When a BlackBerry device is activated on MDaemon, a designated policy is pushed to that device. Policies are sets of rules that govern what is required or permitted on a device. They allow you to do things like require passwords, force the device to lock when holstered, encrypt files on the device, and more. Policies can be assigned to domains and to individual accounts. Use the Domains screen to assign policies to domains, or use the BlackBerry Enterprise Server screen on the Account Editor to assign them to specific accounts. MDaemon is equipped with three pre-configured policies, and you can create your own custom policies.
After a device is activated it may have various functionality changes or operating differences when compared to its state prior to BlackBerry Device Activation. The degree of difference depends on the device, OS, policy used, and whether or not it was previously activated on a different BlackBerry Enterprise Server. |
Pre-configured Policies
There are three pre-configured policies that cannot be edited or removed:
Default
This policy causes the BlackBerry device to use standard BlackBerry Enterprise Server defaults for all settings. This is a standard "out-of-the-box" and "under the control of a BlackBerry Enterprise Server" policy configuration.
Password Required
This policy is like Default except that it sets the Password Required rule to YES and the User can disable password rule to No (see rule descriptions below). Devices with this policy must be secured by a password.
Expiring Passwords
This policy is like Password Required but also sets the Max password age (days) rule to 30. The password on the device will have to be changed at least every 30 days.
Creating a Custom Policy
To create a custom policy:
1. | Click New. |
2. | Enter a name for the policy. |
3. | Click OK. |
4. | Set the various policy rules as desired. |
5. | Click Save. |
The following is a list of all policy rules that you can set when creating or editing a custom policy. Password Settings Contains policy rules that apply to BlackBerry device password settings. Password required Specify whether the BlackBerry device requires a password. Set this rule to YES to require the user to enter a password to unlock the BlackBerry device. Rule dependency: If you enable this rule, you should set the User can disable password rule to NO to prevent the BlackBerry device user from disabling this rule. Minimum password length Type the minimum required length, in characters, of the BlackBerry device password. This rule only controls the minimum password length, not the maximum password length. The maximum password length is 32 characters. The valid range for the value of this rule is 4 through 14. Rule dependency: The BlackBerry device uses this rule only if a BlackBerry device password is set. To require a BlackBerry device password, set the Password required rule to YES. User can disable password Specify whether the user can disable the requirement for a BlackBerry device password. Set this rule to NO to prevent users from disabling the password requirement on the BlackBerry device. Rule dependency: The BlackBerry device uses this rule only if a BlackBerry device password is set. To require a BlackBerry device password, set the Password required rule to YES. Max security timeout (minutes) Specify the maximum time, in minutes, that a BlackBerry device user can set as the security timeout value (the number of minutes of BlackBerry device user inactivity allowed before the security timeout occurs and the device requires the user to type the BlackBerry device password to unlock it). The BlackBerry device user can set any timeout value that is less than or equal to the maximum value, unless you set the User can change timeout rule value to NO. The maximum security timeout value available by default on the BlackBerry device is 60 minutes. The valid range for the value of this rule is 10-480 minutes. Note: Use the Set Password Timeout (minutes) rule if you wish to set a specific timeout value. Rule dependency: The BlackBerry device uses this policy rule only if the Password required rule is set to YES. User can change timeout Specify whether the BlackBerry device user can change the security timeout. If set to YES, the user can set the timeout to any available value up to the limit set in the Max security timeout (minutes) rule. Set this rule to NO if you wish to prevent the user from changing the timeout value. If no value is set then a default value of YES is used. Max password age (days) Type the number of days until a BlackBerry device password expires and the BlackBerry device prompts the user to set a new password. The valid range for the value of this rule is 0-65535 days. Note: Set this rule to 0 to prevent the BlackBerry device password from expiring. Rule dependency: The BlackBerry device uses this rule only if a BlackBerry device password is set. To require a BlackBerry device password, set the Password required rule to YES. Set password timeout (minutes) Specify the amount of time, in minutes, of BlackBerry device user inactivity allowed before the security timeout occurs and the BlackBerry device requires the user to type the password to unlock the BlackBerry device. The valid range for the value of this rule is 0-60. Note: The default security timeout interval is 2 minutes of inactivity for BlackBerry device software versions earlier than 4.7, and 30 minutes of inactivity for BlackBerry device software versions 4.7 and later. Rule dependencies: The BlackBerry device uses this rule only if the Password required rule is set to YES. If you do not set the User can change timeout rule to NO, the BlackBerry device user can set the password timeout to one of a range of values. The maximum security timeout value available by default on the BlackBerry device is 60 minutes. Set max password attempts Set the number of password attempts (incorrect passwords entered) permitted on the BlackBerry device before the BlackBerry device data is erased and the BlackBerry device is disabled. The valid range for the value of this rule is 3-10 attempts. 10 attempts are allowed by default. Rule dependency: The BlackBerry device uses this rule only if a BlackBerry device password is set. To require a BlackBerry device password, set the Password required rule to YES. Suppress password echo Set this rule to YES to prevent the echoing (printing to the screen) of characters typed into the password screen after the user has entered a set number of incorrect passwords while attempting to unlock the device. Note: You can use the Set max password attempts rule to designate the number of incorrect password attempts allowed before password echoing occur (if permitted). Rule dependency: The BlackBerry device uses this rule only if a BlackBerry device password is set. To require a password, set the Password required rule to YES. Max password history Set the maximum number of previous passwords against which the BlackBerry device can check new passwords to prevent reuse of the old passwords. The valid range for the value of this rule is 0-15 passwords. Set this rule to 0 to prevent the BlackBerry device from checking for reused passwords. If you do not set this rule, a default value of 0 will be used. Rule dependency: The BlackBerry device uses this rule only if a BlackBerry device password is set. To require a BlackBerry device password, set the Password required rule to YES. Forbidden passwords Type a list of comma-separated string values representing words that users are not permitted to use within their passwords. Note: The BlackBerry device automatically prevents common letter substitutions. For example, if you include "password" in the forbidden passwords list, users cannot use "p@ssw0rd", "pa$zword", or "password123" on the BlackBerry device. Rule dependency: The BlackBerry device uses this rule only if a BlackBerry device password is set. To require a BlackBerry device password, set the Password required rule to YES. Security Settings Contains policy rules that apply to BlackBerry device security." Force lock when holstered Specify whether the BlackBerry device is security locked when placed in the holster. If you do not set this rule, a default value of NO will be used. Content protection Specify whether content protection is turned on. When content protection is turned on, BlackBerry device content is always protected with the 256 bit AES encryption algorithm. If the BlackBerry device is locked when it receives content, the BlackBerry device randomly generates the content protection key (a 256 bit AES encryption key) and an ECC key pair, derives an ephemeral 256 bit AES encryption key from the BlackBerry device password, and uses the ephemeral key to encrypt the content protection key and the ECC private key. Rule dependency: The BlackBerry device uses this policy rule only if the Password required rule is set to YES. External file system encryption level Specify the level of file system encryption that the BlackBerry device uses to encrypt files that it stores on an external file system. You can use this policy rule to require the BlackBerry device to encrypt an external file system, either including or excluding multimedia directories. If you do not set this rule, a default value of Level 0 (i.e. Not Required) will be used. You can set this rule to the following values: Level 0: Not Required Level 1: Encrypt to User Password (excluding multi-media directories) Level 2: Encrypt to User Password (including multi-media directories) Level 3: Encrypt to Device Key (excluding multi-media directories) Level 4: Encrypt to Device Key (including multi-media directories) Level 5: Encrypt to User Password and Device Key (excluding multi-media directories) Level 6: Encrypt to User Password and Device Key (including multi-media directories) Encryption on on-board device media files Specify whether the media files located on the on-board device memory will be encrypted to the user password and the device generated key if on-board device memory exists. If you set this rule to Required or Disallowed the user cannot change this setting on the device. If you do not set this rule, a default value of Allowed will be used. Rule dependency: The BlackBerry device uses this policy rule only if the Content protection strength is set. Password required for application download Specify whether the BlackBerry device will prompt the user for their password prior to using the browser to download applications. Rule dependency: The BlackBerry device uses this rule only if a BlackBerry device password is set. To require a BlackBerry device password, set the Password required rule to YES. Disable organizer data access for social networking apps This rule specifies whether a BlackBerry device must prevent social networking applications from accessing organizer data such as contacts and calendar data. Set this to NO to grant social networking applications access to the address book, calendar, and other organizer data. This rule's default value is YES, social networking applications cannot access organizer data on the device. BlackBerry Balance Contains policies governing separation of work and personal data. Enable separation of work content Specify whether a BlackBerry device distinguishes between work data and personal data and whether the applications on the device can access work data. If you do not set this rule, a default value of NO will be used. Disable forwarding of work content using personal channels Specify whether a BlackBerry device user can send work data to contacts using personal resources (for example, SMS text messaging, MMS messaging, or personal email accounts). If you do not set this rule, a default value of NO will be used. Rule dependency: This rule requires the Enable separation of work rule to be enabled. Require work resources for conducting work activities Specify whether a BlackBerry device must use work resources (for example, work email accounts or work calendars) when a BlackBerry device user conducts work activity (for example, sending an email message to a work contact or scheduling a work appointment). If you do not set this rule, a default value of NO will be used. Rule dependency: This rule requires the Enable separation of work rule to be enabled. Work domains Type a list of comma-separated string values listing domain names that the BlackBerry device will identify as a work resource (for example: altn.com, example.com). Sub-domains are included automatically. Other Miscellaneous settings Allow web-based software loading Specify whether to allow a user to update the BlackBerry device software using the web-based software loading feature. If you do not set this rule, a default value of NO will be used. MDS browser domains Specify a list of web addresses that the BlackBerry device should retrieve using the BlackBerry browser. Separate multiple web addresses with a comma. If you wish to allow the BlackBerry browser to retrieve sub-domains of a web address then prefix the domain with a period. For example, type ".example.com" to allow for sub-domains of example.com, such as: mail.example.com, www.example.com, etc. This rule applies only to Java-based BlackBerry devices version 4.2.0 and higher. Policy author's name Enter the name of the author of this policy. Policy description Enter some text to describe this policy. |
See:
Account Editor » BlackBerry Enterprise Server