackBerry
device with their work email account and generates encryption keys.
When users complete the activation process, the BlackBerry® Enterprise Server Express sends email messages and
organizer data to the BlackBerry devices through the BlackBerry Router. If a connection to the BlackBerry Router is
interrupted, the data transfer continues over the wireless network.
70
Administration Guide
Assigning BlackBerry devices to user accounts
Option 4: Activating BlackBerry devices using the BlackBerry Web Desktop
Manager
Users can activate their BlackBerry® devices by connecting them to computers using a USB cable or Bluetooth®
connection and logging in to the BlackBerry® Web Desktop Manager. During the activation process, the BlackBerry
Web Desktop Manager prompts users to associate the BlackBerry device with their email accounts and generate
encryption keys.
When users complete the activation process, the BlackBerry® Enterprise Server Express synchronizes email messages
and organizer data to BlackBerry devices through the BlackBerry Router. If a connection to the BlackBerry Router is
interrupted, the data transfer continues over the wireless network.
Option 5: Activating BlackBerry devices over an enterprise Wi-Fi network
Users can activate Wi-Fi® enabled BlackBerry® devices over an enterprise Wi-Fi network in environments that have
the following characteristics:
•
•
•
BlackBerry devices can connect to the enterprise Wi-Fi network but cannot connect to the BlackBerry®
Infrastructure.
Users did not install BlackBerry® Desktop Manager on their computers and cannot access BlackBerry® Web
Desktop Manager.
You want to deploy and activate a large number of BlackBerry devices.
To activate BlackBerry devices over the enterprise Wi-Fi network, you must configure the BlackBerry Router as an
SMTP client (also known as a Mail User Agent). As an SMTP client, the BlackBerry Router communicates with an SMTP
server, that sends an ETP message to the user. The ETP message is the email message that the BlackBerry Router
sends to the user’s mailbox during the activation process.
You can configure the BlackBerry Router to act as a gateway for BlackBerry device activations over the enterprise
Wi-Fi network and as a gateway for other network traffic such as email messages, data, or calendar synchronization,
or to act only as a gateway for BlackBerry device activations over the enterprise Wi-Fi network. If you choose to
configure the BlackBerry Router only as a gateway for BlackBerry device activations over the enterprise Wi-Fi network,
you must configure the BlackBerry Router as part of a chain of BlackBerry Router instances and make sure that one
or more BlackBerry Router instances in the chain can act as a gateway for other network traffic.
For more information about activating devices that are associated with the BlackBerry Internet Service over the
wireless network, visit www.blackberry.com/go/serverdocs to see the Activating Devices That are Associated With
the BlackBerry Internet Service Over the Wireless Network Technical Note.
Prerequisites: Configuring a BlackBerry Router for BlackBerry device activations over
the enterprise Wi-Fi network
•
On the computer that you installed the BlackBerry® Router, or on a remote computer, configure an SMTP service
that the BlackBerry Router can use. For more information, see the documentation for the Windows Server®.
71
Administration Guide
•
•
•
•
Assigning BlackBerry devices to user accounts
To restrict the BlackBerry Router so that it acts only as a gateway for BlackBerry device activations over the
enterprise Wi-Fi® network, on a computer that does not host a BlackBerry® Enterprise Server Express, install a
BlackBerry Router whose only purpose is to provide a connection to Wi-Fi enabled BlackBerry devices over the
enterprise Wi-Fi network. Configure the BlackBerry Router as part of a chain of BlackBerry Router instances and
make sure that one or more BlackBerry Router instances in the chain can act as a gateway for other network
traffic such as email messages, data, or calendar synchronization.
Verify that the wireless access points can connect to the BlackBerry Router that you configured for BlackBerry
device activations over the enterprise Wi-Fi network.
Verify that each BlackBerry Enterprise Server Express can connect to a BlackBerry Router that you configured
for BlackBerry device activations over the enterprise Wi-Fi network.
Create a user account and activation password on the BlackBerry Enterprise Server Express for each new
BlackBerry device.
Configure a BlackBerry Router to permit BlackBerry device activations over the
enterprise Wi-Fi network
1.
2.
3.
4.
5.
6.
7.
8.
9.
On the computer that hosts the BlackBerry® Router, on the taskbar, click Start > Programs > BlackBerry
Enterprise Server > BlackBerry Server Configuration.
On the OTA WIFI Activation tab, select the Permit wireless activation in your WLAN environment check box.
Optionally, to restrict the BlackBerry Router so that it acts as a gateway for wireless activations over the
enterprise Wi-Fi® network and not as a gateway for other network traffic such as email messages, data, or
calendar synchronization, select the Prevent all serial bypass traffic through this router except WLAN
activations check box. Only restrict the BlackBerry Router if you configured more than one BlackBerry Router
instance.
To specify how the BlackBerry Router locates the SMTP server, in the Activation Gateway Settings section, select
one of the following options:
• To permit the BlackBerry Router to determine which SMTP server it uses for ETP traffic based on the mail
exchange record of the host domain, select Use MX Lookup to obtain SMTP server.
• To provide the SMTP server name and port number for the BlackBerry Router, select Explicitly provide SMTP
server name and port. Type the server name and the server port number for the SMTP server.
If the SMTP server requires authentication, specify the SMTP login name and SMTP password.
In the From address for ETP messages field, type the email address that you want to use as the From address.
The ETP message is the email message that the BlackBerry Router sends to the users' mailboxes during the
activation process.
Click Apply.
Click OK.
In the Windows® Services, restart the BlackBerry Router.
After you finish: Instruct users to activate the Wi-Fi enabled BlackBerry devices.
72
Administration Guide
Assigning BlackBerry devices to user accounts
Activate a Wi-Fi enabled BlackBerry device
If you want to activate a Wi-Fi® enabled BlackBerry® device using the enterprise Wi-Fi network, you can instruct a
BlackBerry user to perform the following task on the BlackBerry device. If you want to reactivate a BlackBerry device,
you must create a new activation password for the BlackBerry device.
1.
2.
3.
4.
5.
6.
On the BlackBerry device, in the device options, click Advanced Options.
Click Enterprise Activation.
Type the activation email address.
Type the activation password.
In the Activation Server Address field, type the IP address for the BlackBerry Router that the BlackBerry device
can use to activate over the enterprise Wi-Fi network.
In the menu, click Activate.
After you finish:
• For more information, see the user guide for the BlackBerry device.
• To view the activation status, in the BlackBerry Administration Service, on the Wireless > View activations page,
search for the user account. Confirm that the activation is successful.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Troubleshooting: Connections to the Wi-Fi network, 329
73
Administration Guide
Sending software and BlackBerry Java Applications to BlackBerry devices
Sending software and BlackBerry Java
Applications to BlackBerry devices
9
Managing BlackBerry Java Applications and BlackBerry
Device Software
You can use the BlackBerry® Administration Service to install and manage the BlackBerry® Device Software and
BlackBerry Java® Applications on BlackBerry devices.
To send BlackBerry Java Applications to devices, you must first add the applications to the application repository.
You can use the application repository to store and manage all versions of the BlackBerry Java Applications that you
want to install on, update on, or remove from devices.
In the BlackBerry Administration Service, you create software configurations to specify the versions of the BlackBerry
Device Software and BlackBerry Java Applications that you want to install on, update on, or remove from devices.
You also use software configurations to specify which applications are required, optional, or not permitted. When
you create a software configuration, you must also specify whether users can install applications that are not listed
in the software configuration.
When you add a BlackBerry Java Application to a software configuration, you must assign an application control
policy to the application to specify what resources the application can access. You can use default application control
policies or you can create and use custom application control policies. If you permit users to install unlisted
applications, you must create an application control policy for unlisted applications that specifies what resources the
applications can access.
When you assign a software configuration to a group or individual user accounts, the BlackBerry Administration
Service creates a deployment job to install the BlackBerry Device Softwareand BlackBerry Java Applications on devices
and to apply access control policies to the devices. A deployment job consists of a number of tasks. Each task manages
the delivery of a specific object (for example, a BlackBerry Java Application or an access control policy) by
communicating with the appropriate BlackBerry® Enterprise Server Express components.
If you assign more than one software configuration to a user account, all of the settings in the multiple software
configurations are applied to the user's device. The BlackBerry Enterprise Server Express resolves conflicting settings
using predefined reconciliation rules and prioritized rankings that you can specify using the BlackBerry Administration
Service. After you install the BlackBerry Device Software and BlackBerry Java Applications on devices, you can view
details about how the BlackBerry Administration Service resolved software configuration conflicts.
For more information about installing and managing the BlackBerry Device Software on devices, visit
www.blackberry.com/go/serverdocs to see the BlackBerry Device Software Update Guide.
74
Administration Guide
Developing BlackBerry Java Applications for BlackBerry devices
Developing BlackBerry Java Applications for BlackBerry
devices
Application developers can use the BlackBerry® Java® Development Environment or the BlackBerry® Java® Plug-in
for Eclipse® to create and test BlackBerry Java Applications for BlackBerry devices, and to package BlackBerry Java
Applications to install them on BlackBerry devices using a user’s computer or over the wireless network. Application
developers can use the BlackBerry JDE or the BlackBerry Java Plug-in for Eclipse to generate .cod files that contain
the compiled application code for a BlackBerry Java Application. BlackBerry devices execute .cod files to run
BlackBerry Java Applications. The BlackBerry JDE and the BlackBerry Java Plug-in for Eclipse also include tools to
generate .jad files or .alx descriptor files that provide information about a BlackBerry Java Application that is used
when the application is compiled.
MIDlets are Java applications that conform to the MIDP standard and can run on any mobile device that runs Java
applications. Most MIDlets are distributed as .jar files. The BlackBerry JDE and the BlackBerry Java Plug-in for Eclipse
include tools that you can use to convert existing MIDlets that are in .jad and .jar file formats to .cod file formats for
use on BlackBerry devices.
For more information about developing and customizing BlackBerry Java Applications, visit www.blackberry.com/
developers.
Preparing to distribute BlackBerry Java Applications
To send a BlackBerry® Java® Application to BlackBerry devices, the application developer must create a .zip file that
contains the necessary application files and an .alx file that contains information about the application. If a directory
structure is described in the .alx file, that directory structure must be represented in the .zip file.
For more information about creating BlackBerry Java Applications and .alx files, visit www.blackberry.com/
developers to see the BlackBerry Java Development Environment Development Guide.
Before you distribute BlackBerry Java Applications, you must specify a shared network folder for BlackBerry Java
Applications using the BlackBerry Administration Service. This shared network folder must not be the same network
share location that is used for BlackBerry® Device Software, and it must not be located in <drive>:\Program Files
\Common Files\Research In Motion. The BlackBerry Administration Service accesses the shared network folder to
install BlackBerry Java Applications on BlackBerry devices. Do not add application files to the shared network folder
or make changes to the files that the BlackBerry Administration Service stores in the shared network folder.
To make a BlackBerry Java Application available for installation on BlackBerry devices, you must add the application
to the BlackBerry Administration Service application repository. After you add an application to the application
repository, you can add the application to a software configuration, specify whether the application is required,
optional, or not permitted on BlackBerry devices, and assign an application control policy to the application to control
the access permissions for the application. You assign software configurations to user accounts to install or upgrade
BlackBerry Java Applications on BlackBerry devices, or to remove BlackBerry Java Applications from BlackBerry
devices.
75
Administration Guide
Preparing to distribute BlackBerry Java Applications
Specify a shared network folder for BlackBerry Java Applications
You must specify a shared network folder for BlackBerry® Java® Applications using the BlackBerry Administration
Service before you add any BlackBerry Java Applications to the application repository. The BlackBerry Administration
Service must access the shared network folder to install BlackBerry Java Applications on BlackBerry devices. Do not
add application files to the shared network folder or make changes to the files that the BlackBerry Administration
Service stores in the shared network folder.
Before you begin: Create a shared network folder on the network that hosts the BlackBerry® Enterprise Server
Express. This shared network folder must not be the same network share location that is used for BlackBerry® Device
Software, and it must not be located in <drive>:\Program Files\Common Files\Research In Motion.
The administration accounts that you use for the BlackBerry Administration Service must have write permissions for
the shared network folder. The administration accounts that run the BlackBerry Administration Service Application
Server service must have write permissions for the shared network folder. BlackBerry devices and the computers
that host the BlackBerry Enterprise Server Express instances must have access to the shared network folder.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
Click BlackBerry Administration Service.
Click Edit component.
In the Software management section, in the BlackBerry Administration Service application shared network
drive field, type the path of the shared network folder using the following format: \
\<BlackBerry_Administration_Service_computer_name>\<shared_folder>.
The shared network path must be typed in UNC format (for example, \\ComputerName\Applications\Testing).
Click Save all.
Add a BlackBerry Java Application to the application repository
To send a BlackBerry® Java® Application to BlackBerry devices, you must first add the BlackBerry Java Application
bundle to the application repository. To send an updated version of a BlackBerry Java Application to BlackBerry
devices, you must first add the updated bundle to the application repository.
1.
2.
3.
4.
5.
76
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Software >
Applications.
Click Add or update applications.
In the Application location section, click Browse. Navigate to the BlackBerry Java Application bundle that you
want to add to, or update in, the application repository.
Click Next.
Click Add application.
Configuring application control policies
Administration Guide
Specify keywords for a BlackBerry Java Application
You can specify keywords for a BlackBerry® Java® Application. You can use the keywords to search for the application
in the application repository.
1.
2.
3.
4.
5.
6.
7.
8.
9.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Software >
Applications.
Click Manage applications.
Search for an application.
In the search results, click the name of an application.
Click Edit application.
In the Application keywords field, type a keyword.
Click the Add icon.
Repeat steps 6 and 7 for each keyword that you want to add.
Click Save all.
Configuring application control policies
When you add a BlackBerry® Java® Application to a software configuration so that you can install the application on
BlackBerry devices, you must specify an application control policy that you want to apply to the BlackBerry Java
Application. Application control policies control the data and APIs that BlackBerry Java Applications can access on
BlackBerry devices, and the external data sources and network connections that BlackBerry Java Applications can
access.
The BlackBerry Administration Service includes a standard application control policy for BlackBerry Java Applications
that you classify as required, optional, or not permitted. You can change the default settings of the standard
application control policies or create custom application control policies for a BlackBerry Java Application.
For more information about configuring settings for application control policy rules, visit www.blackberry.com/go/
serverdocs to see the BlackBerry Enterprise Server Express Policy Reference Guide.
Standard application control policies
The BlackBerry® Enterprise Server Express includes the following standard application control policies.
Application control policy
Standard Required
Description
When you apply the application control policy to a BlackBerry® Java®
Application, rule settings require that the BlackBerry Java Application be
installed and permitted to run on BlackBerry devices. BlackBerry devices
install the application automatically.
77
Configuring application control policies
Administration Guide
Application control policy
Standard Optional
Standard Disallowed
Description
When you apply the application control policy to a BlackBerry Java
Application, rule settings make the BlackBerry Java Application optional on
the BlackBerry device. Users can install and run the BlackBerry Java
Application on their BlackBerry devices.
When you apply the application control policy to a BlackBerry Java
Application, rule settings prevent users from installing the BlackBerry Java
Application on BlackBerry devices. Users cannot install and run the
BlackBerry Java Application on their BlackBerry devices.
Change a standard application control policy
When you add a BlackBerry® Java® Application to a software configuration, you must assign an application control
policy to the BlackBerry Java Application. Based on the requirements of your organization's environment, you can
change the default settings for the standard application control policies.
1.
2.
3.
4.
5.
6.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Software >
Applications.
Click Manage default application control policies.
Click the standard application control policy that you want to change.
Click Edit application control policy.
On the Access settings tab, in the Settings section, change the settings for the standard application control
policy.
Click Save all.
Create custom application control policies for a BlackBerry Java
Application
After you add a BlackBerry® Java® Application to the application repository, you can configure the application to use
the standard application control policies, or you can create custom application control policies for the application.
If you want a BlackBerry Java Application to use custom application control policies, you must create the custom
application control policies before you add the application to a software configuration. When you add the application
to a software configuration, you can select which custom application control policy you want to apply to the
application.
If you add the BlackBerry Java Application to multiple software configurations and you assign different custom access
control policies to the BlackBerry Java Application in the different software configurations, you must set the priority
for the custom application control policies. This priority determines which custom application control policy the
BlackBerry Policy Service applies if you assign multiple software configurations to a user account.
1.
2.
78
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Software >
Applications.
Click Manage applications.
Configuring application control policies
Administration Guide
3.
4.
5.
6.
7.
8.
Search for a BlackBerry Java Application.
In the search results, click a BlackBerry Java Application.
In the Application versions section, click the version of the application that you want to create a custom
application control policy for.
Click Edit application.
On the Application control policies tab, in the Settings section, select the Use custom application control
policies option.
Perform any of the following tasks:
Task
Steps
Create an application control
a. In the Required application name field, type a name for the
policy for required BlackBerry Java
application control policy.
Applications.
b. In the Settings section, configure the settings for the application
control policy.
c.
Click the Add icon.
d.
Repeat steps a to c for each application control policy that you want
to create.
Create an application control
a.
policy for optional BlackBerry Java
Applications.
b.
Create an application control
policy for BlackBerry Java
Applications that are not
permitted.
In the Optional application name field, type a name for the
application control policy.
In the Settings section, configure the settings for the application
control policy.
c.
Click the Add icon.
d.
Repeat steps a to c for each application control policy that you want
to create.
a.
In the Disallowed application name field, type a name for the
application control policy.
b.
Click the Add icon.
9. If necessary, in each section, click the up and down arrows to set the priority for the application control policies.
10. Click Save all.
IT policy rules take precedence on the device
IT policy rule settings override application control policy rule settings. For example, if you change the Allow Internal
Connections IT policy rule to No for BlackBerry® devices, and if the devices have an application control policy set that
allows a specific application to make internal connections, the application cannot make internal connections.
79
Administration Guide
Application control policies for unlisted applications
The device revokes an application control policy and resets if the permissions of the application it is applied to become
more restrictive. On supported devices, users can make application permissions more restrictive than what the
BlackBerry® Enterprise Server Express administrator sets but users cannot make the permissions less restrictive.
Application control policies for unlisted applications
When you create a software configuration and assign it to user accounts so that you can send BlackBerry® Device
Software, BlackBerry Java® Applications, and standard application settings to BlackBerry devices, you must configure
whether the software configuration permits users to install and use applications that are not included in the software
configuration (also known as unlisted applications). When you configure whether unlisted applications are permitted
and optional or not permitted on BlackBerry devices, you must assign an application control policy for unlisted
applications to the software configuration.
An application control policy for unlisted applications determines what unlisted applications are permitted on
BlackBerry devices and what data the unlisted applications can access on BlackBerry devices. The BlackBerry
Administration Service has two standard application control policies for unlisted applications: one for unlisted
applications that are optional, and one for unlisted applications that are not permitted. You can change the default
settings of the standard application control policy for unlisted applications that are optional, or you can create custom
application control policies for unlisted applications that are optional.
For more information about the rule settings in application control policies for unlisted applications, see the
BlackBerry Enterprise Server Express Policy Reference Guide.
Change the standard application control policy for unlisted applications
that are optional
For more information about the rule settings in application control policies for unlisted applications, see the
BlackBerry Enterprise Server Express Policy Reference Guide.
1.
2.
3.
4.
5.
6.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Software.
Click Manage application control policies for unlisted applications.
Click the Standard Unlisted Optional application control policy.
Click Edit application control policy.
On the Access settings tab, in the Settings section, configure the settings for the application control policy.
Click Save all.
Create an application control policy for unlisted applications
The BlackBerry® Administration Service includes two default application control policies for unlisted applications:
one for unlisted applications that you permit on BlackBerry devices, and one for unlisted applications that you do
not permit on BlackBerry devices. You can also create custom application control policies for unlisted applications
that are optional.
80
Administration Guide
Creating software configurations
For more information about the rule settings in application control policies for unlisted applications, see the
BlackBerry Enterprise Server Express Policy Reference Guide.
1.
2.
3.
4.
5.
6.
7.
8.
9.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Software.
Click Create an application control policy for unlisted applications.
In the Application control policy information section, in the Name field, type a name for the application control
policy for unlisted applications.
Click Save.
On the BlackBerry solution management menu, click Manage application control policies for unlisted
applications.
Click the application control policy that you created.
Click Edit application control policy.
On the Access settings tab, in the Settings section, configure the settings for the application control policy.
Click Save all.
Configure the priority of application control policies for unlisted
applications
You can assign multiple software configurations to user accounts. You can assign different application control policies
for unlisted applications to different software configurations. You must configure the priority of the different
application control policies for unlisted applications so that the BlackBerry® Policy Service can determine which
application control policies to apply to user accounts when you assign multiple software configurations to user
accounts.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Software.
Click Manage application control policies for unlisted applications.
Click Set priority of application control policies for unlisted applications.
Click the up and down arrows to set the priority of application control policies for unlisted applications.
Click Save.
Creating software configurations
You can use software configurations to perform the following actions on BlackBerry® devices:
•
•
•
•
install, upgrade, or remove BlackBerry Java® Applications over the wireless network or using the BlackBerry®
Web Desktop Manager
assign access control policies to BlackBerry Java Applications to control application permissions and the data
that the applications can access
specify that a BlackBerry Java Application is not permitted
specify whether BlackBerry Java Applications that you do not include in the software configuration are permitted
or not permitted
81
Administration Guide
•
•
•
Creating software configurations
configure the access permissions for BlackBerry Java Applications that you do not include in the software
configuration
install or upgrade the BlackBerry® Device Software over the wireless network or using the BlackBerry Web
Desktop Manager
specify standard application settings
You can assign a software configuration to a group, multiple user accounts, or a single user account. After you assign
a software configuration, you can change the settings in the software configuration to manage the BlackBerry Java
Applications, BlackBerry Device Software, and standard application settings on BlackBerry devices. You can configure
settings in the BlackBerry Administration Service to control how the BlackBerry Administration Service sends
BlackBerry Java Applications, BlackBerry Device Software, and standard application settings in software
configurations to BlackBerry devices.
If you assign multiple software configurations to a user account, the settings in each software configuration are
applied to the BlackBerry device. The BlackBerry Administration Service uses a set of rules to resolve conflicting
settings in the multiple software configurations.
The BlackBerry Enterprise Server Express Administration Guide contains information about creating software
configurations to manage BlackBerry Java Applications on BlackBerry devices. For more information about using
software configurations to manage BlackBerry Device Software on BlackBerry devices, visit www.blackberry.com/
go/serverdocs to see the BlackBerry Device Software Upgrade Guide.
Related topics
Reconciliation rules for conflicting settings in software configurations, 96
Create a software configuration
1.
2.
3.
4.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Software.
Click Create a software configuration.
In the Configuration information section, in the Name field, type a name for the software configuration.
In the Disposition for unlisted applications drop-down list, perform one of the following actions:
• To permit users to install applications that are not included in the software configuration on their BlackBerry
devices, click Optional.
• To prevent users from installing applications that are not included in the software configuration on their
BlackBerry devices, click Disallowed.
5.
In the Application control policy for unlisted applications drop-down list, click the application control policy for
unlisted applications that you want to assign to the software configuration.
Click Save.
6.
After you finish: Add BlackBerry® Device Software configurations and BlackBerry Java® Applications to the software
configuration.
82
Administration Guide
Creating software configurations
Add a BlackBerry Java Application to a software configuration
You must add a BlackBerry® Java® Application to a software configuration and assign the software configuration to
user accounts to install the BlackBerry Java Application on BlackBerry devices over the wireless network. To upgrade
an application, you must add the new version of the application to the appropriate software configuration. The
BlackBerry® Enterprise Server Express upgrades the application that is on BlackBerry devices to the new version.
1.
2.
3.
4.
5.
6.
7.
8.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Software.
Click Manage software configurations.
Click the software configuration that you want to add a BlackBerry Java Application to.
Click Edit software configuration.
On the Applications tab, click Add applications to software configuration.
Search for the BlackBerry Java Applications that you want to add to the software configuration.
In the search results, select a BlackBerry Java Application that you want to add to the software configuration.
In the Disposition drop-down list for the BlackBerry Java Application, perform one of the following actions:
• To install the BlackBerry Java Application automatically on BlackBerry devices, and to prevent users from
removing the application, click Required.
• To permit users to install and remove the BlackBerry Java Application, click Optional.
• To prevent users from installing a BlackBerry Java Application on BlackBerry devices, click Disallowed.
9.
In the Application data section, in the Application control policy drop-down list, click an application control
policy to apply to the BlackBerry Java Application.
10. If necessary, in the Deployment drop-down list, perform one of the following actions:
• To install the application on BlackBerry devices over the wireless network, click Wireless.
• To install the application on BlackBerry devices using a USB connection to the user's computer and the
BlackBerry® Web Desktop Manager, click Wired.
11. Repeat steps 6 to 10 for each BlackBerry Java Application that you want to add to the software configuration.
12. Click Add to software configuration.
13. Click Save all.
Assign a software configuration to a group
1.
2.
3.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Group.
Click Manage groups.
Click a group.
4.
5.
6.
7.
8.
Click Edit group.
On the Software configuration tab, in the Available software configurations list, click a software configuration.
Click Add.
Repeat steps 5 and 6 for each software configuration that you want to assign.
Click Save all.
83
Administration Guide
Creating software configurations
Related topics
Create a group to manage similar user accounts, 58
View the status of a job, 85
Managing the default distribution settings for jobs, 198
Managing the distribution settings for a specific job, 203
Managing software configurations, 210
Assign a software configuration to multiple user accounts
1.
2.
3.
4.
5.
6.
7.
8.
9.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for one or more user accounts.
Select one or more user accounts.
In the Add to user configuration list, click Add software configuration.
In the Available software configurations list, click the software configuration that you want to assign to the user
accounts.
Click Add.
Repeat steps 6 and 7 for each software configuration that you want to assign to the user accounts.
Click Save.
Related topics
View the status of a job, 85
Managing the default distribution settings for jobs, 198
Managing the distribution settings for a specific job, 203
Managing software configurations, 210
Assign a software configuration to a user account
1.
2.
3.
4.
5.
6.
7.
8.
9.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
In the search results, click the display name for the user account.
Click Edit user.
On the Software configuration tab, in the Available software configurations list, click the appropriate software
configuration.
Click Add.
Repeat steps 6 and 7 for each software configuration that you want to assign.
Click Save all.
Related topics
View the status of a job, 85
Managing the default distribution settings for jobs, 198
Managing the distribution settings for a specific job, 203
Managing software configurations, 210
84
Administration Guide
Install BlackBerry Java Applications on a BlackBerry device at a central computer
Install BlackBerry Java Applications on a BlackBerry device
at a central computer
If you do not want to install BlackBerry® Java® Applications on a BlackBerry device over the wireless network, and
you do not want the user to install the BlackBerry Java Applications using the BlackBerry® Web Desktop Manager or
BlackBerry® Desktop Software, you can install the BlackBerry Java Applications on a BlackBerry device by connecting
the BlackBerry device to a central computer that can access the BlackBerry Administration Service.
Before you begin:
• Assign a software configuration with the necessary BlackBerry Java Applications to the appropriate user account.
• To permit the BlackBerry Administration Service to connect to a BlackBerry device that is attached to the
computer that hosts the BlackBerry Administration Service by a USB connection, add the web address of the
BlackBerry Administration Service to the list of trusted web sites in the web browser. Log in to the BlackBerry
Administration Service again.
• Verify that the central computer can access the BlackBerry Administration Service.
• Connect the BlackBerry device that is associated with the user account to the central computer.
1.
2.
3.
4.
In the BlackBerry Administration Service, on the Devices menu, expand Attached devices.
Click Device software.
Click Automatic installation of applications on the BlackBerry device.
Complete the instructions on the screen.
View the status of a job
After you assign a software configuration to user accounts or change an existing software configuration that you
assigned to user accounts, the BlackBerry® Administration Service creates a job to deliver BlackBerry® Device
Software, BlackBerry Java® applications, or application settings to BlackBerry devices. If you assign an IT policy to
user accounts or change an existing IT policy, a job sends the IT policy changes to BlackBerry devices. You can view
the status of a job to determine if it is ready to run, currently running, completed, or completed with task failures.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the Devices menu, expand Deployment jobs.
Click Manage deployment jobs.
Search for a job.
In the search results, in the Status column, view the status of the job.
To view more information about a job or to change a job, click the ID of the job.
Related topics
Stopping a job that is running, 94
85
Administration Guide
View the status of a job
View the status of a task
Each deployment job consists of multiple tasks. Each task delivers a specific object or setting to a BlackBerry® device
that carries out an action, for example, updating BlackBerry® Device Software, installing or removing a BlackBerry
Java® Application, or applying updated IT policy settings or application settings. You can view the status of tasks. If
a BlackBerry® Enterprise Server Express does not complete a task, you can view error messages that help you
troubleshoot the task failure.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the Devices menu, expand Deployment jobs.
Click Manage deployment job tasks.
Search for a task.
In the search results, in the Status column, view the status of the task.
To view more information about a task, click More.
Error messages: BlackBerry Java Application tasks
To troubleshoot errors that display for a task when you send a BlackBerry® Java® Application to a BlackBerry device,
or update a BlackBerry Java Application on a BlackBerry device, you can try to determine the cause by collecting the
following information:
• BlackBerry Policy Service log files from the day the issue was reported (log level 4 recommended)
• BlackBerry Dispatcher log files from the day the issue was reported (log level 4 recommended)
• BlackBerry Administration Service log files from the day the issue was reported (log level 4 recommended)
• BlackBerry device information (for example, the BlackBerry device model, BlackBerry® Device Software version,
wireless service provider, IT policy assigned to the BlackBerry device, service books on the BlackBerry device,
and so on)
• event log of the BlackBerry device from the day the issue was reported
If the preceding information does not help you to address the issue, you can collect the following information:
• BlackBerry Policy Service log files from the day the issue was reported (log level 6 recommended)
• system event logs
• copy of the BlackBerry Configuration Database
• SQL trace of the BlackBerry Policy Service that communicates with the BlackBerry Configuration Database
For information about changing the log level for a BlackBerry® Enterprise Server Express component, visit
www.blackberry.com/support to read article KB04342. For information about obtaining the event log for a BlackBerry
device, visit www.blackberry.com/support to read article KB05349.
If the recommended administrative action for an error message does not resolve the issue, contact RIM Technical
Support.
Sequence Processing Stopped due to error processing SEND_APC_APP command
86
Administration Guide
View the status of a job
The BlackBerry Policy Service sends application data to a BlackBerry device as a group of application modules. If
the BlackBerry Policy Service does not deliver one of the application modules to the BlackBerry device, the
remaining application modules are not delivered to the BlackBerry device.
You can try to resend the BlackBerry Java Application to the BlackBerry device.
SendApp failed due to error getting application data, processing stopped
An error occurred when the BlackBerry Policy Service tried to retrieve the data that it required to install the
BlackBerry Java Application.
You can verify that the BlackBerry Policy Service can access the network share that you use to store the application
files.
QueueModule failed, processing stopped
An error occurred when the BlackBerry Policy Service tried to process the application modules and send the
application modules to the BlackBerry device.
You can verify that the BlackBerry Policy Service can access the network share that stores the application files.
Device timed out waiting for module
The BlackBerry device reported a timeout failure while waiting for the application modules.
You can resend the BlackBerry Java Application to the BlackBerry device. If the second attempt to install the
BlackBerry Java Application is not successful, in the log files that you collected, locate the user account that
experienced the issue. Trace the installation activity.
Device reported insufficient memory to install module
The BlackBerry device does not have enough application memory available to install the application modules.
You can instruct the user to make more application memory available on the BlackBerry device. Resend the
BlackBerry Java Application.
Device reported insufficient privileges to install module
The BlackBerry device does not have the necessary permissions to install the BlackBerry Java Application.
You can verify that the BlackBerry device is configured with the necessary permissions to install a BlackBerry Java
Application. Resend the BlackBerry Java Application.
Device reported invalid version in packet, supported version is %s
The BlackBerry Java Application is not compatible with the BlackBerry Device Software version that is running
on the BlackBerry device.
You can verify that the BlackBerry Java Application is compatible with the BlackBerry Device Software version
that is running on the BlackBerry device.
Device reported Data Format Error in packet while installing module
87
Administration Guide
View the status of a job
An error occurred in the BlackBerry Policy Service that prevented the BlackBerry device from installing the
BlackBerry Java Application.
In the log files that you collected, locate the user account that experienced the issue. Trace the installation activity.
Device reported a %s error while installing module
Device reported a general failure installing the module
Device reported a security violation while installing the application
Device reported insufficient app data while installing module
Device reported insufficient body data while installing module
Device reported invalid app data length while installing module
Device reported invalid command while installing module
Device reported invalid module hash while installing module
Device reported that the module save failed
Device reported that there was an incomplete module
The BlackBerry device identified a formatting error in the application data before or during the installation
process.
You can verify that the application files are formatted properly and try to send the BlackBerry Java Application
to the BlackBerry device again. If your second try at the installation is not successful, in the log files that you
collected, locate the user account that experienced the issue. Trace the installation activity.
Incomplete ACK data for APPD request
The BlackBerry Policy Service did not receive an acknowledgment message from a BlackBerry device that indicates
that the BlackBerry Java Application was installed.
You can verify that the BlackBerry device is turned on and is located in a wireless coverage area. Resend the
BlackBerry Java Application.
For the command: %s Device reported a general failure
For the command: %s Device reported non command handler for request
For the command: %s Device reported security violation
For the command: %s Device reported unable to decrypt
For the command: %s Device reported key mismatch
88
Administration Guide
View the status of a job
For the command: %s Device reported unsupported command version
For the command: %s Device reported code base error
For the command: %s Device reported a general failure installing the module
The BlackBerry device cannot execute the command to install or update the BlackBerry Java Application.
In the log files that you collected, locate the user account that experienced the issue. Trace the installation activity.
Error messages: BlackBerry Device Software tasks
To troubleshoot errors that display for a task when you are updating BlackBerry® Device Software on a BlackBerry
device, you can try to determine the cause by collecting the following information:
• BlackBerry Policy Service log files from the day the issue was reported (log level 4 recommended)
• BlackBerry Dispatcher log files from the day the issue was reported (log level 4 recommended)
• BlackBerry Administration Service log files from the day the issue was reported (log level 4 recommended)
• BlackBerry device information (for example, the BlackBerry device model, BlackBerry Device Software version,
wireless service provider, IT policy assigned to the BlackBerry device, service books on the BlackBerry device,
and so on)
• event log of the BlackBerry device from the day the issue was reported
• error report from the update application; instruct users to view the details of the errors reported by the update
application and to send error reports to an administrative email address that you must specify
If the preceding information does not address the issue, you can collect the following information:
• BlackBerry Policy Service log files from the day the issue was reported (log level 6 recommended)
• system event logs
• copy of the BlackBerry Configuration Database
• SQL trace of the BlackBerry Policy Service that communicates with the BlackBerry Configuration Database
For information about changing the log level for a BlackBerry® Enterprise Server Express component, visit
www.blackberry.com/support to read article KB04342. For information about obtaining the event log for a BlackBerry
device, visit www.blackberry.com/support to read article KB05349.
If the recommended administrative action for an error message does not resolve the issue, contact RIM Technical
Support.
Available upgrade rejected
You can determine the reason for the error message and determine the status code that is associated with the
error by viewing the event log of the BlackBerry device.
0x01 not supported by device: The BlackBerry device model or the current version of the BlackBerry Device
Software on the BlackBerry device does not support the BlackBerry Device Software update.
You can verify that the BlackBerry device model and the current BlackBerry Device Software version support the
BlackBerry Device Software update.
89
Administration Guide
View the status of a job
0x02 not consistent with device version or vendorid: The BlackBerry device model, the current version of the
BlackBerry Device Software on the BlackBerry device, or the vendor ID that is associated with the BlackBerry
device does not support the BlackBerry Device Software update.
You can verify that the BlackBerry device model, the current BlackBerry Device Software version, and the vendor
ID that are associated with the BlackBerry device support the BlackBerry Device Software update.
0x03 disallowed by IT policy: An IT policy rule in an IT policy that you assigned to the user account does not
permit BlackBerry Device Software updates over the wireless network.
You can verify that the IT policy rule settings in the IT policy that you assigned to the user account permits
BlackBerry Device Software updates over the wireless network.
0x05 duplicate: A previous request to install the same BlackBerry Device Software version has already been sent
to the BlackBerry device.
0x07 bad request: An error occured when the BlackBerry® Infrastructure processed the request to update the
BlackBerry Device Software on the BlackBerry device.
You can try to send the BlackBerry Device Software update again.
0x08 insufficient storage: The BlackBerry device does not have enough memory available to update the
BlackBerry Device Software.
You can manage the BlackBerry device so that it has enough memory available to update the BlackBerry Device
Software (for example, remove applications from the BlackBerry device that are no longer required).
0x09 reset required: The user must reset the BlackBerry device to clear a code module condition.
You can instruct the user to reset the BlackBerry device and you can send the BlackBerry Device Software update
again.
0X10 service book flag disabled: A service book on the BlackBerry device does not permit you to send BlackBerry
Device Software updates over the wireless network.
You can verify that the service books on the BlackBerry device permit BlackBerry Device Software updates over
the wireless network.
Available upgrade deferred by user
0x01 prior upgrade in progress: The BlackBerry Device Software update did not complete because a previous
BlackBerry Device Software update was in progress.
If the previous BlackBerry Device Software update did not install the correct BlackBerry Device Software version,
you can wait until the update completes and then you can send the BlackBerry Device Software update again.
Upgrade prompt deferred
0x02 reset required: The user must reset the BlackBerry device to clear a code module condition.
90
Administration Guide
View the status of a job
You can instruct the user to reset the BlackBerry device. The update application tries to perform the update for
up to 72 hours. After 72 hours, the update application performs the update and the user no longer has the option
to defer the update.
Upgrade rejected
An error or inconsistency exists in the BlackBerry Device Software files that are available from the BlackBerry
Infrastructure.
Upgrade failed, rollback complete
After the update application downloaded and applied the current BlackBerry Device Software patch files to the
BlackBerry device, an error occurred when the update application tried to restart the BlackBerry device. As a
result, the update application reapplied the previous BlackBerry Device Software files to the BlackBerry device
and cancelled the BlackBerry Device Software update.
Available upgrade deleted by administrator
When a BlackBerry Device Software update request either completes or does not complete, this status message
displays when the BlackBerry Infrastructure deletes the update request.
Mandatory upgrade failed
After the update application downloaded and applied the current BlackBerry Device Software files to the
BlackBerry device, an error occured when the update application tried to restart the BlackBerry device. As a
result, the update application reapplied the previous BlackBerry Device Software files to the BlackBerry device,
and cancelled the update.
BlackBerry Administration Service error
An error occurred when the BlackBerry Administration Service processed the request to update the BlackBerry
Device Software on a BlackBerry device.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Error messages: Standard application settings tasks
To troubleshoot errors that display for a task when you change the standard application settings on a BlackBerry®
device, you can try to determine the cause by collecting the following information:
• BlackBerry Synchronization Service log files from the day the issue was reported (log level 4 recommended)
• BlackBerry Dispatcher log files from the day the issue was reported (log level 4 recommended)
• BlackBerry Administration Service log files from the day the issue was reported (log level 4 recommended)
• BlackBerry device information (for example, the BlackBerry device model, BlackBerry® Device Software version,
wireless service provider, IT policy assigned to the BlackBerry device, service books on the BlackBerry device,
and so on)
• event log of the BlackBerry device from the day the issue was reported
91
Administration Guide
View the status of a job
If the preceding information does not address the issue, you can collect the following information:
• BlackBerry Synchronization Service log files from the day the issue was reported (log level 6 recommended)
• system event logs
• copy of the BlackBerry Configuration Database
• SQL trace of the BlackBerry Synchronization Service that communicates with the BlackBerry Configuration
Database
For information about changing the log level for a BlackBerry® Enterprise Server Express component, visit
www.blackberry.com/support to read article KB04342. For information about obtaining the event log of a BlackBerry
device, visit www.blackberry.com/support to read article KB05349.
If the recommended administrative action for an error message does not resolve the issue, contact RIM Technical
Support.
Restore failed -- error getting value
The BlackBerry Synchronization Service cannot read the value of the standard application settings because the
BlackBerry Configuration Database is unavailable.
Verify that the BlackBerry Synchronization Service can access the BlackBerry Configuration Database. If necessary,
restart the BlackBerry Configuration Database.
Failed to set properties for item
The BlackBerry Synchronization Service cannot specify the value of the standard application settings because the
BlackBerry Configuration Database is unavailable.
Verify that the BlackBerry Synchronization Service can access the BlackBerry Configuration Database. If necessary,
restart the BlackBerry Configuration Database.
Failed to backup data to database
The BlackBerry Synchronization Service cannot apply the value of the standard application settings because the
BlackBerry Configuration Database is unavailable.
Verify that the BlackBerry Synchronization Service can access the BlackBerry Configuration Database. If necessary,
restart the BlackBerry Configuration Database.
Failed to delete item
The BlackBerry Synchronization Service cannot delete the value of the standard application settings because the
BlackBerry Configuration Database is unavailable.
Verify that the BlackBerry Synchronization Service can access the BlackBerry Configuration Database. If necessary,
restart the BlackBerry Configuration Database.
Failed to create an instance of the XML DOM document
The BlackBerry Synchronization Service cannot create XML data for the standard application settings.
Failed to load XML document
92
Administration Guide
View the status of a job
The BlackBerry Synchronization Service cannot load XML data for the standard application settings.
Invalid GUID
The BlackBerry Synchronization Service received an invalid globally unique identifier from the BlackBerry device.
Invalid/unknown command
The BlackBerry Synchronization Service received an invalid command from the BlackBerry device.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Error messages: IT policy tasks
To troubleshoot errors that display for a task when you send an IT policy to a BlackBerry® device or update an IT
policy on a BlackBerry device, you can try to determine the cause by collecting the following information:
• BlackBerry Policy Service log files from the day the issue was reported (log level 4 recommended)
• BlackBerry Dispatcher log files from the day the issue was reported (log level 4 recommended)
• BlackBerry Administration Service log files from the day the issue was reported (log level 4 recommended)
• BlackBerry device information (for example, the BlackBerry device model, BlackBerry® Device Software version,
wireless service provider, IT policy assigned to the BlackBerry device, service books on the BlackBerry device,
and so on)
• event log of the BlackBerry device from the day the issue was reported
If the preceding information does not help you to address the issue, you can collect the following information:
• BlackBerry Policy Service log files from the day the issue was reported (log level 6 recommended)
• system event logs
• copy of the BlackBerry Configuration Database
• SQL trace of the BlackBerry Policy Service that communicates with the BlackBerry Configuration Database
For information about changing the log level for a BlackBerry® Enterprise Server Express component, visit
www.blackberry.com/support to read article KB04342. For information about obtaining the event log for a BlackBerry
device, visit www.blackberry.com/support to read article KB05349.
If the recommended administrative action for an error message does not resolve the issue, contact Research In
Motion Technical Support.
Reject Security Violation
Reject Authentication Failed
Data might not have been permanently deleted from the BlackBerry device before you assigned the BlackBerry
device to a new user account and activated the BlackBerry device again.
You can permanently delete the data on the BlackBerry device and activate the BlackBerry device again.
Invalid password
Set Password Failed
93
Administration Guide
Stopping a job that is running
You sent the Specify new device password and lock device IT administration command to a BlackBerry device
and the password might not have satisfied the password criteria that the BlackBerry device user configured on
the BlackBerry device.
You can resend the Specify new device password and lock device IT administration command to the BlackBerry
device and specify a password that satisfies the password criteria that you configured using IT policy rules.
Sequence Processing Stopped due to error processing SET_IT_POLICY_COMMAND command
The BlackBerry Policy Service can send the IT policy data to a BlackBerry device in a group of commands. If the
IT policy command is not delivered to the BlackBerry device, the remaining commands in the group are not
delivered to the BlackBerry device.
You can try to resend the IT policy to the BlackBerry device. You can also try to resend the service books to the
BlackBerry device.
Stopping a job that is running
After you assign a software configuration to user accounts or change an existing software configuration that you
already assigned to user accounts, the BlackBerry® Administration Service creates a job to deliver BlackBerry® Device
Software, BlackBerry Java® Applications, or application settings to BlackBerry devices. If you assign an IT policy to
user accounts or change an existing IT policy, a job sends the IT policy changes to BlackBerry devices. If you want to
make changes to a job that is running, you can stop a job.
When you stop a job, the BlackBerry® Enterprise Server Express does not process the remaining tasks in the job, and
the BlackBerry Administration Service changes the scheduled start time for the job to the following day. The job
returns to a ready to run status. You can make changes to the start time, priority, and distribution settings of the job.
If you do not change the start time for the job, the BlackBerry Enterprise Server Express delivers the job on the
following day using the default job schedule settings. When the job starts again, the BlackBerry Enterprise Server
Express processes the remaining tasks in the job.
If you want to delete a job, change the start date of the job to a date that exceeds the job failure period that you
configured in the job schedule settings. The default job failure period is 30 days.
Related topics
Change default settings for a job schedule, 198
Specify the start time and priority for a job, 204
Stop a job that is running
1.
2.
3.
4.
5.
94
In the BlackBerry® Administration Service, on the Devices menu, expand Deployment jobs.
Click Manage deployment jobs.
Search for the job that you want to stop.
In the search results, click the ID of the job that you want to stop.
You can only stop jobs with a Running status.
Click Stop Current Execution.
Administration Guide
6.
View the users that have a BlackBerry Java Application installed on their BlackBerry devices
Click Yes - Stop Current Execution.
Related topics
View the status of a job, 85
Managing the default distribution settings for jobs, 198
Managing the distribution settings for a specific job, 203
View the users that have a BlackBerry Java Application
installed on their BlackBerry devices
1.
2.
3.
4.
5.
6.
7.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Software >
Applications.
Click Manage applications.
Search for an application.
In the search results, click the name of an application.
In the Application versions section, click a version of the application.
Click View users with application.
Search for users that are associated with BlackBerry devices that you installed the BlackBerry Java® Application
on.
View how the BlackBerry Administration Service resolved
software configuration conflicts for a user account
You can assign multiple software configurations to a user account or group. The BlackBerry® Administration Service
uses specific rules to resolve conflicting settings in the multiple software configurations that you assign to a user
account or group. After the BlackBerry Administration Service applies software configurations to a BlackBerry device,
you can view how the BlackBerry Administration Service resolved any of the conflicting settings in the multiple
software configurations.
Before you begin: Assign multiple software configurations to a user account or group.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
Click the name of a user account.
On the Software configuration tab, perform one of the following actions:
• To view how the BlackBerry Administration Service resolved conflicts that involve BlackBerry Java®
Applications, click View resolved applications.
• To view how the BlackBerry Administration Service resolved conflicts that involve BlackBerry® Device
Software, click View Resolved BlackBerry Device Software bundles.
95
Administration Guide
•
•
6.
Reconciliation rules for conflicting settings in software configurations
To view how the BlackBerry Administration Service resolved conflicts that involve application control
policies for unlisted applications, click View Resolved Application Control Policy for Unlisted Applications.
To view how the BlackBerry Administration Service resolved conflicts that involve the standard application
settings in BlackBerry Device Software configurations, click View Resolved BlackBerry Device Software
application settings.
View the appropriate information about how the BlackBerry Administration Service resolved the software
configuration conflicts for the user account.
Reconciliation rules for conflicting settings in software
configurations
If you assign multiple software configurations to user accounts or groups, the multiple software configurations might
contain conflicting settings. For example, you might specify that a BlackBerry® Java® Application is required in a
software configuration that you assign to a user account, but you might also specify that the same application is not
permitted in a software configuration that you assign to a group that the user account belongs to. Conflicts can occur
when you assign multiple BlackBerry Java Applications, application control policies, application control policies for
unlisted applications, BlackBerry® Device Software, and the standard application settings in BlackBerry Device
Software configurations.
The BlackBerry Administration Service uses predefined reconciliation rules to resolve conflicting settings in multiple
software configurations, and to determine which applications, software, and settings the BlackBerry Administration
Service installs on or applies to a BlackBerry device. The BlackBerry Administration Service resolves conflicting settings
as an asynchronous background activity. You can view the outcome of the reconciliation activities, reconciliation
errors, and the applications, software, and settings that the BlackBerry Administration Service installed on or applied
to a BlackBerry device.
The BlackBerry Administration Service might have to reconcile software configuration settings that conflict if you
perform any of the following actions:
•
•
•
•
•
•
•
•
•
•
•
•
96
activate a user account
assign a new BlackBerry device or PIN to a user
assign a user account to or remove a user account from a group
add a group to or remove a group from another group
add an application to or remove an application from a software configuration
change the settings for an application in a software configuration
change the settings for an application control policy
change the ranking for application control policies
install a new version of the BlackBerry Device Software on a BlackBerry device
add a BlackBerry Device Software configuration to or remove a BlackBerry Device Software configuration from
a software configuration
change a BlackBerry Device Software configuration
change the standard application settings in a BlackBerry Device Software configuration
Administration Guide
Reconciliation rules for conflicting settings in software configurations
Reconciliation rules: BlackBerry Java Applications
Scenario
Rule
Multiple software configurations are assigned to a user The BlackBerry Java Applications in each software
account or the groups the user belongs to. Multiple
configuration are installed on the BlackBerry device. If
BlackBerry® Java® Applications are contained in each
the BlackBerry® Device Software does not support a
software configuration.
specific BlackBerry Java Application, the application is
not installed on the BlackBerry device.
Multiple software configurations that contain different When different versions of an application exist in the
versions of the same BlackBerry Java Application are
software configurations that are assigned to a user
assigned to a user account or the groups the user
account, the latest version of the application that is
belongs to.
supported by the BlackBerry Device Software is installed
on the BlackBerry device. For example, if a software
configuration with version 1.0 of an application is
assigned to a user account, and another software
configuration with version 2.0 of the application is
assigned to a user account, version 2.0 of the application
is installed on the BlackBerry device.
The version of a BlackBerry Java Application that is in a
software configuration that is assigned to a user account
takes precedence over the version of a BlackBerry Java
Application that is in a software configuration that is
assigned to a group. For example, if version 1.0 of an
application is in a software configuration that is assigned
to a user account, and version 2.0 of an application is in
a software configuration that is assigned to a group that
the user belongs to, version 1.0 of the application is
installed on the BlackBerry device.
Multiple software configurations that contain the same The disposition specified for an application in a software
BlackBerry Java Application are assigned to a user
configuration that is assigned to a user account takes
account or the groups the user belongs to. The
precedence over the disposition of the same application
disposition of the BlackBerry Java Application (required, in any software configuration that is assigned to a group.
optional, or disallowed) is different in each software
If the application has different dispositions in multiple
configuration. The deployment method (wired or over software configurations that are assigned at the same
the wireless network) for the application is different in level (either to the user account or groups), the required
each software configuration.
disposition takes precedence over the optional
disposition, and the optional disposition takes
precedence over the disallowed disposition.
97
Administration Guide
Reconciliation rules for conflicting settings in software configurations
Scenario
Rule
The BlackBerry Administration Service resolves the
deployment method after resolving the disposition of
an application. The deployment method specified for an
application in a software configuration that is assigned
to a user account takes precedence over the
deployment method for the same application in any
software configuration that is assigned to a group. The
wireless setting takes precedence over the wired
setting.
One or more software configurations that include
The BlackBerry Administration Service checks the
BlackBerry Java Applications are assigned to a user
amount of available memory on the BlackBerry device
account or the groups the user belongs to, but a limited after resolving application conflicts (for example,
amount of available memory remains on the BlackBerry resolving conflicting disposition and deployment
device.
settings) and before installing a BlackBerry Java
Application. If there is not enough memory available on
the BlackBerry device to support the application, the
application is not installed.
Depending on the amount of available memory,
applications are installed in the following order:
1.
Required applications that are configured for
wireless deployment
2.
Required applications that are configured for wired
deployment
3.
Optional applications that are configured for
wireless deployment
4.
A software configuration is assigned to a user account
and it contains a BlackBerry Java Application that has a
dependency on another BlackBerry Java Application.
Optional applications that are configured for wired
deployment
If a BlackBerry Java Application in a software
configuration has a dependency on another application,
and the other application is not included in a software
configuration that is assigned to the user account or a
group that the user belongs to, the application is not
installed on the BlackBerry device.
If a BlackBerry Java Application in a software
configuration has a dependency on another application,
and the dependent application is included in a software
configuration that is assigned to the user account or a
group the user belongs to, the dependent application is
98
Administration Guide
Reconciliation rules for conflicting settings in software configurations
Scenario
Rule
installed first. If the dependent application is installed
successfully, the application with the dependency is
then installed.
A software configuration is assigned to a user account If a dependent application is not supported by the
and it contains a BlackBerry Java Application that has a BlackBerry device or was not installed successfully on
dependency on another BlackBerry Java Application.
the BlackBerry device, the application with the
The dependent application is not supported on the
dependency is not installed on the user's BlackBerry
BlackBerry device.
device.
Multiple BlackBerry Java Applications have a circular
If multiple BlackBerry Java Applications are included in
dependency (for example, application A is dependent
the same application bundle and have a circular
on application B, application B is dependent on
dependency, the applications are not installed on the
application C, and application C is dependent on
BlackBerry device. If multiple applications have a
application A) and are included in the same application circular dependency, they can only be installed if they
bundle. The application bundle is added to the
exist in separate application bundles and are installed
application repository. The applications are added to a using wired deployment.
software configuration and assigned to a user account
or a group the user belongs to.
Reconciliation rules: BlackBerry Device Software
Scenario
Rule
A software configuration that contains BlackBerry®
The BlackBerry Device Software in a software
Device Software is assigned to a user account. A
configuration that is assigned to a user account takes
software configuration that contains a different version precedence over the BlackBerry Device Software in a
of BlackBerry Device Software is assigned to a group that software configuration that is assigned to a group.
the user account belongs to.
Multiple software configurations that contain different The version of the BlackBerry Device Software that is
versions of BlackBerry Device Software are assigned to supported by the BlackBerry device and by the wireless
a user account.
service provider, and that you ranked highest in the
BlackBerry Administration Service, is installed on the
BlackBerry device. The BlackBerry® Enterprise Server
Express does not install a version of the BlackBerry
Device Software if that version is ranked lower than the
version of the BlackBerry Device Software that is
currently installed on the BlackBerry device.
99
Administration Guide
Reconciliation rules for conflicting settings in software configurations
Reconciliation rules: Standard application settings
Scenario
Rule
A software configuration with standard application
The standard application settings in a software
settings is assigned to a user account. A software
configuration that is assigned to a user account take
configuration with different standard application
precedence over the standard application settings in a
settings is assigned to a group that the user account
software configuration that is assigned to a group.
belongs to.
A user account belongs to multiple groups. The calendar The calendar initial view setting that is applied to the
initial view setting is configured differently in each of the user's BlackBerry® device is the lowest value that was
software configurations that are assigned to the groups. specified in the multiple software configurations.
A user account belongs to multiple groups. The calendar The calendar keep appointments setting that is applied
keep appointments setting is configured differently in to the user's BlackBerry device is the highest value that
each of the software configurations that are assigned to was specified in the multiple software configurations.
the groups.
A user account belongs to multiple groups. The email
If the email confirm delete setting is set to Yes in a
confirm delete setting is set to Yes in one or more of the software configuration that is assigned to a group that
software configurations that are assigned to the groups. the user account belongs to, the Yes setting is applied
The setting is set to No in the remaining software
to the BlackBerry device.
configurations.
A user account belongs to multiple groups. The email
If the email hide sent messages setting is set to No in a
hide sent messages setting is set to Yes in one or more software configuration that is assigned to a group that
of the software configurations that are assigned to the the user account belongs to, the No setting is applied to
groups. The setting is set to No in the remaining software the BlackBerry device.
configurations.
A user account belongs to multiple groups. The email
If the email save copy in sent folder setting is set to Yes
save copy in sent folder setting is set to Yes in one or
in a software configuration that is assigned to a group
more of the software configurations that are assigned that the user account belongs to, the Yes setting is
to the groups. The setting is set to No in the remaining applied to the BlackBerry device.
software configurations.
A user account belongs to multiple groups. The address If the address book sort by setting is configured
book sort by setting is configured differently in each of differently in the software configurations that are
the software configurations that are assigned to the
assigned to the groups that the user account belongs to,
groups.
the first name setting takes precedence over the last
name setting, and the last name setting takes
precedence over the company name setting.
A user account belongs to multiple groups. The
The Locked and visible setting takes precedence over
attributes settings for the various standard application the Unlocked and visible setting. The Unlocked and
settings are configured differently in the software
visible setting takes precedence over the Unlocked and
configurations that are assigned to the groups.
hidden setting.
100
Administration Guide
Reconciliation rules for conflicting settings in software configurations
Scenario
Rule
Standard application settings are configured in a
Standard application settings apply only to BlackBerry
software configuration and assigned to user accounts
devices that are associated with BlackBerry® Enterprise
with BlackBerry devices that are running a BlackBerry® Server Express version 5.0 or later, and BlackBerry
Device Software version earlier than 5.0.
devices that are running BlackBerry Device Software
version 5.0 or later.
Reconciliation rules: Application control policies
Scenario
Rule
A user is assigned multiple software configurations that An application control policy for an application in a
each contain the same application. A different
software configuration that is assigned to a user account
application control policy is assigned to the application takes precedence over an application control policy for
in each software configuration.
the same application in a software configuration that is
assigned to a group. The required setting takes
precedence over the optional setting. The optional
setting takes precedence over the disallowed setting.
If multiple software configurations contain the same
application, and each software configuration is assigned
a different custom application control policy with the
same disposition (for example, two custom required
application control policies), the application control
policy that you ranked highest in the BlackBerry®
Administration Service is applied to the user's
BlackBerry device.
Reconciliation rules: Application control policies for unlisted applications
Scenario
Rule
A software configuration with a default or custom
The application control policy for unlisted applications
application control policy for unlisted applications is
in a software configuration that is assigned to a user
assigned to a user account. A software configuration
account takes precedence over the application control
with a different application control policy for unlisted
policy for unlisted applications in a software
applications is assigned to a group that the user account configuration that is assigned to a group.
belongs to.
101
Administration Guide
Reconciliation rules for conflicting settings in software configurations
Scenario
Rule
A software configuration that defines unlisted
If unlisted applications are defined as disallowed in a
applications as disallowed is assigned to a user account. software configuration that is assigned to a user
A software configuration that defines unlisted
account, unlisted applications are not permitted on the
applications as optional is also assigned to the user
BlackBerry® device.
account.
Multiple software configurations with different access The application control policy for unlisted applications
control policies for unlisted applications are assigned to that you ranked highest in the BlackBerry
a user account.
Administration Service is applied to the BlackBerry
device.
102
Administration Guide
Alternative methods for installing BlackBerry Java Applications on BlackBerry devices
Alternative methods for installing BlackBerry
Java Applications on BlackBerry devices
10
Installing BlackBerry Java Applications on BlackBerry
devices without using the BlackBerry Administration Service
You can install and update BlackBerry® Java® Applications on BlackBerry devices without using the BlackBerry
Administration Service. You can use any of the following tools or software to install, update, and manage BlackBerry
Java Applications on BlackBerry devices:
•
•
•
•
•
BlackBerry® Desktop Software
BlackBerry® Web Desktop Manager
BlackBerry Application Web Loader on a web server
standalone application loader tool
web browser on BlackBerry devices
Developing BlackBerry Java Applications for BlackBerry
devices
Application developers can use the BlackBerry® Java® Development Environment or the BlackBerry® Java® Plug-in
for Eclipse® to create and test BlackBerry Java Applications for BlackBerry devices, and to package BlackBerry Java
Applications to install them on BlackBerry devices using a user’s computer or over the wireless network. Application
developers can use the BlackBerry JDE or the BlackBerry Java Plug-in for Eclipse to generate .cod files that contain
the compiled application code for a BlackBerry Java Application. BlackBerry devices execute .cod files to run
BlackBerry Java Applications. The BlackBerry JDE and the BlackBerry Java Plug-in for Eclipse also include tools to
generate .jad files or .alx descriptor files that provide information about a BlackBerry Java Application that is used
when the application is compiled.
MIDlets are Java applications that conform to the MIDP standard and can run on any mobile device that runs Java
applications. Most MIDlets are distributed as .jar files. The BlackBerry JDE and the BlackBerry Java Plug-in for Eclipse
include tools that you can use to convert existing MIDlets that are in .jad and .jar file formats to .cod file formats for
use on BlackBerry devices.
For more information about developing and customizing BlackBerry Java Applications, visit www.blackberry.com/
developers.
Methods you can use to install BlackBerry Java
Applications on BlackBerry devices
If you do not want to use the BlackBerry® Administration Service to install or update BlackBerry Java® Applications
on BlackBerry devices over the wireless network, you can use any of the following methods:
103
Installing BlackBerry Java Applications using the BlackBerry Desktop Software
Administration Guide
Method
Install BlackBerry Java Applications
using the BlackBerry® Desktop
Software
Install BlackBerry Java Applications
using the BlackBerry Application
Web Loader
Install BlackBerry Java Applications
using the standalone application
loader tool
Install BlackBerry Java Applications
using a web browser on BlackBerry
devices
Description
You can install a BlackBerry Java Application on a BlackBerry device by
instructing the user to use the application loader tool that is part of the
BlackBerry Desktop Software. An automated application installer installs
the application files on the user’s computer. The user uses the BlackBerry®
Desktop Manager to navigate to the application files and install the
BlackBerry Java Application on a BlackBerry device that the user connects
to the computer.
You can install a BlackBerry Java Application on a BlackBerry device by
instructing the user to browse to a specific web server that you configured
to use the BlackBerry Application Web Loader. The user must connect the
BlackBerry device to the computer.
You can install a BlackBerry Java Application on a BlackBerry device by
installing the standalone application loader tool in a shared network folder,
and providing users with a link to run the tool. The user must connect the
BlackBerry device to the computer.
This method requires that you install the BlackBerry® Device Manager on
the user's computer but does not require a full installation of the BlackBerry
Desktop Software.
You can install a BlackBerry Java Application on a BlackBerry device by
installing the files for the BlackBerry Java Application on a web server and
instructing the user to browse to the appropriate web address on the
BlackBerry device. Users can download the BlackBerry Java Application
from an Internet web site using a web browser or from an intranet web site
using the BlackBerry® Browser.
This method does not require the user to connect the BlackBerry device to
the computer.
Installing BlackBerry Java Applications using the
BlackBerry Desktop Software
Application developers can use the BlackBerry® Java® Development Environment or the BlackBerry® Java® Plug-in
for Eclipse® to create an automated application installer. You can use the application installer to install the files for
a BlackBerry Java Application (the .alx identifier file and the application's .cod files) on users’ computers. You can
then instruct users to use the application loader tool in the BlackBerry® Desktop Software to install the BlackBerry
Java Application on their BlackBerry devices. Users must connect their BlackBerry devices to their computers.
This method has the following advantages:
•
•
104
You can control how the application files are distributed to users’ computers.
Users are responsible for completing the installation.
Administration Guide
•
Installing BlackBerry Java Applications using the BlackBerry Desktop Software
If you installed the BlackBerry® Desktop Software on users’ computers, they can use it to install the BlackBerry
Java Applications.
This method has the following disadvantages:
•
•
•
•
You must install the BlackBerry Desktop Software on users’ computers.
The users must use the BlackBerry Desktop Software to install the BlackBerry Java Application.
You cannot control when the users install the BlackBerry Java Application.
Users must connect their BlackBerry devices to their computers.
Prerequisites: Installing BlackBerry Java Applications using the BlackBerry
Desktop Software
BlackBerry® device
•
BlackBerry APIs and Java® ME (standard on BlackBerry devices)
User’s computer
•
•
•
Windows® 2000 or later, Windows® XP, or Windows Vista®
BlackBerry® Desktop Software version 4.0 or later
Research In Motion® USB drivers and a USB connection for the BlackBerry device
BlackBerry Java Application
•
•
.alx files and .cod files: The .alx file is the application descriptor that provides information about the application
and the location of the application's .cod files. A .cod file contains compiled and packaged application code. The
application loader tool requires these files so that it can install the BlackBerry Java Application on BlackBerry
devices.
required modules: Some BlackBerry Java Applications require modules that are part of the BlackBerry® Device
Software. The required modules are listed in the .alx file in a <requires> tag. If the required modules do not exist
on the BlackBerry device, you need to install the necessary BlackBerry Device Software on the BlackBerry device.
For more information about application dependencies, visit www.blackberry.com/developers to read the
BlackBerry Java Development Environment Development Guide.
Make the BlackBerry Java Application available to the BlackBerry Desktop
Software
1.
2.
Obtain the application installer (.exe file) for the BlackBerry® Java® Application from the application developer,
vendor, or wireless service provider.
Run the application installer on the user's computer to install the .alx identifier file and .cod file in an installation
folder on the user’s computer. You can also run the application installer to install the .alx identifier file and .cod
file in a shared network folder that users can access from their computers.
105
Administration Guide
Installing BlackBerry Java Applications using the BlackBerry Application Web Loader
Install the BlackBerry Java Application using the BlackBerry Desktop
Software
For instructions for how to install a BlackBerry® Java® Application using the BlackBerry Desktop Software, visit
www.blackberry.com/go/docs to find the required version of the BlackBerry Desktop Software User Guide.
Installing BlackBerry Java Applications using the
BlackBerry Application Web Loader
You can configure the BlackBerry® Application Web Loader, which uses Microsoft® ActiveX®, to install a BlackBerry
Java® Application on BlackBerry devices using a web server and Microsoft® Internet Explorer® on users’ computers.
You can add the BlackBerry Application Web Loader to a web server (for example, on your organization’s intranet or
a public web server), and instruct users to browse to the appropriate web address using Microsoft Internet
Explorer. The BlackBerry Application Web Loader prompts users to install the BlackBerry Java Application, and installs
the required .cod files for the application on BlackBerry devices. The users must connect their BlackBerry devices to
their computers.
The BlackBerry Application Web Loader supports .cod files only. To install a MIDlet, convert the .jar file to a .cod file.
For more information about how to compile .java and .jar file formats into the .cod file format, visit
www.blackberry.com/developers to read the BlackBerry Java Development Environment Development Guide. For
more information about the BlackBerry Application Web Loader and a sample development template, visit
www.blackberry.com/go/docs to read the BlackBerry Application Web Loader Developer Guide.
This method has the following advantages:
•
•
•
You do not have to install the BlackBerry® Desktop Software on users’ computers.
The installation process is straightforward and requires Microsoft Internet Explorer, a common web browser.
Users are responsible for completing the installation.
This method has the following disadvantages:
•
•
You cannot control when the users install the BlackBerry Java Application.
Users must connect their BlackBerry devices to their computers.
Prerequisites: Installing BlackBerry Java Applications using the BlackBerry
Application Web Loader
BlackBerry device
•
BlackBerry® APIs and Java® ME (standard on BlackBerry devices)
User’s computer
•
•
•
106
Windows® 2000 or later, Windows® XP, or Windows Vista®
Microsoft® Internet Explorer® version 5.0 or later
Microsoft® ActiveX® version 8.0 or later
Administration Guide
•
•
Installing BlackBerry Java Applications using the BlackBerry Application Web Loader
BlackBerry Application Web Loader; if the BlackBerry Application Web Loader is not installed, the user is
prompted to install it after the user browses to the specified web address
Research In Motion® USB drivers and a USB connection for the BlackBerry device
Web server
Configure the following MIME types on the web server to permit users to download and install BlackBerry Java
Applications on BlackBerry devices:
•
•
•
•
.cod files: application/vnd.rim.cod
.jad files: text/vnd.sun.j2me.app-descriptor
scripting language: Use a scripting language that is supported by Microsoft Internet Explorer and Microsoft
ActiveX.
AxLoader.cab file: Copy the AxLoader.cab file to the folder that the web page .html files are located in (or update
the <object> element URL information in the .html file to the new location).
BlackBerry Java Application
•
•
•
•
.jad files and .cod files: The .jad file is the application descriptor that provides information about the application
and the location of .cod files. A .cod file contains compiled and packaged application code. The BlackBerry
Application Web Loader requires these files to install the BlackBerry Java Application.
The maximum .jad file size is 4096 bytes.
The maximum number of .cod files supported by the BlackBerry Application Web Loader is 32.
MIDlet support: The BlackBerry Application Web Loader supports CLDC applications that reference the
BlackBerry API or MIDlets that have been converted to the .cod file format.
Enable the BlackBerry Application Web Loader on a web server
Before you begin:
• Obtain the .jad and .cod files for the BlackBerry® Java® Application from the application developer, vendor, or
wireless service provider.
• Visit www.blackberry.com/developers to download the latest version of the BlackBerry Application Web Loader
(AxLoader.cab).
1.
2.
3.
4.
Create a web page that you can use to install the BlackBerry Java Application on BlackBerry devices.
Copy the AxLoader.cab file to the folder where the web page’s .html files are located.
Copy the .jad and .cod files for the application on the web server that hosts the web page.
Reference a specific version of the BlackBerry Application Web Loader.
5.
For more information about referencing a specific version of the BlackBerry Application Web Loader, visit
www.blackberry.com/go/docs to read the BlackBerry Application Web Loader Developer Guide.
Associate the BlackBerry Application Web Loader with the .jad file.
6.
To load the .jad file, invoke loadJad(). Use a string parameter that represents one of the following:
• If the .jad file is in the same location as the AxLoader.cab file, use the .jad file name.
107
Administration Guide
Installing BlackBerry Java Applications using the standalone application loader tool
• If the .jad file is in a different location than the AxLoader.cab file, use the relative location address of the .jad
file.
7.
Send the web address to users.
The BlackBerry Application Web Loader requires the BlackBerry device password before it can install a BlackBerry
Java Application. If a password is set, the AxLoaderPassword control is used to obtain the password. This control is
included in the AxLoader.cab file. For more information about obtaining a BlackBerry device password, visit
www.blackberry.com/go/docs to read the BlackBerry Application Web Loader Developer Guide.
Install the BlackBerry Java Application using the BlackBerry Application
Web Loader
Send these instructions to users.
1.
2.
3.
4.
Connect the BlackBerry® device to your computer.
Using Microsoft® Internet Explorer® version 5.0 or later, browse to <web_address>.
If the required version of the BlackBerry Application Web Loader is not installed on your computer, accept the
installation prompt, and complete the instructions on the screen.
Complete the instructions on the screen to install the BlackBerry Java Application.
Installing BlackBerry Java Applications using the
standalone application loader tool
The standalone application loader tool is included in the BlackBerry® Enterprise Server Express installation files. You
can make the standalone application loader tool available from a shared network folder and provide users with a
link to run the tool and install the BlackBerry Java® on their BlackBerry devices. The users must connect their
BlackBerry devices to their computers to install the BlackBerry Java Application.
You must install the BlackBerry® Device Manager on users’ computers so that users can use this method to install
BlackBerry Java Applications. The BlackBerry Device Manager manages the connection between the standalone
application loader tool and the BlackBerry device. The BlackBerry Device Manager is included in the BlackBerry®
Desktop Software. You can also install the BlackBerry Device Manager on users' computers without installing the full
BlackBerry Desktop Software. To download the BlackBerry Device Manager or the BlackBerry Desktop Software, visit
na.blackberry.com/eng/support/downloads/.
You can also use the standalone application loader tool to install BlackBerry Java Applications in automated mode
on BlackBerry devices. Automated mode installs the BlackBerry Java Application on BlackBerry devices without giving
users the option to cancel the installation.
Advantages of this method include:
•
•
The installation process is straightforward.
Users are responsible for completing the installation.
Disadvantages of this method include:
108
Administration Guide
•
•
•
Installing BlackBerry Java Applications using the standalone application loader tool
You cannot control when users install the BlackBerry Java Application.
Users must connect the BlackBerry device to their computers.
You must install the BlackBerry Desktop Software on users’ computers.
Prerequisites: Installing BlackBerry Java Applications using the standalone
application loader tool
BlackBerry device
•
BlackBerry® APIs and Java® ME (standard on BlackBerry devices)
User’s computer
•
•
•
•
Windows® 2000 or later, Windows® XP, or Windows Vista®
BlackBerry® Desktop Software version 4.0 or later
BlackBerry® Device Manager version 4.1 (for automated mode)
Research In Motion USB drivers and USB connection
BlackBerry Java Application
•
•
•
.alx file and .cod files: The .alx file is the application descriptor that provides information about the application
and the location of the application's .cod files. A .cod file contains compiled and packaged application code. The
standalone application loader tool requires these files to install the BlackBerry Java Application.
required modules: Some BlackBerry Java Applications require modules that are part of the BlackBerry® Device
Software. The required modules are listed in the .alx file in a <requires> tag. If the required modules do not exist
on the BlackBerry device, you must install the required BlackBerry Device Software on the BlackBerry device.
For more information about application dependencies, visit www.blackberry.com/developers to read the
BlackBerry Java Development Environment Development Guide.
required BlackBerry Java Applications: To configure a BlackBerry Java Application as required on a BlackBerry
device, in the .alx file, after the copyright statement, add the following tag: <required>true</required>.
Add BlackBerry Java Application files to a shared network folder
Before you begin:
• The standalone application loader tool is installed when you install the BlackBerry® Enterprise Server Express.
Verify that the standalone application loader tool is installed in <drive>:\Program Files\Common Files\Research
In Motion\AppLoader.
• Obtain the .alx and .cod files for the BlackBerry® Java® Application from the application developer, vendor, or
wireless service provider.
1.
In <drive:>\Program Files\Common Files\Research In Motion\Shared\Applications\, create a folder with a
unique name to contain the application files. Maintain the application’s file structure.
2.
Copy the .cod, .alx, and .dll files for the BlackBerry Java Application to the folder that you created.
109
Administration Guide
Installing BlackBerry Java Applications using the standalone application loader tool
Share the Research In Motion folder that contains the BlackBerry Java
Application
1.
Navigate to <drive>:\Program Files\Common Files\Research In Motion.
2.
3.
4.
5.
Right-click the Research In Motion folder. Click Properties.
On the Sharing tab, click Share this folder. Provide read-only permissions.
If necessary, configure other required options.
Click OK.
After you finish: Select a distribution method (for example, an email message or an intranet web page) that you can
use to provide users with a link to the loader.exe file (for example, \\<shared_computer_name>\Research In Motion
\Apploader\loader.exe.
Configure the standalone application loader tool to install the BlackBerry
Java Application in automated mode
Use automated mode if you do not want to give users the option to cancel the installation of the BlackBerry® Java®
Application.
Before you begin: Verify that BlackBerry® Device Manager version 4.1 or later is installed on the user’s computer.
When you distribute the link to the shared network folder to users, specify the loading command using the
following format:
• USB: \\<shared_computer_name>\Research In Motion\Apploader\loader.exe /defaultUSB /forceload
Install the BlackBerry Java Application using the standalone application
loader tool
Send these instructions to users.
Before you begin: Verify that the BlackBerry® Desktop Software is installed on your computer. If it is not, contact
your administrator.
1.
2.
3.
4.
5.
6.
7.
110
Connect the BlackBerry device to your computer.
If prompted, type your BlackBerry device password.
Click Next.
On your computer, click the link to the loader.exe file that your administrator provided you with.
If a security warning displays, click Run.
Complete the instructions on the screen.
When the installation process completes, click Close.
Administration Guide
Installing BlackBerry Java Applications using a web browser on BlackBerry devices
Installing BlackBerry Java Applications using a web
browser on BlackBerry devices
You can install BlackBerry® Java® Applications on BlackBerry devices over the wireless network. This method does
not require users to connect their BlackBerry devices to their computers.
You can add the required files for the BlackBerry Java Application (a .jad file and the application .cod or .jar files) to
a web server, and instruct users to navigate to the appropriate web address using a browser on their BlackBerry
devices. Users can use the BlackBerry® Browser or the wireless service provider’s WAP Browser. When users access
the web address, they can click a download option to install the BlackBerry Java Application on their BlackBerry
devices.
This method has the following advantages:
•
•
•
You do not have to install the BlackBerry® Desktop Software on users’ computers.
Users do not have to connect their BlackBerry devices to their computers.
Users are responsible for completing the installation.
This method has the following disadvantages:
•
•
You cannot control when users install the BlackBerry Java Application.
Installing a BlackBerry Java Application on BlackBerry devices over the wireless network can result in increased
network usage.
Prerequisites: Installing BlackBerry Java Applications using a web browser
on BlackBerry devices
BlackBerry device
•
BlackBerry® APIs and Java® ME (standard on BlackBerry devices)
Web server
Configure the following MIME types on the web server to permit users to download and install BlackBerry Java
Applications on BlackBerry devices:
•
•
•
.cod files: application/vnd.rim.cod
.jad files: text/vnd.sun.j2me.app-descriptor
.jar files (optional): application/java-archive
BlackBerry Java Application
•
•
.jad file: The .jad file is the application descriptor that provides information about the application and the location
of the application’s .cod or .jar files.
.cod or .jar files: These files contain compiled and packaged application code.
111
Administration Guide
Installing BlackBerry Java Applications using a web browser on BlackBerry devices
Install the BlackBerry Java Application on a web server
Before you begin: Obtain the .jad and .cod files or .jar files for the BlackBerry® Java® Application from the application
developer, vendor, or wireless service provider.
1.
2.
Create a web page that you can use to install the BlackBerry Java Application on BlackBerry devices.
Copy the application .jad and .cod files or .jar files to the web server that hosts the web page.
After you finish: Select a distribution method (for example, an email message or an intranet web page) that you can
use to provide users with the web address for the web page that you created.
Install the BlackBerry Java Application using a web browser on the
BlackBerry device
Send these instructions to users.
1.
2.
3.
112
Open a web browser on the BlackBerry® device.
Navigate to the web address that your administrator provided you with.
Click Download.
Administration Guide
Configuring how users access enterprise applications and web content
Configuring how users access enterprise
applications and web content
11
Specifying a BlackBerry MDS Connection Service as a
central push server
At least one BlackBerry® MDS Connection Service in your organization's BlackBerry Domain must act as a central
push server. Central push servers receive content push requests from server-side applications that are located on
an application server or on a web server. Central push servers also manage push requests and send application data
and application updates to BlackBerry device applications.
If a BlackBerry Domain includes one BlackBerry MDS Connection Service that is version 5.0 or later, by default, that
BlackBerry MDS Connection Service is the central push server. If two BlackBerry MDS Connection Service instances
(that are version 5.0 or later) exist in a BlackBerry Domain, by default, both instances are central push servers. If
more than two BlackBerry MDS Connection Service instances (that are version 5.0 or later) exist in a BlackBerry
Domain, the first two instances that start are central push servers. You can configure any BlackBerry MDS Connection
Service in your organization's BlackBerry Domain to act as a central push server. If a BlackBerry MDS Connection
Service in your organization's environment is earlier than version 5.0, it is not designated as a central push server
automatically when it starts.
Related topics
Configure multiple BlackBerry Enterprise Server Express instances to use the same BlackBerry MDS Connection Service, 57
Specify a BlackBerry MDS Connection Service as a central push server
You can specify more than one BlackBerry® MDS Connection Service in your organization's BlackBerry Domain as a
central push server. By default, if one or two BlackBerry MDS Connection Service instances exist in the BlackBerry
Domain, those instances are central push servers.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, in the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > MDS Connection Service.
Click the instance that you want to change.
Click Edit instance.
In the General section, in the Is centralized push server drop-down list, click Yes.
Click Save all.
After you finish:
• Notify the push application developers in your organization's environment that you have specified a new central
push server.
113
Administration Guide
Configuring how BlackBerry devices authenticate to content servers
Configuring how BlackBerry devices authenticate to
content servers
If you configured the content servers in your organization's environment to use an authentication protocol to
authenticate the sources of the data requests that they receive, you can control how BlackBerry® devices authenticate
to content servers to receive application data and application updates.
Configure how BlackBerry devices authenticate to content servers
You can configure whether BlackBerry® devices authenticate to content servers directly, or whether the BlackBerry
MDS Connection Service authenticates to content servers on behalf of BlackBerry devices. If you configure BlackBerry
devices to authenticate directly to content servers but you do not configure an authentication method for BlackBerry
MDS Connection Service connections, authenticated BlackBerry devices prompt users to provide login information
every 60 minutes. The BlackBerry devices prompt users only if the connection to the content server persists for more
than 60 minutes.
1.
2.
3.
4.
5.
6.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
Click MDS Connection Service.
Click Edit component.
On the HTTP tab, in the Protocol service information section, in the Authentication support enabled drop-down
list, perform one of the following actions:
• If you want BlackBerry devices to authenticate to content servers directly, click No.
• If you want the BlackBerry MDS Connection Service to store authentication information and perform HTTP
authentication on behalf of BlackBerry devices, click Yes.
If necessary, in the Authentication timeout field, type the length of time, in milliseconds, that you want
authentication information for BlackBerry devices to remain valid on the content server.
By default, the authentication timeout limit is 1 hour.
Click Save all.
After you finish: If you set Authentication support enabled to Yes, configure the BlackBerry MDS Connection Service
to authenticate to content servers that use NTLM, Kerberos™, LTPA, or RSA® Authentication Manager on behalf of
BlackBerry devices.
Related topics
Managing how users access enterprise applications and web content, 212
Configure the BlackBerry MDS Connection Service to authenticate
BlackBerry devices to content servers that use NTLM
Before you begin: Configure the BlackBerry® MDS Connection Service to authenticate to content servers on behalf
of BlackBerry devices.
114
Administration Guide
1.
2.
Configuring how BlackBerry devices authenticate to content servers
Navigate to <drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\Instance
\config.
Configure the MdsLogin.conf file.
For more information about the Java® Authentication and Authorization Service configuration file, visit http://
java.sun.com/javase/6/docs/technotes/guides/security/jgss/tutorials/LoginConfigFile.html.
Configure the BlackBerry MDS Connection Service to authenticate
BlackBerry devices to content servers that use Kerberos
Before you begin: Configure the BlackBerry® MDS Connection Service to authenticate to content servers on behalf
of BlackBerry devices.
1.
2.
Navigate to <drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\Instance
\config.
Configure the krb5.conf file.
For more information about the Kerberos™ 5 configuration file, visit web.mit.edu/kerberos/www/krb5-1.3/
krb5-1.3.3/doc/krb5-admin.html#krb5.conf.
Configure the BlackBerry MDS Connection Service to authenticate
BlackBerry devices to content servers that use LTPA
BlackBerry® devices that are running BlackBerry® Device Software version 3.8 or later manage how HTTP cookies are
stored and used to authenticate to content servers that use LTPA authentication technology. For BlackBerry devices
that use previous versions of the BlackBerry Device Software, you must permit the BlackBerry MDS Connection Service
to manage HTTP cookie storage on BlackBerry devices.
Before you begin: Configure the BlackBerry MDS Connection Service to authenticate to the content servers in your
organization's environment on behalf of BlackBerry devices.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, in the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
Click MDS Connection Service.
Click Edit component.
On the HTTP tab, in the Protocol service information section, in the Cookie support enabled drop-down list,
click Yes.
Click Save all.
115
Administration Guide
Configuring how BlackBerry devices authenticate to content servers
Configuring the BlackBerry MDS Connection Service to authenticate
devices to the RSA Authentication Manager
You can configure the BlackBerry® MDS Connection Service to require that BlackBerry device users pass RSA®
authentication when they access the Internet or intranet from BlackBerry devices. You can configure the BlackBerry
MDS Connection Service to require that users use RSA authentication in one of the following scenarios:
• when users access every web site and intranet site from devices
• when users access intranet sites from devices
• when users access web addresses or intranet addresses that you specify
If you configure the BlackBerry MDS Connection Service to require that users use RSA authentication to access web
addresses or intranet addresses that you specify, you can choose to apply this option to specific user accounts or to
all user accounts that are associated with a BlackBerry® Enterprise Server Express instance.
After the RSA Authentication Manager authenticates the devices, if you configured proxy authentication, the devices
prompt users to authenticate to the proxy server.
Prerequisites: Configuring the BlackBerry MDS Connection Service to support RSA
authentication when the BlackBerry MDS Connection Service runs on Windows Server
2008
•
•
•
•
If required, remove the RSA® Authentication Agent from the computer that hosts the BlackBerry® MDS
Connection Service.
If required, in the RSA® Authentication Manager, delete the node secret data for the computer that hosts the
BlackBerry MDS Connection Service.
If required, delete the node secret data that is located on the computer that hosts the BlackBerry MDS
Connection Service.
Retrieve the RSA Authentication API version 5.0.3.2 from RSA.
Configure the BlackBerry MDS Connection Service to support RSA authentication
when the BlackBerry MDS Connection Service runs on Windows Server 2008
1.
On the computer that hosts the BlackBerry® MDS Connection Service, copy the aceclnt.dll file and sdmsg.dll file
from the RSA® Authentication API to one of the following folders:
• If you are running a 32-bit version of Windows Server® 2008, the <drive>:\WINDOWS\system32 folder
• If you are running a 64-bit version of Windows Server 2008, the <drive>:\WINDOWS\SysWow64 folder
2.
3.
In the RSA® Authentication Manager, create an Agent Host record for the BlackBerry® Enterprise Server Express.
The RSA Authentication Manager generates an sdconf.rec file.
On the computer that hosts the BlackBerry MDS Connection Service, copy the sdconf.rec file that the RSA
Authentication Manager generates to one of the following folders:
• If you are running a 32-bit version of Windows Server 2008, the <drive>:\WINDOWS\system32 folder
• If you are running a 64-bit version of Windows Server 2008, the <drive>:\WINDOWS\SysWow64 folder
4.
In the Windows® Services, restart the BlackBerry MDS Connection Service.
116
Administration Guide
Configuring how the BlackBerry MDS Connection Service manages requests for web content
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Configure the BlackBerry MDS Connection Service to authenticate devices to the RSA
Authentication Manager
Before you begin:
• Configure the BlackBerry® MDS Connection Service to authenticate to the content servers in your organization's
environment on behalf of BlackBerry devices.
• To specify the web addresses that require RSA® authentication, configure URL patterns and access control rules
that restrict user access to specific web addresses or intranet addresses.
1.
2.
3.
4.
5.
6.
7.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
Click MDS Connection Service.
Click Edit component.
On the RSA tab, in the Protocol service information section, in the RSA® authentication support drop-down
list, select one of the following options:
• If you want users to use RSA authentication when they access every web address or intranet address, select
Turn on globally.
• If you want users to use RSA authentication when they access the intranet only, select Turn on for Intranet
only.
• If you want users to use RSA authentication for web addresses or intranet addresses that you specify, select
Turn on for specific sites only.
In the RSA authentication timeout field, type a number, in minutes, to specify how long devices that the RSA
Authentication Manager authenticates can remain connected to your organization's network while the users
are active.
By default, the authenticated connection persists for 24 hours.
In the RSA inactivity timeout field, type a number, in minutes, to specify how long devices can remain connected
to your organization's network while the users are inactive.
By default, an authenticated connection persists for 60 minutes of user inactivity on the devices.
Click Save all.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Managing how users access enterprise applications and web content, 212
Configuring how the BlackBerry MDS Connection Service
manages requests for web content
The BlackBerry® MDS Connection Service manages requests for web content from the BlackBerry® Browser and other
applications on BlackBerry devices. You can configure how the BlackBerry MDS Connection Service manages these
requests.
117
Administration Guide
Configuring how the BlackBerry MDS Connection Service manages requests for web content
Configure the BlackBerry MDS Connection Service to manage HTTP cookie
storage
By default, the BlackBerry® MDS Connection Service does not manage HTTP cookie storage for BlackBerry devices.
If the BlackBerry device requires JavaScript® support for its HTTP requests, the BlackBerry device processes cookies.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
Click MDS Connection Service.
Click Edit component.
On the HTTP tab, in the Protocol service information section, in the Cookie support enabled drop down list,
click Yes.
Click Save all.
After you finish: To prevent the BlackBerry MDS Connection Service from managing HTTP cookie storage, change
the Cookie support enabled drop-down list to No.
Configure the timeout limit for HTTP connections with BlackBerry devices
You can specify how long a BlackBerry® MDS Connection Service waits for a BlackBerry device to send data to it
before the BlackBerry MDS Connection Service closes the HTTP connection to the BlackBerry device. The default
timeout limit is 120,000 milliseconds (2 minutes).
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
Click MDS Connection Service.
Click Edit component.
On the HTTP tab, in the Protocol service information section, in the Device connection timeout field, type a
number in milliseconds.
Click Save all.
Configure the timeout limit for HTTP connections with web servers
You can specify how long a BlackBerry® MDS Connection Service waits for a web server to send data to it before the
BlackBerry MDS Connection Service closes the HTTP connection to the web server. The default timeout limit is 120,000
milliseconds (2 minutes).
1.
2.
3.
4.
118
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
Click MDS Connection Service.
Click Edit component.
On the HTTP tab, in the Protocol service information section, in the Server connection timeout field, type a
number in milliseconds.
Administration Guide
5.
Permitting push applications to make trusted connections to a BlackBerry MDS Connection Service
Click Save all.
Configure the maximum number of times that the BlackBerry Browser
accepts HTTP redirections
HTTP redirection occurs when the BlackBerry® Browser requests a web page from a web server and the web server
redirects the request to a new web address for the page. The default limit is 5 redirections.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
Click MDS Connection Service.
Click Edit component.
On the HTTP tab, in the Protocol service information section, in the Maximum redirect connections field, type
a number.
Click Save all.
Permitting push applications to make trusted connections
to a BlackBerry MDS Connection Service
To permit push applications to open trusted connections to a BlackBerry® MDS Connection Service, you must create
a key store (the webserver.keystore file) on the computer that hosts the BlackBerry MDS Connection Service. This
key store permits the BlackBerry MDS Connection Service to accept HTTPS connections from push applications.
Push applications can use a BlackBerry MDS Connection Service certificate to open HTTPS connections to the
BlackBerry MDS Connection Service to push application data and application updates to the BlackBerry devices that
are assigned to that BlackBerry MDS Connection Service.
You can use the Java® keytool to create a self-signed certificate for the BlackBerry MDS Connection Service, or you
can import a signed certificate from a trusted public certification authority. You can use the Java keytool to export
the BlackBerry MDS Connection Service certificate from the key store, and import the certificate to the key stores
that the Java push applications use.
For more information about using the Java keytool, visit java.sun.com/javase/6/docs/technotes/tools/windows/
keytool.html. For more information about the Apache Tomcat™ requirements, visit tomcat.apache.org/tomcat-5.5doc/ssl-howto.html.
Create a key store to store certificates for use with HTTPS connections
You must create a key store to store the certificates that permit the BlackBerry® MDS Connection Service to accept
HTTPS connections from push applications.
1.
On the computer that hosts the BlackBerry MDS Connection Service, on the taskbar, click Start > Programs >
BlackBerry Enterprise Server > BlackBerry Server Configuration.
119
Administration Guide
2.
3.
4.
5.
Permitting push applications to make trusted connections to a BlackBerry MDS Connection Service
On the Mobile Data Service tab, configure the key store information. Only one key store can exist. The file must
be named webserver.keystore and it must be located at <drive>:\Program Files\Research In Motion\BlackBerry
Enterprise Server\MDS\webserver.
Click Create Keystore File.
If prompted to overwrite a key store, click Yes.
Click OK.
Add a certificate for the BlackBerry MDS Connection Service
To permit server-side push applications to open trusted HTTPS connections to a BlackBerry® MDS Connection Service
and push application data and application updates to BlackBerry devices, you must add a certificate for the BlackBerry
MDS Connection Service to the webserver.keystore file.
1.
2.
On the computer that hosts the BlackBerry MDS Connection Service, navigate to <drive>:\Program Files\Java
\<JRE_version>\bin.
At the command prompt, perform one of the following tasks:
Task
Steps
Create a self-signed certificate for the BlackBerry MDS
Connection Service and add it to the key store.
a.
Add a publicly signed certificate to the key store.
3.
b.
Type keytool -genkey -alias tomcat -keyalg RSA keystore webserver.keystore.
Type the required information.
c.
To confirm the information that you typed, type Yes.
a.
b.
Type keytool -import -trustcacerts -alias tomcat -file
<trustedserver.cer> -keystore webserver.keystore.
Type the key store password.
c.
When prompted, click Yes.
Copy the key store file to <drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS
\webserver.
After you finish: Export the certificate for the BlackBerry MDS Connection Service to make it available to other
applications.
Export the BlackBerry MDS Connection Service certificate to make it
available to push applications
You must export the certificate for the BlackBerry® MDS Connection Service so that you can import it to the key store
of a server-side push application.
Before you begin: Add a self-signed or publicly signed certificate for the BlackBerry MDS Connection Service to the
key store.
1.
120
On the computer that hosts the BlackBerry MDS Connection Service, navigate to <drive>:\Program Files\Java
\<JRE_version>\bin.
Administration Guide
2.
3.
Configuring a BlackBerry MDS Connection Service to trust web servers
At the command prompt, type keytool -export -alias tomcat -file <server.cer> -keystore <drive>:\Program Files
\Research In Motion\BlackBerry Enterprise Server\MDS\webserver\webserver.keystore -storepass
<password>.
Type the key store password.
After you finish: Import the certificate for the BlackBerry MDS Connection Service to the key store of a push
application.
Import the BlackBerry MDS Connection Service certificate to the key store
of a push application
To permit a server-side push application to open trusted connections to the BlackBerry® MDS Connection Service,
you must add the certificate for the BlackBerry MDS Connection Service to the key store of the push application.
1.
2.
3.
4.
On the computer that hosts the BlackBerry MDS Connection Service, navigate to <drive>:\Program Files\Java
\<JRE_version>\bin.
At a command prompt, type keytool -import -trustcacerts -alias <alias> -file <server.cer> -keystore
<application_keystore>.
Type the key store password.
To add the certificate to the key store, at the prompt, type Yes.
After you finish: If the certificate does not exist, import the certificate to <drive>:\Program Files\Java\<JRE version>
\lib\security\cacerts.
Configuring a BlackBerry MDS Connection Service to trust
web servers
You can configure the BlackBerry® MDS Connection Service to permit BlackBerry devices to pull application data and
updates from trusted or untrusted web servers. If you want to open trusted connections between web servers and
the BlackBerry MDS Connection Service, you must import the certificate for the web server into the JRE™ certificates
keystore file (JRE cacerts).
The BlackBerry MDS Connection Service supports LDAP, OCSP, and CRL to retrieve certificates and certificate status,
and HTTPS and SSL/TLS for connections that use trusted certificates.
Specify whether the BlackBerry MDS Connection Service requires trusted
HTTPS connections from web servers
1.
2.
3.
4.
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
Click MDS Connection Service.
Click Edit component.
On the HTTPS tab, in the Name field, type the name of a web server.
121
Administration Guide
5.
6.
7.
8.
9.
Configuring a BlackBerry MDS Connection Service to trust web servers
In the Service URL field, type the regular expression for the web address of the web server. For example, type *
to represent all web servers, or type https://<domain>.com* to specify all web servers in a specific domain.
For more information about regular expressions in Java®, visit java.sun.com/j2se/1.4.2/docs/api/java/util/
regex/Pattern.html and java.sun.com/docs/books/tutorial/essential/regex/literals.html.
In the Settings section, in the Allow untrusted servers drop-down list, perform one of the following actions:
• To permit only trusted HTTPS connections from the web server, click No.
• To permit untrusted HTTPS connections from the web server, click Yes.
Click the Add icon.
Repeat steps 4 to 7 for each web server that you want to specify.
Click Save all.
After you finish: Restart the BlackBerry MDS Connection Service.
Related topics
Add a retrieved certificate for a web server to the key store, 128
Restarting BlackBerry Enterprise Server Express components, 272
Specify whether the BlackBerry MDS Connection Service requires trusted
TLS connections from web servers
1.
2.
3.
4.
5.
6.
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
Click MDS Connection Service.
Click Edit component.
On the TLS tab, in the Name field, type the name of a web server.
In the Service URL field, type the regular expression for the web address of the web server.
In the Settings section, in the Allow untrusted servers drop-down list, perform one of the following actions:
• To permit only trusted TLS connections from the web server, click No.
• To permit untrusted TLS connections from the web server, click Yes.
7.
8.
9.
Click the Add icon.
Repeat steps 4 to 7 for each web server that you want to specify.
Click Save all.
After you finish: Restart the BlackBerry MDS Connection Service.
Related topics
Add a retrieved certificate for a web server to the key store, 128
Restarting BlackBerry Enterprise Server Express components, 272
122
Administration Guide
Configuring a BlackBerry MDS Connection Service to trust web servers
Configuring certificate server information for the BlackBerry MDS
Connection Service
The certificate for the BlackBerry® MDS Connection Service permits push applications to make HTTPS connection to
the BlackBerry MDS Connection Service. You can configure the BlackBerry MDS Connection Service to search for and
retrieve certificates and the status of the certificates that external web servers use to make HTTPS connections.
To search for and retrieve certificates from an LDAP server, you can configure the BlackBerry MDS Connection Service
to use LDAP or DSML. The BlackBerry MDS Connection Service searches each LDAP server using LDAP or DSML in the
order that you specify. If you configure the BlackBerry MDS Connection Service to use both LDAP and DSML to search
and retrieve certificates, the BlackBerry MDS Connection Service searches the servers using LDAP and then searches
the servers using DSML. After the BlackBerry MDS Connection Service retrieves the certificate, the BlackBerry®
Enterprise Server Express sends the certificate to the BlackBerry device, and the BlackBerry device displays the
certificate so that the user can accept it. The BlackBerry MDS Connection Service supports DSML version 2.
To search for and retrieve the status of the certificates, you can configure the BlackBerry MDS Connection Service
to search the OCSP servers or CRL servers. If you search for the status of the certificates using an OCSP server or a
CRL server, which server you choose to search for the status of the certificates first does not matter because each
server creates a prioritized list automatically.
For more information about certificates, see the BlackBerry Enterprise Solution Security Technical Overview.
Configure the LDAP servers that the BlackBerry MDS Connection Service uses to
retrieve certificates
You can create a user name and password so that the BlackBerry® MDS Connection Service can authenticate to LDAP
servers on behalf of BlackBerry devices.
If you change the LDAP port number or host server information, you must stop and restart the BlackBerry MDS
Connection Service so that the BlackBerry MDS Connection Service can use the new port number or host server
information immediately.
1.
2.
3.
4.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry solution
topology > BlackBerry Domain > Component view.
Click MDS Connection Service.
On the LDAP tab, click Edit component.
In the LDAP Service Information section, perform one of the following tasks:
Task
Steps
Create an LDAP server configuration.
a.
b.
c.
Type the LDAP server name and the web address for
the server.
In the Settings section, configure the LDAP server
settings.
Click the Add icon.
123
Configuring a BlackBerry MDS Connection Service to trust web servers
Administration Guide
Change an existing LDAP server configuration.
5.
a.
b.
c.
Click the Edit icon beside the LDAP server.
In the Settings section, change the LDAP server settings.
Click the Accept icon.
Click Save all.
After you finish:
• To configure the BlackBerry MDS Connection Service to retrieve the status of certificates, configure the OCSP
and CRL server information.
• Add the communication information that you configured for the LDAP server to the BlackBerry MDS Connection
Service configuration set.
Related topics
Add communication information to a BlackBerry MDS Connection Service configuration set, 248
Assign a BlackBerry MDS Connection Service configuration set to a BlackBerry MDS Connection Service instance, 249
Restarting BlackBerry Enterprise Server Express components, 272
LDAP server settings
Field
Base Query
Password and Confirm Password
Query Limit
Service URL
User name
Description
This field specifies the base query for the default LDAP server. You can use
%20 for spaces. Each LDAP server can host multiple Windows® domains but
can search in only one Windows domain at a time. You might need to
configure a default base query for some LDAP servers.
These fields specify a password if the LDAP server requires simple
authentication.
This field specifies the maximum number of entries that you want to return
for each query.
This field specifies the FQDN and port number of the LDAP server. You must
use the <FQDN>:<Port> format.
This field specifies the user name if the LDAP server requires simple
authentication.
Configure the BlackBerry MDS Connection Service to use DSML to retrieve certificates
1.
2.
3.
4.
5.
124
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry solution
topology > BlackBerry Domain > Component view.
Click MDS Connection Service.
On the DSML tab, click Edit component.
In the Protocol Service Information section, in the Query limit field, type the maximum number of certificates
that the BlackBerry MDS Connection Service can retrieve during each search it performs.
Perform one of the following tasks:
Administration Guide
Configuring a BlackBerry MDS Connection Service to trust web servers
Task
Steps
Create a configuration for a DSML certificate server.
a.
b.
c.
d.
e.
f.
Change a configuration for an existing DSML certificate a.
server configuration.
b.
c.
6.
In the Name field, type a name for the DSML certificate
server that you want the BlackBerry MDS Connection
Service to search.
In the Service URL field, type the FQDN of the DSML
certificate server (for example, http://
server01.rim.com:1234/dsml/adssoap.dsmlx).
In the Settings section, if you do not want the
BlackBerry MDS Connection Service to search the entire
directory tree, in the Default Server Base Query field,
type the search base that the BlackBerry MDS
Connection Service can use.
To permit the BlackBerry MDS Connection Service to
authenticate with the DSML certificate server on behalf
of BlackBerry devices, in the DSML User ID field, type
the user name that the BlackBerry MDS Connection
Service can use to authenticate with the DSML
certificate server.
In the DSML Password and Confirm DSML Password
fields, type the password for the user name that the
BlackBerry MDS Connection Service can use to
authenticate with the DSML certificate server.
Click the Add icon.
Click the Edit icon that is beside the DSML certificate
server that you want to change.
In the Settings section, change the DSML certificate
server settings.
Click the Accept icon.
Click Save all.
After you finish:
• To configure the BlackBerry MDS Connection Service to retrieve the status of certificates from an OCSP server
or CRL server, you must configure the OCSP server and CRL server information.
• Add the communication information that you configured for the DSML server to the BlackBerry MDS Connection
Service configuration set.
Related topics
Assign a BlackBerry MDS Connection Service configuration set to a BlackBerry MDS Connection Service instance, 249
Add communication information to a BlackBerry MDS Connection Service configuration set, 248
Restarting BlackBerry Enterprise Server Express components, 272
125
Administration Guide
Configuring a BlackBerry MDS Connection Service to trust web servers
Configure the OCSP servers that the BlackBerry MDS Connection Service uses to
retrieve the status of certificates
You can configure the BlackBerry® MDS Connection Service to authenticate to OCSP servers on behalf of BlackBerry
devices and to retrieve the status of certificates.
1.
2.
3.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry solution
topology > BlackBerry Domain > Component view.
Click MDS Connection Service.
On the OCSP tab, click Edit component.
4.
In the OCSP Service information section, perform the following actions:
• Configure the BlackBerry MDS Connection Service to accept OCSP servers that BlackBerry devices specify.
• Configure the OCSP handler to use the OCSP responder extension in a certificate.
5.
Perform one of the following tasks:
Task
Steps
Create an OCSP server configuration.
a.
Change an existing OCSP server configuration.
6.
b.
Type the OCSP server name and the web address for
the server.
Click the Add icon.
a.
b.
Click the Edit icon beside the OCSP server.
Click the Accept icon.
Click Save all.
After you finish: Add the communication information that you configured for the OCSP server to the BlackBerry MDS
Connection Service configuration set.
Related topics
Add communication information to a BlackBerry MDS Connection Service configuration set, 248
Assign a BlackBerry MDS Connection Service configuration set to a BlackBerry MDS Connection Service instance, 249
Restarting BlackBerry Enterprise Server Express components, 272
Configure the CRL servers that the BlackBerry MDS Connection Service uses to retrieve
the status of certificates
You can configure the BlackBerry® MDS Connection Service to authenticate to CRL servers on behalf of BlackBerry
devices and to retrieve the status of certificates.
1.
2.
3.
4.
126
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry solution
topology > BlackBerry Domain > Component view.
Click MDS Connection Service.
On the CRL tab, click Edit component.
In the CRL Service information section, perform the following actions:
• Configure the BlackBerry MDS Connection Service to accept CRL servers that BlackBerry devices specify.
• Configure the CRL handler to use the CRL responder extension in a certificate.
Administration Guide
5.
Perform one of the following tasks:
Task
Steps
Create a CRL server configuration.
a.
Change an existing CRL server configuration.
6.
Configuring a BlackBerry MDS Connection Service to trust web servers
b.
Type the CRL server name and the web address for the
server.
Click the Add icon.
a.
b.
Click the Edit icon beside the CRL server.
Click the Accept icon.
Click Save all.
After you finish: Add the communication information that you configured for the CRL server to the BlackBerry MDS
Connection Service configuration set.
Related topics
Add communication information to a BlackBerry MDS Connection Service configuration set, 248
Assign a BlackBerry MDS Connection Service configuration set to a BlackBerry MDS Connection Service instance, 249
Restarting BlackBerry Enterprise Server Express components, 272
Add communication information to a BlackBerry MDS Connection Service
configuration set
A BlackBerry® MDS Connection Service configuration set is a set of service configurations that the BlackBerry MDS
Connection Service instances in your organization can use to communicate with a remote file system, an LDAP server,
a DSML server, a CRL server, an OCSP server, or a certification authority. You must add the communication information
that the BlackBerry MDS Connection Service requires to communicate with servers to a configuration set so that a
BlackBerry MDS Connection Service instance can communicate with the servers after you assign the configuration
set to the instance.
1.
2.
3.
4.
5.
6.
7.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
Click MDS Connection Service.
Click Edit component.
On the Configuration Sets tab, perform one of the following actions:
• To create a configuration set, in the Configuration set name section, type a name and description for the
configuration set.
• To change an existing configuration set, click the Edit icon.
In the Priority Service group drop-down list, click the name of the service that you want to configure the
communication method for.
In the Service (Name : Description) drop-down list, click the name of the communication method that you want
to configure.
Click the Add icon.
127
Administration Guide
8.
9.
Configuring a BlackBerry MDS Connection Service to trust web servers
To specify the communication method that the BlackBerry MDS Connection Service should try to connect to the
server with first , click the Up and Down arrows. The BlackBerry MDS Connection Service resolves conflicts by
applying communication methods in the order that you specify. The order of that you specify for LDAP, DSML,
or file communication applies to each communication method separately. The order permits the BlackBerry
MDS Connection Service to resolve conflicts between domains if you created multiple communication methods
for a specific URL.
Perform one of the following actions:
• To add a new configuration set, click the Add icon.
• To update an existing configuration set, click the Update icon.
10. Click Save all.
After you finish:
• To confirm your changes, click the View icon.
• Assign the configuration set to a BlackBerry MDS Connection Service.
Assign a BlackBerry MDS Connection Service configuration set to a BlackBerry MDS
Connection Service instance
You can assign a BlackBerry® MDS Connection Service configuration set to a BlackBerry MDS Connection Service
instance so that BlackBerry device users can access documents on remote file systems from devices, the BlackBerry
MDS Connection Service can search for certificates and check for the status of the certificates from LDAP servers,
DSML servers, CRL servers, or OCSP servers, and the BlackBerry MDS Connection Service can send certificate requests
to a certificate authority.
1.
2.
3.
4.
5.
6.
7.
8.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
Click MDS Connection Service.
Click the instance that you want to change.
Click Edit instance.
On the Component Configuration Sets tab, in the Available component configuration sets section, in the Service
configuration sets drop-down list, click the configuration set that you want to assign to the BlackBerry MDS
Connection Service instance.
Click Save all.
To restart the BlackBerry MDS Connection Service instance, on the Instance information tab, in the Status list,
click Restart instance.
To assign the BlackBerry MDS Connection Service configuration set to another BlackBerry MDS Connection
Service instance, repeat steps 3 to 7.
Add a retrieved certificate for a web server to the key store
You can use the Java® keytool to add a certificate for a web server to the BlackBerry® MDS Connection Service key
store. The certificate permits the BlackBerry MDS Connection Service to connect to the trusted web server.
1.
128
Save the certificate from a secure web site to a .cer file.
Administration Guide
2.
3.
4.
5.
6.
Permitting users to access intranet sites on BlackBerry devices using global login information
On the computer that hosts the BlackBerry MDS Connection Service, copy the .cer file to <drive>:\Program Files
\Java\<JRE_version>\lib\security.
At a command prompt, navigate to <drive>:\Program Files\Java\<JRE_version>\bin.
Type keytool -import -trustcacerts -alias <alias_name> -file <cert_filename> -keystore cacerts.
Type the key store password.
To add the certificate to the key store, at the command prompt, type Yes.
After you finish: For more information about using the Java keytool, visit java.sun.com/javase/6/docs/technotes/
tools/windows/keytool.html.
Permitting users to access intranet sites on BlackBerry
devices using global login information
To permit users to access intranet sites on BlackBerry® devices without having to specify their user names and
passwords, you can configure a global user name and password. When users try to access an intranet site, the
BlackBerry MDS Connection Service checks to see if you configured global login information, and validates the login
information. If authentication succeeds, users can access intranet sites without providing their user names and
passwords. If authentication fails, users must type their user names and passwords before they can access intranet
sites.
Configure global login information for intranet site access
1.
2.
3.
4.
5.
6.
7.
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry solution
topology > BlackBerry Domain > Component view.
Click MDS Connection Service.
On the HTTP tab, click Edit component.
In the Protocol service information section, in the Authentication support enabled drop-down list, click Yes.
In the Name section, type a global name, and type the web address of the intranet site in the Service URL section.
In the Settings section, type a user name and password.
Click Save all.
Configuring how the BlackBerry MDS Connection Service
connects to BlackBerry devices
Specify the maximum amount of data that a BlackBerry MDS Connection
Service can send to BlackBerry devices
1.
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > MDS Connection Service.
129
Administration Guide
2.
3.
4.
5.
Configuring how the BlackBerry MDS Connection Service connects to BlackBerry devices
Click the instance that you want to change.
Click Edit instance.
On the General tab, in the Flow control section, in the Maximum data amount permitted per connection field,
type a number, in KB.
Click Save all.
Specify the pending content timeout limit for a BlackBerry MDS Connection
Service
You can specify how long a BlackBerry® MDS Connection Service waits for acknowledgment from a BlackBerry device
before it deletes pending content for the BlackBerry device.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > MDS Connection Service.
Click the instance that you want to specify the content timeout limit for.
Click Edit instance.
On the General tab, in the Flow control section, in the Flow control timeout field, type a number, in milliseconds.
Click Save all.
Permit Java applications to use scalable socket connections with a
BlackBerry MDS Connection Service
Before you begin: Verify that your system memory supports scalable socket connections.
1.
2.
3.
4.
5.
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > MDS Connection Service.
Click the instance that you want to permit scalable socket connections on.
Click Edit instance.
On the General tab, in the Socket connection settings section, in the Use scalable sockets options list, click Yes.
Click Save all.
Specify the thread pool size of a BlackBerry MDS Connection Service
You can specify the maximum number of threads that a BlackBerry® MDS Connection Service can process at the same
time.
Before you begin: Verify that your system memory can support the thread pool size that you want to specify.
1.
2.
3.
130
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > MDS Connection Service.
Click the instance that you want to specify the thread pool size for.
Click Edit instance.
Administration Guide
4.
5.
Configuring how the BlackBerry MDS Connection Service connects to BlackBerry devices
On the General tab, in the Socket connection settings section, in the Thread pool size field, type a number
between 100 and 1000.
Click Save all.
Specify the maximum number of scalable socket connections
You can specify the maximum number of scalable socket connections that can be open at the same time between
BlackBerry® devices and a BlackBerry MDS Connection Service.
Before you begin: Verify that your system memory can support the number of scalable socket connections that you
want to specify.
1.
2.
3.
4.
5.
6.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > MDS Connection Service.
Click the instance that you want to specify the maximum number of scalable socket connections for.
Click Edit instance.
On the General tab, in the Socket connection settings section, in the Use scalable sockets options, select the Yes
option.
In the Maximum simultaneous scalable sockets field, type a number between 100 and 3500.
By default, the maximum number of scalable socket connections is 2000.
Click Save all.
Prevent the BlackBerry MDS Connection Service from using scalable HTTP
By default, the BlackBerry® MDS Connection Service 5.0 SP2 or later uses scalable HTTP, which permits the BlackBerry
MDS Connection Service to use fewer system resources and to establish more socket connections at one time than
previous versions of the BlackBerry MDS Connection Service. When a BlackBerry MDS Connection Service uses
scalable HTTP, it streams data to and from BlackBerry devices instead of storing and forwarding the data. If you want
a BlackBerry MDS Connection Service to process data as it did in previous versions of the BlackBerry® Enterprise
Server Express, you can prevent a BlackBerry MDS Connection Service from using scalable HTTP.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > MDS Connection Service.
Click the instance that you want to prevent from using scalable HTTP.
Click Edit instance.
On the General tab, in the Socket connection settings section, in the Use scalable HTTP drop-down list, click No.
Click Save all.
131
Administration Guide
Configuring how the BlackBerry MDS Connection Service connects to BlackBerry devices
Specify the port number that the web server listens on for push application
requests
You can specify the port number that the web server listens on for HTTP requests and HTTPS requests from serverside push applications. You should change the default port parameters only if a port conflict exists with another
service on the same computer.
1.
2.
3.
4.
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > MDS Connection Service.
Click the instance that you want to specify the port number for.
Click Edit instance.
On the General tab, in the Connection section, perform one of the following actions:
• To specify the port for HTTP requests, in the Web server listen port field, type the port number.
• To specify the port for HTTPS requests, in the Web server SSL listen port field, type the port number.
5.
Click Save all.
After you finish:
• Restart the BlackBerry MDS Connection Service.
• Notify your organization's push application developers that you changed the port number that the web server
listens on for push application requests.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Specify how often a BlackBerry MDS Connection Service polls for
configuration information
You can specify how often a BlackBerry® MDS Connection Service polls the BlackBerry Configuration Database for
changes to the administration settings for the BlackBerry MDS Connection Service. The default interval is 5 minutes.
1.
2.
3.
4.
5.
132
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > MDS Connection Service.
Click the instance that you want change.
Click Edit instance.
On the General tab, in the Database section, in the Database admin configuration cycle timer field, type a time,
in minutes.
Click Save all.
Administration Guide
Setting up the messaging environment
Setting up the messaging environment
12
Creating email message filters
You can create email message filters to define which email messages the BlackBerry® Enterprise Server Express
forwards from users’ email applications to their BlackBerry devices. When users receive email messages in the
incoming message queue, the BlackBerry Enterprise Server Express applies email message filters to determine how
to direct the messages: forward, forward with priority, or do not forward to the BlackBerry devices.
Email message filters that you create and apply override the email message filters that users create using the
BlackBerry® Desktop Manager, the BlackBerry® Web Desktop Manager, or their BlackBerry devices. You can specify
the order that the BlackBerry Messaging Agent applies the email message filters in.
You can create the following types of email message filters:
• global filters: apply to all users on the BlackBerry Enterprise Server Express
• user filters: apply to specific users on the BlackBerry Enterprise Server Express
Users cannot view or change global filters. If you define global filters, you must explain to users that some of the
email message filters that they created might not apply to incoming messages.
If you change global filters, the BlackBerry Enterprise Server Express applies the changes immediately.
Create an email message filter that applies to all user accounts on a
BlackBerry Enterprise Server Express
1.
2.
3.
4.
5.
6.
7.
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Email.
Click the instance that you want to change.
Click Edit instance.
On the Email message filters tab, in the Email message filter name field, type a name for the email message
filter.
In the Email message filter rules section, configure the options for the email message filter. Use semicolons (;)
to separate multiple items that you specify.
If you specify multiple users in the From or Sent to fields, or multiple subject terms in the Subject field, the
message filter is applied to email messages that contain any of the users or terms that you specify. All of the
users or terms that you specify do not have to be satisfied for the message filter to be applied.
Perform one of the following tasks:
• To create an email message filter that does not deliver email messages that match the filter criteria to
BlackBerry devices, select Do not forward email messages to the device.
• To create an email message filter that forwards email messages that match the filter criteria to BlackBerry
devices, select Forward email messages to the device.
Click the Add icon.
133
Administration Guide
Creating email message filters
8.
To move the email message filter higher or lower in the list, click the Up or Down icons.
The BlackBerry® Enterprise Server Express applies email message filters in the order that they are listed in.
Organize the email message filters from the least restrictive to the most restrictive.
9. Repeat steps 4 to 8 for each email message filter that you want to add.
10. Click Save all.
Turn on an email message filter that applies to all user accounts on a
BlackBerry Enterprise Server Express
1.
2.
3.
4.
5.
6.
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Email.
Click the instance that you want to change.
Click Edit instance.
On the Email message filters tab, click the Edit icon beside the email message filter you want to turn on.
In the Enabled drop down list, click Yes.
Click Save all.
The BlackBerry Administration Service applies email message filters in the order that they are listed in.
Create an email message filter that applies to a specific user account
1.
2.
3.
4.
5.
6.
7.
8.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
In the search results, click the name of the user account.
Click Edit user.
In the Messaging configuration section, click Default configuration.
On the Email tab, in the Email message filter name field, type a name for the email message filter.
In the Email message filter rules section, configure the options for the email message filter. Use semicolons (;)
to separate multiple items that you specify.
If you specify multiple users in the From or Sent to fields, or multiple subject terms in the Subject field, the
message filter is applied to email messages that contain any of the users or terms that you specify. All of the
users or terms that you specify do not have to be satisfied for the message filter to be applied.
9.
Perform one of the following tasks:
• To create an email message filter that does not deliver email messages that match the filter criteria to
BlackBerry devices, select Do not forward email messages to the device.
• To create an email message filter that forwards email messages that match the filter criteria to BlackBerry
devices, select Forward email messages to the device.
10. Click the Add icon.
11. To move the email message filter higher or lower in the list, click the Up or Down icons.
134
Administration Guide
Copying existing email message filters to another BlackBerry Enterprise Server Express
The BlackBerry® Enterprise Server Express applies email message filters in the order that they are listed in.
Organize the email message filters from the least restrictive to the most restrictive.
12. Click Continue to user information edit.
13. Click Save all.
Turn on an email message filter that applies to a specific user account
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
In the BlackBerry® Administration Service, in the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
In the search results, click the name of the user account.
Click Edit user.
In the Messaging configuration section, click Default configuration.
On the Email tab, click the Edit icon beside the email message filter that you want to turn on.
In the Enabled drop-down list, click Yes.
Click Continue to user information edit.
Click Save all.
The BlackBerry Administration Service applies email message filters in the order that they are listed in.
Copying existing email message filters to another
BlackBerry Enterprise Server Express
You can copy the existing email message filters for a BlackBerry® Enterprise Server Express and apply them to other
instances of the BlackBerry Enterprise Server Express. To create a copy of existing email message filters, you can
export the existing email message filters for a BlackBerry Enterprise Server Express as an .xml file. You can then import
the .xml file so that you can use it with another instance of the BlackBerry Enterprise Server Express.
Export email message filters for a BlackBerry Enterprise Server Express
1.
2.
3.
4.
5.
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Email.
Click the instance that you want to change.
On the Email message filters tab, click Export email message filters.
Click Download file.
Save the .xml file.
Import email message filters for a BlackBerry Enterprise Server Express
Before you begin: Export email message filters for a BlackBerry® Enterprise Server Express.
135
Administration Guide
1.
2.
3.
4.
5.
6.
7.
Copying existing email message filters to user accounts
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Email.
Click the instance that you want to change.
Click Edit instance.
On the Email message filters tab, click Import email message filters.
In the Import email message filters section, click Browse. Navigate to the .xml file that contains the email
message filters that you want to import.
Click Import email message filters.
Click Save all.
Copying existing email message filters to user accounts
You can copy the existing email message filters for a user account and apply them to other user accounts. To create
a copy of existing email message filters, you must export the existing email message filters for a user account as
an .xml file. You can then import the .xml file so that you can use it with other user accounts.
Export email message filters for a user account
1.
2.
3.
4.
5.
6.
7.
8.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
In the search results, click the name of the user account.
In the Messaging configuration section, click Default configuration.
On the Email tab, click Export email message filters.
Click Download file.
Save the .xml file.
Import email message filters for a user account
Before you begin: Export email message filters for a user account.
1.
2.
3.
4.
5.
6.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for the user account.
In the search results, click the name of the user account.
Click Edit user.
In the Messaging configuration section, click Default configuration.
7.
On the Email tab, at the bottom of the screen, click Import email message filters.
136
Administration Guide
Extension plug-ins for processing messages
8.
In the Import email message filters section, click Browse. Navigate to the .xml file that contains the email
message filters that you want to import.
9. Click Import email message filters.
10. Click Save all.
Extension plug-ins for processing messages
You can add extension plug-ins to a BlackBerry® Messaging Agent. The BlackBerry Messaging Agent uses extension
plug-ins to process and make changes to email messages and attachments that the BlackBerry Messaging Agent
sends to and receives from BlackBerry devices. For example, you can add an extension plug-in to modify the signature
in email messages.
Before you add an extension plug-in to the BlackBerry Administration Service, you must install the extension plugin application on the computer the hosts the BlackBerry® Enterprise Server Express. By default, each BlackBerry
Messaging Agent in your organization's BlackBerry Domain includes the extension plug-in BBAttachBESExtension,
which connects the BlackBerry Messaging Agent to the BlackBerry Attachment Service so that the BlackBerry
Attachment Service can process email message attachments. If you add multiple extension plug-ins to a BlackBerry
Messaging Agent, you can define the order that the BlackBerry Messaging Agent uses the extension plug-ins to
process email messages in.
Install an extension plug-in application
To add an extension plug-in to the BlackBerry® Administration Service, you must first install the application for the
extension plug-in on the computer that hosts the BlackBerry® Enterprise Server Express.
Before you begin: Copy the .dll file for the extension plug-in application to the computer that hosts the BlackBerry
Enterprise Server Express.
1.
2.
3.
4.
On the computer that hosts the BlackBerry Enterprise Server Express, on the Start menu, click Run.
Type regedit.
Click OK.
Perform one of the following actions:
• If you are running a 32-bit version of Windows®, navigate to HKEY_LOCAL_MACHINE\Software\Research In
Motion\BlackBerry Enterprise Server\Agents.
• If you are running a 64-bit version of Windows, navigate to HKEY_LOCAL_MACHINE\Software
\WOW6432Node\Research In Motion\BlackBerry Enterprise Server\Agents.
5.
6.
7.
If necessary, create a DWORD value named PlugIns.
Double-click the PlugIns DWORD value.
In the Value data field, type Name=<DLL_Name> Data=<DLL_Path>, where <DLL_Name> is a descriptive name
of the .dll file and <DLL_Path> is the full path and file name for the .dll file.
8.
Click OK.
After you finish:
137
Administration Guide
•
•
Extension plug-ins for processing messages
Restart the BlackBerry Enterprise Server Express.
Add the extension plug-in to a BlackBerry Messaging Agent.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Add an extension plug-in to a BlackBerry Messaging Agent
Before you begin: Install an extension plug-in application on the computer that hosts the BlackBerry® Enterprise
Server Express.
1.
2.
3.
4.
5.
6.
7.
8.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Email.
Click the instance that you want to change.
Click Edit instance.
On the Extension plug-ins tab, in the Extension plug-in name field, type the name of the extension plug-in that
you want to add.
Click the Add icon.
Repeat steps 4 and 5 for each extension plug-in that you want to add.
If necessary, click the Up and Down icons to set the order that the BlackBerry Messaging Agent uses the extension
plug-ins to process email messages in.
Click Save all.
Change how a BlackBerry Messaging Agent uses extension plug-ins
The BlackBerry® Messaging Agent uses a BlackBerry® Enterprise Server Express extension process to load extension
plug-ins to process email messages. If you do not add an extension plug-in to the BlackBerry Administration
Service, and you install the extension plug-in application on the computer that hosts the BlackBerry Enterprise Server
Express, the extension plug-in is loaded directly by the BlackBerry Messaging Agent instead of the extension process.
To stabilize and manage your organization's messaging environment, you can change how the BlackBerry Controller
starts extension processes. For example, you can configure the BlackBerry Controller to start one extension process
for all extension plug-ins, or you can configure the BlackBerry Controller to start separate extension processes for
each extension-plug in.
1.
2.
3.
4.
138
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Email.
Click the instance that you want to change.
Click Edit instance.
On the Extension plug-ins tab, in the Extension mode section, in the Extension mode drop-down list, perform
one of the following actions:
• To configure the BlackBerry Controller to start a single extension process that loads all extension plug-ins for
all BlackBerry Messaging Agent instances, click single.
Administration Guide
Configure how a BlackBerry Messaging Agent deletes email messages from a BlackBerry state
database
• To configure the BlackBerry Controller to start a dedicated extension process for each BlackBerry Messaging
Agent instance, click perAgent.
• To configure the BlackBerry Controller to start a dedicated extension process that loads each extension plugin, click perExtension. Each BlackBerry Messaging Agent uses the same extension process to process a specific
extension plug-in.
• To configure the BlackBerry Controller to start a dedicated extension process for each extension plug-in for
each BlackBerry Messaging Agent, click perAgentperExtension.
5.
Click Save all.
Configure how a BlackBerry Messaging Agent deletes email
messages from a BlackBerry state database
To manage your organization's messaging environment, you can configure how a BlackBerry® Messaging Agent
deletes email messages that users create and delete from the BlackBerry state database. If you change the database
pruning settings for the BlackBerry state database, your organization's messaging environment might experience a
performance impact.
1.
2.
3.
4.
5.
6.
7.
8.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry solution
topology > BlackBerry Domain > Component view > Email.
Click the instance that you want to change.
Click Edit instance.
In the State database pruning section, in the Turn on state database pruning options, click Yes.
In the Remove deleted messages from state database after field, type a number of days that is greater than
30.
The default value is 183 days.
In the Remove created messages from state database after field, type a number of days that is greater than
30.
The default value is 548 days.
In the Run daily at drop-down lists, specify the time that the BlackBerry Messaging Agent deletes email messages
from the BlackBerry state database at.
Click Save all.
Mapping contact information fields for synchronization
and contact lookups
You can map contact information fields from the email applications on users' computers to the contact list fields on
the BlackBerry® devices. The information in the fields in the email applications synchronizes to the fields on the
BlackBerry devices. You can create the following types of field mappings on the BlackBerry® Enterprise Server Express:
•
•
global field mappings: apply to all user accounts in a BlackBerry Domain
user field mappings: apply to specific user accounts
139
Administration Guide
Mapping contact information fields for synchronization and contact lookups
You can map up to four fields that users define in the contact information on their computers to their BlackBerry
devices. When users request a remote contact lookup from the IBM® Lotus Notes® address book, the fields that you
configure display on BlackBerry devices.
Map a contact information field in an email application to a contact list
field on BlackBerry devices
1.
2.
3.
4.
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Synchronization.
Click Edit component.
On the Mappings for organizer data synchronization tab, for each type of organizer data, select the option in
the drop-down lists that you want to map the information to on BlackBerry devices.
Click Save all.
After you finish: To return all organizer data to the default settings, click Reset global organizer data synchronization
mappings.
Map a contact list field in an email application to a contact list field on a
BlackBerry device
1.
2.
3.
4.
5.
6.
7.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
In the search results, click the display name for the user account.
Click Edit user.
In the Messaging configuration section, click Default configuration.
On the Mappings for organizer data synchronization tab, in the Mappings for organizer data synchronization
section, select the Turned on option.
8. In the appropriate drop-down lists, select the fields on the BlackBerry device that you want to map the
information to.
9. Click Continue to user information edit.
10. Click Save all.
Map a contact information field in an email application to contact list fields
on BlackBerry devices
You can map up to four contact list fields that users define in an email application to BlackBerry® devices.
1.
2.
140
In the BlackBerry Administration Service, on the Servers and components menu, expand Blackerry Solution
topology > BlackBerry Domain > Component view.
Click Synchronization.
Administration Guide
3.
4.
5.
Mapping contact information fields for synchronization and contact lookups
Click Edit component.
On the Mappings for organizer data synchronization tab, in the Other mappings section, select each User
defined string contact list field that you want to map to BlackBerry devices.
Click Save all.
After you finish: To return the organizer data to the default settings, click Reset global organizer data synchronization
mappings.
Map a contact list field in an email application to a contact list field on a
BlackBerry device
You can map up to four contact list fields that users define in an email application to a BlackBerry® device.
1.
2.
3.
4.
5.
6.
7.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
In the search results, click the display name for the user account.
Click Edit user.
In the Messaging configuration section, click Default configuration.
On the Mappings for organizer data synchronization tab, in the Mappings for organizer data synchronization
section, select the Turned on option.
8. In the Other mappings section, in each User defined string drop-down list, select the contact field that you want
to map to the BlackBerry device.
9. Click Continue to user information edit.
10. Click Save all.
141
Administration Guide
Making the BlackBerry Web Desktop Manager available to users
Making the BlackBerry Web Desktop Manager
available to users
13
Installing the client components of the BlackBerry Web
Desktop Manager on users' computers
By default, when users open and log in to the BlackBerry® Web Desktop Manager for the first time, the browser
prompts them to accept a client authentication certificate and install the required RIMWebComponents.cab file. The
RIMWebComponents.cab file provides the BlackBerry® Device Manager and USB drivers that users require to use
the BlackBerry Web Desktop Manager. To install these RIMWebComponents.cab file, users must log in to their
computers as a local administrator.
If you use Microsoft® Active Directory® in your organization's environment, consider creating Windows® GPOs to
install the client components of the BlackBerry Web Desktop Manager on users' computers automatically. When you
use Windows GPOs, the browser does not display the security warning or installation prompts to users, and users
do not require local administrator permissions to complete the installation process.
Related topics
Configuring the BlackBerry Web Desktop Manager, 147
Publish the client files for the BlackBerry Web Desktop
Manager in a Windows GPO for Windows XP
If you use Microsoft® Active Directory®, you can create a Windows® GPO to make sure that the browser settings are
correct for your organization's environment. Alternatively, you can check the browser settings on users' computers
and, if necessary, change them manually.
1.
2.
3.
In the BlackBerry® Enterprise Server Express installation files, navigate to tools/RIMWebComponents.
Copy the RIMWebComponents.msi file to a shared network folder.
In Microsoft Active Directory Users and Computers, right-click the organizational unit that you want to assign
the Windows GPO to. Click Properties.
4. On the Group Policy tab, click New.
5. In the Name field, type a name for the new GPO.
6. In the list of GPOs, click the GPO name.
7. Click Edit.
8. In the Group Policy Editor menu, click User Configuration > Software Settings.
9. Right-click Software Installation. Click New > Package.
10. Type the UNC path and name of the RIMWebComponents.msi. The path must be typed in UNC format (for
example, \\ComputerName\Applications\Testing).
11. Click Open.
142
Administration Guide
12.
13.
14.
15.
16.
Publish the client files for the BlackBerry Web Desktop Manager in a Windows GPO for Windows
Vista
In the Deploy Software window, click Advanced.
Click OK.
In the Group Policy Object properties window, on the Deployment tab, under Deployment type, click Published.
In the Installation user interface options menu, click Basic.
If the computer runs Windows Server® 2003, perform the following actions:
a. On the Deployment tab, click Advanced.
b. Click Include OLE class and product information.
17. Click OK.
After you finish: Perform one of the following actions:
• On each user's computer that runs a 32-bit version of Windows, add the registry key HKEY_LOCAL_MACHINE
\Software\Microsoft\WindowCurrentVersion\Internet Settings\UseCoInstall.
• On each user's computer that runs a 64-bit version of Windows, add the registry key HKEY_LOCAL_MACHINE
\Software\WOW6432Node\Microsoft\WindowCurrentVersion\Internet Settings\UseCoInstall.
Publish the client files for the BlackBerry Web Desktop
Manager in a Windows GPO for Windows Vista
Before you begin:
• Add the web address for the BlackBerry® Administration Service to the list of trusted web sites in the web
browser.
• Download and install the Microsoft® Group Policy Management Console with Service Pack 1. For more
information about installing the service pack, see www.microsoft.com.
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
Open the Microsoft Exchange Management Console.
Click File > Add/Remove Snap-in.
In the Available Snap-ins list, click Group Policy Management.
Click Add.
Click OK.
Expand Group Policy Management > Forest> Domains.
Click the domain name.
Right-click the organizational unit that you want to assign the Windows® GPO to.
Click Create a GPO in this domain, and link it here.
In the Name field, type a name for the new GPO.
Click OK.
Right-click the GPO that you just created.
13. Click Edit.
14. On the Computer Configuration menu, click Policies.
143
Administration Guide
Configure users' computers to install the client file for the BlackBerry Web Desktop Manager
automatically
15.
16.
17.
18.
19.
20.
21.
22.
23.
Expand Administrator Templates.
Expand Windows Components.
Click ActiveXInstaller Service.
Right-click Approved Installation Sites for ActiveX Controls.
Select Properties.
On the Settings tab, click Enabled.
Click Show.
Click Add.
In the Enter the name of the item to be added field, type the web address for the BlackBerry Administration
Service.
24. In the Enter the value of the item to be added field, type 2,2,1,0.
25. In each dialogue box, click OK.
Configure the Microsoft ActiveX Installer on Windows Vista
1.
2.
3.
4.
On the computer that hosts the BlackBerry® Web Desktop Manager, click Start > Control Panel > Programs and
Features.
Click Turn Windows Features On or Off.
Select ActiveX Installer Service.
Click OK.
Configure users' computers to install the client file for the
BlackBerry Web Desktop Manager automatically
You can create a new Windows® GPO so that you can add the registry key HKEY_LOCAL_MACHINE\Software
\Microsoft\Windows\CurrentVersion\Internet Settings\UseCoInstall to users' computers. When you add the registry
key, the users' computers install the RIMWebComponents.msi file and other Microsoft® ActiveX® controls
automatically. The Windows GPO adds the registry key to computers in the organizational unit that you assigned the
GPO to.
1.
On the computer that hosts Microsoft® Active Directory®, in a new text file, copy and paste the following lines:
CLASS MACHINE
CATEGORY !!RegistrySettings
KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
;KEYNAME "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
POLICY !!EnableActiveXInstallFromAD
EXPLAIN !!EnableActiveXInstallFromAD_Explain
144
Administration Guide
Configure users' computers to install the client file for the BlackBerry Web Desktop Manager
automatically
VALUENAME "UseCoInstall"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
END CATEGORY
[strings]
EnableActiveXInstallFromAD="Allow user computers to install administrator-approved Microsoft ActiveX
components."
EnableActiveXInstallFromAD_Explain="Allow user computers to install administrator-approved Microsoft
ActiveX components."
2.
3.
4.
5.
RegistrySettings="Registry Settings"
Name the file EnableActiveXInstallFromAD.adm and save it.
In Microsoft Active Directory Users and Computers, right-click the organizational unit that you want to assign
the Windows GPO to. Click Properties.
On the Group Policy tab, click New.
In the Name field, type a name for the new GPO.
6.
7.
8.
In the list of GPOs, click the GPO name. Click Edit.
In the Group Policy Object Editor list, click Computer Configuration > Administrative Templates.
Right-click Administrative Templates. Perform one of the following actions:
• If the computer uses Windows® 2000 Server, clear the View – Show Policies Only option.
• If the computer uses Windows Server® 2003, click View – Filtering. Clear the Only show policy settings that
can be fully managed check box.
9.
10.
11.
12.
13.
14.
Right-click Administrative Templates. Click Add/Remove Templates.
Add the EnableActiveXInstallFromAD.adm custom administrative template to the Windows GPO.
Click Administrative Templates > Registry Settings.
Double-click Allow user computers to install administrator-approved Microsoft ActiveX components.
Click Enabled.
Click OK.
After you finish: For more information about registry-based Windows GPOs, visit technet.microsoft.com to read
Using Administrative Template Files with Registry-Based Group Policy.
145
Administration Guide
Make the BlackBerry Web Desktop Manager available to users
Make the BlackBerry Web Desktop Manager available to
users
The BlackBerry® Web Desktop Manager web address is https://<full_computer_name> /webdesktop/login. If you
customized the BlackBerry Web Desktop Manager text colors or image and you want to display the changes on the
login screen, you must direct users to https://<full_computer_name>/webdesktop/app?
page=Login&service=page&orgId=0.
Send users the following information:
• BlackBerry Web Desktop Manager web page address
• IBM® Lotus® Domino® Internet user names and passwords that you configured for the users in your
messaging environment
146
Administration Guide
Configuring the BlackBerry Web Desktop Manager
Configuring the BlackBerry Web Desktop
Manager
14
You can configure the BlackBerry® Web Desktop Manager to permit users to perform administrative tasks such as
creating a password for wireless activation, locking a lost or stolen BlackBerry device, deleting data from a device,
or deactivating a device.
You can also customize the UI of the BlackBerry Web Desktop Manager by changing the text colors or displaying a
custom image, such as your organization's logo, to match the design of your organization's intranet.
For more information about the IT policies that control the tasks that users can perform in the BlackBerry Web
Desktop Manager, see the BlackBerry Enterprise Server Express Policy Reference Guide .
For more information about using the BlackBerry Web Desktop Manager to update the BlackBerry® Device
Software, see the BlackBerry Device Software Update Guide .
Permit users to perform administrative tasks using the
BlackBerry Web Desktop Manager
You can permit users to perform the following administrative tasks using the BlackBerry® Web Desktop Manager:
• specify an enterprise activation password for a BlackBerry device
• specify a new device password and lock a device
• delete all device data and deactivate a device
• assign a new device to a user account
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
Topology > BlackBerry Domain > Component view.
Click BlackBerry Administration Service.
Click Edit component.
On the BlackBerry Web Desktop Manager information tab, change Allow users to perform self service tasks
to Yes.
Click Save all.
Permit users to create activation passwords using the
BlackBerry Web Desktop Manager
You can specify whether the BlackBerry® Web Desktop Manager permits users to create their own activation
passwords so that they can activate their BlackBerry devices over the wireless network. By default, users can create
their own activation passwords. If you do not permit users to create their own activation passwords, in the BlackBerry
Web Desktop Manager, the Device setup screen in the Advanced Settings tab is hidden.
1.
In the BlackBerry Administration Service, in the Servers and components menu, expand BlackBerry Solution
Topology > BlackBerry Domain > Component view.
147
Administration Guide
Permit users to activate BlackBerry devices using the BlackBerry Web Desktop Manager
2.
3.
4.
Click BlackBerry Administration Service.
Click Edit component.
On the BlackBerry Web Desktop Manager information tab, perform one of the following actions:
• To prevent users from creating their own activation passwords, change Allow user self-activation wirelessly
to No.
• To permit users to create their own activation passwords, change Allow user self-activation wirelessly to Yes.
5.
Click Save all.
Permit users to activate BlackBerry devices using the
BlackBerry Web Desktop Manager
You can specify whether users can use the BlackBerry® Web Desktop Manager to activate BlackBerry devices using
a wired connection to a computer.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, in the Servers and components menu, expand BlackBerry Solution
Topology > BlackBerry Domain > Component view.
Click BlackBerry Administration Service.
Click Edit component.
On the BlackBerry Web Desktop Manager information tab, perform one of the following actions:
• To permit users to activate or re-activate BlackBerry devices, change Allow user wireline activation to
Activate Any PIN.
• To permit users to activate new BlackBerry devices only, change Allow user wireline activation to Activate
Unused PINs only.
• To prevent users from activiating BlackBerry devices, change Allow user wireline activation to No.
Click Save all.
Permit users to back up and restore data using the
BlackBerry Web Desktop Manager
You can specify whether users can back up and restore data on BlackBerry® devices using the BlackBerry® Web
Desktop Manager.
1.
2.
3.
4.
5.
148
In the BlackBerry Administration Service, in the Servers and components menu, expand BlackBerry Solution
Topology > BlackBerry Domain > Component view.
Click BlackBerry Administration Service.
Click Edit component.
On the BlackBerry Web Desktop Manager information tab, change Allow users to back up and restore data to
Yes.
Click Save all.
Administration Guide
Configure the domains for backing up data using the BlackBerry Web Desktop Manager
After you finish: To prevent users from backing up and restore data from their BlackBerry devices, change Allow
user backup/restore operations to No.
Configure the domains for backing up data using the
BlackBerry Web Desktop Manager
You can specify the domains that users' computers are located in so that you can limit which users can back up data
on their BlackBerry® devices using the BlackBerry® Web Desktop Manager.
1.
2.
3.
4.
5.
6.
7.
In the BlackBerry Administration Service, in the Servers and components menu, expand BlackBerry Solution
Topology > BlackBerry Domain > Component view.
Click BlackBerry Administration Service .
Click Edit component.
On the BlackBerry Web Desktop Manager information tab, in the Device backup domains field, type a domain
that permits the user to back up data.
Click the Add icon.
Repeat steps 4 and 5 for each domain that you want to add.
Click Save all.
Change the text colors in the BlackBerry Web Desktop
Manager
You can change the text colors in BlackBerry® Web Desktop Manager to match the colors that your organization uses
for UIs.
1.
2.
3.
4.
5.
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
Click BlackBerry Administration Service.
On the Font colors tab, click Edit Component.
Type the name of the color, in hexadecimal format, for the color of the BlackBerry Web Desktop Manager text
that you want to change.
Click Save All.
BlackBerry Web Desktop Manager text colors
Parameter
Font color 1
Description
Default
This text color specifies the hexadecimal color value of #000000 (black)
the description text in the BlackBerry® Web Desktop
Manager.
149
Administration Guide
Parameter
Font color 2
Font color 3
Font color 4
Font color 5
Font color 6
Font color 7
Font color 8
Display a custom image in the BlackBerry Web Desktop Manager
Description
Default
This text color specifies the hexadecimal color value of #788cb6 (steel blue)
the copyright text in the BlackBerry Web Desktop
Manager.
This text color specifies the hexadecimal color value of #ff0000 (red)
the text in the BlackBerry Web Desktop Manager error
messages.
This text color specifies the hexadecimal color value of #6c4091 (purple)
the text in the BlackBerry Web Desktop Manager
information messages.
This text color specifies the hexadecimal color value of #a1a1a4 (grey)
unavailable links in the BlackBerry Web Desktop
Manager. For example, text for options that you make
unavailable using IT policy rules use this parameter.
This text color specifies the hexadecimal color value of #ffffff (white)
the text in the BlackBerry Web Desktop Manager
headers, and the text in the tab links that point to web
pages that the user is not currently visiting.
This text color specifies the hexadecimal color value of #005387 (blue)
the text in the available BlackBerry Web Desktop
Manager menu and text in the option links.
This text color specifies the hexadecimal color value of #8cb811 (green)
the BlackBerry Web Desktop Manager link text when a
user pauses a cursor on a link.
Display a custom image in the BlackBerry Web Desktop
Manager
You can display a custom image, such as your organization's logo, in the upper-right corner of the BlackBerry® Web
Desktop Manager. The image file that you specify must be a .jpg or .gif file that is located on a trusted web site.
1.
2.
3.
4.
5.
150
In the BlackBerry Administration Service, in the Servers and components menu, expand BlackBerry Solution
Topology > BlackBerry Domain > Component view .
Click BlackBerry Administration Service.
Click Edit component.
On the Company logos tab, type the HTTPS URL for your organization's logo.
Click Save all.
Administration Guide
Display the domain name on the login page of the BlackBerry Web Desktop Manager
Display the domain name on the login page of the
BlackBerry Web Desktop Manager
You can specify the domain name that appears automatically in the Domain field when users browse to the
BlackBerry® Web Desktop Manager login page. You can specify only one domain name. You can also provide the
domain name to users when you send their login information to them.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, in the Servers and components menu, expand BlackBerry Solution
Topology > BlackBerry Domain > Component view.
Click BlackBerry Administration Service.
Click Edit component.
On the Microsoft® Active Directory® authentication tab, in the Login domain field, type the name of the default
domain that users log in from.
Click Save all.
151
Administration Guide
Creating and configuring Wi-Fi profiles and VPN profiles
Creating and configuring Wi-Fi profiles and
VPN profiles
15
Creating and configuring Wi-Fi profiles
You can use Wi-Fi® configuration settings and optional VPN configuration settings to manage BlackBerry® devices
that can operate on both mobile and Wi-Fi networks.
You can manage the configuration settings for user accounts that are associated with a BlackBerry® Enterprise Server
Express by creating Wi-Fi profiles. You can create and assign one or more Wi-Fi profiles to a user account or to a
group using a process that is similar to the process you use to create an IT policy and assign it to a user account.
For more information, see the BlackBerry Enterprise Server Feature and Technical Overview.
Prerequisites: Creating Wi-Fi profiles and VPN profiles
You must install and configure wireless access points for your organization’s enterprise Wi-Fi® network. Perform the
following actions:
• Verify that the access points comply with the IEEE® 802.11a™ standard, IEEE® 802.11b™ standard, or IEEE®
802.11g™ standard.
• Verify the number of connections for each access point to make sure that the access points can manage additional
traffic.
• Verify that users can roam between access points.
• Refer to the documentation for the access points to complete a site survey and assign channels.
• If your organization does not use a switched enterprise Wi-Fi network and your organization has multiple
subnets, configure the subnets to cover the same physical area. The configuration can affect how users send or
receive calls.
• Assign an SSID to each access point or each group of access points that share an SSID.
• If users can roam between the access points, configure all of the relevant SSID profiles on each access point.
• If your organization uses NAT traversal, verify that the access points support NAT traversal.
You must configure authentication and encryption for the access points. Perform the following actions:
• Configure authentication using a supported authentication method. For example, if your organization uses layer
2 access security, verify that your organization uses one of the supported layer 2 security methods.
• Configure encryption using a supported encryption method.
If your organization’s environment requires a VPN concentrator, configure a VPN concentrator for VPN access security
using IPsec VPN. See the administrator for your organization’s firewall or VPN concentrator to determine the
appropriate configuration settings.
You must configure firewall settings. Perform the following actions:
• If your organization use a proxy firewall, configure the proxy server so that it is transparent to users.
152
Creating and configuring Wi-Fi profiles
Administration Guide
•
•
•
Verify that the IP addresses for the BlackBerry® Domain that are relevant to your organization’s environment
are permitted addresses.
Verify that the Wi-Fi network can connect to the BlackBerry Router.
Verify that you add the IP address of the BlackBerry Router to the DNS server.
Configure the ports for the Wi-Fi network.
You must configure access to the DHCP server and DNS server. Perform the following actions:
• If necessary, configure your organization’s enterprise Wi-Fi network to access the DHCP server.
• If you do not use static IT addresses, use the DNS lookup tool on a Wi-Fi enabled BlackBerry device to verify that
the BlackBerry device can access the DHCP server.
• Use the DNS lookup tool on a Wi-Fi enabled BlackBerry device to verify that the BlackBerry device can access
one or more DNS servers.
If your organization uses an AAA server, you must configure it. Perform the following actions:
• Configure the AAA server to support the Wi-Fi authentication method that your organization uses.
• Permit all access points to use the AAA server.
If you configure service-specific access security, create a captive portal login.
You must configure user accounts in your organization's environment. Perform the following actions:
• Create authentication credentials for the user accounts.
• If your organization uses EAP-TLS, EAP-TTLS, or PEAP authentication methods, permit the BlackBerry® Enterprise
Server Express to access to the PKI infrastructure and certificates.
Add the MAC addressses of every BlackBerry device that you permit to access a specific enterprise Wi-Fi network
(an allowed list) or prevent from accessing a specific enterprise Wi-Fi network (a restricted list) to the controller for
each access point.
Connection types and port numbers for a Wi-Fi network
Port assignments might vary by mobile network provider.
Item
Connection type
Default port number
incoming connection from
a BlackBerry® device to
the BlackBerry Router
outgoing connection from
a BlackBerry device to the
BlackBerry Router for a
direct Wi-Fi® connection
to the BlackBerry®
Infrastructure
TCP
4101
Where to configure the
connection
Windows® registry
TCP
443
—
153
Administration Guide
Creating and configuring Wi-Fi profiles
Create a Wi-Fi profile
1.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Policy > WiFi configuration.
2.
3.
4.
Click Create Wi-Fi profile.
In the Name field, type a name for the Wi-Fi® profile.
Click Save.
After you finish: Configure the Wi-Fi profile.
Create a Wi-Fi profile based on an existing Wi-Fi profile
1.
2.
3.
4.
5.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Policy > WiFi configuration.
Click Manage Wi-Fi profiles.
Click the name of the Wi-Fi® profile that you want to copy.
Click Copy profile.
Type a name for the new Wi-Fi profile.
6.
Click Save.
After you finish: Configure the Wi-Fi profile.
Configure a Wi-Fi profile on a BlackBerry device
You can instruct BlackBerry® device users to perform the following task if you want users to configure a Wi-Fi® profile
for the Wi-Fi networks that you did not create a Wi-Fi profile for in the BlackBerry® Administration Service. By default,
new Wi-Fi profiles appear at the end of the Wi-Fi profile list on the BlackBerry device.
1.
2.
3.
4.
On the Home screen or in the application list, click Manage Connections.
Click Set Up Wi-Fi Network.
Perform the instructions on the screen.
On the Wi-Fi Setup Complete screen, perform any of the following actions:
• To change the order of the Wi-Fi profiles, click Prioritize Wi-Fi Profiles.
• To specify registration information for the Wi-Fi network, click Wi-Fi Hotspot Login.
5.
Click Finish.
Assign a Wi-Fi profile to a group
You can assign one or more Wi-Fi® profiles to a group.
Before you begin: Create and configure a Wi-Fi profile.
1.
154
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Group.
Administration Guide
2.
3.
4.
5.
6.
Creating and configuring Wi-Fi profiles
Click Manage groups.
In the Manage groups section, click the group that you want to assign a Wi-Fi profile to.
On the Wi-Fi profiles tab, click Edit group.
In the Available Wi-Fi profiles list, click the profile that you want to assign to the group and click Add. Repeat
for any additional profiles that you want to assign to the group.
Click Save all.
When you assign a Wi-Fi profile to a group that has at least one user account assigned to it, the BlackBerry
Administration Service creates jobs to deliver the resulting objects to BlackBerry devices.
Assign a Wi-Fi profile to a user account
You can assign more than one Wi-Fi® profile to a user account.
Before you begin: Create and configure a Wi-Fi profile.
1.
2.
3.
4.
5.
6.
7.
8.
9.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for one or more user accounts.
Click the name of the user account that you want to assign a Wi-Fi profile to.
Click Edit user.
On the Wi-Fi profiles tab, in the Wi-Fi profile name section, in the drop-down list, click the Wi-Fi profile.
If required, in the Wi-Fi User Specific Settings section, specify the login information for the Wi-Fi profile.
Click the Add icon.
Click Save all.
When you assign a Wi-Fi profile to a user account, the BlackBerry Administration Service creates a job to deliver the
resulting object to the BlackBerry device.
Configure a Wi-Fi profile
1.
2.
3.
4.
5.
6.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Policy > WiFi configuration.
Click Manage Wi-Fi profiles.
Click the name of a Wi-Fi® profile.
Click Edit profile.
On the Wi-Fi profile settings tab, change the values for the configuration settings.
Click Save All.
After you finish:
• For information about the Wi-Fi configuration settings, see the BlackBerry Enterprise Server Policy Reference
Guide.
155
Administration Guide
•
•
Creating and configuring VPN profiles
If the Wi-Fi network includes a captive portal, verify that you changed the WLAN Enable Authentication Page
option to True to permit users to access the captive portal using the WLAN Login browser on their BlackBerry
devices.
To update the BlackBerry device information immediately, resend the IT policy to the BlackBerry device.
Creating and configuring VPN profiles
Wi-Fi® enabled BlackBerry® devices have built-in VPN clients that supports several types of VPN concentrators.
To create a VPN profile, you configure the VPN configuration settings (for example, the IP address of the VPN
concentrator, user names and passwords, and cryptographic methods that the BlackBerry® Enterprise Server Express
uses) on a BlackBerry device or using a VPN profile or IT policy. You can assign one or more VPN profiles to a user
account or to a group. If a user account has a VPN profile, you can associate the VPN profile with the Wi-Fi profile
for the user account.
Depending on your organization's security policy, you can save a user name and password to a BlackBerry device to
prevent the BlackBerry device from prompting the user for the login information the first time (or each time) the
BlackBerry device connects to the enterprise Wi-Fi network.
Create a VPN profile
1.
2.
3.
4.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Policy > WiFi configuration.
Click Create VPN profile.
In the Name field, type a name for the VPN profile.
Click Save.
After you finish: Configure the VPN profile.
Create a VPN profile based on an existing VPN profile
1.
2.
3.
4.
5.
6.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Policy > WiFi configuration.
Click Manage VPN profiles.
Click the name of the VPN profile that you want to copy.
Click Copy profile.
Type a name for the new VPN profile.
Click Save.
After you finish: Configure the VPN profile.
156
Administration Guide
Creating and configuring VPN profiles
Configure a VPN profile
1.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Policy > WiFi configuration.
2.
3.
4.
5.
6.
Click Manage VPN profiles.
Click the name of the VPN profile.
Click Edit profile.
On the VPN profile settings tab, change the values for the configuration settings.
Click Save All.
After you finish:
• For information about VPN configuration settings, see the BlackBerry Enterprise Server Policy Reference Guide.
• To update BlackBerry device information immediately, resend the IT policy to the BlackBerry device.
Assign a VPN profile to a group
You can assign one or more VPN profiles to a group.
Before you begin: Create and configure a VPN profile.
1.
2.
3.
4.
5.
6.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Group.
Click Manage groups.
In the Manage groups section, click the group that you want to assign a VPN profile to.
On the VPN profiles tab, click Edit group.
In the Available VPN profiles list, click the profile that you want to assign to the group and click Add. Repeat for
any additional profiles that you want to assign to the group.
Click Save.
When you assign a VPN profile to a group that has at least one user account assigned to it, the BlackBerry
Administration Service creates jobs to deliver the resulting objects to BlackBerry devices.
Assign a VPN profile to a user account
You can assign one or more VPN profile to a user account.
Before you begin: Create and configure a VPN profile.
1.
2.
3.
In the BlackBerry® Administration Service, expand User.
Click Manage users.
Search for a user account.
4.
5.
Click the display name for the user account.
Click Edit user.
157
Administration Guide
6.
7.
8.
9.
Delete a Wi-Fi profile
On the VPN profiles tab, in the VPN profile name section, in the drop-down list, click the appropriate VPN profile.
If required, in the VPN User Specific Settings section, specify the login information that you want to associate
with the VPN profile.
Click the Add icon.
Click Save All.
When you assign a VPN profile to a user account, the BlackBerry Administration Service creates a job to deliver the
resulting object to the BlackBerry device.
Associate a VPN profile with a Wi-Fi profile
To permit a BlackBerry® device to connect to a Wi-Fi® network using a VPN session, you must associate a VPN profile
with a Wi-Fi profile that you assigned to the user account.
1.
2.
3.
4.
5.
6.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Policy > WiFi configuration.
Click Manage Wi-Fi profiles.
Click the name of the Wi-Fi profile.
Click Edit profile.
On the Wi-Fi profile settings tab, in the Wi-Fi Associations section, in the VPN profile drop-down list, click the
VPN profile that you want to associate with the Wi-Fi profile.
Click Save All.
After you finish: To update the BlackBerry device information immediately, resend the IT policy to the BlackBerry
device.
Delete a Wi-Fi profile
Before you begin: Verify that the Wi-Fi® profile is not assigned to a user account.
1.
2.
3.
4.
5.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Policy > WiFi configuration.
Click Manage Wi-Fi profiles.
Click the name of a Wi-Fi profile.
Click Delete profile.
Click Yes - Delete the profile.
Delete a VPN profile
Before you begin: Verify that the VPN profile is not assigned to a user account or associated with a Wi-Fi® profile.
158
Administration Guide
1.
2.
3.
4.
5.
Importing profile information from a .csv file
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Policy > WiFi configuration.
Click Manage VPN profiles.
Click the name of a VPN profile.
Click Delete profile.
Click Yes - Delete the profile.
Importing profile information from a .csv file
You can update the Wi-Fi® profiles and VPN profiles that you want to assign to user accounts and the user names
and passwords for the profiles by importing a .csv file using the BlackBerry Administration Service. When you import
profile information from a file, you can configure the profile information for multiple user accounts at the same time.
The .csv file must contain the following information:
• user accounts that you want to update
• names of profiles that you want to change
• whether you want to add, remove, or change the profiles
Best practices: Creating a .csv file that contains profile information that you
want to import
Consider the following guidelines:
• Specify only one action that you want the BlackBerry® Enterprise Server Express to perform in each row of the
file.
• To assign more than one action to a user account, create multiple rows for the user account.
• If you are using a text editor to create the .csv file, include a comma (,) after the value that appears in each field
in each row. If a field does not contain a value, include only a comma in the field.
• If you are using a text editor to create the .csv file, include a character return at the end of each row.
• If you are using a text editor to create the .csv file, use quotation marks (" ") if the value for a field contains a
space (for example, "Westlee Barichak").
• Add no more than 2000 actions to a file.
• Assign a maximum of 32 profiles to BlackBerry devices that are running BlackBerry® Device Software versions
that are earlier than 4.5.0.
• Assign a maximum of 64 profiles to BlackBerry devices that are running BlackBerry Device Software version 4.5.0
and later.
Create a .csv file that contains profile information that you want to import
Before you begin: Using the BlackBerry® Administration Service, create profiles and specify the configuration settings
for the profiles.
159
Administration Guide
1.
2.
3.
4.
Importing profile information from a .csv file
Using the BlackBerry Administration Service, export user information for the user accounts that you want to
update profile information for to a .csv file.
In any application that permits you to update .csv files, add the following fields to the .csv file that you exported
in step 1:
• Attribute Name
• Attribute Type
• Action
• User Name
• Password
Configure the fields for each user account in the file.
Save the changes.
Example: Adding profile information to user accounts
"User Id","Display Name","PIN","Email Address","Logon Name","Attribute
Name","Attribute Type","Action","User Name","Password"
"16","Westlee Barichak","","[email protected]",,"wifi_1","WLAN","ADD","test
user","test password"
"17","Jovanka Buac","","[email protected]",,"vpn_1","VPN","ADD"
"8","Sherisse Da
Silva","2072C4B7","[email protected]",,"wifi_1","WLAN","ADD","wlan_user","wlan_pas
s"
"8","Sherisse Da Silva","2072C4B7","[email protected]",,"vpn_1","VPN","ADD"
Example: Changing profile information that you assigned to user accounts
"User Id","Display Name","PIN","Email Address","Logon Name","Attribute
Name","Attribute Type","Action","User Name","Password"
"16","Westlee
Barichak","","[email protected]",,"wlan_1","WLAN","UPDATE","update_username","update_
password"
"8","Sherisse Da
Silva","2072C4B7","[email protected]",,"wifi_1","WLAN","UPDATE","update_username","up
date_password"
Example: Removing profile information from user accounts
"User Id","Display Name","PIN","Email Address","Logon Name","Attribute
Name","Attribute Type","Action","User Name","Password"
"8","Lou Sicoli","2072C4B7","[email protected]",,"wlan_1","WLAN","DELETE"
"9","Sarah Symonds","2072C4B7","[email protected]",,"vpn_1","VPN","DELETE"
"16","Westlee Barichak","","[email protected]",,"wlan_1","WLAN","DELETE"
"16","Westlee Barichak","","[email protected]",,"vpn_1","VPN","DELETE"
Fields in the .csv file that contains profile information
The following table describes the fields that you can configure in a .csv file. The BlackBerry® Administration Service
uses the fields in the .csv file to update profile information that you assigned to user accounts.
160
Importing profile information from a .csv file
Administration Guide
Field
User Id
Display Name
PIN
Logon Name
Attribute Name
Attribute Type
Action
User Name
Password
Description
This field specifies the user identifier that the BlackBerry Enterprise Server
Express creates for each user account. You must specificy a value in this
field.
This field specifies the user name for the user account.
This field specifies the BlackBerry device PIN.
This field specifies the name that the user can use to log in to the BlackBerry
Administration Service or BlackBerry® Web Desktop Manager.
This field specifies the name of the Wi-Fi® profile or VPN profile. You must
specify a value in this field.
This field specifies whether the profile is a Wi-Fi profile or VPN profile. You
must specify either WLAN or VPN as the value in this field.
This field specifies whether you want to add, remove, or update the profile.
You must specify ADD, DELETE, or UPDATE as the value in this field.
This field specifies the user name that the BlackBerry device can use to
access the enterprise Wi-Fi network or VPN, if a user name is required.
This field specifies the password that the BlackBerry device can use to access
the enterprise Wi-Fi network or VPN, if a password is required. You can
include quotation marks (" ") in the password.
Import profile information from a .csv file
The BlackBerry® Administration Service processes actions in the order that they appear in the .csv file. If two actions
that you listed in the file contradict each other, the action that appears closer to the end of the file is the action that
the BlackBerry Administration Service processes. If the BlackBerry Administration Service notices an error that is
specific to an action during the import process (for example, you formatted an action incorrectly in the .csv file), the
BlackBerry Administration Service continues to process the remaining actions in the file and displays an error message
for the action that the BlackBerry Administration Service could not process.
1.
2.
3.
4.
5.
6.
In the BlackBerry Administration Service, expand User > Manage users.
In the Search for users section, click Update WLAN Information for users from a List.
Click Browse.
Navigate to the .csv file that you want to import.
Click Open.
Click Save.
161
Administration Guide
Configuring encryption and authentication methods for Wi-Fi enabled BlackBerry devices
Configuring encryption and authentication
methods for Wi-Fi enabled BlackBerry devices
16
For information about the encryption and authentication methods for Wi-Fi® connections, see the BlackBerry
Enterprise Solution Security Technical Overview.
Configuring WEP encryption
WEP encryption uses matching encryption keys that are located at wireless access points and wireless clients to
secure wireless communication.
To configure WEP encryption, you must distribute the WEP keys in the Wi-Fi® profiles that you assign to user accounts.
The BlackBerry® Enterprise Server Express sends the WEP key information when users activate Wi-Fi enabled
BlackBerry devices.
The WEP keys on BlackBerry devices must match the WEP keys that are located at the access points.
You can configure four WEP keys and a default key ID. The WEP key numbering on BlackBerry devices does not match
the WEP key numbering in the configuration settings of the Wi-Fi profile for the enterprise Wi-Fi network. For
example, WEP key 1 on the BlackBerry device is WEP key 0 in the configuration settings, and WEP key 2 on the
BlackBerry device is WEP key 1 in the configuration settings. You type or copy the WEP keys for the access points as
a string of hexadecimal digits.
BlackBerry devices do not support a WEP passphrase.
Configure WEP keys for BlackBerry devices using a Wi-Fi profile
Before you begin: Obtain the WEP keys for the wireless access point. For more information, see the documentation
for the access point.
1.
2.
3.
4.
5.
6.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy > WiFi configuration.
Click Manage Wi-Fi profiles.
Click the name of the Wi-Fi® profile that you want to change.
Click Edit profile.
On the Wi-Fi profile settings tab, configure the values for the following configuration settings:
• Wi-Fi WEP Key 0
• Wi-Fi WEP Key 1
• Wi-Fi WEP Key 2
• Wi-Fi WEP Key 3
Click Save All.
After you finish:
• Assign the Wi-Fi profile to the user accounts.
162
Administration Guide
•
Configuring PSK encryption
Resend the IT policy that you assign to the user accounts to Wi-Fi enabled BlackBerry devices.
Related topics
Creating and configuring Wi-Fi profiles, 152
Configuring PSK encryption
The IEEE® 802.1X™ standard specifies PSK encryption as an access control method for enterprise Wi-Fi® networks.
You can use PSK encryption in small office and home environments where it is not feasible to configure server-based
authentication.
To configure PSK encryption, you must distribute a passphrase to Wi-Fi enabled BlackBerry® devices that matches
the key or passphrase for the wireless access points. You must distribute the passphrase using the Wi-Fi profiles that
you assign to user accounts. The BlackBerry® Enterprise Server Express sends the passphrase when users activate
the BlackBerry devices.
For more information about how the BlackBerry® Enterprise Solution supports PSK encryption, see the BlackBerry
Enterprise Server Security Technical Overview.
Configure PSK encryption data for BlackBerry devices using a Wi-Fi profile
Before you begin: Obtain the passphrase for the wireless access point. For more information, see the documentation
for the access point.
1.
2.
3.
4.
5.
6.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy > WiFi configuration.
Click Manage Wi-Fi profiles.
Click the name of the Wi-Fi® profile that you want to change.
Click Edit profile.
On the Wi-Fi profile settings tab, in the Wi-Fi Preshared Key field, type the passphrase.
Click Save All.
After you finish:
• Assign the Wi-Fi profile to the user accounts.
• Resend the IT policy that you assign to the user accounts to Wi-Fi enabled BlackBerry devices.
Related topics
Creating and configuring Wi-Fi profiles, 152
Configuring LEAP authentication
LEAP authentication is a proprietary authentication method that was developed by Cisco® Systems. LEAP
authentication provides one-side, server-based authentication between an enterprise Wi-Fi® network and Wi-Fi
enabled BlackBerry® devices and provides per-client dynamic generation of WEP keys and automatic WEP key updates
during a session.
163
Administration Guide
Configuring PEAP authentication
BlackBerry devices support LEAP authentication that uses a user name and password. You must distribute the user
name and password using a Wi-Fi profile that you assign to user accounts. BlackBerry devices use a one-way function
to encrypt passwords before they send the passwords to the authentication server.
For more information about how the BlackBerry® Enterprise Solution supports LEAP authentication, see the
BlackBerry Enterprise Server Security Technical Overview.
Configure LEAP authentication data for BlackBerry devices using a Wi-Fi
profile
Before you begin:
• Using the wireless access point, configure the LEAP settings to accept SSID association requests from users that
have the credentials that you specify or to identify the authentication server that the Wi-Fi® enabled BlackBerry
devices use to verify user credentials. For more information, see the documentation for your organization's
access points.
• Configure strong password policies if Wi-Fi network authentication uses LEAP authentication.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy > WiFi configuration.
Click Manage Wi-Fi profiles.
Click the name of the Wi-Fi profile that you want to change.
Click Edit profile.
On the Wi-Fi profile settings tab, perform the following actions:
• In the Wi-Fi User Name field, type the user name for LEAP authentication.
• In the Wi-Fi User Password field, type the password for LEAP authentication.
6.
Click Save All.
After you finish:
• Assign the Wi-Fi profile to the user accounts.
• Resend the IT policy that you assign to the user accounts to BlackBerry devices.
Related topics
Creating and configuring Wi-Fi profiles, 152
Configuring PEAP authentication
If your organization implements PEAP authentication, Wi-Fi® enabled BlackBerry® devices must authenticate to an
authentication server before they can connect to the enterprise Wi-Fi network.
PEAP authentication requires that BlackBerry devices trust the authentication server certificate. To trust the
authentication server certificate, BlackBerry devices must trust the certificate authority that issued the certificate.
A certificate authority that the BlackBerry devices and the authentication server trust mutually must generate the
certificate for the authentication server.
164
Administration Guide
Configuring PEAP authentication
Each BlackBerry device stores a list of explicitly trusted certificate authority certificates. BlackBerry devices that use
PEAP authentication require the root certificate for the certificate authority that issued the certificate.
To distribute the root certificate to BlackBerry devices, you can use the certificate synchronization tool in the
BlackBerry® Desktop Manager. You must configure a Wi-Fi profile to provide the user name and password for
authentication.
For more information about how the BlackBerry® Enterprise Solution supports PEAP authentication, see the
BlackBerry Enterprise Server Security Technical Overview.
Configure PEAP authentication data for BlackBerry devices using a Wi-Fi
profile
1.
2.
3.
4.
5.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Policy > WiFi configuration.
Click Manage Wi-Fi profiles.
Click the name of the Wi-Fi® profile that you want to configure.
Click Edit profile.
On the Wi-Fi profile settings tab, perform the following actions:
• In the Wi-Fi User Name field, type the user name for PEAP authentication.
• In the Wi-Fi User Password field, type the password for PEAP authentication.
6.
If necessary, on the Wi-Fi profile settings tab, configure the following configuration settings:
• Wi-Fi Link Security
• Wi-Fi Hard Token Required
• Wi-Fi Server Subject
• Wi-Fi Server SAN
• Wi-Fi Disable Server Certificate Validation
7.
Click Save All.
After you finish:
• Resend the IT policy that you assign to the user accounts to BlackBerry devices.
• Distribute the certificates.
Related topics
Creating and configuring Wi-Fi profiles, 152
Prerequisites: Distributing a certificate using the BlackBerry Desktop
Manager
•
Using a public or private certificate authority, obtain or generate a digital certificate for the authentication
server. The root.der certificate file is stored in the location where the certificate was created. For example, the
authentication server stores a self-signed certificate locally.
165
Administration Guide
•
•
Configuring PEAP authentication
Configure each wireless access point as a client of the authentication server. You must use the same
authentication version on clients and servers. For more information, see the documentation for the access
points.
Use the certificate management features of Microsoft® Active Directory® to download the root certificate from
the certificate authority server to the computer.
Distribute a certificate using the BlackBerry Desktop Manager
If a BlackBerry® device requires the root certificate for the certificate authority, a client certificate, or both, you can
distribute the certificates using BlackBerry® Desktop Manager. The BlackBerry device can add the certificates to the
list of explicitly trusted certificate authority certificates or the list of client certificates.
1.
2.
3.
4.
5.
On the user’s computer, right-click the certificate. Click Install certificate.
Click Next.
Click Place all certificates in the following store.
Click Browse.
Perform one of the following actions:
• If you are distributing a root certificate, click Trusted Root Certification Authorities.
• If you are distributing a client certficate, click Personal
6.
7.
8.
9.
10.
11.
12.
Click OK.
Click Finish.
In the Security Warning dialog box, click Yes.
Connect the BlackBerry device to the BlackBerry Desktop Manager.
In the BlackBerry Desktop Manager, select the Certificate Synch tool.
Type a password that you can use as the keystore password.
Perform one of the following actions:
• If you are distributing a root certificate, on the Root Certificates tab, select the certificate that you add to
the certificate list on the BlackBerry device.
• If you are distributing a client certificate, on the Personal tab, select the certificate that you want to add to
the certificate list on the BlackBerry device.
Users cannot find the certificate synchronization tool in the BlackBerry Desktop
Manager
Possible cause
The certificate synchronization tool was not installed when the user installed the BlackBerry® Desktop Manager.
Possible solution
Instruct the user to re-install the BlackBerry Desktop Manager using the custom installation option. During the custom
installation process, the user can install the certificate synchronization tool.
166
Administration Guide
Configuring EAP-TLS authentication
Configure PEAP configuration settings in the Wi-Fi profile on a BlackBerry
device
If you do not configure the PEAP configuration settings using the BlackBerry® Administration Service, instruct users
to configure the settings in the Wi-Fi® profile on the BlackBerry device.
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
On the BlackBerry device, in the device options, click Wi-Fi Connections.
Click the Wi-Fi profile that you want to configure.
Click Edit.
In the Security Type list, select PEAP.
Type the user name and password for the messaging server.
In the CA certificate list, click the certificate for the authentication server.
Select the Inner link security type.
If your organization does not use EAP-MS-CHAPv2, if necesssary, in the Token list, select the token type.
If necesssary, in the Server subject field, type the server name in the server certificate, in URL format (for
example, server1.domain.com or server1.domain.net). If you leave the field blank, the BlackBerry device skips
over it during server authentication.
If necesssary, in the Server SAN field, type the alternative name for the server, in URL format (for example,
server1.domain.com or server1.domain.net). If you leave the field blank, the BlackBerry device skips over it
during server authentication.
If your organization uses dynamic IP addresses, verify that the Automatically obtain IP address and DNS option
is selected.
Verify that the Allow inter-access point handover option is selected.
If necesssary, select the Prompt before connection check box. If you do not select the check box, the BlackBerry
device connects to an available wireless access point automatically.
If necesssary, select the Notify on authentication failure check box.
If necesssary, select the VPN profile.
Configuring EAP-TLS authentication
If your organization implements EAP-TLS authentication, Wi-Fi® enabled BlackBerry® devices must authenticate to
an authentication server so that they can connect to the enterprise Wi-Fi network.
EAP-TLS authentication requires that BlackBerry devices trust the authentication server certificate and use a clientside certificate as the supplicant credentials. To trust the authentication server certificate, BlackBerry devices must
trust the certificate authority that issued the certificate. A certificate authority that the BlackBerry devices and the
authentication server trust mutually must generate the certificate for the authentication server and the certificate
for each BlackBerry device.
BlackBerry devices that use EAP-TLS authentication require a client certificate and the root certificate for the
certificate authority server that created the certificate for the authentication server. You can obtain and install both
certificates using the same distribution method.
167
Administration Guide
Configuring EAP-TLS authentication
To distribute the certificates to BlackBerry devices, you can use the certificate synchronization tool in the BlackBerry®
Desktop Manager, or you can enroll the certificate over the wireless network. You must configure a Wi-Fi profile to
provide the user name and password for authentication.
For more information about how the BlackBerry® Enterprise Solution supports EAP-TLS authentication, see the
BlackBerry Enterprise Server Security Technical Overview.
Configure EAP-TLS authentication data for BlackBerry devices using a WiFi profile
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy > WiFi configuration.
Click Manage Wi-Fi profiles.
Click the name of the Wi-Fi® profile that you want to change.
Click Edit profile.
On the Wi-Fi profile settings tab, perform the following actions:
• In the Wi-Fi User Name field, type the user name for EAP-TLS authentication.
• In the Wi-Fi User Password field, type the password for EAP-TLS authentication.
6.
If required, configure the following configuration settings:
• Wi-Fi Link Security
• Wi-Fi Hard Token Required
• Wi-Fi Server Subject
• Wi-Fi Server SAN
• Wi-Fi Disable Server Certificate Validation
7.
Click Save All.
After you finish:
• Resend the IT policy that you assign to the user accounts to Wi-Fi enabled BlackBerry devices.
• Distribute the certificates.
Related topics
Prerequisites: Distributing a certificate using the BlackBerry Desktop Manager, 165
Creating and configuring Wi-Fi profiles, 152
Configure EAP-TLS configuration settings in the Wi-Fi profile on a
BlackBerry device
If you do not configure the EAP-TLS configuration settings using the BlackBerry® Administration Service, instruct the
users to configure the settings in the Wi-Fi® profile on the Wi-Fi enabled BlackBerry device.
1.
On the BlackBerry device, in the device options, click Wi-Fi Connections.
2.
3.
Click the Wi-Fi profile that you want to change.
Click Edit.
168
Administration Guide
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
Configuring EAP-TTLS authentication
If a warning about a VPN profile appears, click OK. EAP-TLS does not require a VPN profile.
In the Security Type list, select EAP-TLS.
Type the user name and password for the messaging server.
In the CA certificate list, click the root certificate for the certificate authority that created the authentication
server certificate.
In the Client certificate list, click the user certificate.
If necessary, in the Server subject field, type the server name in the server certificate, in URL format (for example,
server1.domain.com or server1.domain.net). If you leave the field blank, the BlackBerry device skips over it
during server authentication.
If necessary, in the Server SAN field, type the alternative name for the server, in URL format (for example,
server1.domain.com or server1.domain.net). If you leave the field blank, the BlackBerry device skips over it
during server authentication.
If your organization uses dynamic IP addresses, verify that the Automatically obtain IP address and DNS option
is selected.
Verify that the Allow inter-access point handover option is selected.
If necessary, select the Prompt before connection check box. If you do not select the check box, the BlackBerry
device connects to an available wireless access point automatically.
If necessary, select the Notify on authentication failure check box.
Configuring EAP-TTLS authentication
If your organization implements EAP-TTLS authentication, Wi-Fi® enabled BlackBerry® devices must authenticate to
an authentication server so that they can connect to the enterprise Wi-Fi network.
EAP-TTLS authentication requires that BlackBerry devices trust the authentication server certificate. To trust the
authentication server certificate, BlackBerry devices must trust the certificate authority that issued the certificate.
A certificate authority that the BlackBerry devices and the authentication server trust mutually must generate the
authentication server certificate.
Each BlackBerry device stores a list of explicitly trusted certificate authority certificates. BlackBerry devices that use
EAP-TTLS authentication require the root certificate for the certificate authority that created the authentication
server certificate.
To distribute the root certificate to BlackBerry devices, you can use the certificate synchronization tool in BlackBerry®
Desktop Manager or you can enroll the certificate over the wireless network.
For more information about how the BlackBerry® Enterprise Solution supports EAP-TTLS authentication, see the
BlackBerry Enterprise Server Security Technical Overview.
169
Administration Guide
Configuring EAP-TTLS authentication
Configure EAP-TTLS authentication data for BlackBerry devices using a WiFi profile
1.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy > WiFi configuration.
2.
3.
4.
5.
Click Manage Wi-Fi profiles.
Click the name of the Wi-Fi® profile that you want to change.
Click Edit profile.
On the Wi-Fi profile settings tab, perform the following actions:
• In the Wi-Fi User Name field, type the user name for EAP-TTLS authentication.
• In the Wi-Fi User Password field, type the password for EAP-TTLS authentication.
6.
If required, configure the following configuration settings:
• Wi-Fi Link Security
• Wi-Fi Hard Token Required
• Wi-Fi Server Subject
• Wi-Fi Server SAN
• Wi-Fi Disable Server Certificate Validation
7.
Click Save All.
After you finish:
• Resend the IT policy that you assign to the user accounts to Wi-Fi enabled BlackBerry devices.
• Distribute the certificates.
Related topics
Prerequisites: Distributing a certificate using the BlackBerry Desktop Manager, 165
Creating and configuring Wi-Fi profiles, 152
Configure EAP-TTLS configuration settings in the Wi-Fi profile on a
BlackBerry device
If you do not configure the EAP-TTLS configuration settings using the BlackBerry® Administration Service, instruct a
user to configure the settings in the Wi-Fi® profile on the Wi-Fi enabled BlackBerry device.
1.
2.
3.
4.
5.
6.
On the BlackBerry device, in the device options, click Wi-Fi Connections.
Click the Wi-Fi profile that you want to change.
Click Edit.
In the Security Type list, select EAP-TTLS.
Type the user name and password for the messaging server.
In the CA certificate list, click the root certificate for the certificate authority that created the authentication
server certificate.
7.
In the Inner link security type list, select EAP-MS-CHAPv2.
170
Administration Guide
8.
9.
10.
11.
12.
13.
14.
Configuring EAP-FAST authentication
If necessary, in the Server subject field, type the server name in the server certificate, in URL format (for example,
server1.domain.com or server1.domain.net). If you leave the field blank, the BlackBerry device skips over it
during server authentication.
If necessary, in the Server SAN field, type the alternative name for the server, in URL format (for example,
server1.domain.com or server1.domain.net). If you leave the field blank, the BlackBerry device skips over it
during server authentication.
If your organization use dynamic IP addresses, verify that the Automatically obtain IP address and DNS option
is selected.
Verify that the Allow inter-access point handover option is selected.
If necesssary, select the Prompt before connection check box. If you do not select the check box, the BlackBerry
device connects to an available wireless access point automatically.
Verify that the Allow inter-access point handover option is selected.
If necessary, select the Notify on authentication failure check box.
Configuring EAP-FAST authentication
EAP-FAST is an authentication method that was developed by Cisco® Systems. Similar to PEAP authentication, EAPFAST authentication encrypts EAP transactions within a TLS tunnel. Although PEAP uses a server-side digital certificate
to configure the TLS tunnel, EAP-FAST uses a .pac file.
The .pac file that the BlackBerry® devices and the authentication server share contains secret keys that are unique
to the BlackBerry devices. The EAP-FAST master key on the authentication server generates the .pac file. EAP-FAST
uses the .pac file to open the TLS tunnel and authenticates the user credentials through the TLS tunnel.
Configure EAP-FAST authentication
1.
2.
3.
4.
Distribute the .pac file to the wireless client over a network connection that is designed to be secure using
automatic PAC provisioning.
Configure each wireless access point to connect to the access control server and a DHCP server.
Verify that the DHCP server can provide the following information to the wireless client:
• IP address or network
• default gateway
• IP address of the DNS server
Configure the access control server.
After you finish:
• For information about the automatic provisioning process, see the documentation for your organization’s
authentication server.
• For information about configuring wireless access points, see the documentation for the access points.
• For information about configuring the access control server, see the documentation for the access control server.
Related topics
Prerequisites: Distributing a certificate using the BlackBerry Desktop Manager, 165
171
Administration Guide
Configuring EAP-FAST authentication
Creating and configuring Wi-Fi profiles, 152
Send EAP-FAST authentication data to a BlackBerry device using a Wi-Fi
profile
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy > WiFi configuration.
Click Manage Wi-Fi profiles.
Click the name of the Wi-Fi® profile that you want to configure.
Click Edit profile.
In the Wi-Fi profile settings tab, perform the following actions:
• In the Wi-Fi User Name field, type the user name for PEAP authentication.
• In the Wi-Fi User Password field, type the password for PEAP authentication.
6.
If required, configure the following configuration settings:
• Wi-Fi Link Security
• Wi-Fi Inner Authentication Mode
• Wi-Fi Hard Token Required
• Wi-Fi Server Subject
• Wi-Fi Server SAN
• Wi-Fi EAP-FAST Provisioning method
• Wi-Fi Disable Server Certificate Validation
7.
Click Save All.
After you finish:
• Resend the IT policy that you assign to the user accounts to BlackBerry devices.
• Distribute the certificates.
Configure EAP-FAST configuration settings in the Wi-Fi profile on BlackBerry
devices
If you do not configure the EAP-FAST configuration settings using the BlackBerry® Administration Service, instruct
users to configure the settings in the Wi-Fi® profile on the Wi-Fi enabled BlackBerry device.
1.
2.
3.
4.
5.
6.
7.
172
On the BlackBerry device, in the device options, click Wi-Fi Connections.
Click the Wi-Fi profile that you want to change.
Click Edit.
In the Security Type list, select EAP-FAST.
Type the user name and password for the messaging server.
In the Inner link security list, click the security type.
If necessary, in the Token list, select the token type.
Administration Guide
Configuring EAP-FAST authentication
8.
If your organization uses dynamic IP addresses, verify that the Automatically obtain IP address and DNS option
is selected.
9. If necesssary, select the Prompt before connection check box. If you do not select the check box, the BlackBerry
device connects to an available wireless access point automatically.
10. If necessary, select the Notify on authentication failure check box.
173
Administration Guide
Configuring software tokens for BlackBerry devices
Configuring software tokens for BlackBerry
devices
17
The BlackBerry® Enterprise Server Express is designed to work with the RSA® Authentication Manager to provide
software token support for use with layer 2 and layer 3 Wi-Fi® authentication on Wi-Fi enabled BlackBerry devices.
When you configure a software token for users, BlackBerry devices are designed to use the passcode to authenticate
the users to the Wi-Fi network and VPNs automatically using the PEAPv1, EAP-GTC, and EAP-TTLS or EAP-GTC
authentication methods.
You can configure multiple software tokens for each user. For example, you can configure one software token that
a user can use with Wi-Fi authentication and a second software token that a user can use with VPN authentication.
When users try to open a Wi-Fi or VPN connection that requires two-factor authentication on the BlackBerry devices,
the BlackBerry devices prompt the users to type the software token PIN and submit the current tokencode for the
connection type to create the passcode for two-factor authentication.
For more information about how the BlackBerry Enterprise Server Express supports software tokens, see the
BlackBerry Enterprise Solution Security Technical Overview.
Prerequisites: Configuring BlackBerry devices for RSA
authentication
To perform tasks in the RSA® Authentication Manager, see the RSA Authentication Manager documentation, and
the documentation for the RSA SecurID® token.
• In the RSA Authentication Manager, configure the following policies for the PINs of the software tokens in your
organization's environment:
• whether a PIN is required for authentication
• whether a PIN is defined by the user or generated by the RSA Authentication Manager
• whether a PIN is alphanumeric or numeric only
• whether a PIN has a fixed length or a variable length, with a minimum of four characters and a maximum
of eight characters
• Import the token seed file (also known as the *.sdtid file) that contains the UID for each software token into the
RSA Authentication Manager Database.
• In the RSA Authentication Manager Database, create a user record for each software token holder.
• In the RSA Authentication Manager Administration application, configure the following parameters for the
software token seed file:
• serial number
• cryptographic algorithm
• user account that you can assign the software token to
• password to protect the software token seed file
• Communicate the password to the user.
174
Administration Guide
Configure BlackBerry devices for RSA authentication
Configure BlackBerry devices for RSA authentication
Software tokens use the UID and current time to authenticate the Wi-Fi® enabled BlackBerry® devices to the RSA®
Authentication Manager. To permit BlackBerry devices to authenticate to the RSA Authentication Manager, you must
synchronize the time and date on BlackBerry devices with the time and date on the computer that hosts the RSA
Authentication Manager, even though the RSA Authentication Manager is designed to accommodate time differences
of up to three minutes.
Instruct users to use one of the following methods to synchronize the date, time, and time zone settings on the
BlackBerry devices with the RSA Authentication Manager:
• Adjust the time on BlackBerry devices using the Date/Time option on the BlackBerry devices manually.
• Use the BlackBerry® Desktop Manager to synchronize the date and time on the BlackBerry devices with the
date and time on the users' computers.
After you finish:
• Assign the Wi-Fi profile to the user accounts.
• Resend the IT policy to BlackBerry devices.
Configure RSA authentication over a Wi-Fi network using a
software token
You must add the serial number of the software token that the Wi-Fi® enabled BlackBerry® devices can use to a WiFi profile so that RSA® authentication can occur over Wi-Fi connections.
1.
2.
3.
4.
5.
6.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy > WiFi configuration.
Click Manage Wi-Fi profiles.
Click the name of the Wi-Fi profile that you want to change.
Click Edit profile.
On the Wi-Fi profile settings tab, in the Wi-Fi Token Serial Number field, type the serial number of the software
token.
Click Save All.
After you finish:
• Assign the Wi-Fi profile to the user accounts.
• Resend the IT policy that you assign to the user accounts to BlackBerry devices.
175
Administration Guide
Configure RSA authentication over a VPN network using a software token
Configure RSA authentication over a VPN network using a
software token
You must add the serial number of the software token that the Wi-Fi® enabled BlackBerry® device can use to a VPN
profile so that RSA® authentication can occur over VPN connections.
1.
2.
3.
4.
5.
6.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy > WiFi configuration.
Click Manage VPN profiles.
Click the name of the VPN profile that you want to change.
Click Edit profile.
On the VPN profile settings tab, in the VPN Token Serial Number field, type the serial number of the software
token.
Click Save All.
After you finish:
• Assign the VPN profile to the user accounts.
• Resend the IT policy that you assign to the user accounts to BlackBerry devices.
Assign software tokens to a user account
You must assign the software tokens that BlackBerry® device users can use to authenticate to a Wi-Fi® network or
VPN network to the user accounts. Depending on the number of software token records that are available to you,
you can assign up to three software tokens to each user account.
1.
2.
3.
4.
5.
6.
7.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
Click the display name for the user account.
Click Edit user.
On the Software tokens tab, type the serial number of the software token.
To import the software token seed file for the user account, perform the following actions:
a. Click Browse.
b. Navigate to the software token seed file for the user account.
c.
8.
Click Open.
If you configured a password in the RSA® Authentication Manager so that you can encrypt the .sdtid file, type
and confirm the password.
9. In the Timeout (minutes) field, type the length of time, in minutes, that the Wi-Fi enabled BlackBerry device
takes to cache the PIN.
10. Click the Add icon.
176
Administration Guide
Assign software tokens to a user account
11. Click Save all.
177
Administration Guide
Changing the security settings of the BlackBerry Administration Service and BlackBerry Web Desktop
Manager
Changing the security settings of the
BlackBerry Administration Service and
BlackBerry Web Desktop Manager
18
Import a new SSL certificate for the BlackBerry
Administration Service and BlackBerry Web Desktop
Manager
When you install the BlackBerry® Administration Service and BlackBerry® Web Desktop Manager, the setup
application generates an SSL certificate to protect the HTTPS connection. You can import a self-signed SSL certificate
or a trusted certificate that a certification authority signs after the installation process completes. If you configure a
BlackBerry Administration Service pool, you must generate an SSL certificate that uses the name of the BlackBerry
Administration Service pool.
For more information about using the keytool, visit java.sun.com/javase/6/docs/technotes/tools/windows/
keytool.html.
Before you begin: If you want to use a trusted certificate, copy the root certificate of the certification authority to
the computer that hosts the BlackBerry Administration Service.
1.
2.
3.
4.
5.
6.
7.
178
On a computer that hosts a BlackBerry Administration Service instance, in <drive>:\Program Files\Research In
Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore, back up the web.keystore file.
Using the keytool in <drive>:\Program Files\Java\<JRE_version>\bin, delete the default SSL certificate that the
setup application generated (for example, keytool -delete -alias httpssl -keystore "<drive>:\Program Files
\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore").
Using the keytool and the SSL password that you specified when you installed the BlackBerry Administration
Service, generate a new entry and private key in the web.keystore file (for example, keytool -genkey -alias httpssl
-keypass <password> -keystore "<drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS
\bin\web.keystore"). When the keytool prompts you for the first name and last name, type the pool name of
the BlackBerry Administration Service. You can find the pool name in the BlackBerry Configuration Panel.
If you want to use a trusted certificate, using the keytool, import the root certificate of the certification authority
(for example, keytool -import -alias <ca_alias_name> -file <root_certificate_file>.cer -trustcacerts -keystore
"<drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore").
Using the keytool, generate a certificate signing request (for example, keytool -certreq -alias httpssl -file
<certreq_filename>.csr -keystore "<drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server
\BAS\bin\web.keystore").
Send the certificate signing request to a certification authority so that the certification authority can create the
certificate.
When the certification authority returns the certificate, copy it into a text file and save it with a .cer extension.
Administration Guide
Configuring which IBM Lotus Domino server with DIIOP the BlackBerry Administration Service uses
8.
Using the keytool, import the certificate to the web.keystore file (for example, keytool -import -alias httpssl keystore "<drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore" -file
"<certificate_filename>.cer").
9. In the Windows® Services, restart the BlackBerry Administration Service services.
10. Complete the following actions on each computer that hosts a BlackBerry Administration Service instance:
a. Copy the web.keystore file in the <drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server
\BAS\bin folder from the BlackBerry Administration Service that you updated to the other BlackBerry
Administration Service instances.
b. In the Windows® registry, copy the WebKeyStorePass value in the HKEY_CURRENT_USER\Software
\Research In Motion\BlackBerry Enterprise Server\Administration Service\Key Store from the BlackBerry
Administration Service that you updated to the other BlackBerry Administration Service instances.
c. In the Windows Services, restart the BlackBerry Administration Service services.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Configuring which IBM Lotus Domino server with DIIOP the
BlackBerry Administration Service uses
The BlackBerry® Administration Service uses DIIOP to connect to the IBM® Lotus® Domino® server so that the
BlackBerry Administration Service can access user account information. The BlackBerry® Web Desktop Manager uses
DIIOP if users authenticate with it using their IBM® iNotes™ credentials. You can update the IBM Lotus Domino server
information if you want the BlackBerry Administration Service to connect to a different server after you install the
BlackBerry Administration Service.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Change the IBM Lotus Domino server with DIIOP that the BlackBerry
Administration Service uses
Before you begin:
• Verify that the DIIOP task is running on the IBM® Lotus® Domino® server.
• If you are using BlackBerry® Web Desktop Manager with IBM Lotus Domino authentication, verify that users
have IBM® iNotes™ web access and an Internet password.
1.
2.
3.
In the BlackBerry Administration Service, in the Servers and components menu, expand BlackBerry solution
topology > BlackBerry Domain > Component view.
Click BlackBerry Administration Service.
Click Edit component.
4.
5.
On the Domino Authentication (BESD) tab, change the fields as required.
Click Save all.
179
Administration Guide
6.
Change the information for Microsoft Active Directory authentication
Restart the BlackBerry Administration Service.
Change the information for Microsoft Active Directory
authentication
Before you begin:
• Create a Microsoft® Active Directory® account for the BlackBerry® Administration Service that is located in a
Windows® domain that is a part of the resource forest. When you create the account, specify a password that
meets the security requirements of your organization and configure the following password settings:
• the user is not required to change the password at next login
• the user's password never expires
1.
2.
3.
4.
In the BlackBerry Administration Service, expand BlackBerry solution topology > BlackBerry Domain >
Component view.
Click BlackBerry Administration Service.
On the Microsoft® Active Directory® authentication tab, click Edit component.
In the User name field, type the name for the Microsoft Active Directory account that has permission to access
the user containers and read the user objects that are stored in the global catalog servers that are located in
the resource forest.
5.
6.
7.
In the Password field and Confirm Password field, type the password for the Microsoft Active Directory account.
In the User domain field, type the name of the Windows domain that is a part of the resource forest.
In the Global Catalog search base field, perform one of the following actions:
• To permit the BlackBerry Administration Service to search the global catalog, leave the Global Catalog search
base field blank.
• To control which user accounts the BlackBerry Administration Service can authenticate with, type the
distinguished name of the user container (for example, OU=sales,DC=example,DC=com).
8.
If you want the BlackBerry Administration Service to find all of the global catalog servers in the resource forest
automatically, in the Global Catalog server discovery drop-down list, click Automatic.
If you want to configure which global catalog servers the BlackBerry Administration Service can access, in the
Global Catalog server discovery drop-down list, click Select server from the list below and perform the following
actions:
a. In the Global Catalog server section, type the FQDN of the global catalog server that you want the BlackBerry
Administration Service to access (for example, globalcatalog01.example.com). You must type the FQDN of
a global catalog server that is located in the Windows domain that the Microsoft Active Directory account
located in.
b. Click the Add icon.
c. Perform this step for each global catalog server that you want the BlackBerry Administration Service to
access.
9.
180
Administration Guide
Configuring single sign-on authentication for the BlackBerry Administration Service and BlackBerry
Web Desktop Manager
10. Click Save All.
The BlackBerry Administration Service validates the information for Microsoft Active Directory authentication. If the
information is valid, the BlackBerry Administration Service implements the changes immediately and you do not
need to restart the BlackBerry Administration Service services. If the information is invalid, the BlackBerry
Administration Service prompts you to specify correct information.
Configuring single sign-on authentication for the
BlackBerry Administration Service and BlackBerry Web
Desktop Manager
If you configure the BlackBerry® Administration Service to support Microsoft® Active Directory® authentication, you
can turn on single sign-on authentication. Single sign-on authentication permits you to access the BlackBerry
Administration Service and BlackBerry device users to access the BlackBerry Web Desktop Manager without requiring
that you or the users type a Microsoft Active Directory user name and password. By default, if you log in to the
BlackBerry Administration Service or users log in to the BlackBerry Web Desktop Manager using Microsoft Active
Directory authentication, the browser prompts you or the users to type a Microsoft Active Directory user name and
password. If you turn on single sign-on authentication, and you log in to a computer using a Microsoft Active Directory
account, you can bypass the login screen and access the BlackBerry Administration Service and BlackBerry Web
Desktop Manager directly.
Before you turn on single sign-on, you must configure constrained delegation for the Microsoft Active Directory
account for the BlackBerry Administration Service.
Configure constrained delegation for the Microsoft Active Directory
account to support single sign-on authentication
1.
Use the Windows Server® ADSI Edit tool to add the following SPNs for the BlackBerry® Administration Service
pool to the Microsoft® Active Directory® account :
• HTTP/<BAS_pool_FQDN> (for example, HTTP/BASconsole104.example.com)
• BASPLUGIN111/<BAS_pool_FQDN> (for example, BASPLUGIN111/BASconsole104.example.com)
2.
If you create separate pools of BlackBerry Administration Service instances and BlackBerry Web Desktop
Manager instances in the BlackBerry Administration Service pool, add the HTTP/<BAS_pool_FQDN> SPN for each
pool to the Microsoft Active Directory account.
Configure the Microsoft Active Directory account for constrained delegation using the following settings:
• trust this user for delegation to specific services only
• use Kerberos™ only
3.
4.
In the Microsoft Active Directory account properties, on the Delegation tab, add BASPLUGIN111/
<BAS_pool_FQDN> to the list of services.
After you finish: For more information about configuring constrained delegation for the Microsoft Active Directory
account so you can access the BlackBerry Administration Service, visit www.blackberry.com/btsc to read article
KB22717.
181
Administration Guide
Configuring single sign-on authentication for the BlackBerry Administration Service and BlackBerry
Web Desktop Manager
Turn on single sign-on authentication for the BlackBerry Administration
Service
1.
2.
3.
4.
5.
6.
7.
8.
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution
Topology > BlackBerry Domain > Component view.
Click BlackBerry Administration Service.
On the Microsoft® Active Directory® authentication tab, click Edit component.
In the Login Domain section, in the Single sign-on authentication for BlackBerry Administration Service turned
on drop-down list, click Yes.
To configure the Microsoft® Active Directory® account for each forest, in the Account forest name section, type
the user domain name, user name, and password for the Microsoft Active Directory account.
Click Save all.
In the Windows® Services, restart all of the BlackBerry® Enterprise Server Express services.
Instruct all administrators and device users to add the web addresses for the BlackBerry Administration Service
and BlackBerry® Web Desktop Manager to the list of web sites in the local intranet zone and install the certificate
for the BlackBerry Administration Service or BlackBerry Web Desktop Manager in the certificate store of their
computers.
BlackBerry Administration Service web addresses and BlackBerry Web
Desktop Manager web addresses that support BlackBerry Administration
Service single sign-on
If you configure BlackBerry® Administration Service single sign-on, you must instruct administrators and BlackBerry®
Web Desktop Manager users to access the BlackBerry Administration Service console and BlackBerry Web Desktop
Manager using the following web addresses:
• https://<BAS_pool_FQDN>/webconsole/login
• https://<BAS_pool_FQDN>/webdesktop/login
Single-sign authentication takes precedence over other authentication methods that permit administrators and users
to log in to the BlackBerry Administration Service console or BlackBerry Web Desktop Manager. If the security policies
in your organization require that administrators or users use another authentication method, you must instruct
administrators or users to access the BlackBerry Administration Service console or BlackBerry Web Desktop Manager
using the following web addresses:
• https://<BAS_pool_FQDN>/webconsole/app
• https://<BAS_pool_FQDN>/webdesktop/app
182
Administration Guide
Changing password settings for BlackBerry Administration Service authentication
Changing password settings for BlackBerry Administration
Service authentication
If you use BlackBerry® Administration Service authentication in your organization's environment, you can change
the minimum password length and the date when passwords expire to meet the requirements of your organization's
security policies. By default, the minimum password length is four characters and a password expires after 365 days.
If you change the minimum password length, administrators that use passwords that do not meet the new minimum
length are not required to change the passwords until the passwords expire.
Change password settings for BlackBerry Administration Service
authentication
1.
2.
3.
4.
5.
In the BlackBerry® Administration Service, on the Servers and components menu, click BlackBerry solution
topology > BlackBerry Domain > Component view.
Click BlackBerry Administration Service.
Click Edit component.
In the Security settings section, change the minimum password length and the date when the password expires.
Click Save all.
Regenerate the system credentials for the BlackBerry
Administration Service
The setup application generates the system credentials for the BlackBerry® Administration Service during the
installation process. The BlackBerry Administration Service uses the system credentials when it communicates with
other BlackBerry® Enterprise Server Express components. If you suspect that the system credentials are
compromised, you can regenerate them on the database server.
Before you begin: Verify that you have database owner permissions for the BlackBerry Configuration Database.
1.
2.
3.
4.
On all of the computers that host BlackBerry Administration Service instances, in the Windows® Services, stop
the BlackBerry Administration Service services.
On the database server, on the BlackBerry Configuration Database, run the following SQL statement: DELETE
from BASTraits WHERE PlugInId=8 AND TraitId=0.
On a computer that hosts a BlackBerry Administration Service instance, in the Windows Services, start the
BlackBerry Administration Service services.
On the computers that host the remaining BlackBerry Administration Service instances, in the Windows Services,
start the BlackBerry Administration Service services.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
183
Administration Guide
Protecting and redistributing devices
Protecting and redistributing devices
19
Preparing a device for redistribution to a new user
You can prepare a BlackBerry® device for redistribution to a new BlackBerry device user by performing one of the
following actions:
•
•
•
use the security options on the device to permanently delete all user data
connect the device to the BlackBerry Administration Service and delete all user data from the device permanently
connect the device to the BlackBerry Administration Service and delete all user data permanently and remove
the BlackBerry® Device Software
For more information about using the security options on the device to permanently delete all user data, see the
user guide for the device.
After the new user receives the device, you must activate it.
Related topics
Assigning BlackBerry devices to user accounts, 65
Use the BlackBerry Administration Service to delete user data and assign
the device to a new user
1.
2.
3.
4.
5.
6.
7.
8.
9.
Connect the BlackBerry® device to the computer that you used to log in to the BlackBerry Administration Service.
If you receive a prompt, type the device password.
In the BlackBerry Administration Service, on the Devices menu, click Attached devices > Manage current device.
Click Remove user data from current device.
Click Yes – Remove user data.
Click Assign current device.
Search for the new user account that you want to assign the device to.
Select the user name.
Click Associate user.
After you assign the user account to the device, the activation process begins automatically.
10. On the Devices menu, click Attached devices > Device software.
11. Install the applications that the user requires on the device.
Use the BlackBerry Administration Service to delete user data and remove
the BlackBerry Device Software before assigning the device to a new user
If you perform this task, you are deleting user data permanently and removing the BlackBerry® Device Software and
BlackBerry device operating system.
1.
184
Connect the BlackBerry device to the computer that you used to log in to the BlackBerry Administration Service.
Deleting only work data from a device
Administration Guide
2.
3.
4.
5.
6.
7.
If you receive a prompt, type the device password.
In the BlackBerry Administration Service, on the Devices menu, click Attached devices > Manage current device.
Click Delete all device data and disable device.
Click Yes – Delete all device data and disable device.
Reinstall the BlackBerry Device Software using the application loader tool in the BlackBerry Administration
Service, BlackBerry® Desktop Manager, or BlackBerry® Web Desktop Manager.
Activate the device.
After you finish: For more information about installing the BlackBerry Device Software, see the BlackBerry Device
Software Update Guide.
Related topics
Assigning BlackBerry devices to user accounts, 65
Deleting only work data from a device
To help secure your organization's data on a personal BlackBerry® device, you can permit your organization to delete
work data from a device when a user no longer works at your organization. You can use the BlackBerry Administration
Service to require that a personal device remove only work data when the device receives the Delete only the
organization data and remove device IT administrative command over the wireless network. All personal data remains
on the device. A BlackBerry device user cannot use the device or make emergency calls while the device deletes the
work data.
The device permanently deletes the following work data:
Item
email messages
attachments
calendar entries
contacts
memos
tasks
call history
call logs
Description
•
email messages that are sent to the user's work email account and the
email messages that the user sends from the work email account
• draft email messages that the user creates using their work email
account
attachments that are sent to the user's work email account and the
attachments that the user sends from the work email account
calendar entries that the user creates using their work calendar
contacts that the BlackBerry® Enterprise Server Express synchronizes with
the user's work email account
all memos
all tasks
although the device defines phone data for personal use, the call history
entries are deleted when you delete work data
although the device classifies phone data as personal data, the call log files
are deleted when you delete work data
185
Deleting only work data from a device
Administration Guide
Item
the BlackBerry® Browser cache
files
IT policy
PIN encryption key
device transport key
work service books
Description
although the device specifies the BlackBerry Browser for personal use, the
BlackBerry Browser cache is deleted when you delete work data
• files that the user accesses and downloads from your organization's
network using the Files application
• files on media cards that are created by applications that can access
work data (except for media applications)
• work data is not deleted from the media card if the media card is not
available when the device deletes work data, however the user cannot
access work data on the media card after the device removes work
data
IT policy that is associated with your organization
references to your organization's PIN encryption key
references to the device transport key which prevents the device from
communicating with the BlackBerry Enterprise Server Express
service books on the device that the device classifies for work use
Delete only work data from a device
Before you begin: If you want to remove your organization's applications from the BlackBerry® device, create a
software configuration that includes the applications and set the disposition of all work applications to Disallowed
in the software configuration. Assign the software configuration to the user account to send it to the device. For
more information, see the BlackBerry Enterprise Server Express Administration Guide.
1.
2.
3.
4.
5.
6.
186
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
In the search results, click the PIN for the user account.
In the Device activation list, click Delete only the organization data and remove device.
Optionally, in the Removing users and devices section, in the Actions drop-down list, perform one of the
following actions:
• To delete a user account from the BlackBerry® Enterprise Server Express but retain the BlackBerry Enterprise
Server Express information in the user's mailbox, click Delete the user.
• In a Microsoft® Exchange environment, to delete a user account from the BlackBerry Enterprise Server Express
and remove the BlackBerry Enterprise Server Express information from the user's mailbox, click Delete the
user and remove BlackBerry information from the user's messaging system.
• In an IBM® Lotus® Domino® environment, to delete a user account from the BlackBerry Enterprise Server
Express and remove the BlackBerry Enterprise Server Express information from the user's mailbox, click
Delete the user and remove the profile document and the state database.
• To disable a user account from the BlackBerry Enterprise Server Express but retain the BlackBerry Enterprise
Server Express information in the user's mailbox, click Disable as BlackBerry user.
Administration Guide
Using IT administration commands to protect a lost or stolen device
• In a Microsoft Exchange environment, to disable a user account from the BlackBerry Enterprise Server Express
and remove the BlackBerry Enterprise Server Express information from the user's mailbox, click Disable the
user and remove BlackBerry information from the user's messaging system.
• In a Lotus Domino environment, to disable a user account from the BlackBerry Enterprise Server Express and
remove the BlackBerry Enterprise Server Express information from the user's mailbox, click Disable the user
and remove the profile document and the state database.
7.
Click Yes - Delete only the organization data and remove device.
Using IT administration commands to protect a lost or
stolen device
The BlackBerry® Enterprise Server Express includes IT administration commands that you can send over the wireless
network to protect sensitive data on a BlackBerry device. You can use the commands to lock the device, permanently
delete work data, permanently delete user information and application data, and return the device settings to the
default values.
IT administration command
Specify new device password and
lock device
Delete only the organization data
and remove device
Description
This command creates a new password and locks a device over the wireless
network. You can communicate the new password to the user verbally when
the BlackBerry device user locates the device. When the user unlocks the
device, the device prompts the user to accept or reject the new password.
You can use this command if the device is lost. If you or a user turned on
content protection and a device is running BlackBerry® Device Software
4.3.0 or later, you can use this command. If you or a user turned on twofactor content protection, you cannot use this command.
This command permanently deletes all work data that the device stores and
removes the device from the BlackBerry Enterprise Server Express. All
personal data remains on the device.
You can send this command to a personal device when a user no longer
works at your organization and you want to delete work data from the
device.
Delete all device data and remove
device
You can also specify whether you want to delete or disable a user account
from the BlackBerry Enterprise Server Express after the device deletes all
work data.
This command permanently deletes all user information and application
data that the device stores. You can configure the following options when
you use this command:
• specify a delay, in hours, that must occur before the device starts to
delete all the user information and application data
187
Using IT administration commands to protect a lost or stolen device
Administration Guide
IT administration command
Description
•
•
require the device to return to its factory default settings when it
receives this command
specify whether to permit the user to stop permanently deleting data
from the device and making the device unavailable during the delay
period
You can send this command to a device that you want to distribute to
another user in your organization, or to a device that is lost and that the
user might not recover.
You can also specify whether you want to delete or disable a user account
from the BlackBerry Enterprise Server Express after the device deletes all
user information and application data.
Protect a stolen device
1.
2.
3.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
4.
5.
6.
7.
In the search results, click the PIN for the user account.
In the Device activation list, click Delete all device data and remove device.
Click Yes - Delete all device data and remove device.
Optionally, in the Removing users and devices section, in the Actions drop-down list, perform one of the
following actions:
• To delete a user account from the BlackBerry® Enterprise Server Express but retain the BlackBerry Enterprise
Server Express information in the user's mailbox, click Delete the user.
• To delete a user account from the BlackBerry Enterprise Server Express and remove the BlackBerry Enterprise
Server Express information from the user's mailbox, click Delete the user and remove the profile document
and the state database.
• To disable a user account from the BlackBerry Enterprise Server Express but retain the BlackBerry Enterprise
Server Express information in the user's mailbox, click Disable as BlackBerry user.
• To disable a user account from the BlackBerry Enterprise Server Express and remove the BlackBerry Enterprise
Server Express information from the user's mailbox, click Disable the user and remove the profile document
and the state database.
After you finish:
• Verify that the BlackBerry device received the command.
• Contact your organization's wireless service provider to turn off the service for a device after you send the IT
administration command that deletes all of the device data and deactivates the device.
188
Administration Guide
Using IT administration commands to protect a lost or stolen device
Protect a lost device
If a user misplaces a BlackBerry® device or if a device is stolen, you can protect the data on the device by locking the
device or making it unavailable.
1.
2.
3.
4.
5.
6.
7.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
In the search results, click the PIN for the user account.
In the Device activation section, click Specify new device password and lock device.
Type and confirm an activation password. For devices that are running BlackBerry® Device Software version 4.1
and earlier, the password must not contain special characters. Some devices do not support special characters
and do not unlock when a user types a password that contains special characters.
Click Specify new device password and lock device.
Protect a lost device that a user might not recover
If a BlackBerry® device is lost but the device user might recover it, you can protect the information on the device by
scheduling it to start deleting all user information and application data and to become unavailable after a period of
time that you specify. You can also specify whether the user can cancel the scheduled command if the user recovers
the device.
1.
2.
3.
4.
5.
6.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
In the search results, click the PIN for the user account.
In the Device activation section, click Delete all device data and remove device.
In the Erase Data Settings section, perform the following actions:
• In the Erase Data Delay (hours) field, type the number of hours that must elapse before the BlackBerry device
starts deleting user information and application data.
• In the Allow User Override drop-down list, click Yes to permit the user to cancel the scheduled command on
the BlackBerry device if the user recovers it.
7.
Optionally, in the Removing users and devices section, in the Actions drop-down list, perform one of the
following actions:
• To delete a user account from the BlackBerry® Enterprise Server Express but retain the BlackBerry Enterprise
Server Express information in the user's mailbox, click Delete the user.
• To delete a user account from the BlackBerry Enterprise Server Express and remove the BlackBerry Enterprise
Server Express information from the user's mailbox, click Delete the user and remove the profile document
and the state database.
• To disable a user account from the BlackBerry Enterprise Server Express but retain the BlackBerry Enterprise
Server Express information in the user's mailbox, click Disable as BlackBerry user.
189
Administration Guide
Using IT administration commands to protect a lost or stolen device
• To disable a user account from the BlackBerry Enterprise Server Express and remove the BlackBerry Enterprise
Server Express information from the user's mailbox, click Disable the user and remove the profile document
and the state database.
8.
190
Click Yes - Delete all device data and remove device.
Administration Guide
Managing administrator accounts
Managing administrator accounts
20
Change the roles for an administrator account
To reflect the changes to an administrator's responsibilities in your organization, you can add or remove one or more
administrative roles for the administrator account.
1.
2.
3.
4.
5.
6.
7.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for an administrator account.
In the search results, click the display name for the administrator account.
Click Edit user.
On the Roles tab, in the Current roles list, add or remove the appropriate roles.
Click Save all.
Delete a role
You can delete a role when you no longer require it in your organization's environment.
Before you begin: Verify that the role is not assigned to any administrator accounts or groups.
1.
2.
3.
4.
5.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Role.
Click Manage roles.
In the list of existing roles, click the name of the role that you want to delete.
Click Delete role.
Click Yes - Delete the role.
Delete an administrator account
You can delete an administrator account when you no longer require it in your organization's environment.
Before you begin: If the administrator is also a BlackBerry® device user, remove the BlackBerry device from the
administrator account.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Administrator
User.
Click Manage users.
Search for an administrator account.
In the search results, click the display name for the administrator account.
In the Status list, click Delete user.
191
Administration Guide
6.
192
Click Yes - Delete the user.
Delete an administrator account
Managing groups and user accounts
Administration Guide
Managing groups and user accounts
21
Managing groups
You can reduce the time that you spend managing user accounts by creating groups of similar user accounts and
assigning shared properties, such as software configurations or IT policies, to the group. Properties that you assign
to a group are assigned to all user accounts in the group.
You can assign properties to user accounts and administrator accounts at the individual level, group level, or domain
level. The BlackBerry® Administration Service applies properties to user accounts and administrator accounts using
the following hierarchy:
• The properties at the individual level override the properties at the group level.
• The properties at the group level override the properties at the domain level.
After you add a user account or administrator account to a group, you can override the properties that you configured
for the account at the group level or domain level by changing the properties at the user account level.
If you remove a user account or administrator account from a group, the account name remains in the global users
list but it does not appear in the group list.
You can either create user-specific groups and assign roles to those groups or use the default user groups that contain
pre-existing roles.
If you are managing a large number of groups (over 3000) using the BlackBerry Administration Service in a single
domain, your organization's environment might experience a performance impact.
Using default groups to manage user accounts and administrator accounts
The BlackBerry® Enterprise Server Express installation includes default groups that have preconfigured administrative
roles. You can use the default groups in your organization's environment instead of creating specific administrative
groups. Each default group consists of a set of preconfigured rules which specify the information that administrators
can view and the tasks that they can perform using the BlackBerry Administration Service.
The default groups ensure users without administrative privileges cannot escalate their permissions, for example,
junior administrators cannot escalate their roles to senior administrator roles.
Default group
Administrators
Help desk representatives
Description of the default group
This is a preconfigured group for BlackBerry Administration Service
administrators. This groups has the permissions assigned to the Security
role.
Administrators in this group are responsible for ensuring all Junior Helpdesk
administrators are added to the Junior Helpdesk group.
This is a preconfigured group for help desk administrators. This group has
the permissions assigned to the Junior Helpdesk role.
193
Managing groups
Administration Guide
Default group
Description of the default group
Junior Helpdesk administrators in this group can perform basic
administrative tasks such as adding users to groups and assigning BlackBerry
devices to BlackBerry device users. The Junior Helpdesk role can only add
users to the Web Desktop Users group and the Junior Helpdesk group.
BlackBerry® Web Desktop Manager This is a preconfigured group for BlackBerry Web Desktop Manager users.
users
BlackBerry Web Desktop Manager users in this group do not have any
BlackBerry Administration Service administrative permissions.
Users in this group can perform basic administrative tasks on their own user
account using the BlackBerry Web Desktop Manager such as setting an
activation password or locking their BlackBerry device.
Remove a user account from a group
1.
2.
3.
4.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Group.
Click Manage groups.
Click the group name.
In the Manage users in group membership list, click Remove users from group membership.
5.
6.
7.
Search for a user account.
Select the check box beside the display name for the user accounts that you want to remove.
Click Remove from group membership.
Change the properties of a group
After you create a group, specify the properties that you want to apply to all user and administrator accounts in the
group. You can copy the properties from one group to another. When you add user accounts or administrator
accounts to a group, the group properties apply to the new accounts automatically.
1.
2.
3.
4.
5.
6.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Group.
Click Manage groups.
Click the group name.
Click Edit group.
Switch between the appropriate tabs and make the appropriate changes.
Click Save all.
Rename a group
1.
2.
3.
194
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Group.
Click Manage groups.
Click the group name.
Administration Guide
4.
5.
6.
Managing user accounts
Click Edit group.
In the Group information section, in the Name field, type a new name for the group.
Click Save all.
Delete a group
1.
2.
3.
4.
5.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Group.
Click Manage groups.
Click the group name.
Click Delete group.
Click Yes - Delete the group.
Managing user accounts
When you delete a user account, you can retain the user account information in the BlackBerry Enterprise Server
Express. You can activate the user account again, or the user can continue to use the BlackBerry device as a
BlackBerry® Desktop Redirector. When you activate a user account that you retained, the user account will have the
same settings it had before you deleted it.
Move a user account to a different group
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
In the search results, click the display name for the user account.
Click Edit user.
On the Groups tab, in the Current groups list, click the group that you want to to remove the user from.
Click Remove.
In the Available groups list, click the group that you want to move the user account to.
Click Add.
Click Save all.
Move a user account from one BlackBerry Enterprise Server Express to
another
Before you begin:
• Verify that the BlackBerry® Enterprise Server Express that you are moving a user account from can access the
IBM® Lotus® Domino® server document of the destination BlackBerry Enterprise Server Express.
195
Administration Guide
Managing user accounts
•
Verify that the BlackBerry Enterprise Server Express that you are moving the user account from is part of the
LocalDomainServer group and that you replicated the Lotus Domino directory to the messaging servers in your
organization's environment.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for one or more user accounts.
In the search results, select one or more user accounts.
In the BlackBerry Enterprise Server status list, click Switch BlackBerry user to different BlackBerry Enterprise
Server.
In the Available BlackBerry Enterprise Server instances list, click the BlackBerry Enterprise Server Express that
you want to move the user accounts to.
Click Next.
A message appears indicating that some of the user accounts might have pending deployment tasks. Perform
one of the following actions:
• If you want to cancel any pending deployment tasks and move all of the user accounts, click Yes - Switch the
users and fail the tasks.
• If you do not want to move the user accounts that have pending deployment tasks, click No - Switch only
the users that have no existing deployment tasks.
6.
7.
8.
Delete a user account from the BlackBerry Enterprise Server Express
1.
2.
3.
4.
5.
6.
7.
8.
9.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
In the search results, click the display name for the user account.
In the BlackBerry Enterprise Server status list, click Disable as BlackBerry user.
Click Back to search.
In the Search for users > User criteria section, type the display name for the user account.
Click the display name for the user account.
In the Status list, click Delete user.
Add an administrator role to a user account
1.
2.
3.
4.
5.
196
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
In the search results, click the display name for the user account.
Click Edit user.
Administration Guide
6.
7.
8.
Managing user accounts
On the Roles tab, in the Available roles list, click the role that you want to assign to the user account.
Click Add.
Click Save all.
Update the contact list manually
You can update the contact list in the BlackBerry® Configuration Database so that you can include any organizational
changes or updates in the contact list. The amount of time that the BlackBerry Mail Store Service requires to update
the contact list depends on the contact list size.
1.
2.
3.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry solution
topology > BlackBerry Domain > Component view.
Click Email.
Click Refresh available user list from company directory.
Resend service books to a BlackBerry device
1.
2.
3.
4.
5.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
In the search results, click the BlackBerry device PIN.
In the Communications list, click Resend service books to a device.
197
Administration Guide
Managing the delivery of BlackBerry Java Applications, BlackBerry Device Software, and device
settings to BlackBerry devices
Managing the delivery of BlackBerry Java
Applications, BlackBerry Device Software, and
device settings to BlackBerry devices
22
Managing the default distribution settings for jobs
When you create a software configuration and assign it to user accounts, change a software configuration that you
assigned to user accounts, or assign or change an IT policy, the BlackBerry® Administration Service creates jobs to
deliver the resulting objects or settings to BlackBerry devices. You can change the default settings that control how
the BlackBerry Administration Service creates jobs and delivers job tasks to BlackBerry devices. You can also change
the default settings that the BlackBerry Administration Service uses to deliver IT policies, BlackBerry Java®
Applications, BlackBerry® Device Software, and standard application settings to BlackBerry devices.
Change default settings for a job schedule
When you create a software configuration and assign it to user accounts, when you change a software configuration
that you assigned to user accounts, or assign or change an IT policy, the BlackBerry® Administration Service creates
jobs to deliver the resulting objects or settings to BlackBerry devices. A job consists of multiple tasks. Each task
delivers a specific object or setting to a BlackBerry device, for example, upgrading BlackBerry® Device Software,
installing or removing a BlackBerry Java® Application, or sending updated IT policy settings or application settings.
You can change the default settings for a job to control how the BlackBerry Administration Service processes jobs.
If you change the default settings for a job, your organization's environment might experience a performance impact.
1.
2.
3.
4.
5.
6.
7.
198
In the BlackBerry Administration Service, on the Devices menu, expand Deployment jobs.
Click Specify job schedule settings.
Click Edit job schedule settings.
In the Default delay for each job section, in the Default delay field, type the number of minutes that the
BlackBerry Administration Service waits before it creates and processes a job.
The default value is 15 minutes.
In the General section, in the Mark job as failed field, type the number of days that the BlackBerry Administration
Service waits before it defines a job that was not delivered to BlackBerry devices as failed.
The default value is 30 days.
In the Purge jobs field, type the number of days that the BlackBerry Administration Service waits before it deletes
a failed job or a completed job.
The default value is 7 days.
Click Save all.
Managing the default distribution settings for jobs
Administration Guide
Change how IT policies are sent to BlackBerry devices
You can change the settings that the BlackBerry® Administration Service uses to send all IT policy settings and updates
to BlackBerry devices. If you change the default settings for IT policy distribution, your organization's environment
might experience a performance impact.
1.
2.
3.
4.
In the BlackBerry Administration Service, on the Devices menu, expand Deployment jobs.
Click Specify IT policy distribution settings.
Click Edit distribution settings.
Perform any of the following tasks:
Task
Steps
Change the default recurrence day a. Click the Edit icon for the default recurrence day.
for sending IT policy updates.
b. In the Scheduled deployment day(s) drop-down list, click the
appropriate recurrence option. If necessary, select the recurrence
days.
Add a new recurrence day for
sending IT policy updates.
5.
6.
7.
c.
In the Start time drop-down list, click the appropriate option. If
necessary, set the start time and end time.
d.
Click the Update icon.
By default, the recurrence day is Every day and the start time is All day.
If you want to add more than one recurrence day for sending IT policy
updates, the schedules for the separate recurrence days cannot overlap.
a.
In the Scheduled deployment day(s) drop-down list, click the
appropriate recurrence option. If necessary, select the recurrence
days.
b.
In the Start time drop-down list, click the appropriate option. If
necessary, set the start time and end time.
c.
Click the Add icon.
On the System throttling tab, in the Maximum number of simultaneous tasks per BlackBerry Administration
Service instance field, type the maximum number of tasks that you want the BlackBerry® Enterprise Server
Express to process at the same time.
The default value is 1000.
On the Job throttling tab, to turn on throttling for all IT policy tasks in jobs, select Enabled to reduce load on
system.
If necessary, in the Default throttling for all IT policy tasks in each job in a time window section, in the Maximum
number of simultaneous tasks per BlackBerry Administration Service instance field, type the maximum number
of IT policy tasks that you want the BlackBerry Enterprise Server Express to process at the same time.
The default value is 25.
199
Managing the default distribution settings for jobs
Administration Guide
8.
9.
If necessary, in the Total number of tasks per time window per BlackBerry Administration Service instance
field, type the total number of IT policy tasks that you want the BlackBerry Enterprise Server Express to process
during each processing interval.
The default value is 150.
Click Save all.
Change how to install, update, or remove BlackBerry Java Applications
You can change the settings that the BlackBerry® Administration Service uses to install and update BlackBerry® Java®
Applications on BlackBerry devices, and remove BlackBerry Java Applications on BlackBerry devices. If you change
the default application distribution settings, your organization's environment might experience a performance
impact.
1.
2.
3.
4.
In the BlackBerry Administration Service, on the Devices menu, expand Deployment jobs.
Click Specify application distribution settings.
Click Edit distribution settings.
Perform any of the following tasks:
Task
Steps
Change the default recurrence day a. Click the Edit icon for the default recurrence day.
for installing, upgrading, or
b. In the Scheduled deployment day(s) drop-down list, click the
removing BlackBerry Java
appropriate recurrence option. If necessary, select the recurrence
Applications.
days.
Add a new recurrence day for
installing, upgrading, or removing
BlackBerry Java Applications.
5.
200
c.
In the Start time drop-down list, click the appropriate option. If
necessary, change the start time and end time.
d.
Click the Update icon.
By default, the recurrence day is Every day and the start time is All day.
If you want to add more than one recurrence day, the schedules for the
separate recurrence days cannot overlap.
a.
In the Scheduled deployment day(s) drop-down list, click the
appropriate recurrence option. If necessary, select the recurrence
days.
b.
In the Start time drop-down list, click the appropriate option. If
necessary, change the start time and end time.
c.
Click the Add icon.
On the System throttling tab, in the Maximum number of simultaneous tasks per BlackBerry Administration
Service instance field, type the maximum number of tasks that you want the BlackBerry® Enterprise Server
Express to process at the same time.
The default value is 1000.
Managing the default distribution settings for jobs
Administration Guide
6.
7.
8.
9.
On the Job throttling tab, to turn on throttling for all application tasks in jobs, select Enabled to reduce load on
system.
If necessary, in the Default throttling for all application tasks in each job in a time window section, in the
Maximum number of simultaneous tasks per BlackBerry Administration Service instance field, type the
maximum number of application tasks that you want the BlackBerry Enterprise Server Express to process
simultaneously.
The default value is 25.
If necessary, in the Total number of tasks per time window per BlackBerry Administration Service instance
field, type the total number of application tasks that you want the BlackBerry Enterprise Server Express to process
during each processing interval.
The default value is 150.
Click Save all.
Change how to install or update the BlackBerry Device Software
You can change the settings that the BlackBerry® Administration Service uses to install or upgrade the BlackBerry®
Device Software on BlackBerry devices. If you change the default distribution settings for the BlackBerry Device
Software, your organization's environment might experience a performance impact.
1.
2.
3.
4.
In the BlackBerry Administration Service, on the Devices menu, expand Deployment jobs.
Click Specify BlackBerry Device Software distribution settings.
Click Edit distribution settings.
Perform any of the following tasks:
Task
Change the recurrence day for
installing, updating, or removing
the BlackBerry Device Software.
Add a recurrence day for installing,
updating, or removing the
BlackBerry Device Software.
Steps
a.
Click the Edit icon for the recurrence day.
b.
In the Scheduled deployment day(s) drop-down list, click the
appropriate recurrence option. If necessary, select the recurrence
days.
c.
In the Start time drop-down list, click the appropriate option. If
necessary, change the start time and end time.
d.
Click the Update icon.
By default, the recurrence day is Every day and the start time is All day.
To add more than one recurrence day, the schedules for the separate
recurrence days cannot overlap.
a.
In the Scheduled deployment day(s) drop-down list, click the
appropriate recurrence option. If necessary, select the recurrence
days.
201
Managing the default distribution settings for jobs
Administration Guide
Task
Steps
b.
In the Start time drop-down list, click the appropriate option. If
necessary, change the start time and end time.
c.
Click the Add icon.
5.
On the System throttling tab, in the Maximum number of simultaneous tasks per BlackBerry Administration
Service instance field, type the maximum number of BlackBerry Device Software tasks that you want the
BlackBerry Enterprise Server Express to process at the same time.
The default value is 1000.
6.
On the Job throttling tab, to turn on throttling for all BlackBerry Device Software tasks in jobs, select Enabled
to reduce load on system.
If necessary, in the Default throttling for all BlackBerry Device Software tasks in each job in a time window
section, in the Maximum number of simultaneous tasks per BlackBerry Administration Service instance field,
type the maximum number of BlackBerry Device Software tasks that you want the BlackBerry Enterprise Server
Express to process at the same time.
The default value is 25.
If necessary, in the Total number of tasks per time window per BlackBerry Administration Service instance
field, type the total number of BlackBerry Device Software tasks that you want the BlackBerry Enterprise Server
Express to process during each processing interval.
The default value is 150.
Click Save all.
7.
8.
9.
Change how the BlackBerry Enterprise Server Express sends standard
application settings to BlackBerry devices
BlackBerry® Device Software configurations include standard application settings that you can use to control
calendar, email, and contact list settings on BlackBerry devices. You can change how the BlackBerry® Enterprise
Server Express sends the settings to and updates the settings on BlackBerry devices. If you change the default
distribution settings for the standard application settings, your organization's environment might experience a
performance impact.
1.
2.
3.
4.
In the BlackBerry Administration Service, on the Devices menu, expand Deployment jobs.
Click Specify BlackBerry Device Software application distribution settings.
Click Edit distribution settings.
Perform any of the following tasks:
Task
Change the recurrence day for
sending or updating standard
application settings.
202
Steps
a.
Click the Edit icon for the default recurrence day.
b.
In the Scheduled deployment day(s) drop-down list, click the
appropriate recurrence option. If necessary, click the recurrence
days.
Managing the distribution settings for a specific job
Administration Guide
Task
Add a recurrence day for sending
or updating standard application
settings.
Steps
c.
In the Start time drop-down list, click the appropriate recurrence
option. If necessary, change the start time and end time.
d.
Click the Update icon.
By default, the recurrence day is Every day and the start time is All day.
To add more than one recurrence day, the schedules for the separate
recurrence days cannot overlap.
a.
In the Scheduled deployment day(s) drop-down list, click the
appropriate recurrence option. If necessary, click the recurrence
days.
b.
In the Start time drop-down list, click the appropriate recurrence
option. If necessary, change the start time and end time.
c.
Click the Add icon.
5.
On the System throttling tab, in the Maximum number of simultaneous tasks per BlackBerry Administration
Service instance field, type the maximum number of tasks that you want the BlackBerry Enterprise Server Express
to process at the same time.
The default value is 1000.
6.
On the Job throttling tab, to turn on throttling for all tasks for standard application settings in jobs, click Enabled
to reduce load on system.
If necessary, in the Default throttling for all BlackBerry Device Software application settings tasks in each job
in a time window section, in the Maximum number of simultaneous tasks per BlackBerry Administration
Service instance field, type the maximum number of tasks for standard application settings that you want the
BlackBerry Enterprise Server Express to process at the same time.
The default value is 25.
If necessary, in the Total number of tasks per time window per BlackBerry Administration Service instance
field, type the total number of tasks for standard application settings that you want the BlackBerry Enterprise
Server Express to process during each processing interval.
The default value is 150.
Click Save all.
7.
8.
9.
Managing the distribution settings for a specific job
When you create a software configuration and assign it to user accounts, change a software configuration that you
assigned to user accounts, or assign or change an IT policy, the BlackBerry® Administration Service creates jobs to
deliver the resulting objects or settings to BlackBerry devices. Before the BlackBerry Administration Service delivers
a specific job, you can change the delivery schedule of the job, priority of the job, and how the job delivers IT policies,
BlackBerry Java® Applications, BlackBerry® Device Software, and standard application settings to BlackBerry devices.
If you do not change the schedule, priority, or distribution settings for a job, the job uses the default schedule and
distribution settings that you configure in the BlackBerry Administration Service.
203
Managing the distribution settings for a specific job
Administration Guide
Specify the start time and priority for a job
If a job has not started running, you can specify when you want the job to start. If you do not specify the start time
for a job, the job starts according to the distribution settings that you configured in the BlackBerry® Administration
Service. You can also change the priority of a job. By default, all jobs have a medium priority. If you change the priority
of a job to low, the BlackBerry® Enterprise Server Express processes it after the jobs with a medium or high priority.
The BlackBerry Enterprise Server Express processes jobs with a high priority before it processes jobs with a medium
or low priority.
1.
2.
3.
4.
5.
6.
7.
8.
In the BlackBerry Administration Service, on the Devices menu, expand Deployment jobs.
Click Manage deployment jobs.
Search for the job that you want to change.
In the search results, click the ID of the job that you want to change.
Click Edit job.
In the Priority drop-down list, click the appropriate priority for the job.
In the Job Schedule section, in the Effective Date field, select the start date for the job.
Click Save all.
Change how a job sends IT policies to BlackBerry devices
You can change how the BlackBerry® Administration Service sends IT policy settings and changes in a specific job to
BlackBerry devices. You can change a job's distribution settings for IT policies only if the job is not running. If you
changing the IT policy distribution settings for a job, your organization's environment might experience a performance
impact.
1.
2.
3.
4.
5.
6.
In the BlackBerry Administration Service, on the Devices menu, expand Deployment jobs.
Click Manage deployment jobs.
Search for the job that you want to change.
In the search results, click the ID of the job that you want to change.
Click Edit job.
On the IT Policy Distribution tab, perform any of the following tasks:
Task
Steps
Change the default recurrence day a. Click the Edit icon for the default recurrence day.
for sending IT policy changes.
b. In the Scheduled deployment day(s) drop-down list, click the
appropriate recurrence option. If necessary, select the recurrence
days.
204
c.
In the Start time drop-down list, click the appropriate option. If
necessary, change the start time and end time.
d.
Click the Update icon.
Managing the distribution settings for a specific job
Administration Guide
Task
Add a new recurrence day for
sending IT policy changes.
Steps
By default, the recurrence day is Every day and the start time is All day.
If you want to add more than one recurrence day for sending IT policy
changes, the schedules for the separate recurrence days cannot overlap.
a.
In the Scheduled deployment day(s) drop-down list, click the
appropriate recurrence option. If necessary, select the recurrence
days.
b.
In the Start time drop-down list, click the appropriate option. If
necessary, change the start time and end time.
c.
Click the Add icon.
7.
To turn on throttling for all IT policy tasks in the job, in the Default throttling enablement for all IT policy tasks
in each job in a time window section, select Enabled to reduce load on system.
8. If necessary, in the Default throttling for all IT policy tasks in each job in a time window section, in the Maximum
number of simultaneous tasks per BlackBerry Administration Service instance field, type the maximum number
of IT policy tasks in the job that you want the BlackBerry Enterprise Server Express to process at the same time.
The default value is 25.
9. If necessary, in the Total number of tasks per time window per BlackBerry Administration Service instance
field, type the total number of IT policy tasks in the job that you want the BlackBerry Enterprise Server Express
to process during each processing interval.
The default value is 150.
10. Click Save all.
Change how a job sends BlackBerry Java Applications to BlackBerry
devices
You can change how the BlackBerry® Administration Service installs, updates, or removes the BlackBerry® Java®
Applications in a specific job on BlackBerry devices. You can change a job's distribution settings for applications only
if the job is not running. If you change the default application distribution settings, your organization's environment
might experience a performance impact.
1.
2.
3.
4.
5.
6.
In the BlackBerry Administration Service, on the Devices menu, expand Deployment jobs.
Click Manage deployment jobs.
Search for the job that you want to change.
In the search results, click the ID of the job that you want to change.
Click Edit job.
On the Application Distribution tab, perform any of the following tasks:
205
Managing the distribution settings for a specific job
Administration Guide
Task
Steps
Change the default recurrence day a. Click the Edit icon for the default recurrence day.
for installing, upgrading, or
b. In the Scheduled deployment day(s) drop-down list, click the
removing BlackBerry Java
appropriate recurrence option. If necessary, select the recurrence
Applications.
days.
Add a new recurrence day for
installing, upgrading, or removing
BlackBerry Java Applications.
c.
In the Start time drop-down list, click the appropriate option. If
necessary, change the start time and end time.
d.
Click the Update icon.
By default, the recurrence day is Every day and the start time is All day.
If you want to add more than one recurrence day, the schedules for the
separate recurrence days cannot overlap.
a.
In the Scheduled deployment day(s) drop-down list, click the
appropriate recurrence option. If necessary, select the recurrence
days.
b.
In the Start time drop-down list, click the appropriate option. If
necessary, change the start time and end time.
c.
Click the Add icon.
7.
To turn on throttling for all application tasks in the job, on the Default throttling enablement for all application
tasks in each job in a time window section, select Enabled to reduce load on system.
8. If necessary, in the Default throttling for all application tasks in each job in a time window section, in the
Maximum number of simultaneous tasks per BlackBerry Administration Service instance field, type the
maximum number of application tasks in the job that you want the BlackBerry Enterprise Server Express to
process at the same time.
The default value is 25.
9. If necessary, in the Total number of tasks per time window per BlackBerry Administration Service instance
field, type the total number of application tasks in the job that you want the BlackBerry Enterprise Server Express
to process during each processing interval.
The default value is 150.
10. Click Save all.
Change how a job sends the BlackBerry Device Software to BlackBerry
devices
You can change how the BlackBerry® Administration Service installs or updates the BlackBerry® Device Software in
a specific job on BlackBerry devices. You can change the distribution settings for a job for the BlackBerry Device
Software only if the job is not running. If you change the default distribution settings for BlackBerry Device
Software, your organization's environment might experience a performance impact.
1.
206
In the BlackBerry Administration Service, on the Devices menu, expand Deployment jobs.
Managing the distribution settings for a specific job
Administration Guide
2.
3.
4.
5.
6.
Click Manage deployment jobs.
Search for a job.
In the search results, click the ID of the appropriate job.
Click Edit job.
On the BlackBerry Device Software Distribution tab, perform any of the following tasks:
Task
Change the recurrence day for
installing, updating, or removing
BlackBerry Device Software.
Add a new recurrence day for
installing, updating, or removing
BlackBerry Device Software.
Steps
a.
Click the Edit icon for the recurrence day.
b.
In the Scheduled deployment day(s) drop-down list, click the
appropriate recurrence option. If necessary, click the number of
recurrence days.
c.
In the Start time drop-down list, click the appropriate option. If
necessary, change the start time and end time.
d.
Click the Update icon.
By default, the recurrence day is Every day and the start time is All day.
To add more than one recurrence day, the schedules for the separate
recurrence days cannot overlap.
a.
In the Scheduled deployment day(s) drop-down list, click the
appropriate recurrence option. If necessary, click the recurrence
days.
b.
In the Start time drop-down list, click the appropriate recurrence
option. If necessary, change the start time and end time.
c.
Click the Add icon.
7.
To turn on throttling for all BlackBerry Device Software tasks in jobs, in the Default throttling enablement for
all BlackBerry Device Software tasks in each job in a time window section, click Enabled to reduce load on
system.
8. If necessary, in the Default throttling for all BlackBerry Device Software tasks in each job in a time window
section, in the Maximum number of simultaneous tasks per BlackBerry Administration Service instance field,
type the maximum number of BlackBerry Device Software tasks in the job that you want the BlackBerry®
Enterprise Server Express to process at the same time.
The default value is 25.
9. If necessary, in the Total number of tasks per time window per BlackBerry Administration Service instance
field, type the total number of BlackBerry Device Software tasks in the job that you want the BlackBerry
Enterprise Server Express to process during each processing interval.
The default value is 150.
10. Click Save all.
207
Managing the distribution settings for a specific job
Administration Guide
Change how a job sends standard application settings to BlackBerry
devices
BlackBerry® Device Software configurations include standard application settings that you can use to control
calendar, email, and contact list settings on BlackBerry devices. You can change how the BlackBerry Administration
Service sends settings and updates in jobs to BlackBerry devices. If you change the default distribution settings for
the standard application settings in BlackBerry Device Software configurations, your organization's environment
might experience a performance impact.
1.
2.
3.
4.
5.
6.
In the BlackBerry Administration Service, on the Devices menu, expand Deployment jobs.
Click Manage deployment jobs.
Search for a job.
In the search results, click the ID of the appropriate job.
Click Edit job.
On the BlackBerry Device Software Application Settings Distribution tab, perform any of the following tasks:
Task
Change the recurrence day for
sending or updating standard
application settings.
Add a recurrence day for sending
or updating standard application
settings.
7.
208
Steps
a.
Click the Edit icon for the recurrence day.
b.
In the Scheduled deployment day(s) drop-down list, click the
appropriate recurrence option. If necessary, select the number of
recurrence days.
c.
In the Start time drop-down list, click the appropriate recurrence
option. If necessary, change the start time and end time.
d.
Click the Update icon.
By default, the recurrence day is Every day and the start time is All day.
To add more than one recurrence day, the schedules for the separate
recurrence days cannot overlap.
a.
In the Scheduled deployment day(s) drop-down list, click the
appropriate recurrence option. If necessary, click the recurrence
days.
b.
In the Start time drop-down list, click the appropriate recurrence
option. If necessary, change the start time and end time.
c.
Click the Add icon.
To turn on throttling for all tasks for standard application settings in the job, in the Default throttling enablement
for all BlackBerry Device Software application tasks in each job in a time window section, click Enabled to
reduce load on system.
Administration Guide
Managing BlackBerry Java Applications on BlackBerry devices
8.
If necessary, in the Default throttling for all BlackBerry Device Software Application Settings tasks in each job
in a time window section, in the Maximum number of simultaneous tasks per BlackBerry Administration
Service instance field, type the maximum number of tasks for standard application settings in the job that you
want the BlackBerry® Enterprise Server Express to process at the same time.
The default value is 25.
9. If necessary, in the Total number of tasks per time window per BlackBerry Administration Service instance
field, type the total number of tasks for standard application settings in the job that you want the BlackBerry
Enterprise Server Express to process during each processing interval.
The default value is 150.
10. Click Save all.
Managing BlackBerry Java Applications on BlackBerry
devices
Make a BlackBerry Java Application unavailable for installation
You can delete a BlackBerry® Java® Application and all versions of the application from the application repository if
you do not want to make the BlackBerry Java Application available to add to software configurations. You cannot
delete a BlackBerry Java Application from the application repository if the BlackBerry Java Application is in a software
configuration.
1.
2.
3.
4.
5.
6.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Software >
Applications.
Click Manage applications.
Search for a BlackBerry Java Application.
In the search results, click the name of the application.
Click Delete application.
Click Yes - Delete the application and all application versions.
Remove a BlackBerry Java Application from BlackBerry devices over the
wireless network
You can remove a BlackBerry® Java® Application from BlackBerry devices over the wireless network.
1.
2.
3.
4.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Software.
Click Manage software configurations.
Click a software configuration.
Click Edit software configuration.
5.
6.
On the Applications tab, click the Delete icon for the application.
Perform one of the following actions:
209
Administration Guide
Managing software configurations
• If you configured the software configuration to permit unlisted applications on BlackBerry devices and you
want to permit users to install the application as an unlisted application, or if you configured the software
configuration to not permit unlisted applications on BlackBerry devices, click Save all.
• If you configured the software configuration to permit unlisted applications on BlackBerry devices, and you
do not want to permit users to install the application on their BlackBerry devices, perform steps 7 to 12.
7.
8.
9.
10.
11.
12.
Click Add applications to software configuration.
Search for the application that you want to remove.
In the search results, select the application.
In the Disposition drop-down list for the application, click Disallowed.
Click Add to software configuration.
Click Save all.
Managing software configurations
Remove a software configuration from a group
If you remove a software configuration from a group, the applications in the software configuration are removed
from the BlackBerry® devices that are associated with the user accounts that belong to the group.
1.
2.
3.
4.
5.
6.
7.
8.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
Click Manage groups.
Click a group.
Click Edit group.
On the Software configuration tab, in the Current software configurations list, click a software configuration.
Click Remove.
Repeat steps 5 and 6 for each software configuration you want to remove.
Click Save all.
Remove a software configuration from multiple user accounts
If you remove a software configuration from multiple user accounts, the applications in the software configuration
are removed from the BlackBerry® devices that are associated with the user accounts.
1.
2.
3.
4.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for one or more user accounts.
Select one or more user accounts.
5.
6.
In the Remove from user configuration list, click Remove software configuration.
In the Available software configurations list, click a software configuration.
210
Administration Guide
7.
8.
9.
Managing software configurations
Click Remove.
Repeat steps 6 and 7 for each software configuration that you want to remove from the user accounts.
Click Save.
Remove a software configuration from a user account
If you remove a software configuration from a user account, the applications in the software configuration are
removed from the BlackBerry® device associated with the user account.
1.
2.
3.
4.
5.
6.
7.
8.
9.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for one or more user accounts.
In the search results, click the display name for a user account.
Click Edit user.
On the Software configuration tab, in the Current software configurations list, click a software configuration.
Click Remove.
Repeat steps 6 and 7 for each software configuration that you want to remove.
Click Save all.
Delete a software configuration
You can delete a software configuration that is not assigned to a user account.
1.
2.
3.
4.
5.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Software.
Click Manage software configurations.
Click a software configuration.
Click Delete software configuration.
Click Yes - Delete the software configuration.
211
Administration Guide
Managing how users access enterprise applications and web content
Managing how users access enterprise
applications and web content
23
Restricting user access to content on web servers
You can prevent BlackBerry® device users from accessing specific web servers using the BlackBerry® Browser or
applications on BlackBerry devices. To specify the web servers that you want users to access, you can turn on pull
authorization to restrict access to all types of web content and create pull rules to specify a list of web servers that
you permit users to access. Alternatively, you can create pull rules that specify a list of restricted web servers.
When you create pull rules, you can specify whether users must authenticate using RSA® authentication, integrated
Windows® authentication, or both before the users can access the web servers.
Restrict requests for content on web servers from BlackBerry devices
Turn on pull authorization for a BlackBerry® MDS Connection Service to restrict the web addresses that users assigned
to that BlackBerry MDS Connection Service can request when the users connect to the Internet or to your
organization's intranet from their BlackBerry devices.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, in the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > MDS Connection Service.
Click the instance that you want to change.
Click Edit instance.
In the Access control section, in the Pull authorization drop-down list, click Yes.
Click Save all.
Users cannot access web content on their BlackBerry devices until you permit the users to access specific web servers
using pull rules.
After you finish: To permit users to access specific web servers, specify allowed web address patterns and assign the
web address patterns to a pull rule, and assign the pull rule to a user account or group.
Specify web address patterns
You can create pull rules that specify which web address patterns users can and cannot use to access web servers
from the BlackBerry® Browser and other applications on their BlackBerry devices. To create a pull rule, you must first
specify web address patterns (for example, specify addresses with domains that are allowed). You can assign the
web address patterns to a pull rule that you create, and specify whether access to web servers that match the web
address patterns is permitted or restricted on BlackBerry devices. After you create a pull rule, you must assign it to
user accounts or groups.
212
Administration Guide
Restricting user access to content on web servers
A web site that uses DNS load balancing returns a single IP address to the BlackBerry MDS Connection Service but
might use multiple IP addresses to provide access to the web site. As a result, the BlackBerry MDS Connection Service
might not be able to restrict BlackBerry devices from accessing the web site.
1.
2.
3.
4.
5.
6.
In the BlackBerry Administration Service, in the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
Click MDS Connection Service.
Click Edit component.
On the Pull URL patterns tab, in the appropriate protocol section, type the web address pattern of a web server
that you want to control access to. The web address patterns are based on Java® regular expressions (for
example, .*\..*domain.*).
Click the Add icon.
Click Save all.
After you finish: Create web address patterns for each web server that you want to permit users to access. Create
a pull rule that permits users to access the web servers that match the web address patterns.
Create a pull rule
1.
2.
3.
4.
5.
6.
7.
In the BlackBerry® Administration Service, in the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
Click MDS Connection Service.
Click Edit component.
On the Access control rules tab, in the Rule name field, type a name for the pull rule.
In the Control type drop-down list, click Pull.
Click the Add icon.
Click Save all.
After you finish: Restrict or permit web address patterns using a pull rule.
Restrict or permit web addresses and Intranet addresses using a pull rule
A web site that uses DNS load balancing returns a single IP address to the BlackBerry® MDS Connection Service but
might use multiple IP addresses to provide access to the web site. As a result, the BlackBerry MDS Connection Service
might not be able to restrict BlackBerry devices from accessing the web site.
Before you begin:
• Create a pull rule.
• If you want BlackBerry device users to use RSA® authentication to access web servers, configure the BlackBerry
MDS Connection Service to authenticate BlackBerry devices to the RSA® Authentication Manager.
• If you want users to use integrated Windows® authentication when they access the web servers, configure the
BlackBerry MDS Connection Service to authenticate devices to Microsoft® Active Directory®.
213
Administration Guide
1.
2.
3.
4.
5.
6.
7.
8.
Restricting user access to content on web servers
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
Click MDS Connection Service.
Click Edit component.
On the Access control rules tab, click the Edit icon for a pull rule.
In the URL pattern group drop-down list, click the protocol for the address that you want to assign to the pull
rule.
In the URL pattern drop-down list, click the address that you want to assign to the pull rule.
In the Allowed drop-down list, perform one of the following actions:
• To prevent users from accessing web servers that match the address, click Deny.
• To permit users to access web servers that match a specific address, click Allow.
If necessary, in the Authentication drop-down list, perform one of the following actions:
• To require that a user enter authentication credentials to access content on a web site, click Access control
rules only. The device user is not prompted to enter authentication credentials if they are not required by
the web site.
• To require that the BlackBerry MDS Connection Service authenticates a user using integrated Windows
authentication, click Integrated.
• To require that a user authenticates to the RSA Authentication Manager using RSA authentication, click RSA.
• To require that the BlackBerry MDS Connection Service authenticates the user using integrated Windows
authentication and that a user authenticates to the RSA Authentication Manager using RSA authentication,
click Integrated and RSA.
9. Click the Add icon.
10. Repeat steps 5 to 8 for each address that you want to assign to the pull rule.
11. Click Save all.
After you finish: Assign the pull rule to a group or user account.
Assign a pull rule to the members of a group
Before you begin: Create a pull rule. Assign web address patterns to the pull rule.
1.
2.
3.
4.
5.
6.
7.
In the BlackBerry® Administration Service, in the BlackBerry solution management menu, expand User.
Click Manage users.
Click View more criteria.
Search for a group.
Click Select all results in the entire set.
In the Add to user configuration list, click Add pull rule.
In the Available pull rules list, click a pull rule.
8.
9.
Click Add.
Click Save.
214
Administration Guide
Restricting user access to media content in the BlackBerry Browser
Assign a pull rule to user accounts
Before you begin: Create a pull rule. Assign web address patterns to the pull rule.
1.
2.
3.
4.
5.
6.
7.
8.
In the BlackBerry® Administration Service, in the BlackBerry solution management menu, expand User.
Click Manage users.
Search for one or more user accounts.
Select the appropriate user accounts.
In the Add to user configuration list, click Add pull rule.
In the Available pull rules list, click a pull rule.
Click Add.
Click Save.
Restricting user access to media content in the BlackBerry
Browser
You can use standard definitions for MIME media types so that you can restrict the media types that the BlackBerry®
MDS Connection Service can send to the BlackBerry® Browser and other applications on BlackBerry devices.
For more information about MIME media types, visit www.iana.org.
Prevent users from accessing specific media types
You can configure the BlackBerry® MDS Connection Service instances in your organization's environment to prevent
users from accessing every format of a media type (for example, video), or a specific format of a media type (for
example, .mp3), using the BlackBerry® Browser and other applications on a BlackBerry device.
1.
2.
3.
4.
5.
6.
7.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
Click MDS Connection Service.
Click Edit component.
In the Media content type field, type the media type and subtype using standard definitions for MIME media
types. Use the format <type>/<subtype>.
In the Disallow content drop-down list, click Yes.
Click the Add icon.
Click Save all.
215
Administration Guide
Restricting user access to media content in the BlackBerry Browser
Configure download limits for media content types
You can configure the BlackBerry® MDS Connection Service instances in your organization's environment to limit the
size of media content that BlackBerry device users can download to BlackBerry devices during each connection. Each
request for data that the device makes to the BlackBerry MDS Connection Service is a connection. If you do not
configure a limit for media content types, the default values apply.
Before you begin: For more information about MIME media types, visit www.iana.org/assignments/media-types.
1.
2.
3.
4.
5.
6.
7.
8.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
Click MDS Connection Service.
Click Edit component.
In the Media content type field, type the media type and subtype using standard definitions for MIME media
types. Use the format <type>/<subtype>. You can substitute an asterisk (*) to represent all types or subtypes
except for the types you have already configured. Some examples of entries for the Media content type field
include application/msword, application/pdf, video/mpeg, application/*, image/*, */*.
In the Maximum KB/Connection field, type the maximum size (in KB) of content that a user can download to
the device, during each connection to the BlackBerry MDS Connection Service.
In the Disallow content drop-down list, click No.
Click the Add icon.
Click Save all.
Related topics
Default download limits for media content types, 216
Default download limits for media content types
BlackBerry® device users can only download a specific amount of media content to BlackBerry® devices with each
connection. You can configure a limit in the BlackBerry Administration Service. If you do not configure a limit, the
default limit applies. The following table lists the default values.
There is no limit for the amount of media content that users can download using HTTP POST.
MIME type
application/msword
application/pdf
application/vnd.ms-excel
application/vnd.ms-powerpoint
application/vnd.oma.drm.message
application/vnd.oma.dm.message
multimedia types such as audio and video
216
Maximum number of bytes per connection (KB)
2048
2048
2048
2048
5120
5120
32,768
Administration Guide
Configuring Integrated Windows authentication so that users can access resources on your
organization's network
MIME type
other
Maximum number of bytes per connection (KB)
2048
Related topics
Configure download limits for media content types, 216
Configuring Integrated Windows authentication so that
users can access resources on your organization's network
To permit BlackBerry® device users to access resources on your organization's network using BlackBerry devices
without requiring the users to type a user name and password each time they access the network resources, you
can configure the BlackBerry MDS Connection Service to support Integrated Windows® authentication. Users can
then access network resources such as intranet sites and network shared folders on their devices using the
BlackBerry® Browser or Files application without typing a user name and password.
Before you configure the BlackBerry MDS Connection Service to support Integrated Windows authentication, you
must create a Microsoft® Active Directory® account in each Microsoft Active Directory domain that includes resources
that you want to turn on Integrated Windows authentication for. You must configure constrained delegation for the
Microsoft Active Directory accounts so that they delegate access to each intranet site or network shared folder in
the Microsoft Active Directory domain.
You must also configure two-way trust between the Microsoft Active Directory domain that the BlackBerry MDS
Connection Service is running on and other Microsoft Active Directory domains in other forests that the BlackBerry
MDS Connection Service must connect to. The S4U2proxy extension that the BlackBerry MDS Connection Service
uses to retrieve the Kerberos™ service tickets for users requires a two-way trust between Microsoft Active Directory
domains.
After you turn on Integrated Windows authentication and specify a Microsoft Active Directory account in the
BlackBerry Administration Service, you must specify web address patterns for the network resources that you want
to permit users to access, create a pull rule for the web address patterns, permit access to the web address patterns
using the pull rule, and assign the pull rule to users or a group.
After you configure the BlackBerry MDS Connection Service to support Integrated Windows authentication, the
BlackBerry MDS Connection Service uses the Microsoft Active Directory account to verify login information for a user
and access the network resources on behalf of the user. The BlackBerry Enterprise Server Express then sends
information from the network resources to the user's device.
Configuring the Microsoft Active Directory account to delegate access
Prerequisites: Configuring the Microsoft Active Directory account to delegate access
to an intranet site
•
Verify that you configured Integrated Windows® authentication for the application server that hosts the intranet
site.
217
Administration Guide
•
•
•
•
•
Configuring Integrated Windows authentication so that users can access resources on your
organization's network
Verify that the application server that hosts the intranet site and the web application that runs on the application
server support Kerberos™ authentication.
Verify that you have permission to update the Microsoft® Active Directory® account in Microsoft Active
Directory.
Verify that you have access to the Windows Server® setspn tool that is included with the Windows Server Support
Tools. For more information about the setspn tool, visit http://technet.microsoft.com to read Setspn Overview.
If you did not configure a Microsoft Active Directory account to delegate access to an intranet site or shared
folder, in Microsoft Active Directory, you must create a Microsoft Active Directory account that should have the
following conditions:
• a password that meets the security requirements of your organization
• the user is not required to change their password the next time that the user logs in
• the user's password never expires
If you configured a pool of application servers to host the intranet site, and the pool is running on Microsoft®
IIS and is located behind a load balancer, specify a user account (also known as the identity) for the pool that
hosts the intranet site. For more information, see http://technet.microsoft.com/en-us/library/cc771170(WS.
10).aspx.
Configure the Microsoft Active Directory account to delegate access to an intranet
site
You are required to have only one Microsoft® Active Directory® account in each Microsoft Active Directory domain
that includes the resources that you want to turn on Integrated Windows® authentication for.
For more information about configuring the Microsoft Active Directory account using setspn and Microsoft Active
Directory, visit www.blackberry.com/btsc to read article KB22726.
1.
2.
3.
4.
5.
218
If a pool of application servers host a intranet site and the pool is running on Microsoft® IIS and is located behind
a load-balancer, use setspn or ADSI to add the SPNs of the intranet site to the user account (also known as the
identity) of the pool. You must configure the SPNs using the FQDN and the name of the intranet site that users
type into their browsers (for example, if users type http://intranet_site in their browsers, the name of the
intranet site is intranet_site).
In Microsoft Active Directory, in the Microsoft Active Directory account properties, if the Delegation tab does
not display, update the default HOST SPN registrations for the Microsoft Active Directory account.
In the Microsoft Active Directory account properties, on the Delegation tab, configure the following settings:
• trust this user for delegation to specified services only
• use any authentication protocol
Click Add.
Perform one of the following tasks:
• If a pool of application servers hosts the intranet site and the pool is running on Microsoft IIS and is located
behind a load-balancer, select the user account that runs the application pools in the Microsoft IIS servers.
• If the intranet site is hosted by one application server, select the application server that hosts the intranet
site.
Administration Guide
6.
7.
Configuring Integrated Windows authentication so that users can access resources on your
organization's network
Select the HTTP service type for the user account or application server that you specified.
Repeat steps 1 to 6 for each intranet site that you want to turn on integrated Windows authentication for.
After you finish:
• If required, configure BlackBerry® MDS Connection Service to use a Microsoft Active Directory account when
the messaging server is in a remote Microsoft Active Directory domain.
• Turn on Integrated Windows authentication when users access resources on your organization's network.
Prerequisites: Configuring the Microsoft Active Directory account to delegate access
to a shared folder
•
•
•
•
Verify that you configured Integrated Windows® authentication for the file server that hosts the shared folders.
Verify that you have permission to update the Microsoft® Active Directory® account in Microsoft Active
Directory.
Verify that you have access to the Windows Server® setspn tool that is included with the Windows Server Support
Tools. For more information about the setspn tool, visit http://technet.microsoft.com to read Setspn Overview.
If you did not configure a Microsoft Active Directory account to delegate access to an intranet site or shared
folder, in Microsoft Active Directory, you must create a Microsoft Active Directory account that should have the
following conditions:
• the password meets the security requirements of your organization
• the user is not required to change their password the next time that the user logs in
• the user's password never expires
Configure the Microsoft Active Directory account to delegate access to a shared
folder
You are required to have only one Microsoft® Active Directory® account in each Microsoft Active Directory domain
that includes the resources that you want to turn on Integrated Windows® authentication for.
For more information about configuring the Microsoft Active Directory account using setspn and Microsoft Active
Directory, visit www.blackberry.com/btsc to read article KB22726.
1.
2.
In Microsoft Active Directory, in the Microsoft Active Directory account properties, if the Delegation tab does
not display, update the default HOST SPN registrations for the Microsoft Active Directory account.
In the Microsoft Active Directory account properties, on the Delegation tab, configure the following settings:
• trust this user for delegation to specified services only
• use any authentication protocol
3.
4.
5.
6.
Click Add.
Select the the file server that hosts the shared folder.
Select the CIFS service type for the file server that you specified.
Repeat steps 3 to 5 for each shared folder that you want to turn on Integrated Windows authentication for.
After you finish:
219
Administration Guide
•
•
Configuring Integrated Windows authentication so that users can access resources on your
organization's network
If required, configure BlackBerry® MDS Connection Service to use a Microsoft Active Directory account when
the messaging server is in a remote Microsoft Active Directory domain.
Turn on Integrated Windows authentication when users access resources on your organization's network.
Configuring the BlackBerry MDS Connection Service when the messaging
server is located in a remote Microsoft Active Directory domain
If the computer that hosts the BlackBerry® MDS Connection Service is not located in the same Microsoft® Active
Directory® domain as the global catalog server or messaging server and you want to configure support for Integrated
Windows® authentication, you must create a Microsoft Active Directory account that the BlackBerry MDS Connection
Service can use to connect to the global catalog server.
In a Microsoft® Exchange environment, you must create the Microsoft Active Directory account in the Microsoft
Active Directory domain that includes the messaging server.
In an IBM® Lotus® Domino® environment, if the messaging server is located in the same Microsoft Active Directory
domain as the global catalog server, you must create the Microsoft Active Directory account in that domain. If the
messaging server is located in a different Microsoft Active Directory domain than the global catalog server, you must
create the Microsoft Active Directory account in the Microsoft Active Directory domain that includes the global
catalog server.
You do not need to configure constrained delegation for the Microsoft Active Directory account that you create in
the Microsoft Active Directory domain that includes the messaging server or global catalog server.
Configure the BlackBerry MDS Connection Service when the messaging server is
located in a remote Microsoft Active Directory domain
Before you begin: Create a Microsoft® Active Directory® account in the Microsoft Active Directory domain that the
messaging server or global catalog server is located in.
1.
2.
3.
4.
5.
220
On the computer that hosts the BlackBerry® MDS Connection Service, navigate to <drive>:\Program Files
\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\instance\config.
In a text editor, open the rimpublic.properties file.
Perform one of the following actions:
• If the IBM® Lotus® Domino® server is installed in a Microsoft Active Directory domain with a global catalog
server, in the rimpublic.properties file, type application.handler.exchange.domain=<domain_name> where
<domain_name> is the Microsoft Active Directory domain that contains the messaging server. For example,
type application.handler.exchange.domain=domain123.example.com.
• If the Lotus Domino server is not installed in a Microsoft Active Directory domain with a global catalog server,
in the <domain_name>rimpublic.properties file, type
application.handler.exchange.domain=<domain_name> where <domain_name> is the Microsoft Active
Directory domain that contains the global catalog server. For example, type
application.handler.exchange.domain=domain123.example.com.
Save and close the rimpublic.properties file.
In the Windows® Services, restart the BlackBerry MDS Connection Service service.
Administration Guide
Configuring Integrated Windows authentication so that users can access resources on your
organization's network
After you finish: Turn on Integrated Windows authentication when BlackBerry device users access resources on your
organization's network.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Turn on Integrated Windows authentication so that users can access
resources on your organization's network
Before you begin:
• Configure the Microsoft® Active Directory® account to access resources on your organization's network.
• If required, configure BlackBerry® MDS Connection Service to use a Microsoft Active Directory account when
the messaging server is in a remote Microsoft Active Directory domain.
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry solution
topology > BlackBerry Domain > Component view.
Click MDS Connection Service.
Click Edit component.
In the Integrated authentication turned on drop-down list, click Yes.
For each Microsoft Active Directory account, provide the following information:
• In the Delegation user domain field, type the FQDN (for example, ldap.example.com).
• In the Delegation user name field, type the user name.
• In the Password and Confirm fields, type the password.
Click Save all.
On the HTTP tab, click Edit component.
In the Authentication support enabled drop-down list, click Yes.
Click Save all.
On the Pull URL Patterns tab, specify web address patterns for the intranet sites or shared folders that you want
to permit BlackBerry device users to access (for example, intranet_site(:80)?(\/.*)?). The web address patterns
are based on Java® regular expressions. Consider specifying the following web address patterns:
• Specify .*\:.*\/.* as the web address pattern so that you can prevent users from using any other web address
patterns to access intranet sites or shared network folders.
• Specify .* as the web address pattern for OCSP, LDAP, and TCP to permit users to communicate with OCSP
servers, LDAP servers, or TCP servers.
11. On the Access control rules tab, create a pull rule for each of the web address patterns that you specified. When
you create the pull rule, in the Authentication drop-down list, click Integrated or Integrated and RSA.
12. Click Save all.
13. Assign the pull rules to the users or groups that you want to access intranet sites or shared network folders.
14. On the Servers and components menu, expand BlackBerry solution topology > BlackBerry Domain >
Component view > MDS Connection Service.
15. Click a BlackBerry MDS Connection Service instance.
221
Administration Guide
16.
17.
18.
19.
Restricting the push application content that users can receive
Click Edit instance.
In the Pull Authorization drop-down list, click Yes.
Click Save all.
Repeat step 16 to 20 for each BlackBerry MDS Connection Service instance.
Related topics
Specify web address patterns, 212
Create a pull rule, 213
Assign a pull rule to the members of a group, 214
Assign a pull rule to user accounts, 215
Restrict or permit web addresses and Intranet addresses using a pull rule, 213
Restricting the push application content that users can
receive
By default, a BlackBerry® MDS Connection Service sends push requests from server-side push applications to
applications on BlackBerry devices. BlackBerry devices can receive application data and application updates without
users requesting the content.
You can configure your organization's environment so that only specific server-side push applications can send push
requests to BlackBerry devices. You can turn on push authentication to prevent a BlackBerry MDS Connection Service
from sending push requests, and create push initiators that permit specific server-side applications to send push
requests to BlackBerry devices. To permit specific users to receive push requests on BlackBerry devices, you can
create push rules and assign the rules to the users.
For more information about push requests, see the BlackBerry Java Development Environment Development Guide.
Restrict push applications from sending data to BlackBerry devices
You can turn on push authentication to permit only authenticated push applications to send push requests to
applications on BlackBerry® devices.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, in the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > MDS Connection Service.
Click the instance that you want to change.
Click Edit instance.
In the Access control section, in the Push authentication options, click Yes.
Click Save all.
After you finish: To authenticate and permit specific server-side push applications to send push requests to BlackBerry
devices, create push initiators.
222
Administration Guide
Restricting the push application content that users can receive
Create push initiators for push applications
Push initiators specify which server-side push applications are authenticated and permitted to send push requests
to applications on BlackBerry® devices. For push initiators to work, you must turn on push authentication for the
BlackBerry MDS Connection Service. You can configure several server-side push applications to use the same push
initiator (that is, to use the same authorization password) if your organization's development environment permits
it. Verify that the authorization HTTP header in push requests from server-side push applications matches the name
and password that you specify for the push initiator.
Before you begin: Turn on push authentication for the appropriate instances of the BlackBerry MDS Connection
Service.
1.
2.
3.
4.
5.
6.
7.
In the BlackBerry Administration Service, in the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
Click MDS Connection Service.
Click Edit component.
On the Push initiators tab, in the Name field, type the name of the server-side application that you want to
permit to send push requests to BlackBerry devices.
In the Credentials field, type the password for the server-side push application.
Click the Add icon.
Click Save all.
After you finish: Create a push initiator for each server-side push application that you want to permit to send push
requests to BlackBerry devices. To specify which users can receive push requests from authenticated push
applications, turn on push authorization and create push rules.
Turn on push authorization
If you turned on push authentication and created push initiators to specify which push applications can send push
requests, you can create push rules to specify which users are permitted to receive authenticated push requests.
The BlackBerry® MDS Connection Service can apply push rules only if you turn on push authorization for the BlackBerry
MDS Connection Service.
Before you begin:
• Turn on push authentication.
• Create push initiators to authenticate specific push applications.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, in the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > MDS Connection Service.
Click the instance that you want to change.
Click Edit instance.
In the Access control section, in the Push authorization drop-down list, click Yes.
Click Save all.
223
Administration Guide
Restricting the push application content that users can receive
After you finish: Create a push rule.
Related topics
Restrict push applications from sending data to BlackBerry devices, 222
Create a push rule
1.
2.
3.
4.
5.
6.
7.
In the BlackBerry® Administration Service, in the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
Click MDS Connection Service.
Click Edit component.
On the Access control rules tab, in the Rule name field, type a name for the push rule.
In the Control type drop-down list, click Push.
Click the Add icon.
Click Save all.
After you finish: Assign push initiators to the push rule.
Assign push initiators to a push rule
Before you begin: Create push initiators to authenticate specific push applications.
1.
2.
3.
4.
5.
6.
7.
8.
In the BlackBerry® Administration Service, in the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
Click MDS Connection Service.
Click Edit component.
On the Access control rules tab, click the Edit icon for a push rule.
In the Available push initiators list, click the push initiator that you want to assign to the push rule.
Click Add.
Repeat steps 5 and 6 for each push initiator that you want to assign to the push rule.
Click Save all.
After you finish: Assign the push rule to a user account or to a group.
Related topics
Create push initiators for push applications, 223
Assign a push rule to the members of a group
Before you begin:
• Create a push rule.
• Assign push initiators to the push rule.
1.
224
In the BlackBerry® Administration Service, in the BlackBerry solution management menu, expand User.
Administration Guide
2.
3.
4.
5.
6.
7.
8.
9.
Restricting the push application content that users can receive
Click Manage users.
Click View more criteria.
Search for a group.
Click Select all results in the entire set.
In the Add to user configuration list, click Add push rule.
In the Available push rules list, click a push rule.
Click Add.
Click Save.
Assign a push rule to user accounts
Before you begin:
• Create a push rule.
• Assign push initiators to the push rule.
1.
2.
3.
4.
5.
6.
7.
8.
In the BlackBerry® Administration Service, in the BlackBerry solution management menu, expand User.
Click Manage users.
Search for one or more user accounts.
Select the user accounts that you want to assign a push rule to.
In the Add to user configuration list, click Add push rule.
In the Available push rules list, click a push rule.
Click Add.
Click Save.
Encrypt push requests that push applications send to BlackBerry devices
You can configure a BlackBerry® MDS Connection Service to use SSL or TLS to encrypt the push requests that serverside push applications send to BlackBerry devices. By default, the BlackBerry MDS Connection Service does not
encrypt the push requests that server-side push applications send.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, in the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > MDS Connection Service.
Click the instance that you want to change.
Click Edit instance.
In the Access control section, in the Push encryption drop-down list, click Yes.
Click Save all.
225
Administration Guide
Managing push application requests
Managing push application requests
The BlackBerry® MDS Connection Service receives push application requests from server-side push applications and
sends the requests to applications on BlackBerry devices. You can control how the BlackBerry MDS Connection Service
processes, stores, and sends push application requests.
For more information about types of push requests, visit www.blackberry.com/developers to see the BlackBerry Java
Development Environment Development Guide.
Specify device ports for application-reliable push requests
Application developers can create BlackBerry® Java® Applications to manage application-reliable push requests.
When a BlackBerry Java Application receives an application-reliable push request, it sends a delivery confirmation
message to the BlackBerry MDS Connection Service, which sends the message to the server-side push application.
You must specify the device port numbers that the BlackBerry Java Applications listen on for application-reliable
push requests.
Before you begin: Contact your organization's application developers for the unique port numbers that they defined
for BlackBerry Java Applications that support application-reliable push requests.
1.
2.
3.
4.
5.
6.
7.
8.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > MDS Connection Service.
Click the instance that you want to specify device ports for.
Click Edit instance.
In the Device ports enabled for reliable pushes field, type the device port number.
Click the Add icon.
Repeat steps 4 to 5 for each device port number that you want to add.
Click Save all.
Click Restart instance.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Store push application requests in the BlackBerry Configuration Database
To manage memory and system resources in your organization's environment, you can configure a BlackBerry® MDS
Connection Service to store PAP and Research In Motion® push requests in the BlackBerry Configuration Database.
You can also configure storage settings for the BlackBerry Configuration Database. For more information about types
of push requests, visit www.blackberry.com/developers to see the BlackBerry Java Development Environment
Development Guide.
1.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > MDS Connection Service.
2.
Click the instance that you want to change.
226
Administration Guide
3.
4.
5.
6.
Managing push application requests
Click Edit instance.
In the Push access protocol section, in the Store push submissions drop-down list, click Yes.
Click Save all.
Click Restart instance.
After you finish: Configure the settings for storing push requests in the BlackBerry Configuration Database.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Configure the settings for storing push requests in the BlackBerry
Configuration Database
To manage your organization's system resources, you can configure storage settings for push requests that are stored
in the BlackBerry® Configuration Database.
1.
2.
3.
4.
5.
6.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
Click MDS Connection Service.
Click Edit component.
In the Push message settings section, in the Maximum number of push messages stored field, type the number
of push requests that you want the BlackBerry Configuration Database to store.
In the Maximum push message age field, type the maximum length of time, in minutes, that you want the
BlackBerry Configuration Database to store a push request before the BlackBerry® Enterprise Server Express
deletes it from the BlackBerry Configuration Database.
Click Save all.
Configure the maximum number of active connections that a BlackBerry
MDS Connection Service can process
You can configure the maximum number of push connections that a BlackBerry® MDS Connection Service can process
at the same time. The BlackBerry MDS Connection Service queues the push connections that exceed this limit.
1.
2.
3.
4.
5.
6.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > MDS Connection Service.
Click the instance that you want to configure active connections for.
Click Edit instance.
In the Push access protocol section, in the Maximum number of active connections field, type a number.
Click Save all.
Click Restart instance.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
227
Administration Guide
Managing push application requests
Configure the maximum number of queued connections that a BlackBerry
MDS Connection Service can process
The BlackBerry® MDS Connection Service queues push connections when the number of connections exceeds a limit
that you specify. You can configure the maximum number of push connections that a BlackBerry MDS Connection
Service can queue. The BlackBerry MDS Connection Service sends a "service unavailable" message to BlackBerry
devices when the number of pending push connections in the queue exceeds the limit.
1.
2.
3.
4.
5.
6.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > MDS Connection Service.
Click the instance that you want to configure the maximum number of queued connections for.
Click Edit instance.
In the Push access protocol section, in the Maximum number of queued connections field, type a number.
Click Save all.
Click Restart instance.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
228
Administration Guide
Managing organizer data synchronization
Managing organizer data synchronization
24
Managing the wireless backup and recovery of organizer
data
The wireless backup feature backs up user account settings and data from BlackBerry® devices to the BlackBerry®
Enterprise Server Express automatically. You can use the wireless backup feature to synchronize organizer data to
BlackBerry devices without affecting the performance of your organization's messaging server. You can also use the
wireless backup feature to restore data from the BlackBerry Enterprise Server Express to the BlackBerry device. By
default, wireless backup is turned on when you activate BlackBerry devices.
Turn off the wireless backup of organizer data for a user account
1.
2.
3.
4.
5.
6.
7.
8.
9.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
In the search results, click the display name for the user account.
Click Edit user.
In the Messaging configuration section, click Default configuration.
On the Organizer data synchronization tab, in the General section, in the Automatic wireless backup turned on
drop-down list, click No.
Click Continue to user information edit.
Click Save all.
Delete organizer data for members of a user group from the BlackBerry
Enterprise Server Express
If the BlackBerry® Enterprise Server Express is not writing organizer data for members of a user group from their
BlackBerry devices to the BlackBerry Configuration Database correctly, the organizer data on the BlackBerry
Enterprise Server Express might be corrupted. You can delete the organizer data from the BlackBerry Enterprise
Server Express. This action forces the BlackBerry devices to synchronize the current organizer data with the BlackBerry
Enterprise Server Express over the wireless network.
1.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2.
3.
4.
5.
6.
Click Manage users.
Click Advanced search.
In the Group criteria section, in the Specific group drop-down list, click the appropriate group.
Click Search.
Click Manage multiple users.
229
Administration Guide
7.
8.
Turning off organizer data synchronization
Select all users.
Under Organizer data synchronization, click Clear backed up data for organizer data synchronization.
Delete a user's organizer data from a BlackBerry Enterprise Server Express
If the BlackBerry® Enterprise Server Express writes a user’s organizer data from a BlackBerry device to the BlackBerry
Configuration Database incorrectly, the organizer data on the BlackBerry Enterprise Server Express might become
corrupt. In this case, you can delete the organizer data from the BlackBerry Enterprise Server Express.
1.
2.
3.
4.
5.
6.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for one or more user accounts.
Click Manage multiple users.
Select the appropriate user accounts.
In the Organizer data synchronization list, click Clear backed up data for organizer data synchronization.
Turning off organizer data synchronization
Turn off organizer data synchronization for all user accounts that are
associated with a BlackBerry Enterprise Server Express
1.
2.
3.
4.
5.
6.
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Synchronization.
Click the instance that you want to change.
In the Instance information section, click Synchronization.
Click Edit component.
In the Synchronization turned on drop-down list, click False for each type of organizer data.
Click Save all.
Turn off organizer data synchronization for a specific user account
1.
2.
3.
4.
5.
6.
7.
230
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
In the search results, click the display name for the user account.
Click Edit user.
In the Messaging configuration section, click Default configuration.
On the Organizer data synchronization tab, in the General section, perform one of the following actions:
Administration Guide
Changing how organizer data synchronizes
• To prevent the synchronization of organizer data, in the Wireless Synchronization turned on drop-down list,
click No.
• To prevent the synchronization of specific types of organizer data, in the General section, in the Wireless
Synchronization turned on drop-down list, click Yes. In the Synchronization turned on drop-down list, click No
for each type of organizer data that you do not want to synchronize.
8.
9.
Click Continue to user information edit.
Click Save all.
Changing how organizer data synchronizes
Change the direction of organizer data synchronization for all user
accounts on a BlackBerry Enterprise Server Express
1.
2.
3.
4.
5.
6.
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Synchronization.
Click the instance that you want to change.
In the Instance information section, click Synchronization.
Click Edit component.
For each type of organizer data, in the Synchronization type drop-down list, perform one of the following actions:
• To synchronize data from the BlackBerry® Enterprise Server Express to the BlackBerry device only, click Server
to Device.
• To synchronize data from the BlackBerry device to the BlackBerry Enterprise Server Express only, click Device
to Server.
• To synchronize data from the BlackBerry device to the BlackBerry Enterprise Server Express and from the
BlackBerry Enterprise Server Express to the BlackBerry device, click Bidirectional.
Click Save all.
Change the direction of organizer data synchronization for a specific user
account
1.
2.
3.
4.
5.
6.
7.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
In the search results, click the display name of the user account.
Click Edit user.
In the Message configuration section, click Default configuration.
On the Organizer data synchronization tab, for each type of organizer data, in the Synchronization type dropdown list, perform one of the following actions:
231
Administration Guide
Changing how organizer data synchronizes
• To synchronize data from the BlackBerry® Enterprise Server Express to the BlackBerry device only, click Server
to Device.
• To synchronize data from the BlackBerry device to the BlackBerry Enterprise Server Express only, click Device
to Server.
• To synchronize data from the BlackBerry device to the BlackBerry Enterprise Server Express and from the
BlackBerry Enterprise Server Express to the BlackBerry device, click Bidirectional.
8.
9.
Click Continue to user information edit.
Click Save all.
Change how the BlackBerry Administration Service resolves conflicts during
organizer data synchronization for all user accounts on a BlackBerry
Enterprise Server Express
1.
2.
3.
4.
5.
6.
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Synchronization.
Click the instance that you want to change.
In the Instance information section, click Synchronization.
Click Edit component.
In the Conflict resolution drop-down list, perform one of the following actions for each type of organizer data:
• To specify that the BlackBerry® Enterprise Server Express data overrides the BlackBerry device data, click
Server Wins.
• To specify that the BlackBerry device data overrides the BlackBerry Enterprise Server Express data, click
Device Wins.
Click Save all.
Change how the BlackBerry Administration Service resolves conflicts during
organizer data synchronization for a specific user account
1.
2.
3.
4.
5.
6.
7.
232
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
In the search results, click the display name for the user account.
Click Edit user.
In the Messaging configuration section, click Default configuration.
On the Organizer data synchronization tab, for each type of organizer data, in the Conflict resolution drop-down
list, perform one of the following actions:
• To specify that the BlackBerry® Enterprise Server Express data overrides the BlackBerry device data, click
Server Wins.
Administration Guide
Changing how organizer data synchronizes
• To specify that the BlackBerry device data overrides the BlackBerry Enterprise Server Express data, click
Device Wins.
8.
9.
Click Continue to user information edit.
Click Save all.
Specify the location of organizer data
You can specify whether an administrator can determine the location of a BlackBerry® user's organizer data. By
default, the BlackBerry Messaging Agent specifies the location of the organizer data.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Email.
Click the instance that you want to change.
Click Edit instance.
On the Messaging tab, in the Messaging options section, in the Agent who determined organizer data location
drop-down list, select Administrator only.
Click Save all.
After you finish: Specify the location that the BlackBerry Messaging Agent uses to find organizer data.
Specify the location that the BlackBerry Messaging Agent uses to find
organizer data
You can specify the location that the BlackBerry® Messaging Agent uses to find a BlackBerry user's address book or
memo organizer data.
Note: If the Location - Server and Location - Relative Path fields are not populated, the BlackBerry® Enterprise Server
Express does not synchronize the user's address book and memo application to the user's BlackBerry device.
1.
2.
3.
4.
5.
6.
7.
8.
9.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
In the search results, click the display name for the user account.
Click Edit user.
In the Messaging configuration section, click Default configuration.
On the Organizer data synchronization tab, in the Address book or Memos sections, in the Override the
organizer data location drop-down list , select True.
In the Location - Server drop-down list, select the messaging server that hosts the organizer data.
In the Location - Relative Path field, type the relative path for the messaging server that hosts the organizer
data.
10. Click Continue to user information edit.
11. Click Save all.
233
Administration Guide
Managing your organization's messaging environment and attachment support
Managing your organization's messaging
environment and attachment support
25
Managing message forwarding
You can define the message forwarding settings for user accounts and groups that are associated with the BlackBerry®
Enterprise Server Express. The settings control how the BlackBerry Enterprise Server Expressforwards email messages
from users’ email applications to their BlackBerry devices. You can also manage individual user accounts, provide
support to users, control the size of the message queue, and control the load on the BlackBerry Messaging Agent to
process forwarding requests. By default, email message forwarding is turned on when you add a user account to the
BlackBerry Enterprise Server Express.
Users can configure message forwarding settings on their BlackBerry devices, or by using the BlackBerry® Desktop
Manager or the BlackBerry® Web Desktop Manager. The settings that you define override the settings that users
define.
Forward email messages to a BlackBerry device when no filter rules apply
You can configure a BlackBerry® Enterprise Server Express to deliver incoming messages to a user’s BlackBerry device
when no email message filters apply to those messages.
1.
2.
3.
4.
5.
6.
7.
8.
9.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
In the search results, click the name of a user account.
In the Messaging configuration section, click Default configuration.
Click Edit user.
On the Email tab, in the Email message filter rules section, click Forward email messages to the device.
Click Continue to user information edit.
Click Save all.
Do not deliver email messages to a BlackBerry device when no filter rules
apply
You can configure a BlackBerry® Enterprise Server Express to prevent the delivery of incoming email messages to a
user’s BlackBerry device when no email message filters apply to the email messages.
1.
2.
3.
4.
234
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
In the search results, click the name of a user account.
Administration Guide
5.
6.
7.
8.
9.
Managing message forwarding
In the Messaging configuration section, click Default configuration.
Click Edit user.
On the Email tab, in the Email message filter rules section, click Do not forward email messages to the device.
Click Continue to user information edit.
Click Save all.
Forward email messages from inbox subfolders to a BlackBerry device
You can specify which subfolders in a user's email application that the BlackBerry® Enterprise Server Express can
forward email messages from. By default, a BlackBerry Enterprise Server Express forwards messages from the inbox
only.
1.
2.
3.
4.
5.
6.
7.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
In the search results, click the name of the user account.
Click Edit user.
In the Messaging configuration section, click Default configuration.
On the Email tab, in the Redirection settings section, perform one of the following actions:
• To forward email messages from the user's inbox only, click Inbox only.
• To forward email messages from the user's inbox and sent items folder, click Inbox and sent items only.
• To select the folders that you want the BlackBerry Enterprise Server Express to forward messages from, click
Selected folders. Click the folders that you want to forward messages from.
8.
9.
Click Continue to user information edit.
Click Save all.
Turn off email message forwarding to user accounts in a group
You can temporarily stop the BlackBerry® Enterprise Server Express from forwarding email messages to user accounts
that belong to a user group (for example, if the members of the user group are out of a wireless coverage area and
do not want to receive email messages during that time). When you turn off message forwarding for user accounts,
users cannot send or receive email messages.
1.
2.
3.
4.
In the BlackBerry Administration Service, on the BlackBerry Solution management menu, expand User.
Click Manage users.
Click Advanced search.
In the Group criteria section, in the Specific group drop-down list, click the group you want to turn off message
forwarding for.
5.
6.
7.
Click Search.
Click Manage multiple users.
Select all users.
235
Administration Guide
8.
Managing message forwarding
Under Device services, click Turn off redirection for selected devices.
Turn off email message forwarding to a user account
You can temporarily stop the BlackBerry® Enterprise Server Express from forwarding email messages to a BlackBerry
device (for example, if a user is out of a wireless coverage area and does not want to receive email messages during
that time). When you turn off message forwarding for a user account, the user cannot send or receive email messages.
1.
2.
3.
4.
5.
6.
7.
8.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
Click Edit user.
In the Messaging configuration section, click Default configuration.
In the Email services settings section, on the Redirect to BlackBerry device drop-down list, click No.
Click Continue to user information edit.
Click Save all.
Turn off synchronization for email messages sent from a BlackBerry device
If you do not want a user’s email application to receive a copy of email messages that the user sends from the
BlackBerry® device, you can turn off synchronization for email messages that the user sends from the BlackBerry
device.
1.
2.
3.
4.
5.
6.
7.
8.
9.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
In the search results, click the name of the user account.
Click Edit user.
In the Messaging configuration section, click Default configuration.
On the Services tab, in the Email services settings section, in the Save copy in sent folder drop-down list, click
No.
Click Continue to user information edit.
Click Save all.
Turn off email message forwarding when a user connects a BlackBerry
device to a computer
To manage network resources and control the number of email messages on a user's BlackBerry® device, you can
turn off email message forwarding when a user's BlackBerry device is connected to the user's computer using a USB
connection.
1.
236
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Administration Guide
2.
3.
4.
5.
6.
7.
8.
9.
Managing the incoming message queue
Click Manage users.
Search for a user account.
In the search results, click the name of the user account.
Click Edit user.
In the Messaging configuration section, click Default configuration.
In the Email services settings section, in the Redirect when in cradle drop-down list, click False.
Click Continue to user information edit.
Click Save all.
Managing the incoming message queue
The incoming message queue stores email messages from an organization's mail server until the BlackBerry®
Enterprise Server Express processes the email messages and sends them to BlackBerry devices.
Delete email messages for user accounts from the incoming message queue
You can delete email messages for one or more user accounts from the incoming message queue. This permits you
to manage the size of the queue and to manage user accounts that have a high number of pending email messages.
When you delete pending email messages from the incoming message queue, the BlackBerry® Enterprise Server
Express does not send the email messages to the user’s BlackBerry device. The email messages remain in the email
application on the user’s computer.
1.
2.
3.
4.
5.
6.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for one or more user accounts.
Click Manage multiple users.
Select the user accounts that you want to delete incoming messages for.
In the Pending data packets list, click Purge pending data packets for selected devices.
If wireless calendar synchronization for a user account is turned on, the BlackBerry Enterprise Server Express deletes
pending meeting invitations or updates from the incoming message queue and sends them at a later time. The
BlackBerry Enterprise Server Express does not delete IT policies and IT administration commands from the incoming
message queue.
Managing wireless message reconciliation
The BlackBerry® Enterprise Server Express synchronizes email message status changes between BlackBerry devices
and the email applications on users' computers. The BlackBerry Enterprise Server Express reconciles message moves,
deletions, and indicators for read and unread messages every 30 minutes. By default, wireless message reconciliation
is turned on.
237
Administration Guide
Managing access to remote message data
To reduce high volumes of wireless network traffic, you can instruct users to limit how often they use the Reconcile
Now menu item in the message list on their BlackBerry devices.
Turn off wireless message reconciliation for a BlackBerry Enterprise Server
Express
You can turn off wireless message reconciliation to reduce wireless network traffic or to manage user accounts. If
you turn off wireless message reconciliation, users can reconcile their email messages only by connecting their
BlackBerry® devices to the BlackBerry® Desktop Manager or the BlackBerry® Web Desktop Manager.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Email.
Click the instance that you want to change.
Click Edit instance.
On the Messaging tab, in the Messaging options section, in the Wireless message reconciliation turn on drop
down list, click False.
Click Save all.
Managing access to remote message data
Prevent a user from checking the availability of meeting participants on the
BlackBerry device
By default, when a BlackBerry® device user creates a meeting request , the BlackBerry device user can check to see
if a potential participant is available. You can turn this feature off if you want to minimize the resource impact of the
BlackBerry® Enterprise Server Express on your organization's messaging server.
1.
2.
3.
4.
5.
6.
7.
238
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component View > Email.
Click the name of the BlackBerry Enterprise Server Express instance or BlackBerry Enterprise Server Express pair
that you want to change.
Click Edit instance.
On the Messaging tab, in the Messaging Options section, change Free busy lookup turn on to False.
Click Save All.
Restart the BlackBerry Enterprise Server Express using one of the following methods:
• If you want to change a BlackBerry Enterprise Server Express instance, on the Instance information tab, click
Restart instance.
• If you want to change a BlackBerry Enterprise Server Express pair, click one of the instances, and on the
Instance information tab, click Restart instance. Repeat this step for the other instance in the pair.
• In the Windows® Services, restart the BlackBerry Dispatcher.
Repeat step 2 to step 6 for each BlackBerry Enterprise Server Express instance that you want to turn off the
feature for.
Administration Guide
Managing access to remote message data
After you finish: To allow the user to check the availability of a potential meeting participant, in the Messaging
Options section, change Free busy lookup turn on to True. Click Save all. Restart the BlackBerry Enterprise Server
Express.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Prevent a user from searching for remote email messages using a device
You can prevent BlackBerry® device users from searching with their devices for remote email messages that are
located on the messaging server.
Before you begin: You must turn on wireless email reconciliation.
1.
2.
3.
4.
5.
6.
7.
8.
9.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Email.
Click the name of the BlackBerry Messaging Agent instance that you want to prevent a device user from searching
for remote email messages.
Click Edit instance.
On the Messaging tab, in the Messaging options section, change Remote search turned on to False.
Click Save all.
On the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain >
Component view > BlackBerry Enterprise Server.
Click the name of the BlackBerry® Enterprise Server Express instance or BlackBerry Enterprise Server Express
pair that is associated with the email instance that you want to prevent a device user from searching for remote
email messages.
Restart the BlackBerry Enterprise Server Express using one of the following methods:
• If you are changing a BlackBerry Enterprise Server Express instance, in the Status section, click Restart
instance.
• If you are changing a BlackBerry Enterprise Server Express pair, in the Status section for one of the instances
in the pair, click Restart instance. Repeat this step for the other instance in the pair.
• In the Windows® Services, restart the BlackBerry Dispatcher.
Repeat step 2 to step 8 for each BlackBerry Messaging Agent instance that you want to turn off remote searching
for.
After you finish: To turn on the ability to search for remote messages, in the Messaging Options section, change
Remote search turn on to True. Click Save all. Restart the BlackBerry Enterprise Server Express.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
239
Administration Guide
Managing email messages that contain HTML and rich content
Managing email messages that contain HTML and rich
content
The BlackBerry® Enterprise Server Express supports email messages that contain HTML and rich content on BlackBerry
devices that are running BlackBerry® Device Software version 4.5 or later. You can turn off support for rich content
and inline images in email messages. Users can configure the message settings on the BlackBerry devices. The settings
that you define override the settings that users define.
View whether a user turned on support for email messages that contain
HTML and rich content for a BlackBerry device
You can view whether a user turned on support for email messages with HTML and rich content and whether a user
can download images to a BlackBerry® device automatically. A user can choose whether to turn off support on the
BlackBerry device.
1.
2.
3.
4.
5.
6.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
In the Search for users section, search for the user account that you assigned the BlackBerry device to.
In the search results, click the user name.
In the Messaging configuration section, click the Device configuration name.
In the Email Services Settings section, check if Rich content turned on and Automatic downloading of inline
images turned on are configured to Yes.
Turn off support for rich text formatting and inline images in email
messages for users on a BlackBerry Enterprise Server Express
You can prevent the BlackBerry® Enterprise Server Express from sending email messages that contain HTML and rich
content to BlackBerry devices. When you turn off rich text formatting, the BlackBerry Enterprise Server Express sends
all email messages in plain text format. You can also prevent the BlackBerry Enterprise Server Express from sending
email messages that contain inline images to BlackBerry devices.
If you turn off support for rich content and inline images, you reduce the resource consumption on the computers
that are running the messaging server, BlackBerry Attachment Service, and BlackBerry MDS Connection Service.
1.
2.
3.
4.
240
In the BlackBerry Administration Service, in the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component View > Email.
Click the name of the BlackBerry Enterprise Server Express instance or BlackBerry Enterprise Server Express pair
that you want turn off rich text formatting or inline images for.
Click Edit instance.
On the Messaging tab, perform one or both of the following options:
• To turn off rich text formatting, in the Messaging Options section, change Rich content turn on to False.
Administration Guide
Configuring IBM Lotus Notes links on devices
• To prevent sending inline images, in the Messaging Options section, change Automatic downloading of inline
images turn on to False.
5.
6.
Click Save All.
Restart the BlackBerry Enterprise Server Express using one of the following methods:
• If you want to change a BlackBerry Enterprise Server Express instance, on the Instance information tab, click
Restart instance.
• If you want to change a BlackBerry Enterprise Server Express pair, click one of the instances, and on the
Instance information tab, click Restart instance. Repeat this step for the other instance in the pair.
• In the Windows® Services, restart the BlackBerry Dispatcher.
7.
Repeat step 2 through step 6 for each BlackBerry Enterprise Server Express instance that you want to turn off
rich text formatting or inline images for.
Turn off support for rich text formatting in email messages using an IT policy
rule
You can change an IT policy rule to prevent the BlackBerry® Enterprise Server Express from sending email messages
that contain HTML and rich content to users. If you turn off support for rich text formatting, the BlackBerry Enterprise
Server Express sends all email messages in plain text format.
If you turn off rich content formatting, you reduce resource consumption on the computers that host the messaging
server, BlackBerry Attachment Service, and BlackBerry MDS Connection Service.
1.
2.
3.
4.
5.
6.
7.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.
Click Manage IT policies.
Click the name of the IT policy that you want to change.
Click Edit IT policy.
On the Email Messaging tab, change Disable Rich Content Email to Yes.
Click Save all.
Resend the updated IT policy to the BlackBerry devices.
Configuring IBM Lotus Notes links on devices
In IBM® Lotus Notes®, BlackBerry® device users can include Lotus Notes links to connect to documents, specific
sections of a document, views, folders, or applications in Lotus Notes. The BlackBerry® Enterprise Server Express
supports Lotus Notes links in email messages that users create and receive on their BlackBerry devices. The BlackBerry
Enterprise Server Express retrieves the properties of document links, anchor links, view links, or database links (also
known as application links) from the IBM® Lotus® Domino® server and converts them into HTTP format. In plain-text
email messages, the links appear as web addresses. In HTML email messages, the links appear as icons.
Users can click the HTTP links to view documents, folders, views, or database information in the BlackBerry®
Browser. If the information that you want the user to access by clicking the link is stored on a Lotus Domino server
that requires authentication, the device might prompt users to type their login information after they click the link.
241
Administration Guide
Configuring IBM Lotus Notes links on devices
Lotus Notes links contain the name of the Lotus Domino server that the information that you link to is stored on. The
Lotus Domino server name is a Lotus Notes name that the BlackBerry Messaging Agent might not be able to use to
access the information that you link to using HTTP. The BlackBerry Enterprise Server Express uses a map that is located
in the memory of the BlackBerry Messaging Agent to store information about Lotus Domino servers and the host
names for the servers. If the BlackBerry Messaging Agent processes an email message to send to a user and the email
message contains links, the BlackBerry Messaging Agent searches the map to find the host name for the Lotus Domino
server that stores the information that you link to and creates an HTTP link to display in the email message.
The BlackBerry Enterprise Server Express supports Lotus Notes links on devices if the following conditions exist:
•
•
Lotus Domino servers that contain the information that you link to must have the HTTP task running
Lotus Domino servers that contain the information that you link to must permit browser clients to access
databases on the servers
For more information, visit www.ibm.com/developerworks/lotus/documentation/domino/ to read the Lotus
Domino Administrator Help.
Configure the BlackBerry Enterprise Server Express to support IBM Lotus
Notes links to different IBM Lotus Domino domains
The BlackBerry® Enterprise Server Express detects the IBM® Lotus® Domino® servers that user accounts are assigned
to and updates the map of Lotus Domino server names and host names so that the BlackBerry Enterprise Server
Express can access the information that you link to on the servers. If the BlackBerry Enterprise Server Express cannot
detect a Lotus Domino server (for example, if a Lotus Domino server is in a different domain), you can add the Lotus
Domino server name and host name to the map manually using a registry value.
1.
2.
3.
On the computer that hosts the BlackBerry Messaging Agent, click Start > Run.
Type regedit.
Perform one of the following actions:
• If you are running a 32-bit version of Windows®, go to HKEY_LOCAL_MACHINE\SOFTWARE\Research In
Motion\BlackBerry Enterprise Server\Agents.
• If you are running a 64-bit version of Windows, go to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node
\Research In Motion\BlackBerry Enterprise Server\Agents.
4.
5.
6.
7.
If the DocLink registry key does not exist, create a registry key that you name DocLink.
In the DocLink registry key, create a multistring value that you name ServerHostNames.
Double-click the new multistring value.
In the Value data field, type the Lotus Domino server name and host name using the following format:
<server_name>!!<host_name> (for example, CN=server01/O=central!!example.com). Type additional server
names and host names on separate lines.
Click OK.
8.
242
Administration Guide
Configuring IBM Lotus Notes links on devices
Updating the map for IBM Lotus Domino server names and host names
When you start the BlackBerry® Messaging Agent, it starts the map for IBM® Lotus® Domino® and stores it in memory.
When you add the configuration information for each BlackBerry device user to the BlackBerry® Enterprise Server
Express, the BlackBerry Enterprise Server Express populates the map with each user’s Lotus Domino server name
and host name. If the BlackBerry Enterprise Server Express detects a new Lotus Domino server when it processes
email messages, it adds the server name and host name to the map.
By default, the map updates itself daily at 3:00 AM. If the domain name for a server changes, you must wait until
after 3:00 AM for the map to update. You can use a registry value to change how often the map updates. If the map
updates more frequently, you have more frequent access to the Lotus Domino Directory.
Change how often the BlackBerry Messaging Agent updates the map for
IBM Lotus Domino server names and host names
1.
2.
3.
On the computer that hosts the BlackBerry® Messaging Agent, click Start > Run.
Type regedit.
Perform one of the following actions:
• If you are running a 32-bit version of Windows®, go to HKEY_LOCAL_MACHINE\SOFTWARE\Research In
Motion\BlackBerry Enterprise Server\Agents.
• If you are running a 64-bit version of Windows, go to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node
\Research In Motion\BlackBerry Enterprise Server\Agents.
4.
5.
6.
7.
If the DocLink registry key does not exist, create a registry key that you name DocLink.
In the DocLink registry key, create a DWORD value that you name ServerHostNamesCacheTimeout.
Double-click the new DWORD value.
In the Value data field, type the interval, in seconds, that can elapse before the map updates itself. The minimum
value is 3600 seconds (1 hour); the maximum value is 86,400 seconds (24 hours).
Click OK.
8.
Turn off support for IBM Lotus Notes links
By default, support for IBM® Lotus Notes® links is turned on. If your organization's environment has security
restrictions, you can turn off support for Lotus Notes links using a registry value.
1.
2.
3.
On the computer that hosts the BlackBerry® Messaging Agent, click Start > Run.
Type regedit.
Perform one of the following actions:
• If you are running a 32-bit version of Windows®, go to HKEY_LOCAL_MACHINE\SOFTWARE\Research In
Motion\BlackBerry Enterprise Server\Agents.
• If you are running a 64-bit version of Windows, go to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node
\Research In Motion\BlackBerry Enterprise Server\Agents.
4.
If the DocLink registry key does not exist, create a registry key that you name DocLink.
243
Administration Guide
5.
6.
7.
8.
Synchronizing folders on the BlackBerry device
In the DocLink registry key, create a DWORD value that you name Disable.
Double-click the new DWORD value.
In the Value data field, type 1.
Click OK.
After you finish: To turn on support for Lotus Notes links, change the Disable registry value to 0.
Synchronizing folders on the BlackBerry device
Control which published public contact folders a user can synchronize to a
BlackBerry device
By default, a user can synchronize contacts from all of the published public contact folders on the messaging server
with the contact lists on a BlackBerry® device. To help manage network resources, you can select the published public
contact folders that a user can synchronize.
1.
2.
3.
4.
5.
6.
7.
8.
9.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
In the search results, click the display name for the user account.
Click Edit user.
In the Messaging configuration section, click Device configuration.
On the Email tab, in the Published public contact folders section, select the check box beside each public address
book that you that you want to permit the user to synchronize with the contact lists on the BlackBerry device.
Click Continue to user information edit.
Click Save all.
Control which personal contact subfolders a user can synchronize to a
BlackBerry device
By default, a user can synchronize all of the personal contact subfolders on the messaging server with the contact
lists on the BlackBerry® device. To help manage network resources, you can select the personal contact subfolders
that a user can synchronize.
1.
2.
3.
4.
5.
6.
244
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
Click the display name for the user account.
In the Messaging Configuration section, click Device configuration.
Click Edit User.
Administration Guide
7.
8.
9.
Synchronizing folders on the BlackBerry device
On the Email tab, in the Private contact folders section, select the private contact subfolders that you want to
permit the user to synchronize with the contact lists on the BlackBerry device.
Click Continue to user information edit.
Click Save all.
Control which personal mail folders a user can synchronize with a
BlackBerry device
To help manage network resources, you can select the personal mail folders that a user can synchronize with a
BlackBerry® device.
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for the user account.
In the search results, click the display name for a user account.
In the Messaging Configuration section, click Device configuration name.
Click Edit User.
On the Email tab, in the Redirection Folders section, click Selected Folders.
Select the folders that you want to permit the user to synchronize with the contact lists on the BlackBerry device.
Click Continue to user information edit.
Click Save all.
After you finish: To permit the user to select which folders that the user can synchronize, instruct the user to select
folders using the BlackBerry® Desktop Manager or BlackBerry® Web Desktop Manager.
Specify public contact databases that users can access from their
BlackBerry devices
1.
5.
6.
7.
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
Click Email.
Click Edit component.
In the Published contact servers section, in the User synchronized public contact servers maximum field, type
the maximum number of public contact databases that users can access from their BlackBerry devices.
The default value is 20.
In the Contact server name field, type the name of a contact server.
In the Database name field, type the name of a public contact database.
Click the Add icon.
8.
9.
Repeat steps 5 to 7 for each public contact database that you want to add.
Click Save all.
2.
3.
4.
245
Administration Guide
Configuring access to documents on remote file systems
After you finish: To permit BlackBerry device users to access the public contact databases that you specified, use
the BlackBerry Administration Service to control which public contact databases users can access, or instruct users
to use the BlackBerry® Desktop Manager or BlackBerry® Web Desktop Manager to select the available public contact
databases.
Control which public contact databases a user can access from the
BlackBerry device
1.
2.
3.
4.
5.
6.
7.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
In the search results, click the name of a user account.
Click Edit user.
In the Messaging configuration section, click Default configuration.
On the Email tab, in the Available Contact Databases section, in the Available Contact Databases list, click the
public contact databases that you want the user to access from the BlackBerry device.
8. Click Add.
9. In the Current Contact Databases list, click the public contact databases that you do not want the user to access
from the BlackBerry device.
10. Click Remove.
11. Click Continue to user information edit.
12. Click Save all.
Configuring access to documents on remote file systems
By default, the BlackBerry® MDS Connection Service can search your organization's Windows® network for any
documents that users might want to access from the BlackBerry devices.
In BlackBerry® Enterprise Server Express version 5.0 SP1 or later and BlackBerry® Device Software version 5.0 or
later, if you want to permit users to access specific documents that are not located on the Windows network (for
example, documents that are located on a Linux® network) from BlackBerry devices, you can configure the BlackBerry
MDS Connection Service to search the remote file system where the documents are located and provide
authentication credentials to users or the BlackBerry MDS Connection Service. For remote file systems that require
authentication, you can provide the credentials to the BlackBerry MDS Connection Service so that users do not need
to provide the credentials when they access the documents.
To configure the BlackBerry MDS Connection Service to search the remote file system, you must define how the
BlackBerry MDS Connection Service communicates with the remote file system, add the communication information
to a BlackBerry MDS Connection Service configuration set, and assign the configuration set to one or more BlackBerry
MDS Connection Service instances.
246
Administration Guide
Configuring access to documents on remote file systems
Configure the BlackBerry MDS Connection Service to communicate with a
remote file system
To permit the BlackBerry® MDS Connection Service to communicate with a remote file system, you specify the URL
for the remote file system and the type of access (Linux® or Windows®) that the domain of the remote file system
supports. You can also provide credentials for the domain so that BlackBerry device users do not need to provide
the credentials when they access the documents.
Before you begin: If the file system requires the BlackBerry MDS Connection Service to authenticate to the remote
file system, create an account on the remote file system that the BlackBerry MDS Connection Service can use to
authenticate when the BlackBerry MDS Connection Service receives requests for documents.
1.
2.
3.
4.
5.
6.
7.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
Click MDS Connection Service.
Click Edit component.
On the File tab, in the Name field, type a name for the communication method that you want to configure.
In the Service URL field, type the UNC path to the remote file system using the following format: /
<computer_name> <fs_path>, where <computer_name> is the FQDN or IP address of a computer or the virtual
view of the shared folders (for example, the DFS Namespace in Windows Server®) and <fs_path> is the optional
directory path that can include a specific filename. When you type the UNC path, you can use an asterisk (*) to
represent a sequence of arbitrary characters (including blank spaces), a question mark (?) to represent a single
arbitrary character, and a backslash (\) to represent an escape character. You cannot type a URL that can search
all of the computers in a Windows domain.
If the file system requires the BlackBerry MDS Connection Service to authenticate with the remote file system,
perform the following actions:
• In the User name field, type the name of the account that you want the BlackBerry MDS Connection Service
to use to authenticate to the remote file system.
• In the Authentication domain field, type the domain for the user account.
• In the Password and Confirm Password fields, type the password for the user account.
• In the Network provider drop-down list, click the network provider that BlackBerry MDS Connection Service
should use to access the file system.
Click Save all.
Examples for step 5
To access a specific file on a computer, you can type /test.company.net/docs/presentation.ppt. To access the shared
folders on a specific computer, you can type /10.10.10.10. To access all of the content on the computers in a specific
domain, you can type *.test.company.net/*.
After you finish: Add communication information to a BlackBerry MDS Connection Service configuration set.
247
Administration Guide
Configuring access to documents on remote file systems
Add communication information to a BlackBerry MDS Connection Service
configuration set
A BlackBerry® MDS Connection Service configuration set is a set of service configurations that the BlackBerry MDS
Connection Service instances in your organization can use to communicate with a remote file system, an LDAP server,
a DSML server, a CRL server, an OCSP server, or a certification authority. You must add the communication information
that the BlackBerry MDS Connection Service requires to communicate with servers to a configuration set so that a
BlackBerry MDS Connection Service instance can communicate with the servers after you assign the configuration
set to the instance.
1.
2.
3.
4.
5.
6.
7.
8.
9.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
Click MDS Connection Service.
Click Edit component.
On the Configuration Sets tab, perform one of the following actions:
• To create a configuration set, in the Configuration set name section, type a name and description for the
configuration set.
• To change an existing configuration set, click the Edit icon.
In the Priority Service group drop-down list, click the name of the service that you want to configure the
communication method for.
In the Service (Name : Description) drop-down list, click the name of the communication method that you want
to configure.
Click the Add icon.
To specify the communication method that the BlackBerry MDS Connection Service should try to connect to the
server with first , click the Up and Down arrows. The BlackBerry MDS Connection Service resolves conflicts by
applying communication methods in the order that you specify. The order of that you specify for LDAP, DSML,
or file communication applies to each communication method separately. The order permits the BlackBerry
MDS Connection Service to resolve conflicts between domains if you created multiple communication methods
for a specific URL.
Perform one of the following actions:
• To add a new configuration set, click the Add icon.
• To update an existing configuration set, click the Update icon.
10. Click Save all.
After you finish:
• To confirm your changes, click the View icon.
• Assign the configuration set to a BlackBerry MDS Connection Service.
248
Administration Guide
Managing signatures and disclaimers in email messages
Assign a BlackBerry MDS Connection Service configuration set to a
BlackBerry MDS Connection Service instance
You can assign a BlackBerry® MDS Connection Service configuration set to a BlackBerry MDS Connection Service
instance so that BlackBerry device users can access documents on remote file systems from devices, the BlackBerry
MDS Connection Service can search for certificates and check for the status of the certificates from LDAP servers,
DSML servers, CRL servers, or OCSP servers, and the BlackBerry MDS Connection Service can send certificate requests
to a certificate authority.
1.
2.
3.
4.
5.
6.
7.
8.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
Click MDS Connection Service.
Click the instance that you want to change.
Click Edit instance.
On the Component Configuration Sets tab, in the Available component configuration sets section, in the Service
configuration sets drop-down list, click the configuration set that you want to assign to the BlackBerry MDS
Connection Service instance.
Click Save all.
To restart the BlackBerry MDS Connection Service instance, on the Instance information tab, in the Status list,
click Restart instance.
To assign the BlackBerry MDS Connection Service configuration set to another BlackBerry MDS Connection
Service instance, repeat steps 3 to 7.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Managing signatures and disclaimers in email messages
Add a signature to email messages that a user sends from a BlackBerry
device
To enforce a signature format policy in your organization, you can add a standard signature to the email messages
that users send from their BlackBerry® devices.
1.
2.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
3.
4.
5.
6.
Search for a user account.
In the search results, click the name of the user account.
Click Edit user.
In the Messaging configuration section, click Default configuration.
7.
On the Email tab, in the Mail options section, in the Auto signature field, type the signature that you want to
appear in the email messages that the user sends from the BlackBerry device.
249
Administration Guide
8.
9.
Managing signatures and disclaimers in email messages
Click Continue to user information edit.
Click Save all.
Add a disclaimer to email messages that users send from BlackBerry
devices
You can add a disclaimer to email messages that users send from their BlackBerry® devices. Users cannot change the
disclaimers that you define.
1.
2.
3.
4.
5.
6.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry solution
topology > BlackBerry Domain > Component view > Email.
Click the instance that you want to change.
Click Edit instance.
On the Messaging tab, in the Messaging options section, perform one of the following actions:
• To add a disclaimer before the body of the message, in the Prepended disclaimer text field, type the
disclaimer.
• To add a disclaimer after the user signature, in the Appended disclaimer text field, type the disclaimer.
Repeat steps 2 to 4 for each instance that you want to create a disclaimer for.
Click Save all.
Add a disclaimer to email messages that a user sends from a BlackBerry
device
You can add a disclaimer to all email messages that are sent by a user that is different from the disclaimer that you
added for all users on a BlackBerry® Enterprise Server Express. A user cannot change the disclaimer that you define.
1.
2.
3.
4.
5.
6.
7.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for the user account.
In the search results, click the name of the user account.
Click Edit user.
In the Messaging configuration section, click Default configuration.
On the Email tab, in the Mail options section, perform one of the following actions:
• To add a disclaimer before the body of the message, in the Prepended disclaimer text field, type the
disclaimer.
• To add a disclaimer after the user signature, in the Appended disclaimer text field, type the disclaimer.
8.
9.
Click Continue to user information edit.
Click Save all.
250
Administration Guide
Monitor email messages that users send from BlackBerry devices
Specify conflict rules for disclaimers
If you associate multiple disclaimers with a user account, you can specify conflict rules for the disclaimer to define
the order in which the BlackBerry® Enterprise Server Express applies the disclaimers. For example, you can configure
the BlackBerry Enterprise Server Express to display the user disclaimer first in the email message, followed by the
BlackBerry Enterprise Server Express disclaimer.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry solution
topology > BlackBerry Domain > Component view > Email.
Click the instance that you want to change.
Click Edit instance.
On the Messaging tab, in the Messaging options section, perform one of the following actions:
• To specify the conflict rules for disclaimers that appear before the body of a message, in the Messaging
options section, in the Prepended disclaimer conflict rule drop-down list, click a conflict rule.
• To specify the conflict rules for disclaimers that appear after the user signature, in the Messaging options
section, in the Appended disclaimer conflict rule drop-down list, click a conflict rule.
Click Save all.
Turn off disclaimers for email messages
1.
2.
3.
4.
5.
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry solution
topology > BlackBerry Domain > Component view > Email.
Click the instance that you want to change.
Click Edit instance.
On the Messaging tab, in the Messaging options section, perform any of the following actions:
• To turn off disclaimers that appear before the body of the message, in the Prepended disclaimer conflict rule
field, in the drop-down list, click Disable all disclaimer text.
• To turn off disclaimers that appear after the user signature, in the Appended disclaimer conflict rule field,
in the drop-down list, click Disable all disclaimer text.
Click Save all.
Monitor email messages that users send from BlackBerry
devices
To monitor the content of email messages that users send from their BlackBerry® devices, you can BCC specific email
addresses on the email messages. You can BCC the email addresses of all of the users that you assign to a BlackBerry
Messaging Agent. When you automatically BCC email addresses on messages, the BCC field of the original message
is populated, so the message sender is aware that the message is BCCed.
1.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Email.
251
Sending notification messages to users
Administration Guide
2.
3.
4.
5.
6.
7.
Click the instance that you want to change.
Click Edit instance.
On the Messaging tab, in the Auto BCC email address section, perform one of the following tasks:
Task
Add email addresses manually.
Steps
In the Auto BCC email address field, type the email
addresses.
Add email addresses from the address book.
a.
Click Select from mail address list.
b.
Search for one or more users.
c.
In the search results, select one or more user
accounts.
d.
Click Continue.
Click the Add icon.
Repeat steps 4 and 5 for each email address that you want to add.
Click Save all.
Sending notification messages to users
You can send a notification message to a user, to all of the users associated with a BlackBerry® Enterprise Server
Express, or to all of the users in the BlackBerry Domain. You can send notifications as email messages or PIN messages.
PIN messages are appropriate for informing users about messaging server outages because BlackBerry devices send
and receive PIN messages directly, without using the messaging server. BlackBerry devices do not apply filters to PIN
messages.
When users reply to a notification email message, their BlackBerry devices send the replies to the administration
email address.
Send a notification message to all users in a BlackBerry Domain
1.
2.
3.
4.
5.
252
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry solution
topology.
Click BlackBerry Domain.
On the Domain information tab, click Send message to users.
Type the message that you want to send.
Click Send message.
Administration Guide
Automated notification messages
Send a notification message to all users on a BlackBerry Enterprise Server
Express
1.
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > BlackBerry Enterprise Server.
2.
3.
4.
5.
Click an instance.
Under Manage BlackBerry Enterprise Server users, click Send message to users.
Type the message that you want to send.
Click Send message.
Send a notification message to group members
1.
2.
3.
4.
5.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Group.
Click Manage groups.
Click a group.
Click Send message to users in group.
Type the message that you want to send.
6.
Click Send message.
Send a notification message to a user
1.
2.
3.
4.
5.
6.
7.
In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
In the search results, click the name of a user account.
Click Send message to user.
Type the message that you want to send.
Click Send message.
Automated notification messages
If the BlackBerry® Enterprise Server Express cannot send email messages to BlackBerry devices, it sends a notification
PIN message to the BlackBerry devices automatically, informing users about an issue with wireless email delivery.
Change the subject for automated notification messages
You can change the subject for automated notification messages that users receive on their BlackBerry® devices. If
you do not create a subject, the BlackBerry® Enterprise Server Express uses the default subject.
1.
On the computer that hosts the BlackBerry Enterprise Server Express, on the Start menu, click Run.
253
Administration Guide
Automated notification messages
2.
3.
4.
Type regedit.
Click OK.
Perform one of the following actions:
• If you are running a 32-bit version of Windows®, navigate to HKEY_LOCAL_MACHINE\Software\Research In
Motion\BlackBerry Enterprise Server\Agents.
• If you are running a 64-bit version of Windows, navigate to HKEY_LOCAL_MACHINE\Software
\WOW6432Node\Research In Motion\BlackBerry Enterprise Server\Agents.
5.
6.
7.
8.
9.
Right-click Agents. Click New > String Value.
Type UserSuppliedBBMessageSubject.
Double-click the new value.
In the Value data field, type a subject that does not exceed the 256 KB limit.
Click OK.
After you finish: Restart the BlackBerry Messaging Agent.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Turn off automated notification messages
You can turn off automated notification messages if users receive them too frequently.
1.
2.
3.
4.
On the computer that hosts the BlackBerry® Enterprise Server Express, on the Start menu, click Run.
Type regedit.
Click OK.
Perform one of the following actions:
• If you are running a 32-bit version of Windows®, navigate to HKEY_LOCAL_MACHINE\Software\Research In
Motion\BlackBerry Enterprise Server\Agents.
• If you are running a 64-bit version of Windows, navigate to HKEY_LOCAL_MACHINE\Software
\WOW6432Node\Research In Motion\BlackBerry Enterprise Server\Agents.
5.
6.
7.
8.
9.
Right-click Agents. Click New > DWORD Value.
Type MaxSkippedNotificationsPerDay.
Double-click the new value.
In the Value data field, type 0.
Click OK.
After you finish: Restart the BlackBerry Messaging Agent.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
254
Administration Guide
How the BlackBerry Attachment Connector communicates with BlackBerry Attachment Service
instances
How the BlackBerry Attachment Connector communicates
with BlackBerry Attachment Service instances
When a user sends a request to view an email message attachment on a BlackBerry® device, the BlackBerry device
sends a request to the BlackBerry® Enterprise Server Express to convert the attachment. The BlackBerry Enterprise
Server Express uses a BlackBerry Attachment Connector to send the attachment data to a BlackBerry Attachment
Service, which processes the request and returns the attachment data to the BlackBerry Attachment Connector. The
BlackBerry Enterprise Server Express requests the attachment data from the BlackBerry Attachment Connector and
sends the attachment data to the user's BlackBerry device.
By associating multiple BlackBerry Attachment Service instances with a single BlackBerry Attachment Connector, you
can create a BlackBerry Attachment Service pool. You can configure different BlackBerry Attachment Service
instances as dedicated servers for processing specific file formats. For example, you can create a BlackBerry
Attachment Service pool that contains three BlackBerry Attachment Service instances, where one instance processes
email message attachments that are in audio file formats, one instance processes email message attachments that
are in image file formats, and one instance processes email message attachments that are in all other file formats.
You can change how a BlackBerry Attachment Connector processes attachment requests that it cannot deliver to a
BlackBerry Attachment Service, and you can change how a BlackBerry Attachment Connector restores a lost
connection to a BlackBerry Attachment Service.
Change how a BlackBerry Attachment Connector retries sending requests
to a BlackBerry Attachment Service
The BlackBerry® Attachment Connector sends requests to view attachments from users' BlackBerry devices to a
BlackBerry Attachment Service. You can change how a BlackBerry Attachment Connector processes attachment
requests that it cannot deliver to a BlackBerry Attachment Service.
Depending on the number of users in your organization's environment, if you change the BlackBerry Attachment
Connector settings, your organization's environment might experience a performance impact.
1.
2.
3.
4.
5.
6.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Attachment > Connector.
Click the instance that you want to change.
Click Edit instance.
In the General section, in the Minimum wait for retry per request field, type the amount of time, in milliseconds,
that the BlackBerry Attachment Connector waits before it resends a request that is not delivered to a BlackBerry
Attachment Service.
The default value is 1000 milliseconds.
In the Maximum retries per request field, type the maximum number of times that the BlackBerry Attachment
Connector tries to resend a request that is not delivered to a BlackBerry Attachment Service.
The default value is 10.
Click Save all.
255
Administration Guide
Attachment file formats that the BlackBerry Attachment Service supports
Change how a BlackBerry Attachment Connector restores a lost connection
to a BlackBerry Attachment Service
Based on the number of users in your organization's environment, if you change the BlackBerry® Attachment
Connector settings, your organization's environment might experience a performance impact.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Attachment > Connector.
Click the instance that you want to change.
Click Edit instance.
In the General section, in the Minimum wait to attempt restore of lost connection field, type the amount of
time, in milliseconds, that the BlackBerry Attachment Connector waits before it tries to restore a lost connection
to a BlackBerry Attachment Service.
The default value is 1000 milliseconds.
Click Save all.
Attachment file formats that the BlackBerry Attachment
Service supports
Format
Adobe® Acrobat®
ASCII text
audio
Corel® WordPerfect® 7-10
HTML
images
Microsoft® Excel® 97-2003, 2007, and XP
Microsoft® PowerPoint® 97-2003, 2007, and XP
Microsoft® Word 97-2003, 2007, and XP
OpenOffice Format version 1.1
RTF
ZIP archives
256
Extension
.pdf
.txt
.amr, .mp3, .wav, .wma
.wpd
.htm, .html
.bmp, .gif, .jpeg, .jpg, .png, .ppm, .tif
, .tiff, .wmf
.xls, .xlsx
.pps, .ppsx, .ppt, .pptx
.doc, .dot, .dotx, .docx
.odp, .ods, .odt, .ott
.rtf
.zip
Administration Guide
Attachment file formats that the BlackBerry Attachment Service supports
Limitations for supported attachment file formats
Format format and extension
audio
OpenOffice Format version 1.1
— .odp files
Limitations
If the computer that hosts the BlackBerry® Attachment Service uses
Windows Server® 2008, the BlackBerry Attachment Service does not
support .mp3 audio files on BlackBerry devices and the BlackBerry
Attachment Service does not support any audio file formats on BlackBerry®
7100 Series devices that support CDMA networks. The BlackBerry
Attachment Service must be located on a computer that uses Windows
Server 2003 if you want the BlackBerry Attachment Service to support .mp3
audio files on BlackBerry devices and all audio formats on BlackBerry 7100
Series devices that support CDMA networks.
The BlackBerry Attachment Service supports .odp files that users create
using IBM® Lotus® Symphony™ only.
The fonts that can be displayed in slides are dependent on the font types
that are available on the BlackBerry Attachment Service. If a specific font is
not available, the BlackBerry Attachment Service uses the most similar font
type that is available.
OpenOffice Format version 1.1
— .ods files
The BlackBerry Attachment Service does not support the following features
in .odp files:
• some text effects and style options
• line spacing: proportional, at least, leading
• text with position functionality
• animation
• transitions
• tables
• .svm images
• crop and clip image effects
• specific types of text object spacing
• table of contents
• portrait page orientation
• color gradient, hatching, and bitmap fill effects
• some shapes
• shape, image, and text rotation
• connector shape route that connects to shapes
The BlackBerry Attachment Service supports .ods files that users create
using IBM Lotus Symphony only.
257
Administration Guide
Format format and extension
Changing how a BlackBerry Attachment Service converts attachments
Limitations
Cell dimensions might change when they are displayed on BlackBerry
devices.
The BlackBerry Attachment Service does not support the following features
in .ods files:
• some text effects: specific underline styles, specific strikethrough
styles, emphasis, outline, shadow, embossed, engrayed
• text alignment
• charts
• style effects for cells: shadow, borders
• headers and footers
• drawing objects and Fontwork objects
Changing how a BlackBerry Attachment Service converts
attachments
If the BlackBerry® Enterprise Server Express receives requests from BlackBerry device users to view email message
attachments, the BlackBerry Attachment Service converts the attachments into a DOM and caches the DOM locally.
The BlackBerry Attachment Service accesses the DOM to process the requests. If users send requests to view the
same message attachment again, the BlackBerry Attachment Service accesses the same DOM to process the requests.
The BlackBerry Attachment Service keeps all of the cached data in memory only and never caches the original
documents.
Each attachment conversion process allocates memory when it starts, uses memory on conversion, and caches the
attachment DOM locally on the computer that hosts the BlackBerry Attachment Service. A larger cache size means
that more memory is allocated to each running conversion process. The maximum file size of attachments impacts
the amount of cached memory that the BlackBerry Attachment Service uses.
By default, the BlackBerry Attachment Service does not limit the file size of an attachment that is embedded in an
email message or retrieved using a link. The BlackBerry Enterprise Server Express sends data to BlackBerry devices
over the wireless network in packets that are no larger than 64 KB, and it can send an unlimited number of packets
to BlackBerry devices.
You can change how the BlackBerry Attachment Service converts attachments by specifying a maximum file size for
attachments that users can receive and controlling how the BlackBerry Attachment Service retrieves, distills, and
converts attachment data.
Change how a BlackBerry Attachment Service converts attachments
1.
2.
3.
258
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Attachment > Server.
Click the instance that you want to change.
Click Edit instance.
Changing how a BlackBerry Attachment Service converts attachments
Administration Guide
4.
5.
In the General section, configure the BlackBerry Attachment Service optimization settings.
Click Save.
BlackBerry Attachment Service optimization settings
Setting
Submit port
Result port
Configuration
port
Description
Range
This setting specifies the TCP/IP port number that a BlackBerry® Attachment —
Service uses to listen for and receive attachment conversion requests in a
predefined XML/binary protocol.
The default value is 1900.
This setting specifies the TCP/IP port number that a BlackBerry Attachment
Service returns attachment conversion results to in a predefined XML/
binary protocol.
The default value is 2000.
This setting specifies the TCP/IP port number that you can use with an XML
protocol to configure or obtain configuration information for a BlackBerry
Attachment Service, including version information, the number of
conversion processes, and the number of cached documents.
—
—
Document cache
size
The default value is 1999.
This setting specifies the maximum number of converted documents that
can be located in the document cache (as DOM) for a single conversion
process.
Maximum
number of
processes
The default value is 32.
This setting specifies the number of conversion requests that the BlackBerry 1 through 64
Attachment Service can process at the same time. When you specify this
value, consider the amount of available memory and the competing services
on the computer that hosts the BlackBerry Attachment Service.
Process recycle
time (minutes)
The default value is 4.
This setting specifies the length of time that an application conversion
process can reuse system resources to reclaim space and prevent failed
processes from occupying memory resources.
Maximum
conversion
threads
The default value is 25 minutes.
This setting specifies the number of documents that the BlackBerry
Attachment Service can convert at the same time in a single conversion
process. You can use this setting with the Server busy time setting to control
thread saturation and manage the BlackBerry Attachment Service
workload.
1 through 128
5 to 60 minutes
2 to 32
The default value is 4.
259
Changing how a BlackBerry Attachment Service converts attachments
Administration Guide
Setting
Description
Server busy time This setting specifies the threshold at which the BlackBerry Attachment
(seconds)
Service does not accept new conversion requests.
Allow remote
services
Maximum
archive (ZIP)
level
The default value is 120 seconds.
This setting specifies whether you prevent or permit remote TCP/IP
connections to the BlackBerry Attachment Service.
The default value is Yes.
This setting specifies how many levels of zipped files that the BlackBerry
Attachment Service can process. For example, if you set this field to 2, the
BlackBerry Attachment Service processes the .zip files within a .zip file. If
you set this field to 1, the BlackBerry Attachment Service only lists the
contents of a .zip file.
Range
60 to 270
seconds
—
1 to 9
The default value is 1.
Change the maximum file size for attachments that users can receive
The BlackBerry® Attachment Service uses memory during the attachment conversion process. If users try to open
large or complex attachments (for example, .pdf files or ASCII text files that are larger than 2 MB) or multiple
attachments at the same time, you might want to limit the file size for attachments.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Attachment > Server.
Click the instance that you want to change.
Click Edit instance.
In the Distiller section, in the Attachment size (KB) column, type a value, in KB, for the distillers that you want
to change. If necessary, configure the settings in the Additional data column.
Click Save.
After you finish: Restart the BlackBerry Attachment Service.
Suggested file sizes for attachments
File format
Adobe® Acrobat® versions 1.1, 1.2, 1.3, and 1.4
ASCII text
audio
Corel® WordPerfect® versions 6.0, 7.0, 8.0, 9.0 (2000), and 10.0
HTML
images
Microsoft® Excel® versions 97, 2000, 2003, 2007, and XP
Microsoft® PowerPoint® versions 97, 2000, 2003, 2007, and XP
260
Suggested size
less than 2000 KB
less than 100 KB
less than 2000 KB
less than 2000 KB
less than 100 KB
less than 2000 KB
less than 2000 KB
less than 2000 KB
Administration Guide
Turn off support for an attachment file format for a BlackBerry Attachment Service
File format
Microsoft® Word versions 97, 2000, 2003, 2007, and XP
MP3
OpenOffice Format version 1.1 - ODP, ODS, ODT
RTF
ZIP archives
Suggested size
less than 2000 KB
less than 2000 KB
less than 2000 KB
less than 2000 KB
less than 2000 KB
Turn off support for an attachment file format for a
BlackBerry Attachment Service
The BlackBerry® Attachment Service uses distillers to convert attachments that are in supported file formats so that
users can view the attachments on their BlackBerry devices. By default, all supported distillers are turned on. You
can turn off a distiller to prevent users from viewing attachments that are in a specific file format. For example, if
you turn off the .pdf distiller, users cannot view .pdf attachments on their BlackBerry devices.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Attachment > Server.
Click the instance that you want to change.
Click Edit instance.
In the Distiller section, in the Allowed column, specify which distillers are supported for the instance.
Click Save all.
After you finish: Restart the BlackBerry Attachment Service.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Add support for an additional attachment file format to a
BlackBerry Attachment Service
You can configure a BlackBerry® Attachment Service to support additional file formats. If your organization's
messaging server connects to a document management system that renames file format extensions, you must add
the necessary extensions to the list of supported file formats for all BlackBerry Attachment Service instances.
If your organization uses new common extensions for a file format that there is a distiller available for on a BlackBerry
Attachment Service, you must add those extensions to the BlackBerry Attachment Connector. For example, if users
send .rtf files as .wav files, you must verify that the BlackBerry Attachment Connector supports .wav files and that
the appropriate distiller is turned on for the BlackBerry Attachment Service instances.
1.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Attachment > Connector.
2.
Click the BlackBerry Attachment Connector instance that is associated with the BlackBerry Attachment Service
that you want to change.
261
Administration Guide
3.
4.
5.
6.
7.
8.
Changing how the BlackBerry Messaging Agent reconciles attachments to the messaging server
Click Edit instance.
On the Supported Attachment Server instances tab, click the Edit icon for the BlackBerry Attachment Service
that you want to support additional file formats.
In the field at the bottom of the Extensions list, type the extension of the file format that you want to add.
Click the Add icon.
Repeat steps 4 to 6 for each BlackBerry Attachment Service that you want to add additional file formats to.
Click Save all.
Changing how the BlackBerry Messaging Agent reconciles
attachments to the messaging server
The BlackBerry® Messaging Agent receives message attachments from supported BlackBerry devices and reconciles
the attachments to the messaging server. The BlackBerry Attachment Service does not convert the attachments.
The entries in the CMIME service book on BlackBerry devices indicate whether the BlackBerry® Enterprise Server
Express supports attachments that users send from their BlackBerry devices. Users must have BlackBerry® Desktop
Software version 4.2 or later installed on their computers to make sure that these service book entries remain on
their BlackBerry devices during service book updates over a physical connection to a computer that is running the
BlackBerry Desktop Software.
By default, the BlackBerry Messaging Agent limits the file size of attachments that it can receive from a BlackBerry
device to a maximum of 3 MB. If the BlackBerry Messaging Agent receives more than one attachment at a time, it
limits the total file size of all of the attachments to a maximum of 5 MB.
Data that a BlackBerry device and the messaging server send each other over the wireless network must be in packets
that are no larger than 64 KB. If a BlackBerry device sends an attachment that is larger than a single packet, the
BlackBerry device divides the attachment into multiple packets. The BlackBerry Messaging Agent caches all of the
packets and sends the attachment to the messaging server after it receives the last packet.
You can optimize the amount of memory, amount of hard disk space, and number of transactions that the BlackBerry
Messaging Agent uses while it receives attachments by changing the maximum file size for attachments or preventing
users from sending large attachments.
Users with BlackBerry devices that are running BlackBerry® Device Software version 4.5 or later can download
attachments in any native format to their BlackBerry devices. Users can open and make changes to native file formats
using an appropriate third-party application on their BlackBerry devices. Users might be able to open specific file
formats using the media application on their BlackBerry devices.
To manage network resources in your organization's environment, you can change the maximum file size of
attachments that users can download to their BlackBerry devices.
262
Administration Guide
Changing how the BlackBerry Messaging Agent reconciles attachments to the messaging server
Change the maximum file size for attachments that users can send
By default, the maximum file size of a single attachment that users can send is 3072 KB, and the maximum file size
of multiple attachments that BlackBerry® devices can send in a single email message is 5120 KB.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Email.
Click the instance that you want to change.
Click Edit instance.
On the Messaging tab, in the Messaging options section, perform any of the following actions:
• To change the maximum file size for a single attachment that BlackBerry devices can send, in the Maximum
single attachment upload size (KB) field, type a number that is between 1 and 3072 KB.
• To change the maximum file size of multiple attachments that BlackBerry devices can send at one time, in
the Maximum multiple attachment upload size (KB) field, type a number that is between 1 and 5120 KB that
is greater than the value in the Maximum single attachment upload size (KB) field.
Click Save all.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Prevent users from sending large attachments
If you prevent users from sending large attachments, they can only send specific attachments, such as certificates
and contact list entries, that are less than a single packet.
1.
2.
3.
4.
5.
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Email.
Click the instance that you want to change.
Click Edit instance.
On the Messaging tab, in the Messaging options section, in the Maximum single attachment upload size (KB)
field, type 0.
Click Save all.
Change the maximum file size of attachments that users can download
On BlackBerry® devices that are running specific versions of the BlackBerry® Device Software, users can download
attachments in native formats (for example, .txt for a text file) to their BlackBerry devices. Users can open and make
changes to the files that they download using an appropriate third-party application on their BlackBerry devices. A
user might be able to open specific file formats using the media application on the BlackBerry device.
The default maximum file size of attachments that users can download to their BlackBerry devices is 3072 KB (3 MB).
1.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Email.
263
Administration Guide
2.
3.
4.
5.
264
Changing how the BlackBerry Messaging Agent reconciles attachments to the messaging server
Click the instance that you want to change.
Click Edit instance.
On the Messaging tab, in the Messaging options section, in the Maximum single attachment download size (KB)
field, type a number, in KB, that is between 0 and 10240 (10 MB). If you type 0, users cannot download
attachments in a native format to their BlackBerry devices.
Click Save all.
Managing calendars
Administration Guide
Managing calendars
26
Correcting calendar synchronization errors on devices
If you run corrective calendar synchronization on a BlackBerry® Enterprise Server Express instance, you can find and
correct differences between the calendar entries on BlackBerry devices and the calendar entries on users' computers.
You can specify a recurring day and time when the process can run and specific days when the process should check
for calendar synchronization errors.
You configure corrective calendar synchronization using the BlackBerry Enterprise Trait Tool, which is located in the
Tools folder of the BlackBerry Enterprise Server Express installation files.
If corrective calendar synchronization finds differences between the calendar entries on a device and the calendar
entries on a computer, the process writes information about the differences to the BlackBerry Messaging Agent log
file and, optionally, automatically corrects the calendar synchronization errors that it finds.
It is a best practice to schedule corrective calendar synchronization to occur during low-use periods. For example,
you can schedule the process to begin in the early evening, before devices are scheduled to turn off automatically.
Configuration levels using the BlackBerry Enterprise Trait Tool
You can use the BlackBerry® Enterprise Trait Tool to specify whether corrective calendar synchronization checks
calendar entries for a specific user, users on a specific BlackBerry® Enterprise Server Express, or all users. The tool
uses a hierarchy to determine what calendar entries to check. Settings at the user level override settings at the server
level, settings at the server level override settings at the global level, and settings at the global level override the
default settings.
Level
-global
-server <server_name>
-user <smtp_address>
Description
The setting that you specify applies to all users.
The setting that you specify applies to all users on a specific BlackBerry Enterprise
Server Express.
The setting that you specify applies to a specific user.
Turn on corrective calendar synchronization
By default, corrective calendar synchronization is turned off. You can turn on corrective calendar synchronization to
find differences between calendar entries on BlackBerry® devices and calendar entries on users' computers.
1.
2.
3.
4.
Copy the BlackBerry® Enterprise Server Express installation files to a computer that hosts a BlackBerry Enterprise
Server Express instance.
Extract the contents to a folder on the computer.
At the command prompt, navigate to the folder that contains the TraitTool.exe file.
Perform one of the following actions:
265
Administration Guide
Correcting calendar synchronization errors on devices
• To turn on corrective calendar synchronization for a specific user account, type traittool -user
<smtp_address> -trait DominoSmartSyncEnable -set true.
• To turn on corrective calendar synchronization for all user accounts that are associated with a BlackBerry
Enterprise Server Express, type traittool -server <server_name> -trait DominoSmartSyncEnable -set true.
• To turn on corrective calendar synchronization for all user accounts, type traittool -global -trait
DominoSmartSyncEnable -set true.
5.
Press ENTER.
Example: Turning on the process for all users
traittool -global -trait DominoSmartSyncEnable -set true
Example: Turning on the process for a specific user
traittool -user [email protected] -trait DominoSmartSyncEnable -set true
After you finish: To turn off corrective calendar synchronization, type traittool -<level> -trait
DominoSmartSyncEnable -set false, where <level> is the SMTP address of a specific user account, the server name
of a specific BlackBerry Enterprise Server Express for all user accounts that are associated with the specific BlackBerry
Enterprise Server Express, or global for all user accounts.
View the current settings for corrective calendar synchronization
1.
Copy the BlackBerry® Enterprise Server Express installation files to a computer that hosts a BlackBerry Enterprise
Server Express instance.
Extract the contents to a folder on the computer.
At the command prompt, navigate to the folder that the TraitTool.exe file is located in.
Perform one of the following actions:
• To view the calendar synchronization settings for a specific user account, type traittool -user <smtp_address>
-list.
• To view the calendar synchronization settings for all user accounts that are associated with a BlackBerry
Enterprise Server Express, type traittool -server <server_name> -list.
• To view the calendar synchronization settings for all user accounts, type traittool -global -list.
2.
3.
4.
5.
Press ENTER.
Example: Viewing the global calendar synchronization settings
traittool -global -list
266
Administration Guide
Correcting calendar synchronization errors on devices
Permit corrective calendar synchronization to correct errors automatically
You can specify whether corrective calendar synchronization adds calendar synchronization errors to the BlackBerry®
Messaging Agent log file or adds and corrects calendar synchronization errors. By default, the process adds calendar
synchronization errors to the BlackBerry Messaging Agent log file without correcting the errors.
1.
2.
3.
4.
5.
Copy the BlackBerry® Enterprise Server Express installation files to a computer that hosts a BlackBerry Enterprise
Server Express instance.
Extract the contents to a folder on the computer.
At the command prompt, navigate to the folder that the TraitTool.exe file is located in.
Perform one of the following actions:
• To turn on automatic correction of calendar synchronization errors for a specific user account, type traittool
-user <smtp_address> -trait DominoSmartSyncSendUpdate -set True.
• To turn on automatic correction of calendar synchronization errors for all user accounts that are associated
with a BlackBerry Enterprise Server Express, type traittool -server <server_name> -trait
DominoSmartSyncSendUpdate -set true.
• To turn on automatic correction of calendar synchronization errors for all user accounts, type traittool -global
-trait DominoSmartSyncSendUpdate -set true.
Press ENTER.
Example: Configuring the process to correct calendar synchronization errors for a specific user
traittool -user [email protected]ackberry.com -trait DominoSmartSyncSendUpdate -set true
After you finish: To turn off calendar synchronization error correction, type traittool -<level> -trait
DominoSmartSyncSendUpdate -set false, where <level> is the SMTP address of a specific user account, the server
name of a specific BlackBerry Enterprise Server Express for all user accounts that are associated with the specific
BlackBerry Enterprise Server Express, or global for all user accounts.
Configure the range of days to check for calendar synchronization errors
You can configure corrective calendar synchronization to check for calendar synchronization errors during a specific
range of days in the calendar after the current date.
1.
2.
3.
4.
Copy the BlackBerry® Enterprise Server Express installation files to a computer that hosts a BlackBerry Enterprise
Server Express instance.
Extract the contents to a folder on the computer.
At the command prompt, navigate to the folder that the TraitTool.exe file is located in.
Perform one of the following actions:
• To check for calendar synchronization errors during a specific range of days in the calendar for a user account,
type traittool -user <smtp_address> -trait DominoSmartSyncDays -set <value>, where <value> is a number
from 1 to 365.
267
Administration Guide
Correcting calendar synchronization errors on devices
• To check for calendar synchronization errors during a specific range of days in the calendar for all user accounts
that are associated with a BlackBerry Enterprise Server Express, type traittool -server <server_name> -trait
DominoSmartSyncDays -set <value>, where <value> is a number from 1 to 365.
• To check for calendar synchronization errors during a specific range of days in the calendar for all user
accounts, type traittool –global -trait DominoSmartSyncDays -set <value>, where <value> is a number from
1 to 365.
5.
Press ENTER.
Example: To configure corrective calendar synchronization to check calendar entries for the period of three days
from the current date for all users, type:
traittool -global -trait DominoSmartSyncDays -set 3
Configure when corrective calendar synchronization runs
You can configure corrective calendar synchronization to start running at a specific hour, on recurring days, or on
only one recurring day. To specify more than one value for when corrective calendar synchronization runs, after you
extract the BlackBerry® Enterprise Server Express installation files to the computer, you can create a list of values
that are separated by commas (,) at the command prompt.
1.
2.
3.
4.
Copy the BlackBerry Enterprise Server Express installation files to a computer that hosts a BlackBerry Enterprise
Server Express instance.
Extract the contents to a folder on the computer.
At the command prompt, navigate to the folder that the TraitTool.exe file is located in.
Perform one of the following actions:
• To configure calendar synchronization to occur at a specific hour for a specific user account, type traittool user <smtp_address> -trait DominoSmartSyncTriggerHour -set <value>, where <value> is a number from 0
to 23, 0 is 12:00 AM, and 23 is 11:00 PM. The default value is 0, which is 12:00 AM.
• To configure calendar synchronization to occur at a specific hour for all user accounts that are associated
with a BlackBerry Enterprise Server Express, type traittool -server <server_name> -trait
DominoSmartSyncTriggerHour -set <value>, where <value> is a number from 0 to 23, 0 is 12:00 AM, and 23
is 11:00 PM. The default value is 0 0, which is 12:00 AM.
• To configure calendar synchronization to occur at a specific hour for all user accounts, type traittool -global
-trait DominoSmartSyncTriggerHour -set <value>, where <value> is a number from 0 to 23, 0 is 12:00 AM,
and 23 is 11:00 PM. The default value is 0, which is 12:00 AM.
5.
Press ENTER.
6.
Perform one of the following actions:
• To configure calendar synchronization to recur on specific days for all user accounts, type traittool -global trait DominoSmartSyncSchedule -set <value>, where <value> is one or more of the following options:
Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday, Weekdays, Weekends, or Daily. The
default value is Daily.
268
Administration Guide
Correcting calendar synchronization errors on devices
• To configure calendar synchronization to recur on specific days for all user accounts that are associated with
a BlackBerry Enterprise Server Express, type traittool -server <server_name> -trait
DominoSmartSyncSchedule -set <value>, where <value> is one or more of the following options: Monday,
Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday, Weekdays, Weekends, or Daily. The default value
is Daily.
• To configure calendar synchronization to recur on specific days for a user account, type traittool -user
<smtp_address> -trait DominoSmartSyncSchedule -set <value>, where <value> is one or more of the
following options: Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday, Weekdays, Weekends,
or Daily. The default value is Daily.
7.
Press ENTER.
Example: Configuring corrective calendar synchronization to run at 10:00 PM for all users on the BlackBerry
Enterprise Server Express that is named SERVER01
traittool -server SERVER01 -trait DominoSmartSyncTriggerHour -set 22
Example: Corrective calendar synchronization that runs at 11:00 PM for all users on the BlackBerry Enterprise
Server Express that is named SERVER02
traittool -server SERVER02 -trait DominoSmartSyncTriggerHour -set 23
Example: Corrective calendar synchronization that runs on weekdays for all users
traittool -global -trait DominoSmartSyncSchedule -set Weekdays
Example: Corrective calendar synchronization that runs on Monday, Wednesday, and Friday for a specific user
traittool -user [email protected] -trait DominoSmartSyncSchedule -set
Monday,Wednesday,Friday
Configure throttling for corrective calendar synchronization
You can throttle corrective calendar synchronization by specifying a period of time, in minutes, that calendar
synchronization sessions are randomly distributed in. The time period starts at the time that you specify for the
DominoSmartSyncTriggerHour trait.
1.
2.
3.
4.
Copy the BlackBerry® Enterprise Server Express installation files to a computer that hosts a BlackBerry Enterprise
Server Express instance.
Extract the contents to a folder on the computer.
At the command prompt, navigate to the folder that the TraitTool.exe file is located in.
Perform one of the following actions:
• To configure the time period that corrective calendar synchronization sessions are randomly distributed in
for a specific user account, type traittool -user <smtp_address> -trait DominoSmartSyncStartWindow -set
<value>, where <value> is a number, in minutes, from 20 to 1440. The default value is 60.
269
Administration Guide
Correcting calendar synchronization errors on devices
• To configure the time period that corrective calendar synchronization sessions are randomly distributed in
for all user accounts that are associated with a BlackBerry Enterprise Server Express, type traittool -server
<server_name> -trait DominoSmartSyncStartWindow -set <value>, where <value> is a number, in minutes,
from 20 to 1440. The default value is 60.
• To configure the time period that corrective calendar synchronization sessions are randomly distributed in
for all user accounts, type traittool -global -trait DominoSmartSyncStartWindow -set <value>, where
<value> is a number, in minutes, from 20 to 1440. The default value is 60.
5.
Press ENTER.
Example: Configuring corrective calendar synchronization to distribute calendar synchronization sessions
randomly for all user accounts on a BlackBerry Enterprise Server Express in a two-hour time period
traittool -server SERVER01 -trait DominoSmartSyncStartWindow -set 120
Example: Configuring corrective calendar synchronization to distribute calendar synchronization sessions
randomly for all user accounts in a 12-hour time period
traittool -global -trait DominoSmartSyncStartWindow -set 720
Logging information for corrective calendar synchronization
Corrective calendar synchronization writes the following information to the BlackBerry® Messaging Agent log file:
Item
DIF
MOD
MON
SAM
SmartSyncFireOff
Description
specifies that a calendar item is different on the BlackBerry device than it
is in the email application
specifies that a calendar item is missing on the device
specifies that a calendar item is missing in the email application
specifies that a calendar item is the same on the device and in the email
application
specifies that the calendar synchronization process was initiated using the
BlackBerry® Enterprise Trait Tool instead of the standard calendar
synchronization process
Delete a setting for corrective calendar synchronization
If you delete a setting for corrective calendar synchronization, the calendar synchronization process uses the setting
that you specified at the next highest level of the hierarchy. For example, if you delete a setting at the user level, the
process uses the setting that is specified at the server level because the server level is the next highest level. If you
do not specify any values, the default value is used.
1.
2.
270
Copy the BlackBerry® Enterprise Server Express installation files to a computer that hosts a BlackBerry Enterprise
Server Express instance.
Extract the contents to a folder on the computer.
Administration Guide
Start corrective calendar synchronization manually for a user account
3.
4.
At the command prompt, navigate to the folder that the TraitTool.exe file is located in.
Perform one of the following actions:
• To delete a setting for a specific user account, type traittool -user <smtp_address> -trait <name> -erase,
where <name> is the setting you want to delete.
• To delete a setting for all user accounts that are associated with a BlackBerry Enterprise Server Express, type
traittool -server <server_name> -trait <name> -erase, where <name> is the setting you want to delete.
• To delete a setting for all user accounts, type traittool –global -trait <name> -erase, where <name> is the
setting you want to delete.
5.
Press ENTER.
Example: To delete the setting for the hour that corrective calendar synchronization begins on the BlackBerry
Enterprise Server Express that is named SERVER01, type:
traittool -server SERVER01 -trait DominoSmartSyncTriggerHour -erase
Start corrective calendar synchronization manually for a
user account
By default, the BlackBerry® Enterprise Server Express synchronizes the calendar on each BlackBerry device user's
computer with the calendar on each user's BlackBerry device at a regular interval. You can use the BlackBerry
Administration Service to start corrective calendar synchronization manually for a user account.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
Click Manage users.
Search for a user account.
In the search results, click the PIN for the user account.
In the Communications list, click Synchronize calendar.
271
Managing a BlackBerry Domain
Administration Guide
Managing a BlackBerry Domain
27
Restarting BlackBerry Enterprise Server Express
components
When you complete certain tasks, you need to restart one or more BlackBerry® Enterprise Server Express
components. You restart the BlackBerry Enterprise Server Express components using the BlackBerry Administration
Service or Windows® services.
BlackBerry Enterprise Server
Express component
BlackBerry Messaging Agent,
BlackBerry Controller, and
BlackBerry Dispatcher
BlackBerry Synchronization
Service
BlackBerry Attachment Service
BlackBerry MDS Connection
Service
BlackBerry Router
BlackBerry Policy Service
BlackBerry Administration
Service
Component name in the
Associated service in Windows Services
BlackBerry Administration Service
BlackBerry Enterprise Server
BlackBerry Controller and BlackBerry
Express
Dispatcher
BlackBerry Web Desktop
Manager
BlackBerry Administration Service
Synchronization
BlackBerry Synchronization Service
Attachment Service
MDS Connection Service
BlackBerry Attachment Service
BlackBerry MDS Connection Service
–
Policy
BlackBerry Administration Service
BlackBerry Router
BlackBerry Policy Service
• BlackBerry Administration Service Application Server
• BlackBerry Administration Service Native Code Container
• BlackBerry Administration Service Application Server
• BlackBerry Administration Service Native Code Container
Restart a BlackBerry Enterprise Server Express component using the
BlackBerry Administration Service
1.
2.
3.
4.
272
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
Expand the component that you want to restart.
Click an instance.
Click Restart instance.
Administration Guide
Using the BlackBerry Enterprise Trait Tool
Restart a BlackBerry Enterprise Server Express component using Windows
Services
1.
On each computer that hosts the BlackBerry® Enterprise Server Express component, in the Windows® Services,
restart the services for the component.
2.
If you want to restart all of the BlackBerry Enterprise Server Express components, you must restart the Windows
Services in the following order:
• BlackBerry Administration Service - Application Server
• BlackBerry Administration Service - Native Code Container
• BlackBerry Mail Store Service
• BlackBerry MDS Connection Service
• BlackBerry Dispatcher
• BlackBerry Attachment Service
• BlackBerry Controller
• All of the remaining services for BlackBerry Enterprise Server Express components
Best practice: Restarting more than one BlackBerry Administration Service
instance
To restart all BlackBerry® Administration Service instances without issues, the best practice is to stop all instances
before you begin restarting the instances.
If you must keep at least one BlackBerry Administration Service instance running while you restart all instances, you
should restart the instances one at a time and verify that each instance that you restart is running before you restart
the next instance.
Using the BlackBerry Enterprise Trait Tool
The BlackBerry® Enterprise Trait Tool is a stand-alone command line tool that you can use to configure specific
BlackBerry® Enterprise Server Express traits. You can configure most BlackBerry Enterprise Server Express settings
using the BlackBerry Administration Service, but you must use the BlackBerry Enterprise Trait Tool to configure
specific settings that are not available in the BlackBerry Administration Service.
The BlackBerry Enterprise Trait Tool file is located in the installation files for the BlackBerry Enterprise Server Express
and is named TraitTool.exe. You must launch the TraitTool.exe file using a Windows® command prompt.
Use the BlackBerry Enterprise Trait Tool
1.
2.
3.
Copy the BlackBerry® Enterprise Server Express installation files to a computer that hosts a BlackBerry Enterprise
Server Express instance.
Extract the contents to a folder on the computer.
At the command prompt, navigate to <extracted_folder>\tools.
273
BlackBerry Enterprise Trait Tool traits
Administration Guide
4.
Perform one of the following actions:
Task
Steps
Display the current version of the trait tool and a
summary of valid commands.
Type traittool.
Display all possible traits, the expected data types, and Type traittool -show.
any value restrictions.
Display a list of traits that were configured in the
BlackBerry® Domain.
Type traittool {*} -list.
Configure the value of a trait in the BlackBerry Domain Type traittool {*} -trait <trait name> -set <value>.
specified.
Erase the value of a trait.
Type traittool {*} -trait <trait name> -erase.
Replace the braces and asterisk {*} with one or more of the following command line options:
•
•
•
•
•
•
5.
6.
-global to specify all BlackBerry Enterprise Server Express instances in the BlackBerry Domain
-agent <agent id> to specify the ID for the BlackBerry Messaging Agent
-group <groups_name> to specify a group of BlackBerry device users
-user <smtp_address> to specify one user
-server <server_name> to specify a BlackBerry Enterprise Server Express instance
-basserver <name> to specify the computer that hosts the BlackBerry Administration Service
Press ENTER.
Restart the BlackBerry Enterprise Server Express component that is associated with the trait that you configured.
BlackBerry Enterprise Trait Tool traits
The BlackBerry® Enterprise Trait Tool includes the following traits that you can change to meet the requirements of
your organization's environment:
Trait
ACPByteSizeDeviceVersion
274
Description
This trait specifies the minimum version of the BlackBerry® Device
Software that can receive 8 bytes of ACP data. The typical amount
of ACP data that BlackBerry devices can receive is 4 bytes. The
BlackBerry® Enterprise Server Express check-s the value of this
trait to find out how many bytes of ACP data to send to devices.
If the version of the BlackBerry Device Software that the device
is running is earlier than the version that this trait specifies, the
BlackBerry Enterprise Server Express sends the device 4 bytes of
ACP data instead of 8 bytes.
Administration Guide
Trait
ActiveDirectoryLDAPConnectTimeout
BASIsProxyWPADOptionEnabled
BlackBerry Enterprise Trait Tool traits
Description
If you do not configure this trait, the BlackBerry Enterprise Server
Express sends 8 bytes of ACP data to the device.
This trait specifies the number of seconds that the BlackBerry
Administration Service waits for the BlackBerry Administration
Service and the Microsoft® Active Directory® to connect over
LDAP before the connection times out.
The default value is 5.
This trait specifies whether the BlackBerry Administration Service
uses the Web Proxy Autodiscovery protocol to discover proxy
servers automatically. If you want to enable the Web Proxy
Autodiscovery protocol, change the value to 1. If you want to
disable the Web Proxy Autodiscovery protocol, change the value
to 0.
If you do not change the value to 1, the Web Proxy Autodiscovery
protocol is not enabled.
BASNumberOfAdditionalWiredApplicationsTo
IncludeInACP
BASPASBundleRequestVersionSupport
BASProxyBasicAuthPassword and
BASProxyBasicAuthUID
DocumentThrottleMaxDocOpen
For more information, see Configure the BlackBerry
Administration Service to use Web Proxy Autodiscovery Protocol
to discover a proxy server .
This trait specifies the number of additional wired applications to
include in the application control policy when reconciling
applications.
This trait specifies the version of the BundleRequest.xml file that
the BlackBerry® Infrastructure supports.
The default version is 1.0.
If the BlackBerry Administration Service uses HTTP basic
authentication to authenticate with a proxy server, these traits
specify the password and user name that the BlackBerry
Administration Service can use. You can specify the password and
user name for a BlackBerry Administration Service instance, or
for all the BlackBerry Administration Service instances in the
BlackBerry Domain. If you do not configure these traits, you
cannot use HTTP basic authentication for proxy authentication.
For more information, see Configure the BlackBerry
Administration Service to use HTTP basic authentication .
This trait specifies the maximum number of documents that have
the same Universal Note ID that the BlackBerry Messaging Agent
can open.
275
BlackBerry Enterprise Trait Tool traits
Administration Guide
Trait
DominoDisableConfirmEmailDelivery
DominoSmartSyncDays
Description
If you do not configure this trait, there is no limit to the number
of documents that have the same Universal Note ID that the
BlackBerry Messaging Agent can open.
This trait specifies whether a BlackBerry device user can append
the word "confirm" to the subject of an email message to receive
an automatic confirmation that the email message was delivered
to the intended recipient. If you want to permit the BlackBerry
Messaging Agent to send confirmations automatically when the
BlackBerry Messaging Agent delivers email messages, change the
value to false (0). If you want to prevent the BlackBerry Messaging
Agent from sending confirmations automatically when the
BlackBerry Messaging Agent delivers email messages, change the
value to true (1).
The default value is false (0), the BlackBerry Messaging Agent
sends confirmations automatically when the BlackBerry
Messaging Agent delivers email messages.
This trait specifies how many days in the calendar, after the
current date, that the BlackBerry Enterprise Server Express
checks for calendar errors on devices. You can configure the
BlackBerry Enterprise Server Express to check for calendar errors
for a user account, all user accounts that you associate with a
specific BlackBerry Enterprise Server Express, or all user accounts.
The default value is 1.
DominoSmartSyncEnable
For more information, see Configure the range of days to check
for calendar synchronization errors.
This trait specifies whether the BlackBerry Enterprise Server
Express checks for calendar errors on devices. You can configure
the BlackBerry Enterprise Server Express to check for calendar
errors for a specific user account, all user accounts that you
associate with a BlackBerry Enterprise Server Express, or all user
accounts. If you want the BlackBerry Enterprise Server Express to
check for calendar errors on devices, change the value to true (1).
The default value is false (0), the BlackBerry Enterprise Server
Express does not check for calendar errors on devices.
For more information, see Turn on corrective calendar
synchronization.
276
BlackBerry Enterprise Trait Tool traits
Administration Guide
Trait
DominoSmartSyncSchedule
Description
This trait specifies when the calendar synchronization process
runs. You can configure the calendar synchronization process to
start running on multiple recurring days or on only one recurring
day for a user account, all user accounts that you associate with
a BlackBerry Enterprise Server Express, or all user accounts.
The default value is Daily.
DominoSmartSyncSendUpdate
For more information, see Configure when corrective calendar
synchronization runs.
This trait specifies whether the calendar synchronization process
writes calendar synchronization errors to the BlackBerry
Messaging Agent log file, or writes the errors to the log file and
corrects the calendar synchronization errors on devices. You can
configure the BlackBerry Messaging Agent to correct calendar
synchronization errors automatically for a specific user account,
all user accounts that you associate with a BlackBerry Enterprise
Server Express, or all user accounts. If you want the BlackBerry
Messaging Agent to correct calendar synchronization errors
automatically, change the value to true (1).
The default value is false (0), the BlackBerry Messaging Agent
does not correct calendar synchronization errors automatically.
DominoSmartSyncStartWindow
For more information, see Permit the calendar synchronization
process to correct errors automatically.
This trait specifies the duration of the time window, in minutes,
that calendar synchronization sessions are distributed randomly
to throttle the calendar synchronization process. The time
window starts at the time that you specify for
DominoSmartSyncTriggerHour. The minimum value is 20
minutes, the maximum value is 1440 minutes (24 hours).
The default value is 60 minutes, the BlackBerry Enterprise Server
Express distributes calendar synchronization sessions randomly
over a one-hour time window starting at the time specified for
DominoSmartSyncTriggerHour.
DominoSmartSyncTriggerHour
For more information, see Configure throttling for corrective
calendar synchronization.
This trait specifies when the BlackBerry Enterprise Server Express
checks for calendar synchronization errors on devices. You can
configure the BlackBerry Enterprise Server Express to check for
277
Administration Guide
Trait
BlackBerry Enterprise Trait Tool traits
Description
calendar synchronization errors on devices at a specific hour for
a specific user account, all user accounts that you associate with
a BlackBerry Enterprise Server Express, or all user accounts.
The default value is 0, the BlackBerry Enterprise Server Express
checks for calendar synchronization errors on devices at 12:00
AM.
DominoSuppressBodyOfSentItems
EnableNNEIDFileProvisioning
For more information, see Configure when corrective calendar
synchronization runs.
This trait specifies whether the body of an email message is
included in an email message sent to a device when the
BlackBerry Enterprise Server Express synchronizes email
messages that an email application sends.
The default value is false (0), the body of an email message is sent
to a device.
This trait specifies whether the BlackBerry Enterprise Server
Express can synchronize IBM® Lotus Notes® .id files with the Lotus
Notes ID vault automatically and send the files to devices. Devices
require the Lotus Notes .id files to support Lotus Notes
encryption. If you want the BlackBerry Enterprise Server Express
to synchronize Lotus Notes .id files with the Lotus Notes ID vault
automatically and send the files to devices, change the value to
true (1). If you do not want the BlackBerry Enterprise Server
Express to synchronize Lotus Notes .id files automatically with the
Lotus Notes ID vault and send the files to devices, change the
value to false (0).
The default value is true (1), the BlackBerry Enterprise Server
Express synchronizes Lotus Notes .id files with the Lotus Notes ID
vault automatically and sends the files to devices.
MailstoreAddressRefreshEnabled
278
For more information, see Configure BlackBerry Enterprise Server
Express instances to import Lotus Notes .id files to BlackBerry
devices.
This trait specifies whether you want the BlackBerry Mail Store
Service to update the user directory in the BlackBerry
Configuration Database. If you want the BlackBerry Mail Store
Service to update the user directory in the BlackBerry
Configuration Database, change the value to true (1). If you do
not want the BlackBerry Mail Store Service to update the user
directory in the BlackBerry Configuration Database, change the
value to false (0).
Administration Guide
Trait
MailstorePublicFolderLookupEnabled
MaxDomainSlowSyncsPerMin
MaxPollCycleCountForHungSlowSync
MaxPollCycleCountForNoResponseToSlowSy
nc
MaxSyncServerSlowSyncsInProcess
MaxSyncServerSlowSyncsPerMin
BlackBerry Enterprise Trait Tool traits
Description
The default value is true (1), the BlackBerry Mail Store Service
updates the user directory in the BlackBerry Configuration
Database.
For more information, see Configure the BlackBerry Mail Store
Service instance that updates the contact list.
This trait specifies whether the BlackBerry Administration Service
looks up public folders and displays them in the list of public
contact folders. When an organization has a large number of
public folders available, it can take longer than expected for the
BlackBerry Messaging Agent to display the folders and the
BlackBerry Administration Service might time out. If you want to
turn off the look up function, change the value to false (0). If you
turn off the look up function, you can access the BlackBerry
Messaging Agent in the BlackBerry Administration Servicebut you
cannot see the list of available public folders in the Email
component page in the BlackBerry Administration Service.
The default value is true (1), the BlackBerry Administration
Service looks up public folders.
This trait specifies the maximum number of full synchronization
events that the BlackBerry Synchronization Service can process
each minute, in a BlackBerry Domain.
The default value is 300.
This trait specifies the maximum number of times that the
BlackBerry Synchronization Service polls a device to determine if
there is a hung synchronization event.
The default value of 10.
This trait specifies the maximum number of times that the
BlackBerry Synchronization Service polls a device to determine if
the device is out of a wireless coverage area or if wireless
synchronization is disabled on the device.
The default value is 2.
This trait specifies the maximum number of full synchronization
events that a BlackBerry Synchronization Service can start before
it schedules more full synchronization events.
The default value is 10.
This trait specifies the maximum number of pending full
synchronization events that the BlackBerry Synchronization
Service can process each minute.
279
BlackBerry Enterprise Trait Tool traits
Administration Guide
Trait
MonitorJunkEmailFolderForETP
NumberOfUserTargetTypeForSlowSyncInPara
llel
OutOfOfficeAPIEnable
PolicyEnterpriseWipeCommandOrderTraitTy
pe
Description
The default value is 30.
This trait specifies whether the BlackBerry Messaging Agent
monitors the Junk folder and the Inbox for email messages that
include an etp.dat attachment. When the activation process over
the wireless network begins, the BlackBerry Enterprise Server
Express sends an email message that includes an etp.dat
attachment from the blackberry.net domain to the email account
of the user. In some scenarios, anti-spam software applications
that the messaging server or gateway uses filters the email
messages and places them in the Junk folder. If you do not want
the BlackBerry Enterprise Server Express to monitor the Junk
folder for activation messages, change the value to false (0) and
restart the BlackBerry Controller.
The default value is true (1), the BlackBerry Enterprise Server
Express monitors the Junk folder for activation messages.
This trait specifies how many different types of organizer data,
such as tasks, memos, and contacts, the BlackBerry
Synchronization Service can synchronize at the same time during
a full synchronization event.
The default value is 10.
This trait specifies whether you want to turn on the use of the
out-of-office API that is available in Lotus Notes 8.5.1 and later.
If this trait is configured to false (0), the BlackBerry Enterprise
Server Express uses a previous implementation for the out-ofoffice functionality on devices, which does not work correctly if
a user turns on the out-of-office service mode in Lotus Notes.
The default value is true (1), the out-of-office API in Lotus Notes
8.5.1 and later is used.
This trait specifies the order for commands that run when the
BlackBerry Policy Service sends the "Delete only the organization
data and remove device" IT administration command to a device.
The value is a string that contains the command IDs separated by
a colon (:), for example, commandId1:commandId2.
The default value is 3:18.
PolicyThrottlingAppPush
280
Contact a BlackBerry Technical Support representative before
you change the default value of this trait.
This trait specifies whether the BlackBerry Policy Service uses
throttling to send applications the same way that it throttles IT
policies and service books. If you want the BlackBerry Policy
BlackBerry Enterprise Trait Tool traits
Administration Guide
Trait
Description
Service to send applications using throttling in the same way that
it throttles IT policies and service books, change the value to true
(1). If you do not want the BlackBerry Policy Service to send
applications using throttling in the same way that it throttles IT
policies and service books, change the value to false (0).
The default value is false (0), the BlackBerry Policy Service does
not use throttling to send applications the same way that it
throttles IT policies and service books.
PolicyThrottlingInProcessJobs
For more information, see Configure BlackBerry Policy Service
throttling for application polling.
This trait specifies the maximum number of processes for IT
policies or processes for service books that a BlackBerry Policy
Service can run at one time before the BlackBerry Policy Service
schedules additional processes for IT policies or service books.
The default value is 30.
PolicyThrottlingMaxBESJobs
For more information, see Configure BlackBerry Policy Service
throttling for IT policies and service books.
This trait specifies the maximum number of IT policies and service
books that a BlackBerry Policy Service can send to devices each
minute.
The default value is 100.
PolicyThrottlingMaxDomainJobs
For more information, see Configure BlackBerry Policy Service
throttling for IT policies and service books.
This trait specifies the maximum number of IT policies and service
books that all BlackBerry Policy Service instances can send to
devices each minute.
The default value is 300.
PolicyThrottlingP2PKeyRate
For more information, see Configure BlackBerry Policy Service
throttling for IT policies and service books.
This trait specifies the maximum number of processes for PIN
encryption keys that a BlackBerry Policy Service can process at
one time before the BlackBerry Policy Service schedules
additional processes for PIN encryption keys.
The default value is 60.
For more information, see Configuring BlackBerry Policy Service
throttling for PIN encryption keys.
281
Managing BlackBerry CAL keys
Administration Guide
Trait
PrepopulatePIMForNotesUsers
RouterAutoDiscoveryMethod
SlowSyncPollCycleInterval
Description
This trait specifies whether administrators can change the PIM
location for roaming. If you want to permit administrators to
change the PIM location for roaming, change the value to false
(0). If you do not want to permit administrators to change the PIM
location for roaming, change the value to true (1) and the
BlackBerry Messaging Agent determines the PIM location.
The default value is true (1), administrators cannot change the
PIM location for roaming.
This trait specifies the method that the BlackBerry Enterprise
Server Express uses to update the list of BlackBerry Router
instances in the BlackBerry Configuration Database. If you want
the BlackBerry Enterprise Server Express to compile the list of
BlackBerry Router instances automatically, change the value to
true (1). If you want the BlackBerry Router instances to provide
the BlackBerry Enterprise Server Express with the list of
BlackBerry Router instances, change the value to false (0).
The default value is true (1), the BlackBerry Enterprise Server
Express compiles the list of BlackBerry Router instances
automatically.
This trait specifies the interval (in minutes) between the times
that the BlackBerry Synchronization Service reviews the list of
users, to determine how many pending full synchronization
events can be scheduled based on the throttling parameters.
The default value is 2.
Related topics
Using the BlackBerry Enterprise Trait Tool, 273
Managing BlackBerry CAL keys
BlackBerry® CAL keys control how many user accounts can exist on a BlackBerry® Enterprise Server Express at the
same time. If you exceed the number of user accounts that can exist on a BlackBerry Enterprise Server Express, the
BlackBerry Administration Service informs you that you require more BlackBerry CAL keys.
To help you troubleshoot BlackBerry CAL key issues, copy the BlackBerry CAL keys from the BlackBerry Administration
Service to a text file.
If you install all BlackBerry Enterprise Server Express components on the same computer as the messaging server, it
is a best practice to support up to 75 users only on the BlackBerry Enterprise Server Express. If you install the
BlackBerry Enterprise Server Express components on multiple computers that are separate from the computer that
hosts the messaging server, it is a best practice to support no more than 2000 users on one BlackBerry Enterprise
Server Express instance.
282
Administration Guide
Configuring the BlackBerry Mail Store Service instance that updates the contact list
Add or delete a BlackBerry CAL key
1.
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
2.
3.
4.
Click BlackBerry Administration Service.
Click Edit component.
In the License key section, perform one of the following actions:
• To add a BlackBerry CAL key, type the information for the BlackBerry CAL key. Click the Add icon.
• To delete a BlackBerry CAL key, click the Delete icon.
5.
Click Save all.
Copy a BlackBerry CAL key to a text file
You can copy a BlackBerry® CAL key to a text file and save it on a computer for reference if you want to transfer CAL
keys to a different BlackBerry Enterprise Server Express or troubleshoot BlackBerry CAL key issues.
1.
2.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry solution
topology > BlackBerry Domain > Component view.
Click BlackBerry Administration Service.
3.
4.
5.
6.
7.
8.
Click Edit component.
In the License key section, highlight and right-click the BlackBerry CAL key.
Click Copy.
Open a text editor.
Paste the BlackBerry CAL key into the file.
Save the file.
Configuring the BlackBerry Mail Store Service instance that
updates the contact list
The BlackBerry® Configuration Database contains your organization's contact list and a list of BlackBerry® Enterprise
Server Express instances. By default, the BlackBerry Mail Store Service instance that you installed with the first
BlackBerry Enterprise Server Express instance that appears in the list updates the contact list. If you prevent the
BlackBerry Mail Store Service that you installed with the first BlackBerry Enterprise Server Express instance from
updating the contact list, the next available BlackBerry Mail Store Service instance in the list updates the contact list.
By default, if you install multiple BlackBerry Mail Store Service instances, each instance can update the contact list
in the BlackBerry Configuration Database. The first BlackBerry Mail Store Service instance that updates the contact
list prevents the other instances from also updating the contact list. Each BlackBerry Mail Store Service instance
searches for time stamp information in the BlackBerry Configuration Database to determine if another BlackBerry
Mail Store Service instance is updating the contact list already before it starts to update the contact list.
283
Administration Guide
Configuring BlackBerry Policy Service throttling
You must verify that at least one BlackBerry Mail Store Service instance can update the contact list in the BlackBerry
Configuration Database so that the BlackBerry Administration Service can access the latest contact list information
when you create and manage user accounts. If you prevent all of the BlackBerry Mail Store Service instances from
updating the contact list, the BlackBerry Configuration Database might not contain the contact information for all
user accounts on your organization's messaging server.
If the BlackBerry Configuration Database does not contain contact information for a user account, you cannot create
the user account by searching for the contact information in the BlackBerry Administration Service. You can only
create the user account if you use the Add from company directory option in the BlackBerry Administration
Service. The Add from company directory option permits the BlackBerry Mail Store Service to search the contact
information that is stored in the messaging environment so that you can create the user account even if the BlackBerry
Configuration Database does not contain the contact information for the user account.
How the BlackBerry Mail Store Service instances update multiple contact
lists
If your organization's environment includes IBM® Lotus® Domino® and you configured multiple contact lists or IBM®
Lotus Notes® Address Books, all of the BlackBerry® Mail Store Service instances might not have permission to read
all of the contact lists. By default, if you configured multiple contact lists, a BlackBerry Mail Store Service instance
can update some of the contact lists while the other BlackBerry Mail Store Service instances update other contact
lists. To optimize the performance of the BlackBerry Mail Store Service instances, you can configure only one
BlackBerry Mail Store Service instance to update all of the contact lists.
Configure the BlackBerry Mail Store Service instance that updates the
contact list
1.
2.
3.
4.
5.
Copy the BlackBerry® Enterprise Server Express installation media to a computer that hosts a BlackBerry
Enterprise Server Express instance.
Extract the contents to a folder on the computer.
At the command prompt, navigate to <extracted_folder>\tools.
Perform one of the following actions:
• To permit a BlackBerry Mail Store Service instance to update the contact list, type Traittool -host
<instance_name> -trait MailstoreAddressRefreshEnabled -set true, where <instance_name> is the name of
the BlackBerry Enterprise Server Express instance that you installed the BlackBerry Mail Store Service with.
• To prevent a BlackBerry Mail Store Service instance from updating the contact list, type Traittool -host
<instance_name> -trait MailstoreAddressRefreshEnabled -set false, where <instance_name> is the name
of the BlackBerry Enterprise Server Express instance that you installed the BlackBerry Mail Store Service with.
Repeat step 4 for each BlackBerry Mail Store Service instance.
Configuring BlackBerry Policy Service throttling
You can configure BlackBerry® Policy Service throttling on a BlackBerry® Enterprise Server Express instance to limit
the database usage of the BlackBerry Policy Service when it performs the following actions:
284
Administration Guide
•
•
•
Configuring BlackBerry Policy Service throttling
sends IT policies and service books that you update to all BlackBerry devices that are associated with the
BlackBerry Enterprise Server Express instance that the BlackBerry Policy Service runs on
sends updated PIN encryption keys to all devices that are associated with the BlackBerry Enterprise Server
Express instance that the BlackBerry Policy Service runs on
performs an application poll to verify whether the BlackBerry Policy Service must send applications to all devices
that are associated with the BlackBerry Enterprise Server Express instance that the BlackBerry Policy Service
runs on
You can configure BlackBerry Policy Service throttling using the BlackBerry Enterprise Trait Tool. You can access the
BlackBerry Enterprise Trait Tool in the Tools folder of the BlackBerry Enterprise Server Express installation files.
View the current settings for BlackBerry Policy Service throttling
1.
2.
3.
4.
5.
Copy the BlackBerry® Enterprise Server Express installation files to a computer that hosts the BlackBerry
Enterprise Server Express instance.
Extract the contents to a folder on the computer.
At the command prompt, navigate to <extracted_folder>\tools.
Type traittool -global -list
Press ENTER.
If the BlackBerry Enterprise Trait Tool does not list any BlackBerry Policy Service throttling traits, no BlackBerry
Policy Service throttling traits have been changed from their default values.
Configuring BlackBerry Policy Service throttling for IT policies and service
books
If the BlackBerry® Policy Service detects that you updated an IT policy or service book in the BlackBerry Configuration
Database, it schedules a task to create and deliver the IT policy or service book to BlackBerry device users that must
receive the update. The BlackBerry Policy Service tries to process tasks as fast as the server permits, which can result
in an unexpected increase in CPU usage and database usage.
Because you cannot synchronize multiple BlackBerry Policy Service instances on multiple BlackBerry® Enterprise
Server Express instances, an update to an IT policy or service book that affects many users on multiple BlackBerry
Enterprise Server Express instances can increase the CPU usage and database usage significantly for a long period of
time. The increased CPU usage and database usage can lead to unexpected behavior such as database updates not
completing.
To avoid this scenario, you can throttle the processing of IT policies and service books. You can specify the maximum
number of processes for IT policies and service books that a BlackBerry Policy Service can run at one time before the
BlackBerry Policy Service schedules additional processes for IT policies and service books. You can also specify the
maximum number of IT policies and service books that a BlackBerry Policy Service can send to devices each minute
and the maximum number of IT policies and service books that all BlackBerry Policy Service instances can send to
devices each minute.
285
Administration Guide
Configuring BlackBerry Policy Service throttling
If you configure throttling, the BlackBerry Policy Service determines which users that are associated with the
BlackBerry Enterprise Server Express instance that the BlackBerry Policy Service runs on require a new IT policy or
service book. The BlackBerry Policy Service also determines how many users to schedule for processing in the next
60 seconds. The BlackBerry Policy Service then schedules the same number of users for processing at equal intervals
over the next 60 seconds to distribute the usage on the BlackBerry Configuration Database.
The BlackBerry Policy Service only applies throttling when it automatically detects updates to IT policies or service
books. The BlackBerry database notification system starts automatic detection. If you configure the BlackBerry
database notification system to be turned off, a five-minute timer starts automatic detection. The BlackBerry Policy
Service does not apply throttling when the BlackBerry Enterprise Server Express requests IT policies or service books
during device activation or when you request that the BlackBerry Enterprise Server Express send IT policies or service
books to users.
Configure BlackBerry Policy Service throttling for IT policies and service books
1.
2.
3.
4.
5.
Copy the BlackBerry® Enterprise Server Express installation files to a computer that hosts the BlackBerry
Enterprise Server Express instance.
Extract the contents to a folder on the computer.
At the command prompt, navigate to <extracted_folder>\tools.
Perform one of the following actions:
• To configure the maximum number of processes that a BlackBerry Policy Service can run for IT policies and
services books at one time before the BlackBerry Policy Service schedules additional processes, type traittool
-global -trait PolicyThrottlingInProcessJobs -set <value>, where <value> is 0 or greater. The default value is
30.
• To configure the maximum number of IT policies and service books that a BlackBerry Policy Service can send
to BlackBerry devices each minute, type traittool -global -trait PolicyThrottlingMaxBESJobs -set <value>,
where <value> is 1 or greater. The default value is 100.
• To configure the maximum number of IT policies and service books that all BlackBerry Policy Service instances
can send to devices each minute, type traittool -global -trait PolicyThrottlingMaxDomainJobs -set
<value>, where <value> is 1 or greater. The default value is 300.
Press ENTER.
Example: Configuring the maximum number of IT policies or service books that a BlackBerry Policy Service can
send
If you want to configure the maximum number of IT policies or service books that a BlackBerry Policy Service can
send to 500, type traittool -global -trait PolicyThrottlingMaxDomainJobs -set 500.
286
Administration Guide
Configuring BlackBerry Policy Service throttling
Configuring BlackBerry Policy Service throttling for PIN encryption keys
If the BlackBerry® Policy Service detects that you updated the PIN encryption keys in the BlackBerry Configuration
Database, the BlackBerry Policy Service verifies which BlackBerry device users require a new key and then schedules
a certain number of users at equal intervals over the next 60 second period. The default setting is 60, or one process
per second. You can adjust the number of users that the BlackBerry Policy Service schedules over the 60 second
interval using throttling.
The BlackBerry Policy Service only applies throttling when it automatically detects updates to the PIN encryption
keys. The BlackBerry database notification system starts automatic detection. If you turn off the BlackBerry database
notification system, a five-minute timer starts automatic detection.
Configure BlackBerry Policy Service throttling for PIN encryption keys
1.
2.
3.
4.
5.
Copy the BlackBerry® Enterprise Server Express installation files to a computer that hosts the BlackBerry
Enterprise Server Express instance.
Extract the contents to a folder on the computer.
At the command prompt, navigate to <extracted_folder>\tools.
To configure the maximum number of processes for PIN encryption keys that a BlackBerry Policy Service can
process at one time before it schedules additional processes, type traittool -global -trait
PolicyThrottlingP2PKeyRate -set <value>, where <value> is 0 or greater. The default value is 60. If you configure
a value of 0, theBlackBerry Policy Service will not throttle the processes to update PIN encryption keys.
Press ENTER.
Example: Configuring the maximum number of processes for PIN encryption keys
If you want to configure the maximum number of processes for PIN encryption keys to 30, you can type traittool global -trait PolicyThrottlingP2PKeyRate -set 30.
Configuring BlackBerry Policy Service throttling for application polling
The BlackBerry® Policy Service performs application polling to verify when it must send applications to all BlackBerry
devices that are associated with the BlackBerry® Enterprise Server Express instance that the BlackBerry Policy Service
runs on. You can configure BlackBerry Policy Service throttling on a BlackBerry Enterprise Server Express instance to
limit the database usage of the BlackBerry Policy Service when it sends applications to devices.
If you do not configure throttling, the BlackBerry Policy Service tries to process tasks as fast as the server permits,
which might result in an unexpected increase in CPU usage and database usage. If you configure throttling, the
BlackBerry Policy Service sends applications to devices using the same method that it uses to throttle IT policies and
service books.
Configure BlackBerry Policy Service throttling for application polling
1.
Copy the BlackBerry® Enterprise Server Express installation file to a computer that hosts the BlackBerry
Enterprise Server Express instance.
287
Administration Guide
2.
3.
4.
5.
Change the port number that BlackBerry Enterprise Server Express components use to connect to
the BlackBerry Configuration Database
Extract the contents to a folder on the computer.
At the command prompt, navigate to <extracted_folder>\tools.
Perform one of the following actions:
• To configure the BlackBerry Policy Service to send applications using the same method that it uses to throttle
IT policies and service books, type traittool -global -trait PolicyThrottlingAppPush -set true.
• To configure the BlackBerry Policy Service to not send applications using throttling, and to process the
requests as quickly as possible, type traittool -global -trait PolicyThrottlingAppPush -set false.
The default value is false.
Press ENTER.
Delete a BlackBerry Policy Service throttling setting
1.
2.
3.
4.
5.
Copy the BlackBerry® Enterprise Server Express installation files to a computer that hosts a BlackBerry Enterprise
Server Express instance.
Extract the contents to a folder on the computer.
At the command prompt, navigate to the Tools folder where the TraitTool.exe file is located.
Type traittool -global -trait <trait_name> -erase, where <trait_name> is the configuration that you want to
delete.
Press ENTER.
Example: Deleting a BlackBerry Policy Service throttling setting
If you want to delete the maximum number of IT policies and service books that all BlackBerry Policy Service instances
can send to BlackBerry devices each minute, type traittool -global -trait PolicyThrottlingMaxDomainJobs -erase.
Change the port number that BlackBerry Enterprise Server
Express components use to connect to the BlackBerry
Configuration Database
You can change the static port number that BlackBerry® Enterprise Server Express components use if you changed
the port number that the BlackBerry Configuration Database uses after you install the BlackBerry Enterprise Server
Express.
By default, the BlackBerry Configuration Database accepts TCP/IP connections to port 1433 on a Microsoft® SQL
Server®. The BlackBerry Configuration Database accepts connections through ports 1024 to 65535.
1.
On the computer that hosts the BlackBerry Enterprise Server Express component, open the BlackBerry
Configuration Panel.
2.
3.
4.
In the Database Connectivity tab, in the Use dynamic ports or specify SQL port field, type the port number.
Click Apply.
Click OK.
288
Administration Guide
5.
6.
Change the port number that the syslog tools use to monitor BlackBerry Enterprise Server Express
events
In the Windows® Services, restart the appropriate service for the BlackBerry Enterprise Server Express
component.
Repeat steps 1 to 5 on each computer that hosts a BlackBerry Enterprise Server Express component that connects
to the BlackBerry Configuration Database.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
BlackBerry Configuration Database connection types and port numbers, 311
Change the port number that the syslog tools use to monitor
BlackBerry Enterprise Server Express events
You can change the port number that the syslog tools listen on to monitor BlackBerry® Enterprise Server Express
events. By default, the syslog tools listen to events for the BlackBerry Enterprise Server Express on port 514.
1.
2.
3.
4.
5.
6.
7.
On the computer that hosts the BlackBerry Enterprise Server Express component, open the Windows® Registry
Editor.
Perform one of the following actions:
• If you are running a 32-bit version of Windows, navigate to HKEY_LOCAL_MACHINE\Software\Research In
Motion\BlackBerry Enterprise Server.
• If you are running a 64-bit version of Windows, navigate to HKEY_LOCAL_MACHINE\Software
\WOW6432Node\Research In Motion\BlackBerry Enterprise Server.
In the Logging Info registry key, click a BlackBerry Enterprise Server Express component.
If the DWORD value does not exist, create a DWORD value that you name (Default).
Change the DWORD value to the port number that the syslog tools listen on.
Click OK.
In the Windows Services, restart the service for the BlackBerry Enterprise Server Express component.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Syslog connection type and port number, 323
289
Administration Guide
BlackBerry Controller and BlackBerry Enterprise Server Express Component Monitoring
BlackBerry Controller and BlackBerry
Enterprise Server Express Component
Monitoring
28
How the BlackBerry Controller monitors the BlackBerry
Enterprise Server Express components
The BlackBerry® Controller enables the BlackBerry® Enterprise Server Express to continue running if nonresponsive
threads occur or BlackBerry Enterprise Server Express services become inactive. The BlackBerry Controller monitors
the BlackBerry Messaging Agent, the extension plug-ins for the BlackBerry Messaging Agent, and the BlackBerry
Dispatcher so that the BlackBerry Controller can detect when to start, restart, or stop the services. The BlackBerry
Controller can also restart other BlackBerry Enterprise Server Express services if they stop responding.
Services that require database access are installed in manual start mode and the BlackBerry Controller starts the
services when the BlackBerry Dispatcher verifies the connection to the database. Other services are installed in
automatic start mode, and by default, the BlackBerry Controller restarts the services if the BlackBerry Controller
detects that the services are inactive. By default, the BlackBerry Controller also restarts services if the BlackBerry
Controller detects nonresponsive threads or that a service is inactive for a long period of time.
Registry keys determine how the BlackBerry Controller monitors the BlackBerry Enterprise Server Express
components and restarts the services that are associated with the components. You can change the default behavior
of the BlackBerry Controller by creating new registry keys and changing the default values of the registry keys.
The BlackBerry Controller also monitors the IBM® Lotus® Domino® server that is installed on the BlackBerry Enterprise
Server Express (as either a service or an application).
Change how the BlackBerry Controller restarts the BlackBerry Messaging
Agent
Before you begin: To create a user.dmp file, or to use a user.dmp file as a data collection option, you must download
and install the User Mode Process Dumper application that is included as a part of the Microsoft® OEM Support Tools.
1.
2.
On the computer that hosts the BlackBerry® Enterprise Server Express, open the Registry Editor.
In the left pane, perform one of the following actions:
• If you are running a 32-bit version of Windows®, navigate to HKEY_LOCAL_MACHINE\Software\Research In
Motion\BlackBerry Enterprise Server.
• If you are running a 64-bit version of Windows, navigate to HKEY_LOCAL_MACHINE\Software\
WOW6432Node\Research In Motion\BlackBerry Enterprise Server.
3.
4.
Click Controller.
Perform any of the following tasks:
290
Administration Guide
How the BlackBerry Controller monitors the BlackBerry Enterprise Server Express components
Task
Change how the BlackBerry
Controller restarts the BlackBerry
Messaging Agent.
Steps
Change the maximum number of
times that the BlackBerry
Messaging Agent restarts daily.
a.
Create a DWORD value that is named RestartAgentsOnCrash.
b.
Double-click the new DWORD value.
c.
In the Value data field, perform one of the following actions:
• To prevent the BlackBerry Controller from restarting the
BlackBerry Messaging Agent if the BlackBerry Messaging
Agent stops responding, type 0.
• To permit the BlackBerry Controller to restart the
BlackBerry Messaging Agent if the BlackBerry Messaging
Agent stops responding, type 1.
a.
Create a DWORD value that is named MaxAgentRestartPerDay.
b.
Double-click the new DWORD value.
c.
In the Value data field, type a value.
The default maximum number of restarts that can occur daily is ten.
Change the maximum number of
times that the BlackBerry
Controller requests IBM® Lotus®
Domino® to restart the BlackBerry
Messaging Agent daily.
Change the number of minutes
that the BlackBerry Controller
waits for NSD to finish if it is
running when the BlackBerry
Controller tries to restart IBM
Lotus Domino and the BlackBerry
Messaging Agent.
Change the maximum number of
missed health checks that can
occur before the BlackBerry
Messaging Agent restarts.
a.
Double-click MaxAgentLaunchesPerDay.
b.
In the Value data field, type a value.
The default maximum number of requests that can occur daily is
100.
a.
Double-click WaitForNSDToComplete.
b.
In the Value data field, type a value.
The default number of minutes is 30.
a.
Create a DWORD value that is named WaitToRestartAgentOnHung.
b.
Double-click the new DWORD value.
c.
In the Value data field, type a value that is greater than four, which
provides the BlackBerry Controller with sufficient time to monitor
thread health checks before the BlackBerry Controller restarts the
BlackBerry Messaging Agent.
The default value is 6.
Health checks occur every ten minutes. If a health check does not receive
a response from the thread that that the BlackBerry Controller monitors,
the BlackBerry Enterprise Server Express tracks the missed health check
in the BlackBerry Messaging Agent log file as the wait count.
291
Administration Guide
How the BlackBerry Controller monitors the BlackBerry Enterprise Server Express components
Task
Steps
Example:
[20148] (05/12 12:21:00):{0xC28} Thread: *** No Response *** Thread
Id=0xB00, Handle=0x558, WaitCount=2
Prevent the BlackBerry Controller
from restarting the BlackBerry
Messaging Agent when a
nonresponsive thread occurs.
a.
Create a DWORD value that is named WaitToRestartAgentOnHung.
b.
Double-click the new DWORD value.
c.
In the Value data field, type 0.
The default value is 6.
Prevent the BlackBerry Controller
from restarting the BlackBerry
Messaging Agent for a specific time
range if the BlackBerry Controller
detects a nonresponsive thread.
a.
Create a DWORD value that is named
RestartAgentOnHungBlackoutFrom.
b.
Double-click the new DWORD value.
c.
In the Base section, select the Decimal option.
d.
In the Value data field, type the lowest value of the time range.
The values range from 0 to 23, where 0 is 12:00 AM and 23 is 11:00
PM.
e.
Create a DWORD value that is named
RestartAgentOnHungBlackoutTo.
f.
Double-click the new DWORD value.
g.
In the Base section, select the Decimal option.
h.
In the Value data field, type the highest value of the time range.
For example, if you configure the RestartAgentOnHungBlackoutFrom
value to eight and the RestartAgentOnHungBlackoutTo value to 17, the
BlackBerry Controller does not restart the BlackBerry Messaging Agent
between 8:00 AM and 5:00 PM if it detects a nonresponsive thread.
To turn off the time range, in the RestartAgentOnHungBlackoutFrom
and RestartAgentOnHungBlackoutTo value fields, type 0.
Change the maximum number of
user.dmp files that each
BlackBerry Enterprise Server
Express creates daily before the
BlackBerry Controller restarts the
BlackBerry Messaging Agent.
5.
292
Click OK.
a.
Create a DWORD value that is named MaxUserDumpPerDay.
b.
Double-click the new DWORD value.
c.
In the Value data field, type a value.
The default value is 3.
To turn off the daily creation of user.dmp files, change the
MaxUserDumpPerDay value field to 0.
Administration Guide
How the BlackBerry Controller monitors the BlackBerry Enterprise Server Express components
Change how the BlackBerry Controller restarts a BlackBerry Enterprise
Server Express service
By default, the BlackBerry® Controller restarts a BlackBerry® Enterprise Server Express service if it stops responding.
1.
2.
3.
On the computer that hosts the BlackBerry Enterprise Server Express component that you want to change, open
the Registry Editor.
In the left pane, perform one of the following actions:
• If you are running a 32-bit version of Windows®, navigate to HKEY_LOCAL_MACHINE\Software\Research In
Motion.
• If you are running a 64-bit version of Windows, navigate to HKEY_LOCAL_MACHINE\Software
\WOW6432Node\Research In Motion.
Perform any of the following tasks:
Task
Change how the BlackBerry
Controller restarts the BlackBerry
Attachment Service.
Steps
a.
Click BBAttachServer.
b.
Double-click the DWORD value that is named RestartOnCrash.
c.
In the Value data field, perform one of the following actions:
• To prevent the BlackBerry Controller from restarting the
BlackBerry Attachment Service if the service stops
responding, type 0.
• To permit the BlackBerry Controller to restart the
BlackBerry Attachment Service if the service stops
responding, type 1.
Change how the BlackBerry
Controller restarts the BlackBerry
MDS Connection Service.
a.
Click BlackBerry Mobile Data Server.
b.
Double-click the DWORD value that is named RestartOnCrash.
c.
In the Value data field, perform one of the following actions:
• To prevent the BlackBerry Controller from restarting the
BlackBerry MDS Connection Service if the service stops
responding, type 0.
• To permit the BlackBerry Controller to restart the
BlackBerry MDS Connection Service if the service stops
responding, type 1.
Change how the BlackBerry
Controller restarts the BlackBerry
Router.
a.
Click BlackBerryRouter.
b.
Double-click the DWORD value that is named RestartOnCrash.
c.
In the Value data field, perform one of the following actions:
• To prevent the BlackBerry Controller from restarting the
BlackBerry Router if the service stops responding, type 0.
293
Administration Guide
How the BlackBerry Controller monitors the BlackBerry Enterprise Server Express components
Task
Steps
•
Change how the BlackBerry
Controller restarts the BlackBerry
Mail Store Service.
Change how the BlackBerry
Controller restarts the BlackBerry
Policy Service.
Change how the BlackBerry
Controller restarts the BlackBerry
Synchronization Service.
4.
294
Click OK.
To permit the BlackBerry Controller to restart the
BlackBerry Router if the service stops responding, type 1.
a.
Navigate to BlackBerry Enterprise Server.
b.
Click MailStore.
c.
Double-click the DWORD value that is named RestartOnCrash.
d.
In the Value data field, perform one of the following actions:
• To prevent the BlackBerry Controller from restarting the
BlackBerry Mail Store Service if the service stops
responding, type 0.
• To permit the BlackBerry Controller to restart the
BlackBerry Mail Store Service if the service stops
responding, type 1.
a.
Navigate to BlackBerry Enterprise Server.
b.
Click PolicyServer.
c.
Double-click the DWORD value that is named RestartOnCrash.
d.
In the Value data field, perform one of the following actions:
• To prevent the BlackBerry Controller from restarting the
BlackBerry Policy Service if the service stops responding,
type 0.
• To permit the BlackBerry Controller to restart the
BlackBerry Policy Service if the service stops responding,
type 1.
a.
Navigate to BlackBerry Enterprise Server.
b.
Click SyncServer.
c.
Double-click the DWORD value that is named RestartOnCrash.
d.
In the Value data field, perform one of the following actions:
• To prevent the BlackBerry Controller from restarting the
BlackBerry Synchronization Service if the service stops
responding, type 0.
• To permit the BlackBerry Controller to restart the
BlackBerry Synchronization Service if the service stops
responding, type 1.
Administration Guide
BlackBerry Enterprise Server Alert Tool
BlackBerry Enterprise Server Alert Tool
Configuring notifications using the BlackBerry Enterprise Server Alert Tool
You can use the BlackBerry® Enterprise Server Alert Tool to monitor the Windows Event Log™ and send users that
you define as notification recipients a notification message when the tool records a critical, error, warning, or
informational event. You must configure notification settings for each BlackBerry® Enterprise Server Express in your
organization's BlackBerry Domain.
Change the default event monitoring level
By default, the BlackBerry® Enterprise Server Alert Tool monitors critical events only.
1.
2.
3.
4.
5.
6.
7.
8.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Alert.
Click the instance that you want to change.
Click Edit instance.
In the SMTP host name field, type the SMTP host name of your organization's gateway in DNS format (for
example, smtp.CompanyName.com).
In the SMTP account name field, type the name of the SMTP account that you want to send notifications from.
In the SMTP from address field, type the SMTP address that you want to send notifications and receive replies
to notifications.
In the Event level drop-down list, click one of the following menu items:
• To monitor level 0 events (critical), click Critical.
• To monitor all events up to and including level 1 (critical and error), click Error.
• To monitor all events up to and including level 2 (critical, error, and warning), click Warning.
• To monitor all events up to and including level 3 (critical, error, warning, and informational), click
Informational.
Click OK.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Define a notification recipient
You can specify a notification recipient for the BlackBerry® Enterprise Server Alert Tool so that the contact receives
notification messages in email or popup messages that appear on the screen. You can send popup messages to the
contact if the Messenger service for Windows® is running on the computer that you installed the BlackBerry Enterprise
Server Alert Tool on, and if the computer is not running Windows Server® 2008. The contact receives popup messages
only if the Messenger service is running on the contact's computer.
1.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Alert.
295
Administration Guide
BlackBerry Enterprise Server Alert Tool
2.
3.
4.
5.
Click the instance that you want to change.
Click Edit instance.
In the User name field, type the name of the contact.
In the Event level drop-down list, click one of the following menu items:
• To send notification messages for the default event monitoring level, click Default.
• To send notification messages for all events up to and including level 1 (critical and error), click Error.
• To send notification messages for all events up to and including level 2 (critical, error, and warning), click
Warning.
• To send notification messages for all events up to and including level 3 (critical, error, warning, and
informational), click Info.
6.
7.
In the Email address field, type the recipient's email address.
To send notification messages as popup messages on the contact's computer, in the Console field, type the
name of the contact's computer.
Click OK.
8.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
296
Administration Guide
BlackBerry Enterprise Server Express log files
BlackBerry Enterprise Server Express log files
29
Log files for BlackBerry Enterprise Server Express
components
You can use log files to record the activity of BlackBerry® Enterprise Server Express components and troubleshoot
issues with the components. The BlackBerry Enterprise Server Express creates a log file for each BlackBerry Enterprise
Server Express component and saves the log files on the computer that hosts the BlackBerry Enterprise Server
Express. By default, the BlackBerry Enterprise Server Expresssaves the log files in C:\Program Files\Research In Motion
\BlackBerry Enterprise Server\Logs. Each BlackBerry Enterprise Server Express instance saves the log files in folders
that it creates daily and organizes by date. To prevent the BlackBerry Enterprise Server Express log files from taking
up too much disk space, you can change how BlackBerry Enterprise Server Express components create and delete
log files.
The size of log files varies based on the number of users in your BlackBerry Enterprise Server Express environment
and the level of user activity. It is a best practice to monitor and control the amount of disk space taken up by the
BlackBerry Enterprise Server Express log files.
By default, the BlackBerry Enterprise Server Express names log files
<server_name>_<component_identifier>_<instance>_<yyyymmdd>_<log_number>.txt (for example,
BBServer01_MAGT_01_20070120_0001.txt). An event that the BlackBerry Enterprise Server Express writes to a log
file begins with a five-digit number, where the first digit represents the logging level. For example, the following log
file entry logs level 3, which are informational level events: [30000] (03/12 14:03:42.315):{0x18CC} [ENV] Computer
Host Name: host_name.
Changing the location where BlackBerry Enterprise Server Express
components save log files
Change the location where BlackBerry Enterprise Server Express components save
log files
1.
2.
3.
4.
5.
6.
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Logging.
Click the instance that contains the logging settings that you want to change.
Click Edit instance.
In the General section, in the Log file path field, type the path where you want to save the log files.
Click Save all.
On each computer that hosts a BlackBerry® Enterprise Server Express component or BlackBerry Enterprise Server
Express service, in the Windows® Services, restart the BlackBerry Enterprise Server Express services.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
297
Administration Guide
Log files for BlackBerry Enterprise Server Express components
Store the log files for BlackBerry Enterprise Server Express components in one folder
You can store the log files for BlackBerry® Enterprise Server Express components in one folder instead of permitting
the BlackBerry Enterprise Server Express to save the log files in folders that it creates daily and organizes by date.
1.
2.
3.
4.
5.
6.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Logging.
Click the instance that contains the logging settings that you want to change.
Click Edit instance.
In the General section, in the Create folder for daily logs drop-down list, click False.
Click Save all.
On each computer that hosts a BlackBerry Enterprise Server Express component or BlackBerry Enterprise Server
Express service, in the Windows® Services, restart the BlackBerry Enterprise Server Express services.
Changing how BlackBerry Enterprise Server Express components create log
files
Add a prefix to the file names of the log files for BlackBerry Enterprise Server Express
components
1.
2.
3.
4.
5.
6.
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Logging.
Click the instance that contains the logging settings that you want to change.
Click Edit instance.
In the General section, in the Log file prefix field, type the prefix that you want to add to the log files.
Click Save all.
On each computer that hosts a BlackBerry® Enterprise Server Express component or BlackBerry Enterprise Server
Express service, in the Windows® Services, restart the BlackBerry Enterprise Server Express services.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Change the maximum size of the log file for a BlackBerry Enterprise Server Express
component
When the log file for a BlackBerry® Enterprise Server Express component reaches its maximum size, the BlackBerry
Enterprise Server Express either creates an additional log file for the component or overwrites the current one,
depending on whether you turn on log auto-roll.
By default, log auto-roll is turned on for all BlackBerry Enterprise Server Express components, which means that the
BlackBerry Enterprise Server Express creates an additional log file when the current log file reaches its maximum
size.
298
Administration Guide
Log files for BlackBerry Enterprise Server Express components
You can specify a different maximum size for each log file.
1.
2.
3.
4.
5.
6.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Logging.
Click the instance that contains the logging settings that you want to change.
On the Logging details tab, click Edit instance.
In each section, in the Maximum size of daily log files (MB) field, type the file size.
Click Save all.
On the Servers and components menu, locate and restart the components that contain the logging settings that
you changed.
Related topics
Create an additional log file for a BlackBerry Enterprise Server Express component when the current log file reaches its maximum size, 300
Restarting BlackBerry Enterprise Server Express components, 272
Change the logging level for a BlackBerry Enterprise Server Express component
You can select whether the information that you save to the log files is detailed or limited by changing the logging
level for a BlackBerry® Enterprise Server Express component. A more detailed logging level can help you troubleshoot
issues with a BlackBerry Enterprise Server Express component.
1.
2.
3.
4.
5.
6.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Logging.
Click the instance that contains the logging settings that you want to change.
On the Logging details tab, click Edit instance.
In each section, in the Log level drop-down list, click one of the following menu items:
• To write error messages to the log files, click Error.
• To write warning messages to the log files, click Warning.
• To write daily activities to the log files, click Information.
• To write additional information to the log files that can help you troubleshoot issues with your organization's
environment, click Debug.
Click Save all.
On the Servers and components menu, locate and restart the components that contain the logging settings that
you changed.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
299
Administration Guide
Log files for BlackBerry Enterprise Server Express components
Create an additional log file for a BlackBerry Enterprise Server Express component
when the current log file reaches its maximum size
If you turn on log auto-roll for a BlackBerry® Enterprise Server Express component, the BlackBerry Enterprise Server
Express creates a new log file for the component when the current log file reaches the maximum size. If you turn off
log auto-roll for a BlackBerry Enterprise Server Express component, the BlackBerry Enterprise Server Express
overwrites the current log file for the component when the log file reaches the maximum size. By default, log autoroll is turned on for all BlackBerry Enterprise Server Express components.
1.
2.
3.
4.
5.
6.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Logging.
Click the instance that contains the logging settings that you want to change.
On the Logging details tab, click Edit instance.
In each section, in the Log auto-roll drop-down list, click True.
Click Save all.
On the Servers and components menu, locate and restart the components that contain the logging settings that
you changed.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Change the identifier of the log file for a BlackBerry Enterprise Server Express
component
You can identify the log file for a BlackBerry® Enterprise Server Express component by the identifier that is included
in the file name. For example, a log file that is named BBServer01_SYNC_01_20080120_001.txt uses the default
component identifier SYNC to identify the BlackBerry Synchronization Service component.
1.
2.
3.
4.
5.
6.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Logging.
Click the instance that contains the logging settings that you want to change.
On the Logging details tab, click Edit instance.
In each section, in the Log identifier field, type a new identifier name.
Click Save all.
On the Servers and components menu, locate and restart the components that contain the logging settings that
you changed.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Prevent a BlackBerry Enterprise Server Express component from creating a daily log
file
1.
300
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Logging.
Administration Guide
2.
3.
4.
5.
6.
Log files for BlackBerry Enterprise Server Express components
Click the instance that contains the logging settings that you want to change.
On the Logging details tab, click Edit instance.
In each section, in the Daily file creation drop-down list, click False.
Click Save all.
On the Servers and components menu, locate and restart the components that contain the logging settings that
you changed.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Configure when the BlackBerry Enterprise Server Express deletes a log file
1.
2.
3.
4.
5.
6.
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Logging.
Click the instance that contains the logging settings that you want to change.
On the Logging details tab, click Edit instance.
In each section, in the Maximum age of daily log files field, type the number of days that you want the
BlackBerry® Enterprise Server Express to delete the log files after.
Click Save all.
On the Servers and components menu, locate and restart the components that contain the logging settings that
you changed.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Change the character encoding of the log file for a BlackBerry Enterprise Server
Express component
You can change the character encoding of the log files of a BlackBerry® Enterprise Server Express component so that
the encoding supports the tools that you use to parse and examine the log files. You can specify a different character
encoding for each BlackBerry Enterprise Server Express component. You can use the ANSI®, UTF-8, and UTF-16LE
character encoding methods.
1.
2.
3.
4.
5.
6.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Logging.
Click the instance that contains the logging settings that you want to change.
On the Logging details tab, click Edit instance.
In each section, in the Log encoding drop-down list, click one of the following character encodings:
• ANSI
• UTF-8
• UTF-16LE
Click Save all.
On the Servers and components menu, locate and restart the components that contain the logging settings that
you changed.
301
Log files for BlackBerry Enterprise Server Express components
Administration Guide
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Restore logging settings to default values for all components
1.
2.
3.
4.
5.
6.
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > Logging.
Click the instance that you want to restore to default values.
On the Logging details tab, click Edit instance.
Click Reset logging defaults.
Click Save all.
For the changes to take effect, perform any of the following actions to restart the BlackBerry® Enterprise Server
Express services:
• To restart services other than the BlackBerry Administration Service, on the Servers and components menu,
locate and restart the services that you restored to default values.
• To restart the BlackBerry Administration Service, on the computer that hosts the BlackBerry Administration
Service, in the Windows® Services, restart the BlackBerry Administration Service - Native Code Container
service.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Component identifiers for log files
You can identify the names for the BlackBerry® Enterprise Server Express log files using the following component
identifiers:
Component identifier
ACNV
ALRT
ASCL
ASMN
ASRV
BBAS-AS
BBAS-NCC
CBCK
CMNG
CNTS
ConfigTool
CONN
CTRL
DBNS
302
Logging component
BlackBerry Attachment Service attachment conversion
BlackBerry Enterprise Server Alert Tool
BlackBerry Attachment Service client
BlackBerry Attachment Service attachment monitor
BlackBerry Attachment Service component
BlackBerry Administration Service – Application Server
BlackBerry Administration Service – Native Code Container
backup connector
management connector
IBM® Lotus Notes® connector
BlackBerry Enterprise Server Express configuration tool
BlackBerry Synchronization Connector
BlackBerry Controller
BlackBerry database notification service
BlackBerry MDS Connection Service log files
Administration Guide
Component identifier
DISP
EXTS
HHCG
MAGT
MAST
MDAT
POLC
ROUT
SYNC
TAT
Logging component
BlackBerry Dispatcher
extension connector
BlackBerry Configuration Panel
BlackBerry Messaging Agent
BlackBerry Mail Store Service
BlackBerry MDS Connection Service
BlackBerry Policy Service
BlackBerry Router
BlackBerry Synchronization Service
BlackBerry Threshold Analysis Tool
BlackBerry MDS Connection Service log files
Changing how the BlackBerry MDS Connection Service creates a log file
Change the logging level for BlackBerry MDS Connection Service log files
You can change the logging level for the BlackBerry® MDS Connection Service log file, which includes the event log,
UDP log files, and TCP log files.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > MDS Connection Service.
Click an instance of the BlackBerry MDS Connection Service.
On the Logging tab, click Edit instance.
In the File logging destination, UDP logging destination, TCP logging destination, or EventLog logging
destination sections, select one of the following logging levels from the Log level drop-down list:
• To write events to the log files, click Event.
• To write error messages to the log files, click Error.
• To write warning messages to the log files, click Warning.
• To write daily activities to the log files, click Informational.
• To write additional information to the log files that can help you troubleshoot issues with the BlackBerry MDS
Connection Service, click Debug.
Click Save all.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
303
Administration Guide
BlackBerry MDS Connection Service log files
Change the interval that the BlackBerry MDS Connection Service writes information to
a log file
The interval that the BlackBerry® MDS Connection Service writes information to a log file applies to all BlackBerry
MDS Connection Service log files, including the event log, UDP log files, and TCP log files.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > MDS Connection Service.
Click an instance of the BlackBerry MDS Connection Service.
On the Logging tab, click Edit instance.
In the File logging destination section, in the Log timer interval field, type the interval in milliseconds.
The default value is 30000.
Click Save all.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Change the host and port number that the BlackBerry MDS Connection Service
connects to when it sends UDP log file messages
The SNMP agent for the BlackBerry® Enterprise Server Express receives UDP log file messages from the same host
and port number that the BlackBerry MDS Connection Service connects to when it sends UDP log messages.
1.
2.
3.
4.
5.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > MDS Connection Service.
Click an instance of the BlackBerry MDS Connection Service.
On the Logging tab, click Edit instance.
In the UDP logging destination section, in the Location field, type the host name and port number using the
format <host_name>:<port_number>.
Click Save all.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Change the host and port number that the BlackBerry MDS Connection Service
connects to when it sends TCP log file messages
1.
2.
3.
4.
5.
304
In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > MDS Connection Service.
Click an instance of the BlackBerry MDS Connection Service.
On the Logging tab, click Edit instance.
In the TCP logging destination section, in the Location field, type the host name and port number using the
format <host_name>:<port_number>.
Click Save all.
Administration Guide
BlackBerry MDS Connection Service log files
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Configure BlackBerry MDS Connection Service to log DSML information
1.
2.
3.
4.
On the computer that hosts the BlackBerry® MDS Connection Service, navigate to <drive>:\Program Files
\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\instance\config.
In any text editor, open the rimpublic.properties file.
In the rimpublic.properties file, type application.handler.dsml.logging=Yes.
Save and close the rimpublic.properties file.
5.
In the Windows® Services, restart the BlackBerry MDS Connection Service service.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Change the activities that the BlackBerry MDS Connection Service writes to a log file
The settings for the activities that the BlackBerry® MDS Connection Service writes to a log file apply to all log files,
including the event log, UDP log files, and TCP log files.
1.
2.
3.
4.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view > MDS Connection Service.
Click a BlackBerry MDS Connection Service instance.
On the Logging tab, click Edit instance.
In the Logging section, perform any of the following tasks:
Task
Steps
Do not trace how data packets travel inside the SRP In the SRP logging turned on drop-down list, click No.
network layer from the BlackBerry MDS Connection
Service to the BlackBerry Dispatcher.
Do not trace how data packets travel inside the IPPP In the IPPP logging turned on drop-down list, click No.
network layer from the BlackBerry MDS Connection
Service to the BlackBerry Dispatcher.
Send logging information using UDP to a UDP server. In the UDP logging turned on drop-down list, click
Yes.
Trace how data packets travel inside the GME
In the GME logging turned on drop-down list, click
network layer from the BlackBerry MDS Connection Yes.
Service to the BlackBerry Dispatcher.
Monitor HTTP headers for request and response
In the HTTP logging turned on drop-down list, click
messages that the web server sends or receives when Yes.
users retrieve content from the Internet and intranet
on BlackBerry devices.
305
Administration Guide
BlackBerry MDS Connection Service log files
Task
Steps
Monitor HTTP headers and the body of response
In the Verbose HTTP logging turned on drop-down
messages that the web server sends when users
list, click Yes.
retrieve content from the Internet and intranet on
BlackBerry devices.
Monitor activity that occurs between the BlackBerry In the TLS logging turned on drop-down list, click Yes.
MDS Connection Service and the target server when
the BlackBerry MDS Connection Service uses a TLS
connection.
Monitor the certificate revocation status that the
In the OCSP logging turned on drop-down list, click
BlackBerry device retrieves from the OCSP server.
Yes.
Monitor BlackBerry device requests to access a user In the LDAP logging turned on drop-down list, click
profile or certificate from the LDAP directory.
Yes.
Monitor CRLs that the BlackBerry device retrieves
In the CRL logging turned on drop-down list, click Yes.
from the CRL server.
Monitor PGP® key status and revocation information In the PGP logging turned on drop-down list, click Yes.
that the BlackBerry device retrieves from the PGP
server.
5.
Click Save all.
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
Using BlackBerry MDS Connection Service log files to view information for
proxied connections to BlackBerry devices
The BlackBerry® Enterprise Server Express writes data for each BlackBerry device connection that the BlackBerry
MDS Connection Service proxies in the BlackBerry MDS Connection Service log files.
You can find the BlackBerry MDS Connection Service log files on the computer that hosts the BlackBerry Enterprise
Server Express. You can identify BlackBerry MDS Connection Service log files by the component identifier MDAT in
the log file name.
Log file example: BlackBerry device user initiates the proxied connection
<LAYER = IPPP, DEVICEPIN = u29, DOMAINNAME = test.rim.net, CONNECTION_TYPE =
DEVICE_CONN, CONNECTIONID = 852164874, DURATION(ms) = 3500, MFH_KBytes = 0.908,
MTH_KBytes = 38.218, MFH_PACKET_COUNT = 1, MTH_PACKET_COUNT = 2>
Log file example: BlackBerry Enterprise Server Express initiates the proxied connection (push)
<LAYER = IPPP, DEVICEPIN = <devicepin>, DOMAINNAME = kmtestd, CONNECTION_TYPE =
PUSH_CONN, CONNECTIONID = -432667474, DURATION(ms) = 600090, MFH_KBytes = 0,
MTH_KBytes = 10.477, MFH_PACKET_COUNT = 0, MTH_PACKET_COUNT = 4>
306
Administration Guide
BlackBerry MDS Connection Service log files
Information in BlackBerry MDS Connection Service log files for proxied connections to
BlackBerry devices
Attribute
LAYER
DEVICEPIN
DOMAINNAME
CONNECTION_TYPE
CONNECTIONID
DURATION(ms)
MFH_KBytes
MTH_KBytes
MFH_PACKET_COUNT
MTH_PACKET_COUNT
Description
protocol layer that the BlackBerry® MDS Connection Service uses to proxy
BlackBerry device connections
PIN or BlackBerry® Enterprise Server Express user ID of the BlackBerry
device that connects using a proxy server
domain that requests the BlackBerry device connection
initiator of the proxied connection, which can be either the BlackBerry
device user (DEVICE_CONN) or BlackBerry Enterprise Server Express
(PUSH_CONN )
unique identifier for an IPPP connection, where - (minus sign) indicates a
push connection
duration of the proxied BlackBerry device connection, in milliseconds
size of messages that the BlackBerry device sends, in KB
size of messages that the BlackBerry device receives, in KB
number of packets that the BlackBerry device sends
number of packets that the BlackBerry device receives
307
BlackBerry Enterprise Solution connection types and port numbers
Administration Guide
BlackBerry Enterprise Solution connection
types and port numbers
30
The BlackBerry® Enterprise Server Express components authenticate the port connections over a TCP/IP or UDP/IP
connection that uses SSL or TLS.
BlackBerry Administration Service connection types and
port numbers
Item
Connection
type
Default port
number
for a Microsoft® SQL Server®, incoming data
connections from, and outgoing data connections to,
the BlackBerry® Configuration Database
TCP
1433
UI where you can
configure the
connection
Windows® registry
•
•
308
On a 32-bit
version of
Windows:
HKEY_LOCAL_M
ACHINE
\SOFTWARE
\Research In
Motion
\BlackBerry
Enterprise
Server
\Database\Port
On a 64-bit
version of
Windows:
HKEY_LOCAL_M
ACHINE
\SOFTWARE
\WOW6432Nod
e\Research In
Motion
\BlackBerry
Enterprise
Server
\Database\Port
Administration Guide
BlackBerry Administration Service connection types and port numbers
Item
Connection
type
Default port
number
UI where you can
configure the
connection
BlackBerry
Configuration Panel
BlackBerry
Configuration Panel
incoming data connections from, and outgoing data
connections to, browsers
incoming data connections from, and outgoing data
connections to, BlackBerry® Enterprise Server
Express components
incoming data connections from, and outgoing data
connections to, BlackBerry Enterprise Server Express
components for HA JNDI
incoming data connections from, and outgoing data
connections to, a BlackBerry Administration Service
instance for local JNDI
internal data connection
HTTPS
3443
HTTP
18180
TCP
11100
BlackBerry
Configuration Panel
TCP
11099
BlackBerry
Configuration Panel
TCP
18083
incoming data connections from, and outgoing data TCP
connections to, BlackBerry Enterprise Server Express
components for Java® RMI
incoming data connections from, and outgoing data TLS
connections to, BlackBerry Enterprise Server Express
components for Java RMI over SSL
internal data connection
TCP
13873
BlackBerry
Configuration Panel
BlackBerry
Configuration Panel
internal data connection
TCP
28083
internal data connection
TLS
23843
internal data connection
TCP
21099
data connections between BlackBerry
Administration Service instances
UDP
multicast IP
address/port
13843
BlackBerry
Configuration Panel
14457
BlackBerry
Configuration Panel
BlackBerry
Configuration Panel
BlackBerry
Configuration Panel
BlackBerry
Configuration Panel
—
228.1.2.1/48858
228.1.2.1/48857
228.1.2.1/48855
data connections between BlackBerry
Administration Service instances using TCP ping
TCP
228.1.2.5/45588
first unused port
number from
17200 to 17209;
17400 to 17409;
BlackBerry
Administration
Service
309
Administration Guide
Item
BlackBerry Attachment Service connection types and port numbers
Connection
type
Default port
number
UI where you can
configure the
connection
17600 to 17609
and 17800 to
17809
BlackBerry Attachment Service connection types and port
numbers
Item
Connection
type
incoming document submissions from the BlackBerry® TCP
Attachment Service
outgoing conversion results to the BlackBerry
TCP
Attachment Connector
incoming connections and outgoing connections for
TCP
BlackBerry Administration Service configuration
incoming document queries from the BlackBerry
TCP
Attachment Service
outgoing conversion results of large attachments to the TCP
BlackBerry Attachment Connector for the BlackBerry
Attachment Service
incoming data connections from, and outgoing data
TCP
connections to, the BlackBerry Configuration Database
that a Microsoft® SQL Server® database hosts
Default port UI where you can configure
number
the connection
1900
BlackBerry Administration
Service
1900
BlackBerry Administration
Service
1999
BlackBerry Administration
Service
2000
BlackBerry Administration
Service
2000
BlackBerry Administration
Service
1433 (static
connection
s only)
Windows® registry
•
•
310
On a 32-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\Research In Motion
\BlackBerry
Enterprise Server
\Database\Port
On a 64-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\WOW6432Node
\Research In Motion
Administration Guide
Item
BlackBerry Configuration Database connection types and port numbers
Connection
type
Default port UI where you can configure
number
the connection
\BlackBerry
Enterprise Server
\Database\Port
BlackBerry Configuration Database connection types and
port numbers
Item
for a Microsoft® SQL Server®, incoming data
connections from, and outgoing data connections to,
any of the following BlackBerry® Enterprise Server
Express components:
• BlackBerry Administration Service
• BlackBerry Attachment Service
• BlackBerry Dispatcher
• BlackBerry MDS Connection Service
• BlackBerry Messaging Agent
• BlackBerry Policy Service
• BlackBerry Synchronization Service
Connection
type
TCP
Default port
number
1433 (for
static port)
UI where you can configure
the connection
BlackBerry Configuration
Panel
Windows® registry
•
•
On a 32-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\Research In Motion
\BlackBerry
Enterprise Server
\Database\Port
On a 64-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\WOW6432Node
\Research In Motion
\BlackBerry
Enterprise Server
\Database\Port
Related topics
Restarting BlackBerry Enterprise Server Express components, 272
311
BlackBerry Controller connection types and port numbers
Administration Guide
BlackBerry Controller connection types and port numbers
Item
incoming syslog connections from the BlackBerry®
Messaging Agent
Connection
type
UDP
Default port UI where you can configure
number
the connection
4070
Microsoft® Windows®
registry
•
•
outgoing syslog connections to the BlackBerry
Messaging Agent
312
UDP
port
number
that the
BlackBerry
Messaging
Agent
provides
—
On a 32-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\Research In Motion
\BlackBerry
Enterprise Server
\Logging Info
\Mailbox Agent
\SysLogHost
On a 64-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\WOW6432Node
\Research In Motion
\BlackBerry
Enterprise Server
\Logging Info
\Mailbox Agent
\SysLogHost
BlackBerry Dispatcher connection types and port numbers
Administration Guide
BlackBerry Dispatcher connection types and port numbers
Item
incoming data connections from the BlackBerry®
Messaging Agent
Connection
type
TCP
Default port UI where you can configure
number
the connection
5096
Windows® registry
•
•
incoming data connections from, and outgoing data
connections to, one or more of the following
BlackBerry® Enterprise Server Express components:
• BlackBerry MDS Connection Service
• BlackBerry Policy Service
• BlackBerry Synchronization Service
outgoing data connection that uses SRP to the
BlackBerry Router
incoming data connections from, and outgoing data
connections to, the BlackBerry Configuration Database
that a Microsoft® SQL Server® hosts
On a 32-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\Research In Motion
\BlackBerry
Enterprise Server
\Agents
\TcpPortDispatcher
On a 64-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\WOW6432Node
\Research In Motion
\BlackBerry
Enterprise Server
\Agents
\TcpPortDispatcher
TCP
3201
—
TCP
3101
TCP
1433
BlackBerry Administration
Service
Windows registry
•
On a 32-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\Research In Motion
313
BlackBerry Dispatcher connection types and port numbers
Administration Guide
Item
Connection
type
incoming data connection from the BlackBerry database
notification system
UDP
outgoing syslog connection to the SNMP agent
UDP
Default port UI where you can configure
number
the connection
\BlackBerry
Enterprise Server
\Database\Port
• On a 64-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\WOW6432Node
\Research In Motion
\BlackBerry
Enterprise Server
\Database\Port
first unused —
port
number
from 4185
to 4499
4071
Windows registry
•
•
314
On a 32-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\Research In Motion
\BlackBerrySNMPAg
ent\Parameters
\UDPPort
On a 64-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\WOW6432Node
\Research In Motion
\BlackBerrySNMPAg
ent\Parameters
\UDPPort
BlackBerry Messaging Agent connection types and port numbers
Administration Guide
BlackBerry Messaging Agent connection types and port
numbers
Item
outgoing data connections to the BlackBerry®
Dispatcher
incoming data connections from, and outgoing data
connections to, the BlackBerry Configuration Database
that a Microsoft® SQL Server® hosts
Connection
type
TCP
Default port UI where you can configure
number
the connection
5096
Windows® registry
•
TCP
1433
On a 32-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\Research In Motion
\BlackBerry
Enterprise Server
\Agents
\TcpPortDispatcher
• On a 64-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\WOW6432Node
\Research In Motion
\BlackBerry
Enterprise Server
\Agents
\TcpPortDispatcher
Windows registry
•
•
On a 32-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\Research In Motion
\BlackBerry
Enterprise Server
\Database\Port
On a 64-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\WOW6432Node
315
Administration Guide
BlackBerry Messaging Agent connection types and port numbers
Item
Connection
type
incoming syslog connections from the BlackBerry
Controller and CalHelper
UDP
outgoing syslog connections to the BlackBerry
Controller
UDP
outgoing syslog connections to the SNMP agent
UDP
Default port UI where you can configure
number
the connection
\Research In Motion
\BlackBerry
Enterprise Server
\Database\Port
first unused —
port
number
from 4085
to 4499
4070
Windows registry
•
4071
On a 32-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\Research In Motion
\BlackBerry
Enterprise Server
\Agents\SysLogHost
• On a 64-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\WOW6432Node
\Research In Motion
\BlackBerry
Enterprise Server
\Agents\SysLogHost
Windows registry
•
•
316
On a 32-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\Research In Motion
\BlackBerry
Enterprise Server
\Agents\UDPPort
On a 64-bit version of
Windows:
HKEY_LOCAL_MACHI
Administration Guide
BlackBerry MDS Connection Service connection types and port numbers
Item
Connection
type
incoming data connections from the BlackBerry
database notification system
UDP
incoming data connections from, and outgoing data
TCP
connections to, the IBM® Lotus® Domino® server, using
RPC
Default port UI where you can configure
number
the connection
NE\SOFTWARE
\WOW6432Node
\Research In Motion
\BlackBerry
Enterprise Server
\Agents\UDPPort
first unused —
port
number
from 4185
to 4499
1352
—
BlackBerry MDS Connection Service connection types and
port numbers
Item
if access control for push applications is turned on,
incoming connections for the HTTP listener port
if access control for push applications is turned on,
incoming connections for the HTTP listener port
incoming data connections from, and outgoing data
connections to, the BlackBerry Dispatcher
incoming data connections from, and outgoing data
connections to, the BlackBerry Configuration Database
that a Microsoft® SQL Server® hosts
Connection
type
HTTP
TCP
Default port UI where you can configure
number
the connection
8080
BlackBerry®
Administration Service
8443
BlackBerry Administration
Service
3201
—
TCP
1433
HTTPS
Windows® registry
•
On a 32-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\Research In Motion
\BlackBerry
Enterprise Server
\Database\Port
317
BlackBerry Policy Service connection types and port numbers
Administration Guide
Item
Connection
type
Default port UI where you can configure
number
the connection
•
outgoing syslog connections to the SNMP agent
UDP
4071
On a 64-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\WOW6432Node
\Research In Motion
\BlackBerry
Enterprise Server
\Database\Port
Windows registry
•
incoming data connections for reliable pushes
TCP
7874
On a 32-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\Research In Motion
\BlackBerrySNMPAg
ent\Parameters
\UDPPort
• On a 64-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\WOW6432Node
\Research In Motion
\BlackBerrySNMPAg
ent\Parameters
\UDPPort
BlackBerry Administration
Service
BlackBerry Policy Service connection types and port
numbers
Item
incoming data connections from, and outgoing data
connections to, the BlackBerry® Dispatcher
318
Connection
type
TCP
Default port UI where you can configure
number
the connection
3200
—
BlackBerry Router connection types and port numbers
Administration Guide
Item
incoming data connections from, and outgoing data
connections to, the BlackBerry Configuration Database
that a Microsoft® SQL Server® hosts
Connection
type
TCP
Default port
number
1433 (for
the static
port)
UI where you can configure
the connection
Windows® registry
•
•
incoming data connections from the BlackBerry
database notification system
UDP
first unused
port
number
from 4185
to 4499
On a 32-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\Research In Motion
\BlackBerry
Enterprise Server
\Database\Port
On a 64-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\WOW6432Node
\Research In Motion
\BlackBerry
Enterprise Server
\Database\Port
—
BlackBerry Router connection types and port numbers
Item
incoming data connections from the BlackBerry®
Dispatcher that use SRP
Connection
type
TCP
Default port UI where you can configure
number
the connection
3101
BlackBerry Configuration
Panel
Windows® registry
•
On a 32-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
319
BlackBerry Router connection types and port numbers
Administration Guide
Item
Connection
type
outgoing data connections to the BlackBerry®
Infrastructure that use SRP
TCP
Default port UI where you can configure
number
the connection
\Research In Motion
\BlackBerryRouter
\ServicePort
• On a 64-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\WOW6432Node
\Research In Motion
\BlackBerryRouter
\ServicePort
3101
BlackBerry Configuration
Panel
Windows registry
•
incoming data connections from, and outgoing data
connections to, BlackBerry devices that use the
BlackBerry® Device Manager to bypass the wireless
network and devices that connect using Wi-Fi®
TCP
4101
On a 32-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\Research In Motion
\BlackBerryRouter
\TcpPort
• On a 64-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\WOW6432Node
\Research In Motion
\BlackBerryRouter
\TcpPort
BlackBerry Device
Manager
Windows registry
•
320
On a 32-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
Administration Guide
BlackBerry Synchronization Service connection types and port numbers
Item
Connection
type
outgoing syslog connections to the SNMP agent
UDP
Default port UI where you can configure
number
the connection
\Research In Motion
\BlackBerryRouter
\DevicePort
• On a 64-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\WOW6432Node
\Research In Motion
\BlackBerryRouter
\DevicePort
4071
Windows registry
•
•
On a 32-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\Research In Motion
\BlackBerrySNMPAg
ent\Parameters
\UDPPort
On a 64-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\WOW6432Node
\Research In Motion
\BlackBerrySNMPAg
ent\Parameters
\UDPPort
BlackBerry Synchronization Service connection types and
port numbers
Item
incoming data connections from, and outgoing data
connections to, the BlackBerry® Dispatcher
Connection
type
TCP
Default port UI where you can configure
number
the connection
3200
—
321
IBM Lotus Domino connection types and port numbers
Administration Guide
Item
incoming data connections from, and outgoing data
connections to, the BlackBerry Configuration Database
that a Microsoft® SQL Server® hosts
Connection
type
TCP
Default port UI where you can configure
number
the connection
1433
Windows® registry
•
•
incoming data connections from the BlackBerry
database notification system
UDP
first unused
port
number
from 4185
to 4499
On a 32-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\Research In Motion
\BlackBerry
Enterprise Server
\Database\Port
On a 64-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\WOW6432Node
\Research In Motion
\BlackBerry
Enterprise Server
\Database\Port
—
IBM Lotus Domino connection types and port numbers
Item
incoming data connections from and outgoing data
connections to the IBM® Lotus® Domino® Web server
incoming data connections from and outgoing data
connections to the IBM Lotus Domino Web server
322
Connection
type
TCP/IP
SSL
Default port UI where you can configure
number
the connection
80
IBM Lotus Domino
Directory
443
IBM Lotus Domino
Directory
SNMP agent connection types and port numbers
Administration Guide
SNMP agent connection types and port numbers
Item
incoming syslog connections from the following
BlackBerry® Enterprise Server Express components:
• BlackBerry Messaging Agent
• BlackBerry Dispatcher
• BlackBerry Router
incoming syslog connections from SNMP queries and
traps
outgoing syslog connections from SNMP queries and
traps
Connection
type
UDP
Default port UI where you can configure
number
the connection
4071
Windows® registry
•
UDP
161
On a 32-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\Research In Motion
\BlackBerrySNMPAg
ent\Parameters
\UDPPort
• On a 64-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\WOW6432Node
\Research In Motion
\BlackBerrySNMPAg
ent\Parameters
\UDPPort
Windows registry
TCP
162
Windows registry
Syslog connection type and port number
Item
listener port for the BlackBerry® Enterprise Server
Express events
Connection
type
UDP
Default port UI where you can configure
number
the connection
514
Windows® registry
•
On a 32-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\Research In Motion
\BlackBerry
323
Syslog connection type and port number
Administration Guide
Item
324
Connection
type
Default port UI where you can configure
number
the connection
Enterprise Server
\Logging Info
\<component>\
(Default)
• On a 64-bit version of
Windows:
HKEY_LOCAL_MACHI
NE\SOFTWARE
\WOW6432Node
\Research In Motion
\BlackBerry
Enterprise Server
\Logging Info
\<component>\
(Default)
Administration Guide
Troubleshooting
Troubleshooting
31
Troubleshooting: Connecting to the BlackBerry
Administration Service
The web browser displays an HTTP 404 or HTTP 504 error message when it
tries to connect to a BlackBerry Administration Service instance
Possible cause
Possible solution
You created a BlackBerry® Administration Service pool Wait a few seconds and then try to click a link in the
using DNS round robin and you stopped the BlackBerry BlackBerry Administration Service console again. The
Administration Service services for the BlackBerry
web browser redirects you to an instance in the
Administration Service instance that you currently use. BlackBerry Administration Service pool that is running
Although you stopped the BlackBerry Administration
and the web browser displays the login page for the
Service services, it might take some time before the
instance.
BlackBerry Administration Service instance completes
the shutdown process. During this time, if the web
browser sends an HTTP request to the BlackBerry
Administration Service instance, the BlackBerry
Administration Service instance accepts the request
because the connection is still available. However, while
the BlackBerry Administration Service instance
processes the request, it completes its shutdown process
and the connection becomes unavailable. The web
browser displays an error message.
The BlackBerry Administration Service cannot connect
Verify the BlackBerry Administration Service can access
to the BlackBerry Configuration Database.
the BlackBerry Configuration Database. If necessary,
restart the BlackBerry Configuration Database.
Troubleshooting: BlackBerry Enterprise Server Express
Performance
A BlackBerry Enterprise Server Express that you installed remotely from the
BlackBerry Configuration Database uses an unexpected amount of system
resources and increases wireless network traffic
Possible cause
325
Administration Guide
Troubleshooting: BlackBerry Enterprise Server Express Performance
Once daily, the BlackBerry® Enterprise Server Express uses the BlackBerry Mailstore Service to refresh the user
information from your organization's address book in the BlackBerry Configuration Database. If multiple BlackBerry
Enterprise Server Express instances are associated with a BlackBerry Configuration Database, each BlackBerry
Enterprise Server Express instance tries to use a BlackBerry Mailstore Service to refresh the address book information
in the BlackBerry Configuration Database. The first BlackBerry Mailstore Service that starts the refresh process is
responsible for completing it.
If the BlackBerry Mailstore Service that is responsible for completing the refresh process is associated with a
BlackBerry Enterprise Server Express that is geographically remote from the BlackBerry Configuration Database, the
BlackBerry Mailstore Service can take an unexpected amount of time to complete the refresh process. The refresh
process can use an unexpected amount of system resources and increase wireless network traffic.
Possible solution
You can use TraitTool.exe to turn off the address book refresh feature for BlackBerry Enterprise Server Express
instances that are geographically remote from the BlackBerry Configuration Database. As a result, BlackBerry
Enterprise Server Express instances that are located geographically close to the BlackBerry Configuration Database
can use the BlackBerry Mailstore Service to refresh the user information from your organization's address book in
the BlackBerry Configuration Database.
TraitTool.exe is located in the Tools directory on the BlackBerry Enterprise Server Express installation media.
1.
At the command prompt, navigate to the folder that TraitTool.exe is located in.
2.
Type: TraitTool -host <name> -trait MailstoreAddressRefreshEnabled -set False, where <name> is the name
of the BlackBerry Enterprise Server Express instance.
3.
Press ENTER.
To turn on the address book refresh feature for a BlackBerry Enterprise Server Express again, use the same command
with a value of True.
Microsoft SQL Server uses a considerable amount of disk space
Possible cause
Reorganizing or rebuilding an index in Microsoft® SQL Server® can cause the size of the transaction log file in the
BlackBerry® Configuration Database to grow larger than expected.
Possible solution
Add the following tasks to the end of your organization's regular maintenance plan:
1.
Perform a complete backup of the transaction log file.
2.
Perform a shrink log file task on the transaction log file.
326
Administration Guide
Troubleshooting: Using IBM Lotus Notes encryption
Troubleshooting: Using IBM Lotus Notes encryption
The BlackBerry device does not prompt the user for the Notes .id password
when it decrypts an IBM Lotus Notes encrypted message
After you configure the Notes Native Encryption Password Timeout IT policy rule to prevent the BlackBerry® device
from storing the user's Notes .id password, the BlackBerry device does not prompt the user for the Notes .id password
to decrypt messages that are encrypted using IBM® Lotus Notes® encryption.
Possible cause
You did not prevent the BlackBerry® Enterprise Server Express from storing the Notes .id password that it uses to
decrypt messages.
Possible solution
1.
On the computer that hosts the BlackBerry Enterprise Server Express, on the Start menu, click Run.
2.
Type regedit.
3.
Click OK.
4.
In the left pane, navigate to HKEY_LOCAL_MACHINE\Software\Research in Motion\BlackBerry Enterprise
Server.
5.
Click Agents.
6.
Create a DWORD value that you name SECMSGPasswordCacheTimeout.
7.
Double-click SECMSGPasswordCacheTimeout.
8.
In the Value Data field, type 0.
9.
Click OK.
Troubleshooting: Setting up user accounts
You cannot create a user account in the BlackBerry Administration Service
Possible cause
Possible solution
The BlackBerry® Administration
Configure the BlackBerry Administration Service to use a dynamic port for
Service is configured to use static
the BlackBerry Configuration Database.
ports when it connects to the
BlackBerry Configuration Database 1. On the computer that hosts the BlackBerry® Enterprise Server Express
or BlackBerry Enterprise Server Express components, on the taskbar,
server, but the BlackBerry
click
Start > Programs > BlackBerry Enterprise Server > BlackBerry
Configuration Database server uses
Server
Configuration.
a dynamic port.
327
Troubleshooting: Messaging
Administration Guide
Possible cause
Possible solution
2.
On the Database Connectivity tab, select the Use dynamic ports or
specify SQL port check box.
3.
Click OK.
4.
In the Windows® Services, restart the services for the BlackBerry
Administration Service.
You upgraded a BlackBerry
1.
Enterprise Server Express and when
you search for a user account in the
BlackBerry Administration Service,
2.
the BlackBerry Administration
Service cannot find the user
account. The BlackBerry Mail Store
Service cannot connect to your
organization’s contact list and
synchronize the contact list to the
BlackBerry Configuration Database.
Verify that you configured the MailServer property in the notes.ini file
on the computer that hosts the BlackBerry Enterprise Server Express
for an IBM® Lotus® Domino® server that is running.
Using the local system account, restart the Lotus Domino server that
is running on the computer that hosts the BlackBerry Enterprise Server
Express.
You cannot find a new user account in the directory using the BlackBerry
Administration Service
Possible solution
Refresh the list of available user accounts that the BlackBerry® Administration Service can access from the directory.
By default, the BlackBerry Administration Service refreshes the list of available user accounts at 12:30 AM daily.
1.
In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution
topology > BlackBerry Domain > Component view.
2.
Click Email.
3.
Click Refresh available user list from company directory.
The background process to refresh the user list starts. The amount of time that the BlackBerry Administration Service
requires to refresh the user list depends on the size of the directory.
Troubleshooting: Messaging
Messages are not delivered to BlackBerry devices
Possible cause
328
Troubleshooting: BlackBerry Web Desktop Manager
Administration Guide
A third-party application used the BlackBerry® Enterprise Server Express extension API to filter messages that the
BlackBerry Enterprise Server Express sends to BlackBerry devices.
Possible solution
1.
On the computer that stores the BlackBerry Enterprise Server Express event logs, navigate to <drive>:\Program
Files\Research In Motion\BlackBerry Enterprise Server\Logs.
2.
Search for an event that indicates a third-party application filtered a message (for example, [30425] (07/25
00:11:10.274):{0x1700} {[email protected]} Message is requested to be blocked. EntryId=123786).
3.
Perform one of the following actions:
• Remove the third-party application that uses the BlackBerry Enterprise Server Express extension API.
• Change the third-party application so that it does not filter messages.
Troubleshooting: BlackBerry Web Desktop Manager
Troubleshooting: Users cannot log in to the BlackBerry Web Desktop
Manager
Possible cause
Possible solution
You might have specified an incorrect URL for the
Change the BlackBerry Configuration Database URL.
BlackBerry® Configuration Database during the
BlackBerry Administration Service installation process.
You might have specified an incorrect URL for the IBM® Change the IBM Lotus Domino server URL.
Lotus® Domino® server during the BlackBerry
Administration Service installation process.
Troubleshooting: Connections to the Wi-Fi network
A BlackBerry device cannot connect to a Wi-Fi network
Possible cause
On the BlackBerry® device, Wi-Fi®
connections are not turned on.
A Wi-Fi profile is not configured on
the BlackBerry device.
Possible solution
1.
On the BlackBerry device, on the Home screen, click Manage
Connections.
2.
Click Wi-Fi Options.
3.
In the Wi-Fi field, verify that a checkmark appears.
1.
On the BlackBerry device, on the Home screen, click Manage
Connections.
2.
In the Wi-Fi field, verify that the name of the Wi-Fi network appears.
329
Administration Guide
Possible cause
Troubleshooting: Connections to the Wi-Fi network
Possible solution
If the name does not appear, resend the IT policy to the BlackBerry device,
or instruct the user to configure a Wi-Fi profile on the BlackBerry device.
Move the BlackBerry device into a wireless coverage area.
The BlackBerry device is not in the
wireless coverage area of a wireless
access point that has an SSID that is
stored in one of the profiles on the
BlackBerry device.
The SSID of the access point is not
Check the SSID status indicator in the Wi-Fi status indicator group. The SSID
configured on the BlackBerry device. is case-sensitive.
The Wi-Fi settings on the BlackBerry
device, IT policy, or Wi-Fi profile
were not configured correctly.
The user account is not configured
correctly.
The BlackBerry device is not
assigned to the correct user account.
The BlackBerry Enterprise Server
Express cannot connect to the
BlackBerry device.
The settings in the IT policy or Wi-Fi
profile were not sent to the
BlackBerry device.
The BlackBerry device is not using
the same channel as the access
point.
If the SSID status indicator is not correct, run Set up Wi-Fi in the Setup Wizard
on the BlackBerry device again.
Perform any of the following actions:
• Using the BlackBerry® Enterprise Server Express, resolve any issues
with the IT policy and Wi-Fi profile. Resend the IT policy to the
BlackBerry device.
• On the BlackBerry device, run Set up Wi-Fi in the Setup Wizard again.
In the BlackBerry Administration Service, resolve any issues with the user
account.
In the BlackBerry Administration Service, assign the correct BlackBerry
device to the user account.
Perform the following actions:
• Ping the BlackBerry device from the BlackBerry Enterprise Server
Express.
• Resolve any connection issues in your organization’s network and with
the BlackBerry Router.
Resend the IT policy to the BlackBerry device.
Perform the following actions:
• Use a wireless device, such as a laptop computer, to test the association
with the access point. Use the settings that the BlackBerry uses to
configure the wireless connection.
• Use a wireless device, such as a computer, to ping the BlackBerry
Router. The ping tests whether the BlackBerry Router is on the ACL of
the access point.
• If access point logs are available, view the logs to determine the error
that occurred.
For more information, see the documentation for your organization’s
access points.
330
Troubleshooting: Connections to the Wi-Fi network
Administration Guide
Possible cause
The authentication method is not
configured correctly.
Possible solution
In the BlackBerry Administration Service, verify the configuration
information for the authentication method.
•
•
•
•
•
The static IP address and DHCP for
the BlackBerry device are not
configured correctly.
Low signal strength is causing
intermittent drops in data
connectivity.
If a WEP key or PSK is required, verify that the key is configured
correctly.
For WEP authentication, verify that the access point is configured to
not filter the MAC address of the BlackBerry device.
For LEAP authentication, verify that the user’s authentication
credentials are correct.
For PEAP authentication, verify that the user’s authentication
credentials are correct.
For EAP-TLS authentication, verify that the EAP-TLS certificate for the
user account is correct.
Verify that the correct authentication method is configured on the access
point and BlackBerry device.
Perform any of the following actions:
• If a static IP address is configured, verify that the parameters such as
the subnet mask, default gateway IP address, and DNS IP address are
configured correctly.
• If the BlackBerry device uses DHCP, verify that the BlackBerry device
can obtain a valid IP configuration (for example, an IP address, subnet
mask, default gateway IP address, or DNS IP address).
• Verify that a wireless device, such as a laptop computer, can connect
to the network using DHCP and obtain an IP address.
• Verify in the DHCP logs, if they are available, that a DHCP was granted
to the BlackBerry device.
Move the BlackBerry device into a wireless coverage area.
1.
On the BlackBerry device, in the device options, click Wi-Fi
Connections.
2.
Press the Menu key.
3.
Click Wi-Fi Tools > Wi-Fi Diagnostics.
4.
Verify the information in the status fields for the following connection
groups:
• Wi-Fi
• VPN
• UMA/GAN (if your organization's mobile network provider
supports UMA or GAN and you subscribed for the service)
331
Troubleshooting: Connections to the Wi-Fi network
Administration Guide
Possible cause
Possible solution
•
•
5.
BlackBerry Infrastructure
Enterprise
To view more diagnostic information, press the Menu key and click
Options. In the Display Mode drop-down list, click Advanced.
A user cannot see Wi-Fi connection settings on a Wi-Fi enabled BlackBerry device
Possible cause
The Wi-Fi® enabled BlackBerry® device is not configured to permit a user to make changes to the Wi-Fi configuration
settings.
Possible solution
1.
In the BlackBerry Administration Service, change the WLAN Allowed Handheld Changes configuration setting
in the Wi-Fi profile to Yes.
2.
Resend the IT policy to the BlackBerry device.
Status indicators
The status indicators for Wi-Fi® diagnostic information on a BlackBerry device show the status of the BlackBerry®
device connection to a Wi-Fi network.
Indicator
black
yellow or white
green
red
Description
This indicator displays when you or a user did not configure a Wi-Fi network
for a BlackBerry device.
This indicator displays when a BlackBerry device tries to connect to a Wi-Fi
network but has not connected yet.
This indicator displays when a BlackBerry device is connected to a Wi-Fi
network.
This indicator displays when a connection error exists between the
BlackBerry device and a Wi-Fi network.
Status fields for Wi-Fi connections
Field
Current Profile
SSID
Description
This field specifies the name of the Wi-Fi® profile that the user is currently using.
This field specifies the identifier for the Wi-Fi network.
When the BlackBerry® device displays an SSID value, the BlackBerry device is
connected to a network, and the name of the network appears.
332
Administration Guide
Field
AP MAC Address
Security Type
Association
Authentication
Local IP Address
Signal Level
Connection Data Rate
Status
Network Type
Network Channel
Pairwise Cipher
Troubleshooting: Connections to the Wi-Fi network
Description
This field specifies the MAC address of the wireless access point that the BlackBerry
device is associated with.
When the BlackBerry device displays a value for the AP MAC Address, the BlackBerry
device is associated with the access point.
This field specifies the following link security methods:
• No Security
• WEP
• PSK
• PEAP
• LEAP
• EAP-TLS
• EAP-FAST
• EAP-TTLS
When the BlackBerry device displays the link security method, the security on the
Wi-Fi connection is turned on and active.
This field shows the status of the BlackBerry device connection to the access point.
The status indicators are the following icons:
• green check mark: The authentication key is applied, authentication is
complete, and keys are used to decrypt packets.
• black filled circle: No network connection exists, or no profile exists for an
association to a specific access point.
This field shows the status of the authentication process on the BlackBerry device.
This field specifies the IP address of the BlackBerry device. When a BlackBerry device
displays a value, it displays the network that the BlackBerry device is associated
with.
The field specifies the current signal strength of the BlackBerry device. The value is
based on the signal percentage level, from none to excellent.
This field specifies the data rate in Mbps. IEEE® 802.11b™ has a data rate of 11 Mbps,
and IEEE® 802.11a™ and IEEE® 802.11g™ have a data rate of 54 Mbps.
This field provides a descriptive status message, such as "Status acquired". It also
specifies warnings and errors that a user encountered when the user tried to open
a connection to an access point.
This field specifies whether the wireless connection type is IEEE 802.11a, IEEE
802.11b, or IEEE 802.11g.
This field specifies the IEEE 802.11 channel that the access point uses.
This field specifies information about how the access point manages encryption
keys for a user account on the network. You can configure an access point to support
multiple pairwise ciphers. You can use a pairwise cipher with a group cipher.
333
Troubleshooting: Connections to the Wi-Fi network
Administration Guide
Field
Group Cipher
Description
This field specifies information about how the access point manages encryption
keys for all user accounts on the network or locally. You can use a pairwise cipher
with a group cipher.
The group ciphers have one of the following values:
• None
• WEP 40
• WEP 104
• TKIP
• AES-CCMP
Gateway Address
DHCP
Primary DNS
Secondary DNS
DNS Suffix
Subnet Mask
Server Domain Suffix
Certificate
Software Token
An access point that you configure to support multiple pairwise ciphers is only as
strong as the weakest pairwise cipher.
This field specifies the IP address of the gateway that routes any packets that the
gateway sends outside the local network. In an enterprise Wi-Fi network, this field
specifies the IP address of the organization’s LAN gateway. In a personal Wi-Fi
network, this field specifies the internal IP address of the router for the home
network.
This field specifies the status of the DHCP connection to the BlackBerry device. When
a check mark displays, DHCP is complete.
This field specifies the address of an optional computer that translates host names
into IP addresses.
This field specifies the address of an optional computer that translates host names
into IP addresses. The BlackBerry device can use the secondary DNS server if the
primary DNS is not available.
This field specifies the domain name suffix, such as .com or .org.
This field specifies information about the subnet base for the IP address tha the
access point assigned to the BlackBerry device.
This field specifies the domain name suffix for the network that the BlackBerry
device is associated with.
This field specifies the certificate that the BlackBerry device can use for Wi-Fi
authentication, if applicable.
If you configured a software token for the BlackBerry device, this field specifies the
serial number of the software token.
Status fields for VPN connections
Field
Current Profile
Concentrator Address
334
Description
This field specifies the name of the VPN profile that the user is using.
This field specifies the IP address of the VPN concentrator.
Troubleshooting: Connections to the Wi-Fi network
Administration Guide
Field
Contact
Authentication
Secure Device IP
Status
Resolving Concentrator
Concentrator IP
Primary DNS
Secondary DNS
DNS Suffix
Secure Subnet Mask
Retry at
Session Lifetime
Re-login at
Failed Login Attempts
Certificate
Software Token
Description
This field displays the status of the BlackBerry® device connection with the
VPN concentrator. A green check mark appears when the BlackBerry device
connects with the VPN concentrator.
This field displays the status of the VPN authentication on the BlackBerry
device. If the last authentication attempt was not successful, the field
specifies an error state.
This field specifies the IP address of the BlackBerry device on the private
network that the VPN protects.
This field specifies a current status message, such as "Error: Link down".
This field specifies that the IP address of the VPN concentrator was verified.
This field specifies the IP address of the VPN concentrator.
When a VPN session is open, this field specifies the DNS address that
corresponds to the primary DNS of the VPN concentrator. If a VPN session
is not open, this field specifies the Wi-Fi® address.
This field specifies the address of an optional computer that translates host
names into IP addresses. The BlackBerry device uses the secondary DNS
server if the primary DNS is not available.
This field specifies the domain that the BlackBerry device uses to resolve
addresses on the enterprise Wi-Fi network.
This field specifies the subnet mask of the BlackBerry device on the private
network that the VPN protects. The subnet mask and IP address provide
information about the subnet that the BlackBerry device has connected to.
If a BlackBerry cannot log in, this field specifies the next date and time that
the BlackBerry device can try to log in.
This field specifies the length of time, in seconds, that the BlackBerry device
maintains the VPN session before the BlackBerry device renegotiates the
session.
This field specifies the length of the periodic rollover or new login period.
The BlackBerry device obtains this information from the VPN concentrator.
This field specifies the number of login attempts that are not successful. If
a user logs in, the field is cleared and reverts to 0 automatically.
This field specifies the certificate that the BlackBerry device uses for VPN
authentication, if applicable.
If you configured a software token for the BlackBerry device, this field
specifies the serial number of the software token.
Status fields for UMA or GAN connections
If your organization's mobile network provider supports UMA or GAN and your organization subscribes to this service,
a UMA/GAN connection group is present on the BlackBerry® device.
335
Troubleshooting: Connections to the Wi-Fi network
Administration Guide
Field
Connection Preference
UMA Wi-Fi Available
Connection
Status
Registered UNC Address
Registration
Authentication
Serving UNC Address
Security Gateway IP
Cellular information
Cellular handover to UMA failures
Cellular rove-in failures
Description
This field specifies how the BlackBerry device tries to connect to the mobile
network provider’s voice and data services. Using the following settings,
you or the user can configure how the BlackBerry device accesses the mobile
network provider’s voice and data services:
• Wi-Fi Preferred: If possible, the BlackBerry device uses a Wi-Fi®
connection. When the user is not in a wireless coverage area, the
BlackBerry device uses a mobile network connection.
• Wi-Fi Only: The BlackBerry device uses a Wi-Fi connection only.
• Mobile Network Only: The BlackBerry device uses a mobile network
connection to the mobile network provider only.
• Mobile Network Preferred: If possible, the BlackBerry device uses a
mobile network connection but the BlackBerry device can also use a
Wi-Fi connection.
This field specifies whether the user has a UMA profile.
You can safely ignore this status field.
This field specifies whether the BlackBerry device is connected over UMA.
This field specifies the status of the UMA connection.
This field specifies the IP address or FQDN of the UNC.
This field specifies whether the BlackBerry device is registered with the UNC.
This field specifies whether the BlackBerry device is authenticated with the
UNC.
This field specifies the UNC that the BlackBerry device is connected to.
This field specifies the IP address of the mobile network provider’s security
gateway.
This field specifies the GSM® cellular information as received from or sent
to the UNC, MNC, MCC, mobile network ID (also known as Cell ID) of the
BlackBerry device, and ARFCN.
This field specifies errors that the BlackBerry device received during the
transition from one network type to the other when the user is on a call.
This field specifies errors that the BlackBerry device received during the
transition from one network type to the other when the BlackBerry device
is idle.
Status fields for BlackBerry Infrastructure connections
The connection status indicators for the BlackBerry® Infrastructure appear on a BlackBerry device when a user makes
a Wi-Fi® connection or tries to make a Wi-Fi connection.
336
Troubleshooting: Connections to the Wi-Fi network
Administration Guide
Field
Address Used
IP Used
Connecting
Authenticating router
Authenticating server
Last Contact At
Description
This field specifies the host name or IP address and port number that the
BlackBerry device uses to connect to the BlackBerry Infrastructure.
This field specifies the host name or IP address and port number that the
BlackBerry device uses to connect to the BlackBerry Infrastructure.
This field specifies the IP address and port number that the BlackBerry
device uses to connect to the BlackBerry Infrastructure.
This field specifies the IP address of the server that performs authentication,
if applicable.
This field specifies the IP address of the server that performs authentication.
This field specifies the last time that the BlackBerry device had contact with
the BlackBerry® Enterprise Server Express through the BlackBerry
Infrastructure.
Status fields for Enterprise connections
Field
UIDs
Address Used
IP Used
Connecting
Authenticating router
Authenticating server
Last Contact At
Description
This field specifies the SRP UID of the BlackBerry® Enterprise Server Express
that hosts the user account for the BlackBerry device.
This field specifies the host name or IP address and port number that the
BlackBerry device uses to connect to the BlackBerry® Infrastructure.
This field specifies the host name or IP address and port number that the
BlackBerry device uses to connect to the BlackBerry Infrastructure.
This field specifies the IP address and port number that the BlackBerry
device uses to connect to the BlackBerry Infrastructure.
This field specifies the IP address of the server that performs authentication,
if applicable.
This field specifies the IP address of the server that performs authentication.
This field specifies the last time that the BlackBerry device had contact with
the BlackBerry Enterprise Server Express through the BlackBerry
Infrastructure.
A BlackBerry device cannot open a VPN connection
Possible cause
The connection to the VPN
concentrator is not configured
correctly.
Possible solution
•
•
•
Verify that the VPN is turned on.
Ping the IP address of the VPN concentrator.
Verify that the VPN concentrator host name resolves to an IP address.
If it does not, configure the VPN IP address.
337
Troubleshooting: Connections to the Wi-Fi network
Administration Guide
Possible cause
The VPN authentication method is
not configured correctly.
Possible solution
•
•
Verify that the VPN server supports the security parameters.
Verify that the VPN login information for the user account are correct.
A BlackBerry device cannot connect to the mobile network using UMA or
GAN
Possible cause
The UMA connection is not
configured correctly.
The UMA profile is not configured
correctly.
The BlackBerry device is not
connected to the Wi-Fi® network or
has not registered on a UNC.
Possible solution
1.
On the BlackBerry® device, in the device options, click Mobile Network.
2.
Verify that Wi-Fi Preferred is selected.
3.
On the Mobile Network screen, verify that the Connection Preference
icon is displayed.
4.
If the Connection Preference icon does not display, at the Network
icon, type ALT-GANN to turn on UMA connectivity.
1.
On the BlackBerry device, in the device options, click UMA.
2.
Verify whether a UMA profile exists.
3.
If a UMA profile does not exist, create one using the credentials of the
mobile network provider.
4.
Verify that for the currently selected UMA profile, the mobile network
provider’s security gateway certificate field is not empty and is
associated with a certificate for the corresponding mobile network
provider.
1.
On the BlackBerry device, on the Wi-Fi Diagnostics screen, verify that
the BlackBerry device is connected to a Wi-Fi network.
2.
Connect a computer to the wireless access point.
3.
To verify the IP address of the BlackBerry device, on the Wi-Fi
Diagnostics screen, ping the computer.
4.
If you do not receive a response to the ping, the reason for this error
is an issue on the Wi-Fi network.
5.
If you receive a response to the the ping but the BlackBerry device does
not display a success message, check the Status field for a reason for
this error.
Verify whether a BlackBerry device can resolve an IP address
If a BlackBerry® device cannot connect to a Wi-Fi® network, you can determine which connections the BlackBerry
device cannot make to it. You can ping the IP address of another wireless device, the Wi-Fi gateway, a VPN
concentrator, the UNC of the mobile network provider, or the BlackBerry Router.
338
Administration Guide
Troubleshooting: BlackBerry Administration Service pools
A user can ping network servers from a BlackBerry device to check the availability and responsiveness of network
servers.
1.
2.
3.
4.
On the BlackBerry device, on the Home screen, click Manage connections.
Click Wi-Fi Options.
Press the Menu key, and click Wi-Fi Tools > Ping.
In the Ping Type field, perform one of the following actions:
• To ping another wireless device, click IP or Name.
• To ping the BlackBerry device, click Self.
• To ping the security gateway, click WLAN Gateway.
• To ping the VPN concentrator, click VPN Concentrator.
• To ping the UNC of the mobile network provider, click UNC.
• To ping the BlackBerry Router, click BBR.
5.
6.
7.
In the Ping to field, type the IP address that you want to ping.
In the Number of Pings field, type the number of times that you want to ping the IP address.
On the menu, click Send ping.
Look up a computer name to resolve an IP address
Using a BlackBerry® device, a user can look up a computer name in the DNS server to resolve network or domain
names and IP addresses.
1.
2.
3.
4.
5.
6.
On the BlackBerry device, on the Home screen, click Manage connections.
Click Wi-Fi Options.
Press the Menu key and click Wi-Fi Tools > DNS Lookup.
In the Host field, type a name or an IP address that you want to look up.
Press the Menu key and click DNS Lookup.
Press the Menu key and click Send ping.
Troubleshooting: BlackBerry Administration Service pools
BlackBerry Administration Service instances located in different network
segments are not connecting to each other
Possible cause
If BlackBerry® Administration Service instances are located in different network segments that are separated by a
firewall, the firewall can block the dynamic ports on the BlackBerry Administration Service.
Possible solution
Perform the following actions:
339
Administration Guide
Troubleshooting: BlackBerry Administration Service pools
1.
Make sure that you configured the BlackBerry Administration Service instances to communicate across network
subnets using TCP with TCP ping, instead of multicast UDP.
2.
On each computer that hosts a BlackBerry Administration Service instance, navigate to <drive>:\Program Files
\Research in Motion\BlackBerry Enterprise Server\BAS\server\default\conf.
3.
In a text editor, open service-port-bindings.xml.
4.
Move the line <attribute name ="secondaryBindPort'">xyz</attribute> that is located inside the comment tags
outside of the comment tags.
5.
Change xyz to an available port, for example port 14458.
6.
Add the port that you configured in step 5 to the firewall.
340
Administration Guide
Glossary
Glossary
32
AAA
Authentication, Authorization, Accounting
AES
Advanced Encryption Standard
ACL
An access control list (ACL) is a list of permissions that are associated with an object, such as a file, directory, or
other network resource. It specifies which users or components have permission to perform specific operations
on an object.
ACP
ANSI® code page
AES
Advanced Encryption Standard
AES-CCMP
Advanced Encryption Standard Counter Mode CBCMAC Protocol
ANSI
American National Standards Institute
API
application programming interface
ARFCN
absolute radio frequency channel
ASCII
American Standard Code for Information Interchange
BCC
blind carbon copy
BlackBerry CAL
A BlackBerry® Client Access License (BlackBerry CAL) limits how many users you can add to a BlackBerry®
Enterprise Server.
BlackBerry Domain
A BlackBerry Domain consists of the BlackBerry Configuration Database with its users and any BlackBerry®
Enterprise Server instances that connect to it.
341
Administration Guide
Glossary
BlackBerry MDS
BlackBerry® Mobile Data System
BlackBerry transport layer encryption
BlackBerry transport layer encryption (formerly known as standard BlackBerry encryption) uses a symmetric key
encryption algorithm to help protect data that is in transit between a BlackBerry device and the BlackBerry®
Enterprise Server when the data is outside an organization's firewall.
CDMA
Code Division Multiple Access
CLDC
Connected Limited Device Configuration
CMIME
Compressed Multipurpose Internet Mail Extension
content protection
Content protection helps protect user data on a locked BlackBerry device by encrypting the user data using the
content protection key and ECC private key.
CRL
certificate revocation list
CSR
certificate signing request
DES
Data Encryption Standard
device transport key
The device transport key (formerly known as the master encryption key) is unique to a BlackBerry device. The
BlackBerry device and BlackBerry® Enterprise Server use the device transport key to encrypt the message keys.
DFS
distributed file system
DHCP
Dynamic Host Configuration Protocol
DIIOP
Domino Internet Inter-ORB Protocol
DNS
342
Administration Guide
Glossary
A Domain Name System (DNS) is an Internet database that translates domain names that are meaningful and
recognizable by people into the numeric IP addresses that the Internet uses.
DOM
Document Object Model
DSML
Directory Service Markup Language
DSML-enabled server
A BlackBerry device uses a DSML-enabled server to search for and download certificates.
EAP-FAST
Extensible Authentication Protocol Flexible Authentication via Secure Tunneling
EAP-GTC
Extensible Authentication Protocol Generic Token Card
EAP-TLS
Extensible Authentication Protocol Transport Layer Security
EAP-TTLS
Extensible Authentication Protocol Tunneled Transport Layer Security
EAP
Extensible Authentication Protocol
Enterprise Service Policy
The Enterprise Service Policy controls which BlackBerry devices can connect to a BlackBerry® Enterprise Server.
ETP
Email Transfer Protocol
FQDN
fully qualified domain name
GAN
generic access network
gateway message envelope
343
Administration Guide
Glossary
The gateway message envelope protocol is a Research In Motion proprietary protocol that allows the transfer
of compressed and encrypted data between the wireless network and BlackBerry devices. The protocol defines
a routing layer that specifies the types of message contents allowed and the addressing information for the data.
Gateways and routing components use this information to identify the type and source of the BlackBerry device
data, and the appropriate destination service to route the data to.
GPO
Group Policy Object
GPS
Global Positioning System
HTML
Hypertext Markup Language
HTTP
Hypertext Transfer Protocol
HTTPS
Hypertext Transfer Protocol over Secure Sockets Layer
IIS
Internet Information Services
IP address
An Internet Protocol (IP) address is an identification number that each computer or mobile device uses when it
sends or receives information over a network, such as the Internet. This identification number identifies the
specific computer or mobile device on the network.
IPPP
Internet Protocol Proxy Protocol
IPsec
Internet Protocol Security
IT administration command
An IT administration command is a command that you can send over the wireless network to protect sensitive
information on a BlackBerry device or delete all BlackBerry device data.
IT policy
An IT policy consists of various IT policy rules that control the security features and behavior of BlackBerry
smartphones, BlackBerry® PlayBook™ tablets, the BlackBerry® Desktop Software, and the BlackBerry® Web
Desktop Manager.
344
Administration Guide
Glossary
IT policy rule
An IT policy rule permits you to customize and control the actions that BlackBerry smartphones, BlackBerry®
PlayBook™ tablets, the BlackBerry® Desktop Software, and the BlackBerry® Web Desktop Manager can perform.
Java ME
Java® Platform, Micro Edition
JDE
Java® Development Environment
JNDI
Java® Naming and Directory Interface
JRE
Java® Runtime Environment
LAN
local area network
LDAP
Lightweight Directory Access Protocol
LDAPS
Lightweight Directory Access Protocol over SSL
LEAP
Lightweight Extensible Authentication Protocol
LED
light-emitting diode
LTPA
Lightweight Third-Party Authentication
MAC
message authentication code
MCC
mobile country code
messaging server
A messaging server sends and processes messages and provides collaboration services, such as updating and
communicating calendar and address book information.
345
Administration Guide
MIDP
Mobile Information Device Profile
MIME
Multipurpose Internet Mail Extensions
MNC
mobile network code
MTLS
Mutual Transport Layer Security
NAT
network address translation
NSD
name server daemon
NTLM
NT LAN Manager
OCSP
Online Certificate Status Protocol
OEM
original equipment manufacturer
PAC
proxy auto-configuration
PAP
Push Access Protocol
PEAP
Protected Extensible Authentication Protocol
PIM
personal information management
PIN
personal identification number
PKCS
Public-Key Cryptography Standards
346
Glossary
Administration Guide
Glossary
PKI
Public Key Infrastructure
PSK
pre-shared key
RMI
Record Management System
RTF
Rich Text Format
SAN
subject alternative name
S/MIME
Secure Multipurpose Internet Mail Extensions
SMS
Short Message Service
SMTP
Simple Mail Transfer Protocol
SNMP
Simple Network Management Protocol
SPN
service principal name
SQL
Structured Query Language
SRP
Server Routing Protocol
SRP ID
The SRP ID is a unique identifier for the BlackBerry® Enterprise Server that the BlackBerry Enterprise Server uses
to identify itself to the BlackBerry® Infrastructure during SRP authentication.
SSID
service set identifier
SSL
347
Administration Guide
Glossary
Secure Sockets Layer
TCP
Transmission Control Protocol
TCP/IP
Transmission Control Protocol/Internet Protocol (TCP/IP) is a set of communication protocols that is used to
transmit data over networks, such as the Internet.
TKIP
Temporal Key Integrity Protocol
TLS
Transport Layer Security
Triple DES
Triple Data Encryption Standard
UCS
Universal Content Stream
UDP/IP
User Datagram Protocol/Internet Protocol
UDP
User Datagram Protocol
UID
unique identifier
UMA
Unlicensed Mobile Access
UNC
Universal Naming Convention
USB
Universal Serial Bus
UTF
UCS Transformation Format
UTF-8
8-bit UCS/Unicode Transformation Format
348
Administration Guide
Glossary
UTF-16LE
UCS Transformation Format 16 Little Endian
VPN
virtual private network
VoIP
Voice over Internet Protocol
WAP
Wireless Application Protocol
WEP
Wired Equivalent Privacy
WLAN
wireless local area network
XML
Extensible Markup Language
349
Administration Guide
Provide feedback
To provide feedback on this deliverable, visit www.blackberry.com/docsfeedback.
350
Provide feedback
33
Administration Guide
Legal notice
Legal notice
34
©2011 Research In Motion Limited. All rights reserved. BlackBerry®, RIM®, Research In Motion®, and related
trademarks, names, and logos are the property of Research In Motion Limited and are registered and/or used in the
U.S. and countries around the world.
Adobe and Acrobat are trademarks of Adobe Systems Incorporated. ANSI is a trademark of the American National
Standards Institute. Apache Tomcat is a trademark of The Apache Software Foundation. Bluetooth is a trademark of
Bluetooth SIG. Cisco is a trademark of Cisco Systems, Inc. Corel and WordPerfect are trademarks of Corel Corporation.
Eclipse is a trademark of Eclipse Foundation, Inc. Entrust Authority is a trademark of Entrust, Inc. GSM is a trademark
of the GSM MOU Association. IBM, DB2, Domino, Lotus, Lotus iNotes, Lotus Notes, Lotus Symphony, and Sametime
are trademarks of International Business Machines Corporation. IEEE, IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, and
802.1X are trademarks of the Institute of Electrical and Electronics Engineers, Inc. Linux is a trademark of Linus
Torvalds. Java, JavaScript, and JRE are trademarks of Oracle America, Inc. Kerberos is a trademark of the
Massachusetts Institute of Technology. Microsoft, Active Directory, ActiveX, Excel, Internet Explorer, Outlook,
PowerPoint, SQL Server, Visual Studio, Windows, Windows Event Log, Windows Server, Windows Vista, and Windows
XP are trademarks of Microsoft Corporation. Netscape is a trademark of Netscape Communication Corporation.
Novell and GroupWise are trademarks of Novell, Inc. PGP is a trademark of PGP Corporation. RSA and RSA SecurID
are trademarks of RSA Security. Wi-Fi is a trademark of the Wi-Fi Alliance. All other trademarks are the property of
their respective owners.
This documentation including all documentation incorporated by reference herein such as documentation provided
or made available at www.blackberry.com/go/docs is provided or made accessible "AS IS" and "AS AVAILABLE" and
without condition, endorsement, guarantee, representation, or warranty of any kind by Research In Motion Limited
and its affiliated companies ("RIM") and RIM assumes no responsibility for any typographical, technical, or other
inaccuracies, errors, or omissions in this documentation. In order to protect RIM proprietary and confidential
information and/or trade secrets, this documentation may describe some aspects of RIM technology in generalized
terms. RIM reserves the right to periodically change information that is contained in this documentation; however,
RIM makes no commitment to provide any such changes, updates, enhancements, or other additions to this
documentation to you in a timely manner or at all.
This documentation might contain references to third-party sources of information, hardware or software, products
or services including components and content such as content protected by copyright and/or third-party web sites
(collectively the "Third Party Products and Services"). RIM does not control, and is not responsible for, any Third
Party Products and Services including, without limitation the content, accuracy, copyright compliance, compatibility,
performance, trustworthiness, legality, decency, links, or any other aspect of Third Party Products and Services. The
inclusion of a reference to Third Party Products and Services in this documentation does not imply endorsement by
RIM of the Third Party Products and Services or the third party in any way.
EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS,
ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS OR
WARRANTIES OF DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE, MERCHANTABILITY, MERCHANTABLE
QUALITY, NON-INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR
A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE, OR PERFORMANCE
351
Administration Guide
Legal notice
OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES
REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR
PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND
CONDITIONS. TO THE EXTENT PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE
DOCUMENTATION TO THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE
HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM
THAT IS THE SUBJECT OF THE CLAIM.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL RIM BE
LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NONPERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES
REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE FOLLOWING DAMAGES: DIRECT,
CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED DAMAGES, DAMAGES
FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS, BUSINESS INTERRUPTION, LOSS
OF BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION OR LOSS OF DATA, FAILURES TO
TRANSMIT OR RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY APPLICATIONS USED IN CONJUNCTION WITH
RIM PRODUCTS OR SERVICES, DOWNTIME COSTS, LOSS OF THE USE OF RIM PRODUCTS OR SERVICES OR ANY PORTION
THEREOF OR OF ANY AIRTIME SERVICES, COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR SERVICES,
COST OF CAPITAL, OR OTHER SIMILAR PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR
UNFORESEEN, AND EVEN IF RIM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, RIM SHALL HAVE NO OTHER
OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING ANY
LIABILITY FOR NEGLIGENCE OR STRICT LIABILITY.
THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF THE
CAUSE OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT,
NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL BREACH
OR BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY CONTAINED
HEREIN; AND (B) TO RIM AND ITS AFFILIATED COMPANIES, THEIR SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS
(INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED RIM DISTRIBUTORS (ALSO INCLUDING AIRTIME SERVICE
PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT CONTRACTORS.
IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR, EMPLOYEE,
AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF RIM OR ANY AFFILIATES OF RIM HAVE ANY
LIABILITY ARISING FROM OR RELATED TO THE DOCUMENTATION.
Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure
that your airtime service provider has agreed to support all of their features. Some airtime service providers might
not offer Internet browsing functionality with a subscription to the BlackBerry® Internet Service. Check with your
service provider for availability, roaming arrangements, service plans and features. Installation or use of Third Party
Products and Services with RIM's products and services may require one or more patent, trademark, copyright, or
other licenses in order to avoid infringement or violation of third party rights. You are solely responsible for
determining whether to use Third Party Products and Services and if any third party licenses are required to do so.
If required you are responsible for acquiring them. You should not install or use Third Party Products and Services
352
Administration Guide
Legal notice
until all necessary licenses have been acquired. Any Third Party Products and Services that are provided with RIM's
products and services are provided as a convenience to you and are provided "AS IS" with no express or implied
conditions, endorsements, guarantees, representations, or warranties of any kind by RIM and RIM assumes no liability
whatsoever, in relation thereto. Your use of Third Party Products and Services shall be governed by and subject to
you agreeing to the terms of separate licenses and other agreements applicable thereto with third parties, except
to the extent expressly covered by a license or other agreement with RIM.
Certain features outlined in this documentation require a minimum version of BlackBerry® Enterprise Server,
BlackBerry® Desktop Software, and/or BlackBerry® Device Software.
The terms of use of any RIM product or service are set out in a separate license or other agreement with RIM applicable
thereto. NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN AGREEMENTS OR
WARRANTIES PROVIDED BY RIM FOR PORTIONS OF ANY RIM PRODUCT OR SERVICE OTHER THAN THIS
DOCUMENTATION.
Certain features outlined in this documentation might require additional development or Third Party Products and
Services for access to corporate applications.
This product contains a modified version of HTML Tidy. Copyright © 1998-2003 World Wide Web Consortium
(Massachusetts Institute of Technology, European Research Consortium for Informatics and Mathematics, Keio
University). All Rights Reserved.
This product includes software developed by the Apache Software Foundation (www.apache.org/) and/or is licensed
pursuant to one of the licenses listed at (www.apache.org/licenses/). For more information, see the NOTICE.txt file
included with the software.
Research In Motion Limited
295 Phillip Street
Waterloo, ON N2L 3W8
Canada
Research In Motion UK Limited
Centrum House
36 Station Road
Egham, Surrey TW20 9LF
United Kingdom
Published in Canada
353
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Related manuals

Download PDF

advertisement